Enip rust 3958 v3

tests/bug-4903/bug-4903-01/test.yaml

@@ -54,12 +54,8 @@ checks:
 - filter:
     count: 1
     match:
-      dest_ip: 192.168.200.1
-      dest_port: 22
       event_type: ssh
       proto: TCP
-      src_ip: 192.168.100.1
-      src_port: 10000
       ssh.server.proto_version: '1.99'
       ssh.server.software_version: Cisco_server-1.24
 - filter:

tests/bug-4903/bug-4903-02/test.yaml

@@ -54,12 +54,8 @@ checks:
 - filter:
     count: 1
     match:
-      dest_ip: 192.168.200.1
-      dest_port: 22
       event_type: ssh
       proto: TCP
-      src_ip: 192.168.100.1
-      src_port: 10001
       ssh.server.proto_version: '1.99'
       ssh.server.software_version: Cisco_server-1.24
 - filter:

tests/bug-4903/bug-4903-04/test.yaml

@@ -60,13 +60,9 @@ checks:
 - filter:
     count: 1
     match:
-      dest_ip: 192.168.200.1
-      dest_port: 22
       event_type: ssh
       pcap_cnt: 6
       proto: TCP
-      src_ip: 192.168.100.1
-      src_port: 10003
       ssh.client.proto_version: '2.0'
       ssh.client.software_version: Cisco_client-1.25
       ssh.server.proto_version: '1.99'

tests/enip-alert/test.yaml

@@ -3,7 +3,7 @@ requires:
 
 # disables checksum verification
 args:
-- -k none --set stream.midstream=true --set app-layer.protocols.enip.enabled=yes
+- -k none --set app-layer.protocols.enip.enabled=yes
 
 checks:
   - filter:

tests/enip-frames/README.md

@@ -0,0 +1,11 @@
+# Description
+
+Test ENIP frames
+
+# Related issue
+
+https://redmine.openinfosecfoundation.org/issues/3958
+
+# PCAP
+
+The pcap is reused from enip-keywords test

tests/enip-frames/suricata.yaml

@@ -0,0 +1,23 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+      filename: eve.json
+
+      types:
+        - alert
+        - anomaly
+        - enip
+        - flow
+
+app-layer:
+  protocols:
+    enip:
+      enabled: yes
+
+stream:
+  inline: true
+  midstream: true

tests/enip-frames/test.rules

@@ -0,0 +1,4 @@
+alert enip any any -> any any (msg:"enip header frame"; frame:enip.enip.header; content:"|63 00 33 00|"; sid:1;)
+alert enip any any -> any any (msg:"enip payload frame"; frame:enip.enip.payload; content:"|00 00 00 00 01 00 02 00|"; sid:2;)
+alert enip any any -> any any (msg:"header frame"; frame:enip.cip; content:"|03 02 20 8b 24 01 01 00 06 00|"; bsize: 10; sid:3;)
+alert enip any any -> any any (msg:"enip item frame"; frame:enip.enip.item; content:"|0c 00 2d 00|"; sid:4;)

tests/enip-frames/test.yaml

@@ -0,0 +1,42 @@
+requires:
+  min-version: 8
+
+pcap:  ../enip-keywords/enip_cip_example.pcap
+
+# disables checksum verification
+args:
+- -k none
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      # enip.sud.iface == 0x00000000 && enip.timeout == 1 && enip.cpf.itemcount == 2
+      count: 134
+      match:
+        event_type: alert
+        alert.signature_id: 2
+  - filter:
+      # cip.rr == 0x00 && cip.attribute == 5 && cip.class == 1
+      count: 41
+      match:
+        event_type: alert
+        alert.signature_id: 3
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 4
+  - filter:
+      count: 41
+      match:
+        event_type: enip
+        enip.request.cip.service: "Multiple Service Packet"
+        enip.request.cip.path[0].segment_type: class
+        enip.request.cip.path[0].value: 2
+        enip.request.cip.path[1].segment_type: instance
+        enip.request.cip.path[1].value: 1
+        enip.request.cip.class_name: "Message Router"

tests/enip-keywords-suricata8/README.md

@@ -0,0 +1,11 @@
+# Description
+
+Test ENIP keywords introduced in Suricata 8
+
+# Related issue
+
+https://redmine.openinfosecfoundation.org/issues/3958
+
+# PCAP
+
+The pcap is reused from enip-keywords test

tests/enip-keywords-suricata8/suricata.yaml

@@ -0,0 +1,23 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+      filename: eve.json
+
+      types:
+        - alert
+        - anomaly
+        - enip
+        - flow
+
+app-layer:
+  protocols:
+    enip:
+      enabled: yes
+
+stream:
+  inline: true
+  midstream: true

tests/enip-keywords-suricata8/test.rules

@@ -0,0 +1,12 @@
+alert enip any any -> any any (msg:"Testing enip status";  enip.status:0 ; sid:4;)
+alert enip any any -> any any (msg:"Testing enip product_name"; enip.product_name; content: "1756-ENBT/A"; sid:5;)
+alert enip any any -> any any (msg:"Testing enip protocol_version"; enip.protocol_version: 1; sid:6;)
+alert enip any any -> any any (msg:"Testing enip revision"; enip.revision: 0x403; sid:7;)
+alert enip any any -> any any (msg:"Testing enip identity_status"; enip.identity_status: 0x30; sid:8;)
+alert enip any any -> any any (msg:"Testing enip state"; enip.state: 3; sid:9;)
+alert enip any any -> any any (msg:"Testing enip serial"; enip.serial: 0x524D8E; sid:10;)
+alert enip any any -> any any (msg:"Testing enip product_code"; enip.product_code: 58; sid:11;)
+alert enip any any -> any any (msg:"Testing enip device_type"; enip.device_type: 12; sid:12;)
+alert enip any any -> any any (msg:"Testing enip vendor_id"; enip.vendor_id: 1; sid:13;)
+alert enip any any -> any any (msg:"Testing cip request";  flow:established,to_server; enip.cip_attribute: 5; enip.cip_class: 1; enip.cip_instance: 1;sid:14;)
+alert enip any any -> any any (msg:"Testing cip response"; enip.cip_status: 0; sid:15;)

tests/enip-keywords-suricata8/test.yaml

@@ -0,0 +1,70 @@
+requires:
+  min-version: 8
+
+pcap:  ../enip-keywords/enip_cip_example.pcap
+
+# disables checksum verification
+args:
+- -k none
+
+checks:
+  - filter:
+      count: 269
+      match:
+        event_type: alert
+        alert.signature_id: 4
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 5
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 6
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 7
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 8
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 9
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 10
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 11
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 12
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 13
+  - filter:
+      count: 41
+      match:
+        event_type: alert
+        alert.signature_id: 14
+  - filter:
+      count: 133
+      match:
+        event_type: alert
+        alert.signature_id: 15

tests/enip-keywords/test.yaml

@@ -2,15 +2,24 @@ requires:
   min-version: 7
 
 # disables checksum verification
+# use stream inline to match Wireshark as last packet does not get acked
 args:
-- -k none --set stream.midstream=true --set app-layer.protocols.enip.enabled=yes
+- -k none --set stream.inline=true --set stream.midstream=true --set app-layer.protocols.enip.enabled=yes
 
 checks:
   - filter:
+      lt-version: 8
       count: 41
       match:
         event_type: alert
         alert.signature_id: 1
+  - filter:
+      # version 8 also works on responses
+      min-version: 8
+      count: 81
+      match:
+        event_type: alert
+        alert.signature_id: 1
   - filter:
       count: 267
       match:

tests/enip-log-identity/README.md

@@ -0,0 +1,8 @@
+# Description
+
+Test ENIP logging
+And enip_command keyword with enumeration string
+
+# PCAP
+
+The pcap comes from https://redmine.openinfosecfoundation.org/issues/3886

tests/enip-log-identity/suricata.yaml

@@ -0,0 +1,19 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+      filename: eve.json
+
+      types:
+        - alert
+        - anomaly
+        - enip
+        - flow
+
+app-layer:
+  protocols:
+    enip:
+      enabled: yes

tests/enip-log-identity/test.rules

@@ -0,0 +1 @@
+alert enip any any -> any any (msg:"SURICATA enip test command string";enip_command:ListIdentity ; sid:1;)

tests/enip-log-identity/test.yaml

@@ -0,0 +1,27 @@
+requires:
+  min-version: 8
+
+pcap:  ../enip-alert/enip_test1.pcap
+
+# disables checksum verification
+args:
+- -k none
+
+checks:
+  - filter:
+      count: 2
+      match:
+        event_type: alert
+        alert.signature_id: 1
+        # check enip metadata in alert
+        enip.request.command: ListIdentity
+  - filter:
+      count: 1
+      match:
+        event_type: enip
+        enip.request.command: ListIdentity
+        enip.response.status: Success
+        # quote because this is a string, not a yaml float
+        enip.response.identity.revision: "4.3"
+        enip.response.identity.product_name: "1756-ENBT/A"
+        enip.response.identity.vendor_id: "Rockwell Automation/Allen-Bradley"