Modbus.TCP.Function.Code.Scan

Description

This indicates an attempt to probe a Modbus TCP server to determine what type of device and function code support is available.
Modbus TCP is a request/response protocol commonly used in SCADA and DCS networks for process control. Each request includes a function code that determines the type of request, such as read, write, or administrative. If the Modbus TCP server does not support the function code, it responds with an error function code and exception code 01. It would be unusual for an authorized HMI or server to issue a request with a function code that is not supported. Some vendors support vendor-specific function codes, so a function code scan could allow an attacker to identify the field equipment vendor and model. This rule triggers when 3 exception code 01 responses are received in 60 seconds, which is likely to happen when an attacker is probing for device type and function code support during the reconnaissance phase of an attack.
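The threshold described above can be reproduced over captured Modbus TCP responses. The following is an added example, not the vendor's signature: it parses the MBAP header, recognizes exception code 01 responses, and applies the 3-in-60-seconds rule. Counting per client/server pair, the tuple input format, and the sample traffic are assumptions of this sketch.

```python
import struct
from collections import defaultdict, deque

THRESHOLD, WINDOW_SECONDS = 3, 60   # values from the rule description
ILLEGAL_FUNCTION = 0x01             # Modbus exception code 01

def rejected_function(adu: bytes):
    """Rejected function code if adu is an exception code 01 response, else None."""
    if len(adu) < 9:                # 7-byte MBAP header + function + exception code
        return None
    _tid, proto, length, _unit = struct.unpack(">HHHB", adu[:7])
    if proto != 0 or length != 3:   # protocol id 0; unit id + 2-byte exception PDU
        return None
    function, exception = adu[7], adu[8]
    if function & 0x80 and exception == ILLEGAL_FUNCTION:
        return function & 0x7F      # error responses set the top bit of the request code
    return None

def detect_scans(responses):
    """Alerts from time-ordered (seconds, client, server, adu) tuples, per client/server pair."""
    recent, alerts = defaultdict(deque), []
    for ts, client, server, adu in responses:
        code = rejected_function(adu)
        if code is None:
            continue
        window = recent[(client, server)]
        window.append((ts, code))
        while ts - window[0][0] > WINDOW_SECONDS:
            window.popleft()        # drop responses older than the window
        if len(window) >= THRESHOLD:
            alerts.append((ts, client, server, [c for _, c in window]))
            window.clear()
    return alerts

def exception_adu(tid, function, code):   # helper for the constructed samples
    return struct.pack(">HHHBBB", tid, 0, 3, 1, function | 0x80, code)

# Constructed sample traffic (addresses and function codes are made up).
SAMPLE = [
    (0,  "192.0.2.5", "192.0.2.20", exception_adu(1, 0x41, 1)),
    (1,  "192.0.2.9", "192.0.2.20", exception_adu(7, 0x03, 2)),  # code 02, not counted
    (2,  "192.0.2.7", "192.0.2.20", exception_adu(4, 0x42, 1)),
    (5,  "192.0.2.5", "192.0.2.20", exception_adu(2, 0x42, 1)),
    (9,  "192.0.2.5", "192.0.2.20", exception_adu(3, 0x43, 1)),  # third within 60 s
    (40, "192.0.2.7", "192.0.2.20", exception_adu(5, 0x43, 1)),
    (90, "192.0.2.7", "192.0.2.20", exception_adu(6, 0x44, 1)),  # first one has aged out
]

if __name__ == "__main__":
    print(detect_scans(SAMPLE))
```

Only the client that draws three rejections inside the window is reported; the slower client and the exception code 02 response do not trigger.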

Affected Products

Modbus servers, such as PLCs and RTUs.

Impact

System compromise: reconnaissance.

Recommended Actions

Deploy access control lists or firewalls to only allow access from authorized IP addresses.

Telemetry

Coverage

IPS (Regular DB)
IPS (Extended DB)