DNP3: dnp3_data, dnp3_func, dnp3_ind, dnp3_obj rule keywords

src/Makefile.am

@@ -91,6 +91,7 @@ detect-dce-stub-data.c detect-dce-stub-data.h \
 detect-depth.c detect-depth.h \
 detect-detection-filter.c detect-detection-filter.h \
 detect-distance.c detect-distance.h \
+detect-dnp3.c detect-dnp3.h \
 detect-dns-query.c detect-dns-query.h \
 detect-tls-sni.c detect-tls-sni.h \
 detect-tls-cert-issuer.c detect-tls-cert-issuer.h \

src/detect-dnp3.h

@@ -0,0 +1,34 @@
+/* Copyright (C) 2015 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+#ifndef __DETECT_DNP3_H__
+#define __DETECT_DNP3_H__
+
+/**
+ * Struct for mapping symbolic names to values.
+ */
+typedef struct DNP3Mapping_ {
+    char     *name;
+    uint16_t  value;
+} DNP3Mapping;
+
+/* Map of internal indicators to value for external use. */
+extern DNP3Mapping DNP3IndicatorsMap[];
+
+void DetectDNP3Register(void);
+
+#endif /* __DETECT_DNP3_H__ */

src/detect-engine-analyzer.c

@@ -491,6 +491,8 @@ static void EngineAnalysisRulesPrintFP(const Signature *s)
         fprintf(rule_engine_analysis_FD, "tls issuer content");
     else if (list_type == DETECT_SM_LIST_TLSSUBJECT_MATCH)
         fprintf(rule_engine_analysis_FD, "tls subject content");
+    else if (list_type == DETECT_SM_LIST_DNP3_DATA_MATCH)
+        fprintf(rule_engine_analysis_FD, "dnp3 data content");
 
     fprintf(rule_engine_analysis_FD, "\" buffer.\n");
 

src/detect-engine.c

@@ -2532,6 +2532,10 @@ const char *DetectSigmatchListEnumToString(enum DetectSigmatchListEnum type)
 
         case DETECT_SM_LIST_MODBUS_MATCH:
             return "modbus";
+        case DETECT_SM_LIST_DNP3_DATA_MATCH:
+            return "dnp3_data";
+        case DETECT_SM_LIST_DNP3_MATCH:
+            return "dnp3";
 
         case DETECT_SM_LIST_CIP_MATCH:
             return "cip";

src/detect-parse.c

@@ -1600,6 +1600,11 @@ static Signature *SigInitHelper(DetectEngineCtx *de_ctx, char *sigstr,
     if (sig->sm_lists[DETECT_SM_LIST_HRHHDMATCH])
         sig->flags |= SIG_FLAG_STATE_MATCH;
 
+    /* DNP3. */
+    if (sig->sm_lists[DETECT_SM_LIST_DNP3_DATA_MATCH]) {
+        sig->flags |= SIG_FLAG_STATE_MATCH;
+    }
+
     /* Template. */
     if (sig->sm_lists[DETECT_SM_LIST_TEMPLATE_BUFFER_MATCH]) {
         sig->flags |= SIG_FLAG_STATE_MATCH;

src/detect.c

@@ -187,6 +187,7 @@
 #include "detect-ssl-state.h"
 #include "detect-modbus.h"
 #include "detect-cipservice.h"
+#include "detect-dnp3.h"
 
 #include "action-globals.h"
 #include "tm-threads.h"
@@ -2262,6 +2263,9 @@ PacketCreateMask(Packet *p, SignatureMask *mask, AppProto alproto, int has_state
                 case ALPROTO_ENIP:
                     SCLogDebug("packet/flow has enip state");
                     (*mask) |= SIG_MASK_REQUIRE_ENIP_STATE;
+                case ALPROTO_DNP3:
+                    SCLogDebug("packet/flow has dnp3 state");
+                    (*mask) |= SIG_MASK_REQUIRE_DNP3_STATE;
                     break;
                 case ALPROTO_TEMPLATE:
                     SCLogDebug("packet/flow has template state");
@@ -2500,6 +2504,10 @@ static int SignatureCreateMask(Signature *s)
         s->mask |= SIG_MASK_REQUIRE_DNS_STATE;
         SCLogDebug("sig requires dns state");
     }
+    if (s->alproto == ALPROTO_DNP3) {
+        s->mask |= SIG_MASK_REQUIRE_DNP3_STATE;
+        SCLogDebug("sig requires dnp3 state");
+    }
     if (s->alproto == ALPROTO_FTP) {
         s->mask |= SIG_MASK_REQUIRE_FTP_STATE;
         SCLogDebug("sig requires ftp state");
@@ -2521,6 +2529,7 @@ static int SignatureCreateMask(Signature *s)
         (s->mask & SIG_MASK_REQUIRE_HTTP_STATE) ||
         (s->mask & SIG_MASK_REQUIRE_SSH_STATE) ||
         (s->mask & SIG_MASK_REQUIRE_DNS_STATE) ||
+        (s->mask & SIG_MASK_REQUIRE_DNP3_STATE) ||
         (s->mask & SIG_MASK_REQUIRE_FTP_STATE) ||
         (s->mask & SIG_MASK_REQUIRE_SMTP_STATE) ||
         (s->mask & SIG_MASK_REQUIRE_ENIP_STATE) ||
@@ -4227,6 +4236,7 @@ void SigTableSetup(void)
     DetectModbusRegister();
     DetectCipServiceRegister();
     DetectEnipCommandRegister();
+    DetectDNP3Register();
 
     DetectTlsSniRegister();
     DetectTlsIssuerRegister();

src/detect.h

@@ -141,6 +141,9 @@ enum DetectSigmatchListEnum {
 
     DETECT_SM_LIST_BASE64_DATA,
 
+    DETECT_SM_LIST_DNP3_DATA_MATCH,
+    DETECT_SM_LIST_DNP3_MATCH,
+
     DETECT_SM_LIST_TEMPLATE_BUFFER_MATCH,
 
     /* Demarcation between detection and post-detection lists. All
@@ -313,6 +316,7 @@ typedef struct DetectPort_ {
 #define SIG_MASK_REQUIRE_SMTP_STATE         (1<<12)
 #define SIG_MASK_REQUIRE_TEMPLATE_STATE     (1<<13)
 #define SIG_MASK_REQUIRE_ENIP_STATE         (1<<14)
+#define SIG_MASK_REQUIRE_DNP3_STATE         (1<<15)
 
 /* for now a uint8_t is enough */
 #define SignatureMask uint16_t
@@ -1332,6 +1336,11 @@ enum {
     DETECT_CIPSERVICE,
     DETECT_ENIPCOMMAND,
 
+    DETECT_AL_DNP3DATA,
+    DETECT_AL_DNP3FUNC,
+    DETECT_AL_DNP3IND,
+    DETECT_AL_DNP3OBJ,
+
     DETECT_XBITS,
     DETECT_BASE64_DECODE,
     DETECT_BASE64_DATA,