During research on the S7 industrial protocol for alerting and detection, I found out that Wireshark can decode classic S7comm (on TCP 102) in plain text. When a packet corresponds to a STOP command from the PLC, Wireshark will display it as “Function: PLC Stop (0x29)”, for example, with details in the decoding panel. Similarly, a program block download sequence will appear with the decoded functions 0x1A/0x1B (Request download / Download block). Display filters can be used if Wireshark exposes the fields, for example `s7comm.func == 0x05` to identify all variable writes (however, depending on the version, the field may be presented differently in Wireshark).
Snort provides S7CommPlus-specific options and support.
But as we can see in the dev_notes.txt of the S7commplus service inspector folder in snort3:
"The same inspector will be used for both protocols, although currently only S7commplus is supported"
As previously said in issue 379 of the hub, should we add S7classic support based on port, S7comm protocol, TPKT version, job request and function? Is it easy to do?
As a reminder, here is how S7 is caught by Snort:
```
pkt_data;            # use the packet data buffer for precision
content:"|32 01|";   # S7comm protocol identifier (0x32) followed by ROSCTR Job (0x01)
content:"|xx|";      # function code, different for each action (e.g. 0x29 PLC Stop, 0x05 Write Var)
```
The first byte is always 0x32 as the protocol identifier ([here is why](https://wiki.wireshark.org/S7comm#:~:text=The%20first%20byte%20is%20always%200x32%20as%20protocol%20identifier.)).
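To make the detection criteria in the question concrete (port, TPKT version, S7comm protocol identifier, Job ROSCTR and function code), here is an added Python example that is not part of this issue or of the snort3 project. It dissects a classic S7comm Job PDU carried over TPKT/COTP at exactly the offsets a content match would need, and contrasts that with an unanchored two-byte match. The packet bytes, the `build_job` helper and the function-code table are constructed for the example; the function numbers are the ones the Wireshark dissector shows.

```python
"""Added example (not from the issue or snort3): dissect classic S7comm Job
requests over TPKT/COTP and show why an unanchored byte match is not enough.
All packets below are constructed, not captured."""
import struct

TPKT_LEN = 4          # version(1) reserved(1) length(2)
COTP_DT_LEN = 3       # length indicator(1) pdu type(1) tpdu nr/EOT(1)
S7_HDR_JOB_LEN = 10   # proto id(1) rosctr(1) reserved(2) pdu ref(2) param len(2) data len(2)
S7_PROTOCOL_ID = 0x32
ROSCTR_JOB = 0x01
COTP_DT = 0xF0

# Function codes as named by the Wireshark s7comm dissector
FUNCTIONS = {
    0x04: "Read Var", 0x05: "Write Var",
    0x1A: "Request download", 0x1B: "Download block", 0x1C: "Download ended",
    0x28: "PLC Control", 0x29: "PLC Stop", 0xF0: "Setup communication",
}


def build_job(pdu_ref, parameter, data=b""):
    """Wrap an S7comm Job PDU in a COTP DT TPDU and a TPKT frame (constructed sample)."""
    hdr = struct.pack(">BBHHHH", S7_PROTOCOL_ID, ROSCTR_JOB, 0, pdu_ref, len(parameter), len(data))
    s7 = hdr + parameter + data
    cotp = bytes([COTP_DT_LEN - 1, COTP_DT, 0x80])       # LI=2, DT, last TPDU
    tpkt = struct.pack(">BBH", 3, 0, TPKT_LEN + len(cotp) + len(s7))
    return tpkt + cotp + s7


def dissect_job(payload, dst_port=102):
    """Return (function_code, name) if payload is a classic S7comm Job on TCP/102, else None.
    Each check corresponds to one criterion from the proposal: port, TPKT version,
    protocol id 0x32, ROSCTR Job 0x01, then the function byte at the fixed offset."""
    if dst_port != 102 or len(payload) < TPKT_LEN + COTP_DT_LEN + S7_HDR_JOB_LEN:
        return None
    version, _, tpkt_len = struct.unpack(">BBH", payload[:TPKT_LEN])
    if version != 3 or tpkt_len != len(payload):
        return None
    cotp_li, cotp_type = payload[TPKT_LEN], payload[TPKT_LEN + 1]
    if cotp_type != COTP_DT:
        return None
    s7 = payload[TPKT_LEN + 1 + cotp_li:]
    if len(s7) < S7_HDR_JOB_LEN:
        return None
    proto, rosctr, _, _ref, param_len, data_len = struct.unpack(">BBHHHH", s7[:S7_HDR_JOB_LEN])
    if proto != S7_PROTOCOL_ID or rosctr != ROSCTR_JOB or param_len < 1:
        return None
    if len(s7) != S7_HDR_JOB_LEN + param_len + data_len:
        return None
    func = s7[S7_HDR_JOB_LEN]                              # first parameter byte
    return func, FUNCTIONS.get(func, "unknown")


def classify(payload, dst_port=102):
    """Name of the Job function, or None when the payload is not a classic S7 Job."""
    found = dissect_job(payload, dst_port)
    return found[1] if found else None


def naive_stop_match(payload):
    """What unanchored content:"|32 01|"; content:"|29|"; amounts to: both byte
    strings anywhere in the payload, in any position."""
    return b"\x32\x01" in payload and b"\x29" in payload


# Constructed samples (parameter bodies after the function byte are simplified)
PLC_STOP = build_job(0x0100, bytes([0x29]) + b"\x00" * 5 + bytes([9]) + b"P_PROGRAM")
REQUEST_DOWNLOAD = build_job(0x0200, bytes([0x1A]) + b"\x00" * 7)
# Write Var of one BYTE to DB1 at 0.0 whose value happens to be 0x29
WRITE_VAR_29 = build_job(
    0x0300,
    bytes([0x05, 0x01, 0x12, 0x0A, 0x10, 0x02, 0x00, 0x01, 0x00, 0x01, 0x84, 0x00, 0x00, 0x00]),
    bytes([0x00, 0x04, 0x00, 0x08, 0x29]),
)
NOT_S7 = b"GET /index.html HTTP/1.1\r\nHost: plc\r\n\r\n"   # wrong TPKT version byte

if __name__ == "__main__":
    for name, pkt in [("PLC_STOP", PLC_STOP), ("REQUEST_DOWNLOAD", REQUEST_DOWNLOAD),
                      ("WRITE_VAR_29", WRITE_VAR_29), ("NOT_S7", NOT_S7)]:
        print(f"{name:17} anchored={classify(pkt)!s:18} naive_stop={naive_stop_match(pkt)}")
```

Running it, the Write Var sample is flagged by the unanchored pattern (it carries the Job header bytes and a 0x29 in its data section) but is correctly reported as Write Var by the offset-aware check. In a Snort rule the equivalent is constraining each `content` with `offset`/`depth`: for a Job the function code sits 17 bytes into the TCP payload (4 TPKT + 3 COTP DT + 10 S7comm header bytes).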