Updated DPD Signature
keithjjones opened this issue · 1 comment
💡 Summary
What is the work, as a high-level summary?
This provides a DPD signature for BACnet. I've been running this on several live networks for many months and have been happy with the results. It has uncovered several BACnet networks I did not know about on non-standard ports, which is pretty common for this protocol.
Motivation and context
Why does this work belong in this project?
This would be useful because...
It would detect BACnet networks on non-standard ports, which is pretty common in networks I monitor. Non-standard ports are often used to separate networks logically on the same IP address.
Implementation notes
The DPD signature I've been testing for many months:
signature bacnet_dpd {
    ip-proto == udp
    # Any non-privileged port in either direction, so BACnet/IP on a
    # non-standard port (not only 47808 / 0xBAC0) is still detected.
    src-port == 1024-65535
    dst-port == 1024-65535
    # BVLC header: 0x81 = BACnet/IP, 0x0a = Original-Unicast-NPDU,
    # two BVLC length bytes, then NPDU version 0x01.
    payload /\x81\x0a..\x01/
    enable "bacnet"
}
Acceptance criteria
How do we know when this work is done?
- Criterion
You will be able to see BACnet networks on non-standard ports.
We merged your DPD signature into the main branch with one additional change. We have added 0x0b to the payload check to capture both "Original_Unicast_NPDU" and "Original_Broadcast_NPDU" functions.
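The following is an added Python example, not code from the issue or from the project, that makes the signature's byte matching concrete. It builds constructed BACnet/IP datagrams (BVLC header plus a hand-assembled NPDU; the sample bytes are constructed for illustration), applies the port ranges and the payload regex from the issue as posted, applies the merged variant that also accepts 0x0b, and adds a stricter structural check of my own (header at offset 0, BVLC length equal to the datagram length) to show what the bare regex does not verify. The function and constant names are this example's own.

```python
"""Constructed examples of what the bacnet_dpd signature's payload regex matches."""
import re
import struct

# Byte layout of a BACnet/IP datagram (BVLC header + NPDU), which is what the
# signature's regex /\x81\x0a..\x01/ keys on:
#   byte 0     BVLC type:     0x81 = BACnet/IP
#   byte 1     BVLC function: 0x0a = Original-Unicast-NPDU, 0x0b = Original-Broadcast-NPDU
#   bytes 2-3  BVLC length, big-endian, covers the whole datagram including this header
#   byte 4     NPDU version, always 0x01
BVLC_TYPE_BACNET_IP = 0x81
ORIGINAL_UNICAST_NPDU = 0x0A
ORIGINAL_BROADCAST_NPDU = 0x0B
NPDU_VERSION = 0x01

# The regex as posted in the issue, and the merged variant that also accepts
# 0x0b. re.DOTALL makes '.' match any byte, including 0x0a and 0x0d.
ISSUE_PATTERN = re.compile(rb"\x81\x0a..\x01", re.DOTALL)
MERGED_PATTERN = re.compile(rb"\x81[\x0a\x0b]..\x01", re.DOTALL)

PORT_MIN, PORT_MAX = 1024, 65535


def bvlc_frame(function, npdu):
    """Build a constructed BACnet/IP datagram: 4-byte BVLC header + NPDU."""
    return struct.pack(">BBH", BVLC_TYPE_BACNET_IP, function, 4 + len(npdu)) + npdu


# Constructed NPDU (version 1, control 0x04) carrying a ReadProperty request
# (confirmed request, invoke ID 1, service 12) for object-list of device 0.
SAMPLE_NPDU = bytes([NPDU_VERSION, 0x04,
                     0x00, 0x05, 0x01, 0x0C,
                     0x0C, 0x02, 0x00, 0x00, 0x00,
                     0x19, 0x4C])


def matches_signature(src_port, dst_port, payload, pattern=MERGED_PATTERN):
    """Apply the signature's port ranges and payload regex to one UDP datagram.

    The regex is applied with re.search, i.e. without assuming it is anchored
    to the start of the payload; looks_like_bacnet_ip() below adds anchoring.
    """
    if not (PORT_MIN <= src_port <= PORT_MAX and PORT_MIN <= dst_port <= PORT_MAX):
        return False
    return pattern.search(payload) is not None


def looks_like_bacnet_ip(payload):
    """Stricter structural check (an addition, not part of the signature):
    header at offset 0, known function, BVLC length equal to the datagram
    length, NPDU version 1. Rejects a payload that merely contains the byte
    pattern somewhere inside unrelated data. Ports are not considered here."""
    if len(payload) < 5 or payload[0] != BVLC_TYPE_BACNET_IP:
        return False
    if payload[1] not in (ORIGINAL_UNICAST_NPDU, ORIGINAL_BROADCAST_NPDU):
        return False
    (bvlc_len,) = struct.unpack(">H", payload[2:4])
    return bvlc_len == len(payload) and payload[4] == NPDU_VERSION


# Constructed datagrams: (label, src_port, dst_port, payload)
SAMPLE_DATAGRAMS = [
    ("unicast on default port 47808", 47808, 47808,
     bvlc_frame(ORIGINAL_UNICAST_NPDU, SAMPLE_NPDU)),
    ("unicast on a non-standard port", 51000, 47809,
     bvlc_frame(ORIGINAL_UNICAST_NPDU, SAMPLE_NPDU)),
    ("broadcast on a non-standard port", 47809, 47809,
     bvlc_frame(ORIGINAL_BROADCAST_NPDU, SAMPLE_NPDU)),
    ("unicast but destination port below 1024", 47808, 53,
     bvlc_frame(ORIGINAL_UNICAST_NPDU, SAMPLE_NPDU)),
    ("pattern buried inside unrelated bytes", 40000, 40001,
     b"junk" + b"\x81\x0a\x00\x11\x01" + b"more"),
    ("DNS-looking payload", 40000, 40001,
     b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"),
]


def classify(datagrams=SAMPLE_DATAGRAMS):
    """Return {label: (issue_regex_hit, merged_regex_hit, structural_hit)}."""
    return {
        label: (matches_signature(s, d, p, ISSUE_PATTERN),
                matches_signature(s, d, p, MERGED_PATTERN),
                looks_like_bacnet_ip(p))
        for label, s, d, p in datagrams
    }


if __name__ == "__main__":
    for label, (issue, merged, strict) in classify().items():
        print(f"{label:45s} issue={issue!s:5s} merged={merged!s:5s} strict={strict}")
```

The broadcast datagram is the case the merged change addresses: it is missed by the regex as posted and caught once 0x0b is accepted. The "buried" case shows why the two unconstrained length bytes and the lack of a start anchor make the regex a detection trigger rather than a parser; the structural check is what a follow-on analyzer would still have to do.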