From a0aa2307322cd47bbf416810ac0292925e03be87 Mon Sep 17 00:00:00 2001
From: Daniel Baumann
Date: Fri, 19 Apr 2024 19:39:49 +0200
Subject: Adding upstream version 1:7.0.3.

Signed-off-by: Daniel Baumann
---
 rules/dnp3-events.rules | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 rules/dnp3-events.rules

(limited to 'rules/dnp3-events.rules')

diff --git a/rules/dnp3-events.rules b/rules/dnp3-events.rules
new file mode 100644
index 0000000..e4890f8
--- /dev/null
+++ b/rules/dnp3-events.rules
@@ -0,0 +1,26 @@
+# DNP3 application decoder event rules.
#
# This SIDs fall in the 2270000+ range. See:
# http://doc.emergingthreats.net/bin/view/Main/SidAllocation
+
# Flooded.
alert dnp3 any any -> any any (msg:"SURICATA DNP3 Request flood detected"; \
app-layer-event:dnp3.flooded; classtype:protocol-command-decode; sid:2270000; rev:2;)
+
# Length to small for PDU type. For example, link specifies the type
# as user data, but the length field is not large enough for user
# data.
alert dnp3 any any -> any any (msg:"SURICATA DNP3 Length too small"; \
app-layer-event:dnp3.len_too_small; classtype:protocol-command-decode; sid:2270001; rev:3;)
+
# Bad link layer CRC.
alert dnp3 any any -> any any (msg:"SURICATA DNP3 Bad link CRC"; \
app-layer-event:dnp3.bad_link_crc; classtype:protocol-command-decode; sid:2270002; rev:2;)
+
# Bad transport layer CRC.
alert dnp3 any any -> any any (msg:"SURICATA DNP3 Bad transport CRC"; \
app-layer-event:dnp3.bad_transport_crc; classtype:protocol-command-decode; sid:2270003; rev:2;)
+
# Unknown object.
alert dnp3 any any -> any any (msg:"SURICATA DNP3 Unknown object"; \
app-layer-event:dnp3.unknown_object; classtype:protocol-command-decode; sid:2270004; rev:2;)
--
cgit v1.2.3
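Review bot: The header comments in the new rules file carry two wording defects that every downstream copy of this file will inherit: `# This SIDs fall in the 2270000+ range.` should read `# These SIDs fall in the 2270000+ range.`, and `# Length to small for PDU type.` should read `# Length too small for PDU type.` so it matches the rule's own msg text "SURICATA DNP3 Length too small". A caveat worth adding at the top of the file is that these are app-layer-event rules, so they can only fire when Suricata's DNP3 application-layer parser is enabled and the flow is actually classified as dnp3 — presumably controlled by the dnp3 app-layer section of suricata.yaml, which this hunk does not show; a line such as `# These rules only fire when the dnp3 app-layer parser is enabled in suricata.yaml.` would stop operators from assuming DNP3 coverage they do not have. Since the bad link/transport CRC events (sid 2270002 and 2270003) can plausibly be produced by capture truncation or line noise as well as by tampering, their comments might also state that they are decoder-integrity signals rather than evidence of an attack on their own, so analysts tune rather than ignore them.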