From f30d7bbbc7716d648f616e36d838668baafcdec3 Mon Sep 17 00:00:00 2001 
From: Victor Julien Date: Tue, 19 Jan 2021 19:23:24 +0100 Subject: [PATCH] tests: add dnp3 tests Based on pcaps from: https://github.com/bro/bro/tree/master/testing/btest/Traces/dnp3 --- tests/dnp3-del-measure/README.md | 4 + tests/dnp3-del-measure/input.pcap | Bin 0 -> 804 bytes tests/dnp3-del-measure/suricata.yaml | 25 ++ tests/dnp3-del-measure/test.yaml | 96 ++++++ tests/dnp3-en-spon/README.md | 4 + tests/dnp3-en-spon/input.pcap | Bin 0 -> 807 bytes tests/dnp3-en-spon/suricata.yaml | 25 ++ tests/dnp3-en-spon/test.yaml | 109 +++++++ tests/dnp3-eve/test.yaml | 5 +- tests/dnp3-file-del/README.md | 4 + tests/dnp3-file-del/input.pcap | Bin 0 -> 920 bytes tests/dnp3-file-del/suricata.yaml | 25 ++ tests/dnp3-file-del/test.yaml | 124 ++++++++ tests/dnp3-file-read/README.md | 4 + tests/dnp3-file-read/input.pcap | Bin 0 -> 3489 bytes tests/dnp3-file-read/suricata.yaml | 25 ++ tests/dnp3-file-read/test.yaml | 369 ++++++++++++++++++++++++ tests/dnp3-file-write/README.md | 4 + tests/dnp3-file-write/input.pcap | Bin 0 -> 2868 bytes tests/dnp3-file-write/suricata.yaml | 25 ++ tests/dnp3-file-write/test.yaml | 208 +++++++++++++ tests/dnp3-select-operate/README.md | 4 + tests/dnp3-select-operate/input.pcap | Bin 0 -> 1120 bytes tests/dnp3-select-operate/suricata.yaml | 25 ++ tests/dnp3-select-operate/test.yaml | 211 ++++++++++++++ tests/dnp3-write/README.md | 4 + tests/dnp3-write/input.pcap | Bin 0 -> 808 bytes tests/dnp3-write/suricata.yaml | 25 ++ tests/dnp3-write/test.yaml | 96 ++++++ 29 files changed, 1420 insertions(+), 1 deletion(-) create mode 100644 tests/dnp3-del-measure/README.md create mode 100644 tests/dnp3-del-measure/input.pcap create mode 100644 tests/dnp3-del-measure/suricata.yaml create mode 100644 tests/dnp3-del-measure/test.yaml create mode 100644 tests/dnp3-en-spon/README.md create mode 100644 tests/dnp3-en-spon/input.pcap create mode 100644 tests/dnp3-en-spon/suricata.yaml create mode 100644 tests/dnp3-en-spon/test.yaml create mode 100644 
tests/dnp3-file-del/README.md create mode 100644 tests/dnp3-file-del/input.pcap create mode 100644 tests/dnp3-file-del/suricata.yaml create mode 100644 tests/dnp3-file-del/test.yaml create mode 100644 tests/dnp3-file-read/README.md create mode 100644 tests/dnp3-file-read/input.pcap create mode 100644 tests/dnp3-file-read/suricata.yaml create mode 100644 tests/dnp3-file-read/test.yaml create mode 100644 tests/dnp3-file-write/README.md create mode 100644 tests/dnp3-file-write/input.pcap create mode 100644 tests/dnp3-file-write/suricata.yaml create mode 100644 tests/dnp3-file-write/test.yaml create mode 100644 tests/dnp3-select-operate/README.md create mode 100644 tests/dnp3-select-operate/input.pcap create mode 100644 tests/dnp3-select-operate/suricata.yaml create mode 100644 tests/dnp3-select-operate/test.yaml create mode 100644 tests/dnp3-write/README.md create mode 100644 tests/dnp3-write/input.pcap create mode 100644 tests/dnp3-write/suricata.yaml create mode 100644 tests/dnp3-write/test.yaml diff --git a/tests/dnp3-del-measure/README.md b/tests/dnp3-del-measure/README.md new file mode 100644 index 000000000..d09a35d10 --- /dev/null +++ b/tests/dnp3-del-measure/README.md @@ -0,0 +1,4 @@ +PCAP +==== + +PCAP from https://github.com/bro/bro/tree/master/testing/btest/Traces/dnp3 
diff --git a/tests/dnp3-del-measure/input.pcap b/tests/dnp3-del-measure/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..888dfd33d00d8e2940dcfac1cc18451bc09206e2 GIT binary patch literal 804 zc-no^KS%;m90%~=S}X_(q9tn0 zDIEGw;w{Yu1=bX`w6$e}{ob=HxQ=`9cyD;`^M2nS@4j|&$bk*?(QE<`TsxB=iR&>D zqPV9MdIvjthEB`#$FXGrVgMt`nGA)t?crj6t5M9CUaR(mbTo4_M-LY`2`*It&StL= zp63X$aa2r4|HPKna(~1{CN5EpstKuTe{)^cP)!xOC2%kNih?ex<06Dn3!ByGQ_h(f zGSrwtRZBW#f2dE-O|4s1q_^1oXN@Ws%<`LBZrQ&t0oYYRT012mfd2IR035ELl`q9T zM_>{6^o4P8Xw=`h%3Maa91sDR3Ejz%vtLi-cMgB@JEb?ZsQ8Z6u`~K{j`$!Q03d>` z&hb3qIDt^{=AWopnyZQ8E)^RaRHLfmQ;SpO^CYU(+^`SI-apZyi|u&=5^9p!jDgTS zn=xpZv5IOc?v#V|w%$#xQi6bjd&SI>Lmg&0O)ZZcOl$+#)?IA^Jal{S9k)d65^t9T z`*e-!7cm=z5e}QR2gH5Wo-wqi@PuaE$-&1Hz&9$Z%LJk*M9q|0vA~oyQ^mu<+nLo=*Y~TbuIK5IT0aH0`5l))iW`^|7<#lA7?@aCw=gm@Gchu7|?K_;$z2Qm$0s-MD<+U7GUwLnuZHwY;(EItW0kppJp6B&L68=z@6*xab0 zPzQEnDViHE15K?95OB~uQVjF=44_#?0t^hR7$6wKtT_txV6zyonkC_&>9mM}fi)%h z2nz!B>pNHJK0jGK3y0Sy2{T8_clO1~sEw?N;;FTf==y|yefIn_Bo zFD)~@v?#G8Gk-EqoJA~ zW}0COR}KAN;Bftk7Or({^E=%G1Q;2ZH5nLY0!^_}eTSY+ca=k$D)RHr#sNT zB>{pC@`oS6LJ?%vOrTkKeE$dR?(b;sUIH}F1MGVyVB`W#@#AE`XUbo&Dc`V~A_z2v g5n_r77XvL}x zOchgNRA-QxnwVBZNLv!oQBqozsejCrGCEXBhaf|L=iF>;)}6bP&F=fq;5E~y%Xk#k}F++@ zly&Q?5X8fGUW!G$4#t`%$r_$CVdNErf*i4}YNSFn+n!w-k*vy9j6)+)ABsD64*9|o#lA>7hXE4eZNy=~qIv!1pj5e!aS*#0wd}&P>N>=A8`l0gd_(7(Xr&T}&=}5Vn z&b9wY2$~N^=1YZ^;$6i;%MJ*w2IgB2p+!8~N9P*GLMx8xxU5JH%2fojnEoc;!?u#_oq8OZewJORv(Fp+wO5VXD7Iq86!)C0?m}j zL{q;$hQtS*aJ7aPDqMswBt*c%@S_#Q#26)zazR(lyP|Mm<9i$_Fh-dz);KdMb=ryb zMgiw3aJtBBn>$t?qt}-6y(YSZC|pDwPMa}`w{wIHFuSAJ9Npv6?-8pw&g`+56cM*@ z@dAeF-Tc&Y-f4_16ole0Ra14kva&L5S)A6xEz`y7b9d=ubPLkcGVO(=$fj|+d9qrt zx$Pvfd#ocjUK~xw+Aq?ihYCS*cjaETC>8`PiY9JPW34qT@%rYqzT1Sda!^}1$~!SpUWF(Sw;?b zv4}ET{!6mP>AKnxGoG_q*Hup>w1BZ;tRh0A@guvZ>|u>-Lm+If|QBkCBe$TGdxAbF48!JChf5IlWXmOYpoqvwG&lxt<7SsZS2|F z$u?hW%{%;C`#>OA3>UL>TgJEuF7R*=h81U&2)r=qBOA4coo*}?5}cL(ar7%{t*FH9 zw2P;#N!6T3@Yp>roCRAhPPK7+n%#uwS%h6t#hzkev8co(_boMWFg0BesZL(-a1}q- 
zvD;f*A*|f3qp?_)O&}&(xn}v&m{^TI2GH~nCB6EBU1BQ{3O$@DQy``Hb`zX#pW&%6 z=(>(xoFvW(*Kx$ggNC@5z7<0pqU;VM2&b}frdd0RCS8-zORlxUthKbaTRYVbt(iBr z`L}j6A{5ob_j;*)_E7#Dw$Hxbv$a$0zShhmXlpB2YYuY*l;hvp4}Ix!?J~xUdfvtK zfM2>xbGQoehVYd#=gylu!l0v@S;Y1pHyQ+#GlE5AI$cRUJe?g%)w1_nc_es`uso)` zokx?~Iy`aw_&=zJVD^Jl-}wA8YOA5pnLGQ-{Q#v)J-9Tv0epe}0JW|Y;~loEKgs|? zhLp5v-lI&~!~kg*eA2FePo)iF(#BN2IHQbJ^j2I+{jnfkF}menz^ANG%89fvkq0G2 z-ew|~BlH9)rn*p+0)!MP%7^(GjIu+L0&76sK}GgqYoN03*_kz9>=?x!yca6xy^VSA zAK?8qpjU%;9MSIY{be)r9zTnE&o86+j855t<}%e^2dG{RQ*<)#NeDd!%G@%wocDQ* zQY}dV@At#~y>~Q&_s73btY)_wEd=C3Der0CyA-?let`E*Kv#qJQFXNx8_v9s&+Kd& z`Q~X1aEmeg3qt5{6`jd;uD4taS!>?f$LnuNWK&jZ+SMK?7KBJUNQXq!U z>-?V|pSM5^eu|&mWV;PhOy@Fg>MOH-RVr9Ek9%fw4a0m5)`5wGH~i+?z9=halk8(+ zHq*T?Kz9T1#!~lZ?;!LXDEyEhIm!Y?*(*sI2$b6*#W_^&5vZ~^^YtLW*H|E(fNgp3 JhF^WY{s-mrZ$AJ4 literal 0 Hc-jL100001 diff --git a/tests/dnp3-file-read/suricata.yaml b/tests/dnp3-file-read/suricata.yaml new file mode 100644 index 000000000..6000e1e87 --- /dev/null +++ b/tests/dnp3-file-read/suricata.yaml @@ -0,0 +1,25 @@ +%YAML 1.1 +--- + +outputs: + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + # enable/disable the community id feature. + community-id: true + # Seed value for the ID output. Valid values are 0-65535. + community-id-seed: 0 + + types: + - alert + - anomaly + - dnp3 + - flow + +app-layer: + protocols: + dnp3: + enabled: yes + detection-ports: + dp: 20000 diff --git a/tests/dnp3-file-read/test.yaml b/tests/dnp3-file-read/test.yaml new file mode 100644 index 000000000..70d8a033a --- /dev/null +++ b/tests/dnp3-file-read/test.yaml 
@@ -0,0 +1,369 @@
+requires:
+ min-version: 5
+ features:
+ - HAVE_LIBJANSSON
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ dest_ip: 130.126.140.229
+ dest_port: 20000
+ dnp3.application.complete: true
+ dnp3.application.control.con: false
+ dnp3.application.control.fin: true
+ dnp3.application.control.fir: true
+ dnp3.application.control.sequence: 14
+ dnp3.application.control.uns: false
+ dnp3.application.function_code: 25
+ dnp3.application.objects[0].count: 1
+ dnp3.application.objects[0].group: 70
+ dnp3.application.objects[0].points[0].authentication_key: 0
+ dnp3.application.objects[0].points[0].created: 0
+ dnp3.application.objects[0].points[0].file_size: 0
+ dnp3.application.objects[0].points[0].filename: ./test.xml
+ dnp3.application.objects[0].points[0].filename_offset: 26
+ dnp3.application.objects[0].points[0].filename_size: 10
+ dnp3.application.objects[0].points[0].index: 0
+ dnp3.application.objects[0].points[0].maximum_block_size: 1024
+ dnp3.application.objects[0].points[0].operational_mode: 1
+ dnp3.application.objects[0].points[0].permissions: 0
+ dnp3.application.objects[0].points[0].prefix: 36
+ dnp3.application.objects[0].points[0].request_id: 4
+ dnp3.application.objects[0].points[0].size: 36
+ dnp3.application.objects[0].prefix_code: 5
+ dnp3.application.objects[0].qualifier: 91
+ dnp3.application.objects[0].range_code: 11
+ dnp3.application.objects[0].start: 0
+ dnp3.application.objects[0].stop: 0
+ dnp3.application.objects[0].variation: 3
+ dnp3.control.dir: true
+ dnp3.control.fcb: false
+ dnp3.control.fcv: false
+ dnp3.control.function_code: 4
+ dnp3.control.pri: true
+ dnp3.dst: 4
+ dnp3.src: 3
+ dnp3.type: request
+ event_type: dnp3
+ pcap_cnt: 5
+ proto: TCP
+ src_ip: 130.126.142.250
+ src_port: 50276
+- filter:
+ count: 1
+ match:
+ dest_ip: 130.126.140.229
+ dest_port: 20000
+ dnp3.application.complete: true
+ dnp3.application.control.con: false
+ dnp3.application.control.fin: true
+ dnp3.application.control.fir: true
+ dnp3.application.control.sequence: 14
+ dnp3.application.control.uns: false
+ dnp3.application.function_code: 129
+ dnp3.application.objects[0].count: 1
+ dnp3.application.objects[0].group: 70
+ dnp3.application.objects[0].points[0].file_handle: 305419896
+ dnp3.application.objects[0].points[0].file_size: 830
+ dnp3.application.objects[0].points[0].index: 0
+ dnp3.application.objects[0].points[0].maximum_block_size: 1024
+ dnp3.application.objects[0].points[0].optional_text: ''
+ dnp3.application.objects[0].points[0].prefix: 13
+ dnp3.application.objects[0].points[0].request_id: 4
+ dnp3.application.objects[0].points[0].size: 13
+ dnp3.application.objects[0].points[0].status_code: 0
+ dnp3.application.objects[0].prefix_code: 5
+ dnp3.application.objects[0].qualifier: 91
+ dnp3.application.objects[0].range_code: 11
+ dnp3.application.objects[0].start: 0
+ dnp3.application.objects[0].stop: 0
+ dnp3.application.objects[0].variation: 4
+ dnp3.control.dir: false
+ dnp3.control.fcb: false
+ dnp3.control.fcv: false
+ dnp3.control.function_code: 4
+ dnp3.control.pri: true
+ dnp3.dst: 3
+ dnp3.iin.indicators[0]: need_time
+ dnp3.src: 4
+ dnp3.type: response
+ event_type: dnp3
+ pcap_cnt: 7
+ proto: TCP
+ src_ip: 130.126.142.250
+ src_port: 50276
+- filter:
+ count: 1
+ match:
+ dest_ip: 130.126.140.229
+ dest_port: 20000
+ dnp3.application.complete: true
+ dnp3.application.control.con: false
+ dnp3.application.control.fin: true
+ dnp3.application.control.fir: true
+ dnp3.application.control.sequence: 15
+ dnp3.application.control.uns: false
+ dnp3.application.function_code: 1
+ dnp3.application.objects[0].count: 1
+ dnp3.application.objects[0].group: 70
+ dnp3.application.objects[0].points[0].block_number: 0
+ dnp3.application.objects[0].points[0].file_data: ''
+ dnp3.application.objects[0].points[0].file_handle: 305419896
+ dnp3.application.objects[0].points[0].index: 0
+ dnp3.application.objects[0].points[0].prefix: 8
+ dnp3.application.objects[0].points[0].size: 8
+ dnp3.application.objects[0].prefix_code: 5
+ dnp3.application.objects[0].qualifier: 91
+ dnp3.application.objects[0].range_code: 11
+ dnp3.application.objects[0].start: 0
+ dnp3.application.objects[0].stop: 0
+ dnp3.application.objects[0].variation: 5
+ dnp3.control.dir: true
+ dnp3.control.fcb: false
+ dnp3.control.fcv: false
+ dnp3.control.function_code: 4
+ dnp3.control.pri: true
+ dnp3.dst: 4
+ dnp3.src: 3
+ dnp3.type: request
+ event_type: dnp3
+ pcap_cnt: 8
+ proto: TCP
+ src_ip: 130.126.142.250
+ src_port: 50276
+- filter:
+ count: 1
+ match:
+ dest_ip: 130.126.140.229
+ dest_port: 20000
+ dnp3.application.complete: true
+ dnp3.application.control.con: false
+ dnp3.application.control.fin: true
+ dnp3.application.control.fir: true
+ dnp3.application.control.sequence: 0
+ dnp3.application.control.uns: false
+ dnp3.application.function_code: 2
+ dnp3.application.objects[0].count: 1
+ dnp3.application.objects[0].group: 50
+ dnp3.application.objects[0].points[0].index: 0
+ dnp3.application.objects[0].points[0].prefix: 0
+ dnp3.application.objects[0].points[0].timestamp: 1324573673682
+ dnp3.application.objects[0].prefix_code: 0
+ dnp3.application.objects[0].qualifier: 7
+ dnp3.application.objects[0].range_code: 7
+ dnp3.application.objects[0].start: 0
+ dnp3.application.objects[0].stop: 0
+ dnp3.application.objects[0].variation: 1
+ dnp3.control.dir: true
+ dnp3.control.fcb: false
+ dnp3.control.fcv: false
+ dnp3.control.function_code: 4
+ dnp3.control.pri: true
+ dnp3.dst: 4
+ dnp3.src: 3
+ dnp3.type: request
+ event_type: dnp3
+ pcap_cnt: 19
+ proto: TCP
+ src_ip: 130.126.142.250
+ src_port: 50276
+- filter:
+ count: 1
+ match:
+ dest_ip: 130.126.140.229
+ dest_port: 20000
+ dnp3.application.complete: true
+ dnp3.application.control.con: false
+ dnp3.application.control.fin: true
+ dnp3.application.control.fir: true
+ dnp3.application.control.sequence: 0
+ dnp3.application.control.uns: false
+ dnp3.application.function_code: 129
+ dnp3.control.dir: false
+ dnp3.control.fcb: false
+ dnp3.control.fcv: false
+ dnp3.control.function_code: 4
+ dnp3.control.pri: true
+ dnp3.dst: 3
+ dnp3.src: 4
+ dnp3.type: response
+ event_type: dnp3
+ pcap_cnt: 21
+ proto: TCP
+ src_ip: 130.126.142.250
+ src_port: 50276
+- filter:
+ count: 1
+ match:
+ dest_ip: 130.126.140.229
+ dest_port: 20000
+ dnp3.application.complete: true
+ dnp3.application.control.con: false
+ dnp3.application.control.fin: true
+ dnp3.application.control.fir: true
+ dnp3.application.control.sequence: 1
+ dnp3.application.control.uns: false
+ dnp3.application.function_code: 2
+ dnp3.application.objects[0].count: 1
+ dnp3.application.objects[0].group: 50
+ dnp3.application.objects[0].points[0].index: 0
+ dnp3.application.objects[0].points[0].prefix: 0
+ dnp3.application.objects[0].points[0].timestamp: 1324573673780
+ dnp3.application.objects[0].prefix_code: 0
+ dnp3.application.objects[0].qualifier: 7
+ dnp3.application.objects[0].range_code: 7
+ dnp3.application.objects[0].start: 0
+ dnp3.application.objects[0].stop: 0
+ dnp3.application.objects[0].variation: 1
+ dnp3.control.dir: true
+ dnp3.control.fcb: false
+ dnp3.control.fcv: false
+ dnp3.control.function_code: 4
+ dnp3.control.pri: true
+ dnp3.dst: 4
+ dnp3.src: 3
+ dnp3.type: request
+ event_type: dnp3
+ pcap_cnt: 22
+ proto: TCP
+ src_ip: 130.126.142.250
+ src_port: 50276
+- filter:
+ count: 1
+ match:
+ dest_ip: 130.126.140.229
+ dest_port: 20000
+ dnp3.application.complete: true
+ dnp3.application.control.con: false
+ dnp3.application.control.fin: true
+ dnp3.application.control.fir: true
+ dnp3.application.control.sequence: 1
+ dnp3.application.control.uns: false
+ dnp3.application.function_code: 129
+ dnp3.control.dir: false
+ dnp3.control.fcb: false
+ dnp3.control.fcv: false
+ dnp3.control.function_code: 4
+ dnp3.control.pri: true
+ dnp3.dst: 3
+ dnp3.src: 4
+ dnp3.type: response
+ event_type: dnp3
+ pcap_cnt: 24
+ proto: TCP
+ src_ip: 130.126.142.250
+ src_port: 50276
+- filter:
+ count: 1
+ match:
+ dest_ip: 130.126.140.229
+ dest_port: 20000
+ dnp3.application.complete: true
+ dnp3.application.control.con: false
+ dnp3.application.control.fin: true
+ dnp3.application.control.fir: true
+ dnp3.application.control.sequence: 2
+ dnp3.application.control.uns: false
+ dnp3.application.function_code: 26
+ dnp3.application.objects[0].count: 1
+ dnp3.application.objects[0].group: 70
+ dnp3.application.objects[0].points[0].file_handle: 305419896
+ dnp3.application.objects[0].points[0].file_size: 0
+ dnp3.application.objects[0].points[0].index: 0
+ dnp3.application.objects[0].points[0].maximum_block_size: 0
+ dnp3.application.objects[0].points[0].optional_text: ''
+ dnp3.application.objects[0].points[0].prefix: 13
+ dnp3.application.objects[0].points[0].request_id: 5
+ dnp3.application.objects[0].points[0].size: 13
+ dnp3.application.objects[0].points[0].status_code: 0
+ dnp3.application.objects[0].prefix_code: 5
+ dnp3.application.objects[0].qualifier: 91
+ dnp3.application.objects[0].range_code: 11
+ dnp3.application.objects[0].start: 0
+ dnp3.application.objects[0].stop: 0
+ dnp3.application.objects[0].variation: 4
+ dnp3.control.dir: true
+ dnp3.control.fcb: false
+ dnp3.control.fcv: false
+ dnp3.control.function_code: 4
+ dnp3.control.pri: true
+ dnp3.dst: 4
+ dnp3.src: 3
+ dnp3.type: request
+ event_type: dnp3
+ pcap_cnt: 25
+ proto: TCP
+ src_ip: 130.126.142.250
+ src_port: 50276
+- filter:
+ count: 1
+ match:
+ dest_ip: 130.126.140.229
+ dest_port: 20000
+ dnp3.application.complete: true
+ dnp3.application.control.con: false
+ dnp3.application.control.fin: true
+ dnp3.application.control.fir: true
+ dnp3.application.control.sequence: 2
+ dnp3.application.control.uns: false
+ dnp3.application.function_code: 129
+ dnp3.application.objects[0].count: 1
+ dnp3.application.objects[0].group: 70
+ dnp3.application.objects[0].points[0].file_handle: 305419896
+ dnp3.application.objects[0].points[0].file_size: 0
+ dnp3.application.objects[0].points[0].index: 0
+ dnp3.application.objects[0].points[0].maximum_block_size: 0
+ dnp3.application.objects[0].points[0].optional_text: ''
+ dnp3.application.objects[0].points[0].prefix: 13
+ dnp3.application.objects[0].points[0].request_id: 5
+ dnp3.application.objects[0].points[0].size: 13
+ dnp3.application.objects[0].points[0].status_code: 0
+ dnp3.application.objects[0].prefix_code: 5
+ dnp3.application.objects[0].qualifier: 91
+ dnp3.application.objects[0].range_code: 11
+ dnp3.application.objects[0].start: 0
+ dnp3.application.objects[0].stop: 0
+ dnp3.application.objects[0].variation: 4
+ dnp3.control.dir: false
+ dnp3.control.fcb: false
+ dnp3.control.fcv: false
+ dnp3.control.function_code: 4
+ dnp3.control.pri: true
+ dnp3.dst: 3
+ dnp3.src: 4
+ dnp3.type: response
+ event_type: dnp3
+ pcap_cnt: 29
+ proto: TCP
+ src_ip: 130.126.142.250
+ src_port: 50276
+- filter:
+ count: 1
+ match:
+ app_proto: dnp3
+ dest_ip: 130.126.140.229
+ dest_port: 20000
+ event_type: flow
+ flow.age: 15
+ flow.alerted: false
+ flow.bytes_toclient: 2042
+ flow.bytes_toserver: 943
+ flow.pkts_toclient: 17
+ flow.pkts_toserver: 13
+ flow.reason: shutdown
+ flow.state: closed
+ proto: TCP
+ src_ip: 130.126.142.250
+ src_port: 50276
+ tcp.ack: true
+ tcp.fin: true
+ tcp.psh: true
+ tcp.state: closed
+ tcp.syn: true
+ tcp.tcp_flags: 1b
+ tcp.tcp_flags_tc: 1b
+ tcp.tcp_flags_ts: 1b
diff --git a/tests/dnp3-file-write/README.md b/tests/dnp3-file-write/README.md
new file mode 100644
index 000000000..d09a35d10
--- /dev/null
+++ b/tests/dnp3-file-write/README.md
@@ -0,0 +1,4 @@
+PCAP
+====
+
+PCAP from https://github.com/bro/bro/tree/master/testing/btest/Traces/dnp3
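Review bot: None of the filters in this hunk pin the total number of `event_type: dnp3` records or assert that the parser raised no anomaly events, so a regression that drops one of the file-transfer records that are not individually matched (the closing flow record counts 30 packets, but only nine DNP3 messages are asserted) or that starts emitting `anomaly` records would still pass. Add `- filter: count: 0 match: event_type: anomaly` and a count filter on `event_type: dnp3` with the number of records the current build produces; the `anomaly` EVE type is already enabled in the accompanying suricata.yaml, so the zero-count check costs nothing. A one-line comment above `args:` saying why `-k none` is required (presumably invalid checksums in the Bro traces; verify) would also stop checksum validation being silently disabled looking like an oversight.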
diff --git a/tests/dnp3-file-write/input.pcap b/tests/dnp3-file-write/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..571720be039d4336752d4821758bb5acd8cc6141 GIT binary patch literal 2868 zc-noIYfO_@7{{N|qKKf#G@{seY{m*7N((3~+TsNy#6Ts2j)<3a?SZ~Y`@XF2TPTYI zhPn^V=m)oKMz>|&aB8+G3Mk8rk$}q{{eeZ$ zJnrkoEsfg-S{k?B?A~A}{Tat^vChpg1pHe8Vsx>`HCki#2a7zPgGedS0x(% zWyGWZFdC!UN%w~R_b=ok^>%YI0a!jlj0+Jvj>dx(Y1T+Nrt4dIjwN9^-bQL(S<<2m z@-$R8V|{Ze9uDFELy=g!^#>WN>uN++%A$;}PXS_G&TbuOq4%#dJu`~5RhpGB6BaPs z%2P~SO(kg}ec0k5a~J(hU}OoCj*=0?&r-S~*>IuxdBUVp}ksvtp5U_4Jq^N zT3CaGHIXQG<6}R6zQroi4a&dHyQR;u(GjYD6C_# znxAN4HOj$0;aY1-^ryMjNn^D>QHAl=qSmwTzQJM*bFK5rmh{FH#a3yGv^)~PcLUA$ zyG~mdqCBLI`eZ?x)+O2uS(z3Cp`ufA31ZFERGY!CRGVHkEX+@gXMK0Q?=i_rgNMp) zN)@6s)ZS~OHlsoVia8*AjKuAu#+9vJ+CUyV82V#)eoyScKoq}=JIUWZ8#WyMi?S#(kZ2?WQwY=*wO>S#8$qnatbJ9&Jx zx$%U%IvD2a+Ww68rm`d$UPslr@pENDG{1VdUlYdq)!r2HtKB==FYV}}u%tOVgGCvL z%zszi&~w|+wCqevUZ%xjSg=E_GNg{V{#OOnaf!7mii!Kfb@PZXOkMM`Kdz|87*Kyg ztaD7J?1v+o7gL9e`b;31)TgfCgW}&`=TCU6+WxnjKe0Q!G=DK+vAm50y&y#x#%ksx z?|c~Q5gOMzH%Kg`I1_|gMYz0867wtEf=ux3V4y~O4k?hlwH~U_bFIfw=>=&J&9A52 zuYni+>e!2ZJztAkE2G5AvC;hcp8KU8>sQC#kY9rdqy5qa_Zt$_b?3LFTJo{%$#TDf z(@?qCh-MK1Hz_wI6{W9{g7sF(>-CF*lWk)n8`$T9T%mQ8%>JmI$WO@ERsA%cPun zH_xwZ*34G@DsE1MW9%G?boT7ipXYvkKGv_!-jH9jK4E?d z+^-`mHi!8&qs?j#mK2l~HetgUUE!L#2uAEEz8MIu0;^fwx_+5CYH{&pl+%hm^E=-> zffa1qs)?q?xfa!$va30(Y>#W}Ma_cM&KI+ETc`b%8zp|N_OEWlVzsP}Y#5sQ<` z^-e4AIX83ENe7U<3%|w#Ty1N|NPAMEuIC|M(W9`6nlM@o*JT|5qtt9nh;}wV=adT( zDX7b&^`p<`;d5ip=Ie|3on$0q@1}%kcd9;qr_zUMQ-ksLmrYreIO~h($ literal 0 Hc-jL100001 diff --git a/tests/dnp3-file-write/suricata.yaml b/tests/dnp3-file-write/suricata.yaml new file mode 100644 index 000000000..6000e1e87 --- /dev/null +++ b/tests/dnp3-file-write/suricata.yaml 
@@ -0,0 +1,25 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ # enable/disable the community id feature.
+ community-id: true
+ # Seed value for the ID output. Valid values are 0-65535.
+ community-id-seed: 0
+
+ types:
+ - alert
+ - anomaly
+ - dnp3
+ - flow
+
+app-layer:
+ protocols:
+ dnp3:
+ enabled: yes
+ detection-ports:
+ dp: 20000
diff --git a/tests/dnp3-file-write/test.yaml b/tests/dnp3-file-write/test.yaml
new file mode 100644
index 000000000..2ed631dff
--- /dev/null
+++ b/tests/dnp3-file-write/test.yaml
@@ -0,0 +1,208 @@
+requires:
+ min-version: 5
+ features:
+ - HAVE_LIBJANSSON
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ dest_ip: 130.126.140.229
+ dest_port: 20000
+ dnp3.application.complete: true
+ dnp3.application.control.con: false
+ dnp3.application.control.fin: true
+ dnp3.application.control.fir: true
+ dnp3.application.control.sequence: 6
+ dnp3.application.control.uns: false
+ dnp3.application.function_code: 25
+ dnp3.application.objects[0].count: 1
+ dnp3.application.objects[0].group: 70
+ dnp3.application.objects[0].points[0].authentication_key: 0
+ dnp3.application.objects[0].points[0].created: 0
+ dnp3.application.objects[0].points[0].file_size: 0
+ dnp3.application.objects[0].points[0].filename: C:/temp/DNPDeviceConfiguration
+ written to Remote Device.xml
+ dnp3.application.objects[0].points[0].filename_offset: 26
+ dnp3.application.objects[0].points[0].filename_size: 59
+ dnp3.application.objects[0].points[0].index: 0
+ dnp3.application.objects[0].points[0].maximum_block_size: 1024
+ dnp3.application.objects[0].points[0].operational_mode: 2
+ dnp3.application.objects[0].points[0].permissions: 511
+ dnp3.application.objects[0].points[0].prefix: 85
+ dnp3.application.objects[0].points[0].request_id: 6
+ dnp3.application.objects[0].points[0].size: 85
+ dnp3.application.objects[0].prefix_code: 5
+ dnp3.application.objects[0].qualifier: 91
+ dnp3.application.objects[0].range_code: 11
+ dnp3.application.objects[0].start: 0
+ dnp3.application.objects[0].stop: 0
+ dnp3.application.objects[0].variation: 3
+ dnp3.control.dir: true
+ dnp3.control.fcb: false
+ dnp3.control.fcv: false
+ dnp3.control.function_code: 4
+ dnp3.control.pri: true
+ dnp3.dst: 4
+ dnp3.src: 3
+ dnp3.type: request
+ event_type: dnp3
+ pcap_cnt: 5
+ proto: TCP
+ src_ip: 130.126.142.250
+ src_port: 50300
+- filter:
+ count: 1
+ match:
+ dest_ip: 130.126.140.229
+ dest_port: 20000
+ dnp3.application.complete: true
+ dnp3.application.control.con: false
+ dnp3.application.control.fin: true
+ dnp3.application.control.fir: true
+ dnp3.application.control.sequence: 6
+ dnp3.application.control.uns: false
+ dnp3.application.function_code: 129
+ dnp3.application.objects[0].count: 1
+ dnp3.application.objects[0].group: 70
+ dnp3.application.objects[0].points[0].file_handle: 305419896
+ dnp3.application.objects[0].points[0].file_size: 0
+ dnp3.application.objects[0].points[0].index: 0
+ dnp3.application.objects[0].points[0].maximum_block_size: 1024
+ dnp3.application.objects[0].points[0].optional_text: ''
+ dnp3.application.objects[0].points[0].prefix: 13
+ dnp3.application.objects[0].points[0].request_id: 6
+ dnp3.application.objects[0].points[0].size: 13
+ dnp3.application.objects[0].points[0].status_code: 0
+ dnp3.application.objects[0].prefix_code: 5
+ dnp3.application.objects[0].qualifier: 91
+ dnp3.application.objects[0].range_code: 11
+ dnp3.application.objects[0].start: 0
+ dnp3.application.objects[0].stop: 0
+ dnp3.application.objects[0].variation: 4
+ dnp3.control.dir: false
+ dnp3.control.fcb: false
+ dnp3.control.fcv: false
+ dnp3.control.function_code: 4
+ dnp3.control.pri: true
+ dnp3.dst: 3
+ dnp3.src: 4
+ dnp3.type: response
+ event_type: dnp3
+ pcap_cnt: 7
+ proto: TCP
+ src_ip: 130.126.142.250
+ src_port: 50300
+- filter:
+ count: 1
+ match:
+ dest_ip: 130.126.140.229
+ dest_port: 20000
+ dnp3.application.complete: true
+ dnp3.application.control.con: false
+ dnp3.application.control.fin: true
+ dnp3.application.control.fir: true
+ dnp3.application.control.sequence: 8
+ dnp3.application.control.uns: false
+ dnp3.application.function_code: 26
+ dnp3.application.objects[0].count: 1
+ dnp3.application.objects[0].group: 70
+ dnp3.application.objects[0].points[0].file_handle: 305419896
+ dnp3.application.objects[0].points[0].file_size: 0
+ dnp3.application.objects[0].points[0].index: 0
+ dnp3.application.objects[0].points[0].maximum_block_size: 0
+ dnp3.application.objects[0].points[0].optional_text: ''
+ dnp3.application.objects[0].points[0].prefix: 13
+ dnp3.application.objects[0].points[0].request_id: 7
+ dnp3.application.objects[0].points[0].size: 13
+ dnp3.application.objects[0].points[0].status_code: 0
+ dnp3.application.objects[0].prefix_code: 5
+ dnp3.application.objects[0].qualifier: 91
+ dnp3.application.objects[0].range_code: 11
+ dnp3.application.objects[0].start: 0
+ dnp3.application.objects[0].stop: 0
+ dnp3.application.objects[0].variation: 4
+ dnp3.control.dir: true
+ dnp3.control.fcb: false
+ dnp3.control.fcv: false
+ dnp3.control.function_code: 4
+ dnp3.control.pri: true
+ dnp3.dst: 4
+ dnp3.src: 3
+ dnp3.type: request
+ event_type: dnp3
+ pcap_cnt: 17
+ proto: TCP
+ src_ip: 130.126.142.250
+ src_port: 50300
+- filter:
+ count: 1
+ match:
+ dest_ip: 130.126.140.229
+ dest_port: 20000
+ dnp3.application.complete: true
+ dnp3.application.control.con: false
+ dnp3.application.control.fin: true
+ dnp3.application.control.fir: true
+ dnp3.application.control.sequence: 8
+ dnp3.application.control.uns: false
+ dnp3.application.function_code: 129
+ dnp3.application.objects[0].count: 1
+ dnp3.application.objects[0].group: 70
+ dnp3.application.objects[0].points[0].file_handle: 305419896
+ dnp3.application.objects[0].points[0].file_size: 0
+ dnp3.application.objects[0].points[0].index: 0
+ dnp3.application.objects[0].points[0].maximum_block_size: 0
+ dnp3.application.objects[0].points[0].optional_text: ''
+ dnp3.application.objects[0].points[0].prefix: 13
+ dnp3.application.objects[0].points[0].request_id: 7
+ dnp3.application.objects[0].points[0].size: 13
+ dnp3.application.objects[0].points[0].status_code: 0
+ dnp3.application.objects[0].prefix_code: 5
+ dnp3.application.objects[0].qualifier: 91
+ dnp3.application.objects[0].range_code: 11
+ dnp3.application.objects[0].start: 0
+ dnp3.application.objects[0].stop: 0
+ dnp3.application.objects[0].variation: 4
+ dnp3.control.dir: false
+ dnp3.control.fcb: false
+ dnp3.control.fcv: false
+
dnp3.control.function_code: 4 + dnp3.control.pri: true + dnp3.dst: 3 + dnp3.src: 4 + dnp3.type: response + event_type: dnp3 + pcap_cnt: 21 + proto: TCP + src_ip: 130.126.142.250 + src_port: 50300 +- filter: + count: 1 + match: + app_proto: dnp3 + dest_ip: 130.126.140.229 + dest_port: 20000 + event_type: flow + flow.age: 5 + flow.alerted: false + flow.bytes_toclient: 770 + flow.bytes_toserver: 1722 + flow.pkts_toclient: 12 + flow.pkts_toserver: 10 + flow.reason: shutdown + flow.state: closed + proto: TCP + src_ip: 130.126.142.250 + src_port: 50300 + tcp.ack: true + tcp.fin: true + tcp.psh: true + tcp.state: closed + tcp.syn: true + tcp.tcp_flags: 1b + tcp.tcp_flags_tc: 1b + tcp.tcp_flags_ts: 1b diff --git a/tests/dnp3-select-operate/README.md b/tests/dnp3-select-operate/README.md new file mode 100644 index 000000000..d09a35d10 --- /dev/null +++ b/tests/dnp3-select-operate/README.md @@ -0,0 +1,4 @@ +PCAP +==== + +PCAP from https://github.com/bro/bro/tree/master/testing/btest/Traces/dnp3 diff --git a/tests/dnp3-select-operate/input.pcap b/tests/dnp3-select-operate/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..fb9052ca2c5af16aa27f853fd7980e501e7d4e4d GIT binary patch literal 1120 zc-noFO-S2d9LAqFsYA`Meipyz+D)(?geqEhC>o@Cu(tG8O3{nGD|o9PRF5KxR1XCa z#&!{lit{iw4>CXM#$ZFnz}`KK9kzKHNT>eaw?<+J34|mNe$Vs#NWLHKy^>&qcHG_q zjIKY2uEISd3i|1upJ;L`buI6*<68sCQValH-sdV(Pc~2HXP2($XBRII3t`vbV$Cpr zIVHJp5&$Gy$v%^1i7}hRi5EIzkyYdtiS{i{{Osp6P7S*b3%hwo2T?<*Y8P(Y55!W9 zxG}20Pc*+-N00Y~==jahF+|kPNTu55{G#pVtky{dF}jbLv4Y+f!OEJl>eaUHZJ;F4 zcq~DNdUcwUpE3_4moiHbZaJS2IdLBJXT1VGdhnTP@Yr{RhJZmsCxuN!Dj7!3fnP-V zF{L2Rk!F;T{jH!hnNsQ*`akiy%>fw_f-8mG9H1-A-T?Q7c~mTGX{KG6d2KK=L2*$s z^QT2; zX8x5unBh^qYnI=iSC~06m`PLIbfijkIK$fa$5}CAS&aW6YQHqpo+jR^7*DPK5~Vz2 kN%<%!9j25jqKp+Og^cB{9b%7 literal 0 Hc-jL100001 diff --git a/tests/dnp3-select-operate/suricata.yaml b/tests/dnp3-select-operate/suricata.yaml new file mode 100644 index 000000000..6000e1e87 --- /dev/null 
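Review bot: The file-write test never asserts on the file data actually being written: its four dnp3 filters cover the g70v3 open request (pcap_cnt 5), its response (7), the g70v4 close (17) and its response (21), but there is no g70v5 record with `file_data`, whereas the sibling file-read test in this same patch pins a variation-5 record at pcap_cnt 8. If the parser logs the block write for this capture (the flow record shows 1722 bytes to the server, more than the four matched messages account for), add a filter pinning `dnp3.application.objects[0].variation: 5` and its `file_data` value, plus `- filter: count: 0 match: event_type: anomaly` so a parse error on that block fails the test instead of being dropped silently. The folded plain scalar split across `filename: C:/temp/DNPDeviceConfiguration` and `written to Remote Device.xml` reads like two separate keys; quoting it as `filename: 'C:/temp/DNPDeviceConfiguration written to Remote Device.xml'` keeps it on one line and makes the `filename_size: 59` assertion visibly consistent.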
+++ b/tests/dnp3-select-operate/suricata.yaml
@@ -0,0 +1,25 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ # enable/disable the community id feature.
+ community-id: true
+ # Seed value for the ID output. Valid values are 0-65535.
+ community-id-seed: 0
+
+ types:
+ - alert
+ - anomaly
+ - dnp3
+ - flow
+
+app-layer:
+ protocols:
+ dnp3:
+ enabled: yes
+ detection-ports:
+ dp: 20000
diff --git a/tests/dnp3-select-operate/test.yaml b/tests/dnp3-select-operate/test.yaml
new file mode 100644
index 000000000..200401454
--- /dev/null
+++ b/tests/dnp3-select-operate/test.yaml
@@ -0,0 +1,211 @@
+requires:
+ min-version: 5
+ features:
+ - HAVE_LIBJANSSON
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ dest_ip: 130.126.140.229
+ dest_port: 20000
+ dnp3.application.complete: true
+ dnp3.application.control.con: false
+ dnp3.application.control.fin: true
+ dnp3.application.control.fir: true
+ dnp3.application.control.sequence: 7
+ dnp3.application.control.uns: false
+ dnp3.application.function_code: 3
+ dnp3.application.objects[0].count: 1
+ dnp3.application.objects[0].group: 12
+ dnp3.application.objects[0].points[0].count: 1
+ dnp3.application.objects[0].points[0].cr: 0
+ dnp3.application.objects[0].points[0].index: 1
+ dnp3.application.objects[0].points[0].offtime: 100
+ dnp3.application.objects[0].points[0].ontime: 100
+ dnp3.application.objects[0].points[0].op_type: 3
+ dnp3.application.objects[0].points[0].prefix: 1
+ dnp3.application.objects[0].points[0].qu: 0
+ dnp3.application.objects[0].points[0].reserved: 0
+ dnp3.application.objects[0].points[0].status_code: 0
+ dnp3.application.objects[0].points[0].tcc: 0
+ dnp3.application.objects[0].prefix_code: 2
+ dnp3.application.objects[0].qualifier: 40
+ dnp3.application.objects[0].range_code: 8
+ dnp3.application.objects[0].start: 0
+ dnp3.application.objects[0].stop: 0
+ dnp3.application.objects[0].variation: 1
+ dnp3.control.dir: true
+ dnp3.control.fcb: false
+ dnp3.control.fcv: false
+ dnp3.control.function_code: 4
+ dnp3.control.pri: true
+ dnp3.dst: 2
+ dnp3.src: 3
+ dnp3.type: request
+ event_type: dnp3
+ pcap_cnt: 5
+ proto: TCP
+ src_ip: 130.126.142.250
+ src_port: 49404
+- filter:
+ count: 1
+ match:
+ dest_ip: 130.126.140.229
+ dest_port: 20000
+ dnp3.application.complete: true
+ dnp3.application.control.con: false
+ dnp3.application.control.fin: true
+ dnp3.application.control.fir: true
+ dnp3.application.control.sequence: 7
+ dnp3.application.control.uns: false
+ dnp3.application.function_code: 129
+ dnp3.application.objects[0].count: 1
+ dnp3.application.objects[0].group: 12
+ dnp3.application.objects[0].points[0].count: 1
+ dnp3.application.objects[0].points[0].cr: 0
+ dnp3.application.objects[0].points[0].index: 1
+ dnp3.application.objects[0].points[0].offtime: 100
+ dnp3.application.objects[0].points[0].ontime: 100
+ dnp3.application.objects[0].points[0].op_type: 3
+ dnp3.application.objects[0].points[0].prefix: 1
+ dnp3.application.objects[0].points[0].qu: 0
+ dnp3.application.objects[0].points[0].reserved: 0
+ dnp3.application.objects[0].points[0].status_code: 0
+ dnp3.application.objects[0].points[0].tcc: 0
+ dnp3.application.objects[0].prefix_code: 2
+ dnp3.application.objects[0].qualifier: 40
+ dnp3.application.objects[0].range_code: 8
+ dnp3.application.objects[0].start: 0
+ dnp3.application.objects[0].stop: 0
+ dnp3.application.objects[0].variation: 1
+ dnp3.control.dir: false
+ dnp3.control.fcb: false
+ dnp3.control.fcv: false
+ dnp3.control.function_code: 4
+ dnp3.control.pri: true
+ dnp3.dst: 3
+ dnp3.src: 2
+ dnp3.type: response
+ event_type: dnp3
+ pcap_cnt: 7
+ proto: TCP
+ src_ip: 130.126.142.250
+ src_port: 49404
+- filter:
+ count: 1
+ match:
+ dest_ip: 130.126.140.229
+ dest_port: 20000
+ dnp3.application.complete: true
+ dnp3.application.control.con: false
+ dnp3.application.control.fin: true
+ dnp3.application.control.fir: true
+ dnp3.application.control.sequence: 8
+ dnp3.application.control.uns: false
+ dnp3.application.function_code: 4
+ dnp3.application.objects[0].count: 1
+ dnp3.application.objects[0].group: 12
+ dnp3.application.objects[0].points[0].count: 1
+ dnp3.application.objects[0].points[0].cr: 0
+ dnp3.application.objects[0].points[0].index: 1
+ dnp3.application.objects[0].points[0].offtime: 100
+ dnp3.application.objects[0].points[0].ontime: 100
+ dnp3.application.objects[0].points[0].op_type: 3
+ dnp3.application.objects[0].points[0].prefix: 1
+ dnp3.application.objects[0].points[0].qu: 0
+ dnp3.application.objects[0].points[0].reserved: 0
+ dnp3.application.objects[0].points[0].status_code: 0
+ dnp3.application.objects[0].points[0].tcc: 0
+ dnp3.application.objects[0].prefix_code: 2
+ dnp3.application.objects[0].qualifier: 40
+ dnp3.application.objects[0].range_code: 8
+ dnp3.application.objects[0].start: 0
+ dnp3.application.objects[0].stop: 0
+ dnp3.application.objects[0].variation: 1
+ dnp3.control.dir: true
+ dnp3.control.fcb: false
+ dnp3.control.fcv: false
+ dnp3.control.function_code: 4
+ dnp3.control.pri: true
+ dnp3.dst: 2
+ dnp3.src: 3
+ dnp3.type: request
+ event_type: dnp3
+ pcap_cnt: 8
+ proto: TCP
+ src_ip: 130.126.142.250
+ src_port: 49404
+- filter:
+ count: 1
+ match:
+ dest_ip: 130.126.140.229
+ dest_port: 20000
+ dnp3.application.complete: true
+ dnp3.application.control.con: false
+ dnp3.application.control.fin: true
+ dnp3.application.control.fir: true
+ dnp3.application.control.sequence: 8
+ dnp3.application.control.uns: false
+ dnp3.application.function_code: 129
+ dnp3.application.objects[0].count: 1
+ dnp3.application.objects[0].group: 12
+ dnp3.application.objects[0].points[0].count: 1
+ dnp3.application.objects[0].points[0].cr: 0
+ dnp3.application.objects[0].points[0].index: 1
+ dnp3.application.objects[0].points[0].offtime: 100
+ dnp3.application.objects[0].points[0].ontime: 100
+ dnp3.application.objects[0].points[0].op_type: 3
+ dnp3.application.objects[0].points[0].prefix: 1
+ dnp3.application.objects[0].points[0].qu: 0
+ dnp3.application.objects[0].points[0].reserved: 0
+ dnp3.application.objects[0].points[0].status_code: 0
+ dnp3.application.objects[0].points[0].tcc: 0
+ dnp3.application.objects[0].prefix_code: 2
+ dnp3.application.objects[0].qualifier: 40
+ dnp3.application.objects[0].range_code: 8
+ dnp3.application.objects[0].start: 0
+ dnp3.application.objects[0].stop: 0
+ dnp3.application.objects[0].variation: 1
+ dnp3.control.dir: false
+ dnp3.control.fcb: false
+ dnp3.control.fcv: false
+ dnp3.control.function_code: 4
+ dnp3.control.pri: true
+ dnp3.dst: 3
+ dnp3.src: 2
+ dnp3.type: response
+ event_type: dnp3
+ pcap_cnt: 12
+ proto: TCP
+ src_ip: 130.126.142.250
+ src_port: 49404
+- filter:
+ count: 1
+ match:
+ app_proto: dnp3
+ dest_ip: 130.126.140.229
+ dest_port: 20000
+ event_type: flow
+ flow.age: 8
+ flow.alerted: false
+ flow.bytes_toclient: 464
+ flow.bytes_toserver: 424
+ flow.pkts_toclient: 7
+ flow.pkts_toserver: 6
+ flow.reason: shutdown
+ flow.state: closed
+ proto: TCP
+ src_ip: 130.126.142.250
+ src_port: 49404
+ tcp.ack: true
+ tcp.fin: true
+ tcp.psh: true
+ tcp.state: closed
+ tcp.syn: true
+ tcp.tcp_flags: 1b
+ tcp.tcp_flags_tc: 1b
+ tcp.tcp_flags_ts: 1b
diff --git a/tests/dnp3-write/README.md b/tests/dnp3-write/README.md
new file mode 100644
index 000000000..d09a35d10
--- /dev/null
+++ b/tests/dnp3-write/README.md
@@ -0,0 +1,4 @@
+PCAP
+====
+
+PCAP from https://github.com/bro/bro/tree/master/testing/btest/Traces/dnp3
diff --git a/tests/dnp3-write/input.pcap b/tests/dnp3-write/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..f1fd3ec764e42d5a35a62f76505d22cee226cec6
GIT binary patch literal 808 zc-p&ic+)~A1{MYw`2U}Qfe}d8`G4|jXyj#Z0v?*R*-zn#(bh(g;sz!KhSo#|1|}BPEsV^}OpJ^yOdu2Gnh+*J z%z~H;HL($FVj9Rakg0wO2bmXi9aaLG+SDMVz@Ru6ZXyTF#4A7(ZGfiPU~{8}ivZZf z$7pVB0-CBEAmE_s8HD z=49MIz+}Y8&e*&(Cc=dA^QC&A@ph$*3}!%+&9Hf1!=(*ud@h>jm4Q~w4iI2uXbcAi zE6|jQTX`8ku6D;}ilxgWuqgppO_5+^_-YMuB$o>_0~14V)0G3j*b+MjGWOOsyy2(; zHuf}{-)94jHVF`PP;pX(g(JwUk3h5Vcyuz@tOPVCngGq41NJCTQ4`RVdAsnMvKXsJ kA*KidO>u#kvS&A5e>sCq*?{J+IY5(4f$2lVNde|B059+IZU6uP literal 0 Hc-jL100001
diff --git a/tests/dnp3-write/suricata.yaml b/tests/dnp3-write/suricata.yaml
new file mode 100644
index 000000000..6000e1e87
--- /dev/null
+++ b/tests/dnp3-write/suricata.yaml
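Review bot: The accompanying suricata.yaml enables the `anomaly` EVE type, but none of the filters in this test.yaml (nor in tests/dnp3-write/test.yaml) asserts that zero anomaly records were produced, so a parser regression that emits an app-layer anomaly for these SELECT/OPERATE exchanges would still pass as long as the expected dnp3 and flow records appear. A one-line filter such as `- filter: {count: 0, match: {event_type: anomaly}}` (flow style, which the YAML loader reads as the same mapping the block-style filters use) would pin that down. Separately, the two test.yaml files spell the version requirement differently — `min-version: 5` here versus `min-version: 5.0.0` in tests/dnp3-write/test.yaml, with the `requires` keys in a different order — and they should agree on one form.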
@@ -0,0 +1,25 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ # enable/disable the community id feature.
+ community-id: true
+ # Seed value for the ID output. Valid values are 0-65535.
+ community-id-seed: 0
+
+ types:
+ - alert
+ - anomaly
+ - dnp3
+ - flow
+
+app-layer:
+ protocols:
+ dnp3:
+ enabled: yes
+ detection-ports:
+ dp: 20000
diff --git a/tests/dnp3-write/test.yaml b/tests/dnp3-write/test.yaml
new file mode 100644
index 000000000..d6413fe33
--- /dev/null
+++ b/tests/dnp3-write/test.yaml
@@ -0,0 +1,96 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ min-version: 5.0.0
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ dest_ip: 130.126.140.229
+ dest_port: 20000
+ dnp3.application.complete: true
+ dnp3.application.control.con: false
+ dnp3.application.control.fin: true
+ dnp3.application.control.fir: true
+ dnp3.application.control.sequence: 0
+ dnp3.application.control.uns: false
+ dnp3.application.function_code: 2
+ dnp3.application.objects[0].count: 1
+ dnp3.application.objects[0].group: 50
+ dnp3.application.objects[0].points[0].index: 0
+ dnp3.application.objects[0].points[0].prefix: 0
+ dnp3.application.objects[0].points[0].timestamp: 1324332393859
+ dnp3.application.objects[0].prefix_code: 0
+ dnp3.application.objects[0].qualifier: 7
+ dnp3.application.objects[0].range_code: 7
+ dnp3.application.objects[0].start: 0
+ dnp3.application.objects[0].stop: 0
+ dnp3.application.objects[0].variation: 1
+ dnp3.control.dir: true
+ dnp3.control.fcb: false
+ dnp3.control.fcv: false
+ dnp3.control.function_code: 4
+ dnp3.control.pri: true
+ dnp3.dst: 2
+ dnp3.src: 3
+ dnp3.type: request
+ event_type: dnp3
+ pcap_cnt: 5
+ proto: TCP
+ src_ip: 130.126.142.250
+ src_port: 49411
+- filter:
+ count: 1
+ match:
+ dest_ip: 130.126.140.229
+ dest_port: 20000
+ dnp3.application.complete: true
+ dnp3.application.control.con: false
+ dnp3.application.control.fin: true
+ dnp3.application.control.fir: true
+ dnp3.application.control.sequence: 0
+ dnp3.application.control.uns: false
+ dnp3.application.function_code: 129
+ dnp3.control.dir: false
+ dnp3.control.fcb: false
+ dnp3.control.fcv: false
+ dnp3.control.function_code: 4
+ dnp3.control.pri: true
+ dnp3.dst: 3
+ dnp3.src: 2
+ dnp3.type: response
+ event_type: dnp3
+ pcap_cnt: 9
+ proto: TCP
+ src_ip: 130.126.142.250
+ src_port: 49411
+- filter:
+ count: 1
+ match:
+ app_proto: dnp3
+ dest_ip: 130.126.140.229
+ dest_port: 20000
+ event_type: flow
+ flow.age: 4
+ flow.alerted: false
+ flow.bytes_toclient: 299
+ flow.bytes_toserver: 325
+ flow.pkts_toclient: 5
+ flow.pkts_toserver: 5
+ flow.reason: shutdown
+ flow.state: closed
+ proto: TCP
+ src_ip: 130.126.142.250
+ src_port: 49411
+ tcp.ack: true
+ tcp.fin: true
+ tcp.psh: true
+ tcp.state: closed
+ tcp.syn: true
+ tcp.tcp_flags: 1b
+ tcp.tcp_flags_tc: 1b
+ tcp.tcp_flags_ts: 1b
-- 2.47.2