@ -1,4 +1,4 @@
|
|
|
|
|
/* Copyright (C) 2015-2021 Open Information Security Foundation
|
|
|
|
|
/* Copyright (C) 2015-2022 Open Information Security Foundation
|
|
|
|
|
*
|
|
|
|
|
* You can copy, redistribute or modify this Program under the terms of
|
|
|
|
|
* the GNU General Public License version 2 as published by the Free
|
|
|
|
|
@ -281,115 +281,3 @@ int DetectEngineInspectENIP(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_
|
|
|
|
|
|
|
|
|
|
SCReturnInt(0);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#ifdef UNITTESTS /* UNITTESTS */
|
|
|
|
|
#include "app-layer-parser.h"
|
|
|
|
|
#include "detect-parse.h"
|
|
|
|
|
#include "detect-engine.h"
|
|
|
|
|
#include "flow-util.h"
|
|
|
|
|
#include "stream-tcp.h"
|
|
|
|
|
#include "util-unittest.h"
|
|
|
|
|
#include "util-unittest-helper.h"
|
|
|
|
|
|
|
|
|
|
static uint8_t listIdentity[] = {
|
|
|
|
|
/* List ID */ 0x63,
|
|
|
|
|
0x00,
|
|
|
|
|
/* Length */ 0x00,
|
|
|
|
|
0x00,
|
|
|
|
|
/* Session */ 0x00,
|
|
|
|
|
0x00,
|
|
|
|
|
0x00,
|
|
|
|
|
0x00,
|
|
|
|
|
/* Status */ 0x00,
|
|
|
|
|
0x00,
|
|
|
|
|
0x00,
|
|
|
|
|
0x00,
|
|
|
|
|
/* Delay*/ 0x00,
|
|
|
|
|
/* Context */ 0x00,
|
|
|
|
|
0x00,
|
|
|
|
|
0x00,
|
|
|
|
|
0x00,
|
|
|
|
|
0x00,
|
|
|
|
|
0x00,
|
|
|
|
|
/* Quantity of coils */ 0x00,
|
|
|
|
|
0x00,
|
|
|
|
|
0x00,
|
|
|
|
|
0x00,
|
|
|
|
|
0x00,
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
/** \test Test code function. */
|
|
|
|
|
static int DetectEngineInspectENIPTest01(void)
|
|
|
|
|
{
|
|
|
|
|
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
|
|
|
|
|
DetectEngineThreadCtx *det_ctx = NULL;
|
|
|
|
|
DetectEngineCtx *de_ctx = NULL;
|
|
|
|
|
Flow f;
|
|
|
|
|
Packet *p = NULL;
|
|
|
|
|
Signature *s = NULL;
|
|
|
|
|
TcpSession ssn;
|
|
|
|
|
ThreadVars tv;
|
|
|
|
|
|
|
|
|
|
memset(&tv, 0, sizeof(ThreadVars));
|
|
|
|
|
memset(&f, 0, sizeof(Flow));
|
|
|
|
|
memset(&ssn, 0, sizeof(TcpSession));
|
|
|
|
|
|
|
|
|
|
p = UTHBuildPacket(listIdentity, sizeof(listIdentity), IPPROTO_TCP);
|
|
|
|
|
FAIL_IF_NULL(p);
|
|
|
|
|
|
|
|
|
|
FLOW_INITIALIZE(&f);
|
|
|
|
|
f.alproto = ALPROTO_ENIP;
|
|
|
|
|
f.protoctx = (void *)&ssn;
|
|
|
|
|
f.proto = IPPROTO_TCP;
|
|
|
|
|
f.flags |= FLOW_IPV4;
|
|
|
|
|
|
|
|
|
|
p->flow = &f;
|
|
|
|
|
p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
|
|
|
|
|
p->flowflags |= FLOW_PKT_TOSERVER | FLOW_PKT_ESTABLISHED;
|
|
|
|
|
|
|
|
|
|
StreamTcpInitConfig(true);
|
|
|
|
|
|
|
|
|
|
de_ctx = DetectEngineCtxInit();
|
|
|
|
|
FAIL_IF_NULL(de_ctx);
|
|
|
|
|
|
|
|
|
|
de_ctx->flags |= DE_QUIET;
|
|
|
|
|
s = de_ctx->sig_list = SigInit(de_ctx, "alert enip any any -> any any "
|
|
|
|
|
"(msg:\"Testing enip command\"; "
|
|
|
|
|
"enip_command:99 ; sid:1;)");
|
|
|
|
|
FAIL_IF_NULL(s);
|
|
|
|
|
|
|
|
|
|
SigGroupBuild(de_ctx);
|
|
|
|
|
DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
|
|
|
|
|
|
|
|
|
|
int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_ENIP, STREAM_TOSERVER,
|
|
|
|
|
listIdentity, sizeof(listIdentity));
|
|
|
|
|
FAIL_IF(r != 0);
|
|
|
|
|
|
|
|
|
|
ENIPState *enip_state = f.alstate;
|
|
|
|
|
FAIL_IF_NULL(enip_state);
|
|
|
|
|
|
|
|
|
|
/* do detect */
|
|
|
|
|
SigMatchSignatures(&tv, de_ctx, det_ctx, p);
|
|
|
|
|
|
|
|
|
|
FAIL_IF(!(PacketAlertCheck(p, 1)));
|
|
|
|
|
|
|
|
|
|
AppLayerParserThreadCtxFree(alp_tctx);
|
|
|
|
|
DetectEngineThreadCtxDeinit(&tv, det_ctx);
|
|
|
|
|
DetectEngineCtxFree(de_ctx);
|
|
|
|
|
|
|
|
|
|
StreamTcpFreeConfig(true);
|
|
|
|
|
FLOW_DESTROY(&f);
|
|
|
|
|
UTHFreePacket(p);
|
|
|
|
|
|
|
|
|
|
PASS;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#endif /* UNITTESTS */
|
|
|
|
|
|
|
|
|
|
void DetectEngineInspectENIPRegisterTests(void)
|
|
|
|
|
{
|
|
|
|
|
#ifdef UNITTESTS
|
|
|
|
|
UtRegisterTest("DetectEngineInspectENIPTest01", DetectEngineInspectENIPTest01);
|
|
|
|
|
#endif /* UNITTESTS */
|
|
|
|
|
return;
|
|
|
|
|
}