SCADA IDS Signatures (SIS)

CRITIFENCE® SCADA IDS Signatures Database (SIS)

Check for Large Header Length

Date: 2016-03-03
Title: Check for Large Header Length
Author: NitroSecurity, Rockwell Automation
SVE-ID: N/A

Description
This rule was developed in response to ICSA-11-273-03, the Rockwell RSLogix Denial of Service Vulnerability. Before loading the rule, add the following variable, $ROCKWELL_PORTS, to the conf file:

$ROCKWELL_PORTS = [1330,1331,1332,4241,4242,4445,4446,5241,6543,9111,60093,49281]

Signature

alert tcp any any -> $HOME_NET $ROCKWELL_PORTS (msg:"Rockwell RNA Message Large Header Length - 8Kb"; \
    flow:to_server; \
    content:"rna|f2|"; \
    byte_test:4,>,0x2000,0,relative,little; \
    classtype:attempted-dos; \
    sid:1111681; \
    rev:1;)
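
The matching logic of the signature above, reproduced as an added Python example (not part of the SIS database entry) so the rule can be checked offline against payloads extracted from a capture. Only the `rna|f2|` marker, the 4-byte little-endian field and the 0x2000 threshold come from the rule; the function names and sample payloads are constructed, and trying every occurrence of the marker is an assumption about how the engine retries a content match.

```python
import struct

MAGIC = b"rna\xf2"   # content:"rna|f2|" (case-sensitive, the rule has no nocase)
LIMIT = 0x2000       # byte_test threshold from the rule: 8192 bytes


def header_lengths(payload: bytes):
    """Yield (offset, length) for each MAGIC occurrence followed by 4 bytes."""
    pos = payload.find(MAGIC)
    while pos != -1:
        field = pos + len(MAGIC)       # 'relative', offset 0: right after the match
        if field + 4 <= len(payload):  # byte_test cannot match on truncated data
            # 'little': the 4 bytes are read as an unsigned little-endian integer
            yield pos, struct.unpack_from("<I", payload, field)[0]
        pos = payload.find(MAGIC, pos + 1)


def rule_matches(payload: bytes) -> bool:
    """True when the rule would alert: some length field is strictly > 0x2000."""
    return any(length > LIMIT for _, length in header_lengths(payload))


# Constructed sample payloads (illustrative only, not captured traffic).
SAMPLES = {
    "normal":     MAGIC + struct.pack("<I", 0x0040) + b"\x00" * 8,
    "boundary":   MAGIC + struct.pack("<I", 0x2000),   # equal to limit: no alert
    "oversized":  MAGIC + struct.pack("<I", 0x2001),
    "truncated":  MAGIC + b"\xff\xff",                 # fewer than 4 bytes follow
    "uppercase":  b"RNA\xf2" + struct.pack("<I", 0xFFFF),
    # A small value written big-endian reads as 0x20000000 little-endian, so
    # byte order on the wire decides whether this is a false positive.
    "big_endian": MAGIC + struct.pack(">I", 0x0020),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:10s} alert={rule_matches(data)}")
```
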