DNP3 IDS Signatures
From SCADApedia
The DNP3 IDS Signatures are part of Digital Bond's SCADA IDS Signature research project, also known as Quickdraw. The signatures, or rules in Snort parlance, are written for Snort, and some or all of the SCADA signatures have been integrated into most commercial IDS/IPS products.
These signatures and all other components of Quickdraw are available to Digital Bond Site Subscribers.
DNP3 Preprocessor
The first version of the DNP3 IDS signatures did not require a preprocessor. The DNP3 protocol is simple and structured enough that the relevant fields can be evaluated with the standard Snort rule keywords. However, DNP3 allows long but valid requests and responses that must be fragmented (an application fragment is split across several transport-layer segments, each carried in its own link-layer frame), and this fragmentation can cause a false negative: the Snort rule is not triggered even though the event has occurred, because the bytes the rule matches on are no longer contiguous in one packet. Fragmentation can occur in normal operation or be induced intentionally by an attacker attempting to evade the SCADA IDS signatures.
Digital Bond developed a DNP3 Preprocessor to address this problem. The preprocessor reassembles the fragments and parses the DNP3 message. In addition to reducing false negatives, the plugins associated with the DNP3 Preprocessor also make rule writing easier by adding new rule-option keywords. For example, there are plugins/keywords for the DNP3 function code, object type, Internal Indications (IIN) and more.
DNP3 Signatures
The signatures can be broadly grouped in the following categories:
- Unauthorized DNP3 Use - the authorized DNP3 clients (masters) and servers (outstations, PLCs) are entered as variables in the IDS configuration, and the signatures fire when a system not on that list sends requests; the severity depends on the type of request (read, write, or other).
- DNP3 Protocol Errors - these signatures fire on malformed DNP3 traffic, such as an attacker fuzzing the protocol.
- Rare and Dangerous Requests - a number of DNP3 requests, such as restarts, can cause a denial of service condition if issued by an attacker.
Preprocessor Signatures
The DNP3 signature file includes two sets of rules. One set is for installations without the DNP3 preprocessor, and the second set is for installations that use it. Load one set or the other, not both. The table below has a Preprocessor Available column with the following entries and meanings:
- Yes - There is a version of the rule without the preprocessor and a second version of the rule that uses the preprocessor
- No - There is only one version of the rule and that version does not require the preprocessor
- Only - The rule will only work with the preprocessor
DNP3 Signatures
The DNP3 Signatures currently available are listed in the table below.
| SID | Preprocessor Available | Message | Summary |
|---|---|---|---|
| 1111201 | Yes | Disable Unsolicited Response | An attacker stops unsolicited responses from field devices to suppress alarms and other critical events. |
| 1111202 | No | Non-DNP3 Communication on a DNP3 Port | An established connection between an HMI or control server and a PLC is hijacked or spoofed to send other attacks to either device. |
| 1111203 | No | Unsolicited Response Storm | Large numbers of false unsolicited responses are sent to a DNP3 client (master) to overwhelm the control servers or control room operators. |
| 1111204 | Yes | Cold Restart from Authorized Client | An attacker can force a PLC or other DNP3 server to restart by issuing a request with function code 0x0D (Cold Restart). |
| 1111205 | Yes | Cold Restart from Unauthorized Client | An attacker can force a PLC or other DNP3 server to restart by issuing a request with function code 0x0D (Cold Restart). |
| 1111206 | Yes | Unauthorized Read Request to a PLC | An unauthorized DNP3 client attempts to read information from a PLC or other field device. |
| 1111207 | No | Unauthorized Write Request to a PLC | An unauthorized DNP3 client attempts to write information to a PLC or other field device. |
| 1111208 | No | Unauthorized Miscellaneous Request to a PLC | An unauthorized DNP3 client issues a request other than a read or write to a PLC or other field device. |
| 1111209 | Yes | Stop Application | An application is stopped on the PLC or other field device (function code 0x12, Stop Application). |
| 1111210 | Yes | Warm Restart | An attacker can force a PLC or other DNP3 server to reinitialize its configuration and clear events with function code 0x0E (Warm Restart). |
| 1111211 | No | Broadcast Request from an Authorized Client | An attacker can issue a single request to a broadcast address and reach every PLC or other DNP3 server on the network. |
| 1111212 | No | Broadcast Request from an Unauthorized Client | An attacker can issue a single request to a broadcast address and reach every PLC or other DNP3 server on the network. |
| 1111213 | No | Points List Scan | An attacker determines which DNP3 data points are available, during the reconnaissance phase of an attack. |
| 1111214 | No | Function Code Scan | An attacker determines which DNP3 function codes are supported, during the reconnaissance phase of an attack. |
| 11112151 | Only | Time Change Attempt | An attempt to change the time on a PLC or other field device. |
| 11112161 | Only | Failed Checksum Error | The DNP3 link-layer CRC check failed, indicating either a communications error or a potential attack. |
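The example below is an added illustration of the two points made on this page: why per-packet matching produces false negatives when a DNP3 application fragment is split across transport segments (the problem the DNP3 Preprocessor solves), and how the unauthorized-client, dangerous-request and checksum signatures in the table can be expressed once the message has been reassembled. It is not Digital Bond's preprocessor or rule code. It implements the DNP3 link layer (0x0564 start bytes, length, control, destination, source, CRC-16/DNP over the header and over each 16-byte data block), the transport layer (FIR/FIN flags and 6-bit sequence) and just enough of the application layer to read the function code. The link addresses (master 1 authorized, attacker 99, outstation 10) and the sample frames are constructed for the example; the alert messages reuse the table's wording.

```python
"""Toy DNP3 inspector with CRC checks, transport reassembly and Quickdraw-style checks.
Added illustration; not Digital Bond's code."""
import struct
from dataclasses import dataclass

# Application-layer function codes from IEEE 1815 (DNP3)
FC_READ, FC_WRITE, FC_COLD_RESTART, FC_WARM_RESTART, FC_STOP_APPL = 0x01, 0x02, 0x0D, 0x0E, 0x12

# Assumed link-layer addresses: the only legitimate master is 1 (the outstation is 10)
AUTHORIZED_MASTERS = {1}


def crc_dnp(data: bytes) -> int:
    """CRC-16/DNP: poly 0x3D65 (reflected 0xA6BC), init 0, result inverted."""
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF


def build_frame(src, dst, user_data, control=0xC4, corrupt=False):
    """Link frame: 8-byte header + CRC, then 16-byte user-data blocks, each followed by a CRC.
    control 0xC4 = DIR=1 (from master), PRM=1, link function 4 (unconfirmed user data)."""
    header = struct.pack("<BBBBHH", 0x05, 0x64, 5 + len(user_data), control, dst, src)
    out = header + struct.pack("<H", crc_dnp(header))
    for i in range(0, len(user_data), 16):
        block = user_data[i:i + 16]
        out += block + struct.pack("<H", crc_dnp(block))
    if corrupt:  # flip one bit in the first user-data byte and leave its CRC stale
        damaged = bytearray(out)
        damaged[10] ^= 0x01
        out = bytes(damaged)
    return out


@dataclass
class LinkFrame:
    src: int
    dst: int
    user_data: bytes


class ChecksumError(ValueError):
    pass


def parse_frame(raw):
    """Validate the header and block CRCs and return the concatenated user data."""
    if len(raw) < 10 or raw[:2] != b"\x05\x64":
        raise ValueError("not a DNP3 link frame")
    if crc_dnp(raw[:8]) != struct.unpack_from("<H", raw, 8)[0]:
        raise ChecksumError("header CRC mismatch")
    length, _control, dst, src = struct.unpack_from("<BBHH", raw, 2)
    remaining, pos, user = length - 5, 10, b""
    while remaining > 0:
        n = min(16, remaining)
        if len(raw) < pos + n + 2:
            raise ValueError("truncated frame")
        block = raw[pos:pos + n]
        if crc_dnp(block) != struct.unpack_from("<H", raw, pos + n)[0]:
            raise ChecksumError("data block CRC mismatch")
        user, pos, remaining = user + block, pos + n + 2, remaining - n
    return LinkFrame(src, dst, user)


class Reassembler:
    """Glue transport segments (FIR ... FIN, 6-bit sequence) into one application fragment."""
    def __init__(self):
        self.partial = {}  # (src, dst) -> [last_seq, bytearray]

    def feed(self, f):
        if not f.user_data:
            return None
        th = f.user_data[0]
        fir, fin, seq = th & 0x40, th & 0x80, th & 0x3F
        key = (f.src, f.dst)
        if fir:
            self.partial[key] = [seq, bytearray()]
        elif key not in self.partial or (self.partial[key][0] + 1) & 0x3F != seq:
            self.partial.pop(key, None)  # out of sequence: discard, as the spec requires
            return None
        self.partial[key][0] = seq
        self.partial[key][1] += f.user_data[1:]
        return bytes(self.partial.pop(key)[1]) if fin else None


def naive_cold_restart(f):
    """Frame-at-a-time check with no reassembly: assumes [transport][app ctrl][fc] in one frame."""
    return len(f.user_data) >= 3 and f.user_data[2] == FC_COLD_RESTART


def inspect(frames, reassembler=None):
    """Return (message, src) alerts modeled on the signature categories on this page."""
    reasm, alerts = reassembler or Reassembler(), []
    for raw in frames:
        try:
            f = parse_frame(raw)
        except ChecksumError:
            alerts.append(("Failed Checksum Error", None))
            continue
        frag = reasm.feed(f)
        if frag is None or len(frag) < 2:
            continue
        fc, who = frag[1], "Authorized" if f.src in AUTHORIZED_MASTERS else "Unauthorized"
        if fc == FC_COLD_RESTART:
            alerts.append((f"Cold Restart from {who} Client", f.src))
        elif fc == FC_WARM_RESTART:
            alerts.append(("Warm Restart", f.src))
        elif fc == FC_STOP_APPL:
            alerts.append(("Stop Application", f.src))
        elif who == "Unauthorized":
            kind = {FC_READ: "Read", FC_WRITE: "Write"}.get(fc, "Miscellaneous")
            alerts.append((f"Unauthorized {kind} Request to a PLC", f.src))
    return alerts


# Constructed sample traffic (not a real capture)
READ_CLASS1 = build_frame(1, 10, bytes([0xC0, 0xC0, FC_READ, 60, 2, 0x06]))  # legitimate class 1 poll
# Attacker at address 99 splits the 2-byte cold-restart fragment across two transport segments
SPLIT_RESTART = [build_frame(99, 10, bytes([0x41, 0xC1])),              # FIR, seq 1: app control only
                 build_frame(99, 10, bytes([0x82, FC_COLD_RESTART]))]   # FIN, seq 2: function code
CORRUPTED = build_frame(1, 10, bytes([0xC0, 0xC0, FC_READ, 60, 2, 0x06]), corrupt=True)


def demo():
    naive = [naive_cold_restart(parse_frame(r)) for r in SPLIT_RESTART]  # [False, False]
    return naive, inspect([READ_CLASS1] + SPLIT_RESTART + [CORRUPTED])


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the false negative from the preprocessor section: `naive_cold_restart` sees neither half of the split request, while `inspect`, which reassembles before looking at the function code, reports the cold restart from the unauthorized address 99 and the CRC failure on the corrupted frame. The same split would defeat a content match at a fixed offset in a Snort rule written without the preprocessor.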
Release Package
The release package for the DNP3 IDS signatures includes:
- A rules file with both the standard/no preprocessor rule set and the preprocessor rule set
- Packet capture files (pcaps) that can be replayed to test the SCADA IDS installation
- A config file with instructions on how to modify it for a specific Snort installation
In addition to the release package, there is a full documentation page in the usual Snort format for each of the DNP3 signatures. This documentation is subscriber-only content.
