From: Victor Julien Date: Wed, 20 Jan 2021 15:03:36 +0000 (+0100) Subject: tests: add ssh keyword tests X-Git-Tag: suricata-6.0.4~167 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1009fbe1c368d4f74f20df800eee8fede37520e0;p=thirdparty%2Fsuricata-verify.git tests: add ssh keyword tests
---
diff --git a/tests/ssh-banner-only/test.rules b/tests/ssh-banner-only/test.rules
new file mode 100644
index 000000000..7638fded0
--- /dev/null
+++ b/tests/ssh-banner-only/test.rules
@@ -0,0 +1,4 @@
+alert ssh any any -> any any (ssh.software; content:"OpenSSH"; sid:1;)
+# broken?
+#alert ssh any any -> any any (ssh.softwareversion:OpenSSH_7.4; sid:2;)
+alert ssh any any -> any any (ssh.proto; content:"2"; sid:3;)
diff --git a/tests/ssh-banner-only/test.yaml b/tests/ssh-banner-only/test.yaml
index e40480a99..5c4b9087a 100644
--- a/tests/ssh-banner-only/test.yaml
+++ b/tests/ssh-banner-only/test.yaml
@@ -15,4 +15,9 @@ checks:
 ssh.client.proto_version: "2.0"
 ssh.server.proto_version: "2.0"
 ssh.client.software_version: "OpenSSH_for_Windows_7.7"
- ssh.server.software_version: "OpenSSH_7.4"
\ No newline at end of file
+ ssh.server.software_version: "OpenSSH_7.4"
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
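Review bot: The disabled sid 2 rule in test.rules carries only `# broken?` as its explanation, so a later reader cannot tell whether `ssh.softwareversion:OpenSSH_7.4` failed to load or loaded but produced no alert on this pcap, and the test quietly stops covering that keyword. I'd replace the comment with one that records the observed failure and the version it was seen on, e.g. `# sid 2 disabled: ssh.softwareversion:OpenSSH_7.4 <fails to load | loads but no alert> on <SURICATA_VERSION>; re-enable once fixed`, or reference a tracking ticket. Separately, sid 3's `content:"2"` is a substring match on the proto buffer, so it would also accept any other version string containing a "2"; `content:"2.0";` pins the exact value the yaml already expects.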
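Review bot: The added filter in test.yaml asserts only `alert.signature_id: 1`, so the new `ssh.proto` rule (sid 3 in test.rules) is loaded but never verified and a regression in that keyword would leave this test green. I'd add a second filter for sid 3 beside the first; a count of 1 is what sid 1 expects and is presumably the same here, but it should be confirmed from a run of this pcap before committing it.
```yaml
  - filter:
      count: 1   # confirm against a run of this pcap
      match:
        event_type: alert
        alert.signature_id: 3
```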