I am trying to define a sub-set on my HOME_NET IP addresses that will be allowed to send certain DNP3 messages without alerting. I wanted to create a variable in the suricata.yaml file under the address-groups section. I called the variable KNOWN_DNP3 and have the IPs that I want to allow to send the DNP3 traffic, thusly:
KNOWN_DNP3: "[10.17.2.2,10.100.27,61]"
Then in my rules, to test things, I first wrote a rule to alert me when either of these sent DNP3 traffic.
alert dnp3 $KNOWN_DNP3 any -> $HOME_NET any (msg:"Traffic from KNOWN_DNP3 address"; target:dest_ip; sid:1000016; rev:1;)
Later, I plan on restricting it to specific group/variation and using the ! to let me know when those come from another IP, but for the moment I just want to see if I can get this rule to fire. But it doesn’t. If I rewrite the rule and put in one of the IPs I defined in the variable in its place then it works fine, but if I try to use the variable defined in the yaml file it does not.
I have tried stopping and restarting the suricata service, as well as rebooting the entire machine, but it doesn’t seem to pay attention to the variable in the yaml file.
Any ideas on what I am doing wrong?
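A small checker for the two ways this setup can silently fail (a rule that uses an address variable the loaded suricata.yaml does not define, and a malformed address inside a group). This is an added Python example, not code from the thread or from Suricata; the yaml fragment and rules are constructed samples.

```python
import ipaddress
import re
# Constructed samples (not the poster's files): the yaml has one malformed group, the third rule misspells its variable.
SAMPLE_YAML = """\
vars:
  address-groups:
    HOME_NET: "[10.0.0.0/8,192.168.0.0/16]"
    KNOWN_DNP3: "[10.17.2.2,10.100.27.61]"
    BAD_GROUP: "[10.1.1,300.1.1.1]"
  port-groups:
    DNP3_PORTS: "20000"
"""
SAMPLE_RULES = """\
alert dnp3 $KNOWN_DNP3 any -> $HOME_NET any (msg:"Traffic from KNOWN_DNP3 address"; sid:1000016; rev:1;)
alert dnp3 !$KNOWN_DNP3 any -> $HOME_NET $DNP3_PORTS (msg:"DNP3 from unexpected source"; sid:1000017; rev:1;)
alert dnp3 $KNOWN_DNP4 any -> $HOME_NET any (msg:"typo in variable name"; sid:1000018; rev:1;)
"""
def parse_address_groups(yaml_text):
    """Collect NAME: "[a,b,...]" entries under address-groups (minimal parser, no PyYAML needed)."""
    groups, block_indent = {}, None
    for line in yaml_text.splitlines():
        stripped, indent = line.strip(), len(line) - len(line.lstrip())
        if stripped.startswith("address-groups:"):
            block_indent = indent
        elif block_indent is not None and stripped and indent <= block_indent:
            block_indent = None                       # dedented out of the block (here: port-groups)
        elif block_indent is not None and (m := re.match(r'(\w+):\s*"?\[?([^"\]]*)\]?"?\s*$', stripped)):
            groups[m.group(1)] = [t.strip() for t in m.group(2).split(",") if t.strip()]
    return groups

def invalid_addresses(tokens):
    """Tokens that are not a valid IP/CIDR, 'any', or a $reference (a leading '!' negation is fine)."""
    def ok(t):
        t = t.lstrip("!")
        try:
            return t == "any" or t.startswith("$") or ipaddress.ip_network(t, strict=False) is not None
        except ValueError:
            return False
    return [t for t in tokens if not ok(t)]

def undefined_vars(rules_text, groups):
    """Map rule sid -> $variables in the src/dst address fields that address-groups does not define."""
    problems = {}
    for line in rules_text.splitlines():
        parts = line.split("(")[0].split()            # action proto src sport dir dst dport
        if len(parts) >= 7 and not line.startswith("#"):
            missing = sorted(v for v in re.findall(r"\$(\w+)", parts[2] + " " + parts[5]) if v not in groups)
            if missing:
                problems[re.search(r"sid:\s*(\d+)", line).group(1)] = missing
    return problems
```

Point it at the suricata.yaml the running instance actually loads (the path given with -c), since a second copy elsewhere is easy to edit by mistake; suricata -T -c <that file> -S <rules> performs the same variable check with the real parser.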
Hi Paul,
Which version of Suricata are you using?
You have the right setup, so I was wondering why this wasn't working for you. I set up the same config settings as you have and was running into issues with the dnp3 parser properly detecting dnp3 traffic.
I switched to an http pcap and was able to alert with the same settings you have just substituting http where you have dnp3 in the sample alert.
This leads me to wonder if you are running into a dnp3 parser issue. I was seeing Warning: app-layer-dnp3: Failed to set event, state or tx pointer was NULL. [DNP3SetEvent:app-layer-dnp3.c:474]
in my logs with various pcaps from GitHub - ITI/ICS-pcap: A collection of ICS/SCADA PCAPs. The pcaps I was using appear to have the proper handshakes and are using the defined dnp3 port, so I am curious if you are seeing the same.
Would you be able to share a pcap?
So, it turned out that for SOME reason, I had two suricata.yaml files in different locations. I was modding the wrong one, so naturally it didn’t work!
That would do it, glad you all got it sorted out!
JT