Abstract
The paper addresses the problem of intrusion detection in industrial networks. A novel approach to processing non-IP protocols in the Snort Intrusion Detection System is presented, based on the Snort Data Acquisition Module (DAQ). An example implementation for the industry-standard Modbus RTU protocol is presented, which allows Snort to process Modbus RTU frames natively, without the need for external programs or hardware and without modification of the Snort code. The structure of the implementation and the frame processing path are outlined. The solution is compared against existing attempts to process Modbus family protocols in Snort IDS. Results of tests in a virtualised environment are given, together with indications of future work.
© 2013 Springer International Publishing Switzerland
Tylman, W. (2013). Native Support for Modbus RTU Protocol in Snort Intrusion Detection System. In: Zamojski, W., Mazurkiewicz, J., Sugier, J., Walkowiak, T., Kacprzyk, J. (eds) New Results in Dependability and Computer Systems. Advances in Intelligent Systems and Computing, vol 224. Springer, Heidelberg. https://doi.org/10.1007/978-3-319-00945-2_44
DOI: https://doi.org/10.1007/978-3-319-00945-2_44
Publisher Name: Springer, Heidelberg
Print ISBN: 978-3-319-00944-5
Online ISBN: 978-3-319-00945-2
eBook Packages: Chemistry and Materials Science (R0)