Ticket: 7295
Ensures that stat-code and method do not share the same buffer
in different directions
alert sip any any -> any any (flow:to_server; sip.method; content:"REGISTER"; sid:1;)
+alert sip any any -> any any (sip.stat_code; content:"REGISTER"; sid:2;)
count: 18
match:
event_type: alert
+ - filter:
+ # only sid 1 triggered the 7 alerts
+ count: 18
+ match:
+ event_type: alert
+ alert.signature_id: 1
\ No newline at end of file
alert sip any any -> any any (flow:to_client; sip.stat_code; content:"100"; sid:1;)
+alert sip any any -> any any (sip.method; content:"100"; sid:2;)
count: 7
match:
event_type: alert
+ - filter:
+ # only sid 1 triggered the 7 alerts
+ count: 7
+ match:
+ event_type: alert
+ alert.signature_id: 1
\ No newline at end of file