--- /dev/null
+alert udp any any -> any 6081 (msg:"geneve udp"; sid:2;)
+pass udp any any -> any 6081 (sid:1;)
+alert ip any any -> any any (msg:"all IP"; sid:5554;)
+alert tcp any any -> any any (msg:"all TCP"; sid:5553;)
+alert ip any any -> any any (msg:"IP Packet with 47 protocol"; ip_proto:47; sid:5555;)
+alert ip any any -> any any (msg:"IP Packet with GRE protocol"; ip_proto:gre; sid:5556;)
+alert icmp any any -> any any (msg:"ICMP"; sid:5557;)
+alert http any any -> any any (http.uri; content:"/"; sid:666;)
+
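Review bot: The `pass udp any any -> any 6081 (sid:1;)` rule suppresses the `geneve udp` alert (sid:2) on the same port under Suricata's default action order (pass is evaluated before alert), so sid:2 can never fire. This looks intentional — the sibling test.yaml asserts `flow.alerted: false` for the UDP flow, i.e. only the decoded inner packets are expected to alert — but nothing in the file says so, and a later reader may "fix" the dead rule. Add a header comment along the lines of `# Outer Geneve (UDP/6081) flow is passed by sid:1 so only decoded inner traffic alerts; sid:2 is intentionally shadowed by the pass rule.`, or drop sid:2 if it is not meant to document the pass precedence. The rules also carry no `rev:` keyword; `rev:1;` on each would match the usual rule convention.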
--- /dev/null
+args:
+- --runmode=single
+
+checks:
+ - filter:
+ count: 2
+ match:
+ event_type: flow
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ proto: TCP
+ flow.alerted: true
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ proto: UDP
+ flow.alerted: false
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 666
+ - filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 5553
+ - filter:
+ count: 14
+ match:
+ event_type: alert
+ alert.signature_id: 5554
+ - filter:
+ count: 12
+ match:
+ event_type: alert
+ alert.signature_id: 5554
+ proto: GRE
+ - filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 5554
+ proto: TCP
+ - filter:
+ count: 12
+ match:
+ event_type: alert
+ alert.signature_id: 5555
+ - filter:
+ count: 12
+ match:
+ event_type: alert
+ alert.signature_id: 5556
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 5557
+ - filter:
+ count: 1
+ match:
+ event_type: fileinfo
+ fileinfo.state: "CLOSED"
+ fileinfo.size: 18
+
+
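Review bot: No check pins the behaviour the rules file relies on: there is no `count: 0` filter for `alert.signature_id: 2`, so a regression where the outer Geneve UDP packets start alerting would only surface indirectly through the `flow.alerted: false` check on the UDP flow. An explicit zero-count check for sid 2, next to the existing one for sid 5557, makes the expectation direct. The sid 5554 breakdown (12 GRE + 2 TCP = 14) is consistent with its total, so the inner-decode counts look coherent; a one-line comment naming the capture scenario these counts assume (presumably Geneve-encapsulated GRE and TCP traffic) would help whoever updates the pcap later.
```yaml
# … unchanged: args and the existing checks …
  - filter:
      count: 0
      match:
        event_type: alert
        alert.signature_id: 2
```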