From: Modupe Falodun Date: Mon, 28 Feb 2022 08:41:03 +0000 (+0100) Subject: detect-dnp3: add tests X-Git-Tag: suricata-5.0.10~60 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=330dd4bf0977c4c2123fbecdc339e0e31fc0cabc;p=thirdparty%2Fsuricata-verify.git detect-dnp3: add tests Task: 4911
---
diff --git a/tests/dnp3-dnp3_data-alert/README.md b/tests/dnp3-dnp3_data-alert/README.md
index 4d3199a04..42806b69a 100644
--- a/tests/dnp3-dnp3_data-alert/README.md
+++ b/tests/dnp3-dnp3_data-alert/README.md
@@ -1,6 +1,6 @@
 # Description
-Test dnp3_func rule keyword.
+Test dnp3_data rule keyword.
 # PCAP
diff --git a/tests/dnp3-dnp3_data-alert/test.rules b/tests/dnp3-dnp3_data-alert/test.rules
index e9beeebc1..45fbcb853 100644
--- a/tests/dnp3-dnp3_data-alert/test.rules
+++ b/tests/dnp3-dnp3_data-alert/test.rules
@@ -1,5 +1,7 @@
-# Trivial dnp3_data match rule.
-alert dnp3 any any -> any any (msg:"DNP3 Data match"; \
- flow:established,to_client; dnp3_data; content:"|02 01 28 01 00|"; \
- dnp3_func:unsolicited_response; \
- sid:4; rev:1;)
\ No newline at end of file
+alert dnp3 any any -> any any (msg:"DNP3 Data match"; flow:established,to_client; dnp3_data; content:"|02 01 28 01 00|"; dnp3_func:unsolicited_response; sid:1; rev:1;)
+alert dnp3 any any -> any any (msg:"DetectDNP3DataTest"; dnp3_data; content:"|02 01 28 01 00|"; sid:2; rev:1;)
+alert dnp3 any any -> any any (msg:"DetectDNP3DataTest"; flow:established,to_server; dnp3_data; content:"|02 01 28 01 00|"; sid:3; rev:1;)
+alert dnp3 any any -> any any (msg:"DetectDNP3DataTest"; flow:established,to_client; dnp3_data; content:"|02 01 28 01 00|"; sid:4; rev:1;)
+alert dnp3 any any -> any any (msg:"DetectDNP3DataTest"; flow:established,to_server; dnp3_data; content:"|3c 04 06 3c|"; sid:5; rev:1;)
+alert dnp3 any any -> any any (msg:"DetectDNP3DataTest"; flow:established,to_client; dnp3_data; content:"|3c 04 06 3c|"; sid:6; rev:1;)
+alert dnp3 any any -> any any (msg:"DetectDNP3DataTest"; dnp3_data; content:"|15 ab|"; sid:7; rev:1;)
diff --git a/tests/dnp3-dnp3_data-alert/test.yaml b/tests/dnp3-dnp3_data-alert/test.yaml
index 1b009bd20..8419f7ab0 100644
--- a/tests/dnp3-dnp3_data-alert/test.yaml
+++ b/tests/dnp3-dnp3_data-alert/test.yaml
@@ -3,8 +3,39 @@ requires:
 - HAVE_LIBJANSSON
 checks:
+ - filter:
+ count: 4
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 4
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 3
 - filter:
 count: 4
 match:
 event_type: alert
 alert.signature_id: 4
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 5
+ pcap_cnt: 17
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 6
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 7
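Review bot: Six of the seven new rules in tests/dnp3-dnp3_data-alert/test.rules carry the identical `msg:"DetectDNP3DataTest"`, so an alert from one of the negative cases (sid 3 or sid 6) is indistinguishable in eve.json from a legitimate sid 2, 4 or 5 hit except by signature_id, and a failing run has to be decoded by hand against the rule file. Putting the direction and pattern under test into each message, for example `msg:"DetectDNP3DataTest to_server 02012801"` for sid 3 and `msg:"DetectDNP3DataTest to_client 3c04063c"` for sid 6, makes the output self-describing. The two rules added in tests/dnp3-dnp3_obj-alert/test.rules share `msg:"SURICATA DNP3 Object Test"` the same way and would benefit from including the group,variation pair in the message.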
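Review bot: The `count: 0` filters for sids 3, 6 and 7 pass just as well when the rule was never loaded, because a signature rejected at parse time also produces no alerts, and nothing in this hunk distinguishes "loaded and did not match" from "not loaded". Unless the harness already runs Suricata with --init-errors-fatal, a guard on the number of loaded rules (if this Suricata version reports it in the eve stats event) would close that gap; sid 7's `|15 ab|` is also the only pattern with no positive counterpart, so a parse failure there is invisible. The new tests/dnp3-dnp3_obj-alert/test.yaml has the same shape for its sid 2 check. Pinning the positive matches to packets as the sid 5 check does with `pcap_cnt: 17` would additionally make the sid 1, 2 and 4 checks stricter than a bare count.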
diff --git a/tests/dnp3-dnp3_obj-alert/README.md b/tests/dnp3-dnp3_obj-alert/README.md
new file mode 100644
index 000000000..240abefcd
--- /dev/null
+++ b/tests/dnp3-dnp3_obj-alert/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test dnp3_obj rule keyword.
+
+# PCAP
+
+The pcap comes from dnp3-dnp3_data-alert
diff --git a/tests/dnp3-dnp3_obj-alert/input.pcap b/tests/dnp3-dnp3_obj-alert/input.pcap
new file mode 100644
index 000000000..9c0d4885e
Binary files /dev/null and b/tests/dnp3-dnp3_obj-alert/input.pcap differ
diff --git a/tests/dnp3-dnp3_obj-alert/suricata.yaml b/tests/dnp3-dnp3_obj-alert/suricata.yaml
new file mode 100644
index 000000000..3011d88dc
--- /dev/null
+++ b/tests/dnp3-dnp3_obj-alert/suricata.yaml
@@ -0,0 +1,20 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert:
+ payload: yes
+ packet: yes
+ dnp3: yes
+
+app-layer:
+ protocols:
+ dnp3:
+ enabled: yes
+ detection-ports:
+ dp: 20000
diff --git a/tests/dnp3-dnp3_obj-alert/test.rules b/tests/dnp3-dnp3_obj-alert/test.rules
new file mode 100644
index 000000000..349a282e9
--- /dev/null
+++ b/tests/dnp3-dnp3_obj-alert/test.rules
@@ -0,0 +1,2 @@
+alert dnp3 any any -> any any (msg:"SURICATA DNP3 Object Test"; dnp3_obj:22,01; sid:1; rev:1;)
+alert dnp3 any any -> any any (msg:"SURICATA DNP3 Object Test"; dnp3_obj:29,01; sid:2; rev:1;)
diff --git a/tests/dnp3-dnp3_obj-alert/test.yaml b/tests/dnp3-dnp3_obj-alert/test.yaml
new file mode 100644
index 000000000..00ccdefa1
--- /dev/null
+++ b/tests/dnp3-dnp3_obj-alert/test.yaml
@@ -0,0 +1,15 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+
+checks:
+ - filter:
+ count: 4
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2