
DNP3 IDS Signatures

DNP3 is a very simple client/server protocol that was originally designed for very low speed serial communication in process control networks. DNP3 is most commonly used in electric utilities, but there is nothing specific to the electric industry in the protocol. The client, also referred to as the master, is typically an HMI or control server that issues DNP3 requests to a PLC, RTU, or other field device acting as a DNP3 server, also called the slave. Common request types include read requests, write requests, starting and stopping applications, freezing values to buffers, and a variety of administrative and diagnostic requests.

DNP3 also supports unsolicited responses: communication initiated by the DNP3 server without a request packet. Unsolicited responses are often used to immediately notify the Control Center of significant events or changes in the field. Many systems decrease the polling interval and enable unsolicited responses to reduce communications without losing time-sensitive information. All unsolicited responses use function code 82.

All of the DNP3 Snort rules are applicable only to DNP3. You will need to add a few items to your Snort setup:

  • Add variables for “DNP3_CLIENT”, “DNP3_SERVER”, and “DNP3_PORTS” to your conf file. Most systems will have a small number of DNP3 clients and a large number of DNP3 servers.
  • Add “include $RULE_PATH/DNP3.rules” to your conf file.
  • Add “config reference: http://www.digitalbond.com/index.php/research/scada-idsips/ids-signatures/” to your configuration.

Digital Bond has also developed a DNP3 preprocessor. The DNP3 preprocessor prevents false negatives due to DNP3 fragmentation. It also has plugins that add new keyword capabilities for easier Snort signature writing. The DNP3 preprocessor patch must be applied to the Snort application and the following line must be added to the config file:

    preprocessor dnp3

The preprocessor column should be read as follows:

  • Yes = A version of the signature is available that uses the preprocessor and another version that does not. You will see two SIDs in the row. The first is the SID for the non-preprocessor version of the signature. The second SID, which is the first SID with a 1 appended, is the preprocessor version of the signature.
  • No = The signature does not use the preprocessor.
  • Only = A signature is available, but it requires the preprocessor.

The rules and links to the documentation are included in the table below.

| SID | Preprocessor | Message |
|---|---|---|
| 1111201 / 11112011 | Yes | DNP3 – Disable Unsolicited Responses |
| 1111202 | No | DNP3 – Non-DNP3 Communication on a DNP3 Port |
| 1111203 | No | DNP3 – Unsolicited Response Storm |
| 1111204 / 11112041 | Yes | DNP3 – Cold Restart from Authorized Client |
| 1111205 / 11112051 | Yes | DNP3 – Cold Restart from Unauthorized Client |
| 1111206 / 11112061 | Yes | DNP3 – Unauthorized Read Request to a PLC |
| 1111207 | No | DNP3 – Unauthorized Write Request to a PLC |
| 1111208 | No | DNP3 – Unauthorized Miscellaneous Request to a PLC |
| 1111209 / 11112091 | Yes | DNP3 – Stop Application |
| 1111210 / 11112101 | Yes | DNP3 – Warm Restart |
| 1111211 | No | DNP3 – Broadcast Request from an Authorized Client |
| 1111212 | No | DNP3 – Broadcast Request from an Unauthorized Client |
| 1111213 | No | DNP3 – Points List Scan |
| 1111214 | No | DNP3 – Function Code Scan |
| 11112151 | Only | DNP3 – Time Change Attempt |
| 11112161 | Only | DNP3 – Failed Checksum Error |
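As an added illustration (this is not Digital Bond's rule set or preprocessor code), the Python below parses the DNP3 link header and application function code of constructed frames and applies checks that mirror four of the messages in the table: checksum failure, non-DNP3 traffic, cold restart from an authorized or unauthorized client, and an unsolicited response storm. It assumes DNP3 link-layer addresses in place of the IP-based $DNP3_CLIENT variable, a storm threshold of five responses, and reads the page's "function code 82" as hexadecimal 0x82; all frames are constructed inline.

```python
from collections import defaultdict

DNP3_START = b"\x05\x64"
FC_COLD_RESTART, FC_UNSOLICITED = 0x0D, 0x82   # the page's "function code 82" is hex 0x82
PARSE_MSG = {"start": "DNP3 - Non-DNP3 Communication on a DNP3 Port",
             "crc": "DNP3 - Failed Checksum Error"}

def crc16_dnp(data: bytes) -> int:
    """CRC-16/DNP: polynomial 0x3D65 (reflected 0xA6BC), init 0, result inverted."""
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF

def build_frame(src: int, dst: int, app_ctrl: int, fc: int, ctrl: int = 0xC4) -> bytes:
    """Constructed one-block frame: 8 header bytes + CRC, then transport/app bytes + CRC."""
    user = bytes([0xC0, app_ctrl, fc])              # transport header, app control, function code
    hdr = DNP3_START + bytes([5 + len(user), ctrl]) + dst.to_bytes(2, "little") + src.to_bytes(2, "little")
    return hdr + crc16_dnp(hdr).to_bytes(2, "little") + user + crc16_dnp(user).to_bytes(2, "little")

def parse_frame(frame: bytes) -> dict:
    """Return link source address and application function code; ValueError('start'/'crc') otherwise."""
    if frame[:2] != DNP3_START:
        raise ValueError("start")
    n = min(16, frame[2] - 5)                        # LEN counts CTRL..SRC plus user data; 16-byte blocks
    block = frame[10:10 + n]
    if (crc16_dnp(frame[:8]) != int.from_bytes(frame[8:10], "little")
            or crc16_dnp(block) != int.from_bytes(frame[10 + n:12 + n], "little")):
        raise ValueError("crc")
    return {"src": int.from_bytes(frame[6:8], "little"), "fc": block[2]}

def check_frames(frames, authorized_clients, storm_limit=5):
    """Emit table-style messages. Link addresses stand in for the IP-based $DNP3_CLIENT set (simplification)."""
    alerts, unsolicited = [], defaultdict(int)
    for raw in frames:
        try:
            f = parse_frame(raw)
        except ValueError as err:
            alerts.append(PARSE_MSG[str(err)])
            continue
        if f["fc"] == FC_COLD_RESTART:
            who = "Authorized" if f["src"] in authorized_clients else "Unauthorized"
            alerts.append(f"DNP3 - Cold Restart from {who} Client (link src {f['src']})")
        elif f["fc"] == FC_UNSOLICITED:
            unsolicited[f["src"]] += 1
            if unsolicited[f["src"]] == storm_limit:   # fire once when the threshold is crossed
                alerts.append(f"DNP3 - Unsolicited Response Storm (link src {f['src']})")
    return alerts
```

A real deployment would key the authorization check on IP addresses as the Snort variables do, and would reassemble fragmented application messages (the job of the preprocessor) before reading the function code.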