Channel: THWACK: Message List - Network Configuration Manager

Re: Regex for VTY Transport Compliance


Here is how I do my VTY matching. The problem with using "transport input ssh" as your config block end is that if it actually contains just "transport input telnet" or "transport input telnet ssh", it will not even see it in your config. With this one, you put what you want to look for in the "String matching" section.

 

In the "Search Config File/Block" section you start off looking for lines that start with "line vty" (at the start of the line). For the end of the config block I make a passive (i.e., non-capturing) match on either a config line beginning with "line" (i.e., the next "line vty" block, like "line vty 5 15") or beginning with a "!". I haven't seen it do anything beyond those two combinations after a "line vty" block...

 

I use this for a few different things, like checking to make sure our access-class is there, the timeouts are correct, transport input is set to ssh, etc. etc... You never have to modify the config block settings, just the string matching, to change it to different purposes... Remediation scripts are fairly simple; let me know if you need examples...

 

vty_block.jpg
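
The block-matching approach described in the post above, as an added example that is not part of the original post and not NCM's own rule syntax: a Python sketch that starts a block at `line vty`, ends it with a non-consuming lookahead at the next line beginning with `line` or `!`, and then applies a swappable string match to each block. The function names, patterns and sample config are constructed for illustration.

```python
import re

# Block start: "line vty" at the start of a line.
# Block end: lookahead (consumes nothing) for the next line that begins
# with "line" or "!", or the end of the file.
VTY_BLOCK = re.compile(r"^line vty.*?(?=^(?:line|!)|\Z)", re.M | re.S)

def vty_blocks(config):
    """Return the text of every 'line vty' block in a running config."""
    return [m.group(0) for m in VTY_BLOCK.finditer(config)]

def check_vty(config, must_match):
    """Apply one string-matching rule to each vty block.

    Returns a list of (block header, compliant?) tuples, so a block that
    lacks the required line is reported instead of silently skipped.
    """
    rule = re.compile(must_match, re.M)
    results = []
    for block in vty_blocks(config):
        header = block.splitlines()[0].strip()
        results.append((header, bool(rule.search(block))))
    return results

# Constructed sample config: the second vty range still allows telnet
# and has no exec-timeout.
SAMPLE_CONFIG = """\
!
line con 0
 exec-timeout 5 0
line vty 0 4
 access-class 10 in
 exec-timeout 10 0
 transport input ssh
line vty 5 15
 access-class 10 in
 transport input telnet ssh
!
end
"""

# Only the string-matching rule changes between checks; the block stays fixed.
SSH_ONLY = r"^\s*transport input ssh\s*$"
ACCESS_CLASS = r"^\s*access-class 10 in\s*$"
EXEC_TIMEOUT = r"^\s*exec-timeout 10 0\s*$"

if __name__ == "__main__":
    for header, ok in check_vty(SAMPLE_CONFIG, SSH_ONLY):
        print(header, "compliant" if ok else "VIOLATION")
```

Because the block boundary does not depend on `transport input ssh`, the `line vty 5 15` range with `transport input telnet ssh` is still captured and flagged.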

