]> git.ipfire.org Git - thirdparty/suricata-verify.git/commitdiff
projects / thirdparty / suricata-verify.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 57e6f9a)
new test: dnp3_data; skipped for now
authorJason Ish <ish@unx.ca>
Wed, 26 Oct 2016 20:31:00 +0000 (14:31 -0600)
committerJason Ish <ish@unx.ca>
Wed, 26 Oct 2016 20:31:00 +0000 (14:31 -0600)
dnp3-dnp3_data-alert/README.md [new file with mode: 0644] patch | blob
dnp3-dnp3_data-alert/expected/eve.json [new file with mode: 0644] patch | blob
dnp3-dnp3_data-alert/input.pcap [new file with mode: 0644] patch | blob
dnp3-dnp3_data-alert/skip [new file with mode: 0644] patch | blob
dnp3-dnp3_data-alert/suricata.yaml [new file with mode: 0644] patch | blob
dnp3-dnp3_data-alert/test.rules [new file with mode: 0644] patch | blob

diff --git a/dnp3-dnp3_data-alert/README.md b/dnp3-dnp3_data-alert/README.md
new file mode 100644 (file)
index 0000000..4d3199a
--- /dev/null
+++ b/dnp3-dnp3_data-alert/README.md
@@ -0,0 +1,8 @@
+# Description
+
+Test dnp3_func rule keyword.
+
+# PCAP
+
+The pcap comes from running the master-demo and outstation-demo from
+the OpenDNP3 project.
diff --git a/dnp3-dnp3_data-alert/expected/eve.json b/dnp3-dnp3_data-alert/expected/eve.json
new file mode 100644 (file)
index 0000000..4fd640f
--- /dev/null
+++ b/dnp3-dnp3_data-alert/expected/eve.json
@@ -0,0 +1,4 @@
+{"timestamp":"2015-07-14T11:46:10.214640-0600","flow_id":634711522427892,"pcap_cnt":64,"event_type":"alert","src_ip":"127.0.0.1","src_port":20000,"dest_ip":"127.0.0.1","dest_port":59602,"proto":"TCP","tx_id":16,"alert":{"action":"allowed","gid":1,"signature_id":4,"rev":1,"signature":"DNP3 Data match","category":"","severity":3},"dnp3":{"request":{"type":"request","control":{"dir":true,"pri":true,"fcb":false,"fcv":false,"function_code":4},"src":1,"dst":10,"application":{"control":{"fir":true,"fin":true,"con":false,"uns":false,"sequence":0},"function_code":21,"objects":[{"group":60,"variation":2,"qualifier":6,"prefix_code":0,"range_code":6,"start":0,"stop":0,"count":0},{"group":60,"variation":3,"qualifier":6,"prefix_code":0,"range_code":6,"start":0,"stop":0,"count":0},{"group":60,"variation":4,"qualifier":6,"prefix_code":0,"range_code":6,"start":0,"stop":0,"count":0}],"complete":true}},"response":{"type":"response","control":{"dir":false,"pri":true,"fcb":false,"fcv":false,"function_code":4},"src":10,"dst":1,"application":{"control":{"fir":true,"fin":true,"con":false,"uns":false,"sequence":0},"function_code":129,"objects":[],"complete":true},"iin":{"indicators":["device_restart"]}}},"payload":"BWQKRAEACgBuJcDwgoAAa30FZApEAQAKAG4lwcCBgAC10AVkCkQBAAoAbiXCwYEAAHhsBWT\/RAEACgBa60PCgQAAAQIAAAkCAgICAgJARgICAgIDAgAACQICAgICAgJw2gICAhQBAAAJAgAAAAACAADjCwAAAgAAAAACAAAAAAIAAABNugACAAAAAAIAAAAAAgAAAAB+rgIAAAAAAgAAAAAVAQAACQLTQgAAAAACAAAAAAIAAAAAAgBpzgAAAAIAAAAAAgAAAAACAADdXgAAAgAAAAACAAAAAAIAAABNugAeBQAAAAIAAAAAHgEAAQlB6QIAAAAAAgAAAAACAAAAAALwAwAAAAACAAAAAAIAAAAAAgBpzgAAAAIAAAAAAgAAAAAKAgD4iAAJAgICAgICAgICAigBAAAsagkCAAAAAAIAAAAAAgAAAABgFQIAAAAAAgAAAABOcgVkH0QBAAoAJqWEAgAAAAACAAAAAAIAAAAAO+ICAAAAAAIAAAAATnIFZApEAQAKAG4lxcOBAADDTQVkCkQBAAoAbiXGxIEAAKP+BWQKRAEACgBuJcfFgQAATR8FZBZEAQAKAB2KyPGCAAAWASgBAAAAAQAAABWrAP\/\/BWQKRAEACgBuJcnGgQAAUYoFZApEAQAKAG4lyseBAACzLQVkCkQBAAoAbiXLyIEAAPAtBWQWRAEACgAdiszyggAAFgEoAQAAAAEBAADMewD\/\/wVkCkQBAAoAbiXNyYEAAAwlBWQWRAEACgAdis7zggAAFgEoAQAAAAECAAAEpAD\/\/wVkCkQBAAoAbiXPyoEAAEFpBWQWRAEACgAditD0ggAAFgEoAQAAAAEDAAATTAD\/\/wVkEkQBAAoAc8fR9YIAAAIBKAEAAAAB1zM=","stream":1,"packet":"AAAAAAAAAAAAAAAACABFAAA0XrBAAEAG3hF\/AAABfwAAAU4g6NIGUGtA2MG3koAQAVb+KAAAAQEIChjKbJ8Yymyf","packet_info":{"linktype":1}}
+{"timestamp":"2015-07-14T11:46:11.685971-0600","flow_id":634711522427892,"pcap_cnt":72,"event_type":"alert","src_ip":"127.0.0.1","src_port":20000,"dest_ip":"127.0.0.1","dest_port":59602,"proto":"TCP","tx_id":18,"alert":{"action":"allowed","gid":1,"signature_id":4,"rev":1,"signature":"DNP3 Data match","category":"","severity":3},"dnp3":{"request":{"type":"request","control":{"dir":true,"pri":true,"fcb":false,"fcv":false,"function_code":4},"src":1,"dst":10,"application":{"control":{"fir":true,"fin":true,"con":false,"uns":false,"sequence":0},"function_code":21,"objects":[{"group":60,"variation":2,"qualifier":6,"prefix_code":0,"range_code":6,"start":0,"stop":0,"count":0},{"group":60,"variation":3,"qualifier":6,"prefix_code":0,"range_code":6,"start":0,"stop":0,"count":0},{"group":60,"variation":4,"qualifier":6,"prefix_code":0,"range_code":6,"start":0,"stop":0,"count":0}],"complete":true}},"response":{"type":"response","control":{"dir":false,"pri":true,"fcb":false,"fcv":false,"function_code":4},"src":10,"dst":1,"application":{"control":{"fir":true,"fin":true,"con":false,"uns":false,"sequence":0},"function_code":129,"objects":[],"complete":true},"iin":{"indicators":["device_restart"]}}},"payload":"BWQKRAEACgBuJcDwgoAAa30FZApEAQAKAG4lwcCBgAC10AVkCkQBAAoAbiXCwYEAAHhsBWT\/RAEACgBa60PCgQAAAQIAAAkCAgICAgJARgICAgIDAgAACQICAgICAgJw2gICAhQBAAAJAgAAAAACAADjCwAAAgAAAAACAAAAAAIAAABNugACAAAAAAIAAAAAAgAAAAB+rgIAAAAAAgAAAAAVAQAACQLTQgAAAAACAAAAAAIAAAAAAgBpzgAAAAIAAAAAAgAAAAACAADdXgAAAgAAAAACAAAAAAIAAABNugAeBQAAAAIAAAAAHgEAAQlB6QIAAAAAAgAAAAACAAAAAALwAwAAAAACAAAAAAIAAAAAAgBpzgAAAAIAAAAAAgAAAAAKAgD4iAAJAgICAgICAgICAigBAAAsagkCAAAAAAIAAAAAAgAAAABgFQIAAAAAAgAAAABOcgVkH0QBAAoAJqWEAgAAAAACAAAAAAIAAAAAO+ICAAAAAAIAAAAATnIFZApEAQAKAG4lxcOBAADDTQVkCkQBAAoAbiXGxIEAAKP+BWQKRAEACgBuJcfFgQAATR8FZBZEAQAKAB2KyPGCAAAWASgBAAAAAQAAABWrAP\/\/BWQKRAEACgBuJcnGgQAAUYoFZApEAQAKAG4lyseBAACzLQVkCkQBAAoAbiXLyIEAAPAtBWQWRAEACgAdiszyggAAFgEoAQAAAAEBAADMewD\/\/wVkCkQBAAoAbiXNyYEAAAwlBWQWRAEACgAdis7zggAAFgEoAQAAAAECAAAEpAD\/\/wVkCkQBAAoAbiXPyoEAAEFpBWQWRAEACgAditD0ggAAFgEoAQAAAAEDAAATTAD\/\/wVkEkQBAAoAc8fR9YIAAAIBKAEAAAAB1zMFZApEAQAKAG4l0suBAABs+wVkEkQBAAoAc8fT9oIAAAIBKAEAAACBTVM=","stream":1,"packet":"AAAAAAAAAAAAAAAACABFAAA0XrRAAEAG3g1\/AAABfwAAAU4g6NIGUGtq2MG3s4AQAVb+KAAAAQEIChjKcl8YynI3","packet_info":{"linktype":1}}
+{"timestamp":"2015-07-14T11:46:12.685991-0600","flow_id":634711522427892,"pcap_cnt":80,"event_type":"alert","src_ip":"127.0.0.1","src_port":20000,"dest_ip":"127.0.0.1","dest_port":59602,"proto":"TCP","tx_id":20,"alert":{"action":"allowed","gid":1,"signature_id":4,"rev":1,"signature":"DNP3 Data match","category":"","severity":3},"dnp3":{"request":{"type":"request","control":{"dir":true,"pri":true,"fcb":false,"fcv":false,"function_code":4},"src":1,"dst":10,"application":{"control":{"fir":true,"fin":true,"con":false,"uns":false,"sequence":0},"function_code":21,"objects":[{"group":60,"variation":2,"qualifier":6,"prefix_code":0,"range_code":6,"start":0,"stop":0,"count":0},{"group":60,"variation":3,"qualifier":6,"prefix_code":0,"range_code":6,"start":0,"stop":0,"count":0},{"group":60,"variation":4,"qualifier":6,"prefix_code":0,"range_code":6,"start":0,"stop":0,"count":0}],"complete":true}},"response":{"type":"response","control":{"dir":false,"pri":true,"fcb":false,"fcv":false,"function_code":4},"src":10,"dst":1,"application":{"control":{"fir":true,"fin":true,"con":false,"uns":false,"sequence":0},"function_code":129,"objects":[],"complete":true},"iin":{"indicators":["device_restart"]}}},"payload":"BWQKRAEACgBuJcDwgoAAa30FZApEAQAKAG4lwcCBgAC10AVkCkQBAAoAbiXCwYEAAHhsBWT\/RAEACgBa60PCgQAAAQIAAAkCAgICAgJARgICAgIDAgAACQICAgICAgJw2gICAhQBAAAJAgAAAAACAADjCwAAAgAAAAACAAAAAAIAAABNugACAAAAAAIAAAAAAgAAAAB+rgIAAAAAAgAAAAAVAQAACQLTQgAAAAACAAAAAAIAAAAAAgBpzgAAAAIAAAAAAgAAAAACAADdXgAAAgAAAAACAAAAAAIAAABNugAeBQAAAAIAAAAAHgEAAQlB6QIAAAAAAgAAAAACAAAAAALwAwAAAAACAAAAAAIAAAAAAgBpzgAAAAIAAAAAAgAAAAAKAgD4iAAJAgICAgICAgICAigBAAAsagkCAAAAAAIAAAAAAgAAAABgFQIAAAAAAgAAAABOcgVkH0QBAAoAJqWEAgAAAAACAAAAAAIAAAAAO+ICAAAAAAIAAAAATnIFZApEAQAKAG4lxcOBAADDTQVkCkQBAAoAbiXGxIEAAKP+BWQKRAEACgBuJcfFgQAATR8FZBZEAQAKAB2KyPGCAAAWASgBAAAAAQAAABWrAP\/\/BWQKRAEACgBuJcnGgQAAUYoFZApEAQAKAG4lyseBAACzLQVkCkQBAAoAbiXLyIEAAPAtBWQWRAEACgAdiszyggAAFgEoAQAAAAEBAADMewD\/\/wVkCkQBAAoAbiXNyYEAAAwlBWQWRAEACgAdis7zggAAFgEoAQAAAAECAAAEpAD\/\/wVkCkQBAAoAbiXPyoEAAEFpBWQWRAEACgAditD0ggAAFgEoAQAAAAEDAAATTAD\/\/wVkEkQBAAoAc8fR9YIAAAIBKAEAAAAB1zMFZApEAQAKAG4l0suBAABs+wVkEkQBAAoAc8fT9oIAAAIBKAEAAACBTVMFZApEAQAKAG4l1MyBAAAS5wVkEkQBAAoAc8fV94IAAAIBKAEAAAAB9ZY=","stream":1,"packet":"AAAAAAAAAAAAAAAACABFAAA0XrhAAEAG3gl\/AAABfwAAAU4g6NIGUGuU2MG31IAQAVb+KAAAAQEIChjKdkcYynYf","packet_info":{"linktype":1}}
+{"timestamp":"2015-07-14T11:46:13.630138-0600","flow_id":634711522427892,"pcap_cnt":83,"event_type":"alert","src_ip":"127.0.0.1","src_port":20000,"dest_ip":"127.0.0.1","dest_port":59602,"proto":"TCP","tx_id":21,"alert":{"action":"allowed","gid":1,"signature_id":4,"rev":1,"signature":"DNP3 Data match","category":"","severity":3},"dnp3":{"request":{"type":"request","control":{"dir":true,"pri":true,"fcb":false,"fcv":false,"function_code":4},"src":1,"dst":10,"application":{"control":{"fir":true,"fin":true,"con":false,"uns":false,"sequence":0},"function_code":21,"objects":[{"group":60,"variation":2,"qualifier":6,"prefix_code":0,"range_code":6,"start":0,"stop":0,"count":0},{"group":60,"variation":3,"qualifier":6,"prefix_code":0,"range_code":6,"start":0,"stop":0,"count":0},{"group":60,"variation":4,"qualifier":6,"prefix_code":0,"range_code":6,"start":0,"stop":0,"count":0}],"complete":true}},"response":{"type":"response","control":{"dir":false,"pri":true,"fcb":false,"fcv":false,"function_code":4},"src":10,"dst":1,"application":{"control":{"fir":true,"fin":true,"con":false,"uns":false,"sequence":0},"function_code":129,"objects":[],"complete":true},"iin":{"indicators":["device_restart"]}}},"payload":"BWQKRAEACgBuJcDwgoAAa30FZApEAQAKAG4lwcCBgAC10AVkCkQBAAoAbiXCwYEAAHhsBWT\/RAEACgBa60PCgQAAAQIAAAkCAgICAgJARgICAgIDAgAACQICAgICAgJw2gICAhQBAAAJAgAAAAACAADjCwAAAgAAAAACAAAAAAIAAABNugACAAAAAAIAAAAAAgAAAAB+rgIAAAAAAgAAAAAVAQAACQLTQgAAAAACAAAAAAIAAAAAAgBpzgAAAAIAAAAAAgAAAAACAADdXgAAAgAAAAACAAAAAAIAAABNugAeBQAAAAIAAAAAHgEAAQlB6QIAAAAAAgAAAAACAAAAAALwAwAAAAACAAAAAAIAAAAAAgBpzgAAAAIAAAAAAgAAAAAKAgD4iAAJAgICAgICAgICAigBAAAsagkCAAAAAAIAAAAAAgAAAABgFQIAAAAAAgAAAABOcgVkH0QBAAoAJqWEAgAAAAACAAAAAAIAAAAAO+ICAAAAAAIAAAAATnIFZApEAQAKAG4lxcOBAADDTQVkCkQBAAoAbiXGxIEAAKP+BWQKRAEACgBuJcfFgQAATR8FZBZEAQAKAB2KyPGCAAAWASgBAAAAAQAAABWrAP\/\/BWQKRAEACgBuJcnGgQAAUYoFZApEAQAKAG4lyseBAACzLQVkCkQBAAoAbiXLyIEAAPAtBWQWRAEACgAdiszyggAAFgEoAQAAAAEBAADMewD\/\/wVkCkQBAAoAbiXNyYEAAAwlBWQWRAEACgAdis7zggAAFgEoAQAAAAECAAAEpAD\/\/wVkCkQBAAoAbiXPyoEAAEFpBWQWRAEACgAditD0ggAAFgEoAQAAAAEDAAATTAD\/\/wVkEkQBAAoAc8fR9YIAAAIBKAEAAAAB1zMFZApEAQAKAG4l0suBAABs+wVkEkQBAAoAc8fT9oIAAAIBKAEAAACBTVMFZApEAQAKAG4l1MyBAAAS5wVkEkQBAAoAc8fV94IAAAIBKAEAAAAB9ZYFZBJEAQAKAHPH1viCAAACASgBAAAAgW0F","stream":1,"packet":"AAAAAAAAAAAAAAAACABFAAA0XrpAAEAG3gd\/AAABfwAAAU4g6NIGUGut2MG344AQAVb+KAAAAQEIChjKefcYynn3","packet_info":{"linktype":1}}
diff --git a/dnp3-dnp3_data-alert/input.pcap b/dnp3-dnp3_data-alert/input.pcap
new file mode 100644 (file)
index 0000000..87ab344
Binary files /dev/null and b/dnp3-dnp3_data-alert/input.pcap differ
diff --git a/dnp3-dnp3_data-alert/skip b/dnp3-dnp3_data-alert/skip
new file mode 100644 (file)
index 0000000..e69de29
diff --git a/dnp3-dnp3_data-alert/suricata.yaml b/dnp3-dnp3_data-alert/suricata.yaml
new file mode 100644 (file)
index 0000000..68d3756
--- /dev/null
+++ b/dnp3-dnp3_data-alert/suricata.yaml
@@ -0,0 +1,15 @@
+%YAML 1.1
+---
+
+include: ../etc/suricata-3.1.2.yaml
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      filename: eve.json
+      types:
+        - alert:
+            payload: yes
+            packet: yes
+            dnp3: yes
diff --git a/dnp3-dnp3_data-alert/test.rules b/dnp3-dnp3_data-alert/test.rules
new file mode 100644 (file)
index 0000000..e9beeeb
--- /dev/null
+++ b/dnp3-dnp3_data-alert/test.rules
@@ -0,0 +1,5 @@
+# Trivial dnp3_data match rule.
+alert dnp3 any any -> any any (msg:"DNP3 Data match"; \
+      flow:established,to_client; dnp3_data; content:"|02 01 28 01 00|"; \
+      dnp3_func:unsolicited_response; \
+      sid:4; rev:1;)
\ No newline at end of file
Mirror of https://github.com/OISF/suricata-verify.git