Added Snort rules and pcap samples for Industroyer2

Author: eset-research

industroyer2/Industroyer2_Sample1.pcap

@@ -0,0 +1,49 @@
+= Industroyer2 Playground
+
+These PCAPs contain captured network traffic produced by
+https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/[
+**Industroyer2**] malware.
+
+ - link:Industroyer2_Sample1.pcap[`Industroyer2_Sample1.pcap`]
+ - link:Industroyer2_Sample2.pcap[`Industroyer2_Sample2.pcap`]
+
+IP addresses are intentionally redacted by ESET Research.
+
+== Snort rules
+
+Snort rules that alert on IEC-104 traffic that contains single (`C_SC_NA_1`) or
+double (`C_DC_NA_1`) commands using specific Information Object Addresses (IOAs).
+
+You must *identify important IOAs* in equipment in your network and *edit rules
+accordingly*.
+
+These examples contain single command using IOAs
+
+ - 160924 (`\x9C\x74\x02`),
+ - 160925 (`\x9D\x74\x02`) and
+ - 160926 (`\x9E\x74\x02`)
+
+and double command using IOAs:
+
+ - 1101 (`\x4D\x04\x00`),
+ - 1102 (`\x4E\x04\x00`) and
+ - 1103 (`\x4F\x04\x00`).
+
+.`important_ioas.rules`
+----
+alert tcp any any -> any 2404 \
+    (msg:"IEC-104 single command with important IOAs"; gid:45534554; sid:45104001; rev:1;\
+    metadata: author "ESET Research", date "2022-08-10,\
+    copyright "ESET spol s r.o.";\
+    content:"|68|"; offset:0; depth:1;\
+    content:"|2D|"; offset:6; depth:1;\
+    pcre:"/.{5}(\x9C\x74\x02|\x9D\x74\x02|\x9E\x74\x02)/sAR";)
+
+alert tcp any any -> any 2404 \
+    (msg:"IEC-104 double command with important IOAs"; gid:45534554; sid:45104002; rev:1;\
+    metadata: author "ESET Research", date "2022-08-10,\
+    copyright "ESET spol s r.o.";\
+    content:"|68|"; offset:0; depth:1;\
+    content:"|2E|"; offset:6; depth:1;\
+    pcre:"/.{5}(\x4D\x04\x00|\x4E\x04\x00|\x4F\x04\x00)/sAR";)
+----