Quickdraw Architecture

From SCADApedia


Quickdraw is the project name for Digital Bond's PLC Passive Security Log Generator. This project is funded by a one-year contract from the U.S. Department of Homeland Security (DHS). Quickdraw is an application that will sit passively on the network, capture data sent to and from a PLC, and create the security events that a PLC or other field device would ideally log.

Quickdraw is an extension of the Snort IDS. Preprocessors have been developed for control system protocols, and plugins have been developed to provide multi-packet inspection and security log event generation.


Architecture Diagram

The diagram below is a high-level description of the Quickdraw architecture.

Preprocessors

Many control system protocols were adapted to IP communications by encapsulating the binary serial communication in TCP or UDP packets. For very simple, application-layer-only protocols such as Modbus TCP this poses no problem for an IDS or for Quickdraw. However, most control system protocols are multi-layer protocols that can require processing before their data is passed to the detection engine.

Two frequent reasons a request or response packet needs to be processed are fragmentation and the need to strip lower-layer data. The DNP3 protocol is a prime example. DNP3 has an application layer, a transport function and a data link layer. Data from all of these layers is encapsulated in a TCP or UDP packet. The transport function and data link layer need to be stripped out before the application layer data is passed to the detection engine. However, before this data is removed it must be inspected to determine whether the application layer request or response has been fragmented. Reconstructing the fragmented packets takes place first, followed by stripping all data except the application layer data.
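As an added example (not Quickdraw's own code; the page shows none), the following Python performs the two DNP3 steps just described: it validates and strips the data link layer (start bytes, header and per-block CRCs) from DNP3-over-TCP frames, then reassembles transport-function segments using the FIR/FIN/sequence bits into one complete application layer fragment, discarding a fragment whose segment is missing or out of order. The frame layout and CRC-16/DNP parameters follow the DNP3 specification; the frames are constructed with the block's own `build_frame` helper rather than captured from a device.

```python
import struct

def crc_dnp(data: bytes) -> int:
    """CRC-16/DNP (reflected polynomial 0xA6BC, init 0, final complement)."""
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF

def build_frame(ctrl: int, dest: int, src: int, user_data: bytes) -> bytes:  # constructed test helper
    # Link header (0x05 0x64, LEN, CTRL, DEST, SRC) + CRC, then user data in 16-byte blocks with CRCs
    hdr = struct.pack("<BBBBHH", 0x05, 0x64, 5 + len(user_data), ctrl, dest, src)
    frame = hdr + struct.pack("<H", crc_dnp(hdr))
    for i in range(0, len(user_data), 16):
        frame += user_data[i:i + 16] + struct.pack("<H", crc_dnp(user_data[i:i + 16]))
    return frame

def strip_link_layer(frame: bytes):
    """Check start bytes and every CRC; return (ctrl, dest, src, user_data) minus link overhead."""
    if len(frame) < 10 or frame[:2] != b"\x05\x64": raise ValueError("bad DNP3 start bytes")
    length, ctrl, dest, src = struct.unpack("<BBHH", frame[2:8])
    if frame[8:10] != struct.pack("<H", crc_dnp(frame[:8])): raise ValueError("header CRC mismatch")
    user, pos, remaining = b"", 10, length - 5   # LEN counts ctrl+dest+src+user data, not the CRCs
    while remaining > 0:
        n = min(16, remaining)
        blk = frame[pos:pos + n]
        if len(blk) != n or frame[pos + n:pos + n + 2] != struct.pack("<H", crc_dnp(blk)):
            raise ValueError("data block CRC mismatch or truncated frame")
        user, pos, remaining = user + blk, pos + n + 2, remaining - n
    return ctrl, dest, src, user

def reassemble(frames):
    """Yield complete application fragments; the transport header's FIR/FIN/SEQ bits drive reassembly."""
    buf, expect = None, None
    for f in frames:
        user = strip_link_layer(f)[3]
        if not user: continue        # link-layer-only frame (e.g. link status): no application data
        th, seg = user[0], user[1:]
        fir, fin, seq = th & 0x40, th & 0x80, th & 0x3F
        if fir:                      # FIR starts a new fragment, discarding any partial one
            buf = seg
        elif buf is not None and seq == expect:
            buf += seg
        else:                        # missing or out-of-order segment: drop until the next FIR
            buf = None
        expect = (seq + 1) & 0x3F
        if fin and buf is not None:  # FIN completes the fragment for the detection engine
            yield buf
            buf = None
```

Because a link frame carries at most 250 bytes of user data (one byte of which is the transport header), any application fragment longer than 249 bytes arrives as several frames and only the reassembled output should reach signature matching.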

Quickdraw Preprocessors

Digital Bond is still determining how many preprocessors will be written for the Quickdraw project. The list below will be updated as appropriate.

  • DNP3 - Status: Completed and under test
  • EtherNet/IP - Status: Under development

While these preprocessors are written for Quickdraw, they are likely to be useful for other projects. For example, the preprocessor will help in the development of IDS signatures, especially in preventing fragmentation from being used to circumvent the IDS engine. The preprocessor may also be helpful in field firewalls and other perimeter security devices that perform deep packet inspection.

Plugins

The Quickdraw application includes one detection plugin and two output plugins.

The most difficult Snort enhancement is the Quickdraw Trigger Detection Plugin. This plugin does multi-packet analysis to detect security events. Most often it needs to trigger based on a request and response packet. For example, a login request and the login response, success or failure, would both be evaluated by the Trigger Detection Plugin. Fortunately, the requirements for maintaining state are fairly limited for Quickdraw, and it is an open question how useful this plugin will be outside of Quickdraw.

The two output plugins are:

  1. Quickdraw Log Message Construction plugin to extract the parameters from request and response packets and create the security log event
  2. Quickdraw Output plugin to send the created security log events to a historian, SEM or other log aggregator

External Links

Snort Web Site
