
New DNP3 IDS Signatures

We added two new SCADA IDS signatures for DNP3 to our SCADA IDS release package. Like the recently released Modbus TCP signature update, these two new DNP3 signatures will identify when an attacker is performing a reconnaissance scan of a DNP3 outstation (PLC, RTU, IED, etc.). The first signature will identify someone scanning for all possible points, and the second will identify a function code scan.

These signatures leverage the Internal Indication (IIN) bits and look for a configurable number of errors in a configurable amount of time. The signatures ship with our recommended limits, which anyone with basic Snort knowledge can easily modify.
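The count-in-a-time-window logic described above, sketched in Python as an added example; it is not the Snort signatures from the release package. The choice of IIN2 bits per scan type, the `count=5` / `seconds=60` limits, and all names here are assumptions made for illustration, and the sample frame is constructed.

```python
from collections import defaultdict, deque

# IIN2 (second IIN octet) error bits defined by DNP3
IIN2_NO_FUNC_CODE_SUPPORT = 0x01  # requested function code not implemented
IIN2_OBJECT_UNKNOWN = 0x02        # requested object/point not known
IIN2_PARAMETER_ERROR = 0x04       # qualifier, range or data invalid
RESPONSE, UNSOLICITED = 0x81, 0x82


def iin_errors(frame: bytes):
    """Return the IIN2 error bits of a DNP3 response frame, or None.

    Offsets assume a first-fragment frame: 10-byte link header (CRC included),
    then transport octet, application control, function code, IIN1, IIN2.
    """
    if len(frame) < 15 or frame[0:2] != b"\x05\x64":
        return None
    if frame[12] not in (RESPONSE, UNSOLICITED):
        return None
    return frame[14] & 0x07


class IinScanDetector:
    """Alert when one master draws `count` masked IIN errors within `seconds`."""

    def __init__(self, mask, count=5, seconds=60):  # limits are illustrative
        self.mask, self.count, self.seconds = mask, count, seconds
        self.hits = defaultdict(deque)  # (outstation, master) -> timestamps

    def observe(self, ts, outstation_ip, master_ip, frame):
        errs = iin_errors(frame)
        if not errs or not errs & self.mask:
            return False
        q = self.hits[(outstation_ip, master_ip)]
        q.append(ts)
        while q and ts - q[0] > self.seconds:  # drop hits outside the window
            q.popleft()
        if len(q) >= self.count:
            q.clear()  # re-arm after alerting
            return True
        return False


def make_response(iin1, iin2):
    # Constructed sample frame: CRC octets zeroed, addresses arbitrary
    link = bytes([0x05, 0x64, 0x0A, 0x44, 0x01, 0x00, 0x0A, 0x00, 0x00, 0x00])
    return link + bytes([0xC0, 0xC0, RESPONSE, iin1, iin2])
```

Raising `count` or shortening `seconds` trades sensitivity for fewer alerts from a misconfigured master that legitimately polls a missing point.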

Subscribers can download the latest package and view the documentation pages for each signature.

Comments

Comment from Ron Southworth
Time: June 6, 2007, 12:51 am

Some good news, Dale. I look forward to being able to access your subscriber content when we have a few changes realised here, hopefully in the next few months. This is some important work for protecting our systems, so it is much appreciated.
