MMS Specific Options

IEC 61850 is a family of protocols, including the Manufacturing Message Specification (MMS), distributed by the International Electrotechnical Commission (IEC). It provides a standardized method of sending service messages between various manufacturing and process control devices, typically running on TCP port 102.

This inspector decodes MMS traffic and provides two rule options: mms_func and mms_data.

To use the MMS rule options, enable the inspector and add an appropriate binder entry in the Snort 3 config. For example:

-- enable the mms wizard support
wizard = { curses = {'mms'}, }
-- enable the mms service inspector
mms = { }
-- add the mms binder entry
binder =
{
    { when = { service = 'mms' },              use = { type = 'mms' } },
    { use = { type = 'wizard' } }
}

mms_func

The mms_func rule option takes a single argument and compares it with the Confirmed Service field in the MMS request or response packet being analyzed. The argument can be specified in one of two ways: either as the full service name, or as the number that corresponds to that service. The full list of service names and their associated numbers can be found in the Snort 3 source code.

Format:

mms_func:{full_service_name|service_number};

Examples:

In this example the rule is using the mms_func rule option with a string argument containing the Confirmed Service Request service name on which to alert:

mms_func:get_name_list;

The following example also uses the mms_func rule option to alert on a GetNameList message, but this time an integer argument containing the function number is used:

mms_func:1;

mms_data

The mms_data rule option is used to set the detection cursor to the start of the MMS PDU, bypassing all of the OSI encapsulation layers and allowing subsequent rule options to start processing from the MMS PDU field.

Format:

mms_data;

Examples:

In this example, the rule is using the mms_data rule option to set the cursor position to the beginning of the MMS PDU, and then checking the byte at that position for the value indicative of an Initiate-Request message:

mms_data;
content:"|A8|", depth 1;
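To make concrete what mms_data skips and which field mms_func compares, here is an added Python illustration (not part of the original page and not Snort's inspector code) that walks one constructed frame down to the MMS PDU and reads the confirmed service number. The function names and the sample bytes are assumptions, and only the common unfragmented data-transfer encapsulation (TPKT, COTP DT, session Give-Tokens plus Data-Transfer, presentation user data) is handled.

```python
# Added illustration, not Snort's inspector code; SAMPLE is a constructed frame:
# TPKT | COTP DT | session | presentation | MMS confirmed-request (GetNameList)
SAMPLE = bytes.fromhex("03000024 02f080 01000100 61173015020103a010"
                       "a00e020101a109a003800109a1028000")

def read_tlv(buf, pos):
    """Decode a BER header at pos -> (tag_number, value_start, value_end)."""
    number = buf[pos] & 0x1F
    pos += 1
    if number == 0x1F:                      # high-tag-number form (tags > 30)
        number = 0
        while True:
            number = (number << 7) | (buf[pos] & 0x7F)
            pos += 1
            if not buf[pos - 1] & 0x80:
                break
    length = buf[pos]
    pos += 1
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return number, pos, pos + length

def mms_pdu_offset(frame):
    """Offset of the MMS PDU: the position the page says mms_data selects."""
    if frame[0] != 0x03 or frame[4:11] != b"\x02\xf0\x80\x01\x00\x01\x00":
        raise ValueError("expected TPKT, COTP DT, Give-Tokens + Data-Transfer")
    pos = 11
    for tag in (0x61, 0x30):                # user-data wrapper, then PDV-list
        if frame[pos] != tag:
            raise ValueError("unexpected presentation element")
        _, pos, _ = read_tlv(frame, pos)    # step inside
    _, _, pos = read_tlv(frame, pos)        # skip presentation-context-identifier
    _, pos, _ = read_tlv(frame, pos)        # step inside single-ASN1-type [0]
    return pos

def confirmed_service(frame):
    """(PDU tag byte, service number) for confirmed request/response PDUs."""
    pos = mms_pdu_offset(frame)
    pdu_tag = frame[pos]
    if pdu_tag not in (0xA0, 0xA1):         # confirmed-Request / confirmed-Response
        return pdu_tag, None
    _, pos, _ = read_tlv(frame, pos)        # step inside the PDU
    _, _, pos = read_tlv(frame, pos)        # skip invokeID
    if frame[pos] == 0x30:                  # optional listOfModifiers (requests)
        _, _, pos = read_tlv(frame, pos)
    return pdu_tag, read_tlv(frame, pos)[0]
```

For the sample frame, the MMS PDU starts 20 bytes into the TCP payload and the service number is 1, the value the page's mms_func:1 example matches for GetNameList.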