From 6c643d8975e9bab542ef5583d1422d5e669188df Mon Sep 17 00:00:00 2001
From: David DIALLO
Date: Thu, 8 Feb 2018 00:20:09 +0100
Subject: [PATCH] modbus: duplicate alerts unaware of direction
Remove DetectAppLayerInspectEngineRegister for TOCLIENT direction because Modbus inspection engine is only performing in request (TOSERVER).
Detect Value keyword in read access rule. In read access, match on value is not possible.
Update Modbus keyword documentation.
---
 doc/userguide/rules/modbus-keyword.rst | 8 +++++---
 src/detect-modbus.c | 7 ++++---
 2 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/doc/userguide/rules/modbus-keyword.rst b/doc/userguide/rules/modbus-keyword.rst
index 407c3e38e8..38a4a26b7b 100644
--- a/doc/userguide/rules/modbus-keyword.rst
+++ b/doc/userguide/rules/modbus-keyword.rst
@@ -49,9 +49,11 @@ With the **access** setting, you can match on: Syntax:: modbus: access
- modbus: access
- modbus: access , address
- modbus: access , address , value
+ modbus: access read
+ modbus: access read , address
+ modbus: access write < coils | holding>
+ modbus: access write < coils | holding>, address
+ modbus: access write < coils | holding>, address , value
 With __ setting matches on the address or value as it is being accessed or written as follows::
diff --git a/src/detect-modbus.c b/src/detect-modbus.c
index 7724695d72..972e09543d 100644
--- a/src/detect-modbus.c
+++ b/src/detect-modbus.c
@@ -221,6 +221,10 @@ static DetectModbus *DetectModbusAccessParse(const char *str)
 }
 /* We have a correct address option */
+ if (modbus->type == MODBUS_TYP_READ)
+ /* Value access is only possible in write access. */
+ goto error;
+
 modbus->data = (DetectModbusValue *) SCCalloc(1, sizeof(DetectModbusValue));
 if (unlikely(modbus->data == NULL))
 goto error;
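Review bot: The new guard `if (modbus->type == MODBUS_TYP_READ)` is an unbraced control body with a comment sitting between the condition and its `goto error;`, which is exactly the shape that lets a later edit silently change what the condition guards; write it as `if (modbus->type == MODBUS_TYP_READ) { /* value is only meaningful for write access */ goto error; }`. The rejection also happens without any diagnostic, so a rule author whose read-access signature carries a value option only sees the generic parse failure; a short error log naming the cause before the jump would make the new restriction discoverable. Whether the `error:` label releases the partially built `modbus` allocation is not visible here, as DetectModbusAccessParse begins and ends outside the hunk.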
@@ -416,9 +420,6 @@ void DetectModbusRegister(void)
 DetectAppLayerInspectEngineRegister("modbus",
 ALPROTO_MODBUS, SIG_FLAG_TOSERVER, 0,
 DetectEngineInspectModbus);
- DetectAppLayerInspectEngineRegister("modbus",
- ALPROTO_MODBUS, SIG_FLAG_TOCLIENT, 0,
- DetectEngineInspectModbus);
 g_modbus_buffer_id = DetectBufferTypeGetByName("modbus");
 }
-- 
2.47.2