From: David DIALLO Date: Wed, 7 Feb 2018 23:20:09 +0000 (+0100) Subject: modbus: duplicate alerts unaware of direction X-Git-Tag: suricata-4.1.0-beta1~164 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F3230%2Fhead;p=thirdparty%2Fsuricata.git modbus: duplicate alerts unaware of direction Remove DetectAppLayerInspectEngineRegister for TOCLIENT direction because Modbus inspection engine is only performing in request (TOSERVER). Detect Value keyword in read access rule. In read access, match on value is not possible. Update Modbus keyword documentation. --- diff --git a/doc/userguide/rules/modbus-keyword.rst b/doc/userguide/rules/modbus-keyword.rst index 407c3e38e8..38a4a26b7b 100644 --- a/doc/userguide/rules/modbus-keyword.rst +++ b/doc/userguide/rules/modbus-keyword.rst @@ -49,9 +49,11 @@ With the **access** setting, you can match on: Syntax:: modbus: access - modbus: access - modbus: access , address - modbus: access , address , value + modbus: access read + modbus: access read , address + modbus: access write < coils | holding> + modbus: access write < coils | holding>, address + modbus: access write < coils | holding>, address , value With __ setting matches on the address or value as it is being accessed or written as follows:: diff --git a/src/detect-modbus.c b/src/detect-modbus.c index 7724695d72..972e09543d 100644 --- a/src/detect-modbus.c +++ b/src/detect-modbus.c @@ -221,6 +221,10 @@ static DetectModbus *DetectModbusAccessParse(const char *str) } /* We have a correct address option */ + if (modbus->type == MODBUS_TYP_READ) + /* Value access is only possible in write access. */ + goto error; + modbus->data = (DetectModbusValue *) SCCalloc(1, sizeof(DetectModbusValue)); if (unlikely(modbus->data == NULL)) goto error; 
@@ -416,9 +420,6 @@ void DetectModbusRegister(void) DetectAppLayerInspectEngineRegister("modbus", ALPROTO_MODBUS, SIG_FLAG_TOSERVER, 0, DetectEngineInspectModbus); - DetectAppLayerInspectEngineRegister("modbus", - ALPROTO_MODBUS, SIG_FLAG_TOCLIENT, 0, - DetectEngineInspectModbus); g_modbus_buffer_id = DetectBufferTypeGetByName("modbus"); }
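Review bot: in the Syntax block of doc/userguide/rules/modbus-keyword.rst, the restriction is conveyed only by leaving value off the read forms; nothing states that a read rule carrying a value option is now refused by the parser. Add one sentence under the block saying that value is accepted only with write access and that a read rule using it fails to load, so rule authors with existing read rules that used value know why they stop loading. As a style point, the new write lines are spelled `< coils | holding>`, with a space after the opening bracket and none before the closing one; pick one spacing and use it on all three lines.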
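Review bot: in the DetectModbusAccessParse hunk of src/detect-modbus.c, the new guard `if (modbus->type == MODBUS_TYP_READ)` is an exact equality test, so it rejects the value option only when type holds that constant and nothing else. If type can also carry a table qualifier by the time this branch runs, a read rule with a value would slip past the check; if the MODBUS_TYP_* constants are flags, test the bit with `modbus->type & MODBUS_TYP_READ` instead. The if is also unbraced with a comment sitting between the condition and `goto error;`, which is easy to misread and to break on a later edit, so brace it and move the comment above the condition. Finally, the branch jumps to error without a message of its own, and the visible diff adds no test for the rejected rule; a log line naming the reason and a parse test for read plus value would both help.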
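Review bot: in the DetectModbusRegister hunk of src/detect-modbus.c, the reason only the SIG_FLAG_TOSERVER registration remains is recorded in the commit message and nowhere in the code. Add a short comment above the remaining DetectAppLayerInspectEngineRegister call stating that Modbus inspection runs on requests only and that registering SIG_FLAG_TOCLIENT as well produces duplicate alerts, so the removed call is not reintroduced later for symmetry. The visible diff also carries no test asserting a single alert per matching transaction, which is the behaviour this removal is meant to guarantee.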