Suricata

[Feature request added on here on behalf of someone else]

The Modbus/TCP protocol frame format supports a field called the ‘unit identifier’. When Modbus/TCP devices are directly addressable through TCP this field has recommended default values. Some Modbus/TCP devices are co-located with other devices, and occasionally some Modbus/TCP devices act as gateways to other Modbus/TCP devices (perhaps connected serially to the gateway device). When destination IP address does not suffice to uniquely identify the Modbus/TCP device, the 'unit identifier' field in some cases does. Support for this ‘unit identifier’ could be of utility when Suricata rules are meant to alert on device manipulation where those devices are behind a Modbus/TCP gateway or contained within a group of co-located Modbus/TCP devices.

A few references:

https://en.wikipedia.org/wiki/Modbus [ search for unit id in the page ]
https://www.snort.org/faq/readme-modbus
http://mblogic.sourceforge.net/mbapps/ModbusBasics-en.html
http://gridconnect.com/blog/tag/modbus-explained/

A few caveats:

I cannot point at a particular pcap file where I know this unit-id is used outside of device defaults (the Quickdraw Modbus/TCP pcap does use it, with what I presume is a device default (not broadcast)). I haven’t researched the devices that support it. I merely thought it would be “nice to have” without knowing exactly and precisely where (or when) it might be useful.