search

chamara84 / snort-2.9_RTDS

This repository contains a modified version of Snort. Here the user is able to decode and modify the Industrial control system protocols like DNP3, MODBUS, PMU, IEC104 and IEC61850.
GNU General Public License v2.0
5 stars 1 forks source link

snort-2.9_RTDS for windows #2

Closed MiShtaz closed 4 months ago

MiShtaz commented 1 year ago

Hello! When I compiling for windows, some files are not enough, for example, IEC104_Roptions.c,iec104_map.h etc. Is it possible to compile snort-2.9_RTDS preprocessors iec61850, iec104,pmu for Windows?

chamara84 commented 1 year ago

Hi, I have never tried it on Windows. I do not think it can be compiled on windows. You will need to use a Linux virtual machine running on Virtual box. Thanks

Get Outlook for Androidhttps://aka.ms/AAb9ysg

From: MiShtaz @.> Sent: Monday, July 24, 2023 11:41:54 PM To: chamara84/snort-2.9_RTDS @.> Cc: Subscribed @.***> Subject: [chamara84/snort-2.9_RTDS] snort-2.9_RTDS for windows (Issue #2)

Caution: This message was sent from outside the University of Manitoba.

Hello! When I compiling for windows, some files are not enough, for example, IEC104_Roptions.c,iec104_map.h etc. Is it possible to compile snort-2.9_RTDS preprocessors iec61850, iec104,pmu for Windows?

— Reply to this email directly, view it on GitHubhttps://github.com/chamara84/snort-2.9_RTDS/issues/2, or unsubscribehttps://github.com/notifications/unsubscribe-auth/ADM6E66I7IBZ2F3XESWKS6TXR5FBFANCNFSM6AAAAAA2WPPDDQ. You are receiving this because you are subscribed to this thread.Message ID: @.***>

MiShtaz commented 1 year ago

I used snort-2.9.20. Modbus is included. I dont know what is profinet. In src\dynamic-preprocessors _buffer_dump files are of the same type, but _Roptions are different.

chamara84 commented 1 year ago

Hi, The version I used is 2.9.14. I added the code to modify the DNP3 and Modbus. Then I added the protocol decoders for PMU, IEC104, GOOSE and Sample value with the ability to modify the packets on the fly. Hope this answers your question. I think Version 3.0 of Snort fullt supports Windows. However, it works a bit differently than version 2. I did not get a chance to have a look at that. Thanks, Best regards, Chamara

MiShtaz commented 1 year ago

Thanks for the answer! There are a couple of questions: What does it mean in etc\snort.conf (for example modbus: change 3 0 4 \ and dnp3: change 3 41 31 0 49.0 ) and how to check the performance of these changes. In dnp3_reassembly.c what value should be set instead of sizeOfOneDataPoint (uint8_t tempValueToCopy[sizeOfOneDataPoint];). Visual Studio is swearing, requires expected constant expression.

chamara84 commented 1 year ago

Hi MiShtaz, Can I ask what is your application of this repo? For MODBUS the format of the string is as follows change

In MODBUS each variable type has a function code. There are many variables that belongs to the function code. Therefore, each variable belonging to a function code is identified by an index.

In DNP3 the format is as follows: change In there variable types are identified with group and variance. Each variable belonging to a type is accessed using an index.

You need to have a DNP3 server and client running and have the Linux PC running this version of SNORT in the middle. Then you can modify the variables and see.

The sizeOfOneDataPoint is assigned based on the group number and variance. It should be done in the code.

Hope I answered your questions. Best regards, Chamara

chamara84 commented 1 year ago

Hi PrajwalML, What do you mean by integration? Snort will capture data on a network interface and send them using a different interface like a network bridge. Only difference is SNORT will examine the packets.

MiShtaz commented 1 year ago

I use Version 2.9.20-WIN32 GRE (Build 82) that already contains Preprocessor Object: SF_MODBUS and SF_DNP3. So I thought that your modifications could be suitable for my snort version . Thanks for the detailed explanation!