The typical content option is in the format (content:‘‘ ’’ ).
Modbus TCP packets contain a MBAP Header and PDU as illustrated in Figure 1, and patterns in these may be matched using the content keyword. As Snort provides a Modbus preprocessor, specific rules can be written to examine the contents of the Modbus pay- load.
JAVA MODBUS SERVER CODE
Since the attacks described in Section 3.1, floods TCP port 502 to write to a single coil (Modbus function code 0x05 ), the Snort rules may be refined further to alert on specific Modbus traffic. Alterna- tively, the threshold values may be derived experimentally, to ensure that no false positive alerts are generated as a result of the threshold rules. To prevent the false-positive paradox, the threshold values employed in the Snort rule need to be based on some statistical mean of normal traffic. The threshold rate may be tracked by the traffic source address ( by src ) or destination ( by dst ) address, for a count ( c ), which specifies the number of alerts within the time specified as time in seconds ( s ). The typical format of the Snort threshold 2 rule is as follows threshold: type threshold, track, count, seconds.
Thresholds are applied to Snort rules to detect any changes in parameters which result from anomalous traffic such as a flooding-based DoS traffic. Thus, similar to the change detection threshold discussed in Section 4.1, Snort rule thresholds can be applied as part of a Snort rule or as a stand-alone rule. Snort alerts may be generated by preprocessors or the detection engine, and specific detection rules can be specified to suit deployment. The transformed buffer is subsequently passed to the Snort detection engine, which detects traffic matching a signature or rule to generate alerts. In the work presented in this paper, the Modbus preprocessor (Peterson 2009) is used. Preprocessors operate on the de- coded buffer to perform appropriate transformations to the buffer. The de- coded buffer is then made accessible to one or more Snort preprocessors. The purpose of the decode is to identify the type of network traffic.
Snort captures network traffic utilising libpcap or win- pcap libraries (depending on the platform it is deployed on) and decodes it. Due to its wide deployment, Snort has become the de facto standard for intrusion detection. Snort (Roesch 1999) is an open source signature-based network IDS. The following section presents alternate signature- based attack detection technique using Snort. k 1 is a parameter indicating the number of consecutive time intervals for which the change detection condition is violated before flagging an actual change in the observed parameter.
0 kommentar(er)
