# Version 1.0 06 April 2015
# 1.0 - Initial Release - Stephen Hilt (hilt at digitalbond dot com)
#
#
####################################################################
# Variables to set in snort.conf
# $FINS_SERVER = Omron PLC
# $FINS_CLIENT = Engineering Workstation/HMI
#
#-----------------------------
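# The four rules below match the FINS command code 05 01, the request these
# rules label "Read Controller" and that the Redpoint Nmap NSE script sends to
# port 9600 to identify Omron PLCs.
#
# How the offsets line up:
#   FINS/TCP: bytes 0-3 are the ASCII magic "FINS" (46 49 4e 53). The 16-byte
#             FINS/TCP header is followed by the 10-byte FINS header, so the
#             2-byte command code sits at offset 26.
#   FINS/UDP: there is no TCP wrapper. Byte 0 is the FINS ICF field (0x80 for a
#             command frame) and the command code follows the 10-byte FINS
#             header at offset 10.
#
# Tuning notes:
#   - The same read request can be issued by legitimate engineering software,
#     so the generic rules (1111401/1111402) are priority 3 and are expected
#     to fire on normal traffic from an HMI or workstation.
#   - The UDP signatures match on only three bytes; unrelated UDP traffic to
#     port 9600 can trigger them. Prefer the $FINS_SERVER-scoped variants where
#     the variables are defined.
#   - Traffic from a host outside $FINS_CLIENT can match both the generic and
#     the unauthorized-host rule, so one request may raise two alerts.
#   - $FINS_CLIENT and $FINS_SERVER must be defined in snort.conf before this
#     file is included, and $FINS_CLIENT must not be "any": Snort rejects the
#     negation "!any".
#   - flow:to_server,established on the TCP rules needs the stream
#     preprocessor to be enabled.
#
# Generic: FINS read-controller request over TCP/9600 from any source
alert tcp any any -> any 9600 (flow:to_server,established; content: "|46 49 4e 53|"; offset: 0; depth: 4; content: "|05 01|"; offset: 26; depth: 2; msg: "OMRON FINS TCP Read Controller Attempt";sid:1111401;priority:3;rev:2;)
# Generic: FINS read-controller request over UDP/9600 from any source
alert udp any any -> any 9600 (content: "|80|"; offset: 0; depth: 1; content: "|05 01|"; offset: 10; depth: 2; msg: "OMRON FINS UDP Read Controller Attempt";sid:1111402;priority:3;rev:1;)
# High priority: the same TCP request sent to a PLC by a host that is not in $FINS_CLIENT
alert tcp !$FINS_CLIENT any -> $FINS_SERVER 9600 (flow:to_server,established; content: "|46 49 4e 53|"; offset: 0; depth: 4; content: "|05 01|"; offset: 26; depth: 2; msg: "OMRON FINS TCP Read Controller Attempt from Unauthorized Host";sid:1111403;priority:1;rev:2;)
# High priority: the same UDP request sent to a PLC by a host that is not in $FINS_CLIENT
alert udp !$FINS_CLIENT any -> $FINS_SERVER 9600 (content: "|80|"; offset: 0; depth: 1; content: "|05 01|"; offset: 10; depth: 2; msg: "OMRON FINS UDP Read Controller Attempt from Unauthorized Host";sid:1111404;priority:1;rev:2;)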