Suricata

Do you have a modbus section in your config? Under app-layer:

    # Note: Modbus probe parser is minimalist due to the poor significant field
    # Only Modbus message length (greater than Modbus header length)
    # And Protocol ID (equal to 0) are checked in probing parser
    # It is important to enable detection port and define Modbus port
    # to avoid false positive
    modbus:
      # How many unreplied Modbus requests are considered a flood.
      # If the limit is reached, app-layer-event:modbus.flooded; will match.
      #request-flood: 500

      enabled: yes
      detection-ports:
        dp: 502
      # According to MODBUS Messaging on TCP/IP Implementation Guide V1.0b, it 
      # is recommended to keep the TCP connection opened with a remote device 
      # and not to open and close it for each MODBUS/TCP transaction. In that 
      # case, it is important to set the depth of the stream reassembling as
      # unlimited (stream.reassembly.depth: 0)

Victor Julien wrote:

Do you have a modbus section in your config? Under app-layer:
[...]

i do now. thx. fixed.