Sbharadwaj05/ot-sentinel-rules

GitHub: Sbharadwaj05/ot-sentinel-rules

Stars: 7 | Forks: 0

# OT Sentinel — Open-Source Detection Rules for ICS/OT Protocols

[![License](https://img.shields.io/badge/license-Apache%202.0-blue.svg)](LICENSE) [![Rules](https://img.shields.io/badge/rules-29-blue)](rules/) [![ATT&CK](https://img.shields.io/badge/ATT&CK%20ICS-7%20techniques-orange)](mappings/) [![CI](https://img.shields.io/badge/CI-passing-brightgreen)]() [![Lab](https://img.shields.io/badge/lab-OpenPLC%2BWazuh%204.14-informational)]()

**OT Sentinel** is an open-source detection rule library for Industrial Control Systems (ICS) and Operational Technology (OT) protocols. It provides **Wazuh** and **Sigma** rules mapped to MITRE ATT&CK for ICS — built for learning, lab testing, and kickstarting OT detection engineering.

![OT Sentinel Architecture](https://static.pigsec.cn/wp-content/uploads/repos/2026/06/59ae2ca9ef082057.png)

## The Problem

OT/ICS security teams face a critical gap:

- **Almost no open-source detection rules exist** for OT protocols (Modbus, DNP3, IEC 104, MQTT, OPC-UA) at the SIEM/XDR layer; the open-source OT rule sets that do exist (for example QuickDraw, compared below) target network IDS engines such as Snort
- Commercial OT security tools cost $50K–$200K+ per site
- Existing rules are proprietary, locked behind vendor contracts
- Small water treatment plants, power substations, and factories are left blind

**OT Sentinel fills this gap** — free, open-source, lab-validated detection rules for learning, testing, and accelerating your OT detection engineering.

## What This Is (and Isn't)

| This IS | This IS NOT |
|---------|-------------|
| A detection engineering accelerator | A drop-in replacement for Dragos/Nozomi/Claroty |
| Lab-validated against real OpenPLC hardware | Production-tested across diverse OT environments |
| A learning resource for OT protocol security | A complete OT security solution |
| A foundation you can build on and customize | A set of rules you should blindly deploy to prod |

## Production Readiness

| Protocol | Rules Written | HW-Tested (OpenPLC) | Wazuh-Validated | Test Scripts |
|----------|---------------|---------------------|-----------------|--------------|
| **Modbus** | 8 | ✅ 8/8 | ✅ 8/8 | ✅ All 8 |
| **DNP3** | 7 | — | ✅ 7/7 | 💤 Stubs |
| **IEC 104** | 6 | — | ✅ 6/6 | 💤 Stubs |
| **MQTT** | 5 | — | ✅ 5/5 | 💤 Stubs |
| **OPC-UA** | 3 | — | ✅ 3/3 | 💤 Stubs |

"—" means the rules have not yet been exercised against a live device; "Stubs" means only placeholder test scripts exist. Only the Modbus rules have been validated end to end (traffic generated against OpenPLC, decoded and alerted on in Wazuh).

## How OT Sentinel Compares

### vs Commercial OT Security

| Concern | Dragos / Nozomi / Claroty | OT Sentinel |
|---------|---------------------------|-------------|
| Logic visible? | ❌ Black box | ✅ Open-source |
| Custom rules? | Limited UI | Full control (XML) |
| Works with Wazuh? | ❌ Separate platform | ✅ Drop-in |
| Auditable? | ❌ No | ✅ Apache 2.0 |
| ATT&CK mapped? | Varies | ✅ Every rule |
| Cost | $50K-200K+/year | Free |

### vs Open-Source Tools

| Tool | Purpose | OT Sentinel's Role |
|------|---------|--------------------|
| [Conpot](https://github.com/mushorg/conpot) | ICS honeypot | Alerts on real device attacks |
| [GRASSMARLIN](https://github.com/nsacyber/GRASSMARLIN) | Passive mapping | Detection after discovery |
| [QuickDraw](https://github.com/digitalbond/QuickDraw) | SNORT rules | SIEM-layer (Wazuh/Sigma) |

## Screenshots

| Wazuh Alert (logtest) | Attack Test |
|-----------------------|-------------|
| ![Alert](https://static.pigsec.cn/wp-content/uploads/repos/2026/06/b339db3210082058.png) | ![Test](https://static.pigsec.cn/wp-content/uploads/repos/2026/06/b5eec685d5082059.png) |

## Repository Structure

```text
ot-sentinel-rules/
├── rules/
│   ├── wazuh/                # Wazuh XML rules (deploy to /var/ossec/etc/rules/)
│   │   ├── decoders/         # Custom Wazuh decoders for OT protocols
│   │   ├── modbus/
│   │   ├── dnp3/
│   │   ├── iec104/
│   │   ├── mqtt/
│   │   └── opc-ua/
│   └── sigma/                # Sigma YAML rules (SIEM-agnostic)
│       ├── modbus/
│       ├── dnp3/
│       ├── iec104/
│       ├── mqtt/
│       └── opc-ua/
├── cdb-lists/                # Wazuh CDB allowlists
├── tests/                    # Test scripts (pymodbus, paho-mqtt, etc.)
├── docs/                     # Protocol primers, attack catalogs, lab guides
├── mappings/                 # ATT&CK for ICS coverage maps
├── tools/                    # Validation & CI/CD tooling
└── .github/workflows/        # CI pipeline
```

## Quick Start

### Prerequisites

- Wazuh Manager 4.x+
- Python 3.9+ (for test scripts)
- Optional: OpenPLC, GNS3 lab (see [lab setup guide](docs/lab-setup/))

### Deploy Rules

```bash
# Clone the repo
git clone https://github.com/Sbharadwaj05/ot-sentinel-rules.git
cd ot-sentinel-rules

# Copy decoders and Wazuh rules to the manager
# (repeat the rules line for dnp3/, iec104/, mqtt/ and opc-ua/ as needed)
sudo cp rules/wazuh/decoders/*.xml /var/ossec/etc/decoders/
sudo cp rules/wazuh/modbus/*.xml /var/ossec/etc/rules/

# Copy CDB lists. Each list must also be declared in ossec.conf under
# <ruleset><list>etc/lists/<name></list></ruleset>, or the rules that
# reference it will not load.
sudo cp cdb-lists/* /var/ossec/etc/lists/

# Wazuh 4.x runs as the wazuh user; hand it the new files
sudo chown wazuh:wazuh /var/ossec/etc/decoders/*.xml /var/ossec/etc/rules/*.xml /var/ossec/etc/lists/*

# Confirm the decoders and rules load and fire on a sample event before restarting
sudo /var/ossec/bin/wazuh-logtest

# Restart Wazuh
sudo systemctl restart wazuh-manager
```

### Run Tests

The test scripts generate real protocol traffic (for example, Modbus writes) against the target, so point them only at a lab PLC or digital twin, never at a production device.

```bash
cd tests/modbus/
python test_unauthorized_write.py --target 192.168.1.100 --port 502
```

## MITRE ATT&CK for ICS Coverage

Every rule maps to [MITRE ATT&CK for ICS](https://attack.mitre.org/matrices/ics/). Current coverage:

| Tactic | Techniques Covered | Rules |
|--------|--------------------|-------|
| Initial Access | — | — |
| Execution | T0855 (Unauthorized Command Message) | 7 |
| Persistence | — | — |
| Evasion | — | — |
| Discovery | T0840 (Network Connection Enumeration), T0846 (Remote System Discovery) | 10 |
| Lateral Movement | — | — |
| Collection | — | — |
| Command and Control | — | — |
| Inhibit Response Function | T0858 (Change Operating Mode) | 2 |
| Impair Process Control | T0814 (Denial of Service), T0836 (Modify Parameter), T0855 (Unauthorized Command Message), T0856 (Spoof Reporting Message) | 6 |
| Impact | — | — |

A rule can map to more than one technique, so the per-tactic counts do not sum to the 29 rules in the repository. Note also that the published matrix files T0855 under Impair Process Control (not Execution), T0814 under Inhibit Response Function (not Impair Process Control), and T0858 under both Execution and Inhibit Response Function; consult [mappings/](mappings/) for the per-rule mapping before relying on the per-tactic counts above.

## Author

**Subhash Bharadwaj** — Security Engineer

- Production experience: Wazuh, SIEM/SOAR, Kubernetes (RKE2), Terraform, Ansible
- OT/ICS: OpenPLC, GNS3, air-gapped digital twin environments
- Prior work: [Wazuh NIST Rules Set](https://github.com/Sbharadwaj05/Wazuh-NIST-Rules-Set) — 50 rules, NIST CSF 2.0 + ATT&CK mapped

## License

Apache 2.0 — see [LICENSE](LICENSE).

## Disclaimer

**Phase 0 ✅ | Phase 1 ✅ | Phase 2 ✅ | Phase 3 ✅ | Phase 4 ✅ | Phase 5 ✅**
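The Quick Start above deploys a decoder, a rule file and a CDB allowlist and then fires a Modbus write at the PLC with a test script. The following is an added, self-contained Python example (it is not code from the OT Sentinel repository) that walks that same path in one process: a probe builds Modbus/TCP write and read requests the way a pymodbus-based test script would, a sensor turns each frame into a log line, and a detector decodes the line and applies the "write from a master not on the allowlist" rule (ATT&CK for ICS T0855), which is the split between `rules/wazuh/decoders/`, `rules/wazuh/modbus/` and `cdb-lists/`. The log line format, the IP addresses, the rule ID and level are all assumptions made for the example.

```python
"""Miniature Modbus/TCP pipeline: probe -> sensor log line -> decoder + rule.
Added example; not the OT Sentinel project's code. Addresses, log format and
rule id are assumptions."""
import re
import struct
from dataclasses import dataclass
from typing import Optional

# Function codes that alter process state. A write from an unexpected master
# is ATT&CK for ICS T0855, Unauthorized Command Message.
WRITE_FUNCTION_CODES = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
}

# Stand-in for a Wazuh CDB allowlist: PLC address -> masters allowed to write.
# Lab addresses are assumed.
ALLOWED_WRITERS = {"192.168.1.100": {"192.168.1.10"}}


def build_adu(tid: int, unit: int, pdu: bytes) -> bytes:
    """Prepend the MBAP header: transaction id, protocol id 0, length of
    (unit id + PDU), unit id. Every field is big-endian."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def write_single_register(tid: int, unit: int, address: int, value: int) -> bytes:
    """Function code 0x06: what a test script sends to change a setpoint."""
    return build_adu(tid, unit, struct.pack(">BHH", 0x06, address, value))


def read_holding_registers(tid: int, unit: int, address: int, count: int) -> bytes:
    """Function code 0x03: a benign poll that must not alert."""
    return build_adu(tid, unit, struct.pack(">BHH", 0x03, address, count))


def frame_to_log(src: str, dst: str, raw: bytes) -> str:
    """Sensor side: validate the MBAP header and emit one key=value log line
    (an assumed format; a real sensor would be Zeek, Suricata or similar)."""
    if len(raw) < 8:
        raise ValueError("ADU shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", raw[:7])
    if proto != 0 or length != len(raw) - 6:
        raise ValueError("malformed MBAP header")
    fc = raw[7]
    # For the request types built here the first PDU field is the start address.
    addr = struct.unpack(">H", raw[8:10])[0] if len(raw) >= 10 else -1
    return f"modbus: src={src} dst={dst} unit={unit} fc={fc} addr={addr} tid={tid}"


@dataclass
class Alert:
    rule_id: int
    level: int
    mitre: str
    description: str


# Detector side, playing the Wazuh decoder: pull fields out of the log line.
LOG_RE = re.compile(
    r"^modbus: src=(?P<src>\S+) dst=(?P<dst>\S+) unit=(?P<unit>\d+) "
    r"fc=(?P<fc>\d+) addr=(?P<addr>-?\d+)"
)


def evaluate(line: str) -> Optional[Alert]:
    """The rule: a write function code from a master absent from the allowlist."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a Modbus line; another decoder would own it
    fc = int(m["fc"])
    if fc not in WRITE_FUNCTION_CODES:
        return None
    if m["src"] in ALLOWED_WRITERS.get(m["dst"], set()):
        return None  # allowlisted engineering workstation
    return Alert(
        rule_id=100101,  # assumed id; Wazuh reserves 100000-119999 for custom rules
        level=12,
        mitre="T0855",
        description=(f"Modbus {WRITE_FUNCTION_CODES[fc]} to {m['dst']} unit {m['unit']} "
                     f"addr {m['addr']} from unauthorized master {m['src']}"),
    )


def run(events) -> list:
    """events: iterable of (src_ip, dst_ip, raw_adu). Returns the alerts raised."""
    alerts = []
    for src, dst, raw in events:
        alert = evaluate(frame_to_log(src, dst, raw))
        if alert:
            alerts.append(alert)
    return alerts


# Constructed traffic: a benign poll, an allowlisted write, and a rogue write.
SAMPLE_EVENTS = [
    ("192.168.1.10", "192.168.1.100", read_holding_registers(1, 1, 0, 10)),
    ("192.168.1.10", "192.168.1.100", write_single_register(2, 1, 0, 500)),
    ("192.168.1.77", "192.168.1.100", write_single_register(3, 1, 0, 0)),
]

if __name__ == "__main__":
    for a in run(SAMPLE_EVENTS):
        print(f"rule {a.rule_id} level {a.level} [{a.mitre}] {a.description}")
```

Only the third frame alerts. The first is a read and the second comes from the allowlisted master, which is the behaviour the CDB list gives the real rule: the function-code match alone would page on every legitimate HMI write.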
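The README promises that every rule maps to ATT&CK for ICS and lists a `tools/` directory of validation and CI tooling. Here is an added Python example of the kind of check that promise needs; it is not the repository's own tooling. It parses a Wazuh rule file (which may contain several top-level `<group>` elements and therefore no single XML root), flags rules with no `<mitre><id>`, with a technique outside the ATT&CK for ICS `T08xx` numbering, with an ID outside Wazuh's custom range of 100000-119999, or with a duplicated ID, and counts rules per technique. The embedded rule file is constructed for the example; its rule IDs, field names and list path are assumptions.

```python
"""Lint Wazuh rule XML for ATT&CK for ICS mapping and ID hygiene.
Added example; not the OT Sentinel project's tools/. Embedded rules are
constructed for illustration."""
import re
import xml.etree.ElementTree as ET

CUSTOM_ID_RANGE = range(100000, 120000)  # Wazuh reserves these for user rules
ICS_TECHNIQUE = re.compile(r"^T08\d{2}$")  # ATT&CK for ICS ids are T0800-T08xx

# Constructed rule file: one clean rule, one with no mapping, one duplicate id
# mapped to an Enterprise technique, and one id below the custom range.
SAMPLE_RULES_XML = """
<group name="ot,modbus,">
  <rule id="100101" level="12">
    <decoded_as>modbus</decoded_as>
    <field name="function_code">^(5|6|15|16)$</field>
    <list field="src_ip" lookup="not_match_key">etc/lists/modbus-writers</list>
    <description>Modbus write from master not on allowlist</description>
    <mitre><id>T0855</id></mitre>
  </rule>
  <rule id="100102" level="8">
    <decoded_as>modbus</decoded_as>
    <field name="function_code">^8$</field>
    <description>Modbus diagnostics (fc 8) request</description>
  </rule>
</group>
<group name="ot,dnp3,">
  <rule id="100101" level="10">
    <decoded_as>dnp3</decoded_as>
    <description>Duplicate id, wrong matrix</description>
    <mitre><id>T1046</id></mitre>
  </rule>
  <rule id="99999" level="5">
    <description>Id below the custom range</description>
    <mitre><id>T0840</id></mitre>
  </rule>
</group>
"""


def rules_in(text: str):
    """Yield every <rule> element. A Wazuh rule file has no single root, so
    wrap it before handing it to ElementTree."""
    root = ET.fromstring("<ot_sentinel>" + text + "</ot_sentinel>")
    return root.iter("rule")


def lint(text: str) -> list:
    """Return (rule_id, problem) tuples; an empty list means the file passes."""
    findings = []
    seen = set()
    for rule in rules_in(text):
        rid, level = rule.get("id"), rule.get("level")
        if rid is None or not rid.isdigit():
            findings.append((rid, "missing or non-numeric id"))
            continue
        if int(rid) not in CUSTOM_ID_RANGE:
            findings.append((rid, "id outside Wazuh custom range 100000-119999"))
        if rid in seen:
            findings.append((rid, "duplicate rule id"))
        seen.add(rid)
        if level is None or not level.isdigit() or not 0 <= int(level) <= 16:
            findings.append((rid, "level must be 0-16"))
        if rule.find("description") is None:
            findings.append((rid, "missing <description>"))
        techniques = [m.text.strip() for m in rule.findall("mitre/id") if m.text]
        if not techniques:
            findings.append((rid, "no <mitre><id> mapping"))
        for tid in techniques:
            if not ICS_TECHNIQUE.match(tid):
                findings.append((rid, f"{tid} is not an ATT&CK for ICS technique id"))
    return findings


def coverage(text: str) -> dict:
    """Technique id -> number of rules mapped to it: the data behind a
    coverage table such as the one in mappings/."""
    counts = {}
    for rule in rules_in(text):
        for m in rule.findall("mitre/id"):
            if m.text:
                counts[m.text.strip()] = counts.get(m.text.strip(), 0) + 1
    return counts


if __name__ == "__main__":
    for rid, problem in lint(SAMPLE_RULES_XML):
        print(f"rule {rid}: {problem}")
    print(coverage(SAMPLE_RULES_XML))
```

Running this in CI over `rules/wazuh/**/*.xml` and failing the job on a non-empty `lint()` result is what keeps the "every rule is ATT&CK mapped" badge honest; `wazuh-logtest` checks that the rules load and fire, but it says nothing about the `<mitre>` block.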