Hello,
I have a question about the use of app-layer-protocol:modbus. I use this in my rule in combination with a content match and a byte test, however it matches bytes in the IPV4 layer which causes a lot of FP’s. I thought when using the app-layer-protocol it starts from the MBAP header (MODBUS payload). Any advice on this would be highly appreciated!