
Archive for 'SCADA IDS'

Another SCADA Honeynet Update

This honeywall update includes our four latest IDS signatures, which aid in detecting points list and function code scans on DNP3 and Modbus TCP. These signatures play an important role in identifying a reconnaissance scan on PLCs, RTUs, and IEDs in a control system environment. In regards to the honeywall, roo-1.2 has been released for […]

New DNP3 IDS Signatures

We added two new SCADA IDS signatures for DNP3 to our SCADA IDS release package. Like the recently released Modbus TCP signature update, these two new DNP3 signatures will identify when an attacker is performing a reconnaissance scan of a DNP3 outstation (PLC, RTU, IED, etc.). The first signature will identify someone scanning for […]

New IDS Signatures for Modbus TCP

We released two new Modbus TCP IDS signatures and some improvements and updates today. The download of the entire new SCADA IDS package and links to the documentation are available on our IDS research page.
The new signatures identify Modbus scanners in two different ways.

SID 1111013, Modbus TCP - Function Code Scan, identifies a scanner attempting […]

SCADA Honeynet Updates

This update includes the current version (roo 1.1) of the honeywall and a patched target which had a vulnerability in one of the service components. After a large number of bug fixes and IDS signature interface changes, the honeywall is stable and reports all SCADA alerts correctly in Walleye (as shown below).

Thanks to Neutralbit for […]

Displaying Custom IDS Signature Alerts in Walleye

For those of you who have downloaded our latest release of the SCADA Honeynet, you have probably noticed that the SCADA IDS signatures display ‘unknown signature’ in the Walleye interface. I’m sure this is true for anyone who has put a custom Snort IDS signature on their honeywall as well. The steps below outline what […]

Latest Honeywall Test Version

So I decided to load the latest test version (1.1) of the roo Honeywall from the Honeynet Project. The image was made public on 11/30/06 and there are numerous improvements. One example is that the package repositories are now set up correctly; previously, when you would update the honeywall it would get packages from other repos causing […]

McAfee Supports ICCP Signatures

McAfee recently added support for most of our ICCP IDS signatures. See:
http://knowledge.mcafee.com/article/684/7716290_f.SAL_Public.html

SCADA IDS Question

Ty writes:
Say Company X’s CIRT deploys to an incident that was triggered by one of the SCADA IDS rules that DigitalBond has put out. What would be the best thing for the team to look for?
Talk to the operators? Look for netflows? Hope the IDS rule had a session tag or there was some kind […]

ICCP IDS Rules Update

We have issued a minor update to two ICCP rules, 1111404 and 1111405. These rules are related to the MMS layer. The new rules eliminate a small number of false negatives that were based on a specific implementation and a typical write request. The new rules also should lessen the number of false positives because […]

Fortinet Integrates SCADA Signatures

Fortinet has joined the group of IDS/IPS vendors that have integrated our SCADA Signatures. The Modbus TCP and DNP3 signatures are now available in Fortinet’s FortiGate devices including FortiOS 2.50, 2.80 and 3.00.
Fortinet products are also part of Verano’s security solutions.
The Snort version of the signatures is available free of charge to any bona fide […]