
New Snort Rules for PCOM protocol


From: Luís Rosa <lmrosa () dei uc pt>
Date: Mon, 14 Jan 2019 12:39:16 +0000

Hi folks,

Below is a list of Snort rules that I'm currently testing for the
PCOM protocol. PCOM is a SCADA protocol used to interact with Unitronics PLCs.
You can find more information about the protocol here [0], and some pcaps
for testing here [1].

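# PCOM/ASCII over TCP (Unitronics PLCs); the PLC listens on TCP 20256.
#
# Each rule is written on a single line: Snort only continues a rule across a
# line break when the line ends with a backslash, so the mail-wrapped form
# must be rejoined before the file is loaded.
#
# Direction is stated explicitly in every flow option. A bare
# "flow:established" matches both directions, so a "Request" rule keyed on
# port 20256 as destination could also fire on traffic where 20256 is merely
# the client's ephemeral port; "to_server" / "to_client" pins each rule to the
# side it is meant to describe.
#
# The command code is matched at offset 9 in requests and offset 10 in
# replies. Presumably this skips the PCOM/TCP header plus the "/" + unit-id
# prefix (replies carry "/A" + unit-id) -- confirm against the protocol
# reference [0] and the pcaps in [1] before relying on the exact offsets.
#
# Changes from the first draft: sid 1000004 matched "CCS" but its msg said
# "(CCE)"; the msg now names the code the content actually matches. The
# "Ouputs" typo in the RA/SA messages is fixed. rev is bumped to 2 on every
# rule because the options changed.
#
# NOTE(review): the Write rules (SA, SS, SF, SNH, SB, SW) carry the same
# attempted-recon classtype as the Read rules. A write to PLC outputs or
# memory changes process state rather than gathering information, so a
# different classtype (e.g. policy-violation) may fit better; left as
# authored so the priorities stay comparable with the rest of the set.

# --- Identification / device control ---------------------------------------
alert tcp any any -> any 20256 (flow:established,to_server; content:"ID"; offset:9; depth:2; msg:"PCOM/ASCII Request - Identification (ID)"; classtype:attempted-recon; sid:1000001; rev:2;)
alert tcp any 20256 -> any any (flow:established,to_client; content:"ID"; offset:10; depth:2; msg:"PCOM/ASCII Reply - Identification (ID)"; classtype:attempted-recon; sid:1000002; rev:2;)
alert tcp any any -> any 20256 (flow:established,to_server; content:"CCE"; offset:9; depth:3; msg:"PCOM/ASCII Request - Reset Device (CCE)"; classtype:attempted-dos; sid:1000003; rev:2;)
alert tcp any any -> any 20256 (flow:established,to_server; content:"CCS"; offset:9; depth:3; msg:"PCOM/ASCII Request - Stop Device (CCS)"; classtype:attempted-dos; sid:1000004; rev:2;)
alert tcp any any -> any 20256 (flow:established,to_server; content:"CCR"; offset:9; depth:3; msg:"PCOM/ASCII Request - Start Device (CCR)"; classtype:attempted-dos; sid:1000005; rev:2;)
alert tcp any any -> any 20256 (flow:established,to_server; content:"CCI"; offset:9; depth:3; msg:"PCOM/ASCII Request - Init Device (CCI)"; classtype:attempted-dos; sid:1000006; rev:2;)

# --- Unit ID and real-time clock -------------------------------------------
alert tcp any any -> any 20256 (flow:established,to_server; content:"UG"; offset:9; depth:2; msg:"PCOM/ASCII Request - Get UnitID (UG)"; classtype:attempted-recon; sid:1000007; rev:2;)
alert tcp any 20256 -> any any (flow:established,to_client; content:"UG"; offset:10; depth:2; msg:"PCOM/ASCII Reply - Get UnitID (UG)"; classtype:attempted-recon; sid:1000008; rev:2;)
alert tcp any any -> any 20256 (flow:established,to_server; content:"US"; offset:9; depth:2; msg:"PCOM/ASCII Request - Set UnitID (US)"; classtype:attempted-recon; sid:1000009; rev:2;)
alert tcp any 20256 -> any any (flow:established,to_client; content:"US"; offset:10; depth:2; msg:"PCOM/ASCII Reply - Set UnitID (US)"; classtype:attempted-recon; sid:1000010; rev:2;)
alert tcp any any -> any 20256 (flow:established,to_server; content:"RC"; offset:9; depth:2; msg:"PCOM/ASCII Request - Get RTC (RC)"; classtype:attempted-recon; sid:1000011; rev:2;)
alert tcp any 20256 -> any any (flow:established,to_client; content:"RC"; offset:10; depth:2; msg:"PCOM/ASCII Reply - Get RTC (RC)"; classtype:attempted-recon; sid:1000012; rev:2;)
alert tcp any any -> any 20256 (flow:established,to_server; content:"SC"; offset:9; depth:2; msg:"PCOM/ASCII Request - Set RTC (SC)"; classtype:attempted-recon; sid:1000013; rev:2;)
alert tcp any 20256 -> any any (flow:established,to_client; content:"SC"; offset:10; depth:2; msg:"PCOM/ASCII Reply - Set RTC (SC)"; classtype:attempted-recon; sid:1000014; rev:2;)

# --- Read operations -------------------------------------------------------
alert tcp any any -> any 20256 (flow:established,to_server; content:"RE"; offset:9; depth:2; msg:"PCOM/ASCII Request - Read Inputs (RE)"; classtype:attempted-recon; sid:1000015; rev:2;)
alert tcp any 20256 -> any any (flow:established,to_client; content:"RE"; offset:10; depth:2; msg:"PCOM/ASCII Reply - Read Inputs (RE)"; classtype:attempted-recon; sid:1000016; rev:2;)
alert tcp any any -> any 20256 (flow:established,to_server; content:"RA"; offset:9; depth:2; msg:"PCOM/ASCII Request - Read Outputs (RA)"; classtype:attempted-recon; sid:1000017; rev:2;)
alert tcp any 20256 -> any any (flow:established,to_client; content:"RA"; offset:10; depth:2; msg:"PCOM/ASCII Reply - Read Outputs (RA)"; classtype:attempted-recon; sid:1000018; rev:2;)
alert tcp any any -> any 20256 (flow:established,to_server; content:"GS"; offset:9; depth:2; msg:"PCOM/ASCII Request - Read System Bits (GS)"; classtype:attempted-recon; sid:1000019; rev:2;)
alert tcp any 20256 -> any any (flow:established,to_client; content:"GS"; offset:10; depth:2; msg:"PCOM/ASCII Reply - Read System Bits (GS)"; classtype:attempted-recon; sid:1000020; rev:2;)
alert tcp any any -> any 20256 (flow:established,to_server; content:"GF"; offset:9; depth:2; msg:"PCOM/ASCII Request - Read System Integers (GF)"; classtype:attempted-recon; sid:1000021; rev:2;)
alert tcp any 20256 -> any any (flow:established,to_client; content:"GF"; offset:10; depth:2; msg:"PCOM/ASCII Reply - Read System Integers (GF)"; classtype:attempted-recon; sid:1000022; rev:2;)
# RNH/RNL requests are distinguished by the third byte; the reply carries only
# "RN", so sid 1000024 covers both system-long and memory-long replies.
alert tcp any any -> any 20256 (flow:established,to_server; content:"RNH"; offset:9; depth:3; msg:"PCOM/ASCII Request - Read System Longs (RNH)"; classtype:attempted-recon; sid:1000023; rev:2;)
alert tcp any 20256 -> any any (flow:established,to_client; content:"RN"; offset:10; depth:2; msg:"PCOM/ASCII Reply - Read Longs (RN)"; classtype:attempted-recon; sid:1000024; rev:2;)
alert tcp any any -> any 20256 (flow:established,to_server; content:"MB"; offset:9; depth:2; msg:"PCOM/ASCII Request - Read Memory Bits (MB)"; classtype:attempted-recon; sid:1000025; rev:2;)
alert tcp any 20256 -> any any (flow:established,to_client; content:"MB"; offset:10; depth:2; msg:"PCOM/ASCII Reply - Read Memory Bits (MB)"; classtype:attempted-recon; sid:1000026; rev:2;)
alert tcp any any -> any 20256 (flow:established,to_server; content:"MI"; offset:9; depth:2; msg:"PCOM/ASCII Request - Read Memory Integers (MI)"; classtype:attempted-recon; sid:1000027; rev:2;)
alert tcp any 20256 -> any any (flow:established,to_client; content:"MI"; offset:10; depth:2; msg:"PCOM/ASCII Reply - Read Memory Integers (MI)"; classtype:attempted-recon; sid:1000028; rev:2;)
alert tcp any any -> any 20256 (flow:established,to_server; content:"RNL"; offset:9; depth:3; msg:"PCOM/ASCII Request - Read Memory Longs (RNL)"; classtype:attempted-recon; sid:1000029; rev:2;)

# --- Write operations ------------------------------------------------------
alert tcp any any -> any 20256 (flow:established,to_server; content:"SA"; offset:9; depth:2; msg:"PCOM/ASCII Request - Write Outputs (SA)"; classtype:attempted-recon; sid:1000030; rev:2;)
alert tcp any 20256 -> any any (flow:established,to_client; content:"SA"; offset:10; depth:2; msg:"PCOM/ASCII Reply - Write Outputs (SA)"; classtype:attempted-recon; sid:1000031; rev:2;)
alert tcp any any -> any 20256 (flow:established,to_server; content:"SS"; offset:9; depth:2; msg:"PCOM/ASCII Request - Write System Bits (SS)"; classtype:attempted-recon; sid:1000032; rev:2;)
alert tcp any 20256 -> any any (flow:established,to_client; content:"SS"; offset:10; depth:2; msg:"PCOM/ASCII Reply - Write System Bits (SS)"; classtype:attempted-recon; sid:1000033; rev:2;)
alert tcp any any -> any 20256 (flow:established,to_server; content:"SF"; offset:9; depth:2; msg:"PCOM/ASCII Request - Write System Integers (SF)"; classtype:attempted-recon; sid:1000034; rev:2;)
alert tcp any 20256 -> any any (flow:established,to_client; content:"SF"; offset:10; depth:2; msg:"PCOM/ASCII Reply - Write System Integers (SF)"; classtype:attempted-recon; sid:1000035; rev:2;)
# As with RN above, the reply carries only "SN", so sid 1000037 covers both
# system-long and memory-long write replies.
alert tcp any any -> any 20256 (flow:established,to_server; content:"SNH"; offset:9; depth:3; msg:"PCOM/ASCII Request - Write System Longs (SNH)"; classtype:attempted-recon; sid:1000036; rev:2;)
alert tcp any 20256 -> any any (flow:established,to_client; content:"SN"; offset:10; depth:2; msg:"PCOM/ASCII Reply - Write Longs (SN)"; classtype:attempted-recon; sid:1000037; rev:2;)
alert tcp any any -> any 20256 (flow:established,to_server; content:"SB"; offset:9; depth:2; msg:"PCOM/ASCII Request - Write Memory Bits (SB)"; classtype:attempted-recon; sid:1000038; rev:2;)
alert tcp any 20256 -> any any (flow:established,to_client; content:"SB"; offset:10; depth:2; msg:"PCOM/ASCII Reply - Write Memory Bits (SB)"; classtype:attempted-recon; sid:1000039; rev:2;)
alert tcp any any -> any 20256 (flow:established,to_server; content:"SW"; offset:9; depth:2; msg:"PCOM/ASCII Request - Write Memory Integers (SW)"; classtype:attempted-recon; sid:1000040; rev:2;)
alert tcp any 20256 -> any any (flow:established,to_client; content:"SW"; offset:10; depth:2; msg:"PCOM/ASCII Reply - Write Memory Integers (SW)"; classtype:attempted-recon; sid:1000041; rev:2;)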
--
[0]
https://unitronicsplc.com/Download/SoftwareUtilities/Unitronics%20PCOM%20Protocol.pdf
[1] https://github.com/lmrosa/pcom-misc/tree/master/pcaps


-- 
Best Regards,
Luís Rosa
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
