Modbus TCP IDS Signatures
From SCADApedia
The Modbus TCP IDS Signatures are part of Digital Bond's SCADA IDS Signature research project. The signatures (rules, in Snort parlance) are written for Snort, and some or all of the SCADA signatures have been integrated into most commercial IDS/IPS products.
The signatures can be broadly grouped in the following categories:
- Unauthorized Modbus Use - the authorized Modbus clients (HMIs and control servers) and servers (PLCs and other field devices) are entered as variables in the IDS, and the signatures fire when any other system sends a request. Severity depends on the request: a write to a PLC is treated as more serious than a read.
- Modbus Protocol Errors - these signatures trigger on malformed Modbus TCP frames, such as a frame whose length does not match its header, which is what an attacker fuzzing the protocol produces.
- Scanning - once a control system is deployed, certain exception responses and function codes should be exceedingly rare, so a burst of them indicates that someone is enumerating a Modbus server.
The Modbus TCP Signatures currently available are listed in the table below.
| SID | Message | Summary |
|---|---|---|
| 1111001 | Force Listen Only Mode | An attacker can force a PLC into listen-only mode by issuing function code 08 (Diagnostics) with sub-function code 04, Force Listen Only Mode. In that mode the device answers no request other than a Restart Communications Option, so this is an effective denial of service. |
| 1111002 | Restart Communications Option | An attacker can force a PLC or other Modbus TCP server to restart its communications, interrupting the process link much as a power cycle would, via function code 08, sub-function 01. |
| 1111003 | Clear Counters and Diagnostic Registers | An attacker erases the counters and diagnostic registers (function code 08, sub-function 0A) in an effort to hide evidence of an attack or to increase the time needed to recover from one. |
| 1111004 | Read Device Identification | An attacker learns the vendor, product code, version number and other identifying information about a PLC or other Modbus server by issuing function code 43 (0x2B) with MEI type 14, Read Device Identification. |
| 1111005 | Report Server Information | An attacker gains information on a PLC or other Modbus server by issuing the function code 17 (0x11) Report Slave ID (now called Report Server ID) request. |
| 1111006 | Unauthorized Read Request to a PLC | An unauthorized Modbus client attempts to read information from a PLC or other field device. |
| 1111007 | Unauthorized Write Request to a PLC | An unauthorized Modbus client attempts to write information to a PLC or other field device. |
| 1111008 | Illegal Packet Size, Possible DOS Attack | A Modbus TCP frame that exceeds the maximum length the protocol allows: a 7-byte MBAP header plus a PDU of at most 253 bytes, 260 bytes in total. |
| 1111009 | Non-Modbus Communication on TCP Port 502 | Traffic on TCP port 502 that is not Modbus, indicating that an established connection between an HMI or control server and a PLC has been hijacked or spoofed to deliver other attacks to either device. |
| 1111010 | Slave Device Busy Exception Code Delay | An attacker postpones an action or an alarm by sending exception code 06, Slave Device Busy, in an exception response message. The threshold is 3 responses in 60 seconds. |
| 1111011 | Acknowledge Exception Code Delay | An attacker postpones an action or an alarm by sending exception code 05, Acknowledge, in an exception response message. The threshold is 3 responses in 60 seconds. |
| 1111012 | Incorrect Packet Length, Possible DOS Attack | The Modbus TCP frame's actual length differs from the value in the length field of the Modbus Application Protocol (MBAP) header. |
| 1111013 | Points List Scan | An attacker determines what Modbus TCP data points are available in the reconnaissance phase of an attack. |
| 1111014 | Function Code Scan | An attacker determines what Modbus TCP function codes are available in the reconnaissance phase of an attack. |
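The three categories and the rows of the table boil down to a handful of checks on the MBAP header and the PDU, plus per-source counting for the exception-code rules. The Python below is an added example written for this page, not Digital Bond's rule set or any Snort code: the IP addresses are hypothetical, the read/write split applied to unauthorized clients and the reuse of the 3-in-60-second window for the two scan signatures are assumptions, and the sample traffic is constructed rather than captured. It parses Modbus TCP frames at the same offsets the signatures key on and returns the message each frame would raise.

```python
import struct
from collections import defaultdict

# Hypothetical addresses for this example: sanctioned Modbus clients and the PLCs.
AUTHORIZED_CLIENTS = {"10.0.0.10"}
PLC_SERVERS = {"10.0.0.20"}

MBAP_LEN = 7     # transaction id (2) + protocol id (2) + length (2) + unit id (1)
MAX_ADU = 260    # 7-byte MBAP header + 253-byte maximum Modbus PDU
WRITE_FCS = {5, 6, 15, 16, 22, 23}   # coil/register writes, mask write, read/write multiple

# Function 08 (Diagnostics) sub-functions that map to the page's signatures.
DIAG_SUBFUNCS = {0x01: "Restart Communications Option",
                 0x04: "Force Listen Only Mode",
                 0x0A: "Clear Counters and Diagnostic Registers"}
# Exception codes counted per server: the page gives 3 in 60 s for codes 05/06;
# the same window is an assumption here for the scan rules keyed on 01 and 02.
EXC_RULES = {0x01: "Function Code Scan", 0x02: "Points List Scan",
             0x05: "Acknowledge Exception Code Delay",
             0x06: "Slave Device Busy Exception Code Delay"}
THRESHOLD, WINDOW = 3, 60.0

def mbap(pdu, tid=1, uid=1):
    """Wrap a PDU in a Modbus TCP header; the length field counts unit id + PDU."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, uid) + pdu

class ModbusMonitor:
    def __init__(self):
        self._exc_times = defaultdict(list)   # (server, exception code) -> timestamps

    def inspect(self, ts, src, dst, payload):
        """Return the signature messages one TCP/502 payload triggers."""
        alerts = []
        if len(payload) > MAX_ADU:
            alerts.append("Illegal Packet Size, Possible DOS Attack")
        if len(payload) < MBAP_LEN + 1:
            return alerts + ["Non-Modbus Communication on TCP Port 502"]
        tid, pid, length, uid = struct.unpack(">HHHB", payload[:MBAP_LEN])
        if pid != 0:                       # Modbus TCP protocol id is always 0
            return alerts + ["Non-Modbus Communication on TCP Port 502"]
        if length != len(payload) - 6:     # header length field vs. bytes on the wire
            alerts.append("Incorrect Packet Length, Possible DOS Attack")
        pdu = payload[MBAP_LEN:]
        fc = pdu[0]
        if dst in PLC_SERVERS:
            alerts += self._request(src, fc, pdu)
        elif src in PLC_SERVERS and fc & 0x80:   # exception response from a server
            alerts += self._exception(ts, src, pdu)
        return alerts

    def _request(self, src, fc, pdu):
        alerts = []
        if fc == 0x08 and len(pdu) >= 3:
            sub = struct.unpack(">H", pdu[1:3])[0]
            if sub in DIAG_SUBFUNCS:
                alerts.append(DIAG_SUBFUNCS[sub])
        elif fc == 0x2B and len(pdu) >= 2 and pdu[1] == 0x0E:   # MEI type 14
            alerts.append("Read Device Identification")
        elif fc == 0x11:
            alerts.append("Report Server Information")
        if src not in AUTHORIZED_CLIENTS:
            # Assumed split: writes get the higher-severity rule, every other
            # request from an unlisted client (diagnostics included) the read rule.
            kind = "Write" if fc in WRITE_FCS else "Read"
            alerts.append(f"Unauthorized {kind} Request to a PLC")
        return alerts

    def _exception(self, ts, server, pdu):
        code = pdu[1] if len(pdu) > 1 else None
        if code not in EXC_RULES:
            return []
        key = (server, code)
        recent = [t for t in self._exc_times[key] if ts - t < WINDOW] + [ts]
        if len(recent) >= THRESHOLD:       # fire once, then start counting afresh
            self._exc_times[key] = []
            return [EXC_RULES[code]]
        self._exc_times[key] = recent
        return []

def run_sample():
    """Replay constructed traffic (not a real capture) and return per-packet alerts."""
    mon = ModbusMonitor()
    hmi, plc, rogue = "10.0.0.10", "10.0.0.20", "10.0.0.99"
    events = [
        (0.0, hmi, plc, mbap(b"\x03\x00\x00\x00\x0a")),      # sanctioned read of 10 registers
        (1.0, rogue, plc, mbap(b"\x03\x00\x00\x00\x0a")),    # same read from an unlisted host
        (2.0, rogue, plc, mbap(b"\x08\x00\x04\x00\x00")),    # Diagnostics sub-function 04
        (3.0, hmi, plc, mbap(b"\x2b\x0e\x01\x00")),          # Read Device Identification
        (4.0, hmi, plc, mbap(b"\x11")),                      # Report Slave ID
        (5.0, hmi, plc, struct.pack(">HHHB", 1, 0, 50, 1) + b"\x03\x00\x00\x00\x0a"),  # wrong length field
        (6.0, hmi, plc, mbap(b"\x10" + b"\x00" * 300)),      # ADU longer than 260 bytes
        (7.0, hmi, plc, b"GET / HTTP/1.0\r\n"),              # not Modbus at all
        (8.0, plc, hmi, mbap(b"\x83\x06")),                  # exception 06, Slave Device Busy
        (9.0, plc, hmi, mbap(b"\x83\x06")),
        (10.0, plc, hmi, mbap(b"\x83\x06")),                 # third within 60 s: fires
        (200.0, plc, hmi, mbap(b"\x83\x06")),                # new window: silent
    ]
    return [mon.inspect(ts, s, d, p) for ts, s, d, p in events]
```

Calling `run_sample()` yields one alert list per constructed packet, so the mapping from frame bytes to signature is visible for each row of the table. In Snort the same checks are expressed as `content` and `byte_test` matches at fixed offsets into the TCP payload, with `threshold` or `detection_filter` options for the counted exception-code rules; the script only makes explicit which header and PDU bytes each signature depends on.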
