mirror of https://github.com/OISF/suricata
doc: dnp3 keywords
Jason Ish
9 years ago
committed by
Victor Julien
parent
9dea001c7d
commit
98f56f9916
@ -0,0 +1,149 @@
|
||||
DNP3 keyword (Currently in development, not available yet)
|
||||
==========================================================
|
||||
|
||||
The DNP3 keywords can be used to match on fields in decoded DNP3
|
||||
messages. The keywords are based on Snort's DNP3 keywords and aim to
|
||||
be 100% compatible.
|
||||
|
||||
dnp3_func
|
||||
---------
|
||||
|
||||
This keyword will match on the application function code found in DNP3
|
||||
request and responses. It can be specified as the integer value or
|
||||
the symbolic name of the function code.
|
||||
|
||||
Syntax
|
||||
~~~~~~
|
||||
|
||||
::
|
||||
|
||||
dnp3_func:<value>;
|
||||
|
||||
Where value is one of:
|
||||
|
||||
* An integer value between 0 and 255 inclusive.
|
||||
* Function code name:
|
||||
|
||||
* confirm
|
||||
* read
|
||||
* write
|
||||
* select
|
||||
* operate
|
||||
* direct_operate
|
||||
* direct_operate_nr
|
||||
* immed_freeze
|
||||
* immed_freeze_nr
|
||||
* freeze_clear
|
||||
* freeze_clear_nr
|
||||
* freeze_at_time
|
||||
* freeze_at_time_nr
|
||||
* cold_restart
|
||||
* warm_restart
|
||||
* initialize_data
|
||||
* initialize_appl
|
||||
* start_appl
|
||||
* stop_appl
|
||||
* save_config
|
||||
* enable_unsolicited
|
||||
* disable_unsolicited
|
||||
* assign_class
|
||||
* delay_measure
|
||||
* record_current_time
|
||||
* open_file
|
||||
* close_file
|
||||
* delete_file
|
||||
* get_file_info
|
||||
* authenticate_file
|
||||
* abort_file
|
||||
* activate_config
|
||||
* authenticate_req
|
||||
* authenticate_err
|
||||
* response
|
||||
* unsolicited_response
|
||||
* authenticate_resp
|
||||
|
||||
dnp3_ind
|
||||
--------
|
||||
|
||||
This keyword matches on the DNP3 internal indicator flags in the
|
||||
response application header.
|
||||
|
||||
Syntax
|
||||
~~~~~~
|
||||
|
||||
::
|
||||
|
||||
dnp3_ind:<flag>{,<flag>...}
|
||||
|
||||
|
||||
Where flag is the name of the internal indicator:
|
||||
|
||||
* all_stations
|
||||
* class_1_events
|
||||
* class_2_events
|
||||
* class_3_events
|
||||
* need_time
|
||||
* local_control
|
||||
* device_trouble
|
||||
* device_restart
|
||||
* no_func_code_support
|
||||
* object_unknown
|
||||
* parameter_error
|
||||
* event_buffer_overflow
|
||||
* already_executing
|
||||
* config_corrupt
|
||||
* reserved_2
|
||||
* reserved_1
|
||||
|
||||
This keyword will match of any of the flags listed are set. To match
|
||||
on multiple flags (AND type match), use dnp3_ind for each flag that
|
||||
must be set.
|
||||
|
||||
Examples
|
||||
~~~~~~~~
|
||||
|
||||
::
|
||||
|
||||
dnp3_ind:all_stations;
|
||||
|
||||
::
|
||||
|
||||
dnp3_ind:class_1_events,class_2_events;
|
||||
|
||||
dnp3_obj
|
||||
--------
|
||||
|
||||
This keyword matches on the DNP3 application data objects.
|
||||
|
||||
Syntax
|
||||
~~~~~~
|
||||
|
||||
::
|
||||
|
||||
|
||||
dnp3_obj:<group>,<variation>
|
||||
|
||||
Where <group> and <variation> are integer values between 0 and 255 inclusive.
|
||||
|
||||
dnp3_data
|
||||
---------
|
||||
|
||||
This keyword will cause the following content options to match on the
|
||||
re-assembled application buffer. The reassembled application buffer is
|
||||
a DNP3 fragment with CRCs removed (which occur every 16 bytes), and
|
||||
will be the complete fragment, possibly reassembled from multiple DNP3
|
||||
link layer frames.
|
||||
|
||||
Syntax
|
||||
~~~~~~
|
||||
|
||||
::
|
||||
|
||||
dnp3_data;
|
||||
|
||||
Example
|
||||
~~~~~~~
|
||||
|
||||
::
|
||||
|
||||
dnp3_data; content:|c3 06|;
|
||||
Loading…
Reference in New Issue