cisagov / icsnpp-modbus
Zeek Modbus Extension Scripts - CISA ICSNPP
License: BSD 3-Clause "New" or "Revised" License
Merge requests and responses into a single line (most effort) or just add Modbus Transaction ID to outputs (less effort)
Amazing script guys! Anyone that can wrangle zeek scripts is at another level! I love the fact that you are parsing both requests and responses, however it is hard to tell which requests belong to which responses when they are not sequential, which for me is most of the time.
In my perfect world, I would love to see both requests and responses merged into a single line, which would provide more context and cut the size of the modbus_detailed.log file to about 50% of its current size for the same traffic. This would be a bit more coding effort to pull off, but I think it would provide the most value.
Your current output includes:
The problem currently is:
My preferred solution would be to merge requests and responses into a single line with a table format like
However if that is too difficult to do in zeek, or if there is some other reason both requests and responses are needed separately, then simply adding the transaction_id field would be sufficient to address the problems.
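As an added example (not code from the icsnpp-modbus project or from the issue author), here is the pairing logic the request describes in Python: it parses a constructed Zeek-style TSV excerpt modelled on modbus_detailed.log and joins each request to its response by connection uid and Modbus transaction ID, so out-of-order responses still land on the right line and unanswered requests are kept visible. The column names (`transaction_id`, `is_orig`, `func`, `address`, `quantity`, `values`) are assumptions for the sketch, not the plugin's exact schema.

```python
"""Pair Modbus requests with responses by (uid, transaction_id).
The log excerpt below is constructed; its columns are assumed, not the
project's real modbus_detailed.log schema."""
from typing import Dict, List, Optional, Tuple

SAMPLE_LOG = """\
#fields\tts\tuid\ttransaction_id\tis_orig\tfunc\taddress\tquantity\tvalues
1700000000.100\tCabc1\t17\tT\tREAD_HOLDING_REGISTERS\t100\t2\t-
1700000000.101\tCabc1\t18\tT\tREAD_COILS\t0\t8\t-
1700000000.105\tCabc1\t18\tF\tREAD_COILS\t-\t-\t1,0,1,1,0,0,0,1
1700000000.110\tCabc1\t17\tF\tREAD_HOLDING_REGISTERS\t-\t-\t4660,22136
1700000000.200\tCabc1\t19\tT\tWRITE_SINGLE_COIL\t5\t1\t65280
"""

def parse_zeek_tsv(text: str) -> List[Dict[str, str]]:
    """Turn Zeek TSV (with a #fields header) into a list of row dicts."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def _record(req: Dict[str, str], resp: Optional[Dict[str, str]]) -> dict:
    """One merged line: request context plus response data and round trip."""
    return {
        "uid": req["uid"], "transaction_id": req["transaction_id"],
        "func": req["func"], "address": req["address"], "quantity": req["quantity"],
        "values": resp["values"] if resp else "-",
        "rtt_ms": round((float(resp["ts"]) - float(req["ts"])) * 1000, 1) if resp else None,
    }

def merge_transactions(rows: List[Dict[str, str]]) -> List[dict]:
    """Join each request (is_orig=T) to the response (is_orig=F) carrying the
    same uid and transaction_id; responses may arrive in any order.
    Requests that never got a response are emitted last with values '-'."""
    pending: Dict[Tuple[str, str], Dict[str, str]] = {}
    merged: List[dict] = []
    for row in rows:
        key = (row["uid"], row["transaction_id"])
        if row["is_orig"] == "T":
            pending[key] = row
        elif key in pending:
            merged.append(_record(pending.pop(key), row))
    merged.extend(_record(req, None) for req in pending.values())
    return merged

if __name__ == "__main__":
    for line in merge_transactions(parse_zeek_tsv(SAMPLE_LOG)):
        print(line)
```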
Ignore ANALYZER_VIOLATION errors to continue parsing of Modbus traffic.
Steps to reproduce the behavior:
Modbus traffic that has an invalid WRITE_COIL value such as 0x0001 (only two expected values are 0x0000 and 0xFF00).
Modbus logs should continue to log data from the connection, but currently after receiving multiple bad values, the entire connection itself is no longer logged which can lead to good/correct Modbus traffic not being logged.
Because this project/script only extends functionality of Zeek's default Modbus parser and does not control the parser itself, we are unable to modify any code within the Modbus parsing/PAC files themselves. However, adding the following line to main.zeek will ignore these ANALYZER_VIOLATIONS and cause the parser to continue to parse connections as intended even when invalid WRITE_COIL values are sent:
redef DPD::ignore_violations += { Analyzer::ANALYZER_MODBUS };
The Zeek v6.1.0 release has some new Modbus stuff:
The ModBus analyzer's function support was expanded, with new handling of the Encapsulation Interface Transport (function 28) and Diagnostics (function 8) functions. This adds new modbus_encap_interface_transport_{request,response} and modbus_diagnostics_{request,response} events.

The ModBus file record read and write events now provide the full data from the request and response messages as part of the event data.

The full PDU length was added to the ModBusHeader record type passed with all of the ModBus events.
We ought to look at these changes and see if any of them could and/or should be reflected in the various modbus logs being generated by this plugin.