tests: test new json format option
authorEric Leblond <el@stamus-networks.com>
Sun, 22 Dec 2024 09:34:21 +0000 (10:34 +0100)
committerEric Leblond <el@stamus-networks.com>
Wed, 11 Jun 2025 12:01:45 +0000 (14:01 +0200)
tests/datajson/datajson-09-jsonformat/hosts-nested-key.json [new file with mode: 0644]
tests/datajson/datajson-09-jsonformat/test.rules
tests/datajson/datajson-09-jsonformat/test.yaml

diff --git a/tests/datajson/datajson-09-jsonformat/hosts-nested-key.json b/tests/datajson/datajson-09-jsonformat/hosts-nested-key.json
new file mode 100644 (file)
index 0000000..df49060
--- /dev/null
@@ -0,0 +1,21 @@
+{
+  "info": {
+    "threat": [
+      {
+        "context": "gold old test",
+        "year": 2005,
+        "host": {
+          "fqdn": "www.testmyids.com",
+          "domain": "testmyids.com"
+        }
+      },
+      {
+        "context": "old test",
+        "year": 2023,
+        "host": {
+          "domain": "testmyids.com"
+        }
+      }
+    ]
+  }
+}
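Review bot: The second element of `info.threat` has no `host.fqdn`, which is the key sid:4 selects with `json_key host.fqdn`, and nothing in the commit records whether that omission is deliberate. If it is meant to exercise an entry that lacks the requested key, the expected outcome is only implied by the alert count in test.yaml, so a loader change that starts dropping or rejecting entries differently could go unnoticed. JSON cannot carry a comment, so the intent would have to be stated elsewhere, for example a `#` line in test.yaml such as `# second info.threat entry has no host.fqdn; the loader is expected to skip it`, assuming that is the intended behaviour.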
index c22e2916457518928a035d3a14f66459e197e264..4caa80a70bd96275906f4afaf6eada39a5c9e41b 100644 (file)
@@ -2,5 +2,6 @@ alert http any any -> any any (flow:established,to_server; http.host; datajson:i
 
 alert http any any -> any any (flow:established,to_server; http.host; datajson:isset,dbadhost,type string,load hosts-direct.json,key dbad_host,json_key host; ip.src; datajson:isset,src_ip,type ip,load src.json,key src_ip,json_key ip; sid:2;)
 
-
 alert http any any -> any any (flow:established,to_server; http.host; datajson:isset,nbadhost,type string,load hosts-nested.json,key nbad_host,json_key host, array_key info.threat; ip.src; datajson:isset,src_ip,type ip,load src.json,key src_ip,json_key ip; sid:3;)
+
+alert http any any -> any any (flow:established,to_server; http.host; datajson:isset,nkbadhost,type string,load hosts-nested-key.json,key nkbad_host,json_key host.fqdn, array_key info.threat; ip.src; datajson:isset,src_ip,type ip,load src.json,key src_ip,json_key ip; sid:4;)
index 6e95693a58accb5d975240edfb6a4ab8ec3cd409..669934fa20e25f3ceb9766d4c9e2f6589e5d49d3 100644 (file)
@@ -9,7 +9,7 @@ args:
 
 checks:
   - filter:
-      count: 3
+      count: 4
       match:
         event_type: alert
   - filter:
@@ -33,3 +33,11 @@ checks:
         alert.signature_id: 3
         alert.extra.src_ip.test: success
         alert.extra.nbad_host.year: 2005
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 4
+        alert.extra.src_ip.test: success
+        alert.extra.nkbad_host.year: 2005
+        alert.extra.nkbad_host.host.domain: testmyids.com
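Review bot: The new filter for signature 4 does not assert `alert.extra.nkbad_host.host.fqdn`, although that nested value is what the rule keys on through `json_key host.fqdn`. `year: 2005` and `host.domain` show that the first array element was attached to the alert, but they do not make the dotted-key lookup itself visible in the expected output. Adding `alert.extra.nkbad_host.host.fqdn: www.testmyids.com` to the `match` block would pin it, assuming the whole object is emitted as the `host.domain` check suggests. The `checks` list begins outside this hunk.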