Snort - digital bond rules/preprocessors
-
Guys, any chance we could get the following rules and preprocessors installed in the Snort package?
Cheers
http://www.digitalbond.com/tools/quickdraw/
-
We've integrated those into a private build before, but deprecated it in favor of a better approach we wrote from scratch that can actually do proper filtering of SCADA protocols. The major work with Quickdraw is that no one keeps it up to date for new Snort versions, and the patches wouldn't apply to every new version, so it requires a decent amount of work for every Snort update. Probably a couple of weeks a year of a dev's time. If I had that to spare on Snort work, it'd be improving the package in general first. So not likely to see that in the near future, at least.
-
That's a fair call, thanks for replying.
I tried the patches they had on their site with little success after compiling snort from source on a *nix build.
That being said I'm in the same boat as you, very little time to spare and need to come up with a proof of concept to protect SCADA networks/devices.
Would I be able to get a copy of the 'private' or 'deprecated' build to prepare a paper? Just need to do a real basic inside/outside design to show mitigation strategies. It's either that or I look at getting an ASA with the SCADA rules. :-\
Specifically interested in the EtherNet/IP and CIP rules/attacks.
Thanks again for your time
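Added example, not part of this thread and not Digital Bond's Quickdraw code: a small Python checker that implements the kind of inside/outside policy the last post describes, working on the 24-byte EtherNet/IP encapsulation header (command, length, session handle, status, sender context, options) that precedes CIP on TCP/UDP 44818. It flags session/data commands and identity scans that come from outside a constructed "inside" subnet, and also catches a header whose length field disagrees with the bytes actually present, which is the sort of sanity check a protocol preprocessor does before rules ever match. The subnet, source addresses and packets are constructed here; `build()`, `inspect()` and `run()` are the example's own names.

```python
"""Toy EtherNet/IP (ENIP) encapsulation-header checker with an inside/outside
policy. Added example only; the policy, subnet and packets are constructed."""
import struct
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ENIP_PORT = 44818  # TCP/UDP port used by EtherNet/IP encapsulation

# Encapsulation command codes from the EtherNet/IP specification.
COMMANDS = {
    0x0000: "NOP",
    0x0004: "ListServices",
    0x0063: "ListIdentity",
    0x0064: "ListInterfaces",
    0x0065: "RegisterSession",
    0x0066: "UnRegisterSession",
    0x006F: "SendRRData",
    0x0070: "SendUnitData",
}

# Constructed policy: only the plant-floor subnet may open sessions or carry
# CIP data; identity/service scans from anywhere else are treated as recon.
INSIDE = [ip_network("10.10.0.0/24")]  # assumption for the example
SESSION_CMDS = {0x0065, 0x006F, 0x0070}
RECON_CMDS = {0x0004, 0x0063, 0x0064}

# Little-endian: command(2) length(2) session(4) status(4) context(8) options(4)
HDR = struct.Struct("<HHIIQI")  # 24 bytes


@dataclass
class Alert:
    src: str
    reason: str


def parse_header(data):
    """Return the six header fields, or None if the buffer is too short."""
    if len(data) < HDR.size:
        return None
    return HDR.unpack_from(data)


def inspect(src_ip, dst_port, payload):
    """Apply header sanity checks and the inside/outside policy to one packet."""
    alerts = []
    if dst_port != ENIP_PORT:
        return alerts  # not ENIP encapsulation traffic
    hdr = parse_header(payload)
    if hdr is None:
        return [Alert(src_ip, "truncated encapsulation header")]
    cmd, length, _session, _status, _ctx, _options = hdr
    actual = len(payload) - HDR.size
    if length != actual:
        alerts.append(Alert(src_ip, f"length field {length} != actual {actual}"))
    if cmd not in COMMANDS:
        alerts.append(Alert(src_ip, f"unknown command 0x{cmd:04x}"))
    inside = any(ip_address(src_ip) in net for net in INSIDE)
    if not inside:
        if cmd in SESSION_CMDS:
            alerts.append(Alert(src_ip, f"{COMMANDS[cmd]} from outside"))
        elif cmd in RECON_CMDS:
            alerts.append(Alert(src_ip, f"{COMMANDS[cmd]} recon from outside"))
    return alerts


def build(cmd, payload=b"", session=0, ctx=0):
    """Construct a well-formed encapsulation packet for the examples below."""
    return HDR.pack(cmd, len(payload), session, 0, ctx, 0) + payload


# Constructed sample traffic: (source IP, destination port, bytes).
SAMPLE = [
    ("10.10.0.5", ENIP_PORT, build(0x0065, b"\x01\x00\x00\x00")),   # inside RegisterSession: clean
    ("192.0.2.9", ENIP_PORT, build(0x0063)),                        # outside ListIdentity: recon
    ("192.0.2.9", ENIP_PORT, HDR.pack(0x006F, 100, 1, 0, 0, 0) + b"\x00" * 4),  # bad length + outside data
    ("10.10.0.7", ENIP_PORT, build(0x0099)),                        # inside, unknown command
]


def run(samples=SAMPLE):
    """Inspect every sample packet and return the flattened alert list."""
    out = []
    for src, port, pkt in samples:
        out.extend(inspect(src, port, pkt))
    return out


if __name__ == "__main__":
    for a in run():
        print(f"{a.src}: {a.reason}")
```

The length check matters as much as the policy: a header that claims more data than is present is what a hand-crafted or fuzzed packet looks like, and a rule that only matches on the command byte would never notice it.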