This is a team project on the information security of industrial cyber systems, made by students of MEPhI group B17-505.
For installation:
pip install python-snap7
- download the Snap7 shared library (libsnap7.so on Linux, snap7.dll on Windows) from the Snap7 open-source project and copy it to the directory with the Python files
First, install the packages and configure the project, then build Suricata
cd ~
sudo apt-get update && sudo apt-get upgrade -y
sudo apt-get install libpcre3 libpcre3-dbg libpcre3-dev build-essential libpcap-dev libnet1-dev libyaml-0-2 libyaml-dev pkg-config zlib1g zlib1g-dev libcap-ng-dev libcap-ng0 make libmagic-dev libjansson-dev libnss3-dev libgeoip-dev liblua5.1-dev libhiredis-dev libevent-dev liblz4-dev m4 autoconf autogen cargo python3-pip cbindgen
sudo pip install python-snap7
sudo pip install --upgrade suricata-update
git clone https://github.com/yerseg/suricata.git
cd suricata/
git checkout yerseg/s7comm_investigation
git clone https://github.com/OISF/libhtp.git
sudo ./autogen.sh
sudo ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var
sudo mkdir /var/log/suricata
sudo mkdir /etc/suricata
sudo make && sudo make install && sudo make install-conf
sudo cp suricata.yaml /etc/suricata
sudo suricata-update -D /etc/suricata
sudo ifconfig lo mtu 1522
After each edit to the .c and .h source files, run sudo make install again
Install the S7 test stand
cd ~
git clone https://github.com/yerseg/s7comm_investigation.git
cd s7comm_investigation/
sudo cp ./libsnap7.so /usr/lib
sudo ldconfig
- Now you can run the server and the client with python3. Don't forget to use sudo: the Snap7 server listens on the privileged port 102.
Edit rules and configs
sudo gedit /etc/suricata/suricata.yaml
-- set the capture interface to lo
- You can edit the rules in
sudo gedit /etc/suricata/rules/suricata.rules
Now we can run Suricata:
sudo suricata -c /etc/suricata/suricata.yaml -i lo --set capture.disable-offloading=false
Use Wireshark to check packets.
Our test rule (Suricata requires every rule to carry a sid, so give it a msg, sid and rev)
alert tcp 127.0.0.1 any -> 127.0.0.100 any (msg:"S7comm Read Var request"; s7comm: function 4; sid:1000001; rev:1;)
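To see what the rule keyword `s7comm: function 4` is matching on, here is a small parser for the S7comm PDU layout (TPKT, COTP DT, S7 header, parameter block) that decodes the function code and the Read Var items, together with a `rule_matches` helper that mirrors the keyword. This is an added example written for this README; it is not code from the s7comm_investigation project or from the Suricata fork, and the three sample PDUs are hand-constructed for the example, not captured from the test stand. Function codes and area codes follow the S7comm field values as documented in the Wireshark dissector.

```python
"""Minimal S7comm (ISO-on-TCP, port 102) PDU parser.

Added example, not code from the s7comm_investigation project or the Suricata
fork. Layout parsed: TPKT (4 bytes) -> COTP DT (3 bytes) -> S7 header
(10 bytes, 12 for ack/ack_data) -> parameter block, whose first byte is the
function code that the `s7comm: function N` rule keyword selects on.
"""
import struct

# Function codes from the S7comm parameter header (job / ack_data PDUs).
FUNCTIONS = {
    0x00: "CPU services", 0x04: "Read Var", 0x05: "Write Var",
    0x1A: "Request download", 0x1B: "Download block", 0x1C: "Download ended",
    0x1D: "Start upload", 0x1E: "Upload", 0x1F: "End upload",
    0x28: "PI-Service", 0x29: "PLC Stop", 0xF0: "Setup communication",
}
ROSCTR = {0x01: "Job", 0x02: "Ack", 0x03: "Ack_Data", 0x07: "Userdata"}
AREAS = {0x81: "I", 0x82: "Q", 0x83: "M", 0x84: "DB"}


def parse_s7comm(segment: bytes) -> dict:
    """Parse one TPKT-framed S7comm PDU out of a TCP payload.

    Returns the header fields, the function code and, for Read Var jobs, the
    decoded address items. Raises ValueError on anything that is not S7comm.
    """
    if len(segment) < 7 or segment[0] != 0x03:
        raise ValueError("not a TPKT frame")
    tpkt_len = struct.unpack("!H", segment[2:4])[0]
    if tpkt_len != len(segment):
        raise ValueError("TPKT length %d != payload %d" % (tpkt_len, len(segment)))
    cotp_len = segment[4]               # length of the COTP header after this byte
    if segment[5] != 0xF0:              # only COTP DT (data) PDUs carry S7comm
        raise ValueError("COTP PDU type 0x%02x is not DT" % segment[5])
    s7 = segment[5 + cotp_len:]
    if len(s7) < 10 or s7[0] != 0x32:
        raise ValueError("missing S7comm protocol id 0x32")
    rosctr = s7[1]
    pdu_ref, param_len, data_len = struct.unpack("!HHH", s7[4:10])
    hdr_len = 12 if rosctr in (0x02, 0x03) else 10   # ack/ack_data add error class+code
    params = s7[hdr_len:hdr_len + param_len]
    data = s7[hdr_len + param_len:hdr_len + param_len + data_len]
    if len(params) != param_len or len(data) != data_len:
        raise ValueError("truncated PDU")
    function = params[0] if params else None
    pdu = {
        "rosctr": ROSCTR.get(rosctr, "unknown(0x%02x)" % rosctr),
        "pdu_ref": pdu_ref,
        "function": function,
        "function_name": FUNCTIONS.get(function, "unknown"),
        "items": [],
    }
    if rosctr in (0x02, 0x03):
        pdu["error"] = (s7[10], s7[11])           # error class, error code
    if rosctr == 0x01 and function == 0x04:
        pdu["items"] = _parse_read_items(params[1:])
    return pdu


def _parse_read_items(buf: bytes) -> list:
    """Decode the S7ANY (syntax id 0x10) address items of a Read Var job."""
    count, off, items = buf[0], 1, []
    for _ in range(count):
        item = buf[off:off + 12]
        if len(item) != 12 or item[0] != 0x12 or item[2] != 0x10:
            raise ValueError("unsupported variable specification")
        transport, length, db, area = struct.unpack("!BHHB", item[3:9])
        bit_addr = int.from_bytes(item[9:12], "big")   # byte*8 + bit
        items.append({"area": AREAS.get(area, "0x%02x" % area), "db": db,
                      "byte": bit_addr >> 3, "bit": bit_addr & 7,
                      "length": length, "transport_size": transport})
        off += 12
    return items


def rule_matches(segment: bytes, function: int) -> bool:
    """Mirror of `s7comm: function N`: true when the PDU's function code is N.
    Payloads that are not S7comm never match."""
    try:
        return parse_s7comm(segment)["function"] == function
    except ValueError:
        return False


# Constructed sample PDUs (hand-built for this example, not captured traffic).
SETUP_COMM = bytes.fromhex("03000019" "02f080" "32010000000000080000"
                           "f0000001000101e0")          # Job, Setup communication
READ_DB1 = bytes.fromhex("0300001f" "02f080" "320100000001000e0000"
                         "0401" "120a10020002000184000000")  # Job, Read Var DB1.DBB0, 2 bytes
READ_ACK = bytes.fromhex("0300001b" "02f080" "320300000001000200060000"
                         "0401" "ff040010dead")          # Ack_Data for the read

if __name__ == "__main__":
    for name, pdu in (("setup", SETUP_COMM), ("read", READ_DB1), ("ack", READ_ACK)):
        print(name, parse_s7comm(pdu), "matches function 4:", rule_matches(pdu, 4))
```

Note that the Ack_Data reply carries the same function code 0x04, so a rule on `function 4` alone sees both the request and the response; the source/destination pair in the rule above is what restricts it to the client-to-PLC direction.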
sudo grep '"event_type":"s7comm"' /var/log/suricata/eve.json