modbus: duplicate alerts unaware of direction

Remove DetectAppLayerInspectEngineRegister for TOCLIENT direction because Modbus inspection engine is only performing in request (TOSERVER). Detect Value keyword in read access rule. In read access, match on value is not possible. Update Modbus keyword documentation.
8 years ago · 6c643d8975
parent 92b537d028
commit 6c643d8975
2 changed files with 9 additions and 6 deletions
--- a/doc/userguide/rules/modbus-keyword.rst
+++ b/doc/userguide/rules/modbus-keyword.rst
@ -49,9 +49,11 @@ With the **access** setting, you can match on:
 Syntax::

  modbus: access <read | write>
-  modbus: access <read | write> <discretes | coils | input | holding>
-  modbus: access <read | write> <discretes | coils | input | holding>, address <value>
-  modbus: access <read | write> <discretes | coils | input | holding>, address <value>, value <value>
+  modbus: access read <discretes | coils | input | holding>
+  modbus: access read <discretes | coils | input | holding>, address <value>
+  modbus: access write < coils | holding>
+  modbus: access write < coils | holding>, address <value>
+  modbus: access write < coils | holding>, address <value>, value <value>

 With _<value>_ setting matches on the address or value as it is being
 accessed or written as follows::
--- a/src/detect-modbus.c
+++ b/src/detect-modbus.c
@ -221,6 +221,10 @@ static DetectModbus *DetectModbusAccessParse(const char *str)
                    }

                    /* We have a correct address option */
+                    if (modbus->type == MODBUS_TYP_READ)
+                        /* Value access is only possible in write access. */
+                        goto error;
+
                    modbus->data = (DetectModbusValue *) SCCalloc(1, sizeof(DetectModbusValue));
                    if (unlikely(modbus->data == NULL))
                        goto error;
@ -416,9 +420,6 @@ void DetectModbusRegister(void)
    DetectAppLayerInspectEngineRegister("modbus",
            ALPROTO_MODBUS, SIG_FLAG_TOSERVER, 0,
            DetectEngineInspectModbus);
-    DetectAppLayerInspectEngineRegister("modbus",
-            ALPROTO_MODBUS, SIG_FLAG_TOCLIENT, 0,
-            DetectEngineInspectModbus);

    g_modbus_buffer_id = DetectBufferTypeGetByName("modbus");
 }