Cisco FirePOWER Appliance 8390
FireSIGHT System User Guide
Chapter 25 Using Application Layer Preprocessors
Working with SCADA Preprocessors
Step 9
Save your policy, continue editing, discard your changes, revert to the default configuration settings in
the base policy, or exit while leaving your changes in the system cache. See the
table for more information.
Working with SCADA Preprocessors
License:
Protection
Supervisory Control and Data Acquisition (SCADA) protocols monitor, control, and acquire data from
industrial, infrastructure, and facility processes such as manufacturing, production, water treatment,
electric power distribution, airport and shipping systems, and so on. The FireSIGHT System provides
preprocessors for the Modbus and DNP3 SCADA protocols.
See the following sections for more information:
Configuring the Modbus Preprocessor
License:
Protection
The Modbus protocol, which was first published in 1979 by Modicon, is a widely used SCADA protocol.
The Modbus preprocessor detects anomalies in Modbus traffic and decodes the Modbus protocol for
processing by the rules engine, which uses Modbus keywords to access certain protocol fields. See
for more information.
A single configuration option allows you to modify the default setting for the port that the preprocessor
inspects for Modbus traffic.
You must enable the Modbus preprocessor rules in the following table if you want these rules to generate
events. See
for information on enabling rules.
Note the following information regarding the use of the Modbus preprocessor:
Table 25-13 Modbus Preprocessor Rules

| Preprocessor Rule GID:SID | Description |
|---|---|
| 144:1 | Generates an event when the length in the Modbus header does not match the length required by the Modbus function code. Each Modbus function has an expected format for requests and responses. If the length of the message does not match the expected format, this event is generated. |
| 144:2 | Generates an event when the Modbus protocol ID is non-zero. The protocol ID field is used for multiplexing other protocols with Modbus. Because the preprocessor does not process these other protocols, this event is generated instead. |
| 144:3 | Generates an event when the preprocessor detects a reserved Modbus function code. |
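
The three conditions in Table 25-13, written as checks on a Modbus/TCP request frame. This is an added example, not Cisco's preprocessor code: the function names, the reserved-code set (taken from the Modbus Application Protocol specification) and the limited set of request formats it knows are assumptions, and the sample frames are constructed.

```python
import struct

# Reserved function codes from the Modbus Application Protocol specification
# (assumption: the preprocessor's own list is not given on this page).
RESERVED_FUNCS = {9, 10, 13, 14, 41, 42, 90, 91, 125, 126, 127}
FIXED_REQ_PDU = {1: 5, 2: 5, 3: 5, 4: 5, 5: 5, 6: 5}  # function code -> PDU bytes
MBAP = struct.Struct(">HHHBB")  # transaction id, protocol id, length, unit id, function


def required_length(func, frame):
    """MBAP length a request must carry; None = format not covered, -1 = truncated."""
    if func in FIXED_REQ_PDU:
        return 1 + FIXED_REQ_PDU[func]  # unit id + PDU
    if func in (15, 16):  # write multiple coils/registers: variable length
        if len(frame) < 13:
            return -1  # byte-count field missing, so no length can match
        return 1 + 6 + frame[12]  # unit id + fixed part + declared byte count
    return None


def inspect_request(frame):
    """Return the Table 25-13 GID:SIDs that a Modbus/TCP request would match."""
    if len(frame) < MBAP.size:
        raise ValueError("truncated MBAP header")
    _tid, proto_id, length, _unit, func = MBAP.unpack_from(frame)
    if proto_id != 0:
        return ["144:2"]  # multiplexed protocol: not decoded any further
    hits = []
    required = required_length(func, frame)
    if required is not None and length != required:
        hits.append("144:1")  # header length disagrees with the function's format
    if func in RESERVED_FUNCS:
        hits.append("144:3")
    return hits


# Constructed sample frames (hex), not captured traffic.
SAMPLES = {
    "read holding registers, well formed": "00010000000601030000000a",
    "read holding registers, length 9": "00010000000901030000000a",
    "protocol id 1": "00010001000601030000000a",
    "reserved function 0x5a": "000100000002015a",
    "write multiple registers, well formed": "00010000000b01100000000204000a0102",
    "write multiple registers, byte count 8": "00010000000b01100000000208000a0102",
}

if __name__ == "__main__":
    for name, hexframe in SAMPLES.items():
        print(f"{name}: {inspect_request(bytes.fromhex(hexframe)) or 'no event'}")
```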