IEC 104 Specific Options
Snort 3 contains a service inspector for the IEC 60870-5-104 (IEC 104) protocol, a protocol published by the International Electrotechnical Commission (IEC) that provides a standardized method of sending telecontrol messages between central stations and outstations over TCP/IP. Traffic using this protocol typically runs on TCP port 2404.
This inspector decodes IEC104 traffic and provides two rule options that let rule writers evaluate (1) the IEC104 APCI type and (2) the IEC104 ASDU function code (the ASDU type identification).
To be able to use the various iec104 rule options, one must make sure to enable the inspector and add an appropriate Binder entry in the Snort 3 config. For example:
-- enable the IEC104 inspector
iec104 = { }
-- add the IEC104 binder entry
binder =
{
{ when = { proto = 'tcp', ports = '2404' }, use = { type = 'iec104' }, },
}
iec104_apci_type
The iec104_apci_type rule option is used to verify that the message being processed is of the specified type. The argument passed to this rule option can be specified in one of three ways: the full type name, the lowercase type abbreviation, or the uppercase type abbreviation.
Format:
iec104_apci_type:{u|U|unnumbered_control_function|s|S|numbered_supervisory_function \
|i|I|information_transfer_format};
Examples:
iec104_apci_type:unnumbered_control_function;
iec104_apci_type:S;
iec104_apci_type:i;
iec104_asdu_func
The iec104_asdu_func rule option is used to verify that the message being processed is using the specified ASDU function. The argument passed to this rule option can be specified in one of two ways: the uppercase function name, or the lowercase function name.
A list of accepted function names can be found in the Snort 3 code here.
Format:
iec104_asdu_func:function_name;
Examples:
iec104_asdu_func:M_SP_NA_1;
iec104_asdu_func:m_ps_na_1;
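To make concrete what the two rule options above test against, here is an added example (written for this page, not code from the Snort 3 project) that decodes a TCP payload carrying several IEC 104 APDUs, classifies each as U, S or I format from the first control octet, pulls the ASDU type identification out of I-format frames, and then applies the argument spellings accepted by iec104_apci_type and iec104_asdu_func. The sample byte stream is constructed for the example, and the ASDU type table is only a subset of the names the inspector accepts; the full list is in the Snort 3 source.

```python
"""Decode IEC 60870-5-104 APDUs and classify them the way the Snort 3 iec104
rule options do: APCI type (U/S/I) and ASDU function (type identification)."""
import struct
from dataclasses import dataclass
from typing import List, Optional

START_BYTE = 0x68

# Argument spellings accepted by iec104_apci_type, mapped to the abbreviation
# (lookup below is case-insensitive, so the upper-case abbreviations match too).
APCI_TYPE_ALIASES = {
    "u": "U", "unnumbered_control_function": "U",
    "s": "S", "numbered_supervisory_function": "S",
    "i": "I", "information_transfer_format": "I",
}

# Subset of ASDU type identifications from IEC 60870-5-101/104; the names are
# the ones iec104_asdu_func takes. Assumption: only a partial table is needed here.
ASDU_FUNC_NAMES = {
    1: "M_SP_NA_1",    # single-point information
    3: "M_DP_NA_1",    # double-point information
    9: "M_ME_NA_1",    # measured value, normalized
    20: "M_PS_NA_1",   # packed single-point information with status change detection
    30: "M_SP_TB_1",   # single-point information with CP56Time2a time tag
    45: "C_SC_NA_1",   # single command
    46: "C_DC_NA_1",   # double command
    70: "M_EI_NA_1",   # end of initialization
    100: "C_IC_NA_1",  # (station) interrogation command
    101: "C_CI_NA_1",  # counter interrogation command
    103: "C_CS_NA_1",  # clock synchronization command
}

# U-format control octet 1 values: bits 1..0 are 11, bits 2..7 select the function.
U_FUNCTIONS = {
    0x07: "STARTDT act", 0x0B: "STARTDT con",
    0x13: "STOPDT act", 0x23: "STOPDT con",
    0x43: "TESTFR act", 0x83: "TESTFR con",
}


@dataclass
class Apdu:
    apci_type: str                   # "U", "S" or "I"
    u_function: Optional[str] = None
    send_seq: Optional[int] = None   # N(S), I-format only
    recv_seq: Optional[int] = None   # N(R), S- and I-format
    type_id: Optional[int] = None    # ASDU type identification, I-format only
    asdu_func: Optional[str] = None  # name for type_id, None if not in the table
    cot: Optional[int] = None        # cause of transmission (low 6 bits)
    common_addr: Optional[int] = None


def decode_apdu(body: bytes) -> Apdu:
    """Decode one APDU body (the bytes after the 0x68 start byte and length octet)."""
    ctrl = body[:4]
    if ctrl[0] & 0x01 == 0:                    # bit 0 clear: I-format
        if len(body) < 10:                     # 4 control octets + 6-octet ASDU header
            raise ValueError("I-format APDU without a complete ASDU header")
        asdu = body[4:]
        return Apdu(
            apci_type="I",
            send_seq=struct.unpack_from("<H", ctrl, 0)[0] >> 1,
            recv_seq=struct.unpack_from("<H", ctrl, 2)[0] >> 1,
            type_id=asdu[0],
            asdu_func=ASDU_FUNC_NAMES.get(asdu[0]),
            cot=asdu[2] & 0x3F,
            common_addr=struct.unpack_from("<H", asdu, 4)[0],
        )
    if ctrl[0] & 0x03 == 0x01:                 # bits 1..0 == 01: S-format
        return Apdu(apci_type="S", recv_seq=struct.unpack_from("<H", ctrl, 2)[0] >> 1)
    # bits 1..0 == 11: U-format, no sequence numbers and no ASDU
    return Apdu(apci_type="U", u_function=U_FUNCTIONS.get(ctrl[0], f"unknown 0x{ctrl[0]:02x}"))


def parse_apdus(payload: bytes) -> List[Apdu]:
    """Split a TCP payload into APDUs (several may share one segment) and decode each."""
    apdus, off = [], 0
    while off < len(payload):
        if off + 2 > len(payload) or payload[off] != START_BYTE:
            raise ValueError(f"expected start byte 0x68 at offset {off}")
        length = payload[off + 1]              # number of octets after the length octet
        body = payload[off + 2: off + 2 + length]
        if length < 4 or len(body) != length:
            raise ValueError(f"truncated or undersized APDU at offset {off}")
        apdus.append(decode_apdu(body))
        off += 2 + length
    return apdus


def rule_matches(apdu: Apdu, apci_type: Optional[str] = None,
                 asdu_func: Optional[str] = None) -> bool:
    """Apply the semantics of iec104_apci_type / iec104_asdu_func to a decoded APDU."""
    if apci_type is not None:
        wanted = APCI_TYPE_ALIASES.get(apci_type.lower())
        if wanted is None:
            raise ValueError(f"unknown iec104_apci_type argument {apci_type!r}")
        if apdu.apci_type != wanted:
            return False
    if asdu_func is not None:
        name = asdu_func.upper()               # upper- and lowercase names are both accepted
        if name not in ASDU_FUNC_NAMES.values():
            raise ValueError(f"unknown iec104_asdu_func argument {asdu_func!r}")
        if apdu.asdu_func != name:             # U/S frames carry no ASDU and never match
            return False
    return True


# Constructed sample: one TCP segment holding four back-to-back APDUs.
SAMPLE_STREAM = bytes.fromhex(
    "680407000000"                      # U-format: STARTDT act
    "680401000200"                      # S-format: N(R)=1
    "680e0000000064010600010000000014"  # I-format: C_IC_NA_1, COT=6 (activation), CA=1, QOI=20
    "680e0200040001010300010001000001"  # I-format: M_SP_NA_1, COT=3 (spontaneous), IOA=1, SIQ=1
)

if __name__ == "__main__":
    for a in parse_apdus(SAMPLE_STREAM):
        print(a.apci_type, a.u_function or a.asdu_func, "matches C_IC_NA_1:",
              rule_matches(a, apci_type="I", asdu_func="c_ic_na_1"))
```

In Snort terms, the third APDU is the one an illustrative rule such as `alert tcp any any -> any 2404 (msg:"IEC104 station interrogation"; iec104_apci_type:I; iec104_asdu_func:C_IC_NA_1; sid:1000001;)` would fire on; note that a rule naming only an ASDU function can never match U- or S-format frames, because those carry no ASDU at all.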