Cisco Firepower Management Center 2000

FireSIGHT System User Guide
 
Chapter 32: Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules

modbus_data

You can use the modbus_data keyword to point to the beginning of the Data field in a Modbus request or response.

To point to the beginning of the Modbus Data field:

Access: Admin/Intrusion Admin

Step 1  On the Create Rule page, select modbus_data from the drop-down list and click Add Option.

The modbus_data keyword appears.

The modbus_data keyword has no arguments.

modbus_func

You can use the modbus_func keyword to match against the Function Code field in a Modbus application layer request or response header. You can specify either a single defined decimal value or a single defined string for a Modbus function code.

The following table lists the defined values and strings recognized by the system for Modbus function codes.

Table 32-42  Modbus Function Codes

Value   String
1       read_coils
2       read_discrete_inputs
3       read_holding_registers
4       read_input_registers
5       write_single_coil
6       write_single_register
7       read_exception_status
8       diagnostics
11      get_comm_event_counter
12      get_comm_event_log
15      write_multiple_coils
16      write_multiple_registers
17      report_slave_id
20      read_file_record
21      write_file_record
22      mask_write_register
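
The following added example (not from the Cisco guide, and not the system's own implementation) shows which bytes of a Modbus/TCP frame the modbus_func and modbus_data keywords refer to, using the function code names from the table above. It assumes standard Modbus/TCP framing (a 7-byte MBAP header followed by the function code); the names parse_modbus_tcp and match_func and the sample frame are constructed for illustration.

```python
import struct

# Function code names exactly as listed in Table 32-42 on this page.
MODBUS_FUNC = {
    1: "read_coils", 2: "read_discrete_inputs", 3: "read_holding_registers",
    4: "read_input_registers", 5: "write_single_coil",
    6: "write_single_register", 7: "read_exception_status", 8: "diagnostics",
    11: "get_comm_event_counter", 12: "get_comm_event_log",
    15: "write_multiple_coils", 16: "write_multiple_registers",
    17: "report_slave_id", 20: "read_file_record", 21: "write_file_record",
    22: "mask_write_register",
}
NAME_TO_CODE = {name: code for code, name in MODBUS_FUNC.items()}
MBAP_LEN = 7  # transaction id (2) + protocol id (2) + length (2) + unit id (1)


def parse_modbus_tcp(adu: bytes):
    """Return (function_code, data_offset, data), or None if not Modbus/TCP."""
    if len(adu) < MBAP_LEN + 1:
        return None  # too short to hold a header plus a function code
    _tid, proto, length, _unit = struct.unpack(">HHHB", adu[:MBAP_LEN])
    # Length counts the unit id plus the PDU, so it must agree with the frame.
    if proto != 0 or 6 + length != len(adu):
        return None
    data_offset = MBAP_LEN + 1  # Data field starts right after the function code
    return adu[MBAP_LEN], data_offset, adu[data_offset:]


def match_func(adu: bytes, arg) -> bool:
    """Hypothetical stand-in for a modbus_func test: arg is a value or a string."""
    parsed = parse_modbus_tcp(adu)
    if parsed is None:
        return False
    wanted = NAME_TO_CODE.get(arg) if isinstance(arg, str) else int(arg)
    return parsed[0] == wanted


# Constructed sample: write_single_coil request, coil 0x00AC set to 0xFF00.
SAMPLE = bytes.fromhex("000100000006" "11" "05" "00ac" "ff00")

if __name__ == "__main__":
    func, off, data = parse_modbus_tcp(SAMPLE)
    print(func, MODBUS_FUNC.get(func, "undefined"), off, data.hex())
    print(match_func(SAMPLE, "write_single_coil"), match_func(SAMPLE, 3))
```
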