Project

General

Profile

Actions

Bug #1574

closed

Modbus: Seeing two alerts for a single invalid length modbus request packet

Added by Bakul Khanna almost 7 years ago. Updated over 4 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
-
Affected Versions:
Effort:
Difficulty:
Label:

Description

Via a small PCAP file, consisting of some request and response modbus packets, I'm sending an invalid length request modbus packet. I have added logging to ModbusSetEvent() and see it being logged only once as below. I have also added logging for the four spots in app-layer-modbus.c where it detects an INVALID_LENGTH. I see it being logged only once as below. This is consistent with the packets in the PCAP file I play.
[17118] 7/10/2015 -- 12:17:11 - (app-layer-modbus.c:184) <Debug>(ModbusSetEvent) -- ModbusSetEvent
[17118] 7/10/2015 -- 12:17:11 - (app-layer-modbus.c:474) <Debug> (ModbusCheckHeader) -- INVALID LENGTH length=1025

However I always see two alerts in fast.log as follows:
11/23/2011-07:43:30.842526 [**] [1:2250003:1] SURICATA Modbus invalid Length[**][Classification: (null)] [Priority: 3] {TCP} 192.168.1.1:47762 -> 192.168.1.2:502
11/23/2011-07:43:30.842526 [**] [1:2250003:1] SURICATA Modbus invalid Length[**][Classification: (null)] [Priority: 3] {TCP} 192.168.1.2:502 -> 192.168.1.1:47762
The first alert corresponds to the invalid length request modbus packet. The second alert is spurious; it corresponds to a response modbus packet and should not be generated.


Files

lengthBiggerThan255.pcap (2.87 KB) lengthBiggerThan255.pcap David DIALLO, 01/24/2018 04:44 PM
Actions

Also available in: Atom PDF