diff --git a/scripts/base/protocols/modbus/modbus.bro b/scripts/base/protocols/modbus/modbus.bro index 979371fa49..b40e14915e 100644 --- a/scripts/base/protocols/modbus/modbus.bro +++ b/scripts/base/protocols/modbus/modbus.bro @@ -8,6 +8,7 @@ redef dpd_config+={[ANALYZER_MODBUS]=[$ports=modbus_ports]}; global path:string="/home/dina/pcaps_all/logs/simulations/"; +#global path:string="./simulations/" # raise this (simple) event if you do not have the specific one bellow event modbus_request(c:connection,is_orig:bool,tid:count, pid:count,uid:count, fc:count) @@ -109,8 +110,6 @@ event modbus_read_coils_request(c:connection,is_orig:bool,tid:count,pid:count,ui dst_p=cat(c$id$resp_p); #according to the specification, this FC typically has 0xxxx offset in the memory map - #local prefix_ref:count; - #prefix_ref=ref+40000; local text=string_cat(ftime,"\t",src,"\t",dst,"\t", src_p, "\t REQUEST \t",cat(tid), "\t",cat(pid),"\t", cat(uid),"\t", cat(fc),"\t", cat(ref), "\t", cat(bcount),"\n"); @@ -148,8 +147,6 @@ event modbus_read_coils_response(c:connection,is_orig:bool,tid:count,pid:count,u dst_p=cat(c$id$resp_p); #according to the specification, this FC typically has 0xxxx offset in the memory map - #local prefix_ref:count; - #prefix_ref=ref+00000; local text=string_cat(ftime,"\t",src,"\t",dst,"\t", src_p, "\t RESPONSE \t",cat(tid), "\t",cat(pid),"\t", cat(uid),"\t", cat(fc),"\t", cat(bcount),"\t",bits,"\n"); @@ -414,8 +411,6 @@ event modbus_write_coil_request(c:connection,is_orig:bool,tid:count,pid:count,ui dst_p=cat(c$id$resp_p); #according to the specification, this FC typically has 0xxxx offset in the memory map - #local prefix_ref:count; - #prefix_ref=ref+40000; local text=string_cat(ftime,"\t",src,"\t",dst,"\t", src_p, "\t REQUEST \t",cat(tid), "\t",cat(pid),"\t", cat(uid),"\t", cat(fc),"\t",cat(ref), "\t",cat(onOff),"\t",cat(other),"\n"); 
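Review bot: The active declaration at the top of modbus.bro still hard-codes `/home/dina/pcaps_all/logs/simulations/`, and the added line only leaves a commented-out relative alternative (which also lacks its terminating semicolon). A base protocol script that opens its log files under one developer's home directory will fail or write to an unintended location on any other sensor. Consider making the location tunable instead, e.g. `const path = "./simulations/" &redef;`, ideally inside a module namespace, since `path` is a very generic global name.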
@@ -452,8 +447,7 @@ event modbus_write_coil_response(c:connection,is_orig:bool,tid:count,pid:count,u dst_p=cat(c$id$resp_p); #according to the specification, this FC typically has 0xxxx offset in the memory map - #local prefix_ref:count; - #prefix_ref=ref+00000; + local text=string_cat(ftime,"\t",src,"\t",dst,"\t", src_p, "\t RESPONSE \t","\t",cat(tid), "\t",cat(pid),"\t", cat(uid),"\t", cat(fc),"\t",cat(ref), "\t",cat(onOff),"\t",cat(other),"\n"); @@ -562,8 +556,7 @@ event modbus_force_coils_request(c:connection,is_orig:bool,tid:count,pid:count,u dst_p=cat(c$id$resp_p); #according to the specification, this FC usually has 0xxxx offset in the memory map - #local prefix_ref:count; - #prefix_ref=ref+00000; + local text=string_cat(ftime,"\t",src,"\t",dst,"\t", src_p, "\t REQUEST \t",cat(tid), "\t",cat(pid),"\t", cat(uid),"\t", cat(fc),"\t",cat(ref), "\t",cat(bitCount),"\t",cat(byteCount),coils,"\n"); @@ -599,8 +592,7 @@ event modbus_force_coils_response(c:connection,is_orig:bool,tid:count,pid:count, dst_p=cat(c$id$resp_p); #according to the specification, this FC usually has 0xxxx offset in the memory map - #local prefix_ref:count; - #prefix_ref=ref+00000; + local text=string_cat(ftime,"\t",src,"\t",dst,"\t", src_p, "\t RESPONSE \t",cat(tid), "\t",cat(pid),"\t", cat(uid),"\t", cat(fc),"\t",cat(ref), "\t",cat(bitCount),"\n"); @@ -712,10 +704,6 @@ event modbus_read_reference_request(c:connection,is_orig:bool,tid:count,pid:coun src_p=cat(c$id$orig_p); dst_p=cat(c$id$resp_p); - #according to the specification, this FC usually has 4xxxx offset in the memory map - #local prefix_ref:count; - #prefix_ref=ref+40000; - local text=string_cat(ftime,"\t",src,"\t",dst,"\t",src_p, "\t REQUEST \t",cat(tid), "\t",cat(pid),"\t", cat(uid),"\t",cat(fc),"\t",cat(refCount),"\t",cat(t),"\n"); 
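Review bot: In modbus_write_coil_response the record is built with `"\t RESPONSE \t","\t",cat(tid)`, which emits an extra empty field that the matching request handler (`"\t REQUEST \t",cat(tid)`) does not. Every column after the direction marker is therefore shifted by one in response rows, which will break anything that parses these logs positionally. Since this hunk already touches the line just above, drop the stray `"\t",` so the call reads `"\t RESPONSE \t",cat(tid),`. The handler's body starts and ends outside the hunk.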
@@ -751,10 +739,6 @@ event modbus_read_reference_response(c:connection,is_orig:bool,tid:count,pid:cou src_p=cat(c$id$orig_p); dst_p=cat(c$id$resp_p); - #according to the specification, this FC usually has 4xxxx offset in the memory map - #local prefix_ref:count; - #prefix_ref=ref+40000; - local text=string_cat(ftime,"\t",src,"\t",dst,"\t",src_p, "\t RESPONSE \t",cat(tid), "\t",cat(pid),"\t", cat(uid),"\t",cat(fc),"\t",cat(byteCount),"\t",cat(t),"\n"); @@ -789,10 +773,6 @@ event modbus_read_single_reference_request(c:connection,is_orig:bool,tid:count,p src_p=cat(c$id$orig_p); dst_p=cat(c$id$resp_p); - #according to the specification, this FC usually has 4xxxx offset in the memory map - #local prefix_ref:count; - #prefix_ref=ref+40000; - local text=string_cat(ftime,"\t",src,"\t",dst,"\t",src_p, "\t REQUEST \t",cat(tid), "\t",cat(pid),"\t", cat(uid),"\t",cat(fc),"\t",cat(refType),"\t",cat(refNumber),"\t",cat(wordCount),"\n"); @@ -826,10 +806,6 @@ event modbus_read_single_reference_response(c:connection,is_orig:bool,tid:count, src_p=cat(c$id$orig_p); dst_p=cat(c$id$resp_p); - #according to the specification, this FC usually has 4xxxx offset in the memory map - #local prefix_ref:count; - #prefix_ref=ref+40000; - local text=string_cat(ftime,"\t",src,"\t",dst,"\t",src_p, "\t RESPONSE \t",cat(tid), "\t",cat(pid),"\t", cat(uid),"\t",cat(fc),"\t",cat(byteCount),"\t",cat(refType),"\t",cat(t),"\n"); @@ -866,10 +842,6 @@ event modbus_write_reference_request(c:connection,is_orig:bool,tid:count,pid:cou src_p=cat(c$id$orig_p); dst_p=cat(c$id$resp_p); - #according to the specification, this FC usually has 4xxxx offset in the memory map - #local prefix_ref:count; - #prefix_ref=ref+40000; - local text=string_cat(ftime,"\t",src,"\t",dst,"\t",src_p, "\t REQUEST \t",cat(tid), "\t",cat(pid),"\t", cat(uid),"\t",cat(fc),"\t",cat(byteCount),"\t",cat(t),"\n"); 
@@ -904,10 +876,6 @@ event modbus_read_reference_response(c:connection,is_orig:bool,tid:count,pid:cou src_p=cat(c$id$orig_p); dst_p=cat(c$id$resp_p); - #according to the specification, this FC usually has 4xxxx offset in the memory map - #local prefix_ref:count; - #prefix_ref=ref+40000; - local text=string_cat(ftime,"\t",src,"\t",dst,"\t",src_p, "\t RESPONSE \t",cat(tid), "\t",cat(pid),"\t", cat(uid),"\t",cat(fc),"\t",cat(byteCount),"\t",cat(t),"\n"); @@ -919,7 +887,7 @@ event modbus_read_reference_response(c:connection,is_orig:bool,tid:count,pid:cou } -#REQUEST/RESPONSE FC=20 (for single reference) +#REQUEST/RESPONSE FC=21 (for single reference) event modbus_write_single_reference(c:connection,is_orig:bool,tid:count,pid:count,uid:count,fc:count,refType:count,refNumber:count,wordCount:count,t:int_vec) { @@ -931,7 +899,6 @@ event modbus_write_single_reference(c:connection,is_orig:bool,tid:count,pid:coun local src_p:string; local dst_p:string; - k=open_for_append (string_cat(path,"f21_singles_new.log")); m=open_for_append (string_cat(path,"fall_new.log")); ftime=strftime("%F %T",network_time()); @@ -941,11 +908,6 @@ event modbus_write_single_reference(c:connection,is_orig:bool,tid:count,pid:coun src_p=cat(c$id$orig_p); dst_p=cat(c$id$resp_p); - #according to the specification, this FC usually has 4xxxx offset in the memory map - #local prefix_ref:count; - #prefix_ref=ref+40000; - - local text=string_cat(ftime,"\t",src,"\t",dst,"\t",src_p, "\t REQUEST/RESPONSE \t",cat(tid), "\t",cat(pid),"\t", cat(uid),"\t",cat(fc),"\t",cat(refType),"\t",cat(refNumber),"\t",cat(wordCount),"\t",cat(t),"\n"); write_file(k,text); 
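Review bot: The hunk headers at -904 and -919 place these lines inside a second `event modbus_read_reference_response(...)` handler that follows modbus_write_reference_request, while a handler with the same name already appears at -751. That looks like a copy-paste slip in which the write-reference response handler kept the read-response name. If so, write-reference responses are never logged and read-reference responses are logged twice. The event line itself is outside the hunk, so please confirm, and if the handler is meant for the write response, rename it to the corresponding write-reference response event.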
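Review bot: The hunk at -931 removes `k=open_for_append (string_cat(path,"f21_singles_new.log"));` from modbus_write_single_reference, but the following hunk (-941) still shows `write_file(k,text);` as unchanged context. Unless `k` is assigned somewhere outside these hunks, the handler now writes to a file value that was never opened, so FC 21 records would be lost or raise a runtime error. Either keep the open (with a matching `close(k);`), or remove the `write_file(k,text);` call so that only `m` is written.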
@@ -979,10 +941,6 @@ event modbus_mask_write_request(c:connection,is_orig:bool,tid:count,pid:count,ui src_p=cat(c$id$orig_p); dst_p=cat(c$id$resp_p); - #according to the specification, this FC typically has 0xxxx offset in the memory map - #local prefix_ref:count; - #prefix_ref=ref+00000; - local text=string_cat(ftime,"\t",src,"\t",dst,"\t", src_p, "\t REQUEST \t",cat(tid), "\t",cat(pid),"\t", cat(uid),"\t", cat(fc),"\t",cat(ref), "\t",cat(andMask),"\t",cat(orMask),"\n"); write_file(h,text); @@ -1015,10 +973,6 @@ event modbus_mask_write_response(c:connection,is_orig:bool,tid:count,pid:count,u src_p=cat(c$id$orig_p); dst_p=cat(c$id$resp_p); - #according to the specification, this FC typically has 0xxxx offset in the memory map - #local prefix_ref:count; - #prefix_ref=ref+00000; - local text=string_cat(ftime,"\t",src,"\t",dst,"\t", src_p, "\t RESPONSE \t",cat(tid), "\t",cat(pid),"\t", cat(uid),"\t", cat(fc),"\t",cat(ref), "\t",cat(andMask),"\t",cat(orMask),"\n"); write_file(h,text); @@ -1122,11 +1076,6 @@ event modbus_read_FIFO_request(c:connection,is_orig:bool,tid:count,pid:count,uid src_p=cat(c$id$orig_p); dst_p=cat(c$id$resp_p); - #according to the specification, this FC typically has 4xxxx offset in the memory map - #local prefix_ref:count; - # prefix_ref=ref+40000; - - local text=string_cat(ftime,"\t",src,"\t",dst,"\t", src_p, "\t REQUEST \t",cat(tid), "\t",cat(pid),"\t", cat(uid),"\t", cat(fc),"\t", cat(ref), "\t","\n"); write_file(f,text); @@ -1165,10 +1114,8 @@ event modbus_read_FIFO_response(c:connection,is_orig:bool,t:int_vec,tid:count,pi write_file(h,text); write_file(m,text); - close(h); close(m); - } diff --git a/src/modbus-analyzer.pac b/src/modbus-analyzer.pac index 44ac504652..4b7a7094b2 100644 --- a/src/modbus-analyzer.pac +++ b/src/modbus-analyzer.pac 
@@ -1,3 +1,15 @@ +######################################################################################### +# # +# # +# The development of this software has been made possible thanks to the support of # +# the Ministry of Security and Justice of the Kingdom of the Netherlands within # +# the projects of Hermes, Castor and Midas. # +# # +# # +######################################################################################### +# useful references: http://www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf # +# http://www.simplymodbus.ca/faq.htm # +######################################################################################### diff --git a/src/modbus-protocol.pac b/src/modbus-protocol.pac index d8c48f2027..596cae12b8 100644 --- a/src/modbus-protocol.pac +++ b/src/modbus-protocol.pac 
@@ -1,37 +1,16 @@ -#Copyright (c) 2011 SecurityMatters BV. All rights reserved. +######################################################################################### +# # +# # +# The development of this software has been made possible thanks to the support of # +# the Ministry of Security and Justice of the Kingdom of the Netherlands within # +# the projects of Hermes, Castor and Midas. # +# # +# # +######################################################################################### +# useful references: http://www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf # +# http://www.simplymodbus.ca/faq.htm # +######################################################################################### -##Redistribution and use in source and binary forms, with or without -##modification, are permitted provided that the following conditions are met: - -##(1) Redistributions of source code must retain the above copyright notice, -## this list of conditions and the following disclaimer. - -##(2) Redistributions in binary form must reproduce the above copyright -## notice, this list of conditions and the following disclaimer in the -## documentation and/or other materials provided with the distribution. - -##(3) Neither the name of SecurityMatters BV, nor the names of contributors -## may be used to endorse or promote products derived from this software -## without specific prior written permission. - -##THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" -##AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -##IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -##ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE -##LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR -##CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF -##SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS -##INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN -##CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -##ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE -##POSSIBILITY OF SUCH DAMAGE. - - -## -## Modbus/TCP protocol -## Based on OPEN MODBUS/TCP SPECIFICATION -## Release 1.0, 29 March 1999 -## analyzer ModbusTCP withcontext { connection: ModbusTCP_Conn; diff --git a/src/modbus.pac b/src/modbus.pac index bece9cc9a6..b11e8a14c5 100644 --- a/src/modbus.pac +++ b/src/modbus.pac @@ -1,3 +1,15 @@ +######################################################################################### +# # +# # +# The development of this software has been made possible thanks to the support of # +# the Ministry of Security and Justice of the Kingdom of the Netherlands within # +# the projects of Hermes, Castor and Midas. # +# # +# # +######################################################################################### + + + %include bro.pac %include modbus-protocol.pac
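Review bot: The modbus-protocol.pac hunk deletes the `Copyright (c) 2011 SecurityMatters BV` notice and the full licence text, yet clause (1) of that removed text requires redistributions of source code to retain the notice, conditions and disclaimer. Unless the copyright holder has agreed to the change (nothing visible here says so), the original header should be kept alongside the new acknowledgement banner rather than replaced by it. The removal also drops the note on which specification release the grammar was based on. A one-line comment such as `# Based on the Open Modbus/TCP Specification, Release 1.0 (29 March 1999)` would preserve that provenance next to the new V1.1b reference.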