modbus event_type with Suricata?


Network Monitoring Guy

Apr 16, 2017, 3:44:57 PM
to security-onion
Hello,

I'm trying to generate some modbus events using Suricata.

I was able to generate DNP3 events using these PCAPs

http://www.netresec.com/?page=PCAP4SICS

Here is an example of the type of event I'm looking for with MODBUS, but this is for DNP3.

{"timestamp":"2015-10-22T04:46:25.989814-0400","flow_id":719070443301326,"pcap_cnt":837127,"event_type":"dnp3","src_ip":"192.168.2.166","src_port":2142,"dest_ip":"192.168.88.95","dest_port":20000,"proto":"TCP","dnp3":{"type":"request","control":{"dir":true,"pri":true,"fcb":false,"fcv":false,"function_code":4},"src":1,"dst":1024,"application":{"control":{"fir":true,"fin":true,"con":false,"uns":false,"sequence":1},"function_code":1,"objects":[{"group":60,"variation":2,"qualifier":6,"prefix_code":0,"range_code":6,"start":0,"stop":0,"count":0},{"group":60,"variation":3,"qualifier":6,"prefix_code":0,"range_code":6,"start":0,"stop":0,"count":0},{"group":60,"variation":4,"qualifier":6,"prefix_code":0,"range_code":6,"start":0,"stop":0,"count":0},{"group":60,"variation":1,"qualifier":6,"prefix_code":0,"range_code":6,"start":0,"stop":0,"count":0}],"complete":true}}}

But I notice that modbus only appears in the app_proto field and it does not create its own event_type (like above).

Is that expected behavior for Suricata or could I be missing something in the config?

I notice that under types at line 243 of https://github.com/inliniac/suricata/blob/master/suricata.yaml.in there is a type for dnp3, but no type for modbus.

I'm guessing this is why no event is generated, but how could the same be achieved for modbus?
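To make concrete what a Modbus equivalent of the DNP3 record above would carry, here is a small Modbus/TCP decoder that turns raw frames into an EVE-style JSON event. This is an added example and not code from the thread or from Suricata; the field names inside the "modbus" object, the hypothetical event_type value "modbus", and the port-502 heuristic used to tell requests from responses are all my own choices, modelled on the DNP3 record above. The sample frames are constructed by hand, not taken from the PCAP4SICS captures.

```python
"""Decode Modbus/TCP ADUs and emit Suricata-EVE-style JSON events.

Added example: the event layout is an assumption modelled on the DNP3 EVE
record, not an actual Suricata output format.
"""
import json
import struct
from datetime import datetime, timezone

MODBUS_PORT = 502  # assumption: traffic to tcp/502 is a request, from it a response

FUNCTION_NAMES = {
    1: "read_coils", 2: "read_discrete_inputs",
    3: "read_holding_registers", 4: "read_input_registers",
    5: "write_single_coil", 6: "write_single_register",
    15: "write_multiple_coils", 16: "write_multiple_registers",
}
WRITE_FUNCTIONS = {5, 6, 15, 16}
EXCEPTION_NAMES = {1: "illegal_function", 2: "illegal_data_address",
                   3: "illegal_data_value", 4: "server_device_failure"}


def _need(buf: bytes, n: int) -> None:
    if len(buf) < n:
        raise ValueError("PDU truncated: need %d bytes, have %d" % (n, len(buf)))


def parse_modbus_tcp(frame: bytes, to_server: bool) -> dict:
    """Decode one ADU: 7-byte MBAP header, then function code and data."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, proto_id, length, unit = struct.unpack("!HHHB", frame[:7])
    if proto_id != 0:
        raise ValueError("MBAP protocol id must be 0 for Modbus")
    # MBAP length counts unit id + PDU, i.e. everything after byte 6.
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    fc = frame[7]
    pdu = frame[8:]
    out = {
        "type": "request" if to_server else "response",
        "transaction_id": tid,
        "unit_id": unit,
        "function_code": fc & 0x7F,
        "function": FUNCTION_NAMES.get(fc & 0x7F, "unknown"),
        "write": (fc & 0x7F) in WRITE_FUNCTIONS,
    }
    if fc & 0x80:  # exception response: high bit set, one exception-code byte
        _need(pdu, 1)
        out["exception_code"] = pdu[0]
        out["exception"] = EXCEPTION_NAMES.get(pdu[0], "unknown")
    elif to_server and fc in (1, 2, 3, 4):
        _need(pdu, 4)
        out["address"], out["quantity"] = struct.unpack("!HH", pdu[:4])
    elif to_server and fc in (5, 6):
        _need(pdu, 4)
        out["address"], out["value"] = struct.unpack("!HH", pdu[:4])
    elif to_server and fc in (15, 16):
        _need(pdu, 5)
        out["address"], out["quantity"], count = struct.unpack("!HHB", pdu[:5])
        out["values"] = pdu[5:5 + count].hex()
    elif not to_server and fc in (1, 2, 3, 4):
        _need(pdu, 1)
        out["values"] = pdu[1:1 + pdu[0]].hex()
    elif not to_server and fc in (5, 6, 15, 16):
        _need(pdu, 4)
        key = "value" if fc in (5, 6) else "quantity"
        out["address"], out[key] = struct.unpack("!HH", pdu[:4])
    return out


def build_event(frame, src_ip, src_port, dest_ip, dest_port, ts=None) -> dict:
    """Wrap a decoded ADU in an EVE-like envelope (layout is an assumption)."""
    ts = ts or datetime.now(timezone.utc)
    return {
        "timestamp": ts.isoformat(),
        "event_type": "modbus",
        "src_ip": src_ip, "src_port": src_port,
        "dest_ip": dest_ip, "dest_port": dest_port,
        "proto": "TCP",
        "modbus": parse_modbus_tcp(frame, to_server=(dest_port == MODBUS_PORT)),
    }


def is_unauthorized_write(event: dict, allowed_masters: set) -> bool:
    """Detection logic: a write request from a host that is not a known master."""
    m = event["modbus"]
    return m["type"] == "request" and m["write"] and event["src_ip"] not in allowed_masters


# Constructed sample frames (MBAP + PDU), not captured traffic.
WRITE_REQ = bytes.fromhex("000100000006" "0106" "0010" "1234")       # write reg 16 := 0x1234
READ_REQ = bytes.fromhex("000200000006" "0103" "0000" "000a")        # read 10 holding regs @0
READ_RESP = bytes.fromhex("000200000007" "0103" "04" "000a000b")     # 2 registers returned
EXC_RESP = bytes.fromhex("000300000003" "0186" "02")                 # fc 6 -> illegal address

if __name__ == "__main__":
    for frame, src, sp, dst, dp in [
        (WRITE_REQ, "192.168.2.166", 2142, "192.168.88.95", 502),
        (READ_REQ, "192.168.2.166", 2142, "192.168.88.95", 502),
        (READ_RESP, "192.168.88.95", 502, "192.168.2.166", 2142),
        (EXC_RESP, "192.168.88.95", 502, "192.168.2.166", 2142),
    ]:
        print(json.dumps(build_event(frame, src, sp, dst, dp)))
```

The `is_unauthorized_write` check is the kind of condition Suricata's modbus detection keywords let a rule express; the decoder shows the fields such a rule has to work from (unit id, function code, address, value) even when no event record is written.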

Jason Ish

Apr 16, 2017, 10:46:08 PM
to securit...@googlegroups.com
There is no modbus event type at this time like there is for DNP3. The
modbus support is limited to some keywords for detection on the decoded
parts of the protocol.

If you'd like to see such a feature I suggest you file a request on the
Suricata issue tracker:

https://redmine.openinfosecfoundation.org/projects/suricata

Jason


Network Monitoring Guy

Apr 16, 2017, 10:59:50 PM
to security-onion

Thank you, Jason. Ticket created: https://redmine.openinfosecfoundation.org/issues/2096
