I’m reviewing this paper and the related code for DNP3:
http://csiir.ornl.gov/csiirw/12/BPAwards/csiirw8Submission7.pdf
But I have a network I’m analyzing that has Modbus over TCP and has implemented things in a somewhat unorthodox way. They’ve used port assignments as a means of categorizing subsets of systems, and a bit of security by obscurity. So nothing is on the standard port 502. It’s all over the place on ranges of ports from 2100 to 9900.
Enter Bro and its acclaimed ability to recognize protocols not by port number but by semantics of the payload.
But has anyone done this for Modbus yet? Anyone interested to use it if I start working on it? (read: volunteer beta tester and guinea pig).
What about other ICS/SCADA protocols?
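A payload-based check of the kind the post is asking about, added here as an example (not the poster's code and not Bro's own Modbus analyzer): it labels constructed Modbus/TCP traffic on ports 2100 and 9900 by validating the MBAP header semantics instead of trusting the port, which is the same idea as Bro's dynamic protocol detection. The function-code set and the sample flows are assumptions made for the example.

```python
import struct

# Public Modbus function codes a request/response would carry (subset, assumed
# for this example); an exception response sets the high bit of the code.
MODBUS_FUNCTION_CODES = {1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 15, 16, 17, 20, 21, 22, 23, 24, 43}

MBAP_LEN = 7  # transaction id (2) + protocol id (2) + length (2) + unit id (1)


def looks_like_modbus_tcp(payload: bytes) -> bool:
    """Return True if payload parses as a well-formed Modbus/TCP ADU.

    The decision uses header semantics, not the TCP port: protocol id must be 0,
    the length field must equal the bytes that follow it (unit id + PDU), the
    ADU must fit the 260-byte maximum, and the function code must be public.
    """
    if len(payload) < MBAP_LEN + 1:  # need at least the function code byte
        return False
    _transaction_id, protocol_id, length, _unit_id = struct.unpack(">HHHB", payload[:MBAP_LEN])
    if protocol_id != 0:
        return False
    # length covers unit id + PDU; PDU max is 253 bytes, so length max is 254
    if length != len(payload) - 6 or length > 254:
        return False
    function_code = payload[MBAP_LEN] & 0x7F
    return function_code in MODBUS_FUNCTION_CODES


def classify_flows(flows):
    """Label (src, dst_port, payload) records by payload content, ignoring the port."""
    return [
        (src, dport, "modbus_tcp" if looks_like_modbus_tcp(payload) else "unknown")
        for src, dport, payload in flows
    ]


# Constructed sample flows (not real captures): Modbus on the non-standard ports
# the post describes, plus an HTTP request on 502 that must not be mislabelled.
SAMPLE_FLOWS = [
    # Read Holding Registers (fc 3): start 0, count 10, unit 1, on port 2100
    ("10.0.0.5", 2100, bytes.fromhex("0001000000060103" "0000000a")),
    # Write Single Register (fc 6): register 0x0010 = 0x1234, on port 9900
    ("10.0.0.6", 9900, bytes.fromhex("0002000000060106" "00101234")),
    # Plain HTTP on the Modbus port: protocol id field is not 0, so rejected
    ("10.0.0.7", 502, b"GET / HTTP/1.1\r\nHost: plc\r\n\r\n"),
]

if __name__ == "__main__":
    for src, dport, label in classify_flows(SAMPLE_FLOWS):
        print(f"{src}:{dport} -> {label}")
```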