Hello everyone,
I’m currently testing Suricata 8.0.0 with Siemens S7Comm traffic (port 102/tcp), but I’m having trouble getting any alert to trigger — even though the Rust s7comm parser appears to be correctly registered at startup.
Environment:
Suricata version: 8.0.0 (compiled from source)
Build options: default + Rust enabled
OS: Ubuntu 22.04 LTS
Run mode: offline (-r s7.pcap)
Config path: /usr/local/etc/suricata/suricata.yaml
Rule path: /usr/local/var/lib/suricata/rules/s7comm.rules
s7comm:
  enabled: yes
  detection-ports:
    dp: 102
rule:
alert tcp any any -> any 102 (msg:"[TEST] S7Comm traffic detected"; app-layer-protocol:s7comm; sid:1000001; rev:1;)
Startup logs show that both s7 and s7comm parsers are registered
…but no alerts are generated when running:
sudo suricata -r s7.pcap -c /usr/local/etc/suricata/suricata.yaml -v
What I’ve verified:
The parser loads (Rust s7comm parser registered).
The PCAP contains valid S7Comm packets (COTP -> S7Comm -> Job Function [Setup Communication]).
Other rules (e.g., alert tcp any any -> any 102) trigger correctly.
The issue persists even with very simple content rules, e.g.:
alert tcp any any -> any 102 (msg:"S7Comm detected"; content:"|03 00 00|"; sid:1000002; rev:1;)
No "app-layer-event" or "decoder event" related to S7Comm is shown in the logs.
Question
Is the S7Comm Rust parser fully implemented in Suricata 8.0.0 for detection rules?
If so, could someone confirm the correct rule syntax or provide a working example of a functional S7Comm rule? I can share a small .pcap sample if needed.
Thanks in advance for your help and for maintaining Suricata’s ICS support!
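Added example, not part of the post above and not Suricata project code: a stand-alone Python script that builds a known-good test capture for this kind of rule and decodes the bytes the rule has to match. It writes a classic pcap containing one constructed TCP/102 session (three-way handshake, COTP Connection Request/Confirm, an S7Comm Job with function 0xF0 Setup Communication, and the PLC's ACK) with valid IPv4 and TCP checksums, so it can be fed to `suricata -r` exactly like the poster's own pcap. IP addresses, MACs, ports, sequence numbers and TSAPs are made up; the byte layout of TPKT (RFC 1006), COTP DT and the S7 Job header is the public wire format, but only the 10-byte Job/Ack header is decoded here. Nothing in it asserts how Suricata's s7comm parser behaves; it only gives you a capture whose contents you know for certain.

```python
import socket
import struct

# Added example (not the poster's code): constructed S7Comm session as a pcap,
# plus a decoder for the TPKT -> COTP -> S7 header chain. All addresses,
# ports, sequence numbers and TSAPs are made up.

SYN, ACK, PSH = 0x02, 0x10, 0x08

# COTP Connection Request (0xE0) and Connection Confirm (0xD0), hand-built:
# TPKT(4) + LI + code + dst-ref + src-ref + class + TSAP/TPDU-size parameters.
COTP_CR = bytes.fromhex("03000016" "11e0" "0000" "0001" "00" "c1020100" "c2020102" "c0010a")
COTP_CC = bytes.fromhex("03000016" "11d0" "0001" "0002" "00" "c0010a" "c1020100" "c2020102")

# S7Comm Setup Communication request: TPKT + COTP DT + S7 header + parameters.
S7_SETUP = bytes.fromhex(
    "03000019"                   # TPKT: version 3, reserved, total length 25
    "02f080"                     # COTP DT: LI 2, code 0xF0, TPDU number 0 + EOT
    "3201" "0000" "0000"         # S7: protocol id 0x32, ROSCTR 1 (Job), reserved, PDU ref 0
    "0008" "0000"                # parameter length 8, data length 0
    "f000" "0001" "0001" "01e0"  # function 0xF0 Setup Communication, AmQ 1/1, PDU size 480
)


def parse_s7(payload):
    """Decode TPKT -> COTP -> S7 (Job/Ack header only); S7 fields stay None for non-DT TPDUs."""
    if len(payload) < 6 or payload[0] != 0x03:
        raise ValueError("not a TPKT packet")
    tpkt_len = struct.unpack("!H", payload[2:4])[0]
    if tpkt_len != len(payload):
        raise ValueError("TPKT length does not match payload")
    cotp_li, cotp_type = payload[4], payload[5] & 0xF0
    out = {"tpkt_len": tpkt_len, "cotp_type": cotp_type,
           "rosctr": None, "param_len": None, "data_len": None, "function": None}
    s7 = payload[5 + cotp_li:]
    if cotp_type == 0xF0 and len(s7) >= 10 and s7[0] == 0x32:
        out["rosctr"] = s7[1]
        out["param_len"], out["data_len"] = struct.unpack("!HH", s7[6:10])
        if out["param_len"]:
            out["function"] = s7[10]   # first parameter byte is the function code
    return out


def checksum(data):
    """RFC 1071 one's-complement checksum used by IPv4 and TCP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def tcp_frame(src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b""):
    """Ethernet/IPv4/TCP frame with valid checksums (fixed dummy MACs, no TCP options)."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp) + len(payload))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp + payload)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     1, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + tcp + payload


def checksums_ok(frame):
    """Re-verify the IPv4 and TCP checksums of a frame produced by tcp_frame."""
    ip, seg = frame[14:34], frame[34:]
    pseudo = ip[12:16] + ip[16:20] + struct.pack("!BBH", 0, 6, len(seg))
    return checksum(ip) == 0 and checksum(pseudo + seg) == 0


def build_session():
    """Client 192.0.2.10:49152 -> PLC 192.0.2.20:102 (constructed, RFC 5737 test addresses)."""
    c, s, cp, sp = "192.0.2.10", "192.0.2.20", 49152, 102
    cseq, sseq = 1000, 5000
    frames = [
        tcp_frame(c, s, cp, sp, cseq, 0, SYN),
        tcp_frame(s, c, sp, cp, sseq, cseq + 1, SYN | ACK),
        tcp_frame(c, s, cp, sp, cseq + 1, sseq + 1, ACK),
    ]
    cseq, sseq = cseq + 1, sseq + 1
    for sender, payload in (("c", COTP_CR), ("s", COTP_CC), ("c", S7_SETUP)):
        if sender == "c":
            frames.append(tcp_frame(c, s, cp, sp, cseq, sseq, PSH | ACK, payload))
            cseq += len(payload)
        else:
            frames.append(tcp_frame(s, c, sp, cp, sseq, cseq, PSH | ACK, payload))
            sseq += len(payload)
    frames.append(tcp_frame(s, c, sp, cp, sseq, cseq, ACK))  # PLC acknowledges the S7 request
    return frames


def pcap_bytes(frames):
    """Serialize frames as a classic pcap (LINKTYPE_ETHERNET), one frame per millisecond."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000, i * 1000, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    frames = build_session()
    with open("s7-setup.pcap", "wb") as fh:
        fh.write(pcap_bytes(frames))
    print(parse_s7(S7_SETUP))
    # The posted content rule keys on |03 00 00|: the TPKT version byte plus the zero
    # high byte of its length, which every short TPKT/COTP PDU in this capture carries.
    print(all(p.startswith(b"\x03\x00\x00") for p in (COTP_CR, COTP_CC, S7_SETUP)))
```

Run it, then point the poster's own command at the output (`suricata -r s7-setup.pcap -c /usr/local/etc/suricata/suricata.yaml -v`): because the capture contains a full handshake and correct checksums, a miss on the `|03 00 00|` content rule against it rules out a damaged or midstream capture as the cause, and the decoded fields from `parse_s7` tell you exactly which ROSCTR and function code the S7 rule would have to match.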