EtherNet/IP Preprocessor
From SCADApedia
Digital Bond has developed SCADA IDS Preprocessors for the Snort IDS/IPS. These preprocessors were developed for the DHS funded Quickdraw project, but they are also useful for intrusion detection and prevention as well as for adding SCADA protocol deep inspection to field firewalls.
The EtherNet/IP preprocessor makes Snort rule writing for EtherNet/IP and the underlying CIP possible, and much simpler. Without the preprocessor it would be difficult to write reliable rules, because the session state must be known to avoid false positives and false negatives. The plugins that use the objects collected by the preprocessor let a Snort rule writer match field values, such as the CIP service, directly.
EtherNet/IP Preprocessor Details
Name: enip
Purpose: decodes ENIP/CIP packets and stores them in the stream using the Quickdraw API for inspection by the detection engine
Source files: src/preprocessors/spp_enip.[ch]
Enable: "preprocessor enip" in snort.conf
Options: none
Dependencies: place after Frag3 & Stream5 in the snort.conf
Available Plugins
There are currently two EtherNet/IP plugins available.
EtherNet/IP CIP Service: cip_service
Purpose: matches on the CIP service field of a packet
Source files: src/detection-plugins/sp_cip_service.[ch]
Enable: "cip_service:<value>;" in any rule that needs to match on the CIP service
Options: decimal value of the CIP service
Dependencies: preprocessor enip must be active; matches only if the matching reply packet is also recorded by the session
Example rule: alert tcp !$ENIP_CLIENT 44818 -> $ENIP_SERVER any (msg:"SCADA_IDS: ENIP/CIP - Reboot or Restart from Unauthorized Client"; flags:PA; cip_service:5; reference:scada,1111501.htm; classtype:attempted-dos; sid:1111501; rev:1; priority:1;)
EtherNet/IP CIP Response: cip_response
Purpose: matches on the CIP response field of a packet
Source files: src/detection-plugins/sp_cip_response.[ch]
Enable: "cip_response:<value>;" in any rule that needs to match on the CIP response
Options: decimal value of the CIP response
Dependencies: preprocessor enip must be active
Example rule: alert tcp any 44818 -> any any (msg:"(Event XX) PLC Unlocked"; cip_service:76; cip_response:0; category:access control; sid:123; rev:1;)
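The matching that the cip_service and cip_response plugins describe, as an added Python example that is not part of the Quickdraw preprocessor: it decodes a SendRRData encapsulation frame down to the CIP service code and general status, then pairs a request with its reply before reporting the two values a rule would test, so an unsolicited reply yields no match. The frames are constructed, and pairing on session handle plus sender context is an assumption about how the session state is kept.

```python
import struct

# 24-byte ENIP encapsulation header, little-endian: command, length, session
# handle, status, 8-byte sender context, options
ENIP_HDR = struct.Struct("<HHIIQI")
SEND_RR_DATA = 0x006F            # encapsulation command carrying unconnected CIP
CPF_UNCONNECTED_DATA = 0x00B2    # CPF item type holding the CIP message

def parse_cip(frame):
    """Decode one SendRRData frame to the CIP service and, for replies, the general status."""
    cmd, length, session, _status, ctx, _opts = ENIP_HDR.unpack_from(frame, 0)
    if cmd != SEND_RR_DATA or len(frame) != ENIP_HDR.size + length:
        raise ValueError("not a complete SendRRData frame")
    off = ENIP_HDR.size + 6                      # skip interface handle (4) and timeout (2)
    (item_count,) = struct.unpack_from("<H", frame, off)
    off, cip = off + 2, None
    for _ in range(item_count):                  # walk the Common Packet Format items
        typ, ilen = struct.unpack_from("<HH", frame, off)
        if typ == CPF_UNCONNECTED_DATA:
            cip = frame[off + 4:off + 4 + ilen]
        off += 4 + ilen
    if not cip:
        raise ValueError("no unconnected data item")
    rec = {"session": session, "context": ctx, "is_reply": bool(cip[0] & 0x80),
           "service": cip[0] & 0x7F}             # bit 7 marks a reply, low bits the service code
    if rec["is_reply"]:
        rec["status"] = cip[2]                   # general status follows the reserved byte
    return rec
class EnipSession:
    """Request/reply pairing a cip_service rule needs (assumed model, not Snort's own code)."""
    def __init__(self):
        self.pending = {}
    def feed(self, frame):
        rec = parse_cip(frame)
        key = (rec["session"], rec["context"])   # assumption: pair on session handle + sender context
        if not rec["is_reply"]:
            self.pending[key] = rec
            return None                          # nothing to match until the reply is recorded
        req = self.pending.pop(key, None)
        if req is None:
            return None                          # reply without a recorded request: no match
        return {"cip_service": req["service"], "cip_response": rec["status"]}

def enip_frame(session, ctx, cip):               # build a constructed SendRRData frame
    cpf = struct.pack("<HHHHH", 2, 0x0000, 0, CPF_UNCONNECTED_DATA, len(cip)) + cip
    body = struct.pack("<IH", 0, 0) + cpf        # interface handle 0 (CIP), timeout 0
    return ENIP_HDR.pack(SEND_RR_DATA, len(body), session, 0, ctx, 0) + body
# Constructed sample: Reset (service 5) to Identity Object class 1, instance 1, plus its success reply
RESET_REQ = enip_frame(0x11223344, 0xABCD, bytes([0x05, 0x02, 0x20, 0x01, 0x24, 0x01]))
RESET_RSP = enip_frame(0x11223344, 0xABCD, bytes([0x85, 0x00, 0x00, 0x00]))
```

Feeding RESET_REQ and then RESET_RSP to one EnipSession yields {"cip_service": 5, "cip_response": 0}, the values the two example rules test; feeding only the reply yields None.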
Future Developments
The preprocessor stores every EtherNet/IP field in an object. A person familiar with the Snort software and preprocessors would be able to use this message parsing to access any or all of the Modbus packets based on the object type. This is likely to be useful for developers.
Digital Bond plans to release additional plugins in the near future that will create Snort rule keywords for other fields such as register address or value.
See Also
SCADA IDS Preprocessor Installation Instructions
