
Re: New Snort Rules for PCOM protocol


From: Ankit Bhadage via Snort-sigs <snort-sigs () lists snort org>
Date: Tue, 15 Jan 2019 20:34:01 +0530

Unsubscribe me please

On Tue, Jan 15, 2019 at 7:48 PM Marcos Rodriguez <mrodriguez () sourcefire com>
wrote:

On Tue, Jan 15, 2019 at 8:48 AM Luís Rosa <lmrosa () dei uc pt> wrote:

Hi Marcos,

I added a few more rules for PCOM Binary mode and fixed a few typos in
the last ones (I accidentally mixed Operands with function codes in some of
them). I also added a byte_test keyword to all rules to verify whether the
message is PCOM/ASCII or PCOM/Binary; I'm not sure it is the most optimised
way to do it. Sorry for the noise. Please find below the newest rules. You
can also refer to [0] for the most recent changes.

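# PCOM (Unitronics PLC protocol) rules, service port 20256/tcp.
#
# Revision notes (rev bumped to 2 on every rule, all of them changed):
# - one rule per line; the posted list had the rules run together;
# - flow now carries a direction: to_server for requests (-> 20256),
#   to_client for replies (20256 ->), so the rule is only evaluated on
#   the reassembled stream side it describes;
# - msg typos fixed: sid 1000004 said "(CCE)" for content "CCS", and
#   "Ouputs" -> "Outputs" in sids 1000017, 1000018, 1000030, 1000031;
# - option spacing normalised (msg first, no blank after ':').
#
# Detection notes:
# - byte_test:1,=,101,2 / byte_test:1,=,102,2 reads the protocol-mode
#   byte at payload offset 2: 101 (0x65, 'e') gates the PCOM/ASCII rules,
#   102 (0x66, 'f') gates the PCOM/Binary rules.
# - The content match is the command code at a fixed payload position:
#   offset 9 for an ASCII request, 10 for an ASCII reply, 18 for the
#   single command byte of a Binary message.
# - depth limits the search window, not the code length: a 2-character
#   content also matches a longer code that begins with those characters.
#   In particular content:"RN" (sid 1000024) and content:"SN" (sid 1000037)
#   will match any reply whose code starts with RN / SN, presumably to
#   cover the RNH/RNL and SNH/SNL replies; confirm against the protocol
#   specification before relying on the per-code msg text.

# --- PCOM/ASCII: identification and device control -----------------------
alert tcp any any -> any 20256 (msg:"PCOM/ASCII Request - Identification (ID)"; flow:established,to_server; byte_test:1,=,101,2; content:"ID"; offset:9; depth:2; classtype:attempted-recon; sid:1000001; rev:2;)
alert tcp any 20256 -> any any (msg:"PCOM/ASCII Reply - Identification (ID)"; flow:established,to_client; byte_test:1,=,101,2; content:"ID"; offset:10; depth:2; classtype:attempted-recon; sid:1000002; rev:2;)
alert tcp any any -> any 20256 (msg:"PCOM/ASCII Request - Reset Device (CCE)"; flow:established,to_server; byte_test:1,=,101,2; content:"CCE"; offset:9; depth:3; classtype:attempted-dos; sid:1000003; rev:2;)
# msg corrected: the matched code is CCS (Stop), the old text said CCE.
alert tcp any any -> any 20256 (msg:"PCOM/ASCII Request - Stop Device (CCS)"; flow:established,to_server; byte_test:1,=,101,2; content:"CCS"; offset:9; depth:3; classtype:attempted-dos; sid:1000004; rev:2;)
alert tcp any any -> any 20256 (msg:"PCOM/ASCII Request - Start Device (CCR)"; flow:established,to_server; byte_test:1,=,101,2; content:"CCR"; offset:9; depth:3; classtype:attempted-dos; sid:1000005; rev:2;)
alert tcp any any -> any 20256 (msg:"PCOM/ASCII Request - Init Device (CCI)"; flow:established,to_server; byte_test:1,=,101,2; content:"CCI"; offset:9; depth:3; classtype:attempted-dos; sid:1000006; rev:2;)

# --- PCOM/ASCII: unit id and real-time clock ------------------------------
alert tcp any any -> any 20256 (msg:"PCOM/ASCII Request - Get UnitID (UG)"; flow:established,to_server; byte_test:1,=,101,2; content:"UG"; offset:9; depth:2; classtype:attempted-recon; sid:1000007; rev:2;)
alert tcp any 20256 -> any any (msg:"PCOM/ASCII Reply - Get UnitID (UG)"; flow:established,to_client; byte_test:1,=,101,2; content:"UG"; offset:10; depth:2; classtype:attempted-recon; sid:1000008; rev:2;)
alert tcp any any -> any 20256 (msg:"PCOM/ASCII Request - Set UnitID (US)"; flow:established,to_server; byte_test:1,=,101,2; content:"US"; offset:9; depth:2; classtype:attempted-recon; sid:1000009; rev:2;)
alert tcp any 20256 -> any any (msg:"PCOM/ASCII Reply - Set UnitID (US)"; flow:established,to_client; byte_test:1,=,101,2; content:"US"; offset:10; depth:2; classtype:attempted-recon; sid:1000010; rev:2;)
alert tcp any any -> any 20256 (msg:"PCOM/ASCII Request - Get RTC (RC)"; flow:established,to_server; byte_test:1,=,101,2; content:"RC"; offset:9; depth:2; classtype:attempted-recon; sid:1000011; rev:2;)
alert tcp any 20256 -> any any (msg:"PCOM/ASCII Reply - Get RTC (RC)"; flow:established,to_client; byte_test:1,=,101,2; content:"RC"; offset:10; depth:2; classtype:attempted-recon; sid:1000012; rev:2;)
alert tcp any any -> any 20256 (msg:"PCOM/ASCII Request - Set RTC (SC)"; flow:established,to_server; byte_test:1,=,101,2; content:"SC"; offset:9; depth:2; classtype:attempted-recon; sid:1000013; rev:2;)
alert tcp any 20256 -> any any (msg:"PCOM/ASCII Reply - Set RTC (SC)"; flow:established,to_client; byte_test:1,=,101,2; content:"SC"; offset:10; depth:2; classtype:attempted-recon; sid:1000014; rev:2;)

# --- PCOM/ASCII: read operands ---------------------------------------------
alert tcp any any -> any 20256 (msg:"PCOM/ASCII Request - Read Inputs (RE)"; flow:established,to_server; byte_test:1,=,101,2; content:"RE"; offset:9; depth:2; classtype:attempted-recon; sid:1000015; rev:2;)
alert tcp any 20256 -> any any (msg:"PCOM/ASCII Reply - Read Inputs (RE)"; flow:established,to_client; byte_test:1,=,101,2; content:"RE"; offset:10; depth:2; classtype:attempted-recon; sid:1000016; rev:2;)
alert tcp any any -> any 20256 (msg:"PCOM/ASCII Request - Read Outputs (RA)"; flow:established,to_server; byte_test:1,=,101,2; content:"RA"; offset:9; depth:2; classtype:attempted-recon; sid:1000017; rev:2;)
alert tcp any 20256 -> any any (msg:"PCOM/ASCII Reply - Read Outputs (RA)"; flow:established,to_client; byte_test:1,=,101,2; content:"RA"; offset:10; depth:2; classtype:attempted-recon; sid:1000018; rev:2;)
alert tcp any any -> any 20256 (msg:"PCOM/ASCII Request - Read System Bits (GS)"; flow:established,to_server; byte_test:1,=,101,2; content:"GS"; offset:9; depth:2; classtype:attempted-recon; sid:1000019; rev:2;)
alert tcp any 20256 -> any any (msg:"PCOM/ASCII Reply - Read System Bits (GS)"; flow:established,to_client; byte_test:1,=,101,2; content:"GS"; offset:10; depth:2; classtype:attempted-recon; sid:1000020; rev:2;)
alert tcp any any -> any 20256 (msg:"PCOM/ASCII Request - Read System Integers (GF)"; flow:established,to_server; byte_test:1,=,101,2; content:"GF"; offset:9; depth:2; classtype:attempted-recon; sid:1000021; rev:2;)
alert tcp any 20256 -> any any (msg:"PCOM/ASCII Reply - Read System Integers (GF)"; flow:established,to_client; byte_test:1,=,101,2; content:"GF"; offset:10; depth:2; classtype:attempted-recon; sid:1000022; rev:2;)
alert tcp any any -> any 20256 (msg:"PCOM/ASCII Request - Read System Longs (RNH)"; flow:established,to_server; byte_test:1,=,101,2; content:"RNH"; offset:9; depth:3; classtype:attempted-recon; sid:1000023; rev:2;)
# 2-char content: matches any reply code beginning with "RN" (see header note).
alert tcp any 20256 -> any any (msg:"PCOM/ASCII Reply - Read Longs (RN)"; flow:established,to_client; byte_test:1,=,101,2; content:"RN"; offset:10; depth:2; classtype:attempted-recon; sid:1000024; rev:2;)
alert tcp any any -> any 20256 (msg:"PCOM/ASCII Request - Read Memory Bits (RB)"; flow:established,to_server; byte_test:1,=,101,2; content:"RB"; offset:9; depth:2; classtype:attempted-recon; sid:1000025; rev:2;)
alert tcp any 20256 -> any any (msg:"PCOM/ASCII Reply - Read Memory Bits (RB)"; flow:established,to_client; byte_test:1,=,101,2; content:"RB"; offset:10; depth:2; classtype:attempted-recon; sid:1000026; rev:2;)
alert tcp any any -> any 20256 (msg:"PCOM/ASCII Request - Read Memory Integers (RW)"; flow:established,to_server; byte_test:1,=,101,2; content:"RW"; offset:9; depth:2; classtype:attempted-recon; sid:1000027; rev:2;)
alert tcp any 20256 -> any any (msg:"PCOM/ASCII Reply - Read Memory Integers (RW)"; flow:established,to_client; byte_test:1,=,101,2; content:"RW"; offset:10; depth:2; classtype:attempted-recon; sid:1000028; rev:2;)
alert tcp any any -> any 20256 (msg:"PCOM/ASCII Request - Read Memory Longs (RNL)"; flow:established,to_server; byte_test:1,=,101,2; content:"RNL"; offset:9; depth:3; classtype:attempted-recon; sid:1000029; rev:2;)

# --- PCOM/ASCII: write operands --------------------------------------------
alert tcp any any -> any 20256 (msg:"PCOM/ASCII Request - Write Outputs (SA)"; flow:established,to_server; byte_test:1,=,101,2; content:"SA"; offset:9; depth:2; classtype:attempted-recon; sid:1000030; rev:2;)
alert tcp any 20256 -> any any (msg:"PCOM/ASCII Reply - Write Outputs (SA)"; flow:established,to_client; byte_test:1,=,101,2; content:"SA"; offset:10; depth:2; classtype:attempted-recon; sid:1000031; rev:2;)
alert tcp any any -> any 20256 (msg:"PCOM/ASCII Request - Write System Bits (SS)"; flow:established,to_server; byte_test:1,=,101,2; content:"SS"; offset:9; depth:2; classtype:attempted-recon; sid:1000032; rev:2;)
alert tcp any 20256 -> any any (msg:"PCOM/ASCII Reply - Write System Bits (SS)"; flow:established,to_client; byte_test:1,=,101,2; content:"SS"; offset:10; depth:2; classtype:attempted-recon; sid:1000033; rev:2;)
alert tcp any any -> any 20256 (msg:"PCOM/ASCII Request - Write System Integers (SF)"; flow:established,to_server; byte_test:1,=,101,2; content:"SF"; offset:9; depth:2; classtype:attempted-recon; sid:1000034; rev:2;)
alert tcp any 20256 -> any any (msg:"PCOM/ASCII Reply - Write System Integers (SF)"; flow:established,to_client; byte_test:1,=,101,2; content:"SF"; offset:10; depth:2; classtype:attempted-recon; sid:1000035; rev:2;)
alert tcp any any -> any 20256 (msg:"PCOM/ASCII Request - Write System Longs (SNH)"; flow:established,to_server; byte_test:1,=,101,2; content:"SNH"; offset:9; depth:3; classtype:attempted-recon; sid:1000036; rev:2;)
# 2-char content: matches any reply code beginning with "SN" (see header note).
alert tcp any 20256 -> any any (msg:"PCOM/ASCII Reply - Write Longs (SN)"; flow:established,to_client; byte_test:1,=,101,2; content:"SN"; offset:10; depth:2; classtype:attempted-recon; sid:1000037; rev:2;)
alert tcp any any -> any 20256 (msg:"PCOM/ASCII Request - Write Memory Bits (SB)"; flow:established,to_server; byte_test:1,=,101,2; content:"SB"; offset:9; depth:2; classtype:attempted-recon; sid:1000038; rev:2;)
alert tcp any 20256 -> any any (msg:"PCOM/ASCII Reply - Write Memory Bits (SB)"; flow:established,to_client; byte_test:1,=,101,2; content:"SB"; offset:10; depth:2; classtype:attempted-recon; sid:1000039; rev:2;)
alert tcp any any -> any 20256 (msg:"PCOM/ASCII Request - Write Memory Integers (SW)"; flow:established,to_server; byte_test:1,=,101,2; content:"SW"; offset:9; depth:2; classtype:attempted-recon; sid:1000040; rev:2;)
alert tcp any 20256 -> any any (msg:"PCOM/ASCII Reply - Write Memory Integers (SW)"; flow:established,to_client; byte_test:1,=,101,2; content:"SW"; offset:10; depth:2; classtype:attempted-recon; sid:1000041; rev:2;)
alert tcp any any -> any 20256 (msg:"PCOM/ASCII Request - Write Memory Longs (SNL)"; flow:established,to_server; byte_test:1,=,101,2; content:"SNL"; offset:9; depth:3; classtype:attempted-recon; sid:1000042; rev:2;)

# --- PCOM/Binary: mode byte 102, one-byte command code at offset 18 --------
alert tcp any any -> any 20256 (msg:"PCOM/Binary Request - Read Operands (4d)"; flow:established,to_server; byte_test:1,=,102,2; content:"|4d|"; offset:18; depth:1; classtype:attempted-recon; sid:1000043; rev:2;)
alert tcp any 20256 -> any any (msg:"PCOM/Binary Reply - Read Operands (cd)"; flow:established,to_client; byte_test:1,=,102,2; content:"|cd|"; offset:18; depth:1; classtype:attempted-recon; sid:1000044; rev:2;)
alert tcp any any -> any 20256 (msg:"PCOM/Binary Request - Read Data Table (04)"; flow:established,to_server; byte_test:1,=,102,2; content:"|04|"; offset:18; depth:1; classtype:attempted-recon; sid:1000045; rev:2;)
alert tcp any 20256 -> any any (msg:"PCOM/Binary Reply - Read Data Table (84)"; flow:established,to_client; byte_test:1,=,102,2; content:"|84|"; offset:18; depth:1; classtype:attempted-recon; sid:1000046; rev:2;)
alert tcp any any -> any 20256 (msg:"PCOM/Binary Request - Write Data Table (44)"; flow:established,to_server; byte_test:1,=,102,2; content:"|44|"; offset:18; depth:1; classtype:attempted-recon; sid:1000047; rev:2;)
alert tcp any 20256 -> any any (msg:"PCOM/Binary Reply - Write Data Table (c4)"; flow:established,to_client; byte_test:1,=,102,2; content:"|c4|"; offset:18; depth:1; classtype:attempted-recon; sid:1000048; rev:2;)
alert tcp any any -> any 20256 (msg:"PCOM/Binary Request - Get PLC Name (0c)"; flow:established,to_server; byte_test:1,=,102,2; content:"|0c|"; offset:18; depth:1; classtype:attempted-recon; sid:1000049; rev:2;)
alert tcp any 20256 -> any any (msg:"PCOM/Binary Reply - Get PLC Name (8c)"; flow:established,to_client; byte_test:1,=,102,2; content:"|8c|"; offset:18; depth:1; classtype:attempted-recon; sid:1000050; rev:2;)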

 [0] https://github.com/lmrosa/pcom-misc/blob/master/snort/local.rules

Hi Luis,

Thanks for the update, I'll get this sorted and updated.

--
Marcos Rodriguez
Cisco Talos
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules:
https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset, and make sure
to stay up to date to catch the most emerging threats:
https://snort.org/downloads/#rule-downloads

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the most emerging threats:
https://snort.org/downloads/#rule-downloads
