From d87a60f3cc87d346a9b1e04ff133dfed6e9f7cbe Mon Sep 17 00:00:00 2001 From: Jason Ish Date: Thu, 3 Dec 2015 15:40:08 -0600 Subject: [PATCH] modbus: disable by default --- src/app-layer-modbus.c | 14 +++----------- suricata.yaml.in | 4 ++-- 2 files changed, 5 insertions(+), 13 deletions(-) diff --git a/src/app-layer-modbus.c b/src/app-layer-modbus.c index fa965135d3..2d2cdc3d2e 100644 --- a/src/app-layer-modbus.c +++ b/src/app-layer-modbus.c @@ -1427,21 +1427,13 @@ void RegisterModbusParsers(void) STREAM_TOSERVER, ModbusProbingParser); } else { - /* if we have no config, we enable the default port 502 */ + /* If there is no app-layer section for Modbus, silently + * leave it disabled. */ if (!AppLayerProtoDetectPPParseConfPorts("tcp", IPPROTO_TCP, proto_name, ALPROTO_MODBUS, 0, sizeof(ModbusHeader), ModbusProbingParser)) { - SCLogWarning(SC_ERR_MODBUS_CONFIG, "no Modbus TCP config found, " - "enabling Modbus detection on " - "port 502."); - - AppLayerProtoDetectPPRegister(IPPROTO_TCP, - "502", - ALPROTO_MODBUS, - 0, sizeof(ModbusHeader), - STREAM_TOSERVER, - ModbusProbingParser); + return; } } diff --git a/suricata.yaml.in b/suricata.yaml.in index af54b5274d..a612fb25de 100644 --- a/suricata.yaml.in +++ b/suricata.yaml.in @@ -1171,7 +1171,7 @@ rule-files: - smtp-events.rules # available in suricata sources under rules dir - dns-events.rules # available in suricata sources under rules dir - tls-events.rules # available in suricata sources under rules dir - - modbus-events.rules # available in suricata sources under rules dir +# - modbus-events.rules # available in suricata sources under rules dir - app-layer-events.rules # available in suricata sources under rules dir classification-file: @e_sysconfdir@classification.config 
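Review bot: The new `return;` in the `else` branch leaves RegisterModbusParsers without any log line when AppLayerProtoDetectPPParseConfPorts() yields no ports, so a sensor whose Modbus section is present but lacks usable detection ports stops inspecting Modbus/TCP with nothing in the log to show it. The new comment describes only the "no app-layer section" case, while the condition appears to cover any failure to obtain ports. On ICS networks that is a silent loss of detection coverage, so I would keep one low-severity message before the return, for example `SCLogInfo("no Modbus TCP detection ports configured, Modbus detection left disabled");`. The function starts and ends outside the hunk, so it is worth checking whether the bare return skips a function-exit macro or leaves an earlier protocol registration half done. If SC_ERR_MODBUS_CONFIG has no other user after this change, it can presumably be removed.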
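Review bot: Nothing in the template tells an operator that the commented-out `modbus-events.rules` entry in this hunk and the `enabled: no` in the app-layer modbus hunk that follows must be switched together. A site that re-enables only one ends up with either a parser whose events never alert or, presumably, event rules for a protocol that is turned off. I would add a comment next to both, along the lines of `# Modbus is disabled by default; to monitor Modbus/TCP set enabled: yes in the app-layer modbus section and uncomment modbus-events.rules.` Deployments that watch ICS traffic and regenerate their configuration from this template lose Modbus visibility on upgrade, which deserves a line in the release notes.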
@@ -1350,7 +1350,7 @@ app-layer: # If the limit is reached, app-layer-event:modbus.flooded; will match. #request-flood: 500 - enabled: yes + enabled: no detection-ports: dp: 502 # According to MODBUS Messaging on TCP/IP Implementation Guide V1.0b, it -- 2.47.2