Archive for 'SCADA IDS'
Beta Release: SCADA IDS Preprocessors
We are pleased to announce the beta release of some Quickdraw software components today. Quickdraw is a Digital Bond research project funded by the US Department of Homeland Security (DHS). This beta release is the first three SCADA IDS preprocessors that were the crux of the Quickdraw project. They are:
DNP3
Ethernet Industrial Protocol (EtherNet/IP and [...]
Author: Daniel Peck
Posted: June 25th, 2009 under DNP3, EtherNet/IP, IDS / IPS, Modbus TCP, Quickdraw, SCADA IDS.
Comments: none
Quickdraw Update: Preprocessors and Detection Plugins
It’s been a little while since we’ve had a Quickdraw update, and I wanted to fill everyone in on how we’re doing and the approach we’re using.
As we’ve described before we’re basing the project on the snort 2.8.x tree, and we could do much of the processing and alerting using only the snort rule language [...]
Author: Daniel Peck
Posted: April 27th, 2009 under Quickdraw, SCADA IDS, SCADA Protocols.
Comments: none
IDS Signature Release 3.3
With the advent of exploits of control system component and application vulnerabilities in the wild, we have added a fourth category to Digital Bond’s IDS signature package – Vulnerability Exploit IDS Signatures. There are currently three vulnerability exploit signatures.
All can see the list of IDS signatures in the SCADApedia:
DNP3 Signature List
ICCP Signature List
Modbus [...]
Author: Dale Peterson
Posted: October 20th, 2008 under SCADA IDS.
Comments: none
IDS Signature for DATAC RealWin SCADA Server Exploit
This vulnerability was made public a few days ago now, and we’ve put together a signature to detect it. This is another very simple stack-based overflow, seeing far too many of these in SCADA software; I hope vendors have already started doing some internal code audits to find these with the increased exposure the [...]
Author: Daniel Peck
Posted: October 12th, 2008 under SCADA IDS.
Comments: 1
Another SCADA Honeynet Update
This honeywall update includes our four latest IDS signatures which aid in detecting points list and function code scans on DNP3 and Modbus TCP. These signatures play an important role in identifying a reconnaissance scan on PLCs, RTUs, and IEDs in a control system environment. In regards to the honeywall, roo-1.2 has been released for [...]
Author: Landon Lewis
Posted: July 27th, 2007 under SCADA Honeynet, SCADA IDS.
Comments: 2
New DNP3 IDS Signatures
We added two new SCADA IDS signatures for DNP3 to our SCADA IDS release package. Like the recently released Modbus TCP signature update, these two new DNP3 signatures will identify when an attacker is performing a reconnaissance scan of a DNP3 outstation (PLC, RTU, IED, etc.). The first signature will identify someone scanning for [...]
Author: Dale Peterson
Posted: June 5th, 2007 under DNP3, SCADA IDS.
Comments: 1
New IDS Signatures for Modbus TCP
We released two new Modbus TCP IDS signatures and some improvements and updates today. The download of the entire new SCADA IDS package and links to the documentation are available on our IDS research page.
The new signatures identify Modbus scanners in two different ways.
SID 1111013, Modbus TCP – Function Code Scan, identifies a scanner attempting [...]
Author: Dale Peterson
Posted: April 27th, 2007 under Modbus TCP, SCADA IDS.
Comments: none
SCADA Honeynet Updates
This update includes the current version (roo 1.1) of the honeywall and a patched target which had a vulnerability in one of the service components. After a large number of bug fixes and IDS signature interface changes, the honeywall is stable and reports all SCADA alerts correctly in Walleye (as shown below).
Thanks to Neutralbit for [...]
Author: Landon Lewis
Posted: April 2nd, 2007 under SCADA Honeynet, SCADA IDS, Site Info.
Comments: none
Displaying Custom IDS Signature Alerts in Walleye
For those of you who have downloaded our latest release of the SCADA Honeynet, you have probably noticed that the SCADA IDS signatures display ‘unknown signature’ in the Walleye interface. I’m sure this is true for anyone who has put a custom IDS snort signature on their honeywall as well. The steps below outline what [...]
Author: Landon Lewis
Posted: February 6th, 2007 under SCADA Honeynet, SCADA IDS.
Comments: none
Latest Honeywall Test Version
So I decided to load the latest test version (1.1) of the roo Honeywall from the Honeynet Project. The image was made public on 11/30/06 and there are numerous improvements. One example being the package repositories are now set up correctly, previously when you would update the honeywall it would get packages from other repos causing [...]
Author: Landon Lewis
Posted: January 31st, 2007 under SCADA Honeynet, SCADA IDS.
Comments: none