CN111277617A - Method for monitoring Siemens S7-PLC uploading and downloading program block - Google Patents


Info

Publication number
CN111277617A
Authority
CN
China
Prior art keywords
data packet
executing
plc
siemens
s7comm
Prior art date
Legal status
Pending
Application number
CN201811477105.0A
Other languages
Chinese (zh)
Inventor
梁效宁
黄旭
向科林
杨先珉
Current Assignee
Shaanxi Cisco Rudi Network Security Technology Co Ltd
Original Assignee
Shaanxi Cisco Rudi Network Security Technology Co Ltd
Priority date
2018-12-05
Filing date
2018-12-05
Publication date
2020-06-12
Application filed by Shaanxi Cisco Rudi Network Security Technology Co Ltd
Priority to CN201811477105.0A
Publication of CN111277617A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/06 Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2101/00 Indexing scheme associated with group H04L61/00
    • H04L2101/60 Types of network addresses
    • H04L2101/618 Details of network addresses
    • H04L2101/622 Layer-2 addresses, e.g. medium access control [MAC] addresses

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method for monitoring Siemens S7-PLC uploading and downloading of program blocks, characterized by comprising the following steps:
S001: set the switch to bypass mirroring working mode and mirror all PLC communication traffic of the Siemens S7-PLC;
S002: analyze the mirrored PLC communication traffic and judge whether the application-layer protocol of a data packet in the traffic is the S7comm protocol; if so, execute step S003, otherwise execute step S002;
S003: judge whether the remote operation service control field value in the header part of the S7comm data packet is a designated value; if so, execute step S004, otherwise execute step S002;
S004: judge whether the function field value in the parameter part of the S7comm data packet is a designated value; if so, execute step S005, otherwise execute step S002;
S005: record the source IP address, source MAC address, source port number, target IP address, target MAC address and target port number of the current data packet.

Description

Method for monitoring Siemens S7-PLC uploading and downloading program block
Technical Field
The invention belongs to the field of industrial control network security and relates to monitoring of Siemens S7-PLCs, in particular to a method for monitoring the uploading and downloading of Siemens S7-PLC program blocks.
Background
With the continuing convergence of Industry 4.0, Made in China 2025, Internet Plus, the Internet of Things and the integration of informatization and industrialization, more and more information technologies are applied in the field of industrial control. The openness of industrial control systems keeps increasing, and while this greatly promotes industrial production it also brings security problems such as Trojans, viruses and network attacks. These have become important factors restricting the development of informatization and industrialization, and traditional protective measures based mainly on physical isolation are far from meeting the requirements of industrial informatization. At present, industrial control systems generally have some serious security problems, mainly the following:
First, various security vulnerabilities cannot be patched in time, and serious potential security hazards exist in the system
Existing industrial control systems generally have security vulnerabilities at the equipment, system and protocol layers. Because of the particular operating regime of industrial control systems, system software is difficult to upgrade in real time, vulnerabilities are difficult to patch in time, the service life of equipment is long, the compatibility of system patches is poor and their release cycle is long, so industrial control systems carry serious potential security hazards.
Second, industrial networks and bus communication lack security mechanisms and are easy to attack and exploit
Industrial control systems are designed for real-time performance and reliability and pursue efficiency and speed; they lack security measures such as identity authentication, rule checking, encrypted transmission and integrity checking, and are therefore extremely easy to attack. Industrial control field buses transmit largely in cleartext, which is easy to decode and forge.
Third, the Internet and industrial control systems are integrated, and the security threat to industrial control systems is comprehensively escalated
Deep networking and multi-level interconnection increase the potential attack paths in the industrial environment, the introduction of traditional IT products brings more security vulnerabilities, the security theory and protection systems for emerging information technology in the industrial control field are not mature, and protective means are insufficient, so that the industrial control network is easily breached in the face of a network attack.
Fourth, security products from the traditional information security field are not compatible with industrial control networks
Because traditional information network security products serve a wide range of application scenarios, they can only detect signatures and dangerous behaviours on the basis of a blacklist, and a large number of the signatures, behaviours and protocols of traditional information security do not exist in an industrial control environment. Moreover, blacklist-based security detection needs long-term, mature technical accumulation and a large amount of sample analysis in the industrial control security industry before it can reach a certain detection effectiveness. In an industrial control environment the number of communicating devices is relatively small, the communication protocols are relatively uniform and the communication services are relatively fixed, so whitelist-based security detection is proposed.
Programmable controllers produced by SIEMENS of Germany are widely used in China, in fields such as metallurgy, chemical engineering and printing production lines. Siemens PLC products include LOGO, S7-200, S7-1200, S7-300, S7-400 and others. The Siemens S7 series PLCs are small, fast, standardized, network-capable, powerful and highly reliable. The S7 series can be divided into micro PLCs (such as S7-200), PLCs for small-scale performance requirements (such as S7-300), PLCs for medium and high performance requirements (such as S7-400), and so on. However, Siemens S7-PLCs also face the problems described above, and in particular there is no method in the prior art for monitoring the uploading and downloading of Siemens S7-PLC program blocks.
Disclosure of Invention
The invention provides a method for monitoring Siemens S7-PLC uploading and downloading of program blocks, which remedies the deficiency of the prior art: by analyzing the communication data of the Siemens S7-PLC controller it judges whether uploading or downloading behaviour exists and records key information such as source IP address, source MAC address, source port number, target IP address, target MAC address and target port number for subsequent analysis and use. It comprises the following steps:
S001: set the switch to bypass mirroring working mode and mirror all PLC communication traffic of the Siemens S7-PLC;
S002: analyze the mirrored PLC communication traffic and judge whether the application-layer protocol of a data packet in the traffic is the S7comm protocol; if so, execute step S003, otherwise execute step S002;
S003: judge whether the remote operation service control field value in the header part of the S7comm data packet is a designated value; if so, execute step S004, otherwise execute step S002;
S004: judge whether the function field value in the parameter part of the S7comm data packet is a designated value; if so, execute step S005, otherwise execute step S002;
S005: record the source IP address, source MAC address, source port number, target IP address, target MAC address and target port number of the current data packet for subsequent analysis.
Preferably, step S002 comprises the following steps:
S0021: search whether the data packet contains the request connection identifier 0x11e00000000100c0010ac1020100c202; if so, execute step S0022, otherwise execute step S0021, where 0xe0 indicates a request to establish the PLC communication connection;
S0022: search whether the data packet following the request connection identifier 0x11e00000000100c0010ac1020100c202 contains the confirmation connection identifier 0x11d00001000100c0010ac1020100c202; if so, execute step S003, otherwise execute step S0021, where 0xd0 indicates connection confirmation.
Preferably, the specified value in step S003 is 0x1.
Preferably, in step S003, the content of the 2nd byte of the header part of the S7comm packet is the remote operation service control field value.
Preferably, in step S004, the specified value is start upload or start download, where start upload is represented by 0x1d and start download by 0x1e.
Preferably, in step S004, the content of the 11th byte of the parameter part of the S7comm packet is the function field value.
Preferably, bytes 1 to 6 of the current data packet are the destination MAC address, bytes 7 to 12 the source MAC address, bytes 27 to 30 the source IP address, bytes 31 to 34 the destination IP address, bytes 35 to 36 the source port number and bytes 37 to 38 the destination port number.
The invention has the following beneficial effects:
1. The method accesses the industrial control network through the switch bypass mirror mode to acquire communication data; it receives data passively and does not affect the function or performance of the production enterprise's industrial control system.
2. Whether the behaviour of uploading or downloading a program block exists is identified by analyzing Siemens PLC network data packets, improving the security of the industrial control network.
Drawings
FIG. 1 is a flow chart of the present invention.
Detailed Description
The invention is further illustrated with reference to the figures and an embodiment. As shown in FIG. 1, the method of the invention comprises the following steps:
S001: set the switch to bypass mirror working mode and mirror all PLC communication traffic of the Siemens S7-PLC;
S002: analyze the mirrored PLC communication traffic and judge whether the application-layer protocol of a data packet in the traffic is the S7comm protocol; if so, execute step S003, otherwise execute step S002. Step S002 specifically comprises:
S0021: search whether the data packet contains the request connection identifier 0x11e00000000100c0010ac1020100c202; if so, execute step S0022, otherwise execute step S0021, where 0xe0 indicates a request to establish the PLC communication connection;
S0022: search whether the data packet following the request connection identifier 0x11e00000000100c0010ac1020100c202 contains the confirmation connection identifier 0x11d00001000100c0010ac1020100c202; if so, execute step S003, otherwise execute step S0021, where 0xd0 indicates connection confirmation.
S003: judge whether the value of the remote operation service control (ROSCTR) field of the Header of the S7comm data packet is the specified value 0x1 (i.e. Job); if so, execute step S004, otherwise execute step S002. The content of the 2nd byte of the Header of the S7comm packet is the ROSCTR field value. The following is the Header data of the S7comm packet in the embodiment of the invention:
320100000188005600000407120a10060001000184000d70120a10010001000184000c82120a10010001000184000c86120a10010001000184000c88120a10010001000184000c89120a10060001000184000d90120a10060001000184000db0
In this data the 2nd byte of the S7comm Header, 0x01, is the ROSCTR field value.
S004: judge whether the Function field value of the Parameter part of the S7comm data packet is the specified value 0x1d or 0x1e; if so, execute step S005, otherwise execute step S002. Here 0x1d represents Start Upload and 0x1e represents Start Download. The content of the 11th byte of the Parameter part of the S7comm packet is the Function field value, and the following is the Parameter data of the S7comm packet in the embodiment of the invention:
320100001800001200001d00000000000000095f3041303030303141
In this data the 11th byte, 0x1d, indicates Start Upload; similarly, if the content of the 11th byte is 0x1e, it indicates Start Download.
S005: record the source IP address, source MAC address, source port number, target IP address, target MAC address and target port number of the current data packet for subsequent analysis. The following is the data of the current data packet in the embodiment of the invention:
e0dca03a331ce0dca040519708004500008f1dd740004006993ac0a80104c0a80103da250066f30ecbc5000874585018390840d000000300006702f080320100000188005600000407120a10060001000184000d70120a10010001000184000c82120a10010001000184000c86120a10010001000184000c88120a10010001000184000c89120a10060001000184000d90120a10060001000184000db0
In this data, bytes 1 to 6 of the current packet are the target MAC address 0xe0dca03a331c, i.e. e0-dc-a0-3a-33-1c, and bytes 7 to 12 are the source MAC address 0xe0dca0405197, i.e. e0-dc-a0-40-51-97.
Bytes 27 to 30 are the source IP address 0xc0a80104, i.e. 192.168.1.4; bytes 31 to 34 are the target IP address 0xc0a80103, i.e. 192.168.1.3; bytes 35 to 36 are the source port number 0xda25, i.e. 55845; and bytes 37 to 38 are the target port number 0x0066, i.e. 102.
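As an added example that is not part of the patent, the following Python implements steps S003 to S005 over a raw Ethernet frame, using the patent's own packet dump and Start Upload PDU as sample input. The frame builder, the stale checksums and the handling of 802.1Q tags and IP options are assumptions of this example, not part of the patent's fixed-offset method.

```python
"""S7comm Start Upload / Start Download detector over raw Ethernet frames
(added example following steps S003-S005 of the patent; not the patent's code)."""
import struct
from typing import Optional

ROSCTR_JOB = 0x01                                    # S7comm header byte 2: Job (request)
FUNCTIONS = {0x1D: "Start Upload", 0x1E: "Start Download"}   # Parameter function codes
COTP_CR, COTP_CC, COTP_DT = 0xE0, 0xD0, 0xF0         # COTP PDU types seen in S7comm sessions


def cotp_pdu_type(tcp_payload: bytes) -> Optional[int]:
    """Step S002 helper: after the 4-byte TPKT header, the COTP PDU type is the
    second COTP byte (0xe0 connection request, 0xd0 connection confirm, 0xf0 data)."""
    if len(tcp_payload) < 6 or tcp_payload[0] != 0x03:
        return None
    return tcp_payload[5]


def inspect_frame(frame: bytes) -> Optional[dict]:
    """Return the step-S005 record when the frame carries an S7comm Job whose
    function is Start Upload or Start Download; otherwise return None."""
    if len(frame) < 14:
        return None
    dst_mac, src_mac = frame[0:6], frame[6:12]       # the patent's bytes 1-6 and 7-12
    ethertype = struct.unpack("!H", frame[12:14])[0]
    l3 = 14
    if ethertype == 0x8100:                          # 802.1Q tag shifts every later offset
        ethertype = struct.unpack("!H", frame[16:18])[0]
        l3 = 18
    if ethertype != 0x0800:
        return None
    ip = frame[l3:]
    if len(ip) < 20 or ip[0] >> 4 != 4 or ip[9] != 6:   # IPv4 carrying TCP
        return None
    ihl = (ip[0] & 0x0F) * 4                         # the patent's bytes 27-38 assume ihl == 20
    src_ip, dst_ip = ip[12:16], ip[16:20]
    tcp = ip[ihl:]
    if len(tcp) < 20:
        return None
    src_port, dst_port = struct.unpack("!HH", tcp[0:4])
    payload = tcp[(tcp[12] >> 4) * 4:]
    if cotp_pdu_type(payload) != COTP_DT:            # only COTP data PDUs carry S7comm
        return None
    tpkt_len = struct.unpack("!H", payload[2:4])[0]
    s7 = payload[7:tpkt_len]                         # TPKT (4) + COTP DT (3) precede S7comm
    if len(s7) < 11 or s7[0] != 0x32 or s7[1] != ROSCTR_JOB:   # step S003: ROSCTR == Job
        return None
    function = s7[10]                                # step S004: 11th byte = first Parameter byte
    if function not in FUNCTIONS:
        return None
    return {                                         # step S005
        "function": FUNCTIONS[function],
        "src_mac": "-".join(f"{b:02x}" for b in src_mac),
        "dst_mac": "-".join(f"{b:02x}" for b in dst_mac),
        "src_ip": ".".join(map(str, src_ip)),
        "dst_ip": ".".join(map(str, dst_ip)),
        "src_port": src_port,
        "dst_port": dst_port,
    }


# The full packet dump printed in the patent's step S005 (its S7comm PDU is a
# Read Var job, function 0x04, so the detector must not report it).
PATENT_FRAME = bytes.fromhex(
    "e0dca03a331ce0dca040519708004500008f1dd740004006993ac0a80104c0a80103"
    "da250066f30ecbc5000874585018390840d00000"
    "0300006702f080"
    "320100000188005600000407120a10060001000184000d70120a10010001000184000c82"
    "120a10010001000184000c86120a10010001000184000c88120a10010001000184000c89"
    "120a10060001000184000d90120a10060001000184000db0")
# The Start Upload PDU printed in the patent's step S004.
START_UPLOAD_PDU = bytes.fromhex(
    "320100001800001200001d00000000000000095f3041303030303141")


def build_frame(s7_pdu: bytes) -> bytes:
    """Constructed test frame (assumption, not from the patent): the patent's
    Ethernet/IP/TCP headers wrapped around the given S7comm PDU. IP and TCP
    checksums are left stale; inspect_frame() does not verify them."""
    tpkt = struct.pack("!BBH", 3, 0, 4 + 3 + len(s7_pdu)) + b"\x02\xf0\x80"
    ip_total_len = 20 + 20 + len(tpkt) + len(s7_pdu)
    ip_hdr = PATENT_FRAME[14:16] + struct.pack("!H", ip_total_len) + PATENT_FRAME[18:34]
    return PATENT_FRAME[:14] + ip_hdr + PATENT_FRAME[34:54] + tpkt + s7_pdu


if __name__ == "__main__":
    print("patent dump        ->", inspect_frame(PATENT_FRAME))
    print("constructed upload ->", inspect_frame(build_frame(START_UPLOAD_PDU)))
```

Because the detector walks the Ethernet, IP and TCP headers instead of reading fixed offsets, it still finds the addresses when an 802.1Q tag or IP options shift the patent's bytes 27 to 38, and it correctly stays silent on the page's own dump, whose job is a Read Var (function 0x04) rather than an upload or download.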
The method solves the technical problem that no method for monitoring the uploading and downloading of the Siemens S7-PLC program blocks exists in the prior art.
It is to be understood that the invention is not limited to the examples described above, but that modifications and variations are possible to those skilled in the art in light of the above teachings, and that all such modifications and variations are intended to be included within the scope of the invention as defined in the appended claims.

Claims (7)

1. A method for monitoring Siemens S7-PLC uploading and downloading of program blocks, characterized by comprising the following steps:
S001: setting the switch to bypass mirroring working mode and mirroring all PLC communication traffic of the Siemens S7-PLC;
S002: analyzing the mirrored PLC communication traffic and judging whether the application-layer protocol of a data packet in the traffic is the S7comm protocol; if so, executing step S003, otherwise executing step S002;
S003: judging whether the remote operation service control field value in the header part of the S7comm data packet is a designated value; if so, executing step S004, otherwise executing step S002;
S004: judging whether the function field value in the parameter part of the S7comm data packet is a designated value; if so, executing step S005, otherwise executing step S002;
S005: recording the source IP address, source MAC address, source port number, target IP address, target MAC address and target port number of the current data packet for subsequent analysis.
2. The method for monitoring Siemens S7-PLC uploading and downloading of program blocks as set forth in claim 1, wherein step S002 specifically comprises:
S0021: searching whether the data packet contains the request connection identifier 0x11e00000000100c0010ac1020100c202; if so, executing step S0022, otherwise executing step S0021, wherein 0xe0 indicates a request to establish the PLC communication connection;
S0022: searching whether the data packet following the request connection identifier 0x11e00000000100c0010ac1020100c202 contains the confirmation connection identifier 0x11d00001000100c0010ac1020100c202; if so, executing step S003, otherwise executing step S0021, wherein 0xd0 indicates connection confirmation.
3. The method for monitoring Siemens S7-PLC uploading and downloading of program blocks as set forth in claim 1, wherein said specified value in said step S003 is 0x1.
4. The method for monitoring Siemens S7-PLC uploading and downloading of program blocks as set forth in claim 1, wherein in said step S003 the content of the 2nd byte of the header part of said S7comm data packet is said remote operation service control field value.
5. The method for monitoring Siemens S7-PLC uploading and downloading of program blocks according to claim 1, wherein in step S004 said designated value is start upload or start download, wherein start upload is represented by 0x1d and start download by 0x1e.
6. The method for monitoring Siemens S7-PLC uploading and downloading of program blocks as set forth in claim 1, wherein in said step S004 the content of the 11th byte of the parameter part of said S7comm data packet is said function field value.
7. The method of claim 1, wherein bytes 1-6 of the current data packet are the destination MAC address, bytes 7-12 the source MAC address, bytes 27-30 the source IP address, bytes 31-34 the destination IP address, bytes 35-36 the source port number, and bytes 37-38 the destination port number.
CN201811477105.0A 2018-12-05 2018-12-05 Method for monitoring Siemens S7-PLC uploading and downloading program block Pending CN111277617A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811477105.0A CN111277617A (en) 2018-12-05 2018-12-05 Method for monitoring Siemens S7-PLC uploading and downloading program block

Publications (1)

Publication Number Publication Date
CN111277617A true CN111277617A (en) 2020-06-12

Family

ID=71001420

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20200612