S7CommPlus Specific Options

S7 Communication (S7Comm) and S7CommPlus are Siemens protocols used by programmable logic controllers (PLCs) of the Siemens S7-300/400 and S7-1500/1200 (v4.0) families. Traffic for this service typically runs on TCP port 102.

S7Comm and S7CommPlus data is carried in the payload of Connection Oriented Transport Protocol (COTP) data packets. Snort 3 features an S7CommPlus service inspector that provides three rule options: s7commplus_content, s7commplus_func, and s7commplus_opcode.

To use the s7commplus rule options, the inspector must be enabled and an appropriate binder entry added to the Snort 3 config. For example:

-- enable the s7commplus wizard support
wizard = { curses = {'s7commplus'}, }
-- enable the s7commplus service inspector
s7commplus = { }
-- add the s7commplus binder entry
binder =
{
    { when = { service = 's7commplus' },       use = { type = 's7commplus' } },
    { use = { type = 'wizard' } }
}

s7commplus_content

The s7commplus_content rule option sets the detection cursor to the start of the S7CommPlus content, so that content and other cursor-relative options that follow it match against the S7CommPlus payload rather than the full packet.

Format:

s7commplus_content;

Examples:

s7commplus_content;
content:"|01 02 03 04|";

s7commplus_func

The s7commplus_func rule option is used to check for a particular S7CommPlus function code.

This option takes a single argument, either the name of a function code or its integer value. The currently supported function names and codes can be found in the Snort 3 source code.

Format:

s7commplus_func:{function_code_name|function_code_number};

Examples:

s7commplus_func:explore;
s7commplus_func:0x586;

s7commplus_opcode

The s7commplus_opcode rule option is used to check for a particular S7CommPlus opcode.

This option takes a single argument, either the name of an opcode or its integer value. The currently supported opcode names and codes can be found in the Snort 3 source code.

Format:

s7commplus_opcode:{opcode_code_name|opcode_code_number};

Examples:

s7commplus_opcode:request;
s7commplus_opcode:0x31;
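The three options are normally combined in one rule: the opcode and function code narrow the match to a specific kind of S7CommPlus message, and s7commplus_content then anchors a byte pattern to the start of that message. The rules below are an added example, not part of the Snort 3 documentation or source; they reuse the request opcode, the explore function code and the |01 02 03 04| pattern shown above, while the msg text, the TCP port 102 header, the flow option and the sid/rev values (sid 1000001 and 1000002, chosen from the local rule range) are assumptions for this example.

```snort
# Added example rules for the S7CommPlus inspector (not from the Snort 3 docs).
# Assumes the s7commplus inspector, wizard and binder entries from the config
# section above are present in snort.lua.

# Rule 1: client-to-server explore request (names from the page) carrying the
# constructed marker bytes 01 02 03 04 at the start of the S7CommPlus content.
alert tcp any any -> any 102 (
    msg:"S7CommPlus explore request with marker bytes";
    flow:to_server,established;
    s7commplus_opcode:request;
    s7commplus_func:explore;
    s7commplus_content;
    content:"|01 02 03 04|";
    sid:1000001; rev:1;
)

# Rule 2: the same match written with the numeric forms from the page
# (opcode 0x31, function code 0x586) instead of the symbolic names.
alert tcp any any -> any 102 (
    msg:"S7CommPlus explore request (numeric codes)";
    flow:to_server,established;
    s7commplus_opcode:0x31;
    s7commplus_func:0x586;
    s7commplus_content;
    content:"|01 02 03 04|";
    sid:1000002; rev:1;
)
```

Because s7commplus_content moves the cursor before the content match, the pattern must appear at the beginning of the S7CommPlus data; without it, content would search the whole packet payload, including the COTP header, and could match in the wrong place. The two rules are equivalent, so only one would be loaded in practice; the second is included to show the numeric argument form.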