diff --git a/src/analyzer/protocol/modbus/modbus-protocol.pac b/src/analyzer/protocol/modbus/modbus-protocol.pac
index ebd1805815..5b566e6729 100644
--- a/src/analyzer/protocol/modbus/modbus-protocol.pac
+++ b/src/analyzer/protocol/modbus/modbus-protocol.pac
@@ -90,8 +90,8 @@ type ModbusTCP_PDU(is_orig: bool) = record {
 type ModbusTCP_TransportHeader = record {
  tid: uint16; # Transaction identifier
- pid: uint16; # Protocol identifier
- len: uint16; # Length of everything after this field
+ pid: uint16 &enforce(pid == 0); # Protocol identifier
+ len: uint16 &enforce(len >= 2); # Length of everything after this field
  uid: uint8; # Unit identifier (previously 'slave address')
  fc: uint8; # MODBUS function code (see function_codes enum)
 } &byteorder=bigendian, &let {
diff --git a/testing/btest/Baseline/scripts.base.protocols.modbus.exception_handling/modbus.log b/testing/btest/Baseline/scripts.base.protocols.modbus.exception_handling/modbus.log
index 9298bf4eeb..07518ad4fc 100644
--- a/testing/btest/Baseline/scripts.base.protocols.modbus.exception_handling/modbus.log
+++ b/testing/btest/Baseline/scripts.base.protocols.modbus.exception_handling/modbus.log
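Review bot: The new `len` constraint in ModbusTCP_TransportHeader only has a lower bound, so a length field of 0xFFFF still satisfies `&enforce(len >= 2)` even though, if I have the Modbus/TCP implementation guide's 260-byte ADU cap right, the largest legal value of this field is 254 (unit id plus a 253-byte PDU). The `&let` and the PDU parsing that presumably consume `len` continue outside the hunk, so I cannot see what an oversized value does downstream, but rejecting it at the header costs nothing: `len: uint16 &enforce(len >= 2 && len <= 254); # Length of everything after this field; 254 = max Modbus/TCP ADU (260) minus the 6 bytes before this field`. It would also help to note in a comment that a failed `&enforce` raises a binpac exception which, per the new analyzer.log baseline, surfaces as a protocol violation; depending on DPD settings that can stop Modbus parsing for the rest of the connection, so a device that tolerates a single frame with a non-zero protocol id would let a sender silence Modbus logging on that connection, and a `weird` alongside the violation would keep that visible to operators.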
@@ -11,15 +11,15 @@ XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.235 2582 166.161.16.230 502 0 1 u XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.235 2582 166.161.16.230 502 0 1 unknown-29 REQ - XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.235 2582 166.161.16.230 502 0 1 unknown-160 RESP - XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.235 2582 166.161.16.230 502 0 1 unknown-33 REQ - -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.235 2582 166.161.16.230 502 0 0 WRITE_SINGLE_REGISTER REQ - -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.235 2582 166.161.16.230 502 0 1 unknown-162 RESP - XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.235 2582 166.161.16.230 502 21504 1 unknown-35 REQ - XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.235 2582 166.161.16.230 502 0 1 unknown-36 REQ - XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.235 2582 166.161.16.230 502 0 1 unknown-37 REQ - XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.235 2582 166.161.16.230 502 0 0 unknown-38 REQ - XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.235 2582 166.161.16.230 502 0 1 unknown-175 RESP - XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.235 2582 166.161.16.230 502 0 1 unknown-179 RESP - -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.235 2582 166.161.16.230 502 12032 0 unknown-0 REQ - -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.235 2582 166.161.16.230 502 0 0 unknown-0 REQ - -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.235 2582 166.161.16.230 502 0 1 unknown-165 RESP - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.235 2582 166.161.16.230 502 0 1 unknown-54 REQ - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.235 2582 166.161.16.230 502 37 1 unknown-71 REQ - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.235 2582 166.161.16.230 502 0 1 unknown-63 REQ - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.235 2582 166.161.16.230 502 0 1 unknown-65 REQ - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.235 2582 166.161.16.230 502 0 1 unknown-71 REQ - #close XXXX-XX-XX-XX-XX-XX 
diff --git a/testing/btest/Baseline/scripts.base.protocols.modbus.modbus_and_non_modbus_on_port_502/analyzer.log b/testing/btest/Baseline/scripts.base.protocols.modbus.modbus_and_non_modbus_on_port_502/analyzer.log new file mode 100644 index 0000000000..ab8cb41827 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.modbus.modbus_and_non_modbus_on_port_502/analyzer.log 
@@ -0,0 +1,20 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path analyzer +#open XXXX-XX-XX-XX-XX-XX +#fields ts cause analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p failure_reason failure_data +#types time string string string string string addr port addr port string string +XXXXXXXXXX.XXXXXX violation protocol MODBUS ClEkJM2Vm5giqnMf4h - 87.236.176.106 38129 192.168.10.111 502 Binpac exception: binpac exception: &enforce violation : ModbusTCP_TransportHeader:pid - +XXXXXXXXXX.XXXXXX violation protocol MODBUS ClEkJM2Vm5giqnMf4h - 87.236.176.106 38129 192.168.10.111 502 Binpac exception: binpac exception: &enforce violation : ModbusTCP_TransportHeader:pid - +XXXXXXXXXX.XXXXXX violation protocol MODBUS C4J4Th3PJpwUYZZ6gc - 87.236.176.96 60175 192.168.10.111 502 Binpac exception: binpac exception: &enforce violation : ModbusTCP_TransportHeader:pid - +XXXXXXXXXX.XXXXXX violation protocol MODBUS C4J4Th3PJpwUYZZ6gc - 87.236.176.96 60175 192.168.10.111 502 Binpac exception: binpac exception: &enforce violation : ModbusTCP_TransportHeader:pid - +XXXXXXXXXX.XXXXXX violation protocol MODBUS CtPZjS20MLrsMUOJi2 - 66.175.213.4 58380 192.168.10.111 502 Binpac exception: binpac exception: &enforce violation : ModbusTCP_TransportHeader:pid - +XXXXXXXXXX.XXXXXX violation protocol MODBUS CtPZjS20MLrsMUOJi2 - 66.175.213.4 58380 192.168.10.111 502 Binpac exception: binpac exception: &enforce violation : ModbusTCP_TransportHeader:pid - +XXXXXXXXXX.XXXXXX violation protocol MODBUS CP5puj4I8PtEU4qzYg - 159.203.208.13 33752 192.168.10.113 502 Binpac exception: binpac exception: &enforce violation : ModbusTCP_TransportHeader:pid - +XXXXXXXXXX.XXXXXX violation protocol MODBUS CP5puj4I8PtEU4qzYg - 159.203.208.13 33752 192.168.10.113 502 Binpac exception: binpac exception: &enforce violation : 
ModbusTCP_TransportHeader:pid - +XXXXXXXXXX.XXXXXX violation protocol MODBUS C37jN32gN3y3AZzyf6 - 62.122.184.123 7488 192.168.10.111 502 Binpac exception: binpac exception: &enforce violation : ModbusTCP_TransportHeader:pid - +XXXXXXXXXX.XXXXXX violation protocol MODBUS C37jN32gN3y3AZzyf6 - 62.122.184.123 7488 192.168.10.111 502 Binpac exception: binpac exception: &enforce violation : ModbusTCP_TransportHeader:pid - +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.modbus.modbus_and_non_modbus_on_port_502/conn.log b/testing/btest/Baseline/scripts.base.protocols.modbus.modbus_and_non_modbus_on_port_502/conn.log new file mode 100644 index 0000000000..945c873d56 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.modbus.modbus_and_non_modbus_on_port_502/conn.log 
@@ -0,0 +1,18 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path conn +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents +#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.9 3082 10.0.0.3 502 tcp modbus 177.095534 72 69 SF T T 0 ShADdFaf 16 720 9 437 - +XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 87.236.176.106 38129 192.168.10.111 502 tcp dce_rpc 5.102604 72 9 SF F T 0 ShADadFf 6 392 4 225 - +XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 87.236.176.96 60175 192.168.10.111 502 tcp - 5.052092 44 9 SF F T 0 ShADadFf 6 364 4 225 - +XXXXXXXXXX.XXXXXX CtPZjS20MLrsMUOJi2 66.175.213.4 58380 192.168.10.111 502 tcp ssl 59.999857 138 9 SF F T 0 ShADadFf 9 610 7 377 - +XXXXXXXXXX.XXXXXX CUM0KZ3MLUfNB0cl11 198.74.56.135 60293 192.168.10.111 502 tcp - 0.117322 0 0 RSTO F T 0 ShR 2 80 1 44 - +XXXXXXXXXX.XXXXXX CmES5u32sYpV7JYN 198.74.56.135 60293 192.168.10.111 502 tcp - 0.000054 109 0 RSTRH F T 0 Dr 1 149 1 40 - +XXXXXXXXXX.XXXXXX CP5puj4I8PtEU4qzYg 159.203.208.13 33752 192.168.10.113 502 tcp - 0.470159 24 9 SF F T 0 ShADadFf 6 344 4 225 - +XXXXXXXXXX.XXXXXX C37jN32gN3y3AZzyf6 62.122.184.123 7488 192.168.10.111 502 tcp - 30.159557 43 9 SF F T 0 ShADadFf 6 295 4 181 - +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.modbus.modbus_and_non_modbus_on_port_502/modbus.log b/testing/btest/Baseline/scripts.base.protocols.modbus.modbus_and_non_modbus_on_port_502/modbus.log new file mode 100644 index 0000000000..0bf4ca545b --- /dev/null 
+++ b/testing/btest/Baseline/scripts.base.protocols.modbus.modbus_and_non_modbus_on_port_502/modbus.log @@ -0,0 +1,22 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path modbus +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tid unit func pdu_type exception +#types time string addr port addr port count count string string string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.9 3082 10.0.0.3 502 1 10 READ_COILS REQ - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.9 3082 10.0.0.3 502 1 10 READ_COILS RESP - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.9 3082 10.0.0.3 502 1 10 READ_COILS REQ - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.9 3082 10.0.0.3 502 1 10 READ_COILS RESP - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.9 3082 10.0.0.3 502 1 10 READ_HOLDING_REGISTERS REQ - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.9 3082 10.0.0.3 502 1 10 READ_HOLDING_REGISTERS RESP - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.9 3082 10.0.0.3 502 1 10 WRITE_SINGLE_COIL REQ - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.9 3082 10.0.0.3 502 1 10 WRITE_SINGLE_COIL RESP - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.9 3082 10.0.0.3 502 1 10 WRITE_SINGLE_COIL REQ - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.9 3082 10.0.0.3 502 1 10 WRITE_SINGLE_COIL RESP - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.9 3082 10.0.0.3 502 1 10 WRITE_SINGLE_REGISTER REQ - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.9 3082 10.0.0.3 502 1 10 WRITE_SINGLE_REGISTER RESP - +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Traces/modbus/modbus-and-non-modbus-p502.pcap b/testing/btest/Traces/modbus/modbus-and-non-modbus-p502.pcap new file mode 100644 index 0000000000..a3b1ea28f8 Binary files /dev/null and b/testing/btest/Traces/modbus/modbus-and-non-modbus-p502.pcap differ 
diff --git a/testing/btest/scripts/base/protocols/modbus/modbus_and_non_modbus_on_port_502.test b/testing/btest/scripts/base/protocols/modbus/modbus_and_non_modbus_on_port_502.test
new file mode 100644
index 0000000000..fcb95fa6d3
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/modbus/modbus_and_non_modbus_on_port_502.test
@@ -0,0 +1,7 @@
+# @TEST-EXEC: zeek -r $TRACES/modbus/modbus-and-non-modbus-p502.pcap
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: btest-diff modbus.log
+# @TEST-EXEC: btest-diff analyzer.log
+
+# The pcap has non Modbus traffic (i.e., DCERPC, HTTP, Magellan, NFS, RDP, TLS) on TCP port 502.
+# This traffic should not be labelled as Modbus in conn.log, and not generate any Modbus events.
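Review bot: The new trace only exercises the `pid == 0` constraint — every violation in the accompanying analyzer.log baseline names `ModbusTCP_TransportHeader:pid` — so the `len >= 2` check added in modbus-protocol.pac has no coverage in this test. A frame with a zero protocol identifier and a length field of 0 or 1 (added to this pcap or as a second small trace) would pin that path as well and should appear as a `ModbusTCP_TransportHeader:len` violation in the baseline. Minor wording: the comment's `i.e.` reads as an exhaustive list of what is in the pcap; if the protocols named are examples, `e.g.` is the intended word.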