[Bro] Is there existing signatures for modbus and dnp3

anthony kasza anthony.kasza at gmail.com
Wed Nov 4 10:38:12 PST 2015


In general, Bro doesn't use signatures for attack determinations. If you
look at the way Bro identifies things like SQLi you can see Bro uses
signatures only to assist its behavioral approach (implemented in policy
scripts) to identify attack situations.

https://www.bro.org/sphinx/_downloads/detect-sqli.bro

-AK
On Nov 3, 2015 6:23 PM, "Ren, Wenyu" <wren3 at illinois.edu> wrote:

> Hi Anthony,
>
> Thanks for your reply. I am sorry but I probably did not make myself
> clear. I am not looking for signatures that help you identify Modbus and
> DNP3 packets. Instead, I am looking for signatures that help you detect
> attacks on Modbus and DNP3. Do you know of any signatures like that available
> for Bro? Thanks a lot.
>
> Wenyu
> ------------------------------
> *From:* anthony kasza [anthony.kasza at gmail.com]
> *Sent:* Tuesday, November 03, 2015 5:31 PM
> *To:* Ren, Wenyu
> *Cc:* bro at bro.org
> *Subject:* Re: [Bro] Is there existing signatures for modbus and dnp3
>
> Here are the sigs for dnp3 <
> https://github.com/bro/bro/blob/master/scripts/base/protocols/dnp3/dpd.sig
> >.
>
> -AK
> On Nov 3, 2015 2:04 PM, "Ren, Wenyu" <wren3 at illinois.edu> wrote:
>
>> Dear all,
>>
>> I am wondering whether there are some existing signatures for Bro for
>> Modbus and DNP3. I found something named quickdraw, which are signatures
>> for Modbus and DNP3. But they are for Snort, and Bro does not support signatures
>> for Snort anymore as far as I know. Does anyone know of similar signatures
>> available for Bro? Thanks a lot.
>>
>> Wenyu
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
>
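One way to put Anthony's point into practice for Modbus, as an added example that is not from this thread or from the Bro project: a small policy script that does no attack-pattern matching at all and instead raises a notice whenever a Modbus write request comes from a host outside an operator-maintained allowlist. It assumes the Modbus analyzer's `modbus_message` event and `ModbusHeaders` record; the allowlist addresses are placeholders to be filled from your own asset inventory.

```bro
# Added example, not code from the thread or from Bro itself.
# Behavioral check: report Modbus write requests from hosts that are not
# expected to write to PLCs. Assumes base/protocols/modbus and its
# modbus_message(c, headers, is_orig) event with headers$function_code.
@load base/frameworks/notice
@load base/protocols/modbus

module ModbusWrites;

export {
    redef enum Notice::Type += {
        ## A host outside the allowlist issued a Modbus write request.
        Unexpected_Write
    };

    ## Hosts permitted to write to PLCs (engineering workstations, HMIs).
    ## Placeholder addresses; populate from your own asset inventory.
    const allowed_writers: set[addr] = { 192.0.2.10, 192.0.2.11 } &redef;

    ## Modbus function codes that change device state.
    const write_codes: set[count] = {
        5,   # Write Single Coil
        6,   # Write Single Register
        15,  # Write Multiple Coils
        16,  # Write Multiple Registers
        22,  # Mask Write Register
        23   # Read/Write Multiple Registers
    } &redef;
}

# modbus_message fires for every Modbus PDU; is_orig marks client requests.
event modbus_message(c: connection, headers: ModbusHeaders, is_orig: bool)
{
    # Only requests from the client side matter here, not device responses.
    if ( ! is_orig )
        return;

    if ( headers$function_code !in write_codes )
        return;

    if ( c$id$orig_h in allowed_writers )
        return;

    # One notice per (client, PLC) pair per hour keeps the notice log readable.
    NOTICE([$note=Unexpected_Write,
            $conn=c,
            $msg=fmt("Modbus write (function %d) from non-allowlisted host %s to %s",
                     headers$function_code, c$id$orig_h, c$id$resp_h),
            $identifier=cat(c$id$orig_h, c$id$resp_h),
            $suppress_for=1hr]);
}
```

Load it with `bro -r capture.pcap modbus-writes.bro` (or via local.bro) and review notice.log; a signature file can still be used alongside it to tag specific payloads, but the allowlist check is what carries the detection.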