[Oisf-users] modbus and dnp3

Russell Fulton r.fulton at auckland.ac.nz
Tue May 21 01:22:44 UTC 2019


I am getting these errors from suricata on startup:

May 20 11:39:04 secmonprd10 suricata: [22253] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - protocol modbus is disabled
May 20 11:39:04 secmonprd10 suricata: [22253] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert modbus any any -> any any (msg:"SURICATA Modbus invalid Unit Identifier"; app-layer-event:modbus.invalid_unit_identifier; classtype:protocol-command-decode; sid:2250004; rev:2;)" from file /var/lib/suricata/rules/suricata.rules at line 22
May 20 11:39:04 secmonprd10 suricata: [22253] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - protocol modbus is disabled
May 20 11:39:04 secmonprd10 suricata: [22253] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert modbus any any -> any any (msg:"SURICATA Modbus Request flood detected"; flow:to_server; app-layer-event:modbus.flooded; classtype:protocol-command-decode; sid:2250009; rev:2;)" from file /var/lib/suricata/rules/suricata.rules at line 26
May 20 11:39:04 secmonprd10 suricata: [22253] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - protocol dnp3 is disabled
May 20 11:39:04 secmonprd10 suricata: [22253] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dnp3 any any -> any any (msg:"SURICATA DNP3 Bad transport CRC";        app-layer-event:dnp3.bad_transport_crc; classtype:protocol-command-decode; sid:2270003; rev:2;)" from file /var/lib/suricata/rules/suricata.rules at line 36
May 20 11:39:04 secmonprd10 suricata: [22253] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - protocol modbus is disabled
May 20 11:39:04 secmonprd10 suricata: [22253] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert modbus any any -> any any (msg:"SURICATA Modbus Exception code invalid"; flow:to_client; app-layer-event:modbus.invalid_exception_code; classtype:protocol-command-decode; sid:2250007; rev:2;)" from file /var/lib/suricata/rules/suricata.rules at line 48
May 20 11:39:04 secmonprd10 suricata: [22253] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - protocol modbus is disabled
May 20 11:39:04 secmonprd10 suricata: [22253] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert modbus any any -> any any (msg:"SURICATA Modbus unsolicited response"; app-layer-event:modbus.unsolicited_response; classtype:protocol-command-decode; sid:2250002; rev:2;)" from file /var/lib/suricata/rules/suricata.rules at line 77
May 20 11:39:04 secmonprd10 suricata: [22253] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - protocol dnp3 is disabled
May 20 11:39:04 secmonprd10 suricata: [22253] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dnp3 any any -> any any (msg:"SURICATA DNP3 Unknown object";        app-layer-event:dnp3.unknown_object; classtype:protocol-command-decode; sid:2270004; rev:2;)" from file /var/lib/suricata/rules/suricata.rules at line 89
May 20 11:39:04 secmonprd10 suricata: [22253] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - protocol modbus is disabled
May 20 11:39:04 secmonprd10 suricata: [22253] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert modbus any any -> any any (msg:"SURICATA Modbus Data mismatch"; flow:to_client; app-layer-event:modbus.value_mismatch; classtype:protocol-command-decode; sid:2250008; rev:2;)" from file /var/lib/suricata/rules/suricata.rules at line 132
May 20 11:39:04 secmonprd10 suricata: [22253] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - protocol dnp3 is disabled
May 20 11:39:04 secmonprd10 suricata: [22253] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dnp3 any any -> any any (msg:"SURICATA DNP3 Bad link CRC";        app-layer-event:dnp3.bad_link_crc; classtype:protocol-command-decode; sid:2270002; rev:2;)" from file /var/lib/suricata/rules/suricata.rules at line 142
M

These are builtin rules (i.e. no rules from a rule file). I have done a bit of googling but I can’t see how to suppress these rules.

This started with the upgrade from 4.0.4 to 4.1.4.

Russell
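
An added example, not part of the original post: a small parser that pairs each "protocol X is disabled" startup error with the rule that failed to load right after it and collects the affected SIDs per protocol. The function names are hypothetical, the first four sample lines are copied from the log above and the fifth is constructed, and the output format assumes a suricata-update style disable list with one SID per line.

```python
import re
from collections import defaultdict

PREFIX = "May 20 11:39:04 secmonprd10 suricata: [22253] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "
RULES = "/var/lib/suricata/rules/suricata.rules"
# Lines 1-4 are from the post; line 5 is constructed (a parse error NOT caused by a disabled protocol).
SAMPLE = "\n".join(PREFIX + s for s in [
    'protocol modbus is disabled',
    'error parsing signature "alert modbus any any -> any any (msg:"SURICATA Modbus Request flood detected"; flow:to_server; app-layer-event:modbus.flooded; classtype:protocol-command-decode; sid:2250009; rev:2;)" from file ' + RULES + ' at line 26',
    'protocol dnp3 is disabled',
    'error parsing signature "alert dnp3 any any -> any any (msg:"SURICATA DNP3 Bad transport CRC";        app-layer-event:dnp3.bad_transport_crc; classtype:protocol-command-decode; sid:2270003; rev:2;)" from file ' + RULES + ' at line 36',
    'error parsing signature "alert http any any -> any any (msg:"constructed example"; sid:9000001; rev:1;)" from file ' + RULES + ' at line 5',
])

DISABLED = re.compile(r"- protocol (\S+) is disabled$")
PARSE_ERR = re.compile(
    r'error parsing signature "\w+ (?P<proto>\S+) .*?\bsid:\s*(?P<sid>\d+);'
    r'.*" from file (?P<file>\S+) at line (?P<line>\d+)$')

def rules_hit_by_disabled_protocols(log_text):
    """Return {protocol: [sids]} for rules rejected because their protocol is disabled."""
    pending = None                      # protocol named by the immediately preceding line
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = DISABLED.search(line)
        if m:
            pending = m.group(1)
            continue
        m = PARSE_ERR.search(line)
        # Attribute the failure only when the rule's protocol matches the preceding
        # "is disabled" line; other parse errors need a separate look.
        if m and pending == m.group("proto"):
            hits[pending].add(int(m.group("sid")))
        pending = None
    return {proto: sorted(sids) for proto, sids in hits.items()}

def disable_list(hits):
    """Render the SIDs one per line, grouped under a comment per protocol (assumed format)."""
    out = []
    for proto in sorted(hits):
        out.append(f"# {proto} app-layer parser is disabled")
        out.extend(str(sid) for sid in hits[proto])
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(disable_list(rules_hit_by_disabled_protocols(SAMPLE)), end="")
```
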

