Integrating Threat Detection with ACID framework and MMS Parser #691
rayhan028 started this conversation in General Discussions
Replies: 0 comments
Hello, greetings. I am currently working with the ACID framework of Zeek, which leverages the parsing capabilities of the ICSNPP parser. However, my target protocol dissector is the IEC 61850 MMS parser. Now, this part is a bit tricky, which is why I am looking for some suggestions. So, after installing both ACID and MMS in my local Zeek instance, what I did was modify the four core ACID scripts to enable MITRE ATT&CK techniques and specific logging alerts for MMS. Secondly, I modified the mDOTS_config_change file and included the protocol and the indicators there. I have also tried to create a sample detection script which can at least give some possible alerts. Now the issue is that the alert/notice.log is not being generated, and I am pretty sure the problem is how I am setting up the indicators and then trying to match them against the incoming traffic and the detection rules defined in my script. I have attached all the files I have been working on in txt format, along with the detection script. The problem is: it is not generating any kind of notice/alert, even though a few of the pcap files contain at least some of the targeted traffic:
ACID_ics_report.txt
ACID_input.txt
mDOTS_config_change.txt
ACID_ics_consts.txt
ACID_ics_options.txt
ACID_mms_detect.txt
I would love to get some ideas on how to proceed, or what I might be doing wrong. Thank you for your time.
https://github.com/tbfhg/zeek-iec61850-mms is the GitHub repository of the MMS parser which I am trying to utilize.