next up previous contents
Next: Preprocessor Events Up: DNP3 Preprocessor Previous: Preprocessor Configuration   Contents

Rule Options

The DNP3 preprocessor adds 4 new rule options. These rule options match on various pieces of the DNP3 headers:

    dnp3_func
    dnp3_obj
    dnp3_ind
    dnp3_data

The preprocessor must be enabled for these rule options to work.

dnp3_func

This option matches against the Function Code inside a DNP3 Application-Layer request/response header. The code may be given as a decimal number or as one of the strings listed below.

Syntax

    dnp3_func:<code>

    code  = 0-255 |
            "confirm" |
            "read" |
            "write" |
            "select" |
            "operate" |
            "direct_operate" |
            "direct_operate_nr" |
            "immed_freeze" |
            "immed_freeze_nr" |
            "freeze_clear" |
            "freeze_clear_nr" |
            "freeze_at_time" |
            "freeze_at_time_nr" |
            "cold_restart" |
            "warm_restart" |
            "initialize_data" |
            "initialize_appl" |
            "start_appl" |
            "stop_appl" |
            "save_config" |
            "enable_unsolicited" |
            "disable_unsolicited" |
            "assign_class" |
            "delay_measure" |
            "record_current_time" |
            "open_file" |
            "close_file" |
            "delete_file" |
            "get_file_info" |
            "authenticate_file" |
            "abort_file" |
            "activate_config" |
            "authenticate_req" |
            "authenticate_err" |
            "response" |
            "unsolicited_response" |
            "authenticate_resp"

Examples
    dnp3_func:1;
    dnp3_func:delete_file;

dnp3_ind

This option matches on the Internal Indicators flags present in a DNP3 Application Response Header. Much like the TCP flags rule option, providing multiple flags in one option will cause the rule to fire if ANY one of the flags is set. To alert on a combination of flags, use multiple rule options.

Syntax

    dnp3_ind:<flag>[,<flag>...]

    flag =  "all_stations"
            "class_1_events"
            "class_2_events"
            "class_3_events"
            "need_time"
            "local_control"
            "device_trouble"
            "device_restart"
            "no_func_code_support"
            "object_unknown"
            "parameter_error"
            "event_buffer_overflow"
            "already_executing"
            "config_corrupt"
            "reserved_2"
            "reserved_1"

Examples
    # Alert on reserved_1 OR reserved_2
    dnp3_ind:reserved_1,reserved_2;

    # Alert on class_1 AND class_2 AND class_3 events
    dnp3_ind:class_1_events; dnp3_ind:class_2_events; dnp3_ind:class_3_events;
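The following is an added example (not Snort's own code) that shows how the dnp3_func and dnp3_ind options above evaluate against a DNP3 Application-Layer response header: a single dnp3_ind fires on ANY listed flag, while separate dnp3_ind options are ANDed like any other rule options. It assumes the standard DNP3 response header layout (control octet, function code octet, IIN1, IIN2) with IIN bits in the same order as the flag list above, and uses only a subset of the standard function code numbering; the sample fragment is constructed.

```python
# Added example, not Snort's code. Assumes the standard DNP3 response header:
# control octet, function code octet, IIN1 octet, IIN2 octet, with IIN bits
# numbered in the same order as the dnp3_ind flag list (bit 0 of IIN1 first).
IIN_FLAGS = [  # bits 0..7 of IIN1, then bits 0..7 of IIN2
    "all_stations", "class_1_events", "class_2_events", "class_3_events",
    "need_time", "local_control", "device_trouble", "device_restart",
    "no_func_code_support", "object_unknown", "parameter_error",
    "event_buffer_overflow", "already_executing", "config_corrupt",
    "reserved_2", "reserved_1",
]

# Subset of the standard DNP3 function code numbers, enough for the names used here.
FUNC_CODES = {"confirm": 0, "read": 1, "write": 2, "cold_restart": 13,
              "delete_file": 27, "response": 129, "unsolicited_response": 130}

def parse_response_header(fragment: bytes) -> dict:
    """Return the function code and the set of IIN flag names set in a response."""
    if len(fragment) < 4:
        raise ValueError("response header needs control, func, IIN1, IIN2")
    control, func, iin1, iin2 = fragment[:4]
    iin = iin1 | (iin2 << 8)          # IIN1 is the low octet, IIN2 the high octet
    flags = {name for bit, name in enumerate(IIN_FLAGS) if iin & (1 << bit)}
    return {"control": control, "func": func, "iin": flags}

def dnp3_func(hdr: dict, code) -> bool:
    """dnp3_func:<code> -- code is a decimal number or a name from the list."""
    want = code if isinstance(code, int) else FUNC_CODES[code]
    return hdr["func"] == want

def dnp3_ind(hdr: dict, *flags: str) -> bool:
    """dnp3_ind:<flag>[,<flag>...] -- true if ANY of the listed flags is set."""
    unknown = set(flags) - set(IIN_FLAGS)
    if unknown:
        raise ValueError(f"unknown IIN flag(s): {sorted(unknown)}")
    return any(f in hdr["iin"] for f in flags)

def rule_matches(hdr: dict, options) -> bool:
    """Options in one rule are ANDed: 'dnp3_ind:a; dnp3_ind:b;' needs both a and b."""
    return all(opt(hdr) for opt in options)

# Constructed sample: response (0x81), IIN1 = 0x8E (class 1/2/3 events and
# device_restart set), IIN2 = 0x80 (reserved_1 set).
SAMPLE = bytes([0xC0, 0x81, 0x8E, 0x80])

if __name__ == "__main__":
    hdr = parse_response_header(SAMPLE)
    print(hdr["func"], sorted(hdr["iin"]))
    print("reserved_1 OR reserved_2:", dnp3_ind(hdr, "reserved_1", "reserved_2"))
    print("class 1 AND 2 AND 3:", rule_matches(hdr, [
        lambda h: dnp3_ind(h, "class_1_events"),
        lambda h: dnp3_ind(h, "class_2_events"),
        lambda h: dnp3_ind(h, "class_3_events")]))
```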

dnp3_obj

This option matches on DNP3 object headers present in a request or response.

Syntax

    dnp3_obj:<group>,<var>

    group = 0 - 255
    var   = 0 - 255

Examples
    # Alert on DNP3 "Date and Time" object
    dnp3_obj:50,1;

dnp3_data

As Snort processes DNP3 packets, the DNP3 preprocessor collects Link-Layer Frames and reassembles them back into Application-Layer Fragments. This rule option sets the cursor to the beginning of an Application-Layer Fragment, so that other rule options can work on the reassembled data.

With the dnp3_data rule option, you can write rules based on the data within Fragments without splitting up the data and adding CRCs every 16 bytes.

Syntax

    dnp3_data;

Examples

    dnp3_data; content:"badstuff_longer_than_16chars";


Eugene Misnik 2013-05-08