[Oisf-devel] Question regarding Modbus payload

DIALLO David diallo at et.esiea.fr
Fri Aug 28 13:15:04 UTC 2015


Hello Alexandre,

Your alert "alert modbus any any -> any any (msg:"Modbus traffic detected!"; sid:14452;)" works on my side (2.1beta3 and 2.1beta4).

I did the test (and you can do it too) with the following pcap file
from a Schneider Electric Modicon PLC (Traffic 5. Modicon PLC) provided by
Digital Bond:
https://www.digitalbond.com/s4/s4x15-week/s4x15-ics-village/

Where did you get your Modbus exchange (simulated or real ICS network)?
Are you able to provide any pcap file to test it?

Thanks & Regards,
David DIALLO.

On 24/08/2015 16:02, LUKAT Alexandre Ext wrote:
> Hello,
>
> Some update regarding my problems.
> I managed to get rid of this error, the proper keyword was "modbus: function 3" for example.
>
> But what I do not understand is that, this alert is working:
> alert tcp any any -> any 502 (msg:"Modbus traffic detected!"; flow:stateless; dsize:>0; sid:123596;)
>
> But this one is not:
> alert modbus any any -> any any (msg:"Modbus traffic detected!"; sid:14452;)
>
> I have no error anywhere, and no alert in eve.json (2.1beta4).
>
> What am I missing? Is there some preprocessing to configure somewhere?
>
> Best Regards,
> Alexandre
>
>
>
> -----Original Message-----
> From: LUKAT Alexandre Ext
> Sent: Sunday, 23 August 2015 18:49
> To: Victor Julien
> Cc: oisf-devel at lists.openinfosecfoundation.org
> Subject: RE:[Oisf-devel] Question regarding Modbus payload
>
> Hello Victor,
>
> I was running 2.1beta3 but also tested 2.1beta4 without any success.
>
> By the way, if I have this following error:
> [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'modbus.function'.
>
> Is there something I forgot to do regarding the modbus configuration for Suricata? Is there some preprocessing to configure?
>
> Or is it supposed to work out of the box?
>
> Thank you very much.
> Best Regards,
>
> Alexandre
> ________________________________________
> From: Victor Julien [victor at inliniac.net]
> Sent: Friday, 21 August 2015 17:28
> To: LUKAT Alexandre Ext
> Cc: oisf-devel at lists.openinfosecfoundation.org
> Subject: Re: [Oisf-devel] Question regarding Modbus payload
>
> On 08/21/2015 03:05 PM, LUKAT Alexandre Ext wrote:
>> [NOT WORKING]
>> alert modbus any any -> any 502 (msg:"Modbus traffic detected!"; flow:stateless; dsize:>0; sid:123596;)  => 'modbus' instead of 'tcp'
>>
>> In the end, I would like to use 'modbus.function: 0x5A;' type of statements.
> The modbus parser is part of 2.1beta4. Have you tried running that version?
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
>
>
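As an added illustration (not code from this thread or from Suricata itself), the Python below mirrors the difference between the two rules Alexandre compares: the `tcp` rule fires on any non-empty payload to port 502, while the `modbus` rule and the `modbus: function N` keyword can only fire once the payload parses as a Modbus/TCP ADU. The MBAP parsing and the two sample frames are constructed here as assumptions; they are not Suricata's implementation.

```python
import struct
from dataclasses import dataclass
from typing import Optional

MODBUS_PORT = 502


@dataclass
class ModbusAdu:
    transaction_id: int
    unit_id: int
    function: int
    pdu: bytes


def parse_modbus_tcp(payload: bytes) -> Optional[ModbusAdu]:
    """Parse a Modbus/TCP ADU: 7-byte MBAP header followed by the PDU.
    Returns None when the bytes are not well-formed Modbus/TCP."""
    if len(payload) < 8:                       # MBAP (7) + function code (1)
        return None
    tid, proto, length, unit = struct.unpack("!HHHB", payload[:7])
    if proto != 0:                             # protocol id 0 means Modbus
        return None
    # MBAP length counts unit id + PDU, so the whole ADU is 6 + length bytes
    if length < 2 or len(payload) != 6 + length:
        return None
    return ModbusAdu(tid, unit, payload[7], payload[8:])


def tcp_dsize_rule(dst_port: int, payload: bytes) -> bool:
    """Mirror of: alert tcp any any -> any 502 (flow:stateless; dsize:>0;)
    No protocol knowledge: anything non-empty to port 502 matches."""
    return dst_port == MODBUS_PORT and len(payload) > 0


def modbus_function_rule(payload: bytes, function: int) -> bool:
    """Mirror of: alert modbus any any -> any any (modbus: function <n>;)
    Matches only if the app-layer parser accepts the payload as Modbus."""
    adu = parse_modbus_tcp(payload)
    return adu is not None and adu.function == function


# Constructed sample: Read Holding Registers (function 3), start 0, count 10
READ_HOLDING = bytes.fromhex("0001" "0000" "0006" "01" "03" "0000" "000a")
# Constructed sample: non-Modbus bytes sent to port 502
JUNK = b"GET / HTTP/1.0\r\n\r\n"
```

Running both rules over the two constructed payloads shows why a `tcp`/`dsize` rule can alert where a `modbus` rule stays silent: the latter needs the bytes to be recognised as Modbus first.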
