From: Shivani Bhardwaj Date: Thu, 21 Mar 2024 09:17:39 +0000 (+0530) Subject: port-grouping: add tests for bug 6881 and more X-Git-Tag: suricata-6.0.19~21 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=becdc51ee049d615c526a9edece18f95c28c55f8;p=thirdparty%2Fsuricata-verify.git port-grouping: add tests for bug 6881 and more
---
diff --git a/tests/rule-grouping/rule-grouping-10/README.md b/tests/rule-grouping/rule-grouping-10/README.md
new file mode 100644
index 000000000..adc78bdf2
--- /dev/null
+++ b/tests/rule-grouping/rule-grouping-10/README.md
@@ -0,0 +1,12 @@
+# Test Description
+
+Test to demonstrate the port grouping and SGH distribution for single point
+and a range separated by a gap.
+
+## PCAP
+
+None
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/6881
diff --git a/tests/rule-grouping/rule-grouping-10/suricata.yaml b/tests/rule-grouping/rule-grouping-10/suricata.yaml
new file mode 100644
index 000000000..549defa9d
--- /dev/null
+++ b/tests/rule-grouping/rule-grouping-10/suricata.yaml
@@ -0,0 +1,13 @@
+%YAML 1.1
+---
+
+engine-analysis:
+ rules-fast-pattern: yes
+ rules: yes
+
+detect:
+ profiling:
+ grouping:
+ dump-to-disk: yes
+ include-rules: yes
+ include-mpm-stats: yes
diff --git a/tests/rule-grouping/rule-grouping-10/test.rules b/tests/rule-grouping/rule-grouping-10/test.rules
new file mode 100644
index 000000000..084869c4e
--- /dev/null
+++ b/tests/rule-grouping/rule-grouping-10/test.rules
@@ -0,0 +1,2 @@
+alert tcp any any -> any 80 (flow:to_server; content:"abc"; sid:1;)
+alert tcp any any -> any 100:120 (flow:to_server; content:"abc"; sid:2;)
diff --git a/tests/rule-grouping/rule-grouping-10/test.yaml b/tests/rule-grouping/rule-grouping-10/test.yaml
new file mode 100644
index 000000000..5c8abbcb3
--- /dev/null
+++ b/tests/rule-grouping/rule-grouping-10/test.yaml
@@ -0,0 +1,30 @@
+requires:
+ min-version: 8
+
+pcap: false
+
+args:
+ - --engine-analysis
+
+checks:
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver.__len: 2
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[0].port: 80
+ tcp.toserver[0].port2: 80
+ tcp.toserver[0].rulegroup.id: 0
+ tcp.toserver[0].rulegroup.rules[0].sig_id: 1
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[1].port: 100
+ tcp.toserver[1].port2: 120
+ tcp.toserver[1].rulegroup.id: 1
+ tcp.toserver[1].rulegroup.rules[0].sig_id: 2
diff --git a/tests/rule-grouping/rule-grouping-11/README.md b/tests/rule-grouping/rule-grouping-11/README.md
new file mode 100644
index 000000000..c41b719a0
--- /dev/null
+++ b/tests/rule-grouping/rule-grouping-11/README.md
@@ -0,0 +1,12 @@
+# Test Description
+
+Test to demonstrate the port grouping and SGH distribution for a range
+and a single point separated by a gap.
+
+## PCAP
+
+None
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/6792
diff --git a/tests/rule-grouping/rule-grouping-11/suricata.yaml b/tests/rule-grouping/rule-grouping-11/suricata.yaml
new file mode 100644
index 000000000..549defa9d
--- /dev/null
+++ b/tests/rule-grouping/rule-grouping-11/suricata.yaml
@@ -0,0 +1,13 @@
+%YAML 1.1
+---
+
+engine-analysis:
+ rules-fast-pattern: yes
+ rules: yes
+
+detect:
+ profiling:
+ grouping:
+ dump-to-disk: yes
+ include-rules: yes
+ include-mpm-stats: yes
diff --git a/tests/rule-grouping/rule-grouping-11/test.rules b/tests/rule-grouping/rule-grouping-11/test.rules
new file mode 100644
index 000000000..fae118f3c
--- /dev/null
+++ b/tests/rule-grouping/rule-grouping-11/test.rules
@@ -0,0 +1,2 @@
+alert tcp any any -> any 80:120 (flow:to_server; content:"abc"; sid:1;)
+alert tcp any any -> any 150 (flow:to_server; content:"abc"; sid:2;)
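Review bot: Each check pins `rulegroup.rules[0].sig_id` but never the length of the rule list, so a regression that lands both sid 1 and sid 2 in the same group would still pass as long as the first entry is the expected one; adding `tcp.toserver[0].rulegroup.rules.__len: 1` (and the matching line for index 1) to the match blocks closes that gap, using the same `__len` key the first filter already relies on. The same applies to the test.yaml hunks for rule-grouping-11 through rule-grouping-16, including the two-rule groups there, where `rules[1]` is asserted but a third entry would go unnoticed. `min-version: 8` also means none of these cases run against a 7.0.x build; if the fix for issue 6881 is meant to be backported, that floor presumably needs to be lowered, which is worth confirming with the engine change this test accompanies.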
diff --git a/tests/rule-grouping/rule-grouping-11/test.yaml b/tests/rule-grouping/rule-grouping-11/test.yaml
new file mode 100644
index 000000000..636d840ed
--- /dev/null
+++ b/tests/rule-grouping/rule-grouping-11/test.yaml
@@ -0,0 +1,30 @@
+requires:
+ min-version: 8
+
+pcap: false
+
+args:
+ - --engine-analysis
+
+checks:
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver.__len: 2
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[0].port: 80
+ tcp.toserver[0].port2: 120
+ tcp.toserver[0].rulegroup.id: 0
+ tcp.toserver[0].rulegroup.rules[0].sig_id: 1
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[1].port: 150
+ tcp.toserver[1].port2: 150
+ tcp.toserver[1].rulegroup.id: 1
+ tcp.toserver[1].rulegroup.rules[0].sig_id: 2
diff --git a/tests/rule-grouping/rule-grouping-12/README.md b/tests/rule-grouping/rule-grouping-12/README.md
new file mode 100644
index 000000000..26878aeef
--- /dev/null
+++ b/tests/rule-grouping/rule-grouping-12/README.md
@@ -0,0 +1,12 @@
+# Test Description
+
+Test to demonstrate the port grouping and SGH distribution for a small range
+cut by a single port.
+
+## PCAP
+
+None
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/6792
diff --git a/tests/rule-grouping/rule-grouping-12/suricata.yaml b/tests/rule-grouping/rule-grouping-12/suricata.yaml
new file mode 100644
index 000000000..549defa9d
--- /dev/null
+++ b/tests/rule-grouping/rule-grouping-12/suricata.yaml
@@ -0,0 +1,13 @@
+%YAML 1.1
+---
+
+engine-analysis:
+ rules-fast-pattern: yes
+ rules: yes
+
+detect:
+ profiling:
+ grouping:
+ dump-to-disk: yes
+ include-rules: yes
+ include-mpm-stats: yes
diff --git a/tests/rule-grouping/rule-grouping-12/test.rules b/tests/rule-grouping/rule-grouping-12/test.rules
new file mode 100644
index 000000000..57656f849
--- /dev/null
+++ b/tests/rule-grouping/rule-grouping-12/test.rules
@@ -0,0 +1,2 @@
+alert tcp any 1024: -> any 80:120 (flow:to_server; content:"abc"; sid:1;)
+alert tcp any 1024: -> any 100 (flow:to_server; content:"abc"; sid:2;)
diff --git a/tests/rule-grouping/rule-grouping-12/test.yaml b/tests/rule-grouping/rule-grouping-12/test.yaml
new file mode 100644
index 000000000..44a9df649
--- /dev/null
+++ b/tests/rule-grouping/rule-grouping-12/test.yaml
@@ -0,0 +1,39 @@
+requires:
+ min-version: 8
+
+pcap: false
+
+args:
+ - --engine-analysis
+
+checks:
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver.__len: 3
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[1].port: 80
+ tcp.toserver[1].port2: 99
+ tcp.toserver[1].rulegroup.id: 1
+ tcp.toserver[1].rulegroup.rules[0].sig_id: 1
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[0].port: 100
+ tcp.toserver[0].port2: 100
+ tcp.toserver[0].rulegroup.id: 0
+ tcp.toserver[0].rulegroup.rules[0].sig_id: 1
+ tcp.toserver[0].rulegroup.rules[1].sig_id: 2
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[2].port: 101
+ tcp.toserver[2].port2: 120
+ tcp.toserver[2].rulegroup.id: 1
+ tcp.toserver[2].rulegroup.rules[0].sig_id: 1
diff --git a/tests/rule-grouping/rule-grouping-13/README.md b/tests/rule-grouping/rule-grouping-13/README.md
new file mode 100644
index 000000000..d4e3a02b1
--- /dev/null
+++ b/tests/rule-grouping/rule-grouping-13/README.md
@@ -0,0 +1,12 @@
+# Test Description
+
+Test to demonstrate the port grouping and SGH distribution for small ranges
+with a point overlap only.
+
+## PCAP
+
+None
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/6792
diff --git a/tests/rule-grouping/rule-grouping-13/suricata.yaml b/tests/rule-grouping/rule-grouping-13/suricata.yaml
new file mode 100644
index 000000000..549defa9d
--- /dev/null
+++ b/tests/rule-grouping/rule-grouping-13/suricata.yaml
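Review bot: The per-index checks in rule-grouping-12's test.yaml are listed as `tcp.toserver[1]`, then `[0]`, then `[2]`, which makes the expected layout hard to read against `tcp.toserver.__len: 3` and against the port ranges in test.rules. Reordering the three filter entries so the `tcp.toserver[0]` block (port 100, both rules) comes first and `[1]` and `[2]` follow changes nothing in what is asserted. The rule-grouping-13 test.yaml added in this same commit already lists its entries in ascending index order, so this would make the two fixtures consistent.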
@@ -0,0 +1,13 @@
+%YAML 1.1
+---
+
+engine-analysis:
+ rules-fast-pattern: yes
+ rules: yes
+
+detect:
+ profiling:
+ grouping:
+ dump-to-disk: yes
+ include-rules: yes
+ include-mpm-stats: yes
diff --git a/tests/rule-grouping/rule-grouping-13/test.rules b/tests/rule-grouping/rule-grouping-13/test.rules
new file mode 100644
index 000000000..4f15ad671
--- /dev/null
+++ b/tests/rule-grouping/rule-grouping-13/test.rules
@@ -0,0 +1,2 @@
+alert tcp any 1024: -> any 80:100 (flow:to_server; content:"abc"; sid:2;)
+alert tcp any 1024: -> any 100:120 (flow:to_server; content:"abc"; sid:3;)
diff --git a/tests/rule-grouping/rule-grouping-13/test.yaml b/tests/rule-grouping/rule-grouping-13/test.yaml
new file mode 100644
index 000000000..509079e57
--- /dev/null
+++ b/tests/rule-grouping/rule-grouping-13/test.yaml
@@ -0,0 +1,40 @@
+requires:
+ min-version: 8
+
+pcap: false
+
+args:
+ - --engine-analysis
+
+checks:
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver.__len: 3
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[0].port: 100
+ tcp.toserver[0].port2: 100
+ tcp.toserver[0].rulegroup.id: 0
+ tcp.toserver[0].rulegroup.rules[0].sig_id: 2
+ tcp.toserver[0].rulegroup.rules[1].sig_id: 3
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[1].port: 80
+ tcp.toserver[1].port2: 99
+ tcp.toserver[1].rulegroup.id: 1
+ tcp.toserver[1].rulegroup.rules[0].sig_id: 2
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[2].port: 101
+ tcp.toserver[2].port2: 120
+ tcp.toserver[2].rulegroup.id: 2
+ tcp.toserver[2].rulegroup.rules[0].sig_id: 3
+
diff --git a/tests/rule-grouping/rule-grouping-14/README.md b/tests/rule-grouping/rule-grouping-14/README.md
new file mode 100644
index 000000000..3adc0cce0
--- /dev/null
+++ b/tests/rule-grouping/rule-grouping-14/README.md
@@ -0,0 +1,12 @@
+# Test Description
+
+Test to demonstrate the port grouping and SGH distribution for disjointed ranges
+but with overlaps within them.
+
+## PCAP
+
+None
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/6792
diff --git a/tests/rule-grouping/rule-grouping-14/suricata.yaml b/tests/rule-grouping/rule-grouping-14/suricata.yaml
new file mode 100644
index 000000000..549defa9d
--- /dev/null
+++ b/tests/rule-grouping/rule-grouping-14/suricata.yaml
@@ -0,0 +1,13 @@
+%YAML 1.1
+---
+
+engine-analysis:
+ rules-fast-pattern: yes
+ rules: yes
+
+detect:
+ profiling:
+ grouping:
+ dump-to-disk: yes
+ include-rules: yes
+ include-mpm-stats: yes
diff --git a/tests/rule-grouping/rule-grouping-14/test.rules b/tests/rule-grouping/rule-grouping-14/test.rules
new file mode 100644
index 000000000..17204eb83
--- /dev/null
+++ b/tests/rule-grouping/rule-grouping-14/test.rules
@@ -0,0 +1,4 @@
+alert tcp any any -> any 80:120 (flow:to_server; content:"abc"; sid:1;)
+alert tcp any 1024: -> any 100:110 (flow:to_server; content:"abc"; sid:2;)
+alert tcp any 1024: -> any 150:250 (flow:to_server; content:"abc"; sid:3;)
+alert tcp any any -> any 200:220 (flow:to_server; content:"abc"; sid:4;)
diff --git a/tests/rule-grouping/rule-grouping-14/test.yaml b/tests/rule-grouping/rule-grouping-14/test.yaml
new file mode 100644
index 000000000..32c1b9a6b
--- /dev/null
+++ b/tests/rule-grouping/rule-grouping-14/test.yaml
@@ -0,0 +1,65 @@
+requires:
+ min-version: 8
+
+pcap: false
+
+args:
+ - --engine-analysis
+
+checks:
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver.__len: 6
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[0].port: 100
+ tcp.toserver[0].port2: 110
+ tcp.toserver[0].rulegroup.id: 0
+ tcp.toserver[0].rulegroup.rules[0].sig_id: 1
+ tcp.toserver[0].rulegroup.rules[1].sig_id: 2
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[1].port: 200
+ tcp.toserver[1].port2: 220
+ tcp.toserver[1].rulegroup.id: 1
+ tcp.toserver[1].rulegroup.rules[0].sig_id: 3
+ tcp.toserver[1].rulegroup.rules[1].sig_id: 4
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[2].port: 80
+ tcp.toserver[2].port2: 99
+ tcp.toserver[2].rulegroup.id: 2
+ tcp.toserver[2].rulegroup.rules[0].sig_id: 1
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[3].port: 111
+ tcp.toserver[3].port2: 120
+ tcp.toserver[3].rulegroup.id: 2
+ tcp.toserver[3].rulegroup.rules[0].sig_id: 1
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[4].port: 150
+ tcp.toserver[4].port2: 199
+ tcp.toserver[4].rulegroup.id: 3
+ tcp.toserver[4].rulegroup.rules[0].sig_id: 3
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[5].port: 221
+ tcp.toserver[5].port2: 250
+ tcp.toserver[5].rulegroup.id: 3
+ tcp.toserver[5].rulegroup.rules[0].sig_id: 3
+
diff --git a/tests/rule-grouping/rule-grouping-15/README.md b/tests/rule-grouping/rule-grouping-15/README.md
new file mode 100644
index 000000000..d9823dbcb
--- /dev/null
+++ b/tests/rule-grouping/rule-grouping-15/README.md
@@ -0,0 +1,12 @@
+# Test Description
+
+Test to demonstrate the port grouping and SGH distribution for multiple
+small range continuos overlaps with predecessor.
+
+## PCAP
+
+None
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/6792
diff --git a/tests/rule-grouping/rule-grouping-15/suricata.yaml b/tests/rule-grouping/rule-grouping-15/suricata.yaml
new file mode 100644
index 000000000..549defa9d
--- /dev/null
+++ b/tests/rule-grouping/rule-grouping-15/suricata.yaml
@@ -0,0 +1,13 @@
+%YAML 1.1
+---
+
+engine-analysis:
+ rules-fast-pattern: yes
+ rules: yes
+
+detect:
+ profiling:
+ grouping:
+ dump-to-disk: yes
+ include-rules: yes
+ include-mpm-stats: yes
diff --git a/tests/rule-grouping/rule-grouping-15/test.rules b/tests/rule-grouping/rule-grouping-15/test.rules
new file mode 100644
index 000000000..81f4fcef1
--- /dev/null
+++ b/tests/rule-grouping/rule-grouping-15/test.rules
@@ -0,0 +1,4 @@
+alert tcp any any -> any 1:20 (flow:to_server; content:"abc"; sid:1;)
+alert tcp any 1024: -> any 15:40 (flow:to_server; content:"abc"; sid:2;)
+alert tcp any 1024: -> any 35:60 (flow:to_server; content:"abc"; sid:3;)
+alert tcp any any -> any 55:80 (flow:to_server; content:"abc"; sid:4;)
diff --git a/tests/rule-grouping/rule-grouping-15/test.yaml b/tests/rule-grouping/rule-grouping-15/test.yaml
new file mode 100644
index 000000000..380444b79
--- /dev/null
+++ b/tests/rule-grouping/rule-grouping-15/test.yaml
@@ -0,0 +1,74 @@
+requires:
+ min-version: 8
+
+pcap: false
+
+args:
+ - --engine-analysis
+
+checks:
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver.__len: 7
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[0].port: 15
+ tcp.toserver[0].port2: 20
+ tcp.toserver[0].rulegroup.id: 0
+ tcp.toserver[0].rulegroup.rules[0].sig_id: 1
+ tcp.toserver[0].rulegroup.rules[1].sig_id: 2
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[1].port: 35
+ tcp.toserver[1].port2: 40
+ tcp.toserver[1].rulegroup.id: 1
+ tcp.toserver[1].rulegroup.rules[0].sig_id: 2
+ tcp.toserver[1].rulegroup.rules[1].sig_id: 3
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[2].port: 55
+ tcp.toserver[2].port2: 60
+ tcp.toserver[2].rulegroup.id: 2
+ tcp.toserver[2].rulegroup.rules[0].sig_id: 3
+ tcp.toserver[2].rulegroup.rules[1].sig_id: 4
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[3].port: 1
+ tcp.toserver[3].port2: 14
+ tcp.toserver[3].rulegroup.id: 3
+ tcp.toserver[3].rulegroup.rules[0].sig_id: 1
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[4].port: 21
+ tcp.toserver[4].port2: 34
+ tcp.toserver[4].rulegroup.id: 4
+ tcp.toserver[4].rulegroup.rules[0].sig_id: 2
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[5].port: 41
+ tcp.toserver[5].port2: 54
+ tcp.toserver[5].rulegroup.id: 5
+ tcp.toserver[5].rulegroup.rules[0].sig_id: 3
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[6].port: 61
+ tcp.toserver[6].port2: 80
+ tcp.toserver[6].rulegroup.id: 6
+ tcp.toserver[6].rulegroup.rules[0].sig_id: 4
+
diff --git a/tests/rule-grouping/rule-grouping-16/README.md b/tests/rule-grouping/rule-grouping-16/README.md
new file mode 100644
index 000000000..b1a6d0422
--- /dev/null
+++ b/tests/rule-grouping/rule-grouping-16/README.md
@@ -0,0 +1,12 @@
+# Test Description
+
+Test to demonstrate the port grouping and SGH distribution for several separate
+single points.
+
+## PCAP
+
+None
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/6792
diff --git a/tests/rule-grouping/rule-grouping-16/suricata.yaml b/tests/rule-grouping/rule-grouping-16/suricata.yaml
new file mode 100644
index 000000000..549defa9d
--- /dev/null
+++ b/tests/rule-grouping/rule-grouping-16/suricata.yaml
@@ -0,0 +1,13 @@
+%YAML 1.1
+---
+
+engine-analysis:
+ rules-fast-pattern: yes
+ rules: yes
+
+detect:
+ profiling:
+ grouping:
+ dump-to-disk: yes
+ include-rules: yes
+ include-mpm-stats: yes
diff --git a/tests/rule-grouping/rule-grouping-16/test.rules b/tests/rule-grouping/rule-grouping-16/test.rules
new file mode 100644
index 000000000..8eb657009
--- /dev/null
+++ b/tests/rule-grouping/rule-grouping-16/test.rules
@@ -0,0 +1,12 @@
+drop tls any 1 -> any 10 (flow:to_server; sid:1; gid:10000002;)
+drop tls any 2 -> any 20 (flow:to_server; sid:2; gid:10000002;)
+drop tls any 3 -> any 30 (flow:to_server; sid:3; gid:10000002;)
+drop tls any 4 -> any 40 (flow:to_server; sid:4; gid:10000002;)
+drop tls any 5 -> any 50 (flow:to_server; sid:5; gid:10000002;)
+drop tls any 6 -> any 60 (flow:to_server; sid:6; gid:10000002;)
+drop tls any 7 -> any 70 (flow:to_server; sid:7; gid:10000002;)
+drop tls any 8 -> any 80 (flow:to_server; sid:8; gid:10000002;)
+drop tls any 9 -> any 90 (flow:to_server; sid:9; gid:10000002;)
+drop tls any 10 -> any 100 (flow:to_server; sid:10; gid:10000002;)
+drop tls any 11 -> any 110 (flow:to_server; sid:11; gid:10000002;)
+drop tls any 12 -> any 120 (flow:to_server; sid:12; gid:10000002;)
diff --git a/tests/rule-grouping/rule-grouping-16/test.yaml b/tests/rule-grouping/rule-grouping-16/test.yaml
new file mode 100644
index 000000000..c20ec50fe
--- /dev/null
+++ b/tests/rule-grouping/rule-grouping-16/test.yaml
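Review bot: The twelve rules in rule-grouping-16/test.rules each use a different source port (1 through 12) and all carry `gid:10000002`, yet the accompanying test.yaml only asserts destination-port groups and `sig_id`, so neither variable is exercised and a reader cannot tell whether they are part of the scenario or leftovers from a report. If they are not under test, `drop tls any any -> any 10 (flow:to_server; sid:1;)` and so on for the remaining rules keeps the fixture to the single variable the README describes, "several separate single points". If the distinct source ports are deliberate, I'd suggest saying so in the test's README so the expected output can be read against the intent.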
@@ -0,0 +1,110 @@
+requires:
+ min-version: 8
+
+pcap: false
+
+args:
+ - --engine-analysis
+
+checks:
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver.__len: 12
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[0].port: 80
+ tcp.toserver[0].port2: 80
+ tcp.toserver[0].rulegroup.id: 0
+ tcp.toserver[0].rulegroup.rules[0].sig_id: 8
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[1].port: 10
+ tcp.toserver[1].port2: 10
+ tcp.toserver[1].rulegroup.id: 1
+ tcp.toserver[1].rulegroup.rules[0].sig_id: 1
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[2].port: 20
+ tcp.toserver[2].port2: 20
+ tcp.toserver[2].rulegroup.id: 2
+ tcp.toserver[2].rulegroup.rules[0].sig_id: 2
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[3].port: 30
+ tcp.toserver[3].port2: 30
+ tcp.toserver[3].rulegroup.id: 3
+ tcp.toserver[3].rulegroup.rules[0].sig_id: 3
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[4].port: 40
+ tcp.toserver[4].port2: 40
+ tcp.toserver[4].rulegroup.id: 4
+ tcp.toserver[4].rulegroup.rules[0].sig_id: 4
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[5].port: 50
+ tcp.toserver[5].port2: 50
+ tcp.toserver[5].rulegroup.id: 5
+ tcp.toserver[5].rulegroup.rules[0].sig_id: 5
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[6].port: 60
+ tcp.toserver[6].port2: 60
+ tcp.toserver[6].rulegroup.id: 6
+ tcp.toserver[6].rulegroup.rules[0].sig_id: 6
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[7].port: 70
+ tcp.toserver[7].port2: 70
+ tcp.toserver[7].rulegroup.id: 7
+ tcp.toserver[7].rulegroup.rules[0].sig_id: 7
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[8].port: 90
+ tcp.toserver[8].port2: 90
+ tcp.toserver[8].rulegroup.id: 8
+ tcp.toserver[8].rulegroup.rules[0].sig_id: 9
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[9].port: 100
+ tcp.toserver[9].port2: 100
+ tcp.toserver[9].rulegroup.id: 9
+ tcp.toserver[9].rulegroup.rules[0].sig_id: 10
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[10].port: 110
+ tcp.toserver[10].port2: 110
+ tcp.toserver[10].rulegroup.id: 10
+ tcp.toserver[10].rulegroup.rules[0].sig_id: 11
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[11].port: 120
+ tcp.toserver[11].port2: 120
+ tcp.toserver[11].rulegroup.id: 11
+ tcp.toserver[11].rulegroup.rules[0].sig_id: 12
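Review bot: The expected layout places port 80 (sid 8) at `tcp.toserver[0]` ahead of ports 10 through 70, while every other index follows ascending port order, and nothing in the test says why, so a reader cannot tell whether that placement is intended or an artefact being locked in. A one-line comment above the second filter entry, e.g. `# port 80 is expected to get the first group; the remaining single ports follow in ascending order`, would record the intent. I'd guess this reflects the engine treating port 80 specially when it orders the groups, but that should be confirmed against the engine change rather than assumed from the output.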