Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-04 07:38:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2
zeek/testing/btest/scripts/base/protocols/modbus/register_parsing.bro
Jon Siwek fd5eb23fa6 Remove byte count parameter from modbus events carrying register arrays 
Instead of these events being generated for invalid byte count values
(they should always be even, not odd), a protocol_violation is raised.

    modbus_read_holding_registers_response
    modbus_read_input_registers_response
    modbus_write_multiple_registers_request
    modbus_read_write_multiple_registers_request
    modbus_read_write_multiple_registers_response
    modbus_read_fifo_queue_respons
2012-11-13 12:09:14 -06:00

21 lines
1 KiB
Text
Raw Blame History

# @TEST-EXEC: bro -r $TRACES/modbus/fuzz-1011.trace %INPUT >output
# @TEST-EXEC: btest-diff modbus.log
# @TEST-EXEC: btest-diff output
# modbus registers are 2-byte values. Many messages send a variable amount
# of register values, with the quantity being derived from a byte count value
# that is also sent. If the byte count value is invalid (e.g. an odd value
# might not be valid since registers must be 2-byte values), then the parser
# should not trigger any asserts, but generate a protocol_violation (in this
# case TCP_ApplicationAnalyzer::ProtocolViolation asserts its behavior for
# incomplete connections).
event modbus_read_input_registers_request(c: connection, headers: ModbusHeaders, start_address: count, quantity: count)
{
print "modbus_read_input_registers_request", c$id, headers, start_address, quantity;
}
event modbus_read_input_registers_response(c: connection, headers: ModbusHeaders, registers: ModbusRegisters)
{
print "modbus_read_input_registers_response", c$id, headers, registers, |registers|;
}
Reference in a new issue View git blame Copy permalink