Bug #7612
openModbus regression from Suricata 6 to 7
Description
There seems to be a regression in the modbus parser between Suricata 6 and 7 when replaying https://github.com/ITI/ICS-Security-Tools/blob/master/pcaps/bro/modbus/modbus.pcap as a source.
Output with Suricata 6.0.20 where we have 4 flows with `app_proto` set to `modbus`:
{
"timestamp": "2004-08-26T14:01:18.945447+0200",
"flow_id": 1453545012427633,
"event_type": "flow",
"src_ip": "10.0.0.57",
"src_port": 2579,
"dest_ip": "10.0.0.8",
"dest_port": 502,
"proto": "TCP",
"app_proto": "modbus",
"flow": {
"pkts_toserver": 6,
"pkts_toclient": 5,
"bytes_toserver": 374,
"bytes_toclient": 302,
"start": "2004-08-26T14:05:53.490353+0200",
"end": "2004-08-26T14:06:16.747072+0200",
"age": 23,
"state": "closed",
"reason": "shutdown",
"alerted": false
},
"tcp": {
"tcp_flags": "3b",
"tcp_flags_ts": "3b",
"tcp_flags_tc": "13",
"syn": true,
"fin": true,
"psh": true,
"ack": true,
"urg": true,
"state": "closed"
}
}
{
"timestamp": "2004-08-26T14:01:18.945447+0200",
"flow_id": 1755588569702907,
"event_type": "flow",
"src_ip": "10.0.0.57",
"src_port": 2578,
"dest_ip": "10.0.0.3",
"dest_port": 502,
"proto": "TCP",
"app_proto": "modbus",
"flow": {
"pkts_toserver": 20,
"pkts_toclient": 12,
"bytes_toserver": 1254,
"bytes_toclient": 800,
"start": "2004-08-26T14:01:21.696827+0200",
"end": "2004-08-26T14:07:47.391775+0200",
"age": 386,
"state": "established",
"reason": "shutdown",
"alerted": false
},
"tcp": {
"tcp_flags": "3b",
"tcp_flags_ts": "3b",
"tcp_flags_tc": "1b",
"syn": true,
"fin": true,
"psh": true,
"ack": true,
"urg": true,
"state": "fin_wait2"
}
}
{
"timestamp": "2004-08-26T14:01:18.945447+0200",
"flow_id": 1806557029495883,
"event_type": "flow",
"src_ip": "10.0.0.57",
"src_port": 2585,
"dest_ip": "10.0.0.8",
"dest_port": 502,
"proto": "TCP",
"app_proto": "modbus",
"flow": {
"pkts_toserver": 8,
"pkts_toclient": 7,
"bytes_toserver": 1384,
"bytes_toclient": 422,
"start": "2004-08-26T14:22:26.554059+0200",
"end": "2004-08-26T14:23:43.116262+0200",
"age": 77,
"state": "closed",
"reason": "shutdown",
"alerted": false
},
"tcp": {
"tcp_flags": "3b",
"tcp_flags_ts": "1b",
"tcp_flags_tc": "3b",
"syn": true,
"fin": true,
"psh": true,
"ack": true,
"urg": true,
"state": "closed"
}
}
{
"timestamp": "2004-08-26T14:01:18.945447+0200",
"flow_id": 44881663135779,
"event_type": "flow",
"src_ip": "10.0.0.9",
"src_port": 3082,
"dest_ip": "10.0.0.3",
"dest_port": 502,
"proto": "TCP",
"app_proto": "modbus",
"flow": {
"pkts_toserver": 16,
"pkts_toclient": 9,
"bytes_toserver": 998,
"bytes_toclient": 575,
"start": "2004-08-26T14:12:06.102435+0200",
"end": "2004-08-26T14:15:03.198170+0200",
"age": 177,
"state": "closed",
"reason": "shutdown",
"alerted": false
},
"tcp": {
"tcp_flags": "1b",
"tcp_flags_ts": "1b",
"tcp_flags_tc": "1b",
"syn": true,
"fin": true,
"psh": true,
"ack": true,
"state": "closed"
}
}
Output with Suricata 7.0.8 where we have 3 flows with `app_proto` set to `modbus`:
{
"timestamp": "2004-08-26T14:25:39.878395+0200",
"flow_id": 417201198152419,
"event_type": "flow",
"src_ip": "10.0.0.57",
"src_port": 2579,
"dest_ip": "10.0.0.8",
"dest_port": 502,
"proto": "TCP",
"app_proto": "modbus",
"flow": {
"pkts_toserver": 6,
"pkts_toclient": 5,
"bytes_toserver": 374,
"bytes_toclient": 302,
"start": "2004-08-26T14:05:53.490353+0200",
"end": "2004-08-26T14:06:16.747072+0200",
"age": 23,
"state": "closed",
"reason": "shutdown",
"alerted": false
},
"tcp": {
"tcp_flags": "1b",
"tcp_flags_ts": "1b",
"tcp_flags_tc": "13",
"syn": true,
"fin": true,
"psh": true,
"ack": true,
"state": "closed",
"ts_max_regions": 1,
"tc_max_regions": 1
}
}
{
"timestamp": "2004-08-26T14:25:39.878395+0200",
"flow_id": 459578595248221,
"event_type": "flow",
"src_ip": "10.0.0.57",
"src_port": 2578,
"dest_ip": "10.0.0.3",
"dest_port": 502,
"proto": "TCP",
"app_proto": "modbus",
"flow": {
"pkts_toserver": 20,
"pkts_toclient": 12,
"bytes_toserver": 1254,
"bytes_toclient": 800,
"start": "2004-08-26T14:01:21.696827+0200",
"end": "2004-08-26T14:07:47.391775+0200",
"age": 386,
"state": "established",
"reason": "shutdown",
"alerted": false
},
"tcp": {
"tcp_flags": "1b",
"tcp_flags_ts": "1a",
"tcp_flags_tc": "1b",
"syn": true,
"fin": true,
"psh": true,
"ack": true,
"state": "fin_wait2",
"ts_max_regions": 1,
"tc_max_regions": 1
}
}
{
"timestamp": "2004-08-26T14:25:39.878395+0200",
"flow_id": 1847331805319692,
"event_type": "flow",
"src_ip": "10.0.0.9",
"src_port": 3082,
"dest_ip": "10.0.0.3",
"dest_port": 502,
"proto": "TCP",
"app_proto": "modbus",
"flow": {
"pkts_toserver": 16,
"pkts_toclient": 9,
"bytes_toserver": 998,
"bytes_toclient": 575,
"start": "2004-08-26T14:12:06.102435+0200",
"end": "2004-08-26T14:15:03.198170+0200",
"age": 177,
"state": "closed",
"reason": "shutdown",
"alerted": false
},
"tcp": {
"tcp_flags": "1b",
"tcp_flags_ts": "1b",
"tcp_flags_tc": "1b",
"syn": true,
"fin": true,
"psh": true,
"ack": true,
"state": "closed",
"ts_max_regions": 1,
"tc_max_regions": 1
}
}
So this specific flow (src_port 2585) is the one that no longer gets `app_proto` set to `modbus` in 7:
{
"timestamp": "2004-08-26T14:25:39.878395+0200",
"flow_id": 690817311456706,
"event_type": "flow",
"src_ip": "10.0.0.57",
"src_port": 2585,
"dest_ip": "10.0.0.8",
"dest_port": 502,
"proto": "TCP",
"flow": {
"pkts_toserver": 8,
"pkts_toclient": 7,
"bytes_toserver": 1384,
"bytes_toclient": 422,
"start": "2004-08-26T14:22:26.554059+0200",
"end": "2004-08-26T14:23:43.116262+0200",
"age": 77,
"state": "closed",
"reason": "shutdown",
"alerted": false
},
"tcp": {
"tcp_flags": "1b",
"tcp_flags_ts": "1b",
"tcp_flags_tc": "13",
"syn": true,
"fin": true,
"psh": true,
"ack": true,
"state": "closed",
"ts_max_regions": 1,
"tc_max_regions": 1
}
}
Updated by Victor Julien 8 months ago
- Status changed from New to Assigned
- Assignee changed from OISF Dev to Andreas Herz
Please create some SV tests.
Updated by Philippe Antoine 2 months ago
- Affected Versions 8.0.0 added
- Affected Versions deleted (6.0.20, 7.0.8)
Wireshark thinks 2585 is not modbus and I agree with it (mbtcp.len == 0x8804)
But Wireshark sees 2582 as modbus based on the server side, and Suricata does not, due to the probing parser...
8 also correctly sees 51411 as modbus, which was missed previously
So there is a bug in the probing parser on the server-to-client side when the server replies with an error code (illegal function): such flows are not detected as modbus
Updated by Jason Ish 2 months ago
Philippe Antoine wrote in #note-2:
Wireshark thinks 2585 is not modbus and I agree with it (mbtcp.len == 0x8804)
But wireshark sees 2582 as modbus from the server and suricata does not see it due to probing parser...
8 also sees 51411 as right modbus as was missed previously
So, there is a bug about probing parser from server when it replies error code (illegal function)
7 is still affected though, right?
Updated by Philippe Antoine about 2 months ago
7 is still affected though, right?
I have only looked at 8 so far, and there is a bug there to fix in 8:
So, there is a bug about probing parser from server when it replies error code (illegal function)