Modbus TCP – Invalid Modbus Function Code

This alert is triggered when a Modbus TCP packet with an invalid or unsupported function code is detected. Function codes in Modbus are used to perform specific operations, and values exceeding 0x5A are considered invalid, potentially indicating misconfigured devices or malicious activity.

Categories:

ID Number

4000012

Signature

alert tcp any any -> any 502 (content:"|00 00|"; depth:2; offset:2; byte_test:1,>,0x5A,7; msg:"Modbus TCP - Invalid Modbus Function Code"; sid:4000012; priority:2; rev:1;)
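
The following Python sketch is an added example, not part of the original rule set. It mirrors the three conditions in the signature (destination port 502, protocol ID bytes 00 00 at offset 2, byte at offset 7 greater than 0x5A) and runs them over constructed sample packets. The helper names, addresses and sample frames are assumptions, and only the first Modbus ADU in each TCP payload is inspected.

```python
import struct

MODBUS_PORT = 502
MAX_FUNCTION_CODE = 0x5A  # threshold from byte_test:1,>,0x5A,7


def build_adu(function_code, data=b"", tid=1, protocol_id=0, unit=1):
    """Build a constructed Modbus TCP ADU (MBAP header + function code + data)."""
    return struct.pack(">HHHBB", tid, protocol_id, len(data) + 2, unit, function_code) + data


def signature_matches(dst_port, payload):
    """Mirror the rule's three conditions on one TCP payload."""
    if dst_port != MODBUS_PORT:             # "-> any 502"
        return False
    if len(payload) < 8:                    # byte 7 absent: byte_test cannot match
        return False
    if payload[2:4] != b"\x00\x00":         # content:"|00 00|"; offset:2; depth:2
        return False
    return payload[7] > MAX_FUNCTION_CODE   # strict ">", so 0x5A itself passes


def triage(packets):
    """Return (src, unit_id, function_code) for every packet that would alert."""
    hits = []
    for src, dst_port, payload in packets:
        if signature_matches(dst_port, payload):
            hits.append((src, payload[6], payload[7]))
    return hits


# Constructed sample traffic: (source address, destination port, TCP payload)
SAMPLE = [
    ("10.0.0.5", 502, build_adu(0x03, b"\x00\x00\x00\x02")),   # Read Holding Registers
    ("10.0.0.5", 502, build_adu(0x5A)),                        # boundary value, no alert
    ("10.0.0.9", 502, build_adu(0x5B, unit=7)),                # above threshold, alerts
    ("10.0.0.9", 502, build_adu(0x63, protocol_id=1)),         # protocol ID not 0, no alert
    ("10.0.0.9", 502, build_adu(0x63)[:7]),                    # truncated before byte 7
    ("10.0.0.20", 49152, build_adu(0x83, b"\x02")),            # exception response leaving port 502
]

if __name__ == "__main__":
    for src, unit, fc in triage(SAMPLE):
        print(f"alert sid:4000012 src={src} unit={unit} function_code=0x{fc:02X}")
```

Exception responses carry the request's function code with the high bit set (0x80 and above), but they travel from port 502 rather than to it, so the rule's direction keeps them from alerting.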

Severity

Medium

Recommendations/Investigative actions

Identify the source of the Modbus traffic and check whether the device sending the invalid request is misconfigured or potentially compromised. Block traffic with invalid Modbus function codes to prevent potential disruptions or attacks.