[Snort-sigs] PCCC DoS Packet Rule

José Diogo jdiogolopes at gmail.com
Fri Feb 15 11:38:31 EST 2019


Hi,

Please find below a rule for detection of a CIP/PCCC DoS Packet. This refers to CVE 2017-7924. Attached is a pcap file that you can use to test. You can also reproduce this attack with https://www.rapid7.com/db/modules/auxiliary/dos/scada/allen_bradley_pccc.



alert tcp $EXTERNAL_NET any -> $HOME_NET 44818 (msg:"PCCC DoS Packet Detection"; content:"|4B0220672401|"; pcre:"/\xA2[\x00-\xff]\x05\x47/"; flow:to_server,established; metadata:ruleset community; reference:cve,2017-7924; reference:url,https://www.rapid7.com/db/modules/auxiliary/dos/scada/allen_bradley_pccc; classtype:attempted-dos; sid:100009991; rev:1)


Let me know your feedback.

Best Regards,
José Monteiro
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cip_pccc_dos.pcapng
Type: application/octet-stream
Size: 1296 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20190215/6c3117de/attachment.obj>
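
The payload logic of the rule in the message above, emulated over constructed byte strings to show what it will and will not alert on. This is an added example, not part of the original post and not Snort code. The function names and the sample payloads (zero filler plus the rule's own signature bytes) are assumptions made for illustration, not captured CIP traffic.

```python
import re

# The rule's header port and two payload options, copied from the rule text.
PORT = 44818                                      # -> $HOME_NET 44818
CONTENT = bytes.fromhex("4B0220672401")           # content:"|4B0220672401|"
PCRE = re.compile(rb"\xA2[\x00-\xff]\x05\x47")    # pcre:"/\xA2[\x00-\xff]\x05\x47/"


def rule_matches(payload: bytes, dst_port: int = PORT) -> bool:
    """True when both payload options are satisfied.

    Neither option carries offset/depth/distance/within or the pcre R flag,
    so each is searched over the whole payload independently of the other.
    """
    if dst_port != PORT:
        return False
    return CONTENT in payload and PCRE.search(payload) is not None


def match_detail(payload: bytes) -> dict:
    """Report where each pattern hit (-1 when absent) and their order."""
    m = PCRE.search(payload)
    content_at = payload.find(CONTENT)
    pcre_at = m.start() if m else -1
    return {
        "content_at": content_at,
        "pcre_at": pcre_at,
        "pcre_before_content": 0 <= pcre_at < content_at,
    }


FILL = b"\x00" * 8  # constructed filler, not real protocol bytes
SAMPLES = {
    "both_in_order": FILL + CONTENT + FILL + b"\xA2\x02\x05\x47" + FILL,
    "content_only": FILL + CONTENT + FILL,
    "pcre_only": FILL + b"\xA2\x02\x05\x47" + FILL,
    # pcre bytes first, 160 bytes of filler, then the content bytes; the
    # wildcard byte is 0x0a to show the character class also matches newline.
    "reversed_order": b"\xA2\x0a\x05\x47" + FILL * 20 + CONTENT,
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:15} alert={rule_matches(payload)} {match_detail(payload)}")
```

The "reversed_order" sample alerts even though the two patterns are far apart and in the opposite order, which is the behaviour to keep in mind when checking this rule for false positives against normal traffic on port 44818.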