I have created 3 Suricata rules & I can see that non-HTTP & non-TCP traffic is dropped & the event logged. But what I can't see is SSH drops, which is strange.
I have tried a few ways of doing this but I can't seem to get this right. Is there something wrong with the rule? I can see SSH traffic but packets are not being dropped. Why is that?
drop ssh 172.16.10.10 any <> 172.16.10.20 22 (msg:"ssh attempt"; flow:established,to_server; content:"SSH-"; sid:100000; rev:1;)
drop tcp 172.16.10.10 any <> 172.16.10.20 any (msg:"block tcp traffic that is not http"; flow:established; app-layer-protocol:!http; sid:200000; rev:1;)
drop ip 172.16.10.10 any <> 172.16.10.20 any (msg: "block traffic that is not tcp."; ip_proto:!TCP; sid:300000; rev:1;)