Snort rules to check protocol 104

Guest post from the ICS cyber security blog:
Snort rules to check protocol 104

27 February 2021 – icscybersec

Protocol 104 (more formally known as IEC 60870-5-104) is a communication protocol used primarily in the European power system domain, and Snort is the basis for most traditional network or host IDS/IPS solutions. I recently found a very good publication in the SANS Reading Room. Its author, Adrian Aron, not only provides a complete analysis of the 104 protocol, but also uses five example Snort rules to show how power system security professionals can create IDS rules tailored to the specific needs of their own environment and systems, thereby improving the effectiveness of network traffic inspection.

The publication can be found in the SANS Reading Room.


The original guest post was published on the ICS cyber security blog.

Translated by DeepL.