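├── README.md
├── myicsrules.rules
└── scada_all.rules
/README.md:
--------------------------------------------------------------------------------
# SCADA-Rules
Snort rules
--------------------------------------------------------------------------------
/myicsrules.rules:
--------------------------------------------------------------------------------
#
#
# $Id: myicsrules.rules,v 0.1,
#----------
# myicsrules RULES
# ICS protocol/ICS software communication identification/filter
# Siemens S7 TCP 102
# Modbus TCP 502
#
# NOTE(review): the rules below identify ICS commands on the wire; they are not
# exploit signatures. Each one keys on fixed bytes at fixed payload offsets and
# carries no flow:, classtype: or rev: option, so it also fires on unestablished
# or mid-stream segments; consider adding "flow:to_server,established;" once the
# stream preprocessor is enabled. The sids (8999100-8999919) sit in the local
# (>= 1000000) range, which is the right place for site rules.
#
#----------
# Siemens S7 Filter rules
#----------
# S7 rules: bytes 0-1 "03 00" (TPKT), bytes 7-8 "32 01"/"32 07" (S7 protocol id
# 0x32 followed by the PDU type) and byte 17 (function/parameter code) — read off
# the offsets used below; confirm against the S7comm layout before editing them.
# Set the S7 PLC's internal clock
alert tcp any any -> any 102 (msg:"Request Time functions Set clock";content:"|03 00|";offset:0;depth:2;content:"|32 07 00|";offset:7;depth:3;content:"|00 01 12 04 11 47 02 00|";offset:17;depth:8;sid:8999907;)
# Set the password for the S7 PLC session
alert tcp any any -> any 102 (msg:"Request Security functions Set PLC session password";content:"|03 00|";offset:0;depth:2;content:"|00 01 12 04 11 45 01 00|";offset:17;depth:8;sid:8999908;)
# Put the S7 PLC CPU into STOP
alert tcp any any -> any 102 (msg:"Request CPU functions Set PLC CPU STOP";content:"|29 00 00 00 00 00 09 50 5f 50 52 4f 47 52 41 4d|";sid:8999909;)
# Warm (hot) restart of the S7 PLC CPU into RUN
alert tcp any any -> any 102 (msg:"Request CPU functions Set PLC CPU Hot Restart";content:"|28 00 00 00 00 00 00 fd 00 00 09 50 5f 50 52 4f|";sid:8999910;)
# Cold restart of the S7 PLC CPU into RUN
alert tcp any any -> any 102 (msg:"Request CPU functions Set PLC CPU Cold Restart";content:"|28 00 00 00 00 00 00 fd 00 02 43 20 09 50 5f 50 52 4f 47 52 41 4d|";sid:8999911;)
# Writing S7 PLC memory variables
alert tcp any any -> any 102 (msg:"Write Var";content:"|03 00|";offset:0;depth:2;content:"|32 01|";offset:7;depth:2;content:"|05|";offset:17;depth:1;sid:8999912;)
# Request to download a program block
alert tcp any any -> any 102 (msg:"Request download";content:"|03 00|";offset:0;depth:2;content:"|32 01|";offset:7;depth:2;content:"|1a|";offset:17;depth:1;sid:8999913;)
# Start of a program-block download
alert tcp any any -> any 102 (msg:"Download block";content:"|03 00|";offset:0;depth:2;content:"|32 01|";offset:7;depth:2;content:"|1b|";offset:17;depth:1;sid:8999914;)
# Program-block download finished
alert tcp any any -> any 102 (msg:"Download ended";content:"|03 00|";offset:0;depth:2;content:"|32 01|";offset:7;depth:2;content:"|1c|";offset:17;depth:1;sid:8999915;)
# Request to upload a program block
alert tcp any any -> any 102 (msg:"Start upload";content:"|03 00|";offset:0;depth:2;content:"|32 01|";offset:7;depth:2;content:"|1d|";offset:17;depth:1;sid:8999916;)
# Uploading a program block
alert tcp any any -> any 102 (msg:"Upload";content:"|03 00|";offset:0;depth:2;content:"|32 01|";offset:7;depth:2;content:"|1e|";offset:17;depth:1;sid:8999917;)
# Program-block upload finished
alert tcp any any -> any 102 (msg:"End upload";content:"|03 00|";offset:0;depth:2;content:"|32 01|";offset:7;depth:2;content:"|1f|";offset:17;depth:1;sid:8999918;)
# Delete a program block inside the S7 PLC
# NOTE(review): restored the ';' between depth:2 and content: (was "depth:2content:");
# without it the option parser rejects the rule and Snort refuses to load the whole file.
alert tcp any any -> any 102 (msg:"Delet block";content:"|03 00|";offset:0;depth:2;content:"|05 5f 44 45 4c 45|";sid:8999919;)

#
#----------
# Modbus Filter rules
#----------
# Modbus rules: bytes 2-3 "00 00" = MBAP protocol identifier (Modbus), byte 7 = function code.
# Writing a single coil
alert tcp any any -> any 502 (msg:"Modbus TCP/Write Single Coil";content:"|00 00|";offset:2; depth:2; content:"|05|";offset:7;depth:1;sid:8999100;)
# Writing a single holding register
alert tcp any any -> any 502 (msg:"Modbus TCP/Write Single Register";content:"|00 00|";offset:2; depth:2; content:"|06|";offset:7;depth:1;sid:8999101;)
# Reading slave (exception) status
alert tcp any any -> any 502 (msg:"Modbus TCP/Read Exception Status";content:"|00 00|";offset:2; depth:2; content:"|07|";offset:7;depth:1;sid:8999102;)
# Diagnostics command to the device
alert tcp any any -> any 502 (msg:"Modbus TCP/Diagnostics Device";content:"|00 00|";offset:2; depth:2; content:"|08|";offset:7;depth:1;sid:8999103;)
# Writing multiple coils
alert tcp any any -> any 502 (msg:"Modbus TCP/Write Multiple Coils";content:"|00 00|";offset:2; depth:2; content:"|0f|";offset:7;depth:1;sid:8999104;)
# Writing multiple holding registers
alert tcp any any -> any 502 (msg:"Modbus TCP/Write Multiple registers";content:"|00 00|";offset:2; depth:2; content:"|10|";offset:7;depth:1;sid:8999105;)
# Writing a file record
alert tcp any any -> any 502 (msg:"Modbus TCP/Write File Record";content:"|00 00|";offset:2; depth:2; content:"|15|";offset:7;depth:1;sid:8999106;)
# Mask write register
alert tcp any any -> any 502 (msg:"Modbus TCP/Mask Write Register";content:"|00 00|";offset:2; depth:2; content:"|16|";offset:7;depth:1;sid:8999107;)
# Read/write multiple registers
# NOTE(review): restored the missing leading 'a' of "alert" (was "lert tcp ...");
# an unknown rule type aborts loading of the file.
alert tcp any any -> any 502 (msg:"Modbus TCP/Read/Write Multiple registers";content:"|00 00|";offset:2; depth:2; content:"|17|";offset:7;depth:1;sid:8999108;)
# Enumerating device identification
alert tcp any any -> any 502 (msg:"Modbus TCP/Read Device Identification";content:"|00 00|";offset:2; depth:2; content:"|2B|";offset:7;depth:1;sid:8999109;)
# Enumerating the memory card ID of a Schneider Quantum PLC
alert tcp any any -> any 502 (msg:"Schneider PLC(Quantumn) uses function code 90 for communications the Unity pro software Request Memory Card ID";content:"|00 00|";offset:2;depth:2;content:"|5a|";offset:7;depth:1;content:"|00 06 06|";offset:8;depth:3;sid:8999110;)
# Enumerating the CPU module information of a Schneider Quantum PLC
alert tcp any any -> any 502 (msg:"Schneider PLC(Quantumn) uses function code 90 for communications the Unity pro software Request CPU Module info";content:"|00 00|";offset:2;depth:2;content:"|5a|";offset:7;depth:1;content:"|00 02|";offset:8;depth:2;dsize:10;sid:8999111;)
# Enumerating the project name stored in a Schneider Quantum PLC
alert tcp any any -> any 502 (msg:"Schneider PLC(Quantumn) uses function code 90 for communications the Unity pro software Request Project Project file name";content:"|00 00|";offset:2;depth:2;content:"|5a|";offset:7;depth:1;content:"|f6 00|";offset:17;depth:2;sid:8999112;)
# Enumerating the last-modified time of the project stored in a Schneider Quantum PLC
alert tcp any any -> any 502 (msg:"Schneider PLC(Quantumn) uses function code 90 for communications the Unity pro software Request Project Information(Revision and Last Modified)";content:"|00 00|";offset:2;depth:2;content:"|5a|";offset:7;depth:1;content:"|03 00|";offset:17;depth:2;sid:8999113;)
# Putting the Schneider Quantum PLC CPU into STOP
alert tcp any any -> any 502 (msg:"Schneider PLC(Quantumn) uses function code 90 for communications the Unity pro software Set PLC CPU STOP";content:"|00 00|";offset:2;depth:2;content:"|5a|";offset:7;depth:1;content:"|40|";offset:9;depth:1;sid:8999114;)
# Putting the Schneider Quantum PLC CPU into RUN
alert tcp any any -> any 502 (msg:"Schneider PLC(Quantumn) uses function code 90 for communications the Unity pro software Set PLC CPU Restart";content:"|00 00|";offset:2;depth:2;content:"|5a|";offset:7;depth:1;content:"|41|";offset:9;depth:1;sid:8999115;)

--------------------------------------------------------------------------------
/scada_all.rules:
--------------------------------------------------------------------------------
#
#
# $Id: scada_all.rules,v 0.1,
#----------
# scada_all RULES
# ICS protocol/ICS software communication identification/filter
# Siemens S7 TCP 102
# Modbus TCP 502
#
# NOTE(review): the S7/Modbus rules in this file use sid 1-115, which lies inside
# the range used by official rule sets and can collide when loaded next to them;
# the sibling file myicsrules.rules carries the same rules as sid 8999xxx in the
# local (>= 1000000) range. Renumbering is left to the maintainer, because the two
# files currently load side by side without a sid clash.
#
#----------
# Siemens S7 Filter rules
#----------
#alert tcp any any -> any 102 (msg:"COTP CR Connect Request";content:"|03 00|";offset:0;depth:2;content:"|e0 00 00|";offset:5;depth:3;sid:1;)
#alert tcp any any -> any 102 (msg:"S7 Setup communication";content:"|03 00|";offset:0;depth:2;content:"|32 01 00|";offset:7;depth:3;content:"|f0|";offset:17;depth:1;sid:2;)
#alert tcp any any -> any 102 (msg:"Read SZL";content:"|03 00|";offset:0;depth:2;content:"|32 07 00|";offset:7;depth:3;content:"|00 01 12 04 11 44 01 00|";offset:17;depth:8;sid:3;)
#alert tcp any any -> any 102 (msg:"Read SZL ID=0x0011";content:"|03 00|";offset:0;depth:2;content:"|32 07 00|";offset:7;depth:3;content:"|00 01 12 04 11 44 01 00|";offset:17;depth:8;content:"|11 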
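00|";offset:30;depth:2;sid:4;)
#alert tcp any any -> any 102 (msg:"Read SZL ID=0x001c";content:"|03 00|";offset:0;depth:2;content:"|32 07 00|";offset:7;depth:3;content:"|00 01 12 04 11 44 01 00|";offset:17;depth:8;content:"|1c 00|";offset:30;depth:2;sid:5;)
#alert tcp any any -> any 102 (msg:"Request Time functions/Read clock";content:"|03 00|";offset:0;depth:2;content:"|32 07 00|";offset:7;depth:3;content:"|00 01 12 04 11 47 01 00|";offset:17;depth:8;sid:6;)
# NOTE(review): the active S7 rules below carry no flow:, classtype: or rev: option
# and match on fixed payload offsets only (bytes 0-1 "03 00", bytes 7-8 "32 01"/"32 07",
# byte 17); consider "flow:to_server,established;" once stream reassembly is enabled.
alert tcp any any -> any 102 (msg:"Request Time functions/Set clock";content:"|03 00|";offset:0;depth:2;content:"|32 07 00|";offset:7;depth:3;content:"|00 01 12 04 11 47 02 00|";offset:17;depth:8;sid:7;)
alert tcp any any -> any 102 (msg:"Request Security functions/Set PLC session password";content:"|03 00|";offset:0;depth:2;content:"|00 01 12 04 11 45 01 00|";offset:17;depth:8;sid:8;)
alert tcp any any -> any 102 (msg:"Request CPU functions/Set PLC CPU STOP";content:"|29 00 00 00 00 00 09 50 5f 50 52 4f 47 52 41 4d|";sid:9;)
alert tcp any any -> any 102 (msg:"Request CPU functions/Set PLC CPU Hot Restart";content:"|28 00 00 00 00 00 00 fd 00 00 09 50 5f 50 52 4f|";sid:10;)
alert tcp any any -> any 102 (msg:"Request CPU functions/Set PLC CPU Cold Restart";content:"|28 00 00 00 00 00 00 fd 00 02 43 20 09 50 5f 50 52 4f 47 52 41 4d|";sid:11;)
alert tcp any any -> any 102 (msg:"Write Var";content:"|03 00|";offset:0;depth:2;content:"|32 01|";offset:7;depth:2;content:"|05|";offset:17;depth:1;sid:12;)
alert tcp any any -> any 102 (msg:"Request download";content:"|03 00|";offset:0;depth:2;content:"|32 01|";offset:7;depth:2;content:"|1a|";offset:17;depth:1;sid:13;)
alert tcp any any -> any 102 (msg:"Download block";content:"|03 00|";offset:0;depth:2;content:"|32 01|";offset:7;depth:2;content:"|1b|";offset:17;depth:1;sid:14;)
alert tcp any any -> any 102 (msg:"Download ended";content:"|03 00|";offset:0;depth:2;content:"|32 01|";offset:7;depth:2;content:"|1c|";offset:17;depth:1;sid:15;)
alert tcp any any -> any 102 (msg:"Start upload";content:"|03 00|";offset:0;depth:2;content:"|32 01|";offset:7;depth:2;content:"|1d|";offset:17;depth:1;sid:16;)
alert tcp any any -> any 102 (msg:"Upload";content:"|03 00|";offset:0;depth:2;content:"|32 01|";offset:7;depth:2;content:"|1e|";offset:17;depth:1;sid:17;)
alert tcp any any -> any 102 (msg:"End upload";content:"|03 00|";offset:0;depth:2;content:"|32 01|";offset:7;depth:2;content:"|1f|";offset:17;depth:1;sid:18;)
#alert tcp any any -> any 102 (msg:"PLC Control";content:"|03 00|";offset:0;depth:2;content:"|32 01|";offset:7;depth:2;content:"|28|";offset:17;depth:1;sid:19;)
# NOTE(review): restored the ';' between depth:2 and content: (was "depth:2content:");
# without it the option parser rejects the rule and Snort refuses to load the whole file.
alert tcp any any -> any 102 (msg:"Delet block";content:"|03 00|";offset:0;depth:2;content:"|05 5f 44 45 4c 45|";sid:20;)
#
#----------
# Modbus Filter rules
#----------
# Modbus rules: bytes 2-3 "00 00" = MBAP protocol identifier (Modbus), byte 7 = function code.
alert tcp any any -> any 502 (msg:"Modbus TCP/Write Single Coil";content:"|00 00|";offset:2; depth:2; content:"|05|";offset:7;depth:1;sid:100;)
alert tcp any any -> any 502 (msg:"Modbus TCP/Write Single Register";content:"|00 00|";offset:2; depth:2; content:"|06|";offset:7;depth:1;sid:101;)
alert tcp any any -> any 502 (msg:"Modbus TCP/Read Exception Status";content:"|00 00|";offset:2; depth:2; content:"|07|";offset:7;depth:1;sid:102;)
alert tcp any any -> any 502 (msg:"Modbus TCP/Diagnostics Device";content:"|00 00|";offset:2; depth:2; content:"|08|";offset:7;depth:1;sid:103;)
alert tcp any any -> any 502 (msg:"Modbus TCP/Write Multiple Coils";content:"|00 00|";offset:2; depth:2; content:"|0f|";offset:7;depth:1;sid:104;)
alert tcp any any -> any 502 (msg:"Modbus TCP/Write Multiple registers";content:"|00 00|";offset:2; depth:2; content:"|10|";offset:7;depth:1;sid:105;)
alert tcp any any -> any 502 (msg:"Modbus TCP/Write File Record";content:"|00 00|";offset:2; depth:2; content:"|15|";offset:7;depth:1;sid:106;)
alert tcp any any -> any 502 (msg:"Modbus TCP/Mask Write Register";content:"|00 00|";offset:2; depth:2; content:"|16|";offset:7;depth:1;sid:107;)
alert tcp any any -> any 502 (msg:"Modbus TCP/Read/Write Multiple registers";content:"|00 00|";offset:2; depth:2; content:"|17|";offset:7;depth:1;sid:108;)
alert tcp any any -> any 502 (msg:"Modbus TCP/Read Device Identification";content:"|00 00|";offset:2; depth:2; content:"|2B|";offset:7;depth:1;sid:109;)
# Schneider/Unity Pro traffic rides on Modbus function code 0x5a (90); the extra
# content checks at offsets 8/9/17 pick out the sub-command.
alert tcp any any -> any 502 (msg:"Schneider PLC(Quantumn) uses function code 90 for communications the Unity pro software/Request Memory Card ID";content:"|00 00|";offset:2;depth:2;content:"|5a|";offset:7;depth:1;content:"|00 06 06|";offset:8;depth:3;sid:110;)
#alert tcp any any -> any 502 (msg:"Schneider PLC(Quantumn) uses function code 90 for communications the Unity pro software/Request CPU Module info";content:"|00 00|";offset:2;depth:2;content:"|5a|";offset:7;depth:1;content:"|00 02|";offset:8;depth:2;dsize:10;sid:111;)
alert tcp any any -> any 502 (msg:"Schneider PLC(Quantumn) uses function code 90 for communications the Unity pro software/Request Project Project file name";content:"|00 00|";offset:2;depth:2;content:"|5a|";offset:7;depth:1;content:"|f6 00|";offset:17;depth:2;sid:112;)
alert tcp any any -> any 502 (msg:"Schneider PLC(Quantumn) uses function code 90 for communications the Unity pro software/Request Project Information(Revision and Last Modified)";content:"|00 00|";offset:2;depth:2;content:"|5a|";offset:7;depth:1;content:"|03 00|";offset:17;depth:2;sid:113;)
alert tcp any any -> any 502 (msg:"Schneider PLC(Quantumn) uses function code 90 for communications the Unity pro software/Set PLC CPU STOP";content:"|00 00|";offset:2;depth:2;content:"|5a|";offset:7;depth:1;content:"|40|";offset:9;depth:1;sid:114;)
alert tcp any any -> any 502 (msg:"Schneider PLC(Quantumn) uses function code 90 for communications the Unity pro software/Set PLC CPU Restart";content:"|00 00|";offset:2;depth:2;content:"|5a|";offset:7;depth:1;content:"|41|";offset:9;depth:1;sid:115;)


#
#----------
# IEC60870-5-104 Filter rules
#----------
# (no rules yet)
#

#
#----------
# Vulnerabilities Filter rules
#----------
# NOTE(review): everything from here on is third-party detection content — rules
# with "metadata:policy ... drop" (sids 26414-30562), Digital Bond Quickdraw rules
# (sids 1111601-1111619) and ET PRO rules (sids 1111620 onwards). Keep them
# byte-identical to upstream so the rev: numbers stay meaningful; local tuning
# belongs in a separate file.
#
#-------------
# CODESYS SCADA RULES
#-------------
alert tcp any any -> any [1210,1211] (msg:"SCADA CODESYS Gateway-Server directory traversal attempt"; flow:to_server,established; content:"|DD DD|"; depth:2; content:"..|5C|..|5C|WINDOWS|5C|system32|5C|wbem|5C|mof|5C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:bugtraq,58032; reference:cve,2012-4705; reference:url,ics-cert.us-cert.gov/pdf/ICSA-13-050-01-a.pdf; classtype:attempted-admin; sid:26415; rev:6;)
alert tcp any any -> any [1210,1211] (msg:"SCADA CODESYS Gateway-Server executable file upload attempt"; flow:to_server,established; content:"|DD DD|"; depth:2; content:"..|5C|..|5C|"; distance:0; content:"MZ"; distance:0; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; distance:-64; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:bugtraq,58032; reference:cve,2012-4705; reference:url,ics-cert.us-cert.gov/pdf/ICSA-13-050-01-a.pdf; classtype:attempted-admin; sid:26414; rev:6;)
alert tcp any any -> any [1210,1211] (msg:"SCADA CODESYS Gateway-Server directory traversal attempt"; flow:to_server,established; content:"|DD DD|"; depth:2; content:".."; within:3; distance:20; content:".."; within:2; distance:1; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:bugtraq,58032; reference:cve,2012-4705; reference:url,ics-cert.us-cert.gov/pdf/ICSA-13-050-01-a.pdf; classtype:attempted-admin; sid:26488; rev:5;)
# alert tcp any any -> any [12397,12399] (msg:"SCADA Schneider Electric IGSS integer underflow attempt"; flow:to_server,established; content:"|9E 19 00 00 49 A1 00 00 EF 03 00 00 70 4E 42 73 48 4A 53 59 62 70 58 61 6D 73 64 78 73 54 70 62|"; metadata:policy security-ips drop; reference:cve,2013-0657; classtype:attempted-user; sid:29504; rev:1;)
# NOTE(review): the disabled rule below uses modbus_func/modbus_data, which need the
# Modbus preprocessor to be configured before it can be enabled.
# alert tcp any any -> any 502 (msg:"SCADA Tri PLC Nano 10 PLC denial of service attempt"; flow:to_server,established; content:"|00 06|"; depth:2; offset:4; modbus_func:1; modbus_data; content:"|00 00|"; depth:2; offset:2; reference:cve,2013-2784; classtype:denial-of-service; sid:29965; rev:1;)
alert tcp any any -> any 20171 (msg:"SCADA Yokogawa CENTUM CS 3000 stack buffer overflow attempt"; flow:to_server,established; content:"|64 A1 18 00 00 00 83 C0 08 8B 20 81 C4 30 F8 FF FF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop; reference:cve,2014-0783; reference:url,www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf; classtype:attempted-admin; sid:30562; rev:1;)
#-------------
# NOTE(review): a second, byte-identical copy of the CODESYS/Yokogawa block above
# (sids 26415, 26414, 26488, 30562 and the two disabled rules) followed here and
# was removed: a repeated gid/sid/rev is either rejected at load time or silently
# discarded, depending on the Snort version, and adds nothing to coverage.
#-----------------------------
#
# CVE 2008-2639: CitectSCADA ODBC Overflow Attempt
#
alert tcp any any -> any 20222 (msg:"CitectSCADA ODBC Overflow Attempt"; flow:established,to_server; byte_test:4,>,399,0; dsize:4; reference:cve, CVE-2008-2639; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111601; rev:2; priority:1;)
#
# CVE-2008-2005: WonderWare SuiteLink DOS Attempt
#
alert tcp any any -> any 5413 (msg:"WonderWare SuiteLink DOS Attempt"; flow:established,to_server; byte_test:4,>,2742,56,little; reference:cve, CVE-2008-2005; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111602; rev:2; priority:1;)
#
# CVE-2008-4322: RealWin INFOTAG/SET_CONTROL Packet Processing Buffer Overflow
#
alert tcp any any -> any 910 (msg:"RealWin INFOTAG/SET_CONTROL Packet Processing Buffer Overflow"; content:"|10 23 54 67|"; depth:4; byte_test:4,>,739,0,little,relative; flow:established,to_server; reference:cve, CVE-2008-4322; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111603; rev:2; priority:1;)
#
# ICS A-10-314-01A: ClearSCADA Heap Overflow Attempt
#
alert tcp any any -> any 5481 (msg:"ClearSCADA Heap Overflow Attempt"; flow:established,to_server; dsize:>500; content: "|a7 0d 44 06 10 00 00 00 08 00 00 00|"; depth: 12; isdataat: 1000; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111604; rev:1; priority:1;)
#
# ICS A-10-314-01A: ClearSCADA Cross-site Scripting Attempt
# sid:1111605 In Development
#
# ICS A-10-314-01A: ClearSCADA Insecure Web Authentication Attempt
# sid:1111606 In Development
#
# CVE 2010-4557: Wonderware InBatch Buffer Overflow Attempt
#
alert tcp any any -> any 9001 (msg:"Wonderware InBatch Buffer Overflow Attempt"; flow:established,to_server; content:"|00 00 4b 14 00 00 00 00 00 00 00 01 00 00 00 00 00 01 00 00|"; depth:20; isdataat: 151; reference:cve, CVE-2010-4557; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111607; rev:1; priority:1;)
#
# CVE 2011-0517: Sielco Sistemi WinLog Stack Overflow Attempt
#
alert tcp any any -> any 46823 (msg:"Sielco Sistemi WinLog Stack Overflow Attempt"; flow:established,to_server; content:"|02 01 01|"; depth:3; isdataat: 61; reference:cve, CVE-2011-0517; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111608; rev:1; priority:1;)
#
# CVE 2010-4598: Ecava IntegraXor Directory Traversal Attempt
#
alert tcp any any -> any 7131 (msg:"Ecava IntegraXor Directory Traversal Attempt"; flow:established,to_server; uricontent: "open?filename"; reference:cve, CVE-2010-4598; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111609; rev:1; priority:2;)
#
# CVE-2010-4142: RealWin HMI Service Buffer Overflow 1
#
alert tcp any any -> any 912 (msg:"RealWin HMI Service Buffer Overflow Attempt 1"; flow:established,to_server; content:"|64 12 54 6a 02 00 00 00|"; depth:8; byte_test:4,>,739,0,little,relative; reference:cve, CVE-2010-4142; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111610; rev:1; priority:1;)
#
# CVE-2010-4142: RealWin HMI Service Buffer Overflow 2
#
alert tcp any any -> any 912 (msg:"RealWin HMI Service Buffer Overflow Attempt 2"; flow:established,to_server; content:"|64 12 54 6a 20 00 00 00|"; depth:8; byte_test:4,>,739,0,little,relative; reference:cve, CVE-2010-4142; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111611; rev:1; priority:1;)
#
# CVE-2010-4142: RealWin HMI Service Buffer Overflow 3
#
alert tcp any any -> any 912 (msg:"RealWin HMI Service Buffer Overflow Attempt 3"; flow:established,to_server; content:"|64 12 54 6a 10 00 00 00|"; depth:8; byte_test:4,>,739,0,little,relative; reference:cve, CVE-2010-4142; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111612; rev:1; priority:1;)
#
# CVE 2009-4462: Intellicom NetBiter Config HICP Hostname Buffer Overflow
#
alert udp any any -> any 3250 (msg:"NetBiter Config HICP Hostname Buffer Overflow"; content:"hn|20 3d|"; content:!"|3b|"; within: 19; reference:cve, CVE-2009-4462; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111613; rev:1; priority:1;)
#
# CVE 2011-0406: WellinTech KingView Remote Heap Overflow Attempt
#
alert tcp any any -> any 777 (msg:"WellinTech KingView Remote Heap Overflow Attempt"; flow:established,to_server; stream_size: client,>,32800; content:"|eb 14|"; content: "|ad bb c3 77 b4 73 ed 77|"; within: 15; reference:cve, CVE-2011-0406; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111614; rev:1; priority:1;)
# NOTE(review): the two disabled KingView rules below share sid 1195; give them
# distinct local-range sids before enabling either.
#alert tcp any any -> any 777 (msg:"Kingview Touchview 6.53 EIP Overwrite Attempt";content:"|90 90|";offset:2;depth:2;content:"|90|";offset:7;depth:1;content:"|90|";offset:9;depth:1;sid:1195;)
#alert tcp any any -> any 777 (msg:"Kingview 6.53 Remote Heap Overflow Attempt";content:"|90 90|";offset:2;depth:2;content:"|90|";offset:7;depth:1;content:"|90|";offset:9;depth:1;sid:1195;)
# CVE 20xx-xxx: IntelliCom NetBiter NB100 and NB200 - Directory Traversal Attempt
#
alert tcp any any -> any any (msg:"NetBiter NB100 and NB200 Directory Traversal Attempt"; flow:established,to_server; uricontent: "/cgi-bin/read.cgi"; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111615; rev:1; priority:2;)
#
# CVE 20xx-xxx: VxWorks Information Disclosure Attempt
#
# NOTE(review): no content match — this alerts on every UDP datagram to port 17185;
# expect noise on networks where the VxWorks debug agent is legitimately reachable.
alert udp any any -> any 17185 (msg:"VxWorks Debug Service Information Disclosure Attempt"; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111616; rev:1; priority:2;)
#
# CVE 2010-4709: Automated Solutions Modbus/TCP Master OPC server Modbus TCP Header Corruption Attempt
#
#alert tcp any any -> any 502 (msg:"Automated Solutions: Modbus/TCP Master OPC server Modbus TCP Header Corruption Attempt"; byte_test: 2,>,500,4; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111617; rev:1; priority:1;)
#
# CVE 20xx-xxx: BroadWin/AdvancTech RPC Information Disclosure Vulnerability
#
alert tcp any any -> any 4592 (msg:"BroadWin/AdvancTech RPC Information Disclosure Vulnerability"; flow:to_server,established; dce_iface: 5d2b62aa-ee0a-4a95-91ae-b064fdb471fc; dce_opnum: 0-3; dce_stub_data; byte_jump:4,-4,relative,align,dce; byte_test:2,=,50003,4,relative,dce; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111618; rev:1; priority:1;)
#
# CVE 20xx-xxx: BroadWin/AdvancTech RPC/RCE Vulnerability
#
alert tcp any any -> any 4592 (msg:"BroadWin/AdvancTech RPC/RCE Vulnerability"; flow:to_server,established; dce_iface: 5d2b62aa-ee0a-4a95-91ae-b064fdb471fc; dce_opnum: 0-3; dce_stub_data;byte_jump:4,-4,relative,align,dce; byte_test:2,=,10000,4,relative,dce; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111619; rev:1; priority:1;)
#
# ----------------------
#
# Rules 1111620 to 1111680 were donated by Emerging Threats Pro with assistance from Nitro Security
#
# They are distributed under the ET-PRO license that is included in the download zip and is available at
# http://rules.emergingthreats.net/open/snort-2.4.0/ETPRO-License.txt
#
# ----------------------
#
# CVE 20xx-xxx: IGSS SCADA System Directory Traversal and Download
#
alert tcp any any -> any 12401 (msg:"ETPRO SCADA IGSS SCADA System Directory Traversal and Download"; flow:to_server,established; content:"|01 00 34 12 0D|"; offset:2; depth:5; content:"|03|"; distance:11; within:1; content:"|2E 2E 5C 2E 2E 5C 2E 2E 5C 2E 2E 5C|"; distance:0; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111620; rev:1;)
#
# CVE 20xx-xxx: IGSS SCADA system Directory Traversal Upload and Overwrite
#
alert tcp any any -> any 12401 (msg:"ETPRO SCADA IGSS SCADA system Directory Traversal Upload and Overwrite"; flow:to_server,established; content:"|01 00 34 12 0D|"; offset:2; depth:5; content:"|02|"; distance:11; within:1; content:"|2E 2E 5C 2E 2E 5C 2E 2E 5C 2E 2E 5C|"; distance:0; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111621; rev:1;)
#
# CVE 20xx-xxx: IGSS SCADA ListAll Function Buffer Overflow
#
alert tcp any any -> any 12401 (msg:"ETPRO SCADA IGSS SCADA ListAll Function Buffer Overflow"; flow:to_server,established; byte_test:2,>,278,0,little; content:"|01 00 34 12 0D|"; offset:2; depth:5; content:"|01|"; distance:11; within:1; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111622; rev:1;)
#
# CVE 20xx-xxx: IGSS SCADA Write File Function Buffer Overflow
#
alert tcp any any -> any 12401 (msg:"ETPRO SCADA IGSS SCADA Write File Function Buffer Overflow"; flow:to_server,established; byte_test:2,>,278,0,little; content:"|01 00 34 12 0D|"; offset:2; depth:5; content:"|02|"; distance:11; within:1; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111623; rev:1;)
#
# CVE 20xx-xxx: IGSS SCADA ReadFile Function Buffer Overflow
#
alert tcp any any -> any 12401 (msg:"ETPRO SCADA IGSS SCADA ReadFile Function Buffer Overflow"; flow:to_server,established; byte_test:2,>,278,0,little; content:"|01 00 34 12 0D|"; offset:2; depth:5; content:"|03|"; distance:11; within:1; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111624; rev:1;)
#
# CVE 20xx-xxx: IGSS SCADA Delete Function Buffer Overflow
#
alert tcp any any -> any 12401 (msg:"ETPRO SCADA IGSS SCADA Delete Function Buffer Overflow"; flow:to_server,established; byte_test:2,>,278,0,little; content:"|01 00 34 12 0D|"; offset:2; depth:5; content:"|04|"; distance:11; within:1; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111625; rev:1;)
#
# CVE 20xx-xxx: IGSS SCADA RenameFile Function Buffer Overflow
#
alert tcp any any -> any 12401 (msg:"ETPRO SCADA IGSS SCADA RenameFile Function Buffer Overflow"; flow:to_server,established; byte_test:2,>,278,0,little; content:"|01 00 34 12 0D|"; offset:2; depth:5; content:"|05|"; distance:11; within:1; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111626; rev:1;)
#
# CVE 20xx-xxx: IGSS SCADA FileInfo Function Buffer Overflow
#
alert tcp any any -> any 12401 (msg:"ETPRO SCADA IGSS SCADA FileInfo Function Buffer Overflow"; flow:to_server,established; byte_test:2,>,278,0,little; content:"|01 00 34 12 0D|"; offset:2; depth:5; content:"|06|"; distance:11; within:1; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111627; rev:1;)
#
# CVE 20xx-xxx: IGSS SCADA RMS Report Add Command Buffer Overflow
#
alert tcp any any -> any 12401 (msg:"ETPRO SCADA IGSS SCADA RMS Report Add Command Buffer Overflow"; flow:to_server,established; byte_test:2,>,278,0,little; content:"|01 00 34 12 07|"; offset:2; depth:5; content:"|04|"; distance:11; within:1; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111628; rev:1;)
#
# CVE 20xx-xxx: IGSS SCADA RMS Report Template ReadFile Command Buffer Overflow
#
alert tcp any any -> any 12401 (msg:"ETPRO SCADA IGSS SCADA RMS Report Template ReadFile Command Buffer Overflow"; flow:to_server,established; byte_test:2,>,278,0,little; content:"|01 00 34 12 07|"; offset:2; depth:5; content:"|06|"; distance:11; within:1; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111629; rev:1;)
#
# CVE 20xx-xxx: IGSS SCADA RMS Report Template WriteFile Command Buffer Overflow
#
alert tcp any any -> any 12401 (msg:"ETPRO SCADA IGSS SCADA RMS Report Template WriteFile Command Buffer Overflow"; flow:to_server,established; byte_test:2,>,278,0,little; content:"|01 00 34 12 07|"; offset:2; depth:5; content:"|05|"; distance:11; within:1; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111630; rev:1;)
#
# CVE 20xx-xxx: IGSS SCADA RMS Report Template Add Command Buffer Overflow
#
alert tcp any any -> any 12401 (msg:"ETPRO SCADA IGSS SCADA RMS Report Template Add Command Buffer Overflow"; flow:to_server,established; byte_test:2,>,534,0,little; content:"|01 00 34 12 07|"; offset:2; depth:5; content:"|04|"; distance:11; within:1; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111631; rev:1;)
#
# CVE 20xx-xxx: IGSS SCADA RMS Report Template Rename Command Buffer Overflow
#
alert tcp any any -> any 12401 (msg:"ETPRO SCADA IGSS SCADA RMS Report Template Rename Command Buffer Overflow"; flow:to_server,established; byte_test:2,>,534,0,little; content:"|01 00 34 12 07|"; offset:2; depth:5; content:"|02|"; distance:11; within:1; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111632; rev:1;)
#
# CVE 20xx-xxx: IGSS SCADA RMS Report Template Delete Command Buffer Overflow
#
alert tcp any any -> any 12401 (msg:"ETPRO SCADA IGSS SCADA RMS Report Template Delete Command Buffer Overflow"; flow:to_server,established; byte_test:2,>,534,0,little; content:"|01 00 34 12 07|"; offset:2; depth:5; content:"|03|"; distance:11; within:1; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111633; rev:1;)
#
# CVE 20xx-xxx: IGSS SCADA STDREP Request Buffer Overflow
#
alert tcp any any -> any 12401 (msg:"ETPRO SCADA IGSS SCADA STDREP Request Buffer Overflow"; flow:to_server,established; byte_test:2,>,278,0,little; content:"|01 00 34 12 08|"; offset:2; depth:5; content:"|04|"; distance:11; within:1; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111634; rev:1;)
#
# CVE 20xx-xxx: IGSS SCADA dc.exe Server Directory Traversal Arbitrary File Execution - 0xa
#
alert tcp any any -> any 12397 (msg:"ETPRO SCADA IGSS SCADA dc.exe Server Directory Traversal Arbitrary File Execution - 0xa"; flow:to_server,established; content:"|0a|"; offset:12; depth:1; content:"|2E 2E 5C 2E 2E 5C 2E 2E 5C 2E 2E 5C 2E 2E 5C|"; distance:0; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111635; rev:1;)
#
# CVE 20xx-xxx: IGSS SCADA dc.exe Server Directory Traversal Arbitrary File Execution - 0x17
#
alert tcp any any -> any 12397 (msg:"ETPRO SCADA IGSS SCADA dc.exe Server Directory Traversal Arbitrary File Execution - 0x17"; flow:to_server,established; content:"|17|"; offset:12; depth:1; content:"|2E 2E 5C 2E 2E 5C 2E 2E 5C 2E 2E 5C 2E 2E 5C|"; distance:0; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111636; rev:1;)
#
# CVE 20xx-xxx: RealFlex RealWin SCADA SCPC_TXTEVENT strcpy() Buffer Overflow
#
alert tcp any any -> any 912 (msg:"ETPRO SCADA RealFlex RealWin SCADA SCPC_TXTEVENT strcpy() Buffer Overflow"; flow:to_server,established; isdataat:215; content:"|64 12 54 6a 10 00 00 00|"; offset:0; byte_test:4,>,200,0,relative,little; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111637; rev:1;)
#
# CVE 20xx-xxx: RealFlex RealWin SCADA On_FC_CONNECT_FCS_LOGIN Buffer Overflow
#
alert tcp any any -> any 910 (msg:"ETPRO SCADA RealFlex RealWin SCADA On_FC_CONNECT_FCS_LOGIN Buffer Overflow"; 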
flow:to_server,established; isdataat:768; content:"|10 23 54 67|"; offset:0; byte_test:4,>,768,0,relative,little; content:"|01 00 01 00|"; distance:6; within:4; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111638; rev:1;) 251 | # 252 | # CVE 20xx-xxx: RealFlex RealWin SCADA On_FC_CTAGLIST_FCS_CADDTAG Buffer Overflow 253 | # 254 | alert tcp any any -> any 910 (msg:"ETPRO SCADA RealFlex RealWin SCADA On_FC_CTAGLIST_FCS_CADDTAG Buffer Overflow"; flow:to_server,established; isdataat:768; content:"|10 23 54 67|"; offset:0; byte_test:4,>,768,0,relative,little; content:"|05 00 01 00|"; distance:6; within:4; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111639; rev:1;) 255 | # 256 | # CVE 20xx-xxx: RealFlex RealWin SCADA On_FC_CTAGLIST_FCS_CDELTAG Buffer Overflow 257 | # 258 | alert tcp any any -> any 910 (msg:"ETPRO SCADA RealFlex RealWin SCADA On_FC_CTAGLIST_FCS_CDELTAG Buffer Overflow"; flow:to_server,established; isdataat:768; content:"|10 23 54 67|"; offset:0; byte_test:4,>,768,0,relative,little; content:"|05 00 02 00|"; distance:6; within:4; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111640; rev:1;) 259 | # 260 | # CVE 20xx-xxx: RealFlex RealWin SCADA On_FC_CTAGLIST_FCS_ADDTAGMS Buffer Overflow 261 | # 262 | alert tcp any any -> any 910 (msg:"ETPRO SCADA RealFlex RealWin SCADA On_FC_CTAGLIST_FCS_ADDTAGMS Buffer Overflow"; flow:to_server,established; isdataat:768; content:"|10 23 54 67|"; offset:0; byte_test:4,>,768,0,relative,little; content:"|05 00 05 00|"; distance:6; within:4; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111641; rev:1;) 263 | # 264 | # CVE 20xx-xxx: RealFlex RealWin SCADA On_FC_RFUSER_FCS_LOGIN Buffer Overflow 265 | # 266 | alert tcp any any -> any 910 (msg:"ETPRO SCADA RealFlex RealWin SCADA On_FC_RFUSER_FCS_LOGIN Buffer Overflow"; 
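flow:to_server,established; isdataat:59; content:"|10 23 54 67|"; offset:0; byte_test:4,>,44,0,relative,little; content:"|11 00 01 00|"; distance:6; within:4; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111642; rev:1;) 267 | # 268 | # CVE 20xx-xxx: RealFlex RealWin SCADA On_FC_BINFILE_FCS_*FILE Buffer Overflow 1 269 | # 270 | alert tcp any any -> any 910 (msg:"ETPRO SCADA RealFlex RealWin SCADA On_FC_BINFILE_FCS_*FILE Buffer Overflow 1"; flow:to_server,established; isdataat:270; content:"|10 23 54 67|"; offset:0; byte_test:4,>,256,0,relative,little; content:"|10 00 01 00|"; distance:6; within:4; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111643; rev:1;) 271 | # 272 | # CVE 20xx-xxx: RealFlex RealWin SCADA On_FC_BINFILE_FCS_*FILE Buffer Overflow 2 273 | # Requires an established session like the other *FILE rules (sids 1111643, 1111645-1111648); rev 2 adds the ",established" flag that rev 1 omitted. 274 | alert tcp any any -> any 910 (msg:"ETPRO SCADA RealFlex RealWin SCADA On_FC_BINFILE_FCS_*FILE Buffer Overflow 2"; flow:to_server,established; isdataat:270; content:"|10 23 54 67|"; offset:0; byte_test:4,>,256,0,relative,little; content:"|10 00 03 00|"; distance:6; within:4; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111644; rev:2;) 275 | # 276 | # CVE 20xx-xxx: RealFlex RealWin SCADA On_FC_BINFILE_FCS_*FILE Buffer Overflow 3 277 | # 278 | alert tcp any any -> any 910 (msg:"ETPRO SCADA RealFlex RealWin SCADA On_FC_BINFILE_FCS_*FILE Buffer Overflow 3"; flow:to_server,established; isdataat:270; content:"|10 23 54 67|"; offset:0; byte_test:4,>,256,0,relative,little; content:"|10 00 08 00|"; distance:6; within:4; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111645; rev:1;) 279 | # 280 | # CVE 20xx-xxx: RealFlex RealWin SCADA On_FC_BINFILE_FCS_*FILE Buffer Overflow 4 281 | # 282 | alert tcp any any -> any 910 (msg:"ETPRO SCADA RealFlex RealWin SCADA On_FC_BINFILE_FCS_*FILE Buffer Overflow 4"; 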
flow:to_server,established; isdataat:270; content:"|10 23 54 67|"; offset:0; byte_test:4,>,256,0,relative,little; content:"|10 00 0A 00|"; distance:6; within:4; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111646; rev:1;) 283 | # 284 | # CVE 20xx-xxx: RealFlex RealWin SCADA On_FC_BINFILE_FCS_*FILE Buffer Overflow 5 285 | # 286 | alert tcp any any -> any 910 (msg:"ETPRO SCADA RealFlex RealWin SCADA On_FC_BINFILE_FCS_*FILE Buffer Overflow 5"; flow:to_server,established; isdataat:270; content:"|10 23 54 67|"; offset:0; byte_test:4,>,256,0,relative,little; content:"|10 00 0B 00|"; distance:6; within:4; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111647; rev:1;) 287 | # 288 | # CVE 20xx-xxx: RealFlex RealWin SCADA On_FC_BINFILE_FCS_*FILE Buffer Overflow 6 289 | # 290 | alert tcp any any -> any 910 (msg:"ETPRO SCADA RealFlex RealWin SCADA On_FC_BINFILE_FCS_*FILE Buffer Overflow 6"; flow:to_server,established; isdataat:270; content:"|10 23 54 67|"; offset:0; byte_test:4,>,256,0,relative,little; content:"|10 00 0D 00|"; distance:6; within:4; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111648; rev:1;) 291 | # 292 | # CVE 20xx-xxx: RealFlex RealWin SCADA On_FC_MISC_FCS_MSGBROADCAST Buffer Overflow 293 | # 294 | alert tcp any any -> any 910 (msg:"ETPRO SCADA RealFlex RealWin SCADA On_FC_MISC_FCS_MSGBROADCAST Buffer Overflow"; flow:to_server,established; isdataat:768; content:"|10 23 54 67|"; offset:0; byte_test:4,>,768,0,relative,little; content:"|0F 00 01 00|"; distance:6; within:4; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111649; rev:1;) 295 | # 296 | # CVE 20xx-xxx: RealFlex RealWin SCADA On_FC_MISC_FCS_MSGSEND Buffer Overflow 297 | # 298 | alert tcp any any -> any 910 (msg:"ETPRO SCADA RealFlex RealWin SCADA On_FC_MISC_FCS_MSGSEND Buffer Overflow"; 
flow:to_server,established; isdataat:768; content:"|10 23 54 67|"; offset:0; byte_test:4,>,768,0,relative,little; content:"|0F 00 03 00|"; distance:6; within:4; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111650; rev:1;) 299 | # 300 | # CVE 20xx-xxx: RealFlex RealWin SCADA On_FC_CGETTAG_FCS_GETTELEMETRY Buffer Overflow 301 | # 302 | alert tcp any any -> any 910 (msg:"ETPRO SCADA RealFlex RealWin SCADA On_FC_CGETTAG_FCS_GETTELEMETRY Buffer Overflow"; flow:to_server,established; isdataat:215; content:"|10 23 54 67|"; offset:0; byte_test:4,>,200,0,relative,little; content:"|02 00 0F 00|"; distance:6; within:4; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111651; rev:1;) 303 | # 304 | # CVE 20xx-xxx: RealFlex RealWin SCADA On_FC_CGETTAG_FCS_GETCHANNELTELEMETRY Buffer Overflow 305 | # 306 | alert tcp any any -> any 910 (msg:"ETPRO SCADA RealFlex RealWin SCADA On_FC_CGETTAG_FCS_GETCHANNELTELEMETRY Buffer Overflow"; flow:to_server,established; isdataat:215; content:"|10 23 54 67|"; offset:0; byte_test:4,>,200,0,relative,little; content:"|02 00 10 00|"; distance:6; within:4; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111652; rev:1;) 307 | # 308 | # CVE 20xx-xxx: RealFlex RealWin SCADA On_FC_CGETTAG_FCS_SETTELEMETRY Buffer Overflow 309 | # 310 | alert tcp any any -> any 910 (msg:"ETPRO SCADA RealFlex RealWin SCADA On_FC_CGETTAG_FCS_SETTELEMETRY Buffer Overflow"; flow:to_server,established; isdataat:215; content:"|10 23 54 67|"; offset:0; byte_test:4,>,200,0,relative,little; content:"|04 00 12 00|"; distance:6; within:4; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111653; rev:1;) 311 | # 312 | # CVE 20xx-xxx: RealFlex RealWin SCADA On_FC_CGETTAG_FCS_SETCHANNELTELEMETRY Buffer Overflow 313 | # 314 | alert tcp any any -> any 910 (msg:"ETPRO SCADA RealFlex RealWin 
SCADA On_FC_CGETTAG_FCS_SETCHANNELTELEMETRY Buffer Overflow"; flow:to_server,established; isdataat:215; content:"|10 23 54 67|"; offset:0; byte_test:4,>,200,0,relative,little; content:"|04 00 13 00|"; distance:6; within:4; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111654; rev:1;) 315 | # 316 | # CVE 20xx-xxx: RealFlex RealWin SCADA On_FC_SCRIPT_FCS_STARTPROG Buffer Overflow 317 | # 318 | alert tcp any any -> any 910 (msg:"ETPRO SCADA RealFlex RealWin SCADA On_FC_SCRIPT_FCS_STARTPROG Buffer Overflow"; flow:to_server,established; isdataat:1000; content:"|10 23 54 67|"; offset:0; byte_test:4,>,1000,0,relative,little; content:"|09 00 12 00|"; distance:6; within:4; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111655; rev:1;) 319 | # 320 | # CVE 20xx-xxx: Iconics Genesis SCADA Freeing of Unitialized Memory Trigger Option 1 321 | # 322 | alert tcp any any -> any 38080 (msg:"ETPRO SCADA Iconics Genesis SCADA Freeing of Unitialized Memory Trigger Option 1"; flow:to_server,established; dsize:62;content:"|b0 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff 0f 00 00 ff 0f 00 00|"; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111656; rev:1;) 323 | # 324 | # CVE 20xx-xxx: Iconics Genesis SCADA Freeing of Unitialized Memory Trigger Option 2 325 | # 326 | alert tcp any any -> any 38080 (msg:"ETPRO SCADA Iconics Genesis SCADA Freeing of Unitialized Memory Trigger Option 2"; flow:to_server,established; dsize:28;content:"|B2 04 00 00 FF 0F 00 00|"; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111657; rev:1;) 327 | # 328 | # CVE 20xx-xxx: Iconics Genesis SCADA Freeing of Unitialized Memory Trigger Option 3 329 | # 330 | alert tcp any any -> any 38080 (msg:"ETPRO SCADA Iconics Genesis SCADA Freeing of Unitialized Memory 
Trigger Option 3"; flow:to_server,established;dsize:38;content:"|b5 04 00 00 00 00 00 00 00 00 00 00 00 00 ff 0f 00 00|"; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111658; rev:1;) 331 | # 332 | # CVE 20xx-xxx: Iconics Genesis SCADA Freeing of Unitialized Memory Trigger Option 4 333 | # 334 | alert tcp any any -> any 38080 (msg:"ETPRO SCADA Iconics Genesis SCADA Freeing of Unitialized Memory Trigger Option 4"; flow:to_server,established; dsize:28;content:"|AE 0D 00 00 FF 0F 00 00|"; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111659; rev:1;) 335 | # 336 | # CVE 20xx-xxx: Iconics Genesis SCADA Freeing of Unitialized Memory Trigger Option 5 337 | # 338 | alert tcp any any -> any 38080 (msg:"ETPRO SCADA Iconics Genesis SCADA Freeing of Unitialized Memory Trigger Option 5"; flow:to_server,established; dsize:37;content:"|bc 1b 00 00 00 00 00 00 00 00 00 00 00 ff 0f 00 00|"; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111660; rev:1;) 339 | # 340 | # CVE 20xx-xxx: Iconics Genesis SCADA Integer Overflow 0x9a08 341 | # 342 | alert tcp any any -> any 38080 (msg:"ETPRO SCADA Iconics Genesis SCADA Integer Overflow 0x9a08"; flow:to_server,established; content:"|01 00 00 15 00 00 00 01 00 00 1F F4 01 00 00 00|"; content:"|9A 08|"; distance:4; within:2; isdataat:1024; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111661; rev:1;) 343 | # 344 | # CVE 20xx-xxx: Iconics Genesis SCADA Integer Overflow 0x5304 345 | # 346 | alert tcp any any -> any 38080 (msg:"ETPRO SCADA Iconics Genesis SCADA Integer Overflow 0x5304"; flow:to_server,established; content:"|01 00 00 15 00 00 00 01 00 00 1F F4 01 00 00 00|"; content:"|53 04|"; distance:4; within:2; isdataat:1024; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111662; rev:1;) 
347 | # 348 | # CVE 20xx-xxx: Iconics Genesis SCADA Integer Overflow 0x04b0 349 | # 350 | alert tcp any any -> any 38080 (msg:"ETPRO SCADA Iconics Genesis SCADA Integer Overflow 0x04b0"; flow:to_server,established; content:"|01 00 00 15 00 00 00 01 00 00 1F F4 01 00 00 00|"; content:"|B0 04|"; distance:4; within:2; isdataat:1024; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111663; rev:1;) 351 | # 352 | # CVE 20xx-xxx: Iconics Genesis SCADA Integer Overflow 0x04b2 353 | # 354 | alert tcp any any -> any 38080 (msg:"ETPRO SCADA Iconics Genesis SCADA Integer Overflow 0x04b2"; flow:to_server,established; content:"|01 00 00 15 00 00 00 01 00 00 1F F4 01 00 00 00|"; content:"|B2 04|"; distance:4; within:2; isdataat:1024; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111664; rev:1;) 355 | # 356 | # CVE 20xx-xxx: Iconics Genesis SCADA Integer Overflow 0x04b5 357 | # 358 | alert tcp any any -> any 38080 (msg:"ETPRO SCADA Iconics Genesis SCADA Integer Overflow 0x04b5"; flow:to_server,established; content:"|01 00 00 15 00 00 00 01 00 00 1F F4 01 00 00 00|"; content:"|B5 04|"; distance:4; within:2; isdataat:1024; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111665; rev:1;) 359 | # 360 | # CVE 20xx-xxx: Iconics Genesis SCADA Integer Overflow 0x7d0 361 | # 362 | alert tcp any any -> any 38080 (msg:"ETPRO SCADA Iconics Genesis SCADA Integer Overflow 0x7d0"; flow:to_server,established; content:"|01 00 00 15 00 00 00 01 00 00 1F F4 01 00 00 00|"; content:"|d0 07|"; distance:4; within:2; isdataat:1024; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111666; rev:1;) 363 | # 364 | # CVE 20xx-xxx: Iconics Genesis SCADA Integer Overflow 0xdae 365 | # 366 | alert tcp any any -> any 38080 (msg:"ETPRO SCADA Iconics Genesis SCADA Integer Overflow 0xdae"; flow:to_server,established; 
content:"|01 00 00 15 00 00 00 01 00 00 1F F4 01 00 00 00|"; content:"|ae 0d|"; distance:4; within:2; isdataat:1024; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111667; rev:1;) 367 | # 368 | # CVE 20xx-xxx: Iconics Genesis SCADA Integer Overflow 0xfa4 369 | # 370 | alert tcp any any -> any 38080 (msg:"ETPRO SCADA Iconics Genesis SCADA Integer Overflow 0xfa4"; flow:to_server,established; content:"|01 00 00 15 00 00 00 01 00 00 1F F4 01 00 00 00|"; content:"|a4 0f|"; distance:4; within:2; isdataat:1024; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111668; rev:1;) 371 | # 372 | # CVE 20xx-xxx: Iconics Genesis SCADA Integer Overflow 0xfa7 373 | # 374 | alert tcp any any -> any 38080 (msg:"ETPRO SCADA Iconics Genesis SCADA Integer Overflow 0xfa7"; flow:to_server,established; content:"|01 00 00 15 00 00 00 01 00 00 1F F4 01 00 00 00|"; content:"|a7 0f|"; distance:4; within:2; isdataat:1024; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111669; rev:1;) 375 | # 376 | # CVE 20xx-xxx: Iconics Genesis SCADA Integer Overflow 0x1bbc 377 | # 378 | alert tcp any any -> any 38080 (msg:"ETPRO SCADA Iconics Genesis SCADA Integer Overflow 0x1bbc"; flow:to_server,established; content:"|01 00 00 15 00 00 00 01 00 00 1F F4 01 00 00 00|"; content:"|bc 1b|"; distance:4; within:2; isdataat:1024; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111670; rev:1;) 379 | # 380 | # CVE 20xx-xxx: Iconics Genesis SCADA Integer Overflow 0x1c84 381 | # 382 | alert tcp any any -> any 38080 (msg:"ETPRO SCADA Iconics Genesis SCADA Integer Overflow 0x1c84"; flow:to_server,established; content:"|01 00 00 15 00 00 00 01 00 00 1F F4 01 00 00 00|"; content:"|84 1c|"; distance:4; within:2; isdataat:1024; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; 
sid:1111671; rev:1;) 383 | # 384 | # CVE 20xx-xxx: Iconics Genesis SCADA Integer Overflow 0x26ac 385 | # 386 | alert tcp any any -> any 38080 (msg:"ETPRO SCADA Iconics Genesis SCADA Integer Overflow 0x26ac"; flow:to_server,established; content:"|01 00 00 15 00 00 00 01 00 00 1F F4 01 00 00 00|"; content:"|ac 26|"; distance:4; within:2; isdataat:1024; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111672; rev:1;) 387 | # 388 | # CVE 20xx-xxx: Siemens Tecnomatix FactoryLink CSService CSMSG path Buffer Overflow 389 | # 390 | alert tcp any any -> any 7580 (msg:"ETPRO SCADA Siemens Tecnomatix FactoryLink CSService CSMSG path Buffer Overflow"; flow:to_server,established; content:"LEN|00|"; depth:4; byte_test:4,>,1028,0,little; content:"|99|"; distance:8; within:1; content:"|99 00 00 00 06 00 00 00 03 06|"; distance:0; byte_test:4,>,1024,0,big; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111673; rev:1;) 391 | # 392 | # CVE 20xx-xxx: Siemens Tecnomatix FactoryLink CSService CSMSG filter Buffer Overflow 393 | # 394 | alert tcp any any -> any 7580 (msg:"ETPRO SCADA Siemens Tecnomatix FactoryLink CSService CSMSG filter Buffer Overflow"; flow:to_server,established; content:"LEN|00|"; depth:4; byte_test:4,>,1024,0,little; content:"|99|"; distance:8; within:1; content:"|99 00 00 00 06 00 00 00 03 06|"; distance:0; byte_test:4,<,1029,0,big; byte_jump:4,0,big,relative; content:"|06|"; distance:0; within:1; byte_test:4,>,1024,0,big; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111674; rev:1;) 395 | # 396 | # CVE 20xx-xxx: Siemens Tecnomatix FactoryLink CSService GetFile path Buffer Overflow 397 | # 398 | alert tcp any any -> any 7580 (msg:"ETPRO SCADA Siemens Tecnomatix FactoryLink CSService GetFile path Buffer Overflow"; flow:to_server,established; content:"LEN|00|"; depth:4; byte_test:4,>,1028,0,little; content:"|99|"; 
distance:8; within:1; content:"|99 00 00 00 08 00 00 00 02 06|"; distance:0; byte_test:4,>,1024,0,big; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111675; rev:1;) 399 | # 400 | # CVE 20xx-xxx: Siemens Tecnomatix FactoryLink CSService GetFileInfo path Buffer Overflow 401 | # 402 | alert tcp any any -> any 7580 (msg:"ETPRO SCADA Siemens Tecnomatix FactoryLink CSService GetFileInfo path Buffer Overflow"; flow:to_server,established; content:"LEN|00|"; depth:4; byte_test:4,>,1028,0,little; content:"|99|"; distance:8; within:1; content:"|99 00 00 00 0a 00 00 00 01 06|"; distance:0; byte_test:4,>,1024,0,big; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111676; rev:1;) 403 | # 404 | # CVE 20xx-xxx: Siemens Tecnomatix FactoryLink CSService CSMSG path possible file download 405 | # 406 | alert tcp any any -> any 7580 (msg:"ETPRO SCADA Siemens Tecnomatix FactoryLink CSService CSMSG path possible file download"; flow:to_server,established; content:"LEN|00|"; depth:4; content:"|99|"; distance:8; within:1; content:"|99 00 00 00 06 00 00 00 03 06|"; pcre:"/^.{8}([A-Z]\x00?\x3a\x00?\x5c\x00?\x5c\x00?|\x2e\x00?\x2e\x00?\x5c\x00?)/Ri"; classtype:attempted-recon; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111677; rev:1;) 407 | # 408 | # CVE 20xx-xxx: Siemens Tecnomatix FactoryLink CSService CSMSG filter possible file download 409 | # 410 | alert tcp any any -> any 7580 (msg:"ETPRO SCADA Siemens Tecnomatix FactoryLink CSService CSMSG filter possible file download"; flow:to_server,established; content:"LEN|00|"; depth:4; content:"|99|"; distance:8; within:1; content:"|99 00 00 00 06 00 00 00 03 06|"; byte_test:4,<,1029,0,big; byte_jump:4,0,big,relative; content:"|06|"; distance:0; within:1; pcre:"/^.{8}([A-Z]\x00?\x3a\x00?\x5c\x00?\x5c\x00?|\x2e\x00?\x2e\x00?\x5c\x00?)/Ri"; classtype:attempted-user; 
reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111678; rev:1;) 411 | # 412 | # CVE 20xx-xxx: Siemens Tecnomatix FactoryLink CSService GetFile possible file download 413 | # 414 | alert tcp any any -> any 7580 (msg:"ETPRO SCADA Siemens Tecnomatix FactoryLink CSService GetFile possible file download"; flow:to_server,established; content:"LEN|00|"; depth:4; content:"|99|"; distance:8; within:1; content:"|99 00 00 00 08 00 00 00 02 06|"; pcre:"/^.{8}([A-Z]\x00?\x3a\x00?\x5c\x00?\x5c\x00?|\x2e\x00?\x2e\x00?\x5c\x00?)/Ri"; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111679; rev:1;) 415 | # 416 | # CVE 20xx-xxx: Siemens Tecnomatix FactoryLink CSService GetFileInfo possible file download 417 | # 418 | alert tcp any any -> any 7580 (msg:"ETPRO SCADA Siemens Tecnomatix FactoryLink CSService GetFileInfo possible file download"; flow:to_server,established; content:"LEN|00|"; depth:4; content:"|99|"; distance:8; within:1; content:"|99 00 00 00 0a 00 00 00 01 06|"; pcre:"/^.{8}([A-Z]\x00?\x3a\x00?\x5c\x00?\x5c\x00?|\x2e\x00?\x2e\x00?\x5c\x00?)/Ri"; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111680; rev:1;) 419 | # 420 | # 421 | # 422 | # 423 | # The following five rules were developed in response to ICSA-11-273-03 Rockwell RSLogix Denial of Service Vulnerability. They were developed by NitroSecurity in 424 | # partnership with Rockwell Automation and graciously donated to the Quickdraw SCADA IDS. 425 | # 426 | # Note 1: In addition to identifying the denial of service attack on the RSLogix and FactoryTalk vulnerability, these signatures will also identify out of spec 427 | # behavior that could be used in other attacks. 428 | # 429 | # Note 2: You need to add the following variable, 44818 to the conf file. 
430 | # 431 | # 44818 = [1330,1331,1332,4241,4242,4445,4446,5241,6543,9111,60093,49281] 432 | # 433 | # NOTE(review): sids 1111681-1111685 use flow:to_server without ",established", so they are evaluated on client-bound packets regardless of session state; append ",established" if that proves noisy. 434 | # Check for Large Header Length 435 | # 436 | alert tcp any any -> any 44818 (msg:"Rockwell RNA Message Large Header Length - 8Kb"; flow:to_server; content:"rna|f2|"; byte_test:4,>,0x2000,0,relative,little; classtype:attempted-dos; sid:1111681; rev:1;) 437 | # 438 | # Check for Negative Header Length 439 | # 440 | alert tcp any any -> any 44818 (msg:"Rockwell RNA Message Negative Header Length"; flow:to_server; content:"rna|f2|"; byte_test:1,&,0x80,3,relative,little; classtype:attempted-dos; sid:1111682; rev:1;) 441 | # 442 | # Check for Large Body Length 443 | # 444 | alert tcp any any -> any 44818 (msg:"Rockwell RNA Message Large Body Length - 8Mb"; flow:to_server; content:"rna|f2|"; byte_jump:4,0,relative,little; byte_test:4,>,0x800000,0,relative,little; classtype:attempted-dos; sid:1111683; rev:1;) 445 | # 446 | # Check for Negative Body Length 447 | # 448 | alert tcp any any -> any 44818 (msg:"Rockwell RNA Message Negative Body Length"; flow:to_server; content:"rna|f2|"; byte_jump:4,0,relative,little; byte_test:1,&,0x80,3,relative,little; classtype:attempted-dos; sid:1111684; rev:1;) 449 | # 450 | # Ensure Null Terminated Header 451 | # 452 | alert tcp any any -> any 44818 (msg:"Rockwell RNA Message Header Not Null Terminated"; flow:to_server; content:"rna|f2|"; byte_jump:4,0,relative,little; content:!"|00|"; distance:-1; within:1; classtype:attempted-dos; sid:1111685; rev:1;) 453 | # 454 | # 455 | # 456 | # The following six rules were developed and donated to Quickdraw by Rockwell Automation in response to vulnerabilities identified in Project Basecamp. 457 | # 458 | # 459 | # Attack: Forcing a CPU Stop 460 | # Impact: Stops the CPU, leaving it in a 'Major recoverable fault' state. In order to clear the fault the key needs to be turned manually from RUN to PROG twice. 
461 | # // CIP - Unconnected send – CM via 0x52 462 | # // Service: 0x7 (STOP) 463 | # // Class: 0x64 unsigned char packetCPUStop[]= 464 | # "\x00\x00\x00\x00\x02\x00\x02\x00\x00\x00\x00\x00\xb2\x00\x1a\x00" 465 | # "\x52\x02\x20\x06\x24\x01\x03\xf0\x0c\x00\x07\x02\x20\x64\x24\x01" 466 | # "\xDE\xAD\xBE\xEF\xCA\xFE\x01\x00\x01\x00"; 467 | # 468 | alert tcp any any -> any 44818 (msg:"ROCKWELL Automation ControlLogix Denial of Service (CPU Stop)"; flow:to_server; content:"|6f 00|"; offset:0; depth:2; content:"|00 00 00 00|"; distance:22; within:4; byte_extract:2,2,count,relative,multiplier 4,little; content:"|b2 00|"; distance:0; within:count; content:"|52|"; distance:2; within:1; byte_jump:1,0,relative,multiplier 2; content:"|07|"; distance:4; within:1; classtype:attempted-dos; reference:osvdb,78489; reference:secunia,47737; sid:1111686; rev:1;) 469 | # 470 | # Attack: Crash CPU 471 | # Impact: Crashes the CPU due to a malformed request, leaving it in a 'Major recoverable fault' state. In order to clear the fault the key needs to be turned manually from RUN to PROG twice. 
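472 | # // CIP - Unconnected send – CM via 0x52 473 | # // Service: 0xa Multiple service packet 474 | # // Class: 0x2 Message Router unsigned char packetCrashCPU[]= 475 | # "\x00\x00\x00\x00\x02\x00\x02\x00\x00\x00\x00\x00\xb2\x00\x1a\x00" 476 | # "\x52\x02\x20\x06\x24\x01\x03\xf0\x0c\x00\x0a\x02\x20\x02\x24\x01" 477 | # "\xf4\xf0\x09\x09\x88\x04\x01\x00\x01\x00"; 478 | # 479 | alert tcp any any -> any 44818 (msg:"ROCKWELL Automation ControlLogix Denial of Service (Crash CPU)"; flow:to_server; content:"|6f 00|"; offset:0; depth:2; content:"|00 00 00 00|"; distance:22; within:4; byte_extract:2,2,count,relative,multiplier 4,little; content:"|b2 00|"; distance:0; within:count; content:"|52|"; distance:2; within:1; byte_jump:1,0,relative,multiplier 2; content:"|0a|"; distance:4; within:1; classtype:attempted-dos; reference:osvdb,78486; reference:secunia,47737; sid:1111687; rev:1;) 480 | # 481 | # Attack: Dump 1756-ENBT's module boot code 482 | # Impact: A 'curious' undocumented service that allows remote dumping of the EtherNET/IP module's boot code 483 | # // CIP - Unconnected send 484 | # // Service: 0x97 485 | # // Class: 0xc0 unsigned char packetDump[]= 486 | # "\x00\x00\x00\x00\x00\x04\x02\x00\x00\x00\x00\x00\xb2\x00\x08\x00" 487 | # "\x97\x02\x20\xc0\x24\x00\x00\x00"; 488 | # A boot-code dump is information disclosure, so the rule is classed attempted-recon; rev 1 was the only Rockwell rule in this set with no classtype, which left it at the default priority. 489 | alert tcp any any -> any 44818 (msg:"ROCKWELL Automation ControlLogix EtherNET/IP modules boot code dump (Dump)"; flow:to_server; content:"|6f 00|"; offset:0; depth:2; content:"|00 00 00 00|"; distance:22; within:4; byte_extract:2,2,count,relative,multiplier 4,little; content:"|b2 00|"; distance:0; within:count; content:"|97 02 20 c0 24|"; distance:2; within:5; classtype:attempted-recon; reference:osvdb,78490; reference:secunia,47737; sid:1111688; rev:2;) 490 | # 491 | # Attack: Reset 1756-ENBT module 492 | # Impact: Resets the EtherNET/IP module. 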
493 | # // CIP - Unconnected send 494 | # // Service: 0x5 (RESET) 495 | # // Class: 0x01 (Identity Manager) unsigned char packetResetEth[]= 496 | # "\x00\x00\x00\x00\x00\x04\x02\x00\x00\x00\x00\x00\xb2\x00\x08\x00" 497 | # "\x05\x03\x20\x01\x24\x01\x30\x03"; 498 | # 499 | alert tcp any any -> any 44818 (msg:"ROCKWELL Automation ControlLogix EtherNET/IP reset command Denial Of Service (ResetEth)"; flow:to_server; content:"|6f 00|"; offset:0; depth:2; content:"|00 00 00 00|"; distance:22; within:4; byte_extract:2,2,count,relative,multiplier 4,little; content:"|b2 00|"; distance:0; within:count; content:"|05|"; distance:2; within:1; content:"|20 01|"; distance:1; within:2; classtype:attempted-dos; reference:osvdb,78491; reference:secunia,47737; sid:1111689; rev:1;) 500 | # 501 | # Attack: Crash 1756-ENBT module 502 | # Impact: Crashes the module due to a vulnerability in the CIP stack 503 | # (ci_ParseSegment function) so other packets can also trigger this 504 | # flaw. 505 | # // CIP - Unconnected send 506 | # // Service: 0xe ( Get Attribute Single) 507 | # // Class: 0xF5 (TCP/IP) [Others can be possible] unsigned char packetCrashEth[]= 508 | # "\x00\x00\x00\x00\x20\x00\x02\x00\x00\x00\x00\x00\xb2\x00\x0c\x00" 509 | # "\x0e\x03\x20\xf5\x24\x01\x10\x43\x24\x01\x10\x43"; 510 | # 511 | alert tcp any any -> any 44818 (msg:"ROCKWELL Automation ControlLogix Crash 1756-ENBT module (CrashEth)"; flow:to_server; content:"|6f 00|"; offset:0; depth:2; content:"|00 00 00 00|"; distance:22; within:4; byte_extract:2,2,count,relative,multiplier 4,little; content:"|b2 00|"; distance:0; within:count; content:"|0e|"; distance:2; within:1; content:"|20 f5|"; distance:1; within:2; classtype:attempted-admin; reference:osvdb,78487; reference:secunia,47737; sid:1111690; rev:1;) 512 | # 513 | # Attack: Flash Update 514 | # Impact: Initialize the device to update the firmware. 
515 | # // CIP - Unconnected send 516 | # // Service: 0x4b ( NV_UPDATE – vendor-specific name extracted from firmware ) 517 | # // Class: 0xA1 (Non-Volatile Object – vendor-specific name extracted from firmware) 518 | # // After issuing this service we would load our own firmware via the service code 0x4d (nv_transfer) unsigned char packetFlashUp[]= 519 | # "\x00\x00\x00\x00\x05\x00\x02\x00\x00\x00\x00\x00\xb2\x00\x16\x00" 520 | # "\x4b\x02\x20\xa1\x24\x01\x05\x99\x07\x00\x4f\x02\x20\x37\x24\xc8" 521 | # "\x00\x00\x01\x00\x01\x00"; 522 | # 523 | alert tcp any any -> any 44818 (msg:"ROCKWELL Automation ControlLogix EtherNET/IP Initialize the device to update the firmware (FlashUp)"; flow:to_server; content:"|6f 00|"; offset:0; depth:2; content:"|00 00 00 00|"; distance:22; within:4; byte_extract:2,2,count,relative,multiplier 4,little; content:"|b2 00|"; distance:0; within:count; content:"|4b|"; distance:2; within:1; content:"|20 a1|"; distance:1; within:2; classtype:attempted-admin; reference:osvdb,78492; reference:secunia,47737; sid:1111691; rev:1;) --------------------------------------------------------------------------------