Daniel has developed and tested a Snort rule to detect this attack.
alert tcp $EXTERNAL_NET ANY -> $HOME_NET 20222 (msg:"CitectSCADA ODBC Overflow Attempt"; flow:established,to_server; byte_test:4,>,399,0; dsize:4; reference:cve,2008-2639; sid:1111601; rev:1; priority:1;)
We have tested it in the lab; any feedback is welcome. It will be included in our SCADA IDS signature set later this week. For those who don’t use Snort, it should be very easy to convert this to your Cisco, IBM/ISS, Juniper, … IDS/IPS.
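To make the rule's match condition concrete, here is a small Python model of what the signature above fires on, run over constructed TCP payloads. This is an added example, not code from the original post or from Snort; it takes the port (20222) and the length threshold (399) from the rule itself, and it only models the `dsize` and `byte_test` checks, not Snort's stream reassembly or the `flow:established,to_server` state. The `little_endian` flag is an assumption added purely to show how the result changes if the protocol's length field were little-endian, since Snort's `byte_test` reads big-endian unless given the `little` modifier.

```python
# Added example (not from the original post): a Python model of what the
# Snort rule above matches, evaluated over constructed TCP payloads.
import struct

CITECT_ODBC_PORT = 20222   # destination port from the rule header
LENGTH_THRESHOLD = 399     # byte_test:4,>,399,0 -> 4-byte value at offset 0 must be > 399


def rule_matches(payload: bytes, dst_port: int, little_endian: bool = False) -> bool:
    """Return True when a to-server TCP payload would trigger the rule.

    dsize:4             -> the payload must be exactly 4 bytes long
    byte_test:4,>,399,0 -> the 4-byte integer at offset 0 must exceed 399

    Snort's byte_test reads big-endian unless the 'little' modifier is
    given; the little_endian flag here is an assumption used only to show
    how the verdict changes with endianness.
    """
    if dst_port != CITECT_ODBC_PORT or len(payload) != 4:
        return False
    fmt = "<I" if little_endian else ">I"
    (length_field,) = struct.unpack(fmt, payload)
    return length_field > LENGTH_THRESHOLD


# Constructed sample payloads (not captured traffic); each is the 4-byte
# length header the rule inspects, encoded big-endian as Snort expects.
SAMPLES = {
    "benign_length_100":   struct.pack(">I", 100),
    "length_399_boundary": struct.pack(">I", 399),      # not strictly greater
    "length_400":          struct.pack(">I", 400),
    "oversized_length":    struct.pack(">I", 0x10000),
    "five_byte_payload":   struct.pack(">I", 5000) + b"\x00",  # dsize:4 fails
}


def evaluate_samples() -> dict:
    """Evaluate every constructed sample against the modelled rule."""
    return {name: rule_matches(p, CITECT_ODBC_PORT) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:22} -> {'ALERT' if hit else 'no alert'}")
```

Two things the model makes visible: `dsize:4` means the rule only fires when the length header travels in its own 4-byte segment, so a client that sends the header and the data in one write would not be matched; and because `byte_test` defaults to big-endian, a benign value of 100 would be read as 0x64000000 and trip the threshold if the field were actually little-endian, which is why the endianness of the length field is worth confirming against real traffic before deploying the rule.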
Thanks to Kevin Finisterre of the Netragard sponsored Digitalmunition team for his help and encouragement to get this done. Also, you may see this or a similar signature coming from Matt Jonkman and the guys at Emerging Threats.