update to not do any exact file matches...

changes in flow id can break the tests

diff --git a/alert-testmyids-not-established/check.sh b/alert-testmyids-not-established/check.sh
new file mode 100755 (executable)
index 0000000..a6cff0c
--- /dev/null
+++ b/alert-testmyids-not-established/check.sh
@@ -0,0 +1,13 @@
+#! /bin/sh
+
+. ../functions.sh
+
+# Should have one fast log entry.
+n=$(cat output/fast.log | wc -l)
+assert_eq 1 "$n" "bad fast.log"
+
+# Should have one eve alert.
+n=$(jq_count output/eve.json 'select(.event_type == "alert")')
+assert_eq 1 "$n" "eve.json alerts"
+
+exit 0

diff --git a/alert-testmyids-not-established/expected/eve.json b/alert-testmyids-not-established/expected/eve.json
deleted file mode 100644 (file)
index b6c4c2c..0000000
--- a/alert-testmyids-not-established/expected/eve.json
+++ /dev/null
@@ -1 +0,0 @@
-{"timestamp":"2016-07-13T22:42:07.388030+0000","flow_id":1842518484315070,"pcap_cnt":1,"event_type":"alert","src_ip":"82.165.177.154","src_port":80,"dest_ip":"10.16.1.11","dest_port":54186,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2},"payload":"SFRUUC8xLjEgMjAwIE9LDQpEYXRlOiBXZWQsIDEzIEp1bCAyMDE2IDIyOjQyOjA3IEdNVA0KU2VydmVyOiBBcGFjaGUNCkxhc3QtTW9kaWZpZWQ6IE1vbiwgMTUgSmFuIDIwMDcgMjM6MTE6NTUgR01UDQpFVGFnOiAiMTgxYzg0OWEtMjctNDI3MWM1ZjFhYzRjMCINCkFjY2VwdC1SYW5nZXM6IGJ5dGVzDQpDb250ZW50LUxlbmd0aDogMzkNCkNvbnRlbnQtVHlwZTogdGV4dC9odG1sDQoNCnVpZD0wKHJvb3QpIGdpZD0wKHJvb3QpIGdyb3Vwcz0wKHJvb3QpCg==","payload_printable":"HTTP\/1.1 200 OK\r\nDate: Wed, 13 Jul 2016 22:42:07 GMT\r\nServer: Apache\r\nLast-Modified: Mon, 15 Jan 2007 23:11:55 GMT\r\nETag: \"181c849a-27-4271c5f1ac4c0\"\r\nAccept-Ranges: bytes\r\nContent-Length: 39\r\nContent-Type: text\/html\r\n\r\nuid=0(root) gid=0(root) groups=0(root)\n","stream":0,"packet":"2MuK7aFGABUXDQb3CABFAAErVHNAADEG5P9SpbGaChABCwBQ06qX5tInesioD1AYAUvACwAASFRUUC8xLjEgMjAwIE9LDQpEYXRlOiBXZWQsIDEzIEp1bCAyMDE2IDIyOjQyOjA3IEdNVA0KU2VydmVyOiBBcGFjaGUNCkxhc3QtTW9kaWZpZWQ6IE1vbiwgMTUgSmFuIDIwMDcgMjM6MTE6NTUgR01UDQpFVGFnOiAiMTgxYzg0OWEtMjctNDI3MWM1ZjFhYzRjMCINCkFjY2VwdC1SYW5nZXM6IGJ5dGVzDQpDb250ZW50LUxlbmd0aDogMzkNCkNvbnRlbnQtVHlwZTogdGV4dC9odG1sDQoNCnVpZD0wKHJvb3QpIGdpZD0wKHJvb3QpIGdyb3Vwcz0wKHJvb3QpCg==","packet_info":{"linktype":1}}

diff --git a/alert-testmyids-not-established/expected/fast.log b/alert-testmyids-not-established/expected/fast.log
deleted file mode 100644 (file)
index 738f3b3..0000000
--- a/alert-testmyids-not-established/expected/fast.log
+++ /dev/null
@@ -1 +0,0 @@
-07/13/2016-22:42:07.388030  [**] [1:2:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 82.165.177.154:80 -> 10.16.1.11:54186

diff --git a/alert-testmyids/check.sh b/alert-testmyids/check.sh
new file mode 100755 (executable)
index 0000000..a6cff0c
--- /dev/null
+++ b/alert-testmyids/check.sh
@@ -0,0 +1,13 @@
+#! /bin/sh
+
+. ../functions.sh
+
+# Should have one fast log entry.
+n=$(cat output/fast.log | wc -l)
+assert_eq 1 "$n" "bad fast.log"
+
+# Should have one eve alert.
+n=$(jq_count output/eve.json 'select(.event_type == "alert")')
+assert_eq 1 "$n" "eve.json alerts"
+
+exit 0

diff --git a/alert-testmyids/expected/eve.json b/alert-testmyids/expected/eve.json
deleted file mode 100644 (file)
index 03432e6..0000000
--- a/alert-testmyids/expected/eve.json
+++ /dev/null
@@ -1 +0,0 @@
-{"timestamp":"2016-07-13T22:42:07.573103+0000","flow_id":1842518484266121,"pcap_cnt":9,"event_type":"alert","src_ip":"82.165.177.154","src_port":80,"dest_ip":"10.16.1.11","dest_port":54186,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2},"http":{"hostname":"www.testmyids.com","url":"\/","http_user_agent":"curl\/7.43.0","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":39},"payload":"SFRUUC8xLjEgMjAwIE9LDQpEYXRlOiBXZWQsIDEzIEp1bCAyMDE2IDIyOjQyOjA3IEdNVA0KU2VydmVyOiBBcGFjaGUNCkxhc3QtTW9kaWZpZWQ6IE1vbiwgMTUgSmFuIDIwMDcgMjM6MTE6NTUgR01UDQpFVGFnOiAiMTgxYzg0OWEtMjctNDI3MWM1ZjFhYzRjMCINCkFjY2VwdC1SYW5nZXM6IGJ5dGVzDQpDb250ZW50LUxlbmd0aDogMzkNCkNvbnRlbnQtVHlwZTogdGV4dC9odG1sDQoNCnVpZD0wKHJvb3QpIGdpZD0wKHJvb3QpIGdyb3Vwcz0wKHJvb3QpCg==","payload_printable":"HTTP\/1.1 200 OK\r\nDate: Wed, 13 Jul 2016 22:42:07 GMT\r\nServer: Apache\r\nLast-Modified: Mon, 15 Jan 2007 23:11:55 GMT\r\nETag: \"181c849a-27-4271c5f1ac4c0\"\r\nAccept-Ranges: bytes\r\nContent-Length: 39\r\nContent-Type: text\/html\r\n\r\nuid=0(root) gid=0(root) groups=0(root)\n","stream":1,"packet":"2MuK7aFGABUXDQb3CABFAAAoVHRAADEG5gFSpbGaChABCwBQ06qX5tMqesioEFARAUs9SQAAAAAAAAAA","packet_info":{"linktype":1}}

diff --git a/alert-testmyids/expected/fast.log b/alert-testmyids/expected/fast.log
deleted file mode 100644 (file)
index f10278f..0000000
--- a/alert-testmyids/expected/fast.log
+++ /dev/null
@@ -1 +0,0 @@
-07/13/2016-22:42:07.573103  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 82.165.177.154:80 -> 10.16.1.11:54186

diff --git a/dnp3-dnp3_data-alert/check.sh b/dnp3-dnp3_data-alert/check.sh
new file mode 100755 (executable)
index 0000000..8620ee1
--- /dev/null
+++ b/dnp3-dnp3_data-alert/check.sh
@@ -0,0 +1,9 @@
+#! /bin/sh
+
+. ../functions.sh
+
+# Should have 4 DNP3 data match alerts.
+n=$(grep "DNP3 Data match" output/eve.json | wc -l)
+assert_eq 4 "$n" "bad event count"
+
+exit 0

diff --git a/dnp3-dnp3_data-alert/expected/eve.json b/dnp3-dnp3_data-alert/expected/eve.json
deleted file mode 100644 (file)
index 2196f68..0000000
--- a/dnp3-dnp3_data-alert/expected/eve.json
+++ /dev/null
@@ -1,4 +0,0 @@
-{"timestamp":"2015-07-14T17:46:10.214640+0000","flow_id":634711522427892,"pcap_cnt":64,"event_type":"alert","src_ip":"127.0.0.1","src_port":20000,"dest_ip":"127.0.0.1","dest_port":59602,"proto":"TCP","tx_id":16,"alert":{"action":"allowed","gid":1,"signature_id":4,"rev":1,"signature":"DNP3 Data match","category":"","severity":3},"dnp3":{"request":{"type":"request","control":{"dir":true,"pri":true,"fcb":false,"fcv":false,"function_code":4},"src":1,"dst":10,"application":{"control":{"fir":true,"fin":true,"con":false,"uns":false,"sequence":0},"function_code":21,"objects":[{"group":60,"variation":2,"qualifier":6,"prefix_code":0,"range_code":6,"start":0,"stop":0,"count":0},{"group":60,"variation":3,"qualifier":6,"prefix_code":0,"range_code":6,"start":0,"stop":0,"count":0},{"group":60,"variation":4,"qualifier":6,"prefix_code":0,"range_code":6,"start":0,"stop":0,"count":0}],"complete":true}},"response":{"type":"response","control":{"dir":false,"pri":true,"fcb":false,"fcv":false,"function_code":4},"src":10,"dst":1,"application":{"control":{"fir":true,"fin":true,"con":false,"uns":false,"sequence":0},"function_code":129,"objects":[],"complete":true},"iin":{"indicators":["device_restart"]}}},"payload":"BWQKRAEACgBuJcDwgoAAa30FZApEAQAKAG4lwcCBgAC10AVkCkQBAAoAbiXCwYEAAHhsBWT\/RAEACgBa60PCgQAAAQIAAAkCAgICAgJARgICAgIDAgAACQICAgICAgJw2gICAhQBAAAJAgAAAAACAADjCwAAAgAAAAACAAAAAAIAAABNugACAAAAAAIAAAAAAgAAAAB+rgIAAAAAAgAAAAAVAQAACQLTQgAAAAACAAAAAAIAAAAAAgBpzgAAAAIAAAAAAgAAAAACAADdXgAAAgAAAAACAAAAAAIAAABNugAeBQAAAAIAAAAAHgEAAQlB6QIAAAAAAgAAAAACAAAAAALwAwAAAAACAAAAAAIAAAAAAgBpzgAAAAIAAAAAAgAAAAAKAgD4iAAJAgICAgICAgICAigBAAAsagkCAAAAAAIAAAAAAgAAAABgFQIAAAAAAgAAAABOcgVkH0QBAAoAJqWEAgAAAAACAAAAAAIAAAAAO+ICAAAAAAIAAAAATnIFZApEAQAKAG4lxcOBAADDTQVkCkQBAAoAbiXGxIEAAKP+BWQKRAEACgBuJcfFgQAATR8FZBZEAQAKAB2KyPGCAAAWASgBAAAAAQAAABWrAP\/\/BWQKRAEACgBuJcnGgQAAUYoFZApEAQAKAG4lyseBAACzLQVkCkQBAAoAbiXLyIEAAPAtBWQWRAEACgAdiszyggAAFgEoAQAAAAEBAADMewD\/\/wVkCkQBAAoAbiXNyYEAAAwlBWQWRAEACgAdis7zggAAFgEoAQAAAAECAAAEpAD\/\/wVkCkQBAAoAbiXPyoEAAEFpBWQWRAEACgAditD0ggAAFgEoAQAAAAEDAAATTAD\/\/wVkEkQBAAoAc8fR9YIAAAIBKAEAAAAB1zM=","stream":1,"packet":"AAAAAAAAAAAAAAAACABFAAA0XrBAAEAG3hF\/AAABfwAAAU4g6NIGUGtA2MG3koAQAVYzugAAAQEIChjKbJ8Yymyf","packet_info":{"linktype":1}}
-{"timestamp":"2015-07-14T17:46:11.685971+0000","flow_id":634711522427892,"pcap_cnt":72,"event_type":"alert","src_ip":"127.0.0.1","src_port":20000,"dest_ip":"127.0.0.1","dest_port":59602,"proto":"TCP","tx_id":18,"alert":{"action":"allowed","gid":1,"signature_id":4,"rev":1,"signature":"DNP3 Data match","category":"","severity":3},"dnp3":{"request":{"type":"request","control":{"dir":true,"pri":true,"fcb":false,"fcv":false,"function_code":4},"src":1,"dst":10,"application":{"control":{"fir":true,"fin":true,"con":false,"uns":false,"sequence":0},"function_code":21,"objects":[{"group":60,"variation":2,"qualifier":6,"prefix_code":0,"range_code":6,"start":0,"stop":0,"count":0},{"group":60,"variation":3,"qualifier":6,"prefix_code":0,"range_code":6,"start":0,"stop":0,"count":0},{"group":60,"variation":4,"qualifier":6,"prefix_code":0,"range_code":6,"start":0,"stop":0,"count":0}],"complete":true}},"response":{"type":"response","control":{"dir":false,"pri":true,"fcb":false,"fcv":false,"function_code":4},"src":10,"dst":1,"application":{"control":{"fir":true,"fin":true,"con":false,"uns":false,"sequence":0},"function_code":129,"objects":[],"complete":true},"iin":{"indicators":["device_restart"]}}},"payload":"BWQKRAEACgBuJcDwgoAAa30FZApEAQAKAG4lwcCBgAC10AVkCkQBAAoAbiXCwYEAAHhsBWT\/RAEACgBa60PCgQAAAQIAAAkCAgICAgJARgICAgIDAgAACQICAgICAgJw2gICAhQBAAAJAgAAAAACAADjCwAAAgAAAAACAAAAAAIAAABNugACAAAAAAIAAAAAAgAAAAB+rgIAAAAAAgAAAAAVAQAACQLTQgAAAAACAAAAAAIAAAAAAgBpzgAAAAIAAAAAAgAAAAACAADdXgAAAgAAAAACAAAAAAIAAABNugAeBQAAAAIAAAAAHgEAAQlB6QIAAAAAAgAAAAACAAAAAALwAwAAAAACAAAAAAIAAAAAAgBpzgAAAAIAAAAAAgAAAAAKAgD4iAAJAgICAgICAgICAigBAAAsagkCAAAAAAIAAAAAAgAAAABgFQIAAAAAAgAAAABOcgVkH0QBAAoAJqWEAgAAAAACAAAAAAIAAAAAO+ICAAAAAAIAAAAATnIFZApEAQAKAG4lxcOBAADDTQVkCkQBAAoAbiXGxIEAAKP+BWQKRAEACgBuJcfFgQAATR8FZBZEAQAKAB2KyPGCAAAWASgBAAAAAQAAABWrAP\/\/BWQKRAEACgBuJcnGgQAAUYoFZApEAQAKAG4lyseBAACzLQVkCkQBAAoAbiXLyIEAAPAtBWQWRAEACgAdiszyggAAFgEoAQAAAAEBAADMewD\/\/wVkCkQBAAoAbiXNyYEAAAwlBWQWRAEACgAdis7zggAAFgEoAQAAAAECAAAEpAD\/\/wVkCkQBAAoAbiXPyoEAAEFpBWQWRAEACgAditD0ggAAFgEoAQAAAAEDAAATTAD\/\/wVkEkQBAAoAc8fR9YIAAAIBKAEAAAAB1zMFZApEAQAKAG4l0suBAABs+wVkEkQBAAoAc8fT9oIAAAIBKAEAAACBTVM=","stream":1,"packet":"AAAAAAAAAAAAAAAACABFAAA0XrRAAEAG3g1\/AAABfwAAAU4g6NIGUGtq2MG3s4AQAVYoFwAAAQEIChjKcl8YynI3","packet_info":{"linktype":1}}
-{"timestamp":"2015-07-14T17:46:12.685991+0000","flow_id":634711522427892,"pcap_cnt":80,"event_type":"alert","src_ip":"127.0.0.1","src_port":20000,"dest_ip":"127.0.0.1","dest_port":59602,"proto":"TCP","tx_id":20,"alert":{"action":"allowed","gid":1,"signature_id":4,"rev":1,"signature":"DNP3 Data match","category":"","severity":3},"dnp3":{"request":{"type":"request","control":{"dir":true,"pri":true,"fcb":false,"fcv":false,"function_code":4},"src":1,"dst":10,"application":{"control":{"fir":true,"fin":true,"con":false,"uns":false,"sequence":0},"function_code":21,"objects":[{"group":60,"variation":2,"qualifier":6,"prefix_code":0,"range_code":6,"start":0,"stop":0,"count":0},{"group":60,"variation":3,"qualifier":6,"prefix_code":0,"range_code":6,"start":0,"stop":0,"count":0},{"group":60,"variation":4,"qualifier":6,"prefix_code":0,"range_code":6,"start":0,"stop":0,"count":0}],"complete":true}},"response":{"type":"response","control":{"dir":false,"pri":true,"fcb":false,"fcv":false,"function_code":4},"src":10,"dst":1,"application":{"control":{"fir":true,"fin":true,"con":false,"uns":false,"sequence":0},"function_code":129,"objects":[],"complete":true},"iin":{"indicators":["device_restart"]}}},"payload":"BWQKRAEACgBuJcDwgoAAa30FZApEAQAKAG4lwcCBgAC10AVkCkQBAAoAbiXCwYEAAHhsBWT\/RAEACgBa60PCgQAAAQIAAAkCAgICAgJARgICAgIDAgAACQICAgICAgJw2gICAhQBAAAJAgAAAAACAADjCwAAAgAAAAACAAAAAAIAAABNugACAAAAAAIAAAAAAgAAAAB+rgIAAAAAAgAAAAAVAQAACQLTQgAAAAACAAAAAAIAAAAAAgBpzgAAAAIAAAAAAgAAAAACAADdXgAAAgAAAAACAAAAAAIAAABNugAeBQAAAAIAAAAAHgEAAQlB6QIAAAAAAgAAAAACAAAAAALwAwAAAAACAAAAAAIAAAAAAgBpzgAAAAIAAAAAAgAAAAAKAgD4iAAJAgICAgICAgICAigBAAAsagkCAAAAAAIAAAAAAgAAAABgFQIAAAAAAgAAAABOcgVkH0QBAAoAJqWEAgAAAAACAAAAAAIAAAAAO+ICAAAAAAIAAAAATnIFZApEAQAKAG4lxcOBAADDTQVkCkQBAAoAbiXGxIEAAKP+BWQKRAEACgBuJcfFgQAATR8FZBZEAQAKAB2KyPGCAAAWASgBAAAAAQAAABWrAP\/\/BWQKRAEACgBuJcnGgQAAUYoFZApEAQAKAG4lyseBAACzLQVkCkQBAAoAbiXLyIEAAPAtBWQWRAEACgAdiszyggAAFgEoAQAAAAEBAADMewD\/\/wVkCkQBAAoAbiXNyYEAAAwlBWQWRAEACgAdis7zggAAFgEoAQAAAAECAAAEpAD\/\/wVkCkQBAAoAbiXPyoEAAEFpBWQWRAEACgAditD0ggAAFgEoAQAAAAEDAAATTAD\/\/wVkEkQBAAoAc8fR9YIAAAIBKAEAAAAB1zMFZApEAQAKAG4l0suBAABs+wVkEkQBAAoAc8fT9oIAAAIBKAEAAACBTVMFZApEAQAKAG4l1MyBAAAS5wVkEkQBAAoAc8fV94IAAAIBKAEAAAAB9ZY=","stream":1,"packet":"AAAAAAAAAAAAAAAACABFAAA0XrhAAEAG3gl\/AAABfwAAAU4g6NIGUGuU2MG31IAQAVYf\/AAAAQEIChjKdkcYynYf","packet_info":{"linktype":1}}
-{"timestamp":"2015-07-14T17:46:13.630138+0000","flow_id":634711522427892,"pcap_cnt":83,"event_type":"alert","src_ip":"127.0.0.1","src_port":20000,"dest_ip":"127.0.0.1","dest_port":59602,"proto":"TCP","tx_id":21,"alert":{"action":"allowed","gid":1,"signature_id":4,"rev":1,"signature":"DNP3 Data match","category":"","severity":3},"dnp3":{"request":{"type":"request","control":{"dir":true,"pri":true,"fcb":false,"fcv":false,"function_code":4},"src":1,"dst":10,"application":{"control":{"fir":true,"fin":true,"con":false,"uns":false,"sequence":0},"function_code":21,"objects":[{"group":60,"variation":2,"qualifier":6,"prefix_code":0,"range_code":6,"start":0,"stop":0,"count":0},{"group":60,"variation":3,"qualifier":6,"prefix_code":0,"range_code":6,"start":0,"stop":0,"count":0},{"group":60,"variation":4,"qualifier":6,"prefix_code":0,"range_code":6,"start":0,"stop":0,"count":0}],"complete":true}},"response":{"type":"response","control":{"dir":false,"pri":true,"fcb":false,"fcv":false,"function_code":4},"src":10,"dst":1,"application":{"control":{"fir":true,"fin":true,"con":false,"uns":false,"sequence":0},"function_code":129,"objects":[],"complete":true},"iin":{"indicators":["device_restart"]}}},"payload":"BWQKRAEACgBuJcDwgoAAa30FZApEAQAKAG4lwcCBgAC10AVkCkQBAAoAbiXCwYEAAHhsBWT\/RAEACgBa60PCgQAAAQIAAAkCAgICAgJARgICAgIDAgAACQICAgICAgJw2gICAhQBAAAJAgAAAAACAADjCwAAAgAAAAACAAAAAAIAAABNugACAAAAAAIAAAAAAgAAAAB+rgIAAAAAAgAAAAAVAQAACQLTQgAAAAACAAAAAAIAAAAAAgBpzgAAAAIAAAAAAgAAAAACAADdXgAAAgAAAAACAAAAAAIAAABNugAeBQAAAAIAAAAAHgEAAQlB6QIAAAAAAgAAAAACAAAAAALwAwAAAAACAAAAAAIAAAAAAgBpzgAAAAIAAAAAAgAAAAAKAgD4iAAJAgICAgICAgICAigBAAAsagkCAAAAAAIAAAAAAgAAAABgFQIAAAAAAgAAAABOcgVkH0QBAAoAJqWEAgAAAAACAAAAAAIAAAAAO+ICAAAAAAIAAAAATnIFZApEAQAKAG4lxcOBAADDTQVkCkQBAAoAbiXGxIEAAKP+BWQKRAEACgBuJcfFgQAATR8FZBZEAQAKAB2KyPGCAAAWASgBAAAAAQAAABWrAP\/\/BWQKRAEACgBuJcnGgQAAUYoFZApEAQAKAG4lyseBAACzLQVkCkQBAAoAbiXLyIEAAPAtBWQWRAEACgAdiszyggAAFgEoAQAAAAEBAADMewD\/\/wVkCkQBAAoAbiXNyYEAAAwlBWQWRAEACgAdis7zggAAFgEoAQAAAAECAAAEpAD\/\/wVkCkQBAAoAbiXPyoEAAEFpBWQWRAEACgAditD0ggAAFgEoAQAAAAEDAAATTAD\/\/wVkEkQBAAoAc8fR9YIAAAIBKAEAAAAB1zMFZApEAQAKAG4l0suBAABs+wVkEkQBAAoAc8fT9oIAAAIBKAEAAACBTVMFZApEAQAKAG4l1MyBAAAS5wVkEkQBAAoAc8fV94IAAAIBKAEAAAAB9ZYFZBJEAQAKAHPH1viCAAACASgBAAAAgW0F","stream":1,"packet":"AAAAAAAAAAAAAAAACABFAAA0XrpAAEAG3gd\/AAABfwAAAU4g6NIGUGut2MG344AQAVYYTAAAAQEIChjKefcYynn3","packet_info":{"linktype":1}}

diff --git a/dnp3-dnp3_func-alert/check.sh b/dnp3-dnp3_func-alert/check.sh
new file mode 100755 (executable)
index 0000000..38ea75f
--- /dev/null
+++ b/dnp3-dnp3_func-alert/check.sh
@@ -0,0 +1,13 @@
+#! /bin/sh
+
+. ../functions.sh
+
+# Should have one alert sid 1.
+n=$(jq_count output/eve.json 'select(.alert.signature_id == 1)')
+assert_eq 1 "$n" "sig id 1"
+
+# Should have one alert sid 2.
+n=$(jq_count output/eve.json 'select(.alert.signature_id == 2)')
+assert_eq 1 "$n" "sig id 1"
+
+exit 0

diff --git a/dnp3-dnp3_func-alert/expected/eve.json b/dnp3-dnp3_func-alert/expected/eve.json
deleted file mode 100644 (file)
index 5e87fa8..0000000
--- a/dnp3-dnp3_func-alert/expected/eve.json
+++ /dev/null
@@ -1,2 +0,0 @@
-{"timestamp":"2015-07-14T17:45:56.279980+0000","flow_id":634711522427892,"pcap_cnt":7,"event_type":"alert","src_ip":"127.0.0.1","src_port":59602,"dest_ip":"127.0.0.1","dest_port":20000,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":1,"rev":1,"signature":"DNP3 Function code test bi-directional","category":"","severity":3},"dnp3":{"request":{"type":"request","control":{"dir":true,"pri":true,"fcb":false,"fcv":false,"function_code":4},"src":1,"dst":10,"application":{"control":{"fir":true,"fin":true,"con":false,"uns":false,"sequence":0},"function_code":21,"objects":[{"group":60,"variation":2,"qualifier":6,"prefix_code":0,"range_code":6,"start":0,"stop":0,"count":0},{"group":60,"variation":3,"qualifier":6,"prefix_code":0,"range_code":6,"start":0,"stop":0,"count":0},{"group":60,"variation":4,"qualifier":6,"prefix_code":0,"range_code":6,"start":0,"stop":0,"count":0}],"complete":true}}},"payload":"BWQRxAoAAQAGFcDAFTwCBjwDBjwEBhpV","stream":1,"packet":"AAAAAAAAAAAAAAAACABFAAA0gGxAAEAGvFV\/AAABfwAAAejSTiDYwbZyBlBotYAQAVakQgAAAQEIChjKNjEYyjYw","packet_info":{"linktype":1}}
-{"timestamp":"2015-07-14T17:45:56.279980+0000","flow_id":634711522427892,"pcap_cnt":7,"event_type":"alert","src_ip":"127.0.0.1","src_port":59602,"dest_ip":"127.0.0.1","dest_port":20000,"proto":"TCP","dnp3":{"request":{"type":"request","control":{"dir":true,"pri":true,"fcb":false,"fcv":false,"function_code":4},"src":1,"dst":10,"application":{"control":{"fir":true,"fin":true,"con":false,"uns":false,"sequence":0},"function_code":21,"objects":[{"group":60,"variation":2,"qualifier":6,"prefix_code":0,"range_code":6,"start":0,"stop":0,"count":0},{"group":60,"variation":3,"qualifier":6,"prefix_code":0,"range_code":6,"start":0,"stop":0,"count":0},{"group":60,"variation":4,"qualifier":6,"prefix_code":0,"range_code":6,"start":0,"stop":0,"count":0}],"complete":true}}},"payload":"BWQRxAoAAQAGFcDAFTwCBjwDBjwEBhpV","stream":1,"packet":"AAAAAAAAAAAAAAAACABFAAA0gGxAAEAGvFV\/AAABfwAAAejSTiDYwbZyBlBotYAQAVakQgAAAQEIChjKNjEYyjYw","packet_info":{"linktype":1},"tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2,"rev":1,"signature":"DNP3 Function code test to-server","category":"","severity":3}}

diff --git a/dnp3/check.sh b/dnp3/check.sh
new file mode 100755 (executable)
index 0000000..fc57e6b
--- /dev/null
+++ b/dnp3/check.sh
@@ -0,0 +1,9 @@
+#! /bin/sh
+
+. ../functions.sh
+
+n=$(jq_count output/eve.json 'select(.event_type == "dnp3")')
+assert_eq 55 "$n" "bad dnp3 event count"
+
+exit 0
+

diff --git a/dnp3/expected/eve.json b/dnp3/expected/eve.json
deleted file mode 100644 (file)
index 77ede86..0000000
--- a/dnp3/expected/eve.json
+++ /dev/null
@@ -1,55 +0,0 @@
-{"timestamp":"2015-07-14T17:45:56.279893+0000","flow_id":634711522427892,"pcap_cnt":5,"event_type":"dnp3","src_ip":"127.0.0.1","src_port":59602,"dest_ip":"127.0.0.1","dest_port":20000,"proto":"TCP","dnp3":{"type":"request","control":{"dir":true,"pri":true,"fcb":false,"fcv":false,"function_code":4},"src":1,"dst":10,"application":{"control":{"fir":true,"fin":true,"con":false,"uns":false,"sequence":0},"function_code":21,"objects":[{"group":60,"variation":2,"qualifier":6,"prefix_code":0,"range_code":6,"start":0,"stop":0,"count":0},{"group":60,"variation":3,"qualifier":6,"prefix_code":0,"range_code":6,"start":0,"stop":0,"count":0},{"group":60,"variation":4,"qualifier":6,"prefix_code":0,"range_code":6,"start":0,"stop":0,"count":0}],"complete":true}}}
-{"timestamp":"2015-07-14T17:45:56.279980+0000","flow_id":634711522427892,"pcap_cnt":7,"event_type":"dnp3","src_ip":"127.0.0.1","src_port":59602,"dest_ip":"127.0.0.1","dest_port":20000,"proto":"TCP","dnp3":{"type":"unsolicited_response","control":{"dir":false,"pri":true,"fcb":false,"fcv":false,"function_code":4},"src":10,"dst":1,"application":{"control":{"fir":true,"fin":true,"con":true,"uns":true,"sequence":0},"function_code":130,"objects":[],"complete":true},"iin":{"indicators":["device_restart"]}}}
-{"timestamp":"2015-07-14T17:45:56.320059+0000","flow_id":634711522427892,"pcap_cnt":11,"event_type":"dnp3","src_ip":"127.0.0.1","src_port":59602,"dest_ip":"127.0.0.1","dest_port":20000,"proto":"TCP","dnp3":{"type":"response","control":{"dir":false,"pri":true,"fcb":false,"fcv":false,"function_code":4},"src":10,"dst":1,"application":{"control":{"fir":true,"fin":true,"con":false,"uns":false,"sequence":0},"function_code":129,"objects":[],"complete":true},"iin":{"indicators":["device_restart"]}}}
-{"timestamp":"2015-07-14T17:45:56.320217+0000","flow_id":634711522427892,"pcap_cnt":13,"event_type":"dnp3","src_ip":"127.0.0.1","src_port":59602,"dest_ip":"127.0.0.1","dest_port":20000,"proto":"TCP","dnp3":{"type":"request","control":{"dir":true,"pri":true,"fcb":false,"fcv":false,"function_code":4},"src":1,"dst":10,"application":{"control":{"fir":true,"fin":true,"con":false,"uns":false,"sequence":1},"function_code":2,"objects":[{"group":80,"variation":1,"qualifier":0,"prefix_code":0,"range_code":0,"start":7,"stop":7,"count":1,"points":[{"prefix":0,"index":7,"state":0}]}],"complete":true}}}
-{"timestamp":"2015-07-14T17:45:56.320232+0000","flow_id":634711522427892,"pcap_cnt":14,"event_type":"dnp3","src_ip":"127.0.0.1","src_port":59602,"dest_ip":"127.0.0.1","dest_port":20000,"proto":"TCP","dnp3":{"type":"response","control":{"dir":false,"pri":true,"fcb":false,"fcv":false,"function_code":4},"src":10,"dst":1,"application":{"control":{"fir":true,"fin":true,"con":false,"uns":false,"sequence":1},"function_code":129,"objects":[],"complete":true},"iin":{"indicators":[]}}}
-{"timestamp":"2015-07-14T17:45:56.320598+0000","flow_id":634711522427892,"pcap_cnt":16,"event_type":"dnp3","src_ip":"127.0.0.1","src_port":59602,"dest_ip":"127.0.0.1","dest_port":20000,"proto":"TCP","dnp3":{"type":"request","control":{"dir":true,"pri":true,"fcb":false,"fcv":false,"function_code":4},"src":1,"dst":10,"application":{"control":{"fir":true,"fin":true,"con":false,"uns":false,"sequence":2},"function_code":1,"objects":[{"group":60,"variation":2,"qualifier":6,"prefix_code":0,"range_code":6,"start":0,"stop":0,"count":0},{"group":60,"variation":3,"qualifier":6,"prefix_code":0,"range_code":6,"start":0,"stop":0,"count":0},{"group":60,"variation":4,"qualifier":6,"prefix_code":0,"range_code":6,"start":0,"stop":0,"count":0},{"group":60,"variation":1,"qualifier":6,"prefix_code":0,"range_code":6,"start":0,"stop":0,"count":0}],"complete":true}}}
-{"timestamp":"2015-07-14T17:45:56.360140+0000","flow_id":634711522427892,"pcap_cnt":19,"event_type":"dnp3","src_ip":"127.0.0.1","src_port":59602,"dest_ip":"127.0.0.1","dest_port":20000,"proto":"TCP","dnp3":{"type":"response","control":{"dir":false,"pri":true,"fcb":false,"fcv":false,"function_code":4},"src":10,"dst":1,"application":{"control":{"fir":true,"fin":true,"con":false,"uns":false,"sequence":2},"function_code":129,"objects":[{"group":1,"variation":2,"qualifier":0,"prefix_code":0,"range_code":0,"start":0,"stop":9,"count":10,"points":[{"prefix":0,"index":0,"online":0,"restart":1,"comm_lost":0,"remote_forced":0,"local_forced":0,"chatter_filter":0,"reserved":0,"state":0},{"prefix":0,"index":1,"online":0,"restart":1,"comm_lost":0,"remote_forced":0,"local_forced":0,"chatter_filter":0,"reserved":0,"state":0},{"prefix":0,"index":2,"online":0,"restart":1,"comm_lost":0,"remote_forced":0,"local_forced":0,"chatter_filter":0,"reserved":0,"state":0},{"prefix":0,"index":3,"online":0,"restart":1,"comm_lost":0,"remote_forced":0,"local_forced":0,"chatter_filter":0,"reserved":0,"state":0},{"prefix":0,"index":4,"online":0,"restart":1,"comm_lost":0,"remote_forced":0,"local_forced":0,"chatter_filter":0,"reserved":0,"state":0},{"prefix":0,"index":5,"online":0,"restart":1,"comm_lost":0,"remote_forced":0,"local_forced":0,"chatter_filter":0,"reserved":0,"state":0},{"prefix":0,"index":6,"online":0,"restart":1,"comm_lost":0,"remote_forced":0,"local_forced":0,"chatter_filter":0,"reserved":0,"state":0},{"prefix":0,"index":7,"online":0,"restart":1,"comm_lost":0,"remote_forced":0,"local_forced":0,"chatter_filter":0,"reserved":0,"state":0},{"prefix":0,"index":8,"online":0,"restart":1,"comm_lost":0,"remote_forced":0,"local_forced":0,"chatter_filter":0,"reserved":0,"state":0},{"prefix":0,"index":9,"online":0,"restart":1,"comm_lost":0,"remote_forced":0,"local_forced":0,"chatter_filter":0,"reserved":0,"state":0}]},{"group":3,"variation":2,"qualifier":0,"prefix_code":0,"range_code":0,"start":0,"stop":9,"count":10,"points":[{"prefix":0,"index":0,"online":0,"restart":1,"comm_lost":0,"remote_forced":0,"local_forced":0,"chatter_filter":0,"state":0},{"prefix":0,"index":1,"online":0,"restart":1,"comm_lost":0,"remote_forced":0,"local_forced":0,"chatter_filter":0,"state":0},{"prefix":0,"index":2,"online":0,"restart":1,"comm_lost":0,"remote_forced":0,"local_forced":0,"chatter_filter":0,"state":0},{"prefix":0,"index":3,"online":0,"restart":1,"comm_lost":0,"remote_forced":0,"local_forced":0,"chatter_filter":0,"state":0},{"prefix":0,"index":4,"online":0,"restart":1,"comm_lost":0,"remote_forced":0,"local_forced":0,"chatter_filter":0,"state":0},{"prefix":0,"index":5,"online":0,"restart":1,"comm_lost":0,"remote_forced":0,"local_forced":0,"chatter_filter":0,"state":0},{"prefix":0,"index":6,"online":0,"restart":1,"comm_lost":0,"remote_forced":0,"local_forced":0,"chatter_filter":0,"state":0},{"prefix":0,"index":7,"online":0,"restart":1,"comm_lost":0,"remote_forced":0,"local_forced":0,"chatter_filter":0,"state":0},{"prefix":0,"index":8,"online":0,"restart":1,"comm_lost":0,"remote_forced":0,"local_forced":0,"chatter_filter":0,"state":0},{"prefix":0,"index":9,"online":0,"restart":1,"comm_lost":0,"remote_forced":0,"local_forced":0,"chatter_filter":0,"state":0}]},{"group":20,"variation":1,"qualifier":0,"prefix_code":0,"range_code":0,"start":0,"stop":9,"count":10,"points":[{"prefix":0,"index":0,"online":0,"restart":1,"comm_lost":0,"remote_forced":0,"local_forced":0,"rollover":0,"discontinuity":0,"reserved0":0,"count":0},{"prefix":0,"index":1,"online":0,"restart":1,"comm_lost":0,"remote_forced":0,"local_forced":0,"rollover":0,"discontinuity":0,"reserved0":0,"count":0},{"prefix":0,"index":2,"online":0,"restart":1,"comm_lost":0,"remote_forced":0,"local_forced":0,"rollover":0,"discontinuity":0,"reserved0":0,"count":0},{"prefix":0,"index":3,"online":0,"restart":1,"comm_lost":0,"remote_forced":0,"local_forced":0,"rollover":0,"discontinuity":0,"reserved0":0,"count":0},{"prefix":0,"index":4,"online":0,"restart":1,"comm_lost":0,"remote_forced":0,"local_forced":0,"rollover":0,"discontinuity":0,"reserved0":0,"count":0},{"prefix":0,"index":5,"online":0,"restart":1,"comm_lost":0,"remote_forced":0,"local_forced":0,"rollover":0,"discontinuity":0,"reserved0":0,"count":0},{"prefix":0,"index":6,"online":0,"restart":1,"comm_lost":0,"remote_forced":0,"local_forced":0,"rollover":0,"discontinuity":0,"reserved0":0,"count":0},{"prefix":0,"index":7,"online":0,"restart":1,"comm_lost":0,"remote_forced":0,"local_forced":0,"rollover":0,"discontinuity":0,"reserved0":0,"count":0},{"prefix":0,"index":8,"online":0,"restart":1,"comm_lost":0,"remote_forced":0,"local_forced":0,"rollover":0,"discontinuity":0,"reserved0":0,"count":0},{"prefix":0,"index":9,"online":0,"restart":1,"comm_lost":0,"remote_forced":0,"local_forced":0,"rollover":0,"discontinuity":0,"reserved0":0,"count":0}]},{"group":21,"variation":1,"qualifier":0,"prefix_code":0,"range_code":0,"start":0,"stop":9,"count":10,"points":[{"prefix":0,"index":0,"online":0,"restart":1,"comm_lost":0,"remote_forced":0,"local_forced":0,"rollover":0,"discontinuity":0,"reserved0":0,"count":0},{"prefix":0,"index":1,"online":0,"restart":1,"comm_lost":0,"remote_forced":0,"local_forced":0,"rollover":0,"discontinuity":0,"reserved0":0,"count":0},{"prefix":0,"index":2,"online":0,"restart":1,"comm_lost":0,"remote_forced":0,"local_forced":0,"rollover":0,"discontinuity":0,"reserved0":0,"count":0},{"prefix":0,"index":3,"online":0,"restart":1,"comm_lost":0,"remote_forced":0,"local_forced":0,"rollover":0,"discontinuity":0,"reserved0":0,"count":0},{"prefix":0,"index":4,"online":0,"restart":1,"comm_lost":0,"remote_forced":0,"local_forced":0,"rollover":0,"discontinuity":0,"reserved0":0,"count":0},{"prefix":0,"index":5,"online":0,"restart":1,"comm_lost":0,"remote_forced":0,"local_forced":0,"rollover":0,"discontinuity":0,"reserved0":0,"count":0},{"prefix":0,"index":6,"online":0,"restart":1,"comm_lost":0,"remote_forced":0,"local_forced":0,"rollover":0,"discontinuity":0,"reserved0":0,"count":0},{"prefix":0,"index":7,"online":0,"restart":1,"comm_lost":0,"remote_forced":0,"local_forced":0,"rollover":0,"discontinuity":0,"reserved0":0,"count":0},{"prefix":0,"index":8,"online":0,"restart":1,"comm_lost":0,"remote_forced":0,"local_forced":0,"rollover":0,"discontinuity":0,"reserved0":0,"count":0},{"prefix":0,"index":9,"online":0,"restart":1,"comm_lost":0,"remote_forced":0,"local_forced":0,"rollover":0,"discontinuity":0,"reserved0":0,"count":0}]},{"group":30,"variation":5,"qualifier":0,"prefix_code":0,"range_code":0,"start":0,"stop":0,"count":1,"points":[{"prefix":0,"index":0,"online":0,"restart":1,"comm_lost":0,"remote_forced":0,"local_forced":0,"over_range":0,"reference_err":0,"reserved0":0,"value":0.0}]},{"group":30,"variation":1,"qualifier":0,"prefix_code":0,"range_code":0,"start":1,"stop":9,"count":9,"points":[{"prefix":0,"index":1,"online":0,"restart":1,"comm_lost":0,"remote_forced":0,"local_forced":0,"over_range":0,"reference_err":0,"reserved0":0,"value":0},{"prefix":0,"index":2,"online":0,"restart":1,"comm_lost":0,"remote_forced":0,"local_forced":0,"over_range":0,"reference_err":0,"reserved0":0,"value":0},{"prefix":0,"index":3,"online":0,"restart":1,"comm_lost":0,"remote_forced":0,"local_forced":0,"over_range":0,"reference_err":0,"reserved0":0,"value":0},{"prefix":0,"index":4,"online":0,"restart":1,"comm_lost":0,"remote_forced":0,"local_forced":0,"over_range":0,"reference_err":0,"reserved0":0,"value":0},{"prefix":0,"index":5,"online":0,"restart":1,"comm_lost":0,"remote_forced":0,"local_forced":0,"over_range":0,"reference_err":0,"reserved0":0,"value":0},{"prefix":0,"index":6,"online":0,"restart":1,"comm_lost":0,"remote_forced":0,"local_forced":0,"over_range":0,"reference_err":0,"reserved0":0,"value":0},{"prefix":0,"index":7,"online":0,"restart":1,"comm_lost":0,"remote_forced":0,"local_forced":0,"over_range":0,"reference_err":0,"reserved0":0,"value":0},{"prefix":0,"index":8,"online":0,"restart":1,"comm_lost":0,"remote_forced":0,"local_forced":0,"over_range":0,"reference_err":0,"reserved0":0,"value":0},{"prefix":0,"index":9,"online":0,"restart":1,"comm_lost":0,"remote_forced":0,"local_forced":0,"over_range":0,"reference_err":0,"reserved0":0,"value":0}]},{"group":10,"variation":2,"qualifier":0,"prefix_code":0,"range_code":0,"start":0,"stop":9,"count":10,"points":[{"prefix":0,"index":0,"online":0,"restart":1,"comm_lost":0,"remote_forced":0,"local_forced":0,"reserved0":0,"reserved1":0,"state":0},{"prefix":0,"index":1,"online":0,"restart":1,"comm_lost":0,"remote_forced":0,"local_forced":0,"reserved0":0,"reserved1":0,"state":0},{"prefix":0,"index":2,"online":0,"restart":1,"comm_lost":0,"remote_forced":0,"local_forced":0,"reserved0":0,"reserved1":0,"state":0},{"prefix":0,"index":3,"online":0,"restart":1,"comm_lost":0,"remote_forced":0,"local_forced":0,"reserved0":0,"reserved1":0,"state":0},{"prefix":0,"index":4,"online":0,"restart":1,"comm_lost":0,"remote_forced":0,"local_forced":0,"reserved0":0,"reserved1":0,"state":0},{"prefix":0,"index":5,"online":0,"restart":1,"comm_lost":0,"remote_forced":0,"local_forced":0,"reserved0":0,"reserved1":0,"state":0},{"prefix":0,"index":6,"online":0,"restart":1,"comm_lost":0,"remote_forced":0,"local_forced":0,"reserved0":0,"reserved1":0,"state":0},{"prefix":0,"index":7,"online":0,"restart":1,"comm_lost":0,"remote_forced":0,"local_forced":0,"reserved0":0,"reserved1":0,"state":0},{"prefix":0,"index":8,"online":0,"restart":1,"comm_lost":0,"remote_forced":0,"local_forced":0,"reserved0":0,"reserved1":0,"state":0},{"prefix":0,"index":9,"online":0,"restart":1,"comm_lost":0,"remote_forced":0,"local_forced":0,"reserved0":0,"reserved1":0,"state":0}]},{"group":40,"variation":1,"qualifier":0,"prefix_code":0,"range_code":0,"start":0,"stop":9,"count":10,"points":[{"prefix":0,"index":0,"online":0,"restart":1,"comm_lost":0,"remote_forced":0,"local_forced":0,"over_range":0,"reference_err":0,"reserved0":0,"value":0},{"prefix":0,"index":1,"online":0,"restart":1,"comm_lost":0,"remote_forced":0,"local_forced":0,"over_range":0,"reference_err":0,"reserved0":0,"value":0},{"prefix":0,"index":2,"online":0,"restart":1,"comm_lost":0,"remote_forced":0,"local_forced":0,"over_range":0,"reference_err":0,"reserved0":0,"value":0},{"prefix":0,"index":3,"online":0,"restart":1,"comm_lost":0,"remote_forced":0,"local_forced":0,"over_range":0,"reference_err":0,"reserved0":0,"value":0},{"prefix":0,"index":4,"online":0,"restart":1,"comm_lost":0,"remote_forced":0,"local_forced":0,"over_range":0,"reference_err":0,"reserved0":0,"value":0},{"prefix":0,"index":5,"online":0,"restart":1,"comm_lost":0,"remote_forced":0,"local_forced":0,"over_range":0,"reference_err":0,"reserved0":0,"value":0},{"prefix":0,"index":6,"online":0,"restart":1,"comm_lost":0,"remote_forced":0,"local_forced":0,"over_range":0,"reference_err":0,"reserved0":0,"value":0},{"prefix":0,"index":7,"online":0,"restart":1,"comm_lost":0,"remote_forced":0,"local_forced":0,"over_range":0,"reference_err":0,"reserved0":0,"value":0},{"prefix":0,"index":8,"online":0,"restart":1,"comm_lost":0,"remote_forced":0,"local_forced":0,"over_range":0,"reference_err":0,"reserved0":0,"value":0},{"prefix":0,"index":9,"online":0,"restart":1,"comm_lost":0,"remote_forced":0,"local_forced":0,"over_range":0,"reference_err":0,"reserved0":0,"value":0}]}],"complete":true},"iin":{"indicators":[]}}}
-{"timestamp":"2015-07-14T17:45:56.361312+0000","flow_id":634711522427892,"pcap_cnt":21,"event_type":"dnp3","src_ip":"127.0.0.1","src_port":59602,"dest_ip":"127.0.0.1","dest_port":20000,"proto":"TCP","dnp3":{"type":"request","control":{"dir":true,"pri":true,"fcb":false,"fcv":false,"function_code":4},"src":1,"dst":10,"application":{"control":{"fir":true,"fin":true,"con":false,"uns":false,"sequence":3},"function_code":20,"objects":[{"group":60,"variation":2,"qualifier":6,"prefix_code":0,"range_code":6,"start":0,"stop":0,"count":0},{"group":60,"variation":3,"qualifier":6,"prefix_code":0,"range_code":6,"start":0,"stop":0,"count":0},{"group":60,"variation":4,"qualifier":6,"prefix_code":0,"range_code":6,"start":0,"stop":0,"count":0}],"complete":true}}}
-{"timestamp":"2015-07-14T17:45:56.361531+0000","flow_id":634711522427892,"pcap_cnt":22,"event_type":"dnp3","src_ip":"127.0.0.1","src_port":59602,"dest_ip":"127.0.0.1","dest_port":20000,"proto":"TCP","dnp3":{"type":"response","control":{"dir":false,"pri":true,"fcb":false,"fcv":false,"function_code":4},"src":10,"dst":1,"application":{"control":{"fir":true,"fin":true,"con":false,"uns":false,"sequence":3},"function_code":129,"objects":[],"complete":true},"iin":{"indicators":[]}}}
-{"timestamp":"2015-07-14T17:45:56.361606+0000","flow_id":634711522427892,"pcap_cnt":23,"event_type":"dnp3","src_ip":"127.0.0.1","src_port":59602,"dest_ip":"127.0.0.1","dest_port":20000,"proto":"TCP","dnp3":{"type":"request","control":{"dir":true,"pri":true,"fcb":false,"fcv":false,"function_code":4},"src":1,"dst":10,"application":{"control":{"fir":true,"fin":true,"con":false,"uns":false,"sequence":4},"function_code":1,"objects":[{"group":60,"variation":2,"qualifier":6,"prefix_code":0,"range_code":6,"start":0,"stop":0,"count":0}],"complete":true}}}
-{"timestamp":"2015-07-14T17:45:56.401111+0000","flow_id":634711522427892,"pcap_cnt":24,"event_type":"dnp3","src_ip":"127.0.0.1","src_port":59602,"dest_ip":"127.0.0.1","dest_port":20000,"proto":"TCP","dnp3":{"type":"response","control":{"dir":false,"pri":true,"fcb":false,"fcv":false,"function_code":4},"src":10,"dst":1,"application":{"control":{"fir":true,"fin":true,"con":false,"uns":false,"sequence":4},"function_code":129,"objects":[],"complete":true},"iin":{"indicators":[]}}}
-{"timestamp":"2015-07-14T17:45:58.361284+0000","flow_id":634711522427892,"pcap_cnt":26,"event_type":"dnp3","src_ip":"127.0.0.1","src_port":59602,"dest_ip":"127.0.0.1","dest_port":20000,"proto":"TCP","dnp3":{"type":"request","control":{"dir":true,"pri":true,"fcb":false,"fcv":false,"function_code":4},"src":1,"dst":10,"application":{"control":{"fir":true,"fin":true,"con":false,"uns":false,"sequence":5},"function_code":1,"objects":[{"group":60,"variation":2,"qualifier":6,"prefix_code":0,"range_code":6,"start":0,"stop":0,"count":0}],"complete":true}}}
-{"timestamp":"2015-07-14T17:45:58.361307+0000","flow_id":634711522427892,"pcap_cnt":27,"event_type":"dnp3","src_ip":"127.0.0.1","src_port":59602,"dest_ip":"127.0.0.1","dest_port":20000,"proto":"TCP","dnp3":{"type":"response","control":{"dir":false,"pri":true,"fcb":false,"fcv":false,"function_code":4},"src":10,"dst":1,"application":{"control":{"fir":true,"fin":true,"con":false,"uns":false,"sequence":5},"function_code":129,"objects":[],"complete":true},"iin":{"indicators":[]}}}
-{"timestamp":"2015-07-14T17:45:59.382213+0000","flow_id":634711522427892,"pcap_cnt":29,"event_type":"dnp3","src_ip":"127.0.0.1","src_port":59602,"dest_ip":"127.0.0.1","dest_port":20000,"proto":"TCP","dnp3":{"type":"unsolicited_response","control":{"dir":false,"pri":true,"fcb":false,"fcv":false,"function_code":4},"src":10,"dst":1,"application":{"control":{"fir":true,"fin":true,"con":true,"uns":true,"sequence":1},"function_code":130,"objects":[{"group":22,"variation":1,"qualifier":40,"prefix_code":2,"range_code":8,"start":0,"stop":0,"count":1,"points":[{"prefix":0,"index":0,"online":1,"restart":0,"comm_lost":0,"remote_forced":0,"local_forced":0,"rollover":0,"discontinuity":0,"reserved0":0,"count":0}]}],"complete":true},"iin":{"indicators":[]}}}
-{"timestamp":"2015-07-14T17:46:00.361186+0000","flow_id":634711522427892,"pcap_cnt":33,"event_type":"dnp3","src_ip":"127.0.0.1","src_port":59602,"dest_ip":"127.0.0.1","dest_port":20000,"proto":"TCP","dnp3":{"type":"request","control":{"dir":true,"pri":true,"fcb":false,"fcv":false,"function_code":4},"src":1,"dst":10,"application":{"control":{"fir":true,"fin":true,"con":false,"uns":false,"sequence":6},"function_code":1,"objects":[{"group":60,"variation":2,"qualifier":6,"prefix_code":0,"range_code":6,"start":0,"stop":0,"count":0}],"complete":true}}}
-{"timestamp":"2015-07-14T17:46:00.401022+0000","flow_id":634711522427892,"pcap_cnt":35,"event_type":"dnp3","src_ip":"127.0.0.1","src_port":59602,"dest_ip":"127.0.0.1","dest_port":20000,"proto":"TCP","dnp3":{"type":"response","control":{"dir":false,"pri":true,"fcb":false,"fcv":false,"function_code":4},"src":10,"dst":1,"application":{"control":{"fir":true,"fin":true,"con":false,"uns":false,"sequence":6},"function_code":129,"objects":[],"complete":true},"iin":{"indicators":[]}}}
-{"timestamp":"2015-07-14T17:46:02.361273+0000","flow_id":634711522427892,"pcap_cnt":37,"event_type":"dnp3","src_ip":"127.0.0.1","src_port":59602,"dest_ip":"127.0.0.1","dest_port":20000,"proto":"TCP","dnp3":{"type":"request","control":{"dir":true,"pri":true,"fcb":false,"fcv":false,"function_code":4},"src":1,"dst":10,"application":{"control":{"fir":true,"fin":true,"con":false,"uns":false,"sequence":7},"function_code":1,"objects":[{"group":60,"variation":2,"qualifier":6,"prefix_code":0,"range_code":6,"start":0,"stop":0,"count":0}],"complete":true}}}
-{"timestamp":"2015-07-14T17:46:02.361297+0000","flow_id":634711522427892,"pcap_cnt":38,"event_type":"dnp3","src_ip":"127.0.0.1","src_port":59602,"dest_ip":"127.0.0.1","dest_port":20000,"proto":"TCP","dnp3":{"type":"response","control":{"dir":false,"pri":true,"fcb":false,"fcv":false,"function_code":4},"src":10,"dst":1,"application":{"control":{"fir":true,"fin":true,"con":false,"uns":false,"sequence":7},"function_code":129,"objects":[],"complete":true},"iin":{"indicators":[]}}}
-{"timestamp":"2015-07-14T17:46:04.361329+0000","flow_id":634711522427892,"pcap_cnt":40,"event_type":"dnp3","src_ip":"127.0.0.1","src_port":59602,"dest_ip":"127.0.0.1","dest_port":20000,"proto":"TCP","dnp3":{"type":"request","control":{"dir":true,"pri":true,"fcb":false,"fcv":false,"function_code":4},"src":1,"dst":10,"application":{"control":{"fir":true,"fin":true,"con":false,"uns":false,"sequence":8},"function_code":1,"objects":[{"group":60,"variation":2,"qualifier":6,"prefix_code":0,"range_code":6,"start":0,"stop":0,"count":0}],"complete":true}}}
-{"timestamp":"2015-07-14T17:46:04.361364+0000","flow_id":634711522427892,"pcap_cnt":41,"event_type":"dnp3","src_ip":"127.0.0.1","src_port":59602,"dest_ip":"127.0.0.1","dest_port":20000,"proto":"TCP","dnp3":{"type":"response","control":{"dir":false,"pri":true,"fcb":false,"fcv":false,"function_code":4},"src":10,"dst":1,"application":{"control":{"fir":true,"fin":true,"con":false,"uns":false,"sequence":8},"function_code":129,"objects":[],"complete":true},"iin":{"indicators":[]}}}
-{"timestamp":"2015-07-14T17:46:05.846081+0000","flow_id":634711522427892,"pcap_cnt":43,"event_type":"dnp3","src_ip":"127.0.0.1","src_port":59602,"dest_ip":"127.0.0.1","dest_port":20000,"proto":"TCP","dnp3":{"type":"unsolicited_response","control":{"dir":false,"pri":true,"fcb":false,"fcv":false,"function_code":4},"src":10,"dst":1,"application":{"control":{"fir":true,"fin":true,"con":true,"uns":true,"sequence":2},"function_code":130,"objects":[{"group":22,"variation":1,"qualifier":40,"prefix_code":2,"range_code":8,"start":0,"stop":0,"count":1,"points":[{"prefix":0,"index":0,"online":1,"restart":0,"comm_lost":0,"remote_forced":0,"local_forced":0,"rollover":0,"discontinuity":0,"reserved0":0,"count":1}]}],"complete":true},"iin":{"indicators":[]}}}
-{"timestamp":"2015-07-14T17:46:06.361131+0000","flow_id":634711522427892,"pcap_cnt":47,"event_type":"dnp3","src_ip":"127.0.0.1","src_port":59602,"dest_ip":"127.0.0.1","dest_port":20000,"proto":"TCP","dnp3":{"type":"request","control":{"dir":true,"pri":true,"fcb":false,"fcv":false,"function_code":4},"src":1,"dst":10,"application":{"control":{"fir":true,"fin":true,"con":false,"uns":false,"sequence":9},"function_code":1,"objects":[{"group":60,"variation":2,"qualifier":6,"prefix_code":0,"range_code":6,"start":0,"stop":0,"count":0}],"complete":true}}}
-{"timestamp":"2015-07-14T17:46:06.400984+0000","flow_id":634711522427892,"pcap_cnt":49,"event_type":"dnp3","src_ip":"127.0.0.1","src_port":59602,"dest_ip":"127.0.0.1","dest_port":20000,"proto":"TCP","dnp3":{"type":"response","control":{"dir":false,"pri":true,"fcb":false,"fcv":false,"function_code":4},"src":10,"dst":1,"application":{"control":{"fir":true,"fin":true,"con":false,"uns":false,"sequence":9},"function_code":129,"objects":[],"complete":true},"iin":{"indicators":[]}}}
-{"timestamp":"2015-07-14T17:46:07.446289+0000","flow_id":634711522427892,"pcap_cnt":51,"event_type":"dnp3","src_ip":"127.0.0.1","src_port":59602,"dest_ip":"127.0.0.1","dest_port":20000,"proto":"TCP","dnp3":{"type":"unsolicited_response","control":{"dir":false,"pri":true,"fcb":false,"fcv":false,"function_code":4},"src":10,"dst":1,"application":{"control":{"fir":true,"fin":true,"con":true,"uns":true,"sequence":3},"function_code":130,"objects":[{"group":22,"variation":1,"qualifier":40,"prefix_code":2,"range_code":8,"start":0,"stop":0,"count":1,"points":[{"prefix":0,"index":0,"online":1,"restart":0,"comm_lost":0,"remote_forced":0,"local_forced":0,"rollover":0,"discontinuity":0,"reserved0":0,"count":2}]}],"complete":true},"iin":{"indicators":[]}}}
-{"timestamp":"2015-07-14T17:46:08.361136+0000","flow_id":634711522427892,"pcap_cnt":55,"event_type":"dnp3","src_ip":"127.0.0.1","src_port":59602,"dest_ip":"127.0.0.1","dest_port":20000,"proto":"TCP","dnp3":{"type":"request","control":{"dir":true,"pri":true,"fcb":false,"fcv":false,"function_code":4},"src":1,"dst":10,"application":{"control":{"fir":true,"fin":true,"con":false,"uns":false,"sequence":10},"function_code":1,"objects":[{"group":60,"variation":2,"qualifier":6,"prefix_code":0,"range_code":6,"start":0,"stop":0,"count":0}],"complete":true}}}
-{"timestamp":"2015-07-14T17:46:08.401013+0000","flow_id":634711522427892,"pcap_cnt":57,"event_type":"dnp3","src_ip":"127.0.0.1","src_port":59602,"dest_ip":"127.0.0.1","dest_port":20000,"proto":"TCP","dnp3":{"type":"response","control":{"dir":false,"pri":true,"fcb":false,"fcv":false,"function_code":4},"src":10,"dst":1,"application":{"control":{"fir":true,"fin":true,"con":false,"uns":false,"sequence":10},"function_code":129,"objects":[],"complete":true},"iin":{"indicators":[]}}}
-{"timestamp":"2015-07-14T17:46:08.758149+0000","flow_id":634711522427892,"pcap_cnt":59,"event_type":"dnp3","src_ip":"127.0.0.1","src_port":59602,"dest_ip":"127.0.0.1","dest_port":20000,"proto":"TCP","dnp3":{"type":"unsolicited_response","control":{"dir":false,"pri":true,"fcb":false,"fcv":false,"function_code":4},"src":10,"dst":1,"application":{"control":{"fir":true,"fin":true,"con":true,"uns":true,"sequence":4},"function_code":130,"objects":[{"group":22,"variation":1,"qualifier":40,"prefix_code":2,"range_code":8,"start":0,"stop":0,"count":1,"points":[{"prefix":0,"index":0,"online":1,"restart":0,"comm_lost":0,"remote_forced":0,"local_forced":0,"rollover":0,"discontinuity":0,"reserved0":0,"count":3}]}],"complete":true},"iin":{"indicators":[]}}}
-{"timestamp":"2015-07-14T17:46:10.214623+0000","flow_id":634711522427892,"pcap_cnt":63,"event_type":"dnp3","src_ip":"127.0.0.1","src_port":59602,"dest_ip":"127.0.0.1","dest_port":20000,"proto":"TCP","dnp3":{"type":"unsolicited_response","control":{"dir":false,"pri":true,"fcb":false,"fcv":false,"function_code":4},"src":10,"dst":1,"application":{"control":{"fir":true,"fin":true,"con":true,"uns":true,"sequence":5},"function_code":130,"objects":[{"group":2,"variation":1,"qualifier":40,"prefix_code":2,"range_code":8,"start":0,"stop":0,"count":1,"points":[{"prefix":0,"index":0,"state":1}]}],"complete":true},"iin":{"indicators":[]}}}
-{"timestamp":"2015-07-14T17:46:10.361084+0000","flow_id":634711522427892,"pcap_cnt":66,"event_type":"dnp3","src_ip":"127.0.0.1","src_port":59602,"dest_ip":"127.0.0.1","dest_port":20000,"proto":"TCP","dnp3":{"type":"request","control":{"dir":true,"pri":true,"fcb":false,"fcv":false,"function_code":4},"src":1,"dst":10,"application":{"control":{"fir":true,"fin":true,"con":false,"uns":false,"sequence":11},"function_code":1,"objects":[{"group":60,"variation":2,"qualifier":6,"prefix_code":0,"range_code":6,"start":0,"stop":0,"count":0}],"complete":true}}}
-{"timestamp":"2015-07-14T17:46:10.400955+0000","flow_id":634711522427892,"pcap_cnt":68,"event_type":"dnp3","src_ip":"127.0.0.1","src_port":59602,"dest_ip":"127.0.0.1","dest_port":20000,"proto":"TCP","dnp3":{"type":"response","control":{"dir":false,"pri":true,"fcb":false,"fcv":false,"function_code":4},"src":10,"dst":1,"application":{"control":{"fir":true,"fin":true,"con":false,"uns":false,"sequence":11},"function_code":129,"objects":[],"complete":true},"iin":{"indicators":[]}}}
-{"timestamp":"2015-07-14T17:46:11.646245+0000","flow_id":634711522427892,"pcap_cnt":70,"event_type":"dnp3","src_ip":"127.0.0.1","src_port":59602,"dest_ip":"127.0.0.1","dest_port":20000,"proto":"TCP","dnp3":{"type":"unsolicited_response","control":{"dir":false,"pri":true,"fcb":false,"fcv":false,"function_code":4},"src":10,"dst":1,"application":{"control":{"fir":true,"fin":true,"con":true,"uns":true,"sequence":6},"function_code":130,"objects":[{"group":2,"variation":1,"qualifier":40,"prefix_code":2,"range_code":8,"start":0,"stop":0,"count":1,"points":[{"prefix":0,"index":0,"state":129}]}],"complete":true},"iin":{"indicators":[]}}}
-{"timestamp":"2015-07-14T17:46:12.361102+0000","flow_id":634711522427892,"pcap_cnt":74,"event_type":"dnp3","src_ip":"127.0.0.1","src_port":59602,"dest_ip":"127.0.0.1","dest_port":20000,"proto":"TCP","dnp3":{"type":"request","control":{"dir":true,"pri":true,"fcb":false,"fcv":false,"function_code":4},"src":1,"dst":10,"application":{"control":{"fir":true,"fin":true,"con":false,"uns":false,"sequence":12},"function_code":1,"objects":[{"group":60,"variation":2,"qualifier":6,"prefix_code":0,"range_code":6,"start":0,"stop":0,"count":0}],"complete":true}}}
-{"timestamp":"2015-07-14T17:46:12.401022+0000","flow_id":634711522427892,"pcap_cnt":76,"event_type":"dnp3","src_ip":"127.0.0.1","src_port":59602,"dest_ip":"127.0.0.1","dest_port":20000,"proto":"TCP","dnp3":{"type":"response","control":{"dir":false,"pri":true,"fcb":false,"fcv":false,"function_code":4},"src":10,"dst":1,"application":{"control":{"fir":true,"fin":true,"con":false,"uns":false,"sequence":12},"function_code":129,"objects":[],"complete":true},"iin":{"indicators":[]}}}
-{"timestamp":"2015-07-14T17:46:12.646187+0000","flow_id":634711522427892,"pcap_cnt":78,"event_type":"dnp3","src_ip":"127.0.0.1","src_port":59602,"dest_ip":"127.0.0.1","dest_port":20000,"proto":"TCP","dnp3":{"type":"unsolicited_response","control":{"dir":false,"pri":true,"fcb":false,"fcv":false,"function_code":4},"src":10,"dst":1,"application":{"control":{"fir":true,"fin":true,"con":true,"uns":true,"sequence":7},"function_code":130,"objects":[{"group":2,"variation":1,"qualifier":40,"prefix_code":2,"range_code":8,"start":0,"stop":0,"count":1,"points":[{"prefix":0,"index":0,"state":1}]}],"complete":true},"iin":{"indicators":[]}}}
-{"timestamp":"2015-07-14T17:46:13.630114+0000","flow_id":634711522427892,"pcap_cnt":82,"event_type":"dnp3","src_ip":"127.0.0.1","src_port":59602,"dest_ip":"127.0.0.1","dest_port":20000,"proto":"TCP","dnp3":{"type":"unsolicited_response","control":{"dir":false,"pri":true,"fcb":false,"fcv":false,"function_code":4},"src":10,"dst":1,"application":{"control":{"fir":true,"fin":true,"con":true,"uns":true,"sequence":8},"function_code":130,"objects":[{"group":2,"variation":1,"qualifier":40,"prefix_code":2,"range_code":8,"start":0,"stop":0,"count":1,"points":[{"prefix":0,"index":0,"state":129}]}],"complete":true},"iin":{"indicators":[]}}}
-{"timestamp":"2015-07-14T17:46:14.361114+0000","flow_id":634711522427892,"pcap_cnt":85,"event_type":"dnp3","src_ip":"127.0.0.1","src_port":59602,"dest_ip":"127.0.0.1","dest_port":20000,"proto":"TCP","dnp3":{"type":"request","control":{"dir":true,"pri":true,"fcb":false,"fcv":false,"function_code":4},"src":1,"dst":10,"application":{"control":{"fir":true,"fin":true,"con":false,"uns":false,"sequence":13},"function_code":1,"objects":[{"group":60,"variation":2,"qualifier":6,"prefix_code":0,"range_code":6,"start":0,"stop":0,"count":0}],"complete":true}}}
-{"timestamp":"2015-07-14T17:46:14.400978+0000","flow_id":634711522427892,"pcap_cnt":87,"event_type":"dnp3","src_ip":"127.0.0.1","src_port":59602,"dest_ip":"127.0.0.1","dest_port":20000,"proto":"TCP","dnp3":{"type":"response","control":{"dir":false,"pri":true,"fcb":false,"fcv":false,"function_code":4},"src":10,"dst":1,"application":{"control":{"fir":true,"fin":true,"con":false,"uns":false,"sequence":13},"function_code":129,"objects":[],"complete":true},"iin":{"indicators":[]}}}
-{"timestamp":"2015-07-14T17:46:14.654298+0000","flow_id":634711522427892,"pcap_cnt":89,"event_type":"dnp3","src_ip":"127.0.0.1","src_port":59602,"dest_ip":"127.0.0.1","dest_port":20000,"proto":"TCP","dnp3":{"type":"unsolicited_response","control":{"dir":false,"pri":true,"fcb":false,"fcv":false,"function_code":4},"src":10,"dst":1,"application":{"control":{"fir":true,"fin":true,"con":true,"uns":true,"sequence":9},"function_code":130,"objects":[{"group":4,"variation":1,"qualifier":40,"prefix_code":2,"range_code":8,"start":0,"stop":0,"count":1,"points":[{"prefix":0,"index":0,"online":1,"restart":0,"comm_lost":0,"remote_forced":0,"local_forced":0,"chatter_filter":0,"state":1}]}],"complete":true},"iin":{"indicators":[]}}}
-{"timestamp":"2015-07-14T17:46:15.886393+0000","flow_id":634711522427892,"pcap_cnt":93,"event_type":"dnp3","src_ip":"127.0.0.1","src_port":59602,"dest_ip":"127.0.0.1","dest_port":20000,"proto":"TCP","dnp3":{"type":"unsolicited_response","control":{"dir":false,"pri":true,"fcb":false,"fcv":false,"function_code":4},"src":10,"dst":1,"application":{"control":{"fir":true,"fin":true,"con":true,"uns":true,"sequence":10},"function_code":130,"objects":[{"group":4,"variation":1,"qualifier":40,"prefix_code":2,"range_code":8,"start":0,"stop":0,"count":1,"points":[{"prefix":0,"index":0,"online":1,"restart":0,"comm_lost":0,"remote_forced":0,"local_forced":0,"chatter_filter":0,"state":2}]}],"complete":true},"iin":{"indicators":[]}}}
-{"timestamp":"2015-07-14T17:46:16.361211+0000","flow_id":634711522427892,"pcap_cnt":96,"event_type":"dnp3","src_ip":"127.0.0.1","src_port":59602,"dest_ip":"127.0.0.1","dest_port":20000,"proto":"TCP","dnp3":{"type":"request","control":{"dir":true,"pri":true,"fcb":false,"fcv":false,"function_code":4},"src":1,"dst":10,"application":{"control":{"fir":true,"fin":true,"con":false,"uns":false,"sequence":14},"function_code":1,"objects":[{"group":60,"variation":2,"qualifier":6,"prefix_code":0,"range_code":6,"start":0,"stop":0,"count":0}],"complete":true}}}
-{"timestamp":"2015-07-14T17:46:16.401025+0000","flow_id":634711522427892,"pcap_cnt":98,"event_type":"dnp3","src_ip":"127.0.0.1","src_port":59602,"dest_ip":"127.0.0.1","dest_port":20000,"proto":"TCP","dnp3":{"type":"response","control":{"dir":false,"pri":true,"fcb":false,"fcv":false,"function_code":4},"src":10,"dst":1,"application":{"control":{"fir":true,"fin":true,"con":false,"uns":false,"sequence":14},"function_code":129,"objects":[],"complete":true},"iin":{"indicators":[]}}}
-{"timestamp":"2015-07-14T17:46:16.966298+0000","flow_id":634711522427892,"pcap_cnt":100,"event_type":"dnp3","src_ip":"127.0.0.1","src_port":59602,"dest_ip":"127.0.0.1","dest_port":20000,"proto":"TCP","dnp3":{"type":"unsolicited_response","control":{"dir":false,"pri":true,"fcb":false,"fcv":false,"function_code":4},"src":10,"dst":1,"application":{"control":{"fir":true,"fin":true,"con":true,"uns":true,"sequence":11},"function_code":130,"objects":[{"group":4,"variation":1,"qualifier":40,"prefix_code":2,"range_code":8,"start":0,"stop":0,"count":1,"points":[{"prefix":0,"index":0,"online":1,"restart":0,"comm_lost":0,"remote_forced":0,"local_forced":0,"chatter_filter":0,"state":1}]}],"complete":true},"iin":{"indicators":[]}}}
-{"timestamp":"2015-07-14T17:46:18.361192+0000","flow_id":634711522427892,"pcap_cnt":104,"event_type":"dnp3","src_ip":"127.0.0.1","src_port":59602,"dest_ip":"127.0.0.1","dest_port":20000,"proto":"TCP","dnp3":{"type":"request","control":{"dir":true,"pri":true,"fcb":false,"fcv":false,"function_code":4},"src":1,"dst":10,"application":{"control":{"fir":true,"fin":true,"con":false,"uns":false,"sequence":15},"function_code":1,"objects":[{"group":60,"variation":2,"qualifier":6,"prefix_code":0,"range_code":6,"start":0,"stop":0,"count":0}],"complete":true}}}
-{"timestamp":"2015-07-14T17:46:18.401026+0000","flow_id":634711522427892,"pcap_cnt":106,"event_type":"dnp3","src_ip":"127.0.0.1","src_port":59602,"dest_ip":"127.0.0.1","dest_port":20000,"proto":"TCP","dnp3":{"type":"response","control":{"dir":false,"pri":true,"fcb":false,"fcv":false,"function_code":4},"src":10,"dst":1,"application":{"control":{"fir":true,"fin":true,"con":false,"uns":false,"sequence":15},"function_code":129,"objects":[],"complete":true},"iin":{"indicators":[]}}}
-{"timestamp":"2015-07-14T17:46:19.062395+0000","flow_id":634711522427892,"pcap_cnt":108,"event_type":"dnp3","src_ip":"127.0.0.1","src_port":59602,"dest_ip":"127.0.0.1","dest_port":20000,"proto":"TCP","dnp3":{"type":"unsolicited_response","control":{"dir":false,"pri":true,"fcb":false,"fcv":false,"function_code":4},"src":10,"dst":1,"application":{"control":{"fir":true,"fin":true,"con":true,"uns":true,"sequence":12},"function_code":130,"objects":[{"group":4,"variation":1,"qualifier":40,"prefix_code":2,"range_code":8,"start":0,"stop":0,"count":1,"points":[{"prefix":0,"index":0,"online":1,"restart":0,"comm_lost":0,"remote_forced":0,"local_forced":0,"chatter_filter":0,"state":2}]}],"complete":true},"iin":{"indicators":[]}}}
-{"timestamp":"2015-07-14T17:46:20.361177+0000","flow_id":634711522427892,"pcap_cnt":112,"event_type":"dnp3","src_ip":"127.0.0.1","src_port":59602,"dest_ip":"127.0.0.1","dest_port":20000,"proto":"TCP","dnp3":{"type":"request","control":{"dir":true,"pri":true,"fcb":false,"fcv":false,"function_code":4},"src":1,"dst":10,"application":{"control":{"fir":true,"fin":true,"con":false,"uns":false,"sequence":0},"function_code":1,"objects":[{"group":60,"variation":2,"qualifier":6,"prefix_code":0,"range_code":6,"start":0,"stop":0,"count":0}],"complete":true}}}
-{"timestamp":"2015-07-14T17:46:20.401023+0000","flow_id":634711522427892,"pcap_cnt":114,"event_type":"dnp3","src_ip":"127.0.0.1","src_port":59602,"dest_ip":"127.0.0.1","dest_port":20000,"proto":"TCP","dnp3":{"type":"response","control":{"dir":false,"pri":true,"fcb":false,"fcv":false,"function_code":4},"src":10,"dst":1,"application":{"control":{"fir":true,"fin":true,"con":false,"uns":false,"sequence":0},"function_code":129,"objects":[],"complete":true},"iin":{"indicators":[]}}}
-{"timestamp":"2015-07-14T17:46:20.401106+0000","flow_id":634711522427892,"pcap_cnt":116,"event_type":"dnp3","src_ip":"127.0.0.1","src_port":59602,"dest_ip":"127.0.0.1","dest_port":20000,"proto":"TCP","dnp3":{"type":"unsolicited_response","control":{"dir":false,"pri":true,"fcb":false,"fcv":false,"function_code":4},"src":10,"dst":1,"application":{"control":{"fir":true,"fin":true,"con":true,"uns":true,"sequence":13},"function_code":130,"objects":[{"group":32,"variation":7,"qualifier":40,"prefix_code":2,"range_code":8,"start":0,"stop":0,"count":1,"points":[{"prefix":0,"index":0,"online":1,"restart":0,"comm_lost":0,"remote_forced":0,"local_forced":0,"over_range":0,"reference_err":0,"reserved0":0,"value":0.0,"timestamp":0}]}],"complete":true},"iin":{"indicators":[]}}}
-{"timestamp":"2015-07-14T17:46:22.022608+0000","flow_id":634711522427892,"pcap_cnt":120,"event_type":"dnp3","src_ip":"127.0.0.1","src_port":59602,"dest_ip":"127.0.0.1","dest_port":20000,"proto":"TCP","dnp3":{"type":"unsolicited_response","control":{"dir":false,"pri":true,"fcb":false,"fcv":false,"function_code":4},"src":10,"dst":1,"application":{"control":{"fir":true,"fin":true,"con":true,"uns":true,"sequence":14},"function_code":130,"objects":[{"group":32,"variation":7,"qualifier":40,"prefix_code":2,"range_code":8,"start":0,"stop":0,"count":1,"points":[{"prefix":0,"index":0,"online":1,"restart":0,"comm_lost":0,"remote_forced":0,"local_forced":0,"over_range":0,"reference_err":0,"reserved0":0,"value":1.0,"timestamp":0}]}],"complete":true},"iin":{"indicators":[]}}}
-{"timestamp":"2015-07-14T17:46:22.361133+0000","flow_id":634711522427892,"pcap_cnt":123,"event_type":"dnp3","src_ip":"127.0.0.1","src_port":59602,"dest_ip":"127.0.0.1","dest_port":20000,"proto":"TCP","dnp3":{"type":"request","control":{"dir":true,"pri":true,"fcb":false,"fcv":false,"function_code":4},"src":1,"dst":10,"application":{"control":{"fir":true,"fin":true,"con":false,"uns":false,"sequence":1},"function_code":1,"objects":[{"group":60,"variation":2,"qualifier":6,"prefix_code":0,"range_code":6,"start":0,"stop":0,"count":0}],"complete":true}}}
-{"timestamp":"2015-07-14T17:46:22.401073+0000","flow_id":634711522427892,"pcap_cnt":125,"event_type":"dnp3","src_ip":"127.0.0.1","src_port":59602,"dest_ip":"127.0.0.1","dest_port":20000,"proto":"TCP","dnp3":{"type":"response","control":{"dir":false,"pri":true,"fcb":false,"fcv":false,"function_code":4},"src":10,"dst":1,"application":{"control":{"fir":true,"fin":true,"con":false,"uns":false,"sequence":1},"function_code":129,"objects":[],"complete":true},"iin":{"indicators":[]}}}
-{"timestamp":"2015-07-14T17:46:23.174428+0000","flow_id":634711522427892,"pcap_cnt":127,"event_type":"dnp3","src_ip":"127.0.0.1","src_port":59602,"dest_ip":"127.0.0.1","dest_port":20000,"proto":"TCP","dnp3":{"type":"unsolicited_response","control":{"dir":false,"pri":true,"fcb":false,"fcv":false,"function_code":4},"src":10,"dst":1,"application":{"control":{"fir":true,"fin":true,"con":true,"uns":true,"sequence":15},"function_code":130,"objects":[{"group":32,"variation":7,"qualifier":40,"prefix_code":2,"range_code":8,"start":0,"stop":0,"count":1,"points":[{"prefix":0,"index":0,"online":1,"restart":0,"comm_lost":0,"remote_forced":0,"local_forced":0,"over_range":0,"reference_err":0,"reserved0":0,"value":2.0,"timestamp":0}]}],"complete":true},"iin":{"indicators":[]}}}
-{"timestamp":"2015-07-14T17:46:24.070578+0000","flow_id":634711522427892,"pcap_cnt":131,"event_type":"dnp3","src_ip":"127.0.0.1","src_port":59602,"dest_ip":"127.0.0.1","dest_port":20000,"proto":"TCP","dnp3":{"type":"unsolicited_response","control":{"dir":false,"pri":true,"fcb":false,"fcv":false,"function_code":4},"src":10,"dst":1,"application":{"control":{"fir":true,"fin":true,"con":true,"uns":true,"sequence":0},"function_code":130,"objects":[{"group":32,"variation":7,"qualifier":40,"prefix_code":2,"range_code":8,"start":0,"stop":0,"count":1,"points":[{"prefix":0,"index":0,"online":1,"restart":0,"comm_lost":0,"remote_forced":0,"local_forced":0,"over_range":0,"reference_err":0,"reserved0":0,"value":3.0,"timestamp":0}]}],"complete":true},"iin":{"indicators":[]}}}
-{"timestamp":"2015-07-14T17:46:24.361169+0000","flow_id":634711522427892,"pcap_cnt":134,"event_type":"dnp3","src_ip":"127.0.0.1","src_port":59602,"dest_ip":"127.0.0.1","dest_port":20000,"proto":"TCP","dnp3":{"type":"request","control":{"dir":true,"pri":true,"fcb":false,"fcv":false,"function_code":4},"src":1,"dst":10,"application":{"control":{"fir":true,"fin":true,"con":false,"uns":false,"sequence":2},"function_code":1,"objects":[{"group":60,"variation":2,"qualifier":6,"prefix_code":0,"range_code":6,"start":0,"stop":0,"count":0}],"complete":true}}}
-{"timestamp":"2015-07-14T17:46:24.400957+0000","flow_id":634711522427892,"pcap_cnt":136,"event_type":"dnp3","src_ip":"127.0.0.1","src_port":59602,"dest_ip":"127.0.0.1","dest_port":20000,"proto":"TCP","dnp3":{"type":"response","control":{"dir":false,"pri":true,"fcb":false,"fcv":false,"function_code":4},"src":10,"dst":1,"application":{"control":{"fir":true,"fin":true,"con":false,"uns":false,"sequence":2},"function_code":129,"objects":[],"complete":true},"iin":{"indicators":[]}}}

diff --git a/dns-udp-dns-log-unanswered/check.sh b/dns-udp-dns-log-unanswered/check.sh
old mode 100644 (file)
new mode 100755 (executable)

diff --git a/dns-udp-unsolicited-response/check.sh b/dns-udp-unsolicited-response/check.sh
old mode 100644 (file)
new mode 100755 (executable)

diff --git a/dns-udp-z-flag-fp/check.sh b/dns-udp-z-flag-fp/check.sh
old mode 100644 (file)
new mode 100755 (executable)

diff --git a/output-eve-fileinfo/check.sh b/output-eve-fileinfo/check.sh
new file mode 100755 (executable)
index 0000000..241ae2f
--- /dev/null
+++ b/output-eve-fileinfo/check.sh
@@ -0,0 +1,8 @@
+#! /bin/sh
+
+. ../functions.sh
+
+filename=$(cat output/eve.json | jq -c .fileinfo.filename)
+assert_eq '"eicar.com"' "$filename" "bad filename"
+
+exit 0

diff --git a/test-config-empty-rule-file/run.sh b/test-config-empty-rule-file/run.sh
index 056a47b62f0f3465f24016b5ee8da56148278457..3ce534c00d60aa9baf7014d4e23383678b7814e3 100755 (executable)
--- a/test-config-empty-rule-file/run.sh
+++ b/test-config-empty-rule-file/run.sh
@@ -1,13 +1,13 @@
 #! /bin/sh
 
 run() {
-    mkdir -p ${TEST_DIR}/output
     if ! ./src/suricata -T -c ${TEST_DIR}/suricata.yaml -vvv \
         -l ${TEST_DIR}/output --set default-rule-path="${TEST_DIR}"; then
        exit 1
     fi
 }
 
-run
+mkdir -p ${TEST_DIR}/output
+run > ${TEST_DIR}/output/stdout 2> ${TEST_DIR}/output/stderr
 
 exit 0

diff --git a/tls-fingerprint-alert/check.sh b/tls-fingerprint-alert/check.sh
old mode 100644 (file)
new mode 100755 (executable)

diff --git a/tls-json-output-ids/check.sh b/tls-json-output-ids/check.sh
old mode 100644 (file)
new mode 100755 (executable)

diff --git a/tls-json-output-ips/check.sh b/tls-json-output-ips/check.sh
old mode 100644 (file)
new mode 100755 (executable)