From ee87c2e33a9f90c6ce373851b57c58bb43ca1d2f Mon Sep 17 00:00:00 2001
From: Stefan Schantl
Date: Sun, 19 Dec 2021 15:51:58 +0100
Subject: [PATCH] suricata.yaml: Add config options for modbus, dnp3 and enip protocols.

All of them are disabled by default, but may be needed in some environments and so easily can be enabled there.

Signed-off-by: Stefan Schantl
---
config/suricata/suricata.yaml | 35 +++++++++++++++++++++++++++++++++++
1 file changed, 35 insertions(+)

diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml
index 692d81c96d..830636c1b4 100644
--- a/config/suricata/suricata.yaml
+++ b/config/suricata/suricata.yaml
@@ -521,6 +521,41 @@ app-layer:
 double-decode-path: no
 double-decode-query: no
+ # Note: Modbus probe parser is minimalist due to the poor significant field
+ # Only Modbus message length (greater than Modbus header length)
+ # And Protocol ID (equal to 0) are checked in probing parser
+ # It is important to enable detection port and define Modbus port
+ # to avoid false positive
+ modbus:
+ # How many unreplied Modbus requests are considered a flood.
+ # If the limit is reached, app-layer-event:modbus.flooded; will match.
+ #request-flood: 500
+
+ enabled: no
+ detection-ports:
+ dp: 502
+ # According to MODBUS Messaging on TCP/IP Implementation Guide V1.0b, it
+ # is recommended to keep the TCP connection opened with a remote device
+ # and not to open and close it for each MODBUS/TCP transaction. In that
+ # case, it is important to set the depth of the stream reassembling as
+ # unlimited (stream.reassembly.depth: 0)
+
+ # Stream reassembly size for modbus. By default track it completely.
+ stream-depth: 0
+
+ # DNP3
+ dnp3:
+ enabled: no
+ detection-ports:
+ dp: 20000
+
+ # SCADA EtherNet/IP and CIP protocol support
+ enip:
+ enabled: no
+ detection-ports:
+ dp: 44818
+ sp: 44818
+
 ntp:
 enabled: yes
 dhcp:
--
2.39.5
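Review bot: The `stream-depth: 0` added under the new modbus block removes the reassembly depth cap for every flow the modbus parser claims, so once an operator flips `enabled: no` to `enabled: yes` each long-lived Modbus/TCP session is reassembled without a per-flow limit and memory growth is bounded only by the global stream reassembly memcap, which this hunk does not mention; the block's own comment explains why upstream recommends it, but a sensor on a segment that can be reached by untrusted hosts should have that trade-off spelled out next to the toggle. Since `#request-flood: 500` stays commented out, the `modbus.flooded` app-layer event presumably falls back to Suricata's built-in threshold, which is worth confirming before relying on that event in rules. The commit message says these parsers are meant to be switched on per environment, so a one-line hint above `modbus:` would make the intended use explicit, e.g. `# Disabled by default; enable only where Modbus/TCP (port 502) traffic is expected, and keep detection-ports set so the minimal probe parser is not applied to arbitrary flows.`, with the same pattern above `dnp3:` and `enip:`. The enclosing `app-layer:` / `protocols:` mapping starts before this hunk and continues after it.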