Bug #5751

open

DNP3 preprocessor incorrectly parses READ requests

Added by Alex Lasky about 2 years ago. Updated 6 months ago.

Status: New
Priority: Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

The DNP3 preprocessor incorrectly parses read (function code 1) requests. Read requests only include object headers, not the object values. The DNP3 preprocessor is incorrectly treating 2nd and subsequent object headers in a read request as if they are object values for the 1st header, as shown by the attached eve application layer output for the g50v1 read request. Subsequent testing (not shown) using the signature 'dnp3_obj:50,1; dnp3_obj:60,2;' confirms that this is not just an artefact of the eve output, but that this is how the dnp3_obj rules also parse the fragment.


Files

DNP3ReassemblyError.json (3.2 KB) Alex Lasky, 12/12/2022 09:43 PM
DNP3ReassemblyError1.pcap (2.43 KB) Alex Lasky, 12/12/2022 09:43 PM