Added a filter for rule sid 3, which previously had none.
Uncommented rule sid 2.
alert ssh any any -> any any (ssh.software; content:"OpenSSH"; sid:1;)
-# broken?
-#alert ssh any any -> any any (ssh.softwareversion:OpenSSH_7.4; sid:2;)
+# ssh.softwareversion is deprecated in favor of ssh.software this is just to check if it still works
+alert ssh any any -> any any (ssh.softwareversion:OpenSSH_7.4; sid:2;)
alert ssh any any -> any any (ssh.proto; content:"2"; sid:3;)
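Review bot: The comment added above the re-enabled sid:2 rule runs two statements together without punctuation and does not state what a failure of that rule would mean, so it reads as a stray remark rather than the intent of the test; suggest `# ssh.softwareversion is deprecated in favor of ssh.software; this rule is kept only to verify that the deprecated keyword still matches.` The commit also adds a count:1 filter for sid 2 in the test YAML, so a wording that ties the rule to that expectation (deprecated keyword must still produce exactly one alert on this pcap) would make the test's purpose clear to whoever eventually removes the keyword. The preceding `# broken?` line is dropped, which is fine once the replacement comment explains why the rule was previously disabled, if that is known; the current text does not say.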
match:
event_type: alert
alert.signature_id: 1
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ - filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 3