Hey everyone,
Long time, no post. I wanted to talk about a set of signatures that Rockwell and CISA collaborated on to provide coverage for CVE-2023-3595 and CVE-2023-3596. Take a look at the CISA advisory here for more details.
To make a long story short, Rockwell provided a set of rules in a downloadable PDF, for Snort 3 and Snort 2.9.x, to help detect possible exploitation attempts. If you'd like to see the PDF in question, you'll need to create an account on the Rockwell Automation support site and navigate to this page.
Snort 3 has a robust ENIP/CIP preprocessor/handler, which enables some nice rule options. Suricata also has a nice ENIP/CIP handler, but in the default suricata.yaml it is disabled. To make a bit of a long story short here, there are some limitations right now that are preventing us from shipping these rules as part of the official ET ruleset:
–We need to make some slight changes to our QA environment to enable the ENIP/CIP preprocessors before we can properly QA these rules. Every rule we ship must be QA checked before we can give it to customers. No exceptions. Some studious Suricata users will note that there are some rules in ET SCADA that make use of dnp3 options in spite of that preprocessor shipping disabled, but we have the preprocessor enabled in our QA environment to test those rules, and on top of that, the rules that use dnp3-specific options are disabled by default in the Suricata ruleset to prevent them from causing Suricata to crash on startup.
–We don't really like to give customers rules that use features that are disabled by default in suricata.yaml. So, to work around that, I looked at the Snort 2.9.x version of the rules provided, and one of the options those rules used was byte_test with the bitmask feature. Well, it turns out that up until Suricata 6, the bitmask feature was not implemented. Rules that we ship have to be compatible with Snort 2.9.x, with Suricata 4 if possible, and with Suricata 5 and above. Because of the problems with bitmask in versions prior to Suricata 6, this wasn't going to happen.
So, my options were to do nothing, or to make the rules available via an official channel and let you, as users, enable them as you see fit until such a time as our QA environment is configured to allow us to officially ship rules that make use of ENIP/CIP handler features. So, here are some rules for Snort 2.9.x and Suricata 5.x for the aforementioned Rockwell Automation CVEs:
- Suricata 5.x:
alert enip any any -> any 44818 (msg:"ET SCADA [Rockwell/CISA] ENIP CIP Socket Object unconnected ucmmread with unusual length detected"; flow:established,to_server; cip_service:77,834; content:"|6f 00|"; depth:2; content:"|B2 00|"; offset:30; depth:90; content:"|52|"; within:1; distance:2; byte_jump:1,0,relative,multiplier 2; content:"|4D|"; within:1; distance:4; byte_jump:1,0,relative,multiplier 2; byte_test:4,>,0x7FFFFFFF,4,relative,little; classtype:attempted-admin; reference:cve,2023-3595; reference:cve,2023-3596; sid:1000001; rev:2;)
alert enip any any -> any 44818 (msg:"ET SCADA [Rockwell/CISA] ENIP CIP Socket Object connected read with unusual length detected"; flow:established,to_server; cip_service:77,834; content:"|70 00|"; depth:2; content:"|B1 00|"; offset:30; depth:90; content:"|4D|"; within:1; distance:4; byte_jump:1,0,relative,multiplier 2; byte_test:4,>,0x7FFFFFFF,4,relative,little; classtype:attempted-admin; reference:cve,2023-3595; reference:cve,2023-3596; sid:1000002; rev:2;)
alert enip any any -> any 44818 (msg:"ET SCADA [Rockwell/CISA] ENIP CIP Socket Object connected ucmm read with unusual length detected"; flow:established,to_server; cip_service:77,834; content:"|70 00|"; depth:2; content:"|B1 00|"; offset:30; depth:90; content:"|52|"; within:1; distance:4; byte_jump:1,0,relative,multiplier 2; content:"|4D|"; within:1; distance:4; byte_jump:1,0,relative,multiplier 2; byte_test:4,>,0x7FFFFFFF,4,relative,little; classtype:attempted-admin; reference:cve,2023-3595; reference:cve,2023-3596; sid:1000003; rev:2;)
alert enip any any -> any 44818 (msg:"ET SCADA [Rockwell/CISA] ENIP CIP Vendor Specific Object unconnected parameter 1 contains unusual length"; flow:established,to_server; cip_service:80,849; content:"|6f 00|"; depth:2; content:"|B2 00|"; offset:30; depth:90; content:"|50|"; within:1; distance:2; byte_jump:1,0,relative,multiplier 2; byte_test:4,>,64,0,relative,little; classtype:attempted-admin; reference:cve,2023-3595; reference:cve,2023-3596; sid:1000004; rev:2;)
alert enip any any -> any 44818 (msg:"ET SCADA [Rockwell/CISA] ENIP CIP Vendor Specific Object unconnected parameter 2 contains unusual length"; flow:established,to_server; cip_service:80,849; content:"|6f 00|"; depth:2; content:"|B2 00|"; offset:30; depth:90; content:"|50|"; within:1; distance:2; byte_jump:1,0,relative,multiplier 2; byte_jump:4,0,relative,little; byte_test:4,>,64,0,relative,little; classtype:attempted-admin; reference:cve,2023-3595; reference:cve,2023-3596; sid:1000005; rev:2;)
alert enip any any -> any 44818 (msg:"ET SCADA [Rockwell/CISA] ENIP CIP Vendor Specific Object unconnected ucmm parameter 1 contains unusual length"; flow:established,to_server; cip_service:80,849; content:"|6f 00|"; depth:2; content:"|B2 00|"; offset:30; depth:90; content:"|52|"; within:1; distance:2; byte_jump:1,0,relative,multiplier 2; content:"|50|"; within:1; distance:4; byte_jump:1,0,relative,multiplier 2; byte_test:4,>,64,0,relative,little; classtype:attempted-admin; reference:cve,2023-3595; reference:cve,2023-3596; sid:1000006; rev:2;)
alert enip any any -> any 44818 (msg:"ET SCADA [Rockwell/CISA] ENIP CIP Vendor Specific Object attribute with unusual length detected"; flow:established,to_server; cip_service:80,849; content:"|6f 00|"; depth:2; content:"|B2 00|"; offset:30; depth:90; content:"|52|"; within:1; distance:2; byte_jump:1,0,relative,multiplier 2; content:"|50|"; within:1; distance:4; byte_jump:1,0,relative,multiplier 2; byte_jump:4,0,relative,little; byte_test:4,>,64,0,relative,little; classtype:attempted-admin; reference:cve,2023-3595; reference:cve,2023-3596; sid:1000007; rev:2;)
alert enip any any -> any 44818 (msg:"ET SCADA [Rockwell/CISA] ENIP CIP Vendor Specific Object connected parameter 1 contains unusual length"; flow:established,to_server; cip_service:80,849; content:"|70 00|"; depth:2; content:"|B1 00|"; offset:30; depth:90; content:"|50|"; within:1; distance:4; byte_jump:1,0,relative,multiplier 2; byte_test:4,>,64,0,relative,little; classtype:attempted-admin; reference:cve,2023-3595; reference:cve,2023-3596; sid:1000008; rev:2;)
alert enip any any -> any 44818 (msg:"ET SCADA [Rockwell/CISA] ENIP CIP Vendor Specific Object connected parameter 2 with unusual length"; flow:established,to_server; cip_service:80,849; content:"|70 00|"; depth:2; content:"|B1 00|"; offset:30; depth:90; content:"|50|"; within:1; distance:4; byte_jump:1,0,relative,multiplier 2; byte_jump:4,0,relative,little; byte_test:4,>,64,0,relative,little; classtype:attempted-admin; reference:cve,2023-3595; reference:cve,2023-3596; sid:1000009; rev:2;)
alert enip any any -> any 44818 (msg:"ET SCADA [Rockwell/CISA] ENIP CIP Vendor Specific Object connected ucmm parameter 1 contains unusual length"; flow:established,to_server; cip_service:80,849; content:"|70 00|"; depth:2; content:"|B1 00|"; offset:30; depth:90; content:"|52|"; within:1; distance:4; byte_jump:1,0,relative,multiplier 2; content:"|50|"; within:1; distance:4; byte_jump:1,0,relative,multiplier 2; byte_test:4,>,64,0,relative,little; classtype:attempted-admin; reference:cve,2023-3595; reference:cve,2023-3596; sid:1000010; rev:2;)
alert enip any any -> any 44818 (msg:"ET SCADA [Rockwell/CISA] ENIP CIP Vendor Specific Object connected ucmm parameter 2 with unusual length"; flow:established,to_server; cip_service:80,849; content:"|70 00|"; depth:2; content:"|B1 00|"; offset:30; depth:90; content:"|52|"; within:1; distance:4; byte_jump:1,0,relative,multiplier 2; content:"|50|"; within:1; distance:4; byte_jump:1,0,relative,multiplier 2; byte_jump:4,0,relative,little; byte_test:4,>,64,0,relative,little; classtype:attempted-admin; reference:cve,2023-3595; reference:cve,2023-3596; sid:1000011; rev:2;)
- Snort 2.9.x:
alert tcp any any -> any 44818 (msg:"ET SCADA [Rockwell/CISA] ENIP CIP Socket Object unconnected read with unusual length detected"; flow:established,to_server; content:"|42 03|"; fast_pattern; content:"|6F 00|"; depth:2; content:"|B2 00|"; offset:30; depth:90; content:"|4D|"; within:1; distance:2; byte_jump:1,0,relative,multiplier 2; byte_test:4,>,0x7FFFFFFF,4,relative,little; content:"|B2 00|"; offset:30; depth:90; content:"|4D|"; within:1; distance:2; byte_extract:1,0,toss,relative,multiplier 2; content:"|42 03|"; within:toss; byte_test:1,=,8,-4,relative,bitmask fc; classtype:attempted-admin; reference:cve,2023-3595; reference:cve,2023-3596; sid:1000000; rev:3;)
alert tcp any any -> any 44818 (msg:"ET SCADA [Rockwell/CISA] ENIP CIP Socket Object unconnected ucmm read with unusual length detected"; flow:established,to_server; content:"|42 03|"; fast_pattern; content:"|6F 00|"; depth:2; content:"|B2 00|"; offset:30; depth:90; content:"|52|"; within:1; distance:2; byte_jump:1,0,relative,multiplier 2; content:"|4D|"; within:1; distance:4; byte_jump:1,0,relative,multiplier 2; byte_test:4,>,0x7FFFFFFF,4,relative,little; content:"|B2 00|"; offset:30; depth:90; content:"|52|"; within:1; distance:2; byte_jump:1,0,relative,multiplier 2; content:"|4D|"; within:1; distance:4; byte_extract:1,0,toss,relative,multiplier 2; content:"|42 03|"; within:toss; byte_test:1,=,8,-4,relative,bitmask fc; classtype:attempted-admin; reference:cve,2023-3595; reference:cve,2023-3596; sid:1000001; rev:3;)
alert tcp any any -> any 44818 (msg:"ET SCADA [Rockwell/CISA] ENIP CIP Socket Object connected read with unusual length detected"; flow:established,to_server; content:"|42 03|"; fast_pattern; content:"|70 00|"; depth:2; content:"|B1 00|"; offset:30; depth:90; content:"|4D|"; within:1; distance:4; byte_jump:1,0,relative,multiplier 2; byte_test:4,>,0x7FFFFFFF,4,relative,little; content:"|B1 00|"; offset:30; depth:90; content:"|4D|"; within:1; distance:4; byte_extract:1,0,toss,relative,multiplier 2; content:"|42 03|"; within:toss; byte_test:1,=,8,-4,relative,bitmask fc; classtype:attempted-admin; reference:cve,2023-3595; reference:cve,2023-3596; sid:1000002; rev:2;)
alert tcp any any -> any 44818 (msg:"ET SCADA [Rockwell/CISA] ENIP CIP Socket Object connected ucmm read with unusual length detected"; flow:established,to_server; content:"|42 03|"; fast_pattern; content:"|70 00|"; depth:2; content:"|B1 00|"; offset:30; depth:90; content:"|52|"; within:1; distance:4; byte_jump:1,0,relative,multiplier 2; content:"|4D|"; within:1; distance:4; byte_jump:1,0,relative,multiplier 2; byte_test:4,>,0x7FFFFFFF,4,relative,little; content:"|B1 00|"; offset:30; depth:90; content:"|52|"; within:1; distance:4; byte_jump:1,0,relative,multiplier 2; content:"|4D|"; within:1; distance:4; byte_extract:1,0,toss,relative,multiplier 2; content:"|42 03|"; within:toss; byte_test:1,=,8,-4,relative,bitmask fc; classtype:attempted-admin; reference:cve,2023-3595; reference:cve,2023-3596; sid:1000003; rev:2;)
alert tcp any any -> any 44818 (msg:"ET SCADA [Rockwell/CISA] ENIP CIP Vendor Specific Object unconnected parameter 1 contains unusual length"; flow:established,to_server; content:"|51 03|"; fast_pattern; content:"|6F 00|"; depth:2; content:"|B2 00|"; offset:30; depth:90; content:"|50|"; within:1; distance:2; byte_jump:1,0,relative,multiplier 2; byte_test:4,>,64,0,relative,little; content:"|B2 00|"; offset:30; depth:90; content:"|50|"; within:1; distance:2; byte_extract:1,0,toss,relative,multiplier 2; content:"|51 03|"; within:toss; byte_test:1,=,8,-4,relative,bitmask fc; classtype:attempted-admin; reference:cve,2023-3595; reference:cve,2023-3596; sid:1000004; rev:3;)
alert tcp any any -> any 44818 (msg:"ET SCADA [Rockwell/CISA] ENIP CIP Vendor Specific Object unconnected parameter 2 contains unusual length"; flow:established,to_server; content:"|51 03|"; fast_pattern; content:"|6F 00|"; depth:2; content:"|B2 00|"; offset:30; depth:90; content:"|50|"; within:1; distance:2; byte_jump:1,0,relative,multiplier 2; byte_jump:4,0,relative,little; byte_test:4,>,64,0,relative,little; content:"|B2 00|"; offset:30; depth:90; content:"|50|"; within:1; distance:2; byte_extract:1,0,toss,relative,multiplier 2; content:"|51 03|"; within:toss; byte_test:1,=,8,-4,relative,bitmask fc; classtype:attempted-admin; reference:cve,2023-3595; reference:cve,2023-3596; sid:1000005; rev:3;)
alert tcp any any -> any 44818 (msg:"ET SCADA [Rockwell/CISA] ENIP CIP Vendor Specific Object unconnected ucmm parameter 1 contains unusual length"; flow:established,to_server; content:"|51 03|"; fast_pattern; content:"|6F 00|"; depth:2; content:"|B2 00|"; offset:30; depth:90; content:"|52|"; within:1; distance:2; byte_jump:1,0,relative,multiplier 2; content:"|50|"; within:1; distance:4; byte_jump:1,0,relative,multiplier 2; byte_test:4,>,64,0,relative,little; content:"|B2 00|"; offset:30; depth:90; content:"|52|"; within:1; distance:2; byte_jump:1,0,relative,multiplier 2; content:"|50|"; within:1; distance:4; byte_extract:1,0,toss,relative,multiplier 2; content:"|51 03|"; within:toss; byte_test:1,=,8,-4,relative,bitmask fc; classtype:attempted-admin; reference:cve,2023-3595; reference:cve,2023-3596; sid:1000006; rev:3;)
alert tcp any any -> any 44818 (msg:"ET SCADA [Rockwell/CISA] ENIP CIP Vendor Specific Object unconnected ucmm parameter 2 with unusual length"; flow:established,to_server; content:"|51 03|"; fast_pattern; content:"|6F 00|"; depth:2; content:"|B2 00|"; offset:30; depth:90; content:"|52|"; within:1; distance:2; byte_jump:1,0,relative,multiplier 2; content:"|50|"; within:1; distance:4; byte_jump:1,0,relative,multiplier 2; byte_jump:4,0,relative,little; byte_test:4,>,64,0,relative,little; content:"|B2 00|"; offset:30; depth:90; content:"|52|"; within:1; distance:2; byte_jump:1,0,relative,multiplier 2; content:"|50|"; within:1; distance:4; byte_extract:1,0,toss,relative,multiplier 2; content:"|51 03|"; within:toss; byte_test:1,=,8,-4,relative,bitmask fc; classtype:attempted-admin; reference:cve,2023-3595; reference:cve,2023-3596; sid:1000007; rev:3;)
alert tcp any any -> any 44818 (msg:"ET SCADA [Rockwell/CISA] ENIP CIP Vendor Specific Object connected parameter 1 contains unusual length"; flow:established,to_server; content:"|51 03|"; fast_pattern; content:"|70 00|"; depth:2; content:"|B1 00|"; offset:30; depth:90; content:"|50|"; within:1; distance:4; byte_jump:1,0,relative,multiplier 2; byte_test:4,>,64,0,relative,little; content:"|B1 00|"; offset:30; depth:90; content:"|50|"; within:1; distance:4; byte_extract:1,0,toss,relative,multiplier 2; content:"|51 03|"; within:toss; byte_test:1,=,8,-4,relative,bitmask fc; classtype:attempted-admin; reference:cve,2023-3595; reference:cve,2023-3596; sid:1000008; rev:2;)
alert tcp any any -> any 44818 (msg:"ET SCADA [Rockwell/CISA] ENIP CIP Vendor Specific Object connected parameter 2 with unusual length"; flow:established,to_server; content:"|51 03|"; fast_pattern; content:"|70 00|"; depth:2; content:"|B1 00|"; offset:30; depth:90; content:"|50|"; within:1; distance:4; byte_jump:1,0,relative,multiplier 2; byte_jump:4,0,relative,little; byte_test:4,>,64,0,relative,little; content:"|B1 00|"; offset:30; depth:90; content:"|50|"; within:1; distance:4; byte_extract:1,0,toss,relative,multiplier 2; content:"|51 03|"; within:toss; byte_test:1,=,8,-4,relative,bitmask fc; classtype:attempted-admin; reference:cve,2023-3595; reference:cve,2023-3596; sid:1000009; rev:2;)
alert tcp any any -> any 44818 (msg:"ET SCADA [Rockwell/CISA] ENIP CIP Vendor Specific Object connected ucmm parameter 1 contains unusual length"; flow:established,to_server; content:"|51 03|"; fast_pattern; content:"|70 00|"; depth:2; content:"|B1 00|"; offset:30; depth:90; content:"|52|"; within:1; distance:4; byte_jump:1,0,relative,multiplier 2; content:"|50|"; within:1; distance:4; byte_jump:1,0,relative,multiplier 2; byte_test:4,>,64,0,relative,little; content:"|B1 00|"; offset:30; depth:90; content:"|52|"; within:1; distance:4; byte_jump:1,0,relative,multiplier 2; content:"|50|"; within:1; distance:4; byte_extract:1,0,toss,relative,multiplier 2; content:"|51 03|"; within:toss; byte_test:1,=,8,-4,relative,bitmask fc; classtype:attempted-admin; reference:cve,2023-3595; reference:cve,2023-3596; sid:1000010; rev:2;)
alert tcp any any -> any 44818 (msg:"ET SCADA [Rockwell/CISA] ENIP CIP Vendor Specific Object connected ucmm parameter 2 contains unusual length"; flow:established,to_server; content:"|51 03|"; fast_pattern; content:"|70 00|"; depth:2; content:"|B1 00|"; offset:30; depth:90; content:"|52|"; within:1; distance:4; byte_jump:1,0,relative,multiplier 2; content:"|50|"; within:1; distance:4; byte_jump:1,0,relative,multiplier 2; byte_jump:4,0,relative,little; byte_test:4,>,64,0,relative,little; content:"|B1 00|"; offset:30; depth:90; content:"|52|"; within:1; distance:4; byte_jump:1,0,relative,multiplier 2; content:"|50|"; within:1; distance:4; byte_extract:1,0,toss,relative,multiplier 2; content:"|51 03|"; within:toss; byte_test:1,=,8,-4,relative,bitmask fc; classtype:attempted-admin; reference:cve,2023-3595; reference:cve,2023-3596; sid:1000011; rev:2;)
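The offsets, jumps and tests in the rules above are easier to follow when the same walk is written out as a parser. What follows is an added example written for this page (editor's code, not part of the original post or of the rules Rockwell published): it follows the structure the rules follow, SendRRData/SendUnitData, the CPF data item found from offset 30, the optional Unconnected Send wrapper with its 4 bytes of priority/timeout/size, the request path sized in words (the byte_jump with multiplier 2), and then applies the two length tests, a dword above 0x7FFFFFFF at +4 for service 0x4D on the Socket Object (class 0x0342) and a dword above 64 at +0 for service 0x50 on the vendor-specific class 0x0351. The class_from_path check is the same condition as the Snort rules' byte_test:1,=,8,-4,relative,bitmask fc on the segment byte in front of the class ID. It handles logical path segments only and the parameter-1 style tests (the byte_jump-then-test "parameter 2" variants are not implemented), and every packet in SAMPLES is constructed with the builder functions, not captured from a controller:

```python
import struct

SEND_RR_DATA, SEND_UNIT_DATA = 0x6F, 0x70        # content:"|6f 00|" / "|70 00|"; depth:2
UNCONNECTED_ITEM, CONNECTED_ITEM = 0xB2, 0xB1    # content:"|B2 00|" / "|B1 00|"; offset:30; depth:90
UNCONNECTED_SEND = 0x52                          # content:"|52|": Connection Manager Unconnected Send
# (service, class) -> (offset of the tested dword in the request data, threshold)
CHECKS = {
    (0x4D, 0x0342): (4, 0x7FFFFFFF),  # Socket Object:   byte_test:4,>,0x7FFFFFFF,4,relative,little
    (0x50, 0x0351): (0, 64),          # Vendor Specific: byte_test:4,>,64,0,relative,little
}

def class_from_path(path):
    """Value of the first logical class segment in an EPATH, or None. 'seg & 0xFC == 0x20' is
    what the Snort rules' byte_test:1,=,8,-4,relative,bitmask fc tests (logical segment, class)."""
    i = 0
    while i < len(path):
        seg = path[i]
        size = {0: 2, 1: 4, 2: 6}.get(seg & 0x03)  # 8/16/32-bit value, pad byte before 16/32
        if seg & 0xE0 != 0x20 or size is None or i + size > len(path):
            return None                             # only logical segments are walked here
        value = path[i + 1] if size == 2 else struct.unpack_from("<H" if size == 4 else "<I", path, i + 2)[0]
        if seg & 0xFC == 0x20:
            return value
        i += size
    return None

def parse_mr(buf):
    """Message Router request: service(1), path size in words(1), EPATH, data; an Unconnected Send is unwrapped."""
    if len(buf) < 2:
        return None
    words = buf[1]
    path, data = buf[2:2 + 2 * words], buf[2 + 2 * words:]
    if buf[0] == UNCONNECTED_SEND:   # priority/time_tick(1), timeout_ticks(1), size(2): the rules' distance:4
        return parse_mr(data[4:4 + struct.unpack_from("<H", data, 2)[0]]) if len(data) >= 4 else None
    return buf[0], class_from_path(path), data

def parse_enip(pkt):
    """(service, class_id, data) of the CIP request in a SendRRData/SendUnitData packet, else None."""
    if len(pkt) < 32:
        return None
    cmd, length = struct.unpack_from("<HH", pkt, 0)
    if cmd not in (SEND_RR_DATA, SEND_UNIT_DATA) or len(pkt) < 24 + length:
        return None
    off = 32                         # 24-byte header + interface handle(4) + timeout(2) + item count(2)
    for _ in range(struct.unpack_from("<H", pkt, 30)[0]):
        if off + 4 > len(pkt):
            return None
        type_id, item_len = struct.unpack_from("<HH", pkt, off)
        item, off = pkt[off + 4:off + 4 + item_len], off + 4 + item_len
        if cmd == SEND_RR_DATA and type_id == UNCONNECTED_ITEM:
            return parse_mr(item)        # "|B2 00|" then distance:2 skips the item length
        if cmd == SEND_UNIT_DATA and type_id == CONNECTED_ITEM:
            return parse_mr(item[2:])    # "|B1 00|" then distance:4 skips length + CIP sequence count
    return None

def check_request(pkt):
    """(service, class_id, value, threshold) when the tested dword exceeds the threshold (the alert condition)."""
    parsed = parse_enip(pkt)
    if parsed is None:
        return None
    service, class_id, data = parsed
    rule = CHECKS.get((service, class_id))
    if rule is None or len(data) < rule[0] + 4:
        return None
    value = struct.unpack_from("<I", data, rule[0])[0]
    return (service, class_id, value, rule[1]) if value > rule[1] else None

# --- constructed sample traffic, not captured from a real controller ---
def mr_request(service, class_id, instance, data):
    path = bytes([0x21, 0x00]) + struct.pack("<H", class_id) + bytes([0x24, instance])
    return bytes([service, len(path) // 2]) + path + data

def unconnected_send(embedded):
    """Wrap a request in an Unconnected Send to the Connection Manager (class 6, instance 1)."""
    body = bytes([0x07, 0xF9]) + struct.pack("<H", len(embedded)) + embedded
    body += b"\x00" * (len(embedded) % 2) + bytes([0x01, 0x00, 0x01, 0x00])   # pad, route path: port 1
    return bytes([UNCONNECTED_SEND, 2, 0x20, 0x06, 0x24, 0x01]) + body

def encapsulate(cmd, items):
    """24-byte ENIP header + interface handle + timeout + CPF item list."""
    cpf = b"".join(struct.pack("<HH", t, len(p)) + p for t, p in items)
    body = struct.pack("<IHH", 0, 0, len(items)) + cpf
    return struct.pack("<HHII8sI", cmd, len(body), 0x11223344, 0, b"\0" * 8, 0) + body

def enip_packet(mr, connected=False):
    if connected:   # SendUnitData: connected address item, then data item carrying a sequence count
        return encapsulate(SEND_UNIT_DATA, [(0x00A1, struct.pack("<I", 0xBEEF)), (CONNECTED_ITEM, b"\x01\x00" + mr)])
    return encapsulate(SEND_RR_DATA, [(0x0000, b""), (UNCONNECTED_ITEM, mr)])

SAMPLES = {
    "socket_unconnected_ok":  enip_packet(mr_request(0x4D, 0x0342, 1, struct.pack("<II", 0, 512))),
    "socket_unconnected_bad": enip_packet(mr_request(0x4D, 0x0342, 1, struct.pack("<II", 0, 0x80000000))),
    "socket_connected_bad":   enip_packet(mr_request(0x4D, 0x0342, 1, struct.pack("<II", 0, 0xFFFFFFFF)), connected=True),
    "vendor_unconnected_ok":  enip_packet(mr_request(0x50, 0x0351, 1, struct.pack("<I", 16))),
    "vendor_ucmm_bad":        enip_packet(unconnected_send(mr_request(0x50, 0x0351, 1, struct.pack("<I", 4096)))),
    "other_class_quiet":      enip_packet(mr_request(0x4D, 0x0001, 1, struct.pack("<II", 0, 0xFFFFFFFF))),
}

def scan(samples):
    return sorted(n for n, p in samples.items() if check_request(p) is not None)
```

Feeding real traffic means handing check_request the TCP payload of each client-to-server segment on port 44818; the "other_class_quiet" sample is there to show that the class lookup, not just the service byte, gates the test, which is what the rules' cip_service class argument and the Snort rules' |42 03| / |51 03| anchors do.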
As a general reminder, these rules are not yet officially supported until they have been added to the Emerging Threats ruleset. The Suricata rules require enabling the enip/cip handler in suricata.yaml, or else they will result in a stop error when Suricata is starting up. Find this section of your suricata.yaml:
# SCADA EtherNet/IP and CIP protocol support
enip:
  enabled: no
  detection-ports:
    dp: 44818
    sp: 44818
and change enabled: no to enabled: yes in order to use these rules. Please remember that, any time you change suricata.yaml or add any rules to Suricata, you will need to restart the Suricata process in order for those changes to take effect.
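One thing to watch when making that change: suricata.yaml carries dozens of `enabled: no` lines for other parsers and outputs, so a blanket search-and-replace switches on far more than ENIP. Here is an added example (editor's code, not from the post) that flips only the `enabled` key inside the `enip:` mapping by tracking indentation. It assumes the file uses space indentation and that the only `enip:` key in it is the app-layer one, as in the stock configuration; SAMPLE_YAML is a constructed excerpt in that shape, not a complete configuration:

```python
import re

def _walk(yaml_text):
    """Yield (inside_enip_block, line) for each line; the block ends at the first
    non-comment, non-blank line indented no deeper than the 'enip:' key itself."""
    block_indent = None
    for line in yaml_text.splitlines(keepends=True):
        body = line.lstrip(" ")
        indent = len(line) - len(body)
        meaningful = body.strip() and not body.startswith("#")
        if block_indent is not None and meaningful and indent <= block_indent:
            block_indent = None                      # dedented: we have left the enip: block
        if block_indent is None and re.match(r"enip:\s*(#.*)?$", body):
            block_indent = indent
            yield False, line                        # the "enip:" key line itself
            continue
        yield block_indent is not None, line

def enable_enip(yaml_text):
    """Return yaml_text with 'enabled: no' changed to 'enabled: yes' only inside enip:."""
    out = []
    for inside, line in _walk(yaml_text):
        if inside:
            line = re.sub(r"^(\s*enabled:\s*)no\b", r"\1yes", line)
        out.append(line)
    return "".join(out)

def enip_enabled(yaml_text):
    """True when the enip: block carries 'enabled: yes'."""
    return any(inside and re.match(r"\s*enabled:\s*yes\b", line) for inside, line in _walk(yaml_text))

# Constructed excerpt in the shape of the stock suricata.yaml app-layer section
SAMPLE_YAML = """\
app-layer:
  protocols:
    dnp3:
      enabled: no
      detection-ports:
        dp: 20000
    # SCADA EtherNet/IP and CIP protocol support
    enip:
      enabled: no
      detection-ports:
        dp: 44818
        sp: 44818
    ntp:
      enabled: no
"""
```

After writing the edited file back, `suricata -T -c /etc/suricata/suricata.yaml -S rockwell.rules` (paths and rule file name are placeholders) validates the configuration and loads the rule file without starting packet processing, so a rule that needs the handler shows its error before you restart the service rather than after.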
I am providing these rules to the community here and now to provide detection against these threats until such a time as these rules can be added to an official Emerging Threats rule release.
Happy Hunting,
Tony “da_667” Robinson