add test trace in which DNP3 packets are over UDP; update test scripts and baseline results
This commit is contained in:
parent
ded592868c
commit
794273913f
27 changed files with 4153 additions and 7 deletions
|
@ -1 +1 @@
|
||||||
Subproject commit 4e5969f5a40f5cc192a751375cb61131d32c0fc1
|
Subproject commit 77a86591dcf89d7252d3676d3f1199d6c927d073
|
|
@ -1 +1 @@
|
||||||
Subproject commit 181f084432e277f899140647d9b788059b3cccb1
|
Subproject commit 977654dc51ab08a2afde32241f108cdb4a581d8f
|
|
@ -1 +1 @@
|
||||||
Subproject commit 6be54279bb7ecb5e03d8bcdc7660d323dc4de1bc
|
Subproject commit acb8fbe8e7bc6ace5135fb73dca8e29432cdc1ca
|
|
@ -1 +1 @@
|
||||||
Subproject commit f0e0efda05e4b20924efc1b826ad5d85c8b65f83
|
Subproject commit 39e865dec9611b9b53b609cbc8df519cebae0a1e
|
|
@ -1 +1 @@
|
||||||
Subproject commit 6de518922e5f89d52d831ea6fb6adb7fff94437e
|
Subproject commit ad600b5bdcd56a2723e323c0f2c8e1708956ca4f
|
2
cmake
2
cmake
|
@ -1 +1 @@
|
||||||
Subproject commit aa15263ae39667e5e9bd73690b05aa4af9147ca3
|
Subproject commit 1316c07f7059647b6c4a496ea36e4b83bb5d8f0f
|
|
@ -31,7 +31,7 @@ redef record connection += {
|
||||||
dnp3: Info &optional;
|
dnp3: Info &optional;
|
||||||
};
|
};
|
||||||
|
|
||||||
const ports = { 20000/tcp };
|
const ports = { 20000/tcp , 20000/udp };
|
||||||
redef likely_server_ports += { ports };
|
redef likely_server_ports += { ports };
|
||||||
|
|
||||||
event bro_init() &priority=5
|
event bro_init() &priority=5
|
||||||
|
|
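Review bot: The new set literal `const ports = { 20000/tcp , 20000/udp };` has a stray space before the comma; the usual spelling is `const ports = { 20000/tcp, 20000/udp };`. Whether the analyzer is actually registered for the UDP entry depends on the body of `event bro_init() &priority=5`, which continues outside the hunk; the dnp3_udp baselines added in this commit do show events for the UDP traces, so it is presumably wired up there, but the set itself carries no hint that DNP3 can arrive over either transport. A short comment above the set would help the next reader: `# DNP3 outstations listen on 20000 over both TCP and UDP; both are registered for the analyzer and marked as likely server ports.`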
|
@ -0,0 +1 @@
|
||||||
|
4 of 51 events triggered by trace
|
|
@ -0,0 +1,10 @@
|
||||||
|
#separator \x09
|
||||||
|
#set_separator ,
|
||||||
|
#empty_field (empty)
|
||||||
|
#unset_field -
|
||||||
|
#path dnp3
|
||||||
|
#open 2015-01-07-21-02-21
|
||||||
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fc_request fc_reply iin
|
||||||
|
#types time string addr port addr port string string count
|
||||||
|
1420058797.673799 CXWv6p3arKYeMETxOg 192.168.80.160 1128 192.168.80.12 20000 ENABLE_UNSOLICITED RESPONSE 1
|
||||||
|
#close 2015-01-07-21-02-21
|
|
@ -0,0 +1,7 @@
|
||||||
|
dnp3_header_block, T, 25605, 17, 196, 1, 100
|
||||||
|
dnp3_application_request_header, T, 207, 20
|
||||||
|
dnp3_object_header, T, 15362, 6, 0, 65535, 65535
|
||||||
|
dnp3_object_header, T, 15363, 6, 0, 65535, 65535
|
||||||
|
dnp3_object_header, T, 15364, 6, 0, 65535, 65535
|
||||||
|
dnp3_header_block, F, 25605, 10, 68, 100, 1
|
||||||
|
dnp3_application_response_header, F, 207, 129, 1
|
|
@ -0,0 +1 @@
|
||||||
|
7 of 51 events triggered by trace
|
|
@ -0,0 +1,11 @@
|
||||||
|
#separator \x09
|
||||||
|
#set_separator ,
|
||||||
|
#empty_field (empty)
|
||||||
|
#unset_field -
|
||||||
|
#path dnp3
|
||||||
|
#open 2015-01-07-21-02-12
|
||||||
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fc_request fc_reply iin
|
||||||
|
#types time string addr port addr port string string count
|
||||||
|
1420058427.969342 CXWv6p3arKYeMETxOg 192.168.80.160 1128 192.168.80.12 20000 READ RESPONSE 36864
|
||||||
|
1420058427.972303 CXWv6p3arKYeMETxOg 192.168.80.160 1128 192.168.80.12 20000 - RESPONSE 36864
|
||||||
|
#close 2015-01-07-21-02-12
|
|
@ -0,0 +1 @@
|
||||||
|
7 of 51 events triggered by trace
|
|
@ -0,0 +1,12 @@
|
||||||
|
#separator \x09
|
||||||
|
#set_separator ,
|
||||||
|
#empty_field (empty)
|
||||||
|
#unset_field -
|
||||||
|
#path dnp3
|
||||||
|
#open 2015-01-07-21-02-26
|
||||||
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fc_request fc_reply iin
|
||||||
|
#types time string addr port addr port string string count
|
||||||
|
1420058517.353161 CXWv6p3arKYeMETxOg 192.168.80.160 1128 192.168.80.12 20000 SELECT RESPONSE 36864
|
||||||
|
1420058517.467502 CXWv6p3arKYeMETxOg 192.168.80.160 1128 192.168.80.12 20000 OPERATE RESPONSE 36864
|
||||||
|
1420058517.574061 CXWv6p3arKYeMETxOg 192.168.80.160 1128 192.168.80.12 20000 READ RESPONSE 36864
|
||||||
|
#close 2015-01-07-21-02-26
|
|
@ -0,0 +1 @@
|
||||||
|
5 of 51 events triggered by trace
|
|
@ -0,0 +1,10 @@
|
||||||
|
#separator \x09
|
||||||
|
#set_separator ,
|
||||||
|
#empty_field (empty)
|
||||||
|
#unset_field -
|
||||||
|
#path dnp3
|
||||||
|
#open 2015-01-07-21-02-34
|
||||||
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fc_request fc_reply iin
|
||||||
|
#types time string addr port addr port string string count
|
||||||
|
1420058753.490949 CXWv6p3arKYeMETxOg 192.168.80.160 1128 192.168.80.12 20000 WRITE RESPONSE 0
|
||||||
|
#close 2015-01-07-21-02-34
|
|
@ -0,0 +1,6 @@
|
||||||
|
dnp3_header_block, T, 25605, 14, 196, 1, 100
|
||||||
|
dnp3_application_request_header, T, 206, 2
|
||||||
|
dnp3_object_header, T, 20481, 0, 1, 7, 7
|
||||||
|
dnp3_object_prefix, T, 0
|
||||||
|
dnp3_header_block, F, 25605, 10, 68, 100, 1
|
||||||
|
dnp3_application_response_header, F, 206, 129, 0
|
BIN
testing/btest/Traces/dnp3/dnp3_udp_en_spon.pcap
Executable file
BIN
testing/btest/Traces/dnp3/dnp3_udp_en_spon.pcap
Executable file
Binary file not shown.
BIN
testing/btest/Traces/dnp3/dnp3_udp_read.pcap
Executable file
BIN
testing/btest/Traces/dnp3/dnp3_udp_read.pcap
Executable file
Binary file not shown.
BIN
testing/btest/Traces/dnp3/dnp3_udp_select_operate.pcap
Executable file
BIN
testing/btest/Traces/dnp3/dnp3_udp_select_operate.pcap
Executable file
Binary file not shown.
BIN
testing/btest/Traces/dnp3/dnp3_udp_write.pcap
Executable file
BIN
testing/btest/Traces/dnp3/dnp3_udp_write.pcap
Executable file
Binary file not shown.
|
@ -0,0 +1,9 @@
|
||||||
|
#
|
||||||
|
# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_udp_en_spon.pcap %DIR/events.bro >output
|
||||||
|
# @TEST-EXEC: btest-diff output
|
||||||
|
# @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered
|
||||||
|
# @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif | grep "^event dnp3_" | wc -l >total
|
||||||
|
# @TEST-EXEC: echo `cat covered` of `cat total` events triggered by trace >coverage
|
||||||
|
# @TEST-EXEC: btest-diff coverage
|
||||||
|
# @TEST-EXEC: btest-diff dnp3.log
|
||||||
|
#
|
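Review bot: The coverage pipeline on the third @TEST-EXEC line, `cat output | awk '{print $1}' | sort | uniq | wc -l >covered`, spawns two processes it does not need; `awk '{print $1}' output | sort -u | wc -l >covered` computes the same count. The same applies to the `cat ${DIST}/... | grep "^event dnp3_" | wc -l >total` line, which can be `grep -c "^event dnp3_" ${DIST}/src/analyzer/protocol/dnp3/events.bif >total`. The three other new scripts in this commit (dnp3_udp_read, dnp3_udp_select_operate, dnp3_udp_write) repeat both lines verbatim and differ only in the trace name, so the same cleanup applies to each.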
|
@ -0,0 +1,9 @@
|
||||||
|
#
|
||||||
|
# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_udp_read.pcap %DIR/events.bro >output
|
||||||
|
# @TEST-EXEC: btest-diff output
|
||||||
|
# @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered
|
||||||
|
# @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif | grep "^event dnp3_" | wc -l >total
|
||||||
|
# @TEST-EXEC: echo `cat covered` of `cat total` events triggered by trace >coverage
|
||||||
|
# @TEST-EXEC: btest-diff coverage
|
||||||
|
# @TEST-EXEC: btest-diff dnp3.log
|
||||||
|
#
|
|
@ -0,0 +1,9 @@
|
||||||
|
#
|
||||||
|
# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_udp_select_operate.pcap %DIR/events.bro >output
|
||||||
|
# @TEST-EXEC: btest-diff output
|
||||||
|
# @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered
|
||||||
|
# @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif | grep "^event dnp3_" | wc -l >total
|
||||||
|
# @TEST-EXEC: echo `cat covered` of `cat total` events triggered by trace >coverage
|
||||||
|
# @TEST-EXEC: btest-diff coverage
|
||||||
|
# @TEST-EXEC: btest-diff dnp3.log
|
||||||
|
#
|
|
@ -0,0 +1,9 @@
|
||||||
|
#
|
||||||
|
# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_udp_write.pcap %DIR/events.bro >output
|
||||||
|
# @TEST-EXEC: btest-diff output
|
||||||
|
# @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered
|
||||||
|
# @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif | grep "^event dnp3_" | wc -l >total
|
||||||
|
# @TEST-EXEC: echo `cat covered` of `cat total` events triggered by trace >coverage
|
||||||
|
# @TEST-EXEC: btest-diff coverage
|
||||||
|
# @TEST-EXEC: btest-diff dnp3.log
|
||||||
|
#
|