SCADA IDS Preprocessors

From SCADApedia

Digital Bond has developed SCADA IDS Preprocessors for use with the Snort IDS under a contract for the US Department of Homeland Security. The main reason to develop the preprocessors was to make reliable detection possible. In some protocols, such as EtherNet/IP, the items that need to be evaluated can appear almost anywhere in the packet. The only way to evaluate a field in this case is to decode the protocol and evaluate the applicable field. Other protocols, such as DNP3, have a more consistent structure, but intentional or unintentional fragmentation can cause a false negative in an IDS sensor.

The SCADA IDS Preprocessors decode the protocol, and related detection plugins then allow Snort rules to evaluate the fields the preprocessor has decoded.

General Design

The SCADA protocols considered in this project are built on top of TCP, so the decoding of the packets needs to occur after TCP handling in Stream5. This is why the protocol decoders are implemented as Snort preprocessors. The preprocessor stores the parsed packets in the stream (using Snort's stream_api) so the detection engine plugins can access multiple packets in the same stream for their inspection.

With this first release, Digital Bond is doing a full decode of the SCADA protocols and providing a small number of plugins to make Snort rule writing easier in all cases and more effective in most cases. For example, there are plugins that make it easy to write Snort rules to detect use of specific function codes in Modbus TCP, EtherNet/IP or DNP3. Additional plugins will be developed, but at this time an experienced Snort programmer would be able to access any of the decoded fields in the stream.

Available Preprocessors

Digital Bond has released three preprocessors to date and others are under development.

Click on the preprocessor to see a detailed documentation page on each preprocessor.

Installation Overview

The SCADA IDS preprocessor, plugins and supporting code are distributed as a gzipped unix patch file. For those of you who aren't familiar with this file type, a patch file is essentially a detailed list of the changes and additions between two files or directories. By feeding this file to patch and pointing it at your Snort source code directory, the changes are applied and you then have a copy of the SCADA IDS Preprocessor source tree.

There is a SCADA IDS Preprocessor Installation Instructions page and the installation instructions are provided with the preprocessor download.

Preprocessor Uses

Quickdraw

Quickdraw is a Digital Bond developed application that sits passively on the network, captures data sent to and from a PLC or other field device, and creates the security events that a field device would ideally log. For example, Quickdraw will create security events for failed login attempts, firmware uploads, unsupported function codes and more.

Quickdraw is an enhancement to Snort. One of the enhancements required analyzing and storing data from multiple packets. This is required to determine whether something that should be logged has occurred and, if an event has occurred, to have access to all the parameters needed to create the security log event. In addition, knowing the state of a session was very important to avoid false positives and false negatives.

Quickdraw is funded by the US Department of Homeland Security.

Snort IDS/IPS

The preprocessors will make writing Snort rules easier in all cases and, in some cases, possible at all.

Modbus TCP is a very simple protocol. Packet lengths are short, so fragmentation is not an issue. It is purely request/response, so session information is very simple to track. Rules can be written directly for Modbus TCP, and Digital Bond has released Modbus TCP IDS Signatures, but this requires knowledge of the Modbus TCP packet structure and counting of bytes. Not too difficult, but the preprocessor makes it easier. For example, the keyword modbus_func will detect the designated function code (e.g. modbus_func:3 will detect when function code 3 is used).

DNP3 is a more complex protocol because it supports unsolicited response and longer messages. In fact the DNP3 messages can be so long that they require fragmentation, and reassembly is more than TCP/IP reassembly. It requires DNP3 message reassembly as well. Snort rules that do not deal with the DNP3 fragmentation issue can result in false positives and false negatives.

EtherNet/IP is an even more complex protocol and knowing the session state is necessary to write effective Snort rules. Digital Bond believes it would be very difficult in most cases and impossible in other cases to have effective IDS/IPS rules without the preprocessor.

Digital Bond has developed and released a set of SCADA IDS Signatures that leverage the capabilities of the preprocessors. In fact, none of the EtherNet/IP IDS Signatures would be possible without the preprocessor.

Deep Inspection Field Firewalls

Many commercial vendors offer deep packet inspection of common protocols such as HTTP or FTP. The SCADA IDS preprocessors would allow a firewall vendor to easily inspect the protocol information and even build and enforce rules based on SCADA protocol fields. A simple example is allowing or disallowing access based on function codes. Some IP addresses could be allowed access with read function codes, but not be able to write to a field device.
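The following is an added illustration, not Digital Bond's preprocessor code, of the two ideas above: a decoder that walks every Modbus TCP ADU in a TCP payload (so a modbus_func-style match, as described in the Snort IDS/IPS section, does not depend on byte counting and still fires when several requests are stacked in one segment), and a field-firewall policy that permits read function codes from some sources but write function codes only from others. The policy table, the IP addresses and the sample payload are constructed for the example.

```python
import struct

# Public Modbus function codes grouped by effect on the field device.
READ_FUNCS = {1, 2, 3, 4, 7, 17, 20, 24}
WRITE_FUNCS = {5, 6, 15, 16, 21, 22, 23}


def parse_modbus_tcp(payload: bytes):
    """Return (unit_id, function_code) for every Modbus TCP ADU in a TCP payload.

    MBAP header: transaction id (2), protocol id (2, always 0), length (2),
    unit id (1). The length field covers unit id + PDU, so the next ADU
    starts at offset 6 + length. A rule that only checks a fixed byte offset
    sees the first function code and misses any stacked request after it.
    """
    pdus = []
    off = 0
    while off + 7 <= len(payload):
        _tid, proto, length, unit = struct.unpack("!HHHB", payload[off:off + 7])
        if proto != 0 or length < 2 or off + 6 + length > len(payload):
            break  # not Modbus TCP, or truncated: stop rather than guess
        pdus.append((unit, payload[off + 7]))
        off += 6 + length
    return pdus


def modbus_func(payload: bytes, code: int) -> bool:
    """Behaves like the modbus_func:<code> keyword: true if any PDU uses the code."""
    return any(func == code for _, func in parse_modbus_tcp(payload))


# Constructed policy: 10.0.0.5 may read and write, 10.0.0.9 may only read.
POLICY = {"10.0.0.5": "rw", "10.0.0.9": "ro"}


def allowed(src_ip: str, payload: bytes) -> bool:
    """Field-firewall check: every PDU from src_ip must be permitted by POLICY."""
    mode = POLICY.get(src_ip)
    if mode is None:
        return False  # unknown source: deny
    for _, func in parse_modbus_tcp(payload):
        if func in WRITE_FUNCS and mode != "rw":
            return False
        if func not in READ_FUNCS and func not in WRITE_FUNCS:
            return False  # vendor/unknown codes are denied by default
    return True


# Constructed sample: Read Holding Registers (3) followed by Write Single
# Register (6), both for unit 1, stacked in a single TCP segment.
SAMPLE = bytes.fromhex("000100000006" "01" "03" "00000002"
                       "000200000006" "01" "06" "00010011")
```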

See Also

SCADA IDS

SCADA IDS Preprocessor Installation Instructions

SCADA IDS Signatures

External Links

Download the SCADA IDS Preprocessors