Just in case my bro version did not include the fix you mentioned, Johanna, I updated bro yesterday and re-ran the test. My output was the same as before. I followed up with a test on a pcap with DNP3 traffic. My test script output included "Analyzer::ANALYZER_DNP3_TCP". It appears that for whatever reason, there may still be a disconnect between the MODBUS analyzer and ProtocolConfirmation().
Earl
The best option at this point would be to give us a small sample of the traffic that isn’t working correctly for you.
.Seth
I'll see what I can do; our data is not public. Can ICIR execute an NDA?
I can say that the MODBUS-specific logs (modbus, known_modbus and modbus_register_change) seem to be generated properly, and that Wireshark labels the traffic correctly.
Earl
We did write a simple anonymizer for a power company to share traces with us that you could use. Of course, then it isn't exactly the same data anymore.
That's certainly worth a try. How do I access this?
Earl