From 51ac7233a8f4b34fffd8a8da7b115a6836d28608 Mon Sep 17 00:00:00 2001 From: Modupe Falodun Date: Thu, 10 Feb 2022 14:39:40 +0100 Subject: [PATCH] ssh-banner: add tests Bug: 4903 --- tests/bug-4903/bug-4903-01/README.md | 7 ++ tests/bug-4903/bug-4903-01/input.pcap | Bin 0 -> 524 bytes tests/bug-4903/bug-4903-01/test.rules | 4 + tests/bug-4903/bug-4903-01/test.yaml | 77 +++++++++++++++ tests/bug-4903/bug-4903-02/README.md | 7 ++ tests/bug-4903/bug-4903-02/input.pcap | Bin 0 -> 594 bytes tests/bug-4903/bug-4903-02/test.rules | 5 + tests/bug-4903/bug-4903-02/test.yaml | 77 +++++++++++++++ tests/bug-4903/bug-4903-03/README.md | 7 ++ tests/bug-4903/bug-4903-03/input.pcap | Bin 0 -> 714 bytes tests/bug-4903/bug-4903-03/test.rules | 5 + tests/bug-4903/bug-4903-03/test.yaml | 125 +++++++++++++++++++++++++ tests/bug-4903/bug-4903-04/README.md | 7 ++ tests/bug-4903/bug-4903-04/input.pcap | Bin 0 -> 784 bytes tests/bug-4903/bug-4903-04/test.rules | 5 + tests/bug-4903/bug-4903-04/test.yaml | 130 ++++++++++++++++++++++++++ 16 files changed, 456 insertions(+) create mode 100644 tests/bug-4903/bug-4903-01/README.md create mode 100644 tests/bug-4903/bug-4903-01/input.pcap create mode 100644 tests/bug-4903/bug-4903-01/test.rules create mode 100644 tests/bug-4903/bug-4903-01/test.yaml create mode 100644 tests/bug-4903/bug-4903-02/README.md create mode 100644 tests/bug-4903/bug-4903-02/input.pcap create mode 100644 tests/bug-4903/bug-4903-02/test.rules create mode 100644 tests/bug-4903/bug-4903-02/test.yaml create mode 100644 tests/bug-4903/bug-4903-03/README.md create mode 100644 tests/bug-4903/bug-4903-03/input.pcap create mode 100644 tests/bug-4903/bug-4903-03/test.rules create mode 100644 tests/bug-4903/bug-4903-03/test.yaml create mode 100644 tests/bug-4903/bug-4903-04/README.md create mode 100644 tests/bug-4903/bug-4903-04/input.pcap create mode 100644 tests/bug-4903/bug-4903-04/test.rules create mode 100644 tests/bug-4903/bug-4903-04/test.yaml 
diff --git a/tests/bug-4903/bug-4903-01/README.md b/tests/bug-4903/bug-4903-01/README.md new file mode 100644 index 000000000..79da158c2 --- /dev/null +++ b/tests/bug-4903/bug-4903-01/README.md @@ -0,0 +1,7 @@ +# Description + +Check SSH banner related keyword on pcap where only server sends its banner + +# PCAP + +The pcap comes from https://redmine.openinfosecfoundation.org/attachments/2427 diff --git a/tests/bug-4903/bug-4903-01/input.pcap b/tests/bug-4903/bug-4903-01/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..2669c1b71f015c24ff6e688fbe59f902408211be GIT binary patch literal 524 zc-p&ic+)~A1{MYw`2U}Qfe}dSt^JqK5W&Y_24tH-koUcLtkV_CZWJ^Ayc3d%!Ve2Xe1_0niPH_ML literal 0 Hc-jL100001 diff --git a/tests/bug-4903/bug-4903-01/test.rules b/tests/bug-4903/bug-4903-01/test.rules new file mode 100644 index 000000000..e579e5007 --- /dev/null +++ b/tests/bug-4903/bug-4903-01/test.rules @@ -0,0 +1,4 @@ +alert ssh any any -> any any (msg:"Bad SSH proto 2 detected !!!"; ssh.proto; content:"2.0"; classtype:bad-unknown; sid:1;) +alert ssh any any -> any any (msg:"Bad SSH proto 2 detected !!!"; ssh.proto; content:"1.99"; classtype:bad-unknown; sid:2;) +alert ssh any any -> any any (msg:"Bad SSH software client detected !!!"; ssh.software; content:"Cisco_client"; classtype:bad-unknown; sid:3;) +alert ssh any any -> any any (msg:"Bad SSH software server detected !!!"; ssh.software; content:"Cisco_server"; classtype:bad-unknown; sid:4;) diff --git a/tests/bug-4903/bug-4903-01/test.yaml b/tests/bug-4903/bug-4903-01/test.yaml new file mode 100644 index 000000000..768d4a46c --- /dev/null +++ b/tests/bug-4903/bug-4903-01/test.yaml 
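Review bot: The rule with sid:2 in test.rules carries the same msg as sid:1, `Bad SSH proto 2 detected !!!`, although its content match is `1.99`, so an alert on the 1.99 banner is labelled as a proto 2 detection; the test.yaml keys its checks on the sid, but it also asserts that msg as `alert.signature`, so a reader of the EVE output cannot tell which rule fired without the sid. Suggest `msg:"Bad SSH proto 1.99 detected !!!"` on sid:2 together with the matching `alert.signature` value in the test.yaml checks for signature_id 2. The same four rules are repeated verbatim in the test.rules hunks for bug-4903-02, -03 and -04 (those three also add a trailing empty line), so the rename applies there too.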
@@ -0,0 +1,77 @@
+requires:
+ min-version: 6
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ alert.action: allowed
+ alert.category: Potentially Bad Traffic
+ alert.gid: 1
+ alert.rev: 0
+ alert.severity: 2
+ alert.signature: Bad SSH proto 2 detected !!!
+ alert.signature_id: 2
+ app_proto: ssh
+ dest_ip: 192.168.100.1
+ dest_port: 10000
+ event_type: alert
+ flow.bytes_toclient: 258
+ flow.bytes_toserver: 162
+ flow.pkts_toclient: 2
+ flow.pkts_toserver: 3
+ proto: TCP
+ src_ip: 192.168.200.1
+ src_port: 22
+ ssh.server.proto_version: '1.99'
+ ssh.server.software_version: Cisco_server-1.24
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ alert.action: allowed
+ alert.category: Potentially Bad Traffic
+ alert.gid: 1
+ alert.rev: 0
+ alert.severity: 2
+ alert.signature: Bad SSH software server detected !!!
+ alert.signature_id: 4
+ app_proto: ssh
+ dest_ip: 192.168.100.1
+ dest_port: 10000
+ event_type: alert
+ flow.bytes_toclient: 258
+ flow.bytes_toserver: 162
+ flow.pkts_toclient: 2
+ flow.pkts_toserver: 3
+ proto: TCP
+ src_ip: 192.168.200.1
+ src_port: 22
+ ssh.server.proto_version: '1.99'
+ ssh.server.software_version: Cisco_server-1.24
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ dest_ip: 192.168.200.1
+ dest_port: 22
+ event_type: ssh
+ proto: TCP
+ src_ip: 192.168.100.1
+ src_port: 10000
+ ssh.server.proto_version: '1.99'
+ ssh.server.software_version: Cisco_server-1.24
+ tx_id: 0
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 3
diff --git a/tests/bug-4903/bug-4903-02/README.md b/tests/bug-4903/bug-4903-02/README.md
new file mode 100644
index 000000000..f6cb5fdf1
--- /dev/null
+++ b/tests/bug-4903/bug-4903-02/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Check SSH banner related keyword on pcaps where server sends its banner and client acks it
+
+# PCAP
+
+The pcap comes from https://redmine.openinfosecfoundation.org/attachments/2426
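Review bot: The alert checks in this test.yaml do not pin `pcap_cnt`, so they pass whether the sid:2 and sid:4 alerts are raised on the packet that carries the server banner or only later in the flow; the bug-4903-04 test.yaml pins `pcap_cnt: 6` / `pcap_cnt: 7` on every check, and this file and the bug-4903-02 and -03 variants would be stronger with the same field. Add `pcap_cnt: <packet number of the server banner in input.pcap>` under each `match:` block (take the value from the pcap; it is not shown in the patch). The whole-flow counters (`flow.bytes_toserver`, `flow.pkts_toserver`, ...) tie each check to this exact capture, which is fine for a regression test but means any re-capture will need every value refreshed.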
diff --git a/tests/bug-4903/bug-4903-02/input.pcap b/tests/bug-4903/bug-4903-02/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..961779f6632e6be406bb692d9b127de742d7d35a GIT binary patch literal 594 zc-p&ic+)~A1{MYw`2U}Qfe}dSt^Jo^p3cW$24tH-_ zz_85;Vv2Vb8E%OL;=KU^KvSF{rZ{EuF`NPFJA=(F`yi&Ad5Y$iy literal 0 Hc-jL100001 diff --git a/tests/bug-4903/bug-4903-02/test.rules b/tests/bug-4903/bug-4903-02/test.rules new file mode 100644 index 000000000..750cb0ea9 --- /dev/null +++ b/tests/bug-4903/bug-4903-02/test.rules @@ -0,0 +1,5 @@ +alert ssh any any -> any any (msg:"Bad SSH proto 2 detected !!!"; ssh.proto; content:"2.0"; classtype:bad-unknown; sid:1;) +alert ssh any any -> any any (msg:"Bad SSH proto 2 detected !!!"; ssh.proto; content:"1.99"; classtype:bad-unknown; sid:2;) +alert ssh any any -> any any (msg:"Bad SSH software client detected !!!"; ssh.software; content:"Cisco_client"; classtype:bad-unknown; sid:3;) +alert ssh any any -> any any (msg:"Bad SSH software server detected !!!"; ssh.software; content:"Cisco_server"; classtype:bad-unknown; sid:4;) + diff --git a/tests/bug-4903/bug-4903-02/test.yaml b/tests/bug-4903/bug-4903-02/test.yaml new file mode 100644 index 000000000..ad21e2ccd --- /dev/null +++ b/tests/bug-4903/bug-4903-02/test.yaml 
@@ -0,0 +1,77 @@
+requires:
+ min-version: 6
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ alert.action: allowed
+ alert.category: Potentially Bad Traffic
+ alert.gid: 1
+ alert.rev: 0
+ alert.severity: 2
+ alert.signature: Bad SSH proto 2 detected !!!
+ alert.signature_id: 2
+ app_proto: ssh
+ dest_ip: 192.168.100.1
+ dest_port: 10001
+ event_type: alert
+ flow.bytes_toclient: 258
+ flow.bytes_toserver: 216
+ flow.pkts_toclient: 2
+ flow.pkts_toserver: 4
+ proto: TCP
+ src_ip: 192.168.200.1
+ src_port: 22
+ ssh.server.proto_version: '1.99'
+ ssh.server.software_version: Cisco_server-1.24
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ alert.action: allowed
+ alert.category: Potentially Bad Traffic
+ alert.gid: 1
+ alert.rev: 0
+ alert.severity: 2
+ alert.signature: Bad SSH software server detected !!!
+ alert.signature_id: 4
+ app_proto: ssh
+ dest_ip: 192.168.100.1
+ dest_port: 10001
+ event_type: alert
+ flow.bytes_toclient: 258
+ flow.bytes_toserver: 216
+ flow.pkts_toclient: 2
+ flow.pkts_toserver: 4
+ proto: TCP
+ src_ip: 192.168.200.1
+ src_port: 22
+ ssh.server.proto_version: '1.99'
+ ssh.server.software_version: Cisco_server-1.24
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ dest_ip: 192.168.200.1
+ dest_port: 22
+ event_type: ssh
+ proto: TCP
+ src_ip: 192.168.100.1
+ src_port: 10001
+ ssh.server.proto_version: '1.99'
+ ssh.server.software_version: Cisco_server-1.24
+ tx_id: 0
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 3
diff --git a/tests/bug-4903/bug-4903-03/README.md b/tests/bug-4903/bug-4903-03/README.md
new file mode 100644
index 000000000..7d6215642
--- /dev/null
+++ b/tests/bug-4903/bug-4903-03/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Check SSH banner related keyword on pcaps where server sends its banner and client sends its banner
+
+# PCAP
+
+The pcap comes from https://redmine.openinfosecfoundation.org/attachments/2429
diff --git a/tests/bug-4903/bug-4903-03/input.pcap b/tests/bug-4903/bug-4903-03/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..7fe03a777885c65ade9b897030a9ee6bebccf13d GIT binary patch literal 714 zc-p&ic+)~A1{MYw`2U}Qfe}dSt^JqqsDh8d49GTv$_WU9NdXQ9R|Wae`4@h(U~jfhhu{CV)wSVJ9ENl%^_FQxw3aC}5a!f)QjAgBZ{p2Btkg92p>_ zz_85`Vv1l58E%OL;=KU^KvSF`rfAgiF`NPFJA=(F`yi&Ad5Y$iy91QZ? p(Flm&jPwkkUQ5o&OwB6+dCgRT_O9n^ATNG_t`|{Y*t&v&0RT^fV`~5a literal 0 Hc-jL100001 diff --git a/tests/bug-4903/bug-4903-03/test.rules b/tests/bug-4903/bug-4903-03/test.rules new file mode 100644 index 000000000..750cb0ea9 --- /dev/null +++ b/tests/bug-4903/bug-4903-03/test.rules @@ -0,0 +1,5 @@ +alert ssh any any -> any any (msg:"Bad SSH proto 2 detected !!!"; ssh.proto; content:"2.0"; classtype:bad-unknown; sid:1;) +alert ssh any any -> any any (msg:"Bad SSH proto 2 detected !!!"; ssh.proto; content:"1.99"; classtype:bad-unknown; sid:2;) +alert ssh any any -> any any (msg:"Bad SSH software client detected !!!"; ssh.software; content:"Cisco_client"; classtype:bad-unknown; sid:3;) +alert ssh any any -> any any (msg:"Bad SSH software server detected !!!"; ssh.software; content:"Cisco_server"; classtype:bad-unknown; sid:4;) + diff --git a/tests/bug-4903/bug-4903-03/test.yaml b/tests/bug-4903/bug-4903-03/test.yaml new file mode 100644 index 000000000..1f5a4464f --- /dev/null +++ b/tests/bug-4903/bug-4903-03/test.yaml 
@@ -0,0 +1,125 @@
+requires:
+ min-version: 6
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ alert.action: allowed
+ alert.category: Potentially Bad Traffic
+ alert.gid: 1
+ alert.rev: 0
+ alert.severity: 2
+ alert.signature: Bad SSH proto 2 detected !!!
+ alert.signature_id: 1
+ app_proto: ssh
+ dest_ip: 192.168.200.1
+ dest_port: 22
+ event_type: alert
+ flow.bytes_toclient: 258
+ flow.bytes_toserver: 336
+ flow.pkts_toclient: 2
+ flow.pkts_toserver: 4
+ proto: TCP
+ src_ip: 192.168.100.1
+ src_port: 10002
+ ssh.client.proto_version: '2.0'
+ ssh.client.software_version: Cisco_client-1.25
+ ssh.server.proto_version: '1.99'
+ ssh.server.software_version: Cisco_server-1.24
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ alert.action: allowed
+ alert.category: Potentially Bad Traffic
+ alert.gid: 1
+ alert.rev: 0
+ alert.severity: 2
+ alert.signature: Bad SSH software client detected !!!
+ alert.signature_id: 3
+ app_proto: ssh
+ dest_ip: 192.168.200.1
+ dest_port: 22
+ event_type: alert
+ flow.bytes_toclient: 258
+ flow.bytes_toserver: 336
+ flow.pkts_toclient: 2
+ flow.pkts_toserver: 4
+ proto: TCP
+ src_ip: 192.168.100.1
+ src_port: 10002
+ ssh.client.proto_version: '2.0'
+ ssh.client.software_version: Cisco_client-1.25
+ ssh.server.proto_version: '1.99'
+ ssh.server.software_version: Cisco_server-1.24
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ dest_ip: 192.168.200.1
+ dest_port: 22
+ event_type: ssh
+ proto: TCP
+ src_ip: 192.168.100.1
+ src_port: 10002
+ ssh.client.proto_version: '2.0'
+ ssh.client.software_version: Cisco_client-1.25
+ ssh.server.proto_version: '1.99'
+ ssh.server.software_version: Cisco_server-1.24
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ alert.action: allowed
+ alert.category: Potentially Bad Traffic
+ alert.gid: 1
+ alert.rev: 0
+ alert.severity: 2
+ alert.signature: Bad SSH proto 2 detected !!!
+ alert.signature_id: 2 + app_proto: ssh + dest_ip: 192.168.100.1 + dest_port: 10002 + event_type: alert + flow.bytes_toclient: 258 + flow.bytes_toserver: 336 + flow.pkts_toclient: 2 + flow.pkts_toserver: 4 + proto: TCP + src_ip: 192.168.200.1 + src_port: 22 + ssh.client.proto_version: '2.0' + ssh.client.software_version: Cisco_client-1.25 + ssh.server.proto_version: '1.99' + ssh.server.software_version: Cisco_server-1.24 + tx_id: 0 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: Potentially Bad Traffic + alert.gid: 1 + alert.rev: 0 + alert.severity: 2 + alert.signature: Bad SSH software server detected !!! + alert.signature_id: 4 + app_proto: ssh + dest_ip: 192.168.100.1 + dest_port: 10002 + event_type: alert + flow.bytes_toclient: 258 + flow.bytes_toserver: 336 + flow.pkts_toclient: 2 + flow.pkts_toserver: 4 + proto: TCP + src_ip: 192.168.200.1 + src_port: 22 + ssh.client.proto_version: '2.0' + ssh.client.software_version: Cisco_client-1.25 + ssh.server.proto_version: '1.99' + ssh.server.software_version: Cisco_server-1.24 + tx_id: 0 diff --git a/tests/bug-4903/bug-4903-04/README.md b/tests/bug-4903/bug-4903-04/README.md new file mode 100644 index 000000000..cb9124a03 --- /dev/null +++ b/tests/bug-4903/bug-4903-04/README.md @@ -0,0 +1,7 @@ +# Description + +Check SSH banner related keyword on pcaps where server sends its banner, client sends its banner, and server server the client's banner + +# PCAP + +The pcap comes from https://redmine.openinfosecfoundation.org/attachments/2428 diff --git a/tests/bug-4903/bug-4903-04/input.pcap b/tests/bug-4903/bug-4903-04/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..73cf1f1c8ec5b885b4da00e4e21d1dacd40caafc GIT binary patch literal 784 zc-p&ic+)~A1{MYw`2U}Qfe}dSt^JoE-_6Hh24tH-J%FZ5CQxw3aC}5a!f)QjAgBZ{p2Btkg92p>_ zz_85$Vv0u}8E%OL;=KU^KvNtcrj+&bF`NPFJA=(F`yi&Ad5Y$iy91QZ? z(Qt_0jPwkkUQ5o&OwB6+dCgRT_O4$xiS$&$91QfqMUd;a8bjiD-emGp2`~&qfTk>G GU;qGQw{a5y literal 0 Hc-jL100001 
diff --git a/tests/bug-4903/bug-4903-04/test.rules b/tests/bug-4903/bug-4903-04/test.rules
new file mode 100644
index 000000000..750cb0ea9
--- /dev/null
+++ b/tests/bug-4903/bug-4903-04/test.rules
@@ -0,0 +1,5 @@
+alert ssh any any -> any any (msg:"Bad SSH proto 2 detected !!!"; ssh.proto; content:"2.0"; classtype:bad-unknown; sid:1;)
+alert ssh any any -> any any (msg:"Bad SSH proto 2 detected !!!"; ssh.proto; content:"1.99"; classtype:bad-unknown; sid:2;)
+alert ssh any any -> any any (msg:"Bad SSH software client detected !!!"; ssh.software; content:"Cisco_client"; classtype:bad-unknown; sid:3;)
+alert ssh any any -> any any (msg:"Bad SSH software server detected !!!"; ssh.software; content:"Cisco_server"; classtype:bad-unknown; sid:4;)
+
diff --git a/tests/bug-4903/bug-4903-04/test.yaml b/tests/bug-4903/bug-4903-04/test.yaml
new file mode 100644
index 000000000..ce7e992d8
--- /dev/null
+++ b/tests/bug-4903/bug-4903-04/test.yaml
@@ -0,0 +1,130 @@
+requires:
+ min-version: 6
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ alert.action: allowed
+ alert.category: Potentially Bad Traffic
+ alert.gid: 1
+ alert.rev: 0
+ alert.severity: 2
+ alert.signature: Bad SSH proto 2 detected !!!
+ alert.signature_id: 2
+ app_proto: ssh
+ dest_ip: 192.168.100.1
+ dest_port: 10003
+ event_type: alert
+ flow.bytes_toclient: 312
+ flow.bytes_toserver: 282
+ flow.pkts_toclient: 3
+ flow.pkts_toserver: 3
+ pcap_cnt: 6
+ proto: TCP
+ src_ip: 192.168.200.1
+ src_port: 22
+ ssh.client.proto_version: '2.0'
+ ssh.client.software_version: Cisco_client-1.25
+ ssh.server.proto_version: '1.99'
+ ssh.server.software_version: Cisco_server-1.24
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ alert.action: allowed
+ alert.category: Potentially Bad Traffic
+ alert.gid: 1
+ alert.rev: 0
+ alert.severity: 2
+ alert.signature: Bad SSH software server detected !!!
+ alert.signature_id: 4
+ app_proto: ssh
+ dest_ip: 192.168.100.1
+ dest_port: 10003
+ event_type: alert
+ flow.bytes_toclient: 312
+ flow.bytes_toserver: 282
+ flow.pkts_toclient: 3
+ flow.pkts_toserver: 3
+ pcap_cnt: 6
+ proto: TCP
+ src_ip: 192.168.200.1
+ src_port: 22
+ ssh.client.proto_version: '2.0'
+ ssh.client.software_version: Cisco_client-1.25
+ ssh.server.proto_version: '1.99'
+ ssh.server.software_version: Cisco_server-1.24
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ dest_ip: 192.168.200.1
+ dest_port: 22
+ event_type: ssh
+ pcap_cnt: 6
+ proto: TCP
+ src_ip: 192.168.100.1
+ src_port: 10003
+ ssh.client.proto_version: '2.0'
+ ssh.client.software_version: Cisco_client-1.25
+ ssh.server.proto_version: '1.99'
+ ssh.server.software_version: Cisco_server-1.24
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ alert.action: allowed
+ alert.category: Potentially Bad Traffic
+ alert.gid: 1
+ alert.rev: 0
+ alert.severity: 2
+ alert.signature: Bad SSH proto 2 detected !!!
+ alert.signature_id: 1
+ app_proto: ssh
+ dest_ip: 192.168.200.1
+ dest_port: 22
+ event_type: alert
+ flow.bytes_toclient: 312
+ flow.bytes_toserver: 336
+ flow.pkts_toclient: 3
+ flow.pkts_toserver: 4
+ pcap_cnt: 7
+ proto: TCP
+ src_ip: 192.168.100.1
+ src_port: 10003
+ ssh.client.proto_version: '2.0'
+ ssh.client.software_version: Cisco_client-1.25
+ ssh.server.proto_version: '1.99'
+ ssh.server.software_version: Cisco_server-1.24
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ alert.action: allowed
+ alert.category: Potentially Bad Traffic
+ alert.gid: 1
+ alert.rev: 0
+ alert.severity: 2
+ alert.signature: Bad SSH software client detected !!!
+ alert.signature_id: 3
+ app_proto: ssh
+ dest_ip: 192.168.200.1
+ dest_port: 22
+ event_type: alert
+ flow.bytes_toclient: 312
+ flow.bytes_toserver: 336
+ flow.pkts_toclient: 3
+ flow.pkts_toserver: 4
+ pcap_cnt: 7
+ proto: TCP
+ src_ip: 192.168.100.1
+ src_port: 10003
+ ssh.client.proto_version: '2.0'
+ ssh.client.software_version: Cisco_client-1.25
+ ssh.server.proto_version: '1.99'
+ ssh.server.software_version: Cisco_server-1.24
+ tx_id: 0
-- 
2.47.2