Snort: Rule to detect Modbus device fingerprinting
Tue, 21 Apr 2009

I've just published a Snort rule to detect SCADA Modbus device fingerprinting tools like modscan:

```
alert tcp any any -> any 502 (msg:"ET SCAN Modbus Scanning detected"; content:"|00 00 00 00 00 02|"; depth:6; threshold: type both, track by_src, count 100, seconds 10; classtype:bad-unknown; reference:url,code.google.com/p/modscan/; reference:url,www.rtaautomation.com/modbustcp/; sid:2009286; rev:1;)
```

You can find it at Emerging Threats.

posted at: 15:55 | path: /Scada Security

Ntop: Testing l7-filter protocol detection patterns
Sun, 12 Apr 2009

I've written a little script to quickly test the l7-filter protocol patterns used by ntop to detect protocol usage.

You have to install scapy. I've included some patterns from Ntop; include your own in the l7-patterns directory. You can read a pcap or capture from an interface.

Examples:

```
root@ubuntu:~/panalyzer# python l7Match.py -f http1.pcap
http 74.125.43.83 -> 192.168.1.131
root@ubuntu:~/proyectos/panalyzer# python l7Match.py -i eth0
ssl 88.221.225.51 -> 192.168.1.128
ssl 192.168.1.128 -> 88.221.225.51
ssl 88.221.225.51 -> 192.168.1.128
ssl 192.168.1.128 -> 88.221.225.51
```

posted at: 19:00 | path: /Ossim
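The two parts of the Modbus rule above, the 6-byte MBAP content match and the `type both` threshold, modelled in Python as an added example (not code from the original post or from Snort). The `Packet` tuple, the function names and all traffic are constructed, and the fixed per-source window is a simplified model of Snort's threshold handling.

```python
import struct
from collections import namedtuple

Packet = namedtuple("Packet", "ts src dport payload")  # hypothetical record
PATTERN = bytes.fromhex("000000000002")   # content:"|00 00 00 00 00 02|"; depth:6
COUNT, SECONDS = 100, 10                  # threshold: count 100, seconds 10

def matches_rule(dport, payload):
    """MBAP header with transaction id 0, protocol id 0, length 2, sent to port 502."""
    return dport == 502 and payload[:6] == PATTERN

def detect(packets):
    """Return (ts, src) per alert: one alert per source per window (type both)."""
    state = {}    # src -> [window_start, match_count]   (track by_src)
    alerts = []
    for p in packets:
        if not matches_rule(p.dport, p.payload):
            continue
        win = state.get(p.src)
        if win is None or p.ts - win[0] >= SECONDS:   # window expired: start over
            win = state[p.src] = [p.ts, 0]
        win[1] += 1
        if win[1] == COUNT:     # alert on the 100th match, suppress the rest
            alerts.append((p.ts, p.src))
    return alerts

def probe(unit_id, function=0x11):
    """Constructed frame: MBAP (tid 0, proto 0, len 2, unit id) + a data-less function code."""
    return struct.pack(">HHHBB", 0, 0, 2, unit_id, function)

def sample_traffic():
    """Constructed traffic from three documentation-range sources."""
    # Unit-id sweep: 250 matching frames in 5 s -> crosses the threshold once
    pkts = [Packet(i / 50, "192.0.2.10", 502, probe(i % 248)) for i in range(250)]
    # Normal poller: read holding registers, tid != 0 and len 6 -> no content match
    pkts += [Packet(float(i), "192.0.2.20", 502,
                    struct.pack(">HHHBBHH", i + 1, 0, 6, 1, 3, 0, 10)) for i in range(20)]
    # Low-rate source: matching frames at 1/s stay under 100 per 10 s -> no alert
    pkts += [Packet(float(i), "192.0.2.30", 502, probe(i % 248)) for i in range(150)]
    return sorted(pkts, key=lambda p: p.ts)

if __name__ == "__main__":
    print(detect(sample_traffic()))
```

The low-rate source shows the tuning trade-off in `count 100, seconds 10`: the threshold keeps a single matching frame from alerting, at the cost of missing matches that arrive slowly.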
Jaime Blasco (feel free to get in touch)