Merge pull request #7 from iadgov/3.2.1
3.2.1 updates
Showing
162 changed files
with
5,516 additions
and
519 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,34 @@ | ||
<?xml version="1.0" encoding="UTF-8" standalone="yes"?> | ||
<Fingerprint> | ||
<Header> | ||
<Name>ANSI</Name> | ||
<Author>Default</Author> | ||
<Description>This fingerprint identifies evidenece of ANSI x3.28, z39.50, and c1222-asse traffic.</Description> | ||
</Header> | ||
<Filter For="ANSI 1" Name="z39.50"> | ||
<DstPort>210</DstPort> | ||
</Filter> | ||
<Filter For="ANSI 2" Name="c1222-asse"> | ||
<DstPort>1153</DstPort> | ||
</Filter> | ||
<Payload For="ANSI 1"> | ||
<Description>Developed by Allen Bradley to communicate between stations and substations. Z39.50</Description> | ||
<Always> | ||
<Return Direction="SOURCE" Confidence="5"> | ||
<Details> | ||
<Detail Name="ISCProtocol">ANSI</Detail> | ||
</Details> | ||
</Return> | ||
</Always> | ||
</Payload> | ||
<Payload For="ANSI 2"> | ||
<Description>Developed by Allen Bradley to communicate between stations and substations. C1222-ASSE.</Description> | ||
<Always> | ||
<Return Direction="SOURCE" Confidence="5"> | ||
<Details> | ||
<Detail Name="ICSProtocol">ANSI</Detail> | ||
</Details> | ||
</Return> | ||
</Always> | ||
</Payload> | ||
</Fingerprint> |
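Review bot: The `ANSI 1` payload returns `<Detail Name="ISCProtocol">` where the `ANSI 2` payload and the other fingerprints on this page use `ICSProtocol`, so Z39.50 hits are filed under a different detail key; it should read `<Detail Name="ICSProtocol">ANSI</Detail>`. Both filters match on `DstPort` alone and both payloads return `Confidence="5"` under `<Always>` with no byte inspection, which rates a port-number guess above the byte-matching Allen Bradley rules on this page (`Confidence="4"`). A lower confidence, or a `Match` on protocol bytes, would reduce false asset labels; the ASP.Net (port 42424) and Rockwell PLC (port 44818) payloads further down follow the same pattern. The header description also lists ANSI x3.28 without a filter for it and misspells "evidence", and both payload descriptions repeat the same Allen Bradley sentence, which looks copied rather than specific to z39.50 or c1222-asse.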
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,21 @@ | ||
<?xml version="1.0" encoding="UTF-8" standalone="yes"?> | ||
<Fingerprint> | ||
<Header> | ||
<Name>ASP.Net</Name> | ||
<Author>Default</Author> | ||
<Description>This fingerprint identifies evidence of session states that stores data out of process.</Description> | ||
</Header> | ||
<Filter For="ASP.Net" Name="State Service"> | ||
<DstPort>42424</DstPort> | ||
</Filter> | ||
<Payload For="ASP.Net"> | ||
<Description>Payload supports asp.net state service</Description> | ||
<Always> | ||
<Return Direction="SOURCE" Confidence="5"> | ||
<Details> | ||
<Detail Name="Microsoft Server Product">ASP.NET</Detail> | ||
</Details> | ||
</Return> | ||
</Always> | ||
</Payload> | ||
</Fingerprint> |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,101 @@ | ||
<?xml version="1.0" encoding="UTF-8" standalone="yes"?> | ||
<Fingerprint> | ||
<Header> | ||
<Name>Allen Bradley</Name> | ||
<Author>Default</Author> | ||
<Description>This is the response seen from a device running an Allen Bradley specific web server and providing its device description via a web page. | ||
This is evidence of some sort of Allen Bradley Intelligent Electronic Device (IED). | ||
This is the response seen from a device running an Allen Bradley specific web server. "Server: A-B WWW/0.1" | ||
This is evidence of some sort of Allen Bradley Intelligent Electronic Device (IED). | ||
This is the response seen from a device running an Allen Bradley specific web server and providing its device name via a web page. | ||
This is evidence of some sort of Allen Bradley Intelligent Electronic Device (IED). | ||
</Description> | ||
</Header> | ||
<Filter For="Bradley Web Server Device Description" Name="Server Device"> | ||
<TransportProtocol>6</TransportProtocol> | ||
<Ethertype>2048</Ethertype> | ||
<SrcPort>80</SrcPort> | ||
</Filter> | ||
<Filter For="Bradley Web Server" Name="Web Server"> | ||
<TransportProtocol>6</TransportProtocol> | ||
<Ethertype>2048</Ethertype> | ||
<SrcPort>80</SrcPort> | ||
</Filter> | ||
<Filter For="Bradley Web Server Device Name" Name="Server Device Name"> | ||
<TransportProtocol>6</TransportProtocol> | ||
<Ethertype>2048</Ethertype> | ||
<SrcPort>80</SrcPort> | ||
</Filter> | ||
<Filter For="All newer Rockwell PLC" Name="Rockwell PLC"> | ||
<TransportProtocol>6</TransportProtocol> | ||
<DstPort>44818</DstPort> | ||
</Filter> | ||
<Payload For="Bradley Web Server Device Description"> | ||
<Description>Bradley Web Server Device Description</Description> | ||
<Match Offset="0" Reverse="true" NoCase="false" Depth="0" Relative="true" Within="0" MoveCursors="true"> | ||
<Pattern>Description</td><td></Pattern> | ||
<AndThen> | ||
<Match Offset="0" Reverse="true" NoCase="false" Depth="0" Relative="true" Within="0" MoveCursors="false"> | ||
<Content Type="HEX">3C</Content> | ||
<AndThen> | ||
<Anchor Cursor="END" Position="CURSOR_MAIN" Relative="false" Offset="0"/> | ||
<Return Direction="SOURCE" Confidence="4"> | ||
<Details> | ||
<Category>IED</Category> | ||
<Role>SERVER</Role> | ||
<Detail Name="ICSProtocol">Bradley Web Server Device Description</Detail> | ||
</Details> | ||
</Return> | ||
</AndThen> | ||
</Match> | ||
</AndThen> | ||
</Match> | ||
</Payload> | ||
<Payload For="Bradley Web Server"> | ||
<Description>Bradley Web Server</Description> | ||
<Match Offset="17" Reverse="true" NoCase="false" Depth="0" Relative="true" Within="0" MoveCursors="true"> | ||
<Content Type="HEX">5365727665723A20412D42205757572F302E310D0A</Content> | ||
<AndThen> | ||
<Return Direction="SOURCE" Confidence="4"> | ||
<Details> | ||
<Category>IED</Category> | ||
<Role>SERVER</Role> | ||
<Detail Name="ICSProtocol">Bradley Web Server</Detail> | ||
</Details> | ||
</Return> | ||
</AndThen> | ||
</Match> | ||
</Payload> | ||
<Payload For="Bradley Web Server Device Name"> | ||
<Description>Bradley Web Server Device Name</Description> | ||
<Match Offset="184" Reverse="true" NoCase="false" Depth="0" Relative="true" Within="0" MoveCursors="true"> | ||
<Content Type="HEX">73733D52363E446576696365204E616D653C2F74643E3C74643E</Content> | ||
<AndThen> | ||
<Match Offset="0" Reverse="true" NoCase="false" Depth="0" Relative="true" Within="0" MoveCursors="false"> | ||
<Content Type="HEX">3C</Content> | ||
<AndThen> | ||
<Anchor Cursor="END" Position="CURSOR_MAIN" Relative="false" Offset="0"/> | ||
<Return Direction="SOURCE" Confidence="4"> | ||
<Details> | ||
<Category>IED</Category> | ||
<Role>SERVER</Role> | ||
<Detail Name="ICSProtocol">Bradely Web Server Device Name</Detail> | ||
</Details> | ||
</Return> | ||
</AndThen> | ||
</Match> | ||
</AndThen> | ||
</Match> | ||
</Payload> | ||
<Payload For="All newer Rockwell PLC"> | ||
<Description>Allen Bradley Rockwell PLC</Description> | ||
<Always> | ||
<Return Direction="SOURCE" Confidence="5"> | ||
<Details> | ||
<Category>PLC</Category> | ||
<Detail Name="ICSProtocol">Allen Bradley Rockwell PLC</Detail> | ||
</Details> | ||
</Return> | ||
</Always> | ||
</Payload> | ||
</Fingerprint> |
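Review bot: The `All newer Rockwell PLC` rule filters on `DstPort` 44818 but returns `Direction="SOURCE"` with `<Category>PLC</Category>`, so the host connecting to that port appears to be tagged as the PLC rather than the listener. This assumes Direction names the endpoint that receives the details, as the `SrcPort` 80 / `<Role>SERVER</Role>` rules above suggest. Filtering on `<SrcPort>44818</SrcPort>` instead would keep it consistent with those web-server rules. The rule also fires under `<Always>` at `Confidence="5"` with no payload check, higher than the `Confidence="4"` given to the rules that match bytes. In the `Bradley Web Server Device Name` payload the detail value is spelled "Bradely", which would create a separate protocol label; it should be `<Detail Name="ICSProtocol">Bradley Web Server Device Name</Detail>`.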
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,112 @@ | ||
<?xml version="1.0" encoding="UTF-8" standalone="yes"?> | ||
<Fingerprint> | ||
<Header> | ||
<Name>Automation Direct DirectNET</Name> | ||
<Author>Default</Author> | ||
<Description>This fingerprint looks for evidence of Automation Direct's DirectNet protocol traffic.</Description> | ||
</Header> | ||
<Filter For="DirectNet Master TCP" Name="MASTER TCP"> | ||
<TransportProtocol>6</TransportProtocol> | ||
<DstPort>3447</DstPort> | ||
</Filter> | ||
<Filter For="DirectNet Slave TCP" Name="SLAVE TCP"> | ||
<TransportProtocol>17</TransportProtocol> | ||
<SrcPort>3447</SrcPort> | ||
</Filter> | ||
<Filter For="DirectNet Master UDP" Name="MASTER UDP"> | ||
<TransportProtocol>17</TransportProtocol> | ||
<DstPort>3447</DstPort> | ||
</Filter> | ||
<Filter For="DirectNet Slave UDP" Name="SLAVE UDP"> | ||
<TransportProtocol>17</TransportProtocol> | ||
<SrcPort>3447</SrcPort> | ||
</Filter> | ||
<Payload For="DirectNet Master TCP"> | ||
<Description>DirectNet MASTER that matches the HEX pattern</Description> | ||
<Always> | ||
<Return Direction="SOURCE" Confidence="5"> | ||
<Details> | ||
<Category>MTU</Category> | ||
<Role>MASTER</Role> | ||
<Detail Name="ICSProtocol">Automation Direct DirectNet</Detail> | ||
</Details> | ||
</Return> | ||
</Always> | ||
<Match Offset="0" Reverse="true" NoCase="false" Depth="0" Relative="false" Within="0" MoveCursors="true"> | ||
<Content Type="HEX">4E2105</Content> | ||
<AndThen> | ||
<Return Direction="SOURCE" Confidence="5"> | ||
<Details> | ||
<Detail Name="ICSProtocol">Automation Direct DirectNet</Detail> | ||
</Details> | ||
</Return> | ||
</AndThen> | ||
</Match> | ||
</Payload> | ||
<Payload For="DirectNet Slave TCP"> | ||
<Description>DirectNet SLAVE that matches the HEX pattern</Description> | ||
<Always> | ||
<Return Direction="SOURCE" Confidence="5"> | ||
<Details> | ||
<Category>RTU</Category> | ||
<Role>SLAVE</Role> | ||
<Detail Name="ICSProtocol">Automation Direct DirectNet</Detail> | ||
</Details> | ||
</Return> | ||
</Always> | ||
<Match Offset="0" Reverse="true" NoCase="false" Depth="0" Relative="false" Within="0" MoveCursors="true"> | ||
<Content Type="HEX">4E2105</Content> | ||
<AndThen> | ||
<Return Direction="SOURCE" Confidence="5"> | ||
<Details> | ||
<Detail Name="ICSProtocol">Automation Direct DirectNet</Detail> | ||
</Details> | ||
</Return> | ||
</AndThen> | ||
</Match> | ||
</Payload> | ||
<Payload For="DirectNet Master UDP"> | ||
<Description>DirectNet MASTER that matches the HEX pattern</Description> | ||
<Always> | ||
<Return Direction="SOURCE" Confidence="5"> | ||
<Details> | ||
<Category>MTU</Category> | ||
<Role>MASTER</Role> | ||
<Detail Name="ICSProtocol">Automation Direct DirectNet</Detail> | ||
</Details> | ||
</Return> | ||
</Always> | ||
<Match Offset="0" Reverse="true" NoCase="false" Depth="0" Relative="false" Within="0" MoveCursors="true"> | ||
<Content Type="HEX">4E2105</Content> | ||
<AndThen> | ||
<Return Direction="SOURCE" Confidence="5"> | ||
<Details> | ||
<Detail Name="ICSProtocol">Automation Direct DirectNet</Detail> | ||
</Details> | ||
</Return> | ||
</AndThen> | ||
</Match> | ||
</Payload> | ||
<Payload For="DirectNet Slave UDP"> | ||
<Description>DirectNet SLAVE that matches the HEX pattern</Description> | ||
<Always> | ||
<Return Direction="SOURCE" Confidence="5"> | ||
<Details> | ||
<Category>RTU</Category> | ||
<Role>SLAVE</Role> | ||
<Detail Name="ICSProtocol">Automation Direct DirectNet</Detail> | ||
</Details> | ||
</Return> | ||
</Always> | ||
<Match Offset="0" Reverse="true" NoCase="false" Depth="0" Relative="false" Within="0" MoveCursors="true"> | ||
<Content Type="HEX">4E2105</Content> | ||
<AndThen> | ||
<Return Direction="SOURCE" Confidence="5"> | ||
<Details> | ||
<Detail Name="ICSProtocol">Automation Direct DirectNet</Detail> | ||
</Details> | ||
</Return> | ||
</AndThen> | ||
</Match> | ||
</Payload> | ||
</Fingerprint> |
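Review bot: The `DirectNet Slave TCP` filter sets `<TransportProtocol>17</TransportProtocol>`, which is UDP and makes it a duplicate of the `DirectNet Slave UDP` filter, so TCP slave traffic is never matched; it should be `<TransportProtocol>6</TransportProtocol>`. Each payload is described as matching the HEX pattern, yet its `<Always>` block assigns `<Category>` and `<Role>` at `Confidence="5"` without checking any bytes, and the `Match` on `4E2105` only repeats the `ICSProtocol` detail. Moving `<Category>` and `<Role>` into the `Match` return and dropping `<Always>` would tie the MTU/RTU classification to payload evidence rather than to port 3447 alone.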