Merge remote-tracking branch 'origin/topic/timw/3184-modbus-extensions'

* origin/topic/timw/3184-modbus-extensions:
  Pass parsed file record information with ReadFile/WriteFile events
  Add length field from header to ModbusHeaders record type
  Modbus: Add support for Encapsulation Interface Transport (FC=2B) requests and responses
  Modbus: Add support for Diagnostics (FC=8) requests and responses
Tim Wojtulewicz 2023-08-08 10:55:03 -07:00
commit 16a69864b4
22 changed files with 91261 additions and 90911 deletions

10
CHANGES

@ -1,3 +1,13 @@
6.1.0-dev.284 | 2023-08-08 10:55:03 -0700
* Pass parsed file record information with ReadFile/WriteFile events (Tim Wojtulewicz, Corelight)
* Add length field from header to ModbusHeaders record type (Tim Wojtulewicz, Corelight)
* Modbus: Add support for Encapsulation Interface Transport (FC=2B) requests and responses (Tim Wojtulewicz, Corelight)
* Modbus: Add support for Diagnostics (FC=8) requests and responses (Tim Wojtulewicz, Corelight)
6.1.0-dev.272 | 2023-08-07 09:41:34 -0700 6.1.0-dev.272 | 2023-08-07 09:41:34 -0700
* Change VERSION variable in CMake config to ZEEK_VERSION_FULL (Tim Wojtulewicz, Corelight) * Change VERSION variable in CMake config to ZEEK_VERSION_FULL (Tim Wojtulewicz, Corelight)


@ -1 +1 @@
6.1.0-dev.272 6.1.0-dev.284


@ -4436,8 +4436,39 @@ type ModbusHeaders: record {
uid: count; uid: count;
## MODBUS function code ## MODBUS function code
function_code: count; function_code: count;
## Length of the application PDU following the header plus
## one byte for the uid field.
len: count;
}; };
type ModbusFileRecordRequest: record {
ref_type: count;
file_num: count;
record_num: count;
record_len: count;
};
type ModbusFileRecordRequests: vector of ModbusFileRecordRequest;
type ModbusFileRecordResponse: record {
file_len: count;
ref_type: count;
record_data: string;
};
type ModbusFileRecordResponses: vector of ModbusFileRecordResponse;
type ModbusFileReference: record {
ref_type: count;
file_num: count;
record_num: count;
record_len: count;
record_data: string;
};
type ModbusFileReferences: vector of ModbusFileReference;
module SSL; module SSL;
export { export {
type SignatureAndHashAlgorithm: record { type SignatureAndHashAlgorithm: record {
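Review bot: The new record types `ModbusFileRecordRequest`, `ModbusFileRecordResponse` and `ModbusFileReference` are added with no `##` comments on the types or their fields, while the `len` field added just above them is documented. Script writers handling the new file-record events get no hint about units, which matters because the parser on this page reads `record_data` as `record_length*2` bytes for the write records. I would add field comments such as `## Record length in two-byte registers; record_data holds twice this many bytes.` on `ModbusFileReference$record_len`. I would also add `## Raw record bytes as received from the wire.` on both `record_data` fields.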


@ -79,4 +79,3 @@ event modbus_exception(c: connection, headers: ModbusHeaders, code: count) &prio
Log::write(LOG, c$modbus); Log::write(LOG, c$modbus);
delete c$modbus$exception; delete c$modbus$exception;
} }


@ -191,9 +191,11 @@ event modbus_write_multiple_registers_response%(c: connection, headers: ModbusHe
## ##
## headers: The headers for the modbus function. ## headers: The headers for the modbus function.
## ##
## .. note: This event is incomplete. The information from the data structure ## byte_count: The full byte count for all of the reference records that follow.
## is not yet passed through to the event. ##
event modbus_read_file_record_request%(c: connection, headers: ModbusHeaders%); ## refs: A vector of reference records.
event modbus_read_file_record_request%(c: connection, headers: ModbusHeaders, byte_count: count, refs: ModbusFileRecordRequests%);
event modbus_read_file_record_request%(c: connection, headers: ModbusHeaders%) &deprecated="Remove in v7.1. Use the version that takes a byte_count and vector of references";
## Generated for a Modbus read file record response. ## Generated for a Modbus read file record response.
## ##
@ -201,9 +203,11 @@ event modbus_read_file_record_request%(c: connection, headers: ModbusHeaders%);
## ##
## headers: The headers for the modbus function. ## headers: The headers for the modbus function.
## ##
## .. note: This event is incomplete. The information from the data structure ## byte_count: The full byte count for all of the reference records that follow.
## is not yet passed through to the event. ##
event modbus_read_file_record_response%(c: connection, headers: ModbusHeaders%); ## refs: A vector of reference records.
event modbus_read_file_record_response%(c: connection, headers: ModbusHeaders, byte_count: count, refs: ModbusFileRecordResponses%);
event modbus_read_file_record_response%(c: connection, headers: ModbusHeaders%) &deprecated="Remove in v7.1. Use the version that takes a byte_count and vector of references";
## Generated for a Modbus write file record request. ## Generated for a Modbus write file record request.
## ##
@ -211,9 +215,11 @@ event modbus_read_file_record_response%(c: connection, headers: ModbusHeaders%);
## ##
## headers: The headers for the modbus function. ## headers: The headers for the modbus function.
## ##
## .. note: This event is incomplete. The information from the data structure ## byte_count: The full byte count for all of the reference records that follow.
## is not yet passed through to the event. ##
event modbus_write_file_record_request%(c: connection, headers: ModbusHeaders%); ## refs: A vector of reference records.
event modbus_write_file_record_request%(c: connection, headers: ModbusHeaders, byte_count: count, refs: ModbusFileReferences%);
event modbus_write_file_record_request%(c: connection, headers: ModbusHeaders%) &deprecated="Remove in v7.1. Use the version that takes a byte_count and vector of references";
## Generated for a Modbus write file record response. ## Generated for a Modbus write file record response.
## ##
@ -221,9 +227,11 @@ event modbus_write_file_record_request%(c: connection, headers: ModbusHeaders%);
## ##
## headers: The headers for the modbus function. ## headers: The headers for the modbus function.
## ##
## .. note: This event is incomplete. The information from the data structure ## byte_count: The full byte count for all of the reference records that follow.
## is not yet passed through to the event. ##
event modbus_write_file_record_response%(c: connection, headers: ModbusHeaders%); ## refs: A vector of reference records.
event modbus_write_file_record_response%(c: connection, headers: ModbusHeaders, byte_count: count, refs: ModbusFileReferences%);
event modbus_write_file_record_response%(c: connection, headers: ModbusHeaders%) &deprecated="Remove in v7.1. Use the version that takes a byte_count and vector of references";
## Generated for a Modbus mask write register request. ## Generated for a Modbus mask write register request.
## ##
@ -294,3 +302,46 @@ event modbus_read_fifo_queue_request%(c: connection, headers: ModbusHeaders, sta
## fifos: The register values read from the FIFO queue on the device. ## fifos: The register values read from the FIFO queue on the device.
event modbus_read_fifo_queue_response%(c: connection, headers: ModbusHeaders, fifos: ModbusRegisters%); event modbus_read_fifo_queue_response%(c: connection, headers: ModbusHeaders, fifos: ModbusRegisters%);
## Generated for a Modbus Diagnostics request.
##
## c: The connection.
##
## headers: The headers for the modbus function.
##
## subfunction: The subfunction for the diagnostics request.
##
## data: The data passed in the diagnostics request.
event modbus_diagnostics_request%(c: connection, headers: ModbusHeaders, subfunction: count, data: string%);
## Generated for a Modbus Diagnostics response.
##
## c: The connection.
##
## headers: The headers for the modbus function.
##
## subfunction: The subfunction for the diagnostics response.
##
## data: The data passed in the diagnostics response.
event modbus_diagnostics_response%(c: connection, headers: ModbusHeaders, subfunction: count, data: string%);
## Generated for a Modbus Encapsulated Interface Transport request.
##
## c: The connection.
##
## headers: The headers for the modbus function.
##
## mei_type: The MEI type for the request.
##
## data: The MEI type specific data passed in the request.
event modbus_encap_interface_transport_request%(c: connection, headers: ModbusHeaders, mei_type: count, data: string%);
## Generated for a Modbus Encapsulated Interface Transport response.
##
## c: The connection.
##
## headers: The headers for the modbus function.
##
## mei_type: The MEI type for the response.
##
## data: The MEI type specific data passed in the response.
event modbus_encap_interface_transport_response%(c: connection, headers: ModbusHeaders, mei_type: count, data: string%);
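Review bot: The `byte_count` description on the four file-record events does not say that the value is the field as sent by the peer. The analyzer section on this page passes `${message.byte_count}` straight through, and nothing visible here compares it with the size of `refs`. A handler could reasonably assume the two agree, whereas a mismatch is exactly what a detection script would want to notice. I would extend the comment, for example `## byte_count: The byte count field from the message; it is reported as received and may not match the records in *refs*.`, if the parser indeed does not enforce consistency. The same applies to `data` on the diagnostics and encapsulated-interface events, which is the unparsed remainder of the PDU.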


@ -34,6 +34,7 @@
modbus_header->Assign(1, header->pid()); modbus_header->Assign(1, header->pid());
modbus_header->Assign(2, header->uid()); modbus_header->Assign(2, header->uid());
modbus_header->Assign(3, header->fc()); modbus_header->Assign(3, header->fc());
modbus_header->Assign(4, header->len());
return modbus_header; return modbus_header;
} }
@ -355,6 +356,93 @@ refine flow ModbusTCP_Flow += {
%} %}
# REQUEST FC=8
function deliver_DiagnosticsRequest(header: ModbusTCP_TransportHeader, message: DiagnosticsRequest): bool
%{
if ( ::modbus_diagnostics_request )
{
auto data = to_stringval(${message.data});
// Data should always be a multiple of two bytes. For everything except
// "Return Query Data (0x00)" it should be two bytes long.
if ( data->Len() < 2 || data->Len() % 2 != 0 ||
(${message.subfunction} != DIAGNOSTICS_RETURN_QUERY_DATA && data->Len() != 2) )
{
zeek::reporter->Weird("modbus_diag_invalid_request_data",
zeek::util::fmt("%s", data->CheckString()));
}
switch (${message.subfunction})
{
case DIAGNOSTICS_RESTART_COMMUNICATIONS_OPTION:
// For "Restart Communications Option" it's either 0x0000 or 0xFF00.
if ( ( data->Bytes()[0] != 0x00 && data->Bytes()[0] != 0xFF ) ||
data->Bytes()[1] != 0x00 )
{
zeek::reporter->Weird("modbus_diag_invalid_request_data",
zeek::util::fmt("%s", data->CheckString()));
}
break;
case DIAGNOSTICS_RETURN_DIAGNOSTIC_REGISTER:
case DIAGNOSTICS_FORCE_LISTEN_ONLY_MODE:
case DIAGNOSTICS_CLEAR_COUNTERS_AND_DIAGNOSTIC_REGISTER:
case DIAGNOSTICS_RETURN_BUS_MESSAGE_COUNT:
case DIAGNOSTICS_RETURN_BUS_COMMUNICATION_ERROR_COUNT:
case DIAGNOSTICS_RETURN_BUS_EXCEPTION_ERROR_COUNT:
case DIAGNOSTICS_RETURN_SERVER_MESSAGE_COUNT:
case DIAGNOSTICS_RETURN_SERVER_NO_RESPONSE_COUNT:
case DIAGNOSTICS_RETURN_SERVER_NAK_COUNT:
case DIAGNOSTICS_RETURN_SERVER_BUSY_COUNT:
case DIAGNOSTICS_RETURN_BUS_CHARACTER_OVERRUN_COUNT:
case DIAGNOSTICS_CLEAR_OVERRUN_COUNTER_AND_FLAG:
// For all of these subfunctions, the data should be 0x0000.
if ( data->Bytes()[0] != 0x00 || data->Bytes()[1] != 0x00 )
{
zeek::reporter->Weird("modbus_diag_invalid_request_data",
zeek::util::fmt("%s", data->CheckString()));
}
break;
case DIAGNOSTICS_CHANGE_ASCII_INPUT_DELIMITER:
// For "Change ASCII Input Delimiter", it should be an ascii character
// followed by a zero.
if ( ! isascii(data->Bytes()[0]) || data->Bytes()[1] != 0x00 )
{
zeek::reporter->Weird("modbus_diag_invalid_request_data",
zeek::util::fmt("%s", data->CheckString()));
}
break;
default:
zeek::reporter->Weird("modbus_diag_unknown_request_subfunction",
zeek::util::fmt("%d", ${message.subfunction}));
break;
}
zeek::BifEvent::enqueue_modbus_diagnostics_request(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
HeaderToVal(header),
${message.subfunction}, to_stringval(${message.data}));
}
return true;
%}
# RESPONSE FC=8
function deliver_DiagnosticsResponse(header: ModbusTCP_TransportHeader, message: DiagnosticsResponse): bool
%{
if ( ::modbus_diagnostics_response )
{
zeek::BifEvent::enqueue_modbus_diagnostics_response(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
HeaderToVal(header),
${message.subfunction}, to_stringval(${message.data}));
}
return true;
%}
# REQUEST FC=15 # REQUEST FC=15
function deliver_WriteMultipleCoilsRequest(header: ModbusTCP_TransportHeader, message: WriteMultipleCoilsRequest): bool function deliver_WriteMultipleCoilsRequest(header: ModbusTCP_TransportHeader, message: WriteMultipleCoilsRequest): bool
%{ %{
@ -433,23 +521,23 @@ refine flow ModbusTCP_Flow += {
%{ %{
if ( ::modbus_read_file_record_request ) if ( ::modbus_read_file_record_request )
{ {
//TODO: this need to be a vector of some Reference Request record type auto vect = zeek::make_intrusive<zeek::VectorVal>(zeek::BifType::Vector::ModbusFileRecordRequests);
//auto t = create_vector_of_count();
//for ( unsigned int i = 0; i < (${message.references}->size()); ++i ) for ( unsigned int i = 0; i < (${message.references}->size()); ++i )
// { {
// auto r = zeek::val_mgr->Count((${message.references[i].ref_type})); auto r = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::ModbusFileRecordRequest);
// t->Assign(i, r);
// r->Assign(0, zeek::val_mgr->Count(${message.references[i].ref_type}));
// auto k = zeek::val_mgr->Count((${message.references[i].file_num})); r->Assign(1, zeek::val_mgr->Count(${message.references[i].file_num}));
// t->Assign(i, k); r->Assign(2, zeek::val_mgr->Count(${message.references[i].record_num}));
// r->Assign(3, zeek::val_mgr->Count(${message.references[i].record_len}));
// auto l = zeek::val_mgr->Count((${message.references[i].record_num}));
// t->Assign(i, l); vect->Append(r);
// } }
zeek::BifEvent::enqueue_modbus_read_file_record_request(connection()->zeek_analyzer(), zeek::BifEvent::enqueue_modbus_read_file_record_request(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
HeaderToVal(header)); HeaderToVal(header), ${message.byte_count}, vect);
} }
return true; return true;
@ -460,17 +548,22 @@ refine flow ModbusTCP_Flow += {
%{ %{
if ( ::modbus_read_file_record_response ) if ( ::modbus_read_file_record_response )
{ {
//auto t = create_vector_of_count(); auto vect = zeek::make_intrusive<zeek::VectorVal>(zeek::BifType::Vector::ModbusFileRecordResponses);
//for ( unsigned int i = 0; i < ${message.references}->size(); ++i )
// { for ( unsigned int i = 0; i < (${message.references}->size()); ++i )
// //TODO: work the reference type in here somewhere {
// auto r = zeek::val_mgr->Count(${message.references[i].record_data})); auto r = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::ModbusFileRecordResponse);
// t->Assign(i, r);
// } r->Assign(0, zeek::val_mgr->Count(${message.references[i].file_len}));
r->Assign(1, zeek::val_mgr->Count(${message.references[i].ref_type}));
r->Assign(2, to_stringval(${message.references[i].record_data}));
vect->Append(r);
}
zeek::BifEvent::enqueue_modbus_read_file_record_response(connection()->zeek_analyzer(), zeek::BifEvent::enqueue_modbus_read_file_record_response(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
HeaderToVal(header)); HeaderToVal(header), ${message.byte_count}, vect);
} }
return true; return true;
@ -481,60 +574,50 @@ refine flow ModbusTCP_Flow += {
%{ %{
if ( ::modbus_write_file_record_request ) if ( ::modbus_write_file_record_request )
{ {
//auto t = create_vector_of_count(); auto vect = zeek::make_intrusive<zeek::VectorVal>(zeek::BifType::Vector::ModbusFileReferences);
//for ( unsigned int i = 0; i < (${message.references}->size()); ++i )
// { for ( unsigned int i = 0; i < (${message.references}->size()); ++i )
// auto r = zeek::val_mgr->Count((${message.references[i].ref_type})); {
// t->Assign(i, r); auto r = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::ModbusFileReference);
// r->Assign(0, zeek::val_mgr->Count(${message.references[i].ref_type}));
// auto k = zeek::val_mgr->Count((${message.references[i].file_num})); r->Assign(1, zeek::val_mgr->Count(${message.references[i].file_num}));
// t->Assign(i, k); r->Assign(2, zeek::val_mgr->Count(${message.references[i].record_num}));
// r->Assign(3, zeek::val_mgr->Count(${message.references[i].record_length}));
// auto n = zeek::val_mgr->Count((${message.references[i].record_num})); r->Assign(4, to_stringval(${message.references[i].record_data}));
// t->Assign(i, n);
// vect->Append(r);
// for ( unsigned int j = 0; j < (${message.references[i].register_value}->size()); ++j ) }
// {
// k = zeek::val_mgr->Count((${message.references[i].register_value[j]}));
// t->Assign(i, k);
// }
// }
zeek::BifEvent::enqueue_modbus_write_file_record_request(connection()->zeek_analyzer(), zeek::BifEvent::enqueue_modbus_write_file_record_request(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
HeaderToVal(header)); HeaderToVal(header), ${message.byte_count}, vect);
} }
return true; return true;
%} %}
# RESPONSE FC=21 # RESPONSE FC=21
function deliver_WriteFileRecordResponse(header: ModbusTCP_TransportHeader, message: WriteFileRecordResponse): bool function deliver_WriteFileRecordResponse(header: ModbusTCP_TransportHeader, message: WriteFileRecordResponse): bool
%{ %{
if ( ::modbus_write_file_record_response ) if ( ::modbus_write_file_record_response )
{ {
//auto t = create_vector_of_count(); auto vect = zeek::make_intrusive<zeek::VectorVal>(zeek::BifType::Vector::ModbusFileReferences);
//for ( unsigned int i = 0; i < (${messages.references}->size()); ++i )
// { for ( unsigned int i = 0; i < (${message.references}->size()); ++i )
// auto r = zeek::val_mgr->Count((${message.references[i].ref_type})); {
// t->Assign(i, r); auto r = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::ModbusFileReference);
// r->Assign(0, zeek::val_mgr->Count(${message.references[i].ref_type}));
// auto f = zeek::val_mgr->Count((${message.references[i].file_num})); r->Assign(1, zeek::val_mgr->Count(${message.references[i].file_num}));
// t->Assign(i, f); r->Assign(2, zeek::val_mgr->Count(${message.references[i].record_num}));
// r->Assign(3, zeek::val_mgr->Count(${message.references[i].record_length}));
// auto rn = zeek::val_mgr->Count((${message.references[i].record_num})); r->Assign(4, to_stringval(${message.references[i].record_data}));
// t->Assign(i, rn);
// vect->Append(r);
// for ( unsigned int j = 0; j<(${message.references[i].register_value}->size()); ++j ) }
// {
// auto k = zeek::val_mgr->Count((${message.references[i].register_value[j]}));
// t->Assign(i, k);
// }
zeek::BifEvent::enqueue_modbus_write_file_record_response(connection()->zeek_analyzer(), zeek::BifEvent::enqueue_modbus_write_file_record_response(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
HeaderToVal(header)); HeaderToVal(header), ${message.byte_count}, vect);
} }
return true; return true;
@ -674,4 +757,31 @@ refine flow ModbusTCP_Flow += {
return true; return true;
%} %}
# REQUEST FC=2B
function deliver_EncapInterfaceTransportRequest(header: ModbusTCP_TransportHeader, message: EncapInterfaceTransportRequest): bool
%{
if ( ::modbus_encap_interface_transport_request )
{
zeek::BifEvent::enqueue_modbus_encap_interface_transport_request(
connection()->zeek_analyzer(), connection()->zeek_analyzer()->Conn(),
HeaderToVal(header), ${message.mei_type}, to_stringval(${message.data}));
}
return true;
%}
# RESPONSE FC=2B
function deliver_EncapInterfaceTransportResponse(header: ModbusTCP_TransportHeader, message: EncapInterfaceTransportResponse): bool
%{
if ( ::modbus_encap_interface_transport_response )
{
zeek::BifEvent::enqueue_modbus_encap_interface_transport_response(
connection()->zeek_analyzer(), connection()->zeek_analyzer()->Conn(),
HeaderToVal(header), ${message.mei_type}, to_stringval(${message.data}));
}
return true;
%}
}; };
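Review bot: In `deliver_DiagnosticsRequest`, the length check only raises the `modbus_diag_invalid_request_data` weird and then falls through into the `switch`, whose cases read `data->Bytes()[0]` and `data->Bytes()[1]` unconditionally. Because `data` is parsed as `bytestring &restofdata`, a request with fewer than two bytes after the subfunction would be indexed past its length. Make the `switch` the `else` branch of the length check, or guard it with `if ( data->Len() >= 2 )`, so the byte comparisons run only on data already known to be long enough. The final `enqueue_modbus_diagnostics_request` call can also reuse `data` instead of calling `to_stringval(${message.data})` a second time.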


@ -15,7 +15,7 @@ enum function_codes {
WRITE_SINGLE_COIL = 0x05, WRITE_SINGLE_COIL = 0x05,
WRITE_SINGLE_REGISTER = 0x06, WRITE_SINGLE_REGISTER = 0x06,
# READ_EXCEPTION_STATUS = 0x07, # READ_EXCEPTION_STATUS = 0x07,
# DIAGNOSTICS = 0x08, DIAGNOSTICS = 0x08,
# GET_COMM_EVENT_COUNTER = 0x0B, # GET_COMM_EVENT_COUNTER = 0x0B,
# GET_COMM_EVENT_LOG = 0x0C, # GET_COMM_EVENT_LOG = 0x0C,
WRITE_MULTIPLE_COILS = 0x0F, WRITE_MULTIPLE_COILS = 0x0F,
@ -48,6 +48,7 @@ enum function_codes {
WRITE_SINGLE_COIL_EXCEPTION = 0x85, WRITE_SINGLE_COIL_EXCEPTION = 0x85,
WRITE_SINGLE_REGISTER_EXCEPTION = 0x86, WRITE_SINGLE_REGISTER_EXCEPTION = 0x86,
READ_EXCEPTION_STATUS_EXCEPTION = 0x87, READ_EXCEPTION_STATUS_EXCEPTION = 0x87,
DIAGNOSTICS_EXCEPTION = 0x88,
WRITE_MULTIPLE_COILS_EXCEPTION = 0x8F, WRITE_MULTIPLE_COILS_EXCEPTION = 0x8F,
WRITE_MULTIPLE_REGISTERS_EXCEPTION = 0x90, WRITE_MULTIPLE_REGISTERS_EXCEPTION = 0x90,
READ_FILE_RECORD_EXCEPTION = 0x94, READ_FILE_RECORD_EXCEPTION = 0x94,
@ -55,6 +56,25 @@ enum function_codes {
MASK_WRITE_REGISTER_EXCEPTION = 0x96, MASK_WRITE_REGISTER_EXCEPTION = 0x96,
READ_WRITE_MULTIPLE_REGISTERS_EXCEPTION = 0x97, READ_WRITE_MULTIPLE_REGISTERS_EXCEPTION = 0x97,
READ_FIFO_QUEUE_EXCEPTION = 0x98, READ_FIFO_QUEUE_EXCEPTION = 0x98,
ENCAP_INTERFACE_TRANSPORT_EXCEPTION = 0xAB,
};
enum diagnostic_subfunctions {
DIAGNOSTICS_RETURN_QUERY_DATA = 0x00,
DIAGNOSTICS_RESTART_COMMUNICATIONS_OPTION = 0x01,
DIAGNOSTICS_RETURN_DIAGNOSTIC_REGISTER = 0x02,
DIAGNOSTICS_CHANGE_ASCII_INPUT_DELIMITER = 0x03,
DIAGNOSTICS_FORCE_LISTEN_ONLY_MODE = 0x04,
DIAGNOSTICS_CLEAR_COUNTERS_AND_DIAGNOSTIC_REGISTER = 0x0A,
DIAGNOSTICS_RETURN_BUS_MESSAGE_COUNT = 0x0B,
DIAGNOSTICS_RETURN_BUS_COMMUNICATION_ERROR_COUNT = 0x0C,
DIAGNOSTICS_RETURN_BUS_EXCEPTION_ERROR_COUNT = 0x0D,
DIAGNOSTICS_RETURN_SERVER_MESSAGE_COUNT = 0x0E,
DIAGNOSTICS_RETURN_SERVER_NO_RESPONSE_COUNT = 0x0F,
DIAGNOSTICS_RETURN_SERVER_NAK_COUNT = 0x10,
DIAGNOSTICS_RETURN_SERVER_BUSY_COUNT = 0x11,
DIAGNOSTICS_RETURN_BUS_CHARACTER_OVERRUN_COUNT = 0x12,
DIAGNOSTICS_CLEAR_OVERRUN_COUNTER_AND_FLAG = 0x14,
}; };
# Main Modbus/TCP PDU # Main Modbus/TCP PDU
@ -86,7 +106,7 @@ type ModbusTCP_Request(header: ModbusTCP_TransportHeader) = case header.fc of {
WRITE_SINGLE_COIL -> writeSingleCoil: WriteSingleCoilRequest(header); WRITE_SINGLE_COIL -> writeSingleCoil: WriteSingleCoilRequest(header);
WRITE_SINGLE_REGISTER -> writeSingleRegister: WriteSingleRegisterRequest(header); WRITE_SINGLE_REGISTER -> writeSingleRegister: WriteSingleRegisterRequest(header);
#READ_EXCEPTION_STATUS -> readExceptionStatus: ReadExceptionStatusRequest(header); #READ_EXCEPTION_STATUS -> readExceptionStatus: ReadExceptionStatusRequest(header);
#DIAGNOSTICS -> diagnostics: DiagnosticsRequest(header); DIAGNOSTICS -> diagnostics: DiagnosticsRequest(header);
#GET_COMM_EVENT_COUNTER -> getCommEventCounter: GetCommEventCounterRequest(header); #GET_COMM_EVENT_COUNTER -> getCommEventCounter: GetCommEventCounterRequest(header);
#GET_COMM_EVENT_LOG -> getCommEventLog: GetCommEventLogRequest(header); #GET_COMM_EVENT_LOG -> getCommEventLog: GetCommEventLogRequest(header);
WRITE_MULTIPLE_COILS -> writeMultipleCoils: WriteMultipleCoilsRequest(header); WRITE_MULTIPLE_COILS -> writeMultipleCoils: WriteMultipleCoilsRequest(header);
@ -97,7 +117,7 @@ type ModbusTCP_Request(header: ModbusTCP_TransportHeader) = case header.fc of {
MASK_WRITE_REGISTER -> maskWriteRegister: MaskWriteRegisterRequest(header); MASK_WRITE_REGISTER -> maskWriteRegister: MaskWriteRegisterRequest(header);
READ_WRITE_MULTIPLE_REGISTERS -> readWriteMultipleRegisters: ReadWriteMultipleRegistersRequest(header); READ_WRITE_MULTIPLE_REGISTERS -> readWriteMultipleRegisters: ReadWriteMultipleRegistersRequest(header);
READ_FIFO_QUEUE -> readFIFOQueue: ReadFIFOQueueRequest(header); READ_FIFO_QUEUE -> readFIFOQueue: ReadFIFOQueueRequest(header);
#ENCAP_INTERFACE_TRANSPORT ENCAP_INTERFACE_TRANSPORT -> encapInterfaceException: EncapInterfaceTransportRequest(header);
# All the rest # All the rest
default -> unknown: bytestring &restofdata; default -> unknown: bytestring &restofdata;
@ -113,7 +133,7 @@ type ModbusTCP_Response(header: ModbusTCP_TransportHeader) = case header.fc of {
WRITE_SINGLE_COIL -> writeSingleCoil: WriteSingleCoilResponse(header); WRITE_SINGLE_COIL -> writeSingleCoil: WriteSingleCoilResponse(header);
WRITE_SINGLE_REGISTER -> writeSingleRegister: WriteSingleRegisterResponse(header); WRITE_SINGLE_REGISTER -> writeSingleRegister: WriteSingleRegisterResponse(header);
#READ_EXCEPTION_STATUS -> readExceptionStatus: ReadExceptionStatusResponse(header); #READ_EXCEPTION_STATUS -> readExceptionStatus: ReadExceptionStatusResponse(header);
#DIAGNOSTICS -> diagnostics: DiagnosticsResponse(header); DIAGNOSTICS -> diagnostics: DiagnosticsResponse(header);
#GET_COMM_EVENT_COUNTER -> getCommEventCounter: GetCommEventCounterResponse(header); #GET_COMM_EVENT_COUNTER -> getCommEventCounter: GetCommEventCounterResponse(header);
#GET_COMM_EVENT_LOG -> getCommEventLog: GetCommEventLogResponse(header); #GET_COMM_EVENT_LOG -> getCommEventLog: GetCommEventLogResponse(header);
WRITE_MULTIPLE_COILS -> writeMultipleCoils: WriteMultipleCoilsResponse(header); WRITE_MULTIPLE_COILS -> writeMultipleCoils: WriteMultipleCoilsResponse(header);
@ -124,6 +144,7 @@ type ModbusTCP_Response(header: ModbusTCP_TransportHeader) = case header.fc of {
MASK_WRITE_REGISTER -> maskWriteRegister: MaskWriteRegisterResponse(header); MASK_WRITE_REGISTER -> maskWriteRegister: MaskWriteRegisterResponse(header);
READ_WRITE_MULTIPLE_REGISTERS -> readWriteMultipleRegisters: ReadWriteMultipleRegistersResponse(header); READ_WRITE_MULTIPLE_REGISTERS -> readWriteMultipleRegisters: ReadWriteMultipleRegistersResponse(header);
READ_FIFO_QUEUE -> readFIFOQueue: ReadFIFOQueueResponse(header); READ_FIFO_QUEUE -> readFIFOQueue: ReadFIFOQueueResponse(header);
ENCAP_INTERFACE_TRANSPORT -> encapInterfaceException: EncapInterfaceTransportResponse(header);
# Exceptions # Exceptions
READ_HOLDING_REGISTERS_EXCEPTION -> readHoldingRegistersException: Exception(header); READ_HOLDING_REGISTERS_EXCEPTION -> readHoldingRegistersException: Exception(header);
@ -134,12 +155,14 @@ type ModbusTCP_Response(header: ModbusTCP_TransportHeader) = case header.fc of {
WRITE_SINGLE_COIL_EXCEPTION -> writeCoilException: Exception(header); WRITE_SINGLE_COIL_EXCEPTION -> writeCoilException: Exception(header);
WRITE_SINGLE_REGISTER_EXCEPTION -> writeSingleRegisterException: Exception(header); WRITE_SINGLE_REGISTER_EXCEPTION -> writeSingleRegisterException: Exception(header);
READ_EXCEPTION_STATUS_EXCEPTION -> readExceptionStatusException: Exception(header); READ_EXCEPTION_STATUS_EXCEPTION -> readExceptionStatusException: Exception(header);
DIAGNOSTICS_EXCEPTION -> diagnosticsException: Exception(header);
WRITE_MULTIPLE_COILS_EXCEPTION -> forceMultipleCoilsException: Exception(header); WRITE_MULTIPLE_COILS_EXCEPTION -> forceMultipleCoilsException: Exception(header);
READ_FILE_RECORD_EXCEPTION -> readGeneralReferenceException: Exception(header); READ_FILE_RECORD_EXCEPTION -> readGeneralReferenceException: Exception(header);
WRITE_FILE_RECORD_EXCEPTION -> writeGeneralReferenceException: Exception(header); WRITE_FILE_RECORD_EXCEPTION -> writeGeneralReferenceException: Exception(header);
MASK_WRITE_REGISTER_EXCEPTION -> maskWriteRegisterException: Exception(header); MASK_WRITE_REGISTER_EXCEPTION -> maskWriteRegisterException: Exception(header);
READ_WRITE_MULTIPLE_REGISTERS_EXCEPTION -> readWriteRegistersException: Exception(header); READ_WRITE_MULTIPLE_REGISTERS_EXCEPTION -> readWriteRegistersException: Exception(header);
READ_FIFO_QUEUE_EXCEPTION -> readFIFOQueueException: Exception(header); READ_FIFO_QUEUE_EXCEPTION -> readFIFOQueueException: Exception(header);
ENCAP_INTERFACE_TRANSPORT_EXCEPTION -> encapInterfaceTransportException: Exception(header);
# All the rest # All the rest
default -> unknown: bytestring &restofdata; default -> unknown: bytestring &restofdata;
@ -247,6 +270,22 @@ type WriteSingleRegisterResponse(header: ModbusTCP_TransportHeader) = record {
deliver: bool = $context.flow.deliver_WriteSingleRegisterResponse(header, this); deliver: bool = $context.flow.deliver_WriteSingleRegisterResponse(header, this);
} &byteorder=bigendian; } &byteorder=bigendian;
# REQUEST FC=8
type DiagnosticsRequest(header: ModbusTCP_TransportHeader) = record {
subfunction: uint16;
data: bytestring &restofdata;
} &let {
deliver: bool = $context.flow.deliver_DiagnosticsRequest(header, this);
} &byteorder=bigendian;
# RESPONSE FC=8
type DiagnosticsResponse(header: ModbusTCP_TransportHeader) = record {
subfunction: uint16;
data: bytestring &restofdata;
} &let {
deliver: bool = $context.flow.deliver_DiagnosticsResponse(header, this);
} &byteorder=bigendian;
# REQUEST FC=15 # REQUEST FC=15
type WriteMultipleCoilsRequest(header: ModbusTCP_TransportHeader) = record { type WriteMultipleCoilsRequest(header: ModbusTCP_TransportHeader) = record {
start_address: uint16; start_address: uint16;
@ -305,7 +344,7 @@ type ReadFileRecordRequest(header: ModbusTCP_TransportHeader) = record {
type FileRecordResponse = record { type FileRecordResponse = record {
file_len: uint8; # &check(file_len >= 0x07 && file_len <= 0xF5); file_len: uint8; # &check(file_len >= 0x07 && file_len <= 0xF5);
ref_type: uint8; # &check(ref_type == 6); ref_type: uint8; # &check(ref_type == 6);
record_data: uint16[file_len/2] &length=file_len; record_data: bytestring &length=file_len;
} &byteorder=bigendian; } &byteorder=bigendian;
# RESPONSE FC=20 # RESPONSE FC=20
@ -321,8 +360,8 @@ type ReferenceWithData = record {
ref_type: uint8; ref_type: uint8;
file_num: uint16; file_num: uint16;
record_num: uint16; record_num: uint16;
word_count: uint16; record_length: uint16;
register_value: uint16[word_count]; record_data: bytestring &length=record_length*2;
} &byteorder=bigendian; } &byteorder=bigendian;
# REQUEST FC=21 # REQUEST FC=21
@ -394,3 +433,19 @@ type ReadFIFOQueueResponse(header: ModbusTCP_TransportHeader) = record {
} &let { } &let {
deliver: bool = $context.flow.deliver_ReadFIFOQueueResponse(header, this); deliver: bool = $context.flow.deliver_ReadFIFOQueueResponse(header, this);
} &byteorder=bigendian; } &byteorder=bigendian;
# REQUEST FC=2B
type EncapInterfaceTransportRequest(header: ModbusTCP_TransportHeader) = record {
mei_type: uint8;
data: bytestring &restofdata;
} &let {
deliver: bool = $context.flow.deliver_EncapInterfaceTransportRequest(header, this);
} &byteorder=bigendian;
# RESPONSE FC=2B
type EncapInterfaceTransportResponse(header: ModbusTCP_TransportHeader) = record {
mei_type: uint8;
data: bytestring &restofdata;
} &let {
deliver: bool = $context.flow.deliver_EncapInterfaceTransportResponse(header, this);
} &byteorder=bigendian;
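Review bot: `FileRecordResponse` still reads `record_data` with `&length=file_len`, but the commented-out check beside `file_len` (`>= 0x07 && <= 0xF5`, both odd) suggests that the length byte counts the one-byte `ref_type` plus the register data, which is also how I read the Modbus file-record layout. If so, each sub-response consumes one byte too many and every later sub-response in the same message is parsed out of alignment, which matters more now that these fields reach script land. This is worth confirming against a trace with more than one sub-response; the likely form is `record_data: bytestring &length=file_len-1;` with a guard for `file_len == 0`. Separately, the non-exception `ENCAP_INTERFACE_TRANSPORT` case is named `encapInterfaceException` in both `ModbusTCP_Request` and `ModbusTCP_Response`, which looks like a copy-paste slip.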


@ -176,6 +176,12 @@ module GLOBAL;
type ModbusHeaders: record; type ModbusHeaders: record;
type ModbusCoils: vector; type ModbusCoils: vector;
type ModbusRegisters: vector; type ModbusRegisters: vector;
type ModbusFileRecordRequest: record;
type ModbusFileRecordRequests: vector;
type ModbusFileRecordResponse: record;
type ModbusFileRecordResponses: vector;
type ModbusFileReference: record;
type ModbusFileReferences: vector;
type PE::DOSHeader: record; type PE::DOSHeader: record;
type PE::FileHeader: record; type PE::FileHeader: record;


@ -1,2 +1,2 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
5 of 28 events triggered by trace 5 of 36 events triggered by trace


@ -1,2 +1,2 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
5 of 28 events triggered by trace 5 of 36 events triggered by trace


@ -1,65 +1,65 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
1 modbus_message, [orig_h=118.189.96.132, orig_p=55480/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15], F 1 modbus_message, [orig_h=118.189.96.132, orig_p=55480/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15, len=6], F
1 modbus_message, [orig_h=118.189.96.132, orig_p=55480/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15], T 1 modbus_message, [orig_h=118.189.96.132, orig_p=55480/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15, len=8], T
1 modbus_message, [orig_h=118.189.96.132, orig_p=55481/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1], F 1 modbus_message, [orig_h=118.189.96.132, orig_p=55481/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1, len=4], F
1 modbus_message, [orig_h=118.189.96.132, orig_p=55481/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1], T 1 modbus_message, [orig_h=118.189.96.132, orig_p=55481/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1, len=6], T
1 modbus_message, [orig_h=118.189.96.132, orig_p=55482/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15], F 1 modbus_message, [orig_h=118.189.96.132, orig_p=55482/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15, len=6], F
1 modbus_message, [orig_h=118.189.96.132, orig_p=55482/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15], T 1 modbus_message, [orig_h=118.189.96.132, orig_p=55482/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15, len=8], T
1 modbus_message, [orig_h=118.189.96.132, orig_p=55483/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1], F 1 modbus_message, [orig_h=118.189.96.132, orig_p=55483/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1, len=4], F
1 modbus_message, [orig_h=118.189.96.132, orig_p=55483/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1], T 1 modbus_message, [orig_h=118.189.96.132, orig_p=55483/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1, len=6], T
1 modbus_message, [orig_h=118.189.96.132, orig_p=55484/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15], F 1 modbus_message, [orig_h=118.189.96.132, orig_p=55484/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15, len=6], F
1 modbus_message, [orig_h=118.189.96.132, orig_p=55484/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15], T 1 modbus_message, [orig_h=118.189.96.132, orig_p=55484/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15, len=8], T
1 modbus_message, [orig_h=118.189.96.132, orig_p=55485/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1], F 1 modbus_message, [orig_h=118.189.96.132, orig_p=55485/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1, len=4], F
1 modbus_message, [orig_h=118.189.96.132, orig_p=55485/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1], T 1 modbus_message, [orig_h=118.189.96.132, orig_p=55485/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1, len=6], T
1 modbus_message, [orig_h=118.189.96.132, orig_p=55486/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15], F 1 modbus_message, [orig_h=118.189.96.132, orig_p=55486/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15, len=6], F
1 modbus_message, [orig_h=118.189.96.132, orig_p=55486/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15], T 1 modbus_message, [orig_h=118.189.96.132, orig_p=55486/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15, len=8], T
1 modbus_message, [orig_h=118.189.96.132, orig_p=55487/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1], F 1 modbus_message, [orig_h=118.189.96.132, orig_p=55487/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1, len=4], F
1 modbus_message, [orig_h=118.189.96.132, orig_p=55487/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1], T 1 modbus_message, [orig_h=118.189.96.132, orig_p=55487/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1, len=6], T
1 modbus_message, [orig_h=118.189.96.132, orig_p=55488/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15], F 1 modbus_message, [orig_h=118.189.96.132, orig_p=55488/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15, len=6], F
1 modbus_message, [orig_h=118.189.96.132, orig_p=55488/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15], T 1 modbus_message, [orig_h=118.189.96.132, orig_p=55488/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15, len=8], T
1 modbus_message, [orig_h=118.189.96.132, orig_p=55489/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1], F 1 modbus_message, [orig_h=118.189.96.132, orig_p=55489/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1, len=4], F
1 modbus_message, [orig_h=118.189.96.132, orig_p=55489/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1], T 1 modbus_message, [orig_h=118.189.96.132, orig_p=55489/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1, len=6], T
1 modbus_message, [orig_h=118.189.96.132, orig_p=55490/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15], F 1 modbus_message, [orig_h=118.189.96.132, orig_p=55490/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15, len=6], F
1 modbus_message, [orig_h=118.189.96.132, orig_p=55490/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15], T 1 modbus_message, [orig_h=118.189.96.132, orig_p=55490/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15, len=8], T
1 modbus_message, [orig_h=118.189.96.132, orig_p=55491/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1], F 1 modbus_message, [orig_h=118.189.96.132, orig_p=55491/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1, len=4], F
1 modbus_message, [orig_h=118.189.96.132, orig_p=55491/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1], T 1 modbus_message, [orig_h=118.189.96.132, orig_p=55491/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1, len=6], T
1 modbus_message, [orig_h=118.189.96.132, orig_p=55493/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15], F 1 modbus_message, [orig_h=118.189.96.132, orig_p=55493/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15, len=6], F
1 modbus_message, [orig_h=118.189.96.132, orig_p=55493/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15], T 1 modbus_message, [orig_h=118.189.96.132, orig_p=55493/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15, len=8], T
1 modbus_message, [orig_h=118.189.96.132, orig_p=55494/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1], F 1 modbus_message, [orig_h=118.189.96.132, orig_p=55494/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1, len=4], F
1 modbus_message, [orig_h=118.189.96.132, orig_p=55494/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1], T 1 modbus_message, [orig_h=118.189.96.132, orig_p=55494/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1, len=6], T
1 modbus_message, [orig_h=118.189.96.132, orig_p=55495/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15], F 1 modbus_message, [orig_h=118.189.96.132, orig_p=55495/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15, len=6], F
1 modbus_message, [orig_h=118.189.96.132, orig_p=55495/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15], T 1 modbus_message, [orig_h=118.189.96.132, orig_p=55495/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15, len=8], T
1 modbus_message, [orig_h=118.189.96.132, orig_p=55496/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1], F 1 modbus_message, [orig_h=118.189.96.132, orig_p=55496/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1, len=4], F
1 modbus_message, [orig_h=118.189.96.132, orig_p=55496/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1], T 1 modbus_message, [orig_h=118.189.96.132, orig_p=55496/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1, len=6], T
1 modbus_read_coils_request, [orig_h=118.189.96.132, orig_p=55481/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1], 0, 3 1 modbus_read_coils_request, [orig_h=118.189.96.132, orig_p=55481/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1, len=6], 0, 3
1 modbus_read_coils_request, [orig_h=118.189.96.132, orig_p=55483/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1], 0, 3 1 modbus_read_coils_request, [orig_h=118.189.96.132, orig_p=55483/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1, len=6], 0, 3
1 modbus_read_coils_request, [orig_h=118.189.96.132, orig_p=55485/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1], 0, 3 1 modbus_read_coils_request, [orig_h=118.189.96.132, orig_p=55485/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1, len=6], 0, 3
1 modbus_read_coils_request, [orig_h=118.189.96.132, orig_p=55487/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1], 0, 3 1 modbus_read_coils_request, [orig_h=118.189.96.132, orig_p=55487/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1, len=6], 0, 3
1 modbus_read_coils_request, [orig_h=118.189.96.132, orig_p=55489/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1], 0, 3 1 modbus_read_coils_request, [orig_h=118.189.96.132, orig_p=55489/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1, len=6], 0, 3
1 modbus_read_coils_request, [orig_h=118.189.96.132, orig_p=55491/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1], 0, 3 1 modbus_read_coils_request, [orig_h=118.189.96.132, orig_p=55491/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1, len=6], 0, 3
1 modbus_read_coils_request, [orig_h=118.189.96.132, orig_p=55494/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1], 0, 3 1 modbus_read_coils_request, [orig_h=118.189.96.132, orig_p=55494/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1, len=6], 0, 3
1 modbus_read_coils_request, [orig_h=118.189.96.132, orig_p=55496/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1], 0, 3 1 modbus_read_coils_request, [orig_h=118.189.96.132, orig_p=55496/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1, len=6], 0, 3
1 modbus_read_coils_response, [orig_h=118.189.96.132, orig_p=55481/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1], [F, F, F, F, F, F, F, F] 1 modbus_read_coils_response, [orig_h=118.189.96.132, orig_p=55481/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1, len=4], [F, F, F, F, F, F, F, F]
1 modbus_read_coils_response, [orig_h=118.189.96.132, orig_p=55483/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1], [F, F, T, F, F, F, F, F] 1 modbus_read_coils_response, [orig_h=118.189.96.132, orig_p=55483/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1, len=4], [F, F, T, F, F, F, F, F]
1 modbus_read_coils_response, [orig_h=118.189.96.132, orig_p=55485/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1], [F, T, F, F, F, F, F, F] 1 modbus_read_coils_response, [orig_h=118.189.96.132, orig_p=55485/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1, len=4], [F, T, F, F, F, F, F, F]
1 modbus_read_coils_response, [orig_h=118.189.96.132, orig_p=55487/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1], [F, T, T, F, F, F, F, F] 1 modbus_read_coils_response, [orig_h=118.189.96.132, orig_p=55487/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1, len=4], [F, T, T, F, F, F, F, F]
1 modbus_read_coils_response, [orig_h=118.189.96.132, orig_p=55489/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1], [T, F, F, F, F, F, F, F] 1 modbus_read_coils_response, [orig_h=118.189.96.132, orig_p=55489/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1, len=4], [T, F, F, F, F, F, F, F]
1 modbus_read_coils_response, [orig_h=118.189.96.132, orig_p=55491/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1], [T, F, T, F, F, F, F, F] 1 modbus_read_coils_response, [orig_h=118.189.96.132, orig_p=55491/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1, len=4], [T, F, T, F, F, F, F, F]
1 modbus_read_coils_response, [orig_h=118.189.96.132, orig_p=55494/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1], [T, T, F, F, F, F, F, F] 1 modbus_read_coils_response, [orig_h=118.189.96.132, orig_p=55494/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1, len=4], [T, T, F, F, F, F, F, F]
1 modbus_read_coils_response, [orig_h=118.189.96.132, orig_p=55496/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1], [T, T, T, F, F, F, F, F] 1 modbus_read_coils_response, [orig_h=118.189.96.132, orig_p=55496/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1, len=4], [T, T, T, F, F, F, F, F]
1 modbus_write_multiple_coils_request, [orig_h=118.189.96.132, orig_p=55480/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15], 0, [F, F, F] 1 modbus_write_multiple_coils_request, [orig_h=118.189.96.132, orig_p=55480/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15, len=8], 0, [F, F, F]
1 modbus_write_multiple_coils_request, [orig_h=118.189.96.132, orig_p=55482/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15], 0, [F, F, T] 1 modbus_write_multiple_coils_request, [orig_h=118.189.96.132, orig_p=55482/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15, len=8], 0, [F, F, T]
1 modbus_write_multiple_coils_request, [orig_h=118.189.96.132, orig_p=55484/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15], 0, [F, T, F] 1 modbus_write_multiple_coils_request, [orig_h=118.189.96.132, orig_p=55484/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15, len=8], 0, [F, T, F]
1 modbus_write_multiple_coils_request, [orig_h=118.189.96.132, orig_p=55486/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15], 0, [F, T, T] 1 modbus_write_multiple_coils_request, [orig_h=118.189.96.132, orig_p=55486/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15, len=8], 0, [F, T, T]
1 modbus_write_multiple_coils_request, [orig_h=118.189.96.132, orig_p=55488/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15], 0, [T, F, F] 1 modbus_write_multiple_coils_request, [orig_h=118.189.96.132, orig_p=55488/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15, len=8], 0, [T, F, F]
1 modbus_write_multiple_coils_request, [orig_h=118.189.96.132, orig_p=55490/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15], 0, [T, F, T] 1 modbus_write_multiple_coils_request, [orig_h=118.189.96.132, orig_p=55490/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15, len=8], 0, [T, F, T]
1 modbus_write_multiple_coils_request, [orig_h=118.189.96.132, orig_p=55493/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15], 0, [T, T, F] 1 modbus_write_multiple_coils_request, [orig_h=118.189.96.132, orig_p=55493/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15, len=8], 0, [T, T, F]
1 modbus_write_multiple_coils_request, [orig_h=118.189.96.132, orig_p=55495/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15], 0, [T, T, T] 1 modbus_write_multiple_coils_request, [orig_h=118.189.96.132, orig_p=55495/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15, len=8], 0, [T, T, T]
1 modbus_write_multiple_coils_response, [orig_h=118.189.96.132, orig_p=55480/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15], 0, 3 1 modbus_write_multiple_coils_response, [orig_h=118.189.96.132, orig_p=55480/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15, len=6], 0, 3
1 modbus_write_multiple_coils_response, [orig_h=118.189.96.132, orig_p=55482/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15], 0, 3 1 modbus_write_multiple_coils_response, [orig_h=118.189.96.132, orig_p=55482/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15, len=6], 0, 3
1 modbus_write_multiple_coils_response, [orig_h=118.189.96.132, orig_p=55484/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15], 0, 3 1 modbus_write_multiple_coils_response, [orig_h=118.189.96.132, orig_p=55484/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15, len=6], 0, 3
1 modbus_write_multiple_coils_response, [orig_h=118.189.96.132, orig_p=55486/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15], 0, 3 1 modbus_write_multiple_coils_response, [orig_h=118.189.96.132, orig_p=55486/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15, len=6], 0, 3
1 modbus_write_multiple_coils_response, [orig_h=118.189.96.132, orig_p=55488/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15], 0, 3 1 modbus_write_multiple_coils_response, [orig_h=118.189.96.132, orig_p=55488/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15, len=6], 0, 3
1 modbus_write_multiple_coils_response, [orig_h=118.189.96.132, orig_p=55490/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15], 0, 3 1 modbus_write_multiple_coils_response, [orig_h=118.189.96.132, orig_p=55490/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15, len=6], 0, 3
1 modbus_write_multiple_coils_response, [orig_h=118.189.96.132, orig_p=55493/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15], 0, 3 1 modbus_write_multiple_coils_response, [orig_h=118.189.96.132, orig_p=55493/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15, len=6], 0, 3
1 modbus_write_multiple_coils_response, [orig_h=118.189.96.132, orig_p=55495/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15], 0, 3 1 modbus_write_multiple_coils_response, [orig_h=118.189.96.132, orig_p=55495/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15, len=6], 0, 3


@ -0,0 +1,12 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path conn
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.2.42 54297 192.168.88.100 502 tcp modbus 0.022532 11 18 OTH T T 0 Dd 1 51 1 58 -
XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 192.168.2.42 54298 192.168.88.100 502 tcp modbus 3.019519 11 9 OTH T T 0 Dd 1 51 1 49 -
#close XXXX-XX-XX-XX-XX-XX


@ -1,2 +1,2 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
18 of 28 events triggered by trace 22 of 36 events triggered by trace

File diff suppressed because it is too large Load diff


@ -0,0 +1,21 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path weird
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source
#types time string addr port addr port string string bool string string
XXXXXXXXXX.XXXXXX - - - - - modbus_diag_unknown_request_subfunction 0 F zeek -
#close XXXX-XX-XX-XX-XX-XX
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path weird
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source
#types time string addr port addr port string string bool string string
XXXXXXXXXX.XXXXXX - - - - - modbus_diag_unknown_request_subfunction 0 F zeek -
#close XXXX-XX-XX-XX-XX-XX


@ -8,9 +8,13 @@
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tid unit func pdu_type exception #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tid unit func pdu_type exception
#types time string addr port addr port count count string string string #types time string addr port addr port count count string string string
XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 10.0.0.57 2578 10.0.0.3 502 0 10 DIAGNOSTICS REQ - XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 10.0.0.57 2578 10.0.0.3 502 0 10 DIAGNOSTICS REQ -
XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 10.0.0.57 2578 10.0.0.3 502 0 10 unknown-136 RESP GATEWAY_TARGET_DEVICE_FAILED_TO_RESPOND
XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 10.0.0.57 2578 10.0.0.3 502 0 10 DIAGNOSTICS REQ - XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 10.0.0.57 2578 10.0.0.3 502 0 10 DIAGNOSTICS REQ -
XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 10.0.0.57 2578 10.0.0.3 502 0 10 unknown-136 RESP GATEWAY_TARGET_DEVICE_FAILED_TO_RESPOND
XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 10.0.0.57 2578 10.0.0.3 502 0 10 DIAGNOSTICS REQ - XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 10.0.0.57 2578 10.0.0.3 502 0 10 DIAGNOSTICS REQ -
XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 10.0.0.57 2578 10.0.0.3 502 0 10 unknown-136 RESP GATEWAY_TARGET_DEVICE_FAILED_TO_RESPOND
XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 10.0.0.57 2578 10.0.0.3 502 0 10 DIAGNOSTICS REQ - XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 10.0.0.57 2578 10.0.0.3 502 0 10 DIAGNOSTICS REQ -
XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 10.0.0.57 2578 10.0.0.3 502 0 10 unknown-136 RESP GATEWAY_TARGET_DEVICE_FAILED_TO_RESPOND
XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 10.0.0.57 2578 10.0.0.3 502 0 10 DIAGNOSTICS REQ - XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 10.0.0.57 2578 10.0.0.3 502 0 10 DIAGNOSTICS REQ -
XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 10.0.0.57 2578 10.0.0.3 502 0 10 DIAGNOSTICS RESP - XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 10.0.0.57 2578 10.0.0.3 502 0 10 DIAGNOSTICS RESP -
XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 10.0.0.57 2578 10.0.0.3 502 0 10 DIAGNOSTICS REQ - XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 10.0.0.57 2578 10.0.0.3 502 0 10 DIAGNOSTICS REQ -
@ -119,6 +123,7 @@ XXXXXXXXXX.XXXXXX C37jN32gN3y3AZzyf6 192.168.66.235 2582 166.161.16.230 502 0 1
XXXXXXXXXX.XXXXXX C37jN32gN3y3AZzyf6 192.168.66.235 2582 166.161.16.230 502 0 1 unknown-42 RESP - XXXXXXXXXX.XXXXXX C37jN32gN3y3AZzyf6 192.168.66.235 2582 166.161.16.230 502 0 1 unknown-42 RESP -
XXXXXXXXXX.XXXXXX C37jN32gN3y3AZzyf6 192.168.66.235 2582 166.161.16.230 502 0 1 ENCAP_INTERFACE_TRANSPORT REQ - XXXXXXXXXX.XXXXXX C37jN32gN3y3AZzyf6 192.168.66.235 2582 166.161.16.230 502 0 1 ENCAP_INTERFACE_TRANSPORT REQ -
XXXXXXXXXX.XXXXXX C37jN32gN3y3AZzyf6 192.168.66.235 2582 166.161.16.230 502 0 1 unknown-171 RESP - XXXXXXXXXX.XXXXXX C37jN32gN3y3AZzyf6 192.168.66.235 2582 166.161.16.230 502 0 1 unknown-171 RESP -
XXXXXXXXXX.XXXXXX C37jN32gN3y3AZzyf6 192.168.66.235 2582 166.161.16.230 502 0 1 unknown-171 RESP ILLEGAL_FUNCTION
XXXXXXXXXX.XXXXXX C37jN32gN3y3AZzyf6 192.168.66.235 2582 166.161.16.230 502 0 1 unknown-44 REQ - XXXXXXXXXX.XXXXXX C37jN32gN3y3AZzyf6 192.168.66.235 2582 166.161.16.230 502 0 1 unknown-44 REQ -
XXXXXXXXXX.XXXXXX C37jN32gN3y3AZzyf6 192.168.66.235 2582 166.161.16.230 502 0 1 unknown-172 RESP - XXXXXXXXXX.XXXXXX C37jN32gN3y3AZzyf6 192.168.66.235 2582 166.161.16.230 502 0 1 unknown-172 RESP -
XXXXXXXXXX.XXXXXX C37jN32gN3y3AZzyf6 192.168.66.235 2582 166.161.16.230 502 0 1 unknown-45 REQ - XXXXXXXXXX.XXXXXX C37jN32gN3y3AZzyf6 192.168.66.235 2582 166.161.16.230 502 0 1 unknown-45 REQ -


@ -1,5 +1,5 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
modbus_read_input_registers_request, [orig_h=10.1.1.234, orig_p=51411/tcp, resp_h=10.10.5.104, resp_p=502/tcp], [tid=1119, pid=0, uid=255, function_code=4], 900, 147 modbus_read_input_registers_request, [orig_h=10.1.1.234, orig_p=51411/tcp, resp_h=10.10.5.104, resp_p=502/tcp], [tid=1119, pid=0, uid=255, function_code=4, len=6], 900, 147
modbus_read_input_registers_response, [orig_h=10.1.1.234, orig_p=51411/tcp, resp_h=10.10.5.104, resp_p=502/tcp], [tid=2606, pid=0, uid=255, function_code=4], [0, 0, 0, 0, 0, 0, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690], 100 modbus_read_input_registers_response, [orig_h=10.1.1.234, orig_p=51411/tcp, resp_h=10.10.5.104, resp_p=502/tcp], [tid=2606, pid=0, uid=255, function_code=4, len=203], [0, 0, 0, 0, 0, 0, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690], 100
modbus_read_input_registers_request, [orig_h=10.1.1.234, orig_p=51411/tcp, resp_h=10.10.5.104, resp_p=502/tcp], [tid=12993, pid=0, uid=255, function_code=4], 400, 100 modbus_read_input_registers_request, [orig_h=10.1.1.234, orig_p=51411/tcp, resp_h=10.10.5.104, resp_p=502/tcp], [tid=12993, pid=0, uid=255, function_code=4, len=6], 400, 100
modbus_read_input_registers_response, [orig_h=10.1.1.234, orig_p=51411/tcp, resp_h=10.10.5.104, resp_p=502/tcp], [tid=17667, pid=0, uid=255, function_code=4], [49, 18012, 51, 42, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 49, 50, 51, 54324, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 69, 63, 64, 65, 66, 67, 68, 49, 189, 51, 52, 53, 54, 4151, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 136, 49, 50, 51, 212, 53, 54, 170, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690], 100 modbus_read_input_registers_response, [orig_h=10.1.1.234, orig_p=51411/tcp, resp_h=10.10.5.104, resp_p=502/tcp], [tid=17667, pid=0, uid=255, function_code=4, len=203], [49, 18012, 51, 42, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 49, 50, 51, 54324, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 69, 63, 64, 65, 66, 67, 68, 49, 189, 51, 52, 53, 54, 4151, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 136, 49, 50, 51, 212, 53, 54, 170, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690], 100


@ -3,3 +3,7 @@ These are the trace files that are used by the Zeek test suite.
Note to maintainers: please take care when modifying/removing files from here. Note to maintainers: please take care when modifying/removing files from here.
We install these traces with the Zeek distribution and external packages might We install these traces with the Zeek distribution and external packages might
depend on them for tests. depend on them for tests.
Trace Index/Sources:
- modbus/modbus-eit.trace: Sourced from https://www.netresec.com/?page=PCAP4SICS, credit to https://cs3sthlm.se/. The packets in this trace were pulled from the 4SICS-GeekLounge-151021.pcap file.

Binary file not shown.


@ -1,14 +1,22 @@
# #
# @TEST-EXEC: zeek -b -r $TRACES/modbus/modbus.trace %INPUT | sort | uniq -c | sed 's/^ *//g' >output # @TEST-EXEC: zeek -b -r $TRACES/modbus/modbus.trace %INPUT | sort | uniq -c | sed 's/^ *//g' >output
# @TEST-EXEC: mv conn.log conn-first.log
# @TEST-EXEC: cat weird.log >> weird-combined.log
# @TEST-EXEC: zeek -b -r $TRACES/modbus/modbus-eit.pcap %INPUT | sort | uniq -c | sed 's/^ *//g' >>output
# @TEST-EXEC: mv conn.log conn-second.log
# @TEST-EXEC: cat weird.log >> weird-combined.log
# @TEST-EXEC: btest-diff output # @TEST-EXEC: btest-diff output
# @TEST-EXEC: cat output | awk '{print $2}' | grep "^modbus_" | sort | uniq | wc -l >covered # @TEST-EXEC: cat output | awk '{print $2}' | grep "^modbus_" | sort | uniq | wc -l >covered
# @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/modbus/events.bif | grep "^event modbus_" | wc -l >total # @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/modbus/events.bif | grep "^event modbus_" | wc -l >total
# @TEST-EXEC: echo `cat covered` of `cat total` events triggered by trace >coverage # @TEST-EXEC: echo `cat covered` of `cat total` events triggered by trace >coverage
# @TEST-EXEC: btest-diff coverage # @TEST-EXEC: btest-diff coverage
# @TEST-EXEC: btest-diff conn.log # @TEST-EXEC: btest-diff conn-first.log
# @TEST-EXEC: btest-diff conn-second.log
# @TEST-EXEC: btest-diff weird-combined.log
@load base/protocols/modbus @load base/protocols/modbus
@load base/protocols/conn @load base/protocols/conn
@load base/frameworks/notice/weird
redef DPD::ignore_violations_after = 1; redef DPD::ignore_violations_after = 1;
@ -102,24 +110,24 @@ event modbus_write_multiple_registers_response(c: connection, headers: ModbusHea
print "modbus_write_multiple_registers_response", c$id, headers, start_address, quantity; print "modbus_write_multiple_registers_response", c$id, headers, start_address, quantity;
} }
event modbus_read_file_record_request(c: connection, headers: ModbusHeaders) event modbus_read_file_record_request(c: connection, headers: ModbusHeaders, byte_count: count, refs: ModbusFileRecordRequests)
{ {
print "modbus_read_file_record_request", c$id, headers; print "modbus_read_file_record_request", c$id, headers, byte_count, refs;
} }
event modbus_read_file_record_response(c: connection, headers: ModbusHeaders) event modbus_read_file_record_response(c: connection, headers: ModbusHeaders, byte_count: count, refs: ModbusFileRecordResponses)
{ {
print "modbus_read_file_record_response", c$id, headers; print "modbus_read_file_record_response", c$id, headers, byte_count, refs;
} }
event modbus_write_file_record_request(c: connection, headers: ModbusHeaders) event modbus_write_file_record_request(c: connection, headers: ModbusHeaders, byte_count: count, refs: ModbusFileReferences)
{ {
print "modbus_write_file_record_request", c$id, headers; print "modbus_write_file_record_request", c$id, headers, byte_count, refs;
} }
event modbus_write_file_record_response(c: connection, headers: ModbusHeaders) event modbus_write_file_record_response(c: connection, headers: ModbusHeaders, byte_count: count, refs: ModbusFileReferences)
{ {
print "modbus_write_file_record_response", c$id, headers; print "modbus_write_file_record_response", c$id, headers, byte_count, refs;
} }
event modbus_mask_write_register_request(c: connection, headers: ModbusHeaders, address: count, and_mask: count, or_mask: count) event modbus_mask_write_register_request(c: connection, headers: ModbusHeaders, address: count, and_mask: count, or_mask: count)
@ -152,3 +160,22 @@ event modbus_read_fifo_queue_response(c: connection, headers: ModbusHeaders, fif
print "modbus_read_fifo_queue_response", c$id, headers, fifos; print "modbus_read_fifo_queue_response", c$id, headers, fifos;
} }
event modbus_diagnostics_request(c: connection, headers: ModbusHeaders, subfunction: count, data: string)
{
print "modbus_diagnostics_request", c$id, headers, subfunction, data;
}
event modbus_diagnostics_response(c: connection, headers: ModbusHeaders, subfunction: count, data: string)
{
print "modbus_diagnostics_response", c$id, headers, subfunction, data;
}
event modbus_encap_interface_transport_request(c: connection, headers: ModbusHeaders, mei_type: count, data: string)
{
print "modbus_encap_interface_transport_request", c$id, headers, mei_type, data;
}
event modbus_encap_interface_transport_response(c: connection, headers: ModbusHeaders, mei_type: count, data: string)
{
print "modbus_encap_interface_transport_response", c$id, headers, mei_type, data;
}
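Review bot: In the first hunk, the first run's weird.log is copied with `cat weird.log >> weird-combined.log` but left in place, so if the modbus-eit run writes no weird.log the second `cat` appends the first run's entries again and the baseline silently records them twice. Moving the file after the first run, `# @TEST-EXEC: mv weird.log weird-combined.log`, makes the second step fail visibly instead, the same way conn.log is already handled with `mv`. Separately, the second run reads `$TRACES/modbus/modbus-eit.pcap` while the Traces README entry added in this commit lists `modbus/modbus-eit.trace`; the binary's name is not shown on this page, so one of the two presumably needs correcting.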