[Oisf-users] Suricata 3.2dev : Modbus function code inspection problem

Alex Levit alex at bitfidence.com
Fri Dec 23 08:32:09 UTC 2016


Hello Everyone,

I am new to Suricata, so I may be missing something basic in understanding
how to write rules.
I am trying to enforce function code 4 (read input registers) only between
SCADA and RTU while all others I want to block. The result is that I am
able to either block or allow all Modbus communication.

If I add below pass rules:

pass modbus 10.10.10.1 any -> 10.10.10.2 502 (msg:"Modbus"; flow:established; modbus:function 4; sid:1004; rev:1;)
pass modbus 10.10.10.2 502 -> 10.10.10.1 any (msg:"Modbus"; flow:established; modbus:function 4; sid:1005; rev:1;)

For some unclear reason, function code 3 is also allowed.
Removing these rules will block all function codes.
Attached are drop and pass rules files as well as log files and config.

Q1:
- What am I doing wrong?

Q2:
- The release is still defined "dev". Is that the right direction for me to use
it if I want to test DNP3 and Modbus?

Thanks,
Alex
-------------- next part --------------
A non-text attachment was scrubbed...
Name: startup.log
Type: text/x-log
Size: 3585 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20161223/50eeabe5/attachment-0003.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: debug-packet.log
Type: text/x-log
Size: 241637 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20161223/50eeabe5/attachment-0004.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: drop.rules
Type: application/octet-stream
Size: 241 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20161223/50eeabe5/attachment-0002.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: suricata.yaml
Type: application/x-yaml
Size: 66003 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20161223/50eeabe5/attachment-0005.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pass.rules
Type: application/octet-stream
Size: 584 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20161223/50eeabe5/attachment-0003.obj>
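Added example (not from the post, the attachments, or Suricata itself): a small Python model of two ways a function-code allow-list can be applied to a Modbus/TCP flow, using constructed frames and hypothetical policy functions. It shows that a policy which passes the whole flow once a function-4 request has matched also lets a later function-3 request through, which matches the symptom described above; whether the Suricata pass action behaves this way for the flow in 3.2dev is an assumption to check against its documentation, not a fact taken from this thread.

```python
import struct

# Modbus function codes referenced in the post.
READ_HOLDING_REGISTERS = 3
READ_INPUT_REGISTERS = 4
ALLOWED_FUNCTIONS = {READ_INPUT_REGISTERS}  # the intended policy: only function 4


def build_frame(transaction_id, unit_id, pdu):
    """Build a constructed Modbus/TCP frame: 7-byte MBAP header followed by the PDU.
    MBAP = transaction id (2), protocol id (2, always 0), length (2), unit id (1);
    length counts the unit id plus the PDU bytes."""
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def parse_function_code(frame):
    """Return the function code of a Modbus/TCP frame, or None if it is malformed."""
    if len(frame) < 8:
        return None
    _tid, proto, length, _unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        return None
    return frame[7]  # first PDU byte is the function code


def per_request_policy(frames):
    """Hypothetical policy A: judge every request on its own function code."""
    return ["pass" if parse_function_code(f) in ALLOWED_FUNCTIONS else "drop"
            for f in frames]


def flow_pass_policy(frames):
    """Hypothetical policy B: once one request on the flow matches the allow-list,
    the remainder of the flow is passed without further inspection."""
    decisions, flow_passed = [], False
    for f in frames:
        if flow_passed:
            decisions.append("pass")
        elif parse_function_code(f) in ALLOWED_FUNCTIONS:
            flow_passed = True
            decisions.append("pass")
        else:
            decisions.append("drop")
    return decisions


# Constructed sample flow (not from the attached pcaps): a function-4 request
# followed by a function-3 request on the same TCP connection.
SAMPLE_FLOW = [
    build_frame(1, 1, bytes([READ_INPUT_REGISTERS, 0, 0, 0, 10])),
    build_frame(2, 1, bytes([READ_HOLDING_REGISTERS, 0, 0, 0, 10])),
]
```

Policy A drops the function-3 request; policy B passes it because the flow was already marked as passed by the earlier function-4 match.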