Merge branch 'topic/robin/dnp3-merge-v3'

Includes a bit more docs/comments cleanup. We should eventually
document the events further but it should suffice for now.

* topic/robin/dnp3-merge-v3:
  Tiny bit of cleanup and adapting the new test.
  added a test case for dnp3 packets with only link layer
  added condition to check DNP3 packet without app layer data
  Fixing well-known port.
  Pluginizing the DNP3 analyzer, plus a basic script logging requests and replies.

CHANGES

@@ -1,4 +1,10 @@
 
+2.1-1050 | 2013-08-12 11:37:44 -0700
+
+  * Experimental DNP3 analyzer. This includes only very basic
+    script-level support at the moment, but quite a number of events
+    are provided. (Hui Lin, Robin Sommer)
+
 2.1-1041 | 2013-08-09 15:32:22 -0700
 
   * Update coverage baselines for canonical load order of scripts.

NEWS

@@ -17,6 +17,10 @@ New Functionality
 
 - GridFTP support. TODO: Extend.
 
+- Modbus support. TODO: Extend.
+
+- DNP3 support. TODO: Extend.
+
 - ssl.log now also records the subject client and issuer certificates.
 
 - Hooks: TODO: Briefly summarize the documention from

VERSION

@@ -1 +1 @@
-2.1-1041
+2.1-1050

doc/scripts/DocSourcesList.cmake

@@ -31,6 +31,7 @@ rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_BitTorrent.events.b
 rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_ConnSize.events.bif.bro)
 rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_DCE_RPC.events.bif.bro)
 rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_DHCP.events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_DNP3.events.bif.bro)
 rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_DNS.events.bif.bro)
 rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_FTP.events.bif.bro)
 rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_FTP.functions.bif.bro)
@@ -142,6 +143,8 @@ rest_target(${psd} base/protocols/conn/polling.bro)
 rest_target(${psd} base/protocols/dhcp/consts.bro)
 rest_target(${psd} base/protocols/dhcp/main.bro)
 rest_target(${psd} base/protocols/dhcp/utils.bro)
+rest_target(${psd} base/protocols/dnp3/consts.bro)
+rest_target(${psd} base/protocols/dnp3/main.bro)
 rest_target(${psd} base/protocols/dns/consts.bro)
 rest_target(${psd} base/protocols/dns/main.bro)
 rest_target(${psd} base/protocols/ftp/files.bro)

scripts/base/init-default.bro

@@ -40,6 +40,7 @@
 
 @load base/protocols/conn
 @load base/protocols/dhcp
+@load base/protocols/dnp3
 @load base/protocols/dns
 @load base/protocols/ftp
 @load base/protocols/http

scripts/base/protocols/dnp3/__load__.bro

@@ -0,0 +1,3 @@
+@load ./main
+
+@load-sigs ./dpd.sig

scripts/base/protocols/dnp3/consts.bro

@@ -0,0 +1,49 @@
+
+module DNP3;
+
+export {
+	## Standard defined Modbus function codes.
+	const function_codes = {
+		# Requests.
+		[0x00] = "CONFIRM",
+		[0x01] = "READ",
+		[0x02] = "WRITE",
+		[0x03] = "SELECT",
+		[0x04] = "OPERATE",
+		[0x05] = "DIRECT_OPERATE",
+		[0x06] = "DIRECT_OPERATE_NR",
+		[0x07] = "IMMED_FREEZE",
+		[0x08] = "IMMED_FREEZE_NR",
+		[0x09] = "FREEZE_CLEAR",
+		[0x0a] = "FREEZE_CLEAR_NR",
+		[0x0b] = "FREEZE_AT_TIME",
+		[0x0c] = "FREEZE_AT_TIME_NR",
+		[0x0d] = "COLD_RESTART",
+		[0x0e] = "WARM_RESTART",
+		[0x0f] = "INITIALIZE_DATA",
+		[0x10] = "INITIALIZE_APPL",
+		[0x11] = "START_APPL",
+		[0x12] = "STOP_APPL",
+		[0x13] = "SAVE_CONFIG",
+		[0x14] = "ENABLE_UNSOLICITED",
+		[0x15] = "DISABLE_UNSOLICITED",
+		[0x16] = "ASSIGN_CLASS",
+		[0x17] = "DELAY_MEASURE",
+		[0x18] = "RECORD_CURRENT_TIME",
+		[0x19] = "OPEN_FILE",
+		[0x1a] = "CLOSE_FILE",
+		[0x1b] = "DELETE_FILE",
+		[0x1c] = "GET_FILE_INFO",
+		[0x1d] = "AUTHENTICATE_FILE",
+		[0x1e] = "ABORT_FILE",
+		[0x1f] = "ACTIVATE_CONFIG",
+		[0x20] = "AUTHENTICATE_REQ",
+		[0x21] = "AUTHENTICATE_ERR",
+
+		# Responses.
+		[0x81] = "RESPONSE",
+		[0x82] = "UNSOLICITED_RESPONSE",
+		[0x83] = "AUTHENTICATE_RESP",
+	} &default=function(i: count):string { return fmt("unknown-%d", i); } &redef;
+}
+

scripts/base/protocols/dnp3/dpd.sig

@@ -0,0 +1,9 @@
+
+# DNP3 packets always starts with 0x05 0x64 .
+
+signature dpd_dnp3_server {
+	ip-proto == tcp
+	payload /\x05\x64/
+	tcp-state responder
+ 	enable "dnp3"
+}

scripts/base/protocols/dnp3/main.bro

@@ -0,0 +1,73 @@
+##! A very basic DNP3 analysis script that just logs requests and replies.
+
+module DNP3;
+
+@load ./consts
+
+export {
+	redef enum Log::ID += { LOG };
+
+	type Info: record {
+		## Time of the request.
+		ts:         time           &log;
+		## Unique identifier for the connnection.
+		uid:        string         &log;
+		## Identifier for the connection.
+		id:         conn_id        &log;
+		## The name of the function message in the request.
+		fc_request: string         &log &optional;
+		## The name of the function message in the reply.
+		fc_reply:   string         &log &optional;
+		## The response's "internal indication number".
+		iin:        count          &log &optional;
+	};
+
+	## Event that can be handled to access the DNP3 record as it is sent on
+	## to the logging framework.
+	global log_dnp3: event(rec: Info);
+}
+
+redef record connection += {
+	dnp3: Info &optional;
+};
+
+const ports = { 20000/tcp };
+redef likely_server_ports += { ports };
+
+event bro_init() &priority=5
+	{
+	Log::create_stream(DNP3::LOG, [$columns=Info, $ev=log_dnp3]);
+	Analyzer::register_for_ports(Analyzer::ANALYZER_DNP3, ports);
+	}
+
+event dnp3_application_request_header(c: connection, is_orig: bool, fc: count)
+	{
+	if ( ! c?$dnp3 )
+		c$dnp3 = [$ts=network_time(), $uid=c$uid, $id=c$id];
+
+	c$dnp3$ts = network_time();
+	c$dnp3$fc_request = function_codes[fc];
+	}
+
+event dnp3_application_response_header(c: connection, is_orig: bool, fc: count, iin: count)
+	{
+	if ( ! c?$dnp3 )
+		c$dnp3 = [$ts=network_time(), $uid=c$uid, $id=c$id];
+
+	c$dnp3$ts = network_time();
+	c$dnp3$fc_reply = function_codes[fc];
+	c$dnp3$iin = iin;
+
+	Log::write(LOG, c$dnp3);
+
+	delete c$dnp3;
+	}
+
+event connection_state_remove(c: connection) &priority=-5
+	{
+	if ( ! c?$dnp3 )
+		return;
+
+	Log::write(LOG, c$dnp3);
+	delete c$dnp3;
+	}

src/analyzer/protocol/CMakeLists.txt

@@ -6,6 +6,7 @@ add_subdirectory(bittorrent)
 add_subdirectory(conn-size)
 add_subdirectory(dce-rpc)
 add_subdirectory(dhcp)
+add_subdirectory(dnp3)
 add_subdirectory(dns)
 add_subdirectory(file)
 add_subdirectory(finger)

src/analyzer/protocol/dnp3/CMakeLists.txt

@@ -0,0 +1,10 @@
+
+include(BroPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+bro_plugin_begin(Bro DNP3)
+bro_plugin_cc(DNP3.cc Plugin.cc)
+bro_plugin_bif(events.bif)
+bro_plugin_pac(dnp3.pac dnp3-analyzer.pac dnp3-protocol.pac dnp3-objects.pac)
+bro_plugin_end()

src/analyzer/protocol/dnp3/DNP3.cc

@@ -0,0 +1,376 @@
+//
+// DNP3 was initially used over serial links; it defined its own application
+// layer, transport layer, and data link layer. This hierarchy cannot be
+// mapped to the TCP/IP stack directly. As a result, all three DNP3 layers
+// are packed together as a single application layer payload over the TCP
+// layer. Each DNP3 packet in the application layer may look like this DNP3
+// Packet:
+//
+//    DNP3 Link Layer | DNP3 Transport Layer | DNP3 Application Layer
+//
+//    (This hierarchy can be viewed in the Wireshark visually.)
+//
+// === Background on DNP3
+//
+// 1. Basic structure of DNP3 Protocol over serial links. This information
+//    can be found in detail in
+//
+//        DNP3 Specification Volume 2, Part 1 Basic, Application Layer
+//        DNP3 Specification Volume 4, Data Link Layer
+//
+//    Traditionally, the DNP3 Application Layer in serial links contains a
+//    "DNP3 Application Layer Fragment". The data that is parsed by the end
+//    device and then executed. As the "DNP3 Application Layer Fragment" can
+//    be long (>255 bytes), it may be trunkcated and carried in different
+//    DNP3 Application Layer of more than one DNP3 packets.
+//
+//    So we may find a long DNP3 Application Layer Fragment to be transmitted in the following format
+//
+//        DNP3 Packet #1 : DNP3 Link Layer | DNP3 Transport Layer | DNP3 Application Layer #1
+//        DNP3 Packet #2 : DNP3 Link Layer | DNP3 Transport Layer | DNP3 Application Layer #2
+//        ....
+//        DNP3 Packet #n : DNP3 Link Layer | DNP3 Transport Layer | DNP3 Application Layer #n
+//
+//    So to get the whole DNP3 application layer fragment, we concatenate
+//    each DNP3 Application Layer Data into a logic DNP3 Application Layer
+//    Fragment:
+//
+//       DNP3 Application Layer #1 + DNP3 Application Layer #2 + ... + DNP3 Application Layer #n
+//
+// 2. Packing DNP3 Network Packet into TCP/IP stack
+//
+// We will call the original DNP3 Link Layer, Transport Layer and Application
+// Layer used in serial link as Pseudo Link Layer, Pseudo Transport Layer and
+// Pseudo Application Layer.
+//
+// For a long DNP3 application layer fragment, we may find it tramistted
+// over IP network in the following format:
+//
+//     Network Packet #1 : TCP Header | DNP3 Pseudo Link Layer | DNP3 Pseudo Transport Layer | DNP3 Pseudo Application Layer #1
+//     Network Packet #2 : TCP Header | DNP3 Pseudo Link Layer | DNP3 Pseudo Transport Layer | DNP3 Pseudo Application Layer #2
+//     ....
+//     Network Packet #n : TCP Header | DNP3 Pseudo Link Layer | DNP3 Pseudo Transport Layer | DNP3 Pseudo Application Layer #n
+//
+// === Challenges of Writing DNP3 Analyzer on Binpac ===
+//
+// The detailed structure of the DNP3 Link Layer is:
+//
+//     0x05 0x64 Len Ctrl Dest_LSB Dest_MSB Src_LSB Src_MSB CRC_LSB CRC_MSB
+//
+//     Each field is a byte; LSB: least significant byte; MSB: most significatn byte.
+//
+//     "Len" indicates the length of the byte stream right after this field
+//     (excluding CRC fields) in the current DNP3 packet.
+//
+// Since "Len" is of size one byte, the largest length it can represent is
+// 255 bytes. The larget DNP3 Application Layer size is "255 - 5 + size of
+// all CRC fields". "minus 5" is coming from the 5 bytes after "Len" field in
+// the DNP3 Link Layer, i.e. Ctrl Dest_LSB Dest_MSB Src_LSB Src_MSB Hence,
+// the largest size of a DNP3 Packet (DNP3 Data Link Layer : DNP3 Transport
+// Layer : DNP3 Application Layer) can only be 292 bytes.
+//
+// The "Len" field indicates the length of of a single chunk of DNP3 Psuedo
+// Application Layer data instead of the whole DNP3 Application Layer
+// Fragment. However, we can not know the whole length of the DNP3
+// Application Layer Fragment (which Binpac would normally need) until all
+// chunks of Pseudo Application Layer Data are received.
+//
+// We hence exploit the internal flow_buffer class used in Binpac to buffer
+// the application layer data until all chunk are received, which does
+// require a bit of internal knowledge of the generated code.
+//
+// The binpac analyzer parses the DNP3 Application Layer Fragment. However,
+// we manually add the original Pseudo Link Layer data as an additional
+// header before the DNP3 Application Fragment. This helps to know how many
+// bytes are in the current chunk of DNP3 application layer data (not the
+// whole Application Layer Fragment).
+//
+// Graphically, the procedure is:
+//
+// DNP3 Packet :  DNP3 Pseudo Data Link Layer : DNP3 Pseudo Transport Layer : DNP3 Pseudo Application Layer
+//                                   ||                                    ||
+//                                   || (length field)                     || (original paylad byte stream)
+//                                   \/                                    \/
+//                DNP3 Additional Header              :                  Reassembled DNP3 Pseudo Application Layer Data
+//                                                   ||
+//                                                   \/
+//                                            Binpac DNP3 Analyzer
+
+#include "DNP3.h"
+#include "analyzer/protocol/tcp/TCP_Reassembler.h"
+#include "events.bif.h"
+
+using namespace analyzer::dnp3;
+
+const unsigned int PSEUDO_LENGTH_INDEX = 2;		// index of len field of DNP3 Pseudo Link Layer
+const unsigned int PSEUDO_CONTROL_FIELD_INDEX = 3;	// index of ctrl field of DNP3 Pseudo Link Layer
+const unsigned int PSEUDO_TRANSPORT_INDEX = 10;		// index of DNP3 Pseudo Transport Layer
+const unsigned int PSEUDO_APP_LAYER_INDEX = 11;		// index of first DNP3 app-layer byte.
+const unsigned int PSEUDO_TRANSPORT_LEN = 1;		// length of DNP3 Transport Layer
+const unsigned int PSEUDO_LINK_LAYER_LEN = 8;		// length of DNP3 Pseudo Link Layer
+
+bool DNP3_Analyzer::crc_table_initialized = false;
+unsigned int DNP3_Analyzer::crc_table[256];
+
+DNP3_Analyzer::DNP3_Analyzer(Connection* c) : TCP_ApplicationAnalyzer("DNP3", c)
+	{
+	interp = new binpac::DNP3::DNP3_Conn(this);
+
+	ClearEndpointState(true);
+	ClearEndpointState(false);
+
+	if ( ! crc_table_initialized )
+		PrecomputeCRCTable();
+	}
+
+DNP3_Analyzer::~DNP3_Analyzer()
+	{
+	delete interp;
+	}
+
+void DNP3_Analyzer::Done()
+	{
+	TCP_ApplicationAnalyzer::Done();
+
+	interp->FlowEOF(true);
+	interp->FlowEOF(false);
+	}
+
+void DNP3_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
+	{
+	TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
+
+	try
+		{
+		if ( ! ProcessData(len, data, orig) )
+			SetSkip(1);
+		}
+
+	catch ( const binpac::Exception& e )
+		{
+		SetSkip(1);
+		throw;
+		}
+	}
+
+void DNP3_Analyzer::Undelivered(int seq, int len, bool orig)
+	{
+	TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
+	interp->NewGap(orig, len);
+	}
+
+void DNP3_Analyzer::EndpointEOF(tcp::TCP_Reassembler* endp)
+	{
+	TCP_ApplicationAnalyzer::EndpointEOF(endp);
+	interp->FlowEOF(endp->IsOrig());
+	}
+
+bool DNP3_Analyzer::ProcessData(int len, const u_char* data, bool orig)
+	{
+	Endpoint* endp = orig ? &orig_state : &resp_state;
+
+	while ( len )
+		{
+		if ( endp->in_hdr )
+			{
+			// We're parsing the DNP3 header and link layer, get that in full.
+			if ( ! AddToBuffer(endp, PSEUDO_APP_LAYER_INDEX, &data, &len) )
+				return true;
+
+			// The first two bytes must always be 0x0564.
+			if( endp->buffer[0] != 0x05 || endp->buffer[1] != 0x64 )
+				{
+				Weird("dnp3_header_lacks_magic");
+				return false;
+				}
+
+			// Make sure header checksum is correct.
+			if ( ! CheckCRC(PSEUDO_LINK_LAYER_LEN, endp->buffer, endp->buffer + PSEUDO_LINK_LAYER_LEN, "header") )
+				{
+				ProtocolViolation("broken_checksum");
+				return false;
+				}
+
+			// If the checksum works out, we're pretty certainly DNP3.
+			ProtocolConfirmation();
+
+			// DNP3 packets without transport and application
+			// layers can happen, we ignore them.
+			if ( (endp->buffer[PSEUDO_LENGTH_INDEX] + 3) == (char)PSEUDO_LINK_LAYER_LEN  )
+				{
+				ClearEndpointState(orig);
+				return true;
+				}
+
+			// Double check the direction in case the first
+			// received packet is a response.
+			u_char ctrl = endp->buffer[PSEUDO_CONTROL_FIELD_INDEX];
+
+			if ( orig != (bool)(ctrl & 0x80) )
+				Weird("dnp3_unexpected_flow_direction");
+
+			// Update state.
+			endp->pkt_length = endp->buffer[PSEUDO_LENGTH_INDEX];
+			endp->tpflags = endp->buffer[PSEUDO_TRANSPORT_INDEX];
+			endp->in_hdr = false; // Now parsing application layer.
+
+			// For the first packet, we submit the header to
+			// BinPAC.
+			if ( ++endp->pkt_cnt == 1 )
+				interp->NewData(orig, endp->buffer, endp->buffer + PSEUDO_LINK_LAYER_LEN);
+			}
+
+		if ( ! endp->in_hdr )
+			{
+			assert(endp->pkt_length);
+
+			// We're parsing the DNP3 application layer, get that
+			// in full now as well. We calculate the number of
+			// raw bytes the application layer consists of from
+			// the packet length by determining how much 16-byte
+			// chunks fit in there, and then add 2 bytes CRC for
+			// each.
+			int n = PSEUDO_APP_LAYER_INDEX + (endp->pkt_length - 5) + ((endp->pkt_length - 5) / 16) * 2 + 2 - 1;
+
+			if ( ! AddToBuffer(endp, n, &data, &len) )
+				return true;
+
+			// Parse the the application layer data.
+			if ( ! ParseAppLayer(endp) )
+				return false;
+
+			// Done with this packet, prepare for next.
+			endp->buffer_len = 0;
+			endp->in_hdr = true;
+			}
+		}
+
+	return true;
+	}
+
+bool DNP3_Analyzer::AddToBuffer(Endpoint* endp, int target_len, const u_char** data, int* len)
+	{
+	if ( ! target_len )
+		return true;
+
+	int to_copy = min(*len, target_len - endp->buffer_len);
+
+	memcpy(endp->buffer + endp->buffer_len, *data, to_copy);
+	*data += to_copy;
+	*len -= to_copy;
+	endp->buffer_len += to_copy;
+
+	return endp->buffer_len == target_len;
+	}
+
+bool DNP3_Analyzer::ParseAppLayer(Endpoint* endp)
+	{
+	bool orig = (endp == &orig_state);
+	binpac::DNP3::DNP3_Flow* flow = orig ? interp->upflow() : interp->downflow();
+
+	u_char* data = endp->buffer + PSEUDO_TRANSPORT_INDEX; // The transport layer byte counts as app-layer it seems.
+	int len = endp->pkt_length - 5;
+
+	// DNP3 Packet :  DNP3 Pseudo Link Layer | DNP3 Pseudo Transport Layer | DNP3 Pseudo Application Layer
+	// DNP3 Serial Transport Layer data is always 1 byte.
+	// Get FIN FIR seq field in transport header.
+	// FIR indicate whether the following DNP3 Serial Application Layer is first chunk of bytes or not.
+	// FIN indicate whether the following DNP3 Serial Application Layer is last chunk of bytes or not.
+
+	int is_first = (endp->tpflags & 0x40) >> 6; // Initial chunk of data in this packet.
+	int is_last = (endp->tpflags & 0x80) >> 7; // Last chunk of data in this packet.
+
+	int transport = PSEUDO_TRANSPORT_LEN;
+
+	int i = 0;
+	while ( len > 0 )
+		{
+		int n = min(len, 16);
+
+		// Make sure chunk has a correct checksum.
+		if ( ! CheckCRC(n, data, data + n, "app_chunk") )
+			return false;
+
+		// Pass on to BinPAC.
+		assert(data + n < endp->buffer + endp->buffer_len);
+		flow->flow_buffer()->BufferData(data + transport, data + n);
+		transport = 0;
+
+		data += n + 2;
+		len -= n;
+		}
+
+	if ( is_first )
+		endp->encountered_first_chunk = true;
+
+	if ( ! is_first && ! endp->encountered_first_chunk )
+		{
+		// We lost the first chunk.
+		Weird("dnp3_first_application_layer_chunk_missing");
+		return false;
+		}
+
+	if ( is_last )
+		{
+		flow->flow_buffer()->FinishBuffer();
+		flow->FlowEOF();
+		ClearEndpointState(orig);
+		}
+
+	return true;
+	}
+
+void DNP3_Analyzer::ClearEndpointState(bool orig)
+	{
+	Endpoint* endp = orig ? &orig_state : &resp_state;
+	binpac::DNP3::DNP3_Flow* flow = orig ? interp->upflow() : interp->downflow();
+
+	endp->in_hdr = true;
+	endp->encountered_first_chunk = false;
+	endp->buffer_len = 0;
+	endp->pkt_length = 0;
+	endp->tpflags = 0;
+	endp->pkt_cnt = 0;
+	}
+
+bool DNP3_Analyzer::CheckCRC(int len, const u_char* data, const u_char* crc16, const char* where)
+	{
+	unsigned int crc = CalcCRC(len, data);
+
+	if ( crc16[0] == (crc & 0xff) && crc16[1] == (crc & 0xff00) >> 8 )
+		return true;
+
+	Weird(fmt("dnp3_corrupt_%s_checksum", where));
+	return false;
+	}
+
+void DNP3_Analyzer::PrecomputeCRCTable()
+	{
+	for( unsigned int i = 0; i < 256; i++)
+		{
+		unsigned int crc = i;
+
+		for ( unsigned int j = 0; j < 8; ++j )
+			{
+			if ( crc & 0x0001 )
+				crc = (crc >> 1) ^ 0xA6BC; // Generating polynomial.
+			else
+				crc >>= 1;
+			}
+
+		crc_table[i] = crc;
+		}
+	}
+
+unsigned int DNP3_Analyzer::CalcCRC(int len, const u_char* data)
+	{
+	unsigned int crc = 0x0000;
+
+	for ( int i = 0; i < len; i++ )
+		{
+		unsigned int index = (crc ^ data[i]) & 0xFF;
+		crc = crc_table[index] ^ (crc >> 8);
+		}
+
+	return ~crc & 0xFFFF;
+	}

src/analyzer/protocol/dnp3/DNP3.h

@@ -0,0 +1,56 @@
+
+#ifndef ANALYZER_PROTOCOL_DNP3_DNP3_H
+#define ANALYZER_PROTOCOL_DNP3_DNP3_H
+
+#include "analyzer/protocol/tcp/TCP.h"
+#include "dnp3_pac.h"
+
+namespace analyzer { namespace dnp3 {
+
+class DNP3_Analyzer : public tcp::TCP_ApplicationAnalyzer {
+public:
+	DNP3_Analyzer(Connection* conn);
+	virtual ~DNP3_Analyzer();
+
+	virtual void Done();
+	virtual void DeliverStream(int len, const u_char* data, bool orig);
+	virtual void Undelivered(int seq, int len, bool orig);
+	virtual void EndpointEOF(tcp::TCP_Reassembler* endp);
+
+	static Analyzer* InstantiateAnalyzer(Connection* conn)
+		{ return new DNP3_Analyzer(conn); }
+
+private:
+	static const int MAX_BUFFER_SIZE = 300;
+
+	struct Endpoint	{
+		u_char buffer[MAX_BUFFER_SIZE];
+		int buffer_len;
+		bool in_hdr;
+		int tpflags;
+		int pkt_length;
+		int pkt_cnt;
+		bool encountered_first_chunk;
+		};
+
+	bool ProcessData(int len, const u_char* data, bool orig);
+	void ClearEndpointState(bool orig);
+	bool AddToBuffer(Endpoint* endp, int target_len, const u_char** data, int* len);
+	bool ParseAppLayer(Endpoint* endp);
+	bool CheckCRC(int len, const u_char* data, const u_char* crc16, const char* where);
+	unsigned int CalcCRC(int len, const u_char* data);
+
+	binpac::DNP3::DNP3_Conn* interp;
+
+	Endpoint orig_state;
+	Endpoint resp_state;
+
+	static void PrecomputeCRCTable();
+
+	static bool crc_table_initialized;
+	static unsigned int crc_table[256];
+};
+
+} } // namespace analyzer::* 
+
+#endif

src/analyzer/protocol/dnp3/Plugin.cc

@@ -0,0 +1,10 @@
+
+#include "plugin/Plugin.h"
+
+#include "DNP3.h"
+
+BRO_PLUGIN_BEGIN(Bro, DNP3)
+	BRO_PLUGIN_DESCRIPTION("DNP3 analyzer");
+	BRO_PLUGIN_ANALYZER("DNP3", dnp3::DNP3_Analyzer);
+	BRO_PLUGIN_BIF_FILE(events);
+BRO_PLUGIN_END

src/analyzer/protocol/dnp3/dnp3-analyzer.pac

@@ -0,0 +1,969 @@
+
+connection DNP3_Conn(bro_analyzer: BroAnalyzer) {
+	upflow = DNP3_Flow(true);
+	downflow = DNP3_Flow(false);
+};
+
+flow DNP3_Flow(is_orig: bool) {
+	flowunit = DNP3_PDU(is_orig) withcontext (connection, this);
+
+	function get_dnp3_header_block(start: uint16, len: uint16, ctrl: uint8, dest_addr: uint16, src_addr: uint16): bool
+		%{
+		if ( ::dnp3_header_block )
+			{
+			BifEvent::generate_dnp3_header_block(
+				connection()->bro_analyzer(),
+				connection()->bro_analyzer()->Conn(),
+				is_orig(), start, len, ctrl, dest_addr, src_addr);
+			}
+
+		return true;
+		%}
+
+	function get_dnp3_application_request_header(fc: uint8): bool
+		%{
+		if ( ::dnp3_application_request_header )
+			{
+			BifEvent::generate_dnp3_application_request_header(
+				connection()->bro_analyzer(),
+				connection()->bro_analyzer()->Conn(),
+				is_orig(),
+				fc
+				);
+			}
+		return true;
+		%}
+
+	function get_dnp3_application_response_header(fc: uint8, iin: uint16): bool
+		%{
+		if ( ::dnp3_application_response_header )
+			{
+			BifEvent::generate_dnp3_application_response_header(
+				connection()->bro_analyzer(),
+				connection()->bro_analyzer()->Conn(),
+				is_orig(),
+				fc,
+				iin
+				);
+			}
+		return true;
+		%}
+
+	function get_dnp3_object_header(obj_type: uint16, qua_field: uint8, number: uint32, rf_low: uint32, rf_high: uint32 ): bool
+		%{
+		if ( ::dnp3_object_header )
+			{
+			BifEvent::generate_dnp3_object_header(
+				connection()->bro_analyzer(),
+				connection()->bro_analyzer()->Conn(),
+				is_orig(), obj_type, qua_field, number, rf_low, rf_high);
+			}
+
+		return true;
+		%}
+
+	function get_dnp3_object_prefix(prefix_value: uint32): bool
+		%{
+		if ( ::dnp3_object_prefix )
+			{
+			BifEvent::generate_dnp3_object_prefix(
+				connection()->bro_analyzer(),
+				connection()->bro_analyzer()->Conn(),
+				is_orig(), prefix_value);
+			}
+
+		return true;
+		%}
+
+	function get_dnp3_response_data_object(data_value: uint8): bool
+		%{
+		if ( ::dnp3_response_data_object )
+			{
+			BifEvent::generate_dnp3_response_data_object(
+				connection()->bro_analyzer(),
+				connection()->bro_analyzer()->Conn(),
+				is_orig(), data_value);
+			}
+
+		return true;
+		%}
+
+	#g0
+	function get_dnp3_attribute_common(data_type_code: uint8, leng: uint8, attribute_obj: const_bytestring): bool
+		%{
+		if ( ::dnp3_attribute_common )
+			{
+			BifEvent::generate_dnp3_attribute_common(
+				connection()->bro_analyzer(),
+				connection()->bro_analyzer()->Conn(),
+				is_orig(), data_type_code, leng, bytestring_to_val(attribute_obj) );
+			}
+
+		return true;
+		%}
+
+	#g12v1
+	function get_dnp3_crob(control_code: uint8, count8: uint8, on_time: uint32, off_time: uint32, status_code: uint8): bool
+		%{
+		if ( ::dnp3_crob )
+			{
+			BifEvent::generate_dnp3_crob(
+				connection()->bro_analyzer(),
+				connection()->bro_analyzer()->Conn(),
+				is_orig(), control_code, count8, on_time, off_time, status_code);
+			}
+
+		return true;
+		%}
+
+	#g12v2
+	function get_dnp3_pcb(control_code: uint8, count8: uint8, on_time: uint32, off_time: uint32, status_code: uint8): bool
+		%{
+		if ( ::dnp3_pcb )
+			{
+			BifEvent::generate_dnp3_pcb(
+				connection()->bro_analyzer(),
+				connection()->bro_analyzer()->Conn(),
+				is_orig(), control_code, count8, on_time, off_time, status_code);
+			}
+
+		return true;
+		%}
+
+	# g20v1
+	function get_dnp3_counter_32wFlag(flag: uint8, count_value: uint32): bool
+		%{
+		if ( ::dnp3_counter_32wFlag )
+			{
+			BifEvent::generate_dnp3_counter_32wFlag(
+				connection()->bro_analyzer(),
+				connection()->bro_analyzer()->Conn(),
+				is_orig(), flag, count_value);
+			}
+
+		return true;
+		%}
+
+	# g20v2
+	function get_dnp3_counter_16wFlag(flag: uint8, count_value: uint16): bool
+		%{
+		if ( ::dnp3_counter_16wFlag )
+			{
+			BifEvent::generate_dnp3_counter_16wFlag(
+				connection()->bro_analyzer(),
+				connection()->bro_analyzer()->Conn(),
+				is_orig(), flag, count_value);
+			}
+
+		return true;
+		%}
+
+	# g20v5
+	function get_dnp3_counter_32woFlag(count_value: uint32): bool
+		%{
+		if ( ::dnp3_counter_32woFlag )
+			{
+			BifEvent::generate_dnp3_counter_32woFlag(
+				connection()->bro_analyzer(),
+				connection()->bro_analyzer()->Conn(),
+				is_orig(), count_value);
+			}
+
+		return true;
+		%}
+
+	# g20v6
+	function get_dnp3_counter_16woFlag(count_value: uint16): bool
+		%{
+		if ( ::dnp3_counter_16woFlag )
+			{
+			BifEvent::generate_dnp3_counter_16woFlag(
+				connection()->bro_analyzer(),
+				connection()->bro_analyzer()->Conn(),
+				is_orig(), count_value);
+			}
+
+		return true;
+		%}
+
+	# g21v1
+	function get_dnp3_frozen_counter_32wFlag(flag: uint8, count_value: uint32): bool
+		%{
+		if ( ::dnp3_frozen_counter_32wFlag )
+			{
+			BifEvent::generate_dnp3_frozen_counter_32wFlag(
+				connection()->bro_analyzer(),
+				connection()->bro_analyzer()->Conn(),
+				is_orig(), flag, count_value);
+			}
+
+		return true;
+		%}
+
+	# g21v2
+	function get_dnp3_frozen_counter_16wFlag(flag: uint8, count_value: uint16): bool
+		%{
+		if ( ::dnp3_frozen_counter_16wFlag )
+			{
+			BifEvent::generate_dnp3_frozen_counter_16wFlag(
+				connection()->bro_analyzer(),
+				connection()->bro_analyzer()->Conn(),
+				is_orig(), flag, count_value);
+			}
+
+		return true;
+		%}
+
+	# g21v5
+	function get_dnp3_frozen_counter_32wFlagTime(flag: uint8, count_value: uint32, time48: const_bytestring): bool
+		%{
+		if ( ::dnp3_frozen_counter_32wFlagTime )
+			{
+			BifEvent::generate_dnp3_frozen_counter_32wFlagTime(
+				connection()->bro_analyzer(),
+				connection()->bro_analyzer()->Conn(),
+				is_orig(), flag, count_value, bytestring_to_val(time48));
+			}
+
+		return true;
+		%}
+
+	# g21v6
+	function get_dnp3_frozen_counter_16wFlagTime(flag: uint8, count_value: uint16, time48: const_bytestring): bool
+		%{
+		if ( ::dnp3_frozen_counter_16wFlagTime )
+			{
+			BifEvent::generate_dnp3_frozen_counter_16wFlagTime(
+				connection()->bro_analyzer(),
+				connection()->bro_analyzer()->Conn(),
+				is_orig(), flag, count_value, bytestring_to_val(time48));
+			}
+
+		return true;
+		%}
+
+	# g21v9
+	function get_dnp3_frozen_counter_32woFlag(count_value: uint32): bool
+		%{
+		if ( ::dnp3_frozen_counter_32woFlag )
+			{
+			BifEvent::generate_dnp3_frozen_counter_32woFlag(
+				connection()->bro_analyzer(),
+				connection()->bro_analyzer()->Conn(),
+				is_orig(), count_value);
+			}
+
+		return true;
+		%}
+
+	# g21v10
+	function get_dnp3_frozen_counter_16woFlag(count_value: uint16): bool
+		%{
+		if ( ::dnp3_frozen_counter_16woFlag )
+			{
+			BifEvent::generate_dnp3_frozen_counter_16woFlag(
+				connection()->bro_analyzer(),
+				connection()->bro_analyzer()->Conn(),
+				is_orig(), count_value);
+			}
+
+		return true;
+		%}
+
+	# g30v1
+	function get_dnp3_analog_input_32wFlag(flag: uint8, value: int32): bool
+		%{
+		if ( ::dnp3_analog_input_32wFlag )
+			{
+			BifEvent::generate_dnp3_analog_input_32wFlag(
+				connection()->bro_analyzer(),
+				connection()->bro_analyzer()->Conn(),
+				is_orig(), flag, value);
+			}
+
+		return true;
+		%}
+
+	# g30v2
+	function get_dnp3_analog_input_16wFlag(flag: uint8, value: int16): bool
+		%{
+		if ( ::dnp3_analog_input_16wFlag )
+			{
+			BifEvent::generate_dnp3_analog_input_16wFlag(
+				connection()->bro_analyzer(),
+				connection()->bro_analyzer()->Conn(),
+				is_orig(), flag, value);
+			}
+
+		return true;
+		%}
+
+	# g30v3
+	function get_dnp3_analog_input_32woFlag(value: int32): bool
+		%{
+		if ( ::dnp3_analog_input_32woFlag )
+			{
+			BifEvent::generate_dnp3_analog_input_32woFlag(
+				connection()->bro_analyzer(),
+				connection()->bro_analyzer()->Conn(),
+				is_orig(), value);
+			}
+
+		return true;
+		%}
+
+	#g30v4
+	function get_dnp3_analog_input_16woFlag(value: int16): bool
+		%{
+		if ( ::dnp3_analog_input_16woFlag )
+			{
+			BifEvent::generate_dnp3_analog_input_16woFlag(
+				connection()->bro_analyzer(),
+				connection()->bro_analyzer()->Conn(),
+				is_orig(), value);
+			}
+
+		return true;
+		%}
+
+	# g30v5
+	function get_dnp3_analog_input_SPwFlag(flag: uint8, value: uint32): bool
+		%{
+		if ( ::dnp3_analog_input_SPwFlag )
+			{
+			BifEvent::generate_dnp3_analog_input_SPwFlag(
+				connection()->bro_analyzer(),
+				connection()->bro_analyzer()->Conn(),
+				is_orig(), flag, value);
+			}
+
+		return true;
+		%}
+
+	# g30v6
+	function get_dnp3_analog_input_DPwFlag(flag: uint8, value_low: uint32, value_high: uint32): bool
+		%{
+		if ( ::dnp3_analog_input_DPwFlag )
+			{
+			BifEvent::generate_dnp3_analog_input_DPwFlag(
+				connection()->bro_analyzer(),
+				connection()->bro_analyzer()->Conn(),
+				is_orig(), flag, value_low, value_high);
+			}
+
+		return true;
+		%}
+
+	# g31v1
+	function get_dnp3_frozen_analog_input_32wFlag(flag: uint8, frozen_value: int32): bool
+		%{
+		if ( ::dnp3_frozen_analog_input_32wFlag )
+			{
+			BifEvent::generate_dnp3_frozen_analog_input_32wFlag(
+				connection()->bro_analyzer(),
+				connection()->bro_analyzer()->Conn(),
+				is_orig(), flag, frozen_value);
+			}
+
+		return true;
+		%}
+
+	# g31v2
+	function get_dnp3_frozen_analog_input_16wFlag(flag: uint8, frozen_value: int16): bool
+		%{
+		if ( ::dnp3_frozen_analog_input_16wFlag )
+			{
+			BifEvent::generate_dnp3_frozen_analog_input_16wFlag(
+				connection()->bro_analyzer(),
+				connection()->bro_analyzer()->Conn(),
+				is_orig(), flag, frozen_value);
+			}
+
+		return true;
+		%}
+
+	# g31v3
+	function get_dnp3_frozen_analog_input_32wTime(flag: uint8, frozen_value: int32, time48: const_bytestring): bool
+		%{
+		if ( ::dnp3_frozen_analog_input_32wTime )
+			{
+			BifEvent::generate_dnp3_frozen_analog_input_32wTime(
+				connection()->bro_analyzer(),
+				connection()->bro_analyzer()->Conn(),
+				is_orig(), flag, frozen_value, bytestring_to_val(time48));
+			}
+
+		return true;
+		%}
+
+	# g31v4
+	function get_dnp3_frozen_analog_input_16wTime(flag: uint8, frozen_value: int16, time48: const_bytestring): bool
+		%{
+		if ( ::dnp3_frozen_analog_input_16wTime )
+			{
+			BifEvent::generate_dnp3_frozen_analog_input_16wTime(
+				connection()->bro_analyzer(),
+				connection()->bro_analyzer()->Conn(),
+				is_orig(), flag, frozen_value, bytestring_to_val(time48));
+			}
+
+		return true;
+		%}
+
+	# g31v5
+	function get_dnp3_frozen_analog_input_32woFlag(frozen_value: int32): bool
+		%{
+		if ( ::dnp3_frozen_analog_input_32woFlag )
+			{
+			BifEvent::generate_dnp3_frozen_analog_input_32woFlag(
+				connection()->bro_analyzer(),
+				connection()->bro_analyzer()->Conn(),
+				is_orig(), frozen_value);
+			}
+
+		return true;
+		%}
+
+	# g31v6
+	function get_dnp3_frozen_analog_input_16woFlag(frozen_value: int16): bool
+		%{
+		if ( ::dnp3_frozen_analog_input_16woFlag )
+			{
+			BifEvent::generate_dnp3_frozen_analog_input_16woFlag(
+				connection()->bro_analyzer(),
+				connection()->bro_analyzer()->Conn(),
+				is_orig(), frozen_value);
+			}
+
+		return true;
+		%}
+
+	# g31v7
+	function get_dnp3_frozen_analog_input_SPwFlag(flag: uint8, frozen_value: uint32): bool
+		%{
+		if ( ::dnp3_frozen_analog_input_SPwFlag )
+			{
+			BifEvent::generate_dnp3_frozen_analog_input_SPwFlag(
+				connection()->bro_analyzer(),
+				connection()->bro_analyzer()->Conn(),
+				is_orig(), flag, frozen_value);
+			}
+
+		return true;
+		%}
+
+	# g31v8
+	function get_dnp3_frozen_analog_input_DPwFlag(flag: uint8, frozen_value_low: uint32, frozen_value_high: uint32): bool
+		%{
+		if ( ::dnp3_frozen_analog_input_DPwFlag )
+			{
+			BifEvent::generate_dnp3_frozen_analog_input_DPwFlag(
+				connection()->bro_analyzer(),
+				connection()->bro_analyzer()->Conn(),
+				is_orig(), flag, frozen_value_low, frozen_value_high);
+			}
+
+		return true;
+		%}
+
+	# g32v1
+	function get_dnp3_analog_input_event_32woTime(flag: uint8, value: int32): bool
+		%{
+		if ( ::dnp3_analog_input_event_32woTime )
+			{
+			BifEvent::generate_dnp3_analog_input_event_32woTime(
+				connection()->bro_analyzer(),
+				connection()->bro_analyzer()->Conn(),
+				is_orig(), flag, value);
+			}
+
+		return true;
+		%}
+
+	# g32v2
+	function get_dnp3_analog_input_event_16woTime(flag: uint8, value: int16): bool
+		%{
+		if ( ::dnp3_analog_input_event_16woTime )
+			{
+			BifEvent::generate_dnp3_analog_input_event_16woTime(
+				connection()->bro_analyzer(),
+				connection()->bro_analyzer()->Conn(),
+				is_orig(), flag, value);
+			}
+
+		return true;
+		%}
+
+	# g32v3
+	function get_dnp3_analog_input_event_32wTime(flag: uint8, value: int32, time48: const_bytestring): bool
+		%{
+		if ( ::dnp3_analog_input_event_32wTime )
+			{
+			BifEvent::generate_dnp3_analog_input_event_32wTime(
+				connection()->bro_analyzer(),
+				connection()->bro_analyzer()->Conn(),
+				is_orig(), flag, value, bytestring_to_val(time48));
+			}
+
+		return true;
+		%}
+
+	# g32v4
+	function get_dnp3_analog_input_event_16wTime(flag: uint8, value: int16, time48: const_bytestring): bool
+		%{
+		if ( ::dnp3_analog_input_event_16wTime )
+			{
+			BifEvent::generate_dnp3_analog_input_event_16wTime(
+				connection()->bro_analyzer(),
+				connection()->bro_analyzer()->Conn(),
+				is_orig(), flag, value, bytestring_to_val(time48));
+			}
+
+		return true;
+		%}
+
+	# g32v5
+	function get_dnp3_analog_input_event_SPwoTime(flag: uint8, value: uint32): bool
+		%{
+		if ( ::dnp3_analog_input_event_SPwoTime )
+			{
+			BifEvent::generate_dnp3_analog_input_event_SPwoTime(
+				connection()->bro_analyzer(),
+				connection()->bro_analyzer()->Conn(),
+				is_orig(), flag, value);
+			}
+
+		return true;
+		%}
+
+	# g32v6
+	function get_dnp3_analog_input_event_DPwoTime(flag: uint8, value_low: uint32, value_high: uint32): bool
+		%{
+		if ( ::dnp3_analog_input_event_DPwoTime )
+			{
+			BifEvent::generate_dnp3_analog_input_event_DPwoTime(
+				connection()->bro_analyzer(),
+				connection()->bro_analyzer()->Conn(),
+				is_orig(), flag, value_low, value_high);
+			}
+
+		return true;
+		%}
+
+	# g32v7
+	function get_dnp3_analog_input_event_SPwTime(flag: uint8, value: uint32, time48: const_bytestring): bool
+		%{
+		if ( ::dnp3_analog_input_event_SPwTime )
+			{
+			BifEvent::generate_dnp3_analog_input_event_SPwTime(
+				connection()->bro_analyzer(),
+				connection()->bro_analyzer()->Conn(),
+				is_orig(), flag, value, bytestring_to_val(time48));
+			}
+
+		return true;
+		%}
+
+	# g32v8
+	function get_dnp3_analog_input_event_DPwTime(flag: uint8, value_low: uint32, value_high: uint32, time48: const_bytestring): bool
+		%{
+		if ( ::dnp3_analog_input_event_DPwTime )
+			{
+			BifEvent::generate_dnp3_analog_input_event_DPwTime(
+				connection()->bro_analyzer(),
+				connection()->bro_analyzer()->Conn(),
+				is_orig(), flag, value_low, value_high, bytestring_to_val(time48));
+			}
+
+		return true;
+		%}
+
+	# g33v1
+	function get_dnp3_frozen_analog_input_event_32woTime(flag: uint8, frozen_value: int32): bool
+		%{
+		if ( ::dnp3_frozen_analog_input_event_32woTime )
+			{
+			BifEvent::generate_dnp3_frozen_analog_input_event_32woTime(
+				connection()->bro_analyzer(),
+				connection()->bro_analyzer()->Conn(),
+				is_orig(), flag, frozen_value);
+			}
+
+		return true;
+		%}
+
+	# g33v2
+	function get_dnp3_frozen_analog_input_event_16woTime(flag: uint8, frozen_value: int16): bool
+		%{
+		if ( ::dnp3_frozen_analog_input_event_16woTime )
+			{
+			BifEvent::generate_dnp3_frozen_analog_input_event_16woTime(
+				connection()->bro_analyzer(),
+				connection()->bro_analyzer()->Conn(),
+				is_orig(), flag, frozen_value);
+			}
+
+		return true;
+		%}
+
+	# g33v3
+	function get_dnp3_frozen_analog_input_event_32wTime(flag: uint8, frozen_value: int32, time48: const_bytestring): bool
+		%{
+		if ( ::dnp3_frozen_analog_input_event_32wTime )
+			{
+			BifEvent::generate_dnp3_frozen_analog_input_event_32wTime(
+				connection()->bro_analyzer(),
+				connection()->bro_analyzer()->Conn(),
+				is_orig(), flag, frozen_value, bytestring_to_val(time48));
+			}
+
+		return true;
+		%}
+
+	# g33v4
+	function get_dnp3_frozen_analog_input_event_16wTime(flag: uint8, frozen_value: int16, time48: const_bytestring): bool
+		%{
+		if ( ::dnp3_frozen_analog_input_event_16wTime )
+			{
+			BifEvent::generate_dnp3_frozen_analog_input_event_16wTime(
+				connection()->bro_analyzer(),
+				connection()->bro_analyzer()->Conn(),
+				is_orig(), flag, frozen_value, bytestring_to_val(time48));
+			}
+
+		return true;
+		%}
+
+	# g33v5
+	function get_dnp3_frozen_analog_input_event_SPwoTime(flag: uint8, frozen_value: uint32): bool
+		%{
+		if ( ::dnp3_frozen_analog_input_event_SPwoTime )
+			{
+			BifEvent::generate_dnp3_frozen_analog_input_event_SPwoTime(
+				connection()->bro_analyzer(),
+				connection()->bro_analyzer()->Conn(),
+				is_orig(), flag, frozen_value);
+			}
+
+		return true;
+		%}
+
+	# g33v6
+	function get_dnp3_frozen_analog_input_event_DPwoTime(flag: uint8, frozen_value_low: uint32, frozen_value_high: uint32): bool
+		%{
+		if ( ::dnp3_frozen_analog_input_event_DPwoTime )
+			{
+			BifEvent::generate_dnp3_frozen_analog_input_event_DPwoTime(
+				connection()->bro_analyzer(),
+				connection()->bro_analyzer()->Conn(),
+				is_orig(), flag, frozen_value_low, frozen_value_high);
+			}
+
+		return true;
+		%}
+
+	# g33v7
+	function get_dnp3_frozen_analog_input_event_SPwTime(flag: uint8, frozen_value: uint32, time48: const_bytestring): bool
+		%{
+		if ( ::dnp3_frozen_analog_input_event_SPwTime )
+			{
+			BifEvent::generate_dnp3_frozen_analog_input_event_SPwTime(
+				connection()->bro_analyzer(),
+				connection()->bro_analyzer()->Conn(),
+				is_orig(), flag, frozen_value, bytestring_to_val(time48));
+			}
+
+		return true;
+		%}
+
+	# g33v8
+	function get_dnp3_frozen_analog_input_event_DPwTime(flag: uint8, frozen_value_low: uint32, frozen_value_high: uint32, time48: const_bytestring): bool
+		%{
+		if ( ::dnp3_frozen_analog_input_event_DPwTime )
+			{
+			BifEvent::generate_dnp3_frozen_analog_input_event_DPwTime(
+				connection()->bro_analyzer(),
+				connection()->bro_analyzer()->Conn(),
+				is_orig(), flag, frozen_value_low, frozen_value_high, bytestring_to_val(time48));
+			}
+
+		return true;
+		%}
+
+	# g70v5
+	function get_dnp3_file_transport(file_handle: uint32, block_num: uint32, file_data: const_bytestring): bool
+		%{
+		if ( ::dnp3_file_transport )
+			{
+			BifEvent::generate_dnp3_file_transport(
+				connection()->bro_analyzer(),
+				connection()->bro_analyzer()->Conn(),
+				is_orig(), file_handle, block_num, bytestring_to_val(file_data));
+			}
+
+		return true;
+		%}
+
+#### for debug use or unknown data types used in "case"
+	function get_dnp3_debug_byte(debug: const_bytestring): bool
+		%{
+		if ( ::dnp3_debug_byte )
+			{
+			BifEvent::generate_dnp3_debug_byte (
+				connection()->bro_analyzer(),
+				connection()->bro_analyzer()->Conn(),
+				is_orig(), bytestring_to_val(debug));
+			}
+
+		return true;
+		%}
+
+};
+
+refine typeattr Header_Block += &let {
+	get_header: bool =  $context.flow.get_dnp3_header_block(start, len, ctrl, dest_addr, src_addr);
+};
+
+refine typeattr DNP3_Application_Request_Header += &let {
+	process_request: bool =  $context.flow.get_dnp3_application_request_header(function_code);
+};
+
+refine typeattr DNP3_Application_Response_Header += &let {
+	process_request: bool =  $context.flow.get_dnp3_application_response_header(function_code, internal_indications);
+};
+
+refine typeattr Object_Header += &let {
+	process_request: bool =  $context.flow.get_dnp3_object_header(object_type_field, qualifier_field, number_of_item, rf_value_low, rf_value_high);
+};
+
+refine typeattr Prefix_Type += &let {
+	prefix_called: bool =  $context.flow.get_dnp3_object_prefix(prefix_value);
+};
+
+refine typeattr Response_Data_Object += &let {
+	process_request: bool =  $context.flow.get_dnp3_response_data_object(data_value);
+};
+
+# g0
+refine typeattr AttributeCommon += &let {
+	process_request: bool =  $context.flow.get_dnp3_attribute_common(data_type_code, leng, attribute_obj);
+};
+
+# g12v1
+refine typeattr CROB += &let {
+	process_request: bool =  $context.flow.get_dnp3_crob(control_code, count, on_time, off_time, status_code);
+};
+
+# g12v2
+refine typeattr PCB += &let {
+	process_request: bool =  $context.flow.get_dnp3_pcb(control_code, count, on_time, off_time, status_code);
+};
+
+# g20v1
+refine typeattr Counter32wFlag += &let {
+	process_request: bool =  $context.flow.get_dnp3_counter_32wFlag(flag, count_value);
+};
+
+# g20v2
+refine typeattr Counter16wFlag += &let {
+	process_request: bool =  $context.flow.get_dnp3_counter_16wFlag(flag, count_value);
+};
+
+# g20v5
+refine typeattr Counter32woFlag += &let {
+	process_request: bool =  $context.flow.get_dnp3_counter_32woFlag(count_value);
+};
+
+# g20v6
+refine typeattr Counter16woFlag += &let {
+	process_request: bool =  $context.flow.get_dnp3_counter_16woFlag(count_value);
+};
+
+# g21v1
+refine typeattr FrozenCounter32wFlag += &let {
+	process_request: bool =  $context.flow.get_dnp3_frozen_counter_32wFlag(flag, count_value);
+};
+
+# g21v2
+refine typeattr FrozenCounter16wFlag += &let {
+	process_request: bool =  $context.flow.get_dnp3_frozen_counter_16wFlag(flag, count_value);
+};
+# g21v5
+refine typeattr FrozenCounter32wFlagTime += &let {
+	process_request: bool =  $context.flow.get_dnp3_frozen_counter_32wFlagTime(flag, count_value, time48);
+};
+
+# g21v6
+refine typeattr FrozenCounter16wFlagTime += &let {
+	process_request: bool =  $context.flow.get_dnp3_frozen_counter_16wFlagTime(flag, count_value, time48);
+};
+
+# g21v9
+refine typeattr FrozenCounter32woFlag += &let {
+	process_request: bool =  $context.flow.get_dnp3_frozen_counter_32woFlag(count_value);
+};
+
+# g21v10
+refine typeattr FrozenCounter16woFlag += &let {
+	process_request: bool =  $context.flow.get_dnp3_frozen_counter_16woFlag(count_value);
+};
+
+# g30v1
+refine typeattr AnalogInput32wFlag += &let {
+	process_request: bool =  $context.flow.get_dnp3_analog_input_32wFlag(flag, value);
+};
+
+# g30v2
+refine typeattr AnalogInput16wFlag += &let {
+	process_request: bool =  $context.flow.get_dnp3_analog_input_16wFlag(flag, value);
+};
+
+# g30v3
+refine typeattr AnalogInput32woFlag += &let {
+	process_request: bool =  $context.flow.get_dnp3_analog_input_32woFlag(value);
+};
+
+# g30v4
+refine typeattr AnalogInput16woFlag += &let {
+	process_request: bool =  $context.flow.get_dnp3_analog_input_16woFlag(value);
+};
+
+# g30v5
+refine typeattr AnalogInputSPwFlag += &let {
+	process_request: bool =  $context.flow.get_dnp3_analog_input_SPwFlag(flag, value);
+};
+
+# g30v6
+refine typeattr AnalogInputDPwFlag += &let {
+	process_request: bool =  $context.flow.get_dnp3_analog_input_DPwFlag(flag, value_low, value_high);
+};
+
+# g31v1
+refine typeattr FrozenAnalogInput32wFlag += &let {
+	process_request: bool =  $context.flow.get_dnp3_frozen_analog_input_32wFlag(flag, frozen_value);
+};
+
+# g31v2
+refine typeattr FrozenAnalogInput16wFlag += &let {
+	process_request: bool =  $context.flow.get_dnp3_frozen_analog_input_16wFlag(flag, frozen_value);
+};
+
+# g31v3
+refine typeattr FrozenAnalogInput32wTime += &let {
+	process_request: bool =  $context.flow.get_dnp3_frozen_analog_input_32wTime(flag, frozen_value, time48);
+};
+
+# g31v4
+refine typeattr FrozenAnalogInput16wTime += &let {
+	process_request: bool =  $context.flow.get_dnp3_frozen_analog_input_16wTime(flag, frozen_value, time48);
+};
+
+# g31v5
+refine typeattr FrozenAnalogInput32woFlag += &let {
+	process_request: bool =  $context.flow.get_dnp3_frozen_analog_input_32woFlag(frozen_value);
+};
+
+# g31v6
+refine typeattr FrozenAnalogInput16woFlag += &let {
+	process_request: bool =  $context.flow.get_dnp3_frozen_analog_input_16woFlag(frozen_value);
+};
+
+# g31v7
+refine typeattr FrozenAnalogInputSPwFlag += &let {
+	process_request: bool =  $context.flow.get_dnp3_frozen_analog_input_SPwFlag(flag, frozen_value);
+};
+
+# g31v8
+refine typeattr FrozenAnalogInputDPwFlag += &let {
+	process_request: bool =  $context.flow.get_dnp3_frozen_analog_input_DPwFlag(flag, frozen_value_low, frozen_value_high);
+};
+
+# g32v1
+refine typeattr AnalogInput32woTime += &let {
+	process_request: bool =  $context.flow.get_dnp3_analog_input_event_32woTime(flag, value);
+};
+
+# g32v2
+refine typeattr AnalogInput16woTime += &let {
+	process_request: bool =  $context.flow.get_dnp3_analog_input_event_16woTime(flag, value);
+};
+
+# g32v3
+refine typeattr AnalogInput32wTime += &let {
+	process_request: bool =  $context.flow.get_dnp3_analog_input_event_32wTime(flag, value, time48);
+};
+
+# g32v4
+refine typeattr AnalogInput16wTime += &let {
+	process_request: bool =  $context.flow.get_dnp3_analog_input_event_16wTime(flag, value, time48);
+};
+
+# g32v5
+refine typeattr AnalogInputSPwoTime += &let {
+	process_request: bool =  $context.flow.get_dnp3_analog_input_event_SPwoTime(flag, value);
+};
+
+# g32v6
+refine typeattr AnalogInputDPwoTime += &let {
+	process_request: bool =  $context.flow.get_dnp3_analog_input_event_DPwoTime(flag, value_low, value_high);
+};
+
+# g32v7
+refine typeattr AnalogInputSPwTime += &let {
+	process_request: bool =  $context.flow.get_dnp3_analog_input_event_SPwTime(flag, value, time48);
+};
+
+# g32v8
+refine typeattr AnalogInputDPwTime += &let {
+	process_request: bool =  $context.flow.get_dnp3_analog_input_event_DPwTime(flag, value_low, value_high, time48);
+};
+
+# g33v1
+refine typeattr FrozenAnaInputEve32woTime += &let {
+	process_request: bool =  $context.flow.get_dnp3_frozen_analog_input_event_32woTime(flag, f_value);
+};
+
+# g33v2
+refine typeattr FrozenAnaInputEve16woTime += &let {
+	process_request: bool =  $context.flow.get_dnp3_frozen_analog_input_event_16woTime(flag, f_value);
+};
+
+# g33v3
+refine typeattr FrozenAnaInputEve32wTime += &let {
+	process_request: bool =  $context.flow.get_dnp3_frozen_analog_input_event_32wTime(flag, f_value, time48);
+};
+
+# g33v4
+refine typeattr FrozenAnaInputEve16wTime += &let {
+	process_request: bool =  $context.flow.get_dnp3_frozen_analog_input_event_16wTime(flag, f_value, time48);
+};
+
+# g33v5
+refine typeattr FrozenAnaInputEveSPwoTime += &let {
+	process_request: bool =  $context.flow.get_dnp3_frozen_analog_input_event_SPwoTime(flag, f_value);
+};
+
+# g33v6
+refine typeattr FrozenAnaInputEveDPwoTime += &let {
+	process_request: bool =  $context.flow.get_dnp3_frozen_analog_input_event_DPwoTime(flag, f_value_low, f_value_high);
+};
+
+# g33v7
+refine typeattr FrozenAnaInputEveSPwTime += &let {
+	process_request: bool =  $context.flow.get_dnp3_frozen_analog_input_event_SPwTime(flag, f_value, time48);
+};
+
+# g33v8
+refine typeattr FrozenAnaInputEveDPwTime += &let {
+	process_request: bool =  $context.flow.get_dnp3_frozen_analog_input_event_DPwTime(flag, f_value_low, f_value_high, time48);
+};
+
+# g70v5
+refine typeattr File_Transport += &let {
+        result: bool =  $context.flow.get_dnp3_file_transport(file_handle, block_num, file_data);
+};
+
+refine typeattr Debug_Byte += &let {
+	process_request: bool =  $context.flow.get_dnp3_debug_byte(debug);
+};
+

src/analyzer/protocol/dnp3/dnp3-protocol.pac

@@ -0,0 +1,257 @@
+#
+# This is Binpac code for DNP3 analyzer by Hui Lin.
+#
+
+type DNP3_PDU(is_orig: bool) = case is_orig of {
+	true    ->  request:  DNP3_Request;
+	false   ->  response: DNP3_Response;
+} &byteorder = bigendian;
+
+type Header_Block = record {
+	start: uint16 &check(start == 0x0564);
+	len: uint8;
+	ctrl: uint8;
+	dest_addr: uint16;
+	src_addr: uint16;
+} &byteorder = littleendian;
+
+type DNP3_Request = record {
+	addin_header: Header_Block;  ## added by Hui Lin in Bro code
+	app_header: DNP3_Application_Request_Header;
+	data: case ( app_header.function_code ) of {
+		CONFIRM -> none_coonfirm: empty;
+		READ -> read_requests: Request_Objects(app_header.function_code)[];
+		WRITE -> write_requests: Request_Objects(app_header.function_code)[];
+		SELECT -> select_requests: Request_Objects(app_header.function_code)[];
+		OPERATE -> operate_requests: Request_Objects(app_header.function_code)[];
+		DIRECT_OPERATE -> direct_operate_requests: Request_Objects(app_header.function_code)[];
+		DIRECT_OPERATE_NR -> direct_operate_nr_requests: Request_Objects(app_header.function_code)[];
+		IMMED_FREEZE -> immed_freeze_requests: Request_Objects(app_header.function_code)[];
+		IMMED_FREEZE_NR -> immed_freeze_nr_requests: Request_Objects(app_header.function_code)[];
+		FREEZE_CLEAR -> freeze_clear_requests: Request_Objects(app_header.function_code)[];
+		FREEZE_CLEAR_NR -> freeze_clear_nr_requests: Request_Objects(app_header.function_code)[];
+		FREEZE_AT_TIME -> freeze_time_requests: Request_Objects(app_header.function_code)[];
+		FREEZE_AT_TIME_NR -> freeze_time_nr_requests: Request_Objects(app_header.function_code)[];
+		COLD_RESTART -> cold_restart: empty;
+		WARM_RESTART -> warm_restart: empty;
+		INITIALIZE_DATA -> initilize_data: empty &check(0);  # obsolete
+		INITIALIZE_APPL -> initilize_appl: Request_Objects(app_header.function_code)[];
+		START_APPL -> start_appl: Request_Objects(app_header.function_code)[];
+		STOP_APPL -> stop_appl: Request_Objects(app_header.function_code)[];
+		SAVE_CONFIG -> save_config: empty &check(0);  # depracated
+		ENABLE_UNSOLICITED -> enable_unsolicited: Request_Objects(app_header.function_code)[];
+		DISABLE_UNSOLICITED -> disable_unsolicited: Request_Objects(app_header.function_code)[];
+		ASSIGN_CLASS -> assign_class: Request_Objects(app_header.function_code)[];
+		DELAY_MEASURE -> delay_measure: empty;
+		RECORD_CURRENT_TIME -> record_cur_time: empty;
+		OPEN_FILE -> open_file: Request_Objects(app_header.function_code)[];
+		CLOSE_FILE -> close_file: Request_Objects(app_header.function_code)[];
+		DELETE_FILE -> delete_file: Request_Objects(app_header.function_code)[];
+		ABORT_FILE -> abort_file: Request_Objects(app_header.function_code)[];
+		GET_FILE_INFO -> get_file_info: Request_Objects(app_header.function_code)[];
+		AUTHENTICATE_FILE  -> auth_file: Request_Objects(app_header.function_code)[];
+		ACTIVATE_CONFIG  -> active_config: Request_Objects(app_header.function_code)[];
+		AUTHENTICATE_REQ  -> auth_req: Request_Objects(app_header.function_code)[];
+		AUTHENTICATE_ERR  -> auth_err: Request_Objects(app_header.function_code)[];
+		default -> unknown: bytestring &restofdata;
+	};
+} &byteorder = bigendian
+  &length= 9 + addin_header.len - 5 - 1;
+
+type Debug_Byte = record {
+	debug: bytestring &restofdata;
+};
+
+type DNP3_Response = record {
+	addin_header: Header_Block;
+	app_header: DNP3_Application_Response_Header;
+	data: case ( app_header.function_code ) of {
+		RESPONSE -> response_objects: Response_Objects(app_header.function_code)[];
+		UNSOLICITED_RESPONSE -> unsolicited_response_objects: Response_Objects(app_header.function_code)[];
+		AUTHENTICATE_RESP -> auth_response: Response_Objects(app_header.function_code)[];
+		default -> unknown: Debug_Byte;
+	};
+} &byteorder = bigendian
+  &length= 9 + addin_header.len - 5 - 1'
+
+type DNP3_Application_Request_Header = record {
+	empty: bytestring &length = 0; # Work-around BinPAC problem.
+	application_control : uint8;
+	function_code       : uint8 ;
+} &length = 2;
+
+type DNP3_Application_Response_Header = record {
+	empty: bytestring &length = 0; # Work-around BinPAC problem.
+	application_control  : uint8;
+	function_code	: uint8;
+	internal_indications : uint16;
+} &length = 4;
+
+type Request_Objects(function_code: uint8) = record {
+	object_header: Object_Header(function_code);
+	data: case (object_header.object_type_field) of {
+		0x0c03 -> bocmd_PM: Request_Data_Object(function_code, object_header.qualifier_field, object_header.object_type_field )[ ( object_header.number_of_item / 8 ) + 1 ];
+		0x3202 -> time_interval_ojbects: Request_Data_Object(function_code, object_header.qualifier_field, object_header.object_type_field )[ object_header.number_of_item]
+							&check( object_header.qualifer_field == 0x0f && object_header.number_of_item == 0x01);
+		default -> ojbects: Request_Data_Object(function_code, object_header.qualifier_field, object_header.object_type_field )[ object_header.number_of_item];
+	};
+	# dump_data is always empty; I intend to use it for checking some conditions;
+	# However, in the current binpac implementation, &check is not implemented
+	dump_data: case (function_code) of {
+		OPEN_FILE -> open_file_dump: empty &check(object_header.object_type_field == 0x4603);
+		CLOSE_FILE -> close_file_dump: empty &check(object_header.object_type_field == 0x4604);
+		DELETE_FILE -> delete_file_dump: empty &check(object_header.object_type_field == 0x4603);
+		ABORT_FILE -> abort_file_dump: empty &check(object_header.object_type_field == 0x4604);
+		GET_FILE_INFO -> get_file_info: empty &check(object_header.object_type_field == 0x4607);
+		AUTHENTICATE_FILE  -> auth_file: empty &check(object_header.object_type_field == 0x4602);
+		ACTIVATE_CONFIG  -> active_config: empty &check(object_header.object_type_field == 0x4608 || (object_header.object_type_field & 0xFF00) == 0x6E00);
+		default -> default_dump: empty;
+	};
+};
+
+type Response_Objects(function_code: uint8) = record {
+	object_header: Object_Header(function_code);
+	data: case (object_header.object_type_field) of {
+		0x0101 -> biwoflag: Response_Data_Object(function_code, object_header.qualifier_field, object_header.object_type_field )[ ( object_header.number_of_item / 8 ) ];
+		0x0301 -> diwoflag: Response_Data_Object(function_code, object_header.qualifier_field, object_header.object_type_field )[ ( object_header.number_of_item / 8 ) ];
+		0x0a01 -> bowoflag: Response_Data_Object(function_code, object_header.qualifier_field, object_header.object_type_field )[ ( object_header.number_of_item / 8 ) ];
+		0x0c03 -> bocmd_PM: Response_Data_Object(function_code, object_header.qualifier_field, object_header.object_type_field )[ ( object_header.number_of_item / 8 ) ];
+		default -> ojbects: Response_Data_Object(function_code, object_header.qualifier_field, object_header.object_type_field )[ object_header.number_of_item];
+	};
+};
+
+type Object_Header(function_code: uint8) = record {
+	object_type_field: uint16 ;
+	qualifier_field: uint8 ;
+	range_field: case ( qualifier_field & 0x0f ) of {
+		0 -> range_field_0: Range_Field_0 &check(range_field_0.stop_index >= range_field_0.start_index);
+		1 -> range_field_1: Range_Field_1 &check(range_field_1.stop_index >= range_field_1.start_index);
+		2 -> range_field_2: Range_Field_2 &check(range_field_2.stop_index >= range_field_2.start_index);
+		3 -> range_field_3: Range_Field_3;
+		4 -> range_field_4: Range_Field_4;
+		5 -> range_field_5: Range_Field_5;
+		6 -> range_field_6: empty;
+		7 -> range_field_7: uint8;
+		8 -> range_field_8: uint16;
+		9 -> range_field_9: uint32;
+		0x0b -> range_field_b: uint8;
+		default -> unknown: bytestring &restofdata &check(0);
+	};
+	# dump_data is always empty; used to check dependency bw object_type_field and qualifier_field
+	dump_data: case ( object_type_field & 0xff00 ) of {
+		0x3C00 -> dump_3c: empty &check( (object_type_field == 0x3C01 || object_type_field == 0x3C02 || object_type_field == 0x3C03 || object_type_field == 0x3C04) && ( qualifier_field == 0x06 ) );
+		default -> dump_def: empty;
+	};
+}
+      &let{
+	number_of_item: int = case (qualifier_field & 0x0f) of {
+		0 -> (range_field_0.stop_index - range_field_0.start_index + 1);
+		1 -> (range_field_1.stop_index - range_field_1.start_index + 1);
+		2 -> (range_field_2.stop_index - range_field_2.start_index + 1);
+		7 -> range_field_7;
+		8 -> ( range_field_8 & 0x0ff )* 0x100 + ( range_field_8 / 0x100 ) ;
+		9 -> ( range_field_9 & 0x000000ff )* 0x1000000 + (range_field_9 & 0x0000ff00) * 0x100 + (range_field_9 & 0x00ff0000) / 0x100 + (range_field_9 & 0xff000000) / 0x1000000 ;
+		0x0b -> range_field_b;
+		default -> 0;
+	};
+	rf_value_low: int = case (qualifier_field & 0x0f) of {
+		0 -> 0 + range_field_0.start_index;
+		1 -> range_field_1.start_index;
+		2 -> range_field_2.start_index;
+		3 -> range_field_3.start_addr;
+		4 -> range_field_4.start_addr;
+		5 -> range_field_5.start_addr;
+		6 -> 0xffff;
+		7 -> range_field_7;
+		8 -> range_field_8;
+		9 -> range_field_9;
+		0x0b -> range_field_b;
+		default -> 0 ;
+	};
+	rf_value_high: int = case (qualifier_field & 0x0f) of {
+		0 -> 0 + range_field_0.stop_index;
+		1 -> range_field_1.stop_index;
+		2 -> range_field_2.stop_index;
+		3 -> range_field_3.stop_addr;
+		4 -> range_field_4.stop_addr;
+		5 -> range_field_5.stop_addr;
+		6 -> 0xffff;
+		default -> 0 ;
+	};
+};
+
+type Range_Field_0 = record {
+	start_index: uint8;
+	stop_index: uint8;
+};
+
+type Range_Field_1 = record {
+	start_index: uint16;
+	stop_index: uint16;
+}
+  &byteorder = littleendian;
+
+type Range_Field_2 = record {
+	start_index: uint32;
+	stop_index: uint32;
+}
+  &byteorder = littleendian;
+
+type Range_Field_3 = record {
+	start_addr: uint8;
+	stop_addr: uint8;
+};
+
+type Range_Field_4 = record {
+	start_addr: uint16;
+	stop_addr: uint16;
+};
+
+type Range_Field_5 = record {
+	start_addr: uint32;
+	stop_addr: uint32;
+};
+
+enum function_codes_value {
+	CONFIRM = 0x00,
+	READ = 0x01,
+	WRITE = 0x02,
+	SELECT = 0x03,
+	OPERATE = 0x04,
+	DIRECT_OPERATE = 0x05,
+	DIRECT_OPERATE_NR = 0x06,
+	IMMED_FREEZE = 0x07,
+	IMMED_FREEZE_NR = 0x08,
+	FREEZE_CLEAR = 0x09,
+	FREEZE_CLEAR_NR = 0x0a,
+	FREEZE_AT_TIME = 0x0b,
+	FREEZE_AT_TIME_NR = 0x0c,
+	COLD_RESTART = 0x0d,
+	WARM_RESTART = 0x0e,
+	INITIALIZE_DATA = 0x0f,
+	INITIALIZE_APPL = 0x10,
+	START_APPL = 0x11,
+	STOP_APPL = 0x12,
+	SAVE_CONFIG = 0x13,
+	ENABLE_UNSOLICITED = 0x14,
+	DISABLE_UNSOLICITED = 0x15,
+	ASSIGN_CLASS = 0x16,
+	DELAY_MEASURE = 0x17,
+	RECORD_CURRENT_TIME = 0x18,
+	OPEN_FILE = 0x19,
+	CLOSE_FILE = 0x1a,
+	DELETE_FILE = 0x1b,
+	GET_FILE_INFO = 0x1c,
+	AUTHENTICATE_FILE = 0x1d,
+	ABORT_FILE = 0x1e,
+	ACTIVATE_CONFIG = 0x1f,
+	AUTHENTICATE_REQ = 0x20,
+	AUTHENTICATE_ERR = 0x21,
+# reserved
+	RESPONSE = 0x81,
+	UNSOLICITED_RESPONSE = 0x82,
+	AUTHENTICATE_RESP = 0x83,
+# reserved
+};
+
+%include dnp3-objects.pac

src/analyzer/protocol/dnp3/dnp3.pac

@@ -0,0 +1,16 @@
+
+%include binpac.pac
+%include bro.pac
+
+%extern{
+#include "events.bif.h"
+%}
+
+analyzer DNP3 withcontext {
+	connection:	DNP3_Conn;
+	flow:		DNP3_Flow;
+};
+
+%include dnp3-protocol.pac
+%include dnp3-analyzer.pac
+

src/analyzer/protocol/dnp3/events.bif

@@ -0,0 +1,240 @@
+
+## Generated for a DNP3 request header.
+##
+## c: The connection the DNP3 communication is part of.
+## is_orig: True if this reflects originator-side activity.
+## fc: function code.
+event dnp3_application_request_header%(c: connection, is_orig: bool, fc: count%);
+
+## Generated for a DNP3 response header.
+##
+## c: The connection the DNP3 communication is part of.
+## is_orig: True if this reflects originator-side activity.
+## fc: function code.
+## iin: internal indication number
+event dnp3_application_response_header%(c: connection, is_orig: bool, fc: count, iin: count%);
+
+## Generated for the object header found in both DNP3 requests and responses.
+##
+## c: The connection the DNP3 communication is part of.
+## is_orig: True if this reflects originator-side activity.
+## obj_type: type of object, which is classified based on an 8-bit group number and an 8-bit variation number
+## qua_field: qualifier field
+## rf_low, rf_high: the structure of the range field depends on the qualified field. In some cases, range field
+##       contain only one logic part, e.g., number of objects, so only rf_low contains the useful values; in some
+##       cases, range field contain two logic parts, e.g., start index and stop index, so rf_low contains the start
+##       index while rf_high contains the stop index
+event dnp3_object_header%(c: connection, is_orig: bool, obj_type: count, qua_field: count, number: count, rf_low: count, rf_high: count%);
+
+## Generated for the prefix before a DNP3 object. The structure and the meaning
+## of the prefix are defined by the qualifier field.
+##
+## c: The connection the DNP3 communication is part of.
+## is_orig: True if this reflects originator-side activity.
+## prefix_value: The prefix.
+event dnp3_object_prefix%(c: connection, is_orig: bool, prefix_value: count%);
+
+## Generated for an additional header that the DNP3 analyzer passes to the
+## script-level. This headers mimics the DNP3 transport-layer yet is only passed
+## once for each sequence of DNP3 records (which are otherwise reassembled and
+## treated as a single entity).
+##
+## c: The connection the DNP3 communication is part of.
+## is_orig: True if this reflects originator-side activity.
+## start: the first two bytes of the DNP3 Pseudo Link Layer; its value is fixed as 0x0564
+## len:   the "length" field in the DNP3 Pseudo Link Layer
+## ctrl:  the "control" field in the DNP3 Pseudo Link Layer
+## dest_addr: the "destination" field in the DNP3 Pseudo Link Layer
+## src_addr: the "source" field in the DNP3 Pseudo Link Layer
+event dnp3_header_block%(c: connection, is_orig: bool, start: count, len: count, ctrl: count, dest_addr: count, src_addr: count%);
+
+## Generated for a DNP3 "Response_Data_Object". The "Response_Data_Object" contains two
+## parts: object prefix and objects data. In most cases, objects data are defined
+## by new record types. But in a few cases, objects data are directly basic types,
+## such as int16, or int8; thus we use a additional data_value to record the values
+## of those object data.
+##
+## c: The connection the DNP3 communication is part of.
+## is_orig: True if this reflects originator-side activity.
+## data_value: The value for those objects that carry their information here
+##             directly.
+event dnp3_response_data_object%(c: connection, is_orig: bool, data_value: count%);
+
+## Generated for DNP3 attributes.
+event dnp3_attribute_common%(c: connection, is_orig: bool, data_type_code: count, leng: count, attribute_obj: string%);
+
+## Generated for DNP3 objects with the group number 12 and variation number 1
+## CROB: control relay output block
+event dnp3_crob%(c: connection, is_orig: bool, control_code: count, count8: count, on_time: count, off_time: count, status_code: count%);
+
+## Generated for DNP3 objects with the group number 12 and variation number 2
+## PCB: Pattern Control Block
+event dnp3_pcb%(c: connection, is_orig: bool, control_code: count, count8: count, on_time: count, off_time: count, status_code: count%);
+
+## Generated for DNP3 objects with the group number 20 and variation number 1
+## counter 32 bit with flag
+event dnp3_counter_32wFlag%(c: connection, is_orig: bool, flag: count, count_value: count%);
+
+## Generated for DNP3 objects with the group number 20 and variation number 2
+## counter 16 bit with flag
+event dnp3_counter_16wFlag%(c: connection, is_orig: bool, flag: count, count_value: count%);
+
+## Generated for DNP3 objects with the group number 20 and variation number 5
+## counter 32 bit without flag
+event dnp3_counter_32woFlag%(c: connection, is_orig: bool, count_value: count%);
+
+## Generated for DNP3 objects with the group number 20 and variation number 6
+## counter 16 bit without flag
+event dnp3_counter_16woFlag%(c: connection, is_orig: bool, count_value: count%);
+
+## Generated for DNP3 objects with the group number 21 and variation number 1
+## frozen counter 32 bit with flag
+event dnp3_frozen_counter_32wFlag%(c: connection, is_orig: bool, flag:count, count_value: count%);
+
+## Generated for DNP3 objects with the group number 21 and variation number 2
+## frozen counter 16 bit with flag
+event dnp3_frozen_counter_16wFlag%(c: connection, is_orig: bool, flag:count, count_value: count%);
+
+## Generated for DNP3 objects with the group number 21 and variation number 5
+## frozen counter 32 bit with flag and time
+event dnp3_frozen_counter_32wFlagTime%(c: connection, is_orig: bool, flag:count, count_value: count, time48: string%);
+
+## Generated for DNP3 objects with the group number 21 and variation number 6
+## frozen counter 16 bit with flag and time
+event dnp3_frozen_counter_16wFlagTime%(c: connection, is_orig: bool, flag:count, count_value: count, time48: string%);
+
+## Generated for DNP3 objects with the group number 21 and variation number 9
+## frozen counter 32 bit without flag
+event dnp3_frozen_counter_32woFlag%(c: connection, is_orig: bool, count_value: count%);
+
+## Generated for DNP3 objects with the group number 21 and variation number 10
+## frozen counter 16 bit without flag
+event dnp3_frozen_counter_16woFlag%(c: connection, is_orig: bool, count_value: count%);
+
+## Generated for DNP3 objects with the group number 30 and variation number 1
+## analog input 32 bit with flag
+event dnp3_analog_input_32wFlag%(c: connection, is_orig: bool, flag: count, value: count%);
+
+## Generated for DNP3 objects with the group number 30 and variation number 2
+## analog input 16 bit with flag
+event dnp3_analog_input_16wFlag%(c: connection, is_orig: bool, flag: count, value: count%);
+
+## Generated for DNP3 objects with the group number 30 and variation number 3
+## analog input 32 bit without flag
+event dnp3_analog_input_32woFlag%(c: connection, is_orig: bool, value: count%);
+
+## Generated for DNP3 objects with the group number 30 and variation number 4
+## analog input 16 bit without flag
+event dnp3_analog_input_16woFlag%(c: connection, is_orig: bool, value: count%);
+
+## Generated for DNP3 objects with the group number 30 and variation number 5
+## analog input single precision, float point with flag
+event dnp3_analog_input_SPwFlag%(c: connection, is_orig: bool, flag: count, value: count%);
+
+## Generated for DNP3 objects with the group number 30 and variation number 6
+## analog input double precision, float point with flag
+event dnp3_analog_input_DPwFlag%(c: connection, is_orig: bool, flag: count, value_low: count, value_high: count%);
+
+## Generated for DNP3 objects with the group number 31 and variation number 1
+## frozen analog input 32 bit with flag
+event dnp3_frozen_analog_input_32wFlag%(c: connection, is_orig: bool, flag: count, frozen_value: count%);
+
+## Generated for DNP3 objects with the group number 31 and variation number 2
+## frozen analog input 16 bit with flag
+event dnp3_frozen_analog_input_16wFlag%(c: connection, is_orig: bool, flag: count, frozen_value: count%);
+
+## Generated for DNP3 objects with the group number 31 and variation number 3
+## frozen analog input 32 bit with time-of-freeze
+event dnp3_frozen_analog_input_32wTime%(c: connection, is_orig: bool, flag: count, frozen_value: count, time48: string%);
+
+## Generated for DNP3 objects with the group number 31 and variation number 4
+## frozen analog input 16 bit with time-of-freeze
+event dnp3_frozen_analog_input_16wTime%(c: connection, is_orig: bool, flag: count, frozen_value: count, time48: string%);
+
+## Generated for DNP3 objects with the group number 31 and variation number 5
+## frozen analog input 32 bit without flag
+event dnp3_frozen_analog_input_32woFlag%(c: connection, is_orig: bool, frozen_value: count%);
+
+## Generated for DNP3 objects with the group number 31 and variation number 6
+## frozen analog input 16 bit without flag
+event dnp3_frozen_analog_input_16woFlag%(c: connection, is_orig: bool, frozen_value: count%);
+
+## Generated for DNP3 objects with the group number 31 and variation number 7
+## frozen analog input single-precision, float point with flag
+event dnp3_frozen_analog_input_SPwFlag%(c: connection, is_orig: bool, flag: count, frozen_value: count%);
+
+## Generated for DNP3 objects with the group number 31 and variation number 8
+## frozen analog input double-precision, float point with flag
+event dnp3_frozen_analog_input_DPwFlag%(c: connection, is_orig: bool, flag: count, frozen_value_low: count, frozen_value_high: count%);
+
+## Generated for DNP3 objects with the group number 32 and variation number 1
+## analog input event 32 bit without time
+event dnp3_analog_input_event_32woTime%(c: connection, is_orig: bool, flag: count, value: count%);
+
+## Generated for DNP3 objects with the group number 32 and variation number 2
+## analog input event 16 bit without time
+event dnp3_analog_input_event_16woTime%(c: connection, is_orig: bool, flag: count, value: count%);
+
+## Generated for DNP3 objects with the group number 32 and variation number 3
+## analog input event 32 bit with time
+event dnp3_analog_input_event_32wTime%(c: connection, is_orig: bool, flag: count, value: count, time48: string%);
+
+## Generated for DNP3 objects with the group number 32 and variation number 4
+## analog input event 16 bit with time
+event dnp3_analog_input_event_16wTime%(c: connection, is_orig: bool, flag: count, value: count, time48: string%);
+
+## Generated for DNP3 objects with the group number 32 and variation number 5
+## analog input event single-precision float point without time
+event dnp3_analog_input_event_SPwoTime%(c: connection, is_orig: bool, flag: count, value: count%);
+
+## Generated for DNP3 objects with the group number 32 and variation number 6
+## analog input event double-precision float point without time
+event dnp3_analog_input_event_DPwoTime%(c: connection, is_orig: bool, flag: count, value_low: count, value_high: count%);
+
+## Generated for DNP3 objects with the group number 32 and variation number 7
+## analog input event single-precision float point with time
+event dnp3_analog_input_event_SPwTime%(c: connection, is_orig: bool, flag: count, value: count, time48: string%);
+
+## Generated for DNP3 objects with the group number 32 and variation number 8
+## analog input event double-precisiion float point with time
+event dnp3_analog_input_event_DPwTime%(c: connection, is_orig: bool, flag: count, value_low: count, value_high: count, time48: string%);
+
+## Generated for DNP3 objects with the group number 33 and variation number 1
+## frozen analog input event 32 bit without time
+event dnp3_frozen_analog_input_event_32woTime%(c: connection, is_orig: bool, flag: count, frozen_value: count%);
+
+## Generated for DNP3 objects with the group number 33 and variation number 2
+## frozen analog input event 16 bit without time
+event dnp3_frozen_analog_input_event_16woTime%(c: connection, is_orig: bool, flag: count, frozen_value: count%);
+
+## Generated for DNP3 objects with the group number 33 and variation number 3
+## frozen analog input event 32 bit with time
+event dnp3_frozen_analog_input_event_32wTime%(c: connection, is_orig: bool, flag: count, frozen_value: count, time48: string%);
+
+## Generated for DNP3 objects with the group number 33 and variation number 4
+## frozen analog input event 16 bit with time
+event dnp3_frozen_analog_input_event_16wTime%(c: connection, is_orig: bool, flag: count, frozen_value: count, time48: string%);
+
+## Generated for DNP3 objects with the group number 33 and variation number 5
+## frozen analog input event single-precision float point without time
+event dnp3_frozen_analog_input_event_SPwoTime%(c: connection, is_orig: bool, flag: count, frozen_value: count%);
+
+## Generated for DNP3 objects with the group number 33 and variation number 6
+## frozen analog input event double-precision float point without time
+event dnp3_frozen_analog_input_event_DPwoTime%(c: connection, is_orig: bool, flag: count, frozen_value_low: count, frozen_value_high: count%);
+
+## Generated for DNP3 objects with the group number 33 and variation number 7
+## frozen analog input event single-precision float point with time
+event dnp3_frozen_analog_input_event_SPwTime%(c: connection, is_orig: bool, flag: count, frozen_value: count, time48: string%);
+
+## Generated for DNP3 objects with the group number 34 and variation number 8
+## frozen analog input event double-precision float point with time
+event dnp3_frozen_analog_input_event_DPwTime%(c: connection, is_orig: bool, flag: count, frozen_value_low: count, frozen_value_high: count, time48: string%);
+
+## g70
+event dnp3_file_transport%(c: connection, is_orig: bool, file_handle: count, block_num: count, file_data: string%);
+
+## Debugging event generated by the DNP3 analyzer. The "Debug_Byte" binpac unit
+## generates this for unknown "cases". The user can use it to debug the byte string
+## to check what cause the malformed network packets.
+event dnp3_debug_byte%(c: connection, is_orig: bool, debug: string%);

testing/btest/Baseline/core.print-bpf-filters/conn.log

@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	conn
-#open	2013-07-18-00-18-33
+#open	2013-08-12-18-24-50
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
 #types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	table[string]
 1278600802.069419	UWkUyAuUGXf	10.20.80.1	50343	10.0.0.15	80	tcp	-	0.004152	9	3429	SF	-	0	ShADadfF	7	381	7	3801	(empty)
-#close	2013-07-18-00-18-33
+#close	2013-08-12-18-24-50

testing/btest/Baseline/core.print-bpf-filters/output

@@ -3,28 +3,28 @@
 #empty_field	(empty)
 #unset_field	-
 #path	packet_filter
-#open	2013-07-19-02-54-13
+#open	2013-08-12-18-24-49
 #fields	ts	node	filter	init	success
 #types	time	string	string	bool	bool
-1374202453.158981	-	ip or not ip	T	T
+1376331889.617206	-	ip or not ip	T	T
-#close	2013-07-19-02-54-13
+#close	2013-08-12-18-24-49
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	packet_filter
-#open	2013-07-19-02-54-13
+#open	2013-08-12-18-24-49
 #fields	ts	node	filter	init	success
 #types	time	string	string	bool	bool
-1374202453.437816	-	port 42	T	T
+1376331889.904944	-	port 42	T	T
-#close	2013-07-19-02-54-13
+#close	2013-08-12-18-24-49
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	packet_filter
-#open	2013-07-19-02-54-13
+#open	2013-08-12-18-24-50
 #fields	ts	node	filter	init	success
 #types	time	string	string	bool	bool
-1374202453.715717	-	(vlan) and (ip or not ip)	T	T
+1376331890.192875	-	(vlan) and (ip or not ip)	T	T
-#close	2013-07-19-02-54-13
+#close	2013-08-12-18-24-50

testing/btest/Baseline/core.print-bpf-filters/output2

@@ -1,5 +1,6 @@
 2 1080
 1 137
+1 20000
 1 21
 1 2123
 1 2152
@@ -38,8 +39,8 @@
 1 992
 1 993
 1 995
-42 and
+43 and
-41 or
+42 or
-42 port
+43 port
-31 tcp
+32 tcp
 11 udp

testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log

@@ -3,7 +3,7 @@
 #empty_field	(empty)
 #unset_field	-
 #path	loaded_scripts
-#open	2013-08-09-16-13-58
+#open	2013-08-12-18-22-48
 #fields	name
 #types	string
 scripts/base/init-bare.bro
@@ -22,6 +22,7 @@ scripts/base/init-bare.bro
     build/scripts/base/bif/plugins/Bro_ConnSize.events.bif.bro
     build/scripts/base/bif/plugins/Bro_DCE_RPC.events.bif.bro
     build/scripts/base/bif/plugins/Bro_DHCP.events.bif.bro
+    build/scripts/base/bif/plugins/Bro_DNP3.events.bif.bro
     build/scripts/base/bif/plugins/Bro_DNS.events.bif.bro
     build/scripts/base/bif/plugins/Bro_File.events.bif.bro
     build/scripts/base/bif/plugins/Bro_FileHash.events.bif.bro
@@ -94,4 +95,4 @@ scripts/base/init-bare.bro
     build/scripts/base/bif/top-k.bif.bro
 scripts/policy/misc/loaded-scripts.bro
   scripts/base/utils/paths.bro
-#close	2013-08-09-16-13-58
+#close	2013-08-12-18-22-48

testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log

@@ -3,7 +3,7 @@
 #empty_field	(empty)
 #unset_field	-
 #path	loaded_scripts
-#open	2013-08-09-16-13-37
+#open	2013-08-12-18-22-49
 #fields	name
 #types	string
 scripts/base/init-bare.bro
@@ -22,6 +22,7 @@ scripts/base/init-bare.bro
     build/scripts/base/bif/plugins/Bro_ConnSize.events.bif.bro
     build/scripts/base/bif/plugins/Bro_DCE_RPC.events.bif.bro
     build/scripts/base/bif/plugins/Bro_DHCP.events.bif.bro
+    build/scripts/base/bif/plugins/Bro_DNP3.events.bif.bro
     build/scripts/base/bif/plugins/Bro_DNS.events.bif.bro
     build/scripts/base/bif/plugins/Bro_File.events.bif.bro
     build/scripts/base/bif/plugins/Bro_FileHash.events.bif.bro
@@ -162,6 +163,9 @@ scripts/base/init-default.bro
     scripts/base/protocols/dhcp/consts.bro
     scripts/base/protocols/dhcp/main.bro
       scripts/base/protocols/dhcp/utils.bro
+  scripts/base/protocols/dnp3/__load__.bro
+    scripts/base/protocols/dnp3/main.bro
+      scripts/base/protocols/dnp3/consts.bro
   scripts/base/protocols/dns/__load__.bro
     scripts/base/protocols/dns/consts.bro
     scripts/base/protocols/dns/main.bro
@@ -208,4 +212,4 @@ scripts/base/init-default.bro
     scripts/base/files/extract/main.bro
   scripts/base/misc/find-checksum-offloading.bro
 scripts/policy/misc/loaded-scripts.bro
-#close	2013-08-09-16-13-37
+#close	2013-08-12-18-22-49

testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_del_measure/coverage

@@ -0,0 +1 @@
+6 of 51 events triggered by trace

testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_del_measure/dnp3.log

@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	dnp3
+#open	2013-08-12-18-23-58
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fc_request	fc_reply	iin
+#types	time	string	addr	port	addr	port	string	string	count
+1324503054.884183	UWkUyAuUGXf	130.126.142.250	49413	130.126.140.229	20000	DELAY_MEASURE	RESPONSE	0
+#close	2013-08-12-18-23-58

testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_del_measure/output

@@ -0,0 +1,7 @@
+dnp3_header_block, T, 25605, 8, 196, 2, 3
+dnp3_application_request_header, T, 23
+dnp3_header_block, F, 25605, 16, 68, 3, 2
+dnp3_application_response_header, F, 129, 0
+dnp3_object_header, F, 13314, 7, 1, 1, 0
+dnp3_object_prefix, F, 0
+dnp3_response_data_object, F, 255

testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_en_spon/coverage

@@ -0,0 +1 @@
+4 of 51 events triggered by trace

testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_en_spon/dnp3.log

@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	dnp3
+#open	2013-08-12-18-23-59
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fc_request	fc_reply	iin
+#types	time	string	addr	port	addr	port	string	string	count
+1324916729.150101	UWkUyAuUGXf	130.126.142.250	50059	130.126.140.229	20000	ENABLE_UNSOLICITED	RESPONSE	0
+#close	2013-08-12-18-23-59

testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_en_spon/output

@@ -0,0 +1,7 @@
+dnp3_header_block, T, 25605, 17, 196, 2, 3
+dnp3_application_request_header, T, 20
+dnp3_object_header, T, 15362, 6, 0, 65535, 65535
+dnp3_object_header, T, 15363, 6, 0, 65535, 65535
+dnp3_object_header, T, 15364, 6, 0, 65535, 65535
+dnp3_header_block, F, 25605, 10, 68, 3, 2
+dnp3_application_response_header, F, 129, 0

testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_file_del/coverage

@@ -0,0 +1 @@
+6 of 51 events triggered by trace

testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_file_del/dnp3.log

@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	dnp3
+#open	2013-08-12-18-23-59
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fc_request	fc_reply	iin
+#types	time	string	addr	port	addr	port	string	string	count
+1325044377.992570	UWkUyAuUGXf	130.126.142.250	50301	130.126.140.229	20000	DELETE_FILE	RESPONSE	0
+#close	2013-08-12-18-23-59

testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_file_del/output

@@ -0,0 +1,9 @@
+dnp3_header_block, T, 25605, 99, 196, 4, 3
+dnp3_application_request_header, T, 27
+dnp3_object_header, T, 17923, 91, 1, 1, 0
+dnp3_object_prefix, T, 85
+dnp3_header_block, F, 25605, 29, 68, 3, 4
+dnp3_application_response_header, F, 129, 0
+dnp3_object_header, F, 17924, 91, 1, 1, 0
+dnp3_object_prefix, F, 13
+dnp3_response_data_object, F, 255

testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_file_read/coverage

@@ -0,0 +1 @@
+9 of 51 events triggered by trace

testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_file_read/dnp3.log

@@ -0,0 +1,14 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	dnp3
+#open	2013-08-12-18-24-00
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fc_request	fc_reply	iin
+#types	time	string	addr	port	addr	port	string	string	count
+1325036012.621691	UWkUyAuUGXf	130.126.142.250	50276	130.126.140.229	20000	OPEN_FILE	RESPONSE	4096
+1325036016.729050	UWkUyAuUGXf	130.126.142.250	50276	130.126.140.229	20000	READ	RESPONSE	4096
+1325036019.765502	UWkUyAuUGXf	130.126.142.250	50276	130.126.140.229	20000	WRITE	RESPONSE	0
+1325036022.292689	UWkUyAuUGXf	130.126.142.250	50276	130.126.140.229	20000	WRITE	RESPONSE	0
+1325036024.820857	UWkUyAuUGXf	130.126.142.250	50276	130.126.140.229	20000	CLOSE_FILE	RESPONSE	0
+#close	2013-08-12-18-24-00

testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_file_read/output

@@ -0,0 +1,45 @@
+dnp3_header_block, T, 25605, 50, 196, 4, 3
+dnp3_application_request_header, T, 25
+dnp3_object_header, T, 17923, 91, 1, 1, 0
+dnp3_object_prefix, T, 36
+dnp3_header_block, F, 25605, 29, 68, 3, 4
+dnp3_application_response_header, F, 129, 4096
+dnp3_object_header, F, 17924, 91, 1, 1, 0
+dnp3_object_prefix, F, 13
+dnp3_response_data_object, F, 255
+dnp3_header_block, T, 25605, 22, 196, 4, 3
+dnp3_application_request_header, T, 1
+dnp3_object_header, T, 17925, 91, 1, 1, 0
+dnp3_object_prefix, T, 8
+dnp3_file_transport, T, 305419896, 0
+                                                  ^J
+dnp3_header_block, F, 25605, 255, 68, 3, 4
+dnp3_application_response_header, F, 129, 4096
+dnp3_object_header, F, 17925, 91, 1, 1, 0
+dnp3_object_prefix, F, 838
+dnp3_file_transport, F, 305419896, 2147483648
+0000  ef bb bf 3c 3f 78 6d 6c  20 76 65 72 73 69 6f 6e  ...<?xml  version^J0010  3d 22 31 2e 30 22 20 65  6e 63 6f 64 69 6e 67 3d  ="1.0" e ncoding=^J0020  22 75 74 66 2d 38 22 3f  3e 0d 0a 3c 3f 78 6d 6c  "utf-8"? >..<?xml^J0030  2d 73 74 79 6c 65 73 68  65 65 74 20 74 79 70 65  -stylesh eet type^J0040  3d 27 74 65 78 74 2f 78  73 6c 27 20 68 72 65 66  ='text/x sl' href^J0050  3d 27 44 4e 50 33 44 65  76 69 63 65 50 72 6f 66  ='DNP3De viceProf^J0060  69 6c 65 4a 61 6e 32 30  31 30 2e 78 73 6c 74 27  ileJan20 10.xslt'^J0070  20 6d 65 64 69 61 3d 27  73 63 72 65 65 6e 27 3f   media=' screen'?^J0080  3e 0d 0a 3c 44 4e 50 33  44 65 76 69 63 65 50 72  >..<DNP3 DevicePr^J0090  6f 66 69 6c 65 44 6f 63  75 6d 65 6e 74 20 78 6d  ofileDoc ument xm^J00a0  6c 6e 73 3a 78 73 69 3d  22 68 74 74 70 3a 2f 2f  lns:xsi= "http://^J00b0  77 77 77 2e 77 33 2e 6f  72 67 2f 32 30 30 31 2f  www.w3.o rg/2001/^J00c0  58 4d 4c 53 63 68 65 6d  61 2d 69 6e 73 74 61 6e  XMLSchem a-instan^J00d0  63 65 22 20 78 6d 6c 6e  73 3a 78 73 64 3d 22 68  ce" xmln s:xsd="h^J00e0  74 74 70 3a 2f 2f 77 77  77 2e 77 33 2e 6f 72 67  ttp://ww w.w3.org^J00f0  2f 32 30 30 31 2f 58 4d  4c 53 63 68 65 6d 61 22  /2001/XM LSchema"^J0100  20 73 63 68 65 6d 61 56  65 72 73 69 6f 6e 3d 22   schemaV ersion="^J0110  32 2e 30 37 2e 30 30 22  20 78 6d 6c 6e 73 3d 22  2.07.00"  xmlns="^J0120  68 74 74 70 3a 2f 2f 77  77 77 2e 64 6e 70 33 2e  http://w ww.dnp3.^J0130  6f 72 67 2f 44 4e 50 33  2f 44 65 76 69 63 65 50  org/DNP3 /DeviceP^J0140  72 6f 66 69 6c 65 2f 4a  61 6e 32 30 31 30 22 3e  rofile/J an2010">^J0150  0d 0a 20 20 3c 21 2d 2d  44 6f 63 75 6d 65 6e 74  ..  <!-- Document^J0160  20 48 65 61 64 65 72 2d  2d 3e 0d 0a 20 20 3c 64   Header- ->..  <d^J0170  6f 63 75 6d 65 6e 74 48  65 61 64 65 72 3e 0d 0a  ocumentH eader>..^J0180  20 20 20 20 3c 64 6f 63  75 6d 65 6e 74 4e 61 6d      <doc umentNam^J0190  65 3e 41 20 44 4e 50 33  20 58 4d 4c 20 46 69 6c  e>A DNP3  XML Fil^J01a0  65 3c 2f 64 6f 63 75 6d  65 6e 74 4e 61 6d 65 3e  e</docum entName>^J01b0  0d 0a 20 20 20 20 3c 64  6f 63 75 6d 65 6e 74 44  ..    <d ocumentD^J01c0  65 73 63 72 69 70 74 69  6f 6e 3e 54 68 69 73 20  escripti on>This ^J01d0  69 73 20 61 20 44 4e 50  33 20 43 6f 6d 70 6c 65  is a DNP 3 Comple^J01e0  74 65 20 44 65 76 69 63  65 20 50 72 6f 66 69 6c  te Devic e Profil^J01f0  65 20 66 6f 72 20 44 4e  50 20 4f 75 74 73 74 61  e for DN P Outsta^J0200  74 69 6f 6e 20 69 6e 20  74 68 65 20 54 4d 57 20  tion in  the TMW ^J0210  43 6f 6d 6d 75 6e 69 63  61 74 69 6f 6e 20 50 72  Communic ation Pr^J0220  6f 74 6f 63 6f 6c 20 54  65 73 74 20 48 61 72 6e  otocol T est Harn^J0230  65 73 73 3c 2f 64 6f 63  75 6d 65 6e 74 44 65 73  ess</doc umentDes^J0240  63 72 69 70 74 69 6f 6e  3e 0d 0a 20 20 20 20 3c  cription >..    <^J0250  72 65 76 69 73 69 6f 6e  48 69 73 74 6f 72 79 20  revision History ^J0260  76 65 72 73 69 6f 6e 3d  22 32 22 3e 0d 0a 20 20  version= "2">..  ^J0270  20 20 20 20 3c 64 61 74  65 3e 32 30 31 30 2d 31      <dat e>2010-1^J0280  32 2d 30 31 3c 2f 64 61  74 65 3e 0d 0a 20 20 20  2-01</da te>..   ^J0290  20 20 20 3c 61 75 74 68  6f 72 3e 53 74 65 76 65     <auth or>Steve^J02a0  20 4d 63 43 6f 79 3c 2f  61 75 74 68 6f 72 3e 0d   McCoy</ author>.^J02b0  0a 20 20 20 20 20 20 3c  72 65 61 73 6f 6e 3e 44  .      < reason>D^J02c0  6f 63 75 6d 65 6e 74 65  64 20 54 65 73 74 20 48  ocumente d Test H^J02d0  61 72 6e 65 73 73 20 53  44 4e 50 20 44 65 76 69  arness S DNP Devi^J02e0  63 65 20 50 72 6f 66 69  6c 65 3c 2f 72 65 61 73  ce Profi le</reas^J02f0  6f 6e 3e 0d 0a 20 20 20  20 3c 2f 72 65 76 69 73  on>..     </revis^J0300  69 6f 6e 48 69 73 74 6f  72 79 3e 0d 0a 20 20 3c  ionHisto ry>..  <^J0310  2f 64 6f 63 75 6d 65 6e  74 48 65 61 64 65 72 3e  /documen tHeader>^J0320  0d 0a 3c 2f 44 4e 50 33  44 65 76 69 63 65 50 72  ..</DNP3 DevicePr^J0330  6f 66 69 6c 65 44 6f 63  75 6d 65 6e 74 3e        ofileDoc ument>^J
+dnp3_response_data_object, F, 255
+dnp3_header_block, T, 25605, 8, 196, 4, 3
+dnp3_application_request_header, T, 0
+dnp3_header_block, T, 25605, 18, 196, 4, 3
+dnp3_application_request_header, T, 2
+dnp3_object_header, T, 12801, 7, 1, 1, 0
+dnp3_object_prefix, T, 0
+dnp3_header_block, F, 25605, 10, 68, 3, 4
+dnp3_application_response_header, F, 129, 0
+dnp3_header_block, T, 25605, 18, 196, 4, 3
+dnp3_application_request_header, T, 2
+dnp3_object_header, T, 12801, 7, 1, 1, 0
+dnp3_object_prefix, T, 0
+dnp3_header_block, F, 25605, 10, 68, 3, 4
+dnp3_application_response_header, F, 129, 0
+dnp3_header_block, T, 25605, 27, 196, 4, 3
+dnp3_application_request_header, T, 26
+dnp3_object_header, T, 17924, 91, 1, 1, 0
+dnp3_object_prefix, T, 13
+dnp3_header_block, F, 25605, 29, 68, 3, 4
+dnp3_application_response_header, F, 129, 0
+dnp3_object_header, F, 17924, 91, 1, 1, 0
+dnp3_object_prefix, F, 13
+dnp3_response_data_object, F, 255

testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_file_write/coverage

@@ -0,0 +1 @@
+8 of 51 events triggered by trace

testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_file_write/dnp3.log

@@ -0,0 +1,12 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	dnp3
+#open	2013-08-12-18-24-00
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fc_request	fc_reply	iin
+#types	time	string	addr	port	addr	port	string	string	count
+1325043635.216629	UWkUyAuUGXf	130.126.142.250	50300	130.126.140.229	20000	OPEN_FILE	RESPONSE	0
+1325043637.790287	UWkUyAuUGXf	130.126.142.250	50300	130.126.140.229	20000	WRITE	RESPONSE	0
+1325043638.820071	UWkUyAuUGXf	130.126.142.250	50300	130.126.140.229	20000	CLOSE_FILE	RESPONSE	0
+#close	2013-08-12-18-24-00

testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_file_write/output

@@ -0,0 +1,29 @@
+dnp3_header_block, T, 25605, 99, 196, 4, 3
+dnp3_application_request_header, T, 25
+dnp3_object_header, T, 17923, 91, 1, 1, 0
+dnp3_object_prefix, T, 85
+dnp3_header_block, F, 25605, 29, 68, 3, 4
+dnp3_application_response_header, F, 129, 0
+dnp3_object_header, F, 17924, 91, 1, 1, 0
+dnp3_object_prefix, F, 13
+dnp3_response_data_object, F, 255
+dnp3_header_block, T, 25605, 255, 196, 4, 3
+dnp3_application_request_header, T, 2
+dnp3_object_header, T, 17925, 91, 1, 1, 0
+dnp3_object_prefix, T, 838
+dnp3_file_transport, T, 305419896, 2147483648
+0000  ef bb bf 3c 3f 78 6d 6c  20 76 65 72 73 69 6f 6e  ...<?xml  version^J0010  3d 22 31 2e 30 22 20 65  6e 63 6f 64 69 6e 67 3d  ="1.0" e ncoding=^J0020  22 75 74 66 2d 38 22 3f  3e 0d 0a 3c 3f 78 6d 6c  "utf-8"? >..<?xml^J0030  2d 73 74 79 6c 65 73 68  65 65 74 20 74 79 70 65  -stylesh eet type^J0040  3d 27 74 65 78 74 2f 78  73 6c 27 20 68 72 65 66  ='text/x sl' href^J0050  3d 27 44 4e 50 33 44 65  76 69 63 65 50 72 6f 66  ='DNP3De viceProf^J0060  69 6c 65 4a 61 6e 32 30  31 30 2e 78 73 6c 74 27  ileJan20 10.xslt'^J0070  20 6d 65 64 69 61 3d 27  73 63 72 65 65 6e 27 3f   media=' screen'?^J0080  3e 0d 0a 3c 44 4e 50 33  44 65 76 69 63 65 50 72  >..<DNP3 DevicePr^J0090  6f 66 69 6c 65 44 6f 63  75 6d 65 6e 74 20 78 6d  ofileDoc ument xm^J00a0  6c 6e 73 3a 78 73 69 3d  22 68 74 74 70 3a 2f 2f  lns:xsi= "http://^J00b0  77 77 77 2e 77 33 2e 6f  72 67 2f 32 30 30 31 2f  www.w3.o rg/2001/^J00c0  58 4d 4c 53 63 68 65 6d  61 2d 69 6e 73 74 61 6e  XMLSchem a-instan^J00d0  63 65 22 20 78 6d 6c 6e  73 3a 78 73 64 3d 22 68  ce" xmln s:xsd="h^J00e0  74 74 70 3a 2f 2f 77 77  77 2e 77 33 2e 6f 72 67  ttp://ww w.w3.org^J00f0  2f 32 30 30 31 2f 58 4d  4c 53 63 68 65 6d 61 22  /2001/XM LSchema"^J0100  20 73 63 68 65 6d 61 56  65 72 73 69 6f 6e 3d 22   schemaV ersion="^J0110  32 2e 30 37 2e 30 30 22  20 78 6d 6c 6e 73 3d 22  2.07.00"  xmlns="^J0120  68 74 74 70 3a 2f 2f 77  77 77 2e 64 6e 70 33 2e  http://w ww.dnp3.^J0130  6f 72 67 2f 44 4e 50 33  2f 44 65 76 69 63 65 50  org/DNP3 /DeviceP^J0140  72 6f 66 69 6c 65 2f 4a  61 6e 32 30 31 30 22 3e  rofile/J an2010">^J0150  0d 0a 20 20 3c 21 2d 2d  44 6f 63 75 6d 65 6e 74  ..  <!-- Document^J0160  20 48 65 61 64 65 72 2d  2d 3e 0d 0a 20 20 3c 64   Header- ->..  <d^J0170  6f 63 75 6d 65 6e 74 48  65 61 64 65 72 3e 0d 0a  ocumentH eader>..^J0180  20 20 20 20 3c 64 6f 63  75 6d 65 6e 74 4e 61 6d      <doc umentNam^J0190  65 3e 41 20 44 4e 50 33  20 58 4d 4c 20 46 69 6c  e>A DNP3  XML Fil^J01a0  65 3c 2f 64 6f 63 75 6d  65 6e 74 4e 61 6d 65 3e  e</docum entName>^J01b0  0d 0a 20 20 20 20 3c 64  6f 63 75 6d 65 6e 74 44  ..    <d ocumentD^J01c0  65 73 63 72 69 70 74 69  6f 6e 3e 54 68 69 73 20  escripti on>This ^J01d0  69 73 20 61 20 44 4e 50  33 20 43 6f 6d 70 6c 65  is a DNP 3 Comple^J01e0  74 65 20 44 65 76 69 63  65 20 50 72 6f 66 69 6c  te Devic e Profil^J01f0  65 20 66 6f 72 20 44 4e  50 20 4f 75 74 73 74 61  e for DN P Outsta^J0200  74 69 6f 6e 20 69 6e 20  74 68 65 20 54 4d 57 20  tion in  the TMW ^J0210  43 6f 6d 6d 75 6e 69 63  61 74 69 6f 6e 20 50 72  Communic ation Pr^J0220  6f 74 6f 63 6f 6c 20 54  65 73 74 20 48 61 72 6e  otocol T est Harn^J0230  65 73 73 3c 2f 64 6f 63  75 6d 65 6e 74 44 65 73  ess</doc umentDes^J0240  63 72 69 70 74 69 6f 6e  3e 0d 0a 20 20 20 20 3c  cription >..    <^J0250  72 65 76 69 73 69 6f 6e  48 69 73 74 6f 72 79 20  revision History ^J0260  76 65 72 73 69 6f 6e 3d  22 32 22 3e 0d 0a 20 20  version= "2">..  ^J0270  20 20 20 20 3c 64 61 74  65 3e 32 30 31 30 2d 31      <dat e>2010-1^J0280  32 2d 30 31 3c 2f 64 61  74 65 3e 0d 0a 20 20 20  2-01</da te>..   ^J0290  20 20 20 3c 61 75 74 68  6f 72 3e 53 74 65 76 65     <auth or>Steve^J02a0  20 4d 63 43 6f 79 3c 2f  61 75 74 68 6f 72 3e 0d   McCoy</ author>.^J02b0  0a 20 20 20 20 20 20 3c  72 65 61 73 6f 6e 3e 44  .      < reason>D^J02c0  6f 63 75 6d 65 6e 74 65  64 20 54 65 73 74 20 48  ocumente d Test H^J02d0  61 72 6e 65 73 73 20 53  44 4e 50 20 44 65 76 69  arness S DNP Devi^J02e0  63 65 20 50 72 6f 66 69  6c 65 3c 2f 72 65 61 73  ce Profi le</reas^J02f0  6f 6e 3e 0d 0a 20 20 20  20 3c 2f 72 65 76 69 73  on>..     </revis^J0300  69 6f 6e 48 69 73 74 6f  72 79 3e 0d 0a 20 20 3c  ionHisto ry>..  <^J0310  2f 64 6f 63 75 6d 65 6e  74 48 65 61 64 65 72 3e  /documen tHeader>^J0320  0d 0a 3c 2f 44 4e 50 33  44 65 76 69 63 65 50 72  ..</DNP3 DevicePr^J0330  6f 66 69 6c 65 44 6f 63  75 6d 65 6e 74 3e        ofileDoc ument>^J
+dnp3_header_block, F, 25605, 25, 68, 3, 4
+dnp3_application_response_header, F, 129, 0
+dnp3_object_header, F, 17926, 91, 1, 1, 0
+dnp3_object_prefix, F, 9
+dnp3_response_data_object, F, 255
+dnp3_header_block, T, 25605, 27, 196, 4, 3
+dnp3_application_request_header, T, 26
+dnp3_object_header, T, 17924, 91, 1, 1, 0
+dnp3_object_prefix, T, 13
+dnp3_header_block, F, 25605, 29, 68, 3, 4
+dnp3_application_response_header, F, 129, 0
+dnp3_object_header, F, 17924, 91, 1, 1, 0
+dnp3_object_prefix, F, 13
+dnp3_response_data_object, F, 255

testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_link_only/coverage

@@ -0,0 +1 @@
+6 of 51 events triggered by trace

testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_read/coverage

@@ -0,0 +1 @@
+7 of 51 events triggered by trace

testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_read/dnp3.log

@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	dnp3
+#open	2013-08-12-18-24-01
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fc_request	fc_reply	iin
+#types	time	string	addr	port	addr	port	string	string	count
+1324327256.650425	UWkUyAuUGXf	130.126.142.250	51006	130.126.140.229	20000	READ	RESPONSE	0
+#close	2013-08-12-18-24-01

testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_read/output

@@ -0,0 +1,88 @@
+dnp3_header_block, T, 25605, 20, 196, 2, 3
+dnp3_application_request_header, T, 1
+dnp3_object_header, T, 15362, 6, 0, 65535, 65535
+dnp3_object_header, T, 15363, 6, 0, 65535, 65535
+dnp3_object_header, T, 15364, 6, 0, 65535, 65535
+dnp3_object_header, T, 15361, 6, 0, 65535, 65535
+dnp3_header_block, F, 25605, 116, 68, 3, 2
+dnp3_application_response_header, F, 129, 0
+dnp3_object_header, F, 258, 0, 9, 0, 8
+dnp3_object_prefix, F, 0
+dnp3_response_data_object, F, 129
+dnp3_object_prefix, F, 0
+dnp3_response_data_object, F, 1
+dnp3_object_prefix, F, 0
+dnp3_response_data_object, F, 129
+dnp3_object_prefix, F, 0
+dnp3_response_data_object, F, 1
+dnp3_object_prefix, F, 0
+dnp3_response_data_object, F, 1
+dnp3_object_prefix, F, 0
+dnp3_response_data_object, F, 1
+dnp3_object_prefix, F, 0
+dnp3_response_data_object, F, 1
+dnp3_object_prefix, F, 0
+dnp3_response_data_object, F, 1
+dnp3_object_prefix, F, 0
+dnp3_response_data_object, F, 1
+dnp3_object_header, F, 2562, 0, 7, 0, 6
+dnp3_object_prefix, F, 0
+dnp3_response_data_object, F, 0
+dnp3_object_prefix, F, 0
+dnp3_response_data_object, F, 0
+dnp3_object_prefix, F, 0
+dnp3_response_data_object, F, 0
+dnp3_object_prefix, F, 0
+dnp3_response_data_object, F, 0
+dnp3_object_prefix, F, 0
+dnp3_response_data_object, F, 0
+dnp3_object_prefix, F, 0
+dnp3_response_data_object, F, 0
+dnp3_object_prefix, F, 0
+dnp3_response_data_object, F, 1
+dnp3_object_header, F, 7681, 0, 15, 0, 14
+dnp3_object_prefix, F, 0
+dnp3_analog_input_32wFlag, F, 1, 1007
+dnp3_response_data_object, F, 255
+dnp3_object_prefix, F, 0
+dnp3_analog_input_32wFlag, F, 1, 3
+dnp3_response_data_object, F, 255
+dnp3_object_prefix, F, 0
+dnp3_analog_input_32wFlag, F, 1, 1005
+dnp3_response_data_object, F, 255
+dnp3_object_prefix, F, 0
+dnp3_analog_input_32wFlag, F, 1, 18446744073709539627
+dnp3_response_data_object, F, 255
+dnp3_object_prefix, F, 0
+dnp3_analog_input_32wFlag, F, 1, 1005
+dnp3_response_data_object, F, 255
+dnp3_object_prefix, F, 0
+dnp3_analog_input_32wFlag, F, 1, 12006
+dnp3_response_data_object, F, 255
+dnp3_object_prefix, F, 0
+dnp3_analog_input_32wFlag, F, 1, 134423
+dnp3_response_data_object, F, 255
+dnp3_object_prefix, F, 0
+dnp3_analog_input_32wFlag, F, 0, 0
+dnp3_response_data_object, F, 255
+dnp3_object_prefix, F, 0
+dnp3_analog_input_32wFlag, F, 1, 134325
+dnp3_response_data_object, F, 255
+dnp3_object_prefix, F, 0
+dnp3_analog_input_32wFlag, F, 0, 0
+dnp3_response_data_object, F, 255
+dnp3_object_prefix, F, 0
+dnp3_analog_input_32wFlag, F, 1, 134538
+dnp3_response_data_object, F, 255
+dnp3_object_prefix, F, 0
+dnp3_analog_input_32wFlag, F, 0, 0
+dnp3_response_data_object, F, 255
+dnp3_object_prefix, F, 0
+dnp3_analog_input_32wFlag, F, 0, 0
+dnp3_response_data_object, F, 255
+dnp3_object_prefix, F, 0
+dnp3_analog_input_32wFlag, F, 0, 0
+dnp3_response_data_object, F, 255
+dnp3_object_prefix, F, 0
+dnp3_analog_input_32wFlag, F, 0, 0
+dnp3_response_data_object, F, 255

testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_rec_time/coverage

@@ -0,0 +1 @@
+3 of 51 events triggered by trace

testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_rec_time/dnp3.log

@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	dnp3
+#open	2013-08-12-18-24-02
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fc_request	fc_reply	iin
+#types	time	string	addr	port	addr	port	string	string	count
+1324502980.465157	UWkUyAuUGXf	130.126.142.250	49412	130.126.140.229	20000	RECORD_CURRENT_TIME	RESPONSE	0
+#close	2013-08-12-18-24-02

testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_rec_time/output

@@ -0,0 +1,4 @@
+dnp3_header_block, T, 25605, 8, 196, 2, 3
+dnp3_application_request_header, T, 24
+dnp3_header_block, F, 25605, 10, 68, 3, 2
+dnp3_application_response_header, F, 129, 0

testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_select_operate/coverage

@@ -0,0 +1 @@
+7 of 51 events triggered by trace

testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_select_operate/dnp3.log

@@ -0,0 +1,11 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	dnp3
+#open	2013-08-12-18-24-02
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fc_request	fc_reply	iin
+#types	time	string	addr	port	addr	port	string	string	count
+1324501739.752598	UWkUyAuUGXf	130.126.142.250	49404	130.126.140.229	20000	SELECT	RESPONSE	0
+1324501743.758738	UWkUyAuUGXf	130.126.142.250	49404	130.126.140.229	20000	OPERATE	RESPONSE	0
+#close	2013-08-12-18-24-02

testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_select_operate/output

@@ -0,0 +1,22 @@
+dnp3_header_block, T, 25605, 26, 196, 2, 3
+dnp3_application_request_header, T, 3
+dnp3_object_header, T, 3073, 40, 1, 256, 0
+dnp3_object_prefix, T, 1
+dnp3_crob, T, 3, 1, 100, 100, 0
+dnp3_header_block, F, 25605, 28, 68, 3, 2
+dnp3_application_response_header, F, 129, 0
+dnp3_object_header, F, 3073, 40, 1, 256, 0
+dnp3_object_prefix, F, 1
+dnp3_crob, F, 3, 1, 100, 100, 0
+dnp3_response_data_object, F, 255
+dnp3_header_block, T, 25605, 26, 196, 2, 3
+dnp3_application_request_header, T, 4
+dnp3_object_header, T, 3073, 40, 1, 256, 0
+dnp3_object_prefix, T, 1
+dnp3_crob, T, 3, 1, 100, 100, 0
+dnp3_header_block, F, 25605, 28, 68, 3, 2
+dnp3_application_response_header, F, 129, 0
+dnp3_object_header, F, 3073, 40, 1, 256, 0
+dnp3_object_prefix, F, 1
+dnp3_crob, F, 3, 1, 100, 100, 0
+dnp3_response_data_object, F, 255

testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_write/coverage

@@ -0,0 +1 @@
+5 of 51 events triggered by trace

testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_write/dnp3.log

@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	dnp3
+#open	2013-08-12-18-24-03
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fc_request	fc_reply	iin
+#types	time	string	addr	port	addr	port	string	string	count
+1324502912.898449	UWkUyAuUGXf	130.126.142.250	49411	130.126.140.229	20000	WRITE	RESPONSE	0
+#close	2013-08-12-18-24-03

testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_write/output

@@ -0,0 +1,6 @@
+dnp3_header_block, T, 25605, 18, 196, 2, 3
+dnp3_application_request_header, T, 2
+dnp3_object_header, T, 12801, 7, 1, 1, 0
+dnp3_object_prefix, T, 0
+dnp3_header_block, F, 25605, 10, 68, 3, 2
+dnp3_application_response_header, F, 129, 0

testing/btest/Baseline/scripts.base.protocols.dnp3.events/coverage

@@ -0,0 +1 @@
+9 of 51 events triggered by trace

testing/btest/Baseline/scripts.base.protocols.dnp3.events/dnp3.log

@@ -0,0 +1,75 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	dnp3
+#open	2013-08-12-18-24-03
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fc_request	fc_reply	iin
+#types	time	string	addr	port	addr	port	string	string	count
+1097501938.504844	UWkUyAuUGXf	10.0.0.8	2789	10.0.0.3	20000	-	UNSOLICITED_RESPONSE	4096
+1097501941.569134	UWkUyAuUGXf	10.0.0.8	2789	10.0.0.3	20000	WRITE	RESPONSE	0
+1097502061.912093	UWkUyAuUGXf	10.0.0.8	2789	10.0.0.3	20000	DISABLE_UNSOLICITED	RESPONSE	0
+1097502623.047417	arKYeMETxOg	10.0.0.8	2803	10.0.0.3	20000	-	UNSOLICITED_RESPONSE	0
+1097504102.257400	k6kgXLOoSKl	10.0.0.8	2828	10.0.0.3	20000	-	UNSOLICITED_RESPONSE	4096
+1097504103.409070	k6kgXLOoSKl	10.0.0.8	2828	10.0.0.3	20000	WRITE	RESPONSE	0
+1097504186.667107	k6kgXLOoSKl	10.0.0.8	2828	10.0.0.3	20000	ENABLE_UNSOLICITED	RESPONSE	0
+1097504195.106257	k6kgXLOoSKl	10.0.0.8	2828	10.0.0.3	20000	-	UNSOLICITED_RESPONSE	0
+1097504196.566493	k6kgXLOoSKl	10.0.0.8	2828	10.0.0.3	20000	CONFIRM	UNSOLICITED_RESPONSE	0
+1097504197.887726	k6kgXLOoSKl	10.0.0.8	2828	10.0.0.3	20000	CONFIRM	UNSOLICITED_RESPONSE	0
+1097504199.597084	k6kgXLOoSKl	10.0.0.8	2828	10.0.0.3	20000	CONFIRM	UNSOLICITED_RESPONSE	0
+1097504200.719510	k6kgXLOoSKl	10.0.0.8	2828	10.0.0.3	20000	CONFIRM	UNSOLICITED_RESPONSE	0
+1097504202.513608	k6kgXLOoSKl	10.0.0.8	2828	10.0.0.3	20000	CONFIRM	UNSOLICITED_RESPONSE	0
+1097504203.324245	k6kgXLOoSKl	10.0.0.8	2828	10.0.0.3	20000	CONFIRM	UNSOLICITED_RESPONSE	0
+1097504204.663060	k6kgXLOoSKl	10.0.0.8	2828	10.0.0.3	20000	CONFIRM	UNSOLICITED_RESPONSE	0
+1097504205.750705	k6kgXLOoSKl	10.0.0.8	2828	10.0.0.3	20000	CONFIRM	UNSOLICITED_RESPONSE	0
+1097504210.792443	k6kgXLOoSKl	10.0.0.8	2828	10.0.0.3	20000	CONFIRM	UNSOLICITED_RESPONSE	0
+1097504223.905294	k6kgXLOoSKl	10.0.0.8	2828	10.0.0.3	20000	COLD_RESTART	RESPONSE	0
+1097505719.083365	nQcgTWjvg4c	10.0.0.9	1080	10.0.0.3	20000	COLD_RESTART	UNSOLICITED_RESPONSE	0
+1097505719.083898	nQcgTWjvg4c	10.0.0.9	1080	10.0.0.3	20000	-	UNSOLICITED_RESPONSE	0
+1097505719.084451	nQcgTWjvg4c	10.0.0.9	1080	10.0.0.3	20000	-	RESPONSE	0
+1097505754.654239	nQcgTWjvg4c	10.0.0.9	1080	10.0.0.3	20000	READ	RESPONSE	32768
+1097505754.654731	nQcgTWjvg4c	10.0.0.9	1080	10.0.0.3	20000	-	UNSOLICITED_RESPONSE	32768
+1097505754.756391	nQcgTWjvg4c	10.0.0.9	1080	10.0.0.3	20000	DISABLE_UNSOLICITED	RESPONSE	32768
+1097505754.864882	nQcgTWjvg4c	10.0.0.9	1080	10.0.0.3	20000	WRITE	RESPONSE	0
+1097505754.977534	nQcgTWjvg4c	10.0.0.9	1080	10.0.0.3	20000	READ	RESPONSE	0
+1097505769.716268	nQcgTWjvg4c	10.0.0.9	1080	10.0.0.3	20000	-	UNSOLICITED_RESPONSE	0
+1097505784.797836	nQcgTWjvg4c	10.0.0.9	1080	10.0.0.3	20000	-	UNSOLICITED_RESPONSE	0
+1097505799.908753	nQcgTWjvg4c	10.0.0.9	1080	10.0.0.3	20000	-	UNSOLICITED_RESPONSE	0
+1097505839.916865	nQcgTWjvg4c	10.0.0.9	1080	10.0.0.3	20000	-	UNSOLICITED_RESPONSE	0
+1097505880.043946	nQcgTWjvg4c	10.0.0.9	1080	10.0.0.3	20000	-	UNSOLICITED_RESPONSE	0
+1097505920.204187	nQcgTWjvg4c	10.0.0.9	1080	10.0.0.3	20000	-	UNSOLICITED_RESPONSE	0
+1097505960.308661	nQcgTWjvg4c	10.0.0.9	1080	10.0.0.3	20000	-	UNSOLICITED_RESPONSE	0
+1097506000.396024	nQcgTWjvg4c	10.0.0.9	1080	10.0.0.3	20000	-	UNSOLICITED_RESPONSE	0
+1097506013.373353	nQcgTWjvg4c	10.0.0.9	1080	10.0.0.3	20000	ENABLE_UNSOLICITED	RESPONSE	0
+1097506013.373850	nQcgTWjvg4c	10.0.0.9	1080	10.0.0.3	20000	-	UNSOLICITED_RESPONSE	0
+1097506020.703162	nQcgTWjvg4c	10.0.0.9	1080	10.0.0.3	20000	ENABLE_UNSOLICITED	RESPONSE	0
+1097506028.446245	nQcgTWjvg4c	10.0.0.9	1080	10.0.0.3	20000	-	UNSOLICITED_RESPONSE	0
+1097507785.885063	j4u32Pc5bif	10.0.0.8	1086	10.0.0.3	20000	-	UNSOLICITED_RESPONSE	36864
+1097507788.624309	j4u32Pc5bif	10.0.0.8	1086	10.0.0.3	20000	DISABLE_UNSOLICITED	RESPONSE	36864
+1097507788.834395	j4u32Pc5bif	10.0.0.8	1086	10.0.0.3	20000	WRITE	RESPONSE	32768
+1097507788.944297	j4u32Pc5bif	10.0.0.8	1086	10.0.0.3	20000	DISABLE_UNSOLICITED	RESPONSE	32768
+1097507789.167700	j4u32Pc5bif	10.0.0.8	1086	10.0.0.3	20000	WRITE	RESPONSE	32768
+1097507789.274806	j4u32Pc5bif	10.0.0.8	1086	10.0.0.3	20000	DISABLE_UNSOLICITED	RESPONSE	32768
+1097507789.484975	j4u32Pc5bif	10.0.0.8	1086	10.0.0.3	20000	WRITE	RESPONSE	0
+1097507789.797226	j4u32Pc5bif	10.0.0.8	1086	10.0.0.3	20000	READ	RESPONSE	0
+1097507835.030339	j4u32Pc5bif	10.0.0.8	1086	10.0.0.3	20000	WARM_RESTART	RESPONSE	0
+1097507856.091024	j4u32Pc5bif	10.0.0.8	1086	10.0.0.3	20000	WARM_RESTART	RESPONSE	0
+1097510947.094289	TEfuqmmG4bh	10.0.0.8	1159	10.0.0.3	20000	-	UNSOLICITED_RESPONSE	256
+1097510959.359091	TEfuqmmG4bh	10.0.0.8	1159	10.0.0.3	20000	DISABLE_UNSOLICITED	-	-
+1097512255.236054	FrJExwHcSal	10.0.0.8	1184	10.0.0.3	20000	-	UNSOLICITED_RESPONSE	4096
+1097512264.723894	FrJExwHcSal	10.0.0.8	1184	10.0.0.3	20000	STOP_APPL	RESPONSE	4097
+1097512267.537969	FrJExwHcSal	10.0.0.8	1184	10.0.0.3	20000	STOP_APPL	RESPONSE	4097
+1097513177.297272	5OKnoww6xl4	10.0.0.9	1084	10.0.0.3	20000	-	UNSOLICITED_RESPONSE	38145
+1097513182.837583	5OKnoww6xl4	10.0.0.9	1084	10.0.0.3	20000	STOP_APPL	-	-
+1178205958.184068	3PKsZ2Uye21	192.168.66.33	1167	192.168.66.34	20000	READ	RESPONSE	0
+1178205982.425227	3PKsZ2Uye21	192.168.66.33	1167	192.168.66.34	20000	SELECT	RESPONSE	4
+1178205984.486492	3PKsZ2Uye21	192.168.66.33	1167	192.168.66.34	20000	SELECT	RESPONSE	4
+1178205985.311235	3PKsZ2Uye21	192.168.66.33	1167	192.168.66.34	20000	SELECT	RESPONSE	4
+1178205986.029976	3PKsZ2Uye21	192.168.66.33	1167	192.168.66.34	20000	SELECT	RESPONSE	4
+1178205986.556099	3PKsZ2Uye21	192.168.66.33	1167	192.168.66.34	20000	SELECT	RESPONSE	4
+1178206042.953163	3PKsZ2Uye21	192.168.66.33	1167	192.168.66.34	20000	READ	RESPONSE	6
+1178206044.500956	3PKsZ2Uye21	192.168.66.33	1167	192.168.66.34	20000	READ	RESPONSE	6
+1178206045.032815	3PKsZ2Uye21	192.168.66.33	1167	192.168.66.34	20000	READ	RESPONSE	6
+1178206045.557097	3PKsZ2Uye21	192.168.66.33	1167	192.168.66.34	20000	READ	RESPONSE	6
+1178206046.086403	3PKsZ2Uye21	192.168.66.33	1167	192.168.66.34	20000	READ	RESPONSE	6
+#close	2013-08-12-18-24-03

testing/btest/Baseline/scripts.base.protocols.dnp3.events/output

@@ -0,0 +1,574 @@
+dnp3_header_block, F, 25605, 10, 68, 3, 4
+dnp3_application_response_header, F, 130, 4096
+dnp3_header_block, T, 25605, 8, 196, 4, 3
+dnp3_application_request_header, T, 0
+dnp3_header_block, T, 25605, 18, 196, 4, 3
+dnp3_application_request_header, T, 2
+dnp3_object_header, T, 12801, 7, 1, 1, 0
+dnp3_object_prefix, T, 0
+dnp3_header_block, F, 25605, 10, 68, 3, 4
+dnp3_application_response_header, F, 129, 0
+dnp3_header_block, T, 25605, 17, 196, 4, 3
+dnp3_application_request_header, T, 21
+dnp3_object_header, T, 15362, 6, 0, 65535, 65535
+dnp3_object_header, T, 15363, 6, 0, 65535, 65535
+dnp3_object_header, T, 15364, 6, 0, 65535, 65535
+dnp3_header_block, F, 25605, 10, 68, 3, 4
+dnp3_application_response_header, F, 129, 0
+dnp3_header_block, F, 25605, 10, 68, 3, 4
+dnp3_application_response_header, F, 130, 0
+dnp3_header_block, F, 25605, 10, 68, 3, 4
+dnp3_application_response_header, F, 130, 4096
+dnp3_header_block, T, 25605, 8, 196, 4, 3
+dnp3_application_request_header, T, 0
+dnp3_header_block, T, 25605, 18, 196, 4, 3
+dnp3_application_request_header, T, 2
+dnp3_object_header, T, 12801, 7, 1, 1, 0
+dnp3_object_prefix, T, 0
+dnp3_header_block, F, 25605, 10, 68, 3, 4
+dnp3_application_response_header, F, 129, 0
+dnp3_header_block, T, 25605, 17, 196, 4, 3
+dnp3_application_request_header, T, 20
+dnp3_object_header, T, 15362, 6, 0, 65535, 65535
+dnp3_object_header, T, 15363, 6, 0, 65535, 65535
+dnp3_object_header, T, 15364, 6, 0, 65535, 65535
+dnp3_header_block, F, 25605, 10, 68, 3, 4
+dnp3_application_response_header, F, 129, 0
+dnp3_header_block, F, 25605, 76, 68, 3, 4
+dnp3_application_response_header, F, 130, 0
+dnp3_object_header, F, 13057, 7, 1, 1, 0
+dnp3_object_prefix, F, 0
+dnp3_response_data_object, F, 255
+dnp3_object_header, F, 515, 40, 5, 1280, 0
+dnp3_object_prefix, F, 0
+dnp3_response_data_object, F, 255
+dnp3_object_prefix, F, 1
+dnp3_response_data_object, F, 255
+dnp3_object_prefix, F, 2
+dnp3_response_data_object, F, 255
+dnp3_object_prefix, F, 0
+dnp3_response_data_object, F, 255
+dnp3_object_prefix, F, 1
+dnp3_response_data_object, F, 255
+dnp3_object_header, F, 8193, 40, 3, 768, 0
+dnp3_object_prefix, F, 0
+dnp3_analog_input_event_32woTime, F, 1, 0
+dnp3_response_data_object, F, 255
+dnp3_object_prefix, F, 1
+dnp3_analog_input_event_32woTime, F, 1, 0
+dnp3_response_data_object, F, 255
+dnp3_object_prefix, F, 2
+dnp3_analog_input_event_32woTime, F, 1, 0
+dnp3_response_data_object, F, 255
+dnp3_header_block, T, 25605, 8, 196, 4, 3
+dnp3_application_request_header, T, 0
+dnp3_header_block, F, 25605, 71, 68, 3, 4
+dnp3_application_response_header, F, 130, 0
+dnp3_object_header, F, 13057, 7, 1, 1, 0
+dnp3_object_prefix, F, 0
+dnp3_response_data_object, F, 255
+dnp3_object_header, F, 515, 40, 4, 1024, 0
+dnp3_object_prefix, F, 2
+dnp3_response_data_object, F, 255
+dnp3_object_prefix, F, 0
+dnp3_response_data_object, F, 255
+dnp3_object_prefix, F, 1
+dnp3_response_data_object, F, 255
+dnp3_object_prefix, F, 2
+dnp3_response_data_object, F, 255
+dnp3_object_header, F, 8193, 40, 3, 768, 0
+dnp3_object_prefix, F, 2
+dnp3_analog_input_event_32woTime, F, 1, 198
+dnp3_response_data_object, F, 255
+dnp3_object_prefix, F, 0
+dnp3_analog_input_event_32woTime, F, 1, 0
+dnp3_response_data_object, F, 255
+dnp3_object_prefix, F, 1
+dnp3_analog_input_event_32woTime, F, 1, 0
+dnp3_response_data_object, F, 255
+dnp3_header_block, T, 25605, 8, 196, 4, 3
+dnp3_application_request_header, T, 0
+dnp3_header_block, F, 25605, 76, 68, 3, 4
+dnp3_application_response_header, F, 130, 0
+dnp3_object_header, F, 13057, 7, 1, 1, 0
+dnp3_object_prefix, F, 0
+dnp3_response_data_object, F, 255
+dnp3_object_header, F, 515, 40, 5, 1280, 0
+dnp3_object_prefix, F, 0
+dnp3_response_data_object, F, 255
+dnp3_object_prefix, F, 1
+dnp3_response_data_object, F, 255
+dnp3_object_prefix, F, 2
+dnp3_response_data_object, F, 255
+dnp3_object_prefix, F, 0
+dnp3_response_data_object, F, 255
+dnp3_object_prefix, F, 1
+dnp3_response_data_object, F, 255
+dnp3_object_header, F, 8193, 40, 3, 768, 0
+dnp3_object_prefix, F, 0
+dnp3_analog_input_event_32woTime, F, 1, 198
+dnp3_response_data_object, F, 255
+dnp3_object_prefix, F, 1
+dnp3_analog_input_event_32woTime, F, 1, 202
+dnp3_response_data_object, F, 255
+dnp3_object_prefix, F, 2
+dnp3_analog_input_event_32woTime, F, 1, 198
+dnp3_response_data_object, F, 255
+dnp3_header_block, T, 25605, 8, 196, 4, 3
+dnp3_application_request_header, T, 0
+dnp3_header_block, F, 25605, 71, 68, 3, 4
+dnp3_application_response_header, F, 130, 0
+dnp3_object_header, F, 13057, 7, 1, 1, 0
+dnp3_object_prefix, F, 0
+dnp3_response_data_object, F, 255
+dnp3_object_header, F, 515, 40, 4, 1024, 0
+dnp3_object_prefix, F, 2
+dnp3_response_data_object, F, 255
+dnp3_object_prefix, F, 0
+dnp3_response_data_object, F, 255
+dnp3_object_prefix, F, 1
+dnp3_response_data_object, F, 255
+dnp3_object_prefix, F, 2
+dnp3_response_data_object, F, 255
+dnp3_object_header, F, 8193, 40, 3, 768, 0
+dnp3_object_prefix, F, 2
+dnp3_analog_input_event_32woTime, F, 1, 0
+dnp3_response_data_object, F, 255
+dnp3_object_prefix, F, 0
+dnp3_analog_input_event_32woTime, F, 1, 202
+dnp3_response_data_object, F, 255
+dnp3_object_prefix, F, 1
+dnp3_analog_input_event_32woTime, F, 1, 200
+dnp3_response_data_object, F, 255
+dnp3_header_block, T, 25605, 8, 196, 4, 3
+dnp3_application_request_header, T, 0
+dnp3_header_block, F, 25605, 76, 68, 3, 4
+dnp3_application_response_header, F, 130, 0
+dnp3_object_header, F, 13057, 7, 1, 1, 0
+dnp3_object_prefix, F, 0
+dnp3_response_data_object, F, 255
+dnp3_object_header, F, 515, 40, 5, 1280, 0
+dnp3_object_prefix, F, 0
+dnp3_response_data_object, F, 255
+dnp3_object_prefix, F, 1
+dnp3_response_data_object, F, 255
+dnp3_object_prefix, F, 2
+dnp3_response_data_object, F, 255
+dnp3_object_prefix, F, 0
+dnp3_response_data_object, F, 255
+dnp3_object_prefix, F, 1
+dnp3_response_data_object, F, 255
+dnp3_object_header, F, 8193, 40, 3, 768, 0
+dnp3_object_prefix, F, 0
+dnp3_analog_input_event_32woTime, F, 1, 0
+dnp3_response_data_object, F, 255
+dnp3_object_prefix, F, 1
+dnp3_analog_input_event_32woTime, F, 1, 0
+dnp3_response_data_object, F, 255
+dnp3_object_prefix, F, 2
+dnp3_analog_input_event_32woTime, F, 1, 0
+dnp3_response_data_object, F, 255
+dnp3_header_block, T, 25605, 8, 196, 4, 3
+dnp3_application_request_header, T, 0
+dnp3_header_block, F, 25605, 50, 68, 3, 4
+dnp3_application_response_header, F, 130, 0
+dnp3_object_header, F, 13057, 7, 1, 1, 0
+dnp3_object_prefix, F, 0
+dnp3_response_data_object, F, 255
+dnp3_object_header, F, 515, 40, 5, 1280, 0
+dnp3_object_prefix, F, 2
+dnp3_response_data_object, F, 255
+dnp3_object_prefix, F, 0
+dnp3_response_data_object, F, 255
+dnp3_object_prefix, F, 1
+dnp3_response_data_object, F, 255
+dnp3_object_prefix, F, 2
+dnp3_response_data_object, F, 255
+dnp3_object_prefix, F, 0
+dnp3_response_data_object, F, 255
+dnp3_header_block, T, 25605, 8, 196, 4, 3
+dnp3_application_request_header, T, 0
+dnp3_header_block, F, 25605, 76, 68, 3, 4
+dnp3_application_response_header, F, 130, 0
+dnp3_object_header, F, 13057, 7, 1, 1, 0
+dnp3_object_prefix, F, 0
+dnp3_response_data_object, F, 255
+dnp3_object_header, F, 515, 40, 5, 1280, 0
+dnp3_object_prefix, F, 1
+dnp3_response_data_object, F, 255
+dnp3_object_prefix, F, 2
+dnp3_response_data_object, F, 255
+dnp3_object_prefix, F, 0
+dnp3_response_data_object, F, 255
+dnp3_object_prefix, F, 1
+dnp3_response_data_object, F, 255
+dnp3_object_prefix, F, 2
+dnp3_response_data_object, F, 255
+dnp3_object_header, F, 8193, 40, 3, 768, 0
+dnp3_object_prefix, F, 0
+dnp3_analog_input_event_32woTime, F, 1, 198
+dnp3_response_data_object, F, 255
+dnp3_object_prefix, F, 1
+dnp3_analog_input_event_32woTime, F, 1, 199
+dnp3_response_data_object, F, 255
+dnp3_object_prefix, F, 2
+dnp3_analog_input_event_32woTime, F, 1, 199
+dnp3_response_data_object, F, 255
+dnp3_header_block, T, 25605, 8, 196, 4, 3
+dnp3_application_request_header, T, 0
+dnp3_header_block, F, 25605, 66, 68, 3, 4
+dnp3_application_response_header, F, 130, 0
+dnp3_object_header, F, 13057, 7, 1, 1, 0
+dnp3_object_prefix, F, 0
+dnp3_response_data_object, F, 255
+dnp3_object_header, F, 515, 40, 3, 768, 0
+dnp3_object_prefix, F, 0
+dnp3_response_data_object, F, 255
+dnp3_object_prefix, F, 1
+dnp3_response_data_object, F, 255
+dnp3_object_prefix, F, 2
+dnp3_response_data_object, F, 255
+dnp3_object_header, F, 8193, 40, 3, 768, 0
+dnp3_object_prefix, F, 2
+dnp3_analog_input_event_32woTime, F, 1, 0
+dnp3_response_data_object, F, 255
+dnp3_object_prefix, F, 0
+dnp3_analog_input_event_32woTime, F, 1, 202
+dnp3_response_data_object, F, 255
+dnp3_object_prefix, F, 1
+dnp3_analog_input_event_32woTime, F, 1, 200
+dnp3_response_data_object, F, 255
+dnp3_header_block, T, 25605, 8, 196, 4, 3
+dnp3_application_request_header, T, 0
+dnp3_header_block, F, 25605, 76, 68, 3, 4
+dnp3_application_response_header, F, 130, 0
+dnp3_object_header, F, 13057, 7, 1, 1, 0
+dnp3_object_prefix, F, 0
+dnp3_response_data_object, F, 255
+dnp3_object_header, F, 515, 40, 5, 1280, 0
+dnp3_object_prefix, F, 0
+dnp3_response_data_object, F, 255
+dnp3_object_prefix, F, 1
+dnp3_response_data_object, F, 255
+dnp3_object_prefix, F, 2
+dnp3_response_data_object, F, 255
+dnp3_object_prefix, F, 0
+dnp3_response_data_object, F, 255
+dnp3_object_prefix, F, 1
+dnp3_response_data_object, F, 255
+dnp3_object_header, F, 8193, 40, 3, 768, 0
+dnp3_object_prefix, F, 0
+dnp3_analog_input_event_32woTime, F, 1, 0
+dnp3_response_data_object, F, 255
+dnp3_object_prefix, F, 1
+dnp3_analog_input_event_32woTime, F, 1, 0
+dnp3_response_data_object, F, 255
+dnp3_object_prefix, F, 2
+dnp3_analog_input_event_32woTime, F, 1, 0
+dnp3_response_data_object, F, 255
+dnp3_header_block, T, 25605, 8, 196, 4, 3
+dnp3_application_request_header, T, 0
+dnp3_header_block, F, 25605, 56, 68, 3, 4
+dnp3_application_response_header, F, 130, 0
+dnp3_object_header, F, 13057, 7, 1, 1, 0
+dnp3_object_prefix, F, 0
+dnp3_response_data_object, F, 255
+dnp3_object_header, F, 515, 40, 1, 256, 0
+dnp3_object_prefix, F, 2
+dnp3_response_data_object, F, 255
+dnp3_object_header, F, 8193, 40, 3, 768, 0
+dnp3_object_prefix, F, 0
+dnp3_analog_input_event_32woTime, F, 1, 203
+dnp3_response_data_object, F, 255
+dnp3_object_prefix, F, 1
+dnp3_analog_input_event_32woTime, F, 1, 202
+dnp3_response_data_object, F, 255
+dnp3_object_prefix, F, 2
+dnp3_analog_input_event_32woTime, F, 1, 199
+dnp3_response_data_object, F, 255
+dnp3_header_block, T, 25605, 8, 196, 4, 3
+dnp3_application_request_header, T, 0
+dnp3_header_block, T, 25605, 8, 196, 4, 3
+dnp3_application_request_header, T, 13
+dnp3_header_block, F, 25605, 16, 68, 3, 4
+dnp3_application_response_header, F, 129, 0
+dnp3_object_header, F, 13314, 7, 1, 1, 0
+dnp3_object_prefix, F, 0
+dnp3_response_data_object, F, 255
+dnp3_header_block, T, 25605, 8, 196, 4, 3
+dnp3_application_request_header, T, 13
+dnp3_header_block, F, 25605, 10, 68, 6, 4
+dnp3_application_response_header, F, 130, 0
+dnp3_header_block, F, 25605, 10, 68, 6, 4
+dnp3_application_response_header, F, 130, 0
+dnp3_header_block, F, 25605, 16, 68, 3, 4
+dnp3_application_response_header, F, 129, 0
+dnp3_object_header, F, 13314, 7, 1, 1, 0
+dnp3_object_prefix, F, 0
+dnp3_response_data_object, F, 255
+dnp3_header_block, T, 25605, 11, 196, 4, 3
+dnp3_application_request_header, T, 1
+dnp3_object_header, T, 512, 6, 0, 65535, 65535
+dnp3_header_block, F, 25605, 10, 68, 3, 4
+dnp3_application_response_header, F, 129, 32768
+dnp3_header_block, F, 25605, 10, 68, 6, 4
+dnp3_application_response_header, F, 130, 32768
+dnp3_header_block, T, 25605, 17, 196, 4, 3
+dnp3_application_request_header, T, 21
+dnp3_object_header, T, 15362, 6, 0, 65535, 65535
+dnp3_object_header, T, 15363, 6, 0, 65535, 65535
+dnp3_object_header, T, 15364, 6, 0, 65535, 65535
+dnp3_header_block, F, 25605, 10, 68, 3, 4
+dnp3_application_response_header, F, 129, 32768
+dnp3_header_block, T, 25605, 14, 196, 4, 3
+dnp3_application_request_header, T, 2
+dnp3_object_header, T, 20481, 0, 1, 7, 7
+dnp3_object_prefix, T, 0
+dnp3_header_block, F, 25605, 10, 68, 3, 4
+dnp3_application_response_header, F, 129, 0
+dnp3_header_block, T, 25605, 20, 196, 4, 3
+dnp3_application_request_header, T, 1
+dnp3_object_header, T, 15362, 6, 0, 65535, 65535
+dnp3_object_header, T, 15363, 6, 0, 65535, 65535
+dnp3_object_header, T, 15364, 6, 0, 65535, 65535
+dnp3_object_header, T, 15361, 6, 0, 65535, 65535
+dnp3_header_block, F, 25605, 78, 68, 3, 4
+dnp3_application_response_header, F, 129, 0
+dnp3_object_header, F, 257, 0, 6, 0, 5
+dnp3_object_header, F, 522, 2, 4294705410, 17104896, 16843009
+dnp3_object_header, F, 276, 5, 0, 0, 21
+dnp3_object_header, F, 2304, 0, 1, 0, 0
+dnp3_object_prefix, F, 0
+dnp3_debug_byte, F, \0\0\0\x1e^C\0\0^F\xc5\0\0\0\xc7\0\0\0\xc8\0\0\0^A\0\0\0%\x1c\0\0^N\x1c\0\0^P\x1c\0\0
+dnp3_response_data_object, F, 255
+dnp3_header_block, F, 25605, 10, 68, 6, 4
+dnp3_application_response_header, F, 130, 0
+dnp3_header_block, F, 25605, 10, 68, 6, 4
+dnp3_application_response_header, F, 130, 0
+dnp3_header_block, F, 25605, 10, 68, 6, 4
+dnp3_application_response_header, F, 130, 0
+dnp3_header_block, F, 25605, 10, 68, 6, 4
+dnp3_application_response_header, F, 130, 0
+dnp3_header_block, F, 25605, 10, 68, 6, 4
+dnp3_application_response_header, F, 130, 0
+dnp3_header_block, F, 25605, 10, 68, 6, 4
+dnp3_application_response_header, F, 130, 0
+dnp3_header_block, F, 25605, 10, 68, 6, 4
+dnp3_application_response_header, F, 130, 0
+dnp3_header_block, F, 25605, 10, 68, 6, 4
+dnp3_application_response_header, F, 130, 0
+dnp3_header_block, T, 25605, 17, 196, 4, 3
+dnp3_application_request_header, T, 20
+dnp3_object_header, T, 15362, 6, 0, 65535, 65535
+dnp3_object_header, T, 15363, 6, 0, 65535, 65535
+dnp3_object_header, T, 15364, 6, 0, 65535, 65535
+dnp3_header_block, F, 25605, 10, 68, 3, 4
+dnp3_application_response_header, F, 129, 0
+dnp3_header_block, F, 25605, 10, 68, 6, 4
+dnp3_application_response_header, F, 130, 0
+dnp3_header_block, T, 25605, 17, 196, 4, 3
+dnp3_application_request_header, T, 20
+dnp3_object_header, T, 15362, 6, 0, 65535, 65535
+dnp3_object_header, T, 15363, 6, 0, 65535, 65535
+dnp3_object_header, T, 15364, 6, 0, 65535, 65535
+dnp3_header_block, F, 25605, 10, 68, 3, 4
+dnp3_application_response_header, F, 129, 0
+dnp3_header_block, F, 25605, 10, 68, 6, 4
+dnp3_application_response_header, F, 130, 0
+dnp3_header_block, F, 25605, 10, 68, 3, 4
+dnp3_application_response_header, F, 130, 36864
+dnp3_header_block, T, 25605, 8, 196, 4, 3
+dnp3_application_request_header, T, 0
+dnp3_header_block, T, 25605, 17, 196, 4, 3
+dnp3_application_request_header, T, 21
+dnp3_object_header, T, 15362, 6, 0, 65535, 65535
+dnp3_object_header, T, 15363, 6, 0, 65535, 65535
+dnp3_object_header, T, 15364, 6, 0, 65535, 65535
+dnp3_header_block, F, 25605, 10, 68, 3, 4
+dnp3_application_response_header, F, 129, 36864
+dnp3_header_block, T, 25605, 18, 196, 4, 3
+dnp3_application_request_header, T, 2
+dnp3_object_header, T, 12801, 7, 1, 1, 0
+dnp3_object_prefix, T, 0
+dnp3_header_block, F, 25605, 10, 68, 3, 4
+dnp3_application_response_header, F, 129, 32768
+dnp3_header_block, T, 25605, 17, 196, 4, 3
+dnp3_application_request_header, T, 21
+dnp3_object_header, T, 15362, 6, 0, 65535, 65535
+dnp3_object_header, T, 15363, 6, 0, 65535, 65535
+dnp3_object_header, T, 15364, 6, 0, 65535, 65535
+dnp3_header_block, F, 25605, 10, 68, 3, 4
+dnp3_application_response_header, F, 129, 32768
+dnp3_header_block, T, 25605, 18, 196, 4, 3
+dnp3_application_request_header, T, 2
+dnp3_object_header, T, 12801, 7, 1, 1, 0
+dnp3_object_prefix, T, 0
+dnp3_header_block, F, 25605, 10, 68, 3, 4
+dnp3_application_response_header, F, 129, 32768
+dnp3_header_block, T, 25605, 17, 196, 4, 3
+dnp3_application_request_header, T, 21
+dnp3_object_header, T, 15362, 6, 0, 65535, 65535
+dnp3_object_header, T, 15363, 6, 0, 65535, 65535
+dnp3_object_header, T, 15364, 6, 0, 65535, 65535
+dnp3_header_block, F, 25605, 10, 68, 3, 4
+dnp3_application_response_header, F, 129, 32768
+dnp3_header_block, T, 25605, 14, 196, 4, 3
+dnp3_application_request_header, T, 2
+dnp3_object_header, T, 20481, 0, 1, 7, 7
+dnp3_object_prefix, T, 0
+dnp3_header_block, F, 25605, 10, 68, 3, 4
+dnp3_application_response_header, F, 129, 0
+dnp3_header_block, T, 25605, 20, 196, 4, 3
+dnp3_application_request_header, T, 1
+dnp3_object_header, T, 15362, 6, 0, 65535, 65535
+dnp3_object_header, T, 15363, 6, 0, 65535, 65535
+dnp3_object_header, T, 15364, 6, 0, 65535, 65535
+dnp3_object_header, T, 15361, 6, 0, 65535, 65535
+dnp3_header_block, F, 25605, 78, 68, 3, 4
+dnp3_application_response_header, F, 129, 0
+dnp3_object_header, F, 257, 0, 6, 0, 5
+dnp3_object_header, F, 6410, 2, 2155643138, 2164588544, 25264385
+dnp3_object_prefix, F, 0
+dnp3_debug_byte, F, ^A^T^E\0\0\0 \0\0\0^U^I\0\0\0\0\0\0\0\x1e^C\0\0^F\xca\0\0\0\xcb\0\0\0\xc9\0\0\0\xff\xff\xff\xfff!\0\0Y!\0\0K!\0\0
+dnp3_response_data_object, F, 255
+dnp3_header_block, T, 25605, 8, 196, 4, 3
+dnp3_application_request_header, T, 14
+dnp3_header_block, F, 25605, 16, 68, 3, 4
+dnp3_application_response_header, F, 129, 0
+dnp3_object_header, F, 13314, 7, 1, 1, 0
+dnp3_object_prefix, F, 0
+dnp3_response_data_object, F, 255
+dnp3_header_block, T, 25605, 8, 196, 4, 3
+dnp3_application_request_header, T, 14
+dnp3_header_block, F, 25605, 16, 68, 3, 4
+dnp3_application_response_header, F, 129, 0
+dnp3_object_header, F, 13314, 7, 1, 1, 0
+dnp3_object_prefix, F, 0
+dnp3_response_data_object, F, 255
+dnp3_header_block, F, 25605, 10, 68, 3, 4
+dnp3_application_response_header, F, 130, 256
+dnp3_header_block, T, 25605, 17, 196, 65535, 3
+dnp3_application_request_header, T, 21
+dnp3_object_header, T, 15362, 6, 0, 65535, 65535
+dnp3_object_header, T, 15363, 6, 0, 65535, 65535
+dnp3_object_header, T, 15364, 237, 0, 0, 0
+dnp3_header_block, T, 25605, 17, 196, 65535, 3
+dnp3_application_request_header, T, 21
+dnp3_object_header, T, 15362, 6, 0, 65535, 65535
+dnp3_object_header, T, 15363, 6, 0, 65535, 65535
+dnp3_object_header, T, 15364, 237, 0, 0, 0
+dnp3_header_block, F, 25605, 10, 68, 3, 4
+dnp3_application_response_header, F, 130, 4096
+dnp3_header_block, T, 25605, 17, 196, 4, 3
+dnp3_application_request_header, T, 18
+dnp3_object_header, T, 15362, 6, 0, 65535, 65535
+dnp3_object_header, T, 263, 6, 0, 65535, 65535
+dnp3_object_header, T, 15364, 237, 0, 0, 0
+dnp3_header_block, F, 25605, 10, 68, 3, 4
+dnp3_application_response_header, F, 129, 4097
+dnp3_header_block, T, 25605, 17, 196, 4, 3
+dnp3_application_request_header, T, 18
+dnp3_object_header, T, 15362, 6, 0, 65535, 65535
+dnp3_object_header, T, 263, 6, 0, 65535, 65535
+dnp3_object_header, T, 15364, 237, 0, 0, 0
+dnp3_header_block, F, 25605, 10, 68, 3, 4
+dnp3_application_response_header, F, 129, 4097
+dnp3_header_block, F, 25605, 10, 68, 3, 6
+dnp3_application_response_header, F, 130, 38145
+dnp3_header_block, T, 25605, 17, 196, 65535, 3
+dnp3_application_request_header, T, 18
+dnp3_object_header, T, 15362, 6, 0, 65535, 65535
+dnp3_object_header, T, 263, 6, 0, 65535, 65535
+dnp3_object_header, T, 15364, 237, 0, 0, 0
+dnp3_header_block, T, 25605, 17, 196, 65535, 3
+dnp3_application_request_header, T, 18
+dnp3_object_header, T, 15362, 6, 0, 65535, 65535
+dnp3_object_header, T, 263, 6, 0, 65535, 65535
+dnp3_object_header, T, 15364, 237, 0, 0, 0
+dnp3_header_block, T, 25605, 17, 196, 4, 3
+dnp3_application_request_header, T, 1
+dnp3_object_header, T, 15362, 6, 0, 65535, 65535
+dnp3_object_header, T, 15363, 6, 0, 65535, 65535
+dnp3_object_header, T, 15364, 6, 0, 65535, 65535
+dnp3_header_block, F, 25605, 10, 68, 3, 4
+dnp3_application_response_header, F, 129, 0
+dnp3_header_block, T, 25605, 26, 196, 4, 3
+dnp3_application_request_header, T, 3
+dnp3_object_header, T, 3073, 40, 1, 256, 0
+dnp3_object_prefix, T, 34463
+dnp3_crob, T, 3, 1, 100, 100, 0
+dnp3_header_block, F, 25605, 28, 68, 3, 4
+dnp3_application_response_header, F, 129, 4
+dnp3_object_header, F, 3073, 40, 1, 256, 0
+dnp3_object_prefix, F, 34463
+dnp3_crob, F, 3, 1, 100, 100, 4
+dnp3_response_data_object, F, 255
+dnp3_header_block, T, 25605, 26, 196, 4, 3
+dnp3_application_request_header, T, 3
+dnp3_object_header, T, 3073, 40, 1, 256, 0
+dnp3_object_prefix, T, 34463
+dnp3_crob, T, 3, 1, 100, 100, 0
+dnp3_header_block, F, 25605, 28, 68, 3, 4
+dnp3_application_response_header, F, 129, 4
+dnp3_object_header, F, 3073, 40, 1, 256, 0
+dnp3_object_prefix, F, 34463
+dnp3_crob, F, 3, 1, 100, 100, 4
+dnp3_response_data_object, F, 255
+dnp3_header_block, T, 25605, 26, 196, 4, 3
+dnp3_application_request_header, T, 3
+dnp3_object_header, T, 3073, 40, 1, 256, 0
+dnp3_object_prefix, T, 34463
+dnp3_crob, T, 3, 1, 100, 100, 0
+dnp3_header_block, F, 25605, 28, 68, 3, 4
+dnp3_application_response_header, F, 129, 4
+dnp3_object_header, F, 3073, 40, 1, 256, 0
+dnp3_object_prefix, F, 34463
+dnp3_crob, F, 3, 1, 100, 100, 4
+dnp3_response_data_object, F, 255
+dnp3_header_block, T, 25605, 26, 196, 4, 3
+dnp3_application_request_header, T, 3
+dnp3_object_header, T, 3073, 40, 1, 256, 0
+dnp3_object_prefix, T, 34463
+dnp3_crob, T, 3, 1, 100, 100, 0
+dnp3_header_block, F, 25605, 28, 68, 3, 4
+dnp3_application_response_header, F, 129, 4
+dnp3_object_header, F, 3073, 40, 1, 256, 0
+dnp3_object_prefix, F, 34463
+dnp3_crob, F, 3, 1, 100, 100, 4
+dnp3_response_data_object, F, 255
+dnp3_header_block, T, 25605, 26, 196, 4, 3
+dnp3_application_request_header, T, 3
+dnp3_object_header, T, 3073, 40, 1, 256, 0
+dnp3_object_prefix, T, 34463
+dnp3_crob, T, 3, 1, 100, 100, 0
+dnp3_header_block, F, 25605, 28, 68, 3, 4
+dnp3_application_response_header, F, 129, 4
+dnp3_object_header, F, 3073, 40, 1, 256, 0
+dnp3_object_prefix, F, 34463
+dnp3_crob, F, 3, 1, 100, 100, 4
+dnp3_response_data_object, F, 255
+dnp3_header_block, T, 25605, 11, 196, 4, 3
+dnp3_application_request_header, T, 1
+dnp3_object_header, T, 65280, 6, 0, 65535, 65535
+dnp3_header_block, F, 25605, 10, 68, 3, 4
+dnp3_application_response_header, F, 129, 6
+dnp3_header_block, T, 25605, 11, 196, 4, 3
+dnp3_application_request_header, T, 1
+dnp3_object_header, T, 65280, 6, 0, 65535, 65535
+dnp3_header_block, F, 25605, 10, 68, 3, 4
+dnp3_application_response_header, F, 129, 6
+dnp3_header_block, T, 25605, 11, 196, 4, 3
+dnp3_application_request_header, T, 1
+dnp3_object_header, T, 65280, 6, 0, 65535, 65535
+dnp3_header_block, F, 25605, 10, 68, 3, 4
+dnp3_application_response_header, F, 129, 6
+dnp3_header_block, T, 25605, 11, 196, 4, 3
+dnp3_application_request_header, T, 1
+dnp3_object_header, T, 65280, 6, 0, 65535, 65535
+dnp3_header_block, F, 25605, 10, 68, 3, 4
+dnp3_application_response_header, F, 129, 6
+dnp3_header_block, T, 25605, 11, 196, 4, 3
+dnp3_application_request_header, T, 1
+dnp3_object_header, T, 65280, 6, 0, 65535, 65535
+dnp3_header_block, F, 25605, 10, 68, 3, 4
+dnp3_application_response_header, F, 129, 6

testing/btest/scripts/base/protocols/dnp3/dnp3_del_measure.bro

@@ -0,0 +1,9 @@
+#
+# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_del_measure.pcap %DIR/events.bro >output
+# @TEST-EXEC: btest-diff output
+# @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered
+# @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif  | grep "^event dnp3_" | wc -l >total
+# @TEST-EXEC: echo `cat covered` of `cat total` events triggered by trace >coverage
+# @TEST-EXEC: btest-diff coverage
+# @TEST-EXEC: btest-diff dnp3.log
+#

testing/btest/scripts/base/protocols/dnp3/dnp3_en_spon.bro

@@ -0,0 +1,9 @@
+#
+# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_en_spon.pcap %DIR/events.bro >output
+# @TEST-EXEC: btest-diff output
+# @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered
+# @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif  | grep "^event dnp3_" | wc -l >total
+# @TEST-EXEC: echo `cat covered` of `cat total` events triggered by trace >coverage
+# @TEST-EXEC: btest-diff coverage
+# @TEST-EXEC: btest-diff dnp3.log
+#

testing/btest/scripts/base/protocols/dnp3/dnp3_file_del.bro

@@ -0,0 +1,9 @@
+#
+# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_file_del.pcap %DIR/events.bro >output
+# @TEST-EXEC: btest-diff output
+# @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered
+# @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif  | grep "^event dnp3_" | wc -l >total
+# @TEST-EXEC: echo `cat covered` of `cat total` events triggered by trace >coverage
+# @TEST-EXEC: btest-diff coverage
+# @TEST-EXEC: btest-diff dnp3.log
+#

testing/btest/scripts/base/protocols/dnp3/dnp3_file_read.bro

@@ -0,0 +1,9 @@
+#
+# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_file_read.pcap %DIR/events.bro >output
+# @TEST-EXEC: btest-diff output
+# @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered
+# @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif  | grep "^event dnp3_" | wc -l >total
+# @TEST-EXEC: echo `cat covered` of `cat total` events triggered by trace >coverage
+# @TEST-EXEC: btest-diff coverage
+# @TEST-EXEC: btest-diff dnp3.log
+#

testing/btest/scripts/base/protocols/dnp3/dnp3_file_write.bro

@@ -0,0 +1,9 @@
+#
+# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_file_write.pcap %DIR/events.bro >output
+# @TEST-EXEC: btest-diff output
+# @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered
+# @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif  | grep "^event dnp3_" | wc -l >total
+# @TEST-EXEC: echo `cat covered` of `cat total` events triggered by trace >coverage
+# @TEST-EXEC: btest-diff coverage
+# @TEST-EXEC: btest-diff dnp3.log
+#

testing/btest/scripts/base/protocols/dnp3/dnp3_link_only.bro

@@ -0,0 +1,8 @@
+#
+# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_link_only.pcap %DIR/events.bro >output
+# @TEST-EXEC: btest-diff output
+# @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered
+# @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif  | grep "^event dnp3_" | wc -l >total
+# @TEST-EXEC: echo `cat covered` of `cat total` events triggered by trace >coverage
+# @TEST-EXEC: btest-diff coverage
+#

testing/btest/scripts/base/protocols/dnp3/dnp3_read.bro

@@ -0,0 +1,9 @@
+#
+# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_read.pcap %DIR/events.bro >output
+# @TEST-EXEC: btest-diff output
+# @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered
+# @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif  | grep "^event dnp3_" | wc -l >total
+# @TEST-EXEC: echo `cat covered` of `cat total` events triggered by trace >coverage
+# @TEST-EXEC: btest-diff coverage
+# @TEST-EXEC: btest-diff dnp3.log
+#

testing/btest/scripts/base/protocols/dnp3/dnp3_rec_time.bro

@@ -0,0 +1,9 @@
+#
+# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_rec_time.pcap %DIR/events.bro >output
+# @TEST-EXEC: btest-diff output
+# @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered
+# @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif  | grep "^event dnp3_" | wc -l >total
+# @TEST-EXEC: echo `cat covered` of `cat total` events triggered by trace >coverage
+# @TEST-EXEC: btest-diff coverage
+# @TEST-EXEC: btest-diff dnp3.log
+#

testing/btest/scripts/base/protocols/dnp3/dnp3_select_operate.bro

@@ -0,0 +1,9 @@
+#
+# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_select_operate.pcap %DIR/events.bro >output
+# @TEST-EXEC: btest-diff output
+# @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered
+# @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif  | grep "^event dnp3_" | wc -l >total
+# @TEST-EXEC: echo `cat covered` of `cat total` events triggered by trace >coverage
+# @TEST-EXEC: btest-diff coverage
+# @TEST-EXEC: btest-diff dnp3.log
+#

testing/btest/scripts/base/protocols/dnp3/dnp3_write.bro

@@ -0,0 +1,9 @@
+#
+# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_write.pcap %DIR/events.bro >output
+# @TEST-EXEC: btest-diff output
+# @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered
+# @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif  | grep "^event dnp3_" | wc -l >total
+# @TEST-EXEC: echo `cat covered` of `cat total` events triggered by trace >coverage
+# @TEST-EXEC: btest-diff coverage
+# @TEST-EXEC: btest-diff dnp3.log
+#

testing/btest/scripts/base/protocols/dnp3/events.bro

@@ -0,0 +1,266 @@
+#
+# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3.trace %INPUT >output
+# @TEST-EXEC: btest-diff output
+# @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered
+# @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif  | grep "^event dnp3_" | wc -l >total
+# @TEST-EXEC: echo `cat covered` of `cat total` events triggered by trace >coverage
+# @TEST-EXEC: btest-diff coverage
+# @TEST-EXEC: btest-diff dnp3.log
+#
+event dnp3_application_request_header(c: connection, is_orig: bool, fc: count)
+	{
+	print "dnp3_application_request_header", is_orig, fc;
+	}
+
+event dnp3_application_response_header(c: connection, is_orig: bool, fc: count, iin: count)
+	{
+	print "dnp3_application_response_header", is_orig, fc, iin;
+	}
+
+event dnp3_object_header(c: connection, is_orig: bool, obj_type: count, qua_field: count, number: count, rf_low: count, rf_high: count)
+	{
+	print "dnp3_object_header", is_orig, obj_type, qua_field, number, rf_low, rf_high;
+	}
+
+event dnp3_object_prefix(c: connection, is_orig: bool, prefix_value: count)
+	{
+	print "dnp3_object_prefix", is_orig, prefix_value;
+	}
+
+event dnp3_header_block(c: connection, is_orig: bool, start: count, len: count, ctrl: count, dest_addr: count, src_addr: count)
+	{
+	print "dnp3_header_block", is_orig, start, len, ctrl, dest_addr, src_addr;
+	}
+
+event dnp3_response_data_object(c: connection, is_orig: bool, data_value: count)
+	{
+	print "dnp3_response_data_object", is_orig, data_value;
+	}
+
+event dnp3_attribute_common(c: connection, is_orig: bool, data_type_code: count, leng: count, attribute_obj: string)
+	{
+        print "dnp3_attribute_common", is_orig, data_type_code, leng, attribute_obj;
+	}
+
+event dnp3_crob(c: connection, is_orig: bool, control_code: count, count8: count, on_time: count, off_time: count, status_code: count)
+	{
+	print "dnp3_crob", is_orig, control_code, count8, on_time, off_time, status_code;
+	}
+
+event dnp3_pcb(c: connection, is_orig: bool, control_code: count, count8: count, on_time: count, off_time: count, status_code: count)
+	{
+	print "dnp3_pcb", is_orig, control_code, count8, on_time, off_time, status_code;
+	}
+
+event dnp3_counter_32wFlag(c: connection, is_orig: bool, flag: count, count_value: count)
+	{
+	print "dnp3_counter_32wFlag", is_orig, flag, count_value;
+	}
+
+event dnp3_counter_16wFlag(c: connection, is_orig: bool, flag: count, count_value: count)
+	{
+	print "dnp3_counter_16wFlag", is_orig, flag, count_value;
+	}
+
+event dnp3_counter_32woFlag(c: connection, is_orig: bool, count_value: count)
+	{
+	print "dnp3_counter_32woFlag", is_orig, count_value;
+	}
+
+event dnp3_counter_16woFlag(c: connection, is_orig: bool, count_value: count)
+	{
+	print "dnp3_counter_16woFlag", is_orig, count_value;
+	}
+
+event dnp3_frozen_counter_32wFlag(c: connection, is_orig: bool, flag:count, count_value: count)
+	{
+	print "dnp3_frozen_counter_32wFlag", is_orig, flag;
+	}
+
+event dnp3_frozen_counter_16wFlag(c: connection, is_orig: bool, flag:count, count_value: count)
+	{
+	print "dnp3_frozen_counter_16wFlag", is_orig, flag;
+	}
+
+event dnp3_frozen_counter_32wFlagTime(c: connection, is_orig: bool, flag:count, count_value: count, time48: string)
+	{
+	print "dnp3_frozen_counter_32wFlagTime", is_orig, flag;
+	}
+
+event dnp3_frozen_counter_16wFlagTime(c: connection, is_orig: bool, flag:count, count_value: count, time48: string)
+	{
+	print "dnp3_frozen_counter_16wFlagTime", is_orig, flag;
+	}
+
+event dnp3_frozen_counter_32woFlag(c: connection, is_orig: bool, count_value: count)
+	{
+	print "dnp3_frozen_counter_32woFlag", is_orig, count_value;
+	}	
+
+event dnp3_frozen_counter_16woFlag(c: connection, is_orig: bool, count_value: count)
+	{
+	print "dnp3_frozen_counter_16woFlag", is_orig, count_value;
+	}
+
+event dnp3_analog_input_32wFlag(c: connection, is_orig: bool, flag: count, value: count)
+	{
+	print "dnp3_analog_input_32wFlag", is_orig, flag, value;
+	}
+
+event dnp3_analog_input_16wFlag(c: connection, is_orig: bool, flag: count, value: count)
+	{
+	print "dnp3_analog_input_16wFlag", is_orig, flag, value;
+	}
+
+event dnp3_analog_input_32woFlag(c: connection, is_orig: bool, value: count)
+	{
+	print "dnp3_analog_input_32woFlag", is_orig, value;
+	}
+
+event dnp3_analog_input_16woFlag(c: connection, is_orig: bool, value: count)
+	{
+	print "dnp3_analog_input_16woFlag", is_orig, value;
+	}
+
+event dnp3_analog_input_SPwFlag(c: connection, is_orig: bool, flag: count, value: count)
+	{
+	print "dnp3_analog_input_SPwFlag", is_orig, flag, value;
+	}
+
+event dnp3_analog_input_DPwFlag(c: connection, is_orig: bool, flag: count, value_low: count, value_high: count)
+	{
+	print "dnp3_analog_input_DPwFlag", is_orig, flag, value_low, value_high;
+	}
+
+event dnp3_frozen_analog_input_32wFlag(c: connection, is_orig: bool, flag: count, frozen_value: count)
+	{
+	print "dnp3_frozen_analog_input_32wFlag", is_orig, flag, frozen_value;
+	}
+
+event dnp3_frozen_analog_input_16wFlag(c: connection, is_orig: bool, flag: count, frozen_value: count)
+	{
+	print "dnp3_frozen_analog_input_16wFlag", is_orig, flag, frozen_value;
+	}
+
+event dnp3_frozen_analog_input_32wTime(c: connection, is_orig: bool, flag: count, frozen_value: count, time48: string)
+	{
+	print "dnp3_frozen_analog_input_32wTime", is_orig, flag, frozen_value, time48;
+	}
+
+event dnp3_frozen_analog_input_16wTime(c: connection, is_orig: bool, flag: count, frozen_value: count, time48: string)
+	{
+	print "dnp3_frozen_analog_input_16wTime", is_orig, flag, frozen_value, time48;
+	}
+
+event dnp3_frozen_analog_input_32woFlag(c: connection, is_orig: bool, frozen_value: count)
+	{
+	print "dnp3_frozen_analog_input_32woFlag", is_orig, frozen_value;
+	}
+
+event dnp3_frozen_analog_input_16woFlag(c: connection, is_orig: bool, frozen_value: count)
+	{
+	print "dnp3_frozen_analog_input_16woFlag", is_orig, frozen_value;
+	}
+
+event dnp3_frozen_analog_input_SPwFlag(c: connection, is_orig: bool, flag: count, frozen_value: count)
+	{
+	print "dnp3_frozen_analog_input_SPwFlag", is_orig, flag, frozen_value;
+	}
+
+event dnp3_frozen_analog_input_DPwFlag(c: connection, is_orig: bool, flag: count, frozen_value_low: count, frozen_value_high: count)
+	{
+	print "dnp3_frozen_analog_input_DPwFlag", is_orig, flag, frozen_value_low, frozen_value_high;
+	}
+
+event dnp3_analog_input_event_32woTime(c: connection, is_orig: bool, flag: count, value: count)
+	{
+	print "dnp3_analog_input_event_32woTime", is_orig, flag, value;
+	}
+
+event dnp3_analog_input_event_16woTime(c: connection, is_orig: bool, flag: count, value: count)
+	{
+	print "dnp3_analog_input_event_16woTime", is_orig, flag, value;
+	}
+
+event dnp3_analog_input_event_32wTime(c: connection, is_orig: bool, flag: count, value: count, time48: string)
+	{
+	print "dnp3_analog_input_event_32wTime", is_orig, flag, value, time48;
+	}
+
+event dnp3_analog_input_16wTime(c: connection, is_orig: bool, flag: count, value: count, time48: string)
+	{
+	print "dnp3_analog_input_event_16wTime", is_orig, flag, value, time48;
+	}
+
+event dnp3_analog_inputSP_woTime(c: connection, is_orig: bool, flag: count, value: count)
+	{
+	print "dnp3_analog_input_event_SPwoTime", is_orig, flag, value;
+	}
+
+event dnp3_analog_inputDP_woTime(c: connection, is_orig: bool, flag: count, value_low: count, value_high: count)
+	{
+	print "dnp3_analog_input_event_DPwoTime", is_orig, flag, value_low, value_high;
+	}
+
+event dnp3_analog_inputSP_wTime(c: connection, is_orig: bool, flag: count, value: count, time48: string)
+	{
+	print "dnp3_analog_input_event_SPwTime", is_orig, flag, value, time48;
+	}
+
+event dnp3_analog_inputDP_wTime(c: connection, is_orig: bool, flag: count, value_low: count, value_high: count, time48: string)
+	{
+	print "dnp3_analog_input_event_DPwTime", is_orig, flag, value_low, value_high, time48;
+	}
+
+event dnp3_frozen_analog_input_event_32woTime(c: connection, is_orig: bool, flag: count, frozen_value: count)
+	{
+	print "dnp3_frozen_analog_input_event_32woTime", is_orig, flag, frozen_value;
+	}
+
+event dnp3_frozen_analog_input_event_16woTime(c: connection, is_orig: bool, flag: count, frozen_value: count)
+	{
+	print "dnp3_frozen_analog_input_event_16woTime", is_orig, flag, frozen_value;
+	}
+
+event dnp3_frozen_analog_input_event_32wTime(c: connection, is_orig: bool, flag: count, frozen_value: count, time48: string)
+	{
+	print "dnp3_frozen_analog_input_event_32wTime", is_orig, flag, frozen_value, time48;
+	}
+
+event dnp3_frozen_analog_input_event_16wTime(c: connection, is_orig: bool, flag: count, frozen_value: count, time48: string)
+	{
+	print "dnp3_frozen_analog_input_event_16wTime", is_orig, flag, frozen_value, time48;
+	}
+
+event dnp3_frozen_analog_input_event_SPwoTime(c: connection, is_orig: bool, flag: count, frozen_value: count)
+	{
+	print "dnp3_frozen_analog_input_event_SPwoTime", is_orig, flag, frozen_value;
+	}
+
+event dnp3_frozen_analog_input_event_DPwoTime(c: connection, is_orig: bool, flag: count, frozen_value_low: count, frozen_value_high: count)
+	{
+	print "dnp3_frozen_analog_input_event_DPwoTime", is_orig, flag, frozen_value_low, frozen_value_high;
+	}
+
+event dnp3_frozen_analog_input_event_SPwTime(c: connection, is_orig: bool, flag: count, frozen_value: count, time48: string)
+	{
+	print "dnp3_frozen_analog_inputeventSP_wTime", is_orig, flag, frozen_value, time48;
+	}
+
+event dnp3_frozen_analog_input_event_DPwTime(c: connection, is_orig: bool, flag: count, frozen_value_low: count, frozen_value_high: count, time48: string)
+	{
+	print "dnp3_frozen_analog_inputeventDP_wTime", is_orig, flag, frozen_value_low, frozen_value_high, time48;
+	}
+
+event dnp3_file_transport(c: connection, is_orig: bool, file_handle: count, block_num: count, file_data: string)
+	{
+        print "dnp3_file_transport", is_orig, file_handle, block_num;
+        print hexdump(file_data);
+	}
+
+event dnp3_debug_byte(c: connection, is_orig: bool, debug: string)
+{
+	print "dnp3_debug_byte", is_orig, debug;
+}
+
+