
Enip rust 3958 v6 #9940

Closed
wants to merge 3 commits into from

Conversation

catenacyber
Contributor

Link to redmine ticket:
https://redmine.openinfosecfoundation.org/issues/3958

Describe changes:

  • convert enip parser to rust
  • integer keywords now support hexadecimal notation

Along the way, also

  • enip_command keyword now accepts string enumerations as values.
  • transactions are now bidirectional
  • there is an enip logger
  • gap support is improved with probing for resync
  • SEQUENCE_ADDR_ITEM value is fixed to 0x8002 instead of 0xB002
  • frames
  • events

#9937 +

  • new keywords: enip.capabilities, enip.cip_attribute, enip.cip_class, enip.cip_instance, enip.cip_status, enip.cip_extendedstatus
  • frames for enip items
  • frames for TCP
  • also take first attribute in set attribute list

This is complete but missing S-V tests

Provide values to any of the below to override the defaults.

SV_BRANCH=pr/1485

OISF/suricata-verify#1485

So that we can write enip.revision: 0x203
Ticket: 3958

- enip_command keyword now accepts string enumerations as values.
- transactions are now bidirectional
- there is a logger
- gap support is improved with probing for resync
- SEQUENCE_ADDR_ITEM value is fixed to 0x8002 instead of 0xB002
- frames support
- app-layer events
- add enip.status keyword
- add identity keywords:
    enip.product_name, enip.protocol_version, enip.revision,
    enip.identity_status, enip.state, enip.serial, enip.product_code,
    enip.device_type, enip.vendor_id, enip.capabilities,
    enip.cip_attribute, enip.cip_class, enip.cip_instance,
    enip.cip_status, enip.cip_extendedstatus
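The description says integer keywords now accept hexadecimal notation, and the commit message gives the motivating form `enip.revision: 0x203`. The example below is added here and is not Suricata's or the PR's code: it parses such a keyword value (decimal or 0x hex) and matches it against a decoded value. The operator set (`<`, `<=`, `>`, `>=`, `!`, `=`, `a<>b` exclusive range) is an assumption modelled on Suricata's generic integer keyword syntax.

```rust
// Added example, not Suricata's own code: parse the value of an integer
// keyword such as `enip.revision: 0x203`, accepting decimal or 0x hex.
// The operator set (<, <=, >, >=, !, =, a<>b) is assumed from Suricata's
// generic integer keyword syntax; nothing here is taken from the PR.
#[derive(Debug, PartialEq)]
pub enum UintMode {
    Eq(u16), Ne(u16), Lt(u16), Le(u16), Gt(u16), Ge(u16),
    Range(u16, u16), // exclusive on both ends, like "a<>b"
}
/// Parse one integer literal, decimal ("515") or hexadecimal ("0x203").
fn parse_u16(s: &str) -> Option<u16> {
    let s = s.trim();
    match s.strip_prefix("0x").or_else(|| s.strip_prefix("0X")) {
        Some(hex) => u16::from_str_radix(hex, 16).ok(),
        None => s.parse::<u16>().ok(),
    }
}

/// Parse a keyword value like "0x203", ">=512", "!0x1" or "0x200<>0x300".
/// Returns None on malformed input so the rule is rejected at load time.
pub fn parse_uint_mode(input: &str) -> Option<UintMode> {
    let s = input.trim();
    if let Some((lo, hi)) = s.split_once("<>") {
        let (lo, hi) = (parse_u16(lo)?, parse_u16(hi)?);
        // An exclusive range must leave at least one value strictly inside.
        return (lo.saturating_add(1) < hi).then(|| UintMode::Range(lo, hi));
    }
    // Two-character operators are tried before their one-character prefixes.
    let ops: [(&str, fn(u16) -> UintMode); 6] = [
        ("<=", UintMode::Le), (">=", UintMode::Ge), ("<", UintMode::Lt),
        (">", UintMode::Gt), ("!", UintMode::Ne), ("=", UintMode::Eq),
    ];
    for (op, ctor) in ops {
        if let Some(rest) = s.strip_prefix(op) {
            return parse_u16(rest).map(ctor);
        }
    }
    parse_u16(s).map(UintMode::Eq)
}

/// Evaluate a parsed mode against a value decoded from traffic.
pub fn uint_matches(mode: &UintMode, v: u16) -> bool {
    match *mode {
        UintMode::Eq(x) => v == x,
        UintMode::Ne(x) => v != x,
        UintMode::Lt(x) => v < x,
        UintMode::Le(x) => v <= x,
        UintMode::Gt(x) => v > x,
        UintMode::Ge(x) => v >= x,
        UintMode::Range(lo, hi) => v > lo && v < hi,
    }
}
```

Rejecting malformed values at parse time (rather than silently treating them as zero) is what keeps a mistyped rule from matching nothing without anyone noticing.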
@victorjulien victorjulien removed the request for review from a team December 1, 2023 16:27

codecov bot commented Dec 1, 2023

Codecov Report

Merging #9940 (e41bb20) into master (9c3ab36) will decrease coverage by 0.68%.
The diff coverage is 36.08%.

Additional details and impacted files
@@            Coverage Diff             @@
##           master    #9940      +/-   ##
==========================================
- Coverage   82.35%   81.67%   -0.68%     
==========================================
  Files         972      991      +19     
  Lines      273060   275471    +2411     
==========================================
+ Hits       224870   224989     +119     
- Misses      48190    50482    +2292     
| Flag | Coverage Δ |
| --- | --- |
| fuzzcorpus | 63.20% <33.73%> (-0.95%) ⬇️ |
| suricata-verify | 60.34% <30.64%> (-0.76%) ⬇️ |
| unittests | 62.39% <11.98%> (-0.53%) ⬇️ |


@suricata-qa

Information: QA ran without warnings.

Pipeline 16843

@catenacyber
Contributor Author

Replaced by #9991

@catenacyber catenacyber closed this Dec 7, 2023