
Re: New Snort Rules for PCOM protocol


From: Luís Rosa <lmrosa () dei uc pt>
Date: Tue, 15 Jan 2019 13:47:44 +0000

Hi Marcos,

I added a few more rules for PCOM Binary mode and fixed a few typos in the
last ones (I accidentally mixed Operands with function codes in some of
them). I also added a byte_test keyword to all rules to verify whether the
message is PCOM/ASCII or PCOM/Binary; I'm not sure it is the most optimised
way to do it. Sorry for the noise. Please find below the newest rules. You
can also refer to [0] for the most recent changes.

alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 101, 2; content:"ID"; offset: 9; depth:2; msg:"PCOM/ASCII Request - Identification (ID)"; classtype:attempted-recon; sid: 1000001; rev:1;)
alert tcp any 20256 -> any any (flow:established; byte_test:1, =, 101, 2; content:"ID"; offset: 10; depth:2; msg:"PCOM/ASCII Reply - Identification (ID)"; classtype:attempted-recon; sid: 1000002; rev:1;)
alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 101, 2; content:"CCE"; offset: 9; depth:3; msg:"PCOM/ASCII Request - Reset Device (CCE)"; classtype:attempted-dos; sid: 1000003; rev:1;)
alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 101, 2; content:"CCS"; offset: 9; depth:3; msg:"PCOM/ASCII Request - Stop Device (CCS)"; classtype:attempted-dos; sid: 1000004; rev:1;)
alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 101, 2; content:"CCR"; offset: 9; depth:3; msg:"PCOM/ASCII Request - Start Device (CCR)"; classtype:attempted-dos; sid: 1000005; rev:1;)
alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 101, 2; content:"CCI"; offset: 9; depth:3; msg:"PCOM/ASCII Request - Init Device (CCI)"; classtype:attempted-dos; sid: 1000006; rev:1;)
alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 101, 2; content:"UG"; offset: 9; depth:2; msg:"PCOM/ASCII Request - Get UnitID (UG)"; classtype:attempted-recon; sid: 1000007; rev:1;)
alert tcp any 20256 -> any any (flow:established; byte_test:1, =, 101, 2; content:"UG"; offset: 10; depth:2; msg:"PCOM/ASCII Reply - Get UnitID (UG)"; classtype:attempted-recon; sid: 1000008; rev:1;)
alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 101, 2; content:"US"; offset: 9; depth:2; msg:"PCOM/ASCII Request - Set UnitID (US)"; classtype:attempted-recon; sid: 1000009; rev:1;)
alert tcp any 20256 -> any any (flow:established; byte_test:1, =, 101, 2; content:"US"; offset: 10; depth:2; msg:"PCOM/ASCII Reply - Set UnitID (US)"; classtype:attempted-recon; sid: 1000010; rev:1;)
alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 101, 2; content:"RC"; offset: 9; depth:2; msg:"PCOM/ASCII Request - Get RTC (RC)"; classtype:attempted-recon; sid: 1000011; rev:1;)
alert tcp any 20256 -> any any (flow:established; byte_test:1, =, 101, 2; content:"RC"; offset: 10; depth:2; msg:"PCOM/ASCII Reply - Get RTC (RC)"; classtype:attempted-recon; sid: 1000012; rev:1;)
alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 101, 2; content:"SC"; offset: 9; depth:2; msg:"PCOM/ASCII Request - Set RTC (SC)"; classtype:attempted-recon; sid: 1000013; rev:1;)
alert tcp any 20256 -> any any (flow:established; byte_test:1, =, 101, 2; content:"SC"; offset: 10; depth:2; msg:"PCOM/ASCII Reply - Set RTC (SC)"; classtype:attempted-recon; sid: 1000014; rev:1;)
alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 101, 2; content:"RE"; offset: 9; depth:2; msg:"PCOM/ASCII Request - Read Inputs (RE)"; classtype:attempted-recon; sid: 1000015; rev:1;)
alert tcp any 20256 -> any any (flow:established; byte_test:1, =, 101, 2; content:"RE"; offset: 10; depth:2; msg:"PCOM/ASCII Reply - Read Inputs (RE)"; classtype:attempted-recon; sid: 1000016; rev:1;)
alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 101, 2; content:"RA"; offset: 9; depth:2; msg:"PCOM/ASCII Request - Read Outputs (RA)"; classtype:attempted-recon; sid: 1000017; rev:1;)
alert tcp any 20256 -> any any (flow:established; byte_test:1, =, 101, 2; content:"RA"; offset: 10; depth:2; msg:"PCOM/ASCII Reply - Read Outputs (RA)"; classtype:attempted-recon; sid: 1000018; rev:1;)
alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 101, 2; content:"GS"; offset: 9; depth:2; msg:"PCOM/ASCII Request - Read System Bits (GS)"; classtype:attempted-recon; sid: 1000019; rev:1;)
alert tcp any 20256 -> any any (flow:established; byte_test:1, =, 101, 2; content:"GS"; offset: 10; depth:2; msg:"PCOM/ASCII Reply - Read System Bits (GS)"; classtype:attempted-recon; sid: 1000020; rev:1;)
alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 101, 2; content:"GF"; offset: 9; depth:2; msg:"PCOM/ASCII Request - Read System Integers (GF)"; classtype:attempted-recon; sid: 1000021; rev:1;)
alert tcp any 20256 -> any any (flow:established; byte_test:1, =, 101, 2; content:"GF"; offset: 10; depth:2; msg:"PCOM/ASCII Reply - Read System Integers (GF)"; classtype:attempted-recon; sid: 1000022; rev:1;)
alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 101, 2; content:"RNH"; offset: 9; depth:3; msg:"PCOM/ASCII Request - Read System Longs (RNH)"; classtype:attempted-recon; sid: 1000023; rev:1;)
alert tcp any 20256 -> any any (flow:established; byte_test:1, =, 101, 2; content:"RN"; offset: 10; depth:2; msg:"PCOM/ASCII Reply - Read Longs (RN)"; classtype:attempted-recon; sid: 1000024; rev:1;)
alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 101, 2; content:"RB"; offset: 9; depth:2; msg:"PCOM/ASCII Request - Read Memory Bits (RB)"; classtype:attempted-recon; sid: 1000025; rev:1;)
alert tcp any 20256 -> any any (flow:established; byte_test:1, =, 101, 2; content:"RB"; offset: 10; depth:2; msg:"PCOM/ASCII Reply - Read Memory Bits (RB)"; classtype:attempted-recon; sid: 1000026; rev:1;)
alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 101, 2; content:"RW"; offset: 9; depth:2; msg:"PCOM/ASCII Request - Read Memory Integers (RW)"; classtype:attempted-recon; sid: 1000027; rev:1;)
alert tcp any 20256 -> any any (flow:established; byte_test:1, =, 101, 2; content:"RW"; offset: 10; depth:2; msg:"PCOM/ASCII Reply - Read Memory Integers (RW)"; classtype:attempted-recon; sid: 1000028; rev:1;)
alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 101, 2; content:"RNL"; offset: 9; depth:3; msg:"PCOM/ASCII Request - Read Memory Longs (RNL)"; classtype:attempted-recon; sid: 1000029; rev:1;)
alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 101, 2; content:"SA"; offset: 9; depth:2; msg:"PCOM/ASCII Request - Write Outputs (SA)"; classtype:attempted-recon; sid: 1000030; rev:1;)
alert tcp any 20256 -> any any (flow:established; byte_test:1, =, 101, 2; content:"SA"; offset: 10; depth:2; msg:"PCOM/ASCII Reply - Write Outputs (SA)"; classtype:attempted-recon; sid: 1000031; rev:1;)
alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 101, 2; content:"SS"; offset: 9; depth:2; msg:"PCOM/ASCII Request - Write System Bits (SS)"; classtype:attempted-recon; sid: 1000032; rev:1;)
alert tcp any 20256 -> any any (flow:established; byte_test:1, =, 101, 2; content:"SS"; offset: 10; depth:2; msg:"PCOM/ASCII Reply - Write System Bits (SS)"; classtype:attempted-recon; sid: 1000033; rev:1;)
alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 101, 2; content:"SF"; offset: 9; depth:2; msg:"PCOM/ASCII Request - Write System Integers (SF)"; classtype:attempted-recon; sid: 1000034; rev:1;)
alert tcp any 20256 -> any any (flow:established; byte_test:1, =, 101, 2; content:"SF"; offset: 10; depth:2; msg:"PCOM/ASCII Reply - Write System Integers (SF)"; classtype:attempted-recon; sid: 1000035; rev:1;)
alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 101, 2; content:"SNH"; offset: 9; depth:3; msg:"PCOM/ASCII Request - Write System Longs (SNH)"; classtype:attempted-recon; sid: 1000036; rev:1;)
alert tcp any 20256 -> any any (flow:established; byte_test:1, =, 101, 2; content:"SN"; offset: 10; depth:2; msg:"PCOM/ASCII Reply - Write Longs (SN)"; classtype:attempted-recon; sid: 1000037; rev:1;)
alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 101, 2; content:"SB"; offset: 9; depth:2; msg:"PCOM/ASCII Request - Write Memory Bits (SB)"; classtype:attempted-recon; sid: 1000038; rev:1;)
alert tcp any 20256 -> any any (flow:established; byte_test:1, =, 101, 2; content:"SB"; offset: 10; depth:2; msg:"PCOM/ASCII Reply - Write Memory Bits (SB)"; classtype:attempted-recon; sid: 1000039; rev:1;)
alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 101, 2; content:"SW"; offset: 9; depth:2; msg:"PCOM/ASCII Request - Write Memory Integers (SW)"; classtype:attempted-recon; sid: 1000040; rev:1;)
alert tcp any 20256 -> any any (flow:established; byte_test:1, =, 101, 2; content:"SW"; offset: 10; depth:2; msg:"PCOM/ASCII Reply - Write Memory Integers (SW)"; classtype:attempted-recon; sid: 1000041; rev:1;)
alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 101, 2; content:"SNL"; offset: 9; depth:3; msg:"PCOM/ASCII Request - Write Memory Longs (SNL)"; classtype:attempted-recon; sid: 1000042; rev:1;)
alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 102, 2; content:"|4d|"; offset: 18; depth:1; msg:"PCOM/Binary Request - Read Operands (4d)"; classtype:attempted-recon; sid: 1000043; rev:1;)
alert tcp any 20256 -> any any (flow:established; byte_test:1, =, 102, 2; content:"|cd|"; offset: 18; depth:1; msg:"PCOM/Binary Reply - Read Operands (cd)"; classtype:attempted-recon; sid: 1000044; rev:1;)
alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 102, 2; content:"|04|"; offset: 18; depth:1; msg:"PCOM/Binary Request - Read Data Table (04)"; classtype:attempted-recon; sid: 1000045; rev:1;)
alert tcp any 20256 -> any any (flow:established; byte_test:1, =, 102, 2; content:"|84|"; offset: 18; depth:1; msg:"PCOM/Binary Reply - Read Data Table (84)"; classtype:attempted-recon; sid: 1000046; rev:1;)
alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 102, 2; content:"|44|"; offset: 18; depth:1; msg:"PCOM/Binary Request - Write Data Table (44)"; classtype:attempted-recon; sid: 1000047; rev:1;)
alert tcp any 20256 -> any any (flow:established; byte_test:1, =, 102, 2; content:"|c4|"; offset: 18; depth:1; msg:"PCOM/Binary Reply - Write Data Table (c4)"; classtype:attempted-recon; sid: 1000048; rev:1;)
alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 102, 2; content:"|0c|"; offset: 18; depth:1; msg:"PCOM/Binary Request - Get PLC Name (0c)"; classtype:attempted-recon; sid: 1000049; rev:1;)
alert tcp any 20256 -> any any (flow:established; byte_test:1, =, 102, 2; content:"|8c|"; offset: 18; depth:1; msg:"PCOM/Binary Reply - Get PLC Name (8c)"; classtype:attempted-recon; sid: 1000050; rev:1;)

 [0] https://github.com/lmrosa/pcom-misc/blob/master/snort/local.rules



On Mon, Jan 14, 2019 at 2:28 PM Marcos Rodriguez <mrodriguez () sourcefire com>
wrote:

On Mon, Jan 14, 2019 at 7:40 AM Luís Rosa <lmrosa () dei uc pt> wrote:

Hi folks,

You can find below a list of Snort rules that I'm currently testing for the
PCOM protocol. PCOM is a SCADA protocol used to interact with Unitronics PLCs.
You can find more information about the protocol here [0], and you can also
find some pcaps for testing here [1].

alert tcp any any -> any 20256 (flow:established; content:"ID"; offset:
9; depth:2; msg:"PCOM/ASCII Request - Identification (ID)";
classtype:attempted-recon; sid: 1000001; rev:1;)
alert tcp any 20256 -> any any (flow:established; content:"ID"; offset:
10; depth:2; msg:"PCOM/ASCII Reply - Identification (ID)";
classtype:attempted-recon; sid: 1000002; rev:1;)
alert tcp any any -> any 20256 (flow:established; content:"CCE"; offset:
9; depth:3; msg:"PCOM/ASCII Request - Reset Device (CCE)";
classtype:attempted-dos; sid: 1000003; rev:1;)
alert tcp any any -> any 20256 (flow:established; content:"CCS"; offset:
9; depth:3; msg:"PCOM/ASCII Request - Stop Device (CCE)";
classtype:attempted-dos; sid: 1000004; rev:1;)
alert tcp any any -> any 20256 (flow:established; content:"CCR"; offset:
9; depth:3; msg:"PCOM/ASCII Request - Start Device (CCR)";
classtype:attempted-dos; sid: 1000005; rev:1;)
alert tcp any any -> any 20256 (flow:established; content:"CCI"; offset:
9; depth:3; msg:"PCOM/ASCII Request - Init Device (CCI)";
classtype:attempted-dos; sid: 1000006; rev:1;)
alert tcp any any -> any 20256 (flow:established; content:"UG"; offset:
9; depth:2; msg:"PCOM/ASCII Request - Get UnitID (UG)";
classtype:attempted-recon; sid: 1000007; rev:1;)
alert tcp any 20256 -> any any (flow:established; content:"UG"; offset:
10; depth:2; msg:"PCOM/ASCII Reply - Get UnitID (UG)";
classtype:attempted-recon; sid: 1000008; rev:1;)
alert tcp any any -> any 20256 (flow:established; content:"US"; offset:
9; depth:2; msg:"PCOM/ASCII Request - Set UnitID (US)";
classtype:attempted-recon; sid: 1000009; rev:1;)
alert tcp any 20256 -> any any (flow:established; content:"US"; offset:
10; depth:2; msg:"PCOM/ASCII Reply - Set UnitID (US)";
classtype:attempted-recon; sid: 1000010; rev:1;)
alert tcp any any -> any 20256 (flow:established; content:"RC"; offset:
9; depth:2; msg:"PCOM/ASCII Request - Get RTC (RC)";
classtype:attempted-recon; sid: 1000011; rev:1;)
alert tcp any 20256 -> any any (flow:established; content:"RC"; offset:
10; depth:2; msg:"PCOM/ASCII Reply - Get RTC (RC)";
classtype:attempted-recon; sid: 1000012; rev:1;)
alert tcp any any -> any 20256 (flow:established; content:"SC"; offset:
9; depth:2; msg:"PCOM/ASCII Request - Set RTC (SC)";
classtype:attempted-recon; sid: 1000013; rev:1;)
alert tcp any 20256 -> any any (flow:established; content:"SC"; offset:
10; depth:2; msg:"PCOM/ASCII Reply - Set RTC (SC)";
classtype:attempted-recon; sid: 1000014; rev:1;)
alert tcp any any -> any 20256 (flow:established; content:"RE"; offset:
9; depth:2; msg:"PCOM/ASCII Request - Read Inputs (RE)";
classtype:attempted-recon; sid: 1000015; rev:1;)
alert tcp any 20256 -> any any (flow:established; content:"RE"; offset:
10; depth:2; msg:"PCOM/ASCII Reply - Read Inputs (RE)";
classtype:attempted-recon; sid: 1000016; rev:1;)
alert tcp any any -> any 20256 (flow:established; content:"RA"; offset:
9; depth:2; msg:"PCOM/ASCII Request - Read Ouputs (RA)";
classtype:attempted-recon; sid: 1000017; rev:1;)
alert tcp any 20256 -> any any (flow:established; content:"RA"; offset:
10; depth:2; msg:"PCOM/ASCII Reply - Read Ouputs (RA)";
classtype:attempted-recon; sid: 1000018; rev:1;)
alert tcp any any -> any 20256 (flow:established; content:"GS"; offset:
9; depth:2; msg:"PCOM/ASCII Request - Read System Bits (GS)";
classtype:attempted-recon; sid: 1000019; rev:1;)
alert tcp any 20256 -> any any (flow:established; content:"GS"; offset:
10; depth:2; msg:"PCOM/ASCII Reply - Read System Bits (GS)";
classtype:attempted-recon; sid: 1000020; rev:1;)
alert tcp any any -> any 20256 (flow:established; content:"GF"; offset:
9; depth:2; msg:"PCOM/ASCII Request - Read System Integers (GF)";
classtype:attempted-recon; sid: 1000021; rev:1;)
alert tcp any 20256 -> any any (flow:established; content:"GF"; offset:
10; depth:2; msg:"PCOM/ASCII Reply - Read System Integers (GF)";
classtype:attempted-recon; sid: 1000022; rev:1;)
alert tcp any any -> any 20256 (flow:established; content:"RNH"; offset:
9; depth:3; msg:"PCOM/ASCII Request - Read System Longs (RNH)";
classtype:attempted-recon; sid: 1000023; rev:1;)
alert tcp any 20256 -> any any (flow:established; content:"RN"; offset:
10; depth:2; msg:"PCOM/ASCII Reply - Read Longs (RN)";
classtype:attempted-recon; sid: 1000024; rev:1;)
alert tcp any any -> any 20256 (flow:established; content:"MB"; offset:
9; depth:2; msg:"PCOM/ASCII Request - Read Memory Bits (MB)";
classtype:attempted-recon; sid: 1000025; rev:1;)
alert tcp any 20256 -> any any (flow:established; content:"MB"; offset:
10; depth:2; msg:"PCOM/ASCII Reply - Read Memory Bits (MB)";
classtype:attempted-recon; sid: 1000026; rev:1;)
alert tcp any any -> any 20256 (flow:established; content:"MI"; offset:
9; depth:2; msg:"PCOM/ASCII Request - Read Memory Integers (MI)";
classtype:attempted-recon; sid: 1000027; rev:1;)
alert tcp any 20256 -> any any (flow:established; content:"MI"; offset:
10; depth:2; msg:"PCOM/ASCII Reply - Read Memory Integers (MI)";
classtype:attempted-recon; sid: 1000028; rev:1;)
alert tcp any any -> any 20256 (flow:established; content:"RNL"; offset:
9; depth:3; msg:"PCOM/ASCII Request - Read Memory Longs (RNL)";
classtype:attempted-recon; sid: 1000029; rev:1;)
alert tcp any any -> any 20256 (flow:established; content:"SA"; offset:
9; depth:2; msg:"PCOM/ASCII Request - Write Ouputs (SA)";
classtype:attempted-recon; sid: 1000030; rev:1;)
alert tcp any 20256 -> any any (flow:established; content:"SA"; offset:
10; depth:2; msg:"PCOM/ASCII Reply - Write Ouputs (SA)";
classtype:attempted-recon; sid: 1000031; rev:1;)
alert tcp any any -> any 20256 (flow:established; content:"SS"; offset:
9; depth:2; msg:"PCOM/ASCII Request - Write System Bits (SS)";
classtype:attempted-recon; sid: 1000032; rev:1;)
alert tcp any 20256 -> any any (flow:established; content:"SS"; offset:
10; depth:2; msg:"PCOM/ASCII Reply - Write System Bits (SS)";
classtype:attempted-recon; sid: 1000033; rev:1;)
alert tcp any any -> any 20256 (flow:established; content:"SF"; offset:
9; depth:2; msg:"PCOM/ASCII Request - Write System Integers (SF)";
classtype:attempted-recon; sid: 1000034; rev:1;)
alert tcp any 20256 -> any any (flow:established; content:"SF"; offset:
10; depth:2; msg:"PCOM/ASCII Reply - Write System Integers (SF)";
classtype:attempted-recon; sid: 1000035; rev:1;)
alert tcp any any -> any 20256 (flow:established; content:"SNH"; offset:
9; depth:3; msg:"PCOM/ASCII Request - Write System Longs (SNH)";
classtype:attempted-recon; sid: 1000036; rev:1;)
alert tcp any 20256 -> any any (flow:established; content:"SN"; offset:
10; depth:2; msg:"PCOM/ASCII Reply - Write Longs (SN)";
classtype:attempted-recon; sid: 1000037; rev:1;)
alert tcp any any -> any 20256 (flow:established; content:"SB"; offset:
9; depth:2; msg:"PCOM/ASCII Request - Write Memory Bits (SB)";
classtype:attempted-recon; sid: 1000038; rev:1;)
alert tcp any 20256 -> any any (flow:established; content:"SB"; offset:
10; depth:2; msg:"PCOM/ASCII Reply - Write Memory Bits (SB)";
classtype:attempted-recon; sid: 1000039; rev:1;)
alert tcp any any -> any 20256 (flow:established; content:"SW"; offset:
9; depth:2; msg:"PCOM/ASCII Request - Write Memory Integers (SW)";
classtype:attempted-recon; sid: 1000040; rev:1;)
alert tcp any 20256 -> any any (flow:established; content:"SW"; offset:
10; depth:2; msg:"PCOM/ASCII Reply - Write Memory Integers (SW)";
classtype:attempted-recon; sid: 1000041; rev:1;)
--
[0]
https://unitronicsplc.com/Download/SoftwareUtilities/Unitronics%20PCOM%20Protocol.pdf
[1] https://github.com/lmrosa/pcom-misc/tree/master/pcaps

Hi Luis,

Thank you so much for your submission.  We'll place these rules
through our testing procedures and ensure you receive credit should
they get added to the community ruleset.  Thanks again!

--
Marcos Rodriguez
Cisco Talos



-- 
Cumprimentos,
Luís Rosa