SCADA IDS Signatures (SIS)

CRITIFENCE® SCADA IDS Signatures Database (SIS)

Dump 1756-ENBT’s module boot code Attempt

Date        Title                                       Author               SVE-ID
2016-03-03  Dump 1756-ENBT’s module boot code Attempt   Rockwell Automation  N/A
Description
This rule was developed by Rockwell Automation in response to vulnerabilities identified in Project Basecamp.

Attack: Dump 1756-ENBT’s module boot code

Impact: A ‘curious’ undocumented service that allows remote dumping of the EtherNet/IP module’s boot code.

The request that triggers the service, as given with the rule:

    // CIP - Unconnected send
    // Service: 0x97
    // Class: 0xc0
    unsigned char packetDump[] =
        // interface handle (CIP), timeout, item count 2, null address item, connected data item (b2 00, length 8)
        "\x00\x00\x00\x00\x00\x04\x02\x00\x00\x00\x00\x00\xb2\x00\x08\x00"
        // service 0x97, path size 2 words: class 0xc0 (20 c0), instance 0 (24 00), trailing data
        "\x97\x02\x20\xc0\x24\x00\x00\x00";

Signature

alert tcp any any -> $ENIP_SERVER 44818 (msg:"ROCKWELL Automation ControlLogix EtherNET/IP modules boot code dump (Dump)";
 flow:to_server;
 content:"|6f 00|";
 offset:0;
 depth:2;
 content:"|00 00 00 00|";
 distance:22;
 within:4;
 byte_extract:2,2,count,relative,multiplier 4,little;
 content:"|b2 00|";
 distance:0;
 within:count;
 content:"|97 02 20 c0 24|";
 distance:2;
 within:5;
 classtype:data-attempt;
 reference:osvdb,78490;
 reference:secunia,47737;
 sid:1111688;
 rev:1;
)
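An added example, not part of the CRITIFENCE database or of Rockwell Automation's rule: a Python re-implementation of the rule's content/byte_extract chain, used to check its offsets offline against a SendRRData frame built from the packetDump bytes above and against a constructed benign Identity-object read. The ENIP header values (session handle, sender context, options) and the benign request are assumptions made for the test.

```python
import struct

ENIP_SEND_RR_DATA = 0x6F  # encapsulation command the rule anchors on ("|6f 00|")


def match_boot_code_dump(payload: bytes) -> bool:
    """Walk the rule's content/byte_extract chain with Snort's cursor semantics."""
    # content:"|6f 00|"; offset:0; depth:2  -> SendRRData command
    if payload[0:2] != b"\x6f\x00":
        return False
    cursor = 2
    # content:"|00 00 00 00|"; distance:22; within:4 -> CIP interface handle
    start = cursor + 22
    idx = payload.find(b"\x00\x00\x00\x00", start, start + 4)
    if idx < 0:
        return False
    cursor = idx + 4
    # byte_extract:2,2,count,relative,multiplier 4,little -> item count * 4
    if len(payload) < cursor + 4:
        return False
    count = struct.unpack_from("<H", payload, cursor + 2)[0] * 4
    cursor += 4  # byte_extract leaves the cursor after the extracted field
    # content:"|b2 00|"; distance:0; within:count -> connected data item
    idx = payload.find(b"\xb2\x00", cursor, cursor + count)
    if idx < 0:
        return False
    cursor = idx + 2
    # content:"|97 02 20 c0 24|"; distance:2; within:5 -> service 0x97, class 0xc0
    start = cursor + 2
    return payload[start:start + 5] == b"\x97\x02\x20\xc0\x24"


def enip_send_rr_data(cpf: bytes, session: int = 0x11223344) -> bytes:
    """Constructed test frame: 24-byte ENIP encapsulation header + CPF data."""
    return struct.pack("<HHIIQI", ENIP_SEND_RR_DATA, len(cpf), session, 0, 0, 0) + cpf


# CPF bytes of the page's packetDump: interface handle, timeout, item count 2,
# null address item, connected data item (len 8) with 97 02 20 c0 24 00 00 00
BOOT_CODE_DUMP_CPF = bytes.fromhex(
    "00000000 0004 0200 00000000 b200 0800 9702 20c0 2400 0000"
)
# Constructed benign request in the same framing: Get_Attributes_All (0x01)
# on the Identity object (class 0x01, instance 1)
IDENTITY_READ_CPF = bytes.fromhex("00000000 0004 0200 00000000 b200 0600 0102 2001 2401")

if __name__ == "__main__":
    print(match_boot_code_dump(enip_send_rr_data(BOOT_CODE_DUMP_CPF)))  # True
    print(match_boot_code_dump(enip_send_rr_data(IDENTITY_READ_CPF)))   # False
```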