Support #3048

closed

the modbus packets have been limited

Added by John Smith over 5 years ago. Updated about 5 years ago.

Status:
Closed
Priority:
Normal
Affected Versions:
Label:

Description

When I send about 80,000 modbus packets, the parser 'app-layer-modbus.c' doesn't parse the modbus packets. It only decodes the TCP.
So I want to know how to set the modbus no traffic limit?
If you have a method, thank you very much!

Actions #1

Updated by Andreas Herz over 5 years ago

  • Assignee changed from Victor Julien to Community Ticket
  • Target version set to Support

Without more details about your setup it is hard to help.
Also please don't assign team members directly for support tickets, we will take care of the assignments on our side.

Actions #2

Updated by John Smith over 5 years ago

OK. Here are my steps:
1. Run suricata: sudo suricata -c /etc/suricata/suricata.yaml -q 0 -q 1 -q 2
2. Send modbus packets. I use the modbus slave and poll to send the packets.
3. In the modbus parser 'app-layer-modbus.c', I write "printf('parse the modbus data\n');". And in "decode-tcp.c", I write "printf('decode tcp data');"
4. When I send above 80,000 packets, there is no output "parse the modbus data". But there is still 'decode tcp data'.
So I want to know how to solve this problem.

Actions #3

Updated by Andreas Herz over 5 years ago

What version of suricata on which system are you using? Best would be to paste a suricata --build-info output.

What does your config look like and the iptables/nftables setup for that scenario?

Did you look into the stats.log if all relevant counters still increase while sending traffic?

Did you check if there are some rules that trigger, maybe even drop?

Without the clear diff to the original source code it's hard to tell if it's just an issue with your printf statements.
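
The stats.log check asked about in the comment above can be scripted. The following is an added example, not part of the original thread or of Suricata's code: it compares consecutive stats.log dumps and reports counters that were rising and then went flat while TCP packets kept arriving. The sample dumps are constructed, and the counter names `decoder.tcp`, `app_layer.flow.modbus` and `app_layer.tx.modbus` are assumed to be present in the build's stats output.

```python
import re

# Constructed stats.log excerpt (separator lines trimmed): three dumps taken
# while a Modbus poller keeps sending. Counter names are assumptions.
SAMPLE = """\
Date: 1/1/2020 -- 10:00:08 (uptime: 0d, 00h 00m 08s)
Counter                                       | TM Name                   | Value
decoder.tcp                                   | Total                     | 90000
app_layer.flow.modbus                         | Total                     | 1
app_layer.tx.modbus                           | Total                     | 45000
Date: 1/1/2020 -- 10:00:16 (uptime: 0d, 00h 00m 16s)
Counter                                       | TM Name                   | Value
decoder.tcp                                   | Total                     | 180000
app_layer.flow.modbus                         | Total                     | 1
app_layer.tx.modbus                           | Total                     | 87000
Date: 1/1/2020 -- 10:00:24 (uptime: 0d, 00h 00m 24s)
Counter                                       | TM Name                   | Value
decoder.tcp                                   | Total                     | 270000
app_layer.flow.modbus                         | Total                     | 1
app_layer.tx.modbus                           | Total                     | 87000
"""

ROW = re.compile(r"^(\S+)\s*\|\s*Total\s*\|\s*(\d+)\s*$")

def parse_dumps(text):
    """Return one {counter: value} dict per 'Date:' block of a stats.log."""
    dumps = []
    for line in text.splitlines():
        if line.startswith("Date:"):
            dumps.append({})
        m = ROW.match(line)
        if m and dumps:
            dumps[-1][m.group(1)] = int(m.group(2))
    return dumps

def stalled_counters(text, reference="decoder.tcp"):
    """Counters that were rising, then went flat in the last dump,
    while the reference counter kept rising (traffic still arriving)."""
    dumps = parse_dumps(text)
    if len(dumps) < 3:
        return []
    a, b, c = dumps[-3:]
    if c.get(reference, 0) <= b.get(reference, 0):
        return []  # no new TCP packets, so a flat counter proves nothing
    return sorted(n for n in c if n != reference and n in a and n in b
                  and b[n] > a[n] and c[n] == b[n])

if __name__ == "__main__":
    print(stalled_counters(SAMPLE))
```

A counter that was never rising, such as the single long-lived flow in the sample, is not reported; only a counter that stops mid-session is.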

Actions #4

Updated by Victor Julien over 5 years ago

Could be the stream depth kicking in? Does the cut off happen at ~1MiB?

Actions #5

Updated by John Smith over 5 years ago

Oh, yes. The stream depth has limited the modbus flow data.
So I change the value to 0, is it OK?

Actions #6

Updated by Andreas Herz over 5 years ago

  • Status changed from New to Feedback

I would recommend setting it to a sensible value but not 0. You need to tune it for your scenario.

Actions #7

Updated by Victor Julien about 5 years ago

  • Status changed from Feedback to Closed