mirror of
https://github.com/zeek/zeek.git
synced 2025-10-07 09:08:20 +00:00
Final touches to modbus analyzer for now.
- There are still some broken events in the modbus analyzer because I don't have traffic to test with (coil and record related events primarily). - There are a few example scripts in policy/protocols/modbus
This commit is contained in:
Seth Hall
parent
009efbcb27
commit
a2f336cc72
6 changed files with 549 additions and 179 deletions
|
|
@ -3,24 +3,71 @@
|
|||
module Modbus;
|
||||
|
||||
export {
|
||||
redef enum Log::ID += { LOG };
|
||||
|
||||
type Info: record {
|
||||
## Time of the request.
|
||||
ts: time &log;
|
||||
## Unique identifier for the connnection.
|
||||
uid: string &log;
|
||||
## Identifier for the connection.
|
||||
id: conn_id &log;
|
||||
## The name of the function message that was sent.
|
||||
func: string &log &optional;
|
||||
## The status of the response.
|
||||
success: bool &log &default=T;
|
||||
## The exception if the response was a failure.
|
||||
exception: string &log &optional;
|
||||
};
|
||||
|
||||
## Event that can be handled to access the Modbus record as it is sent on
|
||||
## to the logging framework.
|
||||
global log_modbus: event(rec: Info);
|
||||
}
|
||||
|
||||
redef record connection += {
|
||||
modbus: Info &optional;
|
||||
};
|
||||
|
||||
# Configure DPD and the packet filter.
|
||||
redef capture_filters += { ["modbus"] = "tcp port 502" };
|
||||
redef dpd_config += { [ANALYZER_MODBUS] = [$ports = set(502/tcp)] };
|
||||
redef likely_server_ports += { 502/tcp };
|
||||
|
||||
|
||||
event modbus_exception(c: connection, header: ModbusHeaders, code: count)
|
||||
event bro_init() &priority=5
|
||||
{
|
||||
print fmt("%.6f %s There was an exception: %s", network_time(), c$id, exception_codes[code]);
|
||||
Log::create_stream(Modbus::LOG, [$columns=Info, $ev=log_modbus]);
|
||||
}
|
||||
|
||||
event modbus_message(c: connection, header: ModbusHeaders, is_orig: bool)
|
||||
event modbus_message(c: connection, headers: ModbusHeaders, is_orig: bool) &priority=5
|
||||
{
|
||||
#if ( function_codes[header$function_code] in set("READ_MULTIPLE_REGISTERS", "READ_WRITE_REGISTERS", "WRITE_MULTIPLE_REGISTERS") )
|
||||
# return;
|
||||
if ( ! c?$modbus )
|
||||
{
|
||||
c$modbus = [$ts=network_time(), $uid=c$uid, $id=c$id];
|
||||
}
|
||||
|
||||
print fmt("%.6f %s %s: %s", network_time(), c$id, is_orig ? "request":"response", function_codes[header$function_code]);
|
||||
c$modbus$ts = network_time();
|
||||
c$modbus$func = function_codes[headers$function_code];
|
||||
|
||||
if ( ! is_orig &&
|
||||
( headers$function_code >= 0x81 || headers$function_code <= 0x98 ) )
|
||||
c$modbus$success = F;
|
||||
else
|
||||
c$modbus$success = T;
|
||||
}
|
||||
|
||||
event modbus_message(c: connection, headers: ModbusHeaders, is_orig: bool) &priority=-5
|
||||
{
|
||||
# Don't log now if this is an exception (log in the exception event handler)
|
||||
if ( c$modbus$success )
|
||||
Log::write(LOG, c$modbus);
|
||||
}
|
||||
|
||||
event modbus_exception(c: connection, headers: ModbusHeaders, code: count) &priority=5
|
||||
{
|
||||
c$modbus$exception = exception_codes[code];
|
||||
Log::write(LOG, c$modbus);
|
||||
|
||||
delete c$modbus$exception;
|
||||
}
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue