Archive for 'SCADA IDS'
Another SCADA Honeynet Update
This honeywall update includes our four latest IDS signatures which aid in detecting points list and function code scans on DNP3 and Modbus TCP. These signatures play an important role in identifying a reconnaissance scan on PLCs, RTUs, and IEDs in a control system environment. In regard to the honeywall, roo-1.2 has been released for […]
Author: Landon Lewis
Posted: July 27th, 2007 under SCADA Honeynet, SCADA IDS.
Comments: none
New DNP3 IDS Signatures
We added two new SCADA IDS signatures for DNP3 to our SCADA IDS release package. Like the recently released Modbus TCP signature update, these two new DNP3 signatures will identify when an attacker is performing a reconnaissance scan of a DNP3 outstation (PLC, RTU, IED, etc.). The first signature will identify someone scanning for […]
Author: Dale Peterson
Posted: June 5th, 2007 under DNP3, SCADA IDS.
Comments: 1
New IDS Signatures for Modbus TCP
We released two new Modbus TCP IDS signatures and some improvements and updates today. The download of the entire new SCADA IDS package and links to the documentation are available on our IDS research page.
The new signatures identify Modbus scanners in two different ways.
SID 1111013, Modbus TCP - Function Code Scan, identifies a scanner attempting […]
Author: Dale Peterson
Posted: April 27th, 2007 under Modbus TCP, SCADA IDS.
Comments: none
SCADA Honeynet Updates
This update includes the current version (roo 1.1) of the honeywall and a patched target which had a vulnerability in one of the service components. After a large number of bug fixes and IDS signature interface changes, the honeywall is stable and reports all SCADA alerts correctly in Walleye (as shown below).
Thanks to Neutralbit for […]
Author: Landon Lewis
Posted: April 2nd, 2007 under SCADA Honeynet, SCADA IDS, Site Info.
Comments: none
Displaying Custom IDS Signature Alerts in Walleye
For those of you who have downloaded our latest release of the SCADA Honeynet, you have probably noticed that the SCADA IDS signatures display ‘unknown signature’ in the Walleye interface. I’m sure this is true for anyone who has put a custom Snort IDS signature on their honeywall as well. The steps below outline what […]
Author: Landon Lewis
Posted: February 6th, 2007 under SCADA Honeynet, SCADA IDS.
Comments: none
Latest Honeywall Test Version
So I decided to load the latest test version (1.1) of the roo Honeywall from the Honeynet Project. The image was made public on 11/30/06 and there are numerous improvements. One example being the package repositories are now set up correctly; previously when you would update the honeywall it would get packages from other repos causing […]
Author: Landon Lewis
Posted: January 31st, 2007 under SCADA Honeynet, SCADA IDS.
Comments: none
McAfee Supports ICCP Signatures
McAfee recently added support for most of our ICCP IDS signatures. See:
http://knowledge.mcafee.com/article/684/7716290_f.SAL_Public.html
Author: Dale Peterson
Posted: May 16th, 2006 under SCADA IDS, Security Vendor.
Comments: none
SCADA IDS Question
Ty writes:
Say Company X’s CIRT deploys to an incident that was triggered by one of the SCADA IDS rules that DigitalBond has put out. What would be the best thing for the team to look for?
Talk to the operators? Look for netflows? Hope the IDS rule had a session tag or there was some kind […]
Author: Dale Peterson
Posted: February 26th, 2006 under IDS / IPS, SCADA IDS.
Comments: none
ICCP IDS Rules Update
We have issued a minor update to two ICCP rules, 1111404 and 1111405. These rules are related to the MMS layer. The new rules eliminate a small number of false negatives that were based on a specific implementation and a typical write request. The new rules also should lessen the number of false positives because […]
Author: Dale Peterson
Posted: January 10th, 2006 under ICCP, SCADA IDS.
Comments: none
Fortinet Integrates SCADA Signatures
Fortinet has joined the group of IDS/IPS vendors that have integrated our SCADA Signatures. The Modbus TCP and DNP3 signatures are now available in Fortinet’s FortiGate devices including FortiOS 2.50, 2.80 and 3.00.
Fortinet products are also part of Verano’s security solutions.
The Snort version of the signatures is available free of charge to any bona fide […]
Author: Dale Peterson
Posted: January 4th, 2006 under SCADA IDS, Security Vendor.
Comments: 1
