diff --git a/tests/bug-4903/bug-4903-01/test.yaml b/tests/bug-4903/bug-4903-01/test.yaml
index 61ef84932..0c0b4e3f2 100644
--- a/tests/bug-4903/bug-4903-01/test.yaml
+++ b/tests/bug-4903/bug-4903-01/test.yaml
@@ -54,12 +54,8 @@ checks:
 - filter:
 count: 1
 match:
- dest_ip: 192.168.200.1
- dest_port: 22
 event_type: ssh
 proto: TCP
- src_ip: 192.168.100.1
- src_port: 10000
 ssh.server.proto_version: '1.99'
 ssh.server.software_version: Cisco_server-1.24
 - filter:
diff --git a/tests/bug-4903/bug-4903-02/test.yaml b/tests/bug-4903/bug-4903-02/test.yaml
index 562558f25..56e891d7f 100644
--- a/tests/bug-4903/bug-4903-02/test.yaml
+++ b/tests/bug-4903/bug-4903-02/test.yaml
@@ -54,12 +54,8 @@ checks:
 - filter:
 count: 1
 match:
- dest_ip: 192.168.200.1
- dest_port: 22
 event_type: ssh
 proto: TCP
- src_ip: 192.168.100.1
- src_port: 10001
 ssh.server.proto_version: '1.99'
 ssh.server.software_version: Cisco_server-1.24
 - filter:
diff --git a/tests/bug-4903/bug-4903-04/test.yaml b/tests/bug-4903/bug-4903-04/test.yaml
index 4ef142345..6d3b4cc35 100644
--- a/tests/bug-4903/bug-4903-04/test.yaml
+++ b/tests/bug-4903/bug-4903-04/test.yaml
@@ -60,13 +60,9 @@ checks:
 - filter:
 count: 1
 match:
- dest_ip: 192.168.200.1
- dest_port: 22
 event_type: ssh
 pcap_cnt: 6
 proto: TCP
- src_ip: 192.168.100.1
- src_port: 10003
 ssh.client.proto_version: '2.0'
 ssh.client.software_version: Cisco_client-1.25
 ssh.server.proto_version: '1.99'
diff --git a/tests/enip-alert/test.yaml b/tests/enip-alert/test.yaml
index cdf4f19d3..84c37e639 100644
--- a/tests/enip-alert/test.yaml
+++ b/tests/enip-alert/test.yaml
@@ -3,7 +3,7 @@ requires:
 # disables checksum verification
 args:
-- -k none --set stream.midstream=true --set app-layer.protocols.enip.enabled=yes
+- -k none --set app-layer.protocols.enip.enabled=yes
 checks:
 - filter:
diff --git a/tests/enip-frames/README.md b/tests/enip-frames/README.md
new file mode 100644
index 000000000..d3bd0b5e0
--- /dev/null
+++ b/tests/enip-frames/README.md
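Review bot: Dropping dest_ip, dest_port, src_ip and src_port from the `match:` block leaves the `count: 1` ssh check keyed only on event_type, proto and the server version strings, so it no longer verifies which endpoint Suricata attributed the server role to; the same edit is repeated in bug-4903-02 and bug-4903-04, and nothing in this diff says why. If the motivation is that the 5-tuple is now reported in the other direction, keeping the swapped addresses in the match would be the stronger check; otherwise a `pcap_cnt:` anchor, as bug-4903-04 already carries, or a one-line comment such as `# 5-tuple intentionally not matched: <reason>` above `match:` would keep the intent from being lost. These hunks are unrelated to the ENIP tests in the rest of the commit, so the reason belongs in the description as well.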
@@ -0,0 +1,11 @@
+# Description
+
+Test ENIP frames
+
+# Related issue
+
+https://redmine.openinfosecfoundation.org/issues/3958
+
+# PCAP
+
+The pcap is reused from enip-keywords test
diff --git a/tests/enip-frames/suricata.yaml b/tests/enip-frames/suricata.yaml
new file mode 100644
index 000000000..f6c0fe603
--- /dev/null
+++ b/tests/enip-frames/suricata.yaml
@@ -0,0 +1,23 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+
+ types:
+ - alert
+ - anomaly
+ - enip
+ - flow
+
+app-layer:
+ protocols:
+ enip:
+ enabled: yes
+
+stream:
+ inline: true
+ midstream: true
diff --git a/tests/enip-frames/test.rules b/tests/enip-frames/test.rules
new file mode 100644
index 000000000..e0aa803b8
--- /dev/null
+++ b/tests/enip-frames/test.rules
@@ -0,0 +1,4 @@
+alert enip any any -> any any (msg:"enip header frame"; frame:enip.enip.header; content:"|63 00 33 00|"; sid:1;)
+alert enip any any -> any any (msg:"enip payload frame"; frame:enip.enip.payload; content:"|00 00 00 00 01 00 02 00|"; sid:2;)
+alert enip any any -> any any (msg:"header frame"; frame:enip.cip; content:"|03 02 20 8b 24 01 01 00 06 00|"; bsize: 10; sid:3;)
+alert enip any any -> any any (msg:"enip item frame"; frame:enip.enip.item; content:"|0c 00 2d 00|"; sid:4;)
diff --git a/tests/enip-frames/test.yaml b/tests/enip-frames/test.yaml
new file mode 100644
index 000000000..50fe68664
--- /dev/null
+++ b/tests/enip-frames/test.yaml
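Review bot: The new `stream:` section switches on `inline: true` and `midstream: true` with no comment, while the enip-keywords test.yaml hunk in this same commit explains the inline flag as needed because the last packet is never ACKed. Inline mode changes when Suricata inspects TCP data (before acknowledgement rather than after), so the alert counts expected by this test's checks depend on it, and a future cleanup that drops the flag will fail the test for a non-obvious reason. Suggest a comment above `inline: true` such as `# inline: inspect the final unacked ENIP segment (see enip-keywords test); midstream: <confirm against the pcap whether the capture starts mid-session>`. The identical file is added again under enip-keywords-suricata8, so the comment belongs in both copies.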
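Review bot: The msg of sid:3 is `"header frame"` although the rule matches on `frame:enip.cip`, while sid:1 already uses `"enip header frame"` for `frame:enip.enip.header`; in EVE output the two alerts read as the same thing. Suggest `msg:"enip cip frame"` so all four messages name the frame they test. sid:3 is also the only rule with a size constraint (`bsize: 10`); if the intent is that the CIP frame is exactly the 10-byte request, saying so in the `# cip.rr == 0x00 ...` comment in test.yaml would make the 41-count easier to re-derive.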
@@ -0,0 +1,42 @@
+requires:
+ min-version: 8
+
+pcap: ../enip-keywords/enip_cip_example.pcap
+
+# disables checksum verification
+args:
+- -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ # enip.sud.iface == 0x00000000 && enip.timeout == 1 && enip.cpf.itemcount == 2
+ count: 134
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ - filter:
+ # cip.rr == 0x00 && cip.attribute == 5 && cip.class == 1
+ count: 41
+ match:
+ event_type: alert
+ alert.signature_id: 3
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 4
+ - filter:
+ count: 41
+ match:
+ event_type: enip
+ enip.request.cip.service: "Multiple Service Packet"
+ enip.request.cip.path[0].segment_type: class
+ enip.request.cip.path[0].value: 2
+ enip.request.cip.path[1].segment_type: instance
+ enip.request.cip.path[1].value: 1
+ enip.request.cip.class_name: "Message Router"
diff --git a/tests/enip-keywords-suricata8/README.md b/tests/enip-keywords-suricata8/README.md
new file mode 100644
index 000000000..676d891ab
--- /dev/null
+++ b/tests/enip-keywords-suricata8/README.md
@@ -0,0 +1,11 @@
+# Description
+
+Test ENIP keywords introduced in Suricata 8
+
+# Related issue
+
+https://redmine.openinfosecfoundation.org/issues/3958
+
+# PCAP
+
+The pcap is reused from enip-keywords test
diff --git a/tests/enip-keywords-suricata8/suricata.yaml b/tests/enip-keywords-suricata8/suricata.yaml
new file mode 100644
index 000000000..f6c0fe603
--- /dev/null
+++ b/tests/enip-keywords-suricata8/suricata.yaml
@@ -0,0 +1,23 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+
+ types:
+ - alert
+ - anomaly
+ - enip
+ - flow
+
+app-layer:
+ protocols:
+ enip:
+ enabled: yes
+
+stream:
+ inline: true
+ midstream: true
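Review bot: The filters for sid 1 and sid 4 expect `count: 1` but carry no `pcap_cnt:` or direction key, so a regression that fires the header or item frame rule on a different packet with the same four content bytes would still pass. Suggest adding `pcap_cnt: <n>` (the bug-4903-04 test in this diff uses the same key) to both single-count filters, derived once from the eve.json this commit was validated against. The 134 and 41 counts for sids 2 and 3 are explained by the inline comments, which is good; a similar one-line comment on the final `event_type: enip` filter saying why exactly 41 Multiple Service Packet transactions are expected (presumably the same 41 requests that sid 3 matches, though the diff does not show that) would make the file self-explanatory.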
diff --git a/tests/enip-keywords-suricata8/test.rules b/tests/enip-keywords-suricata8/test.rules
new file mode 100644
index 000000000..f7266c0d6
--- /dev/null
+++ b/tests/enip-keywords-suricata8/test.rules
@@ -0,0 +1,12 @@
+alert enip any any -> any any (msg:"Testing enip status"; enip.status:0 ; sid:4;)
+alert enip any any -> any any (msg:"Testing enip product_name"; enip.product_name; content: "1756-ENBT/A"; sid:5;)
+alert enip any any -> any any (msg:"Testing enip protocol_version"; enip.protocol_version: 1; sid:6;)
+alert enip any any -> any any (msg:"Testing enip revision"; enip.revision: 0x403; sid:7;)
+alert enip any any -> any any (msg:"Testing enip identity_status"; enip.identity_status: 0x30; sid:8;)
+alert enip any any -> any any (msg:"Testing enip state"; enip.state: 3; sid:9;)
+alert enip any any -> any any (msg:"Testing enip serial"; enip.serial: 0x524D8E; sid:10;)
+alert enip any any -> any any (msg:"Testing enip product_code"; enip.product_code: 58; sid:11;)
+alert enip any any -> any any (msg:"Testing enip device_type"; enip.device_type: 12; sid:12;)
+alert enip any any -> any any (msg:"Testing enip vendor_id"; enip.vendor_id: 1; sid:13;)
+alert enip any any -> any any (msg:"Testing cip request"; flow:established,to_server; enip.cip_attribute: 5; enip.cip_class: 1; enip.cip_instance: 1;sid:14;)
+alert enip any any -> any any (msg:"Testing cip response"; enip.cip_status: 0; sid:15;)
diff --git a/tests/enip-keywords-suricata8/test.yaml b/tests/enip-keywords-suricata8/test.yaml
new file mode 100644
index 000000000..8e52532c9
--- /dev/null
+++ b/tests/enip-keywords-suricata8/test.yaml
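Review bot: Keyword spacing is inconsistent across the twelve rules — `enip.status:0 ;` on sid:4 and `enip.cip_instance: 1;sid:14;` on sid:14 against `enip.product_code: 58;` on sid:11 — which the parser tolerates but makes a file whose purpose is to document the new Suricata 8 keywords a poor template. Suggest normalizing to `keyword: value;` throughout, e.g. `enip.status: 0; sid:4;` and `enip.cip_instance: 1; sid:14;`. sid:14 is also the only rule bound to a direction with `flow:established,to_server`; a `#` comment line above it recording why the cip request keywords need it while `enip.cip_status` on sid:15 does not would save the next reader from guessing, assuming that is the reason, which the rules themselves do not show. The hex literals `0x403` and `0x30` would likewise benefit from a comment giving the decoded meaning (the enip-log-identity test in this commit logs a revision as the string "4.3", so presumably major.minor, but confirm).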
@@ -0,0 +1,70 @@
+requires:
+ min-version: 8
+
+pcap: ../enip-keywords/enip_cip_example.pcap
+
+# disables checksum verification
+args:
+- -k none
+
+checks:
+ - filter:
+ count: 269
+ match:
+ event_type: alert
+ alert.signature_id: 4
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 5
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 6
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 7
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 8
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 9
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 10
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 11
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 12
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 13
+ - filter:
+ count: 41
+ match:
+ event_type: alert
+ alert.signature_id: 14
+ - filter:
+ count: 133
+ match:
+ event_type: alert
+ alert.signature_id: 15
diff --git a/tests/enip-keywords/test.yaml b/tests/enip-keywords/test.yaml
index af188cda7..d114df964 100644
--- a/tests/enip-keywords/test.yaml
+++ b/tests/enip-keywords/test.yaml
@@ -2,15 +2,24 @@ requires:
 min-version: 7
 # disables checksum verification
+# use stream inline to match Wireshark as last packet does not get acked
 args:
-- -k none --set stream.midstream=true --set app-layer.protocols.enip.enabled=yes
+- -k none --set stream.inline=true --set stream.midstream=true --set app-layer.protocols.enip.enabled=yes
 checks:
 - filter:
+ lt-version: 8
 count: 41
 match:
 event_type: alert
 alert.signature_id: 1
+ - filter:
+ # version 8 also works on responses
+ min-version: 8
+ count: 81
+ match:
+ event_type: alert
+ alert.signature_id: 1
 - filter:
 count: 267
 match:
diff --git a/tests/enip-log-identity/README.md b/tests/enip-log-identity/README.md
new file mode 100644
index 000000000..2059f843e
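Review bot: The added comment `# use stream inline to match Wireshark as last packet does not get acked` names the symptom but not the mechanism, and a reader who does not know what inline mode does to TCP inspection will not see why it fixes the count. Suggest `# stream.inline=true: inspect segments before they are ACKed; without it the final, never-acked ENIP request is not matched (Wireshark decodes it)`, with the "final request" part confirmed against the pcap. The version-gated pair of filters for sid 1 (41 before Suricata 8, 81 from 8) rests on `# version 8 also works on responses`, but sid 1's rule lives in test.rules outside this diff and nothing here pins the extra 40 alerts to the response direction; if the alert records carry a direction field, a filter keyed on it would turn that remark into a checked assertion rather than an assumption. The `requires: min-version: 7` line at the top of the hunk is unchanged, which is fine because the lt-version/min-version gates handle the split.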
--- /dev/null
+++ b/tests/enip-log-identity/README.md
@@ -0,0 +1,8 @@
+# Description
+
+Test ENIP logging
+And enip_command keyword with enumeration string
+
+# PCAP
+
+The pcap comes from https://redmine.openinfosecfoundation.org/issues/3886
diff --git a/tests/enip-log-identity/suricata.yaml b/tests/enip-log-identity/suricata.yaml
new file mode 100644
index 000000000..8c467785c
--- /dev/null
+++ b/tests/enip-log-identity/suricata.yaml
@@ -0,0 +1,19 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+
+ types:
+ - alert
+ - anomaly
+ - enip
+ - flow
+
+app-layer:
+ protocols:
+ enip:
+ enabled: yes
diff --git a/tests/enip-log-identity/test.rules b/tests/enip-log-identity/test.rules
new file mode 100644
index 000000000..62a9aa1ca
--- /dev/null
+++ b/tests/enip-log-identity/test.rules
@@ -0,0 +1 @@
+alert enip any any -> any any (msg:"SURICATA enip test command string";enip_command:list_identity ; sid:1;)
diff --git a/tests/enip-log-identity/test.yaml b/tests/enip-log-identity/test.yaml
new file mode 100644
index 000000000..c46f9c556
--- /dev/null
+++ b/tests/enip-log-identity/test.yaml
@@ -0,0 +1,27 @@
+requires:
+ min-version: 8
+
+pcap: ../enip-alert/enip_test1.pcap
+
+# disables checksum verification
+args:
+- -k none
+
+checks:
+ - filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ # check enip metadata in alert
+ enip.request.command: ListIdentity
+ - filter:
+ count: 1
+ match:
+ event_type: enip
+ enip.request.command: ListIdentity
+ enip.response.status: Success
+ # quote because this is a string, not a yaml float
+ enip.response.identity.revision: "4.3"
+ enip.response.identity.product_name: "1756-ENBT/A"
+ enip.response.identity.vendor_id: "Rockwell Automation/Allen-Bradley"
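Review bot: The single rule is written as `...command string";enip_command:list_identity ; sid:1;)` — no space after the msg separator and a stray space before the one following the keyword — which reads as a typo rather than a deliberate form. Suggest `msg:"SURICATA enip test command string"; enip_command:list_identity; sid:1;`. Since the README says the point of the test is that the legacy `enip_command` keyword accepts an enumeration string, a comment line above the rule, `# legacy underscore keyword must still accept the enumeration name, not only a numeric command code`, would explain why the old spelling is kept here while the other new tests use the dotted `enip.*` keywords.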
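Review bot: The first filter expects `count: 2` alerts for sid 1, each carrying `enip.request.command: ListIdentity`, while the second expects exactly one enip transaction; with no `flow:` direction on the rule, the two alerts are presumably one per direction of that single transaction, but nothing in the check pins that, so a future change that alerts twice on the request and not at all on the response would still pass. Suggest adding `pcap_cnt:` to the alert filter (splitting it into two `count: 1` filters), or a direction key if the alert records carry one, so the count is tied to specific packets. The comment `# check enip metadata in alert` would then also be more useful as `# alert carries the request-side enip metadata in both directions` or whatever the eve.json actually shows. The `# quote because this is a string, not a yaml float` comment on the revision line is exactly the kind of note the rest of this commit's YAML would benefit from.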