[Oisf-users] Suricata 3.2dev : Modbus function code inspection problem

Alex Levit alex at bitfidence.com
Sun Dec 25 14:22:58 UTC 2016

Thanks Eric for the info, the shift is actually in the address.
I rewrote the drop rule to drop only packets that were detected as Modbus,
and now there is no need for allowing the 3-way handshake.
Then it worked well, for the function code as well as the address and values.
Happy Holidays to everyone.

On Fri, Dec 23, 2016 at 10:32 AM, Alex Levit <alex at bitfidence.com> wrote:

> Hello Everyone,
> I am new to Suricata, so I may be missing something basic in understanding
> how to write rules.
> I am trying to enforce function code 4 (read input registers) only
> between the SCADA and RTU, while I want to block all others. The result is that
> I am able to either block or allow all Modbus communication.
> If I add the pass rules below:
> pass modbus any any -> any 502 (msg:"Modbus"; flow:established;
> modbus:function 4; sid:1004; rev:1;)
> pass modbus any 502 -> any any (msg:"Modbus"; flow:established;
> modbus:function 4; sid:1005; rev:1;)
> For some unclear reason, function code 3 is also allowed.
> Removing these rules will block all function codes.
> Attached are the drop and pass rules files as well as the log files and config.
> Q1:
> - What am I doing wrong?
> Q2:
> - The release is still defined as "dev". Is that the right direction for me to
> use it if I want to test DNP3 and Modbus?
> Thanks,
> Alex
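As an added illustration (not part of Alex's or Eric's messages), here is a minimal rules file following the approach Alex describes in his reply: pass Modbus function code 4 in both directions and drop only traffic that Suricata has already identified as Modbus, so the TCP three-way handshake, which carries no Modbus payload yet, is not affected. The address-group variables $SCADA_NET and $RTU_NET, the rule messages and the sid values are assumptions chosen for this example.

```suricata
# Constructed example rules file (not from the thread). $SCADA_NET and $RTU_NET
# are assumed address-group variables defined under "vars" in suricata.yaml.

# Allow Read Input Registers (function code 4) requests from the SCADA host to the RTU.
pass modbus $SCADA_NET any -> $RTU_NET 502 (msg:"Modbus FC4 request allowed"; flow:established,to_server; modbus:function 4; sid:1004; rev:2;)

# Allow the matching function code 4 responses back from the RTU.
pass modbus $RTU_NET 502 -> $SCADA_NET any (msg:"Modbus FC4 response allowed"; flow:established,to_client; modbus:function 4; sid:1005; rev:2;)

# Drop everything else that Suricata has identified as Modbus. Because the header
# protocol is "modbus" rather than "tcp", this rule can only match once app-layer
# detection has classified the flow, so the handshake packets are left alone.
drop modbus any any -> any any (msg:"Modbus non-FC4 traffic dropped"; flow:established; sid:1006; rev:1;)
```

Suricata evaluates rules by action in the order configured under `action-order` in suricata.yaml (by default pass, drop, reject, alert), so the two pass rules take precedence over the drop rule no matter where they sit in the file. Before loading the file in IPS mode, `suricata -T -c suricata.yaml -S modbus.rules` checks that the rules parse, and the resulting drops and passes can be confirmed in fast.log or eve.json.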