Modbus Specific Options
Modbus is a protocol used in SCADA networks, and its traffic is typically seen on TCP port 502 (aka Modbus TCP). The Modbus service inspector decodes the Modbus protocol and provides three rule options that rule writers can use to evaluate Modbus traffic.
Those three options are modbus_data, modbus_func, and modbus_unit.
To be able to use the various modbus rule options, one must make sure to enable the inspector and add an appropriate Binder entry in the Snort 3 config. For example:
-- enable the Modbus service inspector
modbus = {}
-- add the Modbus binder entry
binder =
{
{ when = { proto = 'tcp', ports = '502' }, use = { type = 'modbus' }, },
}
modbus_data
The modbus_data rule option is used to set the detection cursor to the start of Modbus data.
Format:
modbus_data;
Examples:
modbus_data;
content:"modbus stuff";
modbus_func
The modbus_func rule option is used to check for a particular Modbus function code or function name.
Rule writers can provide either the function code—an integer value—or the function's string name. The list of valid function strings can be found in the Snort 3 source code here. If providing the function name as the argument, one should not enclose the string in double quotes.
Format:
modbus_func:{function_name|function_code};
Examples:
modbus_func:5;
modbus_func:write_single_coil;
modbus_unit
The modbus_unit rule option is used to check for a particular Modbus unit identifier.
This rule option takes a single argument, an integer in the range 0-255.
Format:
modbus_unit:modbus_unit_id;
Examples:
modbus_unit:0;
modbus_unit:73;
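As an added example (not Snort's code and not part of the original page), the following Python decodes one Modbus TCP frame into the fields that modbus_unit, modbus_func and modbus_data inspect, then evaluates rule-style checks against it. The frame layout follows the standard MBAP header; the function-name table, the helper names and the sample request are assumptions constructed for this example.

```python
import struct

# Function-code names used by this example (constructed for illustration;
# Snort's own name table lives in its source and may differ).
FUNCTION_NAMES = {
    1: "read_coils", 2: "read_discrete_inputs",
    3: "read_holding_registers", 4: "read_input_registers",
    5: "write_single_coil", 6: "write_single_register",
    15: "write_multiple_coils", 16: "write_multiple_registers",
}

MBAP_LEN = 7  # transaction id (2) + protocol id (2) + length (2) + unit id (1)


def parse_modbus_tcp(payload: bytes) -> dict:
    """Split one Modbus TCP ADU into MBAP header fields, function code and data."""
    if len(payload) < MBAP_LEN + 1:
        raise ValueError("too short for an MBAP header plus a function code")
    tid, proto, length, unit = struct.unpack("!HHHB", payload[:MBAP_LEN])
    if proto != 0:
        raise ValueError("MBAP protocol id must be 0 for Modbus")
    # The length field counts every byte after itself: unit id + PDU.
    if length != len(payload) - 6:
        raise ValueError("MBAP length field disagrees with payload size")
    fc = payload[MBAP_LEN]
    return {
        "transaction_id": tid,
        "unit_id": unit,                       # what modbus_unit compares
        "function_code": fc,                   # what modbus_func compares
        "function_name": FUNCTION_NAMES.get(fc),
        "data": payload[MBAP_LEN + 1:],        # where modbus_data puts the cursor
    }


def rule_matches(frame: dict, func=None, unit=None, content=None) -> bool:
    """Evaluate modbus_func / modbus_unit / modbus_data;content:... on one frame.

    func may be an integer code or a name string, mirroring the two modbus_func forms.
    """
    if isinstance(func, int) and frame["function_code"] != func:
        return False
    if isinstance(func, str) and frame["function_name"] != func:
        return False
    if unit is not None and frame["unit_id"] != unit:
        return False
    if content is not None and content not in frame["data"]:
        return False
    return True


# Constructed sample: Write Single Coil (fc 5) to unit 73, coil 1, value ON (0xFF00).
SAMPLE_REQUEST = bytes.fromhex("0001 0000 0006 49 05 0001 ff00")
```

Calling `rule_matches(parse_modbus_tcp(SAMPLE_REQUEST), func="write_single_coil", unit=73)` corresponds to a rule carrying both `modbus_func:write_single_coil;` and `modbus_unit:73;`.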