DNP3 Keywords
You can use DNP3 keywords alone or in combination with other
keywords such as
content and
byte_jump.
dnp3_data
You can use the
dnp3_data keyword to point to the beginning of
reassembled DNP3 application layer fragments.
The DNP3 preprocessor reassembles link layer frames into
application layer fragments. The
dnp3_data keyword points to the beginning of each
application layer fragment; other rule options can match against the
reassembled data within fragments without separating the data and adding
checksums every 16 bytes.
dnp3_func
You can use the
dnp3_func keyword to match against the Function Code
field in a DNP3 application layer request or response header. You can specify
either a single defined decimal value or a single defined string for a DNP3
function code.
The following table lists the defined values and strings recognized by the system for DNP3 function codes.
|
Value |
String |
|---|---|
|
0 |
confirm |
|
1 |
read |
|
2 |
write |
|
3 |
select |
|
4 |
operate |
|
5 |
direct_operate |
|
6 |
direct_operate_nr |
|
7 |
immed_freeze |
|
8 |
immed_freeze_nr |
|
9 |
freeze_clear |
|
10 |
freeze_clear_nr |
|
11 |
freeze_at_time |
|
12 |
freeze_at_time_nr |
|
13 |
cold_restart |
|
14 |
warm_restart |
|
15 |
initialize_data |
|
16 |
initialize_appl |
|
17 |
start_appl |
|
18 |
stop_appl |
|
19 |
save_config |
|
20 |
enable_unsolicited |
|
21 |
disable_unsolicited |
|
22 |
assign_class |
|
23 |
delay_measure |
|
24 |
record_current_time |
|
25 |
open_file |
|
26 |
close_file |
|
27 |
delete_file |
|
28 |
get_file_info |
|
29 |
authenticate_file |
|
30 |
abort_file |
|
31 |
activate_config |
|
32 |
authenticate_req |
|
33 |
authenticate_err |
|
129 |
response |
|
130 |
unsolicited_response |
|
131 |
authenticate_resp |
dnp3_ind
You can use the
dnp3_ind keyword to match against flags in the Internal
Indications field in a DNP3 application layer response header.
You can specify the string for a single known flag or a comma-separated list of flags, as seen in the following example:
class_1_events, class_2_events
When you specify multiple flags, the keyword matches against any
flag in the list. To detect a combination of flags, use the
dnp3_ind keyword multiple times in a rule.
The following list provides the string syntax recognized by the system for defined DNP3 internal indications flags.
class_1_events
class_2_events
class_3_events
need_time
local_control
device_trouble
device_restart
no_func_code_support
object_unknown
parameter_error
event_buffer_overflow
already_executing
config_corrupt
reserved_2
reserved_1
dnp3_obj
You can use the
dnp3_obj keyword to match against DNP3 object headers
in a request or response.
DNP3 data is comprised of a series of DNP3 objects of different types such as analog input, binary input, and so on. Each type is identified with a group such as analog input group, binary input group, and so on, each of which can be identified by a decimal value. The objects in each group are further identified by an object variation such as 16-bit integers, 32-bit integers, short floating point, and so on, each of which specifies the data format of the object. Each type of object variation can also be identified by a decimal value.
You identify object headers by specifying the decimal number for the type of object header group and the decimal number for the type of object variation. The combination of the two defines a specific type of DNP3 object.