Snort mailing list archives

Re: Please help me to get Snort rules for Automotive


From: Ayan Bandyopadhyay via Snort-sigs <snort-sigs () lists snort org>
Date: Wed, 9 Nov 2022 13:40:20 +0000

Hi Team,
These are the details I have collected. Sorry for the late reply, as it took me quite some time and study to collect the 
details.


However, with regards to Snort, its traffic analysis, and rules what you have to ask yourself and answer is this -

1. What types of traffic and network protocols are used between Zonal Controllers and ECU? And maybe between the 4 Zonal 
controllers?
-- IPv4? TCP/UDP/ICMP? What application level protocols? What ports?

[Ayan]:
Protocols used within Controllers only:
Protocols used with external world: IPv4, TCP, UDP, ICMP, SSH, SCP, AVTP, FQTSS, 1AS PTP, 1QAT SRP, InfiniBand (IB), 
Sockets Direct Protocol (SDP)

-- Do you expect to monitor that traffic?
[Ayan]:
Yes, we expect to monitor that traffic.


** Snort does not have any capability to analyze custom application level protocols. Snort can very well do analysis of 
well-known application level protocols (HTTP, SMTP, and all such..).

2. Do you run other servers on these Zonal controllers and ECUs? For e.g. Web servers or FTP servers?

[Ayan]:
No.

** If yes, then Snort can inspect and detect any attacks against those applications. Towards that you do not need any 
custom rules, the regular snort rules that are available will suffice. The publicly available rules will be a bit old. 
You will need to contact any 3rd party providers who sell snort rules to get the latest.

[Ayan]:
Please provide some good third-party references who are strong in rule development.


Thanks & Regards,
Ayan Bandyopadhyay,
Mobile: +91 9836654548



From: Snort User <snort.user () gmail com>
Sent: Monday, October 31, 2022 6:58 PM
To: Ayan Bandyopadhyay <ayan.bandyopadhyay () wipro com>
Cc: snort-sigs () lists snort org; Swapnil Rajendra Patil <swapnil.patil31 () wipro com>; Akhilesh Kumar Gupta 
<akhilesh.gupta10 () wipro com>
Subject: Re: [Snort-sigs] Please help me to get Snort rules for Automotive



Ok. That gives more clarity.

However, with regards to Snort, its traffic analysis, and rules what you have to ask yourself and answer is this -

1. What types of traffic and network protocols are used between Zonal Controllers and ECU? And maybe between the 4 Zonal 
controllers?
-- IPv4? TCP/UDP/ICMP? What application level protocols? What ports?
-- Do you expect to monitor that traffic?

** Snort does not have any capability to analyze custom application level protocols. Snort can very well do analysis of 
well known application level protocols (HTTP, SMTP, and all such..).

2. Do you run other servers on these Zonal controllers and ECUs? For e.g. Web servers or FTP servers?

** If yes, then Snort can inspect and detect any attacks against those applications. Towards that you do not need any 
custom rules, the regular snort rules that are available will suffice. The publicly available rules will be a bit old. 
You will need to contact any 3rd party providers who sell snort rules to get the latest.

IMPORTANT: I also want to make you aware that this is a public forum, and any information that you provide here is 
available to ALL. So, be wary and think twice before writing any details about the architectures, servers, applications 
etc.

Best regards



On Mon, Oct 31, 2022 at 6:04 AM Ayan Bandyopadhyay <ayan.bandyopadhyay () wipro com> wrote:
Hi,
Thanks for asking. Let me give you a brief detail of our project:

    We are developing for a SW-driven Electric Vehicle. As a major architecture change w.r.t. the previous Automotive era, 
there will be 4 zonal controllers which are connected in a circular fashion via 10Gbps Ethernet. All other ECUs are 
connected to the Zonal Controllers by different connection types like CAN, MOST, Ethernet etc. One of these 4 Zonal 
controllers is working as master and will be connected to the internet via 5G wifi. This connection will be used for FOTA 
update and other connected features.
    We are planning to run Snort on this master zonal controller as a Network IDS tool and alert the admin (or log) 
whenever any unwanted transaction happens through it. We should consider that all the other Automotive ECUs 
(like Infotainment, Cluster, Body, Power Transmission etc.) will be communicating through this master zonal controller 
to the outside world.
    So we are expecting Snort rules which will help us capture typical attacks that can compromise any of the internal 
Automotive ECUs or can try to control any of the Zonal controllers. Please let us know if you need further details of 
the area.


Thanks & Regards,
Ayan Bandyopadhyay,
Mobile: +91 9836654548

________________________________
From: Snort User <snort.user () gmail com>
Sent: Saturday, October 29, 2022 2:04 AM
To: Ayan Bandyopadhyay <ayan.bandyopadhyay () wipro com>
Cc: snort-sigs () lists snort org; Swapnil Rajendra Patil <swapnil.patil31 () wipro com>
Subject: Re: [Snort-sigs] Please help me to get Snort rules for Automotive



Ayan,

Does the Automotive domain have any specific networking protocols? Can you be a bit more detailed as to what is 
different about the Automotive domain/field?
For e.g. there are SCADA networks that have specific protocols, and Snort has created preprocessors and rules that are 
specific to that domain.
Does the Automotive domain fall under that category?





On Thu, Oct 27, 2022 at 1:09 PM Ayan Bandyopadhyay via Snort-sigs <snort-sigs () lists snort org> wrote:
Hi,
Please help me to get Snort rules for Automotive.

If you can forward me some link, document, or community address for those who work on Automotive-specific Snort rules, it 
will be a great help.

Thanks & Regards,
Ayan Bandyopadhyay,
Mobile: +91 9836654548
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most 
emerging threats: https://snort.org/downloads/#rule-downloads
