[Oisf-users] Suricata 3.2dev : Modbus function code inspection problem

Alex Levit alex at bitfidence.com
Sun Dec 25 14:22:58 UTC 2016


Thanks Eric for the info; the shift is actually in the address.
I rewrote the drop rule to drop only packets that were detected as modbus,
and now there is no need for allowing the 3-way handshake.
Then it worked well, both function code as well as address and value
filtering.
Happy Holidays to Everyone
Alex



On Fri, Dec 23, 2016 at 10:32 AM, Alex Levit <alex at bitfidence.com> wrote:

> Hello Everyone,
>
> I am new to suricata, so I may be missing something basic in understanding
> how to write rules.
> I am trying to enforce function code 4 (read input registers) only
> between Scada and RTU while blocking all others. The result is that
> I am able to either block or allow all modbus communication.
>
> If I add below pass rules:
>
> pass modbus 10.10.10.1 any -> 10.10.10.2 502 (msg:"Modbus"; flow:established; modbus:function 4; sid:1004; rev:1;)
> pass modbus 10.10.10.2 502 -> 10.10.10.1 any (msg:"Modbus"; flow:established; modbus:function 4; sid:1005; rev:1;)
>
> For some unclear reason, function code 3 is also allowed.
> Removing these rules will block all function codes.
> Attached are drop and pass rules files as well as log files and config.
>
> Q1:
> - What am I doing wrong?
>
> Q2:
> - The release is still defined "dev". Is that the right direction for me to
> use it if I want to test DNP3 and modbus?
>
> Thanks,
> Alex
>
>
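The rule set below is an added illustration of the behaviour Alex describes, not rules from the original post or from the Suricata project. It keeps the two pass rules from the question (hosts 10.10.10.1 and 10.10.10.2 are taken from the post), and contrasts a drop rule written against the bare tcp protocol with one written against the modbus app-layer protocol, which is the change Alex reports as the fix. The sids 1010 and 1011 and the msg strings are constructed for this example.

```suricata
# Allow only Modbus function code 4 (Read Input Registers) between the SCADA
# master (10.10.10.1) and the RTU (10.10.10.2:502). Suricata's default action
# order evaluates pass rules before drop rules, so a packet matching one of
# these is accepted before the drop rule below is considered.
pass modbus 10.10.10.1 any -> 10.10.10.2 502 (msg:"Modbus FC4 request allowed"; flow:established,to_server; modbus:function 4; sid:1004; rev:2;)
pass modbus 10.10.10.2 502 -> 10.10.10.1 any (msg:"Modbus FC4 response allowed"; flow:established,to_client; modbus:function 4; sid:1005; rev:2;)

# Over-broad drop (kept commented out): matching on plain tcp to port 502 also
# drops the SYN / SYN-ACK / ACK packets, so the handshake never completes and
# the Modbus parser never sees a function code to match on. This is why an
# extra rule allowing the 3-way handshake was needed with this form.
# drop tcp any any -> 10.10.10.2 502 (msg:"drop all tcp/502"; sid:1010; rev:1;)

# Narrower drop: only packets already recognised as Modbus are dropped. The
# TCP handshake is not Modbus, so it passes on its own, the app-layer parser
# runs, and any function code other than 4 is then dropped here.
drop modbus any any -> any any (msg:"Modbus function code not on allowlist"; flow:established; sid:1011; rev:1;)
```

With this ordering, function code 3 (Read Holding Registers) is no longer let through: it fails both pass rules and falls to sid 1011. When adding address-based rules (modbus:access), note that register addresses in the Modbus PDU are zero-based, while device documentation commonly numbers them from 1 (input register 30001 is address 0 on the wire), which is the shift Alex mentions in his reply.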