Quickdraw Detection Plugins
From SCADApedia
Digital Bond's Quickdraw research project detects and creates security events for PLCs, RTUs and other field devices that lack a security logging capability. It does this by adding SCADA intelligence to the Snort IDS in the form of preprocessors, detection plugins, output plugins and rules.
Quickdraw was funded by a DHS research contract.
General Design Information
The protocols are built on top of TCP, so the decoding of the packets needs to occur after TCP handling in Stream5. This is why the protocol decoders are implemented as Snort preprocessors. The preprocessor stores the parsed packets in the stream (using Snort's stream_api) so that the detection engine plugins can access multiple packets in the same stream during their inspection. This way the detection engine can work with both requests and replies, so Quickdraw doesn't just log a request or a reply but the full event, including the PLC response.
The detection plugins create keywords that can be used in Snort rules. The keywords then will pull data for Snort rule evaluation from objects decoded and assigned in the preprocessor.
DNP3 Detection Plugins
Name: dnp3_checksum
Purpose: checks whether the checksums of the packet and of the data chunks are correct
Source files: src/detection-plugins/sp_dnp3_checksum.[ch]
Enable: "dnp3_checksum:<value>;" in any rule that needs to check the checksum
Options: "correct" or "incorrect"
Dependencies: preprocessor dnp3 must be active.
Example rule: alert tcp any 20000 -> any any (msg:"(Event 16) Failed Checksum Error"; flags: PA; dnp3_checksum:incorrect; category:request error; sid:1000500; rev:1;)
TODO: check packet checksum too.
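As an added illustration (not Quickdraw's own source), the link-layer CRC checking that a dnp3_checksum evaluation depends on, in C: the header CRC is verified first, then the CRC of each user-data block of up to 16 bytes. The sample frame bytes are constructed here.

```c
/* Added example (not Quickdraw's own code): the link-layer CRC checks that
 * dnp3_checksum:correct / :incorrect relies on. A DNP3 frame is an 8-byte
 * header plus CRC, then user data in blocks of up to 16 bytes, each block
 * followed by its own CRC. */
#include <stddef.h>
#include <stdint.h>

#define DNP3_HDR_LEN 10   /* 05 64 LEN CTRL DEST(2) SRC(2) CRC(2) */
#define DNP3_BLOCK   16   /* size of one CRC-protected user-data block */

/* CRC-16/DNP: reflected polynomial 0xA6BC, init 0, result inverted. */
uint16_t crc16_dnp(const uint8_t *p, size_t n)
{
    uint16_t crc = 0;
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int b = 0; b < 8; b++)
            crc = (crc & 1) ? (uint16_t)((crc >> 1) ^ 0xA6BC) : (uint16_t)(crc >> 1);
    }
    return (uint16_t)~crc;
}

/* The CRC is sent little-endian right after the bytes it covers. */
static int block_ok(const uint8_t *p, size_t n)
{
    uint16_t sent = (uint16_t)(p[n] | (p[n + 1] << 8));
    return crc16_dnp(p, n) == sent;
}

/* 1 when the header CRC and every data-block CRC verify, else 0. A bad start
 * sequence, an impossible LEN or a truncated frame also count as failures. */
int dnp3_frame_checksums_ok(const uint8_t *f, size_t len)
{
    if (len < DNP3_HDR_LEN || f[0] != 0x05 || f[1] != 0x64 || f[2] < 5) return 0;
    if (!block_ok(f, 8)) return 0;              /* header CRC */
    size_t remaining = f[2] - 5u;               /* LEN counts CTRL+DEST+SRC+data */
    size_t off = DNP3_HDR_LEN;
    while (remaining) {
        size_t n = remaining < DNP3_BLOCK ? remaining : DNP3_BLOCK;
        if (off + n + 2 > len || !block_ok(f + off, n)) return 0;
        off += n + 2;
        remaining -= n;
    }
    return off == len;                          /* no trailing bytes */
}
```

A Link Reset request such as 05 64 05 C0 01 00 00 04 E9 21 (constructed sample, CRC 0x21E9 sent low byte first) passes; flipping any header or data byte makes the check fail, which is the condition dnp3_checksum:incorrect alerts on.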
Name: dnp3_cmd_fc
Purpose: matches on the function code field in a cmd packet.
Source files: src/detection-plugins/sp_dnp3_cmd_fc.[ch]
Enable: "dnp3_cmd_fc:<value>;" in any rule that needs to match on the function code
Options: decimal value of the function code to match on
Dependencies: preprocessor dnp3 must be active. Matches only if the matching response packet is also recorded by the session.
Example rule: alert tcp any any -> any 20000 (msg:"(Event 32) - Time Change Attempt"; dnp3_cmd_fc:2; dnp3_cmd_ot:50; category:configuration; sid:1000903; rev:1;)
Name: dnp3_resp_ot
Purpose: matches on the object type field in a response packet.
Source files: src/detection-plugins/dnp3_resp_ot.[ch]
Enable: "dnp3_resp_ot:<value>;" in any rule that needs to match on the object type
Options: decimal value of the object type to match on
Dependencies: preprocessor dnp3 must be active.
Example rule: alert tcp any 20000 -> any any (msg:"(Event 08) Change Time"; dnp3_cmd_fc:2; dnp3_cmd_ot:50; dnp3_resp_ot:32; category:configuration; sid:123; rev:1;)
Name: dnp3_cmd_ot
Purpose: matches on the object type field in a cmd packet.
Source files: src/detection-plugins/sp_dnp3_cmd_ot.[ch]
Enable: "dnp3_cmd_ot:<value>;" in any rule that needs to match on the object type
Options: decimal value of the object type to match on
Dependencies: preprocessor dnp3 must be active.
Example rule: alert tcp any any -> any 20000 (msg:"(Event 32) - Time Change Attempt"; dnp3_cmd_fc:2; dnp3_cmd_ot:50; category:configuration; sid:1000903; rev:1;)
Name: dnp3_resp_ii
Purpose: matches on the internal indications field in a response packet.
Source files: src/detection-plugins/sp_dnp3_resp_ii.[ch]
Enable: "dnp3_resp_ii:<value>;" in any rule that needs to match on the internal indications
Options: the internal indication to match on. Supported values: unknown_object (0x0002) and unknown_func (0x0001).
Dependencies: preprocessor dnp3 must be active.
Example rule: alert tcp any 20000 -> any any (msg:"(Event 20) Function Not Available Error"; flags: PA; dnp3_resp_ii:unknown_func; category:request error; sid:1000501; rev:1;)
EtherNet/IP and CIP
Name: cip_service
Purpose: matches on the CIP service field of a packet.
Source files: src/detection-plugins/sp_cip_service.[ch]
Enable: "cip_service:<value>;" in any rule that needs to match on the CIP service
Options: decimal value of the CIP service
Dependencies: preprocessor enip must be active. Matches only if the matching reply packet is also recorded by the session.
Example rule: alert tcp any 44818 -> any any (msg:"(Event 29) - Software Upload"; flags:PA; cip_service:79; cip_response:06; category:reconnaissance; sid:1000509; rev:1;)
Name: cip_response
Purpose: matches on the CIP response field of a packet.
Source files: src/detection-plugins/sp_cip_response.[ch]
Enable: "cip_response:<value>;" in any rule that needs to match on the CIP response
Options: decimal value of the CIP response
Dependencies: preprocessor enip must be active.
Example rule: alert tcp any 44818 -> any any (msg:"(Event 29) - Software Upload"; flags:PA; cip_service:79; cip_response:06; category:reconnaissance; sid:1000509; rev:1;)
Modbus TCP Detection Plugins
Name: modbus_func
Purpose: matches on the function code field of a packet.
Source files: src/detection-plugins/sp_modbus_func.[ch]
Enable: "modbus_func:<value>;" in any rule that needs to match on the function code
Options: decimal value of the function code to match on
Dependencies: preprocessor modbus must be active.
Example rule: alert tcp any any -> any 502 (msg:"(Event 49) Request Controller ID"; flags: PA; modbus_func:17; category:reconnaissance; sid:1000600; rev:1;)
OPC UA Detection Plugins
Name: opcua_chunk_type
Purpose: matches on the OPC UA chunk type of a packet.
Source files: src/detection-plugins/sp_opcua_ct.[ch]
Enable: "opcua_chunk_type:<value>;" in any rule that needs to match on the OPC UA chunk type
Options: character value of the OPC UA chunk type
Dependencies: preprocessor opcua must be active.
Example rule: alert tcp any any -> any 4840 (msg:"(Event XX) IsFinal Abort"; opcua_chunk_type:A; category:Request Error; sid:123; rev:1;)
Name: opcua_message_size
Purpose: matches on the OPC UA message size of a packet.
Source files: src/detection-plugins/sp_opcua_ms.[ch]
Enable: "opcua_message_size:<value>;" in any rule that needs to match on the OPC UA message size
Options: one of the characters G, L or E (greater than, less than, equal to) followed by the OPC UA message size in bytes
Dependencies: preprocessor opcua must be active.
Example rule: alert tcp any any -> any 4840 (msg:"(Event XX) OPCUA Message over 8192 bytes"; opcua_message_size:G8192; category:Audit; sid:123; rev:1;)
Name: opcua_message_type
Purpose: matches on the OPC UA message type of a packet.
Source files: src/detection-plugins/sp_opcua_mt.[ch]
Enable: "opcua_message_type:<value>;" in any rule that needs to match on the OPC UA message type
Options: character values of the OPC UA message type
Dependencies: preprocessor opcua must be active.
Example rule: alert tcp any any -> any 4840 (msg:"(Event XX) OPCUA OPN Message"; opcua_message_type:OPN; category:Audit; sid:123; rev:1;)
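As an added example (not Quickdraw's own source), a C decoder for the 8-byte OPC UA TCP message header with the matching logic of the three keywords above: a string compare for opcua_message_type, a single-character compare for opcua_chunk_type, and the G/L/E comparator of opcua_message_size. The function names and the sample messages are constructed for this illustration.

```c
/* Added example (not Quickdraw's own code): decode the 8-byte OPC UA TCP
 * message header and evaluate the opcua_message_type, opcua_chunk_type and
 * opcua_message_size keyword options against it (OPC UA Part 6 layout). */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

struct opcua_hdr {
    char     msg_type[4];  /* "HEL", "ACK", "ERR", "OPN", "CLO" or "MSG" */
    char     chunk_type;   /* 'F' final, 'C' intermediate chunk, 'A' abort */
    uint32_t msg_size;     /* whole message incl. this header, little-endian */
};

/* Returns 1 and fills h when a well-formed header is present, else 0. */
int opcua_parse_hdr(const uint8_t *p, size_t len, struct opcua_hdr *h)
{
    if (len < 8) return 0;
    memcpy(h->msg_type, p, 3); h->msg_type[3] = '\0';
    h->chunk_type = (char)p[3];
    h->msg_size = (uint32_t)p[4] | (uint32_t)p[5] << 8 |
                  (uint32_t)p[6] << 16 | (uint32_t)p[7] << 24;
    if (h->chunk_type != 'F' && h->chunk_type != 'C' && h->chunk_type != 'A') return 0;
    return h->msg_size >= 8;   /* the size counts the header itself */
}

/* opcua_message_size:<G|L|E><n>: greater than, less than or equal to n. */
int opcua_size_match(const char *opt, uint32_t size)
{
    if (opt[0] == '\0') return 0;
    char *end; unsigned long n = strtoul(opt + 1, &end, 10);
    if (end == opt + 1 || *end != '\0') return 0;  /* no digits or trailing junk */
    switch (opt[0]) {
    case 'G': return size > n;
    case 'L': return size < n;
    case 'E': return size == n;
    default:  return 0;
    }
}

/* Evaluates a rule's OPC UA keywords against one message; NULL = keyword unused. */
int opcua_rule_match(const uint8_t *p, size_t len, const char *mt, const char *ct, const char *ms)
{
    struct opcua_hdr h;
    if (!opcua_parse_hdr(p, len, &h)) return 0;
    if (mt && strcmp(h.msg_type, mt) != 0) return 0;
    if (ct && (ct[0] != h.chunk_type || ct[1] != '\0')) return 0;
    if (ms && !opcua_size_match(ms, h.msg_size)) return 0;
    return 1;
}
```

With a constructed OPN header whose size field reads 9216, the "OPCUA Message over 8192 bytes" rule above (opcua_message_size:G8192) matches, while G9216 does not; a malformed option such as a missing number never matches.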
Additional Detection Plugins
Digital Bond developed the detection plugins that were required for detecting and outputting information for the Quickdraw Security Events. There are additional protocol fields that are decoded and assigned to objects by the SCADA protocol preprocessors. Additional detection plugins can be written to create additional keywords for the objects currently not evaluated in Quickdraw.
