Project

General

Profile

Actions

Bug #1574

closed

Modbus: Seeing two alerts for a single invalid length modbus request packet

Added by Bakul Khanna almost 6 years ago. Updated over 3 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
-
Affected Versions:
Effort:
Difficulty:
Label:

Description

Via a small PCAP file, consisting of some request and response modbus packets, I'm sending an invalid length request modbus packet. I have added logging to ModbusSetEvent() and see it being logged only once as below. I have also added logging for the four spots in app-layer-modbus.c where it detects an INVALID_LENGTH. I see it being logged only once as below. This is consistent with the packets in the PCAP file I play.
[17118] 7/10/2015 -- 12:17:11 - (app-layer-modbus.c:184) <Debug>(ModbusSetEvent) -- ModbusSetEvent
[17118] 7/10/2015 -- 12:17:11 - (app-layer-modbus.c:474) <Debug> (ModbusCheckHeader) -- INVALID LENGTH length=1025

However I always see two alerts in fast.log as follows:
11/23/2011-07:43:30.842526 [**] [1:2250003:1] SURICATA Modbus invalid Length[**][Classification: (null)] [Priority: 3] {TCP} 192.168.1.1:47762 -> 192.168.1.2:502
11/23/2011-07:43:30.842526 [**] [1:2250003:1] SURICATA Modbus invalid Length[**][Classification: (null)] [Priority: 3] {TCP} 192.168.1.2:502 -> 192.168.1.1:47762
The first alert corresponds to the invalid length request modbus packet. The second alert is spurious; it corresponds to a response modbus packet and should not be generated.


Files

lengthBiggerThan255.pcap (2.87 KB) lengthBiggerThan255.pcap David DIALLO, 01/24/2018 04:44 PM
Actions #1

Updated by David DIALLO over 5 years ago

  • Assignee set to David DIALLO
Actions #2

Updated by Victor Julien over 5 years ago

  • Status changed from New to Assigned
  • Target version set to 70
Actions #3

Updated by David DIALLO over 3 years ago

This issue is fixed thanks to commit flow/stream: reduce/disable pseudo packet injections (149e3240602e070d88c833088a5bf045d3b349a3)
A pcap file (sent by Bakul Khanna) is available in attach to reproduce the issue.

Actions #4

Updated by David DIALLO over 3 years ago

  • Status changed from Assigned to Resolved
Actions #5

Updated by Andreas Herz over 3 years ago

  • Status changed from Resolved to Closed
  • Target version deleted (70)
Actions

Also available in: Atom PDF