@ -704,32 +704,6 @@ app-layer:
|
|
|
|
enabled: yes
|
|
|
|
enabled: yes
|
|
|
|
detection-ports:
|
|
|
|
detection-ports:
|
|
|
|
dp: 139
|
|
|
|
dp: 139
|
|
|
|
# Note: Modbus probe parser is minimalist due to the poor significant field
|
|
|
|
|
|
|
|
# Only Modbus message length (greater than Modbus header length)
|
|
|
|
|
|
|
|
# And Protocol ID (equal to 0) are checked in probing parser
|
|
|
|
|
|
|
|
# It is important to enable detection port and define Modbus port
|
|
|
|
|
|
|
|
# to avoid false positive
|
|
|
|
|
|
|
|
modbus:
|
|
|
|
|
|
|
|
# How many unreplied Modbus requests are considered a flood.
|
|
|
|
|
|
|
|
# If the limit is reached, app-layer-event:modbus.flooded; will match.
|
|
|
|
|
|
|
|
#request-flood: 500
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Stream reassembly size for modbus. By default track it completely.
|
|
|
|
|
|
|
|
stream-depth: 0
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
enabled: no
|
|
|
|
|
|
|
|
detection-ports:
|
|
|
|
|
|
|
|
dp: 502
|
|
|
|
|
|
|
|
# According to MODBUS Messaging on TCP/IP Implementation Guide V1.0b, it
|
|
|
|
|
|
|
|
# is recommended to keep the TCP connection opened with a remote device
|
|
|
|
|
|
|
|
# and not to open and close it for each MODBUS/TCP transaction. In that
|
|
|
|
|
|
|
|
# case, it is important to set the depth of the stream reassembling as
|
|
|
|
|
|
|
|
# unlimited (stream.reassembly.depth: 0)
|
|
|
|
|
|
|
|
# DNP3
|
|
|
|
|
|
|
|
dnp3:
|
|
|
|
|
|
|
|
enabled: no
|
|
|
|
|
|
|
|
detection-ports:
|
|
|
|
|
|
|
|
dp: 20000
|
|
|
|
|
|
|
|
# smb2 detection is disabled internally inside the engine.
|
|
|
|
# smb2 detection is disabled internally inside the engine.
|
|
|
|
#smb2:
|
|
|
|
#smb2:
|
|
|
|
# enabled: yes
|
|
|
|
# enabled: yes
|
|
|
@ -854,6 +828,34 @@ app-layer:
|
|
|
|
# double-decode-path: no
|
|
|
|
# double-decode-path: no
|
|
|
|
# double-decode-query: no
|
|
|
|
# double-decode-query: no
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Note: Modbus probe parser is minimalist due to the poor significant field
|
|
|
|
|
|
|
|
# Only Modbus message length (greater than Modbus header length)
|
|
|
|
|
|
|
|
# And Protocol ID (equal to 0) are checked in probing parser
|
|
|
|
|
|
|
|
# It is important to enable detection port and define Modbus port
|
|
|
|
|
|
|
|
# to avoid false positive
|
|
|
|
|
|
|
|
modbus:
|
|
|
|
|
|
|
|
# How many unreplied Modbus requests are considered a flood.
|
|
|
|
|
|
|
|
# If the limit is reached, app-layer-event:modbus.flooded; will match.
|
|
|
|
|
|
|
|
#request-flood: 500
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
enabled: no
|
|
|
|
|
|
|
|
detection-ports:
|
|
|
|
|
|
|
|
dp: 502
|
|
|
|
|
|
|
|
# According to MODBUS Messaging on TCP/IP Implementation Guide V1.0b, it
|
|
|
|
|
|
|
|
# is recommended to keep the TCP connection opened with a remote device
|
|
|
|
|
|
|
|
# and not to open and close it for each MODBUS/TCP transaction. In that
|
|
|
|
|
|
|
|
# case, it is important to set the depth of the stream reassembling as
|
|
|
|
|
|
|
|
# unlimited (stream.reassembly.depth: 0)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Stream reassembly size for modbus. By default track it completely.
|
|
|
|
|
|
|
|
stream-depth: 0
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# DNP3
|
|
|
|
|
|
|
|
dnp3:
|
|
|
|
|
|
|
|
enabled: no
|
|
|
|
|
|
|
|
detection-ports:
|
|
|
|
|
|
|
|
dp: 20000
|
|
|
|
|
|
|
|
|
|
|
|
# SCADA EtherNet/IP and CIP protocol support
|
|
|
|
# SCADA EtherNet/IP and CIP protocol support
|
|
|
|
enip:
|
|
|
|
enip:
|
|
|
|
enabled: no
|
|
|
|
enabled: no
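Review bot: The moved Modbus comment ending in `# unlimited (stream.reassembly.depth: 0)` points operators at the global stream reassembly depth, while the `stream-depth: 0` moved to sit just below it already makes reassembly unlimited for Modbus alone, so the two lines now disagree about which knob to turn. Since this commit is the one placing `stream-depth: 0` next to that text, the comment is the place to fix it; suggest rewording the last line to `# unlimited for Modbus only (stream-depth: 0 below); the global stream.reassembly.depth need not be changed` so readers are not led to lift the depth cap for every flow, which raises reassembly memory use across all traffic. The first hunk only deletes the old copy of the block and needs no change.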