SCADA IDS Preprocessors
From SCADApedia
Digital Bond has developed SCADA IDS Preprocessors for use in Snort as part of a US Department of Homeland Security funded research project named Quickdraw.
General Design
The SCADA protocols considered in this project are built on top of TCP, so the decoding of the packets needs to occur after TCP handling in Stream5. This is why the protocol decoders are implemented as Snort preprocessors. The preprocessors store the parsed packets in the stream (using Snort's stream_api) so that the detection engine plugins can access multiple packets in the same stream for their inspection.
With this first beta release, Digital Bond is doing a full decode of the SCADA protocols and providing a small number of plugins to make Snort rule writing easier in all cases and more effective in most cases. For example there are plugins that make it easy to write Snort rules to detect use of specific function codes in Modbus TCP or DNP3. Additional plugins will be developed, but at this time an experienced Snort programmer would be able to access any of the decoded fields in the stream.
Available Preprocessors
Digital Bond has released three preprocessors to date and others are under development.
Click on the preprocessor to see a detailed documentation page on each preprocessor.
Installation Overview
The SCADA IDS preprocessors, plugins and supporting code are distributed as a gzipped unix patch file. For those of you that aren't familiar with this file type, a patch file is essentially a detailed list of the changes and additions between two files or directories. By feeding this information into patch and pointing it at your Snort source code directory, the changes are applied and you now have a copy of the SCADA IDS Preprocessor source tree.
This is a common process for a UNIX admin, but additional information will be provided in the near future.
Preprocessor Uses
Quickdraw
Quickdraw is a Digital Bond developed application that sits passively on the network, captures data sent to and from a PLC or other field device, and creates the security events that a field device would ideally log. For example, Quickdraw will create security events for failed login attempts, firmware uploads, unsupported function codes and more.
Quickdraw is an enhancement to Snort. One of the enhancements required analyzing and storing data from multiple packets. This is required to determine whether something that should be logged has occurred and, if an event has occurred, to have access to all the parameters needed to create the security log event. In addition, knowing the state of a session was very important to avoid false positives and false negatives.
Quickdraw is funded by the US Department of Homeland Security.
Snort IDS/IPS
The preprocessors will make writing Snort rules easier in all cases and possible in other cases.
Modbus TCP is a very simple protocol. Packet lengths are short, so fragmentation is not an issue. It is purely request / response, so session information is very simple to track. Rules can be written directly for Modbus TCP, and Digital Bond has released Modbus TCP IDS Signatures, but this requires knowledge of the Modbus TCP packet structure and counting of bytes. Not too difficult, but the preprocessor makes it easier. For example, the keyword modbus_func will detect the designated function code (e.g. modbus_func:3 will detect when function code 3 is used).
DNP3 is a more complex protocol because it supports unsolicited response and longer messages. In fact the DNP3 messages can be so long that they require fragmentation, and reassembly is more than TCP/IP reassembly. It requires DNP3 message reassembly as well. Snort rules that do not deal with the DNP3 fragmentation issue can result in false positives and false negatives.
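The fragmentation problem described above, as an added example that is not part of the original page and not Digital Bond's DNP3 preprocessor code: a small transport-layer reassembler that rebuilds a DNP3 application fragment from its segments, and a comparison showing why a byte-pattern rule applied to individual segments misses a request whose object headers straddle a segment boundary. It assumes the link-layer framing and CRC-protected blocks have already been validated and stripped, so each segment is the one-byte transport header followed by user data; the segments and the search pattern are constructed sample data.

```python
"""Added example (not from the SCADApedia page or the Quickdraw preprocessor):
reassemble DNP3 application fragments from transport-layer segments.
Assumption: link-layer framing and CRCs are already handled, so a segment is
the transport header octet followed by its user data."""

# Transport header layout: bit 7 FIN, bit 6 FIR, bits 0-5 sequence number.
TRANSPORT_FIN = 0x80
TRANSPORT_FIR = 0x40
TRANSPORT_SEQ = 0x3F


class Dnp3Reassembler:
    """Per-direction reassembler: FIR starts a fragment, FIN completes it,
    sequence numbers must increase by one (mod 64); anything else resets."""

    def __init__(self):
        self.buffer = None
        self.expected_seq = None

    def feed(self, segment: bytes):
        """Return the complete application fragment, or None while waiting."""
        if not segment:
            return None
        hdr = segment[0]
        seq = hdr & TRANSPORT_SEQ
        if hdr & TRANSPORT_FIR:
            self.buffer = bytearray()
            self.expected_seq = seq
        elif self.buffer is None or seq != self.expected_seq:
            # No FIR seen, or out of sequence: drop the partial fragment.
            self.buffer = None
            self.expected_seq = None
            return None
        self.buffer += segment[1:]
        self.expected_seq = (seq + 1) & TRANSPORT_SEQ
        if hdr & TRANSPORT_FIN:
            fragment = bytes(self.buffer)
            self.buffer = None
            self.expected_seq = None
            return fragment
        return None


def app_function_code(fragment: bytes) -> int:
    """Application header of a request: control octet, then function code."""
    return fragment[1]


# Constructed sample: a class 1/2/3 poll (function READ = 0x01) whose object
# headers (group 60, variations 2/3/4, qualifier 0x06) are split over two
# segments. Real segments are far larger; the split is artificial.
APP_FRAGMENT = bytes.fromhex("c0 01 3c 02 06 3c 03 06 3c 04 06")
SEG1 = bytes([TRANSPORT_FIR | 0]) + APP_FRAGMENT[:4]
SEG2 = bytes([TRANSPORT_FIN | 1]) + APP_FRAGMENT[4:]
PATTERN = bytes.fromhex("3c 02 06")  # object header a rule might look for


def naive_segment_match(segments, pattern: bytes) -> bool:
    """A rule that inspects each segment's payload on its own."""
    return any(pattern in seg[1:] for seg in segments)


def reassembled_match(segments, pattern: bytes) -> bool:
    """The same check after transport-layer reassembly."""
    r = Dnp3Reassembler()
    for seg in segments:
        fragment = r.feed(seg)
        if fragment is not None and pattern in fragment:
            return True
    return False


if __name__ == "__main__":
    print("per-segment match:", naive_segment_match([SEG1, SEG2], PATTERN))
    print("reassembled match:", reassembled_match([SEG1, SEG2], PATTERN))
```

The per-segment check returns False (a false negative) while the reassembled check returns True; the same reassembler also discards a segment that arrives without a preceding FIR or out of sequence, which is the state a preprocessor must keep to avoid matching on stale partial data.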
EtherNet/IP is an even more complex protocol and knowing the session state is necessary to write effective Snort rules. Digital Bond believes it would be very difficult in most cases and impossible in other cases to have effective IDS/IPS rules without the preprocessor.
Deep Inspection Field Firewalls
Many commercial vendors offer deep packet inspection of common protocols such as http or ftp. The SCADA IDS preprocessors would allow a firewall vendor to easily inspect the protocol information and even build and enforce rules based on SCADA protocol fields. A simple example is allowing or disallowing access based on function codes. Some IP addresses could be allowed access with read function codes, but not be able to write to a field device.
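To make the two Modbus TCP uses above concrete (the modbus_func-style function-code match from the Snort IDS/IPS section and the read-versus-write policy keyed on the client address from this section), here is an added example that is not part of the original page and not Digital Bond's preprocessor code. It decodes the MBAP header and PDU of a Modbus TCP packet, then applies both checks. The packets, host addresses and the read/write code sets are constructed sample data; the function-code classification covers the public codes listed in the sets and nothing else.

```python
"""Added example (not from the SCADApedia page or Quickdraw): a minimal
Modbus TCP decoder plus a modbus_func-style match and a read-only /
read-write policy by client address. All input below is constructed."""
import struct
from typing import NamedTuple


class ModbusADU(NamedTuple):
    transaction_id: int
    protocol_id: int
    length: int
    unit_id: int
    function_code: int
    data: bytes


# Public function codes that only read, versus those that change device state.
READ_CODES = {1, 2, 3, 4, 7, 17, 20, 24}
WRITE_CODES = {5, 6, 15, 16, 21, 22, 23}


def decode_modbus_tcp(payload: bytes) -> ModbusADU:
    """Parse the 7-byte MBAP header and the PDU that follows.
    Raise ValueError on malformed input rather than guessing."""
    if len(payload) < 8:
        raise ValueError("too short for MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", payload[:7])
    if pid != 0:
        raise ValueError(f"unexpected protocol id {pid}")
    # The length field counts unit id + PDU, so the PDU is length-1 bytes.
    if length < 2 or len(payload) < 6 + length:
        raise ValueError("length field disagrees with payload")
    pdu = payload[7:6 + length]
    return ModbusADU(tid, pid, length, uid, pdu[0], pdu[1:])


def matches_func(payload: bytes, code: int) -> bool:
    """Equivalent of the page's modbus_func:<code> keyword."""
    try:
        return decode_modbus_tcp(payload).function_code == code
    except ValueError:
        return False


def firewall_decision(src_ip, payload, read_only_hosts, read_write_hosts):
    """Field-firewall policy: listed hosts may read; only some may write.
    Returns 'allow', 'deny', or 'drop' (malformed packet)."""
    try:
        adu = decode_modbus_tcp(payload)
    except ValueError:
        return "drop"
    fc = adu.function_code
    if src_ip in read_write_hosts and fc in READ_CODES | WRITE_CODES:
        return "allow"
    if src_ip in read_only_hosts and fc in READ_CODES:
        return "allow"
    return "deny"


# Constructed packets: Read Holding Registers (FC 3) for 10 registers at 0,
# and Write Single Register (FC 6) setting register 1 to 0x00ff.
READ_REQ = bytes.fromhex("0001 0000 0006 01 03 0000 000a")
WRITE_REQ = bytes.fromhex("0002 0000 0006 01 06 0001 00ff")
READ_ONLY = {"10.0.0.5"}          # constructed: monitoring host
READ_WRITE = {"10.0.0.9"}         # constructed: engineering workstation

if __name__ == "__main__":
    print(decode_modbus_tcp(READ_REQ))
    print("modbus_func:3 on READ_REQ  ->", matches_func(READ_REQ, 3))
    print("10.0.0.5 WRITE_REQ         ->",
          firewall_decision("10.0.0.5", WRITE_REQ, READ_ONLY, READ_WRITE))
```

The decoder refuses packets whose MBAP length disagrees with the bytes actually present instead of reading past the buffer, which is the kind of check a preprocessor needs before any rule keyword can trust the parsed fields.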
