Modbus – Slave Device Busy Exception Code Delay

This Snort rule detects a specific byte pattern in Modbus TCP traffic: an exception response (function code with the high bit set) carrying exception code 06, Slave Device Busy, sent from TCP port 502. Repeated responses of this kind can indicate a protocol violation or an attack scenario against Modbus communication. When three matching packets are seen from the same source within 60 seconds, an alert is raised.

Categories:

ID Number

4000007

Signature

alert tcp any 502 -> any any (content:"|00 00|"; depth:2; offset:2; content:"|06|"; depth:1; offset:8; byte_test:1,>=,0x80,7; msg:"Modbus - Slave Device Busy Exception Code Delay"; threshold:type threshold, track by_src, count 3, seconds 60; reference:url,digitalbond.com/tools/quickdraw/modbus-tcp-rules; classtype:successful-dos; sid:4000007; priority:2; )

MITRE ATT&CK Technique

-

Severity

medium

Recommendations/Investigative actions

Identify the source and destination and check whether these endpoints should be exchanging Modbus traffic, that is, whether they are a PLC, an HMI, or a SCADA server. The traffic may be legitimate and generated by industrial software. It is recommended to investigate the PCAP and consult with OT engineers.
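The following Python script is an added example, not part of the original rule page or of the Quickdraw rule set it references. It re-implements the signature's matching logic (protocol identifier 0x0000 at offset 2, function code at offset 7 with the exception bit set, exception code 0x06 at offset 8, source port 502) and its per-source threshold of 3 hits in 60 seconds, and runs it over a handful of constructed Modbus/TCP frames so an analyst can see exactly which frames the rule fires on and which it ignores.

```python
"""
Added example (not from the original page): a small re-implementation of the
Snort signature's detection logic for Modbus/TCP "Slave Device Busy" exception
responses, including the by_src threshold (count 3, seconds 60).

Modbus/TCP frame layout (7-byte MBAP header followed by the PDU):
  offset 0-1: transaction id
  offset 2-3: protocol id (0x0000 = Modbus)
  offset 4-5: length of the remaining bytes
  offset 6:   unit id
  offset 7:   function code (0x80 bit set on exception responses)
  offset 8:   exception code (only present on exception responses)
"""
from collections import defaultdict, deque

SLAVE_DEVICE_BUSY = 0x06   # Modbus exception code 06
THRESHOLD_COUNT = 3        # threshold: count 3
THRESHOLD_SECONDS = 60     # threshold: seconds 60
MODBUS_PORT = 502


def is_slave_busy_exception(payload: bytes) -> bool:
    """Mirror the rule's content/byte_test checks on one TCP payload."""
    if len(payload) < 9:
        return False
    if payload[2:4] != b"\x00\x00":        # content:"|00 00|"; depth:2; offset:2
        return False
    if payload[7] < 0x80:                  # byte_test:1,>=,0x80,7
        return False
    return payload[8] == SLAVE_DEVICE_BUSY  # content:"|06|"; depth:1; offset:8


class BusyExceptionDetector:
    """Track matching frames per source and alert on 3 hits within 60 seconds."""

    def __init__(self):
        self._hits = defaultdict(deque)  # src_ip -> timestamps of matching frames

    def observe(self, src_ip, src_port, ts, payload):
        """Return an alert string when the threshold is crossed, else None."""
        if src_port != MODBUS_PORT or not is_slave_busy_exception(payload):
            return None
        window = self._hits[src_ip]
        window.append(ts)
        while window and ts - window[0] > THRESHOLD_SECONDS:
            window.popleft()               # drop hits older than the window
        if len(window) >= THRESHOLD_COUNT:
            window.clear()                 # start a fresh window after alerting
            return (f"ALERT sid:4000007 Modbus - Slave Device Busy Exception "
                    f"Code Delay src={src_ip}")
        return None


def mbap_exception(func_code, exc_code, tid=1, unit=1):
    """Build a constructed Modbus/TCP exception response frame."""
    pdu = bytes([func_code | 0x80, exc_code])
    length = 1 + len(pdu)                  # unit id + PDU
    return (tid.to_bytes(2, "big") + b"\x00\x00" + length.to_bytes(2, "big")
            + bytes([unit]) + pdu)


def run_sample():
    """Feed constructed frames through the detector; returns the alerts raised."""
    det = BusyExceptionDetector()
    # (src_ip, src_port, timestamp in seconds, payload) -- all values constructed
    frames = [
        ("10.0.0.5", 502, 0.0, mbap_exception(0x03, 0x06)),   # busy, hit 1
        ("10.0.0.5", 502, 5.0, mbap_exception(0x03, 0x02)),   # illegal data address, no hit
        ("10.0.0.5", 502, 10.0, mbap_exception(0x03, 0x06)),  # busy, hit 2
        ("10.0.0.5", 502, 20.0, mbap_exception(0x10, 0x06)),  # busy, hit 3 -> alert
        # normal Read Holding Registers request; function code < 0x80, no hit
        ("10.0.0.9", 502, 21.0, b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x02"),
        ("10.0.0.9", 502, 200.0, mbap_exception(0x03, 0x06)), # single hit, no alert
    ]
    return [a for a in (det.observe(*f) for f in frames) if a]


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The detector deliberately keys only on the source address, as the rule's `track by_src` does, so a busy PLC answering several masters counts its exception responses together; when triaging, compare the destination addresses of the matching frames to see whether a single client is responsible.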