detect-dnp3: add tests

author Modupe Falodun <falodunmodupeola@gmail.com>

Mon, 28 Feb 2022 08:41:03 +0000 (09:41 +0100)

committer Jason Ish <jason.ish@oisf.net>

Tue, 26 Apr 2022 21:29:11 +0000 (15:29 -0600)
author Modupe Falodun <falodunmodupeola@gmail.com>
Mon, 28 Feb 2022 08:41:03 +0000 (09:41 +0100)
committer Jason Ish <jason.ish@oisf.net>
Tue, 26 Apr 2022 21:29:11 +0000 (15:29 -0600)
diff --git a/tests/dnp3-dnp3_data-alert/README.md b/tests/dnp3-dnp3_data-alert/README.md

index 4d3199a045821c50981c4c828b36a9831f22c31e..42806b69ac856e1be6ce01b5bcde38b3f4de9f4f 100644 (file)
--- a/tests/dnp3-dnp3_data-alert/README.md
+++ b/tests/dnp3-dnp3_data-alert/README.md
@@ -1,6 +1,6 @@
  # Description
  
-Test dnp3_func rule keyword.
+Test dnp3_data rule keyword.
  
  # PCAP
  
diff --git a/tests/dnp3-dnp3_data-alert/test.rules b/tests/dnp3-dnp3_data-alert/test.rules

index e9beeebc159194da4139b09bf663c7e5bb3113c8..45fbcb8537569f681afa80e7df80b37612aeb0ac 100644 (file)
--- a/tests/dnp3-dnp3_data-alert/test.rules
+++ b/tests/dnp3-dnp3_data-alert/test.rules
@@ -1,5 +1,7 @@
-# Trivial dnp3_data match rule.
-alert dnp3 any any -> any any (msg:"DNP3 Data match"; \
-      flow:established,to_client; dnp3_data; content:"|02 01 28 01 00|"; \
-      dnp3_func:unsolicited_response; \
-      sid:4; rev:1;)
-\ No newline at end of file
+alert dnp3 any any -> any any (msg:"DNP3 Data match"; flow:established,to_client; dnp3_data; content:"|02 01 28 01 00|"; dnp3_func:unsolicited_response; sid:1; rev:1;)
+alert dnp3 any any -> any any (msg:"DetectDNP3DataTest"; dnp3_data; content:"|02 01 28 01 00|"; sid:2; rev:1;)
+alert dnp3 any any -> any any (msg:"DetectDNP3DataTest"; flow:established,to_server; dnp3_data; content:"|02 01 28 01 00|"; sid:3; rev:1;)
+alert dnp3 any any -> any any (msg:"DetectDNP3DataTest"; flow:established,to_client; dnp3_data; content:"|02 01 28 01 00|"; sid:4; rev:1;)
+alert dnp3 any any -> any any (msg:"DetectDNP3DataTest"; flow:established,to_server; dnp3_data; content:"|3c 04 06 3c|"; sid:5; rev:1;)
+alert dnp3 any any -> any any (msg:"DetectDNP3DataTest"; flow:established,to_client; dnp3_data; content:"|3c 04 06 3c|"; sid:6; rev:1;)
+alert dnp3 any any -> any any (msg:"DetectDNP3DataTest"; dnp3_data; content:"|15 ab|"; sid:7; rev:1;)
diff --git a/tests/dnp3-dnp3_data-alert/test.yaml b/tests/dnp3-dnp3_data-alert/test.yaml

index 1b009bd20763e06df5809b4df2863a4cce37ef4e..8419f7ab07a7f865afb504e6edebb9daa98d336f 100644 (file)
--- a/tests/dnp3-dnp3_data-alert/test.yaml
+++ b/tests/dnp3-dnp3_data-alert/test.yaml
@@ -3,8 +3,39 @@ requires:
      - HAVE_LIBJANSSON
  
  checks:
+  - filter:
+      count: 4
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 4
+      match:
+        event_type: alert
+        alert.signature_id: 2
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 3
    - filter:
        count: 4
        match:
          event_type: alert
          alert.signature_id: 4
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 5
+        pcap_cnt: 17
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 6
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 7
diff --git a/tests/dnp3-dnp3_obj-alert/README.md b/tests/dnp3-dnp3_obj-alert/README.md

new file mode 100644 (file)

index 0000000..240abef
--- /dev/null
+++ b/tests/dnp3-dnp3_obj-alert/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test dnp3_obj rule keyword.
+
+# PCAP
+
+The pcap comes from dnp3-dnp3_data-alert
diff --git a/tests/dnp3-dnp3_obj-alert/input.pcap b/tests/dnp3-dnp3_obj-alert/input.pcap

new file mode 100644 (file)

index 0000000..9c0d488

Binary files /dev/null and b/tests/dnp3-dnp3_obj-alert/input.pcap differ
diff --git a/tests/dnp3-dnp3_obj-alert/suricata.yaml b/tests/dnp3-dnp3_obj-alert/suricata.yaml

new file mode 100644 (file)

index 0000000..3011d88
--- /dev/null
+++ b/tests/dnp3-dnp3_obj-alert/suricata.yaml
@@ -0,0 +1,20 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      filename: eve.json
+      types:
+        - alert:
+            payload: yes
+            packet: yes
+            dnp3: yes
+
+app-layer:
+  protocols:
+    dnp3:
+      enabled: yes
+      detection-ports:
+        dp: 20000
diff --git a/tests/dnp3-dnp3_obj-alert/test.rules b/tests/dnp3-dnp3_obj-alert/test.rules

new file mode 100644 (file)

index 0000000..349a282
--- /dev/null
+++ b/tests/dnp3-dnp3_obj-alert/test.rules
@@ -0,0 +1,2 @@
+alert dnp3 any any -> any any (msg:"SURICATA DNP3 Object Test"; dnp3_obj:22,01; sid:1; rev:1;)
+alert dnp3 any any -> any any (msg:"SURICATA DNP3 Object Test"; dnp3_obj:29,01; sid:2; rev:1;)
diff --git a/tests/dnp3-dnp3_obj-alert/test.yaml b/tests/dnp3-dnp3_obj-alert/test.yaml

new file mode 100644 (file)

index 0000000..00ccdef
--- /dev/null
+++ b/tests/dnp3-dnp3_obj-alert/test.yaml
@@ -0,0 +1,15 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+
+checks:
+  - filter:
+      count: 4
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 2
author	Modupe Falodun <falodunmodupeola@gmail.com>
	Mon, 28 Feb 2022 08:41:03 +0000 (09:41 +0100)
committer	Jason Ish <jason.ish@oisf.net>
	Tue, 26 Apr 2022 21:29:11 +0000 (15:29 -0600)
tests/dnp3-dnp3_data-alert/README.md		patch \| blob \| blame \| history
tests/dnp3-dnp3_data-alert/test.rules		patch \| blob \| blame \| history
tests/dnp3-dnp3_data-alert/test.yaml		patch \| blob \| blame \| history
tests/dnp3-dnp3_obj-alert/README.md	[new file with mode: 0644]	patch \| blob
tests/dnp3-dnp3_obj-alert/input.pcap	[new file with mode: 0644]	patch \| blob
tests/dnp3-dnp3_obj-alert/suricata.yaml	[new file with mode: 0644]	patch \| blob
tests/dnp3-dnp3_obj-alert/test.rules	[new file with mode: 0644]	patch \| blob
tests/dnp3-dnp3_obj-alert/test.yaml	[new file with mode: 0644]	patch \| blob