[Oisf-devel] Question regarding Modbus payload

LUKAT Alexandre Ext alexandre.lukat at rte-france.com
Thu Aug 20 16:01:17 UTC 2015


I am testing Suricata in order to detect fraudulent traffic. I made good progress and managed to trigger my first alerts.

So now, the following rule is triggered:

alert tcp any any -> any 502 (msg:"Modbus traffic detected!"; sid:123596;)

Be the TCP/IP Modbus exchange, confirmed by Wireshark:
(1) -> TCP SYN
(2) <- TCP SYN, ACK
(3) -> TCP ACK
(4) -> TCP with Modbus Payload

My current problem is that this alert is only triggered for packet (1) and not (3) or (4). I think it should. In the end, I would like to alert for (4), and eventually parse the Modbus payload.
The (1) does not have Modbus payload, as it is only a TCP SYN.

Do you have an idea on my problem? Why doesn’t the other packet trigger the alert?

Thanks for your help.

Best Regards,

"Ce message est destiné exclusivement aux personnes ou entités auxquelles il est adressé et peut contenir des informations privilégiées ou confidentielles. Si vous avez reçu ce document par erreur, merci de nous l'indiquer par retour, de ne pas le transmettre et de procéder à sa destruction.

This message is solely intended for the use of the individual or entity to which it is addressed and may contain information that is privileged or confidential. If you have received this communication by error, please notify us immediately by electronic mail, do not disclose it and delete the original message."
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-devel/attachments/20150820/46eb6c05/attachment.html>

More information about the Oisf-devel mailing list