[Bro] Is there existing signatures for modbus and dnp3

Ren, Wenyu wren3 at illinois.edu
Tue Nov 3 18:23:35 PST 2015

Hi Anthony,

Thanks for your reply. I am sorry but I probably did not make myself clear. I am not looking for signatures that help you identify Modbus and DNP3 packets. Instead, I am looking for signatures that help you detect attacks on Modbus and DNP3. Do you know of any signatures like that available for Bro? Thanks a lot.

From: anthony kasza [anthony.kasza at gmail.com]
Sent: Tuesday, November 03, 2015 5:31 PM
To: Ren, Wenyu
Cc: bro at bro.org
Subject: Re: [Bro] Is there existing signatures for modbus and dnp3

Here are the sigs for dnp3 <https://github.com/bro/bro/blob/master/scripts/base/protocols/dnp3/dpd.sig>.


On Nov 3, 2015 2:04 PM, "Ren, Wenyu" <wren3 at illinois.edu> wrote:
Dear all,

I am wondering whether there are any existing Bro signatures for Modbus and DNP3. I found something named quickdraw, which are signatures for Modbus and DNP3. But it is for Snort, and Bro does not support signatures for Snort anymore as far as I know. Does anyone know of similar signatures available for Bro? Thanks a lot.
