[Oisf-devel] Question regarding Modbus payload

LUKAT Alexandre Ext alexandre.lukat at rte-france.com
Sun Aug 23 16:49:27 UTC 2015


Hello Victor,

I was running 2.1beta3 but also tested 2.1beta4 without any success.

By the way, if I have this following error:
[ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'modbus.function'.

Is there something I forget to do regarding to modbus configuration for suricata? Is there some preprocessing to configure?

Or is it supposed to work out of the box?

Thank you very much.
Best Regards,

Alexandre
________________________________________
De : Victor Julien [victor at inliniac.net]
Envoyé : vendredi 21 août 2015 17:28
À : LUKAT Alexandre Ext
Cc : oisf-devel at lists.openinfosecfoundation.org
Objet : Re: [Oisf-devel] Question regarding Modbus payload

On 08/21/2015 03:05 PM, LUKAT Alexandre Ext wrote:
> [NOT WORKING]
> alert modbus any any -> any 502 (msg:"Modbus traffic detected!"; flow:stateless; 'dsize:>0; sid:123596;)  => 'modbus' instead of 'tcp'
>
> In fine, I would like to use 'modbus.function: 0x5A;' type of statements.

The modbus parser is part of 2.1beta4. Have you tried running that version?

--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------



"Ce message est destiné exclusivement aux personnes ou entités auxquelles il est adressé et peut contenir des informations privilégiées ou confidentielles. Si vous avez reçu ce document par erreur, merci de nous l'indiquer par retour, de ne pas le transmettre et de procéder à sa destruction.

This message is solely intended for the use of the individual or entity to which it is addressed and may contain information that is privileged or confidential. If you have received this communication by error, please notify us immediately by electronic mail, do not disclose it and delete the original message."



More information about the Oisf-devel mailing list