DNP3 Preprocessor
From SCADApedia
Digital Bond has developed SCADA IDS Preprocessors for the Snort IDS/IPS. These preprocessors were developed for the DHS funded Quickdraw project, but they are also useful for intrusion detection and prevention as well as for adding SCADA protocol deep inspection to field firewalls.
The DNP3 preprocessor simplifies Snort rule writing. There is no need to figure out what bytes in a DNP3 packet are function codes or unit ID's. Digital Bond has developed Snort plugins that use the objects created by the preprocessor and will allow an IDS rule to use a keyword to evaluate Modbus parameters.
The DNP3 preprocessor also eliminates false positives and false negatives due to DNP3 fragmentation.
Contents |
DNP3 Preprocessor Details
Name: dnp3
Purpose: decodes DNP3 packets and stores them in the stream using the Quickdraw api for inspection by the detection engine
Source files: src/preprocessors/spp_dnp3.[ch]
Enable: "preprocessor dnp3" in snort.conf
Options: none
Dependencies: place after Frag3 & Stream5 in the snort.conf
Available Plugins
There are currently five DNP3 plugins available.
DNP3 Checksum: dnp3_checksum
Purpose: checks if the DNP3 checksums are correct for the packet and the data chunks
Source files: src/detection-plugins/sp_dnp3_checksum.[ch]
Enable: "dnp3_checksum:<value>;" in any rule that needs to check the checksum
Options: "correct" or "incorrect"
Dependencies: preprocessor dnp3 must be active
Example rule: alert tcp any any -> any 20000 (msg:"(Event 15) Checksum Failed"; dnp3_checksum:incorrect; category:request error; sid:123; rev:1;)
DNP3 Function Code: dnp3_cmd_fc
Purpose: matches on the function code field in a cmd packet
Source files: src/detection-plugins/sp_dnp3_cmd_fc.[ch]
Enable: "dnp3_cmd_fc:<value>;" in any rule that needs to match on the function code
Options: decimal value of the function code to match on
Dependencies: preprocessor dnp3 must be active; matches only if the matching response packet is also recorded by the session
Example rule: alert tcp any 20000 -> any any (msg:"(Event 08) Change Time"; dnp3_cmd_fc:2; dnp3_cmd_ot:50; dnp3_resp_ot:32; category:configuration; sid:123; rev:1;)
DNP3 Command Packet Object Type: dnp3_cmd_ot
Purpose: matches on the object type field in a cmd packet
Source files: src/detection-plugins/sp_dnp3_cmd_ot.[ch]
Enable: "dnp3_cmd_ot:<value>;" in any rule that needs to match on the object type
Options: decimal value of the object type to match on
Dependencies: preprocessor dnp3 must be active; matches only if the matching response packet is also recorded by the session
Example rule: alert tcp any 20000 -> any any (msg:"(Event 08) Change Time"; dnp3_cmd_fc:2; dnp3_cmd_ot:50; dnp3_resp_ot:32; category:configuration; sid:123; rev:1;)
DNP3 Response Packet Object Type: dnp3_resp_ot
Purpose: matches on the object type field in a response packet.
Source files: src/detection-plugins/sp_dnp3_resp_ot.[ch]
Enable: "dnp3_resp_ot:<value>;" in any rule that needs to match on the object type
Options: decimal value of the object type to match on
Dependencies: preprocessor dnp3 must be active.
Example rule: alert tcp any 20000 -> any any (msg:"(Event 08) Change Time"; dnp3_cmd_fc:2; dnp3_cmd_ot:50; dnp3_resp_ot:32; category:configuration; sid:123; rev:1;)
DNP3 Response Packet Internal Indications: dnp3_resp_ii
Purpose: matches on the internal indications (IIN) field in a response packet
Source files: src/detection-plugins/sp_dnp3_resp_ii.[ch]
Enable: "dnp3_resp_ii:<value>;" in any rule that needs to match on the object type
Options: internal indication. Supported are: unknown_object (0x0002) and unknown_func (0x0001).
Dependencies: preprocessor dnp3 must be active.
Example: alert tcp any 20000 -> any any (msg:"(Event 20) Point Not Available"; dnp3_resp_ii:unknown_object; category:request error; sid:123; rev:1;)
Future Developments
The preprocessor stores every DNP3 field in an object. A person familiar with the Snort software and preprocessors would be able to use this message parsing to access any or all of the DNP3 packets based on the object type. This is likely to be useful for developers.
Digital Bond plans to release additional plugins in the near future that will create Snort rule keywords for other fields such as register address or value.
