conpot
OPC UA protocol
OPC UA seems interesting as it allows file transfer: http://en.wikipedia.org/wiki/OPC_Unified_Architecture
http://opycua.sourceforge.net/tutorial/hello.html http://sourceforge.net/p/opycua/code/ci/default/tree/
From what I understand, to implement OPC UA we need to:
- Create a OPC UA server in python.
- Start it along with the http, snmp, modbus and s7 servers and add it to gevent.
- Log all incoming connections (Just the IP or the data too?)
Am I missing anything? I'm thinking of creating a separate directory for it like the other protocols.
- Implement unit tests ... this is what I try to get away without - but Lukas is a man with eagle eyes :P
- extend the manual with necessary configuration directives you added to the configuration XML
Of course you're right - creating a separate directory for it is the way to go. For the logging - you just pass the information as requested by the logging module - so all the fields requested by the logging function.
I'm really curious about the OPC UA server :) great having you on board :)
Cool! I'll get started then. So just logging the IP of the attacker would do right? I'm interested too! And it's great to be involved in this great project!
This is how logging is handled in the HTTP module:
```python
def log(self, version, request_type, addr, request, response=None):
    # One entry per request: who, when, which service, and what was asked.
    log_dict = {'remote': addr,
                'timestamp': datetime.utcnow(),
                'data_type': 'http',
                'data': {0: {'request': '{0} {1}: {2}'.format(version, request_type, request)}}}
    if response:
        # Attach what we sent back so the entry shows both sides of the exchange.
        logger.info('{0} response to {1}: {2}'.format(version, addr, response))
        log_dict['data'][0]['response'] = '{0} response: {1}'.format(version, response)
    # Hand the entry to the server's log queue; the logging backend drains it.
    self.server.log_queue.put(log_dict)
```
For each request, the remote address, timestamp, service type and the request itself are collected; if we send a response to the remote address, we attach the response (in this case the response code) too.
As OPC is used for file transfer, one of the goals would be storing any files to a separate directory and creating an md5 entry in the data section of the log entry so we are able to link it back to the attacker.
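As an added illustration of the file-storage idea above (not conpot's own code, and the OPC UA transfer API is assumed rather than taken from any library): a helper that stores a received file under its digest, records the md5 in the same `log_dict` shape the HTTP module uses, and queues the entry. Storing by digest rather than by the client-supplied name also keeps a crafted name from writing outside the storage directory.

```python
import hashlib
import os
import queue
import tempfile
from datetime import datetime


def store_and_log(log_queue, addr, filename, payload, storage_dir):
    """Store an attacker-supplied file and queue a conpot-style log entry.

    The file is saved under its md5 digest, not the name the client sent,
    so a name containing '../' cannot escape storage_dir. Returns the dict
    that was put on the queue so callers (and tests) can inspect it.
    """
    md5 = hashlib.md5(payload).hexdigest()
    # md5 is what the thread asks for; a sha256 is kept alongside because
    # md5 collisions are cheap to produce and would confuse attribution.
    sha256 = hashlib.sha256(payload).hexdigest()
    os.makedirs(storage_dir, exist_ok=True)
    stored_path = os.path.join(storage_dir, md5)
    if not os.path.exists(stored_path):  # identical content already on disk
        with open(stored_path, 'wb') as f:
            f.write(payload)
    log_dict = {
        'remote': addr,
        'timestamp': datetime.utcnow(),
        'data_type': 'opcua',
        'data': {0: {
            'request': 'file transfer: {0} ({1} bytes)'.format(filename, len(payload)),
            'md5': md5,
            'sha256': sha256,
            'stored_as': stored_path,
        }},
    }
    log_queue.put(log_dict)
    return log_dict


def demo():
    """Constructed scenario: a client sends a traversal-style name and a small payload."""
    q = queue.Queue()  # stands in for server.log_queue
    entry = store_and_log(q, ('203.0.113.7', 49152), '../../etc/passwd',
                          b'hello world', tempfile.mkdtemp())
    return entry, q.qsize()


if __name__ == '__main__':
    entry, queued = demo()
    print(entry['data'][0]['md5'], entry['data'][0]['stored_as'], queued)
```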
This seems interesting: http://www.f-secure.com/weblog/archives/00002718.html This sample looks for OPC devices.
This seems to be a good starting point: http://openopc.sourceforge.net/api.html
OPC simulator: http://www.gray-box.net/download_graysim.php