
Rule Options

The Modbus preprocessor adds 3 new rule options. These rule options match on various pieces of the Modbus headers:

    modbus_func
    modbus_unit
    modbus_data

The preprocessor must be enabled for these rule options to work.

modbus_func

This option matches against the Function Code inside of a Modbus header. The code may be a number (in decimal format), or a string from the list provided below.

Syntax

    modbus_func:<code>

    code  = 0-255 |
            "read_coils" |
            "read_discrete_inputs" |
            "read_holding_registers" |
            "read_input_registers" |
            "write_single_coil" |
            "write_single_register" |
            "read_exception_status" |
            "diagnostics" |
            "get_comm_event_counter" |
            "get_comm_event_log" |
            "write_multiple_coils" |
            "write_multiple_registers" |
            "report_slave_id" |
            "read_file_record" |
            "write_file_record" |
            "mask_write_register" |
            "read_write_multiple_registers" |
            "read_fifo_queue" |
            "encapsulated_interface_transport"

Examples

    modbus_func:1;
    modbus_func:write_multiple_coils;

modbus_unit

This option matches against the Unit ID field in a Modbus header.

Syntax

    modbus_unit:<unit>

    unit = 0-255

Examples

    modbus_unit:1;

modbus_data

This rule option sets the cursor at the beginning of the Data field in a Modbus request/response.

Syntax

    modbus_data;

Examples

    modbus_data; content:"badstuff";
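
How the three options map onto the bytes of a Modbus/TCP frame, shown as an added example that is not part of the Snort manual or the preprocessor's own code. The layout is standard Modbus/TCP (7-byte MBAP header, then Function Code and Data); the helper names `parse_adu` and `rule_matches`, the sample frame, and modelling `modbus_data; content:` as a substring search over the Data field are assumptions made for illustration.

```python
import struct

# Names accepted by modbus_func, with their standard Modbus function codes.
FUNC_NAMES = {
    "read_coils": 1, "read_discrete_inputs": 2, "read_holding_registers": 3,
    "read_input_registers": 4, "write_single_coil": 5,
    "write_single_register": 6, "read_exception_status": 7, "diagnostics": 8,
    "get_comm_event_counter": 11, "get_comm_event_log": 12,
    "write_multiple_coils": 15, "write_multiple_registers": 16,
    "report_slave_id": 17, "read_file_record": 20, "write_file_record": 21,
    "mask_write_register": 22, "read_write_multiple_registers": 23,
    "read_fifo_queue": 24, "encapsulated_interface_transport": 43,
}

def parse_adu(frame: bytes) -> dict:
    """Split one Modbus/TCP frame into the fields the rule options inspect."""
    if len(frame) < 8:
        raise ValueError("too short for MBAP header plus function code")
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol identifier is not 0, so not Modbus")
    # Length counts the Unit ID and the PDU, so the frame ends at 6 + length.
    return {"unit": unit, "func": frame[7], "data": frame[8:6 + length]}

def rule_matches(frame, func=None, unit=None, data_content=None) -> bool:
    """Hypothetical helper: apply the three options to a single frame."""
    try:
        adu = parse_adu(frame)
    except ValueError:
        return False  # not a parsable Modbus frame, so nothing can match
    if func is not None:
        code = FUNC_NAMES[func] if isinstance(func, str) else func
        if adu["func"] != code:                      # modbus_func:<code>
            return False
    if unit is not None and adu["unit"] != unit:     # modbus_unit:<unit>
        return False
    if data_content is not None and data_content not in adu["data"]:
        return False                                 # modbus_data; content:"...";
    return True

# Constructed sample: Write Multiple Registers to unit 1, 4 registers at
# address 0, whose 8 value bytes spell "badstuff".
SAMPLE = (struct.pack(">HHHBB", 1, 0, 15, 1, 16)
          + struct.pack(">HHB", 0, 4, 8) + b"badstuff")

if __name__ == "__main__":
    print(parse_adu(SAMPLE))
    print(rule_matches(SAMPLE, "write_multiple_registers", 1, b"badstuff"))
```

Bytes that follow the end of the frame, as given by the MBAP Length field, are excluded from the Data field in this model, so they cannot satisfy the content check.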



Eugene Misnik 2013-05-08