[Oisf-devel] Question regarding Modbus payload
Victor Julien
victor at inliniac.net
Thu Aug 20 17:06:40 UTC 2015
On 08/20/2015 06:01 PM, LUKAT Alexandre Ext wrote:
> I am testing Suricata in order to detect fraudulent traffic. I made good
> progress and managed to trigger my first alerts.
>
> So now, the following rule is triggered:
>
> alert tcp any any -> any 502 (msg:"Modbus traffic detected!"; sid:123596;)
>
> Consider the TCP/IP Modbus exchange, confirmed by Wireshark:
>
> (1) -> TCP SYN
> (2) <- TCP SYN, ACK
> (3) -> TCP ACK
> (4) -> TCP with Modbus payload
>
> My current problem is that this alert is only triggered for packet (1)
> and not (3) or (4). I think it should. In the end, I would like to alert
> for (4), and eventually parse the Modbus payload.
>
> Packet (1) does not have a Modbus payload, as it is only a TCP SYN.
>
> Do you have an idea on my problem? Why don't the other packets trigger
> the alert?
>
We consider this an IP-only rule, as it just looks for non-payload parts
of the session. This is only checked and matched once per flow.
If you add a payload inspection statement, it will alert more often. I
would suggest adding 'dsize:>0;', as you care about the payloads.
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
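As an added illustration that is not part of this thread, the following Python model of the four-packet exchange above shows which packets an IP-only rule alerts on versus the same rule with `dsize:>0`, and decodes the Modbus/TCP header of packet (4). The packet list and the Modbus payload are constructed samples; the two-way behaviour of `alerting_packets` is a simplified model of what Victor describes, not Suricata's own engine code.

```python
import struct
from dataclasses import dataclass


@dataclass
class Packet:
    seq: int        # position in the exchange, as numbered in the mail
    flags: str      # TCP flags: "S", "SA", "A", "PA"
    payload: bytes  # TCP payload, empty for the pure handshake segments


# Constructed sample: packet (4) carries a Modbus/TCP "Read Holding Registers"
# request (function code 3) for 10 registers starting at address 0.
MBAP = struct.pack(">HHHB", 1, 0, 6, 1)  # transaction 1, proto 0, length 6, unit 1
PDU = struct.pack(">BHH", 3, 0, 10)      # function 3, start address 0, quantity 10
FLOW = [
    Packet(1, "S", b""),
    Packet(2, "SA", b""),
    Packet(3, "A", b""),
    Packet(4, "PA", MBAP + PDU),
]


def alerting_packets(flow, dsize_gt0):
    """Return the packet numbers on which the port-502 rule would alert.

    Without a payload keyword the rule is IP-only: it is checked once per
    flow, so only the first packet (the SYN) alerts. With `dsize:>0` it is a
    payload rule checked per packet, so only segments carrying data match.
    """
    if not dsize_gt0:
        return [flow[0].seq]
    return [p.seq for p in flow if len(p.payload) > 0]


def parse_modbus_tcp(payload):
    """Decode the MBAP header and function code of a Modbus/TCP message."""
    if len(payload) < 8:
        raise ValueError("too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError("protocol id %d is not Modbus" % proto)
    if length != len(payload) - 6:  # length counts unit id + PDU bytes
        raise ValueError("MBAP length field does not match the payload")
    return {"transaction_id": tid, "unit_id": unit, "function_code": payload[7]}


if __name__ == "__main__":
    print("IP-only rule alerts on packets:", alerting_packets(FLOW, False))
    print("dsize:>0 rule alerts on packets:", alerting_packets(FLOW, True))
    print("packet (4) decoded:", parse_modbus_tcp(FLOW[3].payload))
```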