Displaying Custom IDS Signature Alerts in Walleye
If you have downloaded our latest release of the SCADA Honeynet, you have probably noticed that the SCADA IDS signatures show up as ‘unknown signature’ in the Walleye interface. I’m sure this is true for anyone who has added a custom Snort IDS signature to their Honeywall as well. The steps below outline what to do to make this work.
1. Append your signatures to the /etc/snort/rules/local.rules file. The new roo-1.1 uses oinkmaster to update rules, and oinkmaster ignores local.rules, so this will ensure that your custom signatures do not get overwritten.
2. Declare any variables used by the custom rules file in the /etc/snort/snort.conf file. For example:
...
ICCP_CLIENT
ICCP_SERVER
...
3. Add URL references to /etc/snort/rules/reference.config.
4. Add the sid and message information to the /etc/snort/rules/sig-msg.map file. For example:
...
1111201 || DNP3 - Disable Unsolicited Responses
1111202 || DNP3 - Non-DNP3 Communication on a DNP3 Port
1111203 || DNP3 - Unsolicited Response Storm
...
5. This is the part that matters: Walleye looks in the MySQL database to find the signatures that fired. Below is an example of what the alerts look like in the database.
+--------+------------+---------+----------+------------+------+----------+---------+---------+----------------+------+---------------+
| ids_id | sensor_id  | sig_id  | argus_id | sec        | usec | priority | sig_rev | sig_gen | classification | type | to_be_deleted |
+--------+------------+---------+----------+------------+------+----------+---------+---------+----------------+------+---------------+
|      1 | 2886729986 | 1111006 |       79 | 1170752609 |    0 |        2 |       1 |       1 |              3 |      |             0 |
|      2 | 2886729986 | 1111006 |       79 | 1170752601 |    0 |        2 |       1 |       1 |              3 |      |             0 |
|      3 | 2886729986 | 1111006 |       79 | 1170752604 |    0 |        2 |       1 |       1 |              3 |      |             0 |
|      4 | 2886729986 | 1111012 |       79 | 1170752601 |    0 |        2 |       1 |       1 |             25 |      |             0 |
When Walleye needs the name for a sig_id, it looks it up in another table, ‘ids_sig’, by matching the ‘ids_sig_id’ column. Below you’ll see what I’m talking about.
mysql> select * from ids_sig where sig_name LIKE '%Modbus%';
+------------+------------+-----------------------------------------------------------+------------------------------------------------------------------------+
| ids_sig_id | sensor_id  | sig_name                                                  | reference                                                              |
+------------+------------+-----------------------------------------------------------+------------------------------------------------------------------------+
|    1111001 | 2886731775 | Modbus TCP - Force Listen Only Mode                       | url,www.digitalbond.com/index.php/resources/scada-network-ids-project/ |
|    1111002 | 2886731775 | Modbus TCP - Restart Communications Option                | url,www.digitalbond.com/index.php/resources/scada-network-ids-project/ |
How did I do this? I basically just made a SQL file formatted like the lines below.
INSERT INTO ids_sig VALUES (1111201,2886731775,'DNP3 - Disable Unsolicited Responses','url,www.digitalbond.com/index.php/resources/scada-network-ids-project/');
INSERT INTO ids_sig VALUES (1111202,2886731775,'DNP3 - Non-DNP3 Communication on a DNP3 Port','url,www.digitalbond.com/index.php/resources/scada-network-ids-project/');
...
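Writing those INSERT lines by hand gets tedious once you have more than a handful of signatures, so here is a small script (added here as an example, not part of the original post or of the Honeywall distribution) that generates them from the sig-msg.map entries of step 4. It assumes ids_sig has the four columns shown above (ids_sig_id, sensor_id, sig_name, reference); the sample map lines and the min_sid cutoff are constructed for illustration.

```python
# Added example (not from the original post): turn sig-msg.map lines into the
# ids_sig INSERTs from step 5. Assumes ids_sig has the four columns shown above:
# (ids_sig_id, sensor_id, sig_name, reference). Sample data is constructed.

# Constructed sample in sig-msg.map form: "sid || message [|| reference]".
SAMPLE_MAP = """\
# custom SCADA signatures
1111201 || DNP3 - Disable Unsolicited Responses
1111202 || DNP3 - Non-DNP3 Communication on a DNP3 Port || url,www.digitalbond.com/index.php/resources/scada-network-ids-project/
1111203 || DNP3 - Unsolicited Response Storm
"""

# Reference used when a map line carries none (the URL from the post).
DEFAULT_REF = "url,www.digitalbond.com/index.php/resources/scada-network-ids-project/"


def parse_sig_msg_map(text):
    """Yield (sid, message, reference); blank and comment lines are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("||")]
        if len(fields) < 2 or not fields[0].isdigit():
            raise ValueError(f"malformed sig-msg.map line: {line!r}")
        ref = fields[2] if len(fields) > 2 else DEFAULT_REF
        yield int(fields[0]), fields[1], ref


def sql_quote(value):
    """Escape backslashes and single quotes for a MySQL string literal."""
    return value.replace("\\", "\\\\").replace("'", "''")


def build_inserts(text, sensor_id, min_sid=1000000):
    """One INSERT per custom sid; sids below min_sid (stock Snort rules that
    Walleye already knows) are skipped. Adjust min_sid to your local range."""
    stmts = []
    for sid, msg, ref in parse_sig_msg_map(text):
        if sid < min_sid:
            continue
        stmts.append("INSERT INTO ids_sig VALUES "
                     f"({sid},{sensor_id},'{sql_quote(msg)}','{sql_quote(ref)}');")
    return stmts


if __name__ == "__main__":
    # sensor_id must match the honeywall's own sensor row (value taken from the post)
    print("\n".join(build_inserts(SAMPLE_MAP, 2886731775)))
```

Redirect the output to a .sql file and feed it to the mysql client as you would the hand-written version; the first generated line is identical to the first INSERT above.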
It’s a small amount of work, but much more useful than before. Here you’ll see a sanitized screenshot from one of our current honeynet projects (I generated the Modbus traffic).
Author: Landon Lewis
Posted: February 6th, 2007 under SCADA Honeynet, SCADA IDS.