Quickdraw is our DHS-funded research project to create a passive security event log generator for legacy field devices that lack security logging capabilities. We just published a SCADApedia page with a drawing that shows the Quickdraw architecture.
As the drawing shows, we are extending Snort with additional preprocessors and plugins. The control-system protocol plugins reconstruct the request and response messages and strip the lower-layer formatting of the serial protocol, so that what reaches the Snort detection engine is the application-layer message rather than the raw serial frame. We have completed a DNP3 preprocessor, and others are planned. These preprocessors should also be helpful in developing additional SCADA IDS signatures and may help provide deep packet inspection for field firewalls.
The most challenging plugin is the Quickdraw trigger detection plugin, because it triggers on data in both the request and the response: it has to hold state from a request until the matching response arrives and then evaluate the pair. Stateful, multi-packet detection is something that Snort has traditionally not done very well. There are also plugins to create the security log event after detection and to send it to historians, SEMs or other log aggregators.
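To make the request-plus-response problem concrete, here is a small stand-alone sketch of the two steps described above. It is an added illustration, not Quickdraw code or the Snort plugin. It strips the DNP3 link and transport layers from constructed serial frames (the frame layout and CRC-16/DNP parameters are written from my reading of the DNP3 specification and should be checked against it), then correlates a restart request with the outstation's reply by master address, outstation address and application sequence number. The trigger rule itself is hypothetical: a cold or warm restart request is only interesting once the reply shows whether the outstation accepted it, which is exactly what a single-packet signature cannot tell you. The sample frames, addresses and link control octets are constructed for the demo.

```python
"""Added example: reassemble DNP3 request/response pairs and fire a stateful trigger."""
import struct

# CRC-16/DNP as I understand it: polynomial 0x3D65 (reflected 0xA6BC), init 0,
# output inverted, sent low byte first. Assumption; verify against the spec.
def dnp_crc(data: bytes) -> int:
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = ((crc >> 1) ^ 0xA6BC) if crc & 1 else (crc >> 1)
    return crc ^ 0xFFFF

def build_frame(src: int, dst: int, ctrl: int, user: bytes) -> bytes:
    """Constructed sample frame: 10-byte link header, then 16-byte user blocks, each CRC'd."""
    header = b"\x05\x64" + bytes([5 + len(user), ctrl]) + struct.pack("<HH", dst, src)
    out = header + struct.pack("<H", dnp_crc(header))
    for i in range(0, len(user), 16):
        block = user[i:i + 16]
        out += block + struct.pack("<H", dnp_crc(block))
    return out

def parse_frame(raw: bytes) -> dict:
    """Link layer: check start bytes and every CRC, return addresses plus user data."""
    if raw[:2] != b"\x05\x64":
        raise ValueError("bad start bytes")
    header = raw[:8]
    if struct.unpack("<H", raw[8:10])[0] != dnp_crc(header):
        raise ValueError("header CRC mismatch")
    length, ctrl = raw[2], raw[3]
    dst, src = struct.unpack("<HH", raw[4:8])
    user, pos, remaining = b"", 10, length - 5
    while remaining > 0:
        n = min(16, remaining)
        block = raw[pos:pos + n]
        if struct.unpack("<H", raw[pos + n:pos + n + 2])[0] != dnp_crc(block):
            raise ValueError("data block CRC mismatch")
        user += block
        pos, remaining = pos + n + 2, remaining - n
    return {"src": src, "dst": dst, "ctrl": ctrl, "user": user}

def parse_application(user: bytes) -> dict:
    """Strip the transport octet (single-fragment only) and decode the APDU header."""
    if (user[0] & 0xC0) != 0xC0:   # FIR and FIN both set; multi-fragment reassembly not shown
        raise ValueError("multi-fragment transport not handled in this example")
    app = user[1:]
    seq, func = app[0] & 0x0F, app[1]
    if func in (0x81, 0x82):       # RESPONSE / UNSOLICITED_RESPONSE carry two IIN octets
        return {"seq": seq, "func": func, "iin1": app[2], "iin2": app[3], "objects": app[4:]}
    return {"seq": seq, "func": func, "objects": app[2:]}

# Hypothetical trigger rule (not a Quickdraw rule): watch COLD/WARM restart requests and
# decide severity from the reply's IIN2 octet, which reports rejected function/object/parameter.
WATCHED = {0x0D: "cold_restart", 0x0E: "warm_restart"}
IIN2_REJECT_MASK = 0x07            # NO_FUNC_CODE_SUPPORT | OBJECT_UNKNOWN | PARAMETER_ERROR

class RestartTrigger:
    """Holds each watched request until the matching response arrives."""
    def __init__(self):
        self.pending = {}          # (master, outstation, app seq) -> request name

    def feed(self, raw: bytes):
        link = parse_frame(raw)
        apdu = parse_application(link["user"])
        if apdu["func"] in WATCHED:
            self.pending[(link["src"], link["dst"], apdu["seq"])] = WATCHED[apdu["func"]]
            return None
        if apdu["func"] != 0x81:
            return None
        key = (link["dst"], link["src"], apdu["seq"])   # reply flows outstation -> master
        name = self.pending.pop(key, None)
        if name is None:
            return None                                  # reply without a watched request
        accepted = (apdu["iin2"] & IIN2_REJECT_MASK) == 0
        return {"event": name, "master": key[0], "outstation": key[1],
                "accepted": accepted, "severity": "high" if accepted else "medium"}

def format_event(ev: dict) -> str:
    """Flat key=value line, a shape most log aggregators ingest without a custom parser."""
    return " ".join(f"{k}={ev[k]}" for k in ("event", "master", "outstation", "accepted", "severity"))

# Constructed traffic: master 1 -> outstation 10, cold restart, app seq 3, then two possible
# replies (IIN2 = 0x00 accepted, 0x01 function not supported). Link control 0xC4/0x44 = DIR,
# PRM set, unconfirmed user data; object data omitted from the replies for brevity.
REQUEST = build_frame(1, 10, 0xC4, b"\xC0\xC3\x0D")
ACCEPTED_REPLY = build_frame(10, 1, 0x44, b"\xC0\xC3\x81\x00\x00")
REJECTED_REPLY = build_frame(10, 1, 0x44, b"\xC0\xC3\x81\x00\x01")

if __name__ == "__main__":
    trigger = RestartTrigger()
    for frame in (REQUEST, ACCEPTED_REPLY):
        ev = trigger.feed(frame)
        if ev:
            print(format_event(ev))
```

The point to take from the demo is in `RestartTrigger.feed`: the request alone only earns an entry in `pending`, and the event, including its severity, is decided only when the reply arrives with the same sequence number and reversed addresses. A real plugin would also age out unanswered requests and handle multi-fragment transport.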
FYI – we are looking for a bit more help writing the Snort preprocessors and plugins. Full- and part-time positions are available for experienced Snort developers; email us if you are interested.