[Oisf-users] modbus and dnp3

Travis Green travis at travisgreen.net
Tue May 21 15:23:50 UTC 2019


Hey Russell, looks like these rules are from dnp3-events.rules
<https://github.com/OISF/suricata/blob/ec77632e84a106ddbcd0baef4e4368b4fe5c5f9e/rules/dnp3-events.rules>
and modbus-events.rules
<https://github.com/OISF/suricata/blob/ec77632e84a106ddbcd0baef4e4368b4fe5c5f9e/rules/modbus-events.rules>

You may want to check lines 1920 and 1922 in suricata.yaml to ensure they
are disabled and rerun suricata-update.

On Mon, May 20, 2019 at 7:23 PM Russell Fulton <r.fulton at auckland.ac.nz>
wrote:

> I am getting these errors from suricata on startup:
>
> May 20 11:39:04 secmonprd10 suricata: [22253] <Error> -- [ERRCODE:
> SC_ERR_INVALID_SIGNATURE(39)] - protocol modbus is disabled
> May 20 11:39:04 secmonprd10 suricata: [22253] <Error> -- [ERRCODE:
> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert modbus any
> any -> any any (msg:"SURICATA Modbus invalid Unit Identifier";
> app-layer-event:modbus.invalid_unit_identifier;
> classtype:protocol-command-decode; sid:2250004; rev:2;)" from file
> /var/lib/suricata/rules/suricata.rules at line 22
> May 20 11:39:04 secmonprd10 suricata: [22253] <Error> -- [ERRCODE:
> SC_ERR_INVALID_SIGNATURE(39)] - protocol modbus is disabled
> May 20 11:39:04 secmonprd10 suricata: [22253] <Error> -- [ERRCODE:
> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert modbus any
> any -> any any (msg:"SURICATA Modbus Request flood detected";
> flow:to_server; app-layer-event:modbus.flooded;
> classtype:protocol-command-decode; sid:2250009; rev:2;)" from file
> /var/lib/suricata/rules/suricata.rules at line 26
> May 20 11:39:04 secmonprd10 suricata: [22253] <Error> -- [ERRCODE:
> SC_ERR_INVALID_SIGNATURE(39)] - protocol dnp3 is disabled
> May 20 11:39:04 secmonprd10 suricata: [22253] <Error> -- [ERRCODE:
> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dnp3 any any
> -> any any (msg:"SURICATA DNP3 Bad transport CRC";
> app-layer-event:dnp3.bad_transport_crc; classtype:protocol-command-decode;
> sid:2270003; rev:2;)" from file /var/lib/suricata/rules/suricata.rules at
> line 36
> May 20 11:39:04 secmonprd10 suricata: [22253] <Error> -- [ERRCODE:
> SC_ERR_INVALID_SIGNATURE(39)] - protocol modbus is disabled
> May 20 11:39:04 secmonprd10 suricata: [22253] <Error> -- [ERRCODE:
> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert modbus any
> any -> any any (msg:"SURICATA Modbus Exception code invalid";
> flow:to_client; app-layer-event:modbus.invalid_exception_code;
> classtype:protocol-command-decode; sid:2250007; rev:2;)" from file
> /var/lib/suricata/rules/suricata.rules at line 48
> May 20 11:39:04 secmonprd10 suricata: [22253] <Error> -- [ERRCODE:
> SC_ERR_INVALID_SIGNATURE(39)] - protocol modbus is disabled
> May 20 11:39:04 secmonprd10 suricata: [22253] <Error> -- [ERRCODE:
> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert modbus any
> any -> any any (msg:"SURICATA Modbus unsolicited response";
> app-layer-event:modbus.unsolicited_response;
> classtype:protocol-command-decode; sid:2250002; rev:2;)" from file
> /var/lib/suricata/rules/suricata.rules at line 77
> May 20 11:39:04 secmonprd10 suricata: [22253] <Error> -- [ERRCODE:
> SC_ERR_INVALID_SIGNATURE(39)] - protocol dnp3 is disabled
> May 20 11:39:04 secmonprd10 suricata: [22253] <Error> -- [ERRCODE:
> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dnp3 any any
> -> any any (msg:"SURICATA DNP3 Unknown object";
> app-layer-event:dnp3.unknown_object; classtype:protocol-command-decode;
> sid:2270004; rev:2;)" from file /var/lib/suricata/rules/suricata.rules at
> line 89
> May 20 11:39:04 secmonprd10 suricata: [22253] <Error> -- [ERRCODE:
> SC_ERR_INVALID_SIGNATURE(39)] - protocol modbus is disabled
> May 20 11:39:04 secmonprd10 suricata: [22253] <Error> -- [ERRCODE:
> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert modbus any
> any -> any any (msg:"SURICATA Modbus Data mismatch"; flow:to_client;
> app-layer-event:modbus.value_mismatch; classtype:protocol-command-decode;
> sid:2250008; rev:2;)" from file /var/lib/suricata/rules/suricata.rules at
> line 132
> May 20 11:39:04 secmonprd10 suricata: [22253] <Error> -- [ERRCODE:
> SC_ERR_INVALID_SIGNATURE(39)] - protocol dnp3 is disabled
> May 20 11:39:04 secmonprd10 suricata: [22253] <Error> -- [ERRCODE:
> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dnp3 any any
> -> any any (msg:"SURICATA DNP3 Bad link CRC";
> app-layer-event:dnp3.bad_link_crc; classtype:protocol-command-decode;
> sid:2270002; rev:2;)" from file /var/lib/suricata/rules/suricata.rules at
> line 142
> M
>
> These are built-in rules (i.e. no rules from a rule file). I have done a
> bit of googling but I can’t see how to suppress these rules.
>
> This started with the upgrade from 4.0.4 to 4.1.4.
>
> Russell
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/



-- 
PGP: ABE625E6
keybase.io/travisbgreen
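The two ways out of the errors above, enabling the parsers under app-layer.protocols in suricata.yaml or telling suricata-update to drop the built-in app-layer-event rules, as an added Python example that is not from the thread or from the Suricata project. It pairs each "protocol X is disabled" error with the rejected signature that follows it, reads app-layer.protocols.<proto>.enabled from a suricata.yaml fragment without needing PyYAML, and emits disable.conf entries for the rejected sids. Both the log lines (re-joined to one line each, as syslog writes them) and the yaml fragment are constructed from the quoted output; the sid-per-line disable.conf form is the documented suricata-update syntax, everything else (function names, the tls entry, the comment wording) is this example's own.

```python
"""Triage Suricata 'protocol X is disabled' signature-load errors (added example)."""
import re

# Constructed sample: single-line versions of the entries quoted in the thread.
SAMPLE_LOG = """\
May 20 11:39:04 secmonprd10 suricata: [22253] <Notice> -- This is Suricata version 4.1.4 RELEASE
May 20 11:39:04 secmonprd10 suricata: [22253] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - protocol modbus is disabled
May 20 11:39:04 secmonprd10 suricata: [22253] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert modbus any any -> any any (msg:"SURICATA Modbus invalid Unit Identifier"; app-layer-event:modbus.invalid_unit_identifier; classtype:protocol-command-decode; sid:2250004; rev:2;)" from file /var/lib/suricata/rules/suricata.rules at line 22
May 20 11:39:04 secmonprd10 suricata: [22253] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - protocol modbus is disabled
May 20 11:39:04 secmonprd10 suricata: [22253] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert modbus any any -> any any (msg:"SURICATA Modbus Request flood detected"; flow:to_server; app-layer-event:modbus.flooded; classtype:protocol-command-decode; sid:2250009; rev:2;)" from file /var/lib/suricata/rules/suricata.rules at line 26
May 20 11:39:04 secmonprd10 suricata: [22253] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - protocol dnp3 is disabled
May 20 11:39:04 secmonprd10 suricata: [22253] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dnp3 any any -> any any (msg:"SURICATA DNP3 Bad transport CRC"; app-layer-event:dnp3.bad_transport_crc; classtype:protocol-command-decode; sid:2270003; rev:2;)" from file /var/lib/suricata/rules/suricata.rules at line 36
"""

# Constructed suricata.yaml fragment with the keys that matter here.
SAMPLE_YAML = """\
%YAML 1.1
---
app-layer:
  protocols:
    tls:
      enabled: yes
    modbus:
      # parser off: every modbus.* app-layer-event rule is rejected at load
      enabled: no
      detection-ports:
        dp: 502
    dnp3:
      enabled: no
"""

DISABLED_RE = re.compile(r"protocol (?P<proto>\w+) is disabled")
SIG_RE = re.compile(r'error parsing signature "alert (?P<proto>\w+) .*?\bsid:(?P<sid>\d+);')


def disabled_protocol_rules(log_lines):
    """{proto: sorted sids} for signatures rejected because the parser is off.
    A rejection counts only when the immediately preceding error named the same
    protocol as disabled, so unrelated parse errors are not swept up."""
    pending, found = None, {}
    for line in log_lines:
        m = DISABLED_RE.search(line)
        if m:
            pending = m.group("proto")
            continue
        m = SIG_RE.search(line)
        if m and m.group("proto") == pending:
            found.setdefault(pending, set()).add(int(m.group("sid")))
        pending = None
    return {p: sorted(s) for p, s in found.items()}


def app_layer_setting(yaml_text, proto):
    """Lower-cased value of app-layer.protocols.<proto>.enabled ('yes', 'no',
    'detect-only', ...) or None if absent. Indentation-aware walk, no PyYAML."""
    path = ["app-layer", "protocols", proto, "enabled"]
    indents = []  # indent of each matched path component so far
    for raw in yaml_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        while indents and indent <= indents[-1]:
            indents.pop()  # left the block of the last matched key
        key, sep, value = raw.strip().partition(":")
        if not sep or key != path[len(indents)]:
            continue
        if len(indents) == len(path) - 1:
            return value.split("#", 1)[0].strip().lower()
        indents.append(indent)
    return None


def disable_conf_entries(rules_by_proto):
    """suricata-update disable.conf lines: one bare sid per line."""
    lines = []
    for proto, sids in sorted(rules_by_proto.items()):
        lines.append(f"# {proto} parser disabled in suricata.yaml: skip its app-layer-event rules")
        lines.extend(str(s) for s in sids)
    return lines


def triage(log_text, yaml_text):
    """Per protocol: current suricata.yaml setting and the rejected sids."""
    return {p: {"enabled": app_layer_setting(yaml_text, p), "sids": sids}
            for p, sids in disabled_protocol_rules(log_text.splitlines()).items()}


if __name__ == "__main__":
    for proto, info in sorted(triage(SAMPLE_LOG, SAMPLE_YAML).items()):
        print(f"{proto}: app-layer.protocols.{proto}.enabled={info['enabled']} rejected sids={info['sids']}")
    print("\n".join(disable_conf_entries(disabled_protocol_rules(SAMPLE_LOG.splitlines()))))
```

If the sensor should actually inspect Modbus/DNP3 traffic, flip the `enabled:` keys the script reports to `yes` instead of writing disable.conf; otherwise drop the emitted lines into suricata-update's disable.conf (or use `group:modbus-events.rules` / `group:dnp3-events.rules` to skip the whole built-in files), rerun `suricata-update`, and re-check with `suricata -T -c /etc/suricata/suricata.yaml` before restarting.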