Open source and “open” protocols
With a few other projects wrapping up this week, I’ve been concentrating on our Quickdraw project and expanding Snort’s capabilities so that detection and alerting are quite a bit easier. Thankfully the good people who created Snort have made this a lot easier by providing a way to add dynamic preprocessors, which allow much more in-depth analysis than the standard rule language does: things like checksums in DNP3, or cases like this one where a rule would get convoluted very quickly. The documentation isn’t great, but with a nice write-up from the SANS reading room and the preprocessors that a friend of mine, Ben Feinstein, released last year, I had plenty of code to work from. After being misled a few times by documentation that didn’t match the implementation, I’d rather have working code anyway.
I’m currently working on ENIP (Ethernet Industrial Protocol, which is really a terrible name), so the first stop to find out whether there’s a newer version of the specification than the one I have was ethernet-ip.org, which so many sites still point to. It appears to have been taken over by a domain squatter, and the ODVA site feels like a circular maze that keeps wanting me to accept license terms and send money…
So, I’ll do the easy thing and let someone else do all that analysis, and I’ll make sure there aren’t any mistakes. Wireshark, an open source project and a darn fine one, has a built-in protocol dissector that takes care of ENIP, and a quick grep through the source tree finds the code that does just that. From there things get pretty easy: I can implement logic similar to what Wireshark uses, and with just a bit of work we get a pretty well functioning preprocessor.
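To show the kind of check such a preprocessor performs before any rule sees the payload, here is an added example (my own code, not Quickdraw’s and not Wireshark’s) that parses the 24-byte ENIP encapsulation header, validates the length and options fields, and flags commands the encapsulation layer does not define. The sample packet bytes and the error codes are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* ENIP encapsulation header: 24 bytes, multi-byte fields little-endian. */
#define ENIP_HDR_LEN 24

struct enip_hdr {
    uint16_t command;
    uint16_t length;          /* bytes of encapsulated data after the header */
    uint32_t session, status;
    uint8_t  sender_context[8];
    uint32_t options;         /* the spec requires zero */
};

/* Verdicts a preprocessor would map to alerts (constructed codes); 0 means the header is sane. */
enum { ENIP_OK = 0, ENIP_TRUNCATED = -1, ENIP_LEN_MISMATCH = -2,
       ENIP_BAD_OPTIONS = -3, ENIP_UNKNOWN_CMD = -4 };

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t *p) { return le16(p) | ((uint32_t)le16(p + 2) << 16); }

/* Commands defined by the encapsulation layer. */
static int enip_known_command(uint16_t cmd) {
    switch (cmd) {
    case 0x0000: case 0x0004: case 0x0063: case 0x0064:  /* NOP, ListServices, ListIdentity, ListInterfaces */
    case 0x0065: case 0x0066: case 0x006F: case 0x0070:  /* RegisterSession, UnRegisterSession, SendRRData, SendUnitData */
        return 1;
    }
    return 0;
}

int enip_parse_header(const uint8_t *buf, size_t len, struct enip_hdr *h)
{
    if (len < ENIP_HDR_LEN) return ENIP_TRUNCATED;
    h->command = le16(buf);      h->length = le16(buf + 2);
    h->session = le32(buf + 4);  h->status = le32(buf + 8);
    memcpy(h->sender_context, buf + 12, 8);
    h->options = le32(buf + 20);
    /* The length field must account for exactly the bytes that follow the header. */
    if ((size_t)h->length != len - ENIP_HDR_LEN) return ENIP_LEN_MISMATCH;
    if (h->options != 0) return ENIP_BAD_OPTIONS;
    if (!enip_known_command(h->command)) return ENIP_UNKNOWN_CMD;
    return ENIP_OK;
}

/* Constructed sample: a RegisterSession request carrying protocol version 1, option flags 0. */
const uint8_t sample_register_session[28] = {
    0x65, 0x00, 0x04, 0x00,  0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00,
    'c', 't', 'x', '-', '0', '0', '0', '1',  0x00, 0x00, 0x00, 0x00,
    0x01, 0x00, 0x00, 0x00
};
```

A truncated or length-mismatched header is the case a preprocessor must reject before handing the command-specific data to any rule, since a rule written against offsets past the header would otherwise read the wrong bytes.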
Things like this are why open source and open protocols are fantastic for everyone interested in security and monitoring their systems.
Author: Daniel Peck
Posted: February 19th, 2009 under Uncategorized.
Comments: 1
Comments
Comment from Matthew Franz
Time: February 19, 2009, 4:49 pm
That’s cool they finally ENIP, I remember a few years back I got a patch from somebody at Rockwell. Of course the holy grail would be able to leverage all the rich protocol knowledge in Wireshark to generate packets but I never found looking at the source to be that helpful.