From: Victor Julien Date: Mon, 31 Oct 2016 13:11:57 +0000 (+0100) Subject: yaml: group ICS protocols together X-Git-Tag: suricata-3.2RC1~1 X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F2393%2Fhead;p=thirdparty%2Fsuricata.git yaml: group ICS protocols together
---
diff --git a/suricata.yaml.in b/suricata.yaml.in
index c657be3f40..1a431dc334 100644
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@@ -704,32 +704,6 @@ app-layer:
 enabled: yes
 detection-ports:
 dp: 139
- # Note: Modbus probe parser is minimalist due to the poor significant field
- # Only Modbus message length (greater than Modbus header length)
- # And Protocol ID (equal to 0) are checked in probing parser
- # It is important to enable detection port and define Modbus port
- # to avoid false positive
- modbus:
- # How many unreplied Modbus requests are considered a flood.
- # If the limit is reached, app-layer-event:modbus.flooded; will match.
- #request-flood: 500
-
- # Stream reassembly size for modbus. By default track it completely.
- stream-depth: 0
-
- enabled: no
- detection-ports:
- dp: 502
- # According to MODBUS Messaging on TCP/IP Implementation Guide V1.0b, it
- # is recommended to keep the TCP connection opened with a remote device
- # and not to open and close it for each MODBUS/TCP transaction. In that
- # case, it is important to set the depth of the stream reassembling as
- # unlimited (stream.reassembly.depth: 0)
- # DNP3
- dnp3:
- enabled: no
- detection-ports:
- dp: 20000
 # smb2 detection is disabled internally inside the engine.
 #smb2:
 # enabled: yes
@@ -854,6 +828,34 @@ app-layer:
 # double-decode-path: no
 # double-decode-query: no
+ # Note: Modbus probe parser is minimalist due to the poor significant field
+ # Only Modbus message length (greater than Modbus header length)
+ # And Protocol ID (equal to 0) are checked in probing parser
+ # It is important to enable detection port and define Modbus port
+ # to avoid false positive
+ modbus:
+ # How many unreplied Modbus requests are considered a flood.
+ # If the limit is reached, app-layer-event:modbus.flooded; will match.
+ #request-flood: 500
+
+ enabled: no
+ detection-ports:
+ dp: 502
+ # According to MODBUS Messaging on TCP/IP Implementation Guide V1.0b, it
+ # is recommended to keep the TCP connection opened with a remote device
+ # and not to open and close it for each MODBUS/TCP transaction. In that
+ # case, it is important to set the depth of the stream reassembling as
+ # unlimited (stream.reassembly.depth: 0)
+
+ # Stream reassembly size for modbus. By default track it completely.
+ stream-depth: 0
+
+ # DNP3
+ dnp3:
+ enabled: no
+ detection-ports:
+ dp: 20000
+
 # SCADA EtherNet/IP and CIP protocol support
 enip:
 enabled: no
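Review bot: The relocated Implementation Guide comment in the modbus block still points readers at the global key, `# unlimited (stream.reassembly.depth: 0)`, while the setting it justifies is the per-protocol `stream-depth: 0` two lines below it; someone following the comment literally would raise reassembly depth for every protocol rather than only Modbus. I would change that line to `# unlimited for Modbus (stream-depth: 0, set below; stream.reassembly.depth is the global setting)`. Since the commit's purpose is to group the ICS parsers, a banner such as `# Industrial control system (ICS) protocols: Modbus, DNP3 and ENIP/CIP` above the Modbus note would make the grouping visible in the file, and the bare `# DNP3` block would benefit from one sentence saying whether DNP3 is likewise only reliable with `detection-ports` set — I cannot tell from this hunk whether it has a probing parser. The opening line `# Note: Modbus probe parser is minimalist due to the poor significant field` is hard to parse; `# Note: the Modbus probing parser is minimal because the Modbus header has few distinctive fields` says the same thing.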