From: Victor Julien
Date: Tue, 19 Jan 2021 18:23:24 +0000 (+0100)
Subject: tests: add dnp3 tests
X-Git-Tag: suricata-6.0.4~170
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f30d7bbbc7716d648f616e36d838668baafcdec3;p=thirdparty%2Fsuricata-verify.git
tests: add dnp3 tests
Based on pcaps from: https://github.com/bro/bro/tree/master/testing/btest/Traces/dnp3
---
diff --git a/tests/dnp3-del-measure/README.md b/tests/dnp3-del-measure/README.md
new file mode 100644
index 000000000..d09a35d10
--- /dev/null
+++ b/tests/dnp3-del-measure/README.md
@@ -0,0 +1,4 @@
+PCAP
+====
+
+PCAP from https://github.com/bro/bro/tree/master/testing/btest/Traces/dnp3
diff --git a/tests/dnp3-del-measure/input.pcap b/tests/dnp3-del-measure/input.pcap
new file mode 100644
index 000000000..888dfd33d
Binary files /dev/null and b/tests/dnp3-del-measure/input.pcap differ
diff --git a/tests/dnp3-del-measure/suricata.yaml b/tests/dnp3-del-measure/suricata.yaml
new file mode 100644
index 000000000..6000e1e87
--- /dev/null
+++ b/tests/dnp3-del-measure/suricata.yaml
@@ -0,0 +1,25 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ # enable/disable the community id feature.
+ community-id: true
+ # Seed value for the ID output. Valid values are 0-65535.
+ community-id-seed: 0
+
+ types:
+ - alert
+ - anomaly
+ - dnp3
+ - flow
+
+app-layer:
+ protocols:
+ dnp3:
+ enabled: yes
+ detection-ports:
+ dp: 20000
diff --git a/tests/dnp3-del-measure/test.yaml b/tests/dnp3-del-measure/test.yaml
new file mode 100644
index 000000000..6bf445787
--- /dev/null
+++ b/tests/dnp3-del-measure/test.yaml
@@ -0,0 +1,96 @@ +requires: + min-version: 5 + features: + - HAVE_LIBJANSSON + +args: +- -k none + +checks: +- filter: + count: 1 + match: + dest_ip: 130.126.140.229 + dest_port: 20000 + dnp3.application.complete: true + dnp3.application.control.con: false + dnp3.application.control.fin: true + dnp3.application.control.fir: true + dnp3.application.control.sequence: 4 + dnp3.application.control.uns: false + dnp3.application.function_code: 23 + dnp3.control.dir: true + dnp3.control.fcb: false + dnp3.control.fcv: false + dnp3.control.function_code: 4 + dnp3.control.pri: true + dnp3.dst: 2 + dnp3.src: 3 + dnp3.type: request + event_type: dnp3 + pcap_cnt: 5 + proto: TCP + src_ip: 130.126.142.250 + src_port: 49413 +- filter: + count: 1 + match: + dest_ip: 130.126.140.229 + dest_port: 20000 + dnp3.application.complete: true + dnp3.application.control.con: false + dnp3.application.control.fin: true + dnp3.application.control.fir: true + dnp3.application.control.sequence: 4 + dnp3.application.control.uns: false + dnp3.application.function_code: 129 + dnp3.application.objects[0].count: 1 + dnp3.application.objects[0].group: 52 + dnp3.application.objects[0].points[0].delay_ms: 1 + dnp3.application.objects[0].points[0].index: 0 + dnp3.application.objects[0].points[0].prefix: 0 + dnp3.application.objects[0].prefix_code: 0 + dnp3.application.objects[0].qualifier: 7 + dnp3.application.objects[0].range_code: 7 + dnp3.application.objects[0].start: 0 + dnp3.application.objects[0].stop: 0 + dnp3.application.objects[0].variation: 2 + dnp3.control.dir: false + dnp3.control.fcb: false + dnp3.control.fcv: false + dnp3.control.function_code: 4 + dnp3.control.pri: true + dnp3.dst: 3 + dnp3.src: 2 + dnp3.type: response + event_type: dnp3 + pcap_cnt: 9 + proto: TCP + src_ip: 130.126.142.250 + src_port: 49413 +- filter: + count: 1 + match: + app_proto: dnp3 + dest_ip: 130.126.140.229 + dest_port: 20000 + event_type: flow + flow.age: 4 + flow.alerted: false + flow.bytes_toclient: 305 + 
flow.bytes_toserver: 315 + flow.pkts_toclient: 5 + flow.pkts_toserver: 5 + flow.reason: shutdown + flow.state: closed + proto: TCP + src_ip: 130.126.142.250 + src_port: 49413 + tcp.ack: true + tcp.fin: true + tcp.psh: true + tcp.state: closed + tcp.syn: true + tcp.tcp_flags: 1b + tcp.tcp_flags_tc: 1b + tcp.tcp_flags_ts: 1b diff --git a/tests/dnp3-en-spon/README.md b/tests/dnp3-en-spon/README.md new file mode 100644 index 000000000..d09a35d10 --- /dev/null +++ b/tests/dnp3-en-spon/README.md @@ -0,0 +1,4 @@ +PCAP +==== + +PCAP from https://github.com/bro/bro/tree/master/testing/btest/Traces/dnp3 diff --git a/tests/dnp3-en-spon/input.pcap b/tests/dnp3-en-spon/input.pcap new file mode 100644 index 000000000..5a0b67ef0 Binary files /dev/null and b/tests/dnp3-en-spon/input.pcap differ diff --git a/tests/dnp3-en-spon/suricata.yaml b/tests/dnp3-en-spon/suricata.yaml new file mode 100644 index 000000000..6000e1e87 --- /dev/null +++ b/tests/dnp3-en-spon/suricata.yaml @@ -0,0 +1,25 @@ +%YAML 1.1 +--- + +outputs: + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + # enable/disable the community id feature. + community-id: true + # Seed value for the ID output. Valid values are 0-65535. + community-id-seed: 0 + + types: + - alert + - anomaly + - dnp3 + - flow + +app-layer: + protocols: + dnp3: + enabled: yes + detection-ports: + dp: 20000 diff --git a/tests/dnp3-en-spon/test.yaml b/tests/dnp3-en-spon/test.yaml new file mode 100644 index 000000000..ba5356591 --- /dev/null +++ b/tests/dnp3-en-spon/test.yaml 
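Review bot: Every filter in the new test.yaml is a positive match, so the test never asserts that the dnp3 parser produced no `anomaly` events for this pcap, even though `anomaly` is enabled under eve-log `types` in the accompanying suricata.yaml; a parser regression that logs an app-layer anomaly next to the expected events would still pass. If the runner accepts a zero count, a negative filter pins that: `- filter:` / `count: 0` / `match:` / `event_type: anomaly`. The same gap exists in the test.yaml hunks for dnp3-en-spon, dnp3-file-del, dnp3-file-read, dnp3-file-write and dnp3-select-operate.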
@@ -0,0 +1,109 @@ +requires: + min-version: 5 + features: + - HAVE_LIBJANSSON + +args: +- -k none + +checks: +- filter: + count: 1 + match: + dest_ip: 130.126.140.229 + dest_port: 20000 + dnp3.application.complete: true + dnp3.application.control.con: false + dnp3.application.control.fin: true + dnp3.application.control.fir: true + dnp3.application.control.sequence: 11 + dnp3.application.control.uns: false + dnp3.application.function_code: 20 + dnp3.application.objects[0].count: 0 + dnp3.application.objects[0].group: 60 + dnp3.application.objects[0].prefix_code: 0 + dnp3.application.objects[0].qualifier: 6 + dnp3.application.objects[0].range_code: 6 + dnp3.application.objects[0].start: 0 + dnp3.application.objects[0].stop: 0 + dnp3.application.objects[0].variation: 2 + dnp3.application.objects[1].count: 0 + dnp3.application.objects[1].group: 60 + dnp3.application.objects[1].prefix_code: 0 + dnp3.application.objects[1].qualifier: 6 + dnp3.application.objects[1].range_code: 6 + dnp3.application.objects[1].start: 0 + dnp3.application.objects[1].stop: 0 + dnp3.application.objects[1].variation: 3 + dnp3.application.objects[2].count: 0 + dnp3.application.objects[2].group: 60 + dnp3.application.objects[2].prefix_code: 0 + dnp3.application.objects[2].qualifier: 6 + dnp3.application.objects[2].range_code: 6 + dnp3.application.objects[2].start: 0 + dnp3.application.objects[2].stop: 0 + dnp3.application.objects[2].variation: 4 + dnp3.control.dir: true + dnp3.control.fcb: false + dnp3.control.fcv: false + dnp3.control.function_code: 4 + dnp3.control.pri: true + dnp3.dst: 2 + dnp3.src: 3 + dnp3.type: request + event_type: dnp3 + pcap_cnt: 5 + proto: TCP + src_ip: 130.126.142.250 + src_port: 50059 +- filter: + count: 1 + match: + dest_ip: 130.126.140.229 + dest_port: 20000 + dnp3.application.complete: true + dnp3.application.control.con: false + dnp3.application.control.fin: true + dnp3.application.control.fir: true + dnp3.application.control.sequence: 11 + 
dnp3.application.control.uns: false + dnp3.application.function_code: 129 + dnp3.control.dir: false + dnp3.control.fcb: false + dnp3.control.fcv: false + dnp3.control.function_code: 4 + dnp3.control.pri: true + dnp3.dst: 3 + dnp3.src: 2 + dnp3.type: response + event_type: dnp3 + pcap_cnt: 9 + proto: TCP + src_ip: 130.126.142.250 + src_port: 50059 +- filter: + count: 1 + match: + app_proto: dnp3 + dest_ip: 130.126.140.229 + dest_port: 20000 + event_type: flow + flow.age: 4 + flow.alerted: false + flow.bytes_toclient: 299 + flow.bytes_toserver: 324 + flow.pkts_toclient: 5 + flow.pkts_toserver: 5 + flow.reason: shutdown + flow.state: closed + proto: TCP + src_ip: 130.126.142.250 + src_port: 50059 + tcp.ack: true + tcp.fin: true + tcp.psh: true + tcp.state: closed + tcp.syn: true + tcp.tcp_flags: 1b + tcp.tcp_flags_tc: 1b + tcp.tcp_flags_ts: 1b diff --git a/tests/dnp3-eve/test.yaml b/tests/dnp3-eve/test.yaml index dbd97315f..a1cf92367 100644 --- a/tests/dnp3-eve/test.yaml +++ b/tests/dnp3-eve/test.yaml @@ -1,4 +1,7 @@ -# *** Add configuration here *** +requires: + min-version: 5 + features: + - HAVE_LIBJANSSON checks: - filter: diff --git a/tests/dnp3-file-del/README.md b/tests/dnp3-file-del/README.md new file mode 100644 index 000000000..d09a35d10 --- /dev/null +++ b/tests/dnp3-file-del/README.md @@ -0,0 +1,4 @@ +PCAP +==== + +PCAP from https://github.com/bro/bro/tree/master/testing/btest/Traces/dnp3 diff --git a/tests/dnp3-file-del/input.pcap b/tests/dnp3-file-del/input.pcap new file mode 100644 index 000000000..170390740 Binary files /dev/null and b/tests/dnp3-file-del/input.pcap differ diff --git a/tests/dnp3-file-del/suricata.yaml b/tests/dnp3-file-del/suricata.yaml new file mode 100644 index 000000000..6000e1e87 --- /dev/null +++ b/tests/dnp3-file-del/suricata.yaml 
@@ -0,0 +1,25 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ # enable/disable the community id feature.
+ community-id: true
+ # Seed value for the ID output. Valid values are 0-65535.
+ community-id-seed: 0
+
+ types:
+ - alert
+ - anomaly
+ - dnp3
+ - flow
+
+app-layer:
+ protocols:
+ dnp3:
+ enabled: yes
+ detection-ports:
+ dp: 20000
diff --git a/tests/dnp3-file-del/test.yaml b/tests/dnp3-file-del/test.yaml
new file mode 100644
index 000000000..75715cbb3
--- /dev/null
+++ b/tests/dnp3-file-del/test.yaml
@@ -0,0 +1,124 @@ +requires: + min-version: 5 + features: + - HAVE_LIBJANSSON + +args: +- -k none + +checks: +- filter: + count: 1 + match: + dest_ip: 130.126.140.229 + dest_port: 20000 + dnp3.application.complete: true + dnp3.application.control.con: false + dnp3.application.control.fin: true + dnp3.application.control.fir: true + dnp3.application.control.sequence: 9 + dnp3.application.control.uns: false + dnp3.application.function_code: 27 + dnp3.application.objects[0].count: 1 + dnp3.application.objects[0].group: 70 + dnp3.application.objects[0].points[0].authentication_key: 0 + dnp3.application.objects[0].points[0].created: 0 + dnp3.application.objects[0].points[0].file_size: 0 + dnp3.application.objects[0].points[0].filename: C:/temp/DNPDeviceConfiguration + written to Remote Device.xml + dnp3.application.objects[0].points[0].filename_offset: 26 + dnp3.application.objects[0].points[0].filename_size: 59 + dnp3.application.objects[0].points[0].index: 0 + dnp3.application.objects[0].points[0].maximum_block_size: 0 + dnp3.application.objects[0].points[0].operational_mode: 0 + dnp3.application.objects[0].points[0].permissions: 0 + dnp3.application.objects[0].points[0].prefix: 85 + dnp3.application.objects[0].points[0].request_id: 30 + dnp3.application.objects[0].points[0].size: 85 + dnp3.application.objects[0].prefix_code: 5 + dnp3.application.objects[0].qualifier: 91 + dnp3.application.objects[0].range_code: 11 + dnp3.application.objects[0].start: 0 + dnp3.application.objects[0].stop: 0 + dnp3.application.objects[0].variation: 3 + dnp3.control.dir: true + dnp3.control.fcb: false + dnp3.control.fcv: false + dnp3.control.function_code: 4 + dnp3.control.pri: true + dnp3.dst: 4 + dnp3.src: 3 + dnp3.type: request + event_type: dnp3 + pcap_cnt: 5 + proto: TCP + src_ip: 130.126.142.250 + src_port: 50301 +- filter: + count: 1 + match: + dest_ip: 130.126.140.229 + dest_port: 20000 + dnp3.application.complete: true + dnp3.application.control.con: false + 
dnp3.application.control.fin: true + dnp3.application.control.fir: true + dnp3.application.control.sequence: 9 + dnp3.application.control.uns: false + dnp3.application.function_code: 129 + dnp3.application.objects[0].count: 1 + dnp3.application.objects[0].group: 70 + dnp3.application.objects[0].points[0].file_handle: 0 + dnp3.application.objects[0].points[0].file_size: 0 + dnp3.application.objects[0].points[0].index: 0 + dnp3.application.objects[0].points[0].maximum_block_size: 0 + dnp3.application.objects[0].points[0].optional_text: '' + dnp3.application.objects[0].points[0].prefix: 13 + dnp3.application.objects[0].points[0].request_id: 30 + dnp3.application.objects[0].points[0].size: 13 + dnp3.application.objects[0].points[0].status_code: 0 + dnp3.application.objects[0].prefix_code: 5 + dnp3.application.objects[0].qualifier: 91 + dnp3.application.objects[0].range_code: 11 + dnp3.application.objects[0].start: 0 + dnp3.application.objects[0].stop: 0 + dnp3.application.objects[0].variation: 4 + dnp3.control.dir: false + dnp3.control.fcb: false + dnp3.control.fcv: false + dnp3.control.function_code: 4 + dnp3.control.pri: true + dnp3.dst: 3 + dnp3.src: 4 + dnp3.type: response + event_type: dnp3 + pcap_cnt: 9 + proto: TCP + src_ip: 130.126.142.250 + src_port: 50301 +- filter: + count: 1 + match: + app_proto: dnp3 + dest_ip: 130.126.140.229 + dest_port: 20000 + event_type: flow + flow.age: 5 + flow.alerted: false + flow.bytes_toclient: 320 + flow.bytes_toserver: 416 + flow.pkts_toclient: 5 + flow.pkts_toserver: 5 + flow.reason: shutdown + flow.state: closed + proto: TCP + src_ip: 130.126.142.250 + src_port: 50301 + tcp.ack: true + tcp.fin: true + tcp.psh: true + tcp.state: closed + tcp.syn: true + tcp.tcp_flags: 1b + tcp.tcp_flags_tc: 1b + tcp.tcp_flags_ts: 1b diff --git a/tests/dnp3-file-read/README.md b/tests/dnp3-file-read/README.md new file mode 100644 index 000000000..d09a35d10 --- /dev/null +++ b/tests/dnp3-file-read/README.md 
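Review bot: The `dnp3.application.objects[0].points[0].filename` value in the request check is written as a plain scalar wrapped onto a second line (`C:/temp/DNPDeviceConfiguration` followed by `written to Remote Device.xml`), presumably by the dumper's line-width wrapping; it only matches because YAML folds the line break into one space, and in the diff it reads like two separate entries. Quoting it on a single line is less fragile: `dnp3.application.objects[0].points[0].filename: 'C:/temp/DNPDeviceConfiguration written to Remote Device.xml'`, which is also the 59-byte value that the `filename_size: 59` check on the next line expects. The dnp3-file-write test.yaml hunk has the same wrapped scalar.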
@@ -0,0 +1,4 @@
+PCAP
+====
+
+PCAP from https://github.com/bro/bro/tree/master/testing/btest/Traces/dnp3
diff --git a/tests/dnp3-file-read/input.pcap b/tests/dnp3-file-read/input.pcap
new file mode 100644
index 000000000..450ca880e
Binary files /dev/null and b/tests/dnp3-file-read/input.pcap differ
diff --git a/tests/dnp3-file-read/suricata.yaml b/tests/dnp3-file-read/suricata.yaml
new file mode 100644
index 000000000..6000e1e87
--- /dev/null
+++ b/tests/dnp3-file-read/suricata.yaml
@@ -0,0 +1,25 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ # enable/disable the community id feature.
+ community-id: true
+ # Seed value for the ID output. Valid values are 0-65535.
+ community-id-seed: 0
+
+ types:
+ - alert
+ - anomaly
+ - dnp3
+ - flow
+
+app-layer:
+ protocols:
+ dnp3:
+ enabled: yes
+ detection-ports:
+ dp: 20000
diff --git a/tests/dnp3-file-read/test.yaml b/tests/dnp3-file-read/test.yaml
new file mode 100644
index 000000000..70d8a033a
--- /dev/null
+++ b/tests/dnp3-file-read/test.yaml
@@ -0,0 +1,369 @@ +requires: + min-version: 5 + features: + - HAVE_LIBJANSSON + +args: +- -k none + +checks: +- filter: + count: 1 + match: + dest_ip: 130.126.140.229 + dest_port: 20000 + dnp3.application.complete: true + dnp3.application.control.con: false + dnp3.application.control.fin: true + dnp3.application.control.fir: true + dnp3.application.control.sequence: 14 + dnp3.application.control.uns: false + dnp3.application.function_code: 25 + dnp3.application.objects[0].count: 1 + dnp3.application.objects[0].group: 70 + dnp3.application.objects[0].points[0].authentication_key: 0 + dnp3.application.objects[0].points[0].created: 0 + dnp3.application.objects[0].points[0].file_size: 0 + dnp3.application.objects[0].points[0].filename: ./test.xml + dnp3.application.objects[0].points[0].filename_offset: 26 + dnp3.application.objects[0].points[0].filename_size: 10 + dnp3.application.objects[0].points[0].index: 0 + dnp3.application.objects[0].points[0].maximum_block_size: 1024 + dnp3.application.objects[0].points[0].operational_mode: 1 + dnp3.application.objects[0].points[0].permissions: 0 + dnp3.application.objects[0].points[0].prefix: 36 + dnp3.application.objects[0].points[0].request_id: 4 + dnp3.application.objects[0].points[0].size: 36 + dnp3.application.objects[0].prefix_code: 5 + dnp3.application.objects[0].qualifier: 91 + dnp3.application.objects[0].range_code: 11 + dnp3.application.objects[0].start: 0 + dnp3.application.objects[0].stop: 0 + dnp3.application.objects[0].variation: 3 + dnp3.control.dir: true + dnp3.control.fcb: false + dnp3.control.fcv: false + dnp3.control.function_code: 4 + dnp3.control.pri: true + dnp3.dst: 4 + dnp3.src: 3 + dnp3.type: request + event_type: dnp3 + pcap_cnt: 5 + proto: TCP + src_ip: 130.126.142.250 + src_port: 50276 +- filter: + count: 1 + match: + dest_ip: 130.126.140.229 + dest_port: 20000 + dnp3.application.complete: true + dnp3.application.control.con: false + dnp3.application.control.fin: true + dnp3.application.control.fir: 
true + dnp3.application.control.sequence: 14 + dnp3.application.control.uns: false + dnp3.application.function_code: 129 + dnp3.application.objects[0].count: 1 + dnp3.application.objects[0].group: 70 + dnp3.application.objects[0].points[0].file_handle: 305419896 + dnp3.application.objects[0].points[0].file_size: 830 + dnp3.application.objects[0].points[0].index: 0 + dnp3.application.objects[0].points[0].maximum_block_size: 1024 + dnp3.application.objects[0].points[0].optional_text: '' + dnp3.application.objects[0].points[0].prefix: 13 + dnp3.application.objects[0].points[0].request_id: 4 + dnp3.application.objects[0].points[0].size: 13 + dnp3.application.objects[0].points[0].status_code: 0 + dnp3.application.objects[0].prefix_code: 5 + dnp3.application.objects[0].qualifier: 91 + dnp3.application.objects[0].range_code: 11 + dnp3.application.objects[0].start: 0 + dnp3.application.objects[0].stop: 0 + dnp3.application.objects[0].variation: 4 + dnp3.control.dir: false + dnp3.control.fcb: false + dnp3.control.fcv: false + dnp3.control.function_code: 4 + dnp3.control.pri: true + dnp3.dst: 3 + dnp3.iin.indicators[0]: need_time + dnp3.src: 4 + dnp3.type: response + event_type: dnp3 + pcap_cnt: 7 + proto: TCP + src_ip: 130.126.142.250 + src_port: 50276 +- filter: + count: 1 + match: + dest_ip: 130.126.140.229 + dest_port: 20000 + dnp3.application.complete: true + dnp3.application.control.con: false + dnp3.application.control.fin: true + dnp3.application.control.fir: true + dnp3.application.control.sequence: 15 + dnp3.application.control.uns: false + dnp3.application.function_code: 1 + dnp3.application.objects[0].count: 1 + dnp3.application.objects[0].group: 70 + dnp3.application.objects[0].points[0].block_number: 0 + dnp3.application.objects[0].points[0].file_data: '' + dnp3.application.objects[0].points[0].file_handle: 305419896 + dnp3.application.objects[0].points[0].index: 0 + dnp3.application.objects[0].points[0].prefix: 8 + dnp3.application.objects[0].points[0].size: 8 
+ dnp3.application.objects[0].prefix_code: 5 + dnp3.application.objects[0].qualifier: 91 + dnp3.application.objects[0].range_code: 11 + dnp3.application.objects[0].start: 0 + dnp3.application.objects[0].stop: 0 + dnp3.application.objects[0].variation: 5 + dnp3.control.dir: true + dnp3.control.fcb: false + dnp3.control.fcv: false + dnp3.control.function_code: 4 + dnp3.control.pri: true + dnp3.dst: 4 + dnp3.src: 3 + dnp3.type: request + event_type: dnp3 + pcap_cnt: 8 + proto: TCP + src_ip: 130.126.142.250 + src_port: 50276 +- filter: + count: 1 + match: + dest_ip: 130.126.140.229 + dest_port: 20000 + dnp3.application.complete: true + dnp3.application.control.con: false + dnp3.application.control.fin: true + dnp3.application.control.fir: true + dnp3.application.control.sequence: 0 + dnp3.application.control.uns: false + dnp3.application.function_code: 2 + dnp3.application.objects[0].count: 1 + dnp3.application.objects[0].group: 50 + dnp3.application.objects[0].points[0].index: 0 + dnp3.application.objects[0].points[0].prefix: 0 + dnp3.application.objects[0].points[0].timestamp: 1324573673682 + dnp3.application.objects[0].prefix_code: 0 + dnp3.application.objects[0].qualifier: 7 + dnp3.application.objects[0].range_code: 7 + dnp3.application.objects[0].start: 0 + dnp3.application.objects[0].stop: 0 + dnp3.application.objects[0].variation: 1 + dnp3.control.dir: true + dnp3.control.fcb: false + dnp3.control.fcv: false + dnp3.control.function_code: 4 + dnp3.control.pri: true + dnp3.dst: 4 + dnp3.src: 3 + dnp3.type: request + event_type: dnp3 + pcap_cnt: 19 + proto: TCP + src_ip: 130.126.142.250 + src_port: 50276 +- filter: + count: 1 + match: + dest_ip: 130.126.140.229 + dest_port: 20000 + dnp3.application.complete: true + dnp3.application.control.con: false + dnp3.application.control.fin: true + dnp3.application.control.fir: true + dnp3.application.control.sequence: 0 + dnp3.application.control.uns: false + dnp3.application.function_code: 129 + dnp3.control.dir: false + 
dnp3.control.fcb: false + dnp3.control.fcv: false + dnp3.control.function_code: 4 + dnp3.control.pri: true + dnp3.dst: 3 + dnp3.src: 4 + dnp3.type: response + event_type: dnp3 + pcap_cnt: 21 + proto: TCP + src_ip: 130.126.142.250 + src_port: 50276 +- filter: + count: 1 + match: + dest_ip: 130.126.140.229 + dest_port: 20000 + dnp3.application.complete: true + dnp3.application.control.con: false + dnp3.application.control.fin: true + dnp3.application.control.fir: true + dnp3.application.control.sequence: 1 + dnp3.application.control.uns: false + dnp3.application.function_code: 2 + dnp3.application.objects[0].count: 1 + dnp3.application.objects[0].group: 50 + dnp3.application.objects[0].points[0].index: 0 + dnp3.application.objects[0].points[0].prefix: 0 + dnp3.application.objects[0].points[0].timestamp: 1324573673780 + dnp3.application.objects[0].prefix_code: 0 + dnp3.application.objects[0].qualifier: 7 + dnp3.application.objects[0].range_code: 7 + dnp3.application.objects[0].start: 0 + dnp3.application.objects[0].stop: 0 + dnp3.application.objects[0].variation: 1 + dnp3.control.dir: true + dnp3.control.fcb: false + dnp3.control.fcv: false + dnp3.control.function_code: 4 + dnp3.control.pri: true + dnp3.dst: 4 + dnp3.src: 3 + dnp3.type: request + event_type: dnp3 + pcap_cnt: 22 + proto: TCP + src_ip: 130.126.142.250 + src_port: 50276 +- filter: + count: 1 + match: + dest_ip: 130.126.140.229 + dest_port: 20000 + dnp3.application.complete: true + dnp3.application.control.con: false + dnp3.application.control.fin: true + dnp3.application.control.fir: true + dnp3.application.control.sequence: 1 + dnp3.application.control.uns: false + dnp3.application.function_code: 129 + dnp3.control.dir: false + dnp3.control.fcb: false + dnp3.control.fcv: false + dnp3.control.function_code: 4 + dnp3.control.pri: true + dnp3.dst: 3 + dnp3.src: 4 + dnp3.type: response + event_type: dnp3 + pcap_cnt: 24 + proto: TCP + src_ip: 130.126.142.250 + src_port: 50276 +- filter: + count: 1 + match: + 
dest_ip: 130.126.140.229 + dest_port: 20000 + dnp3.application.complete: true + dnp3.application.control.con: false + dnp3.application.control.fin: true + dnp3.application.control.fir: true + dnp3.application.control.sequence: 2 + dnp3.application.control.uns: false + dnp3.application.function_code: 26 + dnp3.application.objects[0].count: 1 + dnp3.application.objects[0].group: 70 + dnp3.application.objects[0].points[0].file_handle: 305419896 + dnp3.application.objects[0].points[0].file_size: 0 + dnp3.application.objects[0].points[0].index: 0 + dnp3.application.objects[0].points[0].maximum_block_size: 0 + dnp3.application.objects[0].points[0].optional_text: '' + dnp3.application.objects[0].points[0].prefix: 13 + dnp3.application.objects[0].points[0].request_id: 5 + dnp3.application.objects[0].points[0].size: 13 + dnp3.application.objects[0].points[0].status_code: 0 + dnp3.application.objects[0].prefix_code: 5 + dnp3.application.objects[0].qualifier: 91 + dnp3.application.objects[0].range_code: 11 + dnp3.application.objects[0].start: 0 + dnp3.application.objects[0].stop: 0 + dnp3.application.objects[0].variation: 4 + dnp3.control.dir: true + dnp3.control.fcb: false + dnp3.control.fcv: false + dnp3.control.function_code: 4 + dnp3.control.pri: true + dnp3.dst: 4 + dnp3.src: 3 + dnp3.type: request + event_type: dnp3 + pcap_cnt: 25 + proto: TCP + src_ip: 130.126.142.250 + src_port: 50276 +- filter: + count: 1 + match: + dest_ip: 130.126.140.229 + dest_port: 20000 + dnp3.application.complete: true + dnp3.application.control.con: false + dnp3.application.control.fin: true + dnp3.application.control.fir: true + dnp3.application.control.sequence: 2 + dnp3.application.control.uns: false + dnp3.application.function_code: 129 + dnp3.application.objects[0].count: 1 + dnp3.application.objects[0].group: 70 + dnp3.application.objects[0].points[0].file_handle: 305419896 + dnp3.application.objects[0].points[0].file_size: 0 + dnp3.application.objects[0].points[0].index: 0 + 
dnp3.application.objects[0].points[0].maximum_block_size: 0 + dnp3.application.objects[0].points[0].optional_text: '' + dnp3.application.objects[0].points[0].prefix: 13 + dnp3.application.objects[0].points[0].request_id: 5 + dnp3.application.objects[0].points[0].size: 13 + dnp3.application.objects[0].points[0].status_code: 0 + dnp3.application.objects[0].prefix_code: 5 + dnp3.application.objects[0].qualifier: 91 + dnp3.application.objects[0].range_code: 11 + dnp3.application.objects[0].start: 0 + dnp3.application.objects[0].stop: 0 + dnp3.application.objects[0].variation: 4 + dnp3.control.dir: false + dnp3.control.fcb: false + dnp3.control.fcv: false + dnp3.control.function_code: 4 + dnp3.control.pri: true + dnp3.dst: 3 + dnp3.src: 4 + dnp3.type: response + event_type: dnp3 + pcap_cnt: 29 + proto: TCP + src_ip: 130.126.142.250 + src_port: 50276 +- filter: + count: 1 + match: + app_proto: dnp3 + dest_ip: 130.126.140.229 + dest_port: 20000 + event_type: flow + flow.age: 15 + flow.alerted: false + flow.bytes_toclient: 2042 + flow.bytes_toserver: 943 + flow.pkts_toclient: 17 + flow.pkts_toserver: 13 + flow.reason: shutdown + flow.state: closed + proto: TCP + src_ip: 130.126.142.250 + src_port: 50276 + tcp.ack: true + tcp.fin: true + tcp.psh: true + tcp.state: closed + tcp.syn: true + tcp.tcp_flags: 1b + tcp.tcp_flags_tc: 1b + tcp.tcp_flags_ts: 1b diff --git a/tests/dnp3-file-write/README.md b/tests/dnp3-file-write/README.md new file mode 100644 index 000000000..d09a35d10 --- /dev/null +++ b/tests/dnp3-file-write/README.md @@ -0,0 +1,4 @@ +PCAP +==== + +PCAP from https://github.com/bro/bro/tree/master/testing/btest/Traces/dnp3 diff --git a/tests/dnp3-file-write/input.pcap b/tests/dnp3-file-write/input.pcap new file mode 100644 index 000000000..571720be0 Binary files /dev/null and b/tests/dnp3-file-write/input.pcap differ diff --git a/tests/dnp3-file-write/suricata.yaml b/tests/dnp3-file-write/suricata.yaml new file mode 100644 index 000000000..6000e1e87 --- /dev/null 
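Review bot: The checks pin nine individual dnp3 events (pcap_cnt 5, 7, 8, 19, 21, 22, 24, 25 and 29) but never assert the total number of dnp3 events, so duplicated or spurious events — for instance from the file-data packets between pcap_cnt 8 and 19, which none of the filters cover although the flow summary reports 30 packets (`flow.pkts_toclient: 17`, `flow.pkts_toserver: 13`) — would still pass. A closing filter with the count taken from the known-good eve.json catches that: `- filter:` / `count: <expected-dnp3-event-count>` / `match:` / `event_type: dnp3`. The dnp3-file-write test.yaml hunk has the same shape (events pinned at pcap_cnt 5, 7, 17 and 21 out of 22 packets) and would benefit from the same total.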
+++ b/tests/dnp3-file-write/suricata.yaml
@@ -0,0 +1,25 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ # enable/disable the community id feature.
+ community-id: true
+ # Seed value for the ID output. Valid values are 0-65535.
+ community-id-seed: 0
+
+ types:
+ - alert
+ - anomaly
+ - dnp3
+ - flow
+
+app-layer:
+ protocols:
+ dnp3:
+ enabled: yes
+ detection-ports:
+ dp: 20000
diff --git a/tests/dnp3-file-write/test.yaml b/tests/dnp3-file-write/test.yaml
new file mode 100644
index 000000000..2ed631dff
--- /dev/null
+++ b/tests/dnp3-file-write/test.yaml
@@ -0,0 +1,208 @@ +requires: + min-version: 5 + features: + - HAVE_LIBJANSSON + +args: +- -k none + +checks: +- filter: + count: 1 + match: + dest_ip: 130.126.140.229 + dest_port: 20000 + dnp3.application.complete: true + dnp3.application.control.con: false + dnp3.application.control.fin: true + dnp3.application.control.fir: true + dnp3.application.control.sequence: 6 + dnp3.application.control.uns: false + dnp3.application.function_code: 25 + dnp3.application.objects[0].count: 1 + dnp3.application.objects[0].group: 70 + dnp3.application.objects[0].points[0].authentication_key: 0 + dnp3.application.objects[0].points[0].created: 0 + dnp3.application.objects[0].points[0].file_size: 0 + dnp3.application.objects[0].points[0].filename: C:/temp/DNPDeviceConfiguration + written to Remote Device.xml + dnp3.application.objects[0].points[0].filename_offset: 26 + dnp3.application.objects[0].points[0].filename_size: 59 + dnp3.application.objects[0].points[0].index: 0 + dnp3.application.objects[0].points[0].maximum_block_size: 1024 + dnp3.application.objects[0].points[0].operational_mode: 2 + dnp3.application.objects[0].points[0].permissions: 511 + dnp3.application.objects[0].points[0].prefix: 85 + dnp3.application.objects[0].points[0].request_id: 6 + dnp3.application.objects[0].points[0].size: 85 + dnp3.application.objects[0].prefix_code: 5 + dnp3.application.objects[0].qualifier: 91 + dnp3.application.objects[0].range_code: 11 + dnp3.application.objects[0].start: 0 + dnp3.application.objects[0].stop: 0 + dnp3.application.objects[0].variation: 3 + dnp3.control.dir: true + dnp3.control.fcb: false + dnp3.control.fcv: false + dnp3.control.function_code: 4 + dnp3.control.pri: true + dnp3.dst: 4 + dnp3.src: 3 + dnp3.type: request + event_type: dnp3 + pcap_cnt: 5 + proto: TCP + src_ip: 130.126.142.250 + src_port: 50300 +- filter: + count: 1 + match: + dest_ip: 130.126.140.229 + dest_port: 20000 + dnp3.application.complete: true + dnp3.application.control.con: false + 
dnp3.application.control.fin: true + dnp3.application.control.fir: true + dnp3.application.control.sequence: 6 + dnp3.application.control.uns: false + dnp3.application.function_code: 129 + dnp3.application.objects[0].count: 1 + dnp3.application.objects[0].group: 70 + dnp3.application.objects[0].points[0].file_handle: 305419896 + dnp3.application.objects[0].points[0].file_size: 0 + dnp3.application.objects[0].points[0].index: 0 + dnp3.application.objects[0].points[0].maximum_block_size: 1024 + dnp3.application.objects[0].points[0].optional_text: '' + dnp3.application.objects[0].points[0].prefix: 13 + dnp3.application.objects[0].points[0].request_id: 6 + dnp3.application.objects[0].points[0].size: 13 + dnp3.application.objects[0].points[0].status_code: 0 + dnp3.application.objects[0].prefix_code: 5 + dnp3.application.objects[0].qualifier: 91 + dnp3.application.objects[0].range_code: 11 + dnp3.application.objects[0].start: 0 + dnp3.application.objects[0].stop: 0 + dnp3.application.objects[0].variation: 4 + dnp3.control.dir: false + dnp3.control.fcb: false + dnp3.control.fcv: false + dnp3.control.function_code: 4 + dnp3.control.pri: true + dnp3.dst: 3 + dnp3.src: 4 + dnp3.type: response + event_type: dnp3 + pcap_cnt: 7 + proto: TCP + src_ip: 130.126.142.250 + src_port: 50300 +- filter: + count: 1 + match: + dest_ip: 130.126.140.229 + dest_port: 20000 + dnp3.application.complete: true + dnp3.application.control.con: false + dnp3.application.control.fin: true + dnp3.application.control.fir: true + dnp3.application.control.sequence: 8 + dnp3.application.control.uns: false + dnp3.application.function_code: 26 + dnp3.application.objects[0].count: 1 + dnp3.application.objects[0].group: 70 + dnp3.application.objects[0].points[0].file_handle: 305419896 + dnp3.application.objects[0].points[0].file_size: 0 + dnp3.application.objects[0].points[0].index: 0 + dnp3.application.objects[0].points[0].maximum_block_size: 0 + dnp3.application.objects[0].points[0].optional_text: '' + 
dnp3.application.objects[0].points[0].prefix: 13 + dnp3.application.objects[0].points[0].request_id: 7 + dnp3.application.objects[0].points[0].size: 13 + dnp3.application.objects[0].points[0].status_code: 0 + dnp3.application.objects[0].prefix_code: 5 + dnp3.application.objects[0].qualifier: 91 + dnp3.application.objects[0].range_code: 11 + dnp3.application.objects[0].start: 0 + dnp3.application.objects[0].stop: 0 + dnp3.application.objects[0].variation: 4 + dnp3.control.dir: true + dnp3.control.fcb: false + dnp3.control.fcv: false + dnp3.control.function_code: 4 + dnp3.control.pri: true + dnp3.dst: 4 + dnp3.src: 3 + dnp3.type: request + event_type: dnp3 + pcap_cnt: 17 + proto: TCP + src_ip: 130.126.142.250 + src_port: 50300 +- filter: + count: 1 + match: + dest_ip: 130.126.140.229 + dest_port: 20000 + dnp3.application.complete: true + dnp3.application.control.con: false + dnp3.application.control.fin: true + dnp3.application.control.fir: true + dnp3.application.control.sequence: 8 + dnp3.application.control.uns: false + dnp3.application.function_code: 129 + dnp3.application.objects[0].count: 1 + dnp3.application.objects[0].group: 70 + dnp3.application.objects[0].points[0].file_handle: 305419896 + dnp3.application.objects[0].points[0].file_size: 0 + dnp3.application.objects[0].points[0].index: 0 + dnp3.application.objects[0].points[0].maximum_block_size: 0 + dnp3.application.objects[0].points[0].optional_text: '' + dnp3.application.objects[0].points[0].prefix: 13 + dnp3.application.objects[0].points[0].request_id: 7 + dnp3.application.objects[0].points[0].size: 13 + dnp3.application.objects[0].points[0].status_code: 0 + dnp3.application.objects[0].prefix_code: 5 + dnp3.application.objects[0].qualifier: 91 + dnp3.application.objects[0].range_code: 11 + dnp3.application.objects[0].start: 0 + dnp3.application.objects[0].stop: 0 + dnp3.application.objects[0].variation: 4 + dnp3.control.dir: false + dnp3.control.fcb: false + dnp3.control.fcv: false + 
dnp3.control.function_code: 4 + dnp3.control.pri: true + dnp3.dst: 3 + dnp3.src: 4 + dnp3.type: response + event_type: dnp3 + pcap_cnt: 21 + proto: TCP + src_ip: 130.126.142.250 + src_port: 50300 +- filter: + count: 1 + match: + app_proto: dnp3 + dest_ip: 130.126.140.229 + dest_port: 20000 + event_type: flow + flow.age: 5 + flow.alerted: false + flow.bytes_toclient: 770 + flow.bytes_toserver: 1722 + flow.pkts_toclient: 12 + flow.pkts_toserver: 10 + flow.reason: shutdown + flow.state: closed + proto: TCP + src_ip: 130.126.142.250 + src_port: 50300 + tcp.ack: true + tcp.fin: true + tcp.psh: true + tcp.state: closed + tcp.syn: true + tcp.tcp_flags: 1b + tcp.tcp_flags_tc: 1b + tcp.tcp_flags_ts: 1b diff --git a/tests/dnp3-select-operate/README.md b/tests/dnp3-select-operate/README.md new file mode 100644 index 000000000..d09a35d10 --- /dev/null +++ b/tests/dnp3-select-operate/README.md @@ -0,0 +1,4 @@ +PCAP +==== + +PCAP from https://github.com/bro/bro/tree/master/testing/btest/Traces/dnp3 diff --git a/tests/dnp3-select-operate/input.pcap b/tests/dnp3-select-operate/input.pcap new file mode 100644 index 000000000..fb9052ca2 Binary files /dev/null and b/tests/dnp3-select-operate/input.pcap differ diff --git a/tests/dnp3-select-operate/suricata.yaml b/tests/dnp3-select-operate/suricata.yaml new file mode 100644 index 000000000..6000e1e87 --- /dev/null +++ b/tests/dnp3-select-operate/suricata.yaml @@ -0,0 +1,25 @@ +%YAML 1.1 +--- + +outputs: + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + # enable/disable the community id feature. + community-id: true + # Seed value for the ID output. Valid values are 0-65535. + community-id-seed: 0 + + types: + - alert + - anomaly + - dnp3 + - flow + +app-layer: + protocols: + dnp3: + enabled: yes + detection-ports: + dp: 20000 diff --git a/tests/dnp3-select-operate/test.yaml b/tests/dnp3-select-operate/test.yaml new file mode 100644 index 000000000..200401454 
--- /dev/null
+++ b/tests/dnp3-select-operate/test.yaml
@@ -0,0 +1,211 @@
+requires:
+ min-version: 5
+ features:
+ - HAVE_LIBJANSSON
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ dest_ip: 130.126.140.229
+ dest_port: 20000
+ dnp3.application.complete: true
+ dnp3.application.control.con: false
+ dnp3.application.control.fin: true
+ dnp3.application.control.fir: true
+ dnp3.application.control.sequence: 7
+ dnp3.application.control.uns: false
+ dnp3.application.function_code: 3
+ dnp3.application.objects[0].count: 1
+ dnp3.application.objects[0].group: 12
+ dnp3.application.objects[0].points[0].count: 1
+ dnp3.application.objects[0].points[0].cr: 0
+ dnp3.application.objects[0].points[0].index: 1
+ dnp3.application.objects[0].points[0].offtime: 100
+ dnp3.application.objects[0].points[0].ontime: 100
+ dnp3.application.objects[0].points[0].op_type: 3
+ dnp3.application.objects[0].points[0].prefix: 1
+ dnp3.application.objects[0].points[0].qu: 0
+ dnp3.application.objects[0].points[0].reserved: 0
+ dnp3.application.objects[0].points[0].status_code: 0
+ dnp3.application.objects[0].points[0].tcc: 0
+ dnp3.application.objects[0].prefix_code: 2
+ dnp3.application.objects[0].qualifier: 40
+ dnp3.application.objects[0].range_code: 8
+ dnp3.application.objects[0].start: 0
+ dnp3.application.objects[0].stop: 0
+ dnp3.application.objects[0].variation: 1
+ dnp3.control.dir: true
+ dnp3.control.fcb: false
+ dnp3.control.fcv: false
+ dnp3.control.function_code: 4
+ dnp3.control.pri: true
+ dnp3.dst: 2
+ dnp3.src: 3
+ dnp3.type: request
+ event_type: dnp3
+ pcap_cnt: 5
+ proto: TCP
+ src_ip: 130.126.142.250
+ src_port: 49404
+- filter:
+ count: 1
+ match:
+ dest_ip: 130.126.140.229
+ dest_port: 20000
+ dnp3.application.complete: true
+ dnp3.application.control.con: false
+ dnp3.application.control.fin: true
+ dnp3.application.control.fir: true
+ dnp3.application.control.sequence: 7
+ dnp3.application.control.uns: false
+ dnp3.application.function_code: 129
+ dnp3.application.objects[0].count: 1
+ dnp3.application.objects[0].group: 12
+ dnp3.application.objects[0].points[0].count: 1
+ dnp3.application.objects[0].points[0].cr: 0
+ dnp3.application.objects[0].points[0].index: 1
+ dnp3.application.objects[0].points[0].offtime: 100
+ dnp3.application.objects[0].points[0].ontime: 100
+ dnp3.application.objects[0].points[0].op_type: 3
+ dnp3.application.objects[0].points[0].prefix: 1
+ dnp3.application.objects[0].points[0].qu: 0
+ dnp3.application.objects[0].points[0].reserved: 0
+ dnp3.application.objects[0].points[0].status_code: 0
+ dnp3.application.objects[0].points[0].tcc: 0
+ dnp3.application.objects[0].prefix_code: 2
+ dnp3.application.objects[0].qualifier: 40
+ dnp3.application.objects[0].range_code: 8
+ dnp3.application.objects[0].start: 0
+ dnp3.application.objects[0].stop: 0
+ dnp3.application.objects[0].variation: 1
+ dnp3.control.dir: false
+ dnp3.control.fcb: false
+ dnp3.control.fcv: false
+ dnp3.control.function_code: 4
+ dnp3.control.pri: true
+ dnp3.dst: 3
+ dnp3.src: 2
+ dnp3.type: response
+ event_type: dnp3
+ pcap_cnt: 7
+ proto: TCP
+ src_ip: 130.126.142.250
+ src_port: 49404
+- filter:
+ count: 1
+ match:
+ dest_ip: 130.126.140.229
+ dest_port: 20000
+ dnp3.application.complete: true
+ dnp3.application.control.con: false
+ dnp3.application.control.fin: true
+ dnp3.application.control.fir: true
+ dnp3.application.control.sequence: 8
+ dnp3.application.control.uns: false
+ dnp3.application.function_code: 4
+ dnp3.application.objects[0].count: 1
+ dnp3.application.objects[0].group: 12
+ dnp3.application.objects[0].points[0].count: 1
+ dnp3.application.objects[0].points[0].cr: 0
+ dnp3.application.objects[0].points[0].index: 1
+ dnp3.application.objects[0].points[0].offtime: 100
+ dnp3.application.objects[0].points[0].ontime: 100
+ dnp3.application.objects[0].points[0].op_type: 3
+ dnp3.application.objects[0].points[0].prefix: 1
+ dnp3.application.objects[0].points[0].qu: 0
+ dnp3.application.objects[0].points[0].reserved: 0
+ dnp3.application.objects[0].points[0].status_code: 0
+ dnp3.application.objects[0].points[0].tcc: 0
+ dnp3.application.objects[0].prefix_code: 2
+ dnp3.application.objects[0].qualifier: 40
+ dnp3.application.objects[0].range_code: 8
+ dnp3.application.objects[0].start: 0
+ dnp3.application.objects[0].stop: 0
+ dnp3.application.objects[0].variation: 1
+ dnp3.control.dir: true
+ dnp3.control.fcb: false
+ dnp3.control.fcv: false
+ dnp3.control.function_code: 4
+ dnp3.control.pri: true
+ dnp3.dst: 2
+ dnp3.src: 3
+ dnp3.type: request
+ event_type: dnp3
+ pcap_cnt: 8
+ proto: TCP
+ src_ip: 130.126.142.250
+ src_port: 49404
+- filter:
+ count: 1
+ match:
+ dest_ip: 130.126.140.229
+ dest_port: 20000
+ dnp3.application.complete: true
+ dnp3.application.control.con: false
+ dnp3.application.control.fin: true
+ dnp3.application.control.fir: true
+ dnp3.application.control.sequence: 8
+ dnp3.application.control.uns: false
+ dnp3.application.function_code: 129
+ dnp3.application.objects[0].count: 1
+ dnp3.application.objects[0].group: 12
+ dnp3.application.objects[0].points[0].count: 1
+ dnp3.application.objects[0].points[0].cr: 0
+ dnp3.application.objects[0].points[0].index: 1
+ dnp3.application.objects[0].points[0].offtime: 100
+ dnp3.application.objects[0].points[0].ontime: 100
+ dnp3.application.objects[0].points[0].op_type: 3
+ dnp3.application.objects[0].points[0].prefix: 1
+ dnp3.application.objects[0].points[0].qu: 0
+ dnp3.application.objects[0].points[0].reserved: 0
+ dnp3.application.objects[0].points[0].status_code: 0
+ dnp3.application.objects[0].points[0].tcc: 0
+ dnp3.application.objects[0].prefix_code: 2
+ dnp3.application.objects[0].qualifier: 40
+ dnp3.application.objects[0].range_code: 8
+ dnp3.application.objects[0].start: 0
+ dnp3.application.objects[0].stop: 0
+ dnp3.application.objects[0].variation: 1
+ dnp3.control.dir: false
+ dnp3.control.fcb: false
+ dnp3.control.fcv: false
+ dnp3.control.function_code: 4
+ dnp3.control.pri: true
+ dnp3.dst: 3
+ dnp3.src: 2
+ dnp3.type: response
+ event_type: dnp3
+ pcap_cnt: 12
+ proto: TCP
+ src_ip: 130.126.142.250
+ src_port: 49404
+- filter:
+ count: 1
+ match:
+ app_proto: dnp3
+ dest_ip: 130.126.140.229
+ dest_port: 20000
+ event_type: flow
+ flow.age: 8
+ flow.alerted: false
+ flow.bytes_toclient: 464
+ flow.bytes_toserver: 424
+ flow.pkts_toclient: 7
+ flow.pkts_toserver: 6
+ flow.reason: shutdown
+ flow.state: closed
+ proto: TCP
+ src_ip: 130.126.142.250
+ src_port: 49404
+ tcp.ack: true
+ tcp.fin: true
+ tcp.psh: true
+ tcp.state: closed
+ tcp.syn: true
+ tcp.tcp_flags: 1b
+ tcp.tcp_flags_tc: 1b
+ tcp.tcp_flags_ts: 1b
diff --git a/tests/dnp3-write/README.md b/tests/dnp3-write/README.md
new file mode 100644
index 000000000..d09a35d10
--- /dev/null
+++ b/tests/dnp3-write/README.md
@@ -0,0 +1,4 @@
+PCAP
+====
+
+PCAP from https://github.com/bro/bro/tree/master/testing/btest/Traces/dnp3
diff --git a/tests/dnp3-write/input.pcap b/tests/dnp3-write/input.pcap
new file mode 100644
index 000000000..f1fd3ec76
Binary files /dev/null and b/tests/dnp3-write/input.pcap differ
diff --git a/tests/dnp3-write/suricata.yaml b/tests/dnp3-write/suricata.yaml
new file mode 100644
index 000000000..6000e1e87
--- /dev/null
+++ b/tests/dnp3-write/suricata.yaml
@@ -0,0 +1,25 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ # enable/disable the community id feature.
+ community-id: true
+ # Seed value for the ID output. Valid values are 0-65535.
+ community-id-seed: 0
+
+ types:
+ - alert
+ - anomaly
+ - dnp3
+ - flow
+
+app-layer:
+ protocols:
+ dnp3:
+ enabled: yes
+ detection-ports:
+ dp: 20000
diff --git a/tests/dnp3-write/test.yaml b/tests/dnp3-write/test.yaml
new file mode 100644
index 000000000..d6413fe33
--- /dev/null
+++ b/tests/dnp3-write/test.yaml
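Review bot: The test.yaml for dnp3-select-operate never says what the trace exercises, so a reader has to reverse-engineer it from the four checks (function_code 3 then 4 on a single group 12 variation 1 point, each echoed by a function_code 129 response at application sequence 7 and 8). A one-line comment above `checks:` would make the intent reviewable without a pcap reader, e.g. `# Select (fc 3) then Operate (fc 4) of one CROB (g12v1, index 1) and the two echoed responses (fc 129).` The four `match:` blocks also repeat the same twenty object/point lines verbatim; if the runner's YAML loader honours anchors, an anchored block would make any later change to the object fields a one-place edit, otherwise the duplication is acceptable but worth a note.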
@@ -0,0 +1,96 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ min-version: 5.0.0
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ dest_ip: 130.126.140.229
+ dest_port: 20000
+ dnp3.application.complete: true
+ dnp3.application.control.con: false
+ dnp3.application.control.fin: true
+ dnp3.application.control.fir: true
+ dnp3.application.control.sequence: 0
+ dnp3.application.control.uns: false
+ dnp3.application.function_code: 2
+ dnp3.application.objects[0].count: 1
+ dnp3.application.objects[0].group: 50
+ dnp3.application.objects[0].points[0].index: 0
+ dnp3.application.objects[0].points[0].prefix: 0
+ dnp3.application.objects[0].points[0].timestamp: 1324332393859
+ dnp3.application.objects[0].prefix_code: 0
+ dnp3.application.objects[0].qualifier: 7
+ dnp3.application.objects[0].range_code: 7
+ dnp3.application.objects[0].start: 0
+ dnp3.application.objects[0].stop: 0
+ dnp3.application.objects[0].variation: 1
+ dnp3.control.dir: true
+ dnp3.control.fcb: false
+ dnp3.control.fcv: false
+ dnp3.control.function_code: 4
+ dnp3.control.pri: true
+ dnp3.dst: 2
+ dnp3.src: 3
+ dnp3.type: request
+ event_type: dnp3
+ pcap_cnt: 5
+ proto: TCP
+ src_ip: 130.126.142.250
+ src_port: 49411
+- filter:
+ count: 1
+ match:
+ dest_ip: 130.126.140.229
+ dest_port: 20000
+ dnp3.application.complete: true
+ dnp3.application.control.con: false
+ dnp3.application.control.fin: true
+ dnp3.application.control.fir: true
+ dnp3.application.control.sequence: 0
+ dnp3.application.control.uns: false
+ dnp3.application.function_code: 129
+ dnp3.control.dir: false
+ dnp3.control.fcb: false
+ dnp3.control.fcv: false
+ dnp3.control.function_code: 4
+ dnp3.control.pri: true
+ dnp3.dst: 3
+ dnp3.src: 2
+ dnp3.type: response
+ event_type: dnp3
+ pcap_cnt: 9
+ proto: TCP
+ src_ip: 130.126.142.250
+ src_port: 49411
+- filter:
+ count: 1
+ match:
+ app_proto: dnp3
+ dest_ip: 130.126.140.229
+ dest_port: 20000
+ event_type: flow
+ flow.age: 4
+ flow.alerted: false
+ flow.bytes_toclient: 299
+ flow.bytes_toserver: 325
+ flow.pkts_toclient: 5
+ flow.pkts_toserver: 5
+ flow.reason: shutdown
+ flow.state: closed
+ proto: TCP
+ src_ip: 130.126.142.250
+ src_port: 49411
+ tcp.ack: true
+ tcp.fin: true
+ tcp.psh: true
+ tcp.state: closed
+ tcp.syn: true
+ tcp.tcp_flags: 1b
+ tcp.tcp_flags_tc: 1b
+ tcp.tcp_flags_ts: 1b
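Review bot: The `requires:` block in dnp3-write is written differently from its sibling in dnp3-select-operate — here `features:` comes first and the version is `min-version: 5.0.0`, there it is `min-version: 5` followed by `features:` — and the two forms presumably mean the same thing to the runner, so they should be spelled the same way across the new tests; `requires:` / `  min-version: 5` / `  features:` matches the other file. As with the select-operate test, a short comment above `checks:` would help, e.g. `# Write (fc 2) of the g50v1 time-and-date object and the empty response (fc 129).`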