From: Stefan Schantl Date: Sun, 19 Dec 2021 14:51:58 +0000 (+0100) Subject: suricata.yaml: Add config options for modbus, dnp3 and enip protocols. X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ee87c2e33a9f90c6ce373851b57c58bb43ca1d2f;p=people%2Fstevee%2Fipfire-2.x.git suricata.yaml: Add config options for modbus, dnp3 and enip protocols. All of them are disabled by default, but may be needed in some environments and so easily can be enabled there. Signed-off-by: Stefan Schantl --- diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index 692d81c96d..830636c1b4 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -521,6 +521,41 @@ app-layer: double-decode-path: no double-decode-query: no + # Note: Modbus probe parser is minimalist due to the poor significant field + # Only Modbus message length (greater than Modbus header length) + # And Protocol ID (equal to 0) are checked in probing parser + # It is important to enable detection port and define Modbus port + # to avoid false positive + modbus: + # How many unreplied Modbus requests are considered a flood. + # If the limit is reached, app-layer-event:modbus.flooded; will match. + #request-flood: 500 + + enabled: no + detection-ports: + dp: 502 + # According to MODBUS Messaging on TCP/IP Implementation Guide V1.0b, it + # is recommended to keep the TCP connection opened with a remote device + # and not to open and close it for each MODBUS/TCP transaction. In that + # case, it is important to set the depth of the stream reassembling as + # unlimited (stream.reassembly.depth: 0) + + # Stream reassembly size for modbus. By default track it completely. + stream-depth: 0 + + # DNP3 + dnp3: + enabled: no + detection-ports: + dp: 20000 + + # SCADA EtherNet/IP and CIP protocol support + enip: + enabled: no + detection-ports: + dp: 44818 + sp: 44818 + ntp: enabled: yes dhcp:
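Review bot: the new `modbus:` block sets `stream-depth: 0`, which lifts the reassembly depth limit for Modbus flows once the parser is enabled, and leaves `request-flood` commented out, so the `app-layer-event:modbus.flooded` match described in the comment will not fire until a value is set; since the commit message invites users to enable these parsers, it should mention both consequences. The added blocks also have to nest at the same level as the existing `ntp:` entry under `app-layer:`, which the flattened hunk does not make verifiable, so the YAML should be checked with `suricata -T -c config/suricata/suricata.yaml` before merging.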