enip: adds test for new enip keywords

Ticket: 3958

diff --git a/tests/enip-keywords-suricata8/README.md b/tests/enip-keywords-suricata8/README.md
new file mode 100644 (file)
index 0000000..676d891
--- /dev/null
+++ b/tests/enip-keywords-suricata8/README.md
@@ -0,0 +1,11 @@
+# Description
+
+Test ENIP keywords introduced in Suricata 8
+
+# Related issue
+
+https://redmine.openinfosecfoundation.org/issues/3958
+
+# PCAP
+
+The pcap is reused from enip-keywords test

diff --git a/tests/enip-keywords-suricata8/suricata.yaml b/tests/enip-keywords-suricata8/suricata.yaml
new file mode 100644 (file)
index 0000000..f6c0fe6
--- /dev/null
+++ b/tests/enip-keywords-suricata8/suricata.yaml
@@ -0,0 +1,23 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+      filename: eve.json
+
+      types:
+        - alert
+        - anomaly
+        - enip
+        - flow
+
+app-layer:
+  protocols:
+    enip:
+      enabled: yes
+
+stream:
+  inline: true
+  midstream: true

diff --git a/tests/enip-keywords-suricata8/test.rules b/tests/enip-keywords-suricata8/test.rules
new file mode 100644 (file)
index 0000000..f7266c0
--- /dev/null
+++ b/tests/enip-keywords-suricata8/test.rules
@@ -0,0 +1,12 @@
+alert enip any any -> any any (msg:"Testing enip status";  enip.status:0 ; sid:4;)
+alert enip any any -> any any (msg:"Testing enip product_name"; enip.product_name; content: "1756-ENBT/A"; sid:5;)
+alert enip any any -> any any (msg:"Testing enip protocol_version"; enip.protocol_version: 1; sid:6;)
+alert enip any any -> any any (msg:"Testing enip revision"; enip.revision: 0x403; sid:7;)
+alert enip any any -> any any (msg:"Testing enip identity_status"; enip.identity_status: 0x30; sid:8;)
+alert enip any any -> any any (msg:"Testing enip state"; enip.state: 3; sid:9;)
+alert enip any any -> any any (msg:"Testing enip serial"; enip.serial: 0x524D8E; sid:10;)
+alert enip any any -> any any (msg:"Testing enip product_code"; enip.product_code: 58; sid:11;)
+alert enip any any -> any any (msg:"Testing enip device_type"; enip.device_type: 12; sid:12;)
+alert enip any any -> any any (msg:"Testing enip vendor_id"; enip.vendor_id: 1; sid:13;)
+alert enip any any -> any any (msg:"Testing cip request";  flow:established,to_server; enip.cip_attribute: 5; enip.cip_class: 1; enip.cip_instance: 1;sid:14;)
+alert enip any any -> any any (msg:"Testing cip response"; enip.cip_status: 0; sid:15;)

diff --git a/tests/enip-keywords-suricata8/test.yaml b/tests/enip-keywords-suricata8/test.yaml
new file mode 100644 (file)
index 0000000..8e52532
--- /dev/null
+++ b/tests/enip-keywords-suricata8/test.yaml
@@ -0,0 +1,70 @@
+requires:
+  min-version: 8
+
+pcap:  ../enip-keywords/enip_cip_example.pcap
+
+# disables checksum verification
+args:
+- -k none
+
+checks:
+  - filter:
+      count: 269
+      match:
+        event_type: alert
+        alert.signature_id: 4
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 5
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 6
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 7
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 8
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 9
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 10
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 11
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 12
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 13
+  - filter:
+      count: 41
+      match:
+        event_type: alert
+        alert.signature_id: 14
+  - filter:
+      count: 133
+      match:
+        event_type: alert
+        alert.signature_id: 15