Modbus protocol event handler for Bro

I’m reviewing this paper and the related code for DNP3:
http://csiir.ornl.gov/csiirw/12/BPAwards/csiirw8Submission7.pdf

But I have a network I’m analyzing that has modbus over tcp and has implemented things in a somewhat unorthodox way. They’ve used port assignments as a means of categorizing subsets of systems, and a bit of security by obscurity. So nothing is on the standard port 502. It’s all over the place on ranges of ports from 2100 to 9900.

Enter Bro and its acclaimed ability to recognize protocols not by port number but by semantics of the payload.

But has anyone done this for modbus yet? Anyone interested to use it if I start working on it? (read: volunteer beta tester and guinea pig).

What about other ICS/SCADA protocols?

When I was reviewing and preparing the modbus analyzer to be merged I didn't create signatures for DPD because modbus doesn't have a very clear structure to identify. I'll file a ticket now to come back around before the release and try to make a signature for identifying modbus.

Regardless, you will always be able to define ports that the analyzer is always used on.

  .Seth
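As an added example (not part of either post and not Bro's own Modbus scripts), a site-local policy script that does what the reply describes: it pins the Modbus analyzer to the site's non-standard ports so that traffic there is parsed even though no DPD signature exists, and it uses the analyzer's own `modbus_message` event to flag Modbus seen on any port outside that list. The port values are assumed for illustration; the real 2100 to 9900 assignments would come from the site's port inventory, since the analyzer needs an explicit set of ports, not a range. The registration call is the Bro 2.2+ `Analyzer::register_for_ports` API; Bro 2.1 used `redef dpd_config` instead, as noted in the comments.

```bro
# Site-local script (hypothetical name: site/modbus-ports.bro).
# Added example, not from the original thread or from Bro's base scripts.
#
# Assumes Bro 2.2 or later. On Bro 2.1 replace the bro_init() body with:
#   redef dpd_config += { [ANALYZER_MODBUS] = [$ports = SiteModbus::nonstandard_ports] };

@load base/protocols/modbus

module SiteModbus;

export {
	## Ports on which this site runs Modbus/TCP instead of 502/tcp.
	## The values below are assumed for the example; fill in the real
	## assignments from the site's port inventory.
	const nonstandard_ports: set[port] = {
		2100/tcp, 2101/tcp, 3300/tcp, 5500/tcp, 9900/tcp,
	} &redef;
}

event bro_init() &priority=5
	{
	# Attach the Modbus analyzer to these ports unconditionally, independent
	# of dynamic protocol detection (which has no Modbus signature here).
	Analyzer::register_for_ports(Analyzer::ANALYZER_MODBUS, nonstandard_ports);
	}

# The analyzer raises modbus_message for every PDU it parses. A message on a
# responder port that is neither 502/tcp nor in nonstandard_ports means the
# port list is incomplete (or something else is speaking Modbus).
event modbus_message(c: connection, headers: ModbusHeaders, is_orig: bool)
	{
	if ( c$id$resp_p != 502/tcp && c$id$resp_p !in nonstandard_ports )
		print fmt("Modbus on unexpected port %s: %s -> %s, unit %d, function code %d",
		          c$id$resp_p, c$id$orig_h, c$id$resp_h, headers$uid, headers$function_code);
	}
```

Load it with `@load site/modbus-ports` from `local.bro` (or `bro -r trace.pcap site/modbus-ports.bro` against a capture). Because `nonstandard_ports` is `&redef`, a second site file can extend the set without editing this one. The `print` in `modbus_message` is deliberately simple; in production it would become a `NOTICE` so the gap in the port inventory shows up in `notice.log`.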