Bug #5751: DNP3 preprocessor incorrectly parses READ requests - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #5751

open

DNP3 preprocessor incorrectly parses READ requests

Added by Alex Lasky almost 2 years ago. Updated 5 months ago.

Status:

New

Priority:

Normal

Assignee:

Jason Ish

Target version:

TBD

Affected Versions:

6.0.4

Effort:

Difficulty:

Label:

Description

The DNP3 preprocessor incorrectly parses read (function code 1) requests. Read requests only include object headers, not the object values. The DNP3 preprocessor is incorrectly treating 2nd and subsequent object headers in a read request as if they are object values for the 1st header, as shown by the attached eve application layer output for the g50v1 read request. Subsequent testing (not shown) using the signature 'dnp3_obj:50,1; dnp3_obj:60,2;' confirms that this is not just an artefact of the eve output, but that this is how the dnp3_obj rules also parse the fragment.

Files

Download all files

DNP3ReassemblyError.json (3.2 KB) DNP3ReassemblyError.json		Alex Lasky, 12/12/2022 09:43 PM
DNP3ReassemblyError1.pcap (2.43 KB) DNP3ReassemblyError1.pcap		Alex Lasky, 12/12/2022 09:43 PM

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Bug #5751

DNP3 preprocessor incorrectly parses READ requests

Updated by Jason Ish almost 2 years ago

Updated by Michael Torres almost 2 years ago

Updated by Philippe Antoine 5 months ago