Modbus TCP Preprocessor
From SCADApedia
Digital Bond has developed SCADA IDS Preprocessors for the Snort IDS/IPS. These preprocessors were developed for the DHS funded Quickdraw project, but they are also useful for intrusion detection and prevention as well as for adding SCADA protocol deep inspection to field firewalls.
The Modbus TCP preprocessor simplifies Snort rule writing. There is no need to figure out what bytes in a Modbus TCP packet are function codes or unit ID's. Digital Bond has developed Snort plugins that use the objects created by the preprocessor and will allow an IDS rule to use a keyword to evaluate Modbus parameters.
Contents |
Modbus Preprocessor Details
Name: modbus
Purpose: decodes modbus tcp packets and stores them in the stream using the Quickdraw api for inspection by the detection engine
Source files: src/preprocessors/spp_modbus.[ch]
Enable: "preprocessor modbus" in snort.conf
Options: none
Dependencies: place after Frag3 & Stream5 in the snort.conf
Available Plugins
There are currently two Modbus TCP plugins available.
Function Code: modbus_func
Purpose: matches on the modbus function code field of a request or response packet
Source files: src/detection-plugins/sp_modbus_func.[ch]
Enable: "modbus_func:<value>;" in any rule that needs to match on the modbus function code
Options: decimal value of the modbus function code
Dependencies: preprocessor modbus must be active; matches regardless of whether it is a request or response packet
Example rule: alert tcp any any -> any 502 (msg:"Modbus Function Code: Read Multiple Registers"; modbus_func:3; category:availability; sid:123; rev:1;)
Function Code: modbus_unit
Purpose: matches on the modbus unit id field of a packet
Source files: src/detection-plugins/sp_modbus_unit.[ch]
Enable: "modbus_unit:<value>;" in any rule that needs to match on the unit id
Options: decimal value of the modbus unit
Dependencies: preprocessor modbus must be active
Example rule: alert tcp any any -> any 503 (msg:"Modbus Read Multiple Register Message Sent to Unit 1"; modbus_unit:1; modbus_func:3; category:access control; sid:123; rev:1;)
Future Developments
The preprocessor stores every Modbus field in an object. A person familiar with the Snort software and preprocessors would be able to use this message parsing to access any or all of the Modbus packets based on the object type. This is likely to be useful for developers.
Digital Bond plans to release additional plugins in the near future that will create Snort rule keywords for other fields such as register address or value.
