--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert:
+ tagged-packets: true
+ - dns
+ - smtp
+ - anomaly
--- /dev/null
+alert dns any any -> any any (dns.query; content:"mail"; tag:host,100,packets,src; tag:session; sid:1;)
--- /dev/null
+args:
+- --runmode=single
+- -k none
+
+pcap: ../smtp-file-data-02/input.pcap
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ - filter:
+ count: 58
+ match:
+ event_type: packet
+ - filter:
+ count: 1
+ match:
+ event_type: packet
+ src_ip: 10.10.1.1
+ dest_ip: 10.10.1.4
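Review bot: The eve-log config enables the `anomaly` logger (and `dns`/`smtp`) but none of the checks in this test.yaml asserts on those event types, so a decode or app-layer anomaly raised while processing the tagged packets would go unnoticed. If the harness accepts a zero count, an explicit absence check such as `- filter: {count: 0, match: {event_type: anomaly}}` turns the enabled logger into a useful guard. The same applies to the other test.yaml files in this commit (the hunks ending at L72, L105, L138, L171, L204), which share the identical suricata.yaml. Matching the alert on its sid, `match: {event_type: alert, alert.signature_id: 1}`, would also make the count-1 check robust against unrelated alerts.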
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert:
+ tagged-packets: true
+ - dns
+ - smtp
+ - anomaly
--- /dev/null
+alert tcp any any -> any any (flags:S; tag:session; sid:1;)
--- /dev/null
+args:
+- --runmode=single
+- -k none
+
+pcap: ../ssh-banner-only/input.pcap
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ - filter:
+ count: 8
+ match:
+ event_type: packet
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert:
+ tagged-packets: true
+ - dns
+ - smtp
+ - anomaly
--- /dev/null
+alert tcp any any -> any any (flags:S; tag:host,100,packets,src; sid:1;)
--- /dev/null
+args:
+- --runmode=single
+- -k none
+
+pcap: ../ssh-banner-only/input.pcap
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ - filter:
+ count: 8
+ match:
+ event_type: packet
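Review bot: The checks here only count `packet` events, so they cannot tell a `src`-directed host tag from any other tag that happens to yield 8 logged packets; the `tag:session` test ending at L72 expects the same 8 on the same pcap. The smtp test at the top of this commit already shows the stronger form with `src_ip`/`dest_ip` in the match, and the direction-specific tests (this one and the hunks ending at L138, L171 and L204) would benefit from the same, e.g. `match: {event_type: packet, src_ip: <client address from ssh-banner-only pcap>}` with the count that direction should produce. That would also document why `tag:host,100,packets,src` is expected to log 8 packets while `tag:host,100,packets,dst` (L155/L169) is expected to log 14, which is not obvious from the counts alone.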
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert:
+ tagged-packets: true
+ - dns
+ - smtp
+ - anomaly
--- /dev/null
+alert tcp any any -> any any (flags:S; tag:host,9,packets,dst; sid:1;)
--- /dev/null
+args:
+- --runmode=single
+- -k none
+
+pcap: ../ssh-banner-only/input.pcap
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ - filter:
+ count: 8
+ match:
+ event_type: packet
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert:
+ tagged-packets: true
+ - dns
+ - smtp
+ - anomaly
--- /dev/null
+alert tcp any any -> any any (flags:S; tag:host,100,packets,dst; sid:1;)
--- /dev/null
+args:
+- --runmode=single
+- -k none
+
+pcap: ../ssh-banner-only/input.pcap
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ - filter:
+ count: 14
+ match:
+ event_type: packet
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert:
+ tagged-packets: true
+ - dns
+ - smtp
+ - anomaly
--- /dev/null
+alert tcp any any -> any any (flags:S; tag:host,9,packets,src; tag:host,15,packets,dst; sid:1;)
--- /dev/null
+args:
+- --runmode=single
+- -k none
+
+pcap: ../ssh-banner-only/input.pcap
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ - filter:
+ count: 14
+ match:
+ event_type: packet
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert:
+ tagged-packets: true
+ - dns
+ - smtp
+ - anomaly
--- /dev/null
+alert tcp any any -> any any (flags:S; tag:host,2,packets,src; tag:session; sid:1;)
--- /dev/null
+args:
+- --runmode=single
+- -k none
+
+pcap: ../ssh-banner-only/input.pcap
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ - filter:
+ count: 8
+ match:
+ event_type: packet