
ICCP IDS Rules Update

We have issued a minor update to two ICCP rules, 1111404 and 1111405. These rules are related to the MMS layer. The new rules eliminate a small number of false negatives that were based on a specific implementation and a typical write request. The new rules should also lessen the number of false positives because they check additional content.

Like the other protocol rules, the ICCP rules require the asset owner to define the valid ICCP clients and servers. The MMS write rules may warrant creating another set of variables for ICCP clients that are authorized to write to the server.
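The following sanity check for those variable sets is an added example, not part of the published rule set. It assumes the variables are kept as flat Snort-style `ipvar`/`var` lines; the names `ICCP_SERVER`, `ICCP_CLIENT` and `ICCP_WRITE_CLIENT` and all addresses are constructed for illustration.

```python
import ipaddress
import re

# Constructed config excerpt. Variable names and addresses are assumptions
# (RFC 5737 documentation ranges), not values from the published rules.
SAMPLE_CONF = """
ipvar ICCP_SERVER [192.0.2.10,192.0.2.11]
ipvar ICCP_CLIENT [198.51.100.0/28,203.0.113.7]
ipvar ICCP_WRITE_CLIENT [198.51.100.4,203.0.113.9]
"""

def parse_ipvars(conf):
    """Return {name: [ip_network, ...]}; the literal 'any' becomes None.
    Handles flat lists only (no '!' negation, no nested $VAR references)."""
    out = {}
    for name, value in re.findall(r"^\s*(?:ip)?var\s+(\w+)\s+(\S+)", conf, re.M):
        if value.lower() == "any":
            out[name] = None
            continue
        items = value.strip("[]").split(",")
        out[name] = [ipaddress.ip_network(i, strict=False) for i in items if i]
    return out

def covered(net, nets):
    """True if net lies entirely inside one of nets."""
    return any(net.version == n.version and net.subnet_of(n) for n in nets)

def lint_iccp_vars(conf, server="ICCP_SERVER", client="ICCP_CLIENT",
                   writer="ICCP_WRITE_CLIENT"):
    """Return a list of findings; an empty list means the sets are consistent."""
    v = parse_ipvars(conf)
    findings = []
    for name in (server, client, writer):
        if name not in v:
            findings.append(f"{name} is not defined")
        elif v[name] is None:
            findings.append(f"{name} is 'any'; rules using it cannot "
                            "tell valid peers from other hosts")
    if findings:
        return findings
    # Every host allowed to write must also be a valid ICCP client.
    for net in v[writer]:
        if not covered(net, v[client]):
            findings.append(f"{net} may write but is not a defined ICCP client")
    return findings

if __name__ == "__main__":
    for finding in lint_iccp_vars(SAMPLE_CONF):
        print(finding)
```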

One other note: we will be moving the SCADA IDS site over to 37 Signals shortly. We are using their software for the NIST/PCSRF Protection Profile Project collaboration site and like what we see. It offers better and easier security, better user management, an RSS feed, and other tools that will be important as the signatures and other tools change.

(Hat Tip: Herb Falk. Herb is the man when it comes to the ICCP protocol details.)
