CybOXProject / schemas

CybOX Schemas and Schema Development

Add DNP3/ModBus Object #351

Open bworrell opened 9 years ago

ikiril01 commented 9 years ago
DNP3

APPLICATION LAYER

Application Header

Request Header (APCI)

Application Control (AC) octet
  Bit 7: FIR
  Bit 6: FIN
  Bit 5: CON
  Bit 4: UNS
  Bits 3, 2, 1, 0: SEQUENCE

Function Code (FC)
  Requests (Hex)
    0   Confirm
    1   Read
    2   Write
    3   Select
    4   Operate
    5   Direct operate
    6   Direct operate - No Acknowledgment
    7   Immediate Freeze
    8   Immediate Freeze - No Acknowledgment
    9   Freeze and Clear
    A   Freeze and Clear - No Acknowledgment
    B   Freeze with Time
    C   Freeze with Time - No Acknowledgment
    D   Cold restart
    E   Warm restart
    F   Initialize data
    10  Initialize application
    11  Start application
    12  Stop application
    13  Save application
    14  Enable unsolicited
    15  Disable unsolicited
    16  Assign class
    17  Delay measurement
    18  Record current time
    19  Open file
    1A  Close file
    1B  Delete file
    1C  Get file information
    1D  Authenticate file
    1E  Abort file
  Responses (Hex)
    81  Response
    82  Unsolicited response

Response Header

Application Control (AC) octet
  Bit 7: FIR
  Bit 6: FIN
  Bit 5: CON
  Bit 4: UNS
  Bits 3, 2, 1, 0: SEQUENCE

Function Code (FC)
  Requests (Hex)
    0   Confirm
    1   Read
    2   Write
    3   Select
    4   Operate
    5   Dir operate
    6   Dir operate - No resp
    7   Freeze
    8   Freeze - No resp
    9   Freeze clear
    A   Freeze clear - No resp
    B   Freeze at time
    C   Freeze at time - No resp
    D   Cold restart
    E   Warm restart
    F   Initialize data
    10  Initialize application
    11  Start application
    12  Stop application
    13  Save application
    14  Enable unsolicited
    15  Disable unsolicited
    16  Assign class
    17  Delay measurement
    18  Record current time
    19  Open file
    1A  Close file
    1B  Delete file
    1C  Get file information
    1D  Authenticate file
    1E  Abort file
  Responses (Hex)
    81  Response
    82  Unsolicited response

Internal Indications (IIN)
  LSB
    Bit 0: IIN1.0 All Stations
    Bit 1: IIN1.1 Class 1 events
    Bit 2: IIN1.2 Class 2 events
    Bit 3: IIN1.3 Class 3 Events
    Bit 4: IIN1.4 Need time
    Bit 5: IIN1.5 Local control
    Bit 6: IIN1.6 Device trouble
    Bit 7: IIN1.7 Device restart
  MSB
    Bit 0: IIN2.0 Function code not supported
    Bit 1: IIN2.1 Object unknown
    Bit 2: IIN2.2 Parameter Error
    Bit 3: IIN2.3 Event buffer overflow
    Bit 4: IIN2.4 Already executing
    Bit 5: IIN2.5 Configuration corrupt
    Bit 6: IIN2.6 Reserved 1
    Bit 7: IIN2.7 Reserved 2

First Object Header
  Object Type
    Group
    Variation
  Qualifier (Qualifier Octet)
    Bit 7: Reserved
    Bits 6, 5, 4: Index Size / Object Prefix Code
      Object Prefix
        Bit 0  Objs packed without a prefix
        Bit 1  Objs prefixed with 1-octet index
        Bit 2  Objs prefixed with 2-octet index
        Bit 3  Objs prefixed with 4-octet index
        Bit 4  Objs prefixed with 1-octet object size
        Bit 5  Objs prefixed with 2-octet object size
        Bit 6  Objs prefixed with 4-octet object size
        Bit 7  Reserved
    Bits 3, 2, 1, 0: Qualifier Code / Range Specifier Code
      Range Field Contains
        0  1-octet start - stop indexes
        1  2-octet start - stop indexes
        2  4-octet start - stop indexes
        3  1-octet start - stop virtual addresses
        4  2-octet start - stop virtual addresses
        5  4-octet start - stop virtual addresses
        6  No range field used. Implies all objects
        7  1-octet count of objects
        8  2-octet count of objects
        9  4-octet count of objects
        A  Reserved
        B  1-octet count of objects (variable format)
        C  Reserved
        D  Reserved
        E  Reserved
        F  Reserved
  Range
    Start Range
    Stop Range

DNP3 Objects 1

Last Object Header

DNP3 Objects 2

DATA LINK LAYER

DNP3 Frame

Header Block
  Start/Sync: 0x05 0x64
  Len: 5 to 255
  Ctrl (Control Octet)
    Bit 7: DIR
      1 = From Master
      0 = From Outstation
    Bit 6: PRM
      1 = Primary to Secondary
      0 = Secondary to Primary
    Bit 5: FCB (Frame Count Bit)
      Alternates 1 and 0 (otherwise 0)
    Bit 4: FCV (Frame Count Valid)
      1 = examine FCB bit
      0 = ignore FCB bit
    Bit 4: DFC (Data Flow Control)
      1 = receive buffer full
      0 = receive buffer available
    Bits 3, 2, 1, 0: Function Code
      Primary to Secondary (PRM = 1)
        Primary Function Code  Function Code Name      FCV Bit
        0                      RESET_LINK_STATES       0
        1                      -                       -
        2                      TEST_LINK_STATES        1
        3                      CONFIRMED_USER_DATA     1
        4                      UNCONFIRMED_USER_DATA   0
        5                      -                       -
        6                      -                       -
        7                      -                       -
        8                      -                       -
        9                      REQUEST_LINK_STATUS     0
        A                      -                       -
        B                      -                       -
        C                      -                       -
        D                      -                       -
        E                      -                       -
        F                      -                       -
      Secondary to Primary (PRM = 0)
        Secondary Function Code  Function Code Name
        0                        ACK
        1                        NACK
        2                        -
        3                        -
        4                        -
        5                        -
        6                        -
        7                        -
        8                        -
        9                        -
        A                        -
        B                        LINK_STATUS
        C                        -
        D                        -
        E                        -
        F                        NOT_SUPPORTED
  Destination: 0 to 65535 (LSB, MSB)
  Source: 0 to 65519 (LSB, MSB)
  CRC (LSB, MSB)
Data/Payload

TRANSPORT FUNCTIONS

Transport Header octet
  FIN (7)
  FIR (6)
  SEQUENCE (5, 4, 3, 2, 1, 0)

OBJECT LAYER
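The field layout in the comment above, turned into a decoder as an added example (not code from the issue or from the CybOX project): it validates the start/sync octets, the len range and the header CRC, then splits the control octet into DIR, PRM, FCB, FCV/DFC and the function code, and decodes the application control octet. The CRC polynomial 0x3D65 (zero initial value, inverted result) is the DNP3 standard's value and is not stated in the issue; the sample frame is constructed here.

```python
# Reflected form of the data-link CRC polynomial 0x3D65 (assumption: polynomial, zero
# init and inverted output are the DNP3 standard's parameters, not stated in the issue).
REFLECTED_POLY = 0xA6BC
# Data-link function code names from the tables above; unassigned codes are "-".
PRIMARY_FC = {0x0: "RESET_LINK_STATES", 0x2: "TEST_LINK_STATES", 0x3: "CONFIRMED_USER_DATA",
              0x4: "UNCONFIRMED_USER_DATA", 0x9: "REQUEST_LINK_STATUS"}
SECONDARY_FC = {0x0: "ACK", 0x1: "NACK", 0xB: "LINK_STATUS", 0xF: "NOT_SUPPORTED"}

def crc16_dnp(data: bytes) -> int:
    """CRC-16/DNP of data; the frame carries it LSB first."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ REFLECTED_POLY if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF

def header_crc_ok(frame: bytes) -> bool:
    """CRC octets 9-10 must match the first 8 octets of the header block."""
    return len(frame) >= 10 and int.from_bytes(frame[8:10], "little") == crc16_dnp(frame[:8])

def parse_link_header(frame: bytes) -> dict:
    """Decode start/sync, len, control octet, destination and source of a frame."""
    if len(frame) < 10 or frame[:2] != b"\x05\x64":
        raise ValueError("start/sync 0x05 0x64 missing")
    length, ctrl = frame[2], frame[3]
    if not 5 <= length <= 255:
        raise ValueError(f"len octet {length} outside 5 to 255")
    if not header_crc_ok(frame):
        raise ValueError("header CRC mismatch")
    prm, fc = bool(ctrl & 0x40), ctrl & 0x0F
    return {"len": length,
            "from_master": bool(ctrl & 0x80),            # bit 7 DIR
            "prm": prm,                                  # bit 6 PRM
            "fcb": bool(ctrl & 0x20),                    # bit 5 FCB
            "fcv_or_dfc": bool(ctrl & 0x10),             # bit 4: FCV (PRM=1) / DFC (PRM=0)
            "function_code": fc,                         # bits 3..0
            "function_name": (PRIMARY_FC if prm else SECONDARY_FC).get(fc, "-"),
            "destination": int.from_bytes(frame[4:6], "little"),  # LSB, MSB
            "source": int.from_bytes(frame[6:8], "little")}

def parse_app_control(octet: int) -> dict:
    """Decode the application control (AC) octet: FIR, FIN, CON, UNS, SEQUENCE."""
    return {"fir": bool(octet & 0x80), "fin": bool(octet & 0x40), "con": bool(octet & 0x20),
            "uns": bool(octet & 0x10), "sequence": octet & 0x0F}

# Constructed sample: master (DIR=1, PRM=1) sends UNCONFIRMED_USER_DATA (FC=4, FCV=0)
# from link address 1 to outstation 10; len 5 = control + dest + src, no user data.
_BODY = bytes([0x05, 0x64, 5, 0xC4]) + (10).to_bytes(2, "little") + (1).to_bytes(2, "little")
SAMPLE_HEADER = _BODY + crc16_dnp(_BODY).to_bytes(2, "little")
```

A monitor that logs the decoded function code and IIN bits per link address is enough to spot cold/warm restarts or unsolicited-response changes from an unexpected source address.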
gtback commented 9 years ago

Is there a use case in mind for this object? Are there known attacks or indicators which would need to use this object? It seems like a lot of detail, so I just want to make sure there's value in adding it.

ikiril01 commented 9 years ago

@gtback good questions. I think this came out of the context of capturing observables/indicators in CybOX related to malicious DNP3 traffic: https://isc.sans.edu/diary/Looking+for+malicious+traffic+in+electrical+SCADA+networks+-+part+1/17967

ikiril01 commented 9 years ago

This is really a sub-component of #143, so it has similar context/LOE.