This is very minimal and should be expanded on.
Ticket: #7601
--- /dev/null
+# Description
+
+Test dnp3_func rule keyword.
+
+# PCAP
+
+The pcap comes from running the master-demo and outstation-demo from
+the OpenDNP3 project.
--- /dev/null
+local dnp3 = require("suricata.dnp3")
+
+function init (args)
+ return {dnp3 = true}
+end
+
+function match(args)
+ -- No args for DNP3.
+
+ -- Get transaction.
+ local tx = dnp3.get_tx()
+
+ if not tx["is_request"] then
+ return 0
+ end
+
+ local request = tx["request"]
+ if request == nil then
+ return 0
+ end
+
+ if not request["done"] then
+ return 0
+ end
+
+ if not request["complete"] then
+ return 0
+ end
+
+ return 1
+end
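Review bot: `match` never reads the function code, so the whole function-code filter this test is meant to exercise lives in `dnp3_func:21` in the rule, and the script should say so; add a header above `function match(args)` such as `-- Matches any completed DNP3 request; the function-code filter is provided by dnp3_func in test.rules.` The `-- No args for DNP3.` comment would be clearer as `-- The args table is unused here; the transaction comes from dnp3.get_tx().` If `dnp3.get_tx()` can ever return nil (it is not clear from this hunk whether it errors or returns nil outside a transaction), the index on the next line raises instead of returning 0; a guard `if tx == nil then return 0 end` before `if not tx["is_request"] then` makes the no-match path explicit. The `done` and `complete` checks look redundant from here; a one-line comment on the `done` check stating what distinguishes the two fields would help the next reader.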
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert:
+ - dnp3:
+
+app-layer:
+ protocols:
+ dnp3:
+ enabled: yes
+ detection-ports:
+ dp: 20000
--- /dev/null
+alert dnp3 any any -> any any (msg:"LUA"; dnp3_func:21; lua:rule.lua; sid:4; rev:1;)
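Review bot: With only one rule, the single expected alert cannot tell whether `dnp3_func:21` actually filtered anything or whether the Lua script alone produced the match. A second rule with the same `lua:rule.lua` but a function code that does not occur in the pcap (placeholder value, to be picked from the capture), expected to fire zero times in test.yaml, would confirm the keyword is doing the selection; this is presumably what the commit description means by "should be expanded on".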
--- /dev/null
+requires:
+ min-version: 8
+
+args:
+ - --set security.lua.allow-rules=true
+
+pcap: ../dnp3-eve/input.pcap
+
+checks:
+ - filter:
+ count: 1
+ match:
+ alert.signature_id: 4
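Review bot: `pcap: ../dnp3-eve/input.pcap` couples this test to a sibling test's input, while the README above describes the capture as if it belonged to this test; if the dnp3-eve pcap is ever regenerated this test's expectations change silently. Either copy the capture into this directory or state the dependency in the README (`The pcap is shared with the dnp3-eve test.`). A one-line comment on the `--set security.lua.allow-rules=true` arg, such as `# Lua rules are disabled by default in Suricata 8; enable them for this test.`, would document why the override is needed (inferred from the min-version requirement; confirm against the 8.x default).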