Support #3048
closed
the modbus packets have been limited
Added by John Smith over 5 years ago.
Updated over 5 years ago.
Description
When I send modbus packets about 80,000.Then the parser 'app-layer-modbus.c' doesn't parse the modbus packets.Only decode the tcp.
So I want to known how to set the modbus no traffic limit?
If you have a method,thank you very much!
- Assignee changed from Victor Julien to Community Ticket
- Target version set to Support
Without more details about your setup it is hard to help.
Also please don't assign team members directly for support tickets, we will take care of the assignements on our side.
ok.There are my steps:
1.run suricata : sudo suricata -c /etc/suricata/suricata.yaml -q 0 -q 1 -q 2
2.send modbus packets.I use the modbus slave and poll to send the packet.
3.In the modbus-parser 'app-layer-modbus.c',I write "printf('parse the modbus data\n');".And In "decode-tcp.c",I write "printf('decode tcp data');"
4.When I send above 80,000 packets,there is no output "parse the modbus data".But still have 'decode tcp data'.
So I want to known how to solve this problem.
What version of suricata on which system are you using? Best would be to paste a suricata --build-info output.
How does your config look like and the iptables/nftables setup for that scenario?
Did you look into the stats.log if all relevant counters still increase while sending traffic?
Did you check if there are some rules that trigger, maybe even drop?
Without the clear diff to the original source ode it's hard to tell if it's just an issue with your printf statements.
Could be the stream depth kicking in? Does the cut off happen at ~1MiB?
oh,yes.The stream depth has limited the modbus flow datas.
So I change the value to 0,is it ok?
- Status changed from New to Feedback
I would recommend setting it to a sensible value but not 0. You need to tune it for your scenario.
- Status changed from Feedback to Closed
Also available in: Atom
PDF