Cisco FirePOWER Appliance 7110

FireSIGHT System User Guide, page 25-76
Chapter 25 Using Application Layer Preprocessors
Working with SCADA Preprocessors
The Distributed Network Protocol (DNP3) is a SCADA protocol that was originally developed to 
provide consistent communication between electrical stations. DNP3 has also become widely used in the 
water, waste, transportation, and many other industries. 
The DNP3 preprocessor detects anomalies in DNP3 traffic and decodes the DNP3 protocol for processing by the rules engine, which uses DNP3 keywords to access certain protocol fields. See  for more information.
You must enable the DNP3 preprocessor rules in the following table if you want these rules to generate events. See  for information on enabling rules.
Note the following information regarding the use of the DNP3 preprocessor:
• If your network does not contain any DNP3-enabled devices, you should not enable this preprocessor in an intrusion policy that you apply to traffic.
• The DNP3 preprocessor requires TCP stream configuration. When you enable the DNP3 preprocessor and TCP stream configuration is disabled, you are prompted whether to enable the advanced setting when you save the policy. See  and  for more information.
• Both TCP stream configuration and the DNP3 preprocessor must be enabled to allow processing of rules using DNP3 keywords. When either is disabled and you enable rules that use DNP3 keywords, you are prompted whether to enable the disabled advanced setting when you save the policy. See  for more information.
Table 25-14 DNP3 Preprocessor Rules

GID:SID  Description
145:1    When Log bad CRC is enabled, generates an event when the preprocessor detects a link layer frame with an invalid checksum.
145:2    Generates an event and blocks the packet when the preprocessor detects a DNP3 link layer frame with an invalid length.
145:3    Generates an event and blocks the packet during reassembly when the preprocessor detects a transport layer segment with an invalid sequence number.
145:4    Generates an event when the DNP3 reassembly buffer is cleared before a complete fragment can be reassembled. This happens when a segment carrying the FIR (first segment) flag appears after other segments have been queued.
145:5    Generates an event when the preprocessor detects a DNP3 link layer frame that uses a reserved address.
145:6    Generates an event when the preprocessor detects a DNP3 request or response that uses a reserved function code.

The following list describes the DNP3 preprocessor options you can configure.
Ports
Enables inspection of DNP3 traffic on each specified port. You can specify a single port or a comma-separated list of ports. You can specify a value from 0 to 65535 for each port. The IANA-registered DNP3 port is 20000; if your outstations listen elsewhere, add those ports here or the preprocessor never sees the traffic and none of the rules above can fire.
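The six rules in Table 25-14 correspond to checks at three DNP3 layers: link-layer CRC and length validation (145:1, 145:2), link-layer address screening (145:5), transport-layer sequence and FIR handling (145:3, 145:4) and the application-layer function code (145:6). The following Python is an added illustration of those checks, not Cisco or Snort preprocessor code. It builds well-formed frames with the CRC-16/DNP polynomial (0x3D65), then runs constructed frames through a link parser, a transport reassembler and a function-code check that label anomalies with the corresponding GID:SID. The reserved ranges it uses (link addresses 0xFFF0 to 0xFFFB, function codes 0x22 to 0x80) are assumptions taken from the DNP3 specification; the page does not list the preprocessor's exact ranges.

```python
"""DNP3 link, transport and application checks mirroring rules 145:1 to 145:6.
Added illustration, not Cisco/Snort code. The reserved ranges (link addresses
0xFFF0-0xFFFB, application function codes 0x22-0x80) are assumptions taken from
the DNP3 specification; the page itself does not list them."""

DNP3_START = b"\x05\x64"
RESERVED_ADDR = range(0xFFF0, 0xFFFB + 1)   # assumption: reserved link-layer addresses
RESERVED_FUNC = range(0x22, 0x80 + 1)       # assumption: reserved application function codes

def crc_dnp(data: bytes) -> int:
    """CRC-16/DNP: polynomial 0x3D65 bit-reflected (0xA6BC), init 0, final XOR 0xFFFF."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return crc ^ 0xFFFF

def build_frame(ctrl: int, dest: int, src: int, user_data: bytes = b"") -> bytes:
    """Link-layer frame: 8-byte header + CRC, then user data in 16-byte blocks, each + CRC."""
    header = (DNP3_START + bytes([5 + len(user_data), ctrl])
              + dest.to_bytes(2, "little") + src.to_bytes(2, "little"))
    frame = header + crc_dnp(header).to_bytes(2, "little")
    for i in range(0, len(user_data), 16):
        block = user_data[i:i + 16]
        frame += block + crc_dnp(block).to_bytes(2, "little")
    return frame

def parse_link_frame(frame: bytes):
    """Return (anomalies, user_data); user_data is None when the frame would be blocked."""
    anomalies = []
    if len(frame) < 10 or frame[:2] != DNP3_START:
        return ["145:2 invalid length"], None
    data_len = frame[2] - 5                      # LEN counts ctrl+dest+src+user data, not CRCs
    dest = int.from_bytes(frame[4:6], "little")
    src = int.from_bytes(frame[6:8], "little")
    if int.from_bytes(frame[8:10], "little") != crc_dnp(frame[:8]):
        anomalies.append("145:1 bad CRC")        # header checksum
    if data_len < 0 or len(frame) != 10 + data_len + 2 * ((data_len + 15) // 16):
        anomalies.append("145:2 invalid length")
        return anomalies, None                   # 145:2 blocks the packet
    if dest in RESERVED_ADDR or src in RESERVED_ADDR:
        anomalies.append("145:5 reserved address")
    user_data, pos = b"", 10
    for i in range(0, data_len, 16):
        block = frame[pos:pos + min(16, data_len - i)]
        pos += len(block)
        if int.from_bytes(frame[pos:pos + 2], "little") != crc_dnp(block):
            anomalies.append("145:1 bad CRC")    # data block checksum
        user_data, pos = user_data + block, pos + 2
    return anomalies, user_data

class Reassembler:
    """Transport-layer reassembly; segment header = FIN(0x80) | FIR(0x40) | 6-bit sequence."""
    def __init__(self):
        self.buf, self.expected_seq = b"", None

    def feed(self, segment: bytes):
        """Return (anomalies, fragment); fragment is the complete application fragment or None."""
        anomalies = []
        fin, fir, seq = bool(segment[0] & 0x80), bool(segment[0] & 0x40), segment[0] & 0x3F
        if fir:
            if self.buf:                         # a new first segment discards what was queued
                anomalies.append("145:4 reassembly buffer cleared")
            self.buf = b""
        elif seq != self.expected_seq:           # also catches a non-FIR segment with nothing queued
            anomalies.append("145:3 invalid sequence number")
            return anomalies, None               # 145:3 blocks the segment
        self.buf, self.expected_seq = self.buf + segment[1:], (seq + 1) % 64
        if not fin:
            return anomalies, None
        fragment, self.buf, self.expected_seq = self.buf, b"", None
        return anomalies, fragment

def inspect_frames(frames):
    """Run frames through all three layers in order and return every anomaly found."""
    reasm, found = Reassembler(), []
    for frame in frames:
        anomalies, user_data = parse_link_frame(frame)
        found += anomalies
        if not user_data:                        # blocked, or a link-only frame with no payload
            continue
        anomalies, fragment = reasm.feed(user_data)
        found += anomalies
        if fragment and len(fragment) >= 2 and fragment[1] in RESERVED_FUNC:
            found.append("145:6 reserved function code")   # byte 1 of a fragment = function code
    return found

# Constructed sample traffic (not a capture): master address 1 polling outstation 10.
# Transport byte 0xC0 = FIN|FIR|seq 0; application bytes 0xC0 0x01 = FIR|FIN|seq 0, READ.
GOOD = build_frame(0xC4, 10, 1, bytes([0xC0, 0xC0, 0x01]))
BAD_CRC = GOOD[:9] + bytes([GOOD[9] ^ 0x01]) + GOOD[10:]              # corrupt header CRC
BAD_LEN = GOOD[:2] + b"\x20" + GOOD[3:]                                # LEN claims 27 data bytes
RESERVED_DST = build_frame(0xC4, 0xFFF0, 1, bytes([0xC0, 0xC0, 0x01]))
FIRST_SEG = build_frame(0xC4, 10, 1, bytes([0x40, 0xC0, 0x01]))        # FIR, no FIN, seq 0
OUT_OF_SEQ = [FIRST_SEG, build_frame(0xC4, 10, 1, bytes([0x85, 0x00]))]  # FIN, seq 5, expected 1
FIR_RESTART = [FIRST_SEG, GOOD]                                        # FIR while segments queued
RESERVED_FC = build_frame(0xC4, 10, 1, bytes([0xC0, 0xC0, 0x50]))      # function code 0x50
```

Call `inspect_frames(...)` on any of the constructed samples (for example `inspect_frames(OUT_OF_SEQ)` or `inspect_frames([BAD_LEN])`) to see which rule labels a given frame sequence triggers; `GOOD` and a payload-free link frame such as `build_frame(0xC4, 10, 1)` produce none. Note that corrupting the LEN byte also invalidates the header CRC, so a single tampered frame can raise both 145:1 and 145:2, and that the transport reassembler keeps state across frames, which is why the DNP3 preprocessor needs TCP stream reassembly to see segments in order.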