
icsnpp's Introduction

ICSNPP

Industrial Control Systems Network Protocol Parsers (ICSNPP)

Industrial Control Systems protocol parser plugins for the Zeek network security monitoring framework. The project currently provides nine fully developed protocol parsers and two extension scripts, all listed below. If there are other ICS protocol parsers you would like to see, please let us know via a GitHub issue!

ICSNPP Packages

All ICSNPP Packages:

Full ICS Protocol Parsers:

  • BACnet
    • Full Zeek protocol parser for BACnet (Building Automation and Control Networks)
  • BSAP
    • Full Zeek protocol parser for BSAP (Bristol Standard Asynchronous Protocol) over IP
    • Full Zeek protocol parser for BSAP Serial comm converted using serial tap device
  • EtherCAT
    • Full Zeek protocol parser for EtherCAT
  • Ethernet/IP and CIP
    • Full Zeek protocol parser for Ethernet/IP and CIP
  • Genisys
    • Full Zeek protocol parser for Genisys
  • OPCUA-Binary
    • Full Zeek protocol parser for OPC UA (OPC Unified Architecture) - Binary
  • S7Comm
    • Full Zeek protocol parser for S7comm, S7comm-plus, and COTP
  • Synchrophasor
    • Full Zeek protocol parser for Synchrophasor Data Transfer for Power Systems (C37.118)
  • Profinet IO CM
    • Full Zeek protocol parser for Profinet I/O Context Manager

Updates to Zeek ICS Protocol Parsers:

  • DNP3
    • DNP3 Zeek script extending logging capabilities of Zeek's default DNP3 protocol parser
  • Modbus
    • Modbus Zeek script extending logging capabilities of Zeek's default Modbus protocol parser

License

Copyright 2023 Battelle Energy Alliance, LLC. Released under the terms of the 3-Clause BSD License (see LICENSE.txt).

icsnpp's People

Contributors

  • kkvarfordt
  • kleinspider
  • mmguero
  • piercema
  • taeganw


icsnpp's Issues

provide flag for controlling log verbosity

💡 Summary

Some of the ICSNPP parsers can be very verbose (e.g., as far as individual values for writes/reads/operations vs. higher-level operations). It would be convenient to provide a flag to be able to control the verbosity of these logs per-protocol. In other words, a boolean where if set to "true" the verbosity is higher (i.e., more of the .log files are generated) vs. "false" where only summary logs are generated (not the details).

Motivation and context

This idea came from the discussion we had with corelight.

Implementation notes

An example of this could be the synchrophasor parser. See main.zeek.
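One way to implement the requested per-protocol toggle in Zeek script, as an added example that is neither ICSNPP code nor the synchrophasor parser referenced above: a single `option` gates a detail log behind a summary log. The stand-ins for a parser's summary and detail events are Zeek's own base Modbus events `modbus_message` and `modbus_read_holding_registers_request`; the module name, option name, record types and log paths are assumptions made for the example.

```zeek
##! Added example (not ICSNPP code): a verbosity option that gates a
##! per-operation detail log behind an always-on summary log.
##! Module name, option name and log paths are assumptions.
module ICSNPP_Verbosity;

export {
    ## Set to F to keep only the summary log. Override in local.zeek with
    ##   redef ICSNPP_Verbosity::detailed_logging = F;
    option detailed_logging: bool = T;

    redef enum Log::ID += { SUMMARY_LOG, DETAIL_LOG };

    ## One line per Modbus PDU: the "summary" level.
    type Summary: record {
        ts:      time    &log;
        uid:     string  &log;
        id:      conn_id &log;
        func:    count   &log;
        is_orig: bool    &log;
    };

    ## One line per individual read request: the "detail" level.
    type Detail: record {
        ts:            time    &log;
        uid:           string  &log;
        id:            conn_id &log;
        start_address: count   &log;
        quantity:      count   &log;
    };
}

event zeek_init() &priority=5
    {
    Log::create_stream(SUMMARY_LOG, [$columns=Summary, $path="modbus_example_summary"]);
    # The detail stream is always created; the gate sits at write time so
    # that flipping the option at runtime (configuration framework) needs
    # no restart and no stream juggling.
    Log::create_stream(DETAIL_LOG, [$columns=Detail, $path="modbus_example_detail"]);
    }

# Summary level: written for every Modbus message regardless of the option.
event modbus_message(c: connection, headers: ModbusHeaders, is_orig: bool)
    {
    local rec: Summary = [$ts=network_time(), $uid=c$uid, $id=c$id,
                          $func=headers$function_code, $is_orig=is_orig];
    Log::write(SUMMARY_LOG, rec);
    }

# Detail level: written only while detailed_logging is T.
event modbus_read_holding_registers_request(c: connection, headers: ModbusHeaders,
                                            start_address: count, quantity: count)
    {
    if ( ! detailed_logging )
        return;

    local rec: Detail = [$ts=network_time(), $uid=c$uid, $id=c$id,
                         $start_address=start_address, $quantity=quantity];
    Log::write(DETAIL_LOG, rec);
    }
```

Run it with `zeek -r some_modbus.pcap icsnpp_verbosity.zeek` and both `modbus_example_summary.log` and `modbus_example_detail.log` appear; with `redef ICSNPP_Verbosity::detailed_logging = F;` in local.zeek only the summary log is populated. Gating at write time rather than skipping `Log::create_stream` keeps the stream's filters and rotation intact when verbosity is turned back on.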

Omron FINS Parser

💡 Summary

Can you add a new parser for Omron FINS?

Motivation and context

Based on the PIPEDREAM malware, and if malware is starting to target Omron, I would like to be able to parse that in Security Onion. I am able to review the traffic in Wireshark, but that can only process so much data at a time and is hard to target down to long-tail analysis.


Can't find Master branch or version tags

πŸ› Summary

When using zkg to install any of the icsnpp-* plugins I get a 'no "master" branch or version tags' error.

To reproduce

Steps to reproduce the behavior:

  1. zkg install icsnpp-ethercat

Expected behavior

installation of the plugin

Any helpful log output or screenshots

# zkg install icsnpp-ethercat
error: invalid package "icsnpp-ethercat": git repo has no "master" branch or version tags

# zkg install icsnpp-bacnet
error: invalid package "icsnpp-bacnet": git repo has no "master" branch or version tags

Issue when trying to parse replayed traffic

πŸ› Summary

When I run a PCAP through the Zeek command it parses the pcap and creates the logs as intended. However, when I use a packet replay tool to play the packets over a monitored interface it does not parse the pcap. I can see the PCAP on the interface with Wireshark, and Wireshark parses it correctly. I can also see the traffic in conn.log, but never get the parsed logs output. Zeek shows that the scripts loaded. I do not know if this is just a capability/functionality issue, or if this is an actual bug. It is also possible that it is specific to only replayed packets. I do not have actual live ICS traffic that I can monitor, so I need to make sure that it does in fact work at parsing live traffic.
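A first diagnostic for the replay case above, as an added example that is not ICSNPP code and not from the issue's author. The report does not establish the cause, but when conn.log shows a connection and no protocol log follows, the application-layer analyzer never attached; on replayed traffic the two things a practitioner rules out first are packets that failed Zeek's TCP/UDP checksum validation (Zeek records these as `c`/`C` in the conn.log `history` field and drops their payload before any parser sees them) and ICS-port connections that ended with an empty `service` set. The script counts both; the module name and the port set are assumptions.

```zeek
##! Added example (not ICSNPP code): find out why replayed ICS traffic
##! reaches conn.log but no protocol parser.  Module name and port set
##! are assumptions; adjust the ports to the protocols you expect.
module ReplayCheck;

export {
    ## Well-known server ports for Modbus, DNP3, EtherNet/IP and BACnet.
    const ics_ports: set[port] = { 502/tcp, 20000/tcp, 44818/tcp, 47808/udp } &redef;
}

global total = 0;
global bad_checksum = 0;
global ics_unanalyzed = 0;

event connection_state_remove(c: connection)
    {
    ++total;

    # Zeek flags packets that failed checksum validation with c (originator)
    # or C (responder) in the history string; their payload is discarded
    # before any analyzer runs, so parsers never see them.
    if ( "c" in c$history || "C" in c$history )
        ++bad_checksum;

    # A connection to an ICS port whose service set stayed empty means no
    # analyzer attached at all, as opposed to a parser attaching and staying silent.
    if ( c$id$resp_p in ics_ports && |c$service| == 0 )
        ++ics_unanalyzed;
    }

event zeek_done()
    {
    print fmt("%d connections, %d with bad-checksum packets, %d on ICS ports with no analyzer",
              total, bad_checksum, ics_unanalyzed);

    if ( bad_checksum > 0 )
        print "Bad checksums seen: rerun with `zeek -C` (or `redef ignore_checksums = T;`) and compare.";
    }
```

Run the same script both ways, `zeek -r capture.pcap replay_check.zeek` against the file and `zeek -i <iface> replay_check.zeek` while replaying, and compare the two summaries. A bad-checksum count that is zero on the file but non-zero on the interface points at the replay path (for example checksum offloading on the replaying host); a non-zero "no analyzer" count with clean checksums points at how the analyzer is being registered (ports, DPD) rather than at the parser itself.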

ANSI C12.22 parser

ANSI C12.22

This is, I believe, an ASN.1 parser. This would make it pretty easy, as it would be very similar to how the LDAP parser I wrote works.

Integrating IEC 104 parser to this repo

💡 Summary

I am currently developing a Zeek parser for IEC 104 using Spicy. It is my first attempt in the world of Zeek, and I am looking for your insight for a potential integration of this parser to the main ICSNPP repo (that was helpful for me during my development process).

Motivation and context

This would be useful because it can provide a parser for a protocol that is widely used by the electrical sector in some countries, complementing the DNP3 one that you already include.

Implementation notes

You can find the parser in the following repo along with the README of what has been achieved so far.

Please don't ask users to overwrite Zeek base scripts

Currently, your Modbus and DNP3 scripts both recommend that users overwrite the scripts that ship with Zeek. It would be much better for everyone if you just treated these as completely separate scripts. You could have an option to do something like disable the existing built-in logs.

One side benefit you get if you don't tell people to overwrite the existing scripts is that you can submit your scripts to the Zeek package manager and get more users through that.

We would be totally happy to discuss how to make the DNP3 and Modbus base scripts in Zeek better too! They haven't been extensively refined and it would be great to get some practitioners advice on what should be in those logs.

Thanks!
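The two patterns asked for above, as an added example that is neither ICSNPP code nor the Zeek team's: a stand-alone script that adds columns to the stock Modbus log by extending `Modbus::Info` instead of replacing base/protocols/modbus, plus an option that switches the stock stream off for sites that run a richer replacement log beside it. `Modbus::Info`, `Modbus::LOG`, `ModbusHeaders` and `modbus_message` are Zeek's own, as are the base script's handler priorities (5 to populate `c$modbus`, -5 to write it); the module name, option name and the two added columns are assumptions.

```zeek
##! Added example (not ICSNPP code): extend Zeek's stock modbus.log without
##! overwriting base/protocols/modbus.  Load it alongside the base scripts,
##! e.g. via @load in local.zeek.  Names below are assumptions.
module Modbus_Extension;

export {
    ## Set to T to silence the stock modbus.log, for deployments where a
    ## separate detailed log makes the base one redundant.
    option disable_base_log: bool = F;

    ## Extra columns appended to the stock modbus.log.  The base script
    ## creates c$modbus in modbus_message at priority 5 and writes it at
    ## priority -5, so a handler at priority 0 can fill these in between.
    redef record Modbus::Info += {
        direction: string &log &optional;   # "request" or "response"
        unit_id:   count  &log &optional;   # Modbus unit identifier
    };
}

event zeek_init() &priority=-5
    {
    # Priority -5 runs after the base script has created Modbus::LOG at
    # priority 5; disabling a stream that does not exist yet is a no-op.
    if ( disable_base_log )
        Log::disable_stream(Modbus::LOG);
    }

event modbus_message(c: connection, headers: ModbusHeaders, is_orig: bool) &priority=0
    {
    # Defensive: the base handler at priority 5 should already have set this.
    if ( ! c?$modbus )
        return;

    c$modbus$direction = is_orig ? "request" : "response";
    c$modbus$unit_id   = headers$uid;
    }
```

Because nothing under base/ is touched, the script can be packaged for zkg as-is, and a Zeek upgrade that changes the stock Modbus script does not clobber it. With `disable_base_log` left at F the enriched columns simply appear at the end of the usual modbus.log; set it to T only when another script is producing the log you actually want.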
