Siemens Simatic PLC

Detects active Siemens PLCs running on port 102

id: siemens-plc-detect

info:
  name: Siemens PLC - Detect
  author: Redflare-Cyber
  severity: info
  description: |
    A Siemens PLC has been potentially detected.
    Heuristics in the response indicate a possible Siemens PLC installation.
  metadata:
    verified: true
    max-request: 1
    vendor: Siemens
    product: siemens
    shodan-query:
      - html:"Overview - Siemens, SIMATIC"
      - http.html:"overview - siemens, simatic"
    fofa-query: body="overview - siemens, simatic"
  tags: siemens,scada,IIoT,cti,network,tcp
tcp:
  - inputs:
      - data: "0300001611e00000000400c1020100c2020102c0010a"
        type: hex

    host:
      - "{{Hostname}}"
    port: 102
    read-size: 1024

    matchers:
      - type: binary
        binary:
          - "0300001611d00004000100c1020100c2020102c0010a"
          - "0300001611d00004443100c0010ac1020100c2020102"