Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-10 02:28:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Call ProtocolConfirmed on modbus

Browse source 
After a PDU is successfully parsed from both sides of a
modbus connection we're now declaring the protocol confirmed.

A small extension to the modbus/events test was added to verify
that "modbus" was identified in the service field in conn.log.
This commit is contained in:
Seth Hall 2015-06-19 07:00:38 -04:00
parent 217ccf6063
commit 7d105935b1
3 changed files with 55 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

51
src/analyzer/protocol/modbus/modbus-analyzer.pac
View file

@ -47,6 +47,42 @@
%} %}
refine connection ModbusTCP_Conn += {
%member{
// Fields used to determine if the protocol has been confirmed or not.
bool confirmed;
bool orig_pdu;
bool resp_pdu;
%}
%init{
confirmed = false;
orig_pdu = false;
resp_pdu = false;
%}
function SetPDU(is_orig: bool): bool
%{
if ( is_orig )
orig_pdu = true;
else
resp_pdu = true;
return true;
%}
function SetConfirmed(): bool
%{
confirmed = true;
return true;
%}
function IsConfirmed(): bool
%{
return confirmed && orig_pdu && resp_pdu;
%}
};
refine flow ModbusTCP_Flow += { refine flow ModbusTCP_Flow += {
function deliver_message(header: ModbusTCP_TransportHeader): bool function deliver_message(header: ModbusTCP_TransportHeader): bool
@ -62,6 +98,21 @@ refine flow ModbusTCP_Flow += {
return true; return true;
%} %}
function deliver_ModbusTCP_PDU(message: ModbusTCP_PDU): bool
%{
// We will assume that if an entire PDU from both sides
// is successfully parsed then this is definitely modbus.
connection()->SetPDU(${message.is_orig});
if ( ! connection()->IsConfirmed() )
{
connection()->SetConfirmed();
connection()->bro_analyzer()->ProtocolConfirmation();
}
return true;
%}
# EXCEPTION # EXCEPTION
function deliver_Exception(header: ModbusTCP_TransportHeader, message: Exception): bool function deliver_Exception(header: ModbusTCP_TransportHeader, message: Exception): bool
%{ %{

2
src/analyzer/protocol/modbus/modbus-protocol.pac
View file

@ -64,6 +64,8 @@ type ModbusTCP_PDU(is_orig: bool) = record {
true -> request: ModbusTCP_Request(header); true -> request: ModbusTCP_Request(header);
false -> response: ModbusTCP_Response(header); false -> response: ModbusTCP_Response(header);
}; };
} &let {
deliver: bool = $context.flow.deliver_ModbusTCP_PDU(this);
} &length=header.len+6, &byteorder=bigendian; } &length=header.len+6, &byteorder=bigendian;
type ModbusTCP_TransportHeader = record { type ModbusTCP_TransportHeader = record {

2
testing/btest/scripts/base/protocols/modbus/events.bro
View file

@ -5,6 +5,8 @@
# @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/modbus/events.bif | grep "^event modbus_" | wc -l >total # @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/modbus/events.bif | grep "^event modbus_" | wc -l >total
# @TEST-EXEC: echo `cat covered` of `cat total` events triggered by trace >coverage # @TEST-EXEC: echo `cat covered` of `cat total` events triggered by trace >coverage
# @TEST-EXEC: btest-diff coverage # @TEST-EXEC: btest-diff coverage
# @TEST-EXEC: btest-diff conn.log
event modbus_message(c: connection, headers: ModbusHeaders, is_orig: bool) event modbus_message(c: connection, headers: ModbusHeaders, is_orig: bool)
{ {