From 1b7bb895e3c02dc9422c569ff23dfc4f09879bb3 Mon Sep 17 00:00:00 2001
From: Simon Dugas <simon.dugas@cyber.gc.ca>
Date: Sun, 6 Dec 2020 17:20:24 +0000
Subject: [PATCH] modbus: add test cases

Add tests for modbus logging and alerting.
---
 tests/modbus/README.md     |   3 ++
 tests/modbus/modbus.pcap   | Bin 0 -> 8701 bytes
 tests/modbus/suricata.yaml |   9 ++++++
 tests/modbus/test.rules    |   5 ++++
 tests/modbus/test.yaml     |  58 +++++++++++++++++++++++++++++++++++++
 5 files changed, 75 insertions(+)
 create mode 100644 tests/modbus/README.md
 create mode 100644 tests/modbus/modbus.pcap
 create mode 100644 tests/modbus/suricata.yaml
 create mode 100644 tests/modbus/test.rules
 create mode 100644 tests/modbus/test.yaml

diff --git a/tests/modbus/README.md b/tests/modbus/README.md
new file mode 100644
index 000000000..ac84a538d
--- /dev/null
+++ b/tests/modbus/README.md
@@ -0,0 +1,3 @@
+Test Modbus output and alerts
+
+Sample PCAP edited from: https://github.com/ITI/ICS-Security-Tools/blob/master/pcaps/bro/modbus/modbus.pcap
diff --git a/tests/modbus/modbus.pcap b/tests/modbus/modbus.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..5e8e2ad012ba4ce8f538bce10ffe0674176a9773
GIT binary patch
literal 8701
zc-rlldr(x@9f0rM7t3A1U0&YB>O>%l(oNA?i;t0)n9hh{i8eF|pn!(hpiniA8mB@C
z#NdM{Hl(8wK@mrYrszQ91E@f3hZLGrQ76`60%9Vz!IBVNO}4-DTkhVwXK&B{?Zg>$
zarE2o<No%Xd+wEvrWy^W<D_3sC&%&dXTT@6gz4)7xP|bVd~upHJ%wr96I-|(e<PR7
zaZ#l^;<+M2c8I`n^WaPCyPO|u$lcqy@8PZI?G{JwaDl`mtQsW?DK4Um<@}tmhW<b}
zgvXEhE+-t|b=l3%>Y<-1S-}NN)&R0TP-R(wHCxGwD_}MjVPi1W*af^7>}F_OFR?7Z
zdQ>BDi{SMlHC9Y%F|te&O9<r0va9aDPX2MB#xWB73H&FW{w&YyG=x@DtDw=9G0s7(
ztd}c=z{30QhXJvqFwp6|f6SA16KIUi*U>GIaw`GiB<LK8*dldK0oLFGEtd$d6V+IA
zN=uNXS7nKg5$m(#D1%@mgGY!NNm?!r{whwbb(Zrsw$@RtlYm-b7oDTVzm5~N!cG&x
z#U(QZ-#|efC0GH-ND#bZUE(cRxr`||go4K?!APJU1i?GTPD*f5DpRl&1+|pmK|tC-
z@RoJHx8Uh?rr;eEJW2`LfLafNpBc|ng7q^DtZ^wr!2n9I9*}ckT&_l}kj5nnSf-19
ztk^e^#jCPJ$5rbrMJ(?kF6s1R#eRXYwN&g}pq_!)USpFYmf&W5#1!0#f*d7y29R+e
z__6g#Z$Wd9f=CO_aej${hbh50ptgZvM{u||@%bKq)&+S>b!}+_>QcBM?GX#53-T1O
zY(Y9!Z#iMD`d*bKI@+yPPdh@K9HwLS-o@VcsNSVO?S|f#;81U3_9`D%?=I~1r5w9~
znhw2ZBVwf96kwIjVt(3oWA9^CmgqQZ)hX-*7qKZ;%jzA*-a}MxI#91cZ$mKeO<b9*
zXZ7yEULVTw8c=hg_e4ab)SC*d#)Zt@z1ZteWr>ax;sZ}RLR_E3?7fG*2dUm%pbkK9
zb<j87#FF{U1*SrE4;cVz0rVb<5T)L!pV|_B^O}#mQ`&Wvg?S$P?m_ImH_kE&LHyX7
zl!iKK-+gXW-YE$!Zo3b??;_Jh(}WP(;07eQT7wc#u1N&q@xnmI$f<8UY5Cg~b4<HM
zl^#O3QOfN&5R=Hh``L$5=QLpH&gtc=K(pqQzK5(KRTk{KmkK%8t(`%L4$$&Q+<(eQ
z-$}`>QJPR}-Ac740ksM224%aMz)Jt6FU#&Q+TEt?n%s7)J?#kbZ&yq#yNPJGMa8Za
z?5@jpvB2uiFtM&fHQJ3(cCBb<f$MNY$qLD0dWECcIu)-r^!lTc^~D+{D*{>hsw@kz
zT9mB#mza%5u<<LZu?={Oan`CO)-qu2ar(3FWowW%tor#B9fw5e6R#00gto#bfJ=jK
z)6~|FB<BNMKZ>aJqX3A*uzplsy*y3}5iEh6Gkxv)yu$2FFF%p8cHP=dYgRu4Z*bxU
z$68KmQTN}J?l8PbIiwdyn5A?(upSiXSm{TR^`$CHbQFvKl+y{VZ?le-{t(l5Q0e7B
z9EJ3XtBuTb@&<YS%$@R>$7D;oqwpqmkp5DHQA)1_R-{AEI$1qN*(yr54rMLQipjT>
ztd$Ptj&|B(Jy3cbM=u|V_0HdI2@!Ae^d(WO$y%Jofl0t2cLZ8Lfgk(D!q!r0g<qL1
zugQc~ucWy?CyJ95_oPRqFF)odY%8w|1!5UFS<OG<Nz2{G)18V>uog#eAe?e51L8#T
zsmtFeb=CqaP?$jP+%jv9wjNm)RTiwFInTM*Q1UxZi2arcTs(Xeuhu%7n})3isMd)<
z-A_(d87bpLoxt<lQQ+N8*05?%py7`w!~MXV3bjM|c~WgVu)bbyV%0Vv%U_ixI)-wd
zR@7=Z4I%D((Zs5qj<uCk?Np#1CdaglL}e}ErPlegY8%l|qzn%OGa71d=D#S_-UimM
zbQ)Ie`^Yk>vP8$toVo5=EvM%+ggD7h!zICAC8^c^jElnB3aU05s3*ypFE(bJ=p$%#
zoG&L5<mz56EBF*jhEkFz0UHa!z4@u`=SWxJ5cIW{75pJ#eeP6ciH_bJn>!eCUBs@(
zTKX14aU06b#NfSDa4b-p$+<6csyDIrTRp4y9QF#7V>3|6mf4Y?B;^XgYP0gJ-t*Y|
zohnOobmW99?06UPWH`_2jmF+RRPSP-ULwcH%usLQl}P6Gy@0(&%JC9V?a<qj|8uGL
zC%}4nK6A0Uh`o<gS)!vQ$KbXzz(AW~fH*Wx`!Bse#@^jjuN|m8<QSRZ@FvC-F_)`W
z>@`r1JwVNX-iG{WsrPAMZO}4*c5TSgtFkP>nyF-2bXxjWO|j8(Hq|XC19-i5v$G{{
zijtM4XR@9`);p>!3$P|DSz!idV>>qLsK#F4W#Z3khQ!kJ*%Fp+GO~_kkMIUyxBGU~
z%8za6>su^s+EY5^ZI;l&UNtg~W%}<3t-oAxqijtpD~JbTGC7uI-t(j-ziMRND&vjL
zs!GZ&8HfpF(=Pu&>I?$b@A&}kA<P~5qFMZKnGa!Qb*Zvo(_S{uHMKi+dLN^&`G=SP
zn=gZ55dN}@XPo8q-{Xkxqee7gL*I3y-Tcrd50wb4k9{?)p)%r7b$Slfb)z&?OE>>8
zRR0Gr$skN=(y@lhi9_|a_fXyFwwu5GwLDbwfHil8z<5Mc=8LP|HqW8D(Jc+tcGv!D
z#v5*)(-PuWVg3v|gAVO>sn}fuyDZr*4p<kKupS_l323*Kvb*NC`<JI3A(pnV9<CVl
zs(S{p8vwg!WxHp9RehPsG9c?MRh9)<r<JU`mst;L%1l`L230x$yhO75ylHVi>;=|9
zC(mN}A*)1{WdW91$(r^NYXLLhPS(GZYD@&)ApX2gNvy5FvK?UU*M?wZZIoG-tmP?9
zRnqSNLbJSI6WYcDtb2(vf6vLaWbtF0HdloJ@m;d}r&>K}6Mn~f>}kM9y#3oKw|9XU
zN`C&Y{X^=!0IZ<80QtyCvt}Fc5o&*dDhsCem1Oskv)I601YYY_j&(f)u(X&e4FzT`
zIbh3ft-xBj*vN9j2dMq)DYsg;+XAH<;hl>YSZ)*0tw_bKksOC*w{~DH>e8~@M08t6
zxiz}oW+~kW?|h+w<z_~=9V%|k;P$EP_9tLv-e+D@E4t-VZq07D=}Nat!0SAsVYyk*
h?YAm!?cnxj*{uUu3-bI~Zei&53gy=BcAKnp`wxrsWSsy2

literal 0
Hc-jL100001

diff --git a/tests/modbus/suricata.yaml b/tests/modbus/suricata.yaml
new file mode 100644
index 000000000..d3758909d
--- /dev/null
+++ b/tests/modbus/suricata.yaml
@@ -0,0 +1,9 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: true
+      types:
+        - modbus
+        - alert
diff --git a/tests/modbus/test.rules b/tests/modbus/test.rules
new file mode 100644
index 000000000..e3411227c
--- /dev/null
+++ b/tests/modbus/test.rules
@@ -0,0 +1,5 @@
+alert modbus any any -> any any (msg:"Modbus function number test"; modbus: function 1; sid:1; rev:1;)
+alert modbus any any -> any any (msg:"Modbus function word test"; modbus: function assigned; sid:2; rev:1;)
+alert modbus any any -> any any (msg:"Modbus access test"; modbus: access read; sid:3; rev:1;)
+alert modbus any any -> any any (msg:"Modbus unit test"; modbus: unit 10; sid:4; rev:1;)
+alert modbus any any -> any any (msg:"Modbus full test"; modbus: unit >9, access read coils, address 0<>2; sid:5; rev:1;)
diff --git a/tests/modbus/test.yaml b/tests/modbus/test.yaml
new file mode 100644
index 000000000..e8fb58dd7
--- /dev/null
+++ b/tests/modbus/test.yaml
@@ -0,0 +1,58 @@
+requires:
+  min-version: 7.0.0
+
+args:
+  - -k none
+
+checks:
+
+  - filter:
+      count: 1
+      match:
+        event_type: modbus
+        modbus.id: 10
+
+  - filter:
+      count: 2
+      match:
+        event_type: modbus
+        modbus.request.function_code: RdCoils
+
+  - filter:
+      count: 2
+      match:
+        event_type: alert
+        alert.signature_id: 1
+        modbus.request.access_type: "READ | COILS"
+        modbus.response.category: "PUBLIC_ASSIGNED"
+
+  - filter:
+      count: 18
+      match:
+        event_type: alert
+        alert.signature_id: 2
+
+  - filter:
+      count: 3
+      match:
+        event_type: alert
+        alert.signature_id: 3
+
+  - filter:
+      count: 18
+      match:
+        event_type: alert
+        alert.signature_id: 4
+
+  - filter:
+      count: 2
+      match:
+        event_type: alert
+        alert.signature_id: 4
+        modbus.request.function_code: "MEI"
+
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 5
-- 
2.47.2