Suricata

Currently, the usefulness of the DNP3 keywords is severely hindered by their limitations. This is especially true for dnp3_obj, where hundreds of rules may be required to specify the objects you want to filter/detect especially if the var field contains a length in bytes. There is also no current mechanism to filter by point index or (less important) point value, as the Modbus keywords already let you do. To address this I propose the following alternative syntax for the dnp3_obj keyword, with associated detection code:

dnp3_obj:group <ranges> [, var <ranges>] [, index <ranges>] [, value <ranges>]
where:
ranges ::= <range> [, <range> ...]
range ::= <min>-<max>|[<|>|!]<value>

Alternatively you could use the <> operator to indicate max/min range as some of the other keywords do, but that is a poor syntax given its extensive prior use to mean "not-equals". For file or data set objects, value would be the name of the file or data set as a double-quoted string.