[Oisf-users] DNP3 Preprocessor Keyword Changes
Jason Ish
ish at unx.ca
Thu Aug 10 13:18:01 UTC 2017
Hi Fred,
> On Aug 9, 2017, at 11:01 AM, Fred Austin <fred.austin at n-dimension.com> wrote:
>
> Examining the lastest version (v1.3, 2015 on Github) of the Quickdraw IDS rules set for Snort/Suricata the DNP3 rules, they contain dnp3 keywords which are no longer supported, namely:
>
> - dnp3_cmd_fc
> - dnp3_cmd_ot
> - dnp3_checksum
>
> The currently supported dnp3 keywords are:
>
> - dnp3_func
> - dnp3_ind
> - dnp3_obj
> - dnp3_data
>
> I could not find any documentation about the previous dnp3 keywords (dnp3_cmd_fc, etc). Does anyone have any documentation about the previous dnp3 keywords and how they map to the new (supported) keywords? At first guess, I would assume that "dnp3_cmd_fc" maps to "dnp3_func", but it is not clear about the other keywords.
To the best of my knowledge Suricata has never been compatible with the Quickdraw DNP3 rules, instead our DNP3 keywords are designed to be compatible with those built into Snort. Unfortunately while those keywords above are used in some rulesets, they have never worked with Suricata. At some point I’d like to look at the Quickdraw rules and rewrite them for Suricata, but I’m not sure when I can get around to that.
Jason
More information about the Oisf-users
mailing list