[Oisf-devel] Question regarding Modbus payload

LUKAT Alexandre Ext alexandre.lukat at rte-france.com
Fri Aug 21 13:05:05 UTC 2015


Hello Victor,

Thank you for your answer!
It worked perfectly.

Additionally, is there something special to do in order to decode Modbus?

[WORKING]
alert tcp any any -> any 502 (msg:"Modbus traffic detected!"; flow:stateless; dsize:>0; sid:123596;)

[NOT WORKING]
alert modbus any any -> any 502 (msg:"Modbus traffic detected!"; flow:stateless; dsize:>0; sid:123596;)  => 'modbus' instead of 'tcp'

Ultimately, I would like to use statements of the form 'modbus.function: 0x5A;'.

Thanks again for your appreciated help.
Best Regards,

Alexandre


-----Original Message-----
From: oisf-devel-bounces at lists.openinfosecfoundation.org [mailto:oisf-devel-bounces at lists.openinfosecfoundation.org] On behalf of Victor Julien
Sent: Thursday, 20 August 2015 19:07
To: oisf-devel at lists.openinfosecfoundation.org
Subject: Re: [Oisf-devel] Question regarding Modbus payload

On 08/20/2015 06:01 PM, LUKAT Alexandre Ext wrote:
> I am testing Suricata in order to detect fraudulent traffic. I made
> good progress and managed to trigger my first alerts.
>
> So now, the following rule is triggered:
>
> alert tcp any any -> any 502 (msg:"Modbus traffic detected!"; sid:123596;)
>
> Consider the TCP/IP Modbus exchange, confirmed by Wireshark:
>
> (1) -> TCP SYN
> (2) <- TCP SYN, ACK
> (3) -> TCP ACK
> (4) -> TCP with Modbus Payload
>
> My current problem is that this alert is only triggered for packet (1)
> and not (3) or (4). I think it should. In the end, I would like to
> alert for (4), and eventually parse the Modbus payload.
>
> Packet (1) does not have a Modbus payload, as it is only a TCP SYN.
>
> Do you have an idea on my problem? Why don't the other packets
> trigger the alert?
>

We consider this an IP-only rule, as it just looks for non-payload parts of the session. This is only checked and matched once per flow.

If you add a payload inspection statement, it will alert more often. I would suggest adding 'dsize:>0;', as you care about the payloads.

--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
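As an added illustration (not part of the thread or of Suricata's code), a small Python model of what Victor's 'dsize:>0' suggestion and a Modbus function-code check see on each of the four packets in the quoted exchange. It parses the Modbus/TCP MBAP header (transaction id, protocol id, length, unit id) followed by the function code; the Read Holding Registers request used as packet (4) is constructed, not captured.

```python
import struct
from dataclasses import dataclass
from typing import Optional

MBAP_LEN = 7  # Modbus/TCP header: transaction id (2), protocol id (2), length (2), unit id (1)

@dataclass
class ModbusPDU:
    transaction_id: int
    unit_id: int
    function: int
    data: bytes

def parse_modbus_tcp(payload: bytes) -> Optional[ModbusPDU]:
    """Parse a Modbus/TCP ADU; return None if the payload is not well-formed Modbus."""
    if len(payload) < MBAP_LEN + 1:        # header plus at least the function code
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:MBAP_LEN])
    if proto != 0:                          # protocol id is always 0 for Modbus/TCP
        return None
    if length != len(payload) - 6:          # length counts unit id + PDU, not the first 6 bytes
        return None
    return ModbusPDU(tid, unit, payload[MBAP_LEN], payload[MBAP_LEN + 1:])

def rule_matches(payload: bytes, function: Optional[int] = None) -> bool:
    """Emulate 'dsize:>0' plus an optional 'modbus.function' check on one TCP payload."""
    if len(payload) == 0:                   # dsize:>0 fails on SYN / SYN-ACK / bare ACK segments
        return False
    if function is None:
        return True
    pdu = parse_modbus_tcp(payload)
    return pdu is not None and pdu.function == function

# Constructed sample: the four-packet exchange from the thread. Packets (1)-(3) carry no
# TCP payload; (4) is a Read Holding Registers request (function 0x03), transaction 1,
# unit 1, start address 0, quantity 10.
EXCHANGE = [
    ("(1) -> TCP SYN", b""),
    ("(2) <- TCP SYN, ACK", b""),
    ("(3) -> TCP ACK", b""),
    ("(4) -> Modbus request", bytes.fromhex("0001 0000 0006 01 03 0000 000a")),
]

def matching_packets(function: Optional[int] = None) -> list:
    """Names of the packets a rule with dsize:>0 (and optionally a function code) would fire on."""
    return [name for name, payload in EXCHANGE if rule_matches(payload, function)]

if __name__ == "__main__":
    print(matching_packets())        # only packet (4) satisfies dsize:>0
    print(matching_packets(0x03))    # and it carries function code 3
    print(matching_packets(0x5A))    # nothing in this sample uses function 0x5A
```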
