local.rules

alert ip any any -> any any (msg:"Exercise 1 - OpenSSH"; content:"OpenSSH"; sid:1000001; rev:1;)
alert ip any any -> any any (msg:"Exercise 2 - OpenSSH not HTTP"; content:"OpenSSH"; depth: 15 ; sid:1000002; rev:1;)
alert ip any any -> any any (msg:"Exercise 2 alt - OpenSSH not HTTP"; pcre:"/^SSH\-.*OpenSSH/"; sid:1000003; rev:1;)
alert ip any any -> any any (msg:"Exercise 3 - OpenSSH not HTTP - Server only"; flow:from_server; pcre:"/^SSH\-.*OpenSSH/"; sid:1000003; rev:1;)
alert tcp any any -> any any ( msg:"Tor uplink (tested: 0.2.6.10)";  content: "|16 03 01|"; offset: 0; depth: 3; rawbytes;  content: "|01|"; distance: 1; rawbytes;  content: "|03 03|"; distance: 3; rawbytes;  byte_jump: 1,43,align;  content: "|00 30|"; distance: 0; rawbytes;  content: "|C0 2B C0 2F C0 0A C0 09 C0 13 C0 14 C0 12 C0 07 C0 11 00 33 00 32 00 45 00 39 00 38 00 88 00 16 00 2F 00 41 00 35 00 84 00 0A 00 05 00 04 00 FF|"; distance: 0; rawbytes;  content: "|01 00|"; distance: 0; rawbytes;  content: "|00 00|"; rawbytes; distance: 2;  byte_jump: 2,0,relative;  content: "|00 0B|"; rawbytes; distance: 0;  content: "|03 00 01 02|"; rawbytes; distance: 0;  content: "|00 0A|"; rawbytes; distance: 0;  content: "|1a00 17 00 19 00 1C 00 1B 00 18 00 1A 00 16 00 0E 00 0D 00 0B 00 0C 00 09 00 0A|"; rawbytes; distance: 0;  content: "|00 23|"; rawbytes; distance: 0;  byte_jump: 2,0,relative;  content: "|00 0D|"; rawbytes; distance: 0;  content: "|1e06 01 06 02 06 03 05 01 05 02 05 03 04 01 04 02 04 03 03 01 03 02 03 03 02 01 02 02 02 03|"; rawbytes; distance: 0;  content: "|00 0F|"; rawbytes; distance: 0;  sid:1000303; rev:1;)