ICCP IDS Signatures
From SCADApedia
The ICCP IDS Signatures are part of Digital Bond's SCADA IDS Signature research project. The signatures (rules, in Snort parlance) are written for Snort, and some or all of the SCADA signatures have since been integrated into most commercial IDS/IPS products.
The signatures can be broadly grouped in the following categories:
- Unauthorized ICCP Use - the authorized ICCP clients and servers are entered as variables in the IDS, and the signatures fire when any other system sends a request. The severity assigned depends on how far the unauthorized system gets: a connection request, an established connection, an association, a write attempt, or a successful write.
- ICCP Protocol Errors - these signatures trigger on malformed or invalid protocol messages of the kind an attacker generates when fuzzing the protocol.
- Failed Connection and Write Attempts - once an ICCP deployment is configured, few error messages are expected. These signatures identify error messages that are unlikely to occur in a production environment unless an attacker is probing or attempting to exploit an ICCP server.
The ICCP Signatures currently available are listed in the table below.
| SID | Message | Summary |
|---|---|---|
| 1111401 | COTP Connection Request from Unauthorized Client | Unauthorized attempt to establish connection using the Connection Oriented Transport Protocol (COTP) to an ICCP server. |
| 1111402 | Unauthorized COTP Connection Established | An unauthorized ICCP client has successfully connected using OSI Connection Oriented Transport Protocol. |
| 1111403 | Unauthorized Association Request | Unauthorized client is forming an ICCP association with the server, after correctly negotiating lower layer communication parameters. |
| 1111404 | Unauthorized MMS Write Request Attempt | An unauthorized client has sent an MMS Write request attempting to change an MMS/ICCP variable in an ICCP server. |
| 1111405 | Unauthorized MMS Write Request Succeeded | An MMS Write request from an unauthorized client has succeeded; the attacker has changed the value of an MMS/ICCP variable in an ICCP server. |
| 1111406 | COTP Disconnect (Address Unknown) | An ICCP client has attempted to connect to an ICCP server with an invalid destination TSAP address. |
| 1111407 | COTP Disconnect (Protocol Error) | The ICCP server received a malformed COTP message and responded with a COTP Disconnect Request indicating a protocol error; the alert matches that error message from the server to the client. |
| 1111408 | Invalid OSI SSEL (Refuse PDU) | An ICCP Server has sent a Session Refuse PDU (SS-User not attached to SSAP) message in response to an invalid OSI Session Layer Selector (SSEL) value sent by the client. |
| 1111409 | Invalid OSI PSEL (ACSE Abort Message) | An ICCP server has sent an ACSE Abort message (ACSE Service User) in response to an invalid Presentation Layer Selector (PSEL) value sent by the client. |
| 1111410 | Non TPKT Traffic over TCP Port 102 | Traffic sent over TCP/102 that does not carry a valid TPKT header (RFC 1006), which is present in all ICCP communication. |
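To show how the "unauthorized use", "protocol error" and "failed connection" categories above translate into concrete checks on the wire, here is an added Python model of the TPKT/COTP-level signatures in the table (1111401, 1111402, 1111406, 1111407 and 1111410). It is not Digital Bond's rule set or Snort syntax; it is example code written for this page. The TPKT layout (version 3, reserved 0, 16-bit length) follows RFC 1006, the COTP PDU type codes and Disconnect Request reason codes follow RFC 905, and the authorized-client/server lists, the port-based direction test, the sample addresses and the hand-built packets are all assumptions. The session- and presentation-layer signatures (1111403 to 1111405, 1111408, 1111409) are not modelled.

```python
"""Constructed model of the ICCP TPKT/COTP signatures; not Digital Bond's rules."""
import struct
from dataclasses import dataclass

ICCP_PORT = 102
# Assumed equivalents of the Snort variables that hold the authorized peers.
ICCP_CLIENTS = {"10.0.1.10", "10.0.1.11"}
ICCP_SERVERS = {"10.0.2.5"}

# COTP PDU type codes (high nibble of the byte after the length indicator), RFC 905.
COTP_CR, COTP_CC, COTP_DR = 0xE0, 0xD0, 0x80
# COTP Disconnect Request reason codes, RFC 905.
DR_ADDRESS_UNKNOWN, DR_PROTOCOL_ERROR = 0x03, 0x85


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes  # TCP payload


def parse_tpkt(payload: bytes):
    """Return the COTP bytes if payload starts with a valid TPKT header, else None."""
    if len(payload) < 4:
        return None
    version, reserved, length = payload[0], payload[1], struct.unpack("!H", payload[2:4])[0]
    # TPKT: version 3, reserved 0, length covers the whole TPKT packet; a
    # minimal COTP data TPDU makes 7 bytes the smallest legal packet.
    if version != 3 or reserved != 0 or length != len(payload) or length < 7:
        return None
    return payload[4:]


def cotp_pdu_type(cotp: bytes):
    return cotp[1] & 0xF0 if len(cotp) >= 2 else None


def inspect(pkt: Packet):
    """Return (sid, message) alerts for one packet, mirroring the table above."""
    alerts = []
    if pkt.dport != ICCP_PORT and pkt.sport != ICCP_PORT:
        return alerts
    cotp = parse_tpkt(pkt.payload)
    if cotp is None:
        alerts.append((1111410, "Non TPKT Traffic over TCP Port 102"))
        return alerts
    ptype = cotp_pdu_type(cotp)
    to_server = pkt.dport == ICCP_PORT  # assumed direction test
    if to_server and ptype == COTP_CR and pkt.src not in ICCP_CLIENTS:
        alerts.append((1111401, "COTP Connection Request from Unauthorized Client"))
    if not to_server and ptype == COTP_CC and pkt.dst not in ICCP_CLIENTS:
        alerts.append((1111402, "Unauthorized COTP Connection Established"))
    if not to_server and ptype == COTP_DR and len(cotp) >= 7:
        reason = cotp[6]  # LI, type, DST-REF(2), SRC-REF(2), reason
        if reason == DR_ADDRESS_UNKNOWN:
            alerts.append((1111406, "COTP Disconnect (Address Unknown)"))
        elif reason == DR_PROTOCOL_ERROR:
            alerts.append((1111407, "COTP Disconnect (Protocol Error)"))
    return alerts


# Packet builders used only to construct the sample traffic below.
def tpkt(cotp: bytes) -> bytes:
    return struct.pack("!BBH", 3, 0, 4 + len(cotp)) + cotp


def cotp_cr(src_ref=1, called_tsap=b"\x00\x01", calling_tsap=b"\x00\x01") -> bytes:
    params = (b"\xc2" + bytes([len(called_tsap)]) + called_tsap
              + b"\xc1" + bytes([len(calling_tsap)]) + calling_tsap
              + b"\xc0\x01\x0a")  # TPDU size parameter
    body = struct.pack("!HH", 0, src_ref) + b"\x00" + params
    return bytes([len(body) + 1, COTP_CR]) + body  # LI counts type byte + body


def cotp_cc(dst_ref=1, src_ref=2) -> bytes:
    body = struct.pack("!HH", dst_ref, src_ref) + b"\x00"
    return bytes([len(body) + 1, COTP_CC]) + body


def cotp_dr(reason, dst_ref=1, src_ref=2) -> bytes:
    body = struct.pack("!HH", dst_ref, src_ref) + bytes([reason])
    return bytes([len(body) + 1, COTP_DR]) + body


# Constructed sample traffic (addresses and payloads are assumptions).
SAMPLE_TRAFFIC = [
    Packet("10.0.1.10", "10.0.2.5", 40001, 102, tpkt(cotp_cr())),   # authorized client, no alert
    Packet("10.0.9.99", "10.0.2.5", 40002, 102, tpkt(cotp_cr())),   # rogue client -> 1111401
    Packet("10.0.2.5", "10.0.9.99", 102, 40002, tpkt(cotp_cc())),   # server accepts it -> 1111402
    Packet("10.0.2.5", "10.0.1.10", 102, 40001, tpkt(cotp_dr(DR_ADDRESS_UNKNOWN))),  # 1111406
    Packet("10.0.2.5", "10.0.1.10", 102, 40001, tpkt(cotp_dr(DR_PROTOCOL_ERROR))),   # 1111407
    Packet("10.0.9.99", "10.0.2.5", 40003, 102, b"GET / HTTP/1.0\r\n\r\n"),  # 1111410
]


def run(packets=SAMPLE_TRAFFIC):
    """SIDs raised over the packet list, in order."""
    return [sid for pkt in packets for sid, _ in inspect(pkt)]


if __name__ == "__main__":
    for pkt in SAMPLE_TRAFFIC:
        for sid, msg in inspect(pkt):
            print(f"[{sid}] {msg}  {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
```

Two caveats worth carrying over to a real deployment: the TPKT length check is what makes 1111410 useful, since a fuzzer that keeps the version byte at 3 but lies about the length still fails `parse_tpkt`; and 1111402 only fires on the server's Connection Confirm, so an IDS that sees only one direction of the TCP/102 traffic (for example a SPAN port on the client side) will raise the request alert but never the established-connection alert.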