[Oisf-users] DNP3 Preprocessor Keyword Changes

Fred Austin fred.austin at n-dimension.com
Thu Aug 10 14:26:39 UTC 2017


I updated a copy of the Quickdraw Dnp3 rules based on the following:

1) Replace dnp3_cmd_fc with dnp3_func
2) Replace dnp3_cmd_ot with dnp3_obj, a variation value is needed and
research indicated a value of 1 would be appropriate for an object value of
50, but I am not 100% certain
3) Comment out rules that use dnp3_checksum

Most of the rules trigger using the pcap files that come with the Quickdraw
set, including the one using the keyword dnp3_obj.


On Thu, Aug 10, 2017 at 9:18 AM, Jason Ish <ish at unx.ca> wrote:

> Hi Fred,
>
> > On Aug 9, 2017, at 11:01 AM, Fred Austin <fred.austin at n-dimension.com>
> wrote:
> >
> > Examining the lastest version (v1.3, 2015 on Github) of the Quickdraw
> IDS rules set for Snort/Suricata the DNP3 rules, they contain dnp3 keywords
> which are no longer supported, namely:
> >
> >     - dnp3_cmd_fc
> >     - dnp3_cmd_ot
> >     - dnp3_checksum
> >
> > The currently supported dnp3 keywords are:
> >
> >     - dnp3_func
> >     - dnp3_ind
> >     - dnp3_obj
> >     - dnp3_data
> >
> > I could not find any documentation about the previous dnp3 keywords
> (dnp3_cmd_fc, etc). Does anyone have any documentation about the previous
> dnp3 keywords and how they map to the new (supported) keywords? At first
> guess, I would assume that "dnp3_cmd_fc" maps to "dnp3_func", but it is not
> clear about the other keywords.
>
> To the best of my knowledge Suricata has never been compatible with the
> Quickdraw DNP3 rules, instead our DNP3 keywords are designed to be
> compatible with those built into Snort. Unfortunately while those keywords
> above are used in some rulesets, they have never worked with Suricata.  At
> some point I’d like to look at the Quickdraw rules and rewrite them for
> Suricata, but I’m not sure when I can get around to that.
>
> Jason
>
>


-- 
Fred Austin
VP Product Development
N-Dimension Solutions


*Cyber Security Protection for Critical Infrastructure Assets*This email
and any files transmitted with it are solely intended for the use of the
named recipient(s) and may contain information that is privileged and
confidential. If you receive this email in error, please immediately notify
the sender and delete this message in all its forms.  E-mail transmission
cannot be guaranteed to be secure or error-free as information could be
intercepted, corrupted, lost, destroyed, arrive late or incomplete, or
contain viruses.  Therefore N-Dimension Solutions Inc. does not accept
liability for any errors or omission in the contents of the message which
arise as a result of e-mail transmission.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20170810/679f7eb7/attachment-0002.html>


More information about the Oisf-users mailing list