-
Notifications
You must be signed in to change notification settings - Fork 64
/
bacnet.rules
27 lines (27 loc) · 2.38 KB
/
bacnet.rules
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
# Version 1.0 06 March 2015
# 1.0 - Initial Release - Stephen Hilt (hilt at digitalbond dot com)
#
#
####################################################################
# Variables to set in snort.conf
# BACNET_CLIENT IP addresses of valid BACnet clients
# BACNET_DEVICES IP addresses of valid BACnet Devices
#
#-----------------------------
# Alert on a Foreign Device Join attempt
alert udp any any -> any 47808 (content: "|05|"; offset: 1; depth: 1; msg: "BACnet Foreign Device Join Attempt";sid:1111701;priority:3;rev:1;)
# Alert on Foreign Device Join attempt by non authorized host
alert udp !$BACNET_CLIENT any -> any 47808 (content: "|05|"; offset:1; depth:1; msg:"BACnet foreign Device Join Attempt From Non Authorized Host"; sid:1111702;priority:1;rev:1;)
# Alert on a Non Acknowledgement (NAK) of a foreign Device join, this is a device denying access to join to the FDT
alert udp any 47808 -> any any (content: "|00 30|"; offset: 4; depth: 2; msg: "BACnet Register-Foreign-Device NAK";sid:1111703;;priority:3;rev:1;)
# Alert on a BACnet Read Property Attempt, this rule can be altered to allow specific hosts that are allowed to read properties
alert udp any any -> any 47808 (content: "|0c|"; offset: 10; depth: 1; msg: "BACnet Read Property Attempt";sid:1111704;;priority:3;rev:1;)
alert udp !$BACNET_CLIENT any -> any 47808 (content: "|0c|"; offset: 10; depth: 1; msg: "BACnet Read Property Attempt From Non Authorized Host";sid:1111705;priority:1;rev:1;)
# Alert on the attempt of a Read-Foreign-Device-Table
alert udp any any -> any 47808 (content: "|06|"; offset: 1; depth: 1; msg: "BACnet Read-Foreign-Device-Table Attempt";sid:1111706;priority:3;rev:1;)
# If foreign device read is replied with a NAK then this will trigger an alert
alert udp any 47808 -> any any (content: "|00 40|"; offset: 4; depth: 2; msg: "BACnet Read-Foreign-Device-Table NAK, Device was denied access to reading the FDT";sid:1111707;priority:3;rev:1;)
# Alert if there is a Read-Broadcast-Distribution-Table Attempt (BDT)
alert udp any any -> any 47808 (content: "|02|"; offset: 1; depth: 1; msg: "BACnet Read-Broadcast-Distribution-Table Attempt";sid:1111708;priority:3;rev:1;)
# Alter if there is a Read-Broadcast-Distribution-Table NAK
alert udp any 47808 -> any any (content: "|00 20|"; offset: 4; depth: 2; msg: "BACnet Read-Broadcast-Distribution-Table NAK, Device was denied access to reading the BDT";sid:1111709;priority:3;rev:1;)