
"best guess" for identifying potential ICS/OT protocols #49

Closed
mmguero opened this issue Jul 8, 2021 · 1 comment
Labels: enhancement (New feature or request), ics (Relating to ICS (Industrial Control Systems) devices), zeek (Relating to Malcolm's use of Zeek)

Comments

@mmguero (Collaborator)

mmguero commented Jul 8, 2021

This outlines the new "best guess" feature for identifying potential ICS protocols.

There are many, many ICS (industrial control systems)/OT protocols and Malcolm parses a handful of them. A lot of them, particularly the more obscure or proprietary ones, are unlikely to ever be supported with a full parser. But it would be nice to identify more of them even without a full parser.

This feature involves a mapping/lookup file (in the Malcolm source under zeek/config/guess_ics_map.txt) and a zeek script (zeek/config/guess.zeek) that hooks on Zeek's connection close event and looks up the protocol (e.g., tcp or udp) and destination port and/or source port to make a "best guess" at whether a connection belongs to one of those protocols based on those values alone. Of course, this could mean a much higher false positive rate than usual, so these logs (which get written into bestguess.log) are only shown in their own dashboard (Best Guess under the ICS section of the dashboards navigation pane) with a disclaimer that they might have false positives. Values such as IP addresses, ports, or UID can be used to pivot to other dashboards to investigate further.

These are categorized by vendor, where possible.

As it's not likely that all users of Malcolm will want this enabled, the environment variable ZEEK_DISABLE_BEST_GUESS_ICS in docker-compose.yml is set to true by default, meaning the bestguess.log file won't be written. Clearing this value out (setting it to empty, '') will enable it.

@mmguero added the enhancement, ics and zeek labels Jul 8, 2021
@mmguero mmguero self-assigned this Jul 8, 2021
@mmguero (Collaborator, Author)

mmguero commented Jul 9, 2021

Will be released in 3.1.1

@mmguero mmguero closed this as completed Jul 9, 2021
mmguero added a commit to cisagov/Malcolm that referenced this issue Jul 9, 2021
v3.1.1 development

* New features
  * ["Best Guess" Fingerprinting for ICS Protocols](idaholab#49) - In an effort to help identify more ICS traffic, Malcolm can use a "best guess" method based on transport protocol (e.g., TCP or UDP) and port(s) to categorize potential traffic communicating over some ICS protocols without full parser support. This feature involves a [mapping table](https://github.com/idaholab/Malcolm/blob/master/zeek/config/guess_ics_map.txt) and a [Zeek script](https://github.com/idaholab/Malcolm/blob/master/zeek/config/guess.zeek) to look up the transport protocol and destination and/or source port to make a best guess at whether a connection belongs to one of those protocols. These potential ICS communications are categorized by vendor where possible. The list of ICS protocols' ports was adapted from various public sources, including, but not limited to, [Grassmarlin](https://github.com/nsacyber/GRASSMARLIN/tree/master/GM3/data/fingerprint)'s fingerprints and [ITI/ICS-Security-Tools](https://github.com/ITI/ICS-Security-Tools/blob/master/protocols/PORTS.md)' list of Control Systems Ports.

* Improvements and bug fixes
  * Allow configuring the number of concurrent requests for ClamAV scanning, Yara and Capa via environment variables (`CLAMD_MAX_REQUESTS`, `YARA_MAX_REQUESTS` and `CAPA_MAX_REQUESTS`)
  * Zeek plugins to detect [CVE-2021-31166](https://github.com/corelight/CVE-2021-31166) and [pingback](https://github.com/corelight/pingback) vulnerabilities
  * Move creation of custom fields and views to [Arkime's config.ini](https://arkime.com/settings#custom-fields)
  * LDAP bind credentials world readable in docker (idaholab#47 and #171)
  * Deny access to uploaded files (#170)

* Version bumps
  * Yara to 4.1.1
  * Zeek to 4.0.3
  * Spicy to 1.1.0
  * Alpine to 3.14
  * NGINX to 1.20.1
  * Linux kernel to 5.10 (for ISO installs)
  * urllib3 to 1.26.5 (#169)
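The port-only lookup described in the opening comment and summarised in the first bullet of the commit message above, as an added example. This is not Malcolm's guess.zeek or guess_ics_map.txt: the tab-separated map format, the rows in it, the Conn/BestGuess field names, the `matched_on` hint and every sample connection are constructed here for illustration. It goes slightly beyond the text by recording which side of the connection matched, so a hit on the originator's port (the weaker, more false-positive-prone case) can be told apart from a hit on the responder's service port.

```python
"""Port-based "best guess" ICS tagging over Zeek-style conn records.

Added example: NOT Malcolm's guess.zeek or guess_ics_map.txt. The map format,
its entries, the record field names and all sample connections are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed mapping table: proto, port -> vendor, protocol. Malcolm's real
# table is larger and has its own format; these rows use well-known ports only.
MAP_FILE_TEXT = """\
# proto\tport\tvendor\tprotocol
tcp\t502\t\tModbus/TCP
tcp\t102\tSiemens\tS7comm (ISO-TSAP)
tcp\t20000\t\tDNP3
udp\t20000\t\tDNP3
tcp\t44818\tODVA\tEtherNet/IP (explicit messaging)
udp\t2222\tODVA\tEtherNet/IP (implicit I/O)
udp\t47808\t\tBACnet/IP
"""


@dataclass(frozen=True)
class Guess:
    vendor: str
    protocol: str


@dataclass(frozen=True)
class Conn:
    """The subset of a Zeek conn record that the lookup needs."""
    uid: str
    proto: str
    orig_h: str
    orig_p: int
    resp_h: str
    resp_p: int


@dataclass(frozen=True)
class BestGuess:
    uid: str
    vendor: str
    protocol: str
    matched_on: str  # "resp_p" (service side) or "orig_p" (client side, weaker)


def load_map(text: str) -> Dict[Tuple[str, int], Guess]:
    """Parse the constructed map format; blank lines and '#' comments are skipped."""
    table: Dict[Tuple[str, int], Guess] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        proto, port, vendor, protocol = line.split("\t")
        table[(proto.lower(), int(port))] = Guess(vendor, protocol)
    return table


def best_guess(conn: Conn, table: Dict[Tuple[str, int], Guess]) -> Optional[BestGuess]:
    """Guess from transport protocol and ports alone, as the feature does.

    The responder port is tried first: in a normal client/server exchange that
    is the service port. A hit on the originator port only is flagged with
    matched_on="orig_p" so an analyst can treat it as the weaker match it is.
    """
    proto = conn.proto.lower()
    if proto not in ("tcp", "udp"):
        return None  # the table is keyed on TCP/UDP ports only
    for side, port in (("resp_p", conn.resp_p), ("orig_p", conn.orig_p)):
        hit = table.get((proto, port))
        if hit is not None:
            return BestGuess(conn.uid, hit.vendor, hit.protocol, side)
    return None


def tag_connections(conns: Iterable[Conn], table: Dict[Tuple[str, int], Guess]) -> List[BestGuess]:
    """Apply best_guess to every connection and keep only the hits."""
    return [g for g in (best_guess(c, table) for c in conns) if g is not None]


def best_guess_enabled(environ: Dict[str, str]) -> bool:
    """Mirror the documented switch: ZEEK_DISABLE_BEST_GUESS_ICS is 'true' by
    default (feature off); clearing it to the empty string turns it on.
    Assumption (not stated on the page): an unset variable acts like the default."""
    return environ.get("ZEEK_DISABLE_BEST_GUESS_ICS", "true") == ""


# Constructed sample connections (uids and addresses are made up).
SAMPLE_CONNS = [
    Conn("CuAAA1", "tcp", "192.168.10.5", 49152, "192.168.10.20", 502),   # Modbus client -> PLC
    Conn("CuAAA2", "udp", "10.0.0.7", 47808, "10.0.0.255", 47808),        # BACnet broadcast
    Conn("CuAAA3", "tcp", "192.168.10.5", 502, "203.0.113.9", 443),       # HTTPS from source port 502: orig_p-only hit
    Conn("CuAAA4", "tcp", "192.168.10.5", 50000, "192.168.10.21", 102),   # S7comm to a Siemens PLC
    Conn("CuAAA5", "icmp", "192.168.10.5", 8, "192.168.10.21", 0),        # not TCP/UDP, never tagged
    Conn("CuAAA6", "tcp", "192.168.10.5", 50001, "192.168.10.22", 8080),  # no port in the table
]

if __name__ == "__main__":
    table = load_map(MAP_FILE_TEXT)
    for g in tag_connections(SAMPLE_CONNS, table):
        print(f"{g.uid}\t{g.vendor or '-'}\t{g.protocol}\tmatched_on={g.matched_on}")
```

The third sample connection is the false-positive case the comment warns about: nothing about it is Modbus, but its source port happens to be 502, so a port-only rule tags it. Keeping the `matched_on` side in the record is what lets the dashboard consumer discount such hits and pivot on the UID to the full conn record before drawing conclusions.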
mmguero added a commit that referenced this issue Jul 9, 2021
Merge remote-tracking branch 'cisa/master'
mmguero added a commit to mmguero-dev/Malcolm that referenced this issue Jul 9, 2021
v3.1.1 development