-
Notifications
You must be signed in to change notification settings - Fork 30
/
enip-rules
140 lines (118 loc) · 9.17 KB
/
enip-rules
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
# (C) Copyright 2011-2017, Digital Bond, Inc.
# All rights reserved.
#
# Version 1.1 02/27/2011
#
# Version 1.0 01/29/2011 Initial Release
# Version 1.1 02/27/2011 Changed reference to reflect new web site
# Version 1.2 09/29/2017 Updated all enip Snort preprocessors rules for use with Suricata enip and cip keywords
#
# Acknowledgements
# Digital Bond developed a EtherNet/IP preprocessor and ruleset for Snort in 2007. This preprocessor no longer worked in
# later versions of Snort and the EtherNet/IP ruleset that relied on the preprocessor were removed. Suricata R3.2 added
# the capability in the older Snort prepocessor including two keywords that could be used in the rules.
#
# A team at N-Dimension Solutions, with the assistance of Solana Networks, updated and tested the rules to work with
# Suricata and EtherNet/IP keywords. This work was completed as part of a project with Public Safety Canada and Defence R&D
# Canada. Version 1.2 you see here is due to the good work of N-Dimension Solutions and Solana Networks.
#
#----------------------------------------------------------
#
# All EtherNet/IP rules in this file use the Suricata enip and cip keywords that were added in R3.2.
#
# The enip and cip keywords make possible Suricata rule writing for EtherNet/IP and the underlying CIP
# It would be difficult to write reliable rules without these keywords because it is necessary to know
# the session state to avoid false positives and negatives.
#
# Variables that must be defined in the .conf/.yaml file
#
# ENIP_CLIENT The IP addresses of valid EtherNet/IP clients (eg. SCADA system)
# ENIP_SERVER The IP addresses of valid EtherNet/IP servers (PLC's)
#
#----------------------------------------------------------
# Suricata Supports 1 enip keyword and 1 cip keyword:
#----------------------------------------------------------
#
# Keyword: cip_service:<value(s)>
# Purpose: matches on the CIP service field of a packet
# Value: decimal value of the CIP service to match on
# Dependencies: preprocessor enip must be active; matches only if the matching reply packet is also recorded by the session
#
# Keyword: enip_command:<value> (NOTE: None of the rules below use the enip_command keyword)
# Purpose: matches on the CIP response field of a packet
# Value: decimal value of the CIP response
# Dependencies: preprocessor enip must be active
#
#----------------------------------------------------------
#
# Rules Summary:
# SID: 1111501 - 1111504 => Reboot or Restart
# SID: 1111505 - 1111506 => Unlock Rockwell PLC
# SID: 1111507 - 1111510 => Lock Rockwell PLC
# SID: 1111511 - 1111512, 1111519 - 1111520 => Stop Detected
# SID: 1111513 - 1111514 => Rockwell, Remote Mode Change Attempt
# SID: 1111515 - 1111516 => Rockwell, Software Upload
# SID: 1111517 - 1111518 => TCP/UDP ENIP Identity Request
#
# SID's: 1111505, 1111506, 1111507, 1111508, 1111509, 1111510, 1111513, 1111514, 1111515, & 1111516 have
# a threshold of 1 alert per second that was based on the sample pcaps.
#
# The CL5000eip pcaps can be used to test that your Suricata deployment is working properly
#
#----------------------------------------------------------
alert enip !$ENIP_CLIENT any -> $ENIP_SERVER 44818 (msg:"SCADA_IDS: ENIP/CIP - Reboot or Restart from Unauthorized Client"; cip_service:5; \
reference:url,digitalbond.com/tools/quickdraw/ethernetip-rules; classtype:denial-of-service; sid:1111501; rev:1; priority:1;)
alert enip !$ENIP_CLIENT any -> $ENIP_SERVER 44818 (msg:"SCADA_IDS: ENIP/CIP - Reboot or Restart from Unauthorized Client"; cip_service:6; \
reference:url,digitalbond.com/tools/quickdraw/ethernetip-rules; classtype:denial-of-service; sid:1111502; rev:1; priority:1;)
alert enip $ENIP_CLIENT any -> $ENIP_SERVER 44818 (msg:"SCADA_IDS: ENIP/CIP - Reboot or Restart from Authorized Client"; cip_service:5; \
reference:url,digitalbond.com/tools/quickdraw/ethernetip-rules; classtype:denial-of-service; sid:1111503; rev:1; priority:2;)
alert enip $ENIP_CLIENT any -> $ENIP_SERVER 44818 (msg:"SCADA_IDS: ENIP/CIP - Reboot or Restart from Authorized Client"; cip_service:6; \
reference:url,digitalbond.com/tools/quickdraw/ethernetip-rules; classtype:denial-of-service; sid:1111504; rev:1; priority:2;)
alert enip !$ENIP_CLIENT any -> $ENIP_SERVER 44818 (msg:"SCADA_IDS: ENIP/CIP - Unlock Rockwell PLC Attempt from Unauthorized Client"; cip_service:76; \
threshold: type limit, track by_src, seconds 1, count 1; \
reference:url,digitalbond.com/tools/quickdraw/ethernetip-rules; classtype:misc-attack; sid:1111505; rev:1; priority:1;)
alert enip $ENIP_CLIENT any -> $ENIP_SERVER 44818 (msg:"SCADA_IDS: ENIP/CIP - Unlock Rockwell PLC Attempt from Authorized Client"; cip_service:76; \
threshold: type limit, track by_src, seconds 1, count 1; \
reference:url,digitalbond.com/tools/quickdraw/ethernetip-rules; classtype:misc-attack; sid:1111506; rev:1; priority:2;)
alert enip !$ENIP_CLIENT any -> $ENIP_SERVER 44818 (msg:"SCADA_IDS: ENIP/CIP - Lock Rockwell PLC Attempt from Unauthorized Client"; cip_service:77; \
threshold: type limit, track by_src, seconds 1, count 1; \
reference:url,digitalbond.com/tools/quickdraw/ethernetip-rules; classtype:misc-attack; sid:1111507; rev:1; priority:1;)
alert enip !$ENIP_CLIENT any -> $ENIP_SERVER 44818 (msg:"SCADA_IDS: ENIP/CIP - Lock Rockwell PLC Attempt from Unauthorized Client"; cip_service:78; \
threshold: type limit, track by_src, seconds 1, count 1; \
reference:url,digitalbond.com/tools/quickdraw/ethernetip-rules; classtype:misc-attack; sid:1111508; rev:1; priority:1;)
alert enip $ENIP_CLIENT any -> $ENIP_SERVER 44818 (msg:"SCADA_IDS: ENIP/CIP - Lock Rockwell PLC Attempt from Authorized Client"; cip_service:77; \
threshold: type limit, track by_src, seconds 1, count 1; \
reference:url,digitalbond.com/tools/quickdraw/ethernetip-rules; classtype:misc-attack; sid:1111509; rev:1; priority:2;)
alert enip $ENIP_CLIENT any -> $ENIP_SERVER 44818 (msg:"SCADA_IDS: ENIP/CIP - Lock Rockwell PLC Attempt from Authorized Client"; cip_service:78; \
threshold: type limit, track by_src, seconds 1, count 1; \
reference:url,digitalbond.com/tools/quickdraw/ethernetip-rules; classtype:misc-attack; sid:1111510; rev:1; priority:2;)
alert enip !$ENIP_CLIENT any -> $ENIP_SERVER 44818 (msg:"SCADA_IDS: ENIP/CIP - Stop Detected from Unauthorized Client"; \
flow:to_server,established; cip_service:7; reference:url,digitalbond.com/tools/quickdraw/ethernetip-rules; \
classtype:denial-of-service; flowbits:set,detstop; sid:1111511; rev:1; priority:2;)
alert enip $ENIP_CLIENT any -> $ENIP_SERVER 44818 (msg:"SCADA_IDS: ENIP/CIP - Stop Detected from Authorized Client"; \
flow:to_server,established; cip_service:7; reference:url,digitalbond.com/tools/quickdraw/ethernetip-rules; \
classtype:denial-of-service; flowbits:set,detstop; sid:1111512; rev:1; priority:2;)
alert enip !$ENIP_CLIENT any -> $ENIP_SERVER 44818 (msg:"SCADA_IDS: ENIP/CIP - Rockwell, Remote Mode Change Attempt from Unauthorized Client"; \
flow:to_server,established; flowbits:isset,detstop; cip_service:76; \
threshold: type limit, track by_src, seconds 1, count 1; \
reference:url,digitalbond.com/tools/quickdraw/ethernetip-rules; classtype:misc-attack; sid:1111513; rev:1; priority:1;)
alert enip $ENIP_CLIENT any -> $ENIP_SERVER 44818 (msg:"SCADA_IDS: ENIP/CIP - Rockwell, Remote Mode Change Attempt from Authorized Client"; \
flow:to_server,established; flowbits:isset,detstop; cip_service:76; \
threshold: type limit, track by_src, seconds 1, count 1; \
reference:url,digitalbond.com/tools/quickdraw/ethernetip-rules; classtype:misc-attack; sid:1111514; rev:1; priority:2;)
alert enip !$ENIP_CLIENT any -> $ENIP_SERVER 44818 (msg:"SCADA_IDS: ENIP/CIP - Rockwell, Software Upload from Unauthorized Client"; cip_service:79; \
threshold: type limit, track by_src, seconds 1, count 1; \
reference:url,digitalbond.com/tools/quickdraw/ethernetip-rules; classtype:misc-attack; sid:1111515; rev:1;)
alert enip $ENIP_CLIENT any -> $ENIP_SERVER 44818 (msg:"SCADA_IDS: ENIP/CIP - Rockwell, Software Upload from Authorized Client"; cip_service:79; \
threshold: type limit, track by_src, seconds 1, count 1; \
reference:url,digitalbond.com/tools/quickdraw/ethernetip-rules; classtype:misc-attack; sid:1111516; rev:1;)
# Alert on a Request Identity command that was sent via Redpoint Nmap NSE
alert tcp any any -> any 44818 (content: "|63|"; offset: 0; depth: 1; content: "|C1 DE BE D1|"; offset: 16; depth: 4; \
msg: "TCP EtherNet/IP Request Identity Attempt Via Redpoint Nmap NSE"; sid:1111517; priority:3;)
# Alert on a Request Identity command that was sent via Redpoint Nmap NSE
alert udp any any -> any 44818 (content: "|63|"; offset: 0; depth: 1; content: "|C1 DE BE D1|"; offset: 16; depth: 4; \
msg: "UDP EtherNet/IP Request Identity Attempt Via Redpoint Nmap NSE"; sid:1111518; priority:3;)
alert enip !$ENIP_CLIENT any -> $ENIP_SERVER 44818 (msg:"SCADA_IDS: ENIP/CIP - Stop Detected from Unauthorized Client"; cip_service:7; \
reference:url,digitalbond.com/tools/quickdraw/ethernetip-rules; classtype:denial-of-service; sid:1111519; rev:1; priority:2;)
alert enip $ENIP_CLIENT any -> $ENIP_SERVER 44818 (msg:"SCADA_IDS: ENIP/CIP - Stop Detected from Authorized Client"; cip_service:7; \
reference:url,digitalbond.com/tools/quickdraw/ethernetip-rules; classtype:denial-of-service; sid:1111520; rev:1; priority:2;)