
Enip rust 3958 v3 #9848

Closed
wants to merge 2 commits into from

Conversation

catenacyber
Contributor

Link to redmine ticket:
https://redmine.openinfosecfoundation.org/issues/3958
https://redmine.openinfosecfoundation.org/issues/6304

Describe changes:

  • fix stats not having _tcp prefix when protocol is detection-only
  • convert enip parser to rust

Along the way, also:

  • enip_command keyword now accepts string enumeration values.
  • transactions are now bidirectional
  • there is an enip logger
  • gap support is improved with probing for resync
  • SEQUENCE_ADDR_ITEM value is fixed to 0x8002 instead of 0xB002
  • frames
  • events

#9844 CI should be greener + events, frames, get cip attributes by parsing deeper based on cip service, and reuse that for cip_service keyword, better response/request association for bidirectional transactions

Draft as is, this is not complete:

  • parse more, log more, add more keywords (enip.status)...

Provide values to any of the below to override the defaults.

SV_BRANCH=pr/1485

OISF/suricata-verify#1485

Even when in detection-only mode.
So that we always have enip_tcp and enip_udp in stats
and never just `enip`.
Suricata needs to know beyond suricata.yaml configuration which
protocols can be enabled on both tcp and udp...

Ticket: 6304
Ticket: 3958

- enip_command keyword now accepts string enumeration values.
- transactions are now bidirectional
- there is a logger
- gap support is improved with probing for resync
- SEQUENCE_ADDR_ITEM value is fixed to 0x8002 instead of 0xB002
- frames support
- app-layer events
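The corrected SEQUENCE_ADDR_ITEM value, the string-valued enip_command lookup and the gap resync probing listed in the description and commit messages above, as an added Rust example written for this page: it is not the parser from this PR or from Suricata, and the command-name spellings and the "Options == 0" plausibility check are this example's own assumptions.

```rust
// Added example, not Suricata's enip parser: a minimal ENIP encapsulation
// header parser and a resync probe of the kind used to recover after a gap.

/// CPF Sequenced Address Item type id is 0x8002 (the PR corrects 0xB002).
pub const SEQUENCE_ADDR_ITEM: u16 = 0x8002;
pub const ENIP_HEADER_LEN: usize = 24;

/// Encapsulation commands by their little-endian wire code.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum EnipCommand {
    Nop = 0x0000, ListServices = 0x0004, ListIdentity = 0x0063, ListInterfaces = 0x0064,
    RegisterSession = 0x0065, UnregisterSession = 0x0066, SendRRData = 0x006F, SendUnitData = 0x0070,
}

impl EnipCommand {
    const ALL: [EnipCommand; 8] = [Self::Nop, Self::ListServices, Self::ListIdentity, Self::ListInterfaces,
        Self::RegisterSession, Self::UnregisterSession, Self::SendRRData, Self::SendUnitData];
    // Keyword-style names; these spellings are an assumption of this example.
    const NAMES: [&'static str; 8] = ["nop", "listservices", "listidentity", "listinterfaces",
        "registersession", "unregistersession", "sendrrdata", "sendunitdata"];
    pub fn from_u16(v: u16) -> Option<Self> { Self::ALL.iter().copied().find(|c| *c as u16 == v) }
    /// Case-insensitive lookup as a string-valued enip_command keyword would do it.
    pub fn from_name(name: &str) -> Option<Self> {
        Self::NAMES.iter().position(|n| n.eq_ignore_ascii_case(name)).map(|i| Self::ALL[i])
    }
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct EnipHeader { pub command: EnipCommand, pub length: u16, pub session: u32, pub status: u32, pub options: u32 }

/// Parse the fixed 24-byte encapsulation header; None if short or the command is unknown.
pub fn parse_header(buf: &[u8]) -> Option<EnipHeader> {
    if buf.len() < ENIP_HEADER_LEN { return None; }
    let u16_at = |i: usize| u16::from_le_bytes([buf[i], buf[i + 1]]);
    let u32_at = |i: usize| u32::from_le_bytes([buf[i], buf[i + 1], buf[i + 2], buf[i + 3]]);
    Some(EnipHeader { command: EnipCommand::from_u16(u16_at(0))?, length: u16_at(2),
        session: u32_at(4), status: u32_at(8), options: u32_at(20) })
}

/// Resync probe: after a gap, scan for the first offset holding a plausible header
/// (known command and Options == 0; the encapsulation spec requires Options to be zero).
pub fn probe_resync(buf: &[u8]) -> Option<usize> {
    (0..buf.len().saturating_sub(ENIP_HEADER_LEN - 1))
        .find(|&off| parse_header(&buf[off..]).map_or(false, |h| h.options == 0))
}

/// Constructed sample: 5 bytes of leftover garbage, then a RegisterSession request.
pub fn sample_stream() -> Vec<u8> {
    let mut v = vec![0xFF; 5];
    v.extend_from_slice(&[0x65, 0, 4, 0]);   // command = RegisterSession, length = 4
    v.extend_from_slice(&[0u8; 20]);         // session, status, sender context, options
    v.extend_from_slice(&[1, 0, 0, 0]);      // protocol version 1, option flags 0
    v
}
```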
@catenacyber
Contributor Author

Replaced by #9850
