Enip rust 3958 v6#9940

Closed
catenacyber wants to merge 3 commits intoOISF:masterfrom
catenacyber:enip-rust-3958-v6

Conversation

@catenacyber
Contributor

Link to redmine ticket:
https://redmine.openinfosecfoundation.org/issues/3958

Describe changes:

  • convert enip parser to rust
  • integer keywords now support hexadecimal notation

Along the way, also

  • enip_command keyword accepts now string enumeration as values.
  • transactions are now bidirectional
  • there is an enip logger
  • gap support is improved with probing for resync
  • SEQUENCE_ADDR_ITEM value is fixed to 0x8002 instead of 0xB002
  • frames
  • events

#9937 +

  • new keywords: enip.capabilities, enip.cip_attribute, enip.cip_class, enip.cip_instance, enip.cip_status, enip.cip_extendedstatus
  • frames for enip items
  • frames for TCP
  • also take first attribute in set attribute list

This is complete but missing S-V tests

Provide values to any of the below to override the defaults.

SV_BRANCH=pr/1485

OISF/suricata-verify#1485

So that we can write enip.revision: 0x203
Ticket: 3958

- enip_command keyword accepts now string enumeration as values.
- transactions are now bidirectional
- there is a logger
- gap support is improved with probing for resync
- SEQUENCE_ADDR_ITEM value is fixed to 0x8002 instead of 0xB002
- frames support
- app-layer events
- add enip.status keyword
- add identity keywords:
    enip.product_name, enip.protocol_version, enip.revision,
    enip.identity_status, enip.state, enip.serial, enip.product_code,
    enip.device_type, enip.vendor_id, enip.capabilities,
    enip.cip_attribute, enip.cip_class, enip.cip_instance,
    enip.cip_status, enip.cip_extendedstatus
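The hexadecimal-notation change above ("so that we can write enip.revision: 0x203") is the kind of thing that is easy to get subtly wrong at rule-load time. As an added illustration that is not code from this PR or from Suricata, the following stand-alone Rust parser accepts an integer keyword value in decimal or `0x` hexadecimal form, with optional `<` / `>` comparison prefixes; the type and function names and the set of supported modes are assumptions for the example, not Suricata's own API.

```rust
// Added example, not Suricata code: parse an integer keyword value such as
// "0x203", "515", ">0x10" or "<100" into a comparison that can be evaluated
// against a value observed on the wire. Names and modes are assumptions.

#[derive(Debug, PartialEq, Clone, Copy)]
pub enum UintMode {
    Equal,
    Less,
    Greater,
}

#[derive(Debug, PartialEq)]
pub struct UintMatch {
    pub mode: UintMode,
    pub value: u32,
}

/// Parse a single integer literal in decimal ("515") or hexadecimal ("0x203").
/// Empty hex bodies, stray characters and overflow are rejected so that a
/// malformed rule fails to load instead of silently matching nothing.
pub fn parse_uint_literal(s: &str) -> Result<u32, String> {
    let s = s.trim();
    if let Some(hex) = s.strip_prefix("0x").or_else(|| s.strip_prefix("0X")) {
        if hex.is_empty() {
            return Err(format!("empty hex literal: {:?}", s));
        }
        u32::from_str_radix(hex, 16).map_err(|e| format!("bad hex {:?}: {}", s, e))
    } else {
        s.parse::<u32>()
            .map_err(|e| format!("bad decimal {:?}: {}", s, e))
    }
}

/// Parse a keyword value with an optional comparison prefix.
pub fn parse_uint_match(s: &str) -> Result<UintMatch, String> {
    let s = s.trim();
    let (mode, rest) = if let Some(r) = s.strip_prefix('>') {
        (UintMode::Greater, r)
    } else if let Some(r) = s.strip_prefix('<') {
        (UintMode::Less, r)
    } else {
        (UintMode::Equal, s)
    };
    let value = parse_uint_literal(rest)?;
    Ok(UintMatch { mode, value })
}

impl UintMatch {
    /// Evaluate the parsed comparison against an observed protocol field.
    pub fn matches(&self, observed: u32) -> bool {
        match self.mode {
            UintMode::Equal => observed == self.value,
            UintMode::Less => observed < self.value,
            UintMode::Greater => observed > self.value,
        }
    }
}

fn main() {
    // "0x203" is 515 in decimal; both spellings describe the same revision.
    let m = parse_uint_match("0x203").unwrap();
    println!("0x203 -> {} (decimal), matches 515: {}", m.value, m.matches(515));
}
```

The point worth checking in review of any such change is the rejection path: "0x" with no digits and non-hex characters must be load-time errors, and a hex value that overflows the field width must not wrap around.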
@victorjulien victorjulien removed the request for review from a team December 1, 2023 16:27
@codecov

codecov bot commented Dec 1, 2023

Codecov Report

Merging #9940 (e41bb20) into master (9c3ab36) will decrease coverage by 0.68%.
The diff coverage is 36.08%.

Additional details and impacted files
@@            Coverage Diff             @@
##           master    #9940      +/-   ##
==========================================
- Coverage   82.35%   81.67%   -0.68%     
==========================================
  Files         972      991      +19     
  Lines      273060   275471    +2411     
==========================================
+ Hits       224870   224989     +119     
- Misses      48190    50482    +2292     
Flag             Coverage Δ
fuzzcorpus       63.20% <33.73%> (-0.95%) ⬇️
suricata-verify  60.34% <30.64%> (-0.76%) ⬇️
unittests        62.39% <11.98%> (-0.53%) ⬇️

Flags with carried forward coverage won't be shown.

@suricata-qa

Information: QA ran without warnings.

Pipeline 16843

@catenacyber
Contributor Author

Replaced by #9991

@catenacyber catenacyber closed this Dec 7, 2023