enip: adds test for frames
authorPhilippe Antoine <pantoine@oisf.net>
Thu, 7 Dec 2023 08:11:39 +0000 (09:11 +0100)
committerVictor Julien <victor@inliniac.net>
Fri, 7 Jun 2024 11:54:22 +0000 (13:54 +0200)
Ticket: 3598

tests/enip-frames/README.md [new file with mode: 0644]
tests/enip-frames/suricata.yaml [new file with mode: 0644]
tests/enip-frames/test.rules [new file with mode: 0644]
tests/enip-frames/test.yaml [new file with mode: 0644]

diff --git a/tests/enip-frames/README.md b/tests/enip-frames/README.md
new file mode 100644 (file)
index 0000000..d3bd0b5
--- /dev/null
@@ -0,0 +1,11 @@
+# Description
+
+Test ENIP frames
+
+# Related issue
+
+https://redmine.openinfosecfoundation.org/issues/3958
+
+# PCAP
+
+The pcap is reused from enip-keywords test
diff --git a/tests/enip-frames/suricata.yaml b/tests/enip-frames/suricata.yaml
new file mode 100644 (file)
index 0000000..f6c0fe6
--- /dev/null
@@ -0,0 +1,23 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+      filename: eve.json
+
+      types:
+        - alert
+        - anomaly
+        - enip
+        - flow
+
+app-layer:
+  protocols:
+    enip:
+      enabled: yes
+
+stream:
+  inline: true
+  midstream: true
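Review bot: Boolean spelling is mixed in the new config: `enabled: yes` on the eve-log and enip entries, but `inline: true` and `midstream: true` under stream. Under the declared `%YAML 1.1` both forms should resolve to the same boolean, so this is style rather than behaviour, but one spelling per file avoids a reader wondering whether the difference is deliberate; `yes`/`no` is what the rest of this file already uses. The inline comment on the filetype line also runs straight into the hash — `filetype: regular  # regular|syslog|unix_dgram|unix_stream|redis` (two spaces before `#`, one after) is the layout yamllint expects.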
diff --git a/tests/enip-frames/test.rules b/tests/enip-frames/test.rules
new file mode 100644 (file)
index 0000000..335eb66
--- /dev/null
@@ -0,0 +1,5 @@
+alert enip any any -> any any (msg:"enip header frame"; frame:enip.hdr; content:"|63 00 33 00|"; sid:1;)
+alert enip any any -> any any (msg:"enip payload/data frame"; frame:enip.data; content:"|00 00 00 00 01 00 02 00|"; bsize: 32; sid:2;)
+alert enip any any -> any any (msg:"enip whole pdu frame"; frame:enip.pdu; content:"|00 00 00 00 01 00 02 00|"; bsize: 56; sid:3;)
+alert enip any any -> any any (msg:"header frame"; frame:enip.cip; content:"|03 02 20 8b 24 01 01 00 06 00|"; bsize: 10; sid:4;)
+alert enip any any -> any any (msg:"enip item frame"; frame:enip.enip.item; content:"|0c 00 2d 00|"; sid:5;)
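Review bot: The msg on sid:4 reads `header frame` although the rule inspects `frame:enip.cip`, so its alerts are only distinguishable from sid:1's `enip header frame` by signature id; `msg:"enip cip frame";` keeps the naming pattern of the other four rules and says which frame is being exercised. Separately, the `bsize: 32`, `bsize: 56` and `bsize: 10` options carry a space after the colon while every other option in these rules (`frame:`, `content:`, `sid:`) does not; the alert counts in test.yaml indicate the rules load, so this is a consistency nit only, `bsize:32;`.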
diff --git a/tests/enip-frames/test.yaml b/tests/enip-frames/test.yaml
new file mode 100644 (file)
index 0000000..e3a9f06
--- /dev/null
@@ -0,0 +1,50 @@
+requires:
+  min-version: 8
+
+pcap:  ../enip-keywords/enip_cip_example.pcap
+
+# disables checksum verification
+args:
+- -k none
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+        # check enip metadata logging for frame alert
+        enip.request.command: list_identity
+  - filter:
+      # enip.sud.iface == 0x00000000 && enip.timeout == 1 && enip.cpf.itemcount == 2 && enip.length == 32
+      count: 92
+      match:
+        event_type: alert
+        alert.signature_id: 2
+  - filter:
+      # enip.sud.iface == 0x00000000 && enip.timeout == 1 && enip.cpf.itemcount == 2 && len(tcp.payload) == 56
+      count: 92
+      match:
+        event_type: alert
+        alert.signature_id: 3
+  - filter:
+      # cip.rr == 0x00 && cip.attribute == 5 && cip.class == 1
+      count: 41
+      match:
+        event_type: alert
+        alert.signature_id: 4
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 5
+  - filter:
+      count: 41
+      match:
+        event_type: enip
+        enip.request.cip.service: "Multiple Service Packet"
+        enip.request.cip.path[0].segment_type: class
+        enip.request.cip.path[0].value: 2
+        enip.request.cip.path[1].segment_type: instance
+        enip.request.cip.path[1].value: 1
+        enip.request.cip.class_name: "Message Router"
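Review bot: Sequence indentation is inconsistent within the new file: the `args:` item `- -k none` sits flush with its key while every `checks:` item is indented two spaces under `checks:`. Both are valid YAML, but yamllint's indent-sequences check flags the mix, and indenting the args item (`  - -k none`) makes the file read uniformly. The `pcap:` line also has a double space after the colon; `pcap: ../enip-keywords/enip_cip_example.pcap` is what the other keys use. The sid 2 and 3 checks match only on the signature id, unlike the sid 1 check which also pins `enip.request.command`; if a stable enip field is present in those 92 alert records, matching on it would let the frame test catch metadata regressions as well — I cannot tell from the hunk which value that would be.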