Snort mailing list archives

Re: New Snort Rules for PCOM protocol


From: Marcos Rodriguez <mrodriguez () sourcefire com>
Date: Mon, 14 Jan 2019 09:27:26 -0500

On Mon, Jan 14, 2019 at 7:40 AM Luís Rosa <lmrosa () dei uc pt> wrote:

Hi folks,

You can find below a list of Snort rules that I'm currently testing for the PCOM protocol. PCOM is a SCADA protocol used to 
interact with Unitronics PLCs. You can find more information about the protocol here [0], and you can also find some 
pcaps for testing here [1].

alert tcp any any -> any 20256 (flow:established; content:"ID"; offset: 9; depth:2; msg:"PCOM/ASCII Request - Identification (ID)"; classtype:attempted-recon; sid: 1000001; rev:1;)
alert tcp any 20256 -> any any (flow:established; content:"ID"; offset: 10; depth:2; msg:"PCOM/ASCII Reply - Identification (ID)"; classtype:attempted-recon; sid: 1000002; rev:1;)
alert tcp any any -> any 20256 (flow:established; content:"CCE"; offset: 9; depth:3; msg:"PCOM/ASCII Request - Reset Device (CCE)"; classtype:attempted-dos; sid: 1000003; rev:1;)
alert tcp any any -> any 20256 (flow:established; content:"CCS"; offset: 9; depth:3; msg:"PCOM/ASCII Request - Stop Device (CCS)"; classtype:attempted-dos; sid: 1000004; rev:1;)
alert tcp any any -> any 20256 (flow:established; content:"CCR"; offset: 9; depth:3; msg:"PCOM/ASCII Request - Start Device (CCR)"; classtype:attempted-dos; sid: 1000005; rev:1;)
alert tcp any any -> any 20256 (flow:established; content:"CCI"; offset: 9; depth:3; msg:"PCOM/ASCII Request - Init Device (CCI)"; classtype:attempted-dos; sid: 1000006; rev:1;)
alert tcp any any -> any 20256 (flow:established; content:"UG"; offset: 9; depth:2; msg:"PCOM/ASCII Request - Get UnitID (UG)"; classtype:attempted-recon; sid: 1000007; rev:1;)
alert tcp any 20256 -> any any (flow:established; content:"UG"; offset: 10; depth:2; msg:"PCOM/ASCII Reply - Get UnitID (UG)"; classtype:attempted-recon; sid: 1000008; rev:1;)
alert tcp any any -> any 20256 (flow:established; content:"US"; offset: 9; depth:2; msg:"PCOM/ASCII Request - Set UnitID (US)"; classtype:attempted-recon; sid: 1000009; rev:1;)
alert tcp any 20256 -> any any (flow:established; content:"US"; offset: 10; depth:2; msg:"PCOM/ASCII Reply - Set UnitID (US)"; classtype:attempted-recon; sid: 1000010; rev:1;)
alert tcp any any -> any 20256 (flow:established; content:"RC"; offset: 9; depth:2; msg:"PCOM/ASCII Request - Get RTC (RC)"; classtype:attempted-recon; sid: 1000011; rev:1;)
alert tcp any 20256 -> any any (flow:established; content:"RC"; offset: 10; depth:2; msg:"PCOM/ASCII Reply - Get RTC (RC)"; classtype:attempted-recon; sid: 1000012; rev:1;)
alert tcp any any -> any 20256 (flow:established; content:"SC"; offset: 9; depth:2; msg:"PCOM/ASCII Request - Set RTC (SC)"; classtype:attempted-recon; sid: 1000013; rev:1;)
alert tcp any 20256 -> any any (flow:established; content:"SC"; offset: 10; depth:2; msg:"PCOM/ASCII Reply - Set RTC (SC)"; classtype:attempted-recon; sid: 1000014; rev:1;)
alert tcp any any -> any 20256 (flow:established; content:"RE"; offset: 9; depth:2; msg:"PCOM/ASCII Request - Read Inputs (RE)"; classtype:attempted-recon; sid: 1000015; rev:1;)
alert tcp any 20256 -> any any (flow:established; content:"RE"; offset: 10; depth:2; msg:"PCOM/ASCII Reply - Read Inputs (RE)"; classtype:attempted-recon; sid: 1000016; rev:1;)
alert tcp any any -> any 20256 (flow:established; content:"RA"; offset: 9; depth:2; msg:"PCOM/ASCII Request - Read Outputs (RA)"; classtype:attempted-recon; sid: 1000017; rev:1;)
alert tcp any 20256 -> any any (flow:established; content:"RA"; offset: 10; depth:2; msg:"PCOM/ASCII Reply - Read Outputs (RA)"; classtype:attempted-recon; sid: 1000018; rev:1;)
alert tcp any any -> any 20256 (flow:established; content:"GS"; offset: 9; depth:2; msg:"PCOM/ASCII Request - Read System Bits (GS)"; classtype:attempted-recon; sid: 1000019; rev:1;)
alert tcp any 20256 -> any any (flow:established; content:"GS"; offset: 10; depth:2; msg:"PCOM/ASCII Reply - Read System Bits (GS)"; classtype:attempted-recon; sid: 1000020; rev:1;)
alert tcp any any -> any 20256 (flow:established; content:"GF"; offset: 9; depth:2; msg:"PCOM/ASCII Request - Read System Integers (GF)"; classtype:attempted-recon; sid: 1000021; rev:1;)
alert tcp any 20256 -> any any (flow:established; content:"GF"; offset: 10; depth:2; msg:"PCOM/ASCII Reply - Read System Integers (GF)"; classtype:attempted-recon; sid: 1000022; rev:1;)
alert tcp any any -> any 20256 (flow:established; content:"RNH"; offset: 9; depth:3; msg:"PCOM/ASCII Request - Read System Longs (RNH)"; classtype:attempted-recon; sid: 1000023; rev:1;)
alert tcp any 20256 -> any any (flow:established; content:"RN"; offset: 10; depth:2; msg:"PCOM/ASCII Reply - Read Longs (RN)"; classtype:attempted-recon; sid: 1000024; rev:1;)
alert tcp any any -> any 20256 (flow:established; content:"MB"; offset: 9; depth:2; msg:"PCOM/ASCII Request - Read Memory Bits (MB)"; classtype:attempted-recon; sid: 1000025; rev:1;)
alert tcp any 20256 -> any any (flow:established; content:"MB"; offset: 10; depth:2; msg:"PCOM/ASCII Reply - Read Memory Bits (MB)"; classtype:attempted-recon; sid: 1000026; rev:1;)
alert tcp any any -> any 20256 (flow:established; content:"MI"; offset: 9; depth:2; msg:"PCOM/ASCII Request - Read Memory Integers (MI)"; classtype:attempted-recon; sid: 1000027; rev:1;)
alert tcp any 20256 -> any any (flow:established; content:"MI"; offset: 10; depth:2; msg:"PCOM/ASCII Reply - Read Memory Integers (MI)"; classtype:attempted-recon; sid: 1000028; rev:1;)
alert tcp any any -> any 20256 (flow:established; content:"RNL"; offset: 9; depth:3; msg:"PCOM/ASCII Request - Read Memory Longs (RNL)"; classtype:attempted-recon; sid: 1000029; rev:1;)
alert tcp any any -> any 20256 (flow:established; content:"SA"; offset: 9; depth:2; msg:"PCOM/ASCII Request - Write Outputs (SA)"; classtype:attempted-recon; sid: 1000030; rev:1;)
alert tcp any 20256 -> any any (flow:established; content:"SA"; offset: 10; depth:2; msg:"PCOM/ASCII Reply - Write Outputs (SA)"; classtype:attempted-recon; sid: 1000031; rev:1;)
alert tcp any any -> any 20256 (flow:established; content:"SS"; offset: 9; depth:2; msg:"PCOM/ASCII Request - Write System Bits (SS)"; classtype:attempted-recon; sid: 1000032; rev:1;)
alert tcp any 20256 -> any any (flow:established; content:"SS"; offset: 10; depth:2; msg:"PCOM/ASCII Reply - Write System Bits (SS)"; classtype:attempted-recon; sid: 1000033; rev:1;)
alert tcp any any -> any 20256 (flow:established; content:"SF"; offset: 9; depth:2; msg:"PCOM/ASCII Request - Write System Integers (SF)"; classtype:attempted-recon; sid: 1000034; rev:1;)
alert tcp any 20256 -> any any (flow:established; content:"SF"; offset: 10; depth:2; msg:"PCOM/ASCII Reply - Write System Integers (SF)"; classtype:attempted-recon; sid: 1000035; rev:1;)
alert tcp any any -> any 20256 (flow:established; content:"SNH"; offset: 9; depth:3; msg:"PCOM/ASCII Request - Write System Longs (SNH)"; classtype:attempted-recon; sid: 1000036; rev:1;)
alert tcp any 20256 -> any any (flow:established; content:"SN"; offset: 10; depth:2; msg:"PCOM/ASCII Reply - Write Longs (SN)"; classtype:attempted-recon; sid: 1000037; rev:1;)
alert tcp any any -> any 20256 (flow:established; content:"SB"; offset: 9; depth:2; msg:"PCOM/ASCII Request - Write Memory Bits (SB)"; classtype:attempted-recon; sid: 1000038; rev:1;)
alert tcp any 20256 -> any any (flow:established; content:"SB"; offset: 10; depth:2; msg:"PCOM/ASCII Reply - Write Memory Bits (SB)"; classtype:attempted-recon; sid: 1000039; rev:1;)
alert tcp any any -> any 20256 (flow:established; content:"SW"; offset: 9; depth:2; msg:"PCOM/ASCII Request - Write Memory Integers (SW)"; classtype:attempted-recon; sid: 1000040; rev:1;)
alert tcp any 20256 -> any any (flow:established; content:"SW"; offset: 10; depth:2; msg:"PCOM/ASCII Reply - Write Memory Integers (SW)"; classtype:attempted-recon; sid: 1000041; rev:1;)
--
[0] https://unitronicsplc.com/Download/SoftwareUtilities/Unitronics%20PCOM%20Protocol.pdf
[1] https://github.com/lmrosa/pcom-misc/tree/master/pcaps

Hi Luis,

Thank you so much for your submission.  We'll place these rules
through our testing procedures and ensure you receive credit should
they get added to the community ruleset.  Thanks again!

-- 
Marcos Rodriguez
Cisco Talos
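To make the offsets in the submitted rules concrete, here is an added Python example; it is not code from the post, from Talos or from Unitronics. It follows the frame layout in the PCOM protocol document linked as [0]: a 6-byte PCOM/TCP header (transaction id, protocol mode byte 101 for ASCII or 102 for binary, a reserved byte, little-endian message length), then "/" + two-character unit id + command code for a request and "/A" + unit id + command code for a reply, which is why the command code lands at payload offset 9 in a request and 10 in a reply. The checksum rule used to build the sample frames (sum of the ASCII bytes from the unit id through the last operand, mod 256, as two hex digits), the operand values and the reply data string are assumptions and constructed sample input. The matcher goes slightly beyond the posted rules: it also requires the protocol mode byte to be 101 and the message to start with "/" or "/A", so a binary-mode PCOM frame that happens to carry "ID" at offset 9 does not match.

```python
"""Added example: PCOM/TCP ASCII framing and the command-code test behind the posted rules.

Not code from the post, from Talos or from Unitronics. The checksum rule below
is an assumption used only to build the constructed sample frames.
"""
import struct

PCOM_TCP_PORT = 20256
MODE_ASCII = 101                  # protocol mode byte for PCOM/ASCII
MODE_BINARY = 102                 # protocol mode byte for PCOM/Binary (not covered by the rules)
HEADER = struct.Struct("<HBBH")   # transaction id, mode, reserved, message length (little-endian)

# Request command code -> (sid, description, classtype), copied from the posted request rules.
REQUEST_RULES = {
    b"ID":  (1000001, "Identification (ID)", "attempted-recon"),
    b"CCE": (1000003, "Reset Device (CCE)", "attempted-dos"),
    b"CCS": (1000004, "Stop Device (CCS)", "attempted-dos"),
    b"CCR": (1000005, "Start Device (CCR)", "attempted-dos"),
    b"CCI": (1000006, "Init Device (CCI)", "attempted-dos"),
    b"UG":  (1000007, "Get UnitID (UG)", "attempted-recon"),
    b"US":  (1000009, "Set UnitID (US)", "attempted-recon"),
    b"RC":  (1000011, "Get RTC (RC)", "attempted-recon"),
    b"SC":  (1000013, "Set RTC (SC)", "attempted-recon"),
    b"RE":  (1000015, "Read Inputs (RE)", "attempted-recon"),
    b"RA":  (1000017, "Read Outputs (RA)", "attempted-recon"),
    b"GS":  (1000019, "Read System Bits (GS)", "attempted-recon"),
    b"GF":  (1000021, "Read System Integers (GF)", "attempted-recon"),
    b"RNH": (1000023, "Read System Longs (RNH)", "attempted-recon"),
    b"MB":  (1000025, "Read Memory Bits (MB)", "attempted-recon"),
    b"MI":  (1000027, "Read Memory Integers (MI)", "attempted-recon"),
    b"RNL": (1000029, "Read Memory Longs (RNL)", "attempted-recon"),
    b"SA":  (1000030, "Write Outputs (SA)", "attempted-recon"),
    b"SS":  (1000032, "Write System Bits (SS)", "attempted-recon"),
    b"SF":  (1000034, "Write System Integers (SF)", "attempted-recon"),
    b"SNH": (1000036, "Write System Longs (SNH)", "attempted-recon"),
    b"SB":  (1000038, "Write Memory Bits (SB)", "attempted-recon"),
    b"SW":  (1000040, "Write Memory Integers (SW)", "attempted-recon"),
}
# The post has no reply rule for the CC* commands or for RNL.
NO_REPLY_RULE = {b"CCE", b"CCS", b"CCR", b"CCI", b"RNL"}
# Replies to the three-character long commands carry a two-character code in the post.
REPLY_CODE = {b"RNH": b"RN", b"SNH": b"SN"}
# Every reply rule in the post has sid = request sid + 1; _rule_for relies on that.


def _checksum(body: bytes) -> bytes:
    """Assumed PCOM/ASCII checksum: byte sum mod 256 as two uppercase hex digits."""
    return b"%02X" % (sum(body) & 0xFF)


def build_frame(unit_id: int, code: bytes, operands: bytes = b"", *,
                reply: bool = False, transaction_id: int = 1,
                mode: int = MODE_ASCII) -> bytes:
    """Build one PCOM/TCP payload: 6-byte header, then the ASCII request or reply."""
    body = b"%02X" % unit_id + code + operands
    msg = (b"/A" if reply else b"/") + body + _checksum(body) + b"\r"
    return HEADER.pack(transaction_id, mode, 0, len(msg)) + msg


def _rule_for(code: bytes, to_plc: bool):
    """Look up the posted rule for a command code in the given direction."""
    if to_plc:
        return REQUEST_RULES.get(code)
    for req_code, (sid, desc, classtype) in REQUEST_RULES.items():
        if req_code not in NO_REPLY_RULE and REPLY_CODE.get(req_code, req_code) == code:
            return sid + 1, desc, classtype
    return None


def match_rule(payload: bytes, to_plc: bool):
    """Return (sid, msg, classtype) of the posted rule that would fire on this TCP payload.

    Mirrors the rules' content/offset/depth test (code at offset 9 for requests,
    10 for replies) and adds two checks the rules do not make: the protocol mode
    byte must be 101 (ASCII) and the message must start with "/" or "/A".
    """
    if len(payload) < HEADER.size:
        return None
    _tid, mode, _reserved, length = HEADER.unpack_from(payload)
    msg = payload[HEADER.size:]
    if mode != MODE_ASCII or len(msg) != length:
        return None                      # binary mode, truncated, or trailing data
    stx, offset = (b"/", 9) if to_plc else (b"/A", 10)
    if not msg.startswith(stx):
        return None
    for width in (3, 2):                 # three-character codes (CCE, RNH, ...) first
        rule = _rule_for(payload[offset:offset + width], to_plc)
        if rule:
            sid, desc, classtype = rule
            kind = "Request" if to_plc else "Reply"
            return sid, f"PCOM/ASCII {kind} - {desc}", classtype
    return None


if __name__ == "__main__":
    # Constructed sample traffic: ID request and reply, a stop command, a binary-mode frame.
    for payload, to_plc in [(build_frame(0, b"ID"), True),
                            (build_frame(0, b"ID", b"MODEL-X", reply=True), False),
                            (build_frame(0, b"CCS"), True),
                            (build_frame(0, b"ID", mode=MODE_BINARY), True)]:
        print(payload.hex(), "->", match_rule(payload, to_plc))
```

Run it over the pcaps linked as [1] by feeding each TCP payload to `match_rule` with `to_plc` set from the destination port. The mode-byte check is the one worth carrying back into the rules (for example a `content:"|65|"; offset:2; depth:1;` ahead of the command-code content), and `flow:established` could be tightened to `flow:established,to_server` on the request rules and `flow:established,to_client` on the reply rules.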
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
