[Bro] Modbus protocol event handler for Bro

Michael Haney michael-haney at utulsa.edu
Thu Mar 28 23:53:18 PDT 2013

I'm reviewing this paper and the related code for DNP3:

But I have a network I'm analyzing that has modbus over tcp and has
implemented things in a somewhat unorthodox way. They've used port
assignments as a means of categorizing subsets of systems, and a bit of
security by obscurity. So nothing is on the standard port 502. It's all
over the place on ranges of ports from 2100 to 9900.

Enter Bro and its acclaimed ability to recognize protocols not by port
number but by semantics of the payload.

But has anyone done this for modbus yet?  Anyone interested to use it if I
start working on it? (read: volunteer beta tester and guinea pig).

What about other ICS/SCADA protocols?

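As an added illustration (not Bro's Modbus analyzer, and not code from the poster), the payload checks a port-agnostic Modbus/TCP detector applies: the MBAP header must carry protocol identifier 0, a length field that matches the bytes actually present, and a function code from the public Modbus set. The sample segments below are constructed.

```python
import struct

# Public Modbus function codes (exception responses set the high bit, 0x80).
PUBLIC_FUNCTION_CODES = {1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 15, 16,
                         17, 20, 21, 22, 23, 24, 43}

def parse_modbus_tcp_segment(payload: bytes):
    """Split a TCP segment into Modbus/TCP ADUs using only payload semantics.

    Returns a list of (transaction_id, unit_id, function_code, pdu_data)
    tuples, or None if any part of the segment fails to look like Modbus/TCP.
    MBAP header layout (7 bytes, big-endian): transaction id (2),
    protocol id (2, always 0), length (2, counts unit id + PDU), unit id (1).
    """
    adus = []
    offset = 0
    while offset < len(payload):
        if len(payload) - offset < 8:          # header + at least a function code
            return None
        tid, pid, length, uid = struct.unpack_from(">HHHB", payload, offset)
        if pid != 0 or not (2 <= length <= 254):  # max ADU on TCP is 260 bytes
            return None
        end = offset + 6 + length
        if end > len(payload):                  # length field disagrees with data
            return None
        fc = payload[offset + 7]
        if (fc & 0x7F) not in PUBLIC_FUNCTION_CODES:
            return None
        adus.append((tid, uid, fc, bytes(payload[offset + 8:end])))
        offset = end
    return adus

def looks_like_modbus_tcp(payload: bytes) -> bool:
    """True when the whole segment parses as one or more Modbus/TCP ADUs."""
    adus = parse_modbus_tcp_segment(payload)
    return bool(adus)

# Constructed samples: a Read Holding Registers request (fc 3, start 0,
# quantity 10), an exception response to it, and an HTTP request on the
# same nonstandard port that must not be mistaken for Modbus.
READ_REQUEST = bytes.fromhex("0001 0000 0006 01 03 0000 000a")
EXC_RESPONSE = bytes.fromhex("0001 0000 0003 01 83 02")
HTTP_REQUEST = b"GET / HTTP/1.1\r\nHost: plc\r\n\r\n"

if __name__ == "__main__":
    for name, seg in [("request", READ_REQUEST), ("exception", EXC_RESPONSE),
                      ("http", HTTP_REQUEST)]:
        print(name, looks_like_modbus_tcp(seg), parse_modbus_tcp_segment(seg))
```

Two ADUs back to back in one segment are handled by the loop, and a truncated or over-long length field rejects the segment rather than guessing.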