From 7d105935b190ff0147f8e221e2575e9fc03af023 Mon Sep 17 00:00:00 2001
From: Seth Hall
Date: Fri, 19 Jun 2015 07:00:38 -0400
Subject: [PATCH] Call ProtocolConfirmed on modbus

After a PDU is successfully parsed from both sides of a modbus connection we're now declaring the protocol confirmed. A small extension to the modbus/events test was added to verify that "modbus" was identified in the service field in conn.log.
---
 .../protocol/modbus/modbus-analyzer.pac | 51 +++++++++++++++++++
 .../protocol/modbus/modbus-protocol.pac | 2 +
 .../scripts/base/protocols/modbus/events.bro | 2 +
 3 files changed, 55 insertions(+)

diff --git a/src/analyzer/protocol/modbus/modbus-analyzer.pac b/src/analyzer/protocol/modbus/modbus-analyzer.pac
index c9b0861428..5a862b7604 100644
--- a/src/analyzer/protocol/modbus/modbus-analyzer.pac
+++ b/src/analyzer/protocol/modbus/modbus-analyzer.pac
@@ -47,6 +47,42 @@
 %}
+refine connection ModbusTCP_Conn += {
+ %member{
+ // Fields used to determine if the protocol has been confirmed or not.
+ bool confirmed;
+ bool orig_pdu;
+ bool resp_pdu;
+ %}
+
+ %init{
+ confirmed = false;
+ orig_pdu = false;
+ resp_pdu = false;
+ %}
+
+ function SetPDU(is_orig: bool): bool
+ %{
+ if ( is_orig )
+ orig_pdu = true;
+ else
+ resp_pdu = true;
+
+ return true;
+ %}
+
+ function SetConfirmed(): bool
+ %{
+ confirmed = true;
+ return true;
+ %}
+
+ function IsConfirmed(): bool
+ %{
+ return confirmed && orig_pdu && resp_pdu;
+ %}
+};
+
 refine flow ModbusTCP_Flow += {
 function deliver_message(header: ModbusTCP_TransportHeader): bool
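Review bot: `IsConfirmed()` returns `confirmed && orig_pdu && resp_pdu`, so in `deliver_ModbusTCP_PDU` (next hunk) the guard `if ( ! connection()->IsConfirmed() )` is true for the very first PDU seen from one side, and `SetConfirmed()` plus `ProtocolConfirmation()` run before the other direction has parsed anything — and run again on every further one-sided PDU until the peer answers, which is not the both-sides rule the commit message and the comment in the next hunk describe. Have `SetPDU` report whether both directions have now been seen, keep `IsConfirmed` to the flag alone, and gate on both: `return orig_pdu && resp_pdu;` in `SetPDU`, `return confirmed;` in `IsConfirmed`, and in the next hunk `if ( connection()->SetPDU(${message.is_orig}) && ! connection()->IsConfirmed() )`. A one-sided request stream then never confirms and the confirmation fires exactly once, matching the stated intent.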
@@ -62,6 +98,21 @@ refine flow ModbusTCP_Flow += {
 return true;
 %}
+ function deliver_ModbusTCP_PDU(message: ModbusTCP_PDU): bool
+ %{
+ // We will assume that if an entire PDU from both sides
+ // is successfully parsed then this is definitely modbus.
+ connection()->SetPDU(${message.is_orig});
+
+ if ( ! connection()->IsConfirmed() )
+ {
+ connection()->SetConfirmed();
+ connection()->bro_analyzer()->ProtocolConfirmation();
+ }
+
+ return true;
+ %}
+
 # EXCEPTION
 function deliver_Exception(header: ModbusTCP_TransportHeader, message: Exception): bool
 %{
diff --git a/src/analyzer/protocol/modbus/modbus-protocol.pac b/src/analyzer/protocol/modbus/modbus-protocol.pac
index a79e4dccf5..e5b92169b4 100644
--- a/src/analyzer/protocol/modbus/modbus-protocol.pac
+++ b/src/analyzer/protocol/modbus/modbus-protocol.pac
@@ -64,6 +64,8 @@ type ModbusTCP_PDU(is_orig: bool) = record {
 true -> request: ModbusTCP_Request(header);
 false -> response: ModbusTCP_Response(header);
 };
+} &let {
+ deliver: bool = $context.flow.deliver_ModbusTCP_PDU(this);
 } &length=header.len+6, &byteorder=bigendian;
 type ModbusTCP_TransportHeader = record {
diff --git a/testing/btest/scripts/base/protocols/modbus/events.bro b/testing/btest/scripts/base/protocols/modbus/events.bro
index a5fe26be9c..fe748fa3dc 100644
--- a/testing/btest/scripts/base/protocols/modbus/events.bro
+++ b/testing/btest/scripts/base/protocols/modbus/events.bro
@@ -5,6 +5,8 @@
 # @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/modbus/events.bif | grep "^event modbus_" | wc -l >total
 # @TEST-EXEC: echo `cat covered` of `cat total` events triggered by trace >coverage
 # @TEST-EXEC: btest-diff coverage
+# @TEST-EXEC: btest-diff conn.log
+
 event modbus_message(c: connection, headers: ModbusHeaders, is_orig: bool)
 {
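Review bot: The `&let` added to `ModbusTCP_PDU` in modbus-protocol.pac deserves a comment saying why it exists, since `deliver` is never read and only serves to run the confirmation hook in the flow; e.g. `# Evaluated once the whole PDU (header plus request/response) has parsed; its only purpose is the side effect of deliver_ModbusTCP_PDU.` Because a record's `&let` is evaluated after its fields, this presumably runs after the request/response sub-records' own deliver hooks (outside this hunk) have already raised their modbus events, so the first PDU's events precede ProtocolConfirmation(); if that ordering matters for scripts keying on the service field, the comment should say so. The `ModbusTCP_PDU` record header and the `ModbusTCP_Request`/`ModbusTCP_Response` definitions lie outside the hunk.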