Jaime Blasco Blog


Snort: Rule to detect Modbus device fingerprinting
Tue, 21 Apr 2009

I've just published a Snort rule to detect SCADA Modbus device fingerprinting tools like modscan:

alert tcp any any -> any 502 (msg:"ET SCAN Modbus Scanning detected"; content:"|00 00 00 00 00 02|"; depth:6; threshold: type both, track by_src, count 100, seconds 10; classtype:bad-unknown; reference:url,code.google.com/p/modscan/; reference:url,www.rtaautomation.com/modbustcp/; sid:2009286; rev:1;)

You can find it at Emerging Threats.
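The six bytes the rule matches are the start of the Modbus/TCP MBAP header (transaction ID 0, protocol ID 0, length 2), and the threshold alerts once per source per 10-second window after 100 matches. The Python below is an added example, not part of the original post or the Emerging Threats ruleset; it approximates that logic over constructed packet tuples so the rule's behaviour can be checked offline. The function names, IP addresses and sample traffic are assumptions made for illustration.

```python
import struct
from collections import defaultdict

MODBUS_PORT = 502
COUNT, SECONDS = 100, 10  # threshold values taken from the rule

def matches_rule_content(payload: bytes) -> bool:
    """Equivalent of content:"|00 00 00 00 00 02|"; depth:6 on the TCP payload."""
    if len(payload) < 6:
        return False
    trans_id, proto_id, length = struct.unpack(">HHH", payload[:6])
    return trans_id == 0 and proto_id == 0 and length == 2

def detect(packets):
    """packets: time-ordered (timestamp, src_ip, dst_port, tcp_payload) tuples.
    Returns [(timestamp, src_ip)], approximating 'type both, track by_src':
    one alert per source per window once COUNT matches are seen."""
    state = defaultdict(lambda: {"start": None, "count": 0, "alerted": False})
    alerts = []
    for ts, src, dport, payload in packets:
        if dport != MODBUS_PORT or not matches_rule_content(payload):
            continue
        s = state[src]
        if s["start"] is None or ts - s["start"] >= SECONDS:
            s.update(start=ts, count=0, alerted=False)  # new window
        s["count"] += 1
        if s["count"] >= COUNT and not s["alerted"]:
            s["alerted"] = True
            alerts.append((ts, src))
    return alerts

def sample_traffic():
    """Constructed traffic (documentation IP ranges), not a real capture."""
    # Header matching the rule, then unit id 1 and one function-code byte.
    probe = bytes.fromhex("000000000002") + bytes([1, 0x11])
    # Ordinary read request: transaction id 7, length 6, so no content match.
    poll = struct.pack(">HHHBBHH", 7, 0, 6, 1, 3, 0, 10)
    pkts = [(i * 0.05, "192.0.2.10", 502, probe) for i in range(150)]   # fast sweep
    pkts += [(i * 0.05, "192.0.2.20", 502, poll) for i in range(150)]   # HMI polling
    pkts += [(i * 1.0, "192.0.2.30", 502, probe) for i in range(50)]    # slow, under threshold
    return sorted(pkts, key=lambda p: p[0])

if __name__ == "__main__":
    for ts, src in detect(sample_traffic()):
        print(f"{ts:.2f}s ET SCAN Modbus Scanning detected from {src}")
```

Only the fast sweep from 192.0.2.10 alerts; a source sending matching requests at one per second never reaches 100 inside a window, which is the trade-off the rule's threshold makes against noise.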

posted at: 15:55 | path: /Scada Security