
Using SNORT for intrusion detection in MODBUS TCP/IP communications

Regular IP traffic analysis has been well studied from an intrusion detection point of view in the field of information security. Nevertheless, the convergence of conventional IT (networks and services) and industrial communication technologies is creating new environments with purpose-built networks and new security requirements. In this scenario, MODBUS TCP/IP has emerged as a 'de facto' communication standard. For those networks there are commercial products that can analyze traffic, detect intrusions and even take actions. However, most of them have their own hardware and software platforms and are not always as transparent and flexible as could be expected. Additionally, their cost can even make them not suitable for all deployments. This paper proposes a method to approach the problem in a cost-effective manner, based on the use of well-known open source tools and a methodology to develop the rules to detect intrusions. As a result, the IT resources of an organization (employees, hardware and software) can also take care of the company's industrial network security without high additional cost in equipment or training time.

33844 (PDF, 3.35MB)

19 Dec 2011
By Javier Jimenez Diaz
All papers are copyrighted

No re-posting of papers is permitted
