Add tests for modbus logging and alerting.
--- /dev/null
+Test Modbus output and alerts
+
+Sample PCAP edited from: https://github.com/ITI/ICS-Security-Tools/blob/master/pcaps/bro/modbus/modbus.pcap
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: true
+ types:
+ - modbus
+ - alert
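Review bot: The config only turns on the eve-log `modbus` and `alert` types and does not touch the app-layer section, so the test depends on the modbus parser being enabled in whatever base configuration the harness merges this file into; in stock Suricata configs the modbus app-layer has historically been disabled by default, which would leave every check in the test yaml at zero matches. If that applies here, add an explicit `app-layer: protocols: modbus: enabled: yes` stanza to this file so the test is self-contained rather than relying on the base config.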
--- /dev/null
+alert modbus any any -> any any (msg:"Modbus function number test"; modbus: function 1; sid:1; rev:1;)
+alert modbus any any -> any any (msg:"Modbus function word test"; modbus: function assigned; sid:2; rev:1;)
+alert modbus any any -> any any (msg:"Modbus access test"; modbus: access read; sid:3; rev:1;)
+alert modbus any any -> any any (msg:"Modbus unit test"; modbus: unit 10; sid:4; rev:1;)
+alert modbus any any -> any any (msg:"Modbus full test"; modbus: unit >9, access read coils, address 0<>2; sid:5; rev:1;)
--- /dev/null
+requires:
+ min-version: 7.0.0
+
+args:
+ - -k none
+
+checks:
+
+ - filter:
+ count: 1
+ match:
+ event_type: modbus
+ modbus.id: 10
+
+ - filter:
+ count: 2
+ match:
+ event_type: modbus
+ modbus.request.function_code: RdCoils
+
+ - filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ modbus.request.access_type: "READ | COILS"
+ modbus.response.category: "PUBLIC_ASSIGNED"
+
+ - filter:
+ count: 18
+ match:
+ event_type: alert
+ alert.signature_id: 2
+
+ - filter:
+ count: 3
+ match:
+ event_type: alert
+ alert.signature_id: 3
+
+ - filter:
+ count: 18
+ match:
+ event_type: alert
+ alert.signature_id: 4
+
+ - filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 4
+ modbus.request.function_code: "MEI"
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 5
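Review bot: None of the checks pin the total number of `event_type: modbus` records, so a parser regression that drops or duplicates transactions outside the two filtered function codes (`RdCoils` at the second filter, `MEI` via the sid 4 filter) would still pass; add a plain `- filter: count: <TOTAL_MODBUS_EVENTS> match: event_type: modbus` check with the count taken from the current eve.json output. The first filter checks `modbus.id: 10` while sid 4 matches on `unit 10` and fires 18 times, so `id` appears to be a different field from the unit identifier; if the eve record carries the unit identifier separately, a companion modbus-event check on that field would confirm the sid 4 rule matches for the intended reason.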