Re: Please help me to get Snort rules for Automotive

[Snort User via Snort-sigs <snort-sigs () lists snort org>]

Hello Ayan,

Among the protocols listed, snort does inspect IPv4, TCP, UDP, ICMP. Snort
will detect a set of abnormalities such as abnormal or malicious header
options, and any abnormality in TCP handshake, and other abnormalities
found in TCP segment overlaps, retransmissions etc. In addition to these,
there are a set of signatures that may be applicable for you.
There is the community set of rules and if you register you get the
registered user rules. Check the license terms.
Snort Rules and IDS Software Download
<https://www.snort.org/downloads#rules>

As far as the other protocols, these are custom and proprietary protocols,
and you will not find many signatures and analysis modules for that
category.

Notes on the list of SCADA preprocessors (and the protocols) - Snort Blog:
Snort 2.9.2: SCADA Preprocessors
<https://blog.snort.org/2012/01/snort-292-scada-preprocessors.html>
SSH protocol module - README.ssh (snort.org)
<https://snort.org/faq/readme-ssh>

With Snort3, the list of protocols analyzed is more and includes Snort 3
Inspector Reference - Introduction [Cisco Secure Firewall Management
Center] - Cisco
<https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/snort3-inspectors/snort-3-inspector-reference/intro.html>

Best -




On Wed, Nov 9, 2022 at 8:40 AM Ayan Bandyopadhyay <
ayan.bandyopadhyay () wipro com> wrote:

> Hi Team,
>
> This is the details I have collected. Sorry for the late reply as it took
> me quite some time and study to collect the details.
>
>
>
>
>
> However, with regards to Snort, its traffic analysis, and rules what you
> have to ask yourself and answer is this -
>
>
>
> 1. What type of traffic and network protocols is used between Zonal
> Controllers and ECU? and maybe between the 4 Zonal controllers?
>
> -- IPv4? TCP/UDP/ICMP? What application level protocols? What ports?
>
>
>
> [Ayan]:
>
> Protocols used within Controllers only:
>
> Protocols used with external words: IPV4, TCP, UDP, ICMP, SSH, SCP, AVTP,
> FQTSS, 1AS PTP, 1QAT SRP, INFIBAND (IB), Sockets Direct Protocol (SDP)
>
>
>
> -- Do you expect to monitor that traffic?
>
> [Ayan]:
>
> Yes, we expect to Monitor that traffic.
>
>
>
>
>
> ** Snort does not have any capability to analyze custom application level
> protocols. Snort can very well do analysis of well-known application level
> protocols (HTTP, SMTP, and all such..).
>
>
>
> 2. Do you run other servers on these Zonal controllers and ECUs? For e.g.
> Web servers or FTP servers?
>
>
>
> [Ayan]:
>
> No.
>
>
>
> ** If yes, then Snort can inspect and detect any attacks against
> those applications. Towards that you do not need any custom rules, the
> regular snort rules that are available will suffice. The publicly available
> rules will be a bit old. You will need to contact any 3rd party providers
> who sell snort rules to get the latest.
>
>
>
> [Ayan]:
>
> Please provide some good third party reference who are strong in rule
> development?
>
>
>
>
>
> *Thanks & Regards,*
>
> Ayan Bandyopadhyay,
>
> Mobile: +91 9836654548
>
>
>
>
>
> Internal to Wipro
>
> *From:* Snort User <snort.user () gmail com>
> *Sent:* Monday, October 31, 2022 6:58 PM
> *To:* Ayan Bandyopadhyay <ayan.bandyopadhyay () wipro com>
> *Cc:* snort-sigs () lists snort org; Swapnil Rajendra Patil <
> swapnil.patil31 () wipro com>; Akhilesh Kumar Gupta <
> akhilesh.gupta10 () wipro com>
> *Subject:* Re: [Snort-sigs] Please help me to get Snort rules for
> Automotive
>
>
>
> CAUTION:This email is received from an external domain. Open the
> hyperlink(s) & attachment(s) with caution.
> .
>
>
> Ok. That gives more clarity.
>
>
>
> However, with regards to Snort, its traffic analysis, and rules what you
> have to ask yourself and answer is this -
>
>
>
> 1. What type of traffic and network protocols is used between Zonal
> Controllers and ECU? and maybe between the 4 Zonal controllers?
>
> -- IPv4? TCP/UDP/ICMP? What application level protocols? What ports?
>
> -- Do you expect to monitor that traffic?
>
>
>
> ** Snort does not have any capability to analyze custom application level
> protocols. Snort can very well do analysis of well known application level
> protocols (HTTP, SMTP, and all such..).
>
>
>
> 2. Do you run other servers on these Zonal controllers and ECUs? For e.g.
> Web servers or FTP servers?
>
>
>
> ** If yes, then Snort can inspect and detect any attacks against
> those applications. Towards that you do not need any custom rules, the
> regular snort rules that are available will suffice. The publicly available
> rules will be a bit old. You will need to contact any 3rd party providers
> who sell snort rules to get the latest.
>
>
>
> IMPORTANT: I also want to make you aware that this is a public forum, and
> any information that you provide here is available to ALL. So, be vary and
> think twice before writing any details about the architectures, servers,
> applications etc.
>
>
>
> Best regards
>
>
>
>
>
>
>
> On Mon, Oct 31, 2022 at 6:04 AM Ayan Bandyopadhyay <
> ayan.bandyopadhyay () wipro com> wrote:
>
> Hi,
>
> Thanks for asking. Let me give you a brief detail of our project:
>
>
>
>     We are developing for a SW driven Electric Vehicle. As a major
> architecture change w.r.t previous Automotive era, there will be 4 zonal
> controllers which are connected in a circular fashion via 10Gbps Ethernet.
> All other ECUs are connected to the Zonal Controllers by different
> connection types like CAN, MOST, Ethernet etc. One of these 4 Zonal
> controller is working as master and will be connected to internet via 5G
> wifi. This connection will be used for FOTA update and other connected
> features.
>     We are planning to run Snort on this master zonal controller as a
> Network IDS tool and alert the admin (or log) whenever there is any
> unwanted transaction happens through it. We should consider that all the
> other Automotive ECUs (like Infotainment, Cluster, Body, Power Transmission
> etc.) will be communicating through this master zonal controller to outside
> world.
>     So we are expecting Snort rules which will help us capture typical
> attacks that can compromise any of the internal Automotive ECU or can try
> to control any of the Zonal controllers. Please let us know if you need
> further details of area.
>
>
>
>
>
> *Thanks & Regards,*
>
> Ayan Bandyopadhyay,
>
> Mobile: +91 9836654548
>
>
> ------------------------------
>
> *From:* Snort User <snort.user () gmail com>
> *Sent:* Saturday, October 29, 2022 2:04 AM
> *To:* Ayan Bandyopadhyay <ayan.bandyopadhyay () wipro com>
> *Cc:* snort-sigs () lists snort org <snort-sigs () lists snort org>; Swapnil
> Rajendra Patil <swapnil.patil31 () wipro com>
> *Subject:* Re: [Snort-sigs] Please help me to get Snort rules for
> Automotive
>
>
>
> CAUTION:This email is received from an external domain. Open the
> hyperlink(s) & attachment(s) with caution.
> .
>
>
> Ayan,
>
>
>
> Does the Automative domains have any specific networking protocols? Can
> you be a bit more detailed as to what is different about
> Automative domain/field?
>
> For e.g. there are SCADA networks that have specific protocols, and Snort
> has created preprocessors and rules that are specific to that domain.
>
> Does Automative domain fall under that category?
>
>
>
>
>
>
>
>
>
>
>
> On Thu, Oct 27, 2022 at 1:09 PM Ayan Bandyopadhyay via Snort-sigs <
> snort-sigs () lists snort org> wrote:
>
> Hi,
>
> Please help me to get Snort rules for Automotive.
>
>
>
> If you can forward me some link, document to community address who works
> on Automotive specific Snort rules will be a great help.
>
>
>
> *Thanks & Regards,*
>
> Ayan Bandyopadhyay,
>
> Mobile: +91 9836654548
>
> 'The information contained in this electronic message and any attachments
> to this message are intended for the exclusive use of the addressee(s) and
> may contain proprietary, confidential or privileged information. If you are
> not the intended recipient, you should not disseminate, distribute or copy
> this e-mail. Please notify the sender immediately and destroy all copies of
> this message and any attachments. WARNING: Computer viruses can be
> transmitted via email. The recipient should check this email and any
> attachments for the presence of viruses. The company accepts no liability
> for any damage caused by any virus transmitted by this email.
> www.wipro.com
> <https://apc01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.wipro.com%2F&data=05%7C01%7Cayan.bandyopadhyay%40wipro.com%7C4d3c6eef672746f8b53b08dabb43b399%7C258ac4e4146a411e9dc879a9e12fd6da%7C1%7C0%7C638028196740671155%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=llQ5B2T2PNFLQ%2FHuOzyqDuBiay8HacrRj%2BCFTU7smcE%3D&reserved=0>'
>
>
> Internal to Wipro
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists snort org
> https://lists.snort.org/mailman/listinfo/snort-sigs
> <https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.snort.org%2Fmailman%2Flistinfo%2Fsnort-sigs&data=05%7C01%7Cayan.bandyopadhyay%40wipro.com%7C4d3c6eef672746f8b53b08dabb43b399%7C258ac4e4146a411e9dc879a9e12fd6da%7C1%7C0%7C638028196740671155%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=uqYj%2FcCoiTJRombrvGROijpkElgDRF9iFZTGZIXB%2Bl8%3D&reserved=0>
>
> Please visit http://blog.snort.org
> <https://apc01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fblog.snort.org%2F&data=05%7C01%7Cayan.bandyopadhyay%40wipro.com%7C4d3c6eef672746f8b53b08dabb43b399%7C258ac4e4146a411e9dc879a9e12fd6da%7C1%7C0%7C638028196740671155%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=x7H1elhIjoaSW3hN2O8I5dB%2BfYGayXd2CLWDR8ov53Y%3D&reserved=0>
> for the latest news about Snort!
>
> Please follow these rules:
> https://snort.org/faq/what-is-the-mailing-list-etiquette
> <https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsnort.org%2Ffaq%2Fwhat-is-the-mailing-list-etiquette&data=05%7C01%7Cayan.bandyopadhyay%40wipro.com%7C4d3c6eef672746f8b53b08dabb43b399%7C258ac4e4146a411e9dc879a9e12fd6da%7C1%7C0%7C638028196740671155%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=oQlG5mTAPtNuc91E8w5qmFJukqtGB8qJSYoVuJFHh04%3D&reserved=0>
>
> Visit the Snort.org to subscribe to the official Snort ruleset, make sure
> to stay up to date to catch the most <a href="
> https://snort.org/downloads/#rule-downloads
> <https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsnort.org%2Fdownloads%2F%23rule-downloads&data=05%7C01%7Cayan.bandyopadhyay%40wipro.com%7C4d3c6eef672746f8b53b08dabb43b399%7C258ac4e4146a411e9dc879a9e12fd6da%7C1%7C0%7C638028196740827408%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=hNw3fMnwPpGu4xGmskzef1WHpNspm3zuNM8nI1lCAPc%3D&reserved=0>">emerging
> threats</a>!
>
> 'The information contained in this electronic message and any attachments
> to this message are intended for the exclusive use of the addressee(s) and
> may contain proprietary, confidential or privileged information. If you are
> not the intended recipient, you should not disseminate, distribute or copy
> this e-mail. Please notify the sender immediately and destroy all copies of
> this message and any attachments. WARNING: Computer viruses can be
> transmitted via email. The recipient should check this email and any
> attachments for the presence of viruses. The company accepts no liability
> for any damage caused by any virus transmitted by this email.
> www.wipro.com
> <https://apc01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.wipro.com%2F&data=05%7C01%7Cayan.bandyopadhyay%40wipro.com%7C4d3c6eef672746f8b53b08dabb43b399%7C258ac4e4146a411e9dc879a9e12fd6da%7C1%7C0%7C638028196740827408%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=paW1%2Bo4wyOBgt1itM%2F%2BPOvtxH0indua%2BXQmP7s4jhSw%3D&reserved=0>'
>
>
> Internal to Wipro
>
> 'The information contained in this electronic message and any attachments
> to this message are intended for the exclusive use of the addressee(s) and
> may contain proprietary, confidential or privileged information. If you are
> not the intended recipient, you should not disseminate, distribute or copy
> this e-mail. Please notify the sender immediately and destroy all copies of
> this message and any attachments. WARNING: Computer viruses can be
> transmitted via email. The recipient should check this email and any
> attachments for the presence of viruses. The company accepts no liability
> for any damage caused by any virus transmitted by this email.
> www.wipro.com'
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!