#
#
# $Id: scada_all.rules,v 0.1,
#----------
# scada_all RULES
# ICS protocol / ICS software communication identification and filter rules
# Siemens S7 TCP 102
# Modbus Tcp 502
#
#
#
#
#
#----------
# Siemens S7 Filter rules
#----------
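# Byte positions used by the S7 rules below (all on tcp/102):
#   offset 0  : |03 00|       - leading bytes of the ISO-on-TCP (TPKT) header
#   offset 7  : |32 xx ..|    - S7 protocol id 0x32 followed by the message type (01 / 07)
#   offset 17 : first byte of the S7 parameter block, i.e. the function code
# The 17-byte prefix is presumably TPKT (4) + COTP (3) + S7 header (10) - confirm against captures.
# NOTE(review): none of these rules carries a flow: option, so they are evaluated on every
# packet towards tcp/102, not only inside an established client->server stream; adding
# flow:to_server,established would reduce noise without touching the byte checks.
#
# Read-only / session-setup requests are intentionally left disabled (sid 1-6, 19).
#alert tcp any any -> any 102 (msg:"COTP CR Connect Request";content:"|03 00|";offset:0;depth:2;content:"|e0 00 00|";offset:5;depth:3;sid:1;)
#alert tcp any any -> any 102 (msg:"S7 Setup communication";content:"|03 00|";offset:0;depth:2;content:"|32 01 00|";offset:7;depth:3;content:"|f0|";offset:17;depth:1;sid:2;)
#alert tcp any any -> any 102 (msg:"Read SZL";content:"|03 00|";offset:0;depth:2;content:"|32 07 00|";offset:7;depth:3;content:"|00 01 12 04 11 44 01 00|";offset:17;depth:8;sid:3;)
#alert tcp any any -> any 102 (msg:"Read SZL ID=0x0011";content:"|03 00|";offset:0;depth:2;content:"|32 07 00|";offset:7;depth:3;content:"|00 01 12 04 11 44 01 00|";offset:17;depth:8;content:"|11 00|";offset:30;depth:2;sid:4;)
#alert tcp any any -> any 102 (msg:"Read SZL ID=0x001c";content:"|03 00|";offset:0;depth:2;content:"|32 07 00|";offset:7;depth:3;content:"|00 01 12 04 11 44 01 00|";offset:17;depth:8;content:"|1c 00|";offset:30;depth:2;sid:5;)
#alert tcp any any -> any 102 (msg:"Request Time functions/Read clock";content:"|03 00|";offset:0;depth:2;content:"|32 07 00|";offset:7;depth:3;content:"|00 01 12 04 11 47 01 00|";offset:17;depth:8;sid:6;)
# State-changing userdata requests (message type 07): set clock, set session password.
alert tcp any any -> any 102 (msg:"Request Time functions/Set clock";content:"|03 00|";offset:0;depth:2;content:"|32 07 00|";offset:7;depth:3;content:"|00 01 12 04 11 47 02 00|";offset:17;depth:8;sid:7;)
alert tcp any any -> any 102 (msg:"Request Security functions/Set PLC session password";content:"|03 00|";offset:0;depth:2;content:"|00 01 12 04 11 45 01 00|";offset:17;depth:8;sid:8;)
# CPU control requests. These match on the parameter block alone (no TPKT/offset anchor):
# 0x29 = PLC Stop, 0x28 = PLC Control; the trailing bytes spell "P_PROGRAM" / "P_PRO" and,
# for the cold restart, "C " before it.
alert tcp any any -> any 102 (msg:"Request CPU functions/Set PLC CPU STOP";content:"|29 00 00 00 00 00 09 50 5f 50 52 4f 47 52 41 4d|";sid:9;)
alert tcp any any -> any 102 (msg:"Request CPU functions/Set PLC CPU Hot Restart";content:"|28 00 00 00 00 00 00 fd 00 00 09 50 5f 50 52 4f|";sid:10;)
alert tcp any any -> any 102 (msg:"Request CPU functions/Set PLC CPU Cold Restart";content:"|28 00 00 00 00 00 00 fd 00 02 43 20 09 50 5f 50 52 4f 47 52 41 4d|";sid:11;)
# Job requests (message type 01) by function code at offset 17:
#   05 write var, 1a-1c download (request / block / ended), 1d-1f upload (start / data / end).
alert tcp any any -> any 102 (msg:"Write Var";content:"|03 00|";offset:0;depth:2;content:"|32 01|";offset:7;depth:2;content:"|05|";offset:17;depth:1;sid:12;)
alert tcp any any -> any 102 (msg:"Request download";content:"|03 00|";offset:0;depth:2;content:"|32 01|";offset:7;depth:2;content:"|1a|";offset:17;depth:1;sid:13;)
alert tcp any any -> any 102 (msg:"Download block";content:"|03 00|";offset:0;depth:2;content:"|32 01|";offset:7;depth:2;content:"|1b|";offset:17;depth:1;sid:14;)
alert tcp any any -> any 102 (msg:"Download ended";content:"|03 00|";offset:0;depth:2;content:"|32 01|";offset:7;depth:2;content:"|1c|";offset:17;depth:1;sid:15;)
alert tcp any any -> any 102 (msg:"Start upload";content:"|03 00|";offset:0;depth:2;content:"|32 01|";offset:7;depth:2;content:"|1d|";offset:17;depth:1;sid:16;)
alert tcp any any -> any 102 (msg:"Upload";content:"|03 00|";offset:0;depth:2;content:"|32 01|";offset:7;depth:2;content:"|1e|";offset:17;depth:1;sid:17;)
alert tcp any any -> any 102 (msg:"End upload";content:"|03 00|";offset:0;depth:2;content:"|32 01|";offset:7;depth:2;content:"|1f|";offset:17;depth:1;sid:18;)
#alert tcp any any -> any 102 (msg:"PLC Control";content:"|03 00|";offset:0;depth:2;content:"|32 01|";offset:7;depth:2;content:"|28|";offset:17;depth:1;sid:19;)
# Block delete: |05 5f 44 45 4c 45| is "\x05_DELE". A ';' was missing between depth:2 and the
# second content: option, which made sid 20 unparsable (and therefore silently absent).
alert tcp any any -> any 102 (msg:"Delet block";content:"|03 00|";offset:0;depth:2;content:"|05 5f 44 45 4c 45|";sid:20;)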
#
#----------
# Modbus Filter rules
#----------
# Modbus/TCP (tcp/502) request identification. Each rule pins two bytes:
#   offset 2, depth 2 : |00 00| - the MBAP protocol identifier (0 = Modbus)
#   offset 7, depth 1 : the function code, first byte after the 7-byte MBAP header
# Only write / diagnostic / identification function codes are alerted on; plain reads
# (01-04) are not covered here. Option spacing is normalised throughout.
# NOTE(review): like the S7 rules, these have no flow: option and therefore also
# evaluate packets that are not part of an established client->server session.
alert tcp any any -> any 502 (msg:"Modbus TCP/Write Single Coil"; content:"|00 00|"; depth:2; offset:2; content:"|05|"; depth:1; offset:7; sid:100;)
alert tcp any any -> any 502 (msg:"Modbus TCP/Write Single Register"; content:"|00 00|"; depth:2; offset:2; content:"|06|"; depth:1; offset:7; sid:101;)
alert tcp any any -> any 502 (msg:"Modbus TCP/Read Exception Status"; content:"|00 00|"; depth:2; offset:2; content:"|07|"; depth:1; offset:7; sid:102;)
alert tcp any any -> any 502 (msg:"Modbus TCP/Diagnostics Device"; content:"|00 00|"; depth:2; offset:2; content:"|08|"; depth:1; offset:7; sid:103;)
alert tcp any any -> any 502 (msg:"Modbus TCP/Write Multiple Coils"; content:"|00 00|"; depth:2; offset:2; content:"|0f|"; depth:1; offset:7; sid:104;)
alert tcp any any -> any 502 (msg:"Modbus TCP/Write Multiple registers"; content:"|00 00|"; depth:2; offset:2; content:"|10|"; depth:1; offset:7; sid:105;)
alert tcp any any -> any 502 (msg:"Modbus TCP/Write File Record"; content:"|00 00|"; depth:2; offset:2; content:"|15|"; depth:1; offset:7; sid:106;)
alert tcp any any -> any 502 (msg:"Modbus TCP/Mask Write Register"; content:"|00 00|"; depth:2; offset:2; content:"|16|"; depth:1; offset:7; sid:107;)
alert tcp any any -> any 502 (msg:"Modbus TCP/Read/Write Multiple registers"; content:"|00 00|"; depth:2; offset:2; content:"|17|"; depth:1; offset:7; sid:108;)
alert tcp any any -> any 502 (msg:"Modbus TCP/Read Device Identification"; content:"|00 00|"; depth:2; offset:2; content:"|2B|"; depth:1; offset:7; sid:109;)
# Schneider / Unity Pro traffic uses vendor function code 0x5a (90). The sub-function is
# taken from the data following the function code (offset 8, 9 or 17 depending on the request).
alert tcp any any -> any 502 (msg:"Schneider PLC(Quantumn) uses function code 90 for communications the Unity pro software/Request Memory Card ID"; content:"|00 00|"; depth:2; offset:2; content:"|5a|"; depth:1; offset:7; content:"|00 06 06|"; depth:3; offset:8; sid:110;)
#alert tcp any any -> any 502 (msg:"Schneider PLC(Quantumn) uses function code 90 for communications the Unity pro software/Request CPU Module info";content:"|00 00|";offset:2;depth:2;content:"|5a|";offset:7;depth:1;content:"|00 02|";offset:8;depth:2;dsize:10;sid:111;)
alert tcp any any -> any 502 (msg:"Schneider PLC(Quantumn) uses function code 90 for communications the Unity pro software/Request Project Project file name"; content:"|00 00|"; depth:2; offset:2; content:"|5a|"; depth:1; offset:7; content:"|f6 00|"; depth:2; offset:17; sid:112;)
alert tcp any any -> any 502 (msg:"Schneider PLC(Quantumn) uses function code 90 for communications the Unity pro software/Request Project Information(Revision and Last Modified)"; content:"|00 00|"; depth:2; offset:2; content:"|5a|"; depth:1; offset:7; content:"|03 00|"; depth:2; offset:17; sid:113;)
# CPU stop / restart through the vendor function code: sub-function byte at offset 9.
alert tcp any any -> any 502 (msg:"Schneider PLC(Quantumn) uses function code 90 for communications the Unity pro software/Set PLC CPU STOP"; content:"|00 00|"; depth:2; offset:2; content:"|5a|"; depth:1; offset:7; content:"|40|"; depth:1; offset:9; sid:114;)
alert tcp any any -> any 502 (msg:"Schneider PLC(Quantumn) uses function code 90 for communications the Unity pro software/Set PLC CPU Restart"; content:"|00 00|"; depth:2; offset:2; content:"|5a|"; depth:1; offset:7; content:"|41|"; depth:1; offset:9; sid:115;)
#
#----------
# IEC60870-5-104 Filter rules
#----------
#
#
#----------
# Vulnerabilities Filter rules
#----------
#
#-------------
# CODESYS SCADA RULES
#-------------
# CODESYS Gateway-Server, tcp/1210-1211, CVE-2012-4705 (ICSA-13-050-01). All three rules
# anchor on the |DD DD| marker in the first two bytes of the client request.
# sid 26415: explicit "..\..\WINDOWS\system32\wbem\mof\" path in the request.
alert tcp any any -> any [1210,1211] (msg:"SCADA CODESYS Gateway-Server directory traversal attempt"; flow:to_server,established; content:"|DD DD|"; depth:2; content:"..|5C|..|5C|WINDOWS|5C|system32|5C|wbem|5C|mof|5C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:bugtraq,58032; reference:cve,2012-4705; reference:url,ics-cert.us-cert.gov/pdf/ICSA-13-050-01-a.pdf; classtype:attempted-admin; sid:26415; rev:6;)
# sid 26414: traversal prefix followed by an "MZ" header whose e_lfanew (4 bytes at +58) points
# at a "PE\0\0" signature, i.e. a Windows executable being written through the gateway.
alert tcp any any -> any [1210,1211] (msg:"SCADA CODESYS Gateway-Server executable file upload attempt"; flow:to_server,established; content:"|DD DD|"; depth:2; content:"..|5C|..|5C|"; distance:0; content:"MZ"; distance:0; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; distance:-64; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:bugtraq,58032; reference:cve,2012-4705; reference:url,ics-cert.us-cert.gov/pdf/ICSA-13-050-01-a.pdf; classtype:attempted-admin; sid:26414; rev:6;)
# sid 26488: generic variant - two ".." pairs at a fixed distance from the marker, independent
# of the path that follows.
alert tcp any any -> any [1210,1211] (msg:"SCADA CODESYS Gateway-Server directory traversal attempt"; flow:to_server,established; content:"|DD DD|"; depth:2; content:".."; within:3; distance:20; content:".."; within:2; distance:1; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:bugtraq,58032; reference:cve,2012-4705; reference:url,ics-cert.us-cert.gov/pdf/ICSA-13-050-01-a.pdf; classtype:attempted-admin; sid:26488; rev:5;)
# Disabled: sid 29504 (Schneider IGSS, CVE-2013-0657) and sid 29965 (Tri PLC Nano 10,
# CVE-2013-2784). sid 29965 uses modbus_func/modbus_data, which need the engine's Modbus
# preprocessor/app-layer parser - presumably the reason it is commented out.
# alert tcp any any -> any [12397,12399] (msg:"SCADA Schneider Electric IGSS integer underflow attempt"; flow:to_server,established; content:"|9E 19 00 00 49 A1 00 00 EF 03 00 00 70 4E 42 73 48 4A 53 59 62 70 58 61 6D 73 64 78 73 54 70 62|"; metadata:policy security-ips drop; reference:cve,2013-0657; classtype:attempted-user; sid:29504; rev:1;)
# alert tcp any any -> any 502 (msg:"SCADA Tri PLC Nano 10 PLC denial of service attempt"; flow:to_server,established; content:"|00 06|"; depth:2; offset:4; modbus_func:1; modbus_data; content:"|00 00|"; depth:2; offset:2; reference:cve,2013-2784; classtype:denial-of-service; sid:29965; rev:1;)
# sid 30562: Yokogawa CENTUM CS 3000 (tcp/20171), CVE-2014-0783 - matches a fixed byte sequence
# from the published exploit payload; fast_pattern:only means it is matched by the
# fast-pattern engine alone.
alert tcp any any -> any 20171 (msg:"SCADA Yokogawa CENTUM CS 3000 stack buffer overflow attempt"; flow:to_server,established; content:"|64 A1 18 00 00 00 83 C0 08 8B 20 81 C4 30 F8 FF FF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop; reference:cve,2014-0783; reference:url,www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf; classtype:attempted-admin; sid:30562; rev:1;)
#-------------
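#-------------
# A verbatim second copy of the "CODESYS SCADA RULES" section used to follow here
# (sids 26415, 26414, 26488, 30562 active; 29504, 29965 disabled). It duplicated the
# section above byte for byte, and loading the same gid:sid:rev twice is reported as a
# duplicate-signature error by Snort and Suricata, so the copy has been removed.
#-------------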
#-----------------------------
#
# CVE 2008-2639: CitectSCADA ODBC Overflow Attempt
#
alert tcp any any -> any 20222 (msg:"CitectSCADA ODBC Overflow Attempt"; flow:established,to_server; byte_test:4,>,399,0; dsize:4; reference:cve, CVE-2008-2639; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111601; rev:2; priority:1;)
#
# CVE-2008-2005: WonderWare SuiteLink DOS Attempt
#
alert tcp any any -> any 5413 (msg:"WonderWare SuiteLink DOS Attempt"; flow:established,to_server; byte_test:4,>,2742,56,little; reference:cve, CVE-2008-2005; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111602; rev:2; priority:1;)
#
# CVE-2008-4322: RealWin INFOTAG/SET_CONTROL Packet Processing Buffer Overflow
#
alert tcp any any -> any 910 (msg:"RealWin INFOTAG/SET_CONTROL Packet Processing Buffer Overflow"; content:"|10 23 54 67|"; depth:4; byte_test:4,>,739,0,little,relative; flow:established,to_server; reference:cve, CVE-2008-4322; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111603; rev:2; priority:1;)
#
# ICS A-10-314-01A: ClearSCADA Heap Overflow Attempt
#
alert tcp any any -> any 5481 (msg:"ClearSCADA Heap Overflow Attempt"; flow:established,to_server; dsize:>500; content: "|a7 0d 44 06 10 00 00 00 08 00 00 00|"; depth: 12; isdataat: 1000; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111604; rev:1; priority:1;)
#
# ICS A-10-314-01A: ClearSCADA Cross-site Scripting Attempt
# sid:1111605 In Development
#
# ICS A-10-314-01A: ClearSCADA Insecure Web Authentication Attempt
# sid:1111606 In Development
#
# CVE 2010-4557: Wonderware InBatch Buffer Overflow Attempt
#
alert tcp any any -> any 9001 (msg:"Wonderware InBatch Buffer Overflow Attempt"; flow:established,to_server; content:"|00 00 4b 14 00 00 00 00 00 00 00 01 00 00 00 00 00 01 00 00|"; depth:20; isdataat: 151; reference:cve, CVE-2010-4557; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111607; rev:1; priority:1;)
#
# CVE 2011-0517: Sielco Sistemi WinLog Stack Overflow Attempt
#
alert tcp any any -> any 46823 (msg:"Sielco Sistemi WinLog Stack Overflow Attempt"; flow:established,to_server; content:"|02 01 01|"; depth:3; isdataat: 61; reference:cve, CVE-2011-0517; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111608; rev:1; priority:1;)
#
# CVE 2010-4598: Ecava IntegraXor Directory Traversal Attempt
#
alert tcp any any -> any 7131 (msg:"Ecava IntegraXor Directory Traversal Attempt"; flow:established,to_server; uricontent: "open?filename"; reference:cve, CVE-2010-4598; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111609; rev:1; priority:2;)
#
# CVE-2010-4142: RealWin HMI Service Buffer Overflow 1
#
alert tcp any any -> any 912 (msg:"RealWin HMI Service Buffer Overflow Attempt 1"; flow:established,to_server; content:"|64 12 54 6a 02 00 00 00|"; depth:8; byte_test:4,>,739,0,little,relative; reference:cve, CVE-2010-4142; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111610; rev:1; priority:1;)
#
# CVE-2010-4142: RealWin HMI Service Buffer Overflow 2
#
alert tcp any any -> any 912 (msg:"RealWin HMI Service Buffer Overflow Attempt 2"; flow:established,to_server; content:"|64 12 54 6a 20 00 00 00|"; depth:8; byte_test:4,>,739,0,little,relative; reference:cve, CVE-2010-4142; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111611; rev:1; priority:1;)
#
# CVE-2010-4142: RealWin HMI Service Buffer Overflow 3
#
alert tcp any any -> any 912 (msg:"RealWin HMI Service Buffer Overflow Attempt 3"; flow:established,to_server; content:"|64 12 54 6a 10 00 00 00|"; depth:8; byte_test:4,>,739,0,little,relative; reference:cve, CVE-2010-4142; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111612; rev:1; priority:1;)
#
# CVE 2009-4462: Intellicom NetBiter Config HICP Hostname Buffer Overflow
#
alert udp any any -> any 3250 (msg:"NetBiter Config HICP Hostname Buffer Overflow"; content:"hn|20 3d|"; content:!"|3b|"; within: 19; reference:cve, CVE-2009-4462; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111613; rev:1; priority:1;)
#
# CVE 2011-0406: WellinTech KingView Remote Heap Overflow Attempt
#
alert tcp any any -> any 777 (msg:"WellinTech KingView Remote Heap Overflow Attempt"; flow:established,to_server; stream_size: client,>,32800; content:"|eb 14|"; content: "|ad bb c3 77 b4 73 ed 77|"; within: 15; reference:cve, CVE-2011-0406; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111614; rev:1; priority:1;)
#alert tcp any any -> any 777 (msg:"Kingview Touchview 6.53 EIP Overwrite Attempt";content:"|90 90|";offset:2;depth:2;content:"|90|";offset:7;depth:1;content:"|90|";offset:9;depth:1;sid:1195;)
#alert tcp any any -> any 777 (msg:"Kingview 6.53 Remote Heap Overflow Attempt";content:"|90 90|";offset:2;depth:2;content:"|90|";offset:7;depth:1;content:"|90|";offset:9;depth:1;sid:1195;)
# CVE 20xx-xxx: IntelliCom NetBiter NB100 and NB200 - Directory Traversal Attempt
#
alert tcp any any -> any any (msg:"NetBiter NB100 and NB200 Directory Traversal Attempt"; flow:established,to_server; uricontent: "/cgi-bin/read.cgi"; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111615; rev:1; priority:2;)
#
# CVE 20xx-xxx: VxWorks Information Disclosure Attempt
#
alert udp any any -> any 17185 (msg:"VxWorks Debug Service Information Disclosure Attempt"; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111616; rev:1; priority:2;)
#
# CVE 2010-4709: Automated Solutions Modbus/TCP Master OPC server Modbus TCP Header Corruption Attempt
#
#alert tcp any any -> any 502 (msg:"Automated Solutions: Modbus/TCP Master OPC server Modbus TCP Header Corruption Attempt"; byte_test: 2,>,500,4; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111617; rev:1; priority:1;)
#
# CVE 20xx-xxx: BroadWin/AdvancTech RPC Information Disclosure Vulnerability
#
# dce_* keywords require the DCE/RPC preprocessor to be inspecting TCP/4592; without that
# configuration the rule never matches. Checks the interface UUID and opnum 0-3, jumps over
# the first aligned stub-data field, and then requires the 16-bit value four bytes further
# on to equal 50003.
alert tcp any any -> any 4592 (msg:"BroadWin/AdvancTech RPC Information Disclosure Vulnerability"; flow:to_server,established; dce_iface: 5d2b62aa-ee0a-4a95-91ae-b064fdb471fc; dce_opnum: 0-3; dce_stub_data; byte_jump:4,-4,relative,align,dce; byte_test:2,=,50003,4,relative,dce; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111618; rev:1; priority:1;)
#
# CVE 20xx-xxx: BroadWin/AdvancTech RPC/RCE Vulnerability
#
alert tcp any any -> any 4592 (msg:"BroadWin/AdvancTech RPC/RCE Vulnerability"; flow:to_server,established; dce_iface: 5d2b62aa-ee0a-4a95-91ae-b064fdb471fc; dce_opnum: 0-3; dce_stub_data;byte_jump:4,-4,relative,align,dce; byte_test:2,=,10000,4,relative,dce; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111619; rev:1; priority:1;)
#
# ----------------------
#
# Rules 1111620 to 1111680 were donated by Emerging Threats Pro with assistance from Nitro Security
#
# They are distributed under the ET-PRO license that is included in the download zip and is available at
# http://rules.emergingthreats.net/open/snort-2.4.0/ETPRO-License.txt
#
# ----------------------
#
# CVE 20xx-xxx: IGSS SCADA System Directory Traversal and Download
#
alert tcp any any -> any 12401 (msg:"ETPRO SCADA IGSS SCADA System Directory Traversal and Download"; flow:to_server,established; content:"|01 00 34 12 0D|"; offset:2; depth:5; content:"|03|"; distance:11; within:1; content:"|2E 2E 5C 2E 2E 5C 2E 2E 5C 2E 2E 5C|"; distance:0; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111620; rev:1;)
#
# CVE 20xx-xxx: IGSS SCADA system Directory Traversal Upload and Overwrite
#
alert tcp any any -> any 12401 (msg:"ETPRO SCADA IGSS SCADA system Directory Traversal Upload and Overwrite"; flow:to_server,established; content:"|01 00 34 12 0D|"; offset:2; depth:5; content:"|02|"; distance:11; within:1; content:"|2E 2E 5C 2E 2E 5C 2E 2E 5C 2E 2E 5C|"; distance:0; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111621; rev:1;)
#
# CVE 20xx-xxx: IGSS SCADA ListAll Function Buffer Overflow
#
alert tcp any any -> any 12401 (msg:"ETPRO SCADA IGSS SCADA ListAll Function Buffer Overflow"; flow:to_server,established; byte_test:2,>,278,0,little; content:"|01 00 34 12 0D|"; offset:2; depth:5; content:"|01|"; distance:11; within:1; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111622; rev:1;)
#
# CVE 20xx-xxx: IGSS SCADA Write File Function Buffer Overflow
#
alert tcp any any -> any 12401 (msg:"ETPRO SCADA IGSS SCADA Write File Function Buffer Overflow"; flow:to_server,established; byte_test:2,>,278,0,little; content:"|01 00 34 12 0D|"; offset:2; depth:5; content:"|02|"; distance:11; within:1; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111623; rev:1;)
#
# CVE 20xx-xxx: IGSS SCADA ReadFile Function Buffer Overflow
#
alert tcp any any -> any 12401 (msg:"ETPRO SCADA IGSS SCADA ReadFile Function Buffer Overflow"; flow:to_server,established; byte_test:2,>,278,0,little; content:"|01 00 34 12 0D|"; offset:2; depth:5; content:"|03|"; distance:11; within:1; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111624; rev:1;)
#
# CVE 20xx-xxx: IGSS SCADA Delete Function Buffer Overflow
#
alert tcp any any -> any 12401 (msg:"ETPRO SCADA IGSS SCADA Delete Function Buffer Overflow"; flow:to_server,established; byte_test:2,>,278,0,little; content:"|01 00 34 12 0D|"; offset:2; depth:5; content:"|04|"; distance:11; within:1; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111625; rev:1;)
#
# CVE 20xx-xxx: IGSS SCADA RenameFile Function Buffer Overflow
#
alert tcp any any -> any 12401 (msg:"ETPRO SCADA IGSS SCADA RenameFile Function Buffer Overflow"; flow:to_server,established; byte_test:2,>,278,0,little; content:"|01 00 34 12 0D|"; offset:2; depth:5; content:"|05|"; distance:11; within:1; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111626; rev:1;)
#
# CVE 20xx-xxx: IGSS SCADA FileInfo Function Buffer Overflow
#
alert tcp any any -> any 12401 (msg:"ETPRO SCADA IGSS SCADA FileInfo Function Buffer Overflow"; flow:to_server,established; byte_test:2,>,278,0,little; content:"|01 00 34 12 0D|"; offset:2; depth:5; content:"|06|"; distance:11; within:1; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111627; rev:1;)
#
# CVE 20xx-xxx: IGSS SCADA RMS Report Add Command Buffer Overflow
#
alert tcp any any -> any 12401 (msg:"ETPRO SCADA IGSS SCADA RMS Report Add Command Buffer Overflow"; flow:to_server,established; byte_test:2,>,278,0,little; content:"|01 00 34 12 07|"; offset:2; depth:5; content:"|04|"; distance:11; within:1; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111628; rev:1;)
#
# CVE 20xx-xxx: IGSS SCADA RMS Report Template ReadFile Command Buffer Overflow
#
alert tcp any any -> any 12401 (msg:"ETPRO SCADA IGSS SCADA RMS Report Template ReadFile Command Buffer Overflow"; flow:to_server,established; byte_test:2,>,278,0,little; content:"|01 00 34 12 07|"; offset:2; depth:5; content:"|06|"; distance:11; within:1; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111629; rev:1;)
#
# CVE 20xx-xxx: IGSS SCADA RMS Report Template WriteFile Command Buffer Overflow
#
alert tcp any any -> any 12401 (msg:"ETPRO SCADA IGSS SCADA RMS Report Template WriteFile Command Buffer Overflow"; flow:to_server,established; byte_test:2,>,278,0,little; content:"|01 00 34 12 07|"; offset:2; depth:5; content:"|05|"; distance:11; within:1; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111630; rev:1;)
#
# CVE 20xx-xxx: IGSS SCADA RMS Report Template Add Command Buffer Overflow
#
# NOTE(review): same header (|01 00 34 12 07|) and command byte (|04|) as sid 1111628, with
# only a higher length threshold (534 vs 278); any packet that fires this rule therefore also
# fires 1111628. Kept as a separate, more specific alert.
alert tcp any any -> any 12401 (msg:"ETPRO SCADA IGSS SCADA RMS Report Template Add Command Buffer Overflow"; flow:to_server,established; byte_test:2,>,534,0,little; content:"|01 00 34 12 07|"; offset:2; depth:5; content:"|04|"; distance:11; within:1; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111631; rev:1;)
#
# CVE 20xx-xxx: IGSS SCADA RMS Report Template Rename Command Buffer Overflow
#
alert tcp any any -> any 12401 (msg:"ETPRO SCADA IGSS SCADA RMS Report Template Rename Command Buffer Overflow"; flow:to_server,established; byte_test:2,>,534,0,little; content:"|01 00 34 12 07|"; offset:2; depth:5; content:"|02|"; distance:11; within:1; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111632; rev:1;)
#
# CVE 20xx-xxx: IGSS SCADA RMS Report Template Delete Command Buffer Overflow
#
alert tcp any any -> any 12401 (msg:"ETPRO SCADA IGSS SCADA RMS Report Template Delete Command Buffer Overflow"; flow:to_server,established; byte_test:2,>,534,0,little; content:"|01 00 34 12 07|"; offset:2; depth:5; content:"|03|"; distance:11; within:1; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111633; rev:1;)
#
# CVE 20xx-xxx: IGSS SCADA STDREP Request Buffer Overflow
#
alert tcp any any -> any 12401 (msg:"ETPRO SCADA IGSS SCADA STDREP Request Buffer Overflow"; flow:to_server,established; byte_test:2,>,278,0,little; content:"|01 00 34 12 08|"; offset:2; depth:5; content:"|04|"; distance:11; within:1; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111634; rev:1;)
#
# CVE 20xx-xxx: IGSS SCADA dc.exe Server Directory Traversal Arbitrary File Execution - 0xa
#
alert tcp any any -> any 12397 (msg:"ETPRO SCADA IGSS SCADA dc.exe Server Directory Traversal Arbitrary File Execution - 0xa"; flow:to_server,established; content:"|0a|"; offset:12; depth:1; content:"|2E 2E 5C 2E 2E 5C 2E 2E 5C 2E 2E 5C 2E 2E 5C|"; distance:0; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111635; rev:1;)
#
# CVE 20xx-xxx: IGSS SCADA dc.exe Server Directory Traversal Arbitrary File Execution - 0x17
#
alert tcp any any -> any 12397 (msg:"ETPRO SCADA IGSS SCADA dc.exe Server Directory Traversal Arbitrary File Execution - 0x17"; flow:to_server,established; content:"|17|"; offset:12; depth:1; content:"|2E 2E 5C 2E 2E 5C 2E 2E 5C 2E 2E 5C 2E 2E 5C|"; distance:0; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111636; rev:1;)
#
# CVE 20xx-xxx: RealFlex RealWin SCADA SCPC_TXTEVENT strcpy() Buffer Overflow
#
# offset:0 with no depth does not anchor the marker to the start of the payload (compare
# sid 1111612, which uses depth:8 for the same marker). isdataat:215 requires at least 216
# payload bytes before the little-endian length field after the marker is compared with 200.
alert tcp any any -> any 912 (msg:"ETPRO SCADA RealFlex RealWin SCADA SCPC_TXTEVENT strcpy() Buffer Overflow"; flow:to_server,established; isdataat:215; content:"|64 12 54 6a 10 00 00 00|"; offset:0; byte_test:4,>,200,0,relative,little; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111637; rev:1;)
#
# CVE 20xx-xxx: RealFlex RealWin SCADA On_FC_CONNECT_FCS_LOGIN Buffer Overflow
#
alert tcp any any -> any 910 (msg:"ETPRO SCADA RealFlex RealWin SCADA On_FC_CONNECT_FCS_LOGIN Buffer Overflow"; flow:to_server,established; isdataat:768; content:"|10 23 54 67|"; offset:0; byte_test:4,>,768,0,relative,little; content:"|01 00 01 00|"; distance:6; within:4; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111638; rev:1;)
#
# CVE 20xx-xxx: RealFlex RealWin SCADA On_FC_CTAGLIST_FCS_CADDTAG Buffer Overflow
#
alert tcp any any -> any 910 (msg:"ETPRO SCADA RealFlex RealWin SCADA On_FC_CTAGLIST_FCS_CADDTAG Buffer Overflow"; flow:to_server,established; isdataat:768; content:"|10 23 54 67|"; offset:0; byte_test:4,>,768,0,relative,little; content:"|05 00 01 00|"; distance:6; within:4; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111639; rev:1;)
#
# CVE 20xx-xxx: RealFlex RealWin SCADA On_FC_CTAGLIST_FCS_CDELTAG Buffer Overflow
#
alert tcp any any -> any 910 (msg:"ETPRO SCADA RealFlex RealWin SCADA On_FC_CTAGLIST_FCS_CDELTAG Buffer Overflow"; flow:to_server,established; isdataat:768; content:"|10 23 54 67|"; offset:0; byte_test:4,>,768,0,relative,little; content:"|05 00 02 00|"; distance:6; within:4; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111640; rev:1;)
#
# CVE 20xx-xxx: RealFlex RealWin SCADA On_FC_CTAGLIST_FCS_ADDTAGMS Buffer Overflow
#
alert tcp any any -> any 910 (msg:"ETPRO SCADA RealFlex RealWin SCADA On_FC_CTAGLIST_FCS_ADDTAGMS Buffer Overflow"; flow:to_server,established; isdataat:768; content:"|10 23 54 67|"; offset:0; byte_test:4,>,768,0,relative,little; content:"|05 00 05 00|"; distance:6; within:4; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111641; rev:1;)
#
# CVE 20xx-xxx: RealFlex RealWin SCADA On_FC_RFUSER_FCS_LOGIN Buffer Overflow
#
alert tcp any any -> any 910 (msg:"ETPRO SCADA RealFlex RealWin SCADA On_FC_RFUSER_FCS_LOGIN Buffer Overflow"; flow:to_server,established; isdataat:59; content:"|10 23 54 67|"; offset:0; byte_test:4,>,44,0,relative,little; content:"|11 00 01 00|"; distance:6; within:4; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111642; rev:1;)
#
# CVE 20xx-xxx: RealFlex RealWin SCADA On_FC_BINFILE_FCS_*FILE Buffer Overflow 1
#
alert tcp any any -> any 910 (msg:"ETPRO SCADA RealFlex RealWin SCADA On_FC_BINFILE_FCS_*FILE Buffer Overflow 1"; flow:to_server,established; isdataat:270; content:"|10 23 54 67|"; offset:0; byte_test:4,>,256,0,relative,little; content:"|10 00 01 00|"; distance:6; within:4; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111643; rev:1;)
#
# CVE 20xx-xxx: RealFlex RealWin SCADA On_FC_BINFILE_FCS_*FILE Buffer Overflow 2
#
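# Same structure as the other On_FC_BINFILE_FCS_*FILE rules (sids 1111643-1111648): marker,
# little-endian length > 256, then the function/sub-function word |10 00 03 00|. The flow
# option now includes "established" like its siblings, so unestablished or spoofed segments
# to TCP/910 no longer evaluate; rev bumped accordingly.
alert tcp any any -> any 910 (msg:"ETPRO SCADA RealFlex RealWin SCADA On_FC_BINFILE_FCS_*FILE Buffer Overflow 2"; flow:to_server,established; isdataat:270; content:"|10 23 54 67|"; offset:0; byte_test:4,>,256,0,relative,little; content:"|10 00 03 00|"; distance:6; within:4; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111644; rev:2;)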
#
# CVE 20xx-xxx: RealFlex RealWin SCADA On_FC_BINFILE_FCS_*FILE Buffer Overflow 3
#
alert tcp any any -> any 910 (msg:"ETPRO SCADA RealFlex RealWin SCADA On_FC_BINFILE_FCS_*FILE Buffer Overflow 3"; flow:to_server,established; isdataat:270; content:"|10 23 54 67|"; offset:0; byte_test:4,>,256,0,relative,little; content:"|10 00 08 00|"; distance:6; within:4; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111645; rev:1;)
#
# CVE 20xx-xxx: RealFlex RealWin SCADA On_FC_BINFILE_FCS_*FILE Buffer Overflow 4
#
alert tcp any any -> any 910 (msg:"ETPRO SCADA RealFlex RealWin SCADA On_FC_BINFILE_FCS_*FILE Buffer Overflow 4"; flow:to_server,established; isdataat:270; content:"|10 23 54 67|"; offset:0; byte_test:4,>,256,0,relative,little; content:"|10 00 0A 00|"; distance:6; within:4; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111646; rev:1;)
#
# CVE 20xx-xxx: RealFlex RealWin SCADA On_FC_BINFILE_FCS_*FILE Buffer Overflow 5
#
alert tcp any any -> any 910 (msg:"ETPRO SCADA RealFlex RealWin SCADA On_FC_BINFILE_FCS_*FILE Buffer Overflow 5"; flow:to_server,established; isdataat:270; content:"|10 23 54 67|"; offset:0; byte_test:4,>,256,0,relative,little; content:"|10 00 0B 00|"; distance:6; within:4; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111647; rev:1;)
#
# CVE 20xx-xxx: RealFlex RealWin SCADA On_FC_BINFILE_FCS_*FILE Buffer Overflow 6
#
alert tcp any any -> any 910 (msg:"ETPRO SCADA RealFlex RealWin SCADA On_FC_BINFILE_FCS_*FILE Buffer Overflow 6"; flow:to_server,established; isdataat:270; content:"|10 23 54 67|"; offset:0; byte_test:4,>,256,0,relative,little; content:"|10 00 0D 00|"; distance:6; within:4; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111648; rev:1;)
#
# CVE 20xx-xxx: RealFlex RealWin SCADA On_FC_MISC_FCS_MSGBROADCAST Buffer Overflow
#
alert tcp any any -> any 910 (msg:"ETPRO SCADA RealFlex RealWin SCADA On_FC_MISC_FCS_MSGBROADCAST Buffer Overflow"; flow:to_server,established; isdataat:768; content:"|10 23 54 67|"; offset:0; byte_test:4,>,768,0,relative,little; content:"|0F 00 01 00|"; distance:6; within:4; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111649; rev:1;)
#
# CVE 20xx-xxx: RealFlex RealWin SCADA On_FC_MISC_FCS_MSGSEND Buffer Overflow
#
alert tcp any any -> any 910 (msg:"ETPRO SCADA RealFlex RealWin SCADA On_FC_MISC_FCS_MSGSEND Buffer Overflow"; flow:to_server,established; isdataat:768; content:"|10 23 54 67|"; offset:0; byte_test:4,>,768,0,relative,little; content:"|0F 00 03 00|"; distance:6; within:4; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111650; rev:1;)
#
# CVE 20xx-xxx: RealFlex RealWin SCADA On_FC_CGETTAG_FCS_GETTELEMETRY Buffer Overflow
#
alert tcp any any -> any 910 (msg:"ETPRO SCADA RealFlex RealWin SCADA On_FC_CGETTAG_FCS_GETTELEMETRY Buffer Overflow"; flow:to_server,established; isdataat:215; content:"|10 23 54 67|"; offset:0; byte_test:4,>,200,0,relative,little; content:"|02 00 0F 00|"; distance:6; within:4; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111651; rev:1;)
#
# CVE 20xx-xxx: RealFlex RealWin SCADA On_FC_CGETTAG_FCS_GETCHANNELTELEMETRY Buffer Overflow
#
alert tcp any any -> any 910 (msg:"ETPRO SCADA RealFlex RealWin SCADA On_FC_CGETTAG_FCS_GETCHANNELTELEMETRY Buffer Overflow"; flow:to_server,established; isdataat:215; content:"|10 23 54 67|"; offset:0; byte_test:4,>,200,0,relative,little; content:"|02 00 10 00|"; distance:6; within:4; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111652; rev:1;)
#
# CVE 20xx-xxx: RealFlex RealWin SCADA On_FC_CGETTAG_FCS_SETTELEMETRY Buffer Overflow
#
alert tcp any any -> any 910 (msg:"ETPRO SCADA RealFlex RealWin SCADA On_FC_CGETTAG_FCS_SETTELEMETRY Buffer Overflow"; flow:to_server,established; isdataat:215; content:"|10 23 54 67|"; offset:0; byte_test:4,>,200,0,relative,little; content:"|04 00 12 00|"; distance:6; within:4; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111653; rev:1;)
#
# CVE 20xx-xxx: RealFlex RealWin SCADA On_FC_CGETTAG_FCS_SETCHANNELTELEMETRY Buffer Overflow
#
alert tcp any any -> any 910 (msg:"ETPRO SCADA RealFlex RealWin SCADA On_FC_CGETTAG_FCS_SETCHANNELTELEMETRY Buffer Overflow"; flow:to_server,established; isdataat:215; content:"|10 23 54 67|"; offset:0; byte_test:4,>,200,0,relative,little; content:"|04 00 13 00|"; distance:6; within:4; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111654; rev:1;)
#
# CVE 20xx-xxx: RealFlex RealWin SCADA On_FC_SCRIPT_FCS_STARTPROG Buffer Overflow
#
alert tcp any any -> any 910 (msg:"ETPRO SCADA RealFlex RealWin SCADA On_FC_SCRIPT_FCS_STARTPROG Buffer Overflow"; flow:to_server,established; isdataat:1000; content:"|10 23 54 67|"; offset:0; byte_test:4,>,1000,0,relative,little; content:"|09 00 12 00|"; distance:6; within:4; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111655; rev:1;)
#
# CVE 20xx-xxx: Iconics Genesis SCADA Freeing of Uninitialized Memory Trigger Option 1
#
alert tcp any any -> any 38080 (msg:"ETPRO SCADA Iconics Genesis SCADA Freeing of Unitialized Memory Trigger Option 1"; flow:to_server,established; dsize:62;content:"|b0 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff 0f 00 00 ff 0f 00 00|"; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111656; rev:1;)
#
# CVE 20xx-xxx: Iconics Genesis SCADA Freeing of Uninitialized Memory Trigger Option 2
#
alert tcp any any -> any 38080 (msg:"ETPRO SCADA Iconics Genesis SCADA Freeing of Unitialized Memory Trigger Option 2"; flow:to_server,established; dsize:28;content:"|B2 04 00 00 FF 0F 00 00|"; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111657; rev:1;)
#
# CVE 20xx-xxx: Iconics Genesis SCADA Freeing of Uninitialized Memory Trigger Option 3
#
alert tcp any any -> any 38080 (msg:"ETPRO SCADA Iconics Genesis SCADA Freeing of Unitialized Memory Trigger Option 3"; flow:to_server,established;dsize:38;content:"|b5 04 00 00 00 00 00 00 00 00 00 00 00 00 ff 0f 00 00|"; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111658; rev:1;)
#
# CVE 20xx-xxx: Iconics Genesis SCADA Freeing of Uninitialized Memory Trigger Option 4
#
alert tcp any any -> any 38080 (msg:"ETPRO SCADA Iconics Genesis SCADA Freeing of Unitialized Memory Trigger Option 4"; flow:to_server,established; dsize:28;content:"|AE 0D 00 00 FF 0F 00 00|"; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111659; rev:1;)
#
# CVE 20xx-xxx: Iconics Genesis SCADA Freeing of Uninitialized Memory Trigger Option 5
#
alert tcp any any -> any 38080 (msg:"ETPRO SCADA Iconics Genesis SCADA Freeing of Unitialized Memory Trigger Option 5"; flow:to_server,established; dsize:37;content:"|bc 1b 00 00 00 00 00 00 00 00 00 00 00 ff 0f 00 00|"; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111660; rev:1;)
#
# CVE 20xx-xxx: Iconics Genesis SCADA Integer Overflow 0x9a08
#
alert tcp any any -> any 38080 (msg:"ETPRO SCADA Iconics Genesis SCADA Integer Overflow 0x9a08"; flow:to_server,established; content:"|01 00 00 15 00 00 00 01 00 00 1F F4 01 00 00 00|"; content:"|9A 08|"; distance:4; within:2; isdataat:1024; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111661; rev:1;)
#
# CVE 20xx-xxx: Iconics Genesis SCADA Integer Overflow 0x5304
#
alert tcp any any -> any 38080 (msg:"ETPRO SCADA Iconics Genesis SCADA Integer Overflow 0x5304"; flow:to_server,established; content:"|01 00 00 15 00 00 00 01 00 00 1F F4 01 00 00 00|"; content:"|53 04|"; distance:4; within:2; isdataat:1024; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111662; rev:1;)
#
# CVE 20xx-xxx: Iconics Genesis SCADA Integer Overflow 0x04b0
#
alert tcp any any -> any 38080 (msg:"ETPRO SCADA Iconics Genesis SCADA Integer Overflow 0x04b0"; flow:to_server,established; content:"|01 00 00 15 00 00 00 01 00 00 1F F4 01 00 00 00|"; content:"|B0 04|"; distance:4; within:2; isdataat:1024; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111663; rev:1;)
#
# CVE 20xx-xxx: Iconics Genesis SCADA Integer Overflow 0x04b2
#
alert tcp any any -> any 38080 (msg:"ETPRO SCADA Iconics Genesis SCADA Integer Overflow 0x04b2"; flow:to_server,established; content:"|01 00 00 15 00 00 00 01 00 00 1F F4 01 00 00 00|"; content:"|B2 04|"; distance:4; within:2; isdataat:1024; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111664; rev:1;)
#
# CVE 20xx-xxx: Iconics Genesis SCADA Integer Overflow 0x04b5
#
alert tcp any any -> any 38080 (msg:"ETPRO SCADA Iconics Genesis SCADA Integer Overflow 0x04b5"; flow:to_server,established; content:"|01 00 00 15 00 00 00 01 00 00 1F F4 01 00 00 00|"; content:"|B5 04|"; distance:4; within:2; isdataat:1024; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111665; rev:1;)
#
# CVE 20xx-xxx: Iconics Genesis SCADA Integer Overflow 0x7d0
#
alert tcp any any -> any 38080 (msg:"ETPRO SCADA Iconics Genesis SCADA Integer Overflow 0x7d0"; flow:to_server,established; content:"|01 00 00 15 00 00 00 01 00 00 1F F4 01 00 00 00|"; content:"|d0 07|"; distance:4; within:2; isdataat:1024; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111666; rev:1;)
#
# CVE 20xx-xxx: Iconics Genesis SCADA Integer Overflow 0xdae
#
alert tcp any any -> any 38080 (msg:"ETPRO SCADA Iconics Genesis SCADA Integer Overflow 0xdae"; flow:to_server,established; content:"|01 00 00 15 00 00 00 01 00 00 1F F4 01 00 00 00|"; content:"|ae 0d|"; distance:4; within:2; isdataat:1024; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111667; rev:1;)
#
# CVE 20xx-xxx: Iconics Genesis SCADA Integer Overflow 0xfa4
#
alert tcp any any -> any 38080 (msg:"ETPRO SCADA Iconics Genesis SCADA Integer Overflow 0xfa4"; flow:to_server,established; content:"|01 00 00 15 00 00 00 01 00 00 1F F4 01 00 00 00|"; content:"|a4 0f|"; distance:4; within:2; isdataat:1024; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111668; rev:1;)
#
# CVE 20xx-xxx: Iconics Genesis SCADA Integer Overflow 0xfa7
#
alert tcp any any -> any 38080 (msg:"ETPRO SCADA Iconics Genesis SCADA Integer Overflow 0xfa7"; flow:to_server,established; content:"|01 00 00 15 00 00 00 01 00 00 1F F4 01 00 00 00|"; content:"|a7 0f|"; distance:4; within:2; isdataat:1024; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111669; rev:1;)
#
# CVE 20xx-xxx: Iconics Genesis SCADA Integer Overflow 0x1bbc
#
alert tcp any any -> any 38080 (msg:"ETPRO SCADA Iconics Genesis SCADA Integer Overflow 0x1bbc"; flow:to_server,established; content:"|01 00 00 15 00 00 00 01 00 00 1F F4 01 00 00 00|"; content:"|bc 1b|"; distance:4; within:2; isdataat:1024; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111670; rev:1;)
#
# CVE 20xx-xxx: Iconics Genesis SCADA Integer Overflow 0x1c84
#
alert tcp any any -> any 38080 (msg:"ETPRO SCADA Iconics Genesis SCADA Integer Overflow 0x1c84"; flow:to_server,established; content:"|01 00 00 15 00 00 00 01 00 00 1F F4 01 00 00 00|"; content:"|84 1c|"; distance:4; within:2; isdataat:1024; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111671; rev:1;)
#
# CVE 20xx-xxx: Iconics Genesis SCADA Integer Overflow 0x26ac
#
alert tcp any any -> any 38080 (msg:"ETPRO SCADA Iconics Genesis SCADA Integer Overflow 0x26ac"; flow:to_server,established; content:"|01 00 00 15 00 00 00 01 00 00 1F F4 01 00 00 00|"; content:"|ac 26|"; distance:4; within:2; isdataat:1024; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111672; rev:1;)
#
# CVE 20xx-xxx: Siemens Tecnomatix FactoryLink CSService CSMSG path Buffer Overflow
#
alert tcp any any -> any 7580 (msg:"ETPRO SCADA Siemens Tecnomatix FactoryLink CSService CSMSG path Buffer Overflow"; flow:to_server,established; content:"LEN|00|"; depth:4; byte_test:4,>,1028,0,little; content:"|99|"; distance:8; within:1; content:"|99 00 00 00 06 00 00 00 03 06|"; distance:0; byte_test:4,>,1024,0,big; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111673; rev:1;)
#
# CVE 20xx-xxx: Siemens Tecnomatix FactoryLink CSService CSMSG filter Buffer Overflow
#
alert tcp any any -> any 7580 (msg:"ETPRO SCADA Siemens Tecnomatix FactoryLink CSService CSMSG filter Buffer Overflow"; flow:to_server,established; content:"LEN|00|"; depth:4; byte_test:4,>,1024,0,little; content:"|99|"; distance:8; within:1; content:"|99 00 00 00 06 00 00 00 03 06|"; distance:0; byte_test:4,<,1029,0,big; byte_jump:4,0,big,relative; content:"|06|"; distance:0; within:1; byte_test:4,>,1024,0,big; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111674; rev:1;)
#
# CVE 20xx-xxx: Siemens Tecnomatix FactoryLink CSService GetFile path Buffer Overflow
#
alert tcp any any -> any 7580 (msg:"ETPRO SCADA Siemens Tecnomatix FactoryLink CSService GetFile path Buffer Overflow"; flow:to_server,established; content:"LEN|00|"; depth:4; byte_test:4,>,1028,0,little; content:"|99|"; distance:8; within:1; content:"|99 00 00 00 08 00 00 00 02 06|"; distance:0; byte_test:4,>,1024,0,big; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111675; rev:1;)
#
# CVE 20xx-xxx: Siemens Tecnomatix FactoryLink CSService GetFileInfo path Buffer Overflow
#
alert tcp any any -> any 7580 (msg:"ETPRO SCADA Siemens Tecnomatix FactoryLink CSService GetFileInfo path Buffer Overflow"; flow:to_server,established; content:"LEN|00|"; depth:4; byte_test:4,>,1028,0,little; content:"|99|"; distance:8; within:1; content:"|99 00 00 00 0a 00 00 00 01 06|"; distance:0; byte_test:4,>,1024,0,big; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111676; rev:1;)
#
# CVE 20xx-xxx: Siemens Tecnomatix FactoryLink CSService CSMSG path possible file download
#
# pcre flags: R = start relative to the previous content match, i = case-insensitive. It
# skips 8 bytes and then expects either a drive path ("X:\\") or a "..\" sequence, with an
# optional NUL after each character so both narrow and UTF-16LE strings match.
# NOTE(review): classtype is attempted-recon here while the three sibling "possible file
# download" rules (sids 1111678-1111680) use attempted-user.
alert tcp any any -> any 7580 (msg:"ETPRO SCADA Siemens Tecnomatix FactoryLink CSService CSMSG path possible file download"; flow:to_server,established; content:"LEN|00|"; depth:4; content:"|99|"; distance:8; within:1; content:"|99 00 00 00 06 00 00 00 03 06|"; pcre:"/^.{8}([A-Z]\x00?\x3a\x00?\x5c\x00?\x5c\x00?|\x2e\x00?\x2e\x00?\x5c\x00?)/Ri"; classtype:attempted-recon; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111677; rev:1;)
#
# CVE 20xx-xxx: Siemens Tecnomatix FactoryLink CSService CSMSG filter possible file download
#
alert tcp any any -> any 7580 (msg:"ETPRO SCADA Siemens Tecnomatix FactoryLink CSService CSMSG filter possible file download"; flow:to_server,established; content:"LEN|00|"; depth:4; content:"|99|"; distance:8; within:1; content:"|99 00 00 00 06 00 00 00 03 06|"; byte_test:4,<,1029,0,big; byte_jump:4,0,big,relative; content:"|06|"; distance:0; within:1; pcre:"/^.{8}([A-Z]\x00?\x3a\x00?\x5c\x00?\x5c\x00?|\x2e\x00?\x2e\x00?\x5c\x00?)/Ri"; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111678; rev:1;)
#
# CVE 20xx-xxx: Siemens Tecnomatix FactoryLink CSService GetFile possible file download
#
alert tcp any any -> any 7580 (msg:"ETPRO SCADA Siemens Tecnomatix FactoryLink CSService GetFile possible file download"; flow:to_server,established; content:"LEN|00|"; depth:4; content:"|99|"; distance:8; within:1; content:"|99 00 00 00 08 00 00 00 02 06|"; pcre:"/^.{8}([A-Z]\x00?\x3a\x00?\x5c\x00?\x5c\x00?|\x2e\x00?\x2e\x00?\x5c\x00?)/Ri"; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111679; rev:1;)
#
# CVE 20xx-xxx: Siemens Tecnomatix FactoryLink CSService GetFileInfo possible file download
#
alert tcp any any -> any 7580 (msg:"ETPRO SCADA Siemens Tecnomatix FactoryLink CSService GetFileInfo possible file download"; flow:to_server,established; content:"LEN|00|"; depth:4; content:"|99|"; distance:8; within:1; content:"|99 00 00 00 0a 00 00 00 01 06|"; pcre:"/^.{8}([A-Z]\x00?\x3a\x00?\x5c\x00?\x5c\x00?|\x2e\x00?\x2e\x00?\x5c\x00?)/Ri"; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111680; rev:1;)
#
#
#
#
# The following five rules were developed in response to ICSA-11-273-03 Rockwell RSLogix Denial of Service Vulnerability. They were developed by NitroSecurity in
# partnership with Rockwell Automation and graciously donated to the Quickdraw SCADA IDS.
#
# Note 1: In addition to identifying the denial of service attack on the RSLogix and FactoryTalk vulnerability, these signatures will also identify out of spec
# behavior that could be used in other attacks.
#
# Note 2: As written, the rules below match only destination port 44818. To cover the other RSLogix/FactoryTalk ports, define the following port list as a variable in the conf file and use it in place of 44818 in the rule headers.
#
# 44818 = [1330,1331,1332,4241,4242,4445,4446,5241,6543,9111,60093,49281]
#
#
# Check for Large Header Length
#
# After the "rna|f2|" marker, the 4-byte little-endian header length must exceed 0x2000
# (8 KiB). flow:to_server has no "established", so segments outside a tracked session are
# evaluated as well. The header matches only literal port 44818; see Note 2 above for the
# additional ports.
alert tcp any any -> any 44818 (msg:"Rockwell RNA Message Large Header Length - 8Kb"; flow:to_server; content:"rna|f2|"; byte_test:4,>,0x2000,0,relative,little; classtype:attempted-dos; sid:1111681; rev:1;)
#
# Check for Negative Header Length
#
# Tests bit 0x80 of the byte three positions after the marker, i.e. the most significant
# byte of the little-endian 32-bit header length: a set sign bit means a negative length.
alert tcp any any -> any 44818 (msg:"Rockwell RNA Message Negative Header Length"; flow:to_server; content:"rna|f2|"; byte_test:1,&,0x80,3,relative,little; classtype:attempted-dos; sid:1111682; rev:1;)
#
# Check for Large Body Length
#
# Skips the header using its own little-endian length field, then requires the following
# 4-byte little-endian body length to exceed 0x800000 (8 MiB).
alert tcp any any -> any 44818 (msg:"Rockwell RNA Message Large Body Length - 8Mb"; flow:to_server; content:"rna|f2|"; byte_jump:4,0,relative,little; byte_test:4,>,0x800000,0,relative,little; classtype:attempted-dos; sid:1111683; rev:1;)
#
# Check for Negative Body Length
#
# Skips the header using its length field, then checks the sign bit (0x80 in the fourth,
# most significant byte) of the little-endian body length, as sid 1111682 does for the header.
alert tcp any any -> any 44818 (msg:"Rockwell RNA Message Negative Body Length"; flow:to_server; content:"rna|f2|"; byte_jump:4,0,relative,little; byte_test:1,&,0x80,3,relative,little; classtype:attempted-dos; sid:1111684; rev:1;)
#
# Ensure Null Terminated Header
#
# Jumps to the end of the header using its length field and then requires the byte just
# before that position (distance:-1, within:1) to be 0x00 - the header's NUL terminator.
alert tcp any any -> any 44818 (msg:"Rockwell RNA Message Header Not Null Terminated"; flow:to_server; content:"rna|f2|"; byte_jump:4,0,relative,little; content:!"|00|"; distance:-1; within:1; classtype:attempted-dos; sid:1111685; rev:1;)
#
#
#
# The following six rules were developed and donated to Quickdraw by Rockwell Automation in response to vulnerabilities identified in Project Basecamp.
#
#
# Attack: Forcing a CPU Stop
# Impact: Stops the CPU, leaving it in a 'Major recoverable fault' state. To clear the fault the key must be turned manually from RUN to PROG twice.
# // CIP - Unconnected send - CM via 0x52
# // Service: 0x7 (STOP)
# // Class: 0x64 unsigned char packetCPUStop[]=
# "\x00\x00\x00\x00\x02\x00\x02\x00\x00\x00\x00\x00\xb2\x00\x1a\x00"
# "\x52\x02\x20\x06\x24\x01\x03\xf0\x0c\x00\x07\x02\x20\x64\x24\x01"
# "\xDE\xAD\xBE\xEF\xCA\xFE\x01\x00\x01\x00";
#
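# CPU Stop via CIP Unconnected Send.  Decode path: encapsulation command 0x006f at offset 0 ->
# skip to offset 24 (past the 24-byte encapsulation header) where four zero bytes are required
# -> two bytes further, read the 2-byte little-endian item count and use it (x4) to bound the
# search for the 0x00b2 unconnected-data item -> service 0x52 two bytes past it -> byte_jump
# over the request path (size byte in 16-bit words) -> four bytes later the embedded service
# byte must be 0x07 (STOP per the note above).  The embedded class (0x64) is not checked, so
# any 0x07 carried this way alerts.  "established" keeps a lone spoofed segment from firing
# the rule; drop it only if the sensor must pick sessions up midstream.
alert tcp any any -> any 44818 (msg:"ROCKWELL Automation ControlLogix Denial of Service (CPU Stop)"; flow:to_server,established; content:"|6f 00|"; offset:0; depth:2; content:"|00 00 00 00|"; distance:22; within:4; byte_extract:2,2,count,relative,multiplier 4,little; content:"|b2 00|"; distance:0; within:count; content:"|52|"; distance:2; within:1; byte_jump:1,0,relative,multiplier 2; content:"|07|"; distance:4; within:1; classtype:attempted-dos; reference:osvdb,78489; reference:secunia,47737; sid:1111686; rev:2;)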
#
# Attack: Crash CPU
# Impact: Crashes the CPU due to a malformed request, leaving it in a 'Major recoverable fault' state. In order to clear the fault the key needs to be turned manually from RUN to PROG twice.
# // CIP - Unconnected send - CM via 0x52
# // Service: 0xa Multiple service packet
# // Class: 0x2 Message Router
# unsigned char packetCrashCPU[]=
# "\x00\x00\x00\x00\x02\x00\x02\x00\x00\x00\x00\x00\xb2\x00\x1a\x00"
# "\x52\x02\x20\x06\x24\x01\x03\xf0\x0c\x00\x0a\x02\x20\x02\x24\x01"
# "\xf4\xf0\x09\x09\x88\x04\x01\x00\x01\x00";
#
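# Crash CPU via CIP Unconnected Send.  Same walk as sid 1111686 (encap command 0x006f, four
# zero bytes at offset 24, item count bounds the 0x00b2 item search, service 0x52, byte_jump
# over the request path) but the embedded service byte must be 0x0a (Multiple Service Packet).
# Only the service byte is checked, not the malformed payload that causes the crash, so
# legitimate Multiple Service Packet requests routed through Unconnected Send will also alert;
# that is accepted here in favour of coverage.  "established" keeps a lone spoofed segment
# from firing the rule; drop it only if the sensor must pick sessions up midstream.
alert tcp any any -> any 44818 (msg:"ROCKWELL Automation ControlLogix Denial of Service (Crash CPU)"; flow:to_server,established; content:"|6f 00|"; offset:0; depth:2; content:"|00 00 00 00|"; distance:22; within:4; byte_extract:2,2,count,relative,multiplier 4,little; content:"|b2 00|"; distance:0; within:count; content:"|52|"; distance:2; within:1; byte_jump:1,0,relative,multiplier 2; content:"|0a|"; distance:4; within:1; classtype:attempted-dos; reference:osvdb,78486; reference:secunia,47737; sid:1111687; rev:2;)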
#
# Attack: Dump 1756-ENBT's module boot code
# Impact: A 'curious' undocumented service that allows remote dumping of the EtherNET/IP module's boot code
# // CIP - Unconnected send
# // Service: 0x97
# // Class: 0xc0
# unsigned char packetDump[]=
# "\x00\x00\x00\x00\x00\x04\x02\x00\x00\x00\x00\x00\xb2\x00\x08\x00"
# "\x97\x02\x20\xc0\x24\x00\x00\x00";
#
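# Boot code dump: undocumented service 0x97 sent directly in the unconnected-data item (no
# 0x52 wrapper, unlike sids 1111686/1111687), matched as the 5-byte sequence service 0x97,
# path size 2, class 0xc0, instance segment 0x24.  Adds the classtype the original lacked
# (information disclosure -> attempted-recon) so the alert gets a priority like its siblings.
# "established" keeps a lone spoofed segment from firing the rule; drop it only if the sensor
# must pick sessions up midstream.
alert tcp any any -> any 44818 (msg:"ROCKWELL Automation ControlLogix EtherNET/IP modules boot code dump (Dump)"; flow:to_server,established; content:"|6f 00|"; offset:0; depth:2; content:"|00 00 00 00|"; distance:22; within:4; byte_extract:2,2,count,relative,multiplier 4,little; content:"|b2 00|"; distance:0; within:count; content:"|97 02 20 c0 24|"; distance:2; within:5; classtype:attempted-recon; reference:osvdb,78490; reference:secunia,47737; sid:1111688; rev:2;)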
#
# Attack: Reset 1756-ENBT module
# Impact: Resets the EtherNET/IP module.
# // CIP - Unconnected send
# // Service: 0x5 (RESET)
# // Class: 0x01 (Identity Manager)
# unsigned char packetResetEth[]=
# "\x00\x00\x00\x00\x00\x04\x02\x00\x00\x00\x00\x00\xb2\x00\x08\x00"
# "\x05\x03\x20\x01\x24\x01\x30\x03";
#
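# Reset of the EtherNet/IP module: service 0x05 (Reset) directly in the unconnected-data item,
# then one byte (path size) is skipped and the class segment must be 0x20 0x01.  The instance
# is not checked, so a Reset aimed at any Identity-object instance alerts.  A Reset is also a
# legitimate maintenance action; treat alerts from engineering hosts as expected but auditable.
# "established" keeps a lone spoofed segment from firing the rule; drop it only if the sensor
# must pick sessions up midstream.
alert tcp any any -> any 44818 (msg:"ROCKWELL Automation ControlLogix EtherNET/IP reset command Denial Of Service (ResetEth)"; flow:to_server,established; content:"|6f 00|"; offset:0; depth:2; content:"|00 00 00 00|"; distance:22; within:4; byte_extract:2,2,count,relative,multiplier 4,little; content:"|b2 00|"; distance:0; within:count; content:"|05|"; distance:2; within:1; content:"|20 01|"; distance:1; within:2; classtype:attempted-dos; reference:osvdb,78491; reference:secunia,47737; sid:1111689; rev:2;)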
#
# Attack: Crash 1756-ENBT module
# Impact: Crashes the module due to a vulnerability in the CIP stack
# (ci_ParseSegment function) so other packets can also trigger this
# flaw.
# // CIP - Unconnected send
# // Service: 0xe ( Get Attribute Single)
# // Class: 0xF5 (TCP/IP) [Others can be possible]
# unsigned char packetCrashEth[]=
# "\x00\x00\x00\x00\x20\x00\x02\x00\x00\x00\x00\x00\xb2\x00\x0c\x00"
# "\x0e\x03\x20\xf5\x24\x01\x10\x43\x24\x01\x10\x43";
#
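# 1756-ENBT crash: service 0x0e (Get_Attribute_Single) directly in the unconnected-data item,
# path size skipped, class segment 0x20 0xf5.  NOTE(review): only service and class are
# matched, not the malformed path segments from the PoC, so ordinary reads of the TCP/IP
# object will also alert, and - as the note above says other classes reach the same
# ci_ParseSegment flaw - other class values are not covered at all.  classtype is left as
# attempted-admin (the siblings use attempted-dos), presumably because the parser flaw may be
# more than a crash; lower it deliberately if only DoS is of concern.  "established" keeps a
# lone spoofed segment from firing the rule; drop it only if the sensor must pick sessions up
# midstream.
alert tcp any any -> any 44818 (msg:"ROCKWELL Automation ControlLogix Crash 1756-ENBT module (CrashEth)"; flow:to_server,established; content:"|6f 00|"; offset:0; depth:2; content:"|00 00 00 00|"; distance:22; within:4; byte_extract:2,2,count,relative,multiplier 4,little; content:"|b2 00|"; distance:0; within:count; content:"|0e|"; distance:2; within:1; content:"|20 f5|"; distance:1; within:2; classtype:attempted-admin; reference:osvdb,78487; reference:secunia,47737; sid:1111690; rev:2;)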
#
# Attack: Flash Update
# Impact: Initialize the device to update the firmware.
# // CIP - Unconnected send
# // Service: 0x4b ( NV_UPDATE - vendor specific name extracted from firmware )
# // Class: 0xA1 (Non-Volatile Object - vendor specific name extracted from firmware)
# // After issuing this service the attacker would load their own firmware via the service code 0x4d (nv_transfer)
# unsigned char packetFlashUp[]=
# "\x00\x00\x00\x00\x05\x00\x02\x00\x00\x00\x00\x00\xb2\x00\x16\x00"
# "\x4b\x02\x20\xa1\x24\x01\x05\x99\x07\x00\x4f\x02\x20\x37\x24\xc8"
# "\x00\x00\x01\x00\x01\x00";
#
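# Firmware update initiation: vendor service 0x4b directly in the unconnected-data item, path
# size skipped, class segment 0x20 0xa1.  The follow-on transfer (service 0x4d per the note
# above) is not covered by this rule; add a sibling for it if flash writes must be audited
# end to end.  A genuine firmware update over the network will also alert, which is the
# intent.  "established" keeps a lone spoofed segment from firing the rule; drop it only if
# the sensor must pick sessions up midstream.
alert tcp any any -> any 44818 (msg:"ROCKWELL Automation ControlLogix EtherNET/IP Initialize the device to update the firmware (FlashUp)"; flow:to_server,established; content:"|6f 00|"; offset:0; depth:2; content:"|00 00 00 00|"; distance:22; within:4; byte_extract:2,2,count,relative,multiplier 4,little; content:"|b2 00|"; distance:0; within:count; content:"|4b|"; distance:2; within:1; content:"|20 a1|"; distance:1; within:2; classtype:attempted-admin; reference:osvdb,78492; reference:secunia,47737; sid:1111691; rev:2;)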