We are pleased to announce the beta release of some Quickdraw software components today. Quickdraw is a Digital Bond research project funded by the US Department of Homeland Security (DHS). This beta release contains the first three SCADA IDS preprocessors that were the crux of the Quickdraw project. They are:

  • DNP3
  • Ethernet Industrial Protocol (EtherNet/IP and the encapsulated CIP protocol)
  • Modbus TCP

We’ll follow up with some more detailed blog posts about functionality in the next few days, but for now here are some of the basics. This package adds three preprocessors to the Snort IDS/IPS application; these do the heavy lifting and parse the protocol into clean structures for later use. We’ve also included several detection plugins that extend the Snort rule language to allow matching on the data the preprocessors have decoded. From there you can send off an alert using the standard Snort mechanisms or the syslog support.

Specifically, the plugins in this release include matching on the Modbus/TCP function code or unit code, the DNP3 checksum and internal indications, the EtherNet/IP CIP service, and several others. If you’re comfortable with the Snort source code you can easily add more of these plugins yourself; if you’re not, you’ll have to wait for our next release, which is coming soon. We plan on adding many more plugins so that writing Snort IDS rules is simple, and we have many examples of where this is useful not only for detecting attacks, but also for troubleshooting.
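To make the preprocessor-plus-plugin idea concrete, here is an added example (not Quickdraw’s code, and not the Snort rule syntax it adds): a small Modbus/TCP decoder that pulls the unit ID and function code out of the MBAP header and PDU, followed by a hypothetical rule set that matches on those decoded fields the way the post describes. The frames are constructed for the example, not captured from any device.

```python
import struct
from dataclasses import dataclass
from typing import Optional

MBAP_LEN = 7  # Transaction ID (2), Protocol ID (2), Length (2), Unit ID (1)


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function_code: int  # bit 7 set marks an exception response
    data: bytes


def parse_modbus_tcp(payload: bytes) -> Optional[ModbusFrame]:
    """Decode one Modbus/TCP ADU (MBAP header + PDU); None if malformed."""
    if len(payload) < MBAP_LEN + 1:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:MBAP_LEN])
    # Protocol ID is always 0 for Modbus; Length counts Unit ID plus the PDU.
    if proto != 0 or length != len(payload) - 6:
        return None
    return ModbusFrame(tid, unit, payload[MBAP_LEN], payload[MBAP_LEN + 1:])


# Hypothetical rules keyed on decoded fields (function code, unit id, exception bit).
RULES = [
    {"sid": 1, "msg": "Modbus write single coil", "function_code": 0x05},
    {"sid": 2, "msg": "Modbus write multiple registers to unit 1",
     "function_code": 0x10, "unit_id": 1},
    {"sid": 3, "msg": "Modbus exception response", "exception": True},
]


def match_rules(frame: ModbusFrame, rules=RULES) -> list:
    """Return the sids of every rule whose conditions the frame satisfies."""
    hits = []
    for rule in rules:
        if "function_code" in rule and frame.function_code != rule["function_code"]:
            continue
        if "unit_id" in rule and frame.unit_id != rule["unit_id"]:
            continue
        if rule.get("exception") and not frame.function_code & 0x80:
            continue
        hits.append(rule["sid"])
    return hits


# Constructed sample traffic: read regs, write coil, write regs, exception, bad proto id.
SAMPLE_FRAMES = [bytes.fromhex(h) for h in (
    "00010000000601030000000a", "00020000000601050013ff00",
    "00030000000b01100001000204000a0102", "000400000003018502",
    "00050001000601030000000a")]


def scan(frames) -> list:
    """Run every frame through the decoder and rules; yield (transaction id, sid) alerts."""
    alerts = []
    for raw in frames:
        frame = parse_modbus_tcp(raw)
        if frame is None:
            alerts.append(("malformed", None))  # decoder rejected the frame
            continue
        alerts.extend((frame.transaction_id, sid) for sid in match_rules(frame))
    return alerts
```

The same split applies to the real thing: the preprocessor owns the decoding, and the rule writer only has to name the field values to alert on.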

We appreciate any feedback you have and will continue working on this project to make these modules as useful as possible. Look for updates coming regularly, and more specific details on using and extending Quickdraw here and on the Scadapedia.

Key Links:

  • Main SCADApedia documentation page on SCADA IDS Preprocessors
  • SCADA IDS Preprocessors download page

Dale’s Note – Like many research projects, we have learned a lot in the program. My guess is that two or three years from now these SCADA preprocessors will be viewed as the major contribution from this research program. Not only are they needed to detect and write security events for legacy field devices – Quickdraw – but they are also hugely useful in enabling and making more effective many more SCADA IDS/IPS rules, adding deep inspection to field firewalls and probably three or four uses we have not thought about yet. Once you have easy access to the decoded SCADA protocol fields there is a lot that becomes much easier.

Congratulations to Daniel and Victor Julien from the Netherlands for some really great work.

As Daniel said, we will follow up with some very practical posts and examples on how these SCADA IDS Preprocessors can be used.