Feature #1579

closed

Support Modbus Unit Identifier

Added by Jason Ish almost 6 years ago. Updated over 3 years ago.

Status: Closed
Priority: Normal

Description

[Feature request added here on behalf of someone else]

The Modbus/TCP protocol frame format supports a field called the ‘unit identifier’. When Modbus/TCP devices are directly addressable through TCP this field has recommended default values. Some Modbus/TCP devices are co-located with other devices, and occasionally some Modbus/TCP devices act as gateways to other Modbus/TCP devices (perhaps connected serially to the gateway device). When the destination IP address does not suffice to uniquely identify the Modbus/TCP device, the 'unit identifier' field in some cases does. Support for this ‘unit identifier’ could be of utility when Suricata rules are meant to alert on device manipulation where those devices are behind a Modbus/TCP gateway or contained within a group of co-located Modbus/TCP devices.

A few references:

https://en.wikipedia.org/wiki/Modbus [ search for unit id in the page ]
https://www.snort.org/faq/readme-modbus
http://mblogic.sourceforge.net/mbapps/ModbusBasics-en.html
http://gridconnect.com/blog/tag/modbus-explained/

A few caveats:

I cannot point at a particular pcap file where I know this unit-id is used outside of device defaults (the Quickdraw Modbus/TCP pcap does use it, with what I presume is a device default (not broadcast)). I haven’t researched the devices that support it. I merely thought it would be “nice to have” without knowing exactly and precisely where (or when) it might be useful.
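
The request above turns on the destination IP not being enough to identify a device behind a gateway. As an added example (not part of the issue and not Suricata code), this Python code parses the Modbus/TCP MBAP header and counts write requests per (destination IP, unit identifier). The sample frames, the gateway address and the function names are constructed for illustration.

```python
import struct
from collections import namedtuple

MBAP = struct.Struct(">HHHB")     # transaction id, protocol id, length, unit id
WRITE_FUNCTIONS = {5, 6, 15, 16}  # write single/multiple coils and registers

Request = namedtuple("Request", "transaction unit function data")

def parse_adu(payload: bytes) -> Request:
    """Parse one Modbus/TCP ADU (MBAP header + PDU) from a TCP payload."""
    if len(payload) < MBAP.size + 1:
        raise ValueError("truncated: need 7-byte MBAP header plus function code")
    transaction, protocol, length, unit = MBAP.unpack_from(payload)
    if protocol != 0:
        raise ValueError("protocol identifier is not 0 (not Modbus)")
    # The length field counts the unit identifier plus the PDU.
    if length < 2 or len(payload) < 6 + length:
        raise ValueError("length field does not match payload")
    pdu = payload[MBAP.size:6 + length]
    return Request(transaction, unit, pdu[0], pdu[1:])

def writes_by_device(frames):
    """Count write requests per (destination IP, unit identifier)."""
    counts = {}
    for dst_ip, payload in frames:
        try:
            req = parse_adu(payload)
        except ValueError:
            continue  # malformed frame, not attributable to a device
        if req.function in WRITE_FUNCTIONS:
            key = (dst_ip, req.unit)
            counts[key] = counts.get(key, 0) + 1
    return counts

# Constructed sample traffic: one gateway IP fronting units 1 and 17.
GATEWAY = "192.0.2.10"
SAMPLE = [
    (GATEWAY, bytes.fromhex("000100000006" "01" "03" "00000002")),  # unit 1, read holding registers
    (GATEWAY, bytes.fromhex("000200000006" "11" "06" "000100ff")),  # unit 17, write single register
    (GATEWAY, bytes.fromhex("000300000006" "11" "05" "0003ff00")),  # unit 17, write single coil
    (GATEWAY, bytes.fromhex("0004000000")),                         # truncated frame
]

if __name__ == "__main__":
    for (ip, unit), n in sorted(writes_by_device(SAMPLE).items()):
        print(f"{ip} unit {unit}: {n} write request(s)")
```

All four frames share one destination address; only the unit identifier shows that the writes target unit 17 and not unit 1.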

Actions #1

Updated by Andreas Herz over 5 years ago

  • Assignee set to OISF Dev
  • Target version set to TBD
Actions #2

Updated by David DIALLO over 5 years ago

  • Assignee changed from OISF Dev to David DIALLO
Actions #3

Updated by David DIALLO over 3 years ago

  • Status changed from New to Resolved
  • % Done changed from 0 to 100
Actions #4

Updated by Andreas Herz over 3 years ago

If it's resolved, can you set the issue to closed and link further information, like the pull request if it's fixed by one?

Actions #5

Updated by Victor Julien over 3 years ago

  • Status changed from Resolved to Closed
  • Target version changed from TBD to 4.1beta1