Cisco Cisco FirePOWER Appliance 8390
FireSIGHT System User Guide
Chapter 32 Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
modbus_data
You can use the modbus_data keyword to point to the beginning of the Data field in a Modbus request or response.
To point to the beginning of the Modbus Data field:
Access: Admin/Intrusion Admin
Step 1 On the Create Rule page, select modbus_data from the drop-down list and click Add Option.
The modbus_data keyword appears.
The modbus_data keyword has no arguments.
modbus_func
You can use the modbus_func keyword to match against the Function Code field in a Modbus application layer request or response header. You can specify either a single defined decimal value or a single defined string for a Modbus function code.
The following table lists the defined values and strings recognized by the system for Modbus function codes.
Table 32-42 Modbus Function Codes
Value   String
1       read_coils
2       read_discrete_inputs
3       read_holding_registers
4       read_input_registers
5       write_single_coil
6       write_single_register
7       read_exception_status
8       diagnostics
11      get_comm_event_counter
12      get_comm_event_log
15      write_multiple_coils
16      write_multiple_registers
17      report_slave_id
20      read_file_record
21      write_file_record
22      mask_write_register
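The following added example (not code from the guide or from the product) shows which bytes the modbus_func and modbus_data keywords refer to in a request, for rule authors checking a capture by hand. It assumes Modbus/TCP framing with a 7-byte MBAP header, which this section does not state; parse_adu, resolve_func_arg, match_rule, data_prefix and SAMPLE are hypothetical names, and the sample frame is constructed.

```python
import struct

# Values and strings from Table 32-42.
MODBUS_FUNCS = {
    1: "read_coils", 2: "read_discrete_inputs", 3: "read_holding_registers",
    4: "read_input_registers", 5: "write_single_coil", 6: "write_single_register",
    7: "read_exception_status", 8: "diagnostics", 11: "get_comm_event_counter",
    12: "get_comm_event_log", 15: "write_multiple_coils",
    16: "write_multiple_registers", 17: "report_slave_id",
    20: "read_file_record", 21: "write_file_record", 22: "mask_write_register",
}
FUNC_BY_NAME = {name: code for code, name in MODBUS_FUNCS.items()}

# Assumption: Modbus/TCP, so a 7-byte MBAP header precedes the function code:
# transaction id (2), protocol id (2), length (2), unit id (1).
MBAP_LEN = 7


def parse_adu(frame: bytes):
    """Return (function_code, data_offset), or None if the frame is malformed."""
    if len(frame) < MBAP_LEN + 1:
        return None
    _tid, proto, length, _unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    # Protocol id is 0 for Modbus; length covers unit id + function code + data.
    if proto != 0 or length < 2 or len(frame) < 6 + length:
        return None
    return frame[MBAP_LEN], MBAP_LEN + 1


def resolve_func_arg(arg: str) -> int:
    """Accept one decimal value or one string from the table, per the text above."""
    code = int(arg) if arg.isdigit() else FUNC_BY_NAME.get(arg)
    if code not in MODBUS_FUNCS:
        raise ValueError(f"not a defined Modbus function code: {arg!r}")
    return code


def match_rule(frame: bytes, func_arg: str, data_prefix: bytes = b"") -> bool:
    """modbus_func compares the Function Code; modbus_data marks where Data starts.
    data_prefix stands in for a content match placed right after modbus_data."""
    parsed = parse_adu(frame)
    if parsed is None:
        return False
    code, data_off = parsed
    return code == resolve_func_arg(func_arg) and frame[data_off:].startswith(data_prefix)


# Constructed sample: write_single_coil request, coil 0x00AC set to 0xFF00.
SAMPLE = bytes.fromhex("000100000006110500acff00")
```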