Modbus TCP Preprocessor
From SCADApedia
Digital Bond has developed SCADA IDS Preprocessors for the Snort IDS/IPS. These preprocessors were developed for the DHS funded Quickdraw project, but they are also useful for intrusion detection and prevention as well as for adding SCADA protocol deep inspection to field firewalls.
Modbus TCP is a simple request/response control system protocol. Its limited frame length eliminates the need for fragmentation, and its fixed structure (a seven-byte MBAP header carrying the transaction ID, protocol ID, length and unit ID, followed by the function code and data) makes it possible to develop IDS signatures without a preprocessor to decode the protocol. Digital Bond has released a set of Modbus TCP IDS Signatures that are highly reliable; the only known issues with these signatures involve proprietary modifications to the standard protocol.
The Modbus TCP preprocessor does, however, simplify Snort rule writing for those unfamiliar with the Modbus protocol: there is no need to work out which bytes in a Modbus TCP packet hold the function code or the unit ID. Digital Bond has developed Snort detection plugins that use the objects created by the preprocessor and let an IDS rule evaluate Modbus parameters with a keyword.
Modbus Preprocessor Details
Name: modbus
Purpose: decodes Modbus TCP packets and stores the decoded fields in the stream, using the Quickdraw API, for inspection by the detection engine
Source files: src/preprocessors/spp_modbus.[ch]
Enable: "preprocessor modbus" in snort.conf
Options: none
Dependencies: place after Frag3 and Stream5 in snort.conf, so that the preprocessor sees reassembled TCP payloads rather than raw segments
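A snort.conf ordering that satisfies the dependency above, as an added illustration rather than text from the page or from the Quickdraw project. The Frag3 and Stream5 lines use standard Snort 2.x options; the Stream5 "ports both 502" setting is an assumption made here so that Stream5 tracks and reassembles Modbus TCP traffic before the modbus preprocessor runs.

```conf
# Order matters: Frag3 and Stream5 must appear before the modbus preprocessor.
preprocessor frag3_global
preprocessor frag3_engine
preprocessor stream5_global: track_tcp yes
preprocessor stream5_tcp: ports both 502
preprocessor modbus
```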
Available Plugins
There are currently two Modbus TCP plugins available.
Keyword: modbus_func
Purpose: matches on the modbus function code field of a request or response packet
Source files: src/detection-plugins/sp_modbus_func.[ch]
Enable: "modbus_func:<value>;" in any rule that needs to match on the modbus function code
Options: decimal value of the modbus function code
Dependencies: preprocessor modbus must be active; matches regardless of whether it is a request or response packet
Sample rule: alert tcp any any -> any 502 (msg:"SCADA IDS: Modbus TCP - Read Multiple Registers"; modbus_func:3; classtype:attempted-recon; sid:123333; rev:1;)
Keyword: modbus_unit
Purpose: matches on the modbus unit id field of a packet
Source files: src/detection-plugins/sp_modbus_unit.[ch]
Enable: "modbus_unit:<value>;" in any rule that needs to match on the unit id
Options: decimal value of the modbus unit
Dependencies: preprocessor modbus must be active
Sample rule: alert tcp any any -> any 502 (msg:"SCADA IDS: Modbus TCP - Read Multiple Register Message Sent to Unit 1"; modbus_unit:1; modbus_func:3; classtype:attempted-recon; sid:123; rev:1;)
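The following is an added example in Python, not code from Digital Bond's preprocessor or plugins. It shows what the preprocessor and the two keywords above do: decode the MBAP header and function code out of a Modbus TCP frame (the byte positions the opening section says a rule writer no longer has to know), then evaluate the modbus_func and modbus_unit options from the two sample rules against each frame. The sample frames are constructed for this example, the field names are this example's own, and the treatment of exception responses (function code byte with the high bit set, kept as the raw value the keyword would compare against) is an assumption, since the page does not say how the preprocessor handles them.

```python
# Added example (not Digital Bond's Quickdraw code): decode a Modbus TCP frame
# into the fields the preprocessor exposes and evaluate modbus_func /
# modbus_unit style matches against constructed sample frames.
import struct

MBAP_LEN = 7  # transaction id (2) + protocol id (2) + length (2) + unit id (1)


def parse_modbus_tcp(frame: bytes) -> dict:
    """Decode one Modbus TCP ADU: MBAP header followed by the PDU.

    The PDU starts with the function code; an exception response sets its
    high bit (0x80) and carries a one-byte exception code after it.
    """
    if len(frame) < MBAP_LEN + 1:
        raise ValueError("frame too short for MBAP header and function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack("!HHHB", frame[:MBAP_LEN])
    if protocol_id != 0:
        raise ValueError("protocol id %d is not Modbus (expected 0)" % protocol_id)
    # The length field counts the unit id, function code and data that follow it.
    if length != len(frame) - 6:
        raise ValueError("length field %d does not match frame (%d bytes follow)"
                         % (length, len(frame) - 6))
    function_code = frame[MBAP_LEN]
    data = frame[MBAP_LEN + 1:]
    fields = {
        "transaction_id": transaction_id,
        "unit_id": unit_id,
        "function_code": function_code,  # raw byte, as a modbus_func comparison would see it
        "data": data,
        "exception_code": None,
    }
    if function_code & 0x80:  # assumption: exception responses keep the raw code
        if not data:
            raise ValueError("exception response without exception code")
        fields["exception_code"] = data[0]
    return fields


def rule_matches(fields: dict, modbus_func=None, modbus_unit=None) -> bool:
    """Mirror the modbus_func / modbus_unit keywords: every option given must match.

    Like the keywords, this does not distinguish requests from responses.
    """
    if modbus_func is not None and fields["function_code"] != modbus_func:
        return False
    if modbus_unit is not None and fields["unit_id"] != modbus_unit:
        return False
    return True


# Rule options taken from the two sample rules on this page.
RULES = [
    {"sid": 123333, "modbus_func": 3},
    {"sid": 123, "modbus_func": 3, "modbus_unit": 1},
]


def run_rules(frames, rules=RULES):
    """Return (sid, transaction_id) for every rule that fires on every frame."""
    alerts = []
    for frame in frames:
        fields = parse_modbus_tcp(frame)
        for rule in rules:
            if rule_matches(fields, rule.get("modbus_func"), rule.get("modbus_unit")):
                alerts.append((rule["sid"], fields["transaction_id"]))
    return alerts


# Constructed sample frames (not captured traffic).
READ_REQ = bytes.fromhex("0001 0000 0006 01 03 0000 000A")             # unit 1, func 3, 10 regs from 0
READ_RESP = bytes.fromhex("0001 0000 0017 01 03 14") + b"\x00" * 20   # unit 1, func 3, 20 bytes of data
READ_EXC = bytes.fromhex("0002 0000 0003 01 83 02")                    # func 3 exception, code 2
WRITE_REQ = bytes.fromhex("0003 0000 0006 05 06 0010 1234")            # unit 5, func 6 write single reg

if __name__ == "__main__":
    for sid, tid in run_rules([READ_REQ, READ_RESP, READ_EXC, WRITE_REQ]):
        print("alert sid %d on transaction %d" % (sid, tid))
```

Two things the run makes visible: both sample rules fire on the response frame as well as the request, which is the "matches regardless of whether it is a request or response packet" behaviour noted for modbus_func (in Snort the rule header's direction and port still limit which packets reach the keyword), and the exception response carries function code 0x83 rather than 3, so a modbus_func:3 rule does not see it.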
Future Developments
The preprocessor stores every Modbus field in an object. A developer familiar with Snort and its preprocessors could use this parsing to access any or all of the Modbus fields by object type, which should be useful for writing further detection plugins.
Digital Bond plans to release additional plugins in the near future that will create Snort rule keywords for other fields such as register address or value.
See Also
SCADA IDS Preprocessor Installation Instructions
