Snort to Boost SCADA Security

Thursday, January 12, 2012 @ 06:01 PM gHale

Version 2.9.2 of Snort, the open source network intrusion detection system (NIDS), is out with new preprocessors that add support for protocols used in industrial control systems.

The additional functionality should allow Snort to detect targeted attacks on networked SCADA systems.


The two protocols implemented to date, DNP3 and Modbus, are both industry standards. The addition of SCADA protocol support to Snort is in part a response to the significant vulnerabilities found in such systems.

The development team is looking to implement further SCADA protocols and welcomes development and testing support. Exploit framework Metasploit added SCADA vulnerability detection in August 2011.

Further information about the release, including how to write rules for these protocols, is in the release announcement, and the documentation for 2.9.2 has been updated to match. Snort source code and binaries are available to download from the web site. The source code for the Snort engine and the community rules is under the GPLv2, while the proprietary rules are under Sourcefire’s own Non-Commercial Use License.
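To show what the new preprocessors let an operator express, here is a configuration and rule fragment written for this page as an illustration; it is not taken from the release announcement or from the Snort project. The preprocessor and rule-option names (modbus_func, modbus_data, dnp3_func, dnp3_ind) are the ones the 2.9.2 preprocessors add; the host variables, address ranges, and SIDs are assumptions for the example.

```snort
# Illustrative snort.conf / local.rules fragment for the Snort 2.9.2 Modbus and
# DNP3 preprocessors. Added example, not project code. Addresses and SIDs are
# assumed values; adjust to the plant network.

# --- snort.conf ---------------------------------------------------------------
ipvar SCADA_MASTER  10.1.1.10        # assumed: the only host allowed to write
ipvar SCADA_SLAVES  10.1.2.0/24      # assumed: PLC / RTU address range

# Both preprocessors depend on stream5 TCP reassembly, so the SCADA ports must
# be listed there as well as on the preprocessor lines.
preprocessor stream5_global: track_tcp yes, track_udp no
preprocessor stream5_tcp: policy first, ports both 502 20000

preprocessor modbus: ports { 502 }
preprocessor dnp3: ports { 20000 }, memcap 262144, check_crc

# Protocol-level events the preprocessors raise on their own (malformed PDUs,
# bad DNP3 CRCs, reserved function codes) live in the shipped preprocessor
# rule file under GID 144 (modbus) and GID 145 (dnp3).
include $PREPROC_RULE_PATH/preprocessor.rules

# --- local.rules --------------------------------------------------------------
# Any host other than the master writing a coil to a slave.
alert tcp !$SCADA_MASTER any -> $SCADA_SLAVES 502 ( \
    msg:"SCADA Modbus write_single_coil from unauthorized host"; \
    flow:established,to_server; \
    modbus_func:write_single_coil; \
    sid:1000001; rev:1; )

# Same check for bulk register writes; the option also accepts the numeric
# function code (16) instead of the name.
alert tcp !$SCADA_MASTER any -> $SCADA_SLAVES 502 ( \
    msg:"SCADA Modbus write_multiple_registers from unauthorized host"; \
    flow:established,to_server; \
    modbus_func:write_multiple_registers; \
    sid:1000002; rev:1; )

# Diagnostics (function 8) sub-function 0x0004, Force Listen Only Mode, silences
# a slave. modbus_data moves the cursor to the byte right after the function
# code, so the sub-function is the first two bytes of the payload.
alert tcp any any -> $SCADA_SLAVES 502 ( \
    msg:"SCADA Modbus Force Listen Only Mode request"; \
    flow:established,to_server; \
    modbus_func:diagnostics; modbus_data; content:"|00 04|"; depth:2; \
    sid:1000003; rev:1; )

# DNP3 cold restart (function 0x0D) from anywhere but the master.
alert tcp !$SCADA_MASTER any -> $SCADA_SLAVES 20000 ( \
    msg:"SCADA DNP3 cold_restart from unauthorized host"; \
    flow:established,to_server; \
    dnp3_func:cold_restart; \
    sid:1000004; rev:1; )

# Outstation reporting Device Restart in its internal indications: often
# benign, but worth correlating with the rule above.
alert tcp $SCADA_SLAVES 20000 -> any any ( \
    msg:"SCADA DNP3 outstation reports device restart"; \
    flow:established,to_client; \
    dnp3_ind:device_restart; \
    sid:1000005; rev:1; )
```

Two caveats a practitioner would want: with check_crc set, DNP3 frames that fail the link-layer CRC are not handed to the rule engine at all, so a stack that emits bad CRCs will produce GID 145 events rather than matches on dnp3_func; and the allow-list rules only hold if the sensor sees the traffic between master and slaves, which on a flat control network usually means a SPAN port rather than an inline tap at the plant firewall.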

2 Responses to “Snort to Boost SCADA Security”

  1. db1981 says:

    I miss the point of how such pre-processors should boost Snort’s performance with respect to attack detection. Those pre-processors (although the Snort team has developed its own) have been provided by Digital Bond for years…

    One still has to know the attack in order to write a useful signature… Sure, now they can write rules to blacklist/whitelist opcodes, but… isn’t that what Tofino has also been doing for years?

  2. MRMaguire says:

    We noticed this bit of news, also, and posted our own perspective on why it’s a good thing for SCADA operators. Thanks for your information!
