Created
April 20, 2015 16:48
-
-
Save jasonish/d22a6c3961b33d123808 to your computer and use it in GitHub Desktop.
dnp3-samples.rules
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # 1 - Function code match - either direction. | |
| alert dnp3 any any -> any any ( \ | |
| msg:"DNP3 Sample function code match"; \ | |
| dnp3_func:21; \ | |
| sid:1; rev:1;) | |
| # 2 - Internal indicators. Applies to client only. | |
| # - Providing multiple flags in one dnp3_ind option will match if any | |
| # of the flags are set. Use dnp3_ind multiple times to alert on a specific | |
| # combination of flags. | |
| alert dnp3 any any -> any any ( \ | |
| msg:"DNP3 Sample internal indicators match"; \ | |
| dnp3_ind:class_1_events,class_2_events,class_3_events; \ | |
| sid:2; rev:1;) | |
| # 3 - Content match, any direction. | |
| alert dnp3 any any -> any any ( \ | |
| msg:"DNP3 Content match, any direction"; \ | |
| dnp3_data; content:"|3c 02 06 3c 03 06 3c|"; \ | |
| sid:3; rev:1;) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment