aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

DNP3: Application layer decoder.

Browse Source 
Decodes TCP DNP3 and raises some DNP3 decoder alerts.
pull/2391/head
Jason Ish 11 years ago committed by Victor Julien
parent 240d789c40
commit bbaa79b80e
15 changed files with 13601 additions and 1 deletions
Show Stats Download Patch File Download Diff File

1
Makefile.am
Unescape Escape View File

@ -44,6 +44,7 @@ endif
@test -e "$(DESTDIR)$(e_sysconfrulesdir)tls-events.rules" || install -m 600 "$(top_srcdir)/rules/tls-events.rules" "$(DESTDIR)$(e_sysconfrulesdir)" @test -e "$(DESTDIR)$(e_sysconfrulesdir)tls-events.rules" || install -m 600 "$(top_srcdir)/rules/tls-events.rules" "$(DESTDIR)$(e_sysconfrulesdir)"
@test -e "$(DESTDIR)$(e_sysconfrulesdir)modbus-events.rules" || install -m 600 "$(top_srcdir)/rules/modbus-events.rules" "$(DESTDIR)$(e_sysconfrulesdir)" @test -e "$(DESTDIR)$(e_sysconfrulesdir)modbus-events.rules" || install -m 600 "$(top_srcdir)/rules/modbus-events.rules" "$(DESTDIR)$(e_sysconfrulesdir)"
@test -e "$(DESTDIR)$(e_sysconfrulesdir)app-layer-events.rules" || install -m 600 "$(top_srcdir)/rules/app-layer-events.rules" "$(DESTDIR)$(e_sysconfrulesdir)" @test -e "$(DESTDIR)$(e_sysconfrulesdir)app-layer-events.rules" || install -m 600 "$(top_srcdir)/rules/app-layer-events.rules" "$(DESTDIR)$(e_sysconfrulesdir)"
@test -e "$(DESTDIR)$(e_sysconfrulesdir)dnp3-events.rules" || install -m 600 "$(top_srcdir)/rules/dnp3-events.rules" "$(DESTDIR)$(e_sysconfrulesdir)"
@echo "" @echo ""
@echo "You can now start suricata by running as root something like '$(DESTDIR)$(bindir)/suricata -c $(DESTDIR)$(e_sysconfdir)/suricata.yaml -i eth0'." @echo "You can now start suricata by running as root something like '$(DESTDIR)$(bindir)/suricata -c $(DESTDIR)$(e_sysconfdir)/suricata.yaml -i eth0'."
@echo "" @echo ""

3
rules/Makefile.am
Unescape Escape View File

@ -7,4 +7,5 @@ dns-events.rules \
tls-events.rules \ tls-events.rules \
modbus-events.rules \ modbus-events.rules \
app-layer-events.rules \ app-layer-events.rules \
files.rules files.rules \
dnp3-events.rules

26
rules/dnp3-events.rules
Unescape Escape View File

@ -0,0 +1,26 @@
# DNP3 application decoder event rules.
#
# This SIDs fall in the 2270000+ range. See:
# http://doc.emergingthreats.net/bin/view/Main/SidAllocation
# Flooded.
alert dnp3 any any -> any any (msg:"SURICATA DNP3 Request flood detected"; \
app-layer-event:dnp3.flooded; sid:2270000; rev:1;)
# Length to small for PDU type. For example, link specifies the type
# as user data, but the length field is not large enough for user
# data.
alert dnp3 any any -> any any (msg:"SURICATA DNP3 Length too small"; \
app-layer-event:dnp3.len_too_small; sid:2270001; rev:2;)
# Bad link layer CRC.
alert dnp3 any any -> any any (msg:"SURICATA DNP3 Bad link CRC"; \
app-layer-event:dnp3.bad_link_crc; sid:2270002; rev:1;)
# Bad transport layer CRC.
alert dnp3 any any -> any any (msg:"SURICATA DNP3 Bad transport CRC"; \
app-layer-event:dnp3.bad_transport_crc; sid:2270003; rev:1;)
# Unknown object.
alert dnp3 any any -> any any (msg:"SURICATA DNP3 Unknown object"; \
app-layer-event:dnp3.unknown_object; sid:2270004; rev:1;)

2
src/Makefile.am
Unescape Escape View File

@ -16,6 +16,8 @@ app-layer.c app-layer.h \
app-layer-dcerpc.c app-layer-dcerpc.h \ app-layer-dcerpc.c app-layer-dcerpc.h \
app-layer-dcerpc-udp.c app-layer-dcerpc-udp.h \ app-layer-dcerpc-udp.c app-layer-dcerpc-udp.h \
app-layer-detect-proto.c app-layer-detect-proto.h \ app-layer-detect-proto.c app-layer-detect-proto.h \
app-layer-dnp3.c app-layer-dnp3.h \
app-layer-dnp3-objects.c app-layer-dnp3-objects.h \
app-layer-dns-common.c app-layer-dns-common.h \ app-layer-dns-common.c app-layer-dns-common.h \
app-layer-dns-tcp.c app-layer-dns-tcp.h \ app-layer-dns-tcp.c app-layer-dns-tcp.h \
app-layer-dns-udp.c app-layer-dns-udp.h \ app-layer-dns-udp.c app-layer-dns-udp.h \

4
src/app-layer-detect-proto.c
Unescape Escape View File

@ -695,6 +695,8 @@ void AppLayerProtoDetectPrintProbingParsers(AppLayerProtoDetectProbingParser *pp
printf(" alproto: ALPROTO_ENIP\n"); printf(" alproto: ALPROTO_ENIP\n");
else if (pp_pe->alproto == ALPROTO_TEMPLATE) else if (pp_pe->alproto == ALPROTO_TEMPLATE)
printf(" alproto: ALPROTO_TEMPLATE\n"); printf(" alproto: ALPROTO_TEMPLATE\n");
else if (pp_pe->alproto == ALPROTO_DNP3)
printf(" alproto: ALPROTO_DNP3\n");
else else
printf("impossible\n"); printf("impossible\n");
@ -750,6 +752,8 @@ void AppLayerProtoDetectPrintProbingParsers(AppLayerProtoDetectProbingParser *pp
printf(" alproto: ALPROTO_ENIP\n"); printf(" alproto: ALPROTO_ENIP\n");
else if (pp_pe->alproto == ALPROTO_TEMPLATE) else if (pp_pe->alproto == ALPROTO_TEMPLATE)
printf(" alproto: ALPROTO_TEMPLATE\n"); printf(" alproto: ALPROTO_TEMPLATE\n");
else if (pp_pe->alproto == ALPROTO_DNP3)
printf(" alproto: ALPROTO_DNP3\n");
else else
printf("impossible\n"); printf("impossible\n");

9148
src/app-layer-dnp3-objects.c
View File

File diff suppressed because it is too large Load Diff

1464
src/app-layer-dnp3-objects.h
View File

File diff suppressed because it is too large Load Diff

2661
src/app-layer-dnp3.c
View File

File diff suppressed because it is too large Load Diff

277
src/app-layer-dnp3.h
Unescape Escape View File

@ -0,0 +1,277 @@
/* Copyright (C) 2015 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
#ifndef __APP_LAYER_DNP3_H__
#define __APP_LAYER_DNP3_H__
#include "detect-engine-state.h"
#include "util-hashlist.h"
#include "util-byte.h"
/**
* The maximum size of a DNP3 link PDU.
*/
#define DNP3_MAX_LINK_PDU_LEN 292
/* DNP3 application request function codes. */
#define DNP3_APP_FC_CONFIRM 0x00
#define DNP3_APP_FC_READ 0x01
#define DNP3_APP_FC_WRITE 0x02
#define DNP3_APP_FC_SELECT 0x03
#define DNP3_APP_FC_OPERATE 0x04
#define DNP3_APP_FC_DIR_OPERATE 0x05
#define DNP3_APP_FC_DIR_OPERATE_NR 0x06
#define DNP3_APP_FC_FREEZE 0x07
#define DNP3_APP_FC_FREEZE_NR 0x08
#define DNP3_APP_FC_FREEZE_CLEAR 0x09
#define DNP3_APP_FC_FREEZE_CLEAR_NR 0x0a
#define DNP3_APP_FC_FREEZE_AT_TIME 0x0b
#define DNP3_APP_FC_FREEZE_AT_TIME_NR 0x0c
#define DNP3_APP_FC_COLD_RESTART 0x0d
#define DNP3_APP_FC_WARM_RESTART 0x0e
#define DNP3_APP_FC_INITIALIZE_DATA 0x0f
#define DNP3_APP_FC_INITIALIZE_APPLICATION 0x10
#define DNP3_APP_FC_START_APPLICATION 0x11
#define DNP3_APP_FC_STOP_APPLICATION 0x12
#define DNP3_APP_FC_SAVE_CONFIGURATION 0x13
#define DNP3_APP_FC_ENABLE_UNSOLICITED 0x14
#define DNP3_APP_FC_DISABLE_UNSOLICTED 0x15
#define DNP3_APP_FC_ASSIGN_CLASS 0x16
#define DNP3_APP_FC_DELAY_MEASUREMENT 0x17
#define DNP3_APP_FC_RECORD_CURRENT_TIME 0x18
#define DNP3_APP_FC_OPEN_TIME 0x19
#define DNP3_APP_FC_CLOSE_FILE 0x1a
#define DNP3_APP_FC_DELETE_FILE 0x1b
#define DNP3_APP_FC_GET_FILE_INFO 0x1c
#define DNP3_APP_FC_AUTHENTICATE_FILE 0x1d
#define DNP3_APP_FC_ABORT_FILE 0x1e
#define DNP3_APP_FC_ACTIVATE_CONFIG 0x1f
#define DNP3_APP_FC_AUTH_REQ 0x20
#define DNP3_APP_FC_AUTH_REQ_NR 0x21
/* DNP3 application response function codes. */
#define DNP3_APP_FC_RESPONSE 0x81
#define DNP3_APP_FC_UNSOLICITED_RESP 0x82
#define DNP3_APP_FC_AUTH_RESP 0x83
/* Extract fields from the link control octet. */
#define DNP3_LINK_DIR(control) (control & 0x80)
#define DNP3_LINK_PRI(control) (control & 0x40)
#define DNP3_LINK_FCB(control) (control & 0x20)
#define DNP3_LINK_FCV(control) (control & 0x10)
#define DNP3_LINK_FC(control) (control & 0x0f)
/* Extract fields from transport layer header octet. */
#define DNP3_TH_FIN(x) (x & 0x80)
#define DNP3_TH_FIR(x) (x & 0x40)
#define DNP3_TH_SEQ(x) (x & 0x3f)
/* Extract fields from the application control octet. */
#define DNP3_APP_FIR(x) (x & 0x80)
#define DNP3_APP_FIN(x) (x & 0x40)
#define DNP3_APP_CON(x) (x & 0x20)
#define DNP3_APP_UNS(x) (x & 0x10)
#define DNP3_APP_SEQ(x) (x & 0x0f)
/* DNP3 values are stored in little endian on the wire, so swapping will be
* needed on big endian architectures. */
#if __BYTE_ORDER == __BIG_ENDIAN
#define DNP3_SWAP16(x) SCByteSwap16(x)
#define DNP3_SWAP32(x) SCByteSwap32(x)
#define DNP3_SWAP64(x) SCByteSwap64(x)
#elif __BYTE_ORDER == __LITTLE_ENDIAN
#define DNP3_SWAP16(x) x
#define DNP3_SWAP32(x) x
#define DNP3_SWAP64(x) x
#endif
/* DNP3 decoder events. */
enum {
DNP3_DECODER_EVENT_FLOODED = 1,
DNP3_DECODER_EVENT_LEN_TOO_SMALL,
DNP3_DECODER_EVENT_BAD_LINK_CRC,
DNP3_DECODER_EVENT_BAD_TRANSPORT_CRC,
DNP3_DECODER_EVENT_MALFORMED,
DNP3_DECODER_EVENT_UNKNOWN_OBJECT,
};
/**
* \brief DNP3 link header.
*/
typedef struct DNP3LinkHeader_ {
uint8_t start_byte0; /**< First check byte. */
uint8_t start_byte1; /**< Second check byte. */
uint8_t len; /**< Length of PDU without CRCs. */
uint8_t control; /**< Control flags. */
uint16_t dst; /**< DNP3 destination address. */
uint16_t src; /**< DNP3 source address. */
uint16_t crc; /**< Link header CRC. */
} __attribute__((__packed__)) DNP3LinkHeader;
/**
* \brief DNP3 transport header.
*/
typedef uint8_t DNP3TransportHeader;
/**
* \brief DNP3 application header.
*/
typedef struct DNP3ApplicationHeader_ {
uint8_t control; /**< Control flags. */
uint8_t function_code; /**< Application function code. */
} __attribute__((__packed__)) DNP3ApplicationHeader;
/**
* \brief DNP3 internal indicators.
*
* Part of the application header for responses only.
*/
typedef struct DNP3InternalInd_ {
uint8_t iin1;
uint8_t iin2;
} __attribute__((__packed__)) DNP3InternalInd;
/**
* \brief A struct used for buffering incoming data prior to reassembly.
*/
typedef struct DNP3Buffer_ {
uint8_t *buffer;
size_t size;
int len;
int offset;
} DNP3Buffer;
/**
* \brief DNP3 application object header.
*/
typedef struct DNP3ObjHeader_ {
uint8_t group;
uint8_t variation;
uint8_t qualifier;
} __attribute__((packed)) DNP3ObjHeader;
/**
* \brief DNP3 object point.
*
* Each DNP3 object can have 0 or more points representing the values
* of the object.
*/
typedef struct DNP3Point_ {
uint32_t prefix; /**< Prefix value for point. */
uint32_t index; /**< Index of point. If the object is prefixed
* with an index then this will be that
* value. Otherwise this is the place the point
* was in the list of points (starting at 0). */
uint32_t size; /**< Size of point if the object prefix was a
* size. */
void *data; /**< Data for this point. */
TAILQ_ENTRY(DNP3Point_) next;
} DNP3Point;
typedef TAILQ_HEAD(DNP3PointList_, DNP3Point_) DNP3PointList;
/**
* \brief Struct to hold the list of decoded objects.
*/
typedef struct DNP3Object_ {
uint8_t group;
uint8_t variation;
uint8_t qualifier;
uint8_t prefix_code;
uint8_t range_code;
uint32_t start;
uint32_t stop;
uint32_t count;
DNP3PointList *points; /**< List of points for this object. */
TAILQ_ENTRY(DNP3Object_) next;
} DNP3Object;
typedef TAILQ_HEAD(DNP3ObjectList_, DNP3Object_) DNP3ObjectList;
/**
* \brief DNP3 transaction.
*/
typedef struct DNP3Transaction_ {
uint64_t tx_num; /**< Internal transaction ID. */
uint32_t logged; /**< Flags indicating which loggers have logged this tx. */
struct DNP3State_ *dnp3;
uint8_t has_request;
uint8_t request_done;
DNP3LinkHeader request_lh;
DNP3TransportHeader request_th;
DNP3ApplicationHeader request_ah;
uint8_t *request_buffer; /**< Reassembled request
* buffer. */
uint32_t request_buffer_len;
uint8_t request_complete; /**< Was the decode
* complete. It will not be
* complete if we hit objects
* we do not know. */
DNP3ObjectList request_objects;
uint8_t has_response;
uint8_t response_done;
DNP3LinkHeader response_lh;
DNP3TransportHeader response_th;
DNP3ApplicationHeader response_ah;
DNP3InternalInd response_iin;
uint8_t *response_buffer; /**< Reassembed response
* buffer. */
uint32_t response_buffer_len;
uint8_t response_complete; /**< Was the decode
* complete. It will not be
* complete if we hit objects
* we do not know. */
DNP3ObjectList response_objects;
AppLayerDecoderEvents *decoder_events; /**< Per transcation
* decoder events. */
DetectEngineState *de_state;
TAILQ_ENTRY(DNP3Transaction_) next;
} DNP3Transaction;
TAILQ_HEAD(TxListHead, DNP3Transaction_);
/**
* \brief Per flow DNP3 state.
*/
typedef struct DNP3State_ {
TAILQ_HEAD(, DNP3Transaction_) tx_list;
DNP3Transaction *curr; /**< Current transaction. */
uint64_t transaction_max;
uint16_t events;
uint32_t unreplied; /**< Number of unreplied requests. */
uint8_t flooded; /**< Flag indicating flood. */
DNP3Buffer request_buffer; /**< Request buffer for buffering
* incomplete request PDUs received
* over TCP. */
DNP3Buffer response_buffer; /**< Response buffer for buffering
* incomplete response PDUs received
* over TCP. */
} DNP3State;
void RegisterDNP3Parsers(void);
void DNP3ParserRegisterTests(void);
int DNP3PrefixIsSize(uint8_t);
#endif /* __APP_LAYER_DNP3_H__ */

2
src/app-layer-parser.c
Unescape Escape View File

@ -59,6 +59,7 @@
#include "app-layer-dns-tcp.h" #include "app-layer-dns-tcp.h"
#include "app-layer-modbus.h" #include "app-layer-modbus.h"
#include "app-layer-enip.h" #include "app-layer-enip.h"
#include "app-layer-dnp3.h"
#include "app-layer-template.h" #include "app-layer-template.h"
#include "conf.h" #include "conf.h"
@ -1222,6 +1223,7 @@ void AppLayerParserRegisterProtocolParsers(void)
RegisterModbusParsers(); RegisterModbusParsers();
RegisterENIPUDPParsers(); RegisterENIPUDPParsers();
RegisterENIPTCPParsers(); RegisterENIPTCPParsers();
RegisterDNP3Parsers();
RegisterTemplateParsers(); RegisterTemplateParsers();
/** IMAP */ /** IMAP */

3
src/app-layer-protos.c
Unescape Escape View File

@ -78,6 +78,9 @@ const char *AppProtoToString(AppProto alproto)
case ALPROTO_ENIP: case ALPROTO_ENIP:
proto_name = "enip"; proto_name = "enip";
break; break;
case ALPROTO_DNP3:
proto_name = "dnp3";
break;
case ALPROTO_TEMPLATE: case ALPROTO_TEMPLATE:
proto_name = "template"; proto_name = "template";
break; break;

1
src/app-layer-protos.h
Unescape Escape View File

@ -43,6 +43,7 @@ enum AppProtoEnum {
ALPROTO_DNS, ALPROTO_DNS,
ALPROTO_MODBUS, ALPROTO_MODBUS,
ALPROTO_ENIP, ALPROTO_ENIP,
ALPROTO_DNP3,
ALPROTO_TEMPLATE, ALPROTO_TEMPLATE,
/* used by the probing parser when alproto detection fails /* used by the probing parser when alproto detection fails

1
src/util-error.c
Unescape Escape View File

@ -330,6 +330,7 @@ const char * SCErrorToString(SCError err)
CASE_CODE (SC_ERR_INVALID_HASH); CASE_CODE (SC_ERR_INVALID_HASH);
CASE_CODE (SC_ERR_NO_SHA1_SUPPORT); CASE_CODE (SC_ERR_NO_SHA1_SUPPORT);
CASE_CODE (SC_ERR_NO_SHA256_SUPPORT); CASE_CODE (SC_ERR_NO_SHA256_SUPPORT);
CASE_CODE (SC_ERR_DNP3_CONFIG);
} }
return "UNKNOWN_ERROR"; return "UNKNOWN_ERROR";

1
src/util-error.h
Unescape Escape View File

@ -320,6 +320,7 @@ typedef enum {
SC_ERR_NO_SHA1_SUPPORT, SC_ERR_NO_SHA1_SUPPORT,
SC_ERR_NO_SHA256_SUPPORT, SC_ERR_NO_SHA256_SUPPORT,
SC_ERR_ENIP_CONFIG, SC_ERR_ENIP_CONFIG,
SC_ERR_DNP3_CONFIG,
} SCError; } SCError;
const char *SCErrorToString(SCError); const char *SCErrorToString(SCError);

8
suricata.yaml.in
Unescape Escape View File

@ -99,6 +99,7 @@ rule-files:
- tls-events.rules # available in suricata sources under rules dir - tls-events.rules # available in suricata sources under rules dir
# - modbus-events.rules # available in suricata sources under rules dir # - modbus-events.rules # available in suricata sources under rules dir
# - app-layer-events.rules # available in suricata sources under rules dir # - app-layer-events.rules # available in suricata sources under rules dir
# - dnp3-events.rules # available in suricata sources under rules dir
classification-file: @e_sysconfdir@classification.config classification-file: @e_sysconfdir@classification.config
reference-config-file: @e_sysconfdir@reference.config reference-config-file: @e_sysconfdir@reference.config
@ -163,6 +164,7 @@ outputs:
tls: yes # enable dumping of tls fields tls: yes # enable dumping of tls fields
ssh: yes # enable dumping of ssh fields ssh: yes # enable dumping of ssh fields
smtp: yes # enable dumping of smtp fields smtp: yes # enable dumping of smtp fields
dnp3: yes # enable dumping of DNP3 fields
# Enable the logging of tagged packets for rules using the # Enable the logging of tagged packets for rules using the
# "tag" keyword. # "tag" keyword.
@ -231,6 +233,7 @@ outputs:
- flow - flow
# uni-directional flows # uni-directional flows
#- netflow #- netflow
#- dnp3
# alert output for use with Barnyard2 # alert output for use with Barnyard2
- unified2-alert: - unified2-alert:
@ -722,6 +725,11 @@ app-layer:
# and not to open and close it for each MODBUS/TCP transaction. In that # and not to open and close it for each MODBUS/TCP transaction. In that
# case, it is important to set the depth of the stream reassembling as # case, it is important to set the depth of the stream reassembling as
# unlimited (stream.reassembly.depth: 0) # unlimited (stream.reassembly.depth: 0)
# DNP3
dnp3:
enabled: no
detection-ports:
dp: 20000
# smb2 detection is disabled internally inside the engine. # smb2 detection is disabled internally inside the engine.
#smb2: #smb2:
# enabled: yes # enabled: yes

Write Preview
Loading…
Cancel
Save