Snort mailing list archives

Re: New Snort Rules for PCOM protocol


From: Marcos Rodriguez <mrodriguez () sourcefire com>
Date: Tue, 15 Jan 2019 09:16:43 -0500

On Tue, Jan 15, 2019 at 8:48 AM Luís Rosa <lmrosa () dei uc pt> wrote:

Hi Marcos,

I added a few more rules for PCOM Binary mode and fixed a few typos in the last ones (I accidentally mixed Operands
with function codes in some of them). I also added to all rules a byte_test keyword to verify whether it is
PCOM/ASCII or PCOM/Binary; not sure it is the most optimised way to do it. Sorry for the noise. Please find below
the newest rules. You can also refer to [0] for the most recent changes.

alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 101, 2; content:"ID"; offset: 9; depth:2; msg:"PCOM/ASCII Request - Identification (ID)"; classtype:attempted-recon; sid: 1000001; rev:1;)
alert tcp any 20256 -> any any (flow:established; byte_test:1, =, 101, 2; content:"ID"; offset: 10; depth:2; msg:"PCOM/ASCII Reply - Identification (ID)"; classtype:attempted-recon; sid: 1000002; rev:1;)
alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 101, 2; content:"CCE"; offset: 9; depth:3; msg:"PCOM/ASCII Request - Reset Device (CCE)"; classtype:attempted-dos; sid: 1000003; rev:1;)
alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 101, 2; content:"CCS"; offset: 9; depth:3; msg:"PCOM/ASCII Request - Stop Device (CCS)"; classtype:attempted-dos; sid: 1000004; rev:1;)
alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 101, 2; content:"CCR"; offset: 9; depth:3; msg:"PCOM/ASCII Request - Start Device (CCR)"; classtype:attempted-dos; sid: 1000005; rev:1;)
alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 101, 2; content:"CCI"; offset: 9; depth:3; msg:"PCOM/ASCII Request - Init Device (CCI)"; classtype:attempted-dos; sid: 1000006; rev:1;)
alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 101, 2; content:"UG"; offset: 9; depth:2; msg:"PCOM/ASCII Request - Get UnitID (UG)"; classtype:attempted-recon; sid: 1000007; rev:1;)
alert tcp any 20256 -> any any (flow:established; byte_test:1, =, 101, 2; content:"UG"; offset: 10; depth:2; msg:"PCOM/ASCII Reply - Get UnitID (UG)"; classtype:attempted-recon; sid: 1000008; rev:1;)
alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 101, 2; content:"US"; offset: 9; depth:2; msg:"PCOM/ASCII Request - Set UnitID (US)"; classtype:attempted-recon; sid: 1000009; rev:1;)
alert tcp any 20256 -> any any (flow:established; byte_test:1, =, 101, 2; content:"US"; offset: 10; depth:2; msg:"PCOM/ASCII Reply - Set UnitID (US)"; classtype:attempted-recon; sid: 1000010; rev:1;)
alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 101, 2; content:"RC"; offset: 9; depth:2; msg:"PCOM/ASCII Request - Get RTC (RC)"; classtype:attempted-recon; sid: 1000011; rev:1;)
alert tcp any 20256 -> any any (flow:established; byte_test:1, =, 101, 2; content:"RC"; offset: 10; depth:2; msg:"PCOM/ASCII Reply - Get RTC (RC)"; classtype:attempted-recon; sid: 1000012; rev:1;)
alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 101, 2; content:"SC"; offset: 9; depth:2; msg:"PCOM/ASCII Request - Set RTC (SC)"; classtype:attempted-recon; sid: 1000013; rev:1;)
alert tcp any 20256 -> any any (flow:established; byte_test:1, =, 101, 2; content:"SC"; offset: 10; depth:2; msg:"PCOM/ASCII Reply - Set RTC (SC)"; classtype:attempted-recon; sid: 1000014; rev:1;)
alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 101, 2; content:"RE"; offset: 9; depth:2; msg:"PCOM/ASCII Request - Read Inputs (RE)"; classtype:attempted-recon; sid: 1000015; rev:1;)
alert tcp any 20256 -> any any (flow:established; byte_test:1, =, 101, 2; content:"RE"; offset: 10; depth:2; msg:"PCOM/ASCII Reply - Read Inputs (RE)"; classtype:attempted-recon; sid: 1000016; rev:1;)
alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 101, 2; content:"RA"; offset: 9; depth:2; msg:"PCOM/ASCII Request - Read Outputs (RA)"; classtype:attempted-recon; sid: 1000017; rev:1;)
alert tcp any 20256 -> any any (flow:established; byte_test:1, =, 101, 2; content:"RA"; offset: 10; depth:2; msg:"PCOM/ASCII Reply - Read Outputs (RA)"; classtype:attempted-recon; sid: 1000018; rev:1;)
alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 101, 2; content:"GS"; offset: 9; depth:2; msg:"PCOM/ASCII Request - Read System Bits (GS)"; classtype:attempted-recon; sid: 1000019; rev:1;)
alert tcp any 20256 -> any any (flow:established; byte_test:1, =, 101, 2; content:"GS"; offset: 10; depth:2; msg:"PCOM/ASCII Reply - Read System Bits (GS)"; classtype:attempted-recon; sid: 1000020; rev:1;)
alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 101, 2; content:"GF"; offset: 9; depth:2; msg:"PCOM/ASCII Request - Read System Integers (GF)"; classtype:attempted-recon; sid: 1000021; rev:1;)
alert tcp any 20256 -> any any (flow:established; byte_test:1, =, 101, 2; content:"GF"; offset: 10; depth:2; msg:"PCOM/ASCII Reply - Read System Integers (GF)"; classtype:attempted-recon; sid: 1000022; rev:1;)
alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 101, 2; content:"RNH"; offset: 9; depth:3; msg:"PCOM/ASCII Request - Read System Longs (RNH)"; classtype:attempted-recon; sid: 1000023; rev:1;)
alert tcp any 20256 -> any any (flow:established; byte_test:1, =, 101, 2; content:"RN"; offset: 10; depth:2; msg:"PCOM/ASCII Reply - Read Longs (RN)"; classtype:attempted-recon; sid: 1000024; rev:1;)
alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 101, 2; content:"RB"; offset: 9; depth:2; msg:"PCOM/ASCII Request - Read Memory Bits (RB)"; classtype:attempted-recon; sid: 1000025; rev:1;)
alert tcp any 20256 -> any any (flow:established; byte_test:1, =, 101, 2; content:"RB"; offset: 10; depth:2; msg:"PCOM/ASCII Reply - Read Memory Bits (RB)"; classtype:attempted-recon; sid: 1000026; rev:1;)
alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 101, 2; content:"RW"; offset: 9; depth:2; msg:"PCOM/ASCII Request - Read Memory Integers (RW)"; classtype:attempted-recon; sid: 1000027; rev:1;)
alert tcp any 20256 -> any any (flow:established; byte_test:1, =, 101, 2; content:"RW"; offset: 10; depth:2; msg:"PCOM/ASCII Reply - Read Memory Integers (RW)"; classtype:attempted-recon; sid: 1000028; rev:1;)
alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 101, 2; content:"RNL"; offset: 9; depth:3; msg:"PCOM/ASCII Request - Read Memory Longs (RNL)"; classtype:attempted-recon; sid: 1000029; rev:1;)
alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 101, 2; content:"SA"; offset: 9; depth:2; msg:"PCOM/ASCII Request - Write Outputs (SA)"; classtype:attempted-recon; sid: 1000030; rev:1;)
alert tcp any 20256 -> any any (flow:established; byte_test:1, =, 101, 2; content:"SA"; offset: 10; depth:2; msg:"PCOM/ASCII Reply - Write Outputs (SA)"; classtype:attempted-recon; sid: 1000031; rev:1;)
alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 101, 2; content:"SS"; offset: 9; depth:2; msg:"PCOM/ASCII Request - Write System Bits (SS)"; classtype:attempted-recon; sid: 1000032; rev:1;)
alert tcp any 20256 -> any any (flow:established; byte_test:1, =, 101, 2; content:"SS"; offset: 10; depth:2; msg:"PCOM/ASCII Reply - Write System Bits (SS)"; classtype:attempted-recon; sid: 1000033; rev:1;)
alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 101, 2; content:"SF"; offset: 9; depth:2; msg:"PCOM/ASCII Request - Write System Integers (SF)"; classtype:attempted-recon; sid: 1000034; rev:1;)
alert tcp any 20256 -> any any (flow:established; byte_test:1, =, 101, 2; content:"SF"; offset: 10; depth:2; msg:"PCOM/ASCII Reply - Write System Integers (SF)"; classtype:attempted-recon; sid: 1000035; rev:1;)
alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 101, 2; content:"SNH"; offset: 9; depth:3; msg:"PCOM/ASCII Request - Write System Longs (SNH)"; classtype:attempted-recon; sid: 1000036; rev:1;)
alert tcp any 20256 -> any any (flow:established; byte_test:1, =, 101, 2; content:"SN"; offset: 10; depth:2; msg:"PCOM/ASCII Reply - Write Longs (SN)"; classtype:attempted-recon; sid: 1000037; rev:1;)
alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 101, 2; content:"SB"; offset: 9; depth:2; msg:"PCOM/ASCII Request - Write Memory Bits (SB)"; classtype:attempted-recon; sid: 1000038; rev:1;)
alert tcp any 20256 -> any any (flow:established; byte_test:1, =, 101, 2; content:"SB"; offset: 10; depth:2; msg:"PCOM/ASCII Reply - Write Memory Bits (SB)"; classtype:attempted-recon; sid: 1000039; rev:1;)
alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 101, 2; content:"SW"; offset: 9; depth:2; msg:"PCOM/ASCII Request - Write Memory Integers (SW)"; classtype:attempted-recon; sid: 1000040; rev:1;)
alert tcp any 20256 -> any any (flow:established; byte_test:1, =, 101, 2; content:"SW"; offset: 10; depth:2; msg:"PCOM/ASCII Reply - Write Memory Integers (SW)"; classtype:attempted-recon; sid: 1000041; rev:1;)
alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 101, 2; content:"SNL"; offset: 9; depth:3; msg:"PCOM/ASCII Request - Write Memory Longs (SNL)"; classtype:attempted-recon; sid: 1000042; rev:1;)
alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 102, 2; content:"|4d|"; offset: 18; depth:1; msg:"PCOM/Binary Request - Read Operands (4d)"; classtype:attempted-recon; sid: 1000043; rev:1;)
alert tcp any 20256 -> any any (flow:established; byte_test:1, =, 102, 2; content:"|cd|"; offset: 18; depth:1; msg:"PCOM/Binary Reply - Read Operands (cd)"; classtype:attempted-recon; sid: 1000044; rev:1;)
alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 102, 2; content:"|04|"; offset: 18; depth:1; msg:"PCOM/Binary Request - Read Data Table (04)"; classtype:attempted-recon; sid: 1000045; rev:1;)
alert tcp any 20256 -> any any (flow:established; byte_test:1, =, 102, 2; content:"|84|"; offset: 18; depth:1; msg:"PCOM/Binary Reply - Read Data Table (84)"; classtype:attempted-recon; sid: 1000046; rev:1;)
alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 102, 2; content:"|44|"; offset: 18; depth:1; msg:"PCOM/Binary Request - Write Data Table (44)"; classtype:attempted-recon; sid: 1000047; rev:1;)
alert tcp any 20256 -> any any (flow:established; byte_test:1, =, 102, 2; content:"|c4|"; offset: 18; depth:1; msg:"PCOM/Binary Reply - Write Data Table (c4)"; classtype:attempted-recon; sid: 1000048; rev:1;)
alert tcp any any -> any 20256 (flow:established; byte_test:1, =, 102, 2; content:"|0c|"; offset: 18; depth:1; msg:"PCOM/Binary Request - Get PLC Name (0c)"; classtype:attempted-recon; sid: 1000049; rev:1;)
alert tcp any 20256 -> any any (flow:established; byte_test:1, =, 102, 2; content:"|8c|"; offset: 18; depth:1; msg:"PCOM/Binary Reply - Get PLC Name (8c)"; classtype:attempted-recon; sid: 1000050; rev:1;)

 [0] https://github.com/lmrosa/pcom-misc/blob/master/snort/local.rules

Hi Luis,

Thanks for the update, I'll get this sorted and updated.

-- 
Marcos Rodriguez
Cisco Talos
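Editor's note, added to this archive page and not part of either e-mail or of the rule file at [0]: the rules above hinge on three numbers that are easy to get wrong when editing them by hand: the protocol-mode byte at payload offset 2 (101 for ASCII, 102 for Binary), the command position at offset 9 for an ASCII request versus 10 for an ASCII reply, and the function-code byte at offset 18 in Binary mode. The Python below is a small stand-alone checker, written for this page, that applies exactly those checks to constructed PCOM/TCP payloads so the offsets can be verified offline before the rules go into a sensor. The frame layouts it builds (6-byte PCOM/TCP header; ASCII frames starting "/" plus a two-character unit id, replies starting "/A"; a 24-byte Binary header with the command at index 12; the checksum rules) are inferred from the rule offsets and are assumptions of this example, not facts stated in the thread. The command tables are a subset of the rules above.

```python
"""Offline checker for the PCOM/ASCII and PCOM/Binary rule offsets.

Added example for the archive page, not code from the thread or from
lmrosa/pcom-misc. Frame layouts and checksums are assumptions inferred
from the rule offsets (see comments); sample frames are constructed here.
"""
import struct

PCOM_TCP_PORT = 20256
MODE_ASCII = 101    # byte_test:1, =, 101, 2 in the PCOM/ASCII rules
MODE_BINARY = 102   # byte_test:1, =, 102, 2 in the PCOM/Binary rules

# Command -> msg fragment, copied from the rules (subset only).
ASCII_REQUEST = {
    "ID": "Identification (ID)", "CCE": "Reset Device (CCE)",
    "CCS": "Stop Device (CCS)", "CCR": "Start Device (CCR)",
    "CCI": "Init Device (CCI)", "UG": "Get UnitID (UG)",
    "RC": "Get RTC (RC)", "RNH": "Read System Longs (RNH)",
    "RNL": "Read Memory Longs (RNL)", "SNH": "Write System Longs (SNH)",
    "SNL": "Write Memory Longs (SNL)",
}
ASCII_REPLY = {
    "ID": "Identification (ID)", "UG": "Get UnitID (UG)",
    "RC": "Get RTC (RC)", "RN": "Read Longs (RN)", "SN": "Write Longs (SN)",
}
BINARY_REQUEST = {0x4D: "Read Operands (4d)", 0x04: "Read Data Table (04)",
                  0x44: "Write Data Table (44)", 0x0C: "Get PLC Name (0c)"}
BINARY_REPLY = {0xCD: "Read Operands (cd)", 0x84: "Read Data Table (84)",
                0xC4: "Write Data Table (c4)", 0x8C: "Get PLC Name (8c)"}


def classify(payload: bytes, to_plc: bool):
    """Return the msg the rules would raise for one TCP payload, or None.

    to_plc=True means the segment is headed to port 20256 (a request);
    False means it came from port 20256 (a reply), as in the rule headers.
    """
    if len(payload) < 3:
        return None
    mode = payload[2]                       # the byte_test every rule runs first
    if mode == MODE_ASCII:
        off, table, kind = ((9, ASCII_REQUEST, "Request") if to_plc
                            else (10, ASCII_REPLY, "Reply"))
        # Try 3-char codes before 2-char ones so "RNH" is not reported
        # as some 2-char code that shares its prefix.
        for width in (3, 2):
            code = payload[off:off + width].decode("ascii", "replace")
            if code in table:
                return f"PCOM/ASCII {kind} - {table[code]}"
        return None
    if mode == MODE_BINARY and len(payload) > 18:
        table, kind = ((BINARY_REQUEST, "Request") if to_plc
                       else (BINARY_REPLY, "Reply"))
        name = table.get(payload[18])       # content at offset 18, depth 1
        return f"PCOM/Binary {kind} - {name}" if name else None
    return None


# --- constructed frames (layout assumed, see module docstring) -----------

def pcom_tcp(mode: int, frame: bytes, tx_id: int = 1) -> bytes:
    """Prepend the assumed 6-byte PCOM/TCP header: id, mode, reserved, length."""
    return struct.pack("<HBBH", tx_id, mode, 0, len(frame)) + frame


def ascii_frame(unit: int, cmd: str, data: str = "", reply: bool = False) -> bytes:
    """'/' (or '/A' for a reply) + unit id + command + data + checksum + CR.
    Checksum assumed to be the byte sum after the prefix, mod 256, as hex."""
    body = f"{unit:02d}{cmd}{data}".encode("ascii")
    prefix = b"/A" if reply else b"/"
    return prefix + body + f"{sum(body) % 256:02X}".encode("ascii") + b"\r"


def binary_frame(unit: int, command: int, data: bytes = b"") -> bytes:
    """24-byte header with the command byte at index 12, then data, a
    footer checksum and ETX. Byte values other than the command are
    constructed placeholders."""
    hdr = (b"/_OPLC" + bytes([unit]) + b"\xfe\x01\x01\x00\x00"   # 12 bytes
           + bytes([command]) + b"\x00" + b"\x00" * 6            # cmd, rsv, args
           + struct.pack("<H", len(data)))                       # data length
    hdr += struct.pack("<H", sum(hdr) & 0xFFFF)                  # header checksum
    return hdr + data + struct.pack("<H", sum(data) & 0xFFFF) + b"\\"


if __name__ == "__main__":
    print(classify(pcom_tcp(MODE_ASCII, ascii_frame(0, "ID")), to_plc=True))
    print(classify(pcom_tcp(MODE_ASCII, ascii_frame(0, "ID", reply=True)), to_plc=False))
    print(classify(pcom_tcp(MODE_BINARY, binary_frame(0, 0x4D)), to_plc=True))
```

Two things this makes visible that the flat rule list does not: the ASCII reply offset is 10 rather than 9 only because the reply prefix is "/A" instead of "/", and the mode byte check is what keeps an ASCII content match from firing on a Binary frame (or on unrelated traffic on the port) that happens to carry the same two letters at that position. Note that a two-character `content` with `depth:2` matches the first two bytes of any longer command, so the request rules for the three-character codes should sit beside, not instead of, the two-character ones.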
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs
