IDS Signature for Citect Vuln

As Daniel Peck noted in a blog entry yesterday, the Metasploit module exploiting the Citect ODBC vulnerability is out and there was a related spike in traffic on that port.

Daniel has developed and tested a Snort rule to detect this attack.

alert tcp $EXTERNAL_NET any -> $HOME_NET 20222 (msg:"CitectSCADA ODBC Overflow Attempt"; flow:established,to_server; byte_test:4,>,399,0; dsize:4; reference:cve,2008-2639; sid:1111601; rev:1; priority:1;)

We have tested it in the lab; any feedback is welcome. It will be included in our SCADA IDS signature set later this week. For those who don’t use Snort, it should be very easy to convert this to your Cisco, IBM/ISS, Juniper, … IDS/IPS.
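To make the rule's logic explicit for readers porting it to another IDS/IPS, here is an added Python illustration (not part of the original post or of Digital Bond's signature set) that applies the same conditions to constructed sample packets: destination port 20222, client-to-server direction, a payload of exactly 4 bytes (dsize:4), and a 32-bit value at offset 0 greater than 399 (byte_test:4,>,399,0, which Snort compares as big-endian unless the rule says otherwise). The Packet class and sample traffic are assumptions made up for the example.

```python
import struct
from dataclasses import dataclass

CITECT_PORT = 20222      # destination port from the rule header
LENGTH_THRESHOLD = 399   # byte_test:4,>,399,0


@dataclass
class Packet:
    """Minimal stand-in for a TCP segment (constructed for this example)."""
    dst_port: int
    to_server: bool      # Snort's flow:established,to_server
    payload: bytes


def matches_citect_rule(pkt: Packet) -> bool:
    """Return True when the packet satisfies every condition of the Snort rule."""
    if pkt.dst_port != CITECT_PORT or not pkt.to_server:
        return False
    # dsize:4 means the payload must be exactly four bytes long
    if len(pkt.payload) != 4:
        return False
    # byte_test:4,>,399,0 reads an unsigned 32-bit big-endian value at offset 0
    (length_field,) = struct.unpack(">I", pkt.payload)
    return length_field > LENGTH_THRESHOLD


def scan(packets: list) -> list:
    """Return indices of packets that would trigger the alert."""
    return [i for i, pkt in enumerate(packets) if matches_citect_rule(pkt)]


# Constructed sample traffic: only index 1 should alert.
SAMPLE_PACKETS = [
    Packet(CITECT_PORT, True, struct.pack(">I", 100)),      # small length, benign
    Packet(CITECT_PORT, True, struct.pack(">I", 400)),      # 400 > 399, alerts
    Packet(CITECT_PORT, True, struct.pack(">I", 400) + b"\x00"),  # 5 bytes, dsize fails
    Packet(CITECT_PORT, False, struct.pack(">I", 400)),     # server-to-client, ignored
    Packet(8080, True, struct.pack(">I", 400)),             # wrong port, ignored
    Packet(CITECT_PORT, True, struct.pack(">I", 399)),      # equal to 399, not greater
]

if __name__ == "__main__":
    for i in scan(SAMPLE_PACKETS):
        print(f"ALERT packet {i}: CitectSCADA ODBC Overflow Attempt")
```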

Thanks to Kevin Finisterre of the Netragard sponsored Digitalmunition team for his help and encouragement to get this done. Also, you may see this or a similar signature coming from Matt Jonkman and the guys at Emerging Threats.

1 comment to IDS Signature for Citect Vuln

  • Dale, Kevin, and Daniel, I want to thank you guys for coming up with this. With signatures like this, we can have some hope of detecting attacks aimed directly at control systems. One whiff of something like this is enough for me to remove any connections to our office network. It means we’re being probed. I’m not going to wait around to see what happens next.
