Modbus protocol event handler for Bro

I’m reviewing this paper and the related code for DNP3:

But I have a network I’m analyzing that has modbus over tcp and has implemented things in a somewhat unorthodox way. They’ve used port assignments as a means of categorizing subsets of systems, and a bit of security by obscurity. So nothing is on the standard port 502. It’s all over the place on ranges of ports from 2100 to 9900.

Enter Bro and it’s acclaimed ability to recognize protocols not by port number but by semantics of the payload.

But has anyone done this for modbus yet? Anyone interested to use it if I start working on it? (read: volunteer beta tester and guinea pig).

What about other ICS/SCADA protocols?

When I was reviewing and preparing the modbus analyzer to be merged I didn't create signatures for DPD because modbus doesn't have a very clear structure to identify. I'll file a ticket now to come back around before the release and try to make a signature for identifying modbus.

Regardless, you will always be able to define ports that the analyzer is always used on.