suricata.yaml: Add config options for modbus, dnp3 and enip protocols.

All of them are disabled by default, but may be needed in some environments and so easily can be enabled there. Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
2026-04-09 18:45:54 +02:00 · 2021-12-19 15:51:58 +01:00
parent ec418b7a08
commit ee87c2e33a
1 changed files with 35 additions and 0 deletions
--- a/config/suricata/suricata.yaml
+++ b/config/suricata/suricata.yaml
@@ -521,6 +521,41 @@ app-layer:
           double-decode-path: no
           double-decode-query: no

+    # Note: Modbus probe parser is minimalist due to the poor significant field
+    # Only Modbus message length (greater than Modbus header length)
+    # And Protocol ID (equal to 0) are checked in probing parser
+    # It is important to enable detection port and define Modbus port
+    # to avoid false positive
+    modbus:
+      # How many unreplied Modbus requests are considered a flood.
+      # If the limit is reached, app-layer-event:modbus.flooded; will match.
+      #request-flood: 500
+
+      enabled: no
+      detection-ports:
+        dp: 502
+      # According to MODBUS Messaging on TCP/IP Implementation Guide V1.0b, it
+      # is recommended to keep the TCP connection opened with a remote device
+      # and not to open and close it for each MODBUS/TCP transaction. In that
+      # case, it is important to set the depth of the stream reassembling as
+      # unlimited (stream.reassembly.depth: 0)
+
+      # Stream reassembly size for modbus. By default track it completely.
+      stream-depth: 0
+
+    # DNP3
+    dnp3:
+      enabled: no
+      detection-ports:
+        dp: 20000
+
+    # SCADA EtherNet/IP and CIP protocol support
+    enip:
+      enabled: no
+      detection-ports:
+        dp: 44818
+        sp: 44818
+
    ntp:
      enabled: yes
    dhcp: