[Bro] Modbus protocol event handler for Bro
Seth Hall
seth at icir.org
Fri Mar 29 17:51:15 PDT 2013
On Mar 29, 2013, at 2:53 AM, Michael Haney <michael-haney at utulsa.edu> wrote:
> But I have a network I'm analyzing that has Modbus over TCP and has implemented things in a somewhat unorthodox way. They've used port assignments as a means of categorizing subsets of systems, and a bit of security by obscurity. So nothing is on the standard port 502. It's all over the place on ranges of ports from 2100 to 9900.
When I was reviewing and preparing the Modbus analyzer to be merged, I didn't create signatures for DPD because Modbus doesn't have a very clear structure to identify. I'll file a ticket now to come back around before the release and try to make a signature for identifying Modbus.
Regardless, you will always be able to define ports that the analyzer is always used on.
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
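
An added example (not from the original message or the Bro project): a Python heuristic that tests the few fixed points in the Modbus/TCP MBAP header (protocol id 0, a consistent length field, a public function code) to shortlist non-standard ports worth assigning to the analyzer. The function names and sample payloads are constructed for illustration.

```python
import struct
from collections import defaultdict

MBAP_LEN = 7  # transaction id (2) + protocol id (2) + length (2) + unit id (1)
# Public function codes from the Modbus application protocol specification.
PUBLIC_FUNCTION_CODES = {1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 15, 16, 17,
                         20, 21, 22, 23, 24, 43}

def looks_like_modbus_tcp(payload: bytes) -> bool:
    """Heuristic check of the first Modbus/TCP ADU in a TCP payload."""
    if len(payload) < MBAP_LEN + 1:
        return False
    _tid, proto, length, _unit = struct.unpack(">HHHB", payload[:MBAP_LEN])
    if proto != 0:                 # protocol id is always 0 for Modbus
        return False
    if not 2 <= length <= 254:     # unit id + PDU (PDU is 1..253 bytes)
        return False
    if len(payload) < 6 + length:  # ADU truncated in this segment
        return False
    func = payload[MBAP_LEN] & 0x7F  # high bit set marks an exception response
    return func in PUBLIC_FUNCTION_CODES

def candidate_ports(flows, min_hits=2):
    """Sorted ports where every payload passed, seen at least min_hits times."""
    hits, total = defaultdict(int), defaultdict(int)
    for port, payload in flows:
        total[port] += 1
        hits[port] += looks_like_modbus_tcp(payload)
    return sorted(p for p in total if hits[p] == total[p] >= min_hits)

# Constructed sample payloads (not captured traffic).
READ_REQ = bytes.fromhex("000100000006010300000002")    # read 2 holding registers
READ_RSP = bytes.fromhex("000100000007010304002a002b")  # 4 data bytes returned
EXC_RSP = bytes.fromhex("000200000003018302")           # exception for function 3
HTTP_REQ = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
LOOKALIKE = bytes.fromhex("0000000000020001")           # non-Modbus bytes that pass

SAMPLE_FLOWS = [
    (2100, READ_REQ), (2100, READ_RSP),
    (9900, READ_REQ), (9900, EXC_RSP),
    (8080, HTTP_REQ), (8080, HTTP_REQ),
    (4000, READ_REQ),                    # single hit, below min_hits
]

if __name__ == "__main__":
    print(candidate_ports(SAMPLE_FLOWS))
```

`LOOKALIKE` passes the check even though it is just a run of mostly zero bytes, so treat the output as a shortlist to confirm by hand before registering ports.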