Feature #5752
Updated by Alex Lasky over 1 year ago
Currently, the usefulness of the DNP3 keywords is severely hindered by their limitations. This is especially true for dnp3_obj, where hundreds of rules may be required to specify the objects you want to filter/detect especially if the var field contains a length in bytes. There is also no current mechanism to filter by point index or (less important) point value, as the Modbus keywords already let you do. index. To address this I propose the following alternative syntax for the dnp3_obj keyword, with associated detection code: dnp3_obj:group <ranges> [, var <ranges>] [, index <ranges>] [, value <ranges>] extensions to DNP3 rules keywords: where: ranges ::= <range> [, <range> ...] range ::= <min>-<max>|[<|>|!]<value> Alternatively you could use the <> operator * Add dnp3_obj.group, dnp3_obj.var, dnp3_obj.index and (if it's not too much to indicate max/min range as some ask) dnp3_obj.value keywords, useable individually or in combination. The first 2 of these are already keywords in the other keywords do, but that is a poor syntax given its extensive prior use to mean "not-equals". Snort 3 User Manual. * For file or data set objects, value would be the name of above new keywords plus the file or data set as a double-quoted string. existing dnp3_func, allow all operators supported for tcp.mss keyword ( viz <min>-<max>, < and > ) in addition to equality.