put some make-up on Modbus analyser

dina 2012-08-24 10:21:04 +02:00
parent c58c6791c5
commit fb0d93de1e
4 changed files with 41 additions and 91 deletions


@ -8,6 +8,7 @@ redef dpd_config+={[ANALYZER_MODBUS]=[$ports=modbus_ports]};
global path:string="/home/dina/pcaps_all/logs/simulations/";
#global path:string="./simulations/"
# raise this (simple) event if you do not have the specific one bellow
event modbus_request(c:connection,is_orig:bool,tid:count, pid:count,uid:count, fc:count)
@ -109,8 +110,6 @@ event modbus_read_coils_request(c:connection,is_orig:bool,tid:count,pid:count,ui
dst_p=cat(c$id$resp_p);
#according to the specification, this FC typically has 0xxxx offset in the memory map
#local prefix_ref:count;
#prefix_ref=ref+40000;
local text=string_cat(ftime,"\t",src,"\t",dst,"\t", src_p, "\t REQUEST \t",cat(tid), "\t",cat(pid),"\t", cat(uid),"\t", cat(fc),"\t", cat(ref), "\t", cat(bcount),"\n");
@ -148,8 +147,6 @@ event modbus_read_coils_response(c:connection,is_orig:bool,tid:count,pid:count,u
dst_p=cat(c$id$resp_p);
#according to the specification, this FC typically has 0xxxx offset in the memory map
#local prefix_ref:count;
#prefix_ref=ref+00000;
local text=string_cat(ftime,"\t",src,"\t",dst,"\t", src_p, "\t RESPONSE \t",cat(tid), "\t",cat(pid),"\t", cat(uid),"\t", cat(fc),"\t", cat(bcount),"\t",bits,"\n");
@ -414,8 +411,6 @@ event modbus_write_coil_request(c:connection,is_orig:bool,tid:count,pid:count,ui
dst_p=cat(c$id$resp_p);
#according to the specification, this FC typically has 0xxxx offset in the memory map
#local prefix_ref:count;
#prefix_ref=ref+40000;
local text=string_cat(ftime,"\t",src,"\t",dst,"\t", src_p, "\t REQUEST \t",cat(tid), "\t",cat(pid),"\t", cat(uid),"\t", cat(fc),"\t",cat(ref), "\t",cat(onOff),"\t",cat(other),"\n");
@ -452,8 +447,7 @@ event modbus_write_coil_response(c:connection,is_orig:bool,tid:count,pid:count,u
dst_p=cat(c$id$resp_p);
#according to the specification, this FC typically has 0xxxx offset in the memory map
#local prefix_ref:count;
#prefix_ref=ref+00000;
local text=string_cat(ftime,"\t",src,"\t",dst,"\t", src_p, "\t RESPONSE \t","\t",cat(tid), "\t",cat(pid),"\t", cat(uid),"\t", cat(fc),"\t",cat(ref), "\t",cat(onOff),"\t",cat(other),"\n");
@ -562,8 +556,7 @@ event modbus_force_coils_request(c:connection,is_orig:bool,tid:count,pid:count,u
dst_p=cat(c$id$resp_p);
#according to the specification, this FC usually has 0xxxx offset in the memory map
#local prefix_ref:count;
#prefix_ref=ref+00000;
local text=string_cat(ftime,"\t",src,"\t",dst,"\t", src_p, "\t REQUEST \t",cat(tid), "\t",cat(pid),"\t", cat(uid),"\t", cat(fc),"\t",cat(ref), "\t",cat(bitCount),"\t",cat(byteCount),coils,"\n");
@ -599,8 +592,7 @@ event modbus_force_coils_response(c:connection,is_orig:bool,tid:count,pid:count,
dst_p=cat(c$id$resp_p);
#according to the specification, this FC usually has 0xxxx offset in the memory map
#local prefix_ref:count;
#prefix_ref=ref+00000;
local text=string_cat(ftime,"\t",src,"\t",dst,"\t", src_p, "\t RESPONSE \t",cat(tid), "\t",cat(pid),"\t", cat(uid),"\t", cat(fc),"\t",cat(ref), "\t",cat(bitCount),"\n");
@ -712,10 +704,6 @@ event modbus_read_reference_request(c:connection,is_orig:bool,tid:count,pid:coun
src_p=cat(c$id$orig_p);
dst_p=cat(c$id$resp_p);
#according to the specification, this FC usually has 4xxxx offset in the memory map
#local prefix_ref:count;
#prefix_ref=ref+40000;
local text=string_cat(ftime,"\t",src,"\t",dst,"\t",src_p, "\t REQUEST \t",cat(tid), "\t",cat(pid),"\t", cat(uid),"\t",cat(fc),"\t",cat(refCount),"\t",cat(t),"\n");
@ -751,10 +739,6 @@ event modbus_read_reference_response(c:connection,is_orig:bool,tid:count,pid:cou
src_p=cat(c$id$orig_p);
dst_p=cat(c$id$resp_p);
#according to the specification, this FC usually has 4xxxx offset in the memory map
#local prefix_ref:count;
#prefix_ref=ref+40000;
local text=string_cat(ftime,"\t",src,"\t",dst,"\t",src_p, "\t RESPONSE \t",cat(tid), "\t",cat(pid),"\t", cat(uid),"\t",cat(fc),"\t",cat(byteCount),"\t",cat(t),"\n");
@ -789,10 +773,6 @@ event modbus_read_single_reference_request(c:connection,is_orig:bool,tid:count,p
src_p=cat(c$id$orig_p);
dst_p=cat(c$id$resp_p);
#according to the specification, this FC usually has 4xxxx offset in the memory map
#local prefix_ref:count;
#prefix_ref=ref+40000;
local text=string_cat(ftime,"\t",src,"\t",dst,"\t",src_p, "\t REQUEST \t",cat(tid), "\t",cat(pid),"\t", cat(uid),"\t",cat(fc),"\t",cat(refType),"\t",cat(refNumber),"\t",cat(wordCount),"\n");
@ -826,10 +806,6 @@ event modbus_read_single_reference_response(c:connection,is_orig:bool,tid:count,
src_p=cat(c$id$orig_p);
dst_p=cat(c$id$resp_p);
#according to the specification, this FC usually has 4xxxx offset in the memory map
#local prefix_ref:count;
#prefix_ref=ref+40000;
local text=string_cat(ftime,"\t",src,"\t",dst,"\t",src_p, "\t RESPONSE \t",cat(tid), "\t",cat(pid),"\t", cat(uid),"\t",cat(fc),"\t",cat(byteCount),"\t",cat(refType),"\t",cat(t),"\n");
@ -866,10 +842,6 @@ event modbus_write_reference_request(c:connection,is_orig:bool,tid:count,pid:cou
src_p=cat(c$id$orig_p);
dst_p=cat(c$id$resp_p);
#according to the specification, this FC usually has 4xxxx offset in the memory map
#local prefix_ref:count;
#prefix_ref=ref+40000;
local text=string_cat(ftime,"\t",src,"\t",dst,"\t",src_p, "\t REQUEST \t",cat(tid), "\t",cat(pid),"\t", cat(uid),"\t",cat(fc),"\t",cat(byteCount),"\t",cat(t),"\n");
@ -904,10 +876,6 @@ event modbus_read_reference_response(c:connection,is_orig:bool,tid:count,pid:cou
src_p=cat(c$id$orig_p);
dst_p=cat(c$id$resp_p);
#according to the specification, this FC usually has 4xxxx offset in the memory map
#local prefix_ref:count;
#prefix_ref=ref+40000;
local text=string_cat(ftime,"\t",src,"\t",dst,"\t",src_p, "\t RESPONSE \t",cat(tid), "\t",cat(pid),"\t", cat(uid),"\t",cat(fc),"\t",cat(byteCount),"\t",cat(t),"\n");
@ -919,7 +887,7 @@ event modbus_read_reference_response(c:connection,is_orig:bool,tid:count,pid:cou
}
#REQUEST/RESPONSE FC=20 (for single reference)
#REQUEST/RESPONSE FC=21 (for single reference)
event modbus_write_single_reference(c:connection,is_orig:bool,tid:count,pid:count,uid:count,fc:count,refType:count,refNumber:count,wordCount:count,t:int_vec)
{
@ -931,7 +899,6 @@ event modbus_write_single_reference(c:connection,is_orig:bool,tid:count,pid:coun
local src_p:string;
local dst_p:string;
k=open_for_append (string_cat(path,"f21_singles_new.log"));
m=open_for_append (string_cat(path,"fall_new.log"));
ftime=strftime("%F %T",network_time());
@ -941,11 +908,6 @@ event modbus_write_single_reference(c:connection,is_orig:bool,tid:count,pid:coun
src_p=cat(c$id$orig_p);
dst_p=cat(c$id$resp_p);
#according to the specification, this FC usually has 4xxxx offset in the memory map
#local prefix_ref:count;
#prefix_ref=ref+40000;
local text=string_cat(ftime,"\t",src,"\t",dst,"\t",src_p, "\t REQUEST/RESPONSE \t",cat(tid), "\t",cat(pid),"\t", cat(uid),"\t",cat(fc),"\t",cat(refType),"\t",cat(refNumber),"\t",cat(wordCount),"\t",cat(t),"\n");
write_file(k,text);
@ -979,10 +941,6 @@ event modbus_mask_write_request(c:connection,is_orig:bool,tid:count,pid:count,ui
src_p=cat(c$id$orig_p);
dst_p=cat(c$id$resp_p);
#according to the specification, this FC typically has 0xxxx offset in the memory map
#local prefix_ref:count;
#prefix_ref=ref+00000;
local text=string_cat(ftime,"\t",src,"\t",dst,"\t", src_p, "\t REQUEST \t",cat(tid), "\t",cat(pid),"\t", cat(uid),"\t", cat(fc),"\t",cat(ref), "\t",cat(andMask),"\t",cat(orMask),"\n");
write_file(h,text);
@ -1015,10 +973,6 @@ event modbus_mask_write_response(c:connection,is_orig:bool,tid:count,pid:count,u
src_p=cat(c$id$orig_p);
dst_p=cat(c$id$resp_p);
#according to the specification, this FC typically has 0xxxx offset in the memory map
#local prefix_ref:count;
#prefix_ref=ref+00000;
local text=string_cat(ftime,"\t",src,"\t",dst,"\t", src_p, "\t RESPONSE \t",cat(tid), "\t",cat(pid),"\t", cat(uid),"\t", cat(fc),"\t",cat(ref), "\t",cat(andMask),"\t",cat(orMask),"\n");
write_file(h,text);
@ -1122,11 +1076,6 @@ event modbus_read_FIFO_request(c:connection,is_orig:bool,tid:count,pid:count,uid
src_p=cat(c$id$orig_p);
dst_p=cat(c$id$resp_p);
#according to the specification, this FC typically has 4xxxx offset in the memory map
#local prefix_ref:count;
# prefix_ref=ref+40000;
local text=string_cat(ftime,"\t",src,"\t",dst,"\t", src_p, "\t REQUEST \t",cat(tid), "\t",cat(pid),"\t", cat(uid),"\t", cat(fc),"\t", cat(ref), "\t","\n");
write_file(f,text);
@ -1165,10 +1114,8 @@ event modbus_read_FIFO_response(c:connection,is_orig:bool,t:int_vec,tid:count,pi
write_file(h,text);
write_file(m,text);
close(h);
close(m);
}
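Review bot: The hunk header at L87 (`@ -904,10 +876,6 @@ event modbus_read_reference_response(...)`) names the same handler as the hunk at L59 (`@ -751`), and its log line at L93 emits the same `byteCount`/`t` RESPONSE fields as L65, even though it sits directly after `modbus_write_reference_request` (L80); this looks like a copied handler that was never renamed to the write-reference response event, which would leave write-reference responses unlogged while read-reference responses pass through two identical handlers — worth confirming against the full file, since every handler body starts and ends outside these hunks. Separately, L12 keeps the log directory as `global path:string="/home/dina/pcaps_all/logs/simulations/";`, a developer-specific absolute path baked into the analyser; make it overridable, e.g. `const path: string = "./simulations/" &redef;`, so a deployment does not write its logs under someone's home directory. The tab-separated log lines also disagree on column layout: L45 concatenates `cat(byteCount),coils` with no `"\t"` between them, and L39 emits a double tab after RESPONSE (`"\t RESPONSE \t","\t"`), so rows in `fall_new.log` will not align for any consumer that splits on tabs.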


@ -1,3 +1,15 @@
#########################################################################################
# #
# #
# The development of this software has been made possible thanks to the support of #
# the Ministry of Security and Justice of the Kingdom of the Netherlands within #
# the projects of Hermes, Castor and Midas. #
# #
# #
#########################################################################################
# useful references: http://www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf #
# http://www.simplymodbus.ca/faq.htm #
#########################################################################################


@ -1,37 +1,16 @@
#Copyright (c) 2011 SecurityMatters BV. All rights reserved.
##Redistribution and use in source and binary forms, with or without
##modification, are permitted provided that the following conditions are met:
##(1) Redistributions of source code must retain the above copyright notice,
## this list of conditions and the following disclaimer.
##(2) Redistributions in binary form must reproduce the above copyright
## notice, this list of conditions and the following disclaimer in the
## documentation and/or other materials provided with the distribution.
##(3) Neither the name of SecurityMatters BV, nor the names of contributors
## may be used to endorse or promote products derived from this software
## without specific prior written permission.
##THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
##AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
##IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
##ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
##LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
##CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
##SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
##INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
##CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
##ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
##POSSIBILITY OF SUCH DAMAGE.
#########################################################################################
# #
## Modbus/TCP protocol
## Based on OPEN MODBUS/TCP SPECIFICATION
## Release 1.0, 29 March 1999
# #
# The development of this software has been made possible thanks to the support of #
# the Ministry of Security and Justice of the Kingdom of the Netherlands within #
# the projects of Hermes, Castor and Midas. #
# #
# #
#########################################################################################
# useful references: http://www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf #
# http://www.simplymodbus.ca/faq.htm #
#########################################################################################
analyzer ModbusTCP withcontext {
connection: ModbusTCP_Conn;
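Review bot: The SecurityMatters copyright line and the BSD-style conditions at L164-L185 appear to be dropped from this header in favour of the acknowledgement banner; the `+`/`-` markers were lost in rendering, so this is inferred from the hunk counts (`-1,37 +1,16`) rather than certain. If those lines are removed rather than moved elsewhere, that conflicts with the notice's own condition (1), which requires redistributions of source to retain the copyright notice, the conditions and the disclaimer, so the original notice should be kept above or below the new banner. The `## Modbus/TCP protocol` and `## Based on OPEN MODBUS/TCP SPECIFICATION` lines at L188-L190 are the only description of what this analyzer implements; if they go too, that one-line purpose statement should survive the header rewrite.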


@ -1,3 +1,15 @@
#########################################################################################
# #
# #
# The development of this software has been made possible thanks to the support of #
# the Ministry of Security and Justice of the Kingdom of the Netherlands within #
# the projects of Hermes, Castor and Midas. #
# #
# #
#########################################################################################
%include bro.pac
%include modbus-protocol.pac