suricata备忘录

spm: single pattern match

mpm: multi pattern matcher

bm: boyer moore

hs: hyperscan

ppt: packet processing thread

cidr: classless inter-domain routing, such as a.b.c.d/x

tsap: transport service access point

scada: supervisory control and data acquisition

协议：

opc: ole for process control/Microsoft opcua/tcp/started bytes/ opcda/dcerpc/started bytes/modbus: /port 502/Schneider rtu: remote terminal unit ascii tcps7comm: /port 102/*(base + 7) == 0x32/Siemens tpkt: cotp: connection-oriented transport protocol ed: 0x1, expedited data ea: 0x2, expedited data acknowledgement ud: 0x4, user data rj: 0x5, reject dr: 0x8, disconnect request dc: 0xC, disconnect confirm cc: 0xD, connect confirm cr: 0xE, connect request dt: 0xF, data rosctr: remote operating service controlbacnet/ip: building automation and control networks/udp/port 47808/ISO standards bvlc: bacnet virtual link control npdu: bacnet network layer apdu: bacnet application layer bbmd: bacnet/ip broadcast management deviceethernet-ip: /ODVA cip: common industrial protocol/tcp/port 44818 cip i/o: /udp/port 2222iec: International Electrotechnical Commission iec60870-5: 101: basic telecontrol tasks 104: network access for iec60870-5-101 iec104: /tcp/port 2404/*base == 0x68/ apdu: application protocol data unit apci: application protocol control information cf1: first control field i-format: information transfer format/cf1 == 0/variable length s-format: numbered supervisory functions/cf1 == 01/fixed length u-format: unnumbered control functions/cf1 == 11/fixed length asdu: application service data unit sq: structure qualifier cot: cause of transmission oa: originator address ioa: information object address siq: single point of information diq: double point information sco: single command dco: double command rco: regulating step command vti: value with transient state indication sva: scaled value coa: common address of asdu 102/电量 103/保护 iec61850: smv: iec61850-9-2 goose: 通用变电站事件 sntp: 时间同步 acsi: abstract service communication interface mms: manufacturing message specification/port 102/ tpkt cotp vmd: virtual manufacturing device gsse: 通用变站状态事件dnp3: distributed network protocol/port 20000/resembles iec60870-5 FT3 rtu: remote terminal unit ied: intelligent electronic device iccp: inter-control center communications protocol data link layer prm: primary fcb: frame count bit fcv: frame count valid bit dfc: data flow control bit application layer apci: application protocol control information fir: first fragment fin: final fragment con: expect a confirmationfins: /tcp/port 9600/

分析pcap文件

#--runmode singlesuricata -c /path/to/suricata.yaml -r /path/to/sample.pcap --runmode autofp

plc protocol in https://github.com/wireshark/wireshark/tree/master

Siemens S7 /epan/dissectors/packet-s7comm.c 西门子PLC支持的通讯协议 MMS(IEC61850) /asn1/mms 输配电通讯协议 GOOSE(IEC61850) /asn1/goose 输配电通讯协议 SV(IEC61850) /asn1/sv 输配电通讯协议 Modbus /epan/dissectors/packet-mbtcp.c 工控标准协议 OPC DA /epan/dissectors/packet-dcom.c 工控标准协议 FF HSE /epan/dissectors/packet-ff.c 基金会现场总线以太网通信协定 IEC 104 /epan/dissectors/packet-iec104.c 输配电通讯协议 Ethernet POWERLINK /epan/dissectors/packet-epl.c 开放式实时以太网通信 OPC UA /plugins/opcua/opcua.c OPC新一代标准 HART-IP /epan/dissectors/packet-hartip.c 高速可寻址远程传感器协议 CoAP /epan/dissectors/packet-coap.c 轻量应用层协议 Omron FINS /epan/dissectors/packet-omron-fins.c 欧姆龙PLC支持的通讯协定 openSAFETY /epan/dissectors/packet-opensafety.c 开源安全应用协议 EGD(Ethernet Global Data) /epan/dissectors/packet-egd.c GE Fanuc为PLC开发的通讯协定 DNP3 /epan/dissectors/packet-dnp.c 分布式网络协议，主要用于电力行业 Sinec H1 /epan/dissectors/packet-h1.c 西门子PLC支持的通讯协议 Profinet /plugins/profinet/ 开放式的工业以太网通讯协定 EtherCAT /plugins/ethercat/ 德国Beckhoff公司推动的开放式实时以太网通讯协定 SERCOS III /epan/dissectors/packet-sercosiii.c 实时以太网通讯协定 RTPS /epan/dissectors/packet-rtps.c 实时流传输协议 TTEthernet /epan/dissectors/packet-tte.c 实时以太网通讯协定 CDT /dissectors/packet-cdt.c 远动规约 EtherNet/IP /epan/dissectors/packet-etherip.c 工业通讯协定（Industrial Protocol），是一种CIP的实现方式，由罗克韦尔自动化公司所设计 CIP /epan/dissectors/packet-cip.c 通用工业协定 CIP Safety /epan/dissectors/packet-cipsafety.c 安全通用工业协定 DeviceNet /epan/dissectors/ packet-devicenet.c 一种CIP的实现方式，由Allen-Bradley公司所设计 BACnet /epan/dissectors/packet-bacnet.c 楼宇自动控制网络数据通讯协议 KNXnet/IP /epan/dissectors/packet-knxnetip.c 住宅和楼宇控制标准 Lontalk /epan/dissectors/packet-lon.c 埃施朗公司的LonWorks技术所使用的通讯协议 CANopen /epan/dissectors/packet-canopen.c 控制局域网通讯协定 SAE J1939 /epan/dissectors/packet-j1939.c 一种CAN的变种，适用在农业车辆及商用车辆 USITT DMX512-A /epan/dissectors/packet-dmx.c 灯光控制数据传输协议 BSSAP/BSAP /epan/dissectors/packet-bssap.c 由Bristol Babcock Inc发展的通讯协定 Gryphon /plugins/gryphon 车用通讯协定 ZigBee /epan/dissectors/packet-zbee.h 开放式的无线通讯协定

摘自：http://euhat.com/wp/2021/08/05/suricata%E5%A4%87%E5%BF%98%E5%BD%95/