SCADA IDS

Digital Bond developed the first SCADA IDS rules in the middle of the last decade with the help of a DHS research contract, and those rules were integrated into most commercial IDS products. A second DHS research contract funded the Quickdraw IDS preprocessors for EtherNet/IP and DNP3 along with additional rules, and we have developed further rules over the years as pro bono research. All of this has been available free of charge in the Tools/Quickdraw SCADA IDS section of this site.

Each of these SCADA IDS tools was written against the version of Snort current at the time. Most Snort changes do not affect them, but every two or three years something breaks. Honestly, we have not been very good at keeping these tools working with current versions; that is the hard, thankless work of a product management and support team.

Enter Emerging Threats. They publish an ETOpen (free) feed and an ETPro (paid) feed of IDS rulesets for Snort and Suricata, and maintaining those rules for the popular versions of both products is their main line of business. Emerging Threats has carried the Quickdraw IDS rules in their feed for a couple of years now, and we are comfortable that they will do a great job supporting our SCADA IDS work.

At this point the rules that do not require a preprocessor (those that match on packet content directly rather than on fields decoded by the Quickdraw preprocessors) are already in both feeds. You can get the rules in the ETOpen feed at:

The preprocessors still need to be updated to build against the current Snort release and to work with Suricata. We will post on this site when that is done and available. At that point we will remove our download page and point people to the ETOpen feed.

The other benefit of this arrangement is that it lets us focus on developing new SCADA IDS rules. The community has only scratched the surface of what is possible here, particularly when it comes to detecting attacks that exploit insecure-by-design protocol features, where the malicious traffic is a valid use of the protocol.
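The difference between rules that need a preprocessor and rules that do not, and why insecure-by-design functions call for source-aware detection, is easier to see in code. The following is an added example written for this page in Python; it is not Quickdraw code and not an Emerging Threats rule. It builds constructed DNP3 request frames (the standard link-layer format with CRC-16/DNP, as carried over TCP port 20000), then compares a fixed-offset byte match, which is all a preprocessor-less rule can express, against a check on the parsed source address and function code. The authorized master address (1), the outstation address (10) and the sample frames are assumptions made up for the example.

```python
"""Added example: a fixed-offset content match (what a Snort rule can do with
no preprocessor) versus a parsed DNP3 check (what a preprocessor enables).
Illustrative code written for this page, not Quickdraw or Emerging Threats code."""
import struct

DNP3_START = b"\x05\x64"
FC_READ = 0x01            # DNP3 application-layer function codes
FC_COLD_RESTART = 0x0D
FC_WARM_RESTART = 0x0E
TRANSPORT_FIR = 0x40      # first fragment: the application header follows
AUTHORIZED_MASTERS = {1}  # assumption: link address of the legitimate master


def dnp3_crc(data):
    """CRC-16/DNP: poly 0x3D65 (reflected 0xA6BC), init 0, final XOR 0xFFFF."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def build_dnp3_request(src, dst, func_code, seq=0):
    """Minimal DNP3 request: link header + one CRC-protected user-data block."""
    # transport header (FIN|FIR|seq), application control (FIR|FIN|seq), function code
    user_data = bytes([0xC0 | (seq & 0x3F), 0xC0 | (seq & 0x0F), func_code])
    length = 5 + len(user_data)  # LEN counts CTRL+DEST+SRC+user data, not CRCs
    header = DNP3_START + bytes([length, 0xC4]) + struct.pack("<HH", dst, src)
    return (header + struct.pack("<H", dnp3_crc(header))
            + user_data + struct.pack("<H", dnp3_crc(user_data)))


def iter_dnp3_frames(segment):
    """Yield (src, dst, transport, func) for each CRC-valid frame in a TCP
    payload. Stops at the first malformed frame: a preprocessor in miniature."""
    pos = 0
    while pos + 10 <= len(segment) and segment[pos:pos + 2] == DNP3_START:
        header = segment[pos:pos + 8]
        if struct.unpack_from("<H", segment, pos + 8)[0] != dnp3_crc(header):
            return
        length = header[2]
        dst, src = struct.unpack("<HH", header[4:8])
        if length < 5:
            return
        remaining, pos, user = length - 5, pos + 10, bytearray()
        while remaining > 0:            # user data comes in 16-byte blocks + CRC
            size = min(16, remaining)
            block = segment[pos:pos + size]
            if len(block) < size or len(segment) < pos + size + 2:
                return
            if struct.unpack_from("<H", segment, pos + size)[0] != dnp3_crc(block):
                return
            user += block
            pos += size + 2
            remaining -= size
        transport = user[0] if user else None
        func = user[2] if len(user) >= 3 and (user[0] & TRANSPORT_FIR) else None
        yield (src, dst, transport, func)


def signature_rule(segment):
    """Preprocessor-less check, equivalent to matching |05 64| at depth 2 and
    |0D| at offset 12. It sees only the first frame and never the sender."""
    return (segment[:2] == DNP3_START and len(segment) > 12
            and segment[12] == FC_COLD_RESTART)


def preprocessor_rule(segment):
    """Parsed check: restart request from a master not on the allow-list.
    Cold restart is a legitimate function (insecure by design), so the signal
    is who sent it, not the function code alone."""
    alerts = []
    for src, dst, _transport, func in iter_dnp3_frames(segment):
        if func in (FC_COLD_RESTART, FC_WARM_RESTART) and src not in AUTHORIZED_MASTERS:
            alerts.append("DNP3 restart fc=0x%02X from unauthorized master %d to outstation %d"
                          % (func, src, dst))
    return alerts


# Constructed sample TCP payloads for the example (not captured traffic).
SAMPLES = {
    "read_from_master": build_dnp3_request(src=1, dst=10, func_code=FC_READ),
    "restart_from_rogue": build_dnp3_request(src=99, dst=10, func_code=FC_COLD_RESTART),
    "restart_from_master": build_dnp3_request(src=1, dst=10, func_code=FC_COLD_RESTART),
    # two frames in one segment: the rogue restart sits behind a benign read
    "read_then_rogue_restart": (build_dnp3_request(src=1, dst=10, func_code=FC_READ)
                                + build_dnp3_request(src=99, dst=10, func_code=FC_COLD_RESTART, seq=1)),
}

if __name__ == "__main__":
    for name, seg in SAMPLES.items():
        print(name, "signature:", signature_rule(seg), "preprocessor:", preprocessor_rule(seg))
```

The last two samples carry the point: a restart from the legitimate master trips the content match but is not an attack, and a rogue restart packed behind a benign read in the same TCP segment never reaches offset 12 at all. Only the parsed path sees the source address and the second frame, which is why the restart-class rules depend on the preprocessor.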