编写s7协议的suricata规则-测试(9004193-9004198)
1.测试规则(9004193-9004198)
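"""Send S7comm test PDUs to exercise the Suricata rules SID 9004193-9004198.

Test setup (steps from the original write-up, kept verbatim):
    1. 主机B开启监听102端口: ``nc -lvkp 102 >/dev/null``
    2. 主机A发送请求至主机B的102端口 (this script)
i.e. host B runs a throw-away TCP/102 listener (``-k`` keeps it accepting
across connections) and host A runs this script; Suricata sits on the path
between them and is expected to alert.

Caveats a tester should be aware of:

* Every probe opens a fresh TCP connection and writes ONE S7 PDU. No COTP
  connection request/confirm and no S7 "Setup Communication" exchange is
  performed, so this only exercises rules that match raw ``content`` /
  ``offset`` bytes on the stream. Rules that depend on app-layer state or
  on a completed S7 session will not fire from this harness.
* The payloads are real control-plane PDUs (program upload/download, PLC
  STOP/START, security unlock). Point this only at a lab listener such as
  the ``nc`` above, never at a production controller.
* NOTE(review): the TPKT length field in every payload is 0x1f (31) while
  only 25 bytes are sent. The offset-based matches documented below do not
  care, but any rule or parser that validates the TPKT length would; adjust
  the length byte (or pad the PDU) if that ever becomes a requirement.
* Only positive cases are sent. There is no benign S7 traffic here to check
  the rules for false positives; add that separately before deploying them.
"""

import socket
import time

TARGET_IP = "10.10.10.2"
TARGET_PORT = 102
CONNECT_TIMEOUT = 2  # seconds; governs connect() and every later socket op
HOLD_SECONDS = 0.5  # keep the connection open so Suricata sees the whole flow


def decode_hex_payload(hex_data: str) -> bytes:
    """Convert a space-separated hex string such as ``"03 00 00 1f"`` to bytes.

    Raises:
        ValueError: if *hex_data* is not valid hex once spaces are removed.
    """
    return bytes.fromhex(hex_data.replace(" ", ""))


def send_s7_packet(
    hex_data: str,
    description: str,
    *,
    host: str = TARGET_IP,
    port: int = TARGET_PORT,
    hold: float = HOLD_SECONDS,
) -> bool:
    """Open a TCP connection to ``host:port``, write one PDU and close.

    Args:
        hex_data: the PDU as a space-separated hex string.
        description: free-text label printed before the attempt.
        host: target address (defaults to ``TARGET_IP``).
        port: target port (defaults to ``TARGET_PORT``).
        hold: seconds to keep the connection open after the write.

    Returns:
        True if the PDU was written in full, False on any socket error
        (the error is printed, not raised, so a run continues past an
        unreachable target).

    Raises:
        ValueError: if *hex_data* is malformed. A broken payload table is a
            bug in this script rather than a network condition, so it is
            decoded before the network try-block and allowed to propagate.
    """
    print(f"正在测试: {description}")
    payload = decode_hex_payload(hex_data)
    try:
        # create_connection() completes the three-way handshake. The ``with``
        # block closes the socket on failure too (a bare connect/close pair
        # leaks the descriptor when the write raises).
        with socket.create_connection((host, port), timeout=CONNECT_TIMEOUT) as sock:
            # sendall(), not send(): a partial write would shift the bytes
            # the offset-based rules look for and silently miss the alert.
            sock.sendall(payload)
            # Hold the connection briefly so Suricata finishes processing
            # the flow before the FIN arrives.
            if hold > 0:
                time.sleep(hold)
    except OSError as exc:
        print(f"发送失败: {exc}\n")
        return False
    print(f"成功发送 {len(payload)} 字节数据\n")
    return True


# Byte layout shared by the Job PDUs below (0-based offsets):
#   0-3   TPKT header (03 00 + length)
#   4-6   COTP data TPDU (02 f0 80)
#   7-16  S7 header: protocol id 0x32, ROSCTR, reserved, PDU ref, lengths
#   17    first parameter byte = S7 function code the rule keys on

# SID 9004193 - abnormal upload request; thresholded at 10 hits in 60 s.
# Matches: offset 0 "03 00" | offset 7 "32 01" | offset 17 0x1d.
UPLOAD_PAYLOAD = "03 00 00 1f 02 f0 80 32 01 00 00 00 01 00 02 00 00 1d 00 00 00 00 00 00 00"

# SID 9004194 - request download (offset 17: 0x1a).
REQ_DOWNLOAD_PAYLOAD = "03 00 00 1f 02 f0 80 32 01 00 00 00 01 00 02 00 00 1a 00 00 00 00 00 00 00"

# SID 9004195 - full download / password (offset 17: 0x1c).
FULL_DOWNLOAD_PAYLOAD = "03 00 00 1f 02 f0 80 32 01 00 00 00 01 00 02 00 00 1c 00 00 00 00 00 00 00"

# SID 9004196 - PLC STOP (offset 17: 0x29).
PLC_STOP = "03 00 00 1f 02 f0 80 32 01 00 00 00 01 00 02 00 00 29 00 00 00 00 00 00 00"

# SID 9004197 - PLC START (offset 17: 0x28).
PLC_START = "03 00 00 1f 02 f0 80 32 01 00 00 00 01 00 02 00 00 28 00 00 00 00 00 00 00"

# SID 9004198 - security configuration unlock.
# Matches: offset 7 "32 07" (userdata ROSCTR) | offset 12 "01 12".
SEC_UNLOCK = "03 00 00 1f 02 f0 80 32 07 00 00 00 01 12 00 00 00 00 00 00 00 00 00 00 00"


def main() -> None:
    """Fire the threshold burst, then every single-shot probe once."""
    # SID 9004193 needs 10 hits within 60 s; 12 probes at roughly
    # HOLD_SECONDS + 0.1 s each finish in a few seconds, well inside the window.
    print("正在模拟高频上传请求以触发阈值规则 (SID: 9004193)...")
    for i in range(12):
        send_s7_packet(UPLOAD_PAYLOAD, f"Upload Request {i+1}/12")
        time.sleep(0.1)

    # Single-shot rules, one PDU each.
    send_s7_packet(REQ_DOWNLOAD_PAYLOAD, "9004194 - request download")
    send_s7_packet(FULL_DOWNLOAD_PAYLOAD, "9004195 - start download")
    send_s7_packet(PLC_STOP, "9004196 - PLC STOP Command")
    send_s7_packet(PLC_START, "9004197 - PLC START Command")
    send_s7_packet(SEC_UNLOCK, "9004198 - Security Unlock")


if __name__ == "__main__":
    main()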
