Re: [security-onion] Using Digital Bond's Quickdraw SCADA plugins/preprocessors w/Security Onion?


Liam Randall

Nov 29, 2012, 8:41:57 PM
to securit...@googlegroups.com
Greg,

Also please note that Bro now has experimental support for modbus:



Events:

Liam


On Thu, Nov 29, 2012 at 8:00 PM, Greg Porter <gspo...@gmail.com> wrote:
Has anyone had any experience using Digital Bond's Quickdraw SCADA snort plugins and preprocessors?  They require applying a patch and recompiling snort.  I am wondering if anyone has the ./configure switches used to compile the securityonion-snort package.

I have been able to apply their patch and compile snort-2.8.5.3 on a clean install of Ubuntu 10.04.  I am concerned about the switches and what config files I will break if I try in either a stable or testing Security Onion install.

I am trying to put together some SCADA labs for a class and I thought this would be a great way to expose students to security onion and save myself some grief.


Thanks for your attention to this matter,
GP




Seth Hall

Dec 4, 2012, 9:46:57 AM
to securit...@googlegroups.com
Thanks Liam! I'll add a few more notes.

On Nov 29, 2012, at 8:41 PM, Liam Randall <liam.r...@gmail.com> wrote:

> Also please note that Bro now has experimental support for modbus:

(In our git repository, not in a release yet)

> http://git.bro-ids.org/bro.git/blob/HEAD:/testing/btest/Baseline/scripts.base.protocols.modbus.policy/modbus.log

This is the standard protocol log for now, but we have an example script that does register memory mapping and tracking for modbus slaves (based on seen reads). Here's the script if you'd like to take a look:
http://git.bro-ids.org/bro.git/blob/HEAD:/scripts/policy/protocols/modbus/track-memmap.bro

> Events:
> http://www.bro-ids.org/documentation-git/scripts/base/event.bif.html#id-modbus_message

Unfortunately the coil events and a couple of others aren't working quite right yet. I believe that all of the register events work correctly though.

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
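The register memory-map tracking Seth describes, as an added Python example (not the track-memmap.bro script and not code from the thread): it parses Modbus/TCP read-register requests and records which register addresses each slave has been read from, rejecting frames whose MBAP header is malformed. The slave IP, unit id and frames are constructed sample data.

```python
import struct
from collections import defaultdict

# Modbus function codes that read registers; both requests carry a 16-bit
# start address followed by a 16-bit quantity in the PDU.
READ_HOLDING_REGISTERS = 0x03
READ_INPUT_REGISTERS = 0x04

def parse_modbus_tcp(frame: bytes):
    """Parse one Modbus/TCP ADU (7-byte MBAP header + PDU).
    Returns (unit_id, function_code, pdu_data); raises ValueError if malformed."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    # The MBAP length field counts the unit id byte and the whole PDU.
    if length != len(frame) - 6:
        raise ValueError(f"MBAP length {length} does not match frame size")
    return unit, frame[7], frame[8:]

def track_register_reads(frames):
    """Build a per-slave register map from observed read requests.
    frames: iterable of (slave_ip, frame_bytes).
    Returns {(slave_ip, unit_id): sorted list of register addresses read}."""
    memmap = defaultdict(set)
    for slave_ip, frame in frames:
        unit, fc, data = parse_modbus_tcp(frame)
        if fc in (READ_HOLDING_REGISTERS, READ_INPUT_REGISTERS) and len(data) == 4:
            start, qty = struct.unpack(">HH", data)
            memmap[(slave_ip, unit)].update(range(start, start + qty))
    return {k: sorted(v) for k, v in memmap.items()}

def build_read_request(tid, unit, fc, start, qty):
    """Constructs a sample read request frame (test data, not captured traffic)."""
    pdu = struct.pack(">BHH", fc, start, qty)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

# Constructed sample traffic: a master polling two register ranges on slave 10.0.0.5.
SAMPLE = [
    ("10.0.0.5", build_read_request(1, 1, READ_HOLDING_REGISTERS, 100, 4)),
    ("10.0.0.5", build_read_request(2, 1, READ_INPUT_REGISTERS, 200, 2)),
    ("10.0.0.5", build_read_request(3, 1, READ_HOLDING_REGISTERS, 102, 3)),
]

if __name__ == "__main__":
    for key, regs in track_register_reads(SAMPLE).items():
        print(key, regs)
```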

Victor Julien

Dec 5, 2012, 1:20:51 AM
to securit...@googlegroups.com
On 12/05/2012 01:45 AM, controlling chaos wrote:
> I thought these had already been integrated into the regular ruleset? Or maybe it was the ET ruleset...?
>
> About a year ago I had some back and forth with the Digitalbond folks, gist of which they weren't maintaining them any more and had turned them over to somebody else. I think. It was a while ago.
>

On the same topic, we're building something very similar into Suricata
early next year together with EnergySec[1][2]

I had a look at the implementation last week and I think it should be
able to land in Suricata 1.5. It will also support the Digital Bond
rules, which are now maintained at Emerging Threats I believe.

Cheers,
Victor

[1] http://www.openinfosecfoundation.org/index.php/component/content/article/1-latest-news/133-energysec-and-the-oisf-announce-new-scada-research
[2] https://redmine.openinfosecfoundation.org/issues/639
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------

Doug Burks

Apr 19, 2013, 5:18:59 PM
to securit...@googlegroups.com
Hi Philippe,

I don't have any experience with Digital Bond. What does the patch script do?

Thanks,
Doug

On Thu, Apr 18, 2013 at 4:07 AM, Philippe Lacouche
<philla...@gmail.com> wrote:
> Hi all,
>
> I've just set up the latest Security Onion distribution (thanks for this great tool by the way); but I can't get it to trap any modbus-tcp related event.
>
> I've tried to install the digital bond rules but the patch script won't work as the Security Onion setup seems different from a standard Snort installation.
>
> Where should I start in order to setup Security Onion for modbus-tcp monitoring?
>
> Thanks!
>



--
Doug Burks
http://securityonion.blogspot.com