Modbus: Add support for Diagnostics (FC=8) requests and responses

testing/btest/Baseline/scripts.base.protocols.modbus.coil_parsing_big/coverage

@@ -1,2 +1,2 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-5 of 28 events triggered by trace
+5 of 30 events triggered by trace

testing/btest/Baseline/scripts.base.protocols.modbus.coil_parsing_small/coverage

@@ -1,2 +1,2 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-5 of 28 events triggered by trace
+5 of 30 events triggered by trace

testing/btest/Baseline/scripts.base.protocols.modbus.events/coverage

@@ -1,2 +1,2 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-18 of 28 events triggered by trace
+20 of 30 events triggered by trace

testing/btest/Baseline/scripts.base.protocols.modbus.events/output

@@ -1,4 +1,12 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+3 modbus_diagnostics_request, [orig_h=10.0.0.57, orig_p=2578/tcp, resp_h=10.0.0.3, resp_p=502/tcp], [tid=0, pid=0, uid=10, function_code=8], 1, \x00\x00
+2 modbus_diagnostics_request, [orig_h=10.0.0.57, orig_p=2578/tcp, resp_h=10.0.0.3, resp_p=502/tcp], [tid=0, pid=0, uid=10, function_code=8], 10, \x00\x00
+3 modbus_diagnostics_request, [orig_h=10.0.0.57, orig_p=2578/tcp, resp_h=10.0.0.3, resp_p=502/tcp], [tid=0, pid=0, uid=10, function_code=8], 4, \x00\x00
+1 modbus_diagnostics_request, [orig_h=192.168.66.235, orig_p=2582/tcp, resp_h=166.161.16.230, resp_p=502/tcp], [tid=0, pid=0, uid=1, function_code=8], 0, \x00\x00
+2 modbus_diagnostics_response, [orig_h=10.0.0.57, orig_p=2578/tcp, resp_h=10.0.0.3, resp_p=502/tcp], [tid=0, pid=0, uid=10, function_code=8], 1, \x00\x00
+2 modbus_diagnostics_response, [orig_h=10.0.0.57, orig_p=2578/tcp, resp_h=10.0.0.3, resp_p=502/tcp], [tid=0, pid=0, uid=10, function_code=8], 10, \x00\x00
+1 modbus_diagnostics_response, [orig_h=192.168.66.235, orig_p=2582/tcp, resp_h=166.161.16.230, resp_p=502/tcp], [tid=0, pid=0, uid=1, function_code=8], 0, \x00\x00
+4 modbus_exception, [orig_h=10.0.0.57, orig_p=2578/tcp, resp_h=10.0.0.3, resp_p=502/tcp], [tid=0, pid=0, uid=10, function_code=136], 11
 8 modbus_exception, [orig_h=192.168.66.235, orig_p=2582/tcp, resp_h=166.161.16.230, resp_p=502/tcp], [tid=0, pid=0, uid=1, function_code=129], 2
 1 modbus_exception, [orig_h=192.168.66.235, orig_p=2582/tcp, resp_h=166.161.16.230, resp_p=502/tcp], [tid=0, pid=0, uid=1, function_code=129], 3
 1 modbus_exception, [orig_h=192.168.66.235, orig_p=2582/tcp, resp_h=166.161.16.230, resp_p=502/tcp], [tid=0, pid=0, uid=1, function_code=130], 3

testing/btest/Baseline/scripts.base.protocols.modbus.events/weird.log

@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	weird
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer	source
+#types	time	string	addr	port	addr	port	string	string	bool	string	string
+XXXXXXXXXX.XXXXXX	-	-	-	-	-	modbus_diag_unknown_request_subfunction	0	F	zeek	-
+#close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/scripts.base.protocols.modbus.policy/modbus.log

@@ -8,9 +8,13 @@
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	tid	unit	func	pdu_type	exception
 #types	time	string	addr	port	addr	port	count	count	string	string	string
 XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	10.0.0.57	2578	10.0.0.3	502	0	10	DIAGNOSTICS	REQ	-
+XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	10.0.0.57	2578	10.0.0.3	502	0	10	unknown-136	RESP	GATEWAY_TARGET_DEVICE_FAILED_TO_RESPOND
 XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	10.0.0.57	2578	10.0.0.3	502	0	10	DIAGNOSTICS	REQ	-
+XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	10.0.0.57	2578	10.0.0.3	502	0	10	unknown-136	RESP	GATEWAY_TARGET_DEVICE_FAILED_TO_RESPOND
 XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	10.0.0.57	2578	10.0.0.3	502	0	10	DIAGNOSTICS	REQ	-
+XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	10.0.0.57	2578	10.0.0.3	502	0	10	unknown-136	RESP	GATEWAY_TARGET_DEVICE_FAILED_TO_RESPOND
 XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	10.0.0.57	2578	10.0.0.3	502	0	10	DIAGNOSTICS	REQ	-
+XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	10.0.0.57	2578	10.0.0.3	502	0	10	unknown-136	RESP	GATEWAY_TARGET_DEVICE_FAILED_TO_RESPOND
 XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	10.0.0.57	2578	10.0.0.3	502	0	10	DIAGNOSTICS	REQ	-
 XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	10.0.0.57	2578	10.0.0.3	502	0	10	DIAGNOSTICS	RESP	-
 XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	10.0.0.57	2578	10.0.0.3	502	0	10	DIAGNOSTICS	REQ	-

testing/btest/scripts/base/protocols/modbus/events.zeek

@@ -6,9 +6,11 @@
 # @TEST-EXEC: echo `cat covered` of `cat total` events triggered by trace >coverage
 # @TEST-EXEC: btest-diff coverage
 # @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: btest-diff weird.log
 
 @load base/protocols/modbus
 @load base/protocols/conn
+@load base/frameworks/notice/weird
 
 redef DPD::ignore_violations_after = 1;
 
@@ -152,3 +154,12 @@ event modbus_read_fifo_queue_response(c: connection, headers: ModbusHeaders, fif
     print "modbus_read_fifo_queue_response", c$id, headers, fifos;
 }
 
+event modbus_diagnostics_request(c: connection, headers: ModbusHeaders, subfunction: count, data: string)
+{
+    print "modbus_diagnostics_request", c$id, headers, subfunction, data;
+}
+
+event modbus_diagnostics_response(c: connection, headers: ModbusHeaders, subfunction: count, data: string)
+{
+    print "modbus_diagnostics_response", c$id, headers, subfunction, data;
+}