Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-16 21:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Merge remote-tracking branch 'origin/topic/seth/modbus_dpd_fix'

Browse source 
* origin/topic/seth/modbus_dpd_fix:
  Call ProtocolConfirmed on modbus
This commit is contained in:
Robin Sommer 2015-06-19 14:06:15 -07:00
commit ffa254acd0
6 changed files with 84 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

10
CHANGES
View file

@ -1,4 +1,14 @@
2.4-5 | 2015-06-19 14:06:15 -0700
* Generate protocol confirmations for Modbus, making it appear as a
confirmed service in conn.log. (Seth Hall)
* Put command line options in alphabetical order. (Daniel Thayer)
* Remove unused code fo no longer supported -G command line option.
(Robin Sommer)
2.4 | 2015-06-09 07:30:53 -0700 2.4 | 2015-06-09 07:30:53 -0700
* Release 2.4. * Release 2.4.

2
VERSION
View file

@ -1 +1 @@
2.4 2.4-5

51
src/analyzer/protocol/modbus/modbus-analyzer.pac
View file

@ -47,6 +47,42 @@
%} %}
refine connection ModbusTCP_Conn += {
%member{
// Fields used to determine if the protocol has been confirmed or not.
bool confirmed;
bool orig_pdu;
bool resp_pdu;
%}
%init{
confirmed = false;
orig_pdu = false;
resp_pdu = false;
%}
function SetPDU(is_orig: bool): bool
%{
if ( is_orig )
orig_pdu = true;
else
resp_pdu = true;
return true;
%}
function SetConfirmed(): bool
%{
confirmed = true;
return true;
%}
function IsConfirmed(): bool
%{
return confirmed && orig_pdu && resp_pdu;
%}
};
refine flow ModbusTCP_Flow += { refine flow ModbusTCP_Flow += {
function deliver_message(header: ModbusTCP_TransportHeader): bool function deliver_message(header: ModbusTCP_TransportHeader): bool
@ -62,6 +98,21 @@ refine flow ModbusTCP_Flow += {
return true; return true;
%} %}
function deliver_ModbusTCP_PDU(message: ModbusTCP_PDU): bool
%{
// We will assume that if an entire PDU from both sides
// is successfully parsed then this is definitely modbus.
connection()->SetPDU(${message.is_orig});
if ( ! connection()->IsConfirmed() )
{
connection()->SetConfirmed();
connection()->bro_analyzer()->ProtocolConfirmation();
}
return true;
%}
# EXCEPTION # EXCEPTION
function deliver_Exception(header: ModbusTCP_TransportHeader, message: Exception): bool function deliver_Exception(header: ModbusTCP_TransportHeader, message: Exception): bool
%{ %{

2
src/analyzer/protocol/modbus/modbus-protocol.pac
View file

@ -64,6 +64,8 @@ type ModbusTCP_PDU(is_orig: bool) = record {
true -> request: ModbusTCP_Request(header); true -> request: ModbusTCP_Request(header);
false -> response: ModbusTCP_Response(header); false -> response: ModbusTCP_Response(header);
}; };
} &let {
deliver: bool = $context.flow.deliver_ModbusTCP_PDU(this);
} &length=header.len+6, &byteorder=bigendian; } &length=header.len+6, &byteorder=bigendian;
type ModbusTCP_TransportHeader = record { type ModbusTCP_TransportHeader = record {

18
testing/btest/Baseline/scripts.base.protocols.modbus.events/conn.log Normal file
View file

@ -0,0 +1,18 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path conn
#open 2015-06-19-21-05-46
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
1093521678.945447 CXWv6p3arKYeMETxOg 10.0.0.57 2387 10.0.0.3 502 tcp - 0.000493 0 0 SF - - 0 FafA 2 80 2 80 (empty)
1093521953.490353 CCvvfg3TEfuqmmG4bh 10.0.0.57 2579 10.0.0.8 502 tcp modbus 23.256631 24 0 SF - - 0 ShADaFf 6 272 5 208 (empty)
1093521681.696827 CjhGID4nQcgTWjvg4c 10.0.0.57 2578 10.0.0.3 502 tcp modbus 385.694948 112 138 S3 - - 0 ShADdf 20 920 12 626 (empty)
1093522326.102435 CsRx2w45OKnoww6xl4 10.0.0.9 3082 10.0.0.3 502 tcp modbus 177.095534 72 69 SF - - 0 ShADdFaf 16 720 9 437 (empty)
1093522946.554059 CRJuHdVW0XPVINV8a 10.0.0.57 2585 10.0.0.8 502 tcp - 76.561880 926 0 SF - - 0 ShADafF 8 1254 7 288 (empty)
1093523065.562221 CPbrpk1qSsw6ESzHV4 10.0.0.8 502 10.0.0.57 4446 tcp - 155.114237 128 0 SF - - 0 ShADaFf 16 776 15 608 (empty)
1153491879.610371 C6pKV8GSxOnSLghOa 192.168.66.235 2582 166.161.16.230 502 tcp - 2.905078 0 0 S0 - - 0 S 2 96 0 0 (empty)
1153491888.530306 CIPOse170MGiRM1Qf4 192.168.66.235 2582 166.161.16.230 502 tcp modbus 85.560847 1692 1278 S1 - - 0 ShADad 167 8380 181 8522 (empty)
1342774499.588269 C7XEbhP654jzLoe3a 10.1.1.234 51411 10.10.5.85 502 tcp modbus 2100.811351 237936 4121200 S2 - - 0 ShADdaF 39659 2300216 20100 5166412 (empty)
#close 2015-06-19-21-05-51

2
testing/btest/scripts/base/protocols/modbus/events.bro
View file

@ -5,6 +5,8 @@
# @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/modbus/events.bif | grep "^event modbus_" | wc -l >total # @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/modbus/events.bif | grep "^event modbus_" | wc -l >total
# @TEST-EXEC: echo `cat covered` of `cat total` events triggered by trace >coverage # @TEST-EXEC: echo `cat covered` of `cat total` events triggered by trace >coverage
# @TEST-EXEC: btest-diff coverage # @TEST-EXEC: btest-diff coverage
# @TEST-EXEC: btest-diff conn.log
event modbus_message(c: connection, headers: ModbusHeaders, is_orig: bool) event modbus_message(c: connection, headers: ModbusHeaders, is_orig: bool)
{ {