[Bro] Modbus protocol event handler for Bro

Seth Hall seth at icir.org
Fri Mar 29 17:51:15 PDT 2013


On Mar 29, 2013, at 2:53 AM, Michael Haney <michael-haney at utulsa.edu> wrote:

> But I have a network I'm analyzing that has modbus over tcp and has implemented things in a somewhat unorthodox way. They've used port assignments as a means of categorizing subsets of systems, and a bit of security by obscurity. So nothing is on the standard port 502. It's all over the place on ranges of ports from 2100 to 9900.

When I was reviewing and preparing the modbus analyzer to be merged I didn't create signatures for DPD because modbus doesn't have a very clear structure to identify.  I'll file a ticket now to come back around before the release and try to make a signature for identifying modbus.

Regardless, you will always be able to define ports that the analyzer is always used on.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/





More information about the Bro mailing list