From: Simon Dugas
Date: Sun, 6 Dec 2020 17:20:24 +0000 (+0000)
Subject: modbus: add test cases
X-Git-Tag: suricata-6.0.4~85
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1b7bb895e3c02dc9422c569ff23dfc4f09879bb3;p=thirdparty%2Fsuricata-verify.git
modbus: add test cases
Add tests for modbus logging and alerting.
---
diff --git a/tests/modbus/README.md b/tests/modbus/README.md
new file mode 100644
index 000000000..ac84a538d
--- /dev/null
+++ b/tests/modbus/README.md
@@ -0,0 +1,3 @@
+Test Modbus output and alerts
+
+Sample PCAP edited from: https://github.com/ITI/ICS-Security-Tools/blob/master/pcaps/bro/modbus/modbus.pcap
diff --git a/tests/modbus/modbus.pcap b/tests/modbus/modbus.pcap
new file mode 100644
index 000000000..5e8e2ad01
Binary files /dev/null and b/tests/modbus/modbus.pcap differ
diff --git a/tests/modbus/suricata.yaml b/tests/modbus/suricata.yaml
new file mode 100644
index 000000000..d3758909d
--- /dev/null
+++ b/tests/modbus/suricata.yaml
@@ -0,0 +1,9 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: true
+ types:
+ - modbus
+ - alert
diff --git a/tests/modbus/test.rules b/tests/modbus/test.rules
new file mode 100644
index 000000000..e3411227c
--- /dev/null
+++ b/tests/modbus/test.rules
@@ -0,0 +1,5 @@
+alert modbus any any -> any any (msg:"Modbus function number test"; modbus: function 1; sid:1; rev:1;)
+alert modbus any any -> any any (msg:"Modbus function word test"; modbus: function assigned; sid:2; rev:1;)
+alert modbus any any -> any any (msg:"Modbus access test"; modbus: access read; sid:3; rev:1;)
+alert modbus any any -> any any (msg:"Modbus unit test"; modbus: unit 10; sid:4; rev:1;)
+alert modbus any any -> any any (msg:"Modbus full test"; modbus: unit >9, access read coils, address 0<>2; sid:5; rev:1;)
diff --git a/tests/modbus/test.yaml b/tests/modbus/test.yaml
new file mode 100644
index 000000000..e8fb58dd7
--- /dev/null
+++ b/tests/modbus/test.yaml
@@ -0,0 +1,58 @@
+requires:
+ min-version: 7.0.0
+
+args:
+ - -k none
+
+checks:
+
+ - filter:
+ count: 1
+ match:
+ event_type: modbus
+ modbus.id: 10
+
+ - filter:
+ count: 2
+ match:
+ event_type: modbus
+ modbus.request.function_code: RdCoils
+
+ - filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ modbus.request.access_type: "READ | COILS"
+ modbus.response.category: "PUBLIC_ASSIGNED"
+
+ - filter:
+ count: 18
+ match:
+ event_type: alert
+ alert.signature_id: 2
+
+ - filter:
+ count: 3
+ match:
+ event_type: alert
+ alert.signature_id: 3
+
+ - filter:
+ count: 18
+ match:
+ event_type: alert
+ alert.signature_id: 4
+
+ - filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 4
+ modbus.request.function_code: "MEI"
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 5
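Review bot: The checks pin per-signature alert counts but never the total number of alert or modbus events, so a regression that makes an extra rule fire or logs a transaction twice still passes every filter here; add an unqualified total such as `- filter: count: 42 match: event_type: alert` (42 is the sum of the per-sid counts in this file, confirm it against the actual eve output before committing) and a corresponding total for `event_type: modbus`. The sid-4 sub-check on `modbus.request.function_code: "MEI"` is nested under an alert match only; a sibling `event_type: modbus` check on the same MEI request would also cover the logger's function-code naming for that request, as the `RdCoils` check does for sid 1. The `min-version: 7.0.0` requirement means the test is skipped on the 6.0 branch the X-Git-Tag points at; presumably intended, since the symbolic `function_code` and `access_type` values match the newer parser's output, but a comment next to the requirement such as `# symbolic function_code/access_type values are only emitted from 7.0 onward` would make the skip deliberate rather than silent.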