SCADA/ICS Analysis Module
Module Detection ID | Module Detection Name | Module Detection Description | Risk Factor | Legacy PASL ID |
---|---|---|---|---|
21 | Siemens S7 Server Detection | S7 is a Siemens proprietary communications protocol. The S7 communications protocol is used extensively in the Siemens S7 software and device product line including the S7-200, S7-300, and S7-400 programmable logic controllers (PLCs). S7 can be encapsulated in several different protocols including PROFIBUS, MPI, and TCP. The S7 traffic detected here is encapsulated in TCP using TPKT and COTP. | INFO | 7160 |
22 | Siemens S7 Client Detection | S7 is a Siemens proprietary communications protocol. The S7 communications protocol is used extensively in the Siemens S7 software and device product line including the S7-200, S7-300, and S7-400 programmable logic controllers (PLCs). S7 can be encapsulated in several different protocols including PROFIBUS, MPI, and TCP. The S7 traffic detected here is encapsulated in TCP using TPKT and COTP. | INFO | 7159 |
23 | COTP Server Detection | The Connection-Oriented Transport Protocol (COTP) is an Open Systems Interconnection (OSI) transport layer protocol. COTP is defined in ISO 8073. In this instance, COTP is being transported via TCP using TPKT. | INFO | 7158 |
24 | COTP Client Detection | The Connection-Oriented Transport Protocol (COTP) is an Open Systems Interconnection (OSI) transport layer protocol. COTP is defined in ISO 8073. In this instance, COTP is being transported via TCP using TPKT. | INFO | 7157 |
25 | Siemens S7-200 Series PLC Detection | A Siemens S7-200 Series PLC has been detected. The Siemens S7-200 Series is a family of PLCs which supports the manufacturer's own proprietary S7 protocol. | INFO | 7193 |
26 | Siemens S7-300 Series PLC Detection | A Siemens S7-300 Series PLC has been detected. The Siemens S7-300 Series is a family of PLCs which supports the manufacturer's own proprietary S7 protocol. | INFO | 7194 |
27 | Siemens S7-400 Series PLC Detection | A Siemens S7-400 Series PLC has been detected. The Siemens S7-400 Series is a family of PLCs which supports the manufacturer's own proprietary S7 protocol. | INFO | 7195 |
28 | Siemens S7-1200 Series PLC Detection | A Siemens S7-1200 Series PLC has been detected. The Siemens S7-1200 Series is a family of PLCs which supports the manufacturer's own proprietary S7 protocol. | INFO | 7196 |
29 | Siemens S7-1500 Series PLC Detection | A Siemens S7-1500 Series PLC has been detected. The Siemens S7-1500 Series is a family of PLCs which supports the manufacturer's own proprietary S7 protocol. | INFO | 7197 |
30 | TPKT Client Detection | ISO Transport Service on top of TCP (TPKT) is defined in RFCs 1006 and 2126. Open Systems Interconnection (OSI) protocols as defined by the International Organization for Standardization (ISO) can be encapsulated in TCP using TPKT. TPKT emulates the OSI protocol Transport Service Access Point (TSAP). TCP port 102 is reserved for hosts which implement TPKT; however, it is not required that port 102 be used for all connections. One example of a protocol that uses TPKT but does not use port 102 is Microsoft's Remote Desktop Protocol (RDP) which uses TCP port 3389. | INFO | 7155 |
31 | TPKT Server Detection | ISO Transport Service on top of TCP (TPKT) is defined in RFCs 1006 and 2126. Open Systems Interconnection (OSI) protocols as defined by the International Organization for Standardization (ISO) can be encapsulated in TCP using TPKT. TPKT emulates the OSI protocol Transport Service Access Point (TSAP). TCP port 102 is reserved for hosts which implement TPKT; however, it is not required that port 102 be used for all connections. One example of a protocol that uses TPKT but does not use port 102 is Microsoft's Remote Desktop Protocol (RDP) which uses TCP port 3389. | INFO | 7156 |
32 | Siemens S7-300 Series PLC CPU Firmware <= 3.2.11 DoS | Siemens S7-300 PLC central processing units (CPUs) contain an unspecified flaw that may allow a remote attacker to use a specially crafted packet to cause the device to enter defect mode until a cold restart is performed. | HIGH | 7225 |
33 | MODBUS/TCP Device Identification Object Detection | MODBUS Device Identification objects provide information related to the physical and functional properties of a device. Objects in the Basic Device Identification include vendor name, product code, and revision number. Objects in the Regular Device Identification category include the Basic Device Identification category objects in addition to vendor URL, product name, model name, and user application name. | INFO | 7148 |
34 | Schneider Electric Modicon Quantum PLC Detection | A Schneider Electric Modicon Quantum PLC has been detected. The Schneider Electric Modicon Quantum is a large programmable logic controller (PLC) for process applications and high availability solutions. | INFO | 7149 |
35 | Schneider Electric Modicon M340 PLC Detection | A Schneider Electric Modicon M340 PLC has been detected. The Schneider Electric Modicon M340 is a compact programmable logic controller (PLC) suitable for a wide range of automation applications. The Modicon M340 is sometimes deployed in conjunction with the Modicon Premium and Modicon Quantum PLCs. | INFO | 7150 |
36 | Schneider Electric Modicon Premium PLC Detection | A Schneider Electric Modicon Premium PLC has been detected. The Schneider Electric Modicon Premium is a large programmable logic controller (PLC) for discrete or process applications and high availability solutions. | INFO | 7151 |
37 | Multiple Schneider Electric Modicon PLC Modules Directory Traversal | Schneider Electric Ethernet modules for Modicon M340, Modicon Quantum, and Modicon Premium PLCs in addition to Modicon Momentum, Modicon TSX Micro, and Modicon STB modules that provide HTTP services contain a directory traversal vulnerability. Attackers can remotely bypass web server authentication thereby achieving unauthenticated administrative access and control of the device. | CRITICAL | 7154 |
38 | Multiple Schneider Electric Modicon M340 Ethernet Modules Remote Denial of Service | Certain Schneider Electric Modicon M340 Programmable Logic Controller (PLC) Ethernet modules contain a vulnerability that allows remote, authenticated users to crash the Ethernet module via specially crafted FTP traffic. This vulnerability has been demonstrated using the FileZilla FTP client. Affected M340 Ethernet modules are the BMXNOE0100, BMXNOE0110, and BMXP342020. | MEDIUM | 7161 |
39 | MODBUS/TCP 'Return Query Data' Function Code Detection (SCADA) | The MODBUS/TCP client has sent a MODBUS server a Return Query Data request. The Return Query Data request, function code 8 (0x08) and subfunction code 0 (0x00), will cause the target server to echo the request sent to it. This function is typically implemented only in serial devices. | INFO | 7099 |
40 | MODBUS/TCP 'Restart Communications' Function Code Detection (SCADA) | The MODBUS/TCP client has sent a MODBUS server a Restart Communications request. The Restart Communications request, function code 8 (0x08) and subfunction code 1 (0x01), will cause the target server to reinitialize and restart its communication port. This function is typically implemented only in serial devices. | INFO | 7100 |
41 | MODBUS/TCP 'Force Listen Mode' Function Code Detection (SCADA) | The MODBUS/TCP client has sent a MODBUS server a Force Listen Mode request. The Force Listen Mode request, function code 8 (0x08) and subfunction code 4 (0x04), will force the target server into listen-only mode; i.e., it will not send any responses. This function is typically implemented only in serial devices. | INFO | 7101 |
42 | MODBUS/TCP 'Clear Counters and Diagnostic Register' Function Code Detection (SCADA) | The MODBUS/TCP client has sent a MODBUS server a Clear Counters and Diagnostic Register request. The Clear Counters and Diagnostic Register request, function code 8 (0x08) and subfunction code 10 (0x0A), will cause the target server to clear its counters and the diagnostic register. This function is typically implemented only in serial devices. | INFO | 7102 |
43 | MODBUS/TCP 'Report Server ID' Function Code Detection (SCADA) | The MODBUS/TCP client has sent a MODBUS server a Report Server ID request. The Report Server ID request, function code 17 (0x11), will cause the target server to respond with the server ID, run indicator status, and other information. This function is typically implemented only in serial devices. | INFO | 7103 |
44 | MODBUS/TCP 'CANopen' Function Code Detection (SCADA) | The MODBUS/TCP client is transporting the CANopen protocol. Function code 43 (0x2B) and subfunction code 13 (0x0D) indicate that the CANopen protocol is encapsulated in MODBUS. | INFO | 7104 |
45 | MODBUS/TCP 'Device Identification' Function Code Detection (SCADA) | The MODBUS/TCP client has sent a MODBUS server a Device Identification request. The Device Identification request, function code 43 (0x2B) and subfunction code 14 (0x0E), will cause the target server to return device identification information. | INFO | 7105 |
46 | MODBUS/TCP Server Detection | A MODBUS/TCP server (also known as a MODBUS/TCP slave) has been detected. MODBUS/TCP is a SCADA protocol widely used in industrial manufacturing and other industries. | INFO | 7092 |
47 | MODBUS/TCP Client Detection | A MODBUS/TCP client (also known as a MODBUS/TCP master) has been detected. MODBUS/TCP is a SCADA protocol widely used in industrial manufacturing and other industries. | INFO | 7091 |
48 | DNP3/TCP Master Detection | A DNP3/TCP master has been detected. DNP3 is a communications protocol used in SCADA systems primarily in the electric utility industry. | INFO | 7089 |
49 | DNP3/TCP 'Cold Restart' Function Code Detection (SCADA) | The DNP3/TCP master has sent an outstation the Cold Restart command. The Cold Restart command, function code 13 (0x0D), will cause the target outstation to perform a cold restart. | INFO | 7094 |
50 | DNP3/TCP 'Warm Restart' Function Code Detection (SCADA) | The DNP3/TCP master has sent an outstation the Warm Restart command. The Warm Restart command, function code 14 (0x0E), will cause the target outstation to perform a warm restart. | INFO | 7095 |
51 | DNP3/TCP 'Stop Application' Function Code Detection (SCADA) | The DNP3/TCP master has sent an outstation the Stop Application command. The Stop Application command, function code 18 (0x12), will cause the target outstation to stop an application. | INFO | 7096 |
52 | DNP3/TCP 'Disable Unsolicited Messages' Function Code Detection (SCADA) | The DNP3/TCP master has sent an outstation the Disable Unsolicited Messages command. The Disable Unsolicited Messages command, function code 21 (0x15), will cause the target outstation to stop sending unsolicited messages. | INFO | 7097 |
53 | Progea Movicon Client Detection via TCP | A Progea Movicon Client has been detected. Progea Movicon is SCADA/HMI software for industrial automation, remote control, and building automation. | INFO | 7119 |
54 | Progea Movicon Server Detection via TCP | A Progea Movicon Server has been detected. Progea Movicon is SCADA/HMI software for industrial automation, remote control, and building automation. | INFO | 7121 |
55 | Progea Movicon Client Detection via HTTP | A Progea Movicon Client has been detected. Progea Movicon is SCADA/HMI software for industrial automation, remote control, and building automation. Movicon Clients use a proprietary communications protocol to access real-time data from Movicon Servers. This proprietary communications protocol may use TCP, UDP, or HTTP as a transport protocol. The Movicon Client detected is using HTTP as a transport protocol. | INFO | 7122 |
56 | Progea Movicon Server Detection via HTTP | A Progea Movicon Server has been detected. Progea Movicon is SCADA/HMI software for industrial automation, remote control, and building automation. Movicon Clients use a proprietary communications protocol to access real-time data from Movicon Servers. This proprietary communications protocol may use TCP, UDP, or HTTP as a transport protocol. The Movicon Server detected is using HTTP as a transport protocol. | INFO | 7123 |
57 | Progea Movicon Client Detection via UDP | A Progea Movicon Client has been detected. Progea Movicon is SCADA/HMI software for industrial automation, remote control, and building automation. Movicon Clients use a proprietary communications protocol to access real-time data from Movicon Servers. This proprietary communications protocol may use TCP, UDP, or HTTP as a transport protocol. The Movicon Client detected is using UDP as a transport protocol. | INFO | 7124 |
58 | Progea Movicon Server Detection via UDP | A Progea Movicon Server has been detected. Progea Movicon is SCADA/HMI software for industrial automation, remote control, and building automation. Movicon Clients use a proprietary communications protocol to access real-time data from Movicon Servers. This proprietary communications protocol may use TCP, UDP, or HTTP as a transport protocol. The Movicon Server detected is using UDP as a transport protocol. | INFO | 7125 |
59 | Progea Movicon < 11.4 Build 1150 Information Disclosure Vulnerability | The detected version of Progea Movicon contains an information disclosure vulnerability. This vulnerability is related to the TCPUploader module which could allow a remote and unauthenticated user to obtain OS version information. | MEDIUM | 7128 |
60 | Progea Movicon < 11.3 Memory Corruption Vulnerability | The detected version of Progea Movicon contains a memory corruption vulnerability. This vulnerability can be exploited by sending a specially crafted HTTP POST request to the Movicon OPC server. The specially crafted HTTP POST will cause the application to read out-of-bounds memory resulting in a denial of service. | HIGH | 7129 |
61 | Progea Movicon < 11.2 Build 1086 Multiple Vulnerabilities | The detected version of Progea Movicon is affected by multiple vulnerabilities: There is a remote heap-based buffer overflow vulnerability related to erroneous parsing of the Content-Length HTTP request header. (CVE-2011-3491) A remote heap-based buffer overflow vulnerability exists related to HTTP requests. (CVE-2011-3498) A remote denial of service vulnerability exists related to an EIDP packet with too large of a size field. The specially crafted EIDP packet will cause the application to crash, and there is the possibility of arbitrary code execution. (CVE-2011-3499) | CRITICAL | 7142 |
62 | Accuenergy Acuvim II AXM-NET 3.04 Multiple Vulnerabilities | An Accuenergy Acuvim II AXM-NET module containing multiple vulnerabilities has been detected: The Accuenergy Acuvim AXM-NET Ethernet module contains an authentication bypass vulnerability which can be exploited remotely by accessing a specific web server URL. An attacker could modify the network settings of the AXM-NET module, but would not have access to the settings for the Acuvim II power meter. (CVE-2014-2373) The Accuenergy Acuvim AXM-NET Ethernet module contains a password disclosure vulnerability related to JavaScript password validation. An authenticated attacker could modify the network settings of the AXM-NET module, but would not have access to the settings for the Acuvim II power meter. (CVE-2014-2374) | HIGH | 7162 |
63 | Rockwell Automation/Allen-Bradley MicroLogix 1400 Detection | A Rockwell Automation/Allen-Bradley MicroLogix 1400 PLC has been detected. The MicroLogix 1400 is a PLC which supports EtherNet/IP, DNP3/TCP, Modbus/TCP, Modbus/RTU, and DNP3/ASCII. | INFO | 7146 |
64 | Rockwell Automation/Allen-Bradley MicroLogix 1400 Series A <= 7 and Series B <= 15.000 DNP3 Remote DoS | Rockwell Automation/Allen-Bradley MicroLogix 1400 programmable logic controllers (PLCs) contain a denial of service vulnerability related to the DNP3 protocol stack. Successful exploitation of this vulnerability results in the PLC becoming non-responsive, and recovery requires a power cycle. This vulnerability can be exploited by sending a series of malformed DNP3 packets to the MicroLogix 1400's DNP3 interface. The MicroLogix 1400's DNP3 interface can be either a serial or Ethernet port. Note that DNP3 is disabled by default in MicroLogix 1400 PLCs and that this vulnerability can be exploited only in devices that have DNP3 enabled. | HIGH | 7147 |
65 | Rockwell Automation/Allen-Bradley MicroLogix 1100 Detection | A Rockwell Automation/Allen-Bradley MicroLogix 1100 PLC has been detected. The MicroLogix 1100 is a PLC which supports serial and networked communication over a built-in RS-232/RS-485 combo port and Ethernet peer-to-peer communications over its built-in EtherNet/IP port. | INFO | 7188 |
66 | Rockwell Automation/Allen-Bradley MicroLogix 1000 Detection | A Rockwell Automation/Allen-Bradley MicroLogix 1000 PLC has been detected. The MicroLogix 1000 is a PLC which supports serial and networked communication over a built-in RS-232/RS-485 combo port. The MicroLogix 1000 can also support Ethernet peer-to-peer communications when outfitted with the 1761-NET-ENI communications module, which supports EtherNet/IP. | INFO | 7189 |
67 | Rockwell Automation/Allen-Bradley CompactLogix 1768 Detection | A Rockwell Automation/Allen-Bradley CompactLogix 1768 PLC has been detected. The CompactLogix 1768 is a PLC which supports EtherNet/IP and serial communications. | INFO | 7190 |
68 | Rockwell Automation/Allen-Bradley CompactLogix 1769 L23x/L3x Detection | A Rockwell Automation/Allen-Bradley CompactLogix 1769 L23x/L3x PLC has been detected. The CompactLogix 1769 L23x/L3x is a PLC which supports integrated serial, EtherNet/IP and ControlNet communications, as well as modular extensibility for DeviceNet support. | INFO | 7191 |
69 | Rockwell Automation/Allen-Bradley CompactLogix 1769 5370 Series Detection | A Rockwell Automation/Allen-Bradley CompactLogix 1769 5370 Series PLC has been detected. The CompactLogix 1769 5370 Series is a PLC which supports EtherNet/IP communications. | INFO | 7192 |
70 | Rockwell Automation/Allen-Bradley MicroLogix 1400 SNMP Remote Privilege Escalation | Rockwell Automation/Allen-Bradley MicroLogix 1400 programmable logic controllers (PLCs) contain an undocumented, highly privileged SNMP community string. This may allow an unauthorized remote attacker to make changes to the device's configuration or update the firmware. | MEDIUM | 7221 |
71 | Schneider Electric Modicon TSX Micro PLC Detection | A Schneider Electric Modicon TSX Micro PLC has been detected. The Schneider Electric Modicon TSX Micro is a compact, modular programmable logic controller (PLC) for OEM machine builders and infrastructure. | INFO | 7153 |
72 | Ethernet Industrial Protocol (EtherNet/IP) Implicit Message Detection | EtherNet/IP is a communications protocol used in industrial automation applications. EtherNet/IP implements the Common Industrial Protocol (CIP) at the session and application layers and uses TCP as a transport protocol for CIP explicit messages and UDP as a transport protocol for CIP implicit messages. CIP explicit messages are typically used to transmit configuration, diagnostic, and event data. CIP implicit messages are used for realtime I/O data transfer. An EtherNet/IP implicit message has been detected. | INFO | 7113 |
73 | Ethernet Industrial Protocol (EtherNet/IP) Client Explicit Message Detection | EtherNet/IP is a communications protocol used in industrial automation applications. EtherNet/IP implements the Common Industrial Protocol (CIP) at the session and application layers and uses TCP as a transport protocol for CIP explicit messages and UDP as a transport protocol for CIP implicit messages. CIP explicit messages are typically used to transmit configuration, diagnostic, and event data. CIP implicit messages are used for realtime I/O data transfer. An EtherNet/IP explicit message has been detected. | INFO | 7114 |
74 | Ethernet Industrial Protocol (EtherNet/IP) Server Explicit Message Detection | EtherNet/IP is a communications protocol used in industrial automation applications. EtherNet/IP implements the Common Industrial Protocol (CIP) at the session and application layers and uses TCP as a transport protocol for CIP explicit messages and UDP as a transport protocol for CIP implicit messages. CIP explicit messages are typically used to transmit configuration, diagnostic, and event data. CIP implicit messages are used for realtime I/O data transfer. An EtherNet/IP explicit message has been detected. | INFO | 7115 |
75 | Common Industrial Protocol (CIP) Identity Object Detection | The Common Industrial Protocol (CIP) Identity Object provides identification of and general information about a CIP-enabled device. The CIP Identity Object detected provides the following information: Vendor ID, Device Type, Product Code, Revision, and Product Name. | INFO | 7144 |
76 | Rockwell Automation/Allen-Bradley MicroLogix 1100 L16xxx < 10.000 HTTP Remote DoS | Rockwell Automation MicroLogix 1100 PLCs contain an unspecified flaw in the password mechanism that may allow a remote denial of service. The issue is only present when the HTTP server is enabled. This may allow a remote attacker to cause the program to crash. | HIGH | 7198 |
77 | Rockwell Automation/Allen-Bradley MicroLogix 1400 1766-L32xxx Series A < 7.000 / Series B <= 11.000 HTTP Remote DoS | Rockwell Automation MicroLogix 1400 PLCs contain an unspecified flaw in the password mechanism that may allow a remote denial of service. The issue is only present when the HTTP server is enabled. This may allow a remote attacker to cause the program to crash. | HIGH | 7199 |
78 | WellinTech KingSCADA Client Detection via TCP | WellinTech KingSCADA is SCADA/HMI software for industrial automation. KingSCADA is found in the transportation, aerospace, electric power, oil and gas, petrochemical, and other industries. KingSCADA Clients use a proprietary communications protocol to access real-time data from KingSCADA Servers. A KingSCADA Client using this proprietary communications protocol has been detected. | INFO | 7118 |
79 | WellinTech KingSCADA Server Detection via TCP | WellinTech KingSCADA is SCADA/HMI software for industrial automation. KingSCADA is found in several industries including transportation, aerospace, electric power, oil and gas, and petrochemical. KingSCADA Clients use a proprietary communications protocol to access real-time data from KingSCADA Servers. A KingSCADA Server using this proprietary communications protocol has been detected. | INFO | 7130 |
80 | DNP3/TCP Outstation Detection | A DNP3/TCP outstation has been detected. DNP3 is a communications protocol used in SCADA systems primarily in the electric utility industry. | INFO | 7090 |
81 | BACnet/IP Protocol Detection | BACnet is a communications protocol for building automation and control. BACnet applications include heating, ventilating, air-conditioning control, lighting control, access control and fire detection systems. There are several options for BACnet data link and physical layers. BACnet/IP (the protocol detected here) uses IP and UDP as a virtual data link layer. | INFO | 7110 |
82 | BACnet Device Object Detection | Each BACnet device has an associated Device object. Device objects contain properties that represent the physical and functional properties of a device. Device object properties include application software version, firmware version, model name, object identifier, object name, vendor name, and vendor identifier. | INFO | 7165 |
83 | WellinTech KingView Client Detection | WellinTech KingView is SCADA/HMI software for industrial automation. KingView is found in the transportation, aerospace, electric power, oil and gas, petrochemical, and other industries. KingView Clients use a proprietary communications protocol to access real-time data from KingView Servers. A KingView Client using this proprietary communications protocol has been detected. | INFO | 7131 |
84 | WellinTech KingView Server Detection | WellinTech KingView is SCADA/HMI software for industrial automation. KingView is found in several industries including transportation, aerospace, electric power, oil and gas, and petrochemical. KingView Clients use a proprietary communications protocol to access real-time data from KingView Servers. A KingView Server using this proprietary communications protocol has been detected. | INFO | 7132 |
85 | Synchrophaser (IEEE C37.118) Client Detection via TCP | The remote client is using the Synchrophaser Protocol (IEEE C37.118) over TCP. The Synchrophaser Protocol is used by supervisory clients to remotely configure, monitor and receive data from synchrophaser devices. A synchrophaser device is used to monitor, measure and analyze electrical flows at key intersections of the bulk electric grid (such as substations). | INFO | 7216 |
86 | Synchrophaser (IEEE C37.118) Server Detection via TCP | The remote server is using the Synchrophaser Protocol (IEEE C37.118) over TCP. The Synchrophaser Protocol is used by synchrophaser devices to report data and receive remote configuration commands from management clients. A synchrophaser device is used to monitor, measure and analyze electrical flows at key intersections of the bulk electric grid (such as substations). | INFO | 7217 |
87 | Synchrophaser (IEEE C37.118) Client Detection via UDP | The remote client is using the Synchrophaser Protocol (IEEE C37.118) over UDP. The Synchrophaser Protocol is used by supervisory clients to remotely configure, monitor and receive data from synchrophaser devices. A synchrophaser device is used to monitor, measure and analyze electrical flows at key intersections of the bulk electric grid (such as substations). | INFO | 7218 |
88 | Synchrophaser (IEEE C37.118) Server Detection via UDP | The remote server is using the Synchrophaser Protocol (IEEE C37.118) over UDP. The Synchrophaser Protocol is used by synchrophaser devices to report data and receive remote configuration commands from management clients. A synchrophaser device is used to monitor, measure and analyze electrical flows at key intersections of the bulk electric grid (such as substations). | INFO | 7237 |
89 | DNP3/TCP Protocol Detection | Distributed Network Protocol (DNP3/TCP) has been detected. DNP3 is a communications protocol used in SCADA systems primarily in the electric utility industry. The detected variant of DNP3, or DNP3/TCP, is encapsulated within TCP for delivery over IP networks. | INFO | 7226 |
90 | MODBUS/TCP Protocol Detection | The Modbus/TCP protocol has been detected. Modbus is a SCADA protocol used in industrial manufacturing and other industries. The detected variant of Modbus, or Modbus/TCP, is encapsulated within TCP for delivery over IP networks. | INFO | 7227 |
91 | Ethernet/IP Protocol Detection | The Ethernet Industrial Protocol (EtherNet/IP) has been detected. EtherNet/IP is a communications protocol used in industrial automation applications. EtherNet/IP implements the Common Industrial Protocol (CIP) at the session and application layers and uses TCP as a transport protocol for CIP explicit messages and UDP as a transport protocol for CIP implicit messages. CIP explicit messages are typically used to transmit configuration, diagnostic, and event data. CIP implicit messages are used for realtime I/O data transfer. | INFO | 7228 |
92 | IEC 60870-5-104 Protocol Detection | The IEC 60870-5-104 protocol has been detected. IEC 60870-5-104 is a Supervisory Control and Data Acquisition (SCADA) protocol used in the power, petrochemical, water treatment, and oil and gas production industries. IEC 60870-5-104 is often used in power systems as a SCADA protocol between control stations and substations. IEC 60870-5-104 is based on IEC 60870-5-101 but uses TCP/IP instead of serial communications. | INFO | 7229 |
93 | Siemens S7 Protocol Detection | The Siemens S7 protocol has been detected. S7 is a proprietary communications protocol developed by Siemens that runs between programmable logic controllers (PLCs) of the Siemens S7 family. It is used for PLC programming, exchanging data between PLCs, accessing PLC data from SCADA (supervisory control and data acquisition) systems, and for diagnostic purposes. | INFO | 7230 |
94 | IEC 60870-5-104 Server Detection | IEC 60870-5-104 is a Supervisory Control and Data Acquisition (SCADA) protocol used in the power, petrochemical, water treatment, and oil and gas production industries. IEC 60870-5-104 is often used in power systems as a SCADA protocol between control stations and substations. IEC 60870-5-104 is based on IEC 60870-5-101 but uses TCP/IP instead of serial. | INFO | 7139 |
95 | IEC 60870-5-104 Client Detection | IEC 60870-5-104 is a Supervisory Control and Data Acquisition (SCADA) protocol used in the power, petrochemical, water treatment, and oil and gas production industries. IEC 60870-5-104 is often used in power systems as a SCADA protocol between control stations and substations. IEC 60870-5-104 is based on IEC 60870-5-101 but uses TCP/IP instead of serial. | INFO | 7133 |
96 | Saia Burgess Controls PCD Controllers Hard-Coded FTP Credentials Vulnerability | One or more of the following SBC controllers was detected to be running a version of firmware earlier than 1.24.50: | HIGH | 7183 |
114 | MODBUS/TCP 'Illegal Function Code' Exception Code Detection (SCADA) | The MODBUS/TCP server has sent a MODBUS client a response with an Illegal Function Code exception. This means that the function code of the query from the client is not an allowable action for the server. | INFO | N/A |
115 | MODBUS/TCP 'Illegal Data Address' Exception Code Detection (SCADA) | The MODBUS/TCP server has sent a MODBUS client a response with an Illegal Data Address exception. The data address received in the query is not an allowable address for the server. | INFO | N/A |
116 | MODBUS/TCP 'Illegal Data Value' Exception Code Detection (SCADA) | The MODBUS/TCP server has sent a MODBUS client a response with an Illegal Data Value exception. A value contained in the query data field is not an allowable value for the server. | INFO | N/A |
117 | MODBUS/TCP 'Server Device Failure' Exception Code Detection (SCADA) | The MODBUS/TCP server has sent a MODBUS client a response with a Server Device Failure exception. An unrecoverable error occurred while the server was attempting to perform the requested action. | INFO | N/A |
118 | MODBUS/TCP 'Server Device Busy' Exception Code Detection (SCADA) | The MODBUS/TCP server has sent a MODBUS client a response with a Server Device Busy exception. Specialized use in conjunction with programming commands. The server is engaged in processing a long-duration program command. The client should retransmit the message later when the server is free. | INFO | N/A |
119 | MODBUS/TCP 'Memory Parity Error' Exception Code Detection (SCADA) | The MODBUS/TCP server has sent a MODBUS client a response with a Memory Parity Error exception. Specialized use in conjunction with function codes 20 and 21 and reference type 6, to indicate that the extended file area failed to pass a consistency check. | INFO | N/A |
120 | MODBUS/TCP 'Gateway Path Unavailable' Exception Code Detection (SCADA) | The MODBUS/TCP server has sent a MODBUS client a response with a Gateway Path Unavailable exception. Specialized use in conjunction with gateways, indicates that the gateway was unable to allocate an internal communication path from the input port to the output port for processing the request. Usually means that the gateway is misconfigured or overloaded. | INFO | N/A |
121 | MODBUS/TCP 'Gateway Target Device Failed to Respond' Exception Code Detection (SCADA) | The MODBUS/TCP server has sent a MODBUS client a response with a Gateway Target Device Failed to Respond exception. Specialized use in conjunction with gateways, indicates that no response was obtained from the target device. Usually means that the device is not present on the network. | INFO | N/A |
122 | Ethernet/IP CIP List Identity Device Detection Response | The Ethernet/IP CIP (Common Industrial Protocol) List Identity command provides identification of and general information about an Ethernet/IP-enabled device. | INFO | N/A |
123 | Ethernet/IP CIP SendRRData Get Attribute All Device Identity Response | The Ethernet/IP CIP (Common Industrial Protocol) SendRRData command Get Attribute All Device Identity response provides identification of and general information about an Ethernet/IP-enabled device. | INFO | N/A |
124 | DNP3/TCP 'Write' Function Code Detection (SCADA) | The DNP3/TCP master has sent an outstation the Write command. The Write command, function code 2 (0x02), is a Transfer control function used to store control information at the outstation. | INFO | N/A |
125 | DNP3/TCP 'Select' Function Code Detection (SCADA) | The DNP3/TCP master has sent an outstation the Select command. The Select command, function code 3 (0x03), is used to select, or arm, points to be operated on. | INFO | N/A |
126 | DNP3/TCP 'Operate' Function Code Detection (SCADA) | The DNP3/TCP master has sent an outstation the Operate command. The Operate command, function code 4 (0x04), is used to set or produce the output actions on the points previously selected. | INFO | N/A |
127 | DNP3/TCP 'Direct Operate' Function Code Detection (SCADA) | The DNP3/TCP master has sent an outstation the Direct Operate command. The Direct Operate command, function code 5 (0x05), lacks the security feature of select-before-operate (SBO). Direct operate forces selected points to execute the specified action without a verification check of the selected outstations. | INFO | N/A |
128 | DNP3/TCP 'Direct Operate/No Response' Function Code Detection (SCADA) | The DNP3/TCP master has sent an outstation the Direct Operate/No Response command. The Direct Operate/No Response command, function code 6 (0x06), lacks the security feature of select-before-operate (SBO). Direct operate forces selected points to execute the specified action without a verification check of the selected outstations. | INFO | N/A |
129 | DNP3/TCP 'Enable Unsolicited Messages' Function Code Detection (SCADA) | The DNP3/TCP master has sent an outstation the 'Enable Unsolicited Messages' command. The Enable Unsolicited Messages command, function code 20 (0x14), enables spontaneous reporting of the specified objects. | INFO | N/A |
130 | Rockwell Automation/Allen-Bradley 1756 ControlLogix Controller Detection | A Rockwell Automation/Allen-Bradley 1756 ControlLogix Controller PLC has been detected. The 1756 ControlLogix Controller is a scalable controller solution that is capable of addressing many I/O points. | INFO | N/A |
131 | Rockwell Automation/Allen-Bradley 1756 ControlLogix Communication Module Detection | A Rockwell Automation/Allen-Bradley 1756 ControlLogix Communication Module communication adapter has been detected. This 1756 ControlLogix Communication Module is used to add Ethernet/IP communication capabilities to a PLC. | INFO | N/A |