SCADA IDS Signatures (SIS)

CRITIFENCE® SCADA IDS Signatures Database (SIS)

Crash CPU Attempt

Date        Title              Author               SVE-ID
2016-03-03  Crash CPU Attempt  Rockwell Automation  N/A
Description
This rule was developed by Rockwell Automation in response to vulnerabilities identified in Project Basecamp.

Attack: Crash CPU
Impact: Crashes the CPU due to a malformed request, leaving it in a ‘Major recoverable fault’ state. In order to clear the fault, the key needs to be turned manually from RUN to PROG twice.

    // CIP - Unconnected Send – CM via 0x52
    // Service: 0xa Multiple Service Packet
    // Class: 0x2 Message Router
    // CPF body carried in the EtherNet/IP SendRRData command: interface handle, timeout,
    // item count, null address item, then the Unconnected Data Item (type 0xb2, length 26)
    unsigned char packetCrashCPU[] =
        "\x00\x00\x00\x00\x02\x00\x02\x00\x00\x00\x00\x00\xb2\x00\x1a\x00"
        "\x52\x02\x20\x06\x24\x01\x03\xf0\x0c\x00\x0a\x02\x20\x02\x24\x01"
        "\xf4\xf0\x09\x09\x88\x04\x01\x00\x01\x00";

Signature

alert tcp any any -> $ENIP_SERVER 44818 (msg:"ROCKWELL Automation ControlLogix Denial of Service (Crash CPU)";
 flow:to_server;
 content:"|6f 00|";
 offset:0;
 depth:2;
 content:"|00 00 00 00|";
 distance:22;
 within:4;
 byte_extract:2,2,count,relative,multiplier 4,little;
 content:"|b2 00|";
 distance:0;
 within:count;
 content:"|52|";
 distance:2;
 within:1;
 byte_jump:1,0,relative,multiplier 2;
 content:"|0a|";
 distance:4;
 within:1;
 classtype:attempted-dos;
 reference:osvdb,78486;
 reference:secunia,47737;
 sid:1111687;
 rev:1;
)
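To show what the signature actually keys on, here is an added Python re-implementation of the rule's option sequence; it is not part of the CRITIFENCE database or Rockwell's rule. The EtherNet/IP encapsulation header and the benign Get_Attributes_All request are constructed for the example; the CPF body is the packetCrashCPU[] array from the description above.

```python
import struct

def enip_header(body_len: int) -> bytes:
    """Constructed 24-byte EtherNet/IP header: SendRRData (0x6f), length,
    session handle, status, 8-byte sender context, options."""
    return struct.pack("<HHII8sI", 0x006F, body_len, 1, 0, b"\x00" * 8, 0)

# CPF/CIP body from the page's packetCrashCPU[] (42 bytes).
CRASH_CPU_BODY = bytes.fromhex(
    "000000000200020000000000b2001a00"   # iface handle, timeout, 2 items, null addr, 0xb2 item len 26
    "52022006240103f00c000a0220022401"   # Unconnected Send -> Multiple Service Packet to Message Router
    "f4f00909880401000100"               # remainder of the request
)
# Constructed benign request with identical framing but an inner Get_Attributes_All (0x01).
BENIGN_BODY = bytes.fromhex(
    "000000000200020000000000b2001400"
    "52022006240103f00600010220012401"
    "01000100"
)

def _content(frame, pattern, cursor, distance, within):
    """Snort content with distance/within relative to the cursor; returns the
    cursor just past the match, or None when the pattern is not in the window."""
    start = cursor + distance
    hit = frame.find(pattern, start, start + within)
    return None if hit < 0 else hit + len(pattern)

def rule_matches(frame: bytes) -> bool:
    """Apply the signature's options, in order, to one TCP payload."""
    if frame[0:2] != b"\x6f\x00":                    # content:"|6f 00|"; offset:0; depth:2
        return False
    cur = _content(frame, b"\x00" * 4, 2, 22, 4)     # interface handle == 0 at byte 24
    if cur is None or len(frame) < cur + 4:
        return False
    count = struct.unpack_from("<H", frame, cur + 2)[0] * 4   # byte_extract item count, x4
    cur += 4                                          # cursor moves past the extracted field
    cur = _content(frame, b"\xb2\x00", cur, 0, count) # Unconnected Data Item within count bytes
    if cur is None:
        return False
    cur = _content(frame, b"\x52", cur, 2, 1)         # skip item length, expect Unconnected Send
    if cur is None or cur >= len(frame):
        return False
    cur += 1 + frame[cur] * 2                         # byte_jump: path size in words, x2
    return _content(frame, b"\x0a", cur, 4, 1) is not None  # Multiple Service Packet after prio/timeout/size

def frame(body: bytes) -> bytes:
    return enip_header(len(body)) + body
```

Note that the rule stops at the 0x0a service byte and never inspects the malformed remainder, so any Multiple Service Packet wrapped in an Unconnected Send over SendRRData will fire it; tune or whitelist against known-good hosts before trusting it as a pure attack indicator.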