Bug #1574
closedModbus: Seeing two alerts for a single invalid length modbus request packet
Description
Via a small PCAP file, consisting of some request and response modbus packets, I'm sending an invalid length request modbus packet. I have added logging to ModbusSetEvent() and see it being logged only once as below. I have also added logging for the four spots in app-layer-modbus.c where it detects an INVALID_LENGTH. I see it being logged only once as below. This is consistent with the packets in the PCAP file I play.
[17118] 7/10/2015 -- 12:17:11 - (app-layer-modbus.c:184) <Debug>(ModbusSetEvent) -- ModbusSetEvent
[17118] 7/10/2015 -- 12:17:11 - (app-layer-modbus.c:474) <Debug> (ModbusCheckHeader) -- INVALID LENGTH length=1025
However I always see two alerts in fast.log as follows:
11/23/2011-07:43:30.842526 [**] [1:2250003:1] SURICATA Modbus invalid Length[**][Classification: (null)] [Priority: 3] {TCP} 192.168.1.1:47762 -> 192.168.1.2:502
11/23/2011-07:43:30.842526 [**] [1:2250003:1] SURICATA Modbus invalid Length[**][Classification: (null)] [Priority: 3] {TCP} 192.168.1.2:502 -> 192.168.1.1:47762
The first alert corresponds to the invalid length request modbus packet. The second alert is spurious; it corresponds to a response modbus packet and should not be generated.
Files
Updated by Victor Julien over 8 years ago
- Status changed from New to Assigned
- Target version set to 70
Updated by David DIALLO almost 7 years ago
- File lengthBiggerThan255.pcap lengthBiggerThan255.pcap added
This issue is fixed thanks to commit flow/stream: reduce/disable pseudo packet injections (149e3240602e070d88c833088a5bf045d3b349a3)
A pcap file (sent by Bakul Khanna) is available in attach to reproduce the issue.
Updated by David DIALLO almost 7 years ago
- Status changed from Assigned to Resolved
Updated by Andreas Herz almost 7 years ago
- Status changed from Resolved to Closed
- Target version deleted (
70)