Add DNP3 protocol analyzer #8

@Zious11

Summary

Implement a DNP3 (Distributed Network Protocol 3) analyzer for ICS/OT forensics.

Requirements

  • Detect DNP3 on port 20000 (TCP/UDP)
  • Parse DNP3 data link layer header (start bytes 0x0564, length, control, destination, source)
  • Parse transport and application layer function codes
  • Track: reads vs writes, direct operate commands, cold/warm restarts
  • Detect anomalies: unauthorized control commands, broadcast messages, unsolicited responses
  • Map to MITRE ICS: T0855, T0803 (Block Command Message)

Acceptance Criteria

  • `Dnp3Analyzer` implements `ProtocolAnalyzer`
  • Tests with crafted DNP3 packets
  • Summarize: function code distribution, control operation counts
  • Findings for unauthorized control operations
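A worked sketch of the parsing, tracking and anomaly logic the requirements and acceptance criteria above describe. This is an added example, not code from this project or from @Zious11: it assumes Python, that link frames have already been carved out of TCP/UDP port 20000 payloads (port detection is not shown), that messages are single-fragment (transport FIR and FIN both set; reassembly is not handled), and that the operator supplies the set of addresses allowed to issue control, restart and write commands. The `Dnp3Message`, `parse_frame`, `build_frame`, `is_valid_frame` and `analyze` names are this example's own, and the sample frames are constructed, not captured.

```python
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass

DNP3_START = b"\x05\x64"   # data link frame start bytes
BROADCAST_MIN = 0xFFFD     # destinations 0xFFFD..0xFFFF are broadcast
FUNC_NAMES = {0x01: "READ", 0x02: "WRITE", 0x03: "SELECT", 0x04: "OPERATE",
              0x05: "DIRECT_OPERATE", 0x06: "DIRECT_OPERATE_NR", 0x0D: "COLD_RESTART",
              0x0E: "WARM_RESTART", 0x81: "RESPONSE", 0x82: "UNSOLICITED_RESPONSE"}
CONTROL_FUNCS = {0x03, 0x04, 0x05, 0x06}   # select/operate family
RESTART_FUNCS = {0x0D, 0x0E}               # cold/warm restart
OP_KIND = {0x01: "read", 0x02: "write", **dict.fromkeys(CONTROL_FUNCS, "control"),
           **dict.fromkeys(RESTART_FUNCS, "restart")}

def crc16_dnp(data: bytes) -> int:
    """CRC-16/DNP: reflected polynomial 0xA6BC (0x3D65), init 0, result complemented."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF

def build_frame(control: int, dst: int, src: int, user_data: bytes) -> bytes:
    """Craft a CRC-correct link frame: 8-byte header + CRC, then 16-byte blocks, each + CRC."""
    header = DNP3_START + bytes([5 + len(user_data), control])
    header += dst.to_bytes(2, "little") + src.to_bytes(2, "little")
    frame = header + crc16_dnp(header).to_bytes(2, "little")
    for i in range(0, len(user_data), 16):
        block = user_data[i:i + 16]
        frame += block + crc16_dnp(block).to_bytes(2, "little")
    return frame

@dataclass
class Dnp3Message:
    dst: int
    src: int
    from_master: bool    # link control DIR bit
    app_control: int     # FIR/FIN/CON/UNS flags and sequence number
    function: int
    iin: int | None      # Internal Indications, present in responses only
    objects: bytes       # object headers and data, left undecoded here

def parse_frame(frame: bytes) -> Dnp3Message:
    """Parse a single-fragment DNP3 frame, checking every CRC; ValueError on bad input."""
    if len(frame) < 10 or frame[:2] != DNP3_START or frame[2] < 8:
        raise ValueError("not a DNP3 frame, or too short for transport/application headers")
    if int.from_bytes(frame[8:10], "little") != crc16_dnp(frame[:8]):
        raise ValueError("header CRC mismatch")
    dst, src = int.from_bytes(frame[4:6], "little"), int.from_bytes(frame[6:8], "little")
    user_data, pos, remaining = bytearray(), 10, frame[2] - 5   # length counts 5 header bytes
    while remaining:
        take = min(16, remaining)
        block, crc = frame[pos:pos + take], frame[pos + take:pos + take + 2]
        if len(block) != take or int.from_bytes(crc, "little") != crc16_dnp(block):
            raise ValueError("user data block CRC mismatch or truncated frame")
        user_data += block
        pos, remaining = pos + take + 2, remaining - take
    if (user_data[0] & 0xC0) != 0xC0:   # transport header: FIR and FIN must both be set
        raise ValueError("multi-fragment message; reassembly is out of scope in this example")
    app_control, function = user_data[1], user_data[2]
    iin, body = None, bytes(user_data[3:])
    if function in (0x81, 0x82):        # responses carry a 2-byte IIN field first
        iin, body = int.from_bytes(body[:2], "little"), body[2:]
    return Dnp3Message(dst, src, bool(frame[3] & 0x80), app_control, function, iin, body)

def is_valid_frame(frame: bytes) -> bool:
    try:
        parse_frame(frame)
    except ValueError:
        return False
    return True

def analyze(frames: list[bytes], allowed_masters: set[int]) -> dict:
    """Summarise function codes and operation kinds; flag the anomalies the issue lists."""
    s = {"function_counts": Counter(), "op_counts": Counter(), "findings": []}
    for frame in frames:
        m = parse_frame(frame)
        name = FUNC_NAMES.get(m.function, f"0x{m.function:02X}")
        s["function_counts"][name] += 1
        s["op_counts"][OP_KIND.get(m.function, "other")] += 1
        if m.dst >= BROADCAST_MIN:
            s["findings"].append(f"broadcast {name} from {m.src} to 0x{m.dst:04X}")
        if m.function == 0x82:
            s["findings"].append(f"unsolicited response from outstation {m.src} to {m.dst}")
        if OP_KIND.get(m.function) in ("write", "control", "restart") and m.src not in allowed_masters:
            s["findings"].append(f"unauthorized {name} from {m.src} to {m.dst}")
    return s

# Constructed sample traffic (not a capture): master 1, outstation 10, rogue host 99.
# Link control 0xC4 = DIR|PRM, unconfirmed user data (from master); 0x44 = same from outstation.
MASTER, OUTSTATION, ROGUE = 1, 10, 99
SAMPLE_FRAMES = [
    build_frame(0xC4, OUTSTATION, MASTER, bytes.fromhex("c0c001 3c0206 3c0306 3c0406")),  # READ class 1-3
    build_frame(0xC4, OUTSTATION, MASTER, bytes.fromhex("c0c105 0c0117 0100 4101 00000000 00000000 00")),  # DIRECT_OPERATE CROB
    build_frame(0xC4, OUTSTATION, ROGUE, bytes.fromhex("c0c20d")),  # COLD_RESTART from an unknown source
    build_frame(0xC4, 0xFFFF, MASTER, bytes.fromhex("c0c302 500107 01 000000000000")),  # broadcast WRITE (time)
    build_frame(0x44, MASTER, OUTSTATION, bytes.fromhex("c0f082 1000")),  # UNSOLICITED_RESPONSE + IIN
]
```

Running `analyze(SAMPLE_FRAMES, allowed_masters={MASTER})` over the constructed frames yields one READ, one DIRECT_OPERATE, one COLD_RESTART, one WRITE and one UNSOLICITED_RESPONSE in the function code distribution, and three findings: the restart from address 99, the write to 0xFFFF, and the unsolicited response. Every CRC is verified before anything is decoded, so a frame with a flipped bit or a missing trailing CRC is rejected rather than counted; an analyzer that skips CRC checks would happily attribute function codes to corrupted or injected bytes.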

Labels

  • analyzer: Protocol analyzer modules
  • enhancement: New feature or request
  • ics/ot: Industrial control system / OT protocols
  • protocol:dnp3: DNP3 protocol analysis (ICS/OT)
