Prevent non-Modbus on port 502 to be reported as Modbus

This commit prevents most non-Modbus TCP traffic on port 502 from being
reported as Modbus in conn.log as well as in modbus.log.
To do so, we have introduced two &enforce checks in the Modbus
protocol definition that check that some specific fields of the
(supposedly) Modbus header are compatible with the values specified in
the specs.

To ensure non-regression, with this commit we also introduce a
new btest.

Closes #3962
Emmanuele Zambon 2024-10-21 14:40:45 +02:00
parent 1e24980901
commit 05d92dc2a5
7 changed files with 74 additions and 7 deletions


@ -90,8 +90,8 @@ type ModbusTCP_PDU(is_orig: bool) = record {
type ModbusTCP_TransportHeader = record { type ModbusTCP_TransportHeader = record {
tid: uint16; # Transaction identifier tid: uint16; # Transaction identifier
pid: uint16; # Protocol identifier pid: uint16 &enforce(pid == 0); # Protocol identifier
len: uint16; # Length of everything after this field len: uint16 &enforce(len >= 2); # Length of everything after this field
uid: uint8; # Unit identifier (previously 'slave address') uid: uint8; # Unit identifier (previously 'slave address')
fc: uint8; # MODBUS function code (see function_codes enum) fc: uint8; # MODBUS function code (see function_codes enum)
} &byteorder=bigendian, &let { } &byteorder=bigendian, &let {
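Review bot: The new `&enforce(len >= 2)` on the `len` field bounds the MBAP length only from below, so a frame whose length field claims far more than a Modbus/TCP ADU can carry still passes both checks and reaches the PDU parser. The spec caps the ADU at 260 bytes and the length field counts the unit identifier plus the PDU, so the same line can reject those frames as well: `len: uint16 &enforce(len >= 2 && len <= 254); # Length of everything after this field`. Whichever bounds are kept, the rationale belongs next to the checks, e.g. `# pid is always 0 for Modbus/TCP; len counts uid + PDU, so 2 <= len <= 254 per the spec`, because a reader who meets the "&enforce violation : ModbusTCP_TransportHeader:pid" messages in analyzer.log will look here first. The record's `&let` block continues outside the hunk.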


@ -11,15 +11,15 @@ XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.235 2582 166.161.16.230 502 0 1 u
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.235 2582 166.161.16.230 502 0 1 unknown-29 REQ - XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.235 2582 166.161.16.230 502 0 1 unknown-29 REQ -
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.235 2582 166.161.16.230 502 0 1 unknown-160 RESP - XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.235 2582 166.161.16.230 502 0 1 unknown-160 RESP -
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.235 2582 166.161.16.230 502 0 1 unknown-33 REQ - XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.235 2582 166.161.16.230 502 0 1 unknown-33 REQ -
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.235 2582 166.161.16.230 502 0 0 WRITE_SINGLE_REGISTER REQ -
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.235 2582 166.161.16.230 502 0 1 unknown-162 RESP -
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.235 2582 166.161.16.230 502 21504 1 unknown-35 REQ - XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.235 2582 166.161.16.230 502 21504 1 unknown-35 REQ -
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.235 2582 166.161.16.230 502 0 1 unknown-36 REQ - XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.235 2582 166.161.16.230 502 0 1 unknown-36 REQ -
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.235 2582 166.161.16.230 502 0 1 unknown-37 REQ - XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.235 2582 166.161.16.230 502 0 1 unknown-37 REQ -
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.235 2582 166.161.16.230 502 0 0 unknown-38 REQ - XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.235 2582 166.161.16.230 502 0 0 unknown-38 REQ -
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.235 2582 166.161.16.230 502 0 1 unknown-175 RESP - XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.235 2582 166.161.16.230 502 0 1 unknown-175 RESP -
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.235 2582 166.161.16.230 502 0 1 unknown-179 RESP - XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.235 2582 166.161.16.230 502 0 1 unknown-179 RESP -
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.235 2582 166.161.16.230 502 12032 0 unknown-0 REQ - XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.235 2582 166.161.16.230 502 0 1 unknown-54 REQ -
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.235 2582 166.161.16.230 502 0 0 unknown-0 REQ - XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.235 2582 166.161.16.230 502 37 1 unknown-71 REQ -
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.235 2582 166.161.16.230 502 0 1 unknown-165 RESP - XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.235 2582 166.161.16.230 502 0 1 unknown-63 REQ -
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.235 2582 166.161.16.230 502 0 1 unknown-65 REQ -
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.235 2582 166.161.16.230 502 0 1 unknown-71 REQ -
#close XXXX-XX-XX-XX-XX-XX #close XXXX-XX-XX-XX-XX-XX


@ -0,0 +1,20 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path analyzer
#open XXXX-XX-XX-XX-XX-XX
#fields ts cause analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p failure_reason failure_data
#types time string string string string string addr port addr port string string
XXXXXXXXXX.XXXXXX violation protocol MODBUS ClEkJM2Vm5giqnMf4h - 87.236.176.106 38129 192.168.10.111 502 Binpac exception: binpac exception: &enforce violation : ModbusTCP_TransportHeader:pid -
XXXXXXXXXX.XXXXXX violation protocol MODBUS ClEkJM2Vm5giqnMf4h - 87.236.176.106 38129 192.168.10.111 502 Binpac exception: binpac exception: &enforce violation : ModbusTCP_TransportHeader:pid -
XXXXXXXXXX.XXXXXX violation protocol MODBUS C4J4Th3PJpwUYZZ6gc - 87.236.176.96 60175 192.168.10.111 502 Binpac exception: binpac exception: &enforce violation : ModbusTCP_TransportHeader:pid -
XXXXXXXXXX.XXXXXX violation protocol MODBUS C4J4Th3PJpwUYZZ6gc - 87.236.176.96 60175 192.168.10.111 502 Binpac exception: binpac exception: &enforce violation : ModbusTCP_TransportHeader:pid -
XXXXXXXXXX.XXXXXX violation protocol MODBUS CtPZjS20MLrsMUOJi2 - 66.175.213.4 58380 192.168.10.111 502 Binpac exception: binpac exception: &enforce violation : ModbusTCP_TransportHeader:pid -
XXXXXXXXXX.XXXXXX violation protocol MODBUS CtPZjS20MLrsMUOJi2 - 66.175.213.4 58380 192.168.10.111 502 Binpac exception: binpac exception: &enforce violation : ModbusTCP_TransportHeader:pid -
XXXXXXXXXX.XXXXXX violation protocol MODBUS CP5puj4I8PtEU4qzYg - 159.203.208.13 33752 192.168.10.113 502 Binpac exception: binpac exception: &enforce violation : ModbusTCP_TransportHeader:pid -
XXXXXXXXXX.XXXXXX violation protocol MODBUS CP5puj4I8PtEU4qzYg - 159.203.208.13 33752 192.168.10.113 502 Binpac exception: binpac exception: &enforce violation : ModbusTCP_TransportHeader:pid -
XXXXXXXXXX.XXXXXX violation protocol MODBUS C37jN32gN3y3AZzyf6 - 62.122.184.123 7488 192.168.10.111 502 Binpac exception: binpac exception: &enforce violation : ModbusTCP_TransportHeader:pid -
XXXXXXXXXX.XXXXXX violation protocol MODBUS C37jN32gN3y3AZzyf6 - 62.122.184.123 7488 192.168.10.111 502 Binpac exception: binpac exception: &enforce violation : ModbusTCP_TransportHeader:pid -
#close XXXX-XX-XX-XX-XX-XX


@ -0,0 +1,18 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path conn
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.9 3082 10.0.0.3 502 tcp modbus 177.095534 72 69 SF T T 0 ShADdFaf 16 720 9 437 -
XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 87.236.176.106 38129 192.168.10.111 502 tcp dce_rpc 5.102604 72 9 SF F T 0 ShADadFf 6 392 4 225 -
XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 87.236.176.96 60175 192.168.10.111 502 tcp - 5.052092 44 9 SF F T 0 ShADadFf 6 364 4 225 -
XXXXXXXXXX.XXXXXX CtPZjS20MLrsMUOJi2 66.175.213.4 58380 192.168.10.111 502 tcp ssl 59.999857 138 9 SF F T 0 ShADadFf 9 610 7 377 -
XXXXXXXXXX.XXXXXX CUM0KZ3MLUfNB0cl11 198.74.56.135 60293 192.168.10.111 502 tcp - 0.117322 0 0 RSTO F T 0 ShR 2 80 1 44 -
XXXXXXXXXX.XXXXXX CmES5u32sYpV7JYN 198.74.56.135 60293 192.168.10.111 502 tcp - 0.000054 109 0 RSTRH F T 0 Dr 1 149 1 40 -
XXXXXXXXXX.XXXXXX CP5puj4I8PtEU4qzYg 159.203.208.13 33752 192.168.10.113 502 tcp - 0.470159 24 9 SF F T 0 ShADadFf 6 344 4 225 -
XXXXXXXXXX.XXXXXX C37jN32gN3y3AZzyf6 62.122.184.123 7488 192.168.10.111 502 tcp - 30.159557 43 9 SF F T 0 ShADadFf 6 295 4 181 -
#close XXXX-XX-XX-XX-XX-XX


@ -0,0 +1,22 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path modbus
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tid unit func pdu_type exception
#types time string addr port addr port count count string string string
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.9 3082 10.0.0.3 502 1 10 READ_COILS REQ -
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.9 3082 10.0.0.3 502 1 10 READ_COILS RESP -
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.9 3082 10.0.0.3 502 1 10 READ_COILS REQ -
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.9 3082 10.0.0.3 502 1 10 READ_COILS RESP -
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.9 3082 10.0.0.3 502 1 10 READ_HOLDING_REGISTERS REQ -
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.9 3082 10.0.0.3 502 1 10 READ_HOLDING_REGISTERS RESP -
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.9 3082 10.0.0.3 502 1 10 WRITE_SINGLE_COIL REQ -
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.9 3082 10.0.0.3 502 1 10 WRITE_SINGLE_COIL RESP -
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.9 3082 10.0.0.3 502 1 10 WRITE_SINGLE_COIL REQ -
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.9 3082 10.0.0.3 502 1 10 WRITE_SINGLE_COIL RESP -
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.9 3082 10.0.0.3 502 1 10 WRITE_SINGLE_REGISTER REQ -
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.9 3082 10.0.0.3 502 1 10 WRITE_SINGLE_REGISTER RESP -
#close XXXX-XX-XX-XX-XX-XX


@ -0,0 +1,7 @@
# @TEST-EXEC: zeek -r $TRACES/modbus/modbus-and-non-modbus-p502.pcap
# @TEST-EXEC: btest-diff conn.log
# @TEST-EXEC: btest-diff modbus.log
# @TEST-EXEC: btest-diff analyzer.log
# The pcap has non Modbus traffic (i.e., DCERPC, HTTP, Magellan, NFS, RDP, TLS) on TCP port 502.
# This traffic should not be labelled as Modbus in conn.log, and not generate any Modbus events.
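Review bot: The header comment describes only the negative case, yet the baselines compared by the three `btest-diff` lines also cover one genuine Modbus session (the conn.log baseline records a `modbus` service for the 10.0.0.9 to 10.0.0.3 connection and the modbus.log baseline lists its requests and responses), so a reader of this file alone cannot tell that a positive control is intended. Stating it makes the test's purpose explicit, e.g. `# The pcap also carries one genuine Modbus session, which must still be labelled modbus in conn.log and produce modbus.log entries.` after the line starting `# This traffic should not be labelled`. The first comment line could also spell `non Modbus` as `non-Modbus`, matching the pcap name.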