Are there existing signatures for Modbus and DNP3

Dear all,

I am wondering whether there are any existing signatures of Bro for Modbus and DNP3. I found something named Quickdraw, which are signatures for Modbus and DNP3. But it is for Snort, and Bro does not support signatures for Snort anymore as far as I know. Does anyone know of similar signatures available for Bro? Thanks a lot.

Wenyu

Here are the sigs for dnp3 <https://github.com/bro/bro/blob/master/scripts/base/protocols/dnp3/dpd.sig>.

-AK

Hi Anthony,

Thanks for your reply. I am sorry, but I probably did not make myself clear. I am not looking for signatures that help you identify Modbus and DNP3 packets. Instead, I am looking for signatures that help you detect attacks on Modbus and DNP3. Do you know of any signatures like that available for Bro? Thanks a lot.

Wenyu

In general, Bro doesn’t use signatures for attack determinations. If you look at the way Bro identifies things like SQLi you can see Bro uses signatures only to assist its behavioral approach (implemented in policy scripts) to identify attack situations.

https://www.bro.org/sphinx/_downloads/detect-sqli.bro

-AK
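
As an illustration of the policy-script approach described in the reply above, here is an added example (not from the thread and not part of Bro's shipped scripts) that raises a notice when a Modbus write request comes from a host outside an allowlist. The module name, notice type, and the `authorized_masters` address are assumptions made for this sketch; the `modbus_message` event and the Notice framework are Bro's own.

```bro
# Added example: behavioral Modbus detection as a Bro policy script.
@load base/frameworks/notice
@load base/protocols/modbus

module ModbusWriteWatch;

export {
    redef enum Notice::Type += {
        ## A Modbus write request came from a host outside the allowlist.
        Unauthorized_Write,
    };

    ## Assumption: hosts permitted to issue writes. The address is a
    ## constructed documentation value; redef it for the real network.
    const authorized_masters: set[addr] = { 192.0.2.10 } &redef;

    ## Modbus function codes that change device state:
    ## 5/6 write single coil/register, 15/16 write multiple
    ## coils/registers, 22 mask write, 23 read/write multiple registers.
    const write_function_codes: set[count] = { 5, 6, 15, 16, 22, 23 } &redef;
}

event modbus_message(c: connection, headers: ModbusHeaders, is_orig: bool)
    {
    # Only requests matter here; responses come from the device itself.
    if ( ! is_orig )
        return;

    if ( headers$function_code !in write_function_codes )
        return;

    if ( c$id$orig_h in authorized_masters )
        return;

    NOTICE([$note=Unauthorized_Write,
            $conn=c,
            $msg=fmt("Modbus write (function code %d) from %s to %s",
                     headers$function_code, c$id$orig_h, c$id$resp_h),
            # Suppress repeats per originator/responder/function code.
            $identifier=cat(c$id$orig_h, c$id$resp_h, headers$function_code),
            $suppress_for=10min]);
    }
```

Matching notices are written to notice.log; the same pattern applies to DNP3 through Bro's DNP3 analyzer events.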