Version 2.9.2 of Snort, the open source network intrusion detection system (NIDS), is out with new preprocessors that add support for protocols used in industrial control systems.
The additional functionality should allow Snort to detect targeted attacks on networked SCADA systems.
The two protocols implemented to date, DNP3 and Modbus, are industry standards. The addition of SCADA protocols to Snort is in part due to the presence of significant vulnerabilities in such systems.
The development team is looking to implement further SCADA protocols and welcomes development and testing support. Exploit framework Metasploit added SCADA vulnerability detection in August 2011.
Further information about the release and how to write rules for these protocols is available in the release announcement. The documentation for 2.9.2 has also been updated. Snort source code and binaries are available to download from the web site. The source code for the Snort engine and community rules is under the GPLv2; proprietary rules are under Sourcefire’s own Non-Commercial Use License.