With the advent of exploits of control system component and application vulnerabilities in the wild, we have added a fourth category to Digital Bond’s IDS signature package: Vulnerability Exploit IDS Signatures. There are currently three vulnerability exploit signatures.
Anyone can view the lists of IDS signatures in the SCADApedia:
- DNP3 Signature List
- ICCP Signature List
- Modbus TCP Signature List
- Vulnerability Exploit Signature List
Subscribers can download the complete IDS package, which is now at Release 3.3. The package includes the signature files by category, configuration files, and test data to trigger the protocol signatures.
Most IDS vendors, e.g. Cisco, Juniper, Tipping Point, …, have added the Digital Bond SCADA IDS signatures at some point over the last three years. Unfortunately, we have no idea how they are updating these signatures or tracking the new signatures we develop. You will have to check with your IDS vendor, especially if you have a control system application with an exploit in the wild.
Subscribers also have access to the documentation page for each signature. The documentation pages follow the classic Snort documentation format and include useful information such as impact, ease of attack, false positives and false negatives. They are linked in the tables by category (see this page), and if you use the reference file in the package, your results will link directly to these pages.
As a harbinger of future signatures, imagine what we will be able to do with the control system protocol preprocessors developed as part of the Quickdraw project.