Quickdraw Enip Preprocessor Example
As a follow-up to our preprocessor code release, we're going to put together a few posts detailing the use of some of the features they provide.
To begin, we'll work our way through an example with ENIP/CIP. Let's say we want a log entry every time a successful "Open Connection" request is sent to the device we want to monitor. The first step in creating a Snort rule is usually to examine a packet capture of the event we want to log. We'll leave pcap creation as an exercise for you, and use the provided pcap as an example.
Let's go ahead and create the skeleton for our rule and build on it from there. If none of this looks familiar, you might want to take some time looking over the Snort documentation and examples. There's a steep but short learning curve here, and you'll be lost if you don't have the basics.
alert tcp any any -> any any (msg:"Open Connection"; category:access control; sid:1111; rev:1;)
To examine this we'll load the pcap file into Wireshark, essentially a hex editor with network-focused filtering, and we should see two messages. Normally there would be a lot more packets, but we've trimmed this down to make the example flow a little more smoothly. Since we've read the README for the preprocessors and understand the options available in the beta build, we know this is going to be easy.

We'll be using the cip_service option, and as we can tell from Wireshark we need to pass it the decimal value of 0x4c, which is 76. So our rule currently looks like:
alert tcp any any -> any any (msg:"Open Connection Requested"; cip_service:76; category:access control; sid:1111; rev:1;)
We're almost there, but right now we would be alerting on any request to open; we want to know whether the request was successful or not. For now we'll just worry about success. Looking at the next packet we see that the response field is set to 0, and that's exactly what we need to match on to complete our rule.

alert tcp any any -> any any (msg:"Open Connection Requested Successful"; cip_service:76; cip_response:0; category:access control; sid:1111; rev:1;)
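To make concrete what the finished rule is matching on inside the packet, here is an added Python example (not Quickdraw or Digital Bond code) that decodes the CIP service code and reply status from an ENIP SendRRData message and applies the same two conditions as cip_service:76 and cip_response:0. The encapsulation and CPF layouts follow the public ENIP/CIP specifications; the sample packets are constructed by the script, the session handle and request path are made-up values, and the interpretation of service 0x4c as "Open Connection" is taken from the post. It also assumes the preprocessor compares cip_service against the reply service code with the 0x80 reply bit cleared.

```python
import struct

# Constants from the ENIP/CIP specifications (not taken from the post)
ENIP_SEND_RR_DATA = 0x006F        # encapsulation command carrying unconnected CIP messages
CPF_NULL_ADDRESS = 0x0000
CPF_UNCONNECTED_DATA = 0x00B2
CIP_REPLY_BIT = 0x80              # reply service code = request service code | 0x80

# The post matches service 0x4c (decimal 76) and calls it "Open Connection"
RULE_SERVICE = 76                 # cip_service:76
RULE_RESPONSE_STATUS = 0          # cip_response:0


def build_enip(cip_payload: bytes) -> bytes:
    """Wrap a CIP message in a SendRRData encapsulation (constructed test data)."""
    cpf = struct.pack("<IHH", 0, 0, 2)                        # interface handle, timeout, item count
    cpf += struct.pack("<HH", CPF_NULL_ADDRESS, 0)            # null address item
    cpf += struct.pack("<HH", CPF_UNCONNECTED_DATA, len(cip_payload)) + cip_payload
    # Session handle 0x11223344 is a made-up value
    header = struct.pack("<HHII8sI", ENIP_SEND_RR_DATA, len(cpf), 0x11223344, 0, b"\x00" * 8, 0)
    return header + cpf


def parse_cip(packet: bytes) -> dict:
    """Extract the CIP service code and, for replies, the general status byte."""
    if len(packet) < 24:
        raise ValueError("short encapsulation header")
    command, length, _session, _status, _ctx, _opts = struct.unpack("<HHII8sI", packet[:24])
    if command != ENIP_SEND_RR_DATA:
        raise ValueError("not a SendRRData message")
    body = packet[24:24 + length]
    if len(body) < 8:
        raise ValueError("short command-specific data")
    _iface, _timeout, item_count = struct.unpack("<IHH", body[:8])
    offset, cip = 8, None
    for _ in range(item_count):
        if len(body) < offset + 4:
            raise ValueError("truncated CPF item")
        item_type, item_len = struct.unpack("<HH", body[offset:offset + 4])
        offset += 4
        if item_type == CPF_UNCONNECTED_DATA:
            cip = body[offset:offset + item_len]
        offset += item_len
    if not cip:
        raise ValueError("no unconnected data item")
    service = cip[0]
    if service & CIP_REPLY_BIT:
        # Reply layout: service|0x80, reserved byte, general status, additional status size
        if len(cip) < 4:
            raise ValueError("short CIP reply")
        return {"direction": "response", "service": service & 0x7F, "status": cip[2]}
    # Request layout: service, request path size (words), path, data
    return {"direction": "request", "service": service, "status": None}


def rule_matches(packet: bytes) -> bool:
    """Equivalent of 'cip_service:76; cip_response:0' applied to one packet."""
    info = parse_cip(packet)
    return info["service"] == RULE_SERVICE and info["status"] == RULE_RESPONSE_STATUS


# Constructed sample traffic; the request path addresses class 2 instance 1 (Message Router)
OPEN_REQUEST = build_enip(bytes([0x4C, 0x02, 0x20, 0x02, 0x24, 0x01]))
OPEN_OK_RESPONSE = build_enip(bytes([0x4C | CIP_REPLY_BIT, 0x00, 0x00, 0x00]))
OPEN_FAILED_RESPONSE = build_enip(bytes([0x4C | CIP_REPLY_BIT, 0x00, 0x08, 0x00]))  # 0x08: service not supported
OTHER_RESPONSE = build_enip(bytes([0x0E | CIP_REPLY_BIT, 0x00, 0x00, 0x00]))        # Get_Attribute_Single reply

if __name__ == "__main__":
    for name, pkt in [("request", OPEN_REQUEST), ("ok response", OPEN_OK_RESPONSE),
                      ("failed response", OPEN_FAILED_RESPONSE), ("other service", OTHER_RESPONSE)]:
        print(f"{name:16s} {parse_cip(pkt)} -> alert={rule_matches(pkt)}")
```

Only the successful reply fires: the request has no status byte, the failed reply carries a non-zero general status, and a reply to a different service has the wrong service code. That is the same set of conditions the rule above expresses, which is worth keeping in mind when you later tune the rule or correlate its alerts.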
And there we have it: you'll have an alert fired each time the event occurs, and you can do loads of correlation and analysis on the backend using whatever tools you're most familiar with. We've just scratched the surface here, and we'll be expanding the preprocessor and output capabilities over the next few releases, so keep an eye out. Until next time, happy snorting and pcapping.
Author: Daniel Peck
Posted: July 6th, 2009 under DHS Research Project, EtherNet/IP, Quickdraw.