DNP3 IDS Signatures
From SCADApedia
The DNP3 IDS Signatures are part of Digital Bond's SCADA IDS Signature research project. The signatures, or rules in Snort parlance, are written for Snort, and some or all of the SCADA signatures have been integrated into most commercial IDS/IPS products.
The signatures can be broadly grouped in the following categories:
- Unauthorized DNP3 Use - the authorized DNP3 clients and servers are entered as address variables in the IDS, and the signatures alert when any other system sends a request, with a severity that depends on the type of request (read, write, or other).
- DNP3 Protocol Errors - these signatures fire on malformed or non-DNP3 traffic on the DNP3 port, as produced when an attacker fuzzes the protocol. Buggy implementations can also emit malformed frames, so tune these against known-good traffic before treating a hit as an attack.
- Rare and Dangerous Requests - a number of legitimate but rarely used DNP3 requests (restarts, stopping the application, disabling unsolicited responses, broadcasts) can cause a denial of service condition if issued by an attacker, so they are flagged even when they come from an authorized client.
The DNP3 Signatures currently available are listed in the table below.
| SID | Message | Summary |
|---|---|---|
| 1111201 | Disable Unsolicited Response | An attacker stops unsolicited responses from field devices to prevent alarms and other critical events. |
| 1111202 | Non-DNP3 Communication on a DNP3 Port | An established connection between an HMI or control server and a PLC is hijacked or spoofed to send other attacks to either device. |
| 1111203 | Unsolicited Response Storm | Large amounts of false unsolicited responses are sent to a DNP3 server to overwhelm the control servers or control room operators. |
| 1111204 | Cold Restart from Authorized Client | An attacker can force a PLC or other DNP3 server to power cycle by issuing a request packet with function code 0x0D. |
| 1111205 | Cold Restart from Unauthorized Client | An attacker can force a PLC or other DNP3 server to power cycle by issuing a request packet with function code 0x0D. |
| 1111206 | Unauthorized Read Request to a PLC | An unauthorized DNP3 client attempts to read information from a PLC or other field device. |
| 1111207 | Unauthorized Write Request to a PLC | An unauthorized DNP3 client attempts to write information to a PLC or other field device. |
| 1111208 | Unauthorized Miscellaneous Request to a PLC | An unauthorized DNP3 client issues a request, other than a read or write request, to a PLC or other field device. |
| 1111209 | Stop Application | An attacker stops the application running on the DNP3 server with a Stop Application request (function code 0x12), halting its processing of I/O and events. |
| 1111210 | Warm Restart | An attacker can force a PLC or other DNP3 server to initialize its configuration and clear events with function code 0x0E. |
| 1111211 | Broadcast Request from an Authorized Client | An attacker can issue a request packet to a network of PLCs or other DNP3 servers. |
| 1111212 | Broadcast Request from an Unauthorized Client | An attacker can issue a request packet to a network of PLCs or other DNP3 servers. |
| 1111213 | Points List Scan | An attacker determines what DNP3 data points are available in the reconnaissance phase of an attack. |
| 1111214 | Function Code Scan | An attacker determines what DNP3 function codes are available in the reconnaissance phase of an attack. |
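The following is an added example and is not part of the SCADApedia page or of Digital Bond's Snort rules. It is a small Python classifier that applies the three categories above to a single DNP3 link-layer frame and labels its findings with the SIDs from the table, so the grouping of the rules can be exercised offline. The authorized client set, the IP addresses and the sample frames are constructed for the example. The function codes for Stop Application (0x12) and Disable Unsolicited Responses (0x15), the 0xFFFD-0xFFFF broadcast addresses and the CRC-16/DNP parameters are taken from the DNP3 standard rather than from the page; the page itself gives only 0x0D and 0x0E.

```python
# Added example: toy DNP3 request classifier applying the three signature
# categories to one link-layer frame. Not Digital Bond's rules. The client
# list, addresses and frames are constructed; function codes 0x12, 0x15 and
# the broadcast addresses come from the DNP3 standard, not from the page.
import struct

# Constructed: the HMI / control server allowed to poll the outstations
# (the equivalent of a Snort address variable for authorized DNP3 clients).
AUTHORIZED_CLIENTS = {"10.1.1.10"}

# DNP3 application-layer function codes used below.
FC_READ, FC_WRITE = 0x01, 0x02
FC_COLD_RESTART, FC_WARM_RESTART = 0x0D, 0x0E
FC_STOP_APPLICATION, FC_DISABLE_UNSOLICITED = 0x12, 0x15
BROADCAST_ADDRESSES = {0xFFFD, 0xFFFE, 0xFFFF}


def crc_dnp(data: bytes) -> int:
    """CRC-16/DNP: reflected polynomial 0x3D65 (0xA6BC), init 0, final XOR 0xFFFF."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF


def build_frame(link_src: int, link_dst: int, app_fc: int) -> bytes:
    """Build a one-fragment DNP3 request: link header + CRC, then transport
    byte, application control byte and function code + data-block CRC."""
    user_data = bytes([0xC0, 0xC0, app_fc])  # transport FIR|FIN seq 0; app FIR|FIN seq 0; FC
    header = bytes([0x05, 0x64, 5 + len(user_data), 0xC4])  # start, length, DIR|PRM unconfirmed data
    header += struct.pack("<HH", link_dst, link_src)
    frame = header + struct.pack("<H", crc_dnp(header))
    for i in range(0, len(user_data), 16):  # every 16-byte data block carries its own CRC
        block = user_data[i:i + 16]
        frame += block + struct.pack("<H", crc_dnp(block))
    return frame


def parse_request(frame: bytes) -> dict:
    """Validate the link layer and return destination, source and function code.
    Raises ValueError on what a fuzzer produces: bad start bytes, inconsistent
    length, CRC mismatch, truncation or trailing garbage."""
    if len(frame) < 10 or frame[:2] != b"\x05\x64":
        raise ValueError("missing DNP3 start bytes")
    length = frame[2]
    if length < 5:
        raise ValueError("length field shorter than link header")
    if struct.unpack("<H", frame[8:10])[0] != crc_dnp(frame[:8]):
        raise ValueError("link header CRC mismatch")
    dst, src = struct.unpack("<HH", frame[4:8])
    remaining, pos, user_data = length - 5, 10, b""
    while remaining:
        take = min(16, remaining)
        block, crc = frame[pos:pos + take], frame[pos + take:pos + take + 2]
        if len(block) != take or len(crc) != 2:
            raise ValueError("frame truncated")
        if struct.unpack("<H", crc)[0] != crc_dnp(block):
            raise ValueError("data block CRC mismatch")
        user_data += block
        pos += take + 2
        remaining -= take
    if pos != len(frame):
        raise ValueError("trailing bytes after last CRC")
    if len(user_data) < 3:
        raise ValueError("no application header")
    return {"dst": dst, "src": src, "fc": user_data[2]}


def classify(client_ip: str, frame: bytes) -> list:
    """Return (SID, message) pairs for one request, following the table.
    SID None marks a protocol error the table lists no dedicated SID for."""
    try:
        req = parse_request(frame)
    except ValueError as err:
        if not frame.startswith(b"\x05\x64"):
            return [(1111202, "Non-DNP3 Communication on a DNP3 Port")]
        return [(None, f"DNP3 Protocol Error: {err}")]
    authorized = client_ip in AUTHORIZED_CLIENTS
    fc, alerts = req["fc"], []
    if not authorized:  # Unauthorized DNP3 Use: severity depends on the request type
        if fc == FC_READ:
            alerts.append((1111206, "Unauthorized Read Request to a PLC"))
        elif fc == FC_WRITE:
            alerts.append((1111207, "Unauthorized Write Request to a PLC"))
        else:
            alerts.append((1111208, "Unauthorized Miscellaneous Request to a PLC"))
    # Rare and Dangerous Requests: flagged even from an authorized client
    if fc == FC_COLD_RESTART:
        alerts.append((1111204, "Cold Restart from Authorized Client") if authorized
                      else (1111205, "Cold Restart from Unauthorized Client"))
    elif fc == FC_WARM_RESTART:
        alerts.append((1111210, "Warm Restart"))
    elif fc == FC_STOP_APPLICATION:
        alerts.append((1111209, "Stop Application"))
    elif fc == FC_DISABLE_UNSOLICITED:
        alerts.append((1111201, "Disable Unsolicited Response"))
    if req["dst"] in BROADCAST_ADDRESSES:
        alerts.append((1111211, "Broadcast Request from an Authorized Client") if authorized
                      else (1111212, "Broadcast Request from an Unauthorized Client"))
    return alerts


if __name__ == "__main__":
    # Constructed traffic: link address 1 (master) polling outstation 10.
    for ip, frame in [("10.1.1.10", build_frame(1, 10, FC_READ)),
                      ("10.1.1.99", build_frame(1, 10, FC_COLD_RESTART)),
                      ("10.1.1.10", b"GET / HTTP/1.1\r\n")]:
        print(ip, classify(ip, frame))
```

Unlike a Snort rule, which matches on bytes at fixed offsets of the TCP payload, the example validates the link-layer CRCs first, so a fuzzed frame is reported as a protocol error rather than being mis-read as a dangerous request. One frame can raise more than one SID, for example an unauthorized cold restart raises both 1111208 and 1111205, which is also how the Snort rules in the two categories overlap.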
