suricata cheat sheet

keywords

spm: single pattern match
mpm: multi pattern matcher
bm: boyer moore
hs: hyperscan
ppt: packet processing thread
cidr: classless inter-domain routing, such as a.b.c.d/x
tsap: transport service access point
scada: supervisory control and data acquisition

protocols

opc: ole for process control/Microsoft
	opcua/tcp/start bytes/
	opcda/dcerpc/start bytes/
modbus: /port 502/Schneider
	rtu: remote terminal unit
	ascii
	tcp
s7comm: /port 102/*(base + 7) == 0x32/Siemens
	tpkt:
	cotp: connection-oriented transport protocol
		ed: 0x1, expedited data
		ea: 0x2, expedited data acknowledgement
		ud: 0x4, user data
		rj: 0x5, reject
		dr: 0x8, disconnect request
		dc: 0xC, disconnect confirm
		cc: 0xD, connect confirm
		cr: 0xE, connect request
		dt: 0xF, data
	rosctr: remote operating service control
bacnet/ip: building automation and control networks/udp/port 47808/ISO standards
	bvlc: bacnet virtual link control
	npdu: bacnet network layer
	apdu: bacnet application layer
	bbmd: bacnet/ip broadcast management device
ethernet-ip: /ODVA
	cip: common industrial protocol/tcp/port 44818
	cip i/o: /udp/port 2222
iec: International Electrotechnical Commission
	iec60870-5:
		101: basic telecontrol tasks
		104: network access for iec60870-5-101
			iec104: /tcp/port 2404/*base == 0x68/
				apdu: application protocol data unit
					apci: application protocol control information
						cf1: first control field
						i-format: information transfer format/cf1 == 0/variable length
						s-format: numbered supervisory functions/cf1 == 01/fixed length
						u-format: unnumbered control functions/cf1 == 11/fixed length
					asdu: application service data unit
						sq: structure qualifier
						cot: cause of transmission
						oa: originator address
						ioa: information object address
						siq: single point of information
						diq: double point information
						sco: single command
						dco: double command
						rco: regulating step command
						vti: value with transient state indication
						sva: scaled value
				coa: common address of asdu
		102/electricity metering
		103/protection equipment
	iec61850:
		smv: iec61850-9-2
		goose: generic object oriented substation event
		sntp: time synchronization
		acsi: abstract service communication interface
			mms: manufacturing message specification/port 102/
				tpkt
				cotp
				vmd: virtual manufacturing device
		gsse: generic substation state event
dnp3: distributed network protocol/port 20000/resembles iec60870-5 FT3
	rtu: remote terminal unit
	ied: intelligent electronic device
	iccp: inter-control center communications protocol
	data link layer
		prm: primary
		fcb: frame count bit
		fcv: frame count valid bit
		dfc: data flow control bit
	application layer
		apci: application protocol control information
		fir: first fragment
		fin: final fragment
		con: expect a confirmation
fins: /tcp/port 9600/
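The byte-level identification hints in the tree above (IEC 104 frames start with 0x68 and the low bits of control field 1 select the I/S/U format; S7comm sits behind a TPKT and COTP DT header with protocol id 0x32 at offset 7) are easy to turn into content checks. The following is an added example written for this cheat sheet, not code from Suricata or from any of the referenced projects; the sample payloads are constructed for the example, and the helper names (`iec104_apci_format`, `is_s7comm`, `classify`) are this example's own.

```python
# Added example, not from the cheat sheet: turn the byte-level identification
# hints listed above (IEC 104 start byte 0x68 and APCI control-field formats;
# S7comm protocol id 0x32 behind a TPKT + COTP DT header) into small checks
# that a detection engineer can run against captured TCP payloads.
# All sample payloads below are constructed for the example.

IEC104_START = 0x68          # first octet of every IEC 104 APDU
IEC104_CTRL_LEN = 4          # APCI carries four control-field octets
TPKT_LEN = 4                 # version(1) reserved(1) length(2)
COTP_DT_LEN = 3              # length indicator(1) pdu type(1) tpdu number/eot(1)
COTP_DT_TYPE = 0x0F          # high nibble of the pdu-type octet for a DT pdu
S7COMM_PROTO_ID = 0x32       # first octet of an S7comm header


def iec104_apci_format(payload: bytes):
    """Return "I", "S" or "U" for an IEC 104 APDU, or None if it is not one.

    Layout: 0x68, apdu length, control field 1..4, optional ASDU. The two
    low bits of control field 1 select the format (cf1 == 0 / 01 / 11 in
    the memo's notation); S and U frames are fixed length (no ASDU).
    """
    if len(payload) < 2 + IEC104_CTRL_LEN or payload[0] != IEC104_START:
        return None
    apdu_len = payload[1]                      # bytes following the length octet
    if apdu_len < IEC104_CTRL_LEN or len(payload) != 2 + apdu_len:
        return None
    cf1 = payload[2]
    if cf1 & 0x01 == 0:
        return "I"                             # information transfer, variable length
    fixed = apdu_len == IEC104_CTRL_LEN        # S/U carry nothing after the APCI
    if cf1 & 0x03 == 0x01:
        return "S" if fixed else None          # numbered supervisory
    return "U" if fixed else None              # unnumbered control (STARTDT/TESTFR/...)


def is_s7comm(payload: bytes) -> bool:
    """True when payload is TPKT(version 3) + COTP DT + S7comm (0x32 at offset 7)."""
    if len(payload) < TPKT_LEN + COTP_DT_LEN + 1 or payload[0] != 0x03:
        return False
    if int.from_bytes(payload[2:4], "big") != len(payload):
        return False                           # TPKT length covers the whole packet
    li, pdu_type = payload[4], payload[5]
    if li != COTP_DT_LEN - 1 or (pdu_type >> 4) != COTP_DT_TYPE:
        return False                           # only DT pdus carry S7comm
    return payload[TPKT_LEN + COTP_DT_LEN] == S7COMM_PROTO_ID


def classify(payload: bytes):
    """Label a TCP payload by content alone: "iec104/<fmt>", "s7comm" or None.

    Port-independent on purpose: a destination port of 2404 or 102 is a hint,
    the byte pattern is what the memo actually keys on.
    """
    fmt = iec104_apci_format(payload)
    if fmt is not None:
        return f"iec104/{fmt}"
    if is_s7comm(payload):
        return "s7comm"
    return None


# Constructed samples (hex, not captured from any real device).
SAMPLES = {
    # U-format STARTDT act: cf1 = 0x07 (low bits 11), fixed length 4
    "iec104_startdt": bytes.fromhex("68 04 07 00 00 00"),
    # S-format: cf1 = 0x01 (low bits 01), receive sequence number 1
    "iec104_s": bytes.fromhex("68 04 01 00 02 00"),
    # I-format general interrogation (type 100, cot activation, coa 1, qoi 20)
    "iec104_interrogation": bytes.fromhex(
        "68 0e 00 00 00 00 64 01 06 00 01 00 00 00 00 14"),
    # S7comm setup-communication job inside TPKT (len 25) and COTP DT (02 f0 80)
    "s7comm_setup": bytes.fromhex(
        "03 00 00 19 02 f0 80 32 01 00 00 04 00 00 08 00 00 f0 00 00 01 00 01 01 e0"),
    # Modbus/TCP read holding registers: neither rule should match it
    "modbus_read": bytes.fromhex("00 01 00 00 00 06 01 03 00 00 00 0a"),
}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:22} -> {classify(data)}")
```

The checks validate length fields as well as the magic bytes (TPKT length must match the packet, S and U frames must be exactly four control octets), so a stray 0x68 or 0x03 at the start of unrelated traffic does not produce a false label; this is the same kind of consistency check a Suricata app-layer probing parser applies before committing a flow to a protocol.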

analyzing a pcap file with suricata

# read a pcap offline with the given config; use --runmode single instead of autofp for a single packet processing thread
suricata -c /path/to/suricata.yaml -r /path/to/sample.pcap --runmode autofp

PLC protocol dissectors in https://github.com/wireshark/wireshark/tree/master

Siemens S7	/epan/dissectors/packet-s7comm.c	communication protocol supported by Siemens PLCs
MMS(IEC61850)	/asn1/mms	power transmission and distribution communication protocol
GOOSE(IEC61850)	/asn1/goose	power transmission and distribution communication protocol
SV(IEC61850)	/asn1/sv	power transmission and distribution communication protocol
Modbus	/epan/dissectors/packet-mbtcp.c	industrial control standard protocol
OPC DA	/epan/dissectors/packet-dcom.c	industrial control standard protocol
FF HSE	/epan/dissectors/packet-ff.c	Foundation Fieldbus Ethernet communication protocol
IEC 104	/epan/dissectors/packet-iec104.c	power transmission and distribution communication protocol
Ethernet POWERLINK	/epan/dissectors/packet-epl.c	open real-time Ethernet communication
OPC UA	/plugins/opcua/opcua.c	next-generation OPC standard
HART-IP	/epan/dissectors/packet-hartip.c	Highway Addressable Remote Transducer protocol
CoAP	/epan/dissectors/packet-coap.c	lightweight application-layer protocol
Omron FINS	/epan/dissectors/packet-omron-fins.c	communication protocol supported by Omron PLCs
openSAFETY	/epan/dissectors/packet-opensafety.c	open-source safety application protocol
EGD(Ethernet Global Data)	/epan/dissectors/packet-egd.c	communication protocol developed by GE Fanuc for PLCs
DNP3	/epan/dissectors/packet-dnp.c	distributed network protocol, mainly used in the power industry
Sinec H1	/epan/dissectors/packet-h1.c	communication protocol supported by Siemens PLCs
Profinet	/plugins/profinet/	open industrial Ethernet communication protocol
EtherCAT	/plugins/ethercat/	open real-time Ethernet communication protocol promoted by Beckhoff (Germany)
SERCOS III	/epan/dissectors/packet-sercosiii.c	real-time Ethernet communication protocol
RTPS	/epan/dissectors/packet-rtps.c	real-time streaming transport protocol
TTEthernet	/epan/dissectors/packet-tte.c	real-time Ethernet communication protocol
CDT	/dissectors/packet-cdt.c	telecontrol protocol
EtherNet/IP	/epan/dissectors/packet-etherip.c	Industrial Protocol, an implementation of CIP designed by Rockwell Automation
CIP	/epan/dissectors/packet-cip.c	Common Industrial Protocol
CIP Safety	/epan/dissectors/packet-cipsafety.c	safety variant of the Common Industrial Protocol
DeviceNet	/epan/dissectors/packet-devicenet.c	an implementation of CIP designed by Allen-Bradley
BACnet	/epan/dissectors/packet-bacnet.c	building automation and control network data communication protocol
KNXnet/IP	/epan/dissectors/packet-knxnetip.c	residential and building control standard
Lontalk	/epan/dissectors/packet-lon.c	communication protocol used by Echelon's LonWorks technology
CANopen	/epan/dissectors/packet-canopen.c	controller area network communication protocol
SAE J1939	/epan/dissectors/packet-j1939.c	a CAN variant, used in agricultural and commercial vehicles
USITT DMX512-A	/epan/dissectors/packet-dmx.c	lighting control data transmission protocol
BSSAP/BSAP	/epan/dissectors/packet-bssap.c	communication protocol developed by Bristol Babcock Inc
Gryphon	/plugins/gryphon	vehicle communication protocol
ZigBee	/epan/dissectors/packet-zbee.h	open wireless communication protocol

refer to:
https://reference.opcfoundation.org/v104/Core/docs/Part6/7.1.2/
https://plcscan.org/
https://www.fit.vut.cz/research/publication-file/11570/TR-IEC104.pdf
https://suricata.readthedocs.io/en/suricata-5.0.6/configuration/suricata-yaml.html