The DNP3 service inspector in Snort 3 provides anomaly detection and IPS rule options for matching on data, functions, indications and objects in DNP3 messages. Configuration of the ports is handled by the binder. This service inspector offers four IPS rule options:
dnp3_func rule option is used to check for DNP3 function codes. This rule option takes in either a function code number or a function code string. The supported function codes and their string and number mappings are defined in Snort's dnp3_map.cc file.
dnp3_ind rule option is used to check DNP3 indicator flags. This rule option takes in a "indicator flag list" that is one or more indicator flag values separated by spaces. The indicator flag values are string values corresponding to the table defined in Snort's dnp3_map.cc file.
Additionally, the entire flag list should also be enclosed in double quotes.
If more than one flag is provided, Snort will trigger an event if any one of them is seen on the wire.
dnp3_ind:"indicator_flag[ indicator_flag ]…";
dnp3_ind:"config_corrupt event_buffer_overflow need_time";
dnp3_obj rule option is used to check DNP3 object headers. This rule option enables users the ability to check for specific DNP3 data object types by checking for a specific object group and a specific object group variation. Thus, this option takes as arguments two things: a group number and a variation number.
dnp3_obj:group group_number, var varation_number;
dnp3_obj:group 80, var 1;
dnp3_obj:group 60, var 2;
dnp3_data rule option sets the cursor to the beginning of DNP3 Application Layer data. This is a sticky buffer, so once set, all subsequent rule options will be evaluated against
dnp3_data unless the cursor is reset or moved to another buffer.