Prevent non-Modbus on port 502 to be reported as Modbus

This commit prevents most non-Modbus TCP traffic on port 502 to be reported as Modbus in conn.log as well as in modbus.log. To do so, we have introduced two &enforce checks in the Modbus protocol definition that checks that some specific fields of the (supposedly) Modbus header are compatible with values specified in the specs. To ensure non-regression, with this commit we also introduce a new btest. Closes #3962
2025-10-10 02:28:21 +00:00 · 2024-10-21 14:40:45 +02:00 · 2024-10-21 14:40:45 +02:00 · 05d92dc2a5
commit 05d92dc2a5
parent 1e24980901
7 changed files with 74 additions and 7 deletions
--- a/testing/btest/scripts/base/protocols/modbus/modbus_and_non_modbus_on_port_502.test
+++ b/testing/btest/scripts/base/protocols/modbus/modbus_and_non_modbus_on_port_502.test
@ -0,0 +1,7 @@
+# @TEST-EXEC: zeek -r $TRACES/modbus/modbus-and-non-modbus-p502.pcap
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: btest-diff modbus.log
+# @TEST-EXEC: btest-diff analyzer.log
+
+# The pcap has non Modbus traffic (i.e., DCERPC, HTTP, Magellan, NFS, RDP, TLS) on TCP port 502.
+# This traffic should not be labelled as Modbus in conn.log, and not generate any Modbus events.