Terms
spm: single pattern match
mpm: multi pattern matcher
bm: boyer moore
hs: hyperscan
ppt: packet processing thread
cidr: classless inter-domain routing, such as a.b.c.d/x
tsap: transport service access point
scada: supervisory control and data acquisition
Protocols
opc: ole for process control/Microsoft
opcua/tcp/started bytes/
opcda/dcerpc/started bytes/
modbus: /port 502/Schneider
rtu: remote terminal unit
ascii
tcp
s7comm: /port 102/*(base + 7) == 0x32/Siemens
tpkt:
cotp: connection-oriented transport protocol
ed: 0x1, expedited data
ea: 0x2, expedited data acknowledgement
ud: 0x4, user data
rj: 0x5, reject
dr: 0x8, disconnect request
dc: 0xC, disconnect confirm
cc: 0xD, connect confirm
cr: 0xE, connect request
dt: 0xF, data
rosctr: remote operating service control
bacnet/ip: building automation and control networks/udp/port 47808/ISO standards
bvlc: bacnet virtual link control
npdu: bacnet network layer
apdu: bacnet application layer
bbmd: bacnet/ip broadcast management device
ethernet-ip: /ODVA
cip: common industrial protocol/tcp/port 44818
cip i/o: /udp/port 2222
iec: International Electrotechnical Commission
iec60870-5:
101: basic telecontrol tasks
104: network access for iec60870-5-101
iec104: /tcp/port 2404/*base == 0x68/
apdu: application protocol data unit
apci: application protocol control information
cf1: first control field
i-format: information transfer format/cf1 == 0/variable length
s-format: numbered supervisory functions/cf1 == 01/fixed length
u-format: unnumbered control functions/cf1 == 11/fixed length
asdu: application service data unit
sq: structure qualifier
cot: cause of transmission
oa: originator address
ioa: information object address
siq: single point of information
diq: double point information
sco: single command
dco: double command
rco: regulating step command
vti: value with transient state indication
sva: scaled value
coa: common address of asdu
102: electricity metering
103: protection equipment
iec61850:
smv: iec61850-9-2
goose: generic substation event
sntp: time synchronisation
acsi: abstract service communication interface
mms: manufacturing message specification/port 102/
tpkt
cotp
vmd: virtual manufacturing device
gsse: generic substation state event
dnp3: distributed network protocol/port 20000/resembles iec60870-5 FT3
rtu: remote terminal unit
ied: intelligent electronic device
iccp: inter-control center communications protocol
data link layer
prm: primary
fcb: frame count bit
fcv: frame count valid bit
dfc: data flow control bit
application layer
apci: application protocol control information
fir: first fragment
fin: final fragment
con: expect a confirmation
fins: /tcp/port 9600/
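As an added example (not part of the original notes), the Python classifier below turns the port numbers and signature bytes listed above into a check a defender can run over a TCP payload: the IEC 104 start byte 0x68 and the cf1 rules for I/S/U format, the s7comm protocol id 0x32 at offset 7, and the COTP PDU-type codes. The TPKT/COTP header layout used to reach those offsets, the APDU length check, and every sample payload are this example's own assumptions and constructions, not captured traffic.

```python
"""Classify ICS/SCADA payloads by destination port and signature bytes.

Added example, not part of the original notes. Ports, the IEC 104 start
byte (0x68), the s7comm protocol id at offset 7 (0x32), the COTP PDU-type
codes and the APCI cf1 rules come from the notes. The TPKT/COTP layout
assumed here: TPKT version byte 0x03 at offset 0, 2-byte TPKT length at
offset 2, COTP length byte at offset 4, then the PDU-type byte whose high
nibble is the code. All sample payloads below are constructed, not captures.
"""

# COTP PDU-type codes as listed in the notes (high nibble of the type byte)
COTP_PDU_TYPES = {
    0x1: "ED expedited data",
    0x2: "EA expedited data ack",
    0x4: "UD user data",
    0x5: "RJ reject",
    0x8: "DR disconnect request",
    0xC: "DC disconnect confirm",
    0xD: "CC connect confirm",
    0xE: "CR connect request",
    0xF: "DT data",
}

# Port-to-protocol hints from the notes (a port alone is only a hint)
PORT_HINTS = {
    102: "tpkt/cotp (s7comm or mms)",
    502: "modbus/tcp",
    2404: "iec104",
    9600: "fins",
    20000: "dnp3",
    44818: "ethernet-ip (cip)",
}


def iec104_format(cf1: int) -> str:
    """Map the first APCI control field to I, S or U format per the notes."""
    if cf1 & 0x01 == 0:        # cf1 bit pattern ...0 -> I-format
        return "I"
    if cf1 & 0x03 == 0x01:     # ...01 -> S-format
        return "S"
    return "U"                 # ...11 -> U-format


def classify(dst_port: int, payload: bytes) -> dict:
    """Return a dict describing what the payload on dst_port looks like."""
    result = {"port_hint": PORT_HINTS.get(dst_port, "unknown"),
              "protocol": "unknown"}
    if dst_port == 2404:
        if len(payload) >= 3 and payload[0] == 0x68:
            apdu_len = payload[1]
            result["protocol"] = "iec104"
            result["apci_format"] = iec104_format(payload[2])
            # APDU length counts everything after the two-byte start/length
            # prefix; a mismatch points at reassembly or malformed traffic.
            result["length_ok"] = len(payload) == apdu_len + 2
        else:
            result["protocol"] = "not-iec104 (start byte != 0x68)"
        return result
    if dst_port == 102:
        if len(payload) >= 6 and payload[0] == 0x03:  # TPKT version 3 (assumed)
            tpkt_len = (payload[2] << 8) | payload[3]
            result["tpkt_length_ok"] = tpkt_len == len(payload)
            pdu_type = payload[5] >> 4
            result["cotp_pdu"] = COTP_PDU_TYPES.get(pdu_type, f"unknown 0x{pdu_type:x}")
            if pdu_type == 0xF and len(payload) >= 8 and payload[7] == 0x32:
                result["protocol"] = "s7comm"       # *(base + 7) == 0x32
            elif pdu_type == 0xF:
                result["protocol"] = "tpkt/cotp data (possibly mms)"
            else:
                result["protocol"] = "cotp control"
        return result
    return result


# Constructed sample payloads: (destination port, bytes)
SAMPLES = {
    "iec104_u_startdt": (2404, bytes.fromhex("680407000000")),
    "iec104_s": (2404, bytes.fromhex("680401000200")),
    "iec104_i_interrogation": (2404, bytes.fromhex("680e0000000064010600010000000014")),
    "iec104_bad_start": (2404, bytes.fromhex("0001")),
    "s7comm_setup": (102, bytes.fromhex("0300001902f08032010000000000080000f0000001000101e0")),
    "cotp_cr": (102, bytes.fromhex("0300001611e00000000100c0010ac1020100c2020102")),
    "modbus_read": (502, bytes.fromhex("000100000006010300000001")),
}


def classify_samples() -> dict:
    """Classify every constructed sample; returns name -> result dict."""
    return {name: classify(port, data) for name, (port, data) in SAMPLES.items()}


if __name__ == "__main__":
    for name, res in classify_samples().items():
        print(f"{name:24s} {res}")
```

The dispatch is deliberately port-first and byte-second: a port match alone only yields a hint, and the signature bytes confirm or contradict it, which is the same order a Suricata app-layer parser applies when it probes a flow on a known port.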
Analysing a pcap file with suricata
# alternative: --runmode single
suricata -c /path/to/suricata.yaml -r /path/to/sample.pcap --runmode autofp
PLC protocol dissectors in https://github.com/wireshark/wireshark/tree/master
Siemens S7 /epan/dissectors/packet-s7comm.c communication protocol supported by Siemens PLCs
MMS(IEC61850) /asn1/mms power transmission and distribution communication protocol
GOOSE(IEC61850) /asn1/goose power transmission and distribution communication protocol
SV(IEC61850) /asn1/sv power transmission and distribution communication protocol
Modbus /epan/dissectors/packet-mbtcp.c industrial control standard protocol
OPC DA /epan/dissectors/packet-dcom.c industrial control standard protocol
FF HSE /epan/dissectors/packet-ff.c Foundation Fieldbus Ethernet communication protocol
IEC 104 /epan/dissectors/packet-iec104.c power transmission and distribution communication protocol
Ethernet POWERLINK /epan/dissectors/packet-epl.c open real-time Ethernet communication
OPC UA /plugins/opcua/opcua.c next-generation OPC standard
HART-IP /epan/dissectors/packet-hartip.c highway addressable remote transducer protocol
CoAP /epan/dissectors/packet-coap.c lightweight application-layer protocol
Omron FINS /epan/dissectors/packet-omron-fins.c communication protocol supported by Omron PLCs
openSAFETY /epan/dissectors/packet-opensafety.c open-source safety application protocol
EGD(Ethernet Global Data) /epan/dissectors/packet-egd.c communication protocol developed by GE Fanuc for PLCs
DNP3 /epan/dissectors/packet-dnp.c distributed network protocol, mainly used in the electric power industry
Sinec H1 /epan/dissectors/packet-h1.c communication protocol supported by Siemens PLCs
Profinet /plugins/profinet/ open industrial Ethernet communication protocol
EtherCAT /plugins/ethercat/ open real-time Ethernet communication protocol promoted by Beckhoff (Germany)
SERCOS III /epan/dissectors/packet-sercosiii.c real-time Ethernet communication protocol
RTPS /epan/dissectors/packet-rtps.c real-time streaming transport protocol
TTEthernet /epan/dissectors/packet-tte.c real-time Ethernet communication protocol
CDT /dissectors/packet-cdt.c telecontrol protocol
EtherNet/IP /epan/dissectors/packet-etherip.c industrial communication protocol (Industrial Protocol), an implementation of CIP designed by Rockwell Automation
CIP /epan/dissectors/packet-cip.c common industrial protocol
CIP Safety /epan/dissectors/packet-cipsafety.c safety common industrial protocol
DeviceNet /epan/dissectors/packet-devicenet.c an implementation of CIP designed by Allen-Bradley
BACnet /epan/dissectors/packet-bacnet.c building automation and control network data communication protocol
KNXnet/IP /epan/dissectors/packet-knxnetip.c residential and building control standard
Lontalk /epan/dissectors/packet-lon.c communication protocol used by Echelon's LonWorks technology
CANopen /epan/dissectors/packet-canopen.c controller area network communication protocol
SAE J1939 /epan/dissectors/packet-j1939.c a CAN variant used in agricultural and commercial vehicles
USITT DMX512-A /epan/dissectors/packet-dmx.c lighting control data transmission protocol
BSSAP/BSAP /epan/dissectors/packet-bssap.c communication protocol developed by Bristol Babcock Inc
Gryphon /plugins/gryphon vehicle communication protocol
ZigBee /epan/dissectors/packet-zbee.h open wireless communication protocol
refer to:
https://reference.opcfoundation.org/v104/Core/docs/Part6/7.1.2/
https://plcscan.org/
https://www.fit.vut.cz/research/publication-file/11570/TR-IEC104.pdf
https://suricata.readthedocs.io/en/suricata-5.0.6/configuration/suricata-yaml.html