path: root/doc/userguide/rules/dnp3-keywords.rst
DNP3 Keywords
=============

The DNP3 keywords can be used to match on fields in decoded DNP3
messages. The keywords are based on Snort's DNP3 keywords and aim to
be 100% compatible.

dnp3_func
---------

This keyword will match on the application function code found in DNP3
requests and responses. It can be specified as the integer value or
the symbolic name of the function code.

Syntax
~~~~~~

::

  dnp3_func:<value>;

Where value is one of:

* An integer value between 0 and 255 inclusive.
* Function code name:

  * confirm
  * read
  * write
  * select
  * operate
  * direct_operate
  * direct_operate_nr
  * immed_freeze
  * immed_freeze_nr
  * freeze_clear
  * freeze_clear_nr
  * freeze_at_time
  * freeze_at_time_nr
  * cold_restart
  * warm_restart
  * initialize_data
  * initialize_appl
  * start_appl
  * stop_appl
  * save_config
  * enable_unsolicited
  * disable_unsolicited
  * assign_class
  * delay_measure
  * record_current_time
  * open_file
  * close_file
  * delete_file
  * get_file_info
  * authenticate_file
  * abort_file
  * activate_config
  * authenticate_req
  * authenticate_err
  * response
  * unsolicited_response
  * authenticate_resp

dnp3_ind
--------

This keyword matches on the DNP3 internal indicator flags in the
response application header.

Syntax
~~~~~~

::

  dnp3_ind:<flag>{,<flag>...}
Where flag is the name of the internal indicator:

* all_stations
* class_1_events
* class_2_events
* class_3_events
* need_time
* local_control
* device_trouble
* device_restart
* no_func_code_support
* object_unknown
* parameter_error
* event_buffer_overflow
* already_executing
* config_corrupt
* reserved_2
* reserved_1

This keyword will match if any of the flags listed are set. To match
on multiple flags (AND type match), use dnp3_ind once for each flag
that must be set.

Examples
~~~~~~~~

::

  dnp3_ind:all_stations;

::

  dnp3_ind:class_1_events,class_2_events;

dnp3_obj
--------

This keyword matches on the DNP3 application data objects.

Syntax
~~~~~~

::
  dnp3_obj:<group>,<variation>

Where <group> and <variation> are integer values between 0 and 255 inclusive.

dnp3_data
---------

This keyword will cause the following content options to match on the
re-assembled application buffer. The reassembled application buffer is
a DNP3 fragment with CRCs removed (which occur every 16 bytes), and
will be the complete fragment, possibly reassembled from multiple DNP3
link layer frames.

Syntax
~~~~~~

::

  dnp3_data;

Example
~~~~~~~

::

  dnp3_data; content:"|c3 06|";
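The buffer this keyword exposes can be rebuilt by hand from the link-layer
frames, which helps when checking why a ``content`` match on ``dnp3_data``
did or did not fire. The Python below is an added example, not Suricata
code: ``crc_dnp``, ``build_frame``, ``strip_frame`` and
``reassemble_fragment`` are names chosen here, and the sample frames are
constructed (a class poll from master 1 to outstation 10, split over two
transport segments, the first of which spans two CRC blocks).

```python
# Added example (not Suricata code): rebuild the application buffer that
# "dnp3_data; content:..." matches on from DNP3 link-layer frames.
START = b"\x05\x64"  # DNP3 link-layer start bytes

def crc_dnp(data: bytes) -> int:
    """CRC-16/DNP: poly 0x3D65 (reflected 0xA6BC), init 0, final XOR 0xFFFF."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF

def build_frame(control: int, dst: int, src: int, user: bytes) -> bytes:
    """Encode one link-layer frame (used here only to construct sample input)."""
    hdr = (START + bytes([5 + len(user), control])
           + dst.to_bytes(2, "little") + src.to_bytes(2, "little"))
    frame = bytearray(hdr + crc_dnp(hdr).to_bytes(2, "little"))
    for i in range(0, len(user), 16):  # a CRC follows every 16 data bytes
        frame += user[i:i + 16] + crc_dnp(user[i:i + 16]).to_bytes(2, "little")
    return bytes(frame)

def strip_frame(frame: bytes) -> bytes:
    """Verify header and block CRCs; return the frame's user data without CRCs."""
    if frame[:2] != START or len(frame) < 10:
        raise ValueError("not a DNP3 link-layer frame")
    if crc_dnp(frame[:8]).to_bytes(2, "little") != frame[8:10]:
        raise ValueError("header CRC mismatch")
    remaining = frame[2] - 5  # LEN covers control+dst+src+user data, not CRCs
    pos, out = 10, bytearray()
    while remaining > 0:
        n = min(16, remaining)
        block, bcrc = frame[pos:pos + n], frame[pos + n:pos + n + 2]
        if len(block) != n or crc_dnp(block).to_bytes(2, "little") != bcrc:
            raise ValueError("data block CRC mismatch")
        out += block
        pos, remaining = pos + n + 2, remaining - n
    return bytes(out)

def reassemble_fragment(frames: list) -> bytes:
    """Join transport segments (FIR ... FIN) into one application fragment."""
    app = bytearray()
    for i, frame in enumerate(frames):
        user = strip_frame(frame)
        th = user[0]  # transport header: FIN=0x80, FIR=0x40, SEQ=low 6 bits
        if bool(th & 0x40) != (i == 0):
            raise ValueError("FIR flag out of place")
        app += user[1:]
        if th & 0x80:
            return bytes(app)
    raise ValueError("fragment incomplete: no FIN segment")

# Constructed sample: READ (0x01) of groups 60/1/30 with qualifier 0x06 (all objects).
APP_FRAGMENT = bytes([0xC3, 0x01, 60, 1, 6, 60, 2, 6, 60, 3, 6, 60, 4, 6, 1, 0, 6, 30, 0, 6])
SAMPLE_FRAMES = [build_frame(0xC4, 10, 1, bytes([0x40 | 5]) + APP_FRAGMENT[:16]),
                 build_frame(0xC4, 10, 1, bytes([0x80 | 6]) + APP_FRAGMENT[16:])]
```

``reassemble_fragment(SAMPLE_FRAMES)`` returns ``APP_FRAGMENT``, so a rule
such as ``dnp3_data; content:"|c3 01|";`` would match this traffic while the
CRC bytes present on the wire never appear in the buffer.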