//--------------------------------------------------------------------------
// Copyright (C) 2021-2021 Cisco and/or its affiliates. All rights reserved.
//
// This program is free software; you can redistribute it and/or modify it
// under the terms of the GNU General Public License Version 2 as published
// by the Free Software Foundation.  You may not use, modify or distribute
// this program under any other version of the GNU General Public License.
//
// This program is distributed in the hope that it will be useful, but
// WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
// General Public License for more details.
//
// You should have received a copy of the GNU General Public License along
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
//--------------------------------------------------------------------------

// iec104_module.h author Jared Rittle <jared.rittle@cisco.com>
// modeled after modbus_module.h (author Russ Combs <rucombs@cisco.com>)
// modeled after s7comm_module.h (author Pradeep Damodharan <prdamodh@cisco.com>)

#ifndef IEC104_MODULE_H
#define IEC104_MODULE_H

#include "framework/module.h"

// Generator id returned by Iec104Module::get_gid().
#define GID_IEC104 151

#define IEC104_NAME "iec104"
#define IEC104_HELP "iec104 inspection"

// Per-thread profiling record; defined outside this header and handed out by
// Iec104Module::get_profile().
extern THREAD_LOCAL snort::ProfileStats iec104_prof;

// Snort module declaration for the iec104 inspector.
//
// The accessors defined inline return fixed values; the constructor and the
// rule, peg-count and trace accessors are only declared here and are
// implemented elsewhere.
class Iec104Module: public snort::Module
{
public:
    Iec104Module();

    // Generator id for this module's events (GID_IEC104).
    unsigned get_gid() const override { return GID_IEC104; }

    const snort::RuleMap* get_rules() const override;

    const PegInfo* get_pegs() const override;
    PegCount* get_counts() const override;

    // Address of the thread-local profiling record declared above.
    snort::ProfileStats* get_profile() const override { return &iec104_prof; }

    Usage get_usage() const override { return INSPECT; }

    bool is_bindable() const override { return true; }

    void set_trace(const snort::Trace*) const override;
    const snort::TraceOption* get_trace_options() const override;
};

//--------------------------------------------------------------------------
// Event ids and their messages, listed in numeric order with each id next to
// its text.
//
// NOTE(review): these look like the SIDs raised under GID_IEC104, paired with
// the *_STR text through the table behind get_rules(); that table is not in
// this header, so confirm there.  If so, both the numbers and the message
// text are an external contract: deployed rules, suppressions and log
// parsers key on gid:sid and on the message, so add new ids at the end
// rather than renumbering or rewording existing ones.
//--------------------------------------------------------------------------

// APCI header and ASDU type id
#define IEC104_BAD_LENGTH 1
#define IEC104_BAD_LENGTH_STR "Length in IEC104 APCI header does not match the length needed for the given IEC104 ASDU type id"
#define IEC104_BAD_START 2
#define IEC104_BAD_START_STR "IEC104 Start byte does not match 0x68"
#define IEC104_RESERVED_ASDU_TYPE 3
#define IEC104_RESERVED_ASDU_TYPE_STR "Reserved IEC104 ASDU type id in use"

// APCI U and APCI S messages
#define IEC104_APCIU_RESERVED_FIELD_IN_USE 4
#define IEC104_APCIU_RESERVED_FIELD_IN_USE_STR "IEC104 APCI U Reserved field contains a non-default value"
#define IEC104_APCIU_INVALID_MESSAGE_TYPE 5
#define IEC104_APCIU_INVALID_MESSAGE_TYPE_STR "IEC104 APCI U message type was set to an invalid value"
#define IEC104_APCIS_RESERVED_FIELD_IN_USE 6
#define IEC104_APCIS_RESERVED_FIELD_IN_USE_STR "IEC104 APCI S Reserved field contains a non-default value"

// APCI I: element count and SQ bit
#define IEC104_APCII_NUM_ELEMENTS_SET_TO_ZERO 7
#define IEC104_APCII_NUM_ELEMENTS_SET_TO_ZERO_STR "IEC104 APCI I number of elements set to zero"
#define IEC104_APCII_INVALID_SQ_VALUE 8
#define IEC104_APCII_INVALID_SQ_VALUE_STR "IEC104 APCI I SQ bit set on an ASDU that does not support the feature"
#define IEC104_APCII_INVALID_NUM_ELEMENTS_VALUE 9
#define IEC104_APCII_INVALID_NUM_ELEMENTS_VALUE_STR "IEC104 APCI I number of elements set to greater than one on an ASDU that does not support the feature"

// APCI I: qualifier fields
#define IEC104_RESERVED_COI 10
#define IEC104_RESERVED_COI_STR "IEC104 APCI I Cause of Initialization set to a reserved value"
#define IEC104_RESERVED_QOI 11
#define IEC104_RESERVED_QOI_STR "IEC104 APCI I Qualifier of Interrogation Command set to a reserved value"
#define IEC104_RESERVED_QCC 12
#define IEC104_RESERVED_QCC_STR "IEC104 APCI I Qualifier of Counter Interrogation Command request parameter set to a reserved value"
#define IEC104_RESERVED_QPM_KPA 13
#define IEC104_RESERVED_QPM_KPA_STR "IEC104 APCI I Qualifier of Parameter of Measured Values kind of parameter set to a reserved value"
#define IEC104_ABNORMAL_QPM_LPC 14
#define IEC104_ABNORMAL_QPM_LPC_STR "IEC104 APCI I Qualifier of Parameter of Measured Values local parameter change set to a technically valid but unused value"
#define IEC104_ABNORMAL_QPM_POP 15
#define IEC104_ABNORMAL_QPM_POP_STR "IEC104 APCI I Qualifier of Parameter of Measured Values parameter option set to a technically valid but unused value"
#define IEC104_RESERVED_QPA 16
#define IEC104_RESERVED_QPA_STR "IEC104 APCI I Qualifier of Parameter Activation set to a reserved value"
#define IEC104_RESERVED_QOC 17
#define IEC104_RESERVED_QOC_STR "IEC104 APCI I Qualifier of Command set to a reserved value"
#define IEC104_RESERVED_QRP 18
#define IEC104_RESERVED_QRP_STR "IEC104 APCI I Qualifier of Reset Process set to a reserved value"
#define IEC104_RESERVED_FRQ 19
#define IEC104_RESERVED_FRQ_STR "IEC104 APCI I File Ready Qualifier set to a reserved value"
#define IEC104_RESERVED_SRQ 20
#define IEC104_RESERVED_SRQ_STR "IEC104 APCI I Section Ready Qualifier set to a reserved value"
#define IEC104_RESERVED_SCQ 21
#define IEC104_RESERVED_SCQ_STR "IEC104 APCI I Select and Call Qualifier set to a reserved value"
#define IEC104_RESERVED_LSQ 22
#define IEC104_RESERVED_LSQ_STR "IEC104 APCI I Last Section or Segment Qualifier set to a reserved value"
#define IEC104_RESERVED_AFQ 23
#define IEC104_RESERVED_AFQ_STR "IEC104 APCI I Acknowledge File or Section Qualifier set to a reserved value"

// APCI I: structure qualifier, point information, cause of transmission,
// common address
#define IEC104_VSQ_ABNORMAL_SQ 24
#define IEC104_VSQ_ABNORMAL_SQ_STR "IEC104 APCI I Structure Qualifier set on a message where it should have no effect"
#define IEC104_RESERVED_SIQ 25
#define IEC104_RESERVED_SIQ_STR "IEC104 APCI I Single Point Information Reserved field contains a non-default value"
#define IEC104_RESERVED_DIQ 26
#define IEC104_RESERVED_DIQ_STR "IEC104 APCI I Double Point Information Reserved field contains a non-default value"
#define IEC104_RESERVED_CAUSE_TX 27
#define IEC104_RESERVED_CAUSE_TX_STR "IEC104 APCI I Cause of Transmission set to a reserved value"
#define IEC104_INVALID_CAUSE_TX 28
#define IEC104_INVALID_CAUSE_TX_STR "IEC104 APCI I Cause of Transmission set to a value not allowed for the ASDU"
#define IEC104_INVALID_COMMON_ADDRESS 29
#define IEC104_INVALID_COMMON_ADDRESS_STR "IEC104 APCI I invalid two octet common address value detected"

// APCI I: quality descriptors, IEEE 754 values, protection-equipment and
// command structures
#define IEC104_RESERVED_QDS 30
#define IEC104_RESERVED_QDS_STR "IEC104 APCI I Quality Descriptor Structure Reserved field contains a non-default value"
#define IEC104_RESERVED_QDP 31
#define IEC104_RESERVED_QDP_STR "IEC104 APCI I Quality Descriptor for Events of Protection Equipment Structure Reserved field contains a non-default value"
#define IEC104_RESERVED_IEEE_STD_754_NAN 32
#define IEC104_RESERVED_IEEE_STD_754_NAN_STR "IEC104 APCI I IEEE STD 754 value results in NaN"
#define IEC104_RESERVED_IEEE_STD_754_INFINITY 33
#define IEC104_RESERVED_IEEE_STD_754_INFINITY_STR "IEC104 APCI I IEEE STD 754 value results in infinity"
#define IEC104_RESERVED_SEP 34
#define IEC104_RESERVED_SEP_STR "IEC104 APCI I Single Event of Protection Equipment Structure Reserved field contains a non-default value"
#define IEC104_RESERVED_SPE 35
#define IEC104_RESERVED_SPE_STR "IEC104 APCI I Start Event of Protection Equipment Structure Reserved field contains a non-default value"
#define IEC104_RESERVED_OCI 36
#define IEC104_RESERVED_OCI_STR "IEC104 APCI I Output Circuit Information Structure Reserved field contains a non-default value"
#define IEC104_INVALID_FBP 37
#define IEC104_INVALID_FBP_STR "IEC104 APCI I Abnormal Fixed Test Bit Pattern detected"
#define IEC104_RESERVED_SCO 38
#define IEC104_RESERVED_SCO_STR "IEC104 APCI I Single Command Structure Reserved field contains a non-default value"
#define IEC104_INVALID_DCO 39
#define IEC104_INVALID_DCO_STR "IEC104 APCI I Double Command Structure contains an invalid value"
#define IEC104_RESERVED_RCO 40
#define IEC104_RESERVED_RCO_STR "IEC104 APCI I Regulating Step Command Structure Reserved field contains a non-default value"

// APCI I: Time2a fields
#define IEC104_INVALID_MS_IN_MINUTE 41
#define IEC104_INVALID_MS_IN_MINUTE_STR "IEC104 APCI I Time2a Millisecond set outside of the allowable range"
#define IEC104_INVALID_MINS_IN_HOUR 42
#define IEC104_INVALID_MINS_IN_HOUR_STR "IEC104 APCI I Time2a Minute set outside of the allowable range"
#define IEC104_RESERVED_MINS_IN_HOUR 43
#define IEC104_RESERVED_MINS_IN_HOUR_STR "IEC104 APCI I Time2a Minute Reserved field contains a non-default value"
#define IEC104_INVALID_HOURS_IN_DAY 44
#define IEC104_INVALID_HOURS_IN_DAY_STR "IEC104 APCI I Time2a Hours set outside of the allowable range"
#define IEC104_RESERVED_HOURS_IN_DAY 45
#define IEC104_RESERVED_HOURS_IN_DAY_STR "IEC104 APCI I Time2a Hours Reserved field contains a non-default value"
#define IEC104_INVALID_DAY_OF_MONTH 46
#define IEC104_INVALID_DAY_OF_MONTH_STR "IEC104 APCI I Time2a Day of Month set outside of the allowable range"
#define IEC104_INVALID_MONTH 47
#define IEC104_INVALID_MONTH_STR "IEC104 APCI I Time2a Month set outside of the allowable range"
#define IEC104_RESERVED_MONTH 48
#define IEC104_RESERVED_MONTH_STR "IEC104 APCI I Time2a Month Reserved field contains a non-default value"
#define IEC104_INVALID_YEAR 49
#define IEC104_INVALID_YEAR_STR "IEC104 APCI I Time2a Year set outside of the allowable range"
#define IEC104_RESERVED_YEAR 50
#define IEC104_RESERVED_YEAR_STR "IEC104 APCI I Time2a Year Reserved field contains a non-default value"

// APCI I: length of segment, status of file, set point command qualifier
#define IEC104_NULL_LOS_VALUE 51
#define IEC104_NULL_LOS_VALUE_STR "IEC104 APCI I a null Length of Segment value has been detected"
#define IEC104_INVALID_LOS_VALUE 52
#define IEC104_INVALID_LOS_VALUE_STR "IEC104 APCI I an invalid Length of Segment value has been detected"
#define IEC104_RESERVED_SOF 53
#define IEC104_RESERVED_SOF_STR "IEC104 APCI I Status of File set to a reserved value"
#define IEC104_RESERVED_QOS 54
#define IEC104_RESERVED_QOS_STR "IEC104 APCI I Qualifier of Set Point Command ql field set to a reserved value"

#endif
