snort2-docker/docker/etc/rules/protocol-scada.rules

# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
# 
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
# 
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#----------------------
# PROTOCOL-SCADA RULES
#----------------------

# alert tcp $EXTERNAL_NET any -> $HOME_NET 1217 (msg:"PROTOCOL-SCADA CoDeSys GatewayService heap overrun attempt"; flow:to_server,established; content:"|FF FF FF|"; depth:3; offset:13; byte_test:1,>,0xCB,-4,relative; content:"|00|"; depth:1; offset:5; content:"|00|"; within:1; distance:1; reference:bugtraq,50849; reference:cve,2011-5008; classtype:attempted-user; sid:44368; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [12397,12399] (msg:"PROTOCOL-SCADA Schneider Electric IGSS integer underflow attempt"; flow:to_server,established; content:"|9E 19 00 00 49 A1 00 00 EF 03 00 00 70 4E 42 73 48 4A 53 59 62 70 58 61 6D 73 64 78 73 54 70 62|"; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2013-0657; classtype:attempted-user; sid:29504; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Tri PLC Nano 10 PLC denial of service attempt"; flow:to_server,established; content:"|00 06|"; depth:2; offset:4; modbus_func:1; modbus_data; content:"|00 00|"; depth:2; offset:2; reference:cve,2013-2784; classtype:denial-of-service; sid:29965; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 20171 (msg:"PROTOCOL-SCADA Yokogawa CENTUM CS 3000 stack buffer overflow attempt"; flow:to_server,established; content:"|64 A1 18 00 00 00 83 C0 08 8B 20 81 C4 30 F8 FF FF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop; reference:cve,2014-0783; reference:url,www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf; classtype:attempted-admin; sid:30562; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20222 (msg:"PROTOCOL-SCADA Multiple Schneider Electric SCADA products buffer overflow attempt"; flow:to_server,established; content:"|02 00 00 00 00|"; depth:9; byte_test:4,>=,225,0,relative; reference:bugtraq,29634; reference:cve,2008-2639; reference:url,citect.schneider-electric.com/scada/citectscada/about-citect-scada-2016; reference:url,igss.schneider-electric.com/products/igss/index.aspx; classtype:attempted-admin; sid:14265; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus write multiple coils - too many outputs"; flow:to_server,established; modbus_func:write_multiple_coils; byte_test:2,>,1968,10; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:15076; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus user-defined function code - 65 to 72"; flow:to_server,established; byte_test:1,>,64,7; byte_test:1,<,73,7; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:15074; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus read multiple coils - too many inputs"; flow:to_server,established; modbus_func:read_coils; byte_test:2,>,2000,10; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:15077; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus user-defined function code - 100 to 110"; flow:to_server,established; byte_test:1,>,99,7; byte_test:1,<,111,7; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:15075; rev:5;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 9600 (msg:"PROTOCOL-SCADA OMRON-FINS memory card format attempt"; flow:to_server; byte_test:1,!&,64,0; content:"|00 02|"; depth:2; offset:1; content:"|22 04|"; depth:2; offset:10; reference:url,forums.mrplc.com/index.php?download=467; classtype:protocol-command-decode; sid:15411; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 9600 (msg:"PROTOCOL-SCADA OMRON-FINS file memory write attempt"; flow:to_server; byte_test:1,!&,64,0; content:"|00 02|"; depth:2; offset:1; content:"|22 11|"; depth:2; offset:10; reference:url,forums.mrplc.com/index.php?download=467; classtype:protocol-command-decode; sid:15407; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 9600 (msg:"PROTOCOL-SCADA OMRON-FINS memory area fill attempt"; flow:to_server; byte_test:1,!&,64,0; content:"|00 02|"; depth:2; offset:1; content:"|01 03|"; depth:2; offset:10; reference:url,forums.mrplc.com/index.php?download=467; classtype:protocol-command-decode; sid:15390; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 9600 (msg:"PROTOCOL-SCADA OMRON-FINS memory area write attempt"; flow:to_server; byte_test:1,!&,64,0; content:"|00 02|"; depth:2; offset:1; content:"|01 02|"; depth:2; offset:10; reference:url,forums.mrplc.com/index.php?download=467; classtype:protocol-command-decode; sid:15389; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 9600 (msg:"PROTOCOL-SCADA OMRON-FINS RESET attempt"; flow:to_server; byte_test:1,!&,64,0; content:"|00 02|"; depth:2; offset:1; content:"|04 03|"; depth:2; offset:10; reference:url,forums.mrplc.com/index.php?download=467; classtype:protocol-command-decode; sid:15409; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 9600 (msg:"PROTOCOL-SCADA OMRON-FINS program area clear attempt"; flow:to_server; byte_test:1,!&,64,0; content:"|00 02|"; depth:2; offset:1; content:"|03 08|"; depth:2; offset:10; reference:url,forums.mrplc.com/index.php?download=467; classtype:protocol-command-decode; sid:15397; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 9600 (msg:"PROTOCOL-SCADA OMRON-FINS memory area fill overflow attempt"; flow:to_server; byte_test:1,!&,64,0; content:"|00 02|"; depth:2; offset:1; content:"|01 03|"; depth:2; offset:10; isdataat:8,relative; reference:url,forums.mrplc.com/index.php?download=467; classtype:protocol-command-decode; sid:15413; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 9600 (msg:"PROTOCOL-SCADA OMRON-FINS access right forced acquire attempt"; flow:to_server; byte_test:1,!&,64,0; content:"|00 02|"; depth:2; offset:1; content:"|0C 02|"; depth:2; offset:10; reference:url,forums.mrplc.com/index.php?download=467; classtype:protocol-command-decode; sid:15402; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 9600 (msg:"PROTOCOL-SCADA OMRON-FINS program area protect clear attempt"; flow:to_server; byte_test:1,!&,64,0; content:"|00 02|"; depth:2; offset:1; content:"|03 05|"; depth:2; offset:10; reference:url,forums.mrplc.com/index.php?download=467; classtype:protocol-command-decode; sid:15395; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 9600 (msg:"PROTOCOL-SCADA OMRON-FINS STOP attempt"; flow:to_server; byte_test:1,!&,64,0; content:"|00 02|"; depth:2; offset:1; content:"|04 02|"; depth:2; offset:10; reference:url,forums.mrplc.com/index.php?download=467; classtype:protocol-command-decode; sid:15399; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 9600 (msg:"PROTOCOL-SCADA OMRON-FINS file delete attempt"; flow:to_server; byte_test:1,!&,64,0; content:"|00 02|"; depth:2; offset:1; content:"|22 05|"; depth:2; offset:10; reference:url,forums.mrplc.com/index.php?download=467; classtype:protocol-command-decode; sid:15404; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 9600 (msg:"PROTOCOL-SCADA OMRON-FINS parameter area clear attempt"; flow:to_server; byte_test:1,!&,64,0; content:"|00 02|"; depth:2; offset:1; content:"|02 03|"; depth:2; offset:10; reference:url,forums.mrplc.com/index.php?download=467; classtype:protocol-command-decode; sid:15393; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 9600 (msg:"PROTOCOL-SCADA OMRON-FINS access right acquire attempt"; flow:to_server; byte_test:1,!&,64,0; content:"|00 02|"; depth:2; offset:1; content:"|0C 01|"; depth:2; offset:10; reference:url,forums.mrplc.com/index.php?download=467; classtype:protocol-command-decode; sid:15401; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 9600 (msg:"PROTOCOL-SCADA OMRON-FINS forced set/reset cancel attempt"; flow:to_server; byte_test:1,!&,64,0; content:"|00 02|"; depth:2; offset:1; content:"|23 01|"; depth:2; offset:10; reference:url,forums.mrplc.com/index.php?download=467; classtype:protocol-command-decode; sid:15406; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 9600 (msg:"PROTOCOL-SCADA OMRON-FINS RUN attempt"; flow:to_server; byte_test:1,!&,64,0; content:"|00 02|"; depth:2; offset:1; content:"|04 01|"; depth:2; offset:10; reference:url,forums.mrplc.com/index.php?download=467; classtype:protocol-command-decode; sid:15398; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 9600 (msg:"PROTOCOL-SCADA OMRON-FINS memory area write overflow attempt"; flow:to_server; byte_test:1,!&,64,0; content:"|00 02|"; depth:2; offset:1; content:"|01 02|"; depth:2; offset:10; isdataat:10,relative; reference:url,forums.mrplc.com/index.php?download=467; classtype:protocol-command-decode; sid:15412; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 9600 (msg:"PROTOCOL-SCADA OMRON-FINS memory area transfer attempt"; flow:to_server; byte_test:1,!&,64,0; content:"|00 02|"; depth:2; offset:1; content:"|01 05|"; depth:2; offset:10; reference:url,forums.mrplc.com/index.php?download=467; classtype:protocol-command-decode; sid:15391; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 9600 (msg:"PROTOCOL-SCADA OMRON-FINS data link table write attempt"; flow:to_server; byte_test:1,!&,64,0; content:"|00 02|"; depth:2; offset:1; content:"|02|!"; depth:2; offset:10; reference:url,forums.mrplc.com/index.php?download=467; classtype:protocol-command-decode; sid:15408; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 9600 (msg:"PROTOCOL-SCADA OMRON-FINS name delete attempt"; flow:to_server; byte_test:1,!&,64,0; content:"|00 02|"; depth:2; offset:1; content:"&|02|"; depth:2; offset:10; reference:url,forums.mrplc.com/index.php?download=467; classtype:protocol-command-decode; sid:15410; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 9600 (msg:"PROTOCOL-SCADA OMRON-FINS program area write attempt"; flow:to_server; byte_test:1,!&,64,0; content:"|00 02|"; depth:2; offset:1; content:"|03 07|"; depth:2; offset:10; reference:url,forums.mrplc.com/index.php?download=467; classtype:protocol-command-decode; sid:15396; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 9600 (msg:"PROTOCOL-SCADA OMRON-FINS program area protect clear brute force attempt"; flow:to_server,no_stream; byte_test:1,!&,64,0; content:"|00 02|"; depth:2; offset:1; content:"|03 05 00 00 00 00 00 00 00 FF FF FF FF|"; depth:13; offset:10; detection_filter:track by_src, count 10, seconds 60; reference:url,attack.mitre.org/techniques/T1110; reference:url,forums.mrplc.com/index.php?download=467; classtype:protocol-command-decode; sid:15414; rev:7;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 9600 (msg:"PROTOCOL-SCADA OMRON-FINS single file write attempt"; flow:to_server; byte_test:1,!&,64,0; content:"|00 02|"; depth:2; offset:1; content:"|22 03|"; depth:2; offset:10; reference:url,forums.mrplc.com/index.php?download=467; classtype:protocol-command-decode; sid:15403; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 9600 (msg:"PROTOCOL-SCADA OMRON-FINS clock write attempt"; flow:to_server; byte_test:1,!&,64,0; content:"|00 02|"; depth:2; offset:1; content:"|07 02|"; depth:2; offset:10; reference:url,forums.mrplc.com/index.php?download=467; classtype:protocol-command-decode; sid:15400; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 9600 (msg:"PROTOCOL-SCADA OMRON-FINS parameter area write attempt"; flow:to_server; byte_test:1,!&,64,0; content:"|00 02|"; depth:2; offset:1; content:"|02 02|"; depth:2; offset:10; reference:url,forums.mrplc.com/index.php?download=467; classtype:protocol-command-decode; sid:15392; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 9600 (msg:"PROTOCOL-SCADA OMRON-FINS forced set/reset attempt"; flow:to_server; byte_test:1,!&,64,0; content:"|00 02|"; depth:2; offset:1; content:"|23 01|"; depth:2; offset:10; reference:url,forums.mrplc.com/index.php?download=467; classtype:protocol-command-decode; sid:15405; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 9600 (msg:"PROTOCOL-SCADA OMRON-FINS program area protect attempt"; flow:to_server; byte_test:1,!&,64,0; content:"|00 02|"; depth:2; offset:1; content:"|03 04|"; depth:2; offset:10; reference:url,forums.mrplc.com/index.php?download=467; classtype:protocol-command-decode; sid:15394; rev:4;)
# alert tcp $EXTERNAL_NET 20000 -> $HOME_NET any (msg:"PROTOCOL-SCADA DNP3 parameter error"; flow:established,to_client; dnp3_ind:parameter_error; reference:url,www.dnp.org/About/Default.aspx; classtype:protocol-command-decode; sid:15716; rev:5;)
# alert tcp $EXTERNAL_NET 20000 -> $HOME_NET any (msg:"PROTOCOL-SCADA DNP3 unsupported function code error"; flow:established,to_client; dnp3_ind:no_func_code_support; reference:url,www.dnp.org/About/Default.aspx; classtype:protocol-command-decode; sid:15718; rev:5;)
# alert tcp $EXTERNAL_NET 20000 -> $HOME_NET any (msg:"PROTOCOL-SCADA DNP3 corrupt configuration"; flow:established,to_client; dnp3_ind:config_corrupt; reference:url,www.dnp.org/About/Default.aspx; classtype:protocol-command-decode; sid:15714; rev:5;)
# alert tcp $EXTERNAL_NET 20000 -> $HOME_NET any (msg:"PROTOCOL-SCADA DNP3 link service not supported"; flow:established,to_client; content:"|05|d"; depth:2; byte_test:1,!&,64,1,relative; byte_test:1,&,1,3; byte_test:1,&,2,3; byte_test:1,&,4,3; byte_test:1,&,8,3; reference:url,www.dnp.org/About/Default.aspx; classtype:protocol-command-decode; sid:15719; rev:5;)
# alert tcp $EXTERNAL_NET 20000 -> $HOME_NET any (msg:"PROTOCOL-SCADA DNP3 unknown object error"; flow:established,to_client; dnp3_ind:object_unknown; reference:url,www.dnp.org/About/Default.aspx; classtype:protocol-command-decode; sid:15717; rev:5;)
# alert tcp $EXTERNAL_NET 20000 -> $HOME_NET any (msg:"PROTOCOL-SCADA DNP3 event buffer overflow error"; flow:established,to_client; dnp3_ind:event_buffer_overflow; reference:url,www.dnp.org/About/Default.aspx; classtype:protocol-command-decode; sid:15715; rev:5;)
# alert tcp $EXTERNAL_NET 20000 -> $HOME_NET any (msg:"PROTOCOL-SCADA DNP3 device trouble"; flow:established,to_client; dnp3_ind:device_trouble; reference:url,www.dnp.org/About/Default.aspx; classtype:protocol-command-decode; sid:15713; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus read fifo queue from external source"; flow:to_server,established; modbus_func:read_fifo_queue; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:17792; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus read coils from external source"; flow:to_server,established; modbus_func:read_coils; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:17788; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus initiate diagnostic from external source"; flow:to_server,established; modbus_func:diagnostics; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:17795; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus mask write register from external source"; flow:to_server,established; modbus_func:mask_write_register; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:17800; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus write file record from external source"; flow:to_server,established; modbus_func:write_file_record; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:17786; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus report slave id from external source"; flow:to_server,established; modbus_func:report_slave_id; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:17798; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus read exception status from external source"; flow:to_server,established; modbus_func:read_exception_status; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:17794; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus write single coil from external source"; flow:to_server,established; modbus_func:write_single_coil; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:17784; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus get com event counter from external source"; flow:to_server,established; modbus_func:get_comm_event_counter; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:17796; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus write multiple registers from external source"; flow:to_server,established; modbus_func:write_multiple_registers; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:17782; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus write multiple coils from external source"; flow:to_server,established; modbus_func:write_multiple_coils; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:17785; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus get com event log from external source"; flow:to_server,established; modbus_func:get_comm_event_log; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:17797; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus read input register from external source"; flow:to_server,established; modbus_func:read_input_registers; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:17789; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus read/write multiple registers from external source"; flow:to_server,established; modbus_func:read_write_multiple_registers; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:17791; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus write single register from external source"; flow:to_server,established; modbus_func:write_single_register; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:17783; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus read device identification from external source"; flow:to_server,established; modbus_func:report_slave_id; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:17799; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus read holding registers from external source"; flow:to_server,established; modbus_func:read_holding_registers; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:17790; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus read file record from external source"; flow:to_server,established; modbus_func:read_file_record; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:17793; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus read discrete inputs from external source"; flow:to_server,established; modbus_func:read_discrete_inputs; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:17787; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 777 (msg:"PROTOCOL-SCADA Kingview HMI heap overflow attempt"; flow:to_server,established; stream_size:client,>,2000; content:"|90 90 90 90 90 90 90 90|"; fast_pattern:only; reference:bugtraq,45727; reference:cve,2011-0406; classtype:attempted-admin; sid:18327; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7579 (msg:"PROTOCOL-SCADA Tecnomatix FactoryLink vrn.exe file access attempt"; flow:to_server,established; content:"|FF 55 08 00|"; depth:4; offset:4; pcre:"/^.{32}[^\x00\x5C]*\x5C/sR"; reference:bugtraq,46934; classtype:attempted-user; sid:18614; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7580 (msg:"PROTOCOL-SCADA Tecnomatix FactoryLink CSService path overflow attempt"; flow:to_server,established; content:"LEN|00|"; depth:6; fast_pattern; nocase; content:"|00 00 00 06|"; distance:0; content:"|06|"; within:1; distance:4; byte_test:4,>,1024,0,relative,big; reference:bugtraq,46934; classtype:attempted-admin; sid:18605; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 910 (msg:"PROTOCOL-SCADA RealWin 2.1 FC_CONNECT_FCS_LOGIN overflow attempt"; flow:to_server,established; content:"|10 23 54 67|"; depth:4; content:"|01 00 01 00|"; within:4; distance:6; byte_test:4,>,1024,-10,little,relative; isdataat:1024,relative; content:!"|00|"; within:1024; reference:url,secunia.com/advisories/43848; classtype:attempted-admin; sid:18658; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 12401 (msg:"PROTOCOL-SCADA IGSS IGSSDataServer.exe report template operation overflow attempt"; flow:to_server,established; content:"|34 12 07 00|"; depth:4; offset:4; content:"|01 00 00 00|"; within:4; distance:6; isdataat:512,relative; pcre:"/^[\x02\x03\x04]\x00\x00\x00.*?\x00[^\x00]{512,}/R"; classtype:attempted-admin; sid:18652; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7580 (msg:"PROTOCOL-SCADA Tecnomatix FactoryLink CSService file information access attempt"; flow:to_server,established; content:"LEN|00|"; depth:4; fast_pattern; nocase; content:"|00 00 00 10|"; distance:0; content:"|06|"; within:1; distance:4; byte_extract:4,0,str_size,relative,big; content:"|5C|"; within:str_size; distance:8; reference:bugtraq,46934; classtype:attempted-user; sid:18607; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7579 (msg:"PROTOCOL-SCADA Tecnomatix FactoryLink vrn.exe opcode 9 or 10 string parsing overflow attempt"; flow:to_server,established; content:"|FF 55|"; depth:2; offset:4; isdataat:933,relative; pcre:"/^[\x0A\x09]\x00.{32}[^\x3B]{900}/sR"; reference:bugtraq,46934; classtype:attempted-user; sid:18610; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7580 (msg:"PROTOCOL-SCADA Tecnomatix FactoryLink CSService file access attempt"; flow:to_server,established; content:"LEN|00|"; depth:4; fast_pattern; nocase; content:"|00 00 00 08|"; distance:0; content:"|06|"; within:1; distance:4; byte_extract:4,0,str_size,relative,big; content:"|5C|"; within:str_size; distance:8; reference:bugtraq,46934; classtype:attempted-user; sid:18606; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 38080 (msg:"PROTOCOL-SCADA Iconics Genesis 32/64 GenBroker opcode 0x04B2 integer overflow attempt"; flow:to_server,established; content:"|01 00 00|"; depth:3; content:"|B2 04 00 00|"; depth:4; offset:20; fast_pattern; byte_test:4,>,0x40000000,0,relative,little; reference:url,www.vupen.com/english/advisories/2011/0740; classtype:attempted-admin; sid:18738; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 38080 (msg:"PROTOCOL-SCADA Iconics Genesis 32/64 GenBroker opcode 0x04B0 integer overflow attempt"; flow:to_server,established; content:"|01 00 00|"; depth:3; content:"|B0 04 00 00|"; depth:4; offset:20; fast_pattern; content:"|FF|"; within:1; byte_jump:2,0,relative,little; content:"|FF|"; within:1; byte_jump:2,0,relative,little; byte_test:4,>,0x40000000,32,relative,little; reference:url,www.vupen.com/english/advisories/2011/0740; classtype:attempted-admin; sid:18733; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 38080 (msg:"PROTOCOL-SCADA Iconics Genesis 32/64 GenBroker opcode 0x1BBC heap overflow attempt"; flow:to_server,established; content:"|01 00 00 01|"; depth:4; content:"|BC 1B 00 00|"; depth:4; offset:20; fast_pattern; content:!"|FF|"; within:1; byte_jump:1,0,relative; content:!"|FF|"; within:1; byte_jump:1,0,relative; content:!"|FF|"; within:1; distance:4; byte_jump:1,4,relative; content:!"|FF|"; within:1; byte_jump:1,0,relative; content:!"|FF|"; within:1; byte_jump:1,0,relative; byte_test:4,>,0x0040,0,relative,little; reference:url,www.vupen.com/english/advisories/2011/0740; classtype:attempted-admin; sid:18729; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 38080 (msg:"PROTOCOL-SCADA Iconics Genesis 32/64 GenBroker opcode 0x04B0 integer overflow attempt"; flow:to_server,established; content:"|01 00 00|"; depth:3; content:"|B0 04 00 00|"; depth:4; offset:20; fast_pattern; content:!"|FF|"; within:1; byte_jump:1,0,relative; content:!"|FF|"; within:1; byte_jump:1,0,relative; byte_test:4,>,0x40000000,28,relative,little; reference:url,www.vupen.com/english/advisories/2011/0740; classtype:attempted-admin; sid:18734; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 38080 (msg:"PROTOCOL-SCADA Iconics Genesis 32/64 GenBroker opcode 0x1C84 integer overflow attempt"; flow:to_server,established; content:"|01 00 00 01|"; depth:4; content:"|84 1C 00 00|"; depth:4; offset:20; fast_pattern; content:"|FF|"; within:1; byte_jump:2,0,relative,little; content:"|FF|"; within:1; byte_jump:2,0,relative,little; byte_test:4,>,0x10000000,4,relative,little; reference:url,www.vupen.com/english/advisories/2011/0740; classtype:attempted-admin; sid:18722; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 38080 (msg:"PROTOCOL-SCADA Iconics Genesis 32/64 GenBroker opcode 0x089A integer overflow attempt"; flow:to_server,established; content:"|01 00 00 01|"; depth:4; content:"|9A 08 00 00|"; depth:4; offset:20; fast_pattern; content:"|00 20|"; within:2; distance:4; byte_test:4,>,0x20000000,0,relative,little; reference:url,www.vupen.com/english/advisories/2011/0740; classtype:attempted-admin; sid:18730; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 38080 (msg:"PROTOCOL-SCADA Iconics Genesis 32/64 GenBroker opcode 0x0DAE heap overflow attempt"; flow:to_server,established; content:"|01 00 00 01|"; depth:4; content:"|AE 0D 00 00|"; depth:4; offset:20; fast_pattern; byte_test:4,>,0x0040,0,relative,little; reference:url,www.vupen.com/english/advisories/2011/0740; classtype:attempted-admin; sid:18728; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 38080 (msg:"PROTOCOL-SCADA Iconics Genesis 32/64 GenBroker opcode 0x04B0 integer overflow attempt"; flow:to_server,established; content:"|01 00 00|"; depth:3; content:"|B0 04 00 00|"; depth:4; offset:20; fast_pattern; content:"|FF|"; within:1; byte_jump:2,0,relative,little; content:"|FF|"; within:1; byte_jump:2,0,relative,little; byte_test:4,>,0x40000000,28,relative,little; reference:url,www.vupen.com/english/advisories/2011/0740; classtype:attempted-admin; sid:18735; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 38080 (msg:"PROTOCOL-SCADA Iconics Genesis 32/64 GenBroker opcode 0x04B5 heap overflow attempt"; flow:to_server,established; content:"|01 00 00 01|"; depth:4; content:"|B5 04 00 00|"; depth:4; offset:20; fast_pattern; content:!"|FF|"; within:1; byte_jump:1,0,relative; content:!"|FF|"; within:1; byte_jump:1,0,relative; byte_test:4,>,0x0040,8,relative,little; reference:url,www.vupen.com/english/advisories/2011/0740; classtype:attempted-admin; sid:18727; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 38080 (msg:"PROTOCOL-SCADA Iconics Genesis 32/64 GenBroker opcode 0x1C84 integer overflow attempt"; flow:to_server,established; content:"|01 00 00 01|"; depth:4; content:"|84 1C 00 00|"; depth:4; offset:20; fast_pattern; content:!"|FF|"; within:1; byte_jump:1,0,relative; content:!"|FF|"; within:1; byte_jump:1,0,relative; byte_test:4,>,0x10000000,4,relative,little; reference:url,www.vupen.com/english/advisories/2011/0740; classtype:attempted-admin; sid:18721; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 38080 (msg:"PROTOCOL-SCADA Iconics Genesis 32/64 GenBroker opcode 0x0453 integer overflow attempt"; flow:to_server,established; content:"|01 00 00 01|"; depth:4; content:"|53 04 00 00|"; depth:4; offset:20; fast_pattern; content:!"|FF|"; within:1; byte_jump:1,0,relative; content:!"|FF|"; within:1; byte_jump:1,0,relative; content:!"|FF|"; within:1; byte_jump:1,0,relative; content:!"|FF|"; within:1; byte_jump:1,0,relative; byte_test:4,>,0x40000000,22,relative,little; reference:url,www.vupen.com/english/advisories/2011/0740; classtype:attempted-admin; sid:18731; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 38080 (msg:"PROTOCOL-SCADA Iconics Genesis 32/64 GenBroker opcode 0x04B0 integer overflow attempt"; flow:to_server,established; content:"|01 00 00|"; depth:3; content:"|B0 04 00 00|"; depth:4; offset:20; fast_pattern; content:!"|FF|"; within:1; byte_jump:1,0,relative; content:!"|FF|"; within:1; byte_jump:1,0,relative; byte_test:4,>,0x40000000,24,relative,little; reference:url,www.vupen.com/english/advisories/2011/0740; classtype:attempted-admin; sid:18736; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 38080 (msg:"PROTOCOL-SCADA Iconics Genesis 32/64 GenBroker opcode 0x04B2 heap overflow attempt"; flow:to_server,established; content:"|01 00 00 01|"; depth:4; content:"|B2 04 00 00|"; depth:4; offset:20; fast_pattern; byte_test:4,>,0x0040,0,relative,little; reference:url,www.vupen.com/english/advisories/2011/0740; classtype:attempted-admin; sid:18726; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 38080 (msg:"PROTOCOL-SCADA Iconics Genesis 32/64 GenBroker opcode 0x04B0 integer overflow attempt"; flow:to_server,established; content:"|01 00 00|"; depth:3; content:"|B0 04 00 00|"; depth:4; offset:20; fast_pattern; content:!"|FF|"; within:1; byte_jump:1,0,relative; content:!"|FF|"; within:1; byte_jump:1,0,relative; byte_test:4,>,0x40000000,32,relative,little; reference:url,www.vupen.com/english/advisories/2011/0740; classtype:attempted-admin; sid:18732; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 38080 (msg:"PROTOCOL-SCADA Iconics Genesis 32/64 GenBroker opcode 0x04B0 integer overflow attempt"; flow:to_server,established; content:"|01 00 00|"; depth:3; content:"|B0 04 00 00|"; depth:4; offset:20; fast_pattern; content:"|FF|"; within:1; byte_jump:2,0,relative,little; content:"|FF|"; within:1; byte_jump:2,0,relative,little; byte_test:4,>,0x40000000,24,relative,little; reference:url,www.vupen.com/english/advisories/2011/0740; classtype:attempted-admin; sid:18737; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 38080 (msg:"PROTOCOL-SCADA Iconics Genesis 32/64 GenBroker opcode 0x04B0 heap overflow attempt"; flow:to_server,established; content:"|01 00 00 01|"; depth:4; content:"|B0 04 00 00|"; depth:4; offset:20; fast_pattern; content:!"|FF|"; within:1; byte_jump:1,0,relative; content:!"|FF|"; within:1; byte_jump:1,0,relative; byte_test:4,>,0x0040,28,relative,little; reference:url,www.vupen.com/english/advisories/2011/0740; classtype:attempted-admin; sid:18725; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 38080 (msg:"PROTOCOL-SCADA Iconics Genesis 32/64 GenBroker opcode 0x1BBC integer overflow attempt"; flow:to_server,established; content:"|01 00 00 01|"; depth:4; content:"|BC 1B 00 00|"; depth:4; offset:20; fast_pattern; content:!"|FF|"; within:1; byte_jump:1,0,relative; content:!"|FF|"; within:1; byte_jump:1,0,relative; content:!"|FF|"; within:1; distance:4; byte_jump:1,4,relative; content:!"|FF|"; within:1; byte_jump:1,0,relative; content:!"|FF|"; within:1; byte_jump:1,0,relative; byte_test:4,>,0x40000000,0,relative,little; reference:url,www.vupen.com/english/advisories/2011/0740; classtype:attempted-admin; sid:18787; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 910 (msg:"PROTOCOL-SCADA RealWin 2.1 FC_CTAGLIST_FCS_XTAG overflow attempt"; flow:to_server,established; content:"|10 23 54 67|"; depth:4; byte_test:4,>,1024,0,little,relative; isdataat:1024,relative; pcre:"/^.{6}\x05\x00[\x01\x02\x05]\x00.*?\x00[^\x00]{1024}/msR"; reference:url,secunia.com/advisories/43848; classtype:attempted-admin; sid:18746; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 38080 (msg:"PROTOCOL-SCADA Iconics Genesis 32/64 GenBroker opcode 0x0DB0 integer overflow attempt"; flow:to_server,established; content:"|01 00 00 01|"; depth:4; content:"|B0 0D 00 00|"; depth:4; offset:20; fast_pattern; byte_test:4,>,0x40000000,0,relative,little; reference:url,www.vupen.com/english/advisories/2011/0740; classtype:attempted-admin; sid:18784; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 38080 (msg:"PROTOCOL-SCADA Iconics Genesis 32/64 GenBroker opcode 0x04B5 integer overflow attempt"; flow:to_server,established; content:"|01 00 00 01|"; depth:4; content:"|B5 04 00 00|"; depth:4; offset:20; fast_pattern; content:"|FF|"; within:1; byte_jump:2,0,relative,little; content:"|FF|"; within:1; byte_jump:2,0,relative,little; byte_test:4,>,0x40000000,8,relative,little; reference:url,www.vupen.com/english/advisories/2011/0740; classtype:attempted-admin; sid:18779; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 910 (msg:"PROTOCOL-SCADA RealWin 2.1 FC_INFOTAG_SET_CONTROL overflow attempt"; flow:to_server,established; content:"|10 23 54 67|"; depth:4; content:"|11 00 01 00|"; within:4; distance:6; byte_test:4,>,400,-10,little,relative; isdataat:400,relative; content:!"|00|"; within:400; reference:url,secunia.com/advisories/43848; classtype:attempted-admin; sid:18752; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 38080 (msg:"PROTOCOL-SCADA Iconics Genesis 32/64 GenBroker opcode 0x1BBD integer overflow attempt"; flow:to_server,established; content:"|01 00 00 01|"; depth:4; content:"|BD 1B 00 00|"; depth:4; offset:20; fast_pattern; content:!"|FF|"; within:1; byte_jump:1,0,relative; content:!"|FF|"; within:1; byte_jump:1,0,relative; content:!"|FF|"; within:1; distance:4; byte_jump:1,4,relative; content:!"|FF|"; within:1; byte_jump:1,0,relative; content:!"|FF|"; within:1; byte_jump:1,0,relative; byte_test:4,>,0x40000000,0,relative,little; reference:url,www.vupen.com/english/advisories/2011/0740; classtype:attempted-admin; sid:18788; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 910 (msg:"PROTOCOL-SCADA RealWin 2.1 FC_CTAGLIST_FCS_XTAG overflow attempt"; flow:to_server,established; content:"|10 23 54 67|"; depth:4; byte_test:4,>,200,0,little,relative; isdataat:200,relative; pcre:"/^.{6}[\x02\x04]\x00[\x0f\x10\x12\x13]\x00[^\x00]{200}/msR"; reference:url,secunia.com/advisories/43848; classtype:attempted-admin; sid:18749; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 38080 (msg:"PROTOCOL-SCADA Iconics Genesis 32/64 GenBroker opcode 0x0DAE integer overflow attempt"; flow:to_server,established; content:"|01 00 00 01|"; depth:4; content:"|AE 0D 00 00|"; depth:4; offset:20; fast_pattern; byte_test:4,>,0x40000000,0,relative,little; reference:url,www.vupen.com/english/advisories/2011/0740; classtype:attempted-admin; sid:18783; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 38080 (msg:"PROTOCOL-SCADA Iconics Genesis 32/64 GenBroker opcode 0x0FA4 integer overflow attempt"; flow:to_server,established; content:"|01 00 00 01|"; depth:4; content:"|A4 0F 00 00|"; depth:4; offset:20; fast_pattern; byte_test:4,>,0x20000000,0,relative,little; reference:url,www.vupen.com/english/advisories/2011/0740; classtype:attempted-admin; sid:18785; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 38080 (msg:"PROTOCOL-SCADA Iconics Genesis 32/64 GenBroker opcode 0x04B5 integer overflow attempt"; flow:to_server,established; content:"|01 00 00 01|"; depth:4; content:"|B5 04 00 00|"; depth:4; offset:20; fast_pattern; content:!"|FF|"; within:1; byte_jump:1,0,relative; content:!"|FF|"; within:1; byte_jump:1,0,relative; byte_test:4,>,0x40000000,8,relative,little; reference:url,www.vupen.com/english/advisories/2011/0740; classtype:attempted-admin; sid:18778; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 38080 (msg:"PROTOCOL-SCADA Iconics Genesis 32/64 GenBroker opcode 0x26AC integer overflow attempt"; flow:to_server,established; content:"|01 00 00 01|"; depth:4; content:"|AC 26 00 00|"; depth:4; offset:20; fast_pattern; byte_test:4,>,0x40000000,0,relative,little; reference:url,www.vupen.com/english/advisories/2011/0740; classtype:attempted-admin; sid:18789; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 38080 (msg:"PROTOCOL-SCADA Iconics Genesis 32/64 GenBroker opcode 0x07D0 integer overflow attempt"; flow:to_server,established; content:"|01 00 00 01|"; depth:4; content:"|D0 07 00 00|"; depth:4; offset:20; fast_pattern; content:!"|FF|"; within:1; byte_jump:1,0,relative; content:!"|FF|"; within:1; byte_jump:1,0,relative; content:!"|FF|"; within:1; byte_jump:1,0,relative; byte_test:4,>,0x40000000,4,relative,little; reference:url,www.vupen.com/english/advisories/2011/0740; classtype:attempted-admin; sid:18780; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 910 (msg:"PROTOCOL-SCADA RealWin 2.1 FC_MISC_FCS_MSGx overflow attempt"; flow:to_server,established; content:"|10 23 54 67|"; depth:4; pcre:"/^.{6}\x0f\x00[\x01\x03]\x00/msR"; byte_test:4,>,0xffffffe9,0,relative,little; reference:url,secunia.com/advisories/43848; classtype:attempted-admin; sid:18748; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 910 (msg:"PROTOCOL-SCADA RealWin 2.1 FC_BINFILE_FCS_xFILE overflow attempt"; flow:to_server,established; content:"|10 23 54 67|"; depth:4; byte_test:4,>,256,0,little,relative; isdataat:256,relative; pcre:"/^.{6}\x10\x00[\x01\x03\x08\x0A\x0B\x0D]\x00.{12}[^\x00]{256}/msR"; reference:url,secunia.com/advisories/43848; classtype:attempted-admin; sid:18747; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 38080 (msg:"PROTOCOL-SCADA Iconics Genesis 32/64 GenBroker opcode 0x0FA7 integer overflow attempt"; flow:to_server,established; content:"|01 00 00 01|"; depth:4; content:"|A7 0F 00 00|"; depth:4; offset:20; fast_pattern; byte_test:4,>,0x40000000,0,relative,little; reference:url,www.vupen.com/english/advisories/2011/0740; classtype:attempted-admin; sid:18786; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 38080 (msg:"PROTOCOL-SCADA Iconics Genesis 32/64 GenBroker opcode 0x07D0 integer overflow attempt"; flow:to_server,established; content:"|01 00 00 01|"; depth:4; content:"|D0 07 00 00|"; depth:4; offset:20; fast_pattern; content:"|FF|"; within:1; byte_jump:2,0,relative,little; content:"|FF|"; within:1; byte_jump:2,0,relative,little; content:"|FF|"; within:1; byte_jump:2,0,relative,little; byte_test:4,>,0x40000000,4,relative,little; reference:url,www.vupen.com/english/advisories/2011/0740; classtype:attempted-admin; sid:18781; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 910 (msg:"PROTOCOL-SCADA RealWin 2.1 FC_SCRIPT_FCS_STARTPROG overflow attempt"; flow:to_server,established; content:"|10 23 54 67|"; depth:4; content:"|09 00 12 00|"; within:4; distance:6; byte_test:4,>,4096,-10,little,relative; stream_size:client,>,4096; reference:url,secunia.com/advisories/43848; classtype:attempted-admin; sid:18750; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 3250 (msg:"PROTOCOL-SCADA IntelliCom NetBiter config utility hostname overflow attempt"; flow:stateless; content:"hn"; nocase; isdataat:31,relative; pcre:"/^\s?=\s?[^\x3B]{31}/R"; reference:bugtraq,37325; reference:cve,2009-4462; reference:url,support.intellicom.se/showfile.cfm?FID=45; classtype:attempted-admin; sid:20052; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"PROTOCOL-SCADA Cogent DataHub server-side information disclosure"; flow:to_server,established; content:".asp "; nocase; http_uri; pcre:"/\x2easp ($|\?)/iU"; metadata:service http; reference:cve,2011-3502; classtype:web-application-attack; sid:20173; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1330,1331,1332,4241,4242,4445,4446,5241,6543,9111,60093,49281] (msg:"PROTOCOL-SCADA RSLogix rna protocol denial of service attempt"; flow:to_server,established; content:"rna|F2|"; depth:4; content:"aaaaaaaaaa"; within:10; distance:4; reference:cve,2011-3489; reference:url,aluigi.altervista.org/adv/rslogix_1-adv.txt; classtype:attempted-dos; sid:20178; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"PROTOCOL-SCADA Cogent DataHub server-side information disclosure"; flow:to_server,established; content:".asp."; nocase; http_uri; pcre:"/\x2easp\x2e($|\?)/iU"; metadata:service http; reference:cve,2011-3502; classtype:web-application-attack; sid:20174; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 20034 (msg:"PROTOCOL-SCADA DAQFactory NETB protcol stack overflow attempt"; flow:to_server; dsize:>370; content:"NETB"; depth:4; content:"|00|"; within:6; distance:230; reference:cve,2011-3492; reference:url,aluigi.altervista.org/adv/daqfactory_1-adv.txt; classtype:attempted-admin; sid:20176; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 4502 (msg:"PROTOCOL-SCADA Cogent unicode buffer overflow attempt"; flow:to_server,established; content:"(register_datahub "; nocase; content:"|22|"; within:3; isdataat:100,relative; content:!"|22|"; within:100; metadata:service http; reference:cve,2011-3493; classtype:attempted-admin; sid:20209; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 4502 (msg:"PROTOCOL-SCADA Cogent unicode buffer overflow attempt"; flow:to_server,established; content:"(domain "; nocase; content:"|22|"; within:3; isdataat:100,relative; content:!"|22|"; within:100; metadata:service http; reference:cve,2011-3493; classtype:attempted-admin; sid:20207; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 4502 (msg:"PROTOCOL-SCADA Cogent unicode buffer overflow attempt"; flow:to_server,established; content:"(report_domain "; nocase; content:"|22|"; within:3; isdataat:100,relative; content:!"|22|"; within:100; metadata:service http; reference:cve,2011-3493; classtype:attempted-admin; sid:20208; rev:7;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PROTOCOL-SCADA Broadwin WebAccess ActiveX clsid access"; flow:established,to_client; file_data; content:"5C2A52BD-2250-4F6B-A4D2-D1D00FCD748C"; fast_pattern:only; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>|\x2F)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*5C2A52BD-2250-4F6B-A4D2-D1D00FCD748C\s*}?\s*(?P=q1)(\s|>|\x2F).*(?P=id1)\s*\.\s*(WriteTextData|CloseFile)\s*\x28[^\x28]*0x[a-f0-9]+[^\x29]*\x29|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*5C2A52BD-2250-4F6B-A4D2-D1D00FCD748C\s*}?\s*(?P=q2)(\s|>|\x2F)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>|\x2F).*(?P=id2)\.(WriteTextData|CloseFile)\s*\x28[^\x28]*0x[a-f0-9]+[^\x29]*\x29)/siO"; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0242; reference:url,www.exploit-db.com/exploits/17772/; classtype:attempted-user; sid:20582; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"PROTOCOL-SCADA Broadwin WebAccess ActiveX clsid access"; flow:established,to_client; file_data; content:"5C2A52BD-2250-4F6B-A4D2-D1D00FCD748C"; fast_pattern:only; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>|\x2F)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*5C2A52BD-2250-4F6B-A4D2-D1D00FCD748C\s*}?\s*(?P=q1)(\s|>|\x2F).*(?P=id1)\s*\.\s*OcxSpool\s*\x28\s*(?P<quoteVar1>\x22|\x27|)(\x25[dlnpsx])+|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*5C2A52BD-2250-4F6B-A4D2-D1D00FCD748C\s*}?\s*(?P=q2)(\s|>|\x2F)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>|\x2F).*(?P=id2)\.OcxSpool\s*\x28\s*(?P<quoteVar2>\x22|\x27|)(\x25[dlnpsx])+)/siO"; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0242; reference:url,www.exploit-db.com/exploits/17772/; classtype:attempted-user; sid:20581; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"PROTOCOL-SCADA Progea Movicon/PowerHMI EIDP over HTTP memory corruption attempt"; flow:to_server,established; content:"EIDP"; depth:4; http_client_body; byte_test:4,>,0x7FFFFFFF,16,little,relative; metadata:service http; reference:bugtraq,49605; reference:cve,2011-3491; reference:cve,2011-3498; reference:cve,2011-3499; classtype:attempted-admin; sid:20638; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PROTOCOL-SCADA Microsys PROMOTIC ActiveX function call access"; flow:established,to_client; file_data; content:"PmTrdvw.TrendsViewCtl"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22PmTrdvw\.TrendsViewCtl(\.\d)?\x22|\x27PmTrdvw\.TrendsViewCtl(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(SaveCfg|AddTrend)\s*|.*(?P=v)\s*\.\s*(SaveCfg|AddTrend)\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22PmTrdvw\.TrendsViewCtl(\.\d)?\x22|\x27PmTrdvw\.TrendsViewCtl(\.\d)?\x27)\s*\)(\s*\.\s*(SaveCfg|AddTrend)\s*|.*(?P=n)\s*\.\s*(SaveCfg|AddTrend)\s*)/smiO"; metadata:service http; reference:url,aluigi.altervista.org/adv/promotic_1-adv.txt; reference:url,www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-286-01.pdf; classtype:attempted-user; sid:21001; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PROTOCOL-SCADA Microsys PROMOTIC ActiveX clsid access"; flow:established,to_client; file_data; content:"02000002-9DFA-4B37-ABE9-1929F4BCDEA2"; fast_pattern:only; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>|\x2F)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*02000002-9DFA-4B37-ABE9-1929F4BCDEA2\s*}?\s*(?P=q1)(\s|>|\x2F).*(?P=id1)\s*\.\s*(SaveCfg|AddTrend)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*02000002-9DFA-4B37-ABE9-1929F4BCDEA2\s*}?\s*(?P=q2)(\s|>|\x2F)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>|\x2F).*(?P=id2)\.(SaveCfg|AddTrend))/siO"; metadata:service http; reference:url,aluigi.altervista.org/adv/promotic_1-adv.txt; reference:url,www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-286-01.pdf; classtype:attempted-user; sid:21000; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"PROTOCOL-SCADA Siemens SIMATIC HMI Administrator cookie detected"; flow:to_server,established; content:"EAAAAPiZE5314QWTlkMUFedwxt0qYWRtaW5pc3RyYXRvcio"; content:"EAAAAPiZE5314QWTlkMUFedwxt0qYWRtaW5pc3RyYXRvcio"; http_cookie; metadata:service http; reference:cve,2011-4508; reference:url,www.us-cert.gov/control_systems/pdf/ICSA-11-356-01.pdf; classtype:policy-violation; sid:21079; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2001 (msg:"PROTOCOL-SCADA Sunway ForceControl SNMP NetDBServer integer signedness buffer overflow attempt"; flow:to_server,established; content:"|EB 50 EB 50|"; depth:4; byte_test:2,=,87,4,little; content:"|0D 0A|"; byte_test:1,>,32,1,relative; reference:url,aluigi.altervista.org/adv/forcecontrol_1-adv.txt; classtype:attempted-user; sid:21148; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2001 (msg:"PROTOCOL-SCADA Sunway ForceControl SNMP NetDBServer integer signedness buffer overflow attempt"; flow:to_server,established; content:"|EB 50 EB 50|"; depth:4; byte_test:2,=,87,4,little; content:"|0D 0A|"; byte_test:1,<,0,1,relative; reference:url,aluigi.altervista.org/adv/forcecontrol_1-adv.txt; classtype:attempted-user; sid:21149; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2001 (msg:"PROTOCOL-SCADA Sunway ForceControl SNMP NetDBServer integer signedness buffer overflow attempt"; flow:to_server,established; content:"|EB 50 EB 50|"; depth:4; byte_test:2,=,87,4,little; content:"|00 00 01 00|"; within:4; distance:4; byte_test:1,>,32,1,relative; reference:url,aluigi.altervista.org/adv/forcecontrol_1-adv.txt; classtype:attempted-user; sid:21146; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2001 (msg:"PROTOCOL-SCADA Sunway ForceControl SNMP NetDBServer integer signedness buffer overflow attempt"; flow:to_server,established; content:"|EB 50 EB 50|"; depth:4; byte_test:2,=,87,4,little; content:"|00 00 01 00|"; within:4; distance:4; byte_test:1,<,0,1,relative; reference:url,aluigi.altervista.org/adv/forcecontrol_1-adv.txt; classtype:attempted-user; sid:21147; rev:2;)
# alert tcp $EXTERNAL_NET 54321 -> $HOME_NET any (msg:"PROTOCOL-SCADA Moxa Device Manager buffer overflow attempt"; flow:to_client,established; dsize:>1080; content:"|28 10 00 29|"; depth:4; content:"|E8 D5 FD FF FF|"; within:5; distance:1076; reference:cve,2010-4741; reference:url,reversemode.com/index.php?option=com_content&task=view&id=70&Itemid=1; classtype:attempted-user; sid:21483; rev:5;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"PROTOCOL-SCADA General Electric d20me configuration retrieval attempt"; flow:to_server; content:"|00 01|"; depth:2; content:"D20.zl"; distance:0; nocase; reference:url,www.metasploit.com/modules/auxiliary/gather/d20pass; classtype:attempted-recon; sid:21490; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 46823 (msg:"PROTOCOL-SCADA Sielco Sistemi Winlog Pro stack buffer overflow attempt"; flow:to_server,established; content:"|02 01 01|"; depth:3; isdataat:70,relative; reference:bugtraq,45813; reference:cve,2011-0517; classtype:attempted-admin; sid:21491; rev:6;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"PROTOCOL-SCADA General Electric D20ME backdoor attempt"; flow:to_server; content:"|00 02|"; depth:2; content:"MONITOR:command.log"; distance:0; nocase; reference:url,dev.metasploit.com/redmine/projects/framework/repository/revisions/b73f28f29511d154aed9e94dd262195db60c7e3b/entry/unstable-modules/auxiliary/d20tftpbd.rb; classtype:attempted-admin; sid:21494; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [2308,50523] (msg:"PROTOCOL-SCADA Siemens SIMATIC WinCC flexible runtime stack buffer overflow attempt"; flow:to_server,established; isdataat:1024; content:"|00 01 03|"; depth:3; byte_test:4,>,0x410,23,little,relative; reference:cve,2011-4875; reference:url,www.exploit-db.com/exploits/18166/; classtype:attempted-admin; sid:23006; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [2308,50523] (msg:"PROTOCOL-SCADA Siemens SIMATIC WinCC flexible runtime stack buffer overflow attempt"; flow:to_server,established; isdataat:1024; content:"|08 00 02|"; depth:3; byte_test:4,>,0x410,23,little,relative; reference:cve,2011-4875; reference:url,www.exploit-db.com/exploits/18166/; classtype:attempted-admin; sid:23007; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [2308,50523] (msg:"PROTOCOL-SCADA Siemens SIMATIC WinCC flexible runtime stack buffer overflow attempt"; flow:to_server,established; isdataat:1024; content:"|00 04 02|"; depth:3; byte_test:4,>,0x410,3,little,relative; reference:cve,2011-4875; reference:url,www.exploit-db.com/exploits/18166/; classtype:attempted-admin; sid:23004; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [2308,50523] (msg:"PROTOCOL-SCADA Siemens SIMATIC WinCC flexible runtime stack buffer overflow attempt"; flow:to_server,established; isdataat:1024; content:"|00 04 03|"; depth:3; byte_test:4,>,0x410,23,little,relative; reference:cve,2011-4875; reference:url,www.exploit-db.com/exploits/18166/; classtype:attempted-admin; sid:23005; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"PROTOCOL-SCADA ScadaTec Procyon Core server password overflow attempt"; flow:to_server,established; content:"|66 81 CA FF 0F 42 52 6A 02 58 CD 2E 3C 05 5A 74 EF B8 63 30 30 6C 8B FA AF 75 EA AF 75 E7 FF E7|"; fast_pattern:only; metadata:service telnet; reference:bugtraq,49480; reference:cve,2011-3322; classtype:attempted-user; sid:23330; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"PROTOCOL-SCADA BroadWin WebAccess Client format string exploit attempt"; flow:to_server,established; file_data; content:"5C2A52BD-2250-4F6B-A4D2-D1D00FCD748C"; fast_pattern:only; pcre:"/<\s*script\s*\S*\s*>.*?[a-z0-9_-]+\.OcxSpool\s*\x28\s*([\x22\x27])[^\1]*(\x25[dlnpsx])[^\1]*\1/smi"; metadata:policy security-ips drop, service smtp; reference:cve,2012-0242; reference:url,www.exploit-db.com/exploits/17772/; classtype:attempted-user; sid:23964; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"PROTOCOL-SCADA BroadWin WebAccess Client arbitrary memory corruption attempt"; flow:to_server,established; file_data; content:"5C2A52BD-2250-4F6B-A4D2-D1D00FCD748C"; fast_pattern:only; pcre:"/<\s*script\s*>.*?[a-z0-9_-]+\.(WriteTextData|CloseFile)\s*\x28[^\x28]*0x[a-f0-9]+[^\x29]*\x29\s*\x3b/smi"; metadata:policy security-ips drop, service smtp; reference:cve,2012-0242; reference:url,www.exploit-db.com/exploits/17772/; classtype:attempted-user; sid:23965; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"PROTOCOL-SCADA Sinapsi command injection attempt"; flow:to_server,established; content:"/ping.php"; http_uri; content:"ip_dominio"; fast_pattern:only; http_client_body; pcre:"/ip_dominio.*?([\x26\x3b\x7c\x3e\x3c]|\x25(26|3b|7c|3e|3c))/Pi"; metadata:service http; reference:url,www.exploit-db.com/exploits/21273/; classtype:web-application-attack; sid:24425; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 910 (msg:"PROTOCOL-SCADA DATAC RealWin System buffer overflow attempt"; flow:to_server,established; content:"|10 23|Tg"; depth:4; byte_test:4,>,700,0,relative,little; content:"|0A 00 05 00|"; within:4; distance:6; reference:cve,2011-1563; classtype:attempted-user; sid:24481; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"PROTOCOL-SCADA Sinapsi SQL injection attempt"; flow:to_server,established; content:"/changelanguagesession.php"; fast_pattern:only; http_uri; pcre:"/[?&]lingua=[^&]+?([\x22\x27]|SELECT|UPDATE|INSERT)/Ui"; metadata:service http; reference:url,www.exploit-db.com/exploits/21273/; classtype:web-application-attack; sid:24422; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 910 (msg:"PROTOCOL-SCADA DATAC RealWin System buffer overflow attempt"; flow:to_server,established; content:"|10 23|Tg"; depth:4; content:"|05 00 02 00|"; within:4; distance:6; isdataat:400,relative; reference:cve,2011-1563; classtype:attempted-user; sid:24477; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 910 (msg:"PROTOCOL-SCADA DATAC RealWin System buffer overflow attempt"; flow:to_server,established; content:"|10 23|Tg"; depth:4; content:"|05 00 05 00|"; within:4; distance:6; isdataat:400,relative; reference:cve,2011-1563; classtype:attempted-user; sid:24478; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"PROTOCOL-SCADA Sinapsi SQL hard coded user login attempt"; flow:to_server,established; content:"/login.php"; fast_pattern:only; http_uri; content:"astridservice"; http_client_body; metadata:service http; reference:url,www.exploit-db.com/exploits/21273/; classtype:web-application-attack; sid:24423; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 910 (msg:"PROTOCOL-SCADA DATAC RealWin System buffer overflow attempt"; flow:to_server,established; content:"|10 23|Tg"; depth:4; byte_test:4,>,4096,0,relative,little; content:"|09 00 12 00|"; within:4; distance:6; reference:cve,2011-1563; classtype:attempted-user; sid:24479; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"PROTOCOL-SCADA Sinapsi SQL hard coded user login attempt"; flow:to_server,established; content:"/login.php"; fast_pattern:only; http_uri; content:"36e44c9b64"; http_client_body; metadata:service http; reference:url,www.exploit-db.com/exploits/21273/; classtype:web-application-attack; sid:24424; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"PROTOCOL-SCADA Sinapsi SQL injection attempt"; flow:to_server,established; content:"/dettagliinverter.php"; fast_pattern:only; http_uri; pcre:"/[?&]inverterselect=[^&]+?([\x22\x27]|SELECT|UPDATE|INSERT)/Ui"; metadata:service http; reference:url,www.exploit-db.com/exploits/21273/; classtype:web-application-attack; sid:24421; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 910 (msg:"PROTOCOL-SCADA DATAC RealWin System buffer overflow attempt"; flow:to_server,established; content:"|10 23|Tg"; depth:4; content:"|05 00 01 00|"; within:4; distance:6; isdataat:400,relative; reference:cve,2011-1563; classtype:attempted-user; sid:24476; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"PROTOCOL-SCADA Broadwin WebAccess ActiveX function call access"; flow:established,to_server; file_data; content:"BWOCXRUN.BwocxrunCtrl.1"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22BWOCXRUN\.BwocxrunCtrl\.1(\.\d)?\x22|\x27BWOCXRUN\.BwocxrunCtrl\.1(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*OcxSpool\s*\x28\s*(?P<quoteVar1>\x22|\x27|)(\x25[dlnpsx])+|.*(?P=v)\s*\.\s*OcxSpool\s*\x28\s*(?P<quoteVar2>\x22|\x27|)(\x25[dlnpsx])+)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22BWOCXRUN\.BwocxrunCtrl\.1(\.\d)?\x22|\x27BWOCXRUN\.BwocxrunCtrl\.1(\.\d)?\x27)\s*\)(\s*\.\s*OcxSpool\s*\x28\s*(?P<quoteVar3>\x22|\x27|)(\x25[dlnpsx])+|.*(?P=n)\s*\.\s*OcxSpool\s*\x28\s*(?P<quoteVar4>\x22|\x27|)(\x25[dlnpsx])+)/smiO"; metadata:policy security-ips drop, service smtp; reference:cve,2012-0242; reference:url,www.exploit-db.com/exploits/17772/; classtype:attempted-user; sid:24582; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"PROTOCOL-SCADA Broadwin WebAccess ActiveX function call access"; flow:established,to_server; file_data; content:"BWOCXRUN.BwocxrunCtrl.1"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22BWOCXRUN\.BwocxrunCtrl\.1(\.\d)?\x22|\x27BWOCXRUN\.BwocxrunCtrl\.1(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(WriteTextData|CloseFile)\s*\x28[^\x28]*0x[a-f0-9]+[^\x29]*\x29|.*(?P=v)\s*\.\s*(WriteTextData|CloseFile)\s*\x28[^\x28]*0x[a-f0-9]+[^\x29]*\x29)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22BWOCXRUN\.BwocxrunCtrl\.1(\.\d)?\x22|\x27BWOCXRUN\.BwocxrunCtrl\.1(\.\d)?\x27)\s*\)(\s*\.\s*(WriteTextData|CloseFile)\s*\x28[^\x28]*0x[a-f0-9]+[^\x29]*\x29|.*(?P=n)\s*\.\s*(WriteTextData|CloseFile)\s*\x28[^\x28]*0x[a-f0-9]+[^\x29]*\x29)/smiO"; metadata:policy security-ips drop, service smtp; reference:cve,2012-0242; reference:url,www.exploit-db.com/exploits/17772/; classtype:attempted-user; sid:24585; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"PROTOCOL-SCADA Broadwin WebAccess ActiveX clsid access"; flow:established,to_server; file_data; content:"5C2A52BD-2250-4F6B-A4D2-D1D00FCD748C"; fast_pattern:only; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>|\x2F)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*5C2A52BD-2250-4F6B-A4D2-D1D00FCD748C\s*}?\s*(?P=q1)(\s|>|\x2F).*(?P=id1)\s*\.\s*OcxSpool\s*\x28\s*(?P<quoteVar1>\x22|\x27|)(\x25[dlnpsx])+|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*5C2A52BD-2250-4F6B-A4D2-D1D00FCD748C\s*}?\s*(?P=q2)(\s|>|\x2F)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>|\x2F).*(?P=id2)\.OcxSpool\s*\x28\s*(?P<quoteVar2>\x22|\x27|)(\x25[dlnpsx])+)/siO"; metadata:policy security-ips drop, service smtp; reference:cve,2012-0242; reference:url,www.exploit-db.com/exploits/17772/; classtype:attempted-user; sid:24581; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"PROTOCOL-SCADA Broadwin WebAccess ActiveX clsid access"; flow:established,to_server; file_data; content:"5C2A52BD-2250-4F6B-A4D2-D1D00FCD748C"; fast_pattern:only; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>|\x2F)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*5C2A52BD-2250-4F6B-A4D2-D1D00FCD748C\s*}?\s*(?P=q1)(\s|>|\x2F).*(?P=id1)\s*\.\s*(WriteTextData|CloseFile)\s*\x28[^\x28]*0x[a-f0-9]+[^\x29]*\x29|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*5C2A52BD-2250-4F6B-A4D2-D1D00FCD748C\s*}?\s*(?P=q2)(\s|>|\x2F)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>|\x2F).*(?P=id2)\.(WriteTextData|CloseFile)\s*\x28[^\x28]*0x[a-f0-9]+[^\x29]*\x29)/siO"; metadata:policy security-ips drop, service smtp; reference:cve,2012-0242; reference:url,www.exploit-db.com/exploits/17772/; classtype:attempted-user; sid:24584; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"PROTOCOL-SCADA Broadwin WebAccess ActiveX function call access"; flow:established,to_client; file_data; content:"BWOCXRUN.BwocxrunCtrl.1"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22BWOCXRUN\.BwocxrunCtrl\.1(\.\d)?\x22|\x27BWOCXRUN\.BwocxrunCtrl\.1(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*OcxSpool\s*\x28\s*(?P<quoteVar1>\x22|\x27|)(\x25[dlnpsx])+|.*(?P=v)\s*\.\s*OcxSpool\s*\x28\s*(?P<quoteVar2>\x22|\x27|)(\x25[dlnpsx])+)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22BWOCXRUN\.BwocxrunCtrl\.1(\.\d)?\x22|\x27BWOCXRUN\.BwocxrunCtrl\.1(\.\d)?\x27)\s*\)(\s*\.\s*OcxSpool\s*\x28\s*(?P<quoteVar3>\x22|\x27|)(\x25[dlnpsx])+|.*(?P=n)\s*\.\s*OcxSpool\s*\x28\s*(?P<quoteVar4>\x22|\x27|)(\x25[dlnpsx])+)/smiO"; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0242; reference:url,www.exploit-db.com/exploits/17772/; classtype:attempted-user; sid:24580; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PROTOCOL-SCADA Broadwin WebAccess ActiveX function call access"; flow:established,to_client; file_data; content:"BWOCXRUN.BwocxrunCtrl.1"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22BWOCXRUN\.BwocxrunCtrl\.1(\.\d)?\x22|\x27BWOCXRUN\.BwocxrunCtrl\.1(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(WriteTextData|CloseFile)\s*\x28[^\x28]*0x[a-f0-9]+[^\x29]*\x29|.*(?P=v)\s*\.\s*(WriteTextData|CloseFile)\s*\x28[^\x28]*0x[a-f0-9]+[^\x29]*\x29)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22BWOCXRUN\.BwocxrunCtrl\.1(\.\d)?\x22|\x27BWOCXRUN\.BwocxrunCtrl\.1(\.\d)?\x27)\s*\)(\s*\.\s*(WriteTextData|CloseFile)\s*\x28[^\x28]*0x[a-f0-9]+[^\x29]*\x29|.*(?P=n)\s*\.\s*(WriteTextData|CloseFile)\s*\x28[^\x28]*0x[a-f0-9]+[^\x29]*\x29)/smiO"; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0242; reference:url,www.exploit-db.com/exploits/17772/; classtype:attempted-user; sid:24583; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"PROTOCOL-SCADA Tridium Niagara directory traversal config.bog access attempt"; flow:to_server,established; content:"ord?file|3A 5E|config.bog"; fast_pattern:only; http_uri; metadata:service http; reference:cve,2012-4027; classtype:attempted-admin; sid:25057; rev:3;)
# alert tcp $EXTERNAL_NET 502 -> $HOME_NET any (msg:"PROTOCOL-SCADA Modbus exception returned"; flow:established,to_client; byte_test:1,&,128,7; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:15071; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"PROTOCOL-SCADA Microsys Promotic directory traversal attempt"; flow:to_server,established; content:"/webdir/../../../../../"; metadata:service http; reference:bugtraq,50133; reference:cve,2011-4518; reference:url,ics-cert.us-cert.gov/alerts/ICS-ALERT-11-286-01; classtype:attempted-user; sid:28917; rev:3;)
# alert tcp $HOME_NET 502 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA Modbus read write register response - invalid byte count"; flow:to_client,established; modbus_func:read_write_multiple_registers; content:"|00 00|"; depth:2; offset:2; byte_test:1,>,200,8; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:29206; rev:2;)
# alert tcp $HOME_NET 502 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA Modbus read input registers response invalid byte count"; flow:to_client,established; modbus_func:read_input_registers; content:"|00 00|"; depth:2; offset:2; byte_test:1,>,125,8; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:29205; rev:2;)
# alert tcp $HOME_NET 502 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA Modbus read holding register response - invalid byte count"; flow:to_client,established; modbus_func:read_holding_registers; content:"|00 00|"; depth:2; offset:2; byte_test:1,>,250,8; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:29204; rev:3;)
# alert tcp $HOME_NET 502 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA Modbus read fifo response invalid byte count"; flow:to_client,established; modbus_func:read_fifo_queue; content:"|00 00|"; depth:2; offset:2; byte_test:2,>,31,8; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:29203; rev:2;)
# alert tcp $HOME_NET 502 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA Modbus read coil status response - too many coils"; flow:to_client,established; modbus_func:read_discrete_inputs; content:"|00 00|"; depth:2; offset:2; byte_test:1,>,250,8; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:29202; rev:2;)
# alert tcp $HOME_NET 502 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA Modbus read coil status response - too many coils"; flow:to_client,established; modbus_func:read_coils; content:"|00 00|"; depth:2; offset:2; byte_test:1,>,250,8; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:29201; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus write single coil - invalid state"; flow:to_server,established; modbus_func:write_single_coil; content:"|00 00|"; depth:2; offset:2; content:"|00|"; depth:1; offset:11; content:!"|FF|"; depth:1; offset:10; content:!"|00|"; depth:1; offset:10; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:29200; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus write multiple registers - too many registers"; flow:to_server,established; modbus_func:write_multiple_registers; content:"|00 00|"; depth:2; offset:2; byte_test:2,>,100,10; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:29199; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus read write multiple registers - too many writes"; flow:to_server,established; modbus_func:read_write_multiple_registers; content:"|00 00|"; depth:2; offset:2; byte_test:2,>,125,14; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:29198; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus read write multiple registers - too many writes"; flow:to_server,established; modbus_func:read_write_multiple_registers; content:"|00 00|"; depth:2; offset:2; byte_test:2,>,125,10; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:29197; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus read input status - too many inputs"; flow:to_server,established; modbus_func:read_discrete_inputs; content:"|00 00|"; depth:2; offset:2; byte_test:2,>,2000,10; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:29196; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus read input register - too many inputs"; flow:to_server,established; modbus_func:read_input_registers; content:"|00 00|"; depth:2; offset:2; byte_test:2,>,125,10; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:29195; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus read holding registers - too many inputs"; flow:to_server,established; modbus_func:read_holding_registers; content:"|00 00|"; depth:2; offset:2; byte_test:2,>,125,10; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:29194; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus invalid encapsulated interface request"; flow:established,to_server; content:"|00 00|"; depth:2; offset:2; content:"|2B|"; depth:1; offset:7; content:!"|0D|"; within:1; content:!"|0E|"; within:1; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:29319; rev:1;)
# alert tcp $EXTERNAL_NET 502 -> $HOME_NET any (msg:"PROTOCOL-SCADA Modbus invalid encapsulated interface response"; flow:established,to_client; content:"|00 00|"; depth:2; offset:2; content:"|2B|"; depth:1; offset:7; content:!"|0D|"; within:1; content:!"|0E|"; within:1; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:29318; rev:1;)
# alert tcp $EXTERNAL_NET 502 -> $HOME_NET any (msg:"PROTOCOL-SCADA Modbus invalid exception message"; flow:established,to_client; content:"|00 00|"; depth:2; offset:2; byte_test:1,&,128,7; isdataat:9; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:29317; rev:1;)
# alert tcp $HOME_NET 502 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA Modbus value scan"; flow:established,to_client,no_stream; content:"|00 00|"; depth:2; offset:2; byte_test:1,&,128,7; content:"|03|"; depth:1; offset:8; detection_filter:track by_dst, count 3, seconds 10; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:29316; rev:2;)
# alert tcp $HOME_NET 502 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA Modbus list scan"; flow:established,to_client,no_stream; content:"|00 00|"; depth:2; offset:2; byte_test:1,&,128,7; content:"|02|"; depth:1; offset:8; detection_filter:track by_dst, count 3, seconds 10; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:29315; rev:2;)
# alert tcp $HOME_NET 502 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA Modbus function scan"; flow:established,to_client,no_stream; content:"|00 00|"; depth:2; offset:2; byte_test:1,&,128,7; content:"|01|"; depth:1; offset:8; detection_filter:track by_dst, count 3, seconds 10; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:29314; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1210,1211] (msg:"PROTOCOL-SCADA CODESYS Gateway-Server invalid memory access attempt"; flow:to_server,established; content:"|DD DD|"; depth:2; content:"|00 00|"; within:2; distance:18; content:!"|00 00 00 00|"; within:4; pcre:"/^\xDD\xDD.{16}(\x09\x00)|(\x0E\x00)|(\xEE\x03)\x00\x00/"; reference:bugtraq,58032; reference:cve,2012-4704; reference:url,ics-cert.us-cert.gov/pdf/ICSA-13-050-01-a.pdf; classtype:attempted-admin; sid:29534; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"PROTOCOL-SCADA ScadaTec Procyon Core server password overflow attempt"; flow:to_server,established; content:"|BF 99 46 77 90 90 90 90 90 90 90 90 90 90|"; depth:14; offset:65; metadata:service telnet; reference:bugtraq,49480; reference:cve,2011-3322; classtype:attempted-user; sid:29515; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 12401 (msg:"PROTOCOL-SCADA IGSS dc.exe file execution directory traversal attempt"; flow:to_server,established; content:"|54 4F 46 55 56 75 47 78 7A 44 66 61 68 44 4E 5A 65 6D 42 46|"; fast_pattern:only; metadata:policy max-detect-ips drop; reference:cve,2011-1567; classtype:attempted-admin; sid:29505; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [2308,50523] (msg:"PROTOCOL-SCADA Siemens SIMATIC WinCC flexible runtime directory traversal attempt"; flow:to_server,established; content:"|2E 00 2E 00 2F 00|"; offset:30; reference:cve,2011-4876; reference:url,www.exploit-db.com/exploits/18166/; classtype:attempted-admin; sid:29964; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [2308,50523] (msg:"PROTOCOL-SCADA Siemens SIMATIC WinCC flexible runtime DoS attempt"; flow:to_server,established; content:"|00 04 03|"; depth:3; byte_test:4,>,0x410,23,little; isdataat:1025; reference:cve,2011-4877; reference:url,www.exploit-db.com/exploits/18166/; classtype:attempted-admin; sid:29963; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [2308,50523] (msg:"PROTOCOL-SCADA Siemens SIMATIC WinCC flexible runtime DoS attempt"; flow:to_server,established; isdataat:1024; content:"|00 04 28|"; depth:3; reference:cve,2011-4877; reference:url,www.exploit-db.com/exploits/18166/; classtype:attempted-admin; sid:29962; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [2308,50523] (msg:"PROTOCOL-SCADA Siemens SIMATIC WinCC flexible runtime DoS attempt"; flow:to_server,established; isdataat:1024; content:"|00 04 22|"; depth:3; reference:cve,2011-4877; reference:url,www.exploit-db.com/exploits/18166/; classtype:attempted-admin; sid:29961; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [2308,50523] (msg:"PROTOCOL-SCADA Siemens SIMATIC WinCC flexible runtime DoS attempt"; flow:to_server,established; isdataat:1024; content:"|00 04 21|"; depth:3; reference:cve,2011-4877; reference:url,www.exploit-db.com/exploits/18166/; classtype:attempted-admin; sid:29960; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [2308,50523] (msg:"PROTOCOL-SCADA Siemens SIMATIC WinCC flexible runtime stack buffer overflow attempt"; flow:to_server,established; isdataat:1024; content:"|00 08 02|"; depth:3; byte_test:4,>,0x410,3,little,relative; reference:cve,2011-4875; reference:url,www.exploit-db.com/exploits/18166/; classtype:attempted-admin; sid:29959; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1210,1211] (msg:"PROTOCOL-SCADA CODESYS Gateway-Server heap buffer overflow attempt"; flow:to_server,established; content:"|DD DD|"; depth:2; content:"|06 00 00 00|"; within:4; distance:16; byte_test:4,>,0x7fffffff,260,relative,little; reference:cve,2012-4706; classtype:attempted-admin; sid:29954; rev:2;)
alert udp $EXTERNAL_NET any -> $HOME_NET 52302 (msg:"PROTOCOL-SCADA Yokogawa CENTUM CS 3000 bkclogserv buffer overflow attempt"; flow:to_server,no_stream; dsize:1024; content:"|00 04 00 00|"; depth:4; content:"|00 00 00 00 00 00 00 00|"; within:8; distance:12; content:!"|00|"; within:1000; detection_filter:track by_dst, count 2, seconds 1; metadata:policy balanced-ips drop, policy security-ips drop; reference:bugtraq,66130; reference:cve,2014-0781; classtype:attempted-admin; sid:30802; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20111 (msg:"PROTOCOL-SCADA Yokogawa CENTUM CS 3000 PMODE bkbcopyd buffer overflow attempt"; flow:to_server,established; content:"PMODE"; depth:5; fast_pattern; content:"|5D 62 04 64|"; within:4; distance:124; content:"|FF FF FF FF|"; within:4; distance:4; metadata:policy security-ips drop; reference:bugtraq,66114; reference:cve,2014-0784; classtype:attempted-user; sid:30801; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20111 (msg:"PROTOCOL-SCADA Yokogawa CENTUM CS 3000 XATR bkbcopyd buffer overflow attempt"; flow:to_server,established; content:"XATR"; depth:4; fast_pattern; content:"|5D 62 04 64|"; within:4; distance:124; content:"|FF FF FF FF|"; within:4; distance:4; metadata:policy security-ips drop; reference:bugtraq,66114; reference:cve,2014-0784; classtype:attempted-user; sid:30800; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20111 (msg:"PROTOCOL-SCADA Yokogawa CENTUM CS 3000 ATTR bkbcopyd buffer overflow attempt"; flow:to_server,established; content:"ATTR"; depth:4; fast_pattern; content:"|5D 62 04 64|"; within:4; distance:124; content:"|FF FF FF FF|"; within:4; distance:4; metadata:policy security-ips drop; reference:bugtraq,66114; reference:cve,2014-0784; classtype:attempted-user; sid:30799; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20111 (msg:"PROTOCOL-SCADA Yokogawa CENTUM CS 3000 STOR bkbcopyd buffer overflow attempt"; flow:to_server,established; content:"STOR"; depth:4; fast_pattern; content:"|5D 62 04 64|"; within:4; distance:124; content:"|FF FF FF FF|"; within:4; distance:4; metadata:policy security-ips drop; reference:bugtraq,66114; reference:cve,2014-0784; classtype:attempted-user; sid:30798; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20111 (msg:"PROTOCOL-SCADA Yokogawa CENTUM CS 3000 RETR bkbcopyd buffer overflow attempt"; flow:to_server,established; content:"RETR"; depth:4; fast_pattern; content:"|5D 62 04 64|"; within:4; distance:124; content:"|FF FF FF FF|"; within:4; distance:4; metadata:policy security-ips drop; reference:bugtraq,66114; reference:cve,2014-0784; classtype:attempted-user; sid:30797; rev:2;)
# alert tcp $HOME_NET 502 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA Modbus write file record - small byte count"; flow:to_client,established; modbus_func:write_file_record; content:"|00 00|"; depth:2; offset:2; byte_test:1,<,9,8; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:30823; rev:1;)
# alert tcp $HOME_NET 502 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA Modbus write file record - large reference value"; flow:to_client,established; modbus_func:write_file_record; content:"|00 00|"; depth:2; offset:2; byte_test:4,>,9999,10; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:30822; rev:1;)
# alert tcp $HOME_NET 502 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA Modbus write file record - large byte count"; flow:to_client,established; modbus_func:write_file_record; content:"|00 00|"; depth:2; offset:2; byte_test:1,>,251,8; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:30821; rev:1;)
# alert tcp $HOME_NET 502 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA Modbus write file record - invalid reference type"; flow:to_client,established; modbus_func:write_file_record; content:"|00 00|"; depth:2; offset:2; content:!"|06|"; depth:1; offset:9; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:30820; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus write file record - small byte count"; flow:to_server,established; modbus_func:write_file_record; content:"|00 00|"; depth:2; offset:2; byte_test:1,<,9,8; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:30819; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus write file record - large reference value"; flow:to_server,established; modbus_func:write_file_record; content:"|00 00|"; depth:2; offset:2; byte_test:4,>,9999,10; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:30818; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus write file record - large byte count"; flow:to_server,established; modbus_func:write_file_record; content:"|00 00|"; depth:2; offset:2; byte_test:1,>,251,8; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:30817; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus write file record - invalid reference type"; flow:to_server,established; modbus_func:write_file_record; content:"|00 00|"; depth:2; offset:2; content:!"|06|"; depth:1; offset:9; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:30816; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 34205 (msg:"PROTOCOL-SCADA Yokogawa CS3000 BKESimmgr.exe buffer overflow attempt"; flow:to_server,established; content:"|4F 27 D1 61 5C E6 40 00 90 EB 40 00|"; fast_pattern:only; content:"|00 00 00 01|"; depth:4; content:"|81 C4 54 F2 FF FF|"; distance:132; reference:cve,2014-0782; reference:url,www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf; classtype:attempted-user; sid:31037; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 12401 (msg:"PROTOCOL-SCADA IGSS dc.exe file execution directory traversal attempt"; flow:to_server,established; content:"|01 00|"; depth:2; offset:2; content:"|0D 00 00 00|"; within:4; distance:2; isdataat:466,relative; metadata:policy max-detect-ips drop; reference:bugtraq,46936; reference:cve,2011-1567; classtype:attempted-admin; sid:31438; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 12401 (msg:"PROTOCOL-SCADA KingSCADA Alarm Server stack buffer overflow attempt"; flow:to_server,established; content:"|D2 04 00 00 7B 00 00 00|"; depth:8; byte_test:4,>,0x7EF,0,relative,little; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:bugtraq,66709; reference:cve,2014-0787; classtype:attempted-admin; sid:32059; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 12221 (msg:"PROTOCOL-SCADA ABB MicroSCADA wserver.exe EXECUTE remote code execution attempt"; flow:to_server,established; content:"EXECUTE|00|"; depth:12; offset:4; nocase; metadata:policy max-detect-ips drop; reference:url,packetstorm.sigterm.no/1311-exploits/abb_wserver_exec.rb.txt; classtype:attempted-user; sid:33015; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"PROTOCOL-SCADA Advantech WebAccess SCADA command execution attempt"; flow:to_server,established; file_data; content:"5C2A52BD-2250-4F6B-A4D2-D1D00FCD748C"; fast_pattern:only; content:"|2E|CreateProcess"; nocase; content:"|2E|exe"; within:200; nocase; content:"|2E|exe"; within:200; nocase; metadata:policy max-detect-ips drop, service smtp; reference:cve,2014-0773; reference:url,ics-cert.us-cert.gov/advisories/ICSA-14-079-03; classtype:attempted-user; sid:33002; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"PROTOCOL-SCADA Advantech WebAccess SCADA command execution attempt"; flow:to_server,established; file_data; content:"BWOCXRUN.BwocxrunCtrl"; fast_pattern:only; content:"|2E|CreateProcess"; nocase; content:"|2E|exe"; within:200; nocase; content:"|2E|exe"; within:200; nocase; metadata:policy max-detect-ips drop, service smtp; reference:cve,2014-0773; reference:url,ics-cert.us-cert.gov/advisories/ICSA-14-079-03; classtype:attempted-user; sid:33001; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PROTOCOL-SCADA Advantech WebAccess SCADA command execution attempt"; flow:to_client,established; file_data; content:"BWOCXRUN.BwocxrunCtrl"; fast_pattern:only; content:"|2E|CreateProcess"; nocase; content:"|2E|exe"; within:200; nocase; content:"|2E|exe"; within:200; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2014-0773; reference:url,ics-cert.us-cert.gov/advisories/ICSA-14-079-03; classtype:attempted-user; sid:33000; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PROTOCOL-SCADA Advantech WebAccess SCADA command execution attempt"; flow:to_client,established; file_data; content:"5C2A52BD-2250-4F6B-A4D2-D1D00FCD748C"; fast_pattern:only; content:"|2E|CreateProcess"; nocase; content:"|2E|exe"; within:200; nocase; content:"|2E|exe"; within:200; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2014-0773; reference:url,ics-cert.us-cert.gov/advisories/ICSA-14-079-03; classtype:attempted-user; sid:32999; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1210,1211] (msg:"PROTOCOL-SCADA 3S CoDeSys Gateway Server stack buffer overflow attempt"; flow:to_server,established; content:"|DD DD|"; depth:2; content:"|F1 03 00 00|"; within:4; distance:16; isdataat:384,relative; content:!"|00|"; within:384; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2012-4708; classtype:attempted-admin; sid:26504; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1210,1211] (msg:"PROTOCOL-SCADA 3S CoDeSys Gateway Server stack buffer overflow attempt"; flow:to_server,established; content:"|DD DD|"; depth:2; content:"|04 00 00 00|"; within:4; distance:16; isdataat:464,relative; content:!"|00|"; within:464; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2012-4708; classtype:attempted-admin; sid:26503; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1210,1211] (msg:"PROTOCOL-SCADA 3S CoDeSys Gateway Server stack buffer overflow attempt"; flow:to_server,established; content:"|DD DD|"; depth:2; content:"|06 00 00 00|"; within:4; distance:16; isdataat:232,relative; content:!"|00|"; within:232; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2012-4708; classtype:attempted-admin; sid:26502; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1210,1211] (msg:"PROTOCOL-SCADA CODESYS Gateway-Server directory traversal attempt"; flow:to_server,established; content:"|DD DD|"; depth:2; content:".."; within:3; distance:20; content:".."; within:2; distance:1; metadata:policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,58032; reference:cve,2012-4705; reference:url,ics-cert.us-cert.gov/pdf/ICSA-13-050-01-a.pdf; classtype:attempted-admin; sid:26488; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1210,1211] (msg:"PROTOCOL-SCADA CODESYS Gateway-Server directory traversal attempt"; flow:to_server,established; content:"|DD DD|"; depth:2; content:"..|5C|..|5C|WINDOWS|5C|system32|5C|wbem|5C|mof|5C|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,58032; reference:cve,2012-4705; reference:url,ics-cert.us-cert.gov/pdf/ICSA-13-050-01-a.pdf; classtype:attempted-admin; sid:26415; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1210,1211] (msg:"PROTOCOL-SCADA CODESYS Gateway-Server executable file upload attempt"; flow:to_server,established; content:"|DD DD|"; depth:2; content:"..|5C|..|5C|"; distance:0; content:"MZ"; distance:0; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; distance:-64; metadata:policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,58032; reference:cve,2012-4705; reference:url,ics-cert.us-cert.gov/pdf/ICSA-13-050-01-a.pdf; classtype:attempted-admin; sid:26414; rev:12;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [12397,12399] (msg:"PROTOCOL-SCADA Schneider Electric IGSS integer underflow attempt"; flow:to_server,established; content:"|10 60 00 00 66 66 07 00 10 00 00 00 19 00 00 00|"; depth:16; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:cve,2013-0657; classtype:attempted-user; sid:26392; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [12397,12399] (msg:"PROTOCOL-SCADA Schneider Electric IGSS integer underflow attempt"; flow:to_server,established; content:"|00 00 00 00|"; depth:4; offset:4; byte_jump:4,0,relative,little,post_offset -4; byte_test:4,>,0x800,0,relative,little; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:cve,2013-0657; classtype:attempted-user; sid:25852; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [12397,12399] (msg:"PROTOCOL-SCADA Schneider Electric IGSS integer underflow attempt"; flow:to_server,established; content:"|00 00 00 00|"; depth:4; offset:4; byte_jump:4,0,relative,little,post_offset -4; byte_test:4,<,0x20,0,relative,little; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:cve,2013-0657; classtype:attempted-user; sid:25851; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [12397,12399] (msg:"PROTOCOL-SCADA Schneider Electric IGSS integer underflow attempt"; flow:to_server,established; byte_test:4,>,0x800,8,little; metadata:policy max-detect-ips drop; reference:cve,2013-0657; classtype:attempted-user; sid:25850; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [12397,12399] (msg:"PROTOCOL-SCADA Schneider Electric IGSS integer underflow attempt"; flow:to_server,established; content:"|00 00 00|"; depth:3; offset:9; byte_test:1,<,0x20,8; metadata:policy max-detect-ips drop; reference:cve,2013-0657; classtype:attempted-user; sid:25849; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5159 (msg:"PROTOCOL-SCADA GE Proficy Real-Time Information Portal directory traversal attempt"; flow:to_server,established; content:"|43 00 01 00 00 00 0C|"; depth:7; content:"|00 00 00 00 01 00 00 00 01|"; within:9; distance:4; byte_extract:4,0,filename_len,relative; content:"|00 2E 00 2E|"; within:filename_len; distance:4; metadata:policy max-detect-ips drop; reference:bugtraq,52439; reference:cve,2012-0232; reference:url,support.ge-ip.com/support/index?page=kbchannel&id=S:KB14768; classtype:attempted-admin; sid:24803; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 777 (msg:"PROTOCOL-SCADA WellinTech Kingview HMI history server buffer overflow attempt"; flow:to_server,established; content:"|03 00 00|"; depth:3; offset:2; byte_test:2,>,9,0,little; byte_extract:2,4,element_count,relative,little,multiplier 12; byte_test:2,>,element_count,0,little; metadata:policy max-detect-ips drop; reference:cve,2011-4536; classtype:attempted-admin; sid:24480; rev:11;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 48899 (msg:"PROTOCOL-SCADA Beckhoff TwinCAT DoS"; content:"|03 66 14 71|"; isdataat:23; metadata:policy max-detect-ips drop; reference:cve,2011-3486; classtype:attempted-dos; sid:20216; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 11234 (msg:"PROTOCOL-SCADA Measuresoft ScadaPro directory traversal file operation attempt"; flow:to_server,established; content:"..|5C|..|5C|"; fast_pattern:only; pcre:"/^[xounwR]f\x25[^\n]*(\.\.\x5C){2}/i"; metadata:policy max-detect-ips drop; reference:cve,2011-3490; reference:cve,2011-3495; reference:cve,2011-3496; reference:cve,2011-3497; classtype:attempted-admin; sid:20215; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 11234 (msg:"PROTOCOL-SCADA Measuresoft ScadaPro msvcrt.dll local command execution attempt"; flow:to_server,established; content:"xf%"; depth:3; content:"msvcrt.dll"; fast_pattern:only; metadata:policy max-detect-ips drop; reference:cve,2011-3490; reference:cve,2011-3495; reference:cve,2011-3496; reference:cve,2011-3497; classtype:attempted-admin; sid:20214; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 4502 (msg:"PROTOCOL-SCADA Cogent unicode buffer overflow attempt"; flow:to_server,established; content:"(slave "; nocase; content:"|22|"; within:3; isdataat:100,relative; content:!"|22|"; within:100; metadata:policy max-detect-ips drop, service http; reference:cve,2011-3493; classtype:attempted-admin; sid:20210; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 12401 (msg:"PROTOCOL-SCADA IGSS IGSSDataServer.exe file operation directory traversal attempt"; flow:to_server,established; content:"|01 00|"; depth:2; offset:2; content:"|0D|"; within:1; distance:2; content:"|2E 2E|"; fast_pattern:only; pcre:"/.{18}[\x01\x02\x03\x04\x05\x06]\x00\x00\x00.+?(\x2E{2}[\x5C\x2F]){2}/"; metadata:policy max-detect-ips drop; reference:bugtraq,46936; reference:cve,2011-1567; classtype:attempted-admin; sid:20030; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 912 (msg:"PROTOCOL-SCADA RealWin 2.1 SCPC_INITIALIZE overflow attempt"; flow:to_server,established; content:"|64 12 54 6A|"; depth:4; byte_test:4,>,200,8,little; pcre:"/^\x64\x12\x54\x6A[\x02\x20\x10]\x00\x00\x00/"; metadata:policy max-detect-ips drop; reference:bugtraq,44150; reference:cve,2010-4142; classtype:attempted-admin; sid:18659; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 12397 (msg:"PROTOCOL-SCADA IGSS dc.exe file execution directory traversal attempt"; flow:to_server,established; content:"|2E 2E|"; fast_pattern:only; pcre:"/^.{12}[\x17\x0A]\x00\x00\x00.{28}[^\x00]*(\x2E{2}[\x5C\x2F]){2}/"; metadata:policy max-detect-ips drop; reference:bugtraq,46936; reference:cve,2011-1567; classtype:attempted-admin; sid:18657; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 12401 (msg:"PROTOCOL-SCADA IGSS IGSSDataServer.exe strep overflow attempt"; flow:to_server,established; content:"|04 00 00 00|"; fast_pattern:only; content:"|08|"; depth:1; offset:6; content:"|01 00 00 00|"; within:4; distance:7; isdataat:260,relative; pcre:"/^\x04\x00\x00\x00[^\x00]{256,}/R"; metadata:policy max-detect-ips drop; reference:bugtraq,46936; reference:cve,2011-1567; classtype:attempted-admin; sid:18656; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 12401 (msg:"PROTOCOL-SCADA IGSS IGSSDataServer.exe format string attempt"; flow:to_server,established; content:"|25 6E|"; fast_pattern:only; content:"|07|"; depth:1; offset:6; content:"|01 00 00 00|"; within:4; distance:7; pcre:"/^\x03\x00\x00\x00[^\x00]*\x25\x6e/R"; metadata:policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,46936; reference:cve,2011-1567; reference:cve,2011-1568; classtype:attempted-admin; sid:18654; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 12401 (msg:"PROTOCOL-SCADA IGSS IGSSDataServer.exe report template overflow attempt"; flow:to_server,established; content:"|07|"; depth:1; offset:6; content:"|01 00 00 00|"; within:4; distance:7; isdataat:260,relative; pcre:"/^[\x04\x05\x06]\x00\x00\x00[^\x00]{256,}/R"; metadata:policy max-detect-ips drop; reference:bugtraq,46936; reference:cve,2011-1567; classtype:attempted-admin; sid:18651; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 12401 (msg:"PROTOCOL-SCADA IGSS IGSSDataServer.exe file operation overflow attempt"; flow:to_server,established; content:"|01 00 34 12|"; depth:4; offset:2; isdataat:466,relative; pcre:"/^.{2}\x01\x00\x34\x12.{12}[\x01\x02\x03\x04\x05\x06\x07]\x00\x00\x00[^\x00]{444,}/"; metadata:policy max-detect-ips drop; reference:bugtraq,46936; reference:cve,2011-1567; reference:cve,2011-4050; classtype:attempted-admin; sid:18649; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 12401 (msg:"PROTOCOL-SCADA IGSS IGSSDataServer.exe file upload/download attempt"; flow:to_server,established; content:"|2E 2E|"; fast_pattern:only; content:"|0D|"; depth:1; offset:6; content:"|01 00 00 00|"; within:4; distance:7; pcre:"/^[\x02\x03]\x00\x00\x00[^\x00]*(\x2E{2}[\x5C\x2F]){2}/R"; metadata:policy max-detect-ips drop; reference:bugtraq,46936; reference:cve,2011-1567; classtype:attempted-user; sid:18648; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1210,1211] (msg:"PROTOCOL-SCADA 3S CoDeSys Gateway Server stack buffer overflow attempt"; flow:to_server,established; content:"|DD DD|"; depth:2; byte_test:4,>,400,12,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2012-4708; classtype:attempted-admin; sid:39391; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 44818 (msg:"PROTOCOL-SCADA Rockwell firmware upload attempt"; flow:to_server,established; content:"|6F 00|"; content:"|00 00 00 00|"; within:4; distance:6; content:"|00 00 00 00|"; within:4; distance:8; pcre:"/(\x20\xa1|\x21\x00\xa1\x00)(\x24[\x01-\xff]|\x25\x00[\x01-\xff]\x00)/smi"; reference:cve,2012-6437; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=27868; classtype:policy-violation; sid:40333; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [2222,44818] (msg:"PROTOCOL-SCADA Rockwell Controllogix Stop CPU attempt"; flow:to_server,established; content:"|6F 00|"; depth:2; content:"|00 00 00 00|"; within:4; distance:22; byte_extract:2,10,cipsize,relative; content:"|07 02 20 64 24 01|"; within:cipsize; classtype:policy-violation; sid:40518; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [2222,44818] (msg:"PROTOCOL-SCADA Rockwell Controllogix Network Policy Change attempt"; flow:to_server,established; content:"|6F 00|"; depth:2; content:"|00 00 00 00|"; within:4; distance:22; byte_extract:2,10,cipsize,relative; content:"|10|"; within:cipsize; content:"|20 F5|"; within:2; distance:1; classtype:policy-violation; sid:40517; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 2404 (msg:"PROTOCOL-SCADA IEC 104 traffic to/from EXTERNAL_NET"; flow:established; content:"|68|"; depth:1; reference:url,blog.snort.org/2016/12/iec60870-5-104-protocol-detection-rules.html; classtype:protocol-command-decode; sid:41079; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2404 (msg:"PROTOCOL-SCADA IEC 104 traffic to/from EXTERNAL_NET"; flow:established; content:"|68|"; depth:1; reference:url,blog.snort.org/2016/12/iec60870-5-104-protocol-detection-rules.html; classtype:protocol-command-decode; sid:41078; rev:2;)
# alert tcp any [1024:] <> any 2404 (msg:"PROTOCOL-SCADA IEC 104 unknown ASDU type detected"; flow:established; content:"|68|"; pcre:"/\x68.{5}[\x16-\x1D\x29-\x2C\x34-\x39\x41-\x45]/"; reference:url,blog.snort.org/2016/12/iec60870-5-104-protocol-detection-rules.html; classtype:protocol-command-decode; sid:41077; rev:2;)
# alert tcp any [1024:] <> any 2404 (msg:"PROTOCOL-SCADA IEC 104 double command issued"; flow:established; content:"|68|"; pcre:"/\x68.{5}[\x2e\x3b]/"; reference:url,blog.snort.org/2016/12/iec60870-5-104-protocol-detection-rules.html; classtype:protocol-command-decode; sid:41076; rev:2;)
# alert tcp any [1024:] <> any 2404 (msg:"PROTOCOL-SCADA IEC 104 counter interrogation command"; flow:established; content:"|68|"; content:"|65|"; within:1; distance:5; reference:url,blog.snort.org/2016/12/iec60870-5-104-protocol-detection-rules.html; classtype:protocol-command-decode; sid:41075; rev:2;)
# alert tcp any [1024:] <> any 2404 (msg:"PROTOCOL-SCADA IEC 104 clock sync command"; flow:established; content:"|68|"; content:"|67|"; within:1; distance:5; reference:url,blog.snort.org/2016/12/iec60870-5-104-protocol-detection-rules.html; classtype:protocol-command-decode; sid:41074; rev:2;)
# alert tcp any [1024:] <> any 2404 (msg:"PROTOCOL-SCADA IEC 104 bitstring of 32 bits"; flow:established; content:"|68|"; pcre:"/\x68.{5}[\x33\x40\x07\x21]/"; reference:url,blog.snort.org/2016/12/iec60870-5-104-protocol-detection-rules.html; classtype:protocol-command-decode; sid:41073; rev:2;)
# alert tcp any [1024:] <> any 2404 (msg:"PROTOCOL-SCADA IEC 104 Test command with time tag"; flow:established; content:"|68|"; content:"|6B|"; within:1; distance:5; reference:url,blog.snort.org/2016/12/iec60870-5-104-protocol-detection-rules.html; classtype:protocol-command-decode; sid:41072; rev:2;)
# alert tcp any [1024:] <> any 2404 (msg:"PROTOCOL-SCADA IEC 104 Step point information"; flow:established; content:"|68|"; pcre:"/\x68.{5}[\x05\x20]/"; reference:url,blog.snort.org/2016/12/iec60870-5-104-protocol-detection-rules.html; classtype:protocol-command-decode; sid:41071; rev:2;)
# alert tcp any [1024:] <> any 2404 (msg:"PROTOCOL-SCADA IEC 104 Single point information"; flow:established; content:"|68|"; pcre:"/\x68.{5}[\x14\x01\x1e]/"; reference:url,blog.snort.org/2016/12/iec60870-5-104-protocol-detection-rules.html; classtype:protocol-command-decode; sid:41070; rev:2;)
# alert tcp any [1024:] <> any 2404 (msg:"PROTOCOL-SCADA IEC 104 Single command"; flow:established; content:"|68|"; pcre:"/\x68.{5}[\x2d\x3a]/"; reference:url,blog.snort.org/2016/12/iec60870-5-104-protocol-detection-rules.html; classtype:protocol-command-decode; sid:41069; rev:2;)
# alert tcp any [1024:] <> any 2404 (msg:"PROTOCOL-SCADA IEC 104 Set point command"; flow:established; content:"|68|"; pcre:"/\x68.{5}[\x30\x31\x32\x3d\x3e\x3f]/"; reference:url,blog.snort.org/2016/12/iec60870-5-104-protocol-detection-rules.html; classtype:protocol-command-decode; sid:41068; rev:2;)
# alert tcp any [1024:] <> any 2404 (msg:"PROTOCOL-SCADA IEC 104 Rest process command"; flow:established; content:"|68|"; content:"|69|"; within:1; distance:5; reference:url,blog.snort.org/2016/12/iec60870-5-104-protocol-detection-rules.html; classtype:protocol-command-decode; sid:41067; rev:2;)
# alert tcp any [1024:] <> any 2404 (msg:"PROTOCOL-SCADA IEC 104 Regulating step command"; flow:established; content:"|68|"; pcre:"/\x68.{5}[\x2f\x3c]/"; reference:url,blog.snort.org/2016/12/iec60870-5-104-protocol-detection-rules.html; classtype:protocol-command-decode; sid:41066; rev:2;)
# alert tcp any [1024:] <> any 2404 (msg:"PROTOCOL-SCADA IEC 104 Read command"; flow:established; content:"|68|"; content:"|66|"; within:1; distance:5; reference:url,blog.snort.org/2016/12/iec60870-5-104-protocol-detection-rules.html; classtype:protocol-command-decode; sid:41065; rev:2;)
# alert tcp any [1024:] <> any 2404 (msg:"PROTOCOL-SCADA IEC 104 Query Log"; flow:established; content:"|68|"; pcre:"/\x68.{5}[\x7a\x7f]/"; reference:url,blog.snort.org/2016/12/iec60870-5-104-protocol-detection-rules.html; classtype:protocol-command-decode; sid:41064; rev:2;)
# alert tcp any [1024:] <> any 2404 (msg:"PROTOCOL-SCADA IEC 104 Parameter value"; flow:established; content:"|68|"; pcre:"/\x68.{5}[\x71\x6e\x6f\x70]/"; reference:url,blog.snort.org/2016/12/iec60870-5-104-protocol-detection-rules.html; classtype:protocol-command-decode; sid:41063; rev:2;)
# alert tcp any [1024:] <> any 2404 (msg:"PROTOCOL-SCADA IEC 104 Packed start events"; flow:established; content:"|68|"; pcre:"/\x68.{5}[\x26\x27\x28]/"; reference:url,blog.snort.org/2016/12/iec60870-5-104-protocol-detection-rules.html; classtype:protocol-command-decode; sid:41062; rev:2;)
# alert tcp any [1024:] <> any 2404 (msg:"PROTOCOL-SCADA IEC 104 Measured value"; flow:established; content:"|68|"; pcre:"/\x68.{5}[\x09\x0b\x0d\x15\x22\x23\x24]/"; reference:url,blog.snort.org/2016/12/iec60870-5-104-protocol-detection-rules.html; classtype:protocol-command-decode; sid:41061; rev:2;)
# alert tcp any [1024:] <> any 2404 (msg:"PROTOCOL-SCADA IEC 104 List directory"; flow:established; content:"|68|"; content:"|7E|"; within:1; distance:5; reference:url,blog.snort.org/2016/12/iec60870-5-104-protocol-detection-rules.html; classtype:protocol-command-decode; sid:41060; rev:4;)
# alert tcp any [1024:] <> any 2404 (msg:"PROTOCOL-SCADA IEC 104 Last section"; flow:established; content:"|68|"; content:"|7B|"; within:1; distance:5; reference:url,blog.snort.org/2016/12/iec60870-5-104-protocol-detection-rules.html; classtype:protocol-command-decode; sid:41059; rev:2;)
# alert tcp any [1024:] <> any 2404 (msg:"PROTOCOL-SCADA IEC 104 Interrogation command"; flow:established; content:"|68|"; content:"|64|"; within:1; distance:5; reference:url,blog.snort.org/2016/12/iec60870-5-104-protocol-detection-rules.html; classtype:protocol-command-decode; sid:41058; rev:2;)
# alert tcp any [1024:] <> any 2404 (msg:"PROTOCOL-SCADA IEC 104 Integrated totals"; flow:established; content:"|68|"; pcre:"/\x68.{5}[\x0f\x25]/"; reference:url,blog.snort.org/2016/12/iec60870-5-104-protocol-detection-rules.html; classtype:protocol-command-decode; sid:41057; rev:2;)
# alert tcp any [1024:] <> any 2404 (msg:"PROTOCOL-SCADA IEC 104 File ready"; flow:established; content:"|68|"; content:"|78|"; within:1; distance:5; reference:url,blog.snort.org/2016/12/iec60870-5-104-protocol-detection-rules.html; classtype:protocol-command-decode; sid:41056; rev:2;)
# alert tcp any [1024:] <> any 2404 (msg:"PROTOCOL-SCADA IEC 104 End of initialization"; flow:established; content:"|68|"; content:"|46|"; within:1; distance:5; reference:url,blog.snort.org/2016/12/iec60870-5-104-protocol-detection-rules.html; classtype:protocol-command-decode; sid:41055; rev:2;)
# alert tcp any [1024:] <> any 2404 (msg:"PROTOCOL-SCADA IEC 104 Double point information"; flow:established; content:"|68|"; pcre:"/\x68.{5}[\x03\x1f]/"; reference:url,blog.snort.org/2016/12/iec60870-5-104-protocol-detection-rules.html; classtype:protocol-command-decode; sid:41054; rev:2;)
# alert tcp any [1024:] <> any 2404 (msg:"PROTOCOL-SCADA IEC 104 Ack file"; flow:established; content:"|68|"; content:"|7C|"; within:1; distance:5; reference:url,blog.snort.org/2016/12/iec60870-5-104-protocol-detection-rules.html; classtype:protocol-command-decode; sid:41053; rev:2;)
# alert tcp any [1024:] <> any 2404 (msg:"PROTOCOL-SCADA IEC 104 TESTFR CON"; flow:established; content:"|68|"; depth:1; content:"|83|"; within:1; distance:1; reference:url,blog.snort.org/2016/12/iec60870-5-104-protocol-detection-rules.html; classtype:protocol-command-decode; sid:41052; rev:2;)
# alert tcp any [1024:] <> any 2404 (msg:"PROTOCOL-SCADA IEC 104 TESTFR ACT"; flow:established; content:"|68|"; depth:1; content:"|43|"; within:1; distance:1; reference:url,blog.snort.org/2016/12/iec60870-5-104-protocol-detection-rules.html; classtype:protocol-command-decode; sid:41051; rev:2;)
# alert tcp any [1024:] <> any 2404 (msg:"PROTOCOL-SCADA IEC 104 STOPDT CON"; flow:established; content:"|68|"; depth:1; content:"|23|"; within:1; distance:1; reference:url,blog.snort.org/2016/12/iec60870-5-104-protocol-detection-rules.html; classtype:protocol-command-decode; sid:41050; rev:2;)
# alert tcp any [1024:] <> any 2404 (msg:"PROTOCOL-SCADA IEC 104 STOPDT ACT"; flow:established; content:"|68|"; depth:1; content:"|13|"; within:1; distance:1; reference:url,blog.snort.org/2016/12/iec60870-5-104-protocol-detection-rules.html; classtype:protocol-command-decode; sid:41049; rev:2;)
# alert tcp any [1024:] <> any 2404 (msg:"PROTOCOL-SCADA IEC 104 STARTDT CON"; flow:established; content:"|68|"; depth:1; content:"|0B|"; within:1; distance:1; reference:url,blog.snort.org/2016/12/iec60870-5-104-protocol-detection-rules.html; classtype:protocol-command-decode; sid:41048; rev:2;)
# alert tcp any [1024:] <> any 2404 (msg:"PROTOCOL-SCADA IEC 104 STARTDT ACT"; flow:established; content:"|68|"; depth:1; content:"|07|"; within:1; distance:1; reference:url,blog.snort.org/2016/12/iec60870-5-104-protocol-detection-rules.html; classtype:protocol-command-decode; sid:41047; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [2222,44818] (msg:"PROTOCOL-SCADA Rockwell Controllogix Crash CPU attempt"; flow:to_server,established; content:"|6F 00|"; depth:2; content:"|00 00 00 00|"; within:4; distance:22; content:"|52|"; within:1; distance:12; content:"|0A|"; within:1; distance:9; byte_test:2, >, 25, 6, relative; reference:cve,2012-6436; reference:url,ics-cert.us-cert.gov/advisories/ICSA-13-011-03; classtype:denial-of-service; sid:41044; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [2222,44818] (msg:"PROTOCOL-SCADA Rockwell Controllogix Ethernet Reset attempt"; flow:to_server,established; content:"|6F 00|"; depth:2; content:"|00 00 00 00|"; within:4; distance:22; content:"|05|"; within:1; distance:12; content:"|20 01|"; within:2; distance:1; reference:cve,2012-6442; reference:url,ics-cert.us-cert.gov/advisories/ICSA-13-011-03; classtype:denial-of-service; sid:41043; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [2222,44818] (msg:"PROTOCOL-SCADA Rockwell Controllogix Dump Boot Code attempt"; flow:to_server,established; content:"|6F 00|"; depth:2; content:"|00 00 00 00|"; within:4; distance:22; content:"|97|"; within:1; distance:12; content:"|20 C0|"; within:2; distance:1; reference:cve,2012-6441; reference:url,ics-cert.us-cert.gov/advisories/ICSA-13-011-03; classtype:denial-of-service; sid:41042; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [2222,44818] (msg:"PROTOCOL-SCADA Rockwell Controllogix Crash Ethernet attempt"; flow:to_server,established; content:"|6F 00|"; depth:2; content:"|00 00 00 00|"; within:4; distance:22; byte_extract:2,10,cipsize,relative; content:"|0E|"; within:cipsize; content:"|20 F5|"; within:2; distance:1; reference:cve,2012-6438; reference:url,ics-cert.us-cert.gov/advisories/ICSA-13-011-03; classtype:denial-of-service; sid:41091; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 772 (msg:"PROTOCOL-SCADA SCADA Trace Mode DoS attempt"; flow:to_server,established; content:"|0C 0C 0C 0C 0C 0C 0C 0C|"; isdataat:300,relative; reference:url,www.adastra.ru/products/dev/scada/; classtype:attempted-dos; sid:41648; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 789 (msg:"PROTOCOL-SCADA BB-Elec ethernet gateway DOS attempt"; flow:to_server,established; content:"|00 04 01 2A 03 00|"; depth:6; metadata:policy max-detect-ips drop, policy security-ips drop; reference:url,www.bb-elec.es/ethernet-gateways.htm; classtype:attempted-dos; sid:41646; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 16888 (msg:"PROTOCOL-SCADA Moxa Mass Config Tool DOS attempt"; flow:to_server,established; content:"|0B|AAAAAAAAAAAA"; depth:13; isdataat:2500,relative; reference:url,www.moxa.com/product/Mass_Configuration_Tool.htm; classtype:attempted-dos; sid:41739; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8800 (msg:"PROTOCOL-SCADA Sunway DOS attempt"; flow:to_server,established; content:"|07 00 00 00 00 00 00 00 00 00 00 00|"; depth:12; isdataat:1000; reference:url,www.sunwayland.com/?Nid=3593; classtype:attempted-dos; sid:41738; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8800 (msg:"PROTOCOL-SCADA Sunway DOS attempt"; flow:to_server,established; content:"|06 00 00 00 00 00 00 00 00 04 00 00|"; depth:12; isdataat:1000; reference:url,www.sunwayland.com/?Nid=3593; classtype:attempted-dos; sid:41737; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1804 (msg:"PROTOCOL-SCADA PowerNet Twin Client DOS attempt"; flow:to_server,established; dsize:>99; content:"|11 00|"; depth:2; metadata:policy max-detect-ips drop, policy security-ips drop; reference:url,www.honeywellaidc.com/en-US/Pages/Product.aspx?category=Software&cat=HSM&pid=PowerNet%20Twin%20Client; classtype:attempted-dos; sid:41752; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"PROTOCOL-SCADA Moxa SoftCMS webserver DOS attempt"; flow:to_server,established; isdataat:!18; content:"GET . HTTP/1.0|0D 0A|"; depth:16; nocase; metadata:service http; classtype:attempted-dos; sid:41747; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 22350 (msg:"PROTOCOL-SCADA TwinCAT PLC DOS attempt"; flow:to_server,established; dsize:>2000; content:"|A2 1D CB AA AA 75 48 B4 91 DB F4 06 B0 B0 2D|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop; reference:url,www.beckhoff.com/english.asp?twincat/overvw.htm; classtype:attempted-dos; sid:41743; rev:2;)
alert udp $EXTERNAL_NET any -> $HOME_NET 20010 (msg:"PROTOCOL-SCADA Yokogawa CS3000 BKFSim_vhfd buffer overflow attempt"; flow:to_server; content:"|45 54 56 48 01 01 10 09 00 00 00 01 00 00 00 44|"; fast_pattern:only; isdataat:460; content:"|9C 5C E5 61|"; depth:4; offset:454; metadata:policy balanced-ips drop, policy security-ips drop; reference:cve,2014-3888; classtype:attempted-admin; sid:41778; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 4800 (msg:"PROTOCOL-SCADA Moxa discovery packet information disclosure attempt"; flow:to_server; content:"|01|"; depth:1; content:"|08|"; within:1; distance:2; isdataat:3,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:url,www.moxa.com/product/AWK-3121_Series.htm; classtype:attempted-recon; sid:42016; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 4800 (msg:"PROTOCOL-SCADA Moxa unlock function code attempt"; flow:to_server,established; content:"|16|"; depth:1; content:"|00 90 E8|"; depth:3; offset:14; reference:url,www.moxa.com/product/AWK-3121_Series.htm; classtype:attempted-admin; sid:42058; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 4800 (msg:"PROTOCOL-SCADA Moxa unlock function code attempt"; flow:to_server,established; content:"|0A|"; depth:1; content:"|00 90 E8|"; depth:3; offset:14; reference:url,www.moxa.com/product/AWK-3121_Series.htm; classtype:attempted-admin; sid:42057; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 4800 (msg:"PROTOCOL-SCADA Moxa password retrieval attempt"; flow:to_server,established; content:"|2C|"; depth:1; content:"|00 90 E8|"; depth:3; offset:14; reference:url,www.moxa.com/product/AWK-3121_Series.htm; classtype:attempted-admin; sid:42056; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 4800 (msg:"PROTOCOL-SCADA Moxa password retrieval attempt"; flow:to_server,established; content:"|29|"; depth:1; content:"|00 90 E8|"; depth:3; offset:14; reference:url,www.moxa.com/product/AWK-3121_Series.htm; classtype:attempted-admin; sid:42055; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 4800 (msg:"PROTOCOL-SCADA Moxa get SNMP read string attempt"; flow:to_server,established; content:"|28|"; depth:1; content:"|00 90 E8|"; depth:3; offset:14; reference:url,www.moxa.com/product/AWK-3121_Series.htm; classtype:attempted-admin; sid:42054; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 260 (msg:"PROTOCOL-SCADA TraceMode Runtime DOS attempt"; flow:to_server; isdataat:1000; content:"|17 17 17 17 17 17 17 17|"; depth:8; metadata:policy connectivity-ips drop; reference:url,www.adastra.ru/products/dev/scada/; classtype:attempted-dos; sid:42075; rev:2;)
alert udp $EXTERNAL_NET any -> $HOME_NET 260 (msg:"PROTOCOL-SCADA TraceMode Runtime DOS attempt"; flow:to_server; isdataat:1000; content:"|0C 0C 0C 0C 0C 0C 0C 0C|"; depth:8; metadata:policy balanced-ips drop; reference:url,www.adastra.ru/products/dev/scada/; classtype:attempted-dos; sid:42074; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 260 (msg:"PROTOCOL-SCADA TraceMode Runtime DOS attempt"; flow:to_server; isdataat:1000; content:"|02 00 00 00 FF 00|"; depth:6; metadata:policy max-detect-ips drop; reference:url,www.adastra.ru/products/dev/scada/; classtype:attempted-dos; sid:42073; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA invalid modbus protocol identifier"; flow:to_server, established; content:"|00 00|"; depth:2; content:!"|00 00|"; within:2; reference:url,modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; reference:url,modbus.org/docs/Modbus_Messaging_Implementation_Guide_V1_0b.pdf; classtype:misc-activity; sid:42109; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 4679 (msg:"PROTOCOL-SCADA Eaton Network Pi3Web DOS attempt"; flow:to_server,established; content:"//////////"; fast_pattern:only; metadata:service http; reference:cve,2003-0276; classtype:attempted-dos; sid:42127; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1210,1211] (msg:"PROTOCOL-SCADA 3S CoDeSys Gateway Server DOS attempt"; flow:to_server,established; content:"|DD DD|"; depth:2; isdataat:1000,relative; reference:url,www.3s-software.com; classtype:attempted-dos; sid:42284; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 4322 (msg:"PROTOCOL-SCADA InduSoft Web Studio CEServer buffer overflow attempt"; flow:to_server,established; content:"|02 15|"; depth:2; isdataat:104; content:"|00|"; distance:0; isdataat:2; content:!"|10 03|"; within:2; reference:cve,2011-4052; reference:url,aluigi.altervista.org/adv/indusoft_5-adv.txt; classtype:misc-activity; sid:42351; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 4322 (msg:"PROTOCOL-SCADA InduSoft Web Studio CEServer buffer overflow attempt"; flow:to_server,established; content:"|02 16|"; depth:2; isdataat:104; content:"|00|"; distance:0; isdataat:2; content:!"|10 03|"; within:2; reference:url,aluigi.altervista.org/adv/indusoft_5-adv.txt; classtype:misc-activity; sid:42350; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 4322 (msg:"PROTOCOL-SCADA InduSoft Web Studio CEServer buffer overflow attempt"; flow:to_server,established; content:"|16|"; depth:1; isdataat:104; content:!"|00|"; within:104; reference:url,aluigi.altervista.org/adv/indusoft_5-adv.txt; classtype:misc-activity; sid:42349; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 4800 (msg:"PROTOCOL-SCADA Moxa unlock function code attempt"; flow:to_server,established; content:"|1E|"; depth:1; content:"|00 90 E8|"; depth:3; offset:14; reference:url,www.moxa.com/product/AWK-3121_Series.htm; classtype:attempted-admin; sid:42786; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Schneider Modicon TM221CE16R password retrieval attempt"; flow:to_server, established; modbus_func:90; modbus_data; content:"|00 03 00|"; fast_pattern:only; reference:cve,2017-7575; reference:url,download.schneider-electric.com/files?&p_File_Name=SEVD-2017-097-01-SoMachine+Basic.pdf; classtype:attempted-admin; sid:42861; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 14000 (msg:"PROTOCOL-SCADA GE Proficy Historian buffer overflow attempt"; flow:to_server,established; isdataat:250; content:"|90 02 32 00 00 01 00 00 00 00 00 00 00 3C|"; fast_pattern:only; reference:cve,2011-1918; classtype:attempted-admin; sid:42934; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1234 (msg:"PROTOCOL-SCADA Advantech Studio DOS attempt"; flow:to_server,established; content:"|06|oC3|00 09 00|"; fast_pattern; isdataat:35,relative; content:!"|00 0A 00 03|"; within:35; reference:url,www2.advantech.com/eAutomation/automation_controllers/news.aspx; classtype:attempted-dos; sid:43348; rev:1;)
# alert tcp $EXTERNAL_NET 102 -> $HOME_NET any (msg:"PROTOCOL-SCADA IEC 61850 virtual manufacturing device domain variable enumeration attempt"; flow:to_client,established,no_stream; content:"|61|"; content:"|03|"; within:1; distance:5; content:"|A0 03 80 01 00 A1|"; distance:0; content:"|81|"; within:1; distance:1; detection_filter:track by_src,count 10,seconds 15; reference:url,dragos.com/blog/crashoverride/CrashOverride-01.pdf; reference:url,us-cert.gov/ncas/alerts/TA17-163A; reference:url,welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf; classtype:attempted-recon; sid:43253; rev:2;)
# alert tcp $EXTERNAL_NET 102 -> $HOME_NET any (msg:"PROTOCOL-SCADA IEC 61850 device connection enumeration attempt"; flow:to_client,established,no_stream; content:"|E0 00 00|"; depth:3; offset:5; content:"|00|"; within:1; distance:2; content:"|C1|"; depth:9; offset:11; content:"|C2|"; depth:9; offset:11; content:"|C0|"; depth:9; offset:11; detection_filter:track by_src,count 10,seconds 15; reference:url,dragos.com/blog/crashoverride/CrashOverride-01.pdf; reference:url,us-cert.gov/ncas/alerts/TA17-163A; reference:url,welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf; classtype:attempted-recon; sid:43252; rev:2;)
# alert tcp $EXTERNAL_NET 2404 -> $HOME_NET any (msg:"PROTOCOL-SCADA IEC 104 force on denial of service attempt"; flow:to_client,established,no_stream; content:"|68|"; depth:1; content:"|2D|"; within:1; distance:5; content:"|01|"; within:1; distance:8; detection_filter:track by_src,count 50,seconds 5; reference:url,dragos.com/blog/crashoverride/CrashOverride-01.pdf; reference:url,us-cert.gov/ncas/alerts/TA17-163A; reference:url,welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf; classtype:attempted-dos; sid:43228; rev:2;)
# alert tcp $EXTERNAL_NET 2404 -> $HOME_NET any (msg:"PROTOCOL-SCADA IEC 104 force off denial of service attempt"; flow:to_client,established,no_stream; content:"|68|"; depth:1; content:"|2D|"; within:1; distance:5; content:"|00|"; within:1; distance:8; detection_filter:track by_src,count 50,seconds 5; reference:url,dragos.com/blog/crashoverride/CrashOverride-01.pdf; reference:url,us-cert.gov/ncas/alerts/TA17-163A; reference:url,welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf; classtype:attempted-dos; sid:43227; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 50000 (msg:"PROTOCOL-SCADA Siemens SIPROTEC V4.24 crafted packet denial of service attempt"; flow:to_server; content:"|11 49 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 9E|"; depth:18; reference:cve,2015-5374; reference:url,siemens.com/cert/pool/cert/siemens_security_advisory_ssa-732541.pdf; classtype:attempted-dos; sid:43177; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [8000,8001] (msg:"PROTOCOL-SCADA Pro-Face Pro-ServerEX arbitrary memory disclosure attempt"; flow:to_server,established; content:"|62 00 00 00|"; depth:4; content:"|07|"; within:1; distance:4; content:"|14|"; within:1; distance:3; byte_test:4,<,100,4; byte_test:4,>,1000,32; reference:cve,2012-3795; classtype:denial-of-service; sid:43144; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET [8000,8001] (msg:"PROTOCOL-SCADA Pro-Face Pro-ServerEX arbitrary memory disclosure attempt"; flow:to_server; content:"|62 00 00 00|"; depth:4; content:"|07|"; within:1; distance:4; content:"|14|"; within:1; distance:3; byte_test:4,<,100,4; byte_test:4,>,1000,32; reference:cve,2012-3795; classtype:denial-of-service; sid:43143; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [8000,8001] (msg:"PROTOCOL-SCADA Pro-Face Pro-ServerEX large size value denial of service attempt"; flow:to_server,established; content:"|62 00 00 00|"; depth:4; content:"|07|"; within:1; distance:4; byte_test:4,>,2000,4; pcre:"/\x62\x00\x00\x00.{4}\x07.{3}[\x05\x06\x07\x14]/"; reference:cve,2012-3795; reference:cve,2012-3796; classtype:denial-of-service; sid:43142; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [8000,8001] (msg:"PROTOCOL-SCADA Pro-Face Pro-ServerEX large data allocation denial of service attempt"; flow:to_server,established; content:"|62 00 00 00|"; depth:4; isdataat:1004,relative; content:"|07|"; within:1; distance:4; pcre:"/\x62\x00\x00\x00.{4}\x07.{3}[\x05\x06\x07]/i"; reference:cve,2012-3794; classtype:denial-of-service; sid:43141; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET [8000,8001] (msg:"PROTOCOL-SCADA Pro-Face Pro-ServerEX large size value denial of service attempt"; flow:to_server; content:"|62 00 00 00|"; depth:4; content:"|07|"; within:1; distance:4; byte_test:4,>,2000,4; pcre:"/\x62\x00\x00\x00.{4}\x07.{3}[\x05\x06\x07\x14]/"; reference:cve,2012-3795; reference:cve,2012-3796; classtype:denial-of-service; sid:43140; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET [8000,8001] (msg:"PROTOCOL-SCADA Pro-Face Pro-ServerEX large data allocation denial of service attempt"; flow:to_server; content:"|62 00 00 00|"; depth:4; isdataat:1004,relative; content:"|07|"; within:1; distance:4; pcre:"/\x62\x00\x00\x00.{4}\x07.{3}[\x05\x06\x07]/i"; reference:cve,2012-3794; classtype:denial-of-service; sid:43139; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 4592 (msg:"PROTOCOL-SCADA Advantech WebAccess webvrpcs denial of service attempt"; flow:to_server,established; content:"|05 00 0D 03 10 00 00 00 18 B4|"; fast_pattern:only; reference:url,advantech.com/industrial-automation/webaccess; classtype:attempted-dos; sid:43122; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 10260 (msg:"PROTOCOL-SCADA Optima PLC APIFTP denial of service attempt"; flow:to_server,established; content:"|E8 03 04 00|"; fast_pattern:only; reference:cve,2012-5049; classtype:attempted-dos; sid:43106; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 58723 (msg:"PROTOCOL-SCADA OPC Systems denial of service attempt"; flow:to_server,established; isdataat:125; content:".NET"; depth:4; content:"/OPC Systems Interface"; fast_pattern:only; reference:url,ics-cert.us-cert.gov/advisories/ICSA-12-012-01A; classtype:attempted-dos; sid:43104; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Weintek EasyBuilder Pro denial of service attempt"; flow:to_server,established; content:"|A6 12 AE 54 A4 64 9F 08 53 02 BD CD 39 A7 6B 55 AD|"; fast_pattern:only; reference:url,weintek.com/globalw/Software/EasyBuilderPro.aspx; classtype:attempted-dos; sid:43103; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"PROTOCOL-SCADA Weintek EB Pro denial of service attempt"; flow:to_server,established; content:"|21 06 0A 00 41 00 00 00 00 00 00 00 00 00|"; fast_pattern:only; reference:url,www.weintek.com; classtype:attempted-dos; sid:42995; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 27700 (msg:"PROTOCOL-SCADA Schneider Electroc ModbusDrv.exe buffer overflow attempt"; flow:to_server,established; content:"|FF FF 00 00|"; depth:4; byte_test:2,>,1048,4; metadata:policy security-ips drop; reference:cve,2013-0662; classtype:attempted-admin; sid:43986; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1210,1211] (msg:"PROTOCOL-SCADA CODESYS Gateway-Server invalid memory access attempt"; flow:to_server,established; content:"|DD DD|AaBbCcDdEeFf"; depth:14; reference:bugtraq,58032; reference:cve,2012-4704; reference:url,ics-cert.us-cert.gov/pdf/ICSA-13-050-01-a.pdf; classtype:attempted-admin; sid:44151; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 25922 (msg:"PROTOCOL-SCADA Kaskad SCADA arbitrary command execution attempt"; flow:to_server,established; content:"SDDRemoteControl"; nocase; content:"Cmd="; within:100; nocase; metadata:ruleset limited; classtype:policy-violation; sid:35889; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8089 (msg:"PROTOCOL-SCADA SCADA Engine OPC Server arbitrary file upload attempt"; flow:to_server,established; content:"nsopc:fileUpload"; fast_pattern:only; content:"nsopc:fileName"; content:"..|5C|"; within:200; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset limited, service http; classtype:attempted-admin; sid:35888; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-SCADA vxworks rpc credential flavor integer overflow device crash attempt"; flow:to_server,established; content:"|80 00 00 30|"; depth:4; fast_pattern; content:"|00 00 00 02|"; within:4; distance:8; byte_test:1,>,127,12,relative; reference:cve,2015-7599; classtype:denial-of-service; sid:45101; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 777 (msg:"PROTOCOL-SCADA WelinTech Kingview History Server denial of service attempt"; flow:to_server, established; isdataat:650; content:"|01 00 09 E0|"; depth:4; reference:url,www.wellintech.com; classtype:attempted-dos; sid:45207; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Schneider Modicon Quantum modbus start command attempt"; flow:to_server,established; content:"|5A|"; depth:1; offset:7; content:"|40 FF 00|"; distance:0; reference:url,schneider-electric.com; classtype:misc-activity; sid:45234; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Schneider Modicon Quantum modbus stop command attempt"; flow:to_server,established; content:"|5A|"; depth:1; offset:7; content:"|41 FF 00|"; distance:0; reference:url,schneider-electric.com; classtype:misc-activity; sid:45233; rev:1;)
# alert tcp any any -> any 102 (msg:"PROTOCOL-SCADA MMS Conclude-ErrorPDU"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|02 F0 80|"; within:3; distance:2; content:"|01 03 A0|"; distance:0; content:"|AD|"; within:1; distance:1; reference:url,iso.org/standard/37080.html; classtype:protocol-command-decode; sid:45436; rev:2;)
# alert tcp any 102 -> any any (msg:"PROTOCOL-SCADA MMS Conclude-ResponsePDU"; flow:to_client,established; content:"|03 00|"; depth:2; content:"|02 F0 80|"; within:3; distance:2; content:"|01 03 A0|"; distance:0; content:"|8C 00|"; within:5; reference:url,iso.org/standard/37080.html; classtype:protocol-command-decode; sid:45435; rev:2;)
# alert tcp any any -> any 102 (msg:"PROTOCOL-SCADA MMS Conclude-RequestPDU"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|02 F0 80|"; within:3; distance:2; content:"|01 03 A0|"; distance:0; content:"|8B 00|"; within:5; reference:url,iso.org/standard/37080.html; classtype:protocol-command-decode; sid:45434; rev:2;)
# alert tcp any any -> any 102 (msg:"PROTOCOL-SCADA MMS Initiate-ErrorPDU"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|02 F0 80|"; within:3; distance:2; content:"|01 03 A0|"; distance:0; content:"|AA|"; within:1; distance:1; reference:url,iso.org/standard/37080.html; classtype:protocol-command-decode; sid:45433; rev:2;)
# alert tcp any 102 -> any any (msg:"PROTOCOL-SCADA MMS Initiate-ResponsePDU"; flow:to_client,established; content:"|03 00|"; depth:2; content:"|02 F0 80|"; within:3; distance:2; content:"|A9|"; distance:0; content:"|81|"; within:16; content:"|82|"; within:10; content:"|A4|"; within:20; reference:url,iso.org/standard/37080.html; classtype:protocol-command-decode; sid:45432; rev:2;)
# alert tcp any any -> any 102 (msg:"PROTOCOL-SCADA MMS Initiate-RequestPDU"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|02 F0 80|"; within:3; distance:2; content:"|A8|"; distance:0; content:"|81|"; within:16; content:"|82|"; within:10; content:"|A4|"; within:20; reference:url,iso.org/standard/37080.html; classtype:protocol-command-decode; sid:45431; rev:2;)
# alert tcp any any -> any 102 (msg:"PROTOCOL-SCADA MMS Cancel-ErrorPDU"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|02 F0 80|"; within:3; distance:2; content:"|01 03 A0|"; distance:0; content:"|A7|"; within:5; reference:url,iso.org/standard/37080.html; classtype:protocol-command-decode; sid:45430; rev:2;)
# alert tcp any any -> any 102 (msg:"PROTOCOL-SCADA MMS Cancel-ResponsePDU"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|02 F0 80 86|"; within:4; distance:2; reference:url,iso.org/standard/37080.html; classtype:protocol-command-decode; sid:45429; rev:2;)
# alert tcp any any -> any 102 (msg:"PROTOCOL-SCADA MMS Cancel-RequestPDU"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|02 F0 80 85|"; within:4; distance:2; reference:url,iso.org/standard/37080.html; classtype:protocol-command-decode; sid:45428; rev:2;)
# alert tcp any any -> any 102 (msg:"PROTOCOL-SCADA MMS RejectPDU"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|02 F0 80 A4|"; within:4; distance:2; reference:url,iso.org/standard/37080.html; classtype:protocol-command-decode; sid:45427; rev:2;)
# alert tcp any 102 -> any any (msg:"PROTOCOL-SCADA MMS UnconfirmedPDU"; flow:to_client,established; content:"|03 00|"; depth:2; content:"|02 F0 80|"; within:3; distance:2; content:"|01 03 A0|"; distance:0; content:"|A3|"; within:5; reference:url,iso.org/standard/37080.html; classtype:protocol-command-decode; sid:45426; rev:2;)
# alert tcp any 102 -> any any (msg:"PROTOCOL-SCADA MMS Confirmed-ErrorPDU"; flow:to_client,established; content:"|03 00|"; depth:2; content:"|02 F0 80|"; within:3; distance:2; content:"|01 03 A0|"; distance:0; content:"|A2|"; within:5; reference:url,iso.org/standard/37080.html; classtype:protocol-command-decode; sid:45425; rev:2;)
# alert tcp any 102 -> any any (msg:"PROTOCOL-SCADA MMS Confirmed-ResponsePDU"; flow:to_client,established; content:"|03 00|"; depth:2; content:"|02 F0 80|"; within:3; distance:2; content:"|01 03 A0|"; distance:0; content:"|A1|"; within:5; reference:url,iso.org/standard/37080.html; classtype:protocol-command-decode; sid:45424; rev:2;)
# alert tcp any any -> any 102 (msg:"PROTOCOL-SCADA MMS Confirmed-RequestPDU"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|02 F0 80|"; within:3; distance:2; content:"|01 03 A0|"; distance:0; content:"|A0|"; within:5; reference:url,iso.org/standard/37080.html; classtype:protocol-command-decode; sid:45423; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7135 (msg:"PROTOCOL-SCADA IntegraXor 6x denial of service attempt"; flow:to_server,established; content:"BBBBBBBBBBBBBBBBBBBBB|00|AAAAAAAAAAAAAAAAAAAAA"; fast_pattern:only; reference:url,integraxor.com; classtype:attempted-dos; sid:45871; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Rockwell Automation Allen-Bradley MicroLogix controller buffer overflow attempt"; flow:to_server,established; content:"|00 AD 00 00 00 FF 01 05 00 43 FF 00 07 1B 00 00 00 06 01|"; depth:24; metadata:policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,102474; reference:cve,2017-16740; reference:url,ics-cert.us-cert.gov/advisories/ICSA-18-009-01; classtype:attempted-dos; sid:47604; rev:1;)
# alert tcp any any -> any any (msg:"PROTOCOL-SCADA PNIO-CM Connect Operation"; flow:to_server,established; dce_iface:dea00001-6c97-11d1-8271-00a02442df7d, any_frag; dce_opnum:0; metadata:service dcerpc; reference:url,wiki.wireshark.org/PROFINET/IO; classtype:protocol-command-decode; sid:48577; rev:1;)
# alert udp any any -> any any (msg:"PROTOCOL-SCADA PNIO-CM Connect Operation"; dce_iface:dea00001-6c97-11d1-8271-00a02442df7d, any_frag; dce_opnum:0; metadata:service dcerpc; reference:url,wiki.wireshark.org/PROFINET/IO; classtype:protocol-command-decode; sid:48576; rev:1;)
# alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA PCOM Read Data Table binary reply"; flow:to_client,established; byte_test:1,=,102,2; content:"|84|"; depth:1; offset:18; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49033; rev:1;)
# alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA PCOM Write Data Table binary reply"; flow:to_client,established; byte_test:1,=,102,2; content:"|C4|"; depth:1; offset:18; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49032; rev:1;)
# alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA PCOM Get PLC Name binary reply"; flow:to_client,established; byte_test:1,=,102,2; content:"|8C|"; depth:1; offset:18; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49031; rev:1;)
# alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA PCOM Read Operands binary reply"; flow:to_client,established; byte_test:1,=,102,2; content:"|CD|"; depth:1; offset:18; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49030; rev:1;)
# alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA PCOM Write Longs ASCII reply"; flow:to_client,established; byte_test:1,=,101,2; content:"SN"; depth:2; offset:10; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49029; rev:1;)
# alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA PCOM Write Memory Integers ASCII reply"; flow:to_client,established; byte_test:1,=,101,2; content:"SW"; depth:2; offset:10; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49028; rev:1;)
# alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA PCOM Write Ouputs ASCII reply"; flow:to_client,established; byte_test:1,=,101,2; content:"SA"; depth:2; offset:10; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49027; rev:1;)
# alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA PCOM Write System Bits ASCII reply"; flow:to_client,established; byte_test:1,=,101,2; content:"SS"; depth:2; offset:10; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49026; rev:1;)
# alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA PCOM Write System Integers ASCII reply"; flow:to_client,established; byte_test:1,=,101,2; content:"SF"; depth:2; offset:10; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49025; rev:1;)
# alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA PCOM Write Memory Bits ASCII reply"; flow:to_client,established; byte_test:1,=,101,2; content:"SB"; depth:2; offset:10; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49024; rev:1;)
# alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA PCOM Read Memory Integers ASCII reply"; flow:to_client,established; byte_test:1,=,101,2; content:"RW"; depth:2; offset:10; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49023; rev:1;)
# alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA PCOM Read Memory Bits ASCII reply"; flow:to_client,established; byte_test:1,=,101,2; content:"RB"; depth:2; offset:10; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49022; rev:1;)
# alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA PCOM Read Ouputs ASCII reply"; flow:to_client,established; byte_test:1,=,101,2; content:"RA"; depth:2; offset:10; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49021; rev:1;)
# alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA PCOM Read System Integers ASCII reply"; flow:to_client,established; byte_test:1,=,101,2; content:"GF"; depth:2; offset:10; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49020; rev:1;)
# alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA PCOM Read Longs ASCII reply"; flow:to_client,established; byte_test:1,=,101,2; content:"RN"; depth:2; offset:10; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49019; rev:1;)
# alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA PCOM Read System Bits ASCII reply"; flow:to_client,established; byte_test:1,=,101,2; content:"GS"; depth:2; offset:10; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49018; rev:1;)
# alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA PCOM Read Inputs ASCII reply"; flow:to_client,established; byte_test:1,=,101,2; content:"RE"; depth:2; offset:10; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49017; rev:1;)
# alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA PCOM Set RTC ASCII reply"; flow:to_client,established; byte_test:1,=,101,2; content:"SC"; depth:2; offset:10; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49016; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 (msg:"PROTOCOL-SCADA PCOM Get PLC Name binary request"; flow:to_server,established; byte_test:1,=,102,2; content:"|0C|"; depth:1; offset:18; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49015; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 (msg:"PROTOCOL-SCADA PCOM Read Data Table binary request"; flow:to_server,established; byte_test:1,=,102,2; content:"|04|"; depth:1; offset:18; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49014; rev:1;)
# alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA PCOM Get UnitID ASCII reply"; flow:to_client,established; byte_test:1,=,101,2; content:"UG"; depth:2; offset:10; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49013; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 (msg:"PROTOCOL-SCADA PCOM Write Data Table binary request"; flow:to_server,established; byte_test:1,=,102,2; content:"|44|"; depth:1; offset:18; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49012; rev:1;)
# alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA PCOM Identification ASCII reply"; flow:to_client,established; byte_test:1,=,101,2; content:"ID"; depth:2; offset:10; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49011; rev:1;)
# alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA PCOM Get RTC ASCII reply"; flow:to_client,established; byte_test:1,=,101,2; content:"RC"; depth:2; offset:10; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49010; rev:1;)
# alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA PCOM Set UnitID ASCII reply"; flow:to_client,established; byte_test:1,=,101,2; content:"US"; depth:2; offset:10; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49009; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 (msg:"PROTOCOL-SCADA PCOM Read Operands binary request"; flow:to_server,established; byte_test:1,=,102,2; content:"|4D|"; depth:1; offset:18; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49008; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 (msg:"PROTOCOL-SCADA PCOM Write Memory Integers ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"SW"; depth:2; offset:9; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49007; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 (msg:"PROTOCOL-SCADA PCOM Write Memory Longs ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"SNL"; depth:3; offset:9; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49006; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 (msg:"PROTOCOL-SCADA PCOM Reset Device ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"CCE"; depth:3; offset:9; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-dos; sid:49005; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 (msg:"PROTOCOL-SCADA PCOM Write Memory Bits ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"SB"; depth:2; offset:9; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49004; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 (msg:"PROTOCOL-SCADA PCOM Get RTC ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"RC"; depth:2; offset:9; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49003; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 (msg:"PROTOCOL-SCADA PCOM Write System Longs ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"SNH"; depth:3; offset:9; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49002; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 (msg:"PROTOCOL-SCADA PCOM Start Device ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"CCR"; depth:3; offset:9; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-dos; sid:49001; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 (msg:"PROTOCOL-SCADA PCOM Stop Device ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"CCS"; depth:3; offset:9; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-dos; sid:49000; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 (msg:"PROTOCOL-SCADA PCOM Write Ouputs ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"SA"; depth:2; offset:9; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:48999; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 (msg:"PROTOCOL-SCADA PCOM Read Memory Bits ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"RB"; depth:2; offset:9; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:48998; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 (msg:"PROTOCOL-SCADA PCOM Read System Integers ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"GF"; depth:2; offset:9; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:48997; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 (msg:"PROTOCOL-SCADA PCOM Read System Longs ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"RNH"; depth:3; offset:9; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:48996; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 (msg:"PROTOCOL-SCADA PCOM Write System Bits ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"SS"; depth:2; offset:9; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:48995; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 (msg:"PROTOCOL-SCADA PCOM Write System Integers ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"SF"; depth:2; offset:9; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:48994; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 (msg:"PROTOCOL-SCADA PCOM Read Memory Longs ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"RNL"; depth:3; offset:9; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:48993; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 (msg:"PROTOCOL-SCADA PCOM Read Memory Integers ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"RW"; depth:2; offset:9; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:48992; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 (msg:"PROTOCOL-SCADA PCOM Read System Bits ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"GS"; depth:2; offset:9; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:48991; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 (msg:"PROTOCOL-SCADA PCOM Read Ouputs ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"RA"; depth:2; offset:9; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:48990; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 (msg:"PROTOCOL-SCADA PCOM Set RTC ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"SC"; depth:2; offset:9; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:48989; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 (msg:"PROTOCOL-SCADA PCOM Read Inputs ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"RE"; depth:2; offset:9; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:48988; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 (msg:"PROTOCOL-SCADA PCOM Get UnitID ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"UG"; depth:2; offset:9; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:48987; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 (msg:"PROTOCOL-SCADA PCOM Set UnitID ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"US"; depth:2; offset:9; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:48986; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 (msg:"PROTOCOL-SCADA PCOM Init Device ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"CCI"; depth:3; offset:9; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-dos; sid:48985; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 (msg:"PROTOCOL-SCADA PCOM Identification ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"ID"; depth:2; offset:9; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:48984; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 102 (msg:"PROTOCOL-SCADA Siemens SIMATIC S7-1500 remote denial of service attempt"; flow:to_server,established; isdataat:!18; content:"|11 49 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 9E|"; fast_pattern:only; reference:cve,2016-3963; reference:url,cert-portal.siemens.com/productcert/pdf/ssa-751155.pdf; classtype:attempted-dos; sid:49050; rev:1;)