Known_services detection for MODBUS

Hi All,

I had a recent case where MODBUS was reported in the known_services.log file for the scanning attempts on port 502, with no connection being set up. I always thought that a known_service is logged when the complete handshake is seen in the connection:

$ zcat known_services.22:00:00-23:00:00.log.gz | grep "128.175.10.187" | grep "MODBUS" | more
1544756649.284460 128.175.10.187 502 tcp MODBUS
1544756677.105590 128.175.10.187 502 tcp MODBUS

$ zcat conn.22:00:00-23:00:00.log.gz | grep "modbus" | awk -F'\t' '{if ($5 ~ /128.175.10.187/) print;}' | more
1544756649.284460 Coix4i2Hvzy3fHMFH5 118.26.141.219 3901 128.175.10.187 502 tcp modbus - - - S0 F T 0 S 1 60 0 0 (empty) worker-2-10
1544756677.105590 C1wLrc4pJoc30fJvL 118.26.141.219 1471 128.175.10.187 502 tcp modbus - - - S0 F T 0 S 1 60 0 0 (empty) worker-4-5

Usually the number of entries logged in the known_services.log file ranges between 900-2000 for an hour, but that day for a single hour it was completely swamped by the MODBUS service logs for the heavy scanning on port 502.

$ zcat known_services.22:00:00-23:00:00.log.gz | grep "MODBUS" | wc -l
96949

I am looking into the issue, but just wanted to share here in case someone already knows about this and can provide any input; I don't want to re-invent the wheel :slight_smile:

Thanks!
Fatema.
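A triage script for the situation described in the post, added here as an example and not part of the original thread or of Zeek itself: it cross-checks known_services.log entries against conn.log and flags any host/port/proto that was logged as a known service although no connection to it ever completed the TCP handshake (conn_state S0 and the like). The sample log lines are constructed in Zeek's tab-separated ASCII format, modelled on the values shown above, and only the first twelve conn.log columns are used.

```python
"""Flag known_services entries backed only by unestablished connections."""

# Constructed sample lines (tab-separated, as Zeek's ASCII writer emits them).
KNOWN_SERVICES_LOG = """\
1544756649.284460\t128.175.10.187\t502\ttcp\tMODBUS
1544756677.105590\t128.175.10.187\t502\ttcp\tMODBUS
1544756700.000000\t128.175.10.50\t22\ttcp\tSSH
"""

CONN_LOG = """\
1544756649.284460\tCoix4i2Hvzy3fHMFH5\t118.26.141.219\t3901\t128.175.10.187\t502\ttcp\tmodbus\t-\t-\t-\tS0\tF\tT\t0\tS\t1\t60\t0\t0\t(empty)
1544756677.105590\tC1wLrc4pJoc30fJvL\t118.26.141.219\t1471\t128.175.10.187\t502\ttcp\tmodbus\t-\t-\t-\tS0\tF\tT\t0\tS\t1\t60\t0\t0\t(empty)
1544756700.000000\tCabc123\t10.0.0.5\t40000\t128.175.10.50\t22\ttcp\tssh\t1.2\t300\t400\tSF\tF\tT\t0\tShAdDaFf\t5\t500\t5\t600\t(empty)
"""

# conn_state values in which the three-way handshake completed; S0, REJ,
# RSTOS0, SH, OTH etc. never reached ESTABLISHED.
ESTABLISHED_STATES = {"S1", "SF", "S2", "S3", "RSTO", "RSTR"}

CONN_FIELDS = ["ts", "uid", "orig_h", "orig_p", "resp_h", "resp_p", "proto",
               "service", "duration", "orig_bytes", "resp_bytes", "conn_state"]
KNOWN_FIELDS = ["ts", "host", "port_num", "port_proto", "service"]


def parse_tsv(text, fields):
    """Map the leading columns of each non-comment line onto the given field names."""
    return [dict(zip(fields, line.split("\t")))
            for line in text.splitlines() if line and not line.startswith("#")]


def established_endpoints(conn_text):
    """Set of (resp_h, resp_p, proto) that saw at least one established connection."""
    return {(r["resp_h"], r["resp_p"], r["proto"])
            for r in parse_tsv(conn_text, CONN_FIELDS)
            if r["conn_state"] in ESTABLISHED_STATES}


def suspect_services(known_text, conn_text):
    """known_services rows whose host/port/proto never completed a handshake in conn.log."""
    established = established_endpoints(conn_text)
    return [r for r in parse_tsv(known_text, KNOWN_FIELDS)
            if (r["host"], r["port_num"], r["port_proto"]) not in established]


if __name__ == "__main__":
    for s in suspect_services(KNOWN_SERVICES_LOG, CONN_LOG):
        print(f"{s['ts']} {s['host']}:{s['port_num']}/{s['port_proto']} "
              f"{s['service']} logged without any established connection")
```

Point the two constants at real hourly logs (zcat the .gz files first) to get the per-hour count of entries that came only from scans.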