SCADA IDS Signatures (SIS)

CRITIFENCE® SCADA IDS Signatures Database (SIS)

Ensure Null Terminated Header

Date: 2016-03-03
Title: Ensure Null Terminated Header
Author: NitroSecurity, Rockwell Automation
SVE-ID: N/A

Description
This rule was developed in response to ICSA-11-273-03, Rockwell RSLogix Denial of Service Vulnerability. Add the following variable, $ROCKWELL_PORTS, to the conf file:

$ROCKWELL_PORTS = [1330,1331,1332,4241,4242,4445,4446,5241,6543,9111,60093,49281]

Signature

alert tcp any any -> $HOME_NET $ROCKWELL_PORTS (msg:"Rockwell RNA Message Header Not Null Terminated"; flow:to_server; content:"rna|f2|"; byte_jump:4,0,relative,little; content:!"|00|"; distance:-1; within:1; classtype:attempted-dos; sid:1111685; rev:1;)