Snort mailing list archives
Re: New Snort Rules for PCOM protocol
From: Luís Rosa <lmrosa () dei uc pt>
Date: Tue, 15 Jan 2019 13:47:44 +0000
Hi Marcos,

I added a few more rules for PCOM Binary mode and fixed a few typos in the last ones (I accidentally mixed Operands with function codes in some of them). I also added to all rules a byte_test keyword to verify whether it is PCOM/ASCII or PCOM/Binary; not sure it is the most optimised way to do it. Sorry for the noise.

Please find below the newest rules. You can also refer to [0] for the most recent changes.

alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 101, 2; content:"ID"; offset: 9; depth:2; msg:"PCOM/ASCII Request - Identification (ID)"; classtype:attempted-recon; sid: 1000001; rev:1;)
alert tcp any 20256 -> any any (flow:established; byte_test:1, =, 101, 2; content:"ID"; offset: 10; depth:2; msg:"PCOM/ASCII Reply - Identification (ID)"; classtype:attempted-recon; sid: 1000002; rev:1;)
alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 101, 2; content:"CCE"; offset: 9; depth:3; msg:"PCOM/ASCII Request - Reset Device (CCE)"; classtype:attempted-dos; sid: 1000003; rev:1;)
alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 101, 2; content:"CCS"; offset: 9; depth:3; msg:"PCOM/ASCII Request - Stop Device (CCS)"; classtype:attempted-dos; sid: 1000004; rev:1;)
alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 101, 2; content:"CCR"; offset: 9; depth:3; msg:"PCOM/ASCII Request - Start Device (CCR)"; classtype:attempted-dos; sid: 1000005; rev:1;)
alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 101, 2; content:"CCI"; offset: 9; depth:3; msg:"PCOM/ASCII Request - Init Device (CCI)"; classtype:attempted-dos; sid: 1000006; rev:1;)
alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 101, 2; content:"UG"; offset: 9; depth:2; msg:"PCOM/ASCII Request - Get UnitID (UG)"; classtype:attempted-recon; sid: 1000007; rev:1;)
alert tcp any 20256 -> any any (flow:established; byte_test:1, =, 101, 2; content:"UG"; offset: 10; depth:2; msg:"PCOM/ASCII Reply - Get UnitID (UG)"; classtype:attempted-recon; sid: 1000008; rev:1;)
alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 101, 2; content:"US"; offset: 9; depth:2; msg:"PCOM/ASCII Request - Set UnitID (US)"; classtype:attempted-recon; sid: 1000009; rev:1;)
alert tcp any 20256 -> any any (flow:established; byte_test:1, =, 101, 2; content:"US"; offset: 10; depth:2; msg:"PCOM/ASCII Reply - Set UnitID (US)"; classtype:attempted-recon; sid: 1000010; rev:1;)
alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 101, 2; content:"RC"; offset: 9; depth:2; msg:"PCOM/ASCII Request - Get RTC (RC)"; classtype:attempted-recon; sid: 1000011; rev:1;)
alert tcp any 20256 -> any any (flow:established; byte_test:1, =, 101, 2; content:"RC"; offset: 10; depth:2; msg:"PCOM/ASCII Reply - Get RTC (RC)"; classtype:attempted-recon; sid: 1000012; rev:1;)
alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 101, 2; content:"SC"; offset: 9; depth:2; msg:"PCOM/ASCII Request - Set RTC (SC)"; classtype:attempted-recon; sid: 1000013; rev:1;)
alert tcp any 20256 -> any any (flow:established; byte_test:1, =, 101, 2; content:"SC"; offset: 10; depth:2; msg:"PCOM/ASCII Reply - Set RTC (SC)"; classtype:attempted-recon; sid: 1000014; rev:1;)
alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 101, 2; content:"RE"; offset: 9; depth:2; msg:"PCOM/ASCII Request - Read Inputs (RE)"; classtype:attempted-recon; sid: 1000015; rev:1;)
alert tcp any 20256 -> any any (flow:established; byte_test:1, =, 101, 2; content:"RE"; offset: 10; depth:2; msg:"PCOM/ASCII Reply - Read Inputs (RE)"; classtype:attempted-recon; sid: 1000016; rev:1;)
alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 101, 2; content:"RA"; offset: 9; depth:2; msg:"PCOM/ASCII Request - Read Outputs (RA)"; classtype:attempted-recon; sid: 1000017; rev:1;)
alert tcp any 20256 -> any any (flow:established; byte_test:1, =, 101, 2; content:"RA"; offset: 10; depth:2; msg:"PCOM/ASCII Reply - Read Outputs (RA)"; classtype:attempted-recon; sid: 1000018; rev:1;)
alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 101, 2; content:"GS"; offset: 9; depth:2; msg:"PCOM/ASCII Request - Read System Bits (GS)"; classtype:attempted-recon; sid: 1000019; rev:1;)
alert tcp any 20256 -> any any (flow:established; byte_test:1, =, 101, 2; content:"GS"; offset: 10; depth:2; msg:"PCOM/ASCII Reply - Read System Bits (GS)"; classtype:attempted-recon; sid: 1000020; rev:1;)
alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 101, 2; content:"GF"; offset: 9; depth:2; msg:"PCOM/ASCII Request - Read System Integers (GF)"; classtype:attempted-recon; sid: 1000021; rev:1;)
alert tcp any 20256 -> any any (flow:established; byte_test:1, =, 101, 2; content:"GF"; offset: 10; depth:2; msg:"PCOM/ASCII Reply - Read System Integers (GF)"; classtype:attempted-recon; sid: 1000022; rev:1;)
alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 101, 2; content:"RNH"; offset: 9; depth:3; msg:"PCOM/ASCII Request - Read System Longs (RNH)"; classtype:attempted-recon; sid: 1000023; rev:1;)
alert tcp any 20256 -> any any (flow:established; byte_test:1, =, 101, 2; content:"RN"; offset: 10; depth:2; msg:"PCOM/ASCII Reply - Read Longs (RN)"; classtype:attempted-recon; sid: 1000024; rev:1;)
alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 101, 2; content:"RB"; offset: 9; depth:2; msg:"PCOM/ASCII Request - Read Memory Bits (RB)"; classtype:attempted-recon; sid: 1000025; rev:1;)
alert tcp any 20256 -> any any (flow:established; byte_test:1, =, 101, 2; content:"RB"; offset: 10; depth:2; msg:"PCOM/ASCII Reply - Read Memory Bits (RB)"; classtype:attempted-recon; sid: 1000026; rev:1;)
alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 101, 2; content:"RW"; offset: 9; depth:2; msg:"PCOM/ASCII Request - Read Memory Integers (RW)"; classtype:attempted-recon; sid: 1000027; rev:1;)
alert tcp any 20256 -> any any (flow:established; byte_test:1, =, 101, 2; content:"RW"; offset: 10; depth:2; msg:"PCOM/ASCII Reply - Read Memory Integers (RW)"; classtype:attempted-recon; sid: 1000028; rev:1;)
alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 101, 2; content:"RNL"; offset: 9; depth:3; msg:"PCOM/ASCII Request - Read Memory Longs (RNL)"; classtype:attempted-recon; sid: 1000029; rev:1;)
alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 101, 2; content:"SA"; offset: 9; depth:2; msg:"PCOM/ASCII Request - Write Outputs (SA)"; classtype:attempted-recon; sid: 1000030; rev:1;)
alert tcp any 20256 -> any any (flow:established; byte_test:1, =, 101, 2; content:"SA"; offset: 10; depth:2; msg:"PCOM/ASCII Reply - Write Outputs (SA)"; classtype:attempted-recon; sid: 1000031; rev:1;)
alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 101, 2; content:"SS"; offset: 9; depth:2; msg:"PCOM/ASCII Request - Write System Bits (SS)"; classtype:attempted-recon; sid: 1000032; rev:1;)
alert tcp any 20256 -> any any (flow:established; byte_test:1, =, 101, 2; content:"SS"; offset: 10; depth:2; msg:"PCOM/ASCII Reply - Write System Bits (SS)"; classtype:attempted-recon; sid: 1000033; rev:1;)
alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 101, 2; content:"SF"; offset: 9; depth:2; msg:"PCOM/ASCII Request - Write System Integers (SF)"; classtype:attempted-recon; sid: 1000034; rev:1;)
alert tcp any 20256 -> any any (flow:established; byte_test:1, =, 101, 2; content:"SF"; offset: 10; depth:2; msg:"PCOM/ASCII Reply - Write System Integers (SF)"; classtype:attempted-recon; sid: 1000035; rev:1;)
alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 101, 2; content:"SNH"; offset: 9; depth:3; msg:"PCOM/ASCII Request - Write System Longs (SNH)"; classtype:attempted-recon; sid: 1000036; rev:1;)
alert tcp any 20256 -> any any (flow:established; byte_test:1, =, 101, 2; content:"SN"; offset: 10; depth:2; msg:"PCOM/ASCII Reply - Write Longs (SN)"; classtype:attempted-recon; sid: 1000037; rev:1;)
alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 101, 2; content:"SB"; offset: 9; depth:2; msg:"PCOM/ASCII Request - Write Memory Bits (SB)"; classtype:attempted-recon; sid: 1000038; rev:1;)
alert tcp any 20256 -> any any (flow:established; byte_test:1, =, 101, 2; content:"SB"; offset: 10; depth:2; msg:"PCOM/ASCII Reply - Write Memory Bits (SB)"; classtype:attempted-recon; sid: 1000039; rev:1;)
alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 101, 2; content:"SW"; offset: 9; depth:2; msg:"PCOM/ASCII Request - Write Memory Integers (SW)"; classtype:attempted-recon; sid: 1000040; rev:1;)
alert tcp any 20256 -> any any (flow:established; byte_test:1, =, 101, 2; content:"SW"; offset: 10; depth:2; msg:"PCOM/ASCII Reply - Write Memory Integers (SW)"; classtype:attempted-recon; sid: 1000041; rev:1;)
alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 101, 2; content:"SNL"; offset: 9; depth:3; msg:"PCOM/ASCII Request - Write Memory Longs (SNL)"; classtype:attempted-recon; sid: 1000042; rev:1;)
alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 102, 2; content:"|4d|"; offset: 18; depth:1; msg:"PCOM/Binary Request - Read Operands (4d)"; classtype:attempted-recon; sid: 1000043; rev:1;)
alert tcp any 20256 -> any any (flow:established; byte_test:1, =, 102, 2; content:"|cd|"; offset: 18; depth:1; msg:"PCOM/Binary Reply - Read Operands (cd)"; classtype:attempted-recon; sid: 1000044; rev:1;)
alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 102, 2; content:"|04|"; offset: 18; depth:1; msg:"PCOM/Binary Request - Read Data Table (04)"; classtype:attempted-recon; sid: 1000045; rev:1;)
alert tcp any 20256 -> any any (flow:established; byte_test:1, =, 102, 2; content:"|84|"; offset: 18; depth:1; msg:"PCOM/Binary Reply - Read Data Table (84)"; classtype:attempted-recon; sid: 1000046; rev:1;)
alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 102, 2; content:"|44|"; offset: 18; depth:1; msg:"PCOM/Binary Request - Write Data Table (44)"; classtype:attempted-recon; sid: 1000047; rev:1;)
alert tcp any 20256 -> any any (flow:established; byte_test:1, =, 102, 2; content:"|c4|"; offset: 18; depth:1; msg:"PCOM/Binary Reply - Write Data Table (c4)"; classtype:attempted-recon; sid: 1000048; rev:1;)
alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 102, 2; content:"|0c|"; offset: 18; depth:1; msg:"PCOM/Binary Request - Get PLC Name (0c)"; classtype:attempted-recon; sid: 1000049; rev:1;)
alert tcp any 20256 -> any any (flow:established; byte_test:1, =, 102, 2; content:"|8c|"; offset: 18; depth:1; msg:"PCOM/Binary Reply - Get PLC Name (8c)"; classtype:attempted-recon; sid: 1000050; rev:1;)

[0] https://github.com/lmrosa/pcom-misc/blob/master/snort/local.rules

On Mon, Jan 14, 2019 at 2:28 PM Marcos Rodriguez <mrodriguez () sourcefire com> wrote:
On Mon, Jan 14, 2019 at 7:40 AM Luís Rosa <lmrosa () dei uc pt> wrote:

Hi folks,

You can find below a list of Snort rules that I'm currently testing for the PCOM protocol. PCOM is a SCADA protocol to interact with Unitronics PLCs. You can find more information about the protocol here [0] and you can also find some pcaps for testing here [1].

alert tcp any any -> any 20256 (flow:established; content:"ID"; offset:9; depth:2; msg:"PCOM/ASCII Request - Identification (ID)"; classtype:attempted-recon; sid: 1000001; rev:1;)
alert tcp any 20256 -> any any (flow:established; content:"ID"; offset:10; depth:2; msg:"PCOM/ASCII Reply - Identification (ID)"; classtype:attempted-recon; sid: 1000002; rev:1;)
alert tcp any any -> any 20256 (flow:established; content:"CCE"; offset:9; depth:3; msg:"PCOM/ASCII Request - Reset Device (CCE)"; classtype:attempted-dos; sid: 1000003; rev:1;)
alert tcp any any -> any 20256 (flow:established; content:"CCS"; offset:9; depth:3; msg:"PCOM/ASCII Request - Stop Device (CCS)"; classtype:attempted-dos; sid: 1000004; rev:1;)
alert tcp any any -> any 20256 (flow:established; content:"CCR"; offset:9; depth:3; msg:"PCOM/ASCII Request - Start Device (CCR)"; classtype:attempted-dos; sid: 1000005; rev:1;)
alert tcp any any -> any 20256 (flow:established; content:"CCI"; offset:9; depth:3; msg:"PCOM/ASCII Request - Init Device (CCI)"; classtype:attempted-dos; sid: 1000006; rev:1;)
alert tcp any any -> any 20256 (flow:established; content:"UG"; offset:9; depth:2; msg:"PCOM/ASCII Request - Get UnitID (UG)"; classtype:attempted-recon; sid: 1000007; rev:1;)
alert tcp any 20256 -> any any (flow:established; content:"UG"; offset:10; depth:2; msg:"PCOM/ASCII Reply - Get UnitID (UG)"; classtype:attempted-recon; sid: 1000008; rev:1;)
alert tcp any any -> any 20256 (flow:established; content:"US"; offset:9; depth:2; msg:"PCOM/ASCII Request - Set UnitID (US)"; classtype:attempted-recon; sid: 1000009; rev:1;)
alert tcp any 20256 -> any any (flow:established; content:"US"; offset:10; depth:2; msg:"PCOM/ASCII Reply - Set UnitID (US)"; classtype:attempted-recon; sid: 1000010; rev:1;)
alert tcp any any -> any 20256 (flow:established; content:"RC"; offset:9; depth:2; msg:"PCOM/ASCII Request - Get RTC (RC)"; classtype:attempted-recon; sid: 1000011; rev:1;)
alert tcp any 20256 -> any any (flow:established; content:"RC"; offset:10; depth:2; msg:"PCOM/ASCII Reply - Get RTC (RC)"; classtype:attempted-recon; sid: 1000012; rev:1;)
alert tcp any any -> any 20256 (flow:established; content:"SC"; offset:9; depth:2; msg:"PCOM/ASCII Request - Set RTC (SC)"; classtype:attempted-recon; sid: 1000013; rev:1;)
alert tcp any 20256 -> any any (flow:established; content:"SC"; offset:10; depth:2; msg:"PCOM/ASCII Reply - Set RTC (SC)"; classtype:attempted-recon; sid: 1000014; rev:1;)
alert tcp any any -> any 20256 (flow:established; content:"RE"; offset:9; depth:2; msg:"PCOM/ASCII Request - Read Inputs (RE)"; classtype:attempted-recon; sid: 1000015; rev:1;)
alert tcp any 20256 -> any any (flow:established; content:"RE"; offset:10; depth:2; msg:"PCOM/ASCII Reply - Read Inputs (RE)"; classtype:attempted-recon; sid: 1000016; rev:1;)
alert tcp any any -> any 20256 (flow:established; content:"RA"; offset:9; depth:2; msg:"PCOM/ASCII Request - Read Outputs (RA)"; classtype:attempted-recon; sid: 1000017; rev:1;)
alert tcp any 20256 -> any any (flow:established; content:"RA"; offset:10; depth:2; msg:"PCOM/ASCII Reply - Read Outputs (RA)"; classtype:attempted-recon; sid: 1000018; rev:1;)
alert tcp any any -> any 20256 (flow:established; content:"GS"; offset:9; depth:2; msg:"PCOM/ASCII Request - Read System Bits (GS)"; classtype:attempted-recon; sid: 1000019; rev:1;)
alert tcp any 20256 -> any any (flow:established; content:"GS"; offset:10; depth:2; msg:"PCOM/ASCII Reply - Read System Bits (GS)"; classtype:attempted-recon; sid: 1000020; rev:1;)
alert tcp any any -> any 20256 (flow:established; content:"GF"; offset:9; depth:2; msg:"PCOM/ASCII Request - Read System Integers (GF)"; classtype:attempted-recon; sid: 1000021; rev:1;)
alert tcp any 20256 -> any any (flow:established; content:"GF"; offset:10; depth:2; msg:"PCOM/ASCII Reply - Read System Integers (GF)"; classtype:attempted-recon; sid: 1000022; rev:1;)
alert tcp any any -> any 20256 (flow:established; content:"RNH"; offset:9; depth:3; msg:"PCOM/ASCII Request - Read System Longs (RNH)"; classtype:attempted-recon; sid: 1000023; rev:1;)
alert tcp any 20256 -> any any (flow:established; content:"RN"; offset:10; depth:2; msg:"PCOM/ASCII Reply - Read Longs (RN)"; classtype:attempted-recon; sid: 1000024; rev:1;)
alert tcp any any -> any 20256 (flow:established; content:"MB"; offset:9; depth:2; msg:"PCOM/ASCII Request - Read Memory Bits (MB)"; classtype:attempted-recon; sid: 1000025; rev:1;)
alert tcp any 20256 -> any any (flow:established; content:"MB"; offset:10; depth:2; msg:"PCOM/ASCII Reply - Read Memory Bits (MB)"; classtype:attempted-recon; sid: 1000026; rev:1;)
alert tcp any any -> any 20256 (flow:established; content:"MI"; offset:9; depth:2; msg:"PCOM/ASCII Request - Read Memory Integers (MI)"; classtype:attempted-recon; sid: 1000027; rev:1;)
alert tcp any 20256 -> any any (flow:established; content:"MI"; offset:10; depth:2; msg:"PCOM/ASCII Reply - Read Memory Integers (MI)"; classtype:attempted-recon; sid: 1000028; rev:1;)
alert tcp any any -> any 20256 (flow:established; content:"RNL"; offset:9; depth:3; msg:"PCOM/ASCII Request - Read Memory Longs (RNL)"; classtype:attempted-recon; sid: 1000029; rev:1;)
alert tcp any any -> any 20256 (flow:established; content:"SA"; offset:9; depth:2; msg:"PCOM/ASCII Request - Write Outputs (SA)"; classtype:attempted-recon; sid: 1000030; rev:1;)
alert tcp any 20256 -> any any (flow:established; content:"SA"; offset:10; depth:2; msg:"PCOM/ASCII Reply - Write Outputs (SA)"; classtype:attempted-recon; sid: 1000031; rev:1;)
alert tcp any any -> any 20256 (flow:established; content:"SS"; offset:9; depth:2; msg:"PCOM/ASCII Request - Write System Bits (SS)"; classtype:attempted-recon; sid: 1000032; rev:1;)
alert tcp any 20256 -> any any (flow:established; content:"SS"; offset:10; depth:2; msg:"PCOM/ASCII Reply - Write System Bits (SS)"; classtype:attempted-recon; sid: 1000033; rev:1;)
alert tcp any any -> any 20256 (flow:established; content:"SF"; offset:9; depth:2; msg:"PCOM/ASCII Request - Write System Integers (SF)"; classtype:attempted-recon; sid: 1000034; rev:1;)
alert tcp any 20256 -> any any (flow:established; content:"SF"; offset:10; depth:2; msg:"PCOM/ASCII Reply - Write System Integers (SF)"; classtype:attempted-recon; sid: 1000035; rev:1;)
alert tcp any any -> any 20256 (flow:established; content:"SNH"; offset:9; depth:3; msg:"PCOM/ASCII Request - Write System Longs (SNH)"; classtype:attempted-recon; sid: 1000036; rev:1;)
alert tcp any 20256 -> any any (flow:established; content:"SN"; offset:10; depth:2; msg:"PCOM/ASCII Reply - Write Longs (SN)"; classtype:attempted-recon; sid: 1000037; rev:1;)
alert tcp any any -> any 20256 (flow:established; content:"SB"; offset:9; depth:2; msg:"PCOM/ASCII Request - Write Memory Bits (SB)"; classtype:attempted-recon; sid: 1000038; rev:1;)
alert tcp any 20256 -> any any (flow:established; content:"SB"; offset:10; depth:2; msg:"PCOM/ASCII Reply - Write Memory Bits (SB)"; classtype:attempted-recon; sid: 1000039; rev:1;)
alert tcp any any -> any 20256 (flow:established; content:"SW"; offset:9; depth:2; msg:"PCOM/ASCII Request - Write Memory Integers (SW)"; classtype:attempted-recon; sid: 1000040; rev:1;)
alert tcp any 20256 -> any any (flow:established; content:"SW"; offset:10; depth:2; msg:"PCOM/ASCII Reply - Write Memory Integers (SW)"; classtype:attempted-recon; sid: 1000041; rev:1;)

--
[0] https://unitronicsplc.com/Download/SoftwareUtilities/Unitronics%20PCOM%20Protocol.pdf
[1] https://github.com/lmrosa/pcom-misc/tree/master/pcaps

Hi Luis,

Thank you so much for your submission. We'll place these rules through our testing procedures and ensure you receive credit should they get added to the community ruleset.

Thanks again!

--
Marcos Rodriguez
Cisco Talos
-- Cumprimentos, Luís Rosa
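The rules above depend on three fixed positions in the TCP payload: the protocol-mode byte at offset 2 (101 for PCOM/ASCII, 102 for PCOM/Binary, which is what the added byte_test checks), the ASCII command code at offset 9 in requests and 10 in replies, and the binary command code at offset 18. The script below is an added example, not part of the thread or of Snort, that re-implements just the rule options these rules use (byte_test with one byte and `=`, content with offset/depth, msg, sid) and runs a subset of the posted rules over constructed payloads, so the offsets and the byte_test discrimination can be checked offline without a Snort install or a pcap. The payload builders (`tcp_header`, `ascii_message`, `binary_message`) encode the framing the rules imply and are assumptions for illustration, not captured traffic; the reserved bytes in the binary body are simply zeroed.

```python
"""Offline checker for a subset of the PCOM Snort rules posted in this thread.

Added example (not from the original post or from Snort). Re-implements only the
rule options these rules use and evaluates them over constructed PCOM payloads.
"""
import re
import struct

# Constructed subset of the posted rules, one rule per line.
RULES_TEXT = r'''
alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 101, 2; content:"ID"; offset: 9; depth:2; msg:"PCOM/ASCII Request - Identification (ID)"; classtype:attempted-recon; sid: 1000001; rev:1;)
alert tcp any 20256 -> any any (flow:established; byte_test:1, =, 101, 2; content:"ID"; offset: 10; depth:2; msg:"PCOM/ASCII Reply - Identification (ID)"; classtype:attempted-recon; sid: 1000002; rev:1;)
alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 101, 2; content:"CCS"; offset: 9; depth:3; msg:"PCOM/ASCII Request - Stop Device (CCS)"; classtype:attempted-dos; sid: 1000004; rev:1;)
alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 102, 2; content:"|4d|"; offset: 18; depth:1; msg:"PCOM/Binary Request - Read Operands (4d)"; classtype:attempted-recon; sid: 1000043; rev:1;)
alert tcp any 20256 -> any any (flow:established; byte_test:1, =, 102, 2; content:"|cd|"; offset: 18; depth:1; msg:"PCOM/Binary Reply - Read Operands (cd)"; classtype:attempted-recon; sid: 1000044; rev:1;)
'''

RULE_RE = re.compile(r'alert tcp (\S+) (\S+) -> (\S+) (\S+) \((.*)\)$')
ASCII_MODE, BINARY_MODE = 0x65, 0x66   # 101 / 102, the values the byte_tests compare against


def field(opts, name):
    """Value of a 'name: value;' rule option with surrounding quotes stripped; None if absent."""
    m = re.search(r'\b' + name + r'\s*:\s*([^;]*);', opts)
    return m.group(1).strip().strip('"') if m else None


def decode_content(text):
    """Expand Snort content syntax: text outside |...| is literal, inside it is hex."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("ascii")
    return bytes(out)


def parse_rule(line):
    """Parse the header direction and the handful of options these rules rely on."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("unparsed rule: %r" % line)
    src, sport, dst, dport, opts = m.groups()
    bt = field(opts, "byte_test")
    if bt:  # byte_test:<bytes>, <operator>, <value>, <offset>
        nbytes, op, value, off = [p.strip() for p in bt.split(",")]
        bt = (int(nbytes), op, int(value), int(off))
    return {
        "sid": int(field(opts, "sid")),
        "msg": field(opts, "msg"),
        "to_plc": dport == "20256",   # request rules are the ones aimed at the PLC port
        "byte_test": bt,
        "content": decode_content(field(opts, "content")),
        "offset": int(field(opts, "offset")),
        "depth": int(field(opts, "depth")),
    }


def rule_matches(rule, payload, to_plc):
    """Apply direction, byte_test and content/offset/depth to one TCP payload."""
    if rule["to_plc"] != to_plc:
        return False
    if rule["byte_test"]:
        nbytes, op, value, off = rule["byte_test"]
        if len(payload) < off + nbytes:
            return False
        got = int.from_bytes(payload[off:off + nbytes], "big")
        if (got == value) != (op == "="):
            return False
    start, depth = rule["offset"], rule["depth"]
    # depth bounds the search window that starts at offset
    return rule["content"] in payload[start:start + depth]


def tcp_header(mode, body):
    """6-byte PCOM-over-TCP header as assumed here: transaction id, protocol-mode
    byte (payload offset 2, the byte the rules' byte_test inspects), reserved, body length (LE)."""
    return struct.pack("<HBBH", 1, mode, 0, len(body))


def ascii_message(command, unit_id="01", data="", reply=False):
    """PCOM/ASCII body as assumed here: '/' ('/A' for replies), 2-char unit id, command,
    data, 2-hex-digit checksum, CR. Puts request commands at payload offset 9 and reply
    commands at offset 10, the positions the rules use."""
    core = unit_id + command + data
    checksum = "%02X" % (sum(core.encode("ascii")) % 256)
    body = (("/A" if reply else "/") + core + checksum + "\r").encode("ascii")
    return tcp_header(ASCII_MODE, body) + body


def binary_message(command, unit_id=1):
    """PCOM/Binary body as constructed here: '/_OPLC' marker, unit id, five reserved
    bytes (zeroed), command code at body offset 12 (payload offset 18). Trailing fields omitted."""
    body = b"/_OPLC" + bytes([unit_id]) + b"\x00" * 5 + bytes([command])
    return tcp_header(BINARY_MODE, body) + body


RULES = [parse_rule(line) for line in RULES_TEXT.strip().splitlines()]


def matching_sids(payload, to_plc, rules=RULES):
    """Sorted sids of all rules that fire on the payload in the given direction."""
    return sorted(r["sid"] for r in rules if rule_matches(r, payload, to_plc))


def demo():
    """Constructed samples and the sids that fire on each."""
    wrong_mode = bytearray(ascii_message("ID"))
    wrong_mode[2] = BINARY_MODE  # same ASCII bytes, but the mode byte now says binary
    samples = {
        "ascii ID request": (ascii_message("ID"), True),
        "ascii ID reply": (ascii_message("ID", data="UNITRONICS", reply=True), False),
        "ascii CCS request": (ascii_message("CCS"), True),
        "binary 4d request": (binary_message(0x4D), True),
        "binary cd reply": (binary_message(0xCD), False),
        "ASCII body, binary mode byte": (bytes(wrong_mode), True),
    }
    return {name: matching_sids(p, d) for name, (p, d) in samples.items()}


if __name__ == "__main__":
    for name, sids in demo().items():
        print("%-30s -> %s" % (name, sids or "no alert"))
```

The last sample is the case the byte_test was added for: the payload carries "ID" at offset 9, but because byte 2 is 102 rather than 101 none of the ASCII rules fire, and the binary rules do not fire either because the body is too short to reach offset 18. Running the checker against the full rule list from the thread only requires pasting the remaining rules into `RULES_TEXT`.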
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs
Please visit http://blog.snort.org for the latest news about Snort!
Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
Visit Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
Current thread:
- New Snort Rules for PCOM protocol Luís Rosa (Jan 14)
- Re: New Snort Rules for PCOM protocol Marcos Rodriguez (Jan 14)
- Re: New Snort Rules for PCOM protocol Luís Rosa (Jan 15)
- Re: New Snort Rules for PCOM protocol Marcos Rodriguez (Jan 15)
- Re: New Snort Rules for PCOM protocol Ankit Bhadage via Snort-sigs (Jan 15)
- Re: New Snort Rules for PCOM protocol Luís Rosa (Jan 15)
- Re: New Snort Rules for PCOM protocol Marcos Rodriguez (Jan 14)
- Re: New Snort Rules for PCOM protocol ivan ninichuck via Snort-sigs (Jan 14)