[Bro-Dev] #875: Modbus REF parameter
Bro Tracker
bro at tracker.bro-ids.org
Wed Sep 12 06:29:08 PDT 2012
#875: Modbus REF parameter
------------------------+-----------------------------------------
Reporter: dina | Type: Task
Status: new | Priority: Normal
Milestone: | Component: Bro
Version: git/master | Keywords: Modbus analyser, REF offset
------------------------+-----------------------------------------
By Modbus specification, different FCs implicitly use different parts of
the PLC memory. Looking on the wire only, we do not see this. I think it
would be useful to include this knowledge about where the specific data
from a packet is supposed to be written in logs immediately.

For example, fc=3,6,16 work with PLC memory addresses that are >40000,
fc=4 works with values 30000-40000. On the wire we only see the REF
parameter which is typically 0-10000 (so it's a 'local' offset), thus we do
not see the memory offset there. This part is implemented in the client by
adding different offsets to the REF value in each packet (e.g., if
fc=3,6,16 use offset 40000, then real_ref=40000+ref). I used these offsets to
make logs in the .bro script in my branch.

This division of 10000 addresses is something I see as a practice on forums and
some unofficial manuals, but it's not defined in the specification. I
assume that, based on PLC capacity, there could be a different kind of
division between different parts of the memory map.

I suggest that we make a configuration file that defines the division of
PLC memory space and which offsets specific FCs use. As default, we can
put this division which I see as common practice. In specific cases, users
can change that config file to do proper remapping.

Seth, you can find a bit more about this division (and exact offsets for
each FC) here: http://www.simplymodbus.ca/faq.htm
--
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/875>
Bro Tracker <http://tracker.bro-ids.org/bro>
Bro Issue Tracker
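
The mapping proposed in the ticket, as an added example that is not part of the original message or of the Bro code base: a Python sketch that parses a Modbus/TCP request, reads the FC and REF from the wire, and logs the mapped address using a per-FC offset table that a site can override. The function names, the 10000-wide window check and the sample frames are assumptions constructed for illustration; the default offsets are the ones quoted in the ticket.

```python
import struct

# Default division described in the ticket; meant to be overridden per site.
DEFAULT_OFFSETS = {3: 40000, 6: 40000, 16: 40000, 4: 30000}
DEFAULT_WINDOW = 10000  # assumed size of each memory region

def parse_request(frame):
    """Return (unit_id, fc, ref) from one Modbus/TCP request frame.

    ref is the 16-bit field that follows the function code; callers should
    only interpret it for FCs whose request starts with an address.
    """
    if len(frame) < 8:
        raise ValueError("shorter than MBAP header plus function code")
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id is not 0 (not Modbus)")
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    fc = frame[7]
    ref = struct.unpack(">H", frame[8:10])[0] if len(frame) >= 10 else None
    return unit, fc, ref

def log_record(frame, offsets=DEFAULT_OFFSETS, window=DEFAULT_WINDOW):
    """Build a log entry carrying both the wire REF and the mapped address."""
    unit, fc, ref = parse_request(frame)
    rec = {"unit": unit, "fc": fc, "ref": None, "real_ref": None,
           "in_window": None}
    if fc in offsets and ref is not None:
        rec["ref"] = ref
        rec["real_ref"] = offsets[fc] + ref   # real_ref = offset + ref
        rec["in_window"] = ref < window       # False: spills into next region
    return rec

def make_request(fc, ref, count, unit=1, tid=1):
    """Constructed sample input: a 12-byte request (FC, REF, count/value)."""
    return struct.pack(">HHHBBHH", tid, 0, 6, unit, fc, ref, count)

if __name__ == "__main__":
    for fc, ref in [(3, 107), (4, 8), (6, 1), (4, 12000), (1, 19)]:
        print(log_record(make_request(fc, ref, 1)))
```

A record with `in_window` set to False means the wire REF is larger than the assumed region size, so the mapped address falls in another FC's range and the site's offset table likely needs adjusting.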