[Oisf-users] Suricata 3.2dev : Modbus function code inspection problem
Eric Leblond
eric at regit.org
Fri Dec 23 13:45:17 UTC 2016
Hello,
On Fri, 2016-12-23 at 10:32 +0200, Alex Levit wrote:
> Hello Everyone,
>
> I am new to suricata, so may be missing something basic in
> understanding how to write rules.
> I am trying to enforce function code 4 (read input registers) only
> between Scada and RTU while all others I want to block. The result is
> that I am able to either block or allow all modbus communication.
>
> If I add below pass rules:
>
> pass modbus 10.10.10.1 any -> 10.10.10.2 502 (msg:"Modbus";flow:established; modbus:function 4; sid:1004; rev:1;)
> pass modbus 10.10.10.2 502 -> 10.10.10.1 any (msg:"Modbus";flow:established; modbus:function 4; sid:1005; rev:1;)
>
> For some unclear reason, function code 3 is also allowed.
There is a shift in the function code. The array of functions can start
at 0 or 1. In the case of Suricata it starts at 1, see:
http://suricata.readthedocs.io/en/latest/rules/modbus-keyword.html?highlight=modbus
> Removing these rules will block all function codes.
> Attached are drop and pass rules files as well as log files and
> config.
>
> Q1:
> - What am I doing wrong?
>
> Q2:
> - The release is still defined "dev". Is that the right direction for me
> to use it if I want to test DNP3 and modbus?
3.2 is not dev anymore and provides both protocols.
>
> Thanks,
> Alex
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
--
Eric Leblond <eric at regit.org>
Blog: https://home.regit.org/
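When a pass rule lets through more than expected, it helps to check independently which function code is actually on the wire before blaming the rule. The following is an added example (not from this thread or from Suricata) that parses the Modbus/TCP MBAP header and PDU of a few constructed frames and applies an allowlist of wire function codes; exception responses from the RTU carry the base code with the high bit set, so they are judged by the base code.

```python
import struct

# Modbus/TCP: 7-byte MBAP header (transaction id, protocol id, length,
# unit id) followed by the PDU, whose first byte is the function code.
MBAP = struct.Struct(">HHHB")

FUNCTION_NAMES = {
    3: "Read Holding Registers",
    4: "Read Input Registers",
    6: "Write Single Register",
    16: "Write Multiple Registers",
}


def parse_function_code(frame: bytes) -> int:
    """Return the raw wire function code of a Modbus/TCP frame."""
    if len(frame) < MBAP.size + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    _tid, proto, length, _unit = MBAP.unpack_from(frame)
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    # The length field counts unit id + PDU, so the frame must be 6 + length bytes.
    if len(frame) != 6 + length:
        raise ValueError("MBAP length does not match frame size")
    return frame[MBAP.size]


def policy_verdict(frame: bytes, allowed: set) -> str:
    """'pass' if the base function code is allowlisted, otherwise 'drop'.

    Exception responses set bit 7 (e.g. 0x84 for function 4), so mask it off
    before comparing against the allowlist.
    """
    base = parse_function_code(frame) & 0x7F
    return "pass" if base in allowed else "drop"


# Constructed sample frames (not captured traffic): unit id 1, start address 0.
READ_HOLDING = bytes.fromhex("0001 0000 0006 01 03 0000 0001".replace(" ", ""))
READ_INPUT = bytes.fromhex("0002 0000 0006 01 04 0000 0001".replace(" ", ""))
WRITE_SINGLE = bytes.fromhex("0003 0000 0006 01 06 0000 1234".replace(" ", ""))
EXC_RESPONSE = bytes.fromhex("0002 0000 0003 01 84 02".replace(" ", ""))

if __name__ == "__main__":
    for name, frame in [("read holding", READ_HOLDING), ("read input", READ_INPUT),
                        ("write single", WRITE_SINGLE), ("exception resp", EXC_RESPONSE)]:
        code = parse_function_code(frame)
        label = FUNCTION_NAMES.get(code & 0x7F, "unknown")
        print(f"{name:15} fc={code:#04x} ({label}) -> {policy_verdict(frame, {4})}")
```

Running the script over a capture of the SCADA/RTU traffic, with only the Read Input Registers code allowlisted, shows exactly which frames carry function code 3 and should have been dropped.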