Bug #7612
openModbus regression from Suricata 6 to 7
Description
There seems to be a regression in the modbus parser between Suricata 6 and 7 when replaying the pcap https://github.com/ITI/ICS-Security-Tools/blob/master/pcaps/bro/modbus/modbus.pcap as the input source.
Output with Suricata 6.0.20 where we have 4 flows with `app_proto` set to `modbus`:
{
"timestamp": "2004-08-26T14:01:18.945447+0200",
"flow_id": 1453545012427633,
"event_type": "flow",
"src_ip": "10.0.0.57",
"src_port": 2579,
"dest_ip": "10.0.0.8",
"dest_port": 502,
"proto": "TCP",
"app_proto": "modbus",
"flow": {
"pkts_toserver": 6,
"pkts_toclient": 5,
"bytes_toserver": 374,
"bytes_toclient": 302,
"start": "2004-08-26T14:05:53.490353+0200",
"end": "2004-08-26T14:06:16.747072+0200",
"age": 23,
"state": "closed",
"reason": "shutdown",
"alerted": false
},
"tcp": {
"tcp_flags": "3b",
"tcp_flags_ts": "3b",
"tcp_flags_tc": "13",
"syn": true,
"fin": true,
"psh": true,
"ack": true,
"urg": true,
"state": "closed"
}
}
{
"timestamp": "2004-08-26T14:01:18.945447+0200",
"flow_id": 1755588569702907,
"event_type": "flow",
"src_ip": "10.0.0.57",
"src_port": 2578,
"dest_ip": "10.0.0.3",
"dest_port": 502,
"proto": "TCP",
"app_proto": "modbus",
"flow": {
"pkts_toserver": 20,
"pkts_toclient": 12,
"bytes_toserver": 1254,
"bytes_toclient": 800,
"start": "2004-08-26T14:01:21.696827+0200",
"end": "2004-08-26T14:07:47.391775+0200",
"age": 386,
"state": "established",
"reason": "shutdown",
"alerted": false
},
"tcp": {
"tcp_flags": "3b",
"tcp_flags_ts": "3b",
"tcp_flags_tc": "1b",
"syn": true,
"fin": true,
"psh": true,
"ack": true,
"urg": true,
"state": "fin_wait2"
}
}
{
"timestamp": "2004-08-26T14:01:18.945447+0200",
"flow_id": 1806557029495883,
"event_type": "flow",
"src_ip": "10.0.0.57",
"src_port": 2585,
"dest_ip": "10.0.0.8",
"dest_port": 502,
"proto": "TCP",
"app_proto": "modbus",
"flow": {
"pkts_toserver": 8,
"pkts_toclient": 7,
"bytes_toserver": 1384,
"bytes_toclient": 422,
"start": "2004-08-26T14:22:26.554059+0200",
"end": "2004-08-26T14:23:43.116262+0200",
"age": 77,
"state": "closed",
"reason": "shutdown",
"alerted": false
},
"tcp": {
"tcp_flags": "3b",
"tcp_flags_ts": "1b",
"tcp_flags_tc": "3b",
"syn": true,
"fin": true,
"psh": true,
"ack": true,
"urg": true,
"state": "closed"
}
}
{
"timestamp": "2004-08-26T14:01:18.945447+0200",
"flow_id": 44881663135779,
"event_type": "flow",
"src_ip": "10.0.0.9",
"src_port": 3082,
"dest_ip": "10.0.0.3",
"dest_port": 502,
"proto": "TCP",
"app_proto": "modbus",
"flow": {
"pkts_toserver": 16,
"pkts_toclient": 9,
"bytes_toserver": 998,
"bytes_toclient": 575,
"start": "2004-08-26T14:12:06.102435+0200",
"end": "2004-08-26T14:15:03.198170+0200",
"age": 177,
"state": "closed",
"reason": "shutdown",
"alerted": false
},
"tcp": {
"tcp_flags": "1b",
"tcp_flags_ts": "1b",
"tcp_flags_tc": "1b",
"syn": true,
"fin": true,
"psh": true,
"ack": true,
"state": "closed"
}
}
Output with Suricata 7.0.8 where we have 3 flows with `app_proto` set to `modbus`:
{
"timestamp": "2004-08-26T14:25:39.878395+0200",
"flow_id": 417201198152419,
"event_type": "flow",
"src_ip": "10.0.0.57",
"src_port": 2579,
"dest_ip": "10.0.0.8",
"dest_port": 502,
"proto": "TCP",
"app_proto": "modbus",
"flow": {
"pkts_toserver": 6,
"pkts_toclient": 5,
"bytes_toserver": 374,
"bytes_toclient": 302,
"start": "2004-08-26T14:05:53.490353+0200",
"end": "2004-08-26T14:06:16.747072+0200",
"age": 23,
"state": "closed",
"reason": "shutdown",
"alerted": false
},
"tcp": {
"tcp_flags": "1b",
"tcp_flags_ts": "1b",
"tcp_flags_tc": "13",
"syn": true,
"fin": true,
"psh": true,
"ack": true,
"state": "closed",
"ts_max_regions": 1,
"tc_max_regions": 1
}
}
{
"timestamp": "2004-08-26T14:25:39.878395+0200",
"flow_id": 459578595248221,
"event_type": "flow",
"src_ip": "10.0.0.57",
"src_port": 2578,
"dest_ip": "10.0.0.3",
"dest_port": 502,
"proto": "TCP",
"app_proto": "modbus",
"flow": {
"pkts_toserver": 20,
"pkts_toclient": 12,
"bytes_toserver": 1254,
"bytes_toclient": 800,
"start": "2004-08-26T14:01:21.696827+0200",
"end": "2004-08-26T14:07:47.391775+0200",
"age": 386,
"state": "established",
"reason": "shutdown",
"alerted": false
},
"tcp": {
"tcp_flags": "1b",
"tcp_flags_ts": "1a",
"tcp_flags_tc": "1b",
"syn": true,
"fin": true,
"psh": true,
"ack": true,
"state": "fin_wait2",
"ts_max_regions": 1,
"tc_max_regions": 1
}
}
{
"timestamp": "2004-08-26T14:25:39.878395+0200",
"flow_id": 1847331805319692,
"event_type": "flow",
"src_ip": "10.0.0.9",
"src_port": 3082,
"dest_ip": "10.0.0.3",
"dest_port": 502,
"proto": "TCP",
"app_proto": "modbus",
"flow": {
"pkts_toserver": 16,
"pkts_toclient": 9,
"bytes_toserver": 998,
"bytes_toclient": 575,
"start": "2004-08-26T14:12:06.102435+0200",
"end": "2004-08-26T14:15:03.198170+0200",
"age": 177,
"state": "closed",
"reason": "shutdown",
"alerted": false
},
"tcp": {
"tcp_flags": "1b",
"tcp_flags_ts": "1b",
"tcp_flags_tc": "1b",
"syn": true,
"fin": true,
"psh": true,
"ack": true,
"state": "closed",
"ts_max_regions": 1,
"tc_max_regions": 1
}
}
So this specific flow (10.0.0.57:2585 -> 10.0.0.8:502) no longer has `app_proto` set to `modbus` in 7:
{
"timestamp": "2004-08-26T14:25:39.878395+0200",
"flow_id": 690817311456706,
"event_type": "flow",
"src_ip": "10.0.0.57",
"src_port": 2585,
"dest_ip": "10.0.0.8",
"dest_port": 502,
"proto": "TCP",
"flow": {
"pkts_toserver": 8,
"pkts_toclient": 7,
"bytes_toserver": 1384,
"bytes_toclient": 422,
"start": "2004-08-26T14:22:26.554059+0200",
"end": "2004-08-26T14:23:43.116262+0200",
"age": 77,
"state": "closed",
"reason": "shutdown",
"alerted": false
},
"tcp": {
"tcp_flags": "1b",
"tcp_flags_ts": "1b",
"tcp_flags_tc": "13",
"syn": true,
"fin": true,
"psh": true,
"ack": true,
"state": "closed",
"ts_max_regions": 1,
"tc_max_regions": 1
}
}