From 84f1ed9f7cc4170d2de7072e05bcba7217ea24ac Mon Sep 17 00:00:00 2001
From: Erwan Cordier <85730394+biero-el-corridor@users.noreply.github.com>
Date: Tue, 4 Nov 2025 15:59:28 +0100
Subject: [PATCH] Add new sericata templates

add new suricata tempalte for the following utilisites
- https://github.com/biero-el-corridor/ICS_CPS_nuclei_template?tab=readme-ov-file#plc-model
- Detect Ethernet/IP CIP requesto for serial number of equipement
- Detect S7comm request for serial number of equipement
---
 README.md | 9 ++++++++-
 scada-scan.rules | 14 ++++++++++++++
 2 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 957bb3c..1dab8f3 100644
--- a/README.md
+++ b/README.md
@@ -3,10 +3,17 @@ Suricata rule created to detect scan tools targeting PLC interfaces.
 The detected tools:
-- nmap with the modbus script https://github.com/nmap/nmap/blob/master/scripts/modbus-discover.nse)
+- nmap with the modbus script (https://github.com/nmap/nmap/blob/master/scripts/modbus-discover.nse)
 - msfconsole (modbus_banner_grabbing and modbusdetect)
 - Zgrab2 https://github.com/zmap/zgrab2
 - nmap with bacnet script https://github.com/nmap/nmap/blob/master/scripts/bacnet-info.nse
+- Detect Following nuclei tempalte (Pending fork on offical nuclei template)
+  - https://github.com/biero-el-corridor/ICS_CPS_nuclei_template?tab=readme-ov-file#plc-model
+  - Detect Ethernet/IP CIP requesto for serial number of equipement
+  - Detect S7comm request for serial number of equipement
+
+
+
 Suricata is a network IDS, IPS and NSM engine developed by the OISF and the Suricata community : https://github.com/OISF/suricata
diff --git a/scada-scan.rules b/scada-scan.rules
index 60c3005..4adb34b 100644
--- a/scada-scan.rules
+++ b/scada-scan.rules
@@ -19,3 +19,17 @@ alert udp any any -> any 47808 (msg:"CYBER-SEC-ICS POLICY SCADA-SCAN Bacnet scan
 alert tcp any any -> any 1911 (msg:"CYBER-SEC-ICS POLICY SCADA-SCAN Fox scan looking like nmap"; content:"{|0a|fox.version=s:1.0|0a|id=i:1|0a|}"; classtype:bad-unknown; rev:2; sid:101563274;)
 alert tcp any any -> any 1962 (msg:"CYBER-SEC-ICS POLICY SCADA-SCAN Pcworx scan looking like nmap"; content:"|01 06 00 0e 00 02 00 00 00 00 00 4b 04 00|"; classtype:bad-unknown; rev:2; sid:101563275;)
+
+
+# Nuclei detections sections.
+
+alert tcp any any -> any 502 (msg:"BIERO NULCEI-SCAN Schneider Electric UMAS modicon 340 & 580"; content:"|00 01 00 00 00 04 00 5a 00 02|"; classtype:bad-unknown; rev:2; sid:101563276;)
+
+alert tcp any any -> any 789 (msg:"Red Lion enip detect"; content:"|00 04 01 2b 1b 00|"; classtype:bad-unknown; rev:2; sid:101563277;)
+
+alert tcp any any -> any 44818 (msg:"Allan_Bredlley enip-cip detect"; content:"|63 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; classtype:bad-unknown; rev:2; sid:101563278;)
+
+alert tcp any any -> any 44818 (msg:"Ethenret/IP CIP"; content:"|63 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c1 de be d1 00 00 00 00|"; classtype:bad-unknown; rev:2; sid:101563279;)
+
+alert tcp any any -> any 44818 (msg:"S7comm Request serial number of PLC"; content:"|03 00 00 21 02 f0 80 32 07 00 00 00 00 00 08 00 08 00 01 12 04 11 44 01 00 ff 09 00 04 00 1c 00 01|"; classtype:bad-unknown; rev:2; sid:101563279;)
+
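Review bot: The last two added rules share `sid:101563279;` (the "Ethenret/IP CIP" rule and the "S7comm Request serial number of PLC" rule), and Suricata rejects a signature whose sid/gid pair is already loaded, so the S7comm rule is silently dropped at load time (or aborts the whole ruleset under `--init-errors-fatal`); give it the next free id, `sid:101563279;` → `sid:101563280;`. The S7comm rule is also bound to `-> any 44818`, the EtherNet/IP port used by the two rules above it, while its content opens with what looks like a TPKT header (`03 00 00 21`) that would normally travel on ISO-TSAP, i.e. `alert tcp any any -> any 102 (...)` — worth confirming against the capture the nuclei template was derived from before it ships. All five rules are brand new yet carry `rev:2`, and their msg strings ("BIERO NULCEI-SCAN", "Allan_Bredlley", "Ethenret/IP") break from the `CYBER-SEC-ICS POLICY SCADA-SCAN ...` prefix used by the context lines; `rev:1` and the shared prefix keep alerts groupable and searchable. Finally, the two 44818 rules match a 24-byte encapsulation header that is almost entirely zero bytes and, like the visible existing rules, carry no `flow:to_server,established;`, so ordinary ENIP clients will presumably fire them in either direction; adding the flow keyword would narrow that considerably.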