S7Commplus Keywords

You can use the S7Commplus keywords alone or in combination to create custom intrusion rules that identify attacks in S7Commplus traffic detected by the S7Commplus preprocessor. For configurable keywords, specify either a single known value from the list for that keyword or a single integer within the allowed range; a keyword cannot take more than one value. See The S7Commplus Preprocessor for more information.

Note the following:
  • Multiple S7Commplus keywords in the same rule are AND-ed: every keyword must match for the rule to trigger.

  • Using more than one s7commplus_func keyword, or more than one s7commplus_opcode keyword, in the same rule negates the rule: a single S7Commplus header carries only one function and one opcode, so the AND-ed conditions can never all be true and the rule never matches traffic. To search for multiple values with these keywords, create one rule per value.

s7commplus_content

Before using a content or protected_content keyword in an S7Commplus intrusion rule, use the s7commplus_content keyword to position the cursor at the beginning of the S7Commplus packet payload, so that the subsequent content match starts there rather than at the start of the TCP payload. The s7commplus_content keyword takes no argument. See The content and protected_content Keywords for more information.

s7commplus_func

Use the s7commplus_func keyword to match the function code in an S7Commplus header against one of the following values:
  • explore

  • createobject

  • deleteobject

  • setvariable

  • getlink

  • setmultivar

  • getmultivar

  • beginsequence

  • endsequence

  • invoke

  • getvarsubstr

  • 0x0 through 0xFFF

    Specify a numeric value to match a function code that has no named equivalent in the list above.

s7commplus_opcode

Use the s7commplus_opcode keyword to match the opcode in an S7Commplus header against one of the following values:
  • request

  • response

  • notification

  • response2

  • 0x0 through 0xFF

    Specify a numeric value to match an opcode that has no named equivalent in the list above.
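The following rules illustrate how the keywords described on this page combine: AND-ing s7commplus_opcode with s7commplus_func, positioning the cursor with s7commplus_content before a content match, and splitting a search for several function values into several rules. They are an added example, not rules shipped with the preprocessor or taken from the original page. The TCP port 102 (ISO-TSAP, which carries S7Commplus), the $EXTERNAL_NET/$HOME_NET variables, the message text, the sid values and the content pattern bytes are all assumptions chosen for illustration; the pattern bytes in particular are a constructed placeholder and do not correspond to any real S7Commplus field.

```snort
# Added example rules (not from the original page). Port 102, the net
# variables, sids and the content bytes are assumptions for illustration.

# 1. AND-ed keywords: the rule fires only when the packet is a request
#    AND its function code is createobject. Either condition alone is
#    not enough.
alert tcp $EXTERNAL_NET any -> $HOME_NET 102 (msg:"S7Commplus createobject request from outside the plant network"; flow:to_server,established; s7commplus_opcode:request; s7commplus_func:createobject; sid:1000001; rev:1;)

# 2. Cursor positioning: s7commplus_content moves the detection cursor
#    to the start of the S7Commplus payload, so the content/depth check
#    that follows is evaluated from there. "|DE AD|" is a constructed
#    placeholder pattern, not a real protocol value.
alert tcp $EXTERNAL_NET any -> $HOME_NET 102 (msg:"S7Commplus setvariable request with flagged payload prefix"; flow:to_server,established; s7commplus_opcode:request; s7commplus_func:setvariable; s7commplus_content; content:"|DE AD|"; depth:2; sid:1000002; rev:1;)

# 3. Several function values: write one rule per value. The commented
#    rule below it is the WRONG form; two s7commplus_func keywords in
#    one rule are AND-ed, can never both be true, and so never match.
alert tcp $EXTERNAL_NET any -> $HOME_NET 102 (msg:"S7Commplus deleteobject request from outside"; flow:to_server,established; s7commplus_opcode:request; s7commplus_func:deleteobject; sid:1000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 102 (msg:"S7Commplus setmultivar request from outside"; flow:to_server,established; s7commplus_opcode:request; s7commplus_func:setmultivar; sid:1000004; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 102 (msg:"never matches"; s7commplus_func:deleteobject; s7commplus_func:setmultivar; sid:1000005; rev:1;)

# 4. Numeric form: any single integer in the allowed range is accepted.
#    0x0A0 is an arbitrary value chosen to show the syntax, not a known
#    function code; use the numeric form only for codes you have
#    identified in your own traffic that lack a named value above.
alert tcp $EXTERNAL_NET any -> $HOME_NET 102 (msg:"S7Commplus request with unnamed function code"; flow:to_server,established; s7commplus_opcode:request; s7commplus_func:0x0A0; sid:1000006; rev:1;)
```

These rules only do anything if the S7Commplus preprocessor is enabled and configured to inspect the port the rules name, which is why the page points you to The S7Commplus Preprocessor first; without the preprocessor the s7commplus_* keywords have nothing to evaluate.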