]> git.ipfire.org Git - thirdparty/suricata.git/commitdiff
projects / thirdparty / suricata.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 92b537d)
modbus: duplicate alerts unaware of direction 3230/head
authorDavid DIALLO <david.diallo@gmail.com>
Wed, 7 Feb 2018 23:20:09 +0000 (00:20 +0100)
committerVictor Julien <victor@inliniac.net>
Fri, 9 Feb 2018 14:39:53 +0000 (15:39 +0100)
Remove DetectAppLayerInspectEngineRegister for TOCLIENT direction
because Modbus inspection engine is only performing in request (TOSERVER).

Detect Value keyword in read access rule. In read access, match on value
is not possible.

Update Modbus keyword documentation.

doc/userguide/rules/modbus-keyword.rst patch | blob | blame | history
src/detect-modbus.c patch | blob | blame | history

diff --git a/doc/userguide/rules/modbus-keyword.rst b/doc/userguide/rules/modbus-keyword.rst
index 407c3e38e8fcecaca97f6445b46c1abf4231cc2a..38a4a26b7bd93881c60bf5e19985d7e4cf765899 100644 (file)
--- a/doc/userguide/rules/modbus-keyword.rst
+++ b/doc/userguide/rules/modbus-keyword.rst
@@ -49,9 +49,11 @@ With the **access** setting, you can match on:
 Syntax::
 
   modbus: access <read | write>
-  modbus: access <read | write> <discretes | coils | input | holding>
-  modbus: access <read | write> <discretes | coils | input | holding>, address <value>
-  modbus: access <read | write> <discretes | coils | input | holding>, address <value>, value <value>
+  modbus: access read <discretes | coils | input | holding>
+  modbus: access read <discretes | coils | input | holding>, address <value>
+  modbus: access write < coils | holding>
+  modbus: access write < coils | holding>, address <value>
+  modbus: access write < coils | holding>, address <value>, value <value>
 
 With _<value>_ setting matches on the address or value as it is being
 accessed or written as follows::
diff --git a/src/detect-modbus.c b/src/detect-modbus.c
index 7724695d72eb2475113ede66fb773e9945057093..972e09543d6d53d5e06d4907608053daf879134b 100644 (file)
--- a/src/detect-modbus.c
+++ b/src/detect-modbus.c
@@ -221,6 +221,10 @@ static DetectModbus *DetectModbusAccessParse(const char *str)
                     }
 
                     /* We have a correct address option */
+                    if (modbus->type == MODBUS_TYP_READ)
+                        /* Value access is only possible in write access. */
+                        goto error;
+
                     modbus->data = (DetectModbusValue *) SCCalloc(1, sizeof(DetectModbusValue));
                     if (unlikely(modbus->data == NULL))
                         goto error;
@@ -416,9 +420,6 @@ void DetectModbusRegister(void)
     DetectAppLayerInspectEngineRegister("modbus",
             ALPROTO_MODBUS, SIG_FLAG_TOSERVER, 0,
             DetectEngineInspectModbus);
-    DetectAppLayerInspectEngineRegister("modbus",
-            ALPROTO_MODBUS, SIG_FLAG_TOCLIENT, 0,
-            DetectEngineInspectModbus);
 
     g_modbus_buffer_id = DetectBufferTypeGetByName("modbus");
 }
Mirror of https://github.com/OISF/suricata.git