cisagov / icsnpp-bacnet

Zeek BACnet Parser - CISA ICSNPP
BSD 3-Clause "New" or "Revised" License
15 stars 11 forks

Updated DPD Signature #21

Closed keithjjones closed 1 year ago

keithjjones commented 1 year ago

💡 Summary

What is the work, as a high-level summary?

This provides a DPD signature for BACnet. I've been running this on several live networks for many months and have been happy with the results. It has uncovered several BACnet networks I did not know about on non-standard ports, which is pretty common for this protocol.

Motivation and context

Why does this work belong in this project?

This would be useful because...

It would detect BACnet networks on non-standard ports, which is pretty common in networks I monitor. Non-standard ports are often used to separate networks logically on the same IP address.

Implementation notes

The DPD signature I've been testing for many months:

signature bacnet_dpd {
  ip-proto == udp
  # BACnet/IP is UDP; match any ephemeral/registered port on both sides so
  # traffic on ports other than the default 47808 (0xBAC0) is still found
  src-port == 1024-65535
  dst-port == 1024-65535
  # BVLC header: 0x81 = BACnet/IP, 0x0a = Original-Unicast-NPDU,
  # two-byte BVLC length (any value), then 0x01 = NPDU protocol version
  payload /\x81\x0a..\x01/
  enable "bacnet"
}

Acceptance criteria

How do we know when this work is done?

You will be able to see BACnet networks on non-standard ports.

Kleinspider commented 1 year ago

We merged your DPD signature into the main branch with one additional change. We have added 0x0b to the payload check to capture both "Original_Unicast_NPDU" and "Original_Broadcast_NPDU" functions.
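To make the effect of the signature and of the 0x0b addition concrete, the following is an added Python example (not code from the icsnpp-bacnet project or from either commenter). It emulates the three conditions of the signature above, the port ranges and the payload pattern, against a few constructed BACnet/IP packets: an Original-Unicast-NPDU, an Original-Broadcast-NPDU (a Who-Is), a Forwarded-NPDU as a BBMD would relay it, and a packet with a bad NPDU version byte. The packet bytes are hand-built here for illustration, not captures; the BVLC type and function codes are the ones defined for BACnet/IP (ANSI/ASHRAE 135 Annex J). Zeek payload patterns match from the start of the payload, so `re.match` is used rather than `re.search`.

```python
import re
import struct

# Zeek's payload patterns are anchored at the start of the payload, which
# re.match reproduces. re.DOTALL is needed so '.' also matches byte 0x0a,
# which can legitimately occur in the two-byte BVLC length field.
ORIGINAL_PATTERN = re.compile(rb"\x81\x0a..\x01", re.DOTALL)   # as first proposed
MERGED_PATTERN = re.compile(rb"\x81[\x0a\x0b]..\x01", re.DOTALL)  # with 0x0b added

# BVLC constants from the BACnet/IP specification (Annex J)
BVLC_TYPE_BACNET_IP = 0x81
BVLC_FORWARDED_NPDU = 0x04
BVLC_ORIGINAL_UNICAST_NPDU = 0x0A
BVLC_ORIGINAL_BROADCAST_NPDU = 0x0B

PORT_LOW, PORT_HIGH = 1024, 65535  # src-port / dst-port ranges from the signature


def bvlc(function: int, body: bytes) -> bytes:
    """Prepend a BVLC header (type, function, total length) to an NPDU body."""
    return struct.pack("!BBH", BVLC_TYPE_BACNET_IP, function, 4 + len(body)) + body


# Constructed sample packets (illustrative, not captured traffic).
# NPDU: version 0x01, control 0x20 (DNET present), DNET 0xffff global broadcast,
# DLEN 0, hop count 0xff; APDU: Unconfirmed-Request (0x10), Who-Is (0x08).
WHO_IS_BROADCAST = bvlc(BVLC_ORIGINAL_BROADCAST_NPDU, bytes.fromhex("0120ffff00ff1008"))
# NPDU: version 0x01, control 0x04 (reply expected); APDU: Confirmed-Request,
# invoke id 1, ReadProperty (0x0c) of object-name on device instance 1.
READ_PROPERTY_UNICAST = bvlc(BVLC_ORIGINAL_UNICAST_NPDU, bytes.fromhex("01040005010c0c02000001194d"))
# Forwarded-NPDU carries a 6-byte B/IP address (192.168.1.10:47808) before the NPDU.
FORWARDED_WHO_IS = bvlc(BVLC_FORWARDED_NPDU, bytes.fromhex("c0a8010abac0") + bytes.fromhex("0120ffff00ff1008"))
# Right BVLC type and function, but NPDU version byte is 0x00 instead of 0x01.
BAD_NPDU_VERSION = bvlc(BVLC_ORIGINAL_UNICAST_NPDU, bytes.fromhex("00041008"))


def signature_matches(pattern: re.Pattern, src_port: int, dst_port: int, payload: bytes) -> bool:
    """Apply the signature's conditions: UDP is assumed, then ports, then payload."""
    if not (PORT_LOW <= src_port <= PORT_HIGH and PORT_LOW <= dst_port <= PORT_HIGH):
        return False
    return pattern.match(payload) is not None


def compare_patterns(src_port: int, dst_port: int, payload: bytes) -> tuple:
    """Return (original_matches, merged_matches) for one packet."""
    return (
        signature_matches(ORIGINAL_PATTERN, src_port, dst_port, payload),
        signature_matches(MERGED_PATTERN, src_port, dst_port, payload),
    )


if __name__ == "__main__":
    samples = {
        "unicast ReadProperty, default port": (47808, 47808, READ_PROPERTY_UNICAST),
        "unicast ReadProperty, non-standard ports": (47809, 50000, READ_PROPERTY_UNICAST),
        "broadcast Who-Is": (47808, 47808, WHO_IS_BROADCAST),
        "forwarded Who-Is via BBMD": (47808, 47808, FORWARDED_WHO_IS),
        "bad NPDU version": (47808, 47808, BAD_NPDU_VERSION),
        "unicast ReadProperty from port 68": (68, 47808, READ_PROPERTY_UNICAST),
    }
    for name, (sport, dport, pkt) in samples.items():
        orig, merged = compare_patterns(sport, dport, pkt)
        print(f"{name:42s} original={orig!s:5s} merged={merged!s:5s} {pkt[:5].hex()}")
```

Two things the run makes visible: the broadcast Who-Is, which is how most BACnet discovery traffic looks, is only picked up once 0x0b is in the pattern, and Forwarded-NPDU (0x04) traffic relayed by a BBMD still falls outside the signature, so a segment reached only through a BBMD may not trigger DPD until a device on it sends an original unicast or broadcast NPDU.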