New IDS Signatures for Modbus TCP
We released two new Modbus TCP IDS signatures and some improvements and updates today. The download of the entire new SCADA IDS package and links to the documentation are available on our IDS research page.
The new signatures identify Modbus scanners in two different ways.
- SID 1111013, Modbus TCP - Function Code Scan, identifies a scanner attempting to determine what function codes are implemented. This is common in the reconnaissance phase of an attack and also can identify the controller vendor if they use proprietary function codes.
- SID 1111014, Modbus TCP - Points List Scan, identifies when a scanner is “walking” all valid coils, discrete inputs and registers to see which are being used. This could be the precursor to a detailed analysis of the process or simply a way of identifying points that could be written to create chaos.
A few other improvements and comments on this latest release:
- We have created a SCADApedia page for the Modbus TCP Signatures that includes a list of the signatures and a brief description of each. The Snort rules and detailed documentation pages are still subscriber-only content.
- The rules are still provided in Snort format. Most IDS/IPS vendors and many MSSPs have imported our SCADA IDS signatures into their systems in the past. Contact your IDS/IPS vendor to determine if and when they will support these new signatures. The vendors release signatures at least quarterly, so this should not be a long delay if they choose to add them.
- All applicable Modbus TCP rules have an additional content check for 0x0000 in the protocol ID field of the MBAP header. This will slightly reduce the chance of a false positive.
- The pcap file we provided was created with the University of Tulsa Modbus Scanner developed under the I3P program. It performs Modbus TCP function code scanning and walks the points list, among other things. It is an interesting and helpful tool. However, we found different results from scans of the same PLC with the same points list. We are still looking at why that happened.
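To show what the two new signatures look at, here is an added Python sketch of the same detection logic (not the Snort rules themselves, and not part of the original post): it parses the MBAP header, drops frames whose protocol ID is not 0x0000, and raises the two alert names when one source tries many distinct function codes or walks consecutive point addresses. The thresholds and the sample traffic are constructed for the example; the real rules' thresholds are not stated here.

```python
import struct
from collections import defaultdict

FC_SCAN_THRESHOLD = 8   # distinct function codes from one source (assumed threshold)
WALK_THRESHOLD = 16     # consecutive ascending start addresses (assumed threshold)
READ_FCS = (1, 2, 3, 4)  # read coils / discrete inputs / holding / input registers

def mbap(tid, fc, data, proto=0):
    """Build a Modbus TCP request: MBAP header (tid, proto id, length, unit id) + PDU."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, proto, len(pdu) + 1, 0) + pdu

def parse(frame):
    """Return (function_code, start_address) or None if not a well-formed Modbus TCP request."""
    if len(frame) < 8:
        return None
    _tid, proto, length, _unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        return None  # protocol ID must be 0x0000, the check the updated rules add
    fc = frame[7]
    addr = struct.unpack(">H", frame[8:10])[0] if len(frame) >= 10 else None
    return fc, addr

def detect(packets):
    """packets: iterable of (src_ip, frame). Returns {src_ip: sorted alert names}."""
    fcs, addrs, alerts = defaultdict(set), defaultdict(list), defaultdict(set)
    for src, frame in packets:
        parsed = parse(frame)
        if parsed is None:
            continue
        fc, addr = parsed
        fcs[src].add(fc)
        if len(fcs[src]) >= FC_SCAN_THRESHOLD:
            alerts[src].add("Modbus TCP - Function Code Scan")
        if fc in READ_FCS and addr is not None:
            run = addrs[src]
            if run and addr != run[-1] + 1:   # sequence broken, start a new run
                run.clear()
            run.append(addr)
            if len(run) >= WALK_THRESHOLD:
                alerts[src].add("Modbus TCP - Points List Scan")
    return {src: sorted(names) for src, names in alerts.items()}

def sample_traffic():
    """Constructed traffic: a function code scanner, an address walker, and a non-Modbus frame."""
    scanner = [("10.0.0.5", mbap(i, fc, b"\x00\x00\x00\x01")) for i, fc in enumerate(range(1, 11))]
    walker = [("10.0.0.6", mbap(i, 3, struct.pack(">HH", a, 1))) for i, a in enumerate(range(20))]
    noise = [("10.0.0.7", mbap(1, 3, b"\x00\x00\x00\x01", proto=1))]
    return scanner + walker + noise

if __name__ == "__main__":
    print(detect(sample_traffic()))
```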
Author: Dale Peterson
Posted: April 27th, 2007 under Modbus TCP, SCADA IDS.