s7comm_investigation

This is a team project on the subject of information security of cyber industrial systems. Made by students of MEPhI group B17-505.

For installation:

  • pip install snap7
  • download snap7.dll from the snap7 open-source library and copy it to the directory with the Python files

How to build Suricata for the S7 protocol on Linux

See my fork of the Suricata repo.

First, download the packages and configure the project, then build Suricata:

  1. cd ~
  2. sudo apt-get update && sudo apt-get upgrade -y
  3. sudo apt-get install libpcre3 libpcre3-dbg libpcre3-dev build-essential libpcap-dev libnet1-dev libyaml-0-2 libyaml-dev pkg-config zlib1g zlib1g-dev libcap-ng-dev libcap-ng0 make libmagic-dev libjansson-dev libnss3-dev libgeoip-dev liblua5.1-dev libhiredis-dev libevent-dev liblz4-dev m4 autoconf autogen cargo python3-pip cbindgen
  4. sudo pip install python-snap7
  5. sudo pip install --upgrade suricata-update
  6. git clone https://github.com/yerseg/suricata.git
  7. cd suricata/
  8. git checkout yerseg/s7comm_investigation
  9. git clone https://github.com/OISF/libhtp.git
  10. sudo ./autogen.sh
  11. sudo ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var
  12. sudo mkdir /var/log/suricata
  13. sudo mkdir /etc/suricata
  14. sudo make && sudo make install && sudo make install-conf
  15. sudo cp suricata.yaml /etc/suricata
  16. sudo suricata-update -D /etc/suricata
  17. sudo ifconfig lo mtu 1522

After each edit to the .c and .h source files, run sudo make install again.

Install the S7 test stand

  1. cd ~
  2. git clone https://github.com/yerseg/s7comm_investigation.git
  3. cd s7comm_investigation/
  4. sudo cp ./libsnap7.so /usr/lib
  5. sudo ldconfig
  6. Now you can run the server and the client with python3. Don't forget to use sudo.

Edit rules and configs

  • sudo gedit /etc/suricata/suricata.yaml -- set the interface to lo
  • You can edit the rules with sudo gedit /etc/suricata/rules/suricata.rules

Now we can run Suricata: sudo suricata -c /etc/suricata/suricata.yaml -i lo --set capture.disable-offloading=false. Use Wireshark to check the packets.

Our test rule: alert tcp 127.0.0.1 any -> 127.0.0.100 any (s7comm: function 4;)

How to check Suricata alerts?

sudo cat /var/log/suricata/eve.json | grep "\"event_type\":\"s7comm\""
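The test rule above keys on the S7comm function code, and the grep command filters eve.json for the s7comm event type. The following added example (not code from this repository or from the Suricata fork) shows what the parser behind such a rule has to do: it walks the TPKT / COTP / S7comm framing of a TCP payload, pulls out the function code, and mirrors the test rule's source, destination and function condition. The three sample PDUs and the eve.json lines are constructed by hand, not captured from a PLC; the shape of the "s7comm" sub-object in the eve records is an assumption, since the fork's exact event schema is not documented here.

```python
"""Parse an S7comm PDU out of a TCP payload and apply the test rule's
function-code condition. Added example, not part of s7comm_investigation.
Framing assumed: TPKT (RFC 1006) + COTP DT header + S7comm header."""
import json
import struct

# Function codes carried in the parameter block of Job / Ack_Data PDUs.
# 0x04 (Read Var) is the value the test rule "s7comm: function 4;" matches.
FUNCTION_NAMES = {
    0x00: "CPU services", 0x04: "Read Var", 0x05: "Write Var",
    0x1A: "Request download", 0x1B: "Download block", 0x1C: "Download ended",
    0x1D: "Start upload", 0x1E: "Upload", 0x1F: "End upload",
    0x28: "PLC Control", 0x29: "PLC Stop", 0xF0: "Setup communication",
}


def parse_s7comm(payload: bytes) -> dict:
    """Return S7comm header fields plus the function code; ValueError if malformed."""
    # TPKT: version (must be 3), reserved, 16-bit big-endian total frame length
    if len(payload) < 4 or payload[0] != 0x03:
        raise ValueError("not a TPKT frame")
    if struct.unpack(">H", payload[2:4])[0] != len(payload):
        raise ValueError("TPKT length does not match payload size")
    # COTP: length byte, then PDU type; 0xF0 is a DT (data) TPDU
    if len(payload) < 6 or payload[5] != 0xF0:
        raise ValueError("COTP PDU is not a DT TPDU")
    s7 = payload[5 + payload[4]:]          # COTP length excludes the length byte itself
    # S7comm header: proto id 0x32, ROSCTR, 2 reserved, PDU ref, param len, data len
    if len(s7) < 10 or s7[0] != 0x32:
        raise ValueError("not an S7comm PDU")
    rosctr = s7[1]
    if rosctr not in (0x01, 0x03):         # Job and Ack_Data carry a function code first
        raise ValueError("only Job and Ack_Data PDUs are handled here")
    pdu_ref, param_len, data_len = struct.unpack(">HHH", s7[4:10])
    hdr_len = 12 if rosctr == 0x03 else 10  # Ack_Data adds error class + error code
    if param_len < 1 or len(s7) < hdr_len + param_len + data_len:
        raise ValueError("truncated S7comm PDU")
    function = s7[hdr_len]                  # first byte of the parameter block
    return {"rosctr": rosctr, "pdu_ref": pdu_ref, "param_len": param_len,
            "data_len": data_len, "function": function,
            "function_name": FUNCTION_NAMES.get(function, "unknown")}


def matches_test_rule(src_ip: str, dst_ip: str, payload: bytes, function: int = 4) -> bool:
    """Mirror of: alert tcp 127.0.0.1 any -> 127.0.0.100 any (s7comm: function 4;)"""
    if (src_ip, dst_ip) != ("127.0.0.1", "127.0.0.100"):
        return False
    try:
        return parse_s7comm(payload)["function"] == function
    except ValueError:                      # malformed traffic never fires the rule
        return False


def s7comm_events(eve_lines) -> list:
    """Same filter as the grep command: keep eve.json records with event_type s7comm."""
    found = []
    for line in eve_lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:        # skip partial or non-JSON lines
            continue
        if rec.get("event_type") == "s7comm":
            found.append(rec)
    return found


# Constructed sample PDUs (hex, grouped as TPKT | COTP | S7 header | parameter | data).
# Read Var job, PDU ref 1, one item: 2 bytes of DB1 at byte 0.
READ_VAR_JOB = bytes.fromhex("0300001f 02f080 32010000000100 0e0000 0401 120a100200020001 84000000")
# Write Var job, PDU ref 2, same item, data block of 2 bytes (0xabcd).
WRITE_VAR_JOB = bytes.fromhex("03000025 02f080 32010000000200 0e0006 0501 120a100200020001 84000000 00040010 abcd")
# Ack_Data answering the read: error class/code 0, data item with return code 0xff (success).
READ_VAR_ACK = bytes.fromhex("0300001b 02f080 320300000001000200060000 0401 ff0400101234")

# Constructed eve.json lines; the "s7comm" sub-object layout is an assumption.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2020-05-01T12:00:00.000000+0000","event_type":"flow","src_ip":"127.0.0.1","dest_ip":"127.0.0.100"}',
    '{"timestamp":"2020-05-01T12:00:01.000000+0000","event_type":"s7comm","src_ip":"127.0.0.1","dest_ip":"127.0.0.100","s7comm":{"function":4}}',
    '{"timestamp":"2020-05-01T12:00:01.000000+0000","event_type":"alert","src_ip":"127.0.0.1","dest_ip":"127.0.0.100"}',
    'not json at all',
]

if __name__ == "__main__":
    for name, pdu in (("read job", READ_VAR_JOB), ("write job", WRITE_VAR_JOB), ("read ack", READ_VAR_ACK)):
        print(name, parse_s7comm(pdu))
    print("rule fires on read job:", matches_test_rule("127.0.0.1", "127.0.0.100", READ_VAR_JOB))
    print("rule fires on write job:", matches_test_rule("127.0.0.1", "127.0.0.100", WRITE_VAR_JOB))
    print("s7comm events:", len(s7comm_events(SAMPLE_EVE_LINES)))
```

Two points worth noticing when comparing this with the fork's C parser: the Ack_Data header is two bytes longer than the Job header, so the function code moves; and Userdata PDUs (ROSCTR 7) use a different parameter head, which is why they are rejected here rather than misread. The TPKT length check also matters for a detector, since a PDU split across TCP segments would otherwise be parsed as a truncated frame.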
