From: Jason Ish
Date: Tue, 6 Jan 2026 17:43:13 +0000 (-0600)
Subject: test: dnp3 max points test
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=920b7488ee847d852c5652d8720b8c2b3a5bdbb0;p=thirdparty%2Fsuricata-verify.git
test: dnp3 max points test
Test that an alert is raised if the maximum number of points per object was hit.
Ticket: #8181
---
diff --git a/tests/dnp3/dnp3-max-points/README.md b/tests/dnp3/dnp3-max-points/README.md
new file mode 100644
index 000000000..3d4746062
--- /dev/null
+++ b/tests/dnp3/dnp3-max-points/README.md
@@ -0,0 +1,3 @@
+DNP3 test for max points alert.
+
+Ticket: #8181
diff --git a/tests/dnp3/dnp3-max-points/dnp3-events.rules b/tests/dnp3/dnp3-max-points/dnp3-events.rules
new file mode 100644
index 000000000..a6e2d9dac
--- /dev/null
+++ b/tests/dnp3/dnp3-max-points/dnp3-events.rules
@@ -0,0 +1,38 @@
+# DNP3 application decoder event rules.
+#
+# This SIDs fall in the 2270000+ range. See:
+ http://doc.emergingthreats.net/bin/view/Main/SidAllocation
+
+# Flooded.
+alert dnp3 any any -> any any (msg:"SURICATA DNP3 Request flood detected"; \
+ app-layer-event:dnp3.flooded; classtype:protocol-command-decode; sid:2270000; rev:2;)
+
+# Length to small for PDU type. For example, link specifies the type
+# as user data, but the length field is not large enough for user
+# data.
+alert dnp3 any any -> any any (msg:"SURICATA DNP3 Length too small"; \
+ app-layer-event:dnp3.len_too_small; classtype:protocol-command-decode; sid:2270001; rev:3;)
+
+# Bad link layer CRC.
+alert dnp3 any any -> any any (msg:"SURICATA DNP3 Bad link CRC"; \
+ app-layer-event:dnp3.bad_link_crc; classtype:protocol-command-decode; sid:2270002; rev:2;)
+
+# Bad transport layer CRC.
+alert dnp3 any any -> any any (msg:"SURICATA DNP3 Bad transport CRC"; \
+ app-layer-event:dnp3.bad_transport_crc; classtype:protocol-command-decode; sid:2270003; rev:2;)
+
+# Unknown object.
+alert dnp3 any any -> any any (msg:"SURICATA DNP3 Unknown object"; \
+ app-layer-event:dnp3.unknown_object; classtype:protocol-command-decode; sid:2270004; rev:2;)
+
+# Too many points in a message.
+alert dnp3 any any -> any any (msg:"SURICATA DNP3 Too many points in message"; \
+ app-layer-event:dnp3.too_many_points; \
+ threshold:type backoff, track by_flow, count 1, multiplier 10; \
+ classtype:protocol-command-decode; sid:2270005; rev:1;)
+
+# Too many objects.
+alert dnp3 any any -> any any (msg:"SURICATA DNP3 Too many objects"; \
+ app-layer-event:dnp3.too_many_objects; \
+ threshold:type backoff, track by_flow, count 1, multiplier 10; \
+ classtype:protocol-command-decode; sid:2270006; rev:1;)
diff --git a/tests/dnp3/dnp3-max-points/suricata.yaml b/tests/dnp3/dnp3-max-points/suricata.yaml
new file mode 100644
index 000000000..1c9f19d75
--- /dev/null
+++ b/tests/dnp3/dnp3-max-points/suricata.yaml
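Review bot: The header comment `# Too many points in a message.` above sid 2270005 describes the event at message granularity, while the commit message says the limit this test exercises is the maximum number of points per object; if that is what `dnp3.too_many_points` actually signals, the comment (and arguably the `msg:` text) should say so, e.g. `# Too many points in a single object (per-object limit).`. The rule also carries `threshold:type backoff, track by_flow, count 1, multiplier 10`, which means a flow that trips the event repeatedly alerts only on the 1st, 10th, 100th… occurrence, a detail worth a one-line comment given that the test in this commit asserts an exact alert count. Two further things are visible in the hunk: `# Length to small` should read `# Length too small`, and the SID-allocation URL line appears without its leading `#`, which would stop the file from loading if that is the real content rather than an artifact of how the diff was rendered.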
@@ -0,0 +1,21 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+
+ types:
+ - alert
+ - anomaly
+ - dnp3
+ - flow
+
+app-layer:
+ protocols:
+ dnp3:
+ enabled: yes
+ detection-ports:
+ dp: 20000
diff --git a/tests/dnp3/dnp3-max-points/test.pcap b/tests/dnp3/dnp3-max-points/test.pcap
new file mode 100644
index 000000000..6bc7d41a0
Binary files /dev/null and b/tests/dnp3/dnp3-max-points/test.pcap differ
diff --git a/tests/dnp3/dnp3-max-points/test.yaml b/tests/dnp3/dnp3-max-points/test.yaml
new file mode 100644
index 000000000..7b0a2fb07
--- /dev/null
+++ b/tests/dnp3/dnp3-max-points/test.yaml
@@ -0,0 +1,14 @@
+requires:
+ min-version: 9.0.0
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: dnp3
+ dnp3.type: request
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2270005
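Review bot: The config enables the dnp3 parser and pins `detection-ports` but sets no value for the points-per-object limit the test depends on, so the test silently relies on whatever default the implementation for the ticket ships with. If that limit is exposed as a setting, state it explicitly under `app-layer.protocols.dnp3` (next to `enabled: yes`) so a later change of the default, or a pcap tuned just above today's default, does not turn this into a test that passes for the wrong reason. I cannot tell from this diff whether such a knob exists; if it does not, a comment in this file naming the built-in limit the pcap was crafted against would serve the same purpose.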
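Review bot: The second check asserts exactly one alert for sid 2270005 but does not rule out the pre-existing `dnp3.too_many_objects` event (sid 2270006) firing on the same pcap, so the test cannot tell the new per-object point limit apart from the older per-message object limit. Add a negative check, `- filter: {count: 0, match: {event_type: alert, alert.signature_id: 2270006}}`, and, since `anomaly` is enabled in the eve output, a positive check on the decoder event itself, `- filter: {count: 1, match: {event_type: anomaly, anomaly.event: too_many_points}}`, so the test still catches the condition if the rule's backoff threshold ever suppresses the alert. The exact `count: 1` on the alert also holds only while the decoder raises the event fewer than ten times on the flow (backoff `count 1, multiplier 10` in the rule), which is worth stating in README.md; the `anomaly.event` field name is inferred from the rule's `app-layer-event` keyword and should be confirmed against the eve output.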