2 changes: 1 addition & 1 deletion tests/enip-alert/test.yaml
Expand Up @@ -3,7 +3,7 @@ requires:

# disables checksum verification
args:
- -k none --set stream.midstream=true --set app-layer.protocols.enip.enabled=yes
- -k none --set app-layer.protocols.enip.enabled=yes

checks:
- filter:
11 changes: 10 additions & 1 deletion tests/enip-keywords/test.yaml
Expand Up @@ -2,15 +2,24 @@ requires:
min-version: 7

# disables checksum verification
# use stream inline to match Wireshark as last packet does not get acked
args:
- -k none --set stream.midstream=true --set app-layer.protocols.enip.enabled=yes
- -k none --set stream.inline=true --set stream.midstream=true --set app-layer.protocols.enip.enabled=yes

checks:
- filter:
lt-version: 8
count: 41
match:
event_type: alert
alert.signature_id: 1
- filter:
# version 8 also works on responses
min-version: 8
count: 81
match:
event_type: alert
alert.signature_id: 1
- filter:
count: 267
match:
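Review bot: The new comment `# use stream inline to match Wireshark as last packet does not get acked` does not say what `stream.inline=true` actually changes for this test, yet both version-gated alert counts below it (41 before version 8, 81 from version 8) depend on that setting. As I understand it, in the default IDS mode reassembled data reaches the app layer only once the peer ACKs it, so the final request in the capture would never be inspected without inline mode and the counts would shift; a maintainer adjusting them later needs that context. I would expand the comment to `# stream.inline=true inspects reassembled data before it is ACKed; the last packet` / `# in the pcap is never ACKed, so without it that request is not matched and the` / `# alert counts below (41 / 81) change`. The checks list continues past the end of this hunk.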
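--- a/tests/enip-log/README.md
+++ b/tests/enip-log/README.md
@@ -0,0 +1,8 @@
+# Description
+
+Test ENIP logging
+And enip_command keyword with enumeration string
+
+# PCAP
+
+The pcap comes from https://redmine.openinfosecfoundation.org/issues/3886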
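--- a/tests/enip-log/suricata.yaml
+++ b/tests/enip-log/suricata.yaml
@@ -0,0 +1,19 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+      filename: eve.json
+
+      types:
+        - alert
+        - anomaly
+        - enip
+        - flow
+
+app-layer:
+  protocols:
+    enip:
+      enabled: yes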
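--- a/tests/enip-log/test.rules
+++ b/tests/enip-log/test.rules
@@ -0,0 +1 @@
+alert enip any any -> any any (msg:"SURICATA enip test command string";enip_command:ListIdentity ; sid:1;)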
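Review bot: The keyword value in the new rule is written `enip_command:ListIdentity ;`, with a space before the terminating semicolon while the rest of the options use the plain `key:value;` form; it should still parse, but it reads as a typo and is the kind of thing a rule linter flags. I would write the line as `alert enip any any -> any any (msg:"SURICATA enip test command string"; enip_command:ListIdentity; sid:1;)`. Since the sibling test.yaml pins the number of times this one signature fires, adding `rev:1;` would also let a later count change be tied to a rule revision.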
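--- a/tests/enip-log/test.yaml
+++ b/tests/enip-log/test.yaml
@@ -0,0 +1,21 @@
+requires:
+  min-version: 8
+
+pcap: ../enip-alert/enip_test1.pcap
+
+# disables checksum verification
+args:
+  - -k none
+
+checks:
+  - filter:
+      count: 2
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 1
+      match:
+        event_type: enip
+        enip.request.command: ListIdentity
+        enip.response.status: Success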
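Review bot: The last check pins exactly one enip record whose request is ListIdentity with a Success response, but nothing in the file asserts how many `event_type: enip` records the pcap produces in total, so an extra or missing ENIP transaction (for example a request logged without its response) would pass unnoticed as long as this one record is present. I would add an unconditional count for the event type, `- filter:` / `count: N` / `match:` / `event_type: enip`, with N taken from the current eve output, so the logger's transaction handling is actually pinned. The `# disables checksum verification` comment explains `-k none`, but it is worth a second line noting that the parser is enabled via this directory's suricata.yaml rather than a `--set app-layer.protocols.enip.enabled=yes` in args, since the two sibling tests do it the other way and someone is likely to "fix" the difference.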