diff --git a/tests/ssh-banner-lt7/test.rules b/tests/ssh-banner-lt7/test.rules
new file mode 100644
index 000000000..7bd468092
--- /dev/null
+++ b/tests/ssh-banner-lt7/test.rules
@@ -0,0 +1,2 @@
+# ssh.softwareversion is deprecated in favor of ssh.software this is just to check if it still works
+alert ssh any any -> any any (ssh.softwareversion:OpenSSH_7.4; sid:2;)
diff --git a/tests/ssh-banner-lt7/test.yaml b/tests/ssh-banner-lt7/test.yaml
new file mode 100644
index 000000000..3c9ab43a6
--- /dev/null
+++ b/tests/ssh-banner-lt7/test.yaml
@@ -0,0 +1,23 @@
+requires:
+  lt-version: 7
+
+pcap: ../ssh-banner-only/input.pcap
+
+args:
+  - -k none
+
+checks:
+  # Check that we have the ssh event in eve.json
+  - filter:
+      count: 1
+      match:
+        event_type: ssh
+        ssh.client.proto_version: "2.0"
+        ssh.server.proto_version: "2.0"
+        ssh.client.software_version: "OpenSSH_for_Windows_7.7"
+        ssh.server.software_version: "OpenSSH_7.4"
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 2
diff --git a/tests/ssh-banner-only/test.rules b/tests/ssh-banner-only/test.rules
index dfeade1e4..b9d158f83 100644
--- a/tests/ssh-banner-only/test.rules
+++ b/tests/ssh-banner-only/test.rules
@@ -1,4 +1,2 @@
 alert ssh any any -> any any (ssh.software; content:"OpenSSH"; sid:1;)
-# ssh.softwareversion is deprecated in favor of ssh.software this is just to check if it still works
-alert ssh any any -> any any (ssh.softwareversion:OpenSSH_7.4; sid:2;)
 alert ssh any any -> any any (ssh.proto; content:"2"; sid:3;)
diff --git a/tests/ssh-banner-only/test.yaml b/tests/ssh-banner-only/test.yaml
index 02e82d20c..02cb26630 100644
--- a/tests/ssh-banner-only/test.yaml
+++ b/tests/ssh-banner-only/test.yaml
@@ -1,6 +1,3 @@
-features:
-  - RUST
-
 args:
   - -k none
 
@@ -19,11 +16,6 @@ checks:
       match:
         event_type: alert
         alert.signature_id: 1
-  - filter:
-      count: 1
-      match:
-        event_type: alert
-        alert.signature_id: 2
   - filter:
       count: 2
       match:
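Review bot: The comment copied into the new tests/ssh-banner-lt7/test.rules still only says the keyword is deprecated, which no longer explains why this rule lives in a separate directory instead of next to sid 1 and sid 3. A reader landing here later will not see the `lt-version: 7` gate in the sibling test.yaml, so the reason for the split should be stated in the rules file itself, e.g. `# ssh.softwareversion is deprecated in favor of ssh.software and is no longer accepted by Suricata 7+; this test is kept separate (lt-version: 7) to check that older versions still load and match it`. Keeping the original wording plus that one clause also makes it obvious the test is expected to be dropped rather than ported once pre-7 versions are out of support.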
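Review bot: The new tests/ssh-banner-lt7/test.yaml carries no `features:` requirement, while the test it was split from declared `features: - RUST` before this commit removed it (see the ssh-banner-only/test.yaml hunk later in the diff). That removal is presumably fine for the version range ssh-banner-only now targets, but this new file is the one explicitly restricted to versions below 7, where a Rust-less build may still be a valid configuration; if the eve `ssh` record and the `ssh.softwareversion` match depend on the Rust SSH parser on those versions, the lt7 test should keep `features:\n  - RUST` rather than silently drop it. Separately, `pcap: ../ssh-banner-only/input.pcap` couples this test to another test's fixture; a short comment such as `# shares the banner-only capture; keep in sync if ssh-banner-only's pcap changes` would make the dependency visible to whoever next edits that directory.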