Copy docs into Zeek repo directly

This is based on commit 2731def9159247e6da8a3191783c89683363689c from the
zeek-docs repo.
This commit is contained in:
Tim Wojtulewicz 2025-09-15 15:52:18 -07:00
parent 83f1e74643
commit ded98cd373
1074 changed files with 169319 additions and 0 deletions


@ -0,0 +1,118 @@
:tocdepth: 3
policy/protocols/modbus/known-masters-slaves.zeek
=================================================
.. zeek:namespace:: Known
Script for tracking known Modbus masters and slaves.
.. todo:: This script needs a lot of work. What might be more interesting
is to track master/slave relationships based on commands sent and
successful (non-exception) responses.
:Namespace: Known
:Imports: :doc:`base/protocols/modbus </scripts/base/protocols/modbus/index>`
Summary
~~~~~~~
State Variables
###############
============================================================================================================== ===============================
:zeek:id:`Known::modbus_nodes`: :zeek:type:`set` :zeek:attr:`&create_expire` = ``1.0 day`` :zeek:attr:`&redef` The Modbus nodes being tracked.
============================================================================================================== ===============================
Types
#####
======================================================= =
:zeek:type:`Known::ModbusDeviceType`: :zeek:type:`enum`
:zeek:type:`Known::ModbusInfo`: :zeek:type:`record`
======================================================= =
Redefinitions
#############
======================================= ================================
:zeek:type:`Log::ID`: :zeek:type:`enum`
* :zeek:enum:`Known::MODBUS_LOG`
======================================= ================================
Events
######
====================================================== =====================================================================
:zeek:id:`Known::log_known_modbus`: :zeek:type:`event` Event that can be handled to access the loggable record as it is sent
on to the logging framework.
====================================================== =====================================================================
Hooks
#####
================================================================= =
:zeek:id:`Known::log_policy_modbus`: :zeek:type:`Log::PolicyHook`
================================================================= =
Detailed Interface
~~~~~~~~~~~~~~~~~~
State Variables
###############
.. zeek:id:: Known::modbus_nodes
:source-code: policy/protocols/modbus/known-masters-slaves.zeek 31 31
:Type: :zeek:type:`set` [:zeek:type:`addr`, :zeek:type:`Known::ModbusDeviceType`]
:Attributes: :zeek:attr:`&create_expire` = ``1.0 day`` :zeek:attr:`&redef`
:Default: ``{}``
The Modbus nodes being tracked.
Types
#####
.. zeek:type:: Known::ModbusDeviceType
:source-code: policy/protocols/modbus/known-masters-slaves.zeek 16 20
:Type: :zeek:type:`enum`
.. zeek:enum:: Known::MODBUS_MASTER Known::ModbusDeviceType
.. zeek:enum:: Known::MODBUS_SLAVE Known::ModbusDeviceType
.. zeek:type:: Known::ModbusInfo
:source-code: policy/protocols/modbus/known-masters-slaves.zeek 21 28
:Type: :zeek:type:`record`
.. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
The time the device was discovered.
.. zeek:field:: host :zeek:type:`addr` :zeek:attr:`&log`
The IP address of the host.
.. zeek:field:: device_type :zeek:type:`Known::ModbusDeviceType` :zeek:attr:`&log`
The type of device being tracked.
Events
######
.. zeek:id:: Known::log_known_modbus
:source-code: policy/protocols/modbus/known-masters-slaves.zeek 35 35
:Type: :zeek:type:`event` (rec: :zeek:type:`Known::ModbusInfo`)
Event that can be handled to access the loggable record as it is sent
on to the logging framework.
Hooks
#####
.. zeek:id:: Known::log_policy_modbus
:source-code: policy/protocols/modbus/known-masters-slaves.zeek 14 14
:Type: :zeek:type:`Log::PolicyHook`


@ -0,0 +1,170 @@
:tocdepth: 3
policy/protocols/modbus/track-memmap.zeek
=========================================
.. zeek:namespace:: Modbus
This script tracks the memory map of holding (read/write) registers and logs
changes as they are discovered.
.. todo:: Not all register read and write functions are supported yet.
:Namespace: Modbus
:Imports: :doc:`base/protocols/modbus </scripts/base/protocols/modbus/index>`, :doc:`base/utils/directions-and-hosts.zeek </scripts/base/utils/directions-and-hosts.zeek>`
Summary
~~~~~~~
Runtime Options
###############
====================================================================== ==================================================
:zeek:id:`Modbus::track_memmap`: :zeek:type:`Host` :zeek:attr:`&redef` The hosts that should have memory mapping enabled.
====================================================================== ==================================================
State Variables
###############
======================================================= =======================================================
:zeek:id:`Modbus::device_registers`: :zeek:type:`table` The memory map of slaves is tracked with this variable.
======================================================= =======================================================
Types
#####
======================================================= =====================================================================
:zeek:type:`Modbus::MemmapInfo`: :zeek:type:`record`
:zeek:type:`Modbus::RegisterValue`: :zeek:type:`record`
:zeek:type:`Modbus::Registers`: :zeek:type:`table` Indexed on the device register value and yielding the register value.
======================================================= =====================================================================
Redefinitions
#############
============================================== ========================================================================================
:zeek:type:`Log::ID`: :zeek:type:`enum`
* :zeek:enum:`Modbus::REGISTER_CHANGE_LOG`
:zeek:type:`Modbus::Info`: :zeek:type:`record`
:New Fields: :zeek:type:`Modbus::Info`
track_address: :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
============================================== ========================================================================================
Events
######
======================================================= =====================================================================
:zeek:id:`Modbus::changed_register`: :zeek:type:`event` This event is generated every time a register is seen to be different
than it was previously seen to be.
======================================================= =====================================================================
Hooks
#####
=========================================================================== =
:zeek:id:`Modbus::log_policy_register_change`: :zeek:type:`Log::PolicyHook`
=========================================================================== =
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. zeek:id:: Modbus::track_memmap
:source-code: policy/protocols/modbus/track-memmap.zeek 17 17
:Type: :zeek:type:`Host`
:Attributes: :zeek:attr:`&redef`
:Default: ``ALL_HOSTS``
The hosts that should have memory mapping enabled.
State Variables
###############
.. zeek:id:: Modbus::device_registers
:source-code: policy/protocols/modbus/track-memmap.zeek 46 46
:Type: :zeek:type:`table` [:zeek:type:`addr`] of :zeek:type:`Modbus::Registers`
:Default: ``{}``
The memory map of slaves is tracked with this variable.
Types
#####
.. zeek:type:: Modbus::MemmapInfo
:source-code: policy/protocols/modbus/track-memmap.zeek 19 35
:Type: :zeek:type:`record`
.. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
Timestamp for the detected register change.
.. zeek:field:: uid :zeek:type:`string` :zeek:attr:`&log`
Unique ID for the connection.
.. zeek:field:: id :zeek:type:`conn_id` :zeek:attr:`&log`
Connection ID.
.. zeek:field:: register :zeek:type:`count` :zeek:attr:`&log`
The device memory offset.
.. zeek:field:: old_val :zeek:type:`count` :zeek:attr:`&log`
The old value stored in the register.
.. zeek:field:: new_val :zeek:type:`count` :zeek:attr:`&log`
The new value stored in the register.
.. zeek:field:: delta :zeek:type:`interval` :zeek:attr:`&log`
The time delta between when the *old_val* and *new_val* were
seen.
.. zeek:type:: Modbus::RegisterValue
:source-code: policy/protocols/modbus/track-memmap.zeek 37 40
:Type: :zeek:type:`record`
.. zeek:field:: last_set :zeek:type:`time`
.. zeek:field:: value :zeek:type:`count`
.. zeek:type:: Modbus::Registers
:source-code: policy/protocols/modbus/track-memmap.zeek 43 43
:Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`Modbus::RegisterValue`
Indexed on the device register value and yielding the register value.
Events
######
.. zeek:id:: Modbus::changed_register
:source-code: policy/protocols/modbus/track-memmap.zeek 103 108
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, register: :zeek:type:`count`, old_val: :zeek:type:`count`, new_val: :zeek:type:`count`, delta: :zeek:type:`interval`)
This event is generated every time a register is seen to be different
than it was previously seen to be.
Hooks
#####
.. zeek:id:: Modbus::log_policy_register_change
:source-code: policy/protocols/modbus/track-memmap.zeek 14 14
:Type: :zeek:type:`Log::PolicyHook`
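Review bot: the description of `Modbus::Registers` ("Indexed on the device register value and yielding the register value") reads as if the table key were the value; its type is `table [count] of Modbus::RegisterValue` and `Modbus::MemmapInfo.register` is documented as "The device memory offset", so it should say indexed on the register offset (address) and yielding the stored value and when it was last set. The `Modbus::RegisterValue` fields `last_set` and `value`, the new `Modbus::Info` field `track_address` (`&default = 0 &optional`) and the hook `Modbus::log_policy_register_change` have no descriptions; `track_address` in particular needs one, since a zero default leaves it unclear whether `0` means "address 0" or "not set". The `.. todo::` that not all register read and write functions are supported is the caveat an operator relying on `register_change` for change detection most needs, so consider having the script comment enumerate the Modbus function codes that are covered so the generated page states the coverage explicitly. As with the other file in this commit, the `:source-code:` ranges (e.g. `policy/protocols/modbus/track-memmap.zeek 103 108` for `Modbus::changed_register`) are pinned to zeek-docs commit 2731def9 and should be regenerated from the in-tree scripts.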