S7comm Specific Options

S7 Communication (S7comm) and S7commplus are Siemens protocols that run between programmable logic controllers (PLCs) of the Siemens S7-300/400 and S7-1500/1200(v4.0) families. Traffic of this service typically runs on TCP port 102.

S7comm and S7commplus data are sent in the payloads of Connection Oriented Transport Protocol (COTP) data packets. Snort 3 features an S7commplus service inspector that provides three rule options: s7commplus_content, s7commplus_func, and s7commplus_opcode.

To be able to use the various s7commplus rule options, one must make sure to enable the inspector and add an appropriate Binder entry in the Snort 3 config. For example:

-- enable the s7commplus service inspector
s7commplus = { }
-- add the s7commplus binder entry
binder =
{
    { when = { proto = 'tcp', ports = '102' }, use = { type = 's7commplus' }, },
}

s7commplus_content

The s7commplus_content rule option is used to set the detection cursor to the start of S7commplus content.

Format:

s7commplus_content;

Examples:

s7commplus_content;
content:"|01 02 03 04|";

s7commplus_func

The s7commplus_func rule option is used to check for a particular S7commplus function code.

This option takes in a single argument, either the name of a function code or the integer value of a function code. The currently supported function names and codes can be found in the Snort 3 source code.

Format:

s7commplus_func:{function_code_name|function_code_number};

Examples:

s7commplus_func:explore;
s7commplus_func:0x586;

s7commplus_opcode

The s7commplus_opcode rule option is used to check for a particular S7commplus opcode.

This option takes in a single argument, either the name of the opcode or the integer value of the opcode. The currently supported opcode names and codes can be found in the Snort 3 source code.

Format:

s7commplus_opcode:{opcode_code_name|opcode_code_number};

Examples:

s7commplus_opcode:request;
s7commplus_opcode:0x31;
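The following is an added example, not part of the Snort 3 documentation or source, that ties the configuration section and the three option sections above together in one self-contained snort.lua fragment. It enables the inspector, binds it to TCP port 102, and defines rules that combine s7commplus_opcode, s7commplus_func and s7commplus_content with ordinary rule options. The rule messages, SIDs, the 4-byte content pattern and the use of the inline ips.rules string are constructed for illustration; the function and opcode names and numbers are the ones shown above.

```lua
-- Added example (not from the Snort 3 docs): enable the S7commplus service
-- inspector and bind it to TCP/102, as required before the rule options work.
s7commplus = { }

binder =
{
    { when = { proto = 'tcp', ports = '102' }, use = { type = 's7commplus' }, },
}

-- Rules are supplied inline via ips.rules; in a real deployment they would
-- normally live in a separate rules file. SIDs and messages are constructed.
ips =
{
    rules = [[
-- Detect an S7commplus request carrying the 'explore' function (name form).
-- The flow option keeps the match to client-to-server traffic on an
-- established session, which is where requests travel.
alert tcp any any -> any 102 ( msg:"S7commplus explore request (constructed example)"; flow:to_server,established; s7commplus_opcode:request; s7commplus_func:explore; sid:1000001; rev:1; )

-- The same pair of checks using the numeric forms shown in the option
-- descriptions above (opcode 0x31 = request, function 0x586).
alert tcp any any -> any 102 ( msg:"S7commplus request for function 0x586 (constructed example)"; flow:to_server,established; s7commplus_opcode:0x31; s7commplus_func:0x586; sid:1000002; rev:1; )

-- s7commplus_content moves the detection cursor to the start of the
-- S7commplus content, so the content match that follows is evaluated from
-- there rather than from the start of the TCP payload. The byte pattern is
-- a constructed placeholder, not a real protocol signature.
alert tcp any any -> any 102 ( msg:"S7commplus content pattern (constructed example)"; flow:to_server,established; s7commplus_content; content:"|01 02 03 04|"; sid:1000003; rev:1; )
]]
}
```

To exercise the fragment offline against a capture, run Snort with this file as its configuration and a pcap as input, for example `snort -c snort.lua -r s7commplus.pcap -A alert_fast`; without the s7commplus table and the binder entry the service inspector never runs, and rules using these options will never match.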