SCADA - Snort rules not firing for DNP3 and Modbus


Chris Sistrunk

Mar 27, 2015, 12:27:21 PM
to securit...@googlegroups.com
Hey!

I have a Snort question. I have Security Onion set up with the quick setup (so Snort and Bro are my IDS). I have sent good and malformed DNP3 and modbus traffic. Bro picks it up (and spits out logs) but Snort does not.

I looked in the Snort settings and the DNP3 and Modbus preprocessors are enabled. I am sending DNP3 and modbus traffic on their standard ports (20000 and 502).
Snort is firing on other traffic and other rules just fine.

Does anyone have any suggestions why the default Snort settings aren't working?
Do I need to add some custom rules?

I am an expert in DNP3 and modbus, but still quite new to Security Onion and snort.
Also...I will keep tagging any SCADA-related SO questions with SCADA in the subject for easier search.

Thanks!
Chris
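The thread turns on the difference between decoding and alerting: the Snort DNP3 and Modbus preprocessors only parse the protocol on ports 20000 and 502, and alerts come from rules that key on the decoded fields (the DigitalBond rules discussed below use rule options such as modbus_func and dnp3_func). The Python below is an added illustration, not code from this thread or from Security Onion, of the kind of well-formedness checks such a decoder performs on Modbus/TCP and DNP3 link-layer frames; the sample frames are constructed, and the CRC-16/DNP parameters (reflected polynomial 0xA6BC, complemented result) are the standard ones.

```python
import struct
# Public Modbus function codes; anything else is reserved or vendor-specific.
MODBUS_PUBLIC_FUNCS = {1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 15, 16, 17, 20, 21, 22, 23, 24, 43}

def check_modbus_tcp(frame: bytes) -> list:
    """Problems a Modbus/TCP decoder would flag in one ADU (empty list = well-formed)."""
    if len(frame) < 8:
        return ["shorter than MBAP header plus function code"]
    tid, proto, length, unit = struct.unpack("!HHHB", frame[:7])  # MBAP header, big-endian
    func, problems = frame[7], []
    if proto != 0:
        problems.append(f"protocol id {proto} is non-zero")
    if length != len(frame) - 6:  # length field counts unit id + PDU
        problems.append(f"MBAP length {length} != actual {len(frame) - 6}")
    if (func & 0x7F) not in MODBUS_PUBLIC_FUNCS:  # bit 7 marks an exception response
        problems.append(f"function code {func} is reserved")
    return problems

def dnp3_crc(data: bytes) -> int:
    """CRC-16/DNP: reflected polynomial 0xA6BC, init 0, result complemented."""
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF

def check_dnp3_link(frame: bytes) -> list:
    """Validate the DNP3 link header CRC and the CRC of every 16-byte user-data block."""
    if len(frame) < 10 or frame[:2] != b"\x05\x64":
        return ["missing 0x0564 start bytes or truncated header"]
    length, ctrl, dst, src, crc = struct.unpack("<BBHHH", frame[2:10])  # little-endian
    problems = [] if crc == dnp3_crc(frame[:8]) else ["header CRC mismatch"]
    body, remaining = frame[10:], length - 5  # length covers ctrl/dst/src + user data
    while remaining > 0:
        n = min(16, remaining)
        if len(body) < n + 2:
            problems.append("user data truncated")
            break
        if struct.unpack("<H", body[n:n + 2])[0] != dnp3_crc(body[:n]):
            problems.append("user data block CRC mismatch")
        body, remaining = body[n + 2:], remaining - n
    return problems
def build_dnp3_frame(ctrl: int, dst: int, src: int, user_data: bytes = b"") -> bytes:
    # Assemble a well-formed link frame; used here only to construct the samples below.
    hdr = struct.pack("<BBBBHH", 0x05, 0x64, 5 + len(user_data), ctrl, dst, src)
    out = hdr + struct.pack("<H", dnp3_crc(hdr))
    for i in range(0, len(user_data), 16):
        block = user_data[i:i + 16]
        out += block + struct.pack("<H", dnp3_crc(block))
    return out
# Constructed samples (not captured traffic): one good and one malformed frame per protocol.
GOOD_MODBUS = bytes.fromhex("0001 0000 0006 01 03 0000 000a")  # FC3, read 10 holding registers
BAD_MODBUS = bytes.fromhex("0001 0000 0010 01 03 0000 000a")   # MBAP length claims 16 bytes follow
GOOD_DNP3 = build_dnp3_frame(0xC4, 1, 1024, bytes.fromhex("c0 c1 01 3c 02 06"))  # read class 1
BAD_DNP3 = GOOD_DNP3[:3] + bytes([GOOD_DNP3[3] ^ 0xFF]) + GOOD_DNP3[4:]  # control byte corrupted
```

A decoder that accepts GOOD_MODBUS and GOOD_DNP3 silently is behaving correctly; whether anything appears in Sguil still depends on a rule matching the decoded function code, which is why adding rules was the fix in this thread.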

Jim Solderitsch

Mar 27, 2015, 1:24:07 PM
to securit...@googlegroups.com
Chris,

Did you install the Snort signatures from Digitalbond? I had to install them into Snort's local rules file. But then I was able to see modbus related alerts in squert and sguil. I have not done any work with DNP3. This was with actual modbus traffic on my small local network rather than pcap replays.

Jim

Chris Sistrunk

Mar 27, 2015, 1:31:50 PM
to securit...@googlegroups.com

No, I didn't install any extra signatures yet (I assumed that they were built in). I have seen the procedure to rerun something for new rules in SO...but I have no idea where to put them.

I appreciate any help you can give me on installing rules.

I've generated traffic on a network and done tcpreplays as well.

--
You received this message because you are subscribed to a topic in the Google Groups "security-onion" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/security-onion/6maNKPAdN6w/unsubscribe.
To unsubscribe from this group and all its topics, send an email to security-onio...@googlegroups.com.
To post to this group, send email to securit...@googlegroups.com.
Visit this group at http://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.

Doug Burks

Mar 27, 2015, 1:44:35 PM
to securit...@googlegroups.com
Hi Chris,

You'll need to download the Snort signatures from DigitalBond and add
them to /etc/nsm/rules/local.rules:
https://github.com/Security-Onion-Solutions/security-onion/wiki/AddingLocalRules



--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com

Chris Sistrunk

Mar 27, 2015, 3:16:42 PM
to securit...@googlegroups.com
Thanks Doug! I will try that and report back. Also, is there a way to point snort.conf to dnp3_1_2.rules or modbus_1_2.rules instead of having to put them into local.rules?

It would be nice to keep them separate. If not possible (due to a ton of re-coding etc), then I know copying all the rules to local.rules will work.

Doug Burks

Mar 28, 2015, 11:52:55 AM
to securit...@googlegroups.com

Chris Sistrunk

Mar 30, 2015, 11:56:49 AM
to securit...@googlegroups.com
Thanks Doug for helping me! I will try this and report back. I eventually want to make a checklist or wiki for getting Security Onion setup for an ICS/SCADA environment.

1. Install SO
2. Run SO setup (ports etc)
3. Install SiLK, FlowBAT
4. Install Digitalbond Snort rules (and any other custom rules)
5. Fine tune the Snort rules to the specific ICS environment
   - add new rules
   - remove noisy rules that don't matter

I've gotten pretty good at 1-3.

Chris

Doug Burks

Mar 30, 2015, 12:21:55 PM
to securit...@googlegroups.com
On Mon, Mar 30, 2015 at 11:56 AM, Chris Sistrunk
<chriss...@gmail.com> wrote:
> Thanks Doug for helping me! I will try this and report back. I eventually want to make a checklist or wiki for getting Security Onion setup for an ICS/SCADA environment.
>
> 1. Install SO
> 2. Run SO setup (ports etc)
> 3. Install SiLK, FlowBAT

Just out of curiosity, is there something specific to ICS/SCADA
environments that necessitates SiLK and FlowBAT?

Is there a way to get the same data using ELSA and Bro's conn.log?

Chris Sistrunk

Mar 30, 2015, 12:35:10 PM
to securit...@googlegroups.com

I'd imagine some analysts like SiLK or the FlowBAT GUI better than bro/ELSA conn.log, kind of like Snorby & Sguil which do similar things (to my knowledge at least).

I prefer GUIs myself. My background is in power electrical engineering and SCADA and I'm not an analyst by training.

Lots of ways to skin a cat.

In an actual installation, there may just be some Bro sensors reporting to SO with highly specific IDS rules. So for beginners...I'll give them everything and then they can choose what they like the best.

I could be waaay off in my understanding of all of these tools. I'm just trying to learn and help defend ICS.

I definitely appreciate Doug and all of the SO developers to bring NSM to new people.

Doug Burks

Mar 30, 2015, 12:54:12 PM
to securit...@googlegroups.com
Replies inline.

On Mon, Mar 30, 2015 at 12:35 PM, Chris Sistrunk
<chriss...@gmail.com> wrote:
> I'd imagine some analysts like SiLK or the FlowBAT GUI better than bro/ELSA
> conn.log, kind of like Snorby & Sguil which do similar things (to my
> knowledge at least).
>
> I prefer GUIs myself. My background is in power electrical engineering and
> SCADA and I'm not an analyst by training.
>
> Lots of ways to skin a cat.

Agreed. I'm not trying to dictate or mandate any particular tool,
just trying to understand your use case and make sure that we're not
duplicating effort unnecessarily.

> In an actual installation, there may just be some Bro sensors reporting to
> SO with highly specific IDS rules. So for beginners...I'll give them
> everything and then they can choose what they like the best.

Please note that if you run Quick Setup (or run Advanced Setup and
enable all services), then you've already got 3 different forms of
session data:
Bro conn.log
Argus
Prads

Adding SiLK would increase that to 4 forms of session data. Make sure
that you're not duplicating effort unnecessarily.

> I could be waaay off in my understanding of all of these tools. I'm just
> trying to learn and help defend ICS.

What kinds of questions do you ask of FlowBAT in your typical
ICS/SCADA environment?

Are those questions different than the kinds of questions that we
would ask of session data in a more "traditional" network
environment?



Chris Sistrunk

Mar 30, 2015, 1:39:04 PM
to securit...@googlegroups.com
> Agreed. I'm not trying to dictate or mandate any particular tool,
> just trying to understand your use case and make sure that we're not
> duplicating effort unnecessarily.

I'm still in the learning how to use SO phase. I have some ICS devices in my office and I am letting SO watch the traffic. After I get the snort rules set up, then I will focus on a specific use case.

> Adding SiLK would increase that to 4 forms of session data. Make sure
> that you're not duplicating effort unnecessarily.

I've never used Argus or Prads. Perhaps I should learn how to use those too. I have looked at the bro.conn log. The FlowBAT GUI is very helpful to me...as I can export it right to Excel (my favorite tool...I'm an engineer you know). I didn't have to train myself on the SiLK command line queries...I just used the query builder and boom, there is the data.

> What kinds of questions do you ask of FlowBAT in your typical
> ICS/SCADA environment?
>
> Are those questions different than the kinds of questions that we
> would ask of session data in a more "traditional" network
> environment?

I don't really ask FlowBAT questions (because I don't know the SiLK command line yet). I use the Query Builder...I use the default output and then filter on the ports (scan through the list), then the top bytes (then scan through the list). I am not familiar enough with bro to know what's all there and how to leverage the unique IDs. The GUIs are helpful that I get results right away without having to learn the command line stuff.

That's why FlowBAT was created according to Chris and Jason...for people like me who like GUIs.

If I can learn how to use this platform, then I can continue to show the way that NSM is desperately needed in ICS networks. I have a gut feeling that many ICS are already breached...and certainly more ICS-specific malware is on the way.

Doug Burks

Mar 30, 2015, 1:47:20 PM
to securit...@googlegroups.com
Replies inline.

On Mon, Mar 30, 2015 at 1:39 PM, Chris Sistrunk <chriss...@gmail.com> wrote:
>> Adding SiLK would increase that to 4 forms of session data. Make sure
>> that you're not duplicating effort unnecessarily.
>
> I've never used Argus or Prads. Perhaps I should learn how to use those too. I have looked at the bro.conn log. The FlowBAT gui is very helpful to me...as I can export it right to Excel (my favorite tool...I'm an engineer you know). I didn't have to train myself on the SiLK command line queries...I just used the query builder and boom there is the data.

FYI, you can use ELSA as a GUI to slice and dice the Bro conn.log
(without having to use the command line) and you can export right to
Excel as well.

>> What kinds of questions do you ask of FlowBAT in your typical
>> ICS/SCADA environment?
>>
>> Are those questions different than the kinds of questions that we
>> would ask of session data in a more "traditional" network
>> environment?
>
> I don't really ask FlowBAT questions (because I don't know the SiLK command line yet). I use the Query Builder...I use the default output and then filter on the ports (scan through the list), then the top bytes (then scan through the list). I am not familiar enough with bro to know what's all there and how to leverage the unique IDs. The GUIs are helpful that I get results right away without having to learn the command line stuff.

Take a look at some of our default ELSA queries for Bro's conn.log including:
Connections - Top SRC IPs
Connections - Top DST IPs
Connections - Top DST ports
Connections: Top Services

Please see the screenshots on the following pages:
http://blog.securityonion.net/2014/01/new-securityonion-web-page-package.html
http://blog.securityonion.net/2015/01/new-elsa-packages-parse-country-code.html

Chris Sistrunk

Mar 30, 2015, 5:44:25 PM
to securit...@googlegroups.com

I was already aware of the ELSA conn log page with the TOP IPs, ports, etc. The only thing is it won't show ALL of the connections.

In other words it can miss a dedicated link like a webcam (high bandwidth...one connection). I have to verify small connection numbers with the bro log itself or FlowBAT.

On a production ICS you may have a limited number of IPs with lots of connections...but I'd imagine there will be low connections as well (webcams, streaming data out, etc).

Great discussion!

Doug Burks

Mar 31, 2015, 8:53:19 AM
to securit...@googlegroups.com
Yes, that's why I asked about your use case and/or the questions that
you are asking of your data. Depending on what you're looking for,
there may be other data types that may help you.

For your webcam example, many webcams have an HTTP webserver and so
that's going to generate lots of HTTP logs. Even if the HTTP
transactions are pipelined into a single TCP connection, Bro will
generate individual HTTP logs for each HTTP transaction, so those
webcam hits will start bubbling up to the top of the ELSA HTTP
queries.

Since the webcam has its own webserver, that will show up as an asset
in the ELSA Software query.

If the webcam is using HTTPS, it most likely has a self-signed SSL
cert that will show up in the ELSA Notices query.

If the webcam is hardcoded to use certain DNS servers, you might catch
those DNS requests using ELSA's DNS - Top DST IPs query.

If the webcam does DDNS, you might catch it beaconing to the DDNS provider.

Again, I'm not trying to dictate or mandate any particular tool, just
trying to make sure that folks understand the data types that can be
used to find things on their networks.



Ihab Darwish

Dec 20, 2016, 8:04:43 AM
to security-onion
Hi Chris,

I am doing research on DNP3 attack detection and I was wondering if you have any data set of malformed or good DNP3 traffic? From your post I have learned that you are doing some work in this area and I hope you can help. If you have the info, please email it to idar...@hotmail.com.

Regards,
Ihab Darwish

Chris Sistrunk

Dec 20, 2016, 8:54:09 AM
to securit...@googlegroups.com
Hi Ihab,

There is an online repository of good DNP3 pcaps as well as an open source version of a DNP3 fuzzer here: https://github.com/ITI/ICS-Security-Tools?files=1

Jason Smith also has some additional DNP3 pcaps as well.  https://github.com/automayt/ICS-pcap/tree/master/DNP3

I hope this helps.

Chris




Ihab Darwish

Dec 20, 2016, 1:23:53 PM
to security-onion
Thanks Chris for the prompt response! I have checked these links and I could not find packet injection or DNP3 packet manipulation types of attacks that usually go unnoticed by the DNP3 devices. Can you help? I just need some traffic related to injection or packet manipulation along with good normal DNP3 request and response traffic to analyze my detection scheme.

It would be great if you have this type of traffic.

Regards,
Ihab

Doug Burks

Jan 6, 2018, 4:12:26 PM
to securit...@googlegroups.com
Hi Ed,

Instead of replying to old threads, please start a new thread as described here:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists#start-a-new-thread-instead-of-replying-to-an-old-one

Thanks!

On Fri, Jan 5, 2018 at 4:44 PM, Ed <infos...@gmail.com> wrote:
> Chris/Doug,
>
> Reviving this thread from the dead. I'm having a similar issue, and I figured I could ask this group for help. My scenario is as follows:
>
> 1) I would like to run the test pcap files (no live traffic) from the QUICKDRAW rules and test pcap files inside my Security Onion VM.
>
> 2) I've tried running the "bro -r <filename.pcap>", but I'm not seeing anything pop up in ELSA?? I did notice that if I run the "bro -r modbus_test_data_part1.pcap" command inside my QUICKDRAW folder, a Modbus.log file gets created. But I still don't see any associated hits in ELSA.
>
> 3) Regarding the snort rules, I updated the local.rules file with the QUICKDRAW signatures. I also followed this process: https://github.com/Security-Onion-Solutions/security-onion/wiki/AddingLocalRules. I noticed that the "download.rules" didn't contain the QUICKDRAW rules, even though they're in my local.rules file???
> I tried using the command: "sudo tcpreplay -i eth0 -t modbus_test_data_part1.pcap" (and the DNP3 pcap files as well), and I get 0 hits in SGUIL/squert, but I see Modbus and DNP3 activity in ELSA only???
>
>
>
> Quickdraw$ sudo tcpreplay -i eth1 -t modbus_test_data_part1.pcap
> [sudo] password for :
> sending out eth1
> processing file: modbus_test_data_part1.pcap
> Actual: 118 packets (8269 bytes) sent in 0.07 seconds. Rated: 118128.6 bps, 0.90 Mbps, 1685.71 pps
> Statistics for network device: eth1
> Attempted packets: 118
> Successful packets: 118
> Failed packets: 0
> Retried packets (ENOBUFS): 0
> Retried packets (EAGAIN): 0
>
>
>
>
>
> Anyone tried this and had success??? Please help!?
>
> Thanks in advance,
> -Ed
--
Doug Burks