Snort 2.9.2 marks Snort’s first foray into the world of “Supervisory Control And Data Acquisition”, or SCADA. In this release, we have added preprocessors to support the DNP3 and Modbus protocols.
SCADA covers a broad range of networks, from industrial control processes to utility distribution. There are a slew of protocols and devices out there. These networks have some similar characteristics; they involve a central “Master” device that sends commands and reads data from several “Outstation” devices. These outstations are typically small embedded systems, and they may even communicate over serial link to a gateway which passes the messages over TCP/IP.
The following documents can help get you up to speed:
- DNP3 Primer: http://www.dnp.org/AboutUs/DNP3%20Primer%20Rev%20A.pdf
- Modbus Specs: http://www.modbus.org/specs.php
The complete Modbus specifications are free to download, but the DNP3 specs will require a paid membership at www.dnp.org. The DNP3 Primer will be enough for this blog post.
The DNP3 and Modbus preprocessors will decode their respective protocols, check for certain anomalies, and provide rule options for some of the protocol fields. The Snort Manual (XXX: LINK MANUAL, manual.snort.org/nodeXXXXX.html) will act as a reference for preprocessor and rule syntax, while this blog post will highlight some of the tasks you can perform:
Easier Rules: VRT releases a set of Modbus and DNP3 rules in their “scada.rules” file. Prior to Snort 2.9.2, these rules had to decode the protocol with “content” and “byte_test” rules. This makes for some cumbersome rules. Here is rule 1:17782, as it was written before the Modbus preprocessor:
<tt>alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (
msg:"SCADA Modbus write single register from external source";
flow:established,to_server; content:"|06|"; depth:1; offset:7;
classtype:protocol-command-decode; sid:17783; rev:1;)</tt>
Download Snort here: http://www.snort.org/snort-downloads