Bug #5751

open

DNP3 preprocessor incorrectly parses READ requests

Added by Alex Lasky over 1 year ago. Updated about 1 year ago.

Status: New
Priority: Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label: Needs backport to 6.0

Description

The DNP3 preprocessor incorrectly parses read (function code 1) requests. Read requests only include object headers, not the object values. The DNP3 preprocessor is incorrectly treating 2nd and subsequent object headers in a read request as if they are object values for the 1st header, as shown by the attached eve application layer output for the g50v1 read request. Subsequent testing (not shown) using the signature 'dnp3_obj:50,1; dnp3_obj:60,2;' confirms that this is not just an artefact of the eve output, but that this is how the dnp3_obj rules also parse the fragment.


Files

DNP3ReassemblyError.json (3.2 KB), Alex Lasky, 12/12/2022 09:43 PM
DNP3ReassemblyError1.pcap (2.43 KB), Alex Lasky, 12/12/2022 09:43 PM
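
The header-only layout of a READ request that the description relies on, as an added example (not Suricata's code and not part of the original report). It walks the object headers of a READ fragment and never consumes object values, and it goes beyond the reported g50v1/g60v2 case by also handling start/stop ranges and index-prefixed counts. The function name and the sample bytes are constructed for illustration and are not taken from the attached pcap.

```python
# Range-field size in bytes, keyed by the qualifier's range specifier (low nibble).
RANGE_SIZE = {0x0: 2, 0x1: 4, 0x2: 8, 0x3: 2, 0x4: 4, 0x5: 8,
              0x6: 0, 0x7: 1, 0x8: 2, 0x9: 4}
# Index size in bytes, keyed by the object prefix code (qualifier bits 4-6).
INDEX_SIZE = {0: 0, 1: 1, 2: 2, 3: 4}
FC_READ = 0x01


def parse_read_headers(fragment: bytes):
    """Return [(group, variation, qualifier, range_or_count)] for a READ request.

    A READ carries object headers only, so after each header the cursor skips
    at most an index list, never object values.
    """
    if len(fragment) < 2 or fragment[1] != FC_READ:
        raise ValueError("not a READ request fragment")
    headers, pos = [], 2          # skip application control + function code
    while pos < len(fragment):
        if pos + 3 > len(fragment):
            raise ValueError("truncated object header")
        group, variation, qualifier = fragment[pos:pos + 3]
        pos += 3
        range_code, prefix_code = qualifier & 0x0F, (qualifier >> 4) & 0x07
        if range_code not in RANGE_SIZE or prefix_code not in INDEX_SIZE:
            raise ValueError(f"unsupported qualifier 0x{qualifier:02x}")
        size = RANGE_SIZE[range_code]
        if pos + size > len(fragment):
            raise ValueError("truncated range field")
        field = fragment[pos:pos + size]
        pos += size
        rng = None                # qualifier 0x06: all objects, no range field
        if range_code <= 0x5:     # start/stop pair
            half = size // 2
            rng = (int.from_bytes(field[:half], "little"),
                   int.from_bytes(field[half:], "little"))
        elif range_code >= 0x7:   # object count, optionally followed by indexes
            rng = int.from_bytes(field, "little")
            skip = rng * INDEX_SIZE[prefix_code]
            if pos + skip > len(fragment):
                raise ValueError("truncated index list")
            pos += skip
        headers.append((group, variation, qualifier, rng))
    return headers


# Constructed sample: application control 0xC1, function code 1, then
# g50v1 (qualifier 0x07, count 1) followed by g60v2 (qualifier 0x06).
SAMPLE_READ = bytes.fromhex("c101" "32010701" "3c0206")
```

On the constructed sample, a correct walk yields two headers, g50v1 and g60v2; a parser that expected a g50v1 value after the first header would instead swallow the three bytes of the g60v2 header.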
Actions #1

Updated by Jason Ish over 1 year ago

  • Assignee changed from OISF Dev to Jason Ish

Thanks for trying out the DNP3 support. I'll take a look at these as soon as possible, but might be a week or so until I can.

Actions #2

Updated by Michael Torres about 1 year ago

I'd love to take this one if you're OK with it, Jason.
