S7 – Request Security functions/Set PLC session password
The rule is related to Siemens S7 communication protocol, which is used for communication with Siemens PLCs. Each command serves a specific purpose in interacting with the PLC. "S7 - Request Security functions/Set PLC session password" command initiates the setup of security functions or allows setting a password for the PLC session. It is used to enable security features in the communication between the client (e.g., HMI, SCADA system) and the PLC to protect against unauthorized access or tampering.
Signature
alert tcp any any -> any 102 (msg:"S7 - Request Security functions/Set PLC session password";content:"|03 00|";offset:0;depth:2;content:"|00 01 12 04 11 45 01 00|";offset:17;depth:8;sid:4000022;)
Recommendations/Investigative actions
Authorize the connection. If the connection was approved as a network engineer accessing the PLC - archive and baseline the rule. If not - check the connection and investigate the relevant IP address.
Relations to other alerts