-rw-r--r--bro-script/README6
-rw-r--r--bro-script/pasad-simple.bro46
-rw-r--r--bro-script/pasad-simple.log100
3 files changed, 151 insertions, 1 deletions
diff --git a/bro-script/README b/bro-script/README
index abfe1ad..03d9158 100644
--- a/bro-script/README
+++ b/bro-script/README
@@ -1,4 +1,8 @@
This directory contains a baseline implementation of the package parser
implemented as a Bro script. A .bro file contains a script that can be
executed on a Modbus pcap dump. A .log file contains an example for an
-output file generated by this script.
+output file generated by this script. By convention, the sample log file
+should contain the first 100 lines of a real log file.
+
+Currently, the scripts only handle the read_holding_registers event. Other
+events can handled by simply copying and adapting the existing handlers.
diff --git a/bro-script/pasad-simple.bro b/bro-script/pasad-simple.bro
new file mode 100644
index 0000000..d5f3e10
--- /dev/null
+++ b/bro-script/pasad-simple.bro
@@ -0,0 +1,46 @@
+## Simple implementation that outputs the raw request and response data
+## to a log file.
+## Currently, this only handles the read_holding_registers event. Other
+## events can be handled similarily. This implementation assumes that
+## requests and responses are exchanged within the same connection. I am not
+## sure whether this really holds.
+
+module Pasad;
+
+export {
+ redef enum Log::ID += { LOG };
+
+ type Info: record {
+ ts_request: time &log;
+ ts_response: time &log &optional;
+ rtype: string &log;
+ tid_request: count &log;
+ tid_response: count &log &optional;
+ start_adress: count &log;
+ quantity: count &log;
+ registers: ModbusRegisters &log &optional;
+ };
+}
+
+redef record connection += {
+ pasad: Info &optional;
+};
+
+event bro_init() &priority=5
+ {
+ Log::create_stream(Pasad::LOG, [$columns=Info, $path="pasad"]);
+ }
+
+event modbus_read_holding_registers_request(c: connection, headers: ModbusHeaders, start_adress: count, quantity: count)
+ {
+ local rec: Info = [$ts_request=network_time(), $rtype="holding", $tid_request=headers$tid, $start_adress=start_adress, $quantity=quantity];
+ c$pasad = rec;
+ }
+
+event modbus_read_holding_registers_response(c: connection, headers: ModbusHeaders, registers: ModbusRegisters)
+ {
+ c$pasad$tid_response = headers$tid;
+ c$pasad$ts_response = network_time();
+ c$pasad$registers = registers;
+ Log::write(Pasad::LOG, c$pasad);
+ }
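Review bot: The response handler dereferences `c$pasad` (line 71 onward) without checking that the &optional field is set, so a response whose request was not observed on the same connection — for example a capture that starts mid-stream — raises a Bro runtime error instead of being skipped; add `if ( ! c?$pasad ) return;` as the handler's first statement. Since the header comment itself doubts that request and response always share a connection, it is also worth comparing `headers$tid` against `c$pasad$tid_request` before the Log::write so mismatched pairs are visible rather than silently merged. Note too that the request handler overwrites any record already in `c$pasad`, so with more than one transaction in flight on a connection the earlier request is dropped without being logged; whether that happens in this traffic cannot be told from the sample, where every logged pair has equal tids. The misspelling `start_adress` in the record field, parameter and log column is a minor style point worth fixing before the column name becomes a downstream dependency.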
diff --git a/bro-script/pasad-simple.log b/bro-script/pasad-simple.log
new file mode 100644
index 0000000..e7979e5
--- /dev/null
+++ b/bro-script/pasad-simple.log
@@ -0,0 +1,100 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path pasad
+#open 2017-09-25-20-54-23
+#fields ts_request ts_response rtype tid_request tid_response start_adress quantity registers
+#types time time string count count count count vector[count]
+1480337775.934099 1480337775.971379 holding 2538 2538 80 8 48979,7282,15636,9709,48404,9709,16943,32237
+1480337776.128206 1480337776.131736 holding 2547 2547 60 12 17173,45657,49927,27307,17146,46421,17120,57951,17107,22452,16795,13653
+1480337776.103192 1480337776.132496 holding 2542 2542 0 3 244,32776,9728
+1480337776.123186 1480337776.146508 holding 2546 2546 68 6 0,0,0,0,0,0
+1480337776.113180 1480337776.156409 holding 2544 2544 50 6 2016,11,28,13,56,15
+1480337776.134962 1480337776.158094 holding 2548 2548 40 6 7,0,32768,0,0,0
+1480337776.144883 1480337776.171089 holding 2549 2549 50 6 2016,11,28,13,56,15
+1480337776.118196 1480337776.171376 holding 2545 2545 40 7 120,1,0,0,0,0,0
+1480337776.096762 1480337776.172857 holding 41583 41583 0 10 31840,27348,32541,6170,26,12311,0,0,0,0
+1480337776.169475 1480337776.180976 holding 2554 2554 68 8 17000,0,17012,0,17008,0,15948,52429
+1480337776.174899 1480337776.185110 holding 2555 2555 68 10 17052,0,17048,0,17046,0,17042,0,16256,0
+1480337776.108212 1480337776.195739 holding 2543 2543 50 6 2016,11,28,13,56,14
+1480337776.149574 1480337776.206115 holding 2550 2550 40 7 263,0,0,0,0,0,0
+1480337776.195190 1480337776.220473 holding 2559 2559 70 6 2016,11,28,13,56,14
+1480337776.205354 1480337776.231626 holding 2561 2561 60 8 0,0,17267,15019,17074,38533,16827,2427
+1480337776.204301 1480337776.235686 holding 2560 2560 60 12 0,0,16240,0,16707,0,16960,16081,17041,62199,16849,47332
+1480337776.215341 1480337776.238091 holding 2563 2563 80 6 16867,48545,48720,38836,48770,24273
+1480337776.225171 1480337776.250126 holding 2565 2565 50 6 2016,11,28,13,56,15
+1480337776.230277 1480337776.252068 holding 2566 2566 60 8 16975,56798,17027,50517,16984,13350,16621,63109
+1480337776.178152 1480337776.252858 holding 41584 41584 58 10 16956,45056,16814,4096,16986,49152,17180,41984,0,0
+1480337776.210249 1480337776.264273 holding 2562 2562 68 8 0,0,0,0,0,0,0,0
+1480337776.235274 1480337776.277239 holding 2567 2567 50 6 2016,11,28,13,56,15
+1480337776.244236 1480337776.286747 holding 41588 41588 50 3 49152,0,0
+1480337776.239724 1480337776.305137 holding 41587 41587 50 3 1,0,0
+1480337776.280346 1480337776.312383 holding 2576 2576 80 6 16993,3098,16907,56957,17147,63329
+1480337776.290526 1480337776.315494 holding 2578 2578 68 8 0,0,0,0,0,0,0,0
+1480337776.285222 1480337776.315673 holding 2577 2577 72 8 16960,0,16952,0,17038,0,17042,0
+1480337776.299070 1480337776.324822 holding 41590 41590 60 6 2016,11,28,13,56,14
+1480337776.259216 1480337776.332727 holding 41585 41585 10 8 0,0,32,2048,0,3,0,0
+1480337776.295410 1480337776.334351 holding 2579 2579 80 8 0,0,0,0,0,0,0,0
+1480337776.315670 1480337776.344274 holding 2583 2583 68 8 0,0,0,0,0,0,0,0
+1480337776.310646 1480337776.345388 holding 2582 2582 60 8 0,0,48941,21845,16969,33071,16825,27307
+1480337776.308173 1480337776.351504 holding 41589 41589 60 6 2016,11,28,13,56,15
+1480337776.328087 1480337776.352746 holding 41592 41592 70 10 16539,13107,16616,41943,17329,983,17099,34079,16720,41943
+1480337776.320477 1480337776.360244 holding 2584 2584 68 8 0,0,0,0,0,0,0,0
+1480337776.355648 1480337776.379496 holding 2591 2591 86 8 0,0,0,0,16874,26215,0,0
+1480337776.357170 1480337776.389772 holding 41593 41593 80 16 17043,14418,16326,26214,16504,62915,16151,2621,16675,56099,18436,5504,16918,4821,16582,26214
+1480337776.381033 1480337776.403105 holding 2596 2596 68 6 0,0,0,0,0,0
+1480337776.363053 1480337776.407348 holding 41591 41591 94 6 17035,64717,16796,27610,17031,14131
+1480337776.365324 1480337776.416503 holding 2593 2593 80 4 15597,2427,15873,12136
+1480337776.340063 1480337776.423765 holding 41586 41586 38 10 16950,4096,16900,32768,16798,8192,16608,0,16992,0
+1480337776.385390 1480337776.431254 holding 2597 2597 80 8 0,0,0,0,0,0,17095,27610
+1480337776.476201 1480337776.506120 holding 2606 2606 80 6 48592,0,48573,41263,48526,14564
+1480337776.506298 1480337776.518276 holding 2612 2612 40 6 1799,13431,32,2615,1591,1591
+1480337776.496191 1480337776.518469 holding 2610 2610 40 6 1031,0,32768,3,1,2
+1480337776.495616 1480337776.519869 holding 41595 41595 40 9 0,0,0,0,0,0,0,0,30
+1480337776.511294 1480337776.522899 holding 2613 2613 40 7 527,12543,0,563,1591,563,0
+1480337776.491221 1480337776.527134 holding 2609 2609 40 7 775,0,0,0,0,0,0
+1480337776.501350 1480337776.540895 holding 2611 2611 40 7 783,0,0,0,0,0,0
+1480337776.516193 1480337776.546865 holding 2614 2614 40 6 259,0,32768,0,0,0
+1480337776.554304 1480337776.579100 holding 2620 2620 40 6 263,0,32768,0,0,0
+1480337776.490946 1480337776.590021 holding 41594 41594 18 10 0,0,0,0,48669,28832,16167,8912,16164,48234
+1480337776.522267 1480337776.591382 holding 2615 2615 40 7 2063,0,32768,0,0,0,0
+1480337776.585015 1480337776.599260 holding 2626 2626 80 6 0,0,16784,0,16731,13107
+1480337776.589372 1480337776.599983 holding 2627 2627 80 8 0,0,17086,39322,0,0,0,0
+1480337776.574281 1480337776.606989 holding 2624 2624 50 6 2016,11,28,13,56,15
+1480337776.579367 1480337776.624210 holding 2625 2625 50 6 2016,11,28,13,56,15
+1480337776.599256 1480337776.635603 holding 2629 2629 40 7 3855,13567,192,1591,2615,2615,1591
+1480337776.609257 1480337776.643349 holding 2631 2631 40 6 7,0,0,0,0,0
+1480337776.604267 1480337776.649367 holding 2628 2628 50 6 2016,11,28,13,56,15
+1480337776.629206 1480337776.659118 holding 2635 2635 60 8 17056,37046,17260,57344,17029,48393,16890,15170
+1480337776.624205 1480337776.661266 holding 2634 2634 80 8 15696,38836,15568,38836,15568,38836,0,0
+1480337776.635896 1480337776.663986 holding 2636 2636 60 8 17151,13232,17213,31043,17068,41112,16708,64929
+1480337776.598093 1480337776.672871 holding 41596 41596 28 10 16071,19398,16346,45875,16946,16384,16959,8192,16913,20480
+1480337776.649253 1480337776.676361 holding 2639 2639 40 7 3087,0,32768,0,0,0,0
+1480337776.654236 1480337776.677240 holding 2640 2640 50 6 2016,11,28,13,56,15
+1480337776.645288 1480337776.682747 holding 2638 2638 80 10 16384,0,16501,49807,0,0,0,0,16648,62914
+1480337776.660501 1480337776.698573 holding 2637 2637 60 8 17177,9421,17125,51883,17102,31554,16655,64322
+1480337776.671138 1480337776.701126 holding 2642 2642 68 8 0,0,0,0,0,0,0,0
+1480337776.684320 1480337776.706498 holding 2644 2644 60 8 17048,38426,48720,0,16986,11226,16895,6068
+1480337776.713660 1480337776.735618 holding 2647 2647 80 6 48561,50972,48365,2427,48621,2427
+1480337776.704169 1480337776.740641 holding 2643 2643 68 8 0,0,0,0,0,0,0,0
+1480337776.713186 1480337776.743142 holding 2645 2645 80 8 15597,2427,15597,2427,15597,2427,15597,2427
+1480337776.679076 1480337776.753232 holding 41597 41597 48 10 16720,0,16965,53248,16959,16384,16964,4096,16822,20480
+1480337776.746150 1480337776.781571 holding 2646 2646 80 8 15568,38836,15568,38836,0,0,0,0
+1480337776.875195 1480337776.912519 holding 2649 2649 0 3 244,40,9728
+1480337776.910345 1480337776.913669 holding 2656 2656 40 7 7,0,32768,0,0,0,0
+1480337776.880212 1480337776.915602 holding 2650 2650 50 6 2016,11,28,13,56,15
+1480337776.895199 1480337776.917131 holding 2653 2653 50 6 2016,11,28,13,56,15
+1480337776.870194 1480337776.922039 holding 2648 2648 68 8 0,0,0,0,0,0,0,0
+1480337776.890215 1480337776.930400 holding 2652 2652 50 6 2016,11,28,13,56,16
+1480337776.900279 1480337776.931123 holding 2654 2654 40 7 259,0,32768,0,0,0,0
+1480337776.885172 1480337776.936397 holding 2651 2651 50 6 2016,11,28,13,56,15
+1480337776.925970 1480337776.947376 holding 2659 2659 70 6 2016,11,28,13,56,15
+1480337776.905320 1480337776.956106 holding 2655 2655 40 7 263,0,32768,0,0,0,0
+1480337776.954233 1480337776.958002 holding 2664 2664 50 6 2016,11,28,13,56,15
+1480337776.940206 1480337776.965516 holding 2660 2660 60 8 0,0,17266,17977,17074,46118,16827,40353
+1480337776.925370 1480337776.967032 holding 2658 2658 80 8 15568,38836,0,0,0,0,0,0
+1480337776.944478 1480337776.967249 holding 2662 2662 60 8 17058,3234,17105,17749,16954,7282,16772,26700
+1480337776.935247 1480337776.974263 holding 2661 2661 60 8 0,0,17070,10923,17035,27762,16703,46118
+1480337776.915597 1480337776.975377 holding 2657 2657 40 7 2063,0,32768,0,0,0,0
+1480337776.976604 1480337776.979823 holding 2668 2668 60 12 17173,48796,49926,54917,17146,46421,17120,50366,17107,7282,16795,43994