--- /dev/null
+iec104 inspector is a service inspector for the IEC 60870-5-104 protocol.
+
+==== Overview
+
+IEC 60870-5-104 (iec104) is a protocol distributed by the International
+Electrotechnical Commission (IEC) that provides a standardized method of
+sending telecontrol messages between central stations and outstations,
+typically running on TCP port 2404.
+
+It is used in combination with the companion specifications in the
+IEC 60870-5 family, most notably IEC 60870-5-101, to provide reliable
+transport via TCP/IP.
+
+An iec104 Application Protocol Data Unit (APDU) consists of one of three
+Application Protocol Control Information (APCI) structures, each beginning
+with the start byte 0x68. In the case of an Information Transfer APCI, an
+Application Service Data Unit (ASDU) follows the APCI.
+
+The iec104 inspector decodes the iec104 protocol and provides rule options
+to access certain protocol fields and data content. This allows the user to
+write rules for iec104 packets without decoding the protocol.
+
+
+==== Configuration
+
+iec104 messages can be normalized to either combine a message spread across
+multiple frames, or to split apart multiple messages within one frame. No
+manual configuration is necessary to leverage this functionality.
+
+
+==== Quick Guide
+
+A typical iec104 configuration looks like this:
+
+ binder =
+ {
+ {
+ when =
+ {
+ proto = 'tcp',
+ ports = '2404'
+ },
+ use =
+ {
+ type = 'iec104'
+ },
+ },
+ }
+
+ iec104 = { }
+
+In this example, the tcp inspector is defined based on port. All
+configurations are default.
+
+Debug logging can be enabled with the following additional configuration:
+
+ trace =
+ {
+ modules =
+ {
+ iec104 =
+ {
+ all = 1
+ }
+ }
+ }
+
+
+==== Rule Options
+
+New rule options are supported by enabling the iec104 inspector:
+
+* iec104_apci_type
+* iec104_asdu_func
+
+===== iec104_apci_type
+
+Determining the APCI type of an iec104 message involves checking the state
+of one to two bits in the message's first control field octet. This can
+be completed with a `byte_test` in a plaintext rule, however it adds unnecessary
+complexity to the rule. Since most rules inspecting iec104 traffic will target
+APCI Type I messages, this option was created to alleviate the need to manually
+check the type and subsequently reduce the complexity of the rule.
+
+This option takes one argument with three acceptable configurations.
+
+Examples:
+
+ iec104_apci_type:unnumbered_control_function;
+ iec104_apci_type:S;
+ iec104_apci_type:i;
+
+This option is used to verify that the message being processed is of the
+specified type. The argument passed to this rule option can be specified
+in one of three ways: the full type name, the lowercase type abbreviation,
+or the uppercase type abbreviation.
+
+===== iec104_asdu_func
+
+Determining the ASDU function of an iec104 message can be completed with a
+plaintext rule that checks a single byte in the message, however it also
+requires verifying that the message's APCI is of Type I. Since a rule writer
+may not necessarily know that this additional check must be made, this
+option was created to simplify the process of verifying the function type
+and subsequently reduce the complexity of the rule.
+
+This option takes one argument with two acceptable configurations.
+
+Examples:
+
+ iec104_asdu_func:M_SP_NA_1;
+ iec104_asdu_func:m_ps_na_1;
+
+This option is used to verify that the message being processed is using
+the specified ASDU function. The argument passed to this rule option can
+be specified in one of two ways: the uppercase function name, or the
+lowercase function name.
+
projects / thirdparty / snort3.git / commitdiff
