Merge pull request #7 from iadgov/3.2.1

3.2.1 updates
nsacyber · Jun 27, 2017 · 1c4fd93 · 1c4fd93
2 parents b1cf932 + 776fc0b
commit 1c4fd93
Show file tree

Hide file tree

Showing 162 changed files with 5,516 additions and 519 deletions.
diff --git a/GM3/build-ant.xml b/GM3/build-ant.xml
@@ -80,7 +80,7 @@ where methods that are used in GRASSMARLIN are declared private).
     <target name="compile" depends="gensrc-Fingerprinting" description="Compile sources to .class files">
         <mkdir dir="${build.classes.dir}"/>
 
-        <javac includeantruntime="false" srcdir="${src.dir}" destdir="${build.classes.dir}" verbose="true" debug="false">
+        <javac includeantruntime="false" srcdir="${src.dir}" destdir="${build.classes.dir}" verbose="true" debug="true">
             <src path="${gen.dir}"/>
             <classpath refid="lib.classpath"/>
         </javac>
@@ -226,11 +226,11 @@ where methods that are used in GRASSMARLIN are declared private).
             <arg value="${build.dir}\temp\grassmarlin-64.wixobj" />
         </exec>
 
-        <!-- Builds with live pcap disabled -->
+        <!-- Build with live pcap disabled (works on 32- and 64-bit) -->
         <echo message="Building Windows Installer with Live PCAP Disabled..." />
         <exec executable="${exec.candle}">
             <arg value="-dStagingPath=${build.app}" />
-            <arg value="-dLauncherFile=Installers\WindowsInstallers\GrassMarlin.bat" />
+            <arg value="-dLauncherFile=Installers\WindowsInstallers\GrassMarlin_NoPcap.bat" />
             <arg value="-o" />
             <arg value="${build.dir}\temp\grassmarlin-nolive.wixobj" />
             <arg value="Installers\WindowsInstallers\Windows.wix" />
@@ -303,7 +303,7 @@ where methods that are used in GRASSMARLIN are declared private).
         <echo message="Building Windows ZIP without Live PCAP..." />
         <zip destfile="${build.dir}/GrassMarlin-Win-NoLivePcap.zip">
             <zipfileset dir="${build.app}" excludes="**\iadgov.csvimport.jar,**\iadgov.sessioneventtest.jar" />
-            <zipfileset file="Installers/WindowsInstallers/GrassMarlin.bat" />
+            <zipfileset file="Installers/WindowsInstallers/GrassMarlin_NoPcap.bat" />
         </zip>
 
         <delete dir="${build.dir}/temp" />

diff --git a/GM3/data/fingerprint/ADA Control.xml b/GM3/data/fingerprint/ADA Control.xml
@@ -3,16 +3,19 @@
     <Header>
         <Name>ADA Control</Name>
         <Author>Default</Author>
-        <Description>This fingerprint looks for the evidence of ADA Control traffic.</Description>
-        <Tag>Original</Tag>
+        <Description>This fingerprint looks for evidence of ADA Control traffic.</Description>
     </Header>
-    <Filter For="default">
+    <Filter For="ADA-CIP" Name="DstPort">
         <DstPort>2085</DstPort>
     </Filter>
-    <Payload For="default">
+    <Payload For="ADA-CIP">
+		<Description>TCP/UDP ADA-CIP</Description>
         <Always>
-            <Return Confidence="1">
-                <Extract Name="ADA-CIP" From="CURSOR_START" To="CURSOR_END"/>
+            <Return Confidence="5">
+				<Details>
+                    <Category>ICS_HOST</Category>
+                    <Detail Name="ICSProtocol">ADA-CIP</Detail>
+                </Details>
             </Return>
         </Always>
     </Payload>

diff --git a/GM3/data/fingerprint/AIMPP.xml b/GM3/data/fingerprint/AIMPP.xml
@@ -3,22 +3,34 @@
     <Header>
         <Name>AIMPP</Name>
         <Author>Default</Author>
-        <Description>This fingerprint looks for the evidence of AIMPP Hello traffic.This fingerprint looks for the evidence of AIMPP Port Req traffic.</Description>
+        <Description>This fingerprint looks for evidence of TCP/UDP AIMPP Hello traffic. This fingerprint looks for evidence of TCP/UDP AIMPP Port Req traffic.</Description>
     </Header>
-    <Filter For=" Hello">
+    <Filter For="Hello" Name="Hello 2846">
         <DstPort>2846</DstPort>
-    </Filter>
-    <Filter For=" Port Req">
+    </Filter>	
+    <Filter For="Port Req" Name="Port Req 2847">
         <DstPort>2847</DstPort>
     </Filter>
-    <Payload For=" Hello">
+    <Payload For="Hello">
+        <Description>Hello AIMPP that hits on destination port</Description>
         <Always>
-            <Return Confidence="1"/>
+            <Return Direction="SOURCE" Confidence="5">
+                <Details>
+                    <Category>ICS_HOST</Category>
+                    <Detail Name="Product">AIMPP Hello</Detail>
+                </Details>
+            </Return>
         </Always>
-    </Payload>
-    <Payload For=" Port Req">
+	</Payload>	
+    <Payload For="Port Req">
+        <Description>Port Req AIMPP that hits on destination port</Description>
         <Always>
-            <Return Confidence="1"/>
+            <Return Direction="SOURCE" Confidence="5">
+                <Details>
+                    <Category>ICS_HOST</Category>
+                    <Detail Name="Product">AIMPP Port Req</Detail>
+                </Details>
+            </Return>
         </Always>
-    </Payload>
+    </Payload>	
 </Fingerprint>
diff --git a/GM3/data/fingerprint/ANSI.xml b/GM3/data/fingerprint/ANSI.xml
@@ -0,0 +1,34 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<Fingerprint>
+    <Header>
+        <Name>ANSI</Name>
+        <Author>Default</Author>
+        <Description>This fingerprint identifies evidenece of ANSI x3.28, z39.50, and c1222-asse traffic.</Description>
+    </Header>
+    <Filter For="ANSI 1" Name="z39.50">
+        <DstPort>210</DstPort>
+    </Filter>
+    <Filter For="ANSI 2" Name="c1222-asse">
+        <DstPort>1153</DstPort>
+    </Filter>
+    <Payload For="ANSI 1">
+        <Description>Developed by Allen Bradley to communicate between stations and substations. Z39.50</Description>
+        <Always>
+            <Return Direction="SOURCE" Confidence="5">
+                <Details>
+                    <Detail Name="ISCProtocol">ANSI</Detail>
+                </Details>
+            </Return>
+        </Always>
+    </Payload>
+    <Payload For="ANSI 2">
+        <Description>Developed by Allen Bradley to communicate between stations and substations. C1222-ASSE.</Description>
+        <Always>
+            <Return Direction="SOURCE" Confidence="5">
+                <Details>
+                    <Detail Name="ICSProtocol">ANSI</Detail>
+                </Details>
+            </Return>
+        </Always>
+    </Payload>
+</Fingerprint>
diff --git a/GM3/data/fingerprint/ASP.Net.xml b/GM3/data/fingerprint/ASP.Net.xml
@@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<Fingerprint>
+    <Header>
+        <Name>ASP.Net</Name>
+        <Author>Default</Author>
+        <Description>This fingerprint identifies evidence of session states that stores data out of process.</Description>
+    </Header>
+    <Filter For="ASP.Net" Name="State Service">
+        <DstPort>42424</DstPort>
+    </Filter>
+    <Payload For="ASP.Net">
+        <Description>Payload supports asp.net state service</Description>
+        <Always>
+            <Return Direction="SOURCE" Confidence="5">
+                <Details>
+                    <Detail Name="Microsoft Server Product">ASP.NET</Detail>
+                </Details>
+            </Return>
+        </Always>
+    </Payload>
+</Fingerprint>
diff --git a/GM3/data/fingerprint/Allen Bradley.xml b/GM3/data/fingerprint/Allen Bradley.xml
@@ -0,0 +1,101 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<Fingerprint>
+    <Header>
+        <Name>Allen Bradley</Name>
+        <Author>Default</Author>
+        <Description>This is the response seen from a device running an Allen Bradley specific web server and providing its device description via a web page. 
+This is evidence of some sort of Allen Bradley Intelligent Electronic Device (IED). 
+	This is the response seen from a device running an Allen Bradley specific web server. "Server: A-B WWW/0.1" 
+This is evidence of some sort of Allen Bradley Intelligent Electronic Device (IED). 
+	This is the response seen from a device running an Allen Bradley specific web server and providing its device name via a web page. 
+This is evidence of some sort of Allen Bradley Intelligent Electronic Device (IED). 
+	</Description>
+    </Header>
+    <Filter For="Bradley Web Server Device Description" Name="Server Device">
+        <TransportProtocol>6</TransportProtocol>
+        <Ethertype>2048</Ethertype>
+        <SrcPort>80</SrcPort>
+    </Filter>
+    <Filter For="Bradley Web Server" Name="Web Server">
+        <TransportProtocol>6</TransportProtocol>
+        <Ethertype>2048</Ethertype>
+        <SrcPort>80</SrcPort>
+    </Filter>
+    <Filter For="Bradley Web Server Device Name" Name="Server Device Name">
+        <TransportProtocol>6</TransportProtocol>
+        <Ethertype>2048</Ethertype>
+        <SrcPort>80</SrcPort>
+    </Filter>
+    <Filter For="All newer Rockwell PLC" Name="Rockwell PLC">
+        <TransportProtocol>6</TransportProtocol>
+		<DstPort>44818</DstPort>
+    </Filter>	
+    <Payload For="Bradley Web Server Device Description">
+	<Description>Bradley Web Server Device Description</Description>
+        <Match Offset="0" Reverse="true" NoCase="false" Depth="0" Relative="true" Within="0" MoveCursors="true">
+            <Pattern>Description&lt;/td&gt;&lt;td&gt;</Pattern>
+            <AndThen>
+                <Match Offset="0" Reverse="true" NoCase="false" Depth="0" Relative="true" Within="0" MoveCursors="false">
+                    <Content Type="HEX">3C</Content>
+                    <AndThen>
+                        <Anchor Cursor="END" Position="CURSOR_MAIN" Relative="false" Offset="0"/>
+                        <Return Direction="SOURCE" Confidence="4">
+                            <Details>
+                                <Category>IED</Category>
+                                <Role>SERVER</Role>
+                                <Detail Name="ICSProtocol">Bradley Web Server Device Description</Detail>
+                            </Details>
+                        </Return>
+                    </AndThen>
+                </Match>
+            </AndThen>
+        </Match>
+    </Payload>
+    <Payload For="Bradley Web Server">
+		<Description>Bradley Web Server</Description>
+        <Match Offset="17" Reverse="true" NoCase="false" Depth="0" Relative="true" Within="0" MoveCursors="true">
+            <Content Type="HEX">5365727665723A20412D42205757572F302E310D0A</Content>
+            <AndThen>
+                <Return Direction="SOURCE" Confidence="4">
+                    <Details>
+                        <Category>IED</Category>
+                        <Role>SERVER</Role>
+                        <Detail Name="ICSProtocol">Bradley Web Server</Detail>
+                    </Details>
+                </Return>
+            </AndThen>
+        </Match>
+    </Payload>
+    <Payload For="Bradley Web Server Device Name">
+		<Description>Bradley Web Server Device Name</Description>
+        <Match Offset="184" Reverse="true" NoCase="false" Depth="0" Relative="true" Within="0" MoveCursors="true">
+            <Content Type="HEX">73733D52363E446576696365204E616D653C2F74643E3C74643E</Content>
+            <AndThen>
+                <Match Offset="0" Reverse="true" NoCase="false" Depth="0" Relative="true" Within="0" MoveCursors="false">
+                    <Content Type="HEX">3C</Content>
+                    <AndThen>
+                        <Anchor Cursor="END" Position="CURSOR_MAIN" Relative="false" Offset="0"/>
+                        <Return Direction="SOURCE" Confidence="4">
+                            <Details>
+                                <Category>IED</Category>
+                                <Role>SERVER</Role>
+                                <Detail Name="ICSProtocol">Bradely Web Server Device Name</Detail>
+                            </Details>
+                        </Return>
+                    </AndThen>
+                </Match>
+            </AndThen>
+        </Match>
+    </Payload>
+	<Payload For="All newer Rockwell PLC">
+        <Description>Allen Bradley Rockwell PLC</Description>
+        <Always>
+            <Return Direction="SOURCE" Confidence="5">
+                <Details>
+                    <Category>PLC</Category>
+                    <Detail Name="ICSProtocol">Allen Bradley Rockwell PLC</Detail>
+                </Details>
+            </Return>
+        </Always>
+    </Payload>
+</Fingerprint>
diff --git a/GM3/data/fingerprint/Automation Direct DirectNET.xml b/GM3/data/fingerprint/Automation Direct DirectNET.xml
@@ -0,0 +1,112 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<Fingerprint>
+    <Header>
+        <Name>Automation Direct DirectNET</Name>
+        <Author>Default</Author>
+        <Description>This fingerprint looks for evidence of Automation Direct's DirectNet protocol traffic.</Description>
+    </Header>
+    <Filter For="DirectNet Master TCP" Name="MASTER TCP">
+        <TransportProtocol>6</TransportProtocol>
+        <DstPort>3447</DstPort>
+    </Filter>
+    <Filter For="DirectNet Slave TCP" Name="SLAVE TCP">
+        <TransportProtocol>17</TransportProtocol>
+        <SrcPort>3447</SrcPort>
+    </Filter>
+    <Filter For="DirectNet Master UDP" Name="MASTER UDP">
+        <TransportProtocol>17</TransportProtocol> 
+        <DstPort>3447</DstPort>
+    </Filter>
+    <Filter For="DirectNet Slave UDP" Name="SLAVE UDP">
+        <TransportProtocol>17</TransportProtocol>
+        <SrcPort>3447</SrcPort>
+    </Filter>	
+    <Payload For="DirectNet Master TCP">
+        <Description>DirectNet MASTER that matches the HEX pattern</Description>
+        <Always>
+            <Return Direction="SOURCE" Confidence="5">
+                <Details>
+                    <Category>MTU</Category>
+                    <Role>MASTER</Role>
+                    <Detail Name="ICSProtocol">Automation Direct DirectNet</Detail>
+                </Details>
+            </Return>
+        </Always>
+        <Match Offset="0" Reverse="true" NoCase="false" Depth="0" Relative="false" Within="0" MoveCursors="true">
+            <Content Type="HEX">4E2105</Content>
+            <AndThen>
+                <Return Direction="SOURCE" Confidence="5">
+                    <Details>
+                        <Detail Name="ICSProtocol">Automation Direct DirectNet</Detail>
+                    </Details>
+                </Return>
+            </AndThen>
+        </Match>
+    </Payload>
+    <Payload For="DirectNet Slave TCP">
+        <Description>DirectNet SLAVE that matches the HEX pattern</Description>
+        <Always>
+            <Return Direction="SOURCE" Confidence="5">
+                <Details>
+                    <Category>RTU</Category>
+                    <Role>SLAVE</Role>
+                    <Detail Name="ICSProtocol">Automation Direct DirectNet</Detail>
+                </Details>
+            </Return>
+        </Always>
+        <Match Offset="0" Reverse="true" NoCase="false" Depth="0" Relative="false" Within="0" MoveCursors="true">
+            <Content Type="HEX">4E2105</Content>
+            <AndThen>
+                <Return Direction="SOURCE" Confidence="5">
+                    <Details>
+                        <Detail Name="ICSProtocol">Automation Direct DirectNet</Detail>
+                    </Details>
+                </Return>
+            </AndThen>
+        </Match>
+    </Payload>
+    <Payload For="DirectNet Master UDP">
+        <Description>DirectNet MASTER that matches the HEX pattern</Description>
+        <Always>
+            <Return Direction="SOURCE" Confidence="5">
+                <Details>
+                    <Category>MTU</Category>
+                    <Role>MASTER</Role>
+                    <Detail Name="ICSProtocol">Automation Direct DirectNet</Detail>
+                </Details>
+            </Return>
+        </Always>
+        <Match Offset="0" Reverse="true" NoCase="false" Depth="0" Relative="false" Within="0" MoveCursors="true">
+            <Content Type="HEX">4E2105</Content>
+            <AndThen>
+                <Return Direction="SOURCE" Confidence="5">
+                    <Details>
+                        <Detail Name="ICSProtocol">Automation Direct DirectNet</Detail>
+                    </Details>
+                </Return>
+            </AndThen>
+        </Match>
+    </Payload>	
+    <Payload For="DirectNet Slave UDP">
+        <Description>DirectNet SLAVE that matches the HEX pattern</Description>
+        <Always>
+            <Return Direction="SOURCE" Confidence="5">
+                <Details>
+                    <Category>RTU</Category>
+                    <Role>SLAVE</Role>
+                    <Detail Name="ICSProtocol">Automation Direct DirectNet</Detail>
+                </Details>
+            </Return>
+        </Always>
+        <Match Offset="0" Reverse="true" NoCase="false" Depth="0" Relative="false" Within="0" MoveCursors="true">
+            <Content Type="HEX">4E2105</Content>
+            <AndThen>
+                <Return Direction="SOURCE" Confidence="5">
+                    <Details>
+                        <Detail Name="ICSProtocol">Automation Direct DirectNet</Detail>
+                    </Details>
+                </Return>
+            </AndThen>
+        </Match>
+    </Payload>		
+</Fingerprint>