|2016-03-03||Check for Negative Header Length||NitroSecurity, Rockwell Automation||N/A|
|This rule was developed in response to ICSA-11-273-03 Rockwell RSLogix Denial of Service Vulnerability.
You need to add the following variable, $ROCKWELL_PORTS to the conf file.
$ROCKWELL_PORTS = [1330,1331,1332,4241,4242,4445,4446,5241,6543,9111,60093,49281]|
alert tcp any any -> $HOME_NET $ROCKWELL_PORTS (msg:"Rockwell RNA Message Negative Header Length";