marcin at kajtek.org
Tue Dec 2 06:21:49 UTC 2008
> isc.sans.org says they might be SCADA related.
If the traffic is modbus ascii, the frames should begin with 0x3A and
end with 0x0D0A, with values from 0x30 to 0x45 as payload.
I would love to get the dumps.
Given the number of sources, that (in my experience) PLCs are almost
always installed in private IP space and that modbus ascii is very
rare, I doubt this traffic is a case of data leak from a sensor
More information about the dns-operations