Cisco Firepower Management Center 4000

FireSIGHT System User Guide
Chapter 25    Using Application Layer Preprocessors
Working with SCADA Preprocessors
Step 9
Save your policy, continue editing, discard your changes, revert to the default configuration settings in the base policy, or exit while leaving your changes in the system cache. See the table for more information.
Working with SCADA Preprocessors
License: Protection
Supervisory Control and Data Acquisition (SCADA) protocols monitor, control, and acquire data from industrial, infrastructure, and facility processes such as manufacturing, production, water treatment, electric power distribution, airport and shipping systems, and so on. The FireSIGHT System provides preprocessors for the Modbus and DNP3 SCADA protocols.
See the following sections for more information:
  • Configuring the Modbus Preprocessor
  • Configuring the DNP3 Preprocessor
Configuring the Modbus Preprocessor
License: Protection
The Modbus protocol, which was first published in 1979 by Modicon, is a widely used SCADA protocol. The Modbus preprocessor detects anomalies in Modbus traffic and decodes the Modbus protocol for processing by the rules engine, which uses Modbus keywords to access certain protocol fields. See for more information.
A single configuration option allows you to modify the default setting for the port that the preprocessor inspects for Modbus traffic.

You must enable the Modbus preprocessor rules in the following table if you want these rules to generate events. See for information on enabling rules.

Note the following information regarding the use of the Modbus preprocessor:
Table 25-13    Modbus Preprocessor Rules

Preprocessor Rule GID:SID    Description

144:1    Generates an event when the length in the Modbus header does not match the length required by the Modbus function code. Each Modbus function has an expected format for requests and responses. If the length of the message does not match the expected format, this event is generated.

144:2    Generates an event when the Modbus protocol ID is non-zero. The protocol ID field is used for multiplexing other protocols with Modbus. Because the preprocessor does not process these other protocols, this event is generated instead.

144:3    Generates an event when the preprocessor detects a reserved Modbus function code.
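The three checks in Table 25-13 map directly onto fields of the Modbus/TCP frame: the MBAP header carries a transaction ID, a protocol ID (always 0 for Modbus), a length field counting the bytes that follow it, and a unit ID, after which the PDU starts with the function code. The following Python script is an added illustration written for this page; it is not FireSIGHT or Snort preprocessor code. It parses constructed sample frames and reports which of the three rule IDs (144:1, 144:2, 144:3) would fire. The table of expected request sizes covers only the common fixed-length request functions, the reserved function code set is taken from the public Modbus Application Protocol specification rather than from the preprocessor, and the `inspect_modbus_tcp` and `run_samples` names are the example's own.

```python
import struct
from typing import Dict, List

# Modbus/TCP framing (for the checks below):
#   MBAP header: transaction id (2) | protocol id (2) | length (2) | unit id (1)
#   PDU:         function code (1) | data (...)
# The length field counts every byte after itself: unit id + function code + data.
MBAP_AND_FUNC_LEN = 8  # bytes up to and including the function code

# Expected data length (bytes after the function code) for fixed-length request PDUs.
# Assumption for this example: only these request functions are length-validated;
# variable-length requests (e.g. 0x0F/0x10 multi-write) are only framing-checked.
FIXED_REQUEST_DATA_LEN = {
    0x01: 4,  # Read Coils: start address (2) + quantity (2)
    0x02: 4,  # Read Discrete Inputs
    0x03: 4,  # Read Holding Registers
    0x04: 4,  # Read Input Registers
    0x05: 4,  # Write Single Coil: address (2) + value (2)
    0x06: 4,  # Write Single Register
}

# Function codes listed as reserved in the public Modbus Application Protocol
# specification (assumption: used here as the reserved set, not the preprocessor's own table).
RESERVED_FUNCTION_CODES = {9, 10, 13, 14, 41, 42, 90, 91, 125, 126, 127}


def inspect_modbus_tcp(frame: bytes) -> List[str]:
    """Return the GID:SID labels from Table 25-13 that one Modbus/TCP frame would trigger."""
    if len(frame) < MBAP_AND_FUNC_LEN:
        # Header plus function code cannot be parsed; report it as a framing problem.
        return ["truncated"]
    _tid, proto_id, length, _unit_id, func = struct.unpack("!HHHBB", frame[:MBAP_AND_FUNC_LEN])
    alerts: List[str] = []

    # 144:1 - the header length must match the bytes actually present, and the
    # data must have the size the function code requires.
    bytes_after_length_field = len(frame) - 6
    data_len = len(frame) - MBAP_AND_FUNC_LEN
    if func & 0x80:
        expected = 1  # exception response: function | 0x80 followed by one exception-code byte
    else:
        expected = FIXED_REQUEST_DATA_LEN.get(func)
    if length != bytes_after_length_field or (expected is not None and data_len != expected):
        alerts.append("144:1")

    # 144:2 - a non-zero protocol ID means something other than Modbus is multiplexed here.
    if proto_id != 0:
        alerts.append("144:2")

    # 144:3 - reserved function code.
    if func in RESERVED_FUNCTION_CODES:
        alerts.append("144:3")
    return alerts


# Constructed sample frames (not captures from the guide).
SAMPLE_FRAMES: Dict[str, bytes] = {
    # Read Holding Registers request: tid=1, proto=0, len=6, unit=1, func=3, addr=0, qty=10
    "well_formed_request": struct.pack("!HHHBBHH", 1, 0, 6, 1, 3, 0, 10),
    # Same request with the length field understating the payload
    "bad_header_length": struct.pack("!HHHBBHH", 2, 0, 5, 1, 3, 0, 10),
    # Length field matches the bytes present, but the function's data is two bytes short
    "short_function_data": struct.pack("!HHHBBH", 3, 0, 4, 1, 3, 0),
    # Protocol ID 1 instead of 0
    "nonzero_protocol_id": struct.pack("!HHHBBHH", 4, 1, 6, 1, 3, 0, 10),
    # Reserved function code 9 with consistent framing
    "reserved_function": struct.pack("!HHHBB", 5, 0, 2, 1, 9),
    # Exception response to function 3 (0x83) with exception code 2
    "exception_response": struct.pack("!HHHBBB", 6, 0, 3, 1, 0x83, 0x02),
    # Everything wrong at once: proto 5, length 9 for a 2-byte payload, reserved code 126
    "all_three": struct.pack("!HHHBB", 7, 5, 9, 1, 126),
}


def run_samples() -> Dict[str, List[str]]:
    """Inspect every constructed frame and return the alerts per sample name."""
    return {name: inspect_modbus_tcp(frame) for name, frame in SAMPLE_FRAMES.items()}


if __name__ == "__main__":
    for name, alerts in run_samples().items():
        print(f"{name:22s} -> {alerts or ['no alert']}")
```

The length rule is deliberately split into two conditions: a header length that disagrees with the bytes on the wire is a framing fault regardless of function code, whereas a consistent frame whose data is the wrong size for its function is the "expected format" mismatch the table describes. Both conditions report the same rule ID, as the preprocessor does.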