diff options
| author | Luca Deri <deri@ntop.org> | 2024-02-16 15:48:34 +0100 |
|---|---|---|
| committer | Luca Deri <deri@ntop.org> | 2024-02-16 15:48:34 +0100 |
| commit | 23536ff77a5175797d419470755d3904997927ab (patch) | |
| tree | 45c7baecafb64e8dedfe496bde99c2f05c3dcbe6 | |
| parent | d1aed7b39101414de004a54ee1d769f7ce0d1e2d (diff) | |
Improved modbus dissection to discard false positives
| -rw-r--r-- | src/lib/protocols/modbus.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/src/lib/protocols/modbus.c b/src/lib/protocols/modbus.c index e57b0d69e..d0b6bd593 100644 --- a/src/lib/protocols/modbus.c +++ b/src/lib/protocols/modbus.c @@ -46,8 +46,9 @@ static void ndpi_search_modbus_tcp(struct ndpi_detection_module_struct *ndpi_str u_int16_t modbus_len = htons(*((u_int16_t*)&packet->payload[4])); // the fourth parameter of the payload is the length of the segment - if((modbus_len-1) == (packet->payload_packet_len - 7 /* ModbusTCP header len */)) { - /* Check Modbus function code. 0x5A (90) is reserved for UMAS protocol */ + if(((modbus_len-1) == (packet->payload_packet_len - 7 /* ModbusTCP header len */)) + && (packet->payload[2] == 0x0) && (packet->payload[3] == 0x0) /* Protocol identifier */) { + /* Check Modbus function code. 0x5A (90) is reserved for UMAS protocol */ if (packet->payload[7] == 0x5A) { NDPI_LOG_INFO(ndpi_struct, "found Schneider Electric UMAS\n"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_UMAS, NDPI_PROTOCOL_MODBUS, NDPI_CONFIDENCE_DPI); |