
Merge pull request #7 from iadgov/3.2.1
3.2.1 updates
iadgovuser5 authored Jun 27, 2017
2 parents b1cf932 + 776fc0b commit 1c4fd93
Showing 162 changed files with 5,516 additions and 519 deletions.
8 changes: 4 additions & 4 deletions GM3/build-ant.xml
Expand Up @@ -80,7 +80,7 @@ where methods that are used in GRASSMARLIN are declared private).
<target name="compile" depends="gensrc-Fingerprinting" description="Compile sources to .class files">
<mkdir dir="${build.classes.dir}"/>

<javac includeantruntime="false" srcdir="${src.dir}" destdir="${build.classes.dir}" verbose="true" debug="false">
<javac includeantruntime="false" srcdir="${src.dir}" destdir="${build.classes.dir}" verbose="true" debug="true">
<src path="${gen.dir}"/>
<classpath refid="lib.classpath"/>
</javac>
Expand Down Expand Up @@ -226,11 +226,11 @@ where methods that are used in GRASSMARLIN are declared private).
<arg value="${build.dir}\temp\grassmarlin-64.wixobj" />
</exec>

<!-- Builds with live pcap disabled -->
<!-- Build with live pcap disabled (works on 32- and 64-bit) -->
<echo message="Building Windows Installer with Live PCAP Disabled..." />
<exec executable="${exec.candle}">
<arg value="-dStagingPath=${build.app}" />
<arg value="-dLauncherFile=Installers\WindowsInstallers\GrassMarlin.bat" />
<arg value="-dLauncherFile=Installers\WindowsInstallers\GrassMarlin_NoPcap.bat" />
<arg value="-o" />
<arg value="${build.dir}\temp\grassmarlin-nolive.wixobj" />
<arg value="Installers\WindowsInstallers\Windows.wix" />
Expand Down Expand Up @@ -303,7 +303,7 @@ where methods that are used in GRASSMARLIN are declared private).
<echo message="Building Windows ZIP without Live PCAP..." />
<zip destfile="${build.dir}/GrassMarlin-Win-NoLivePcap.zip">
<zipfileset dir="${build.app}" excludes="**\iadgov.csvimport.jar,**\iadgov.sessioneventtest.jar" />
<zipfileset file="Installers/WindowsInstallers/GrassMarlin.bat" />
<zipfileset file="Installers/WindowsInstallers/GrassMarlin_NoPcap.bat" />
</zip>

<delete dir="${build.dir}/temp" />
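Review bot: `debug="true"` is now a literal on the javac task in the compile target, so the class files that presumably end up in every installer and ZIP built later in this file carry line-number and local-variable tables; if that is wanted for release builds it still belongs in a property rather than the task itself, e.g. `<property name="javac.debug" value="true"/>` near the top of the file and `debug="${javac.debug}"` on the task, so a release build can disable it without editing the build script. `verbose="true"` has the same problem and floods the compile log on routine builds. The `GrassMarlin_NoPcap.bat` launcher now referenced by both the candle and zip targets does not appear in this diff, so its presence under `Installers\WindowsInstallers\` is assumed. The compile target and the installer targets start and end outside the hunks shown here.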
15 changes: 9 additions & 6 deletions GM3/data/fingerprint/ADA Control.xml
Expand Up @@ -3,16 +3,19 @@
<Header>
<Name>ADA Control</Name>
<Author>Default</Author>
<Description>This fingerprint looks for the evidence of ADA Control traffic.</Description>
<Tag>Original</Tag>
<Description>This fingerprint looks for evidence of ADA Control traffic.</Description>
</Header>
<Filter For="default">
<Filter For="ADA-CIP" Name="DstPort">
<DstPort>2085</DstPort>
</Filter>
<Payload For="default">
<Payload For="ADA-CIP">
<Description>TCP/UDP ADA-CIP</Description>
<Always>
<Return Confidence="1">
<Extract Name="ADA-CIP" From="CURSOR_START" To="CURSOR_END"/>
<Return Confidence="5">
<Details>
<Category>ICS_HOST</Category>
<Detail Name="ICSProtocol">ADA-CIP</Detail>
</Details>
</Return>
</Always>
</Payload>
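Review bot: The `<Always>` return for ADA-CIP is raised from Confidence 1 to 5 on a filter that checks nothing but destination port 2085, which puts a port-only inference above the content-based Allen Bradley web-server matches added in this same commit (Confidence 4). Because the filter also has no `<TransportProtocol>` element despite the "TCP/UDP" description, any host that sends to port 2085 on any transport is tagged ICS_HOST/ADA-CIP; either keep a lower confidence for the port-only path or add a `<Match>` on an ADA-CIP header before returning 5. The new `<Extract Name="ADA-CIP" From="CURSOR_START" To="CURSOR_END"/>` presumably captures the entire payload into the ADA-CIP field, which is worth confirming as the intent rather than a specific field. The `<Fingerprint>` root of this file begins outside the hunk.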
32 changes: 22 additions & 10 deletions GM3/data/fingerprint/AIMPP.xml
Expand Up @@ -3,22 +3,34 @@
<Header>
<Name>AIMPP</Name>
<Author>Default</Author>
<Description>This fingerprint looks for the evidence of AIMPP Hello traffic.This fingerprint looks for the evidence of AIMPP Port Req traffic.</Description>
<Description>This fingerprint looks for evidence of TCP/UDP AIMPP Hello traffic. This fingerprint looks for evidence of TCP/UDP AIMPP Port Req traffic.</Description>
</Header>
<Filter For=" Hello">
<Filter For="Hello" Name="Hello 2846">
<DstPort>2846</DstPort>
</Filter>
<Filter For=" Port Req">
</Filter>
<Filter For="Port Req" Name="Port Req 2847">
<DstPort>2847</DstPort>
</Filter>
<Payload For=" Hello">
<Payload For="Hello">
<Description>Hello AIMPP that hits on destination port</Description>
<Always>
<Return Confidence="1"/>
<Return Direction="SOURCE" Confidence="5">
<Details>
<Category>ICS_HOST</Category>
<Detail Name="Product">AIMPP Hello</Detail>
</Details>
</Return>
</Always>
</Payload>
<Payload For=" Port Req">
</Payload>
<Payload For="Port Req">
<Description>Port Req AIMPP that hits on destination port</Description>
<Always>
<Return Confidence="1"/>
<Return Direction="SOURCE" Confidence="5">
<Details>
<Category>ICS_HOST</Category>
<Detail Name="Product">AIMPP Port Req</Detail>
</Details>
</Return>
</Always>
</Payload>
</Payload>
</Fingerprint>
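Review bot: Both new returns record a message type under the product key — `<Detail Name="Product">AIMPP Hello</Detail>` and `<Detail Name="Product">AIMPP Port Req</Detail>` — while every other fingerprint in this commit identifies the protocol under `ICSProtocol`; `<Detail Name="ICSProtocol">AIMPP</Detail>` would keep the detail vocabulary consistent instead of producing two "products" for one protocol. As with the other port-only filters, Confidence 5 on an `<Always>` over ports 2846/2847 with no `<TransportProtocol>` element tags any source host that happens to send to those ports, although the header description claims TCP/UDP specifically. The duplicated `</Payload>` lines around the `Port Req` payload render ambiguously on this page; the committed file should be checked with `xmllint --noout` to confirm it is well-formed. The `<Fingerprint>` root of this file begins outside the hunk.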
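--- a/GM3/data/fingerprint/ANSI.xml
+++ b/GM3/data/fingerprint/ANSI.xml
@@ -0,0 +1,34 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<Fingerprint>
+<Header>
+<Name>ANSI</Name>
+<Author>Default</Author>
+<Description>This fingerprint identifies evidenece of ANSI x3.28, z39.50, and c1222-asse traffic.</Description>
+</Header>
+<Filter For="ANSI 1" Name="z39.50">
+<DstPort>210</DstPort>
+</Filter>
+<Filter For="ANSI 2" Name="c1222-asse">
+<DstPort>1153</DstPort>
+</Filter>
+<Payload For="ANSI 1">
+<Description>Developed by Allen Bradley to communicate between stations and substations. Z39.50</Description>
+<Always>
+<Return Direction="SOURCE" Confidence="5">
+<Details>
+<Detail Name="ISCProtocol">ANSI</Detail>
+</Details>
+</Return>
+</Always>
+</Payload>
+<Payload For="ANSI 2">
+<Description>Developed by Allen Bradley to communicate between stations and substations. C1222-ASSE.</Description>
+<Always>
+<Return Direction="SOURCE" Confidence="5">
+<Details>
+<Detail Name="ICSProtocol">ANSI</Detail>
+</Details>
+</Return>
+</Always>
+</Payload>
+</Fingerprint>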
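Review bot: The z39.50 return uses `<Detail Name="ISCProtocol">ANSI</Detail>` while the c1222-asse return in the next payload and every other fingerprint in this commit use `ICSProtocol`, so port-210 matches would populate a misspelled detail key that nothing else reads; change it to `<Detail Name="ICSProtocol">ANSI</Detail>`. Both payload descriptions say "Developed by Allen Bradley to communicate between stations and substations", which looks copied from another fingerprint: Z39.50 (port 210) is the ANSI/NISO library information-retrieval protocol and C12.22 (port 1153) is the ANSI metering protocol, neither an Allen Bradley product, and tagging any traffic to port 210 as an ICS protocol at Confidence 5 is a likely false-positive source outside metering networks. The header description mentions ANSI X3.28 but no filter covers it, and it also carries the typo "evidenece".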
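--- a/GM3/data/fingerprint/ASP.Net.xml
+++ b/GM3/data/fingerprint/ASP.Net.xml
@@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<Fingerprint>
+<Header>
+<Name>ASP.Net</Name>
+<Author>Default</Author>
+<Description>This fingerprint identifies evidence of session states that stores data out of process.</Description>
+</Header>
+<Filter For="ASP.Net" Name="State Service">
+<DstPort>42424</DstPort>
+</Filter>
+<Payload For="ASP.Net">
+<Description>Payload supports asp.net state service</Description>
+<Always>
+<Return Direction="SOURCE" Confidence="5">
+<Details>
+<Detail Name="Microsoft Server Product">ASP.NET</Detail>
+</Details>
+</Return>
+</Always>
+</Payload>
+</Fingerprint>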
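Review bot: The `State Service` filter matches destination port 42424 alone with no `<TransportProtocol>6</TransportProtocol>`, unlike the Allen Bradley and DirectNET filters added in this commit, so UDP datagrams to 42424 are tagged as well even though the ASP.NET state service is, as far as I know, TCP-only; adding the transport element would narrow it, and a port-only `<Always>` at Confidence 5 deserves the same scrutiny as the other port-only fingerprints here. The detail key `Microsoft Server Product` is a new key used by no other fingerprint, where `Product` is the established name — `<Detail Name="Product">ASP.NET State Service</Detail>` would keep the vocabulary consistent and name what was actually seen. The header text "session states that stores data out of process" should read "ASP.NET session state stored out of process (state service)".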
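--- a/GM3/data/fingerprint/Allen Bradley.xml
+++ b/GM3/data/fingerprint/Allen Bradley.xml
@@ -0,0 +1,101 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<Fingerprint>
+<Header>
+<Name>Allen Bradley</Name>
+<Author>Default</Author>
+<Description>This is the response seen from a device running an Allen Bradley specific web server and providing its device description via a web page.
+This is evidence of some sort of Allen Bradley Intelligent Electronic Device (IED).
+This is the response seen from a device running an Allen Bradley specific web server. "Server: A-B WWW/0.1"
+This is evidence of some sort of Allen Bradley Intelligent Electronic Device (IED).
+This is the response seen from a device running an Allen Bradley specific web server and providing its device name via a web page.
+This is evidence of some sort of Allen Bradley Intelligent Electronic Device (IED).
+</Description>
+</Header>
+<Filter For="Bradley Web Server Device Description" Name="Server Device">
+<TransportProtocol>6</TransportProtocol>
+<Ethertype>2048</Ethertype>
+<SrcPort>80</SrcPort>
+</Filter>
+<Filter For="Bradley Web Server" Name="Web Server">
+<TransportProtocol>6</TransportProtocol>
+<Ethertype>2048</Ethertype>
+<SrcPort>80</SrcPort>
+</Filter>
+<Filter For="Bradley Web Server Device Name" Name="Server Device Name">
+<TransportProtocol>6</TransportProtocol>
+<Ethertype>2048</Ethertype>
+<SrcPort>80</SrcPort>
+</Filter>
+<Filter For="All newer Rockwell PLC" Name="Rockwell PLC">
+<TransportProtocol>6</TransportProtocol>
+<DstPort>44818</DstPort>
+</Filter>
+<Payload For="Bradley Web Server Device Description">
+<Description>Bradley Web Server Device Description</Description>
+<Match Offset="0" Reverse="true" NoCase="false" Depth="0" Relative="true" Within="0" MoveCursors="true">
+<Pattern>Description&lt;/td&gt;&lt;td&gt;</Pattern>
+<AndThen>
+<Match Offset="0" Reverse="true" NoCase="false" Depth="0" Relative="true" Within="0" MoveCursors="false">
+<Content Type="HEX">3C</Content>
+<AndThen>
+<Anchor Cursor="END" Position="CURSOR_MAIN" Relative="false" Offset="0"/>
+<Return Direction="SOURCE" Confidence="4">
+<Details>
+<Category>IED</Category>
+<Role>SERVER</Role>
+<Detail Name="ICSProtocol">Bradley Web Server Device Description</Detail>
+</Details>
+</Return>
+</AndThen>
+</Match>
+</AndThen>
+</Match>
+</Payload>
+<Payload For="Bradley Web Server">
+<Description>Bradley Web Server</Description>
+<Match Offset="17" Reverse="true" NoCase="false" Depth="0" Relative="true" Within="0" MoveCursors="true">
+<Content Type="HEX">5365727665723A20412D42205757572F302E310D0A</Content>
+<AndThen>
+<Return Direction="SOURCE" Confidence="4">
+<Details>
+<Category>IED</Category>
+<Role>SERVER</Role>
+<Detail Name="ICSProtocol">Bradley Web Server</Detail>
+</Details>
+</Return>
+</AndThen>
+</Match>
+</Payload>
+<Payload For="Bradley Web Server Device Name">
+<Description>Bradley Web Server Device Name</Description>
+<Match Offset="184" Reverse="true" NoCase="false" Depth="0" Relative="true" Within="0" MoveCursors="true">
+<Content Type="HEX">73733D52363E446576696365204E616D653C2F74643E3C74643E</Content>
+<AndThen>
+<Match Offset="0" Reverse="true" NoCase="false" Depth="0" Relative="true" Within="0" MoveCursors="false">
+<Content Type="HEX">3C</Content>
+<AndThen>
+<Anchor Cursor="END" Position="CURSOR_MAIN" Relative="false" Offset="0"/>
+<Return Direction="SOURCE" Confidence="4">
+<Details>
+<Category>IED</Category>
+<Role>SERVER</Role>
+<Detail Name="ICSProtocol">Bradely Web Server Device Name</Detail>
+</Details>
+</Return>
+</AndThen>
+</Match>
+</AndThen>
+</Match>
+</Payload>
+<Payload For="All newer Rockwell PLC">
+<Description>Allen Bradley Rockwell PLC</Description>
+<Always>
+<Return Direction="SOURCE" Confidence="5">
+<Details>
+<Category>PLC</Category>
+<Detail Name="ICSProtocol">Allen Bradley Rockwell PLC</Detail>
+</Details>
+</Return>
+</Always>
+</Payload>
+</Fingerprint>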
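Review bot: The `All newer Rockwell PLC` payload applies `<Category>PLC</Category>` with `Direction="SOURCE"` on a filter that matches destination port 44818, so if `Direction="SOURCE"` labels the packet's source host — as the three SrcPort-80 payloads in this file with `<Role>SERVER</Role>` suggest — the host tagged as the PLC is the one connecting to the PLC, not the PLC itself; the direction (or the filter, as a `SrcPort` match) should be flipped, and this is again a port-only `<Always>` at Confidence 5 sitting above the content matches at 4. The `Device Name` return emits `<Detail Name="ICSProtocol">Bradely Web Server Device Name</Detail>`, a typo that will split this detail from the other two `Bradley Web Server …` values. The `Bradley Web Server` match uses `Offset="17"` for the `Server: A-B WWW/0.1\r\n` bytes, which appears to assume the Server header directly follows a 17-byte status line such as `HTTP/1.1 200 OK\r\n`, so a non-200 response or any header placed before `Server:` would be missed, and the `Offset="184"` on the Device Name match is even more position-dependent. The three web-server filters are identical (TCP, IPv4, SrcPort 80), which means every HTTP response on the wire is run through all three payloads.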
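--- a/GM3/data/fingerprint/Automation Direct DirectNET.xml
+++ b/GM3/data/fingerprint/Automation Direct DirectNET.xml
@@ -0,0 +1,112 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<Fingerprint>
+<Header>
+<Name>Automation Direct DirectNET</Name>
+<Author>Default</Author>
+<Description>This fingerprint looks for evidence of Automation Direct's DirectNet protocol traffic.</Description>
+</Header>
+<Filter For="DirectNet Master TCP" Name="MASTER TCP">
+<TransportProtocol>6</TransportProtocol>
+<DstPort>3447</DstPort>
+</Filter>
+<Filter For="DirectNet Slave TCP" Name="SLAVE TCP">
+<TransportProtocol>17</TransportProtocol>
+<SrcPort>3447</SrcPort>
+</Filter>
+<Filter For="DirectNet Master UDP" Name="MASTER UDP">
+<TransportProtocol>17</TransportProtocol>
+<DstPort>3447</DstPort>
+</Filter>
+<Filter For="DirectNet Slave UDP" Name="SLAVE UDP">
+<TransportProtocol>17</TransportProtocol>
+<SrcPort>3447</SrcPort>
+</Filter>
+<Payload For="DirectNet Master TCP">
+<Description>DirectNet MASTER that matches the HEX pattern</Description>
+<Always>
+<Return Direction="SOURCE" Confidence="5">
+<Details>
+<Category>MTU</Category>
+<Role>MASTER</Role>
+<Detail Name="ICSProtocol">Automation Direct DirectNet</Detail>
+</Details>
+</Return>
+</Always>
+<Match Offset="0" Reverse="true" NoCase="false" Depth="0" Relative="false" Within="0" MoveCursors="true">
+<Content Type="HEX">4E2105</Content>
+<AndThen>
+<Return Direction="SOURCE" Confidence="5">
+<Details>
+<Detail Name="ICSProtocol">Automation Direct DirectNet</Detail>
+</Details>
+</Return>
+</AndThen>
+</Match>
+</Payload>
+<Payload For="DirectNet Slave TCP">
+<Description>DirectNet SLAVE that matches the HEX pattern</Description>
+<Always>
+<Return Direction="SOURCE" Confidence="5">
+<Details>
+<Category>RTU</Category>
+<Role>SLAVE</Role>
+<Detail Name="ICSProtocol">Automation Direct DirectNet</Detail>
+</Details>
+</Return>
+</Always>
+<Match Offset="0" Reverse="true" NoCase="false" Depth="0" Relative="false" Within="0" MoveCursors="true">
+<Content Type="HEX">4E2105</Content>
+<AndThen>
+<Return Direction="SOURCE" Confidence="5">
+<Details>
+<Detail Name="ICSProtocol">Automation Direct DirectNet</Detail>
+</Details>
+</Return>
+</AndThen>
+</Match>
+</Payload>
+<Payload For="DirectNet Master UDP">
+<Description>DirectNet MASTER that matches the HEX pattern</Description>
+<Always>
+<Return Direction="SOURCE" Confidence="5">
+<Details>
+<Category>MTU</Category>
+<Role>MASTER</Role>
+<Detail Name="ICSProtocol">Automation Direct DirectNet</Detail>
+</Details>
+</Return>
+</Always>
+<Match Offset="0" Reverse="true" NoCase="false" Depth="0" Relative="false" Within="0" MoveCursors="true">
+<Content Type="HEX">4E2105</Content>
+<AndThen>
+<Return Direction="SOURCE" Confidence="5">
+<Details>
+<Detail Name="ICSProtocol">Automation Direct DirectNet</Detail>
+</Details>
+</Return>
+</AndThen>
+</Match>
+</Payload>
+<Payload For="DirectNet Slave UDP">
+<Description>DirectNet SLAVE that matches the HEX pattern</Description>
+<Always>
+<Return Direction="SOURCE" Confidence="5">
+<Details>
+<Category>RTU</Category>
+<Role>SLAVE</Role>
+<Detail Name="ICSProtocol">Automation Direct DirectNet</Detail>
+</Details>
+</Return>
+</Always>
+<Match Offset="0" Reverse="true" NoCase="false" Depth="0" Relative="false" Within="0" MoveCursors="true">
+<Content Type="HEX">4E2105</Content>
+<AndThen>
+<Return Direction="SOURCE" Confidence="5">
+<Details>
+<Detail Name="ICSProtocol">Automation Direct DirectNet</Detail>
+</Details>
+</Return>
+</AndThen>
+</Match>
+</Payload>
+</Fingerprint>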
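Review bot: The `SLAVE TCP` filter is declared with `<TransportProtocol>17</TransportProtocol>` (UDP) and `SrcPort 3447`, which makes it a byte-for-byte duplicate of `SLAVE UDP` rather than the TCP counterpart of `MASTER TCP`, so TCP replies from a DirectNET slave never match and UDP replies fire both slave payloads; that line should be `<TransportProtocol>6</TransportProtocol>`. Each of the four payloads also pairs an `<Always>` returning Confidence 5 with Category and Role against a `<Match>` on the `4E2105` header that returns the same Confidence 5 with fewer details, so the content check adds no discrimination over the port alone; a more useful split would put a lower confidence on the port-only `<Always>` and reserve 5 for the header match, with Category and Role on the latter. It is worth confirming that the loader accepts a `<Payload>` holding both `<Always>` and `<Match>` children, since no other fingerprint in this commit combines them.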
