-rw-r--r-- | bro-script/README | 6 | ||||
-rw-r--r-- | bro-script/pasad-simple.bro | 46 | ||||
-rw-r--r-- | bro-script/pasad-simple.log | 100 |
3 files changed, 151 insertions, 1 deletions
diff --git a/bro-script/README b/bro-script/README
index abfe1ad..03d9158 100644
--- a/bro-script/README
+++ b/bro-script/README
@@ -1,4 +1,8 @@
 This directory contains a baseline implementation of the package parser implemented as a Bro script. A .bro file contains a script that can be executed on a Modbus pcap dump. A .log file contains an example for an
-output file generated by this script.
+output file generated by this script. By convention, the sample log file
+should contain the first 100 lines of a real log file.
+
+Currently, the scripts only handle the read_holding_registers event. Other
+events can handled by simply copying and adapting the existing handlers.
diff --git a/bro-script/pasad-simple.bro b/bro-script/pasad-simple.bro
new file mode 100644
index 0000000..d5f3e10
--- /dev/null
+++ b/bro-script/pasad-simple.bro
@@ -0,0 +1,46 @@
+## Simple implementation that outputs the raw request and response data
+## to a log file.
+## Currently, this only handles the read_holding_registers event. Other
+## events can be handled similarily. This implementation assumes that
+## requests and responses are exchanged within the same connection. I am not
+## sure whether this really holds.
+
+module Pasad;
+
+export {
+ redef enum Log::ID += { LOG };
+
+ type Info: record {
+ ts_request: time &log;
+ ts_response: time &log &optional;
+ rtype: string &log;
+ tid_request: count &log;
+ tid_response: count &log &optional;
+ start_adress: count &log;
+ quantity: count &log;
+ registers: ModbusRegisters &log &optional;
+ };
+}
+
+redef record connection += {
+ pasad: Info &optional;
+};
+
+event bro_init() &priority=5
+ {
+ Log::create_stream(Pasad::LOG, [$columns=Info, $path="pasad"]);
+ }
+
+event modbus_read_holding_registers_request(c: connection, headers: ModbusHeaders, start_adress: count, quantity: count)
+ {
+ local rec: Info = [$ts_request=network_time(), $rtype="holding", $tid_request=headers$tid, $start_adress=start_adress, $quantity=quantity];
+ c$pasad = rec;
+ }
+
+event modbus_read_holding_registers_response(c: connection, headers: ModbusHeaders, registers: ModbusRegisters)
+ {
+ c$pasad$tid_response = headers$tid;
+ c$pasad$ts_response = network_time();
+ c$pasad$registers = registers;
+ Log::write(Pasad::LOG, c$pasad);
+ }
diff --git a/bro-script/pasad-simple.log b/bro-script/pasad-simple.log
new file mode 100644
index 0000000..e7979e5
--- /dev/null
+++ b/bro-script/pasad-simple.log
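Review bot: `modbus_read_holding_registers_response` writes through `c$pasad` without first testing that the optional field is set, so a response with no recorded request on that connection (capture started mid-transaction, a request type this script does not handle, or an unsolicited response from the device) raises a missing-field runtime error in the handler instead of being skipped. The record is also never cleared after `Log::write`, so a second response on the same connection re-logs the stale request fields under a new response timestamp, and since only one request is kept per connection a pipelined request overwrites the previous one before its response arrives — the logged `tid_request`/`tid_response` pair is the only place that mismatch becomes visible, so a check that `headers$tid` equals `c$pasad$tid_request` would make the pairing explicit rather than silent. I would guard the handler and clear the pending record as below. Separately, the comment typo `similarily` → `similarly` and the field name `start_adress` (misspelt, and it becomes the log column name) are cheaper to fix now than after consumers depend on the log schema.
```bro
event modbus_read_holding_registers_response(c: connection, headers: ModbusHeaders, registers: ModbusRegisters)
	{
	# No pending request on this connection: nothing to pair the response with.
	if ( ! c?$pasad )
		return;
	c$pasad$tid_response = headers$tid;
	c$pasad$ts_response = network_time();
	c$pasad$registers = registers;
	Log::write(Pasad::LOG, c$pasad);
	# Clear the pending request so a later response cannot re-log it.
	delete c$pasad;
	}
```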
@@ -0,0 +1,100 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path pasad +#open 2017-09-25-20-54-23 +#fields ts_request ts_response rtype tid_request tid_response start_adress quantity registers +#types time time string count count count count vector[count] +1480337775.934099 1480337775.971379 holding 2538 2538 80 8 48979,7282,15636,9709,48404,9709,16943,32237 +1480337776.128206 1480337776.131736 holding 2547 2547 60 12 17173,45657,49927,27307,17146,46421,17120,57951,17107,22452,16795,13653 +1480337776.103192 1480337776.132496 holding 2542 2542 0 3 244,32776,9728 +1480337776.123186 1480337776.146508 holding 2546 2546 68 6 0,0,0,0,0,0 +1480337776.113180 1480337776.156409 holding 2544 2544 50 6 2016,11,28,13,56,15 +1480337776.134962 1480337776.158094 holding 2548 2548 40 6 7,0,32768,0,0,0 +1480337776.144883 1480337776.171089 holding 2549 2549 50 6 2016,11,28,13,56,15 +1480337776.118196 1480337776.171376 holding 2545 2545 40 7 120,1,0,0,0,0,0 +1480337776.096762 1480337776.172857 holding 41583 41583 0 10 31840,27348,32541,6170,26,12311,0,0,0,0 +1480337776.169475 1480337776.180976 holding 2554 2554 68 8 17000,0,17012,0,17008,0,15948,52429 +1480337776.174899 1480337776.185110 holding 2555 2555 68 10 17052,0,17048,0,17046,0,17042,0,16256,0 +1480337776.108212 1480337776.195739 holding 2543 2543 50 6 2016,11,28,13,56,14 +1480337776.149574 1480337776.206115 holding 2550 2550 40 7 263,0,0,0,0,0,0 +1480337776.195190 1480337776.220473 holding 2559 2559 70 6 2016,11,28,13,56,14 +1480337776.205354 1480337776.231626 holding 2561 2561 60 8 0,0,17267,15019,17074,38533,16827,2427 +1480337776.204301 1480337776.235686 holding 2560 2560 60 12 0,0,16240,0,16707,0,16960,16081,17041,62199,16849,47332 +1480337776.215341 1480337776.238091 holding 2563 2563 80 6 16867,48545,48720,38836,48770,24273 +1480337776.225171 1480337776.250126 holding 2565 2565 50 6 2016,11,28,13,56,15 +1480337776.230277 1480337776.252068 holding 2566 2566 60 8 
16975,56798,17027,50517,16984,13350,16621,63109 +1480337776.178152 1480337776.252858 holding 41584 41584 58 10 16956,45056,16814,4096,16986,49152,17180,41984,0,0 +1480337776.210249 1480337776.264273 holding 2562 2562 68 8 0,0,0,0,0,0,0,0 +1480337776.235274 1480337776.277239 holding 2567 2567 50 6 2016,11,28,13,56,15 +1480337776.244236 1480337776.286747 holding 41588 41588 50 3 49152,0,0 +1480337776.239724 1480337776.305137 holding 41587 41587 50 3 1,0,0 +1480337776.280346 1480337776.312383 holding 2576 2576 80 6 16993,3098,16907,56957,17147,63329 +1480337776.290526 1480337776.315494 holding 2578 2578 68 8 0,0,0,0,0,0,0,0 +1480337776.285222 1480337776.315673 holding 2577 2577 72 8 16960,0,16952,0,17038,0,17042,0 +1480337776.299070 1480337776.324822 holding 41590 41590 60 6 2016,11,28,13,56,14 +1480337776.259216 1480337776.332727 holding 41585 41585 10 8 0,0,32,2048,0,3,0,0 +1480337776.295410 1480337776.334351 holding 2579 2579 80 8 0,0,0,0,0,0,0,0 +1480337776.315670 1480337776.344274 holding 2583 2583 68 8 0,0,0,0,0,0,0,0 +1480337776.310646 1480337776.345388 holding 2582 2582 60 8 0,0,48941,21845,16969,33071,16825,27307 +1480337776.308173 1480337776.351504 holding 41589 41589 60 6 2016,11,28,13,56,15 +1480337776.328087 1480337776.352746 holding 41592 41592 70 10 16539,13107,16616,41943,17329,983,17099,34079,16720,41943 +1480337776.320477 1480337776.360244 holding 2584 2584 68 8 0,0,0,0,0,0,0,0 +1480337776.355648 1480337776.379496 holding 2591 2591 86 8 0,0,0,0,16874,26215,0,0 +1480337776.357170 1480337776.389772 holding 41593 41593 80 16 17043,14418,16326,26214,16504,62915,16151,2621,16675,56099,18436,5504,16918,4821,16582,26214 +1480337776.381033 1480337776.403105 holding 2596 2596 68 6 0,0,0,0,0,0 +1480337776.363053 1480337776.407348 holding 41591 41591 94 6 17035,64717,16796,27610,17031,14131 +1480337776.365324 1480337776.416503 holding 2593 2593 80 4 15597,2427,15873,12136 +1480337776.340063 1480337776.423765 holding 41586 41586 38 10 
16950,4096,16900,32768,16798,8192,16608,0,16992,0 +1480337776.385390 1480337776.431254 holding 2597 2597 80 8 0,0,0,0,0,0,17095,27610 +1480337776.476201 1480337776.506120 holding 2606 2606 80 6 48592,0,48573,41263,48526,14564 +1480337776.506298 1480337776.518276 holding 2612 2612 40 6 1799,13431,32,2615,1591,1591 +1480337776.496191 1480337776.518469 holding 2610 2610 40 6 1031,0,32768,3,1,2 +1480337776.495616 1480337776.519869 holding 41595 41595 40 9 0,0,0,0,0,0,0,0,30 +1480337776.511294 1480337776.522899 holding 2613 2613 40 7 527,12543,0,563,1591,563,0 +1480337776.491221 1480337776.527134 holding 2609 2609 40 7 775,0,0,0,0,0,0 +1480337776.501350 1480337776.540895 holding 2611 2611 40 7 783,0,0,0,0,0,0 +1480337776.516193 1480337776.546865 holding 2614 2614 40 6 259,0,32768,0,0,0 +1480337776.554304 1480337776.579100 holding 2620 2620 40 6 263,0,32768,0,0,0 +1480337776.490946 1480337776.590021 holding 41594 41594 18 10 0,0,0,0,48669,28832,16167,8912,16164,48234 +1480337776.522267 1480337776.591382 holding 2615 2615 40 7 2063,0,32768,0,0,0,0 +1480337776.585015 1480337776.599260 holding 2626 2626 80 6 0,0,16784,0,16731,13107 +1480337776.589372 1480337776.599983 holding 2627 2627 80 8 0,0,17086,39322,0,0,0,0 +1480337776.574281 1480337776.606989 holding 2624 2624 50 6 2016,11,28,13,56,15 +1480337776.579367 1480337776.624210 holding 2625 2625 50 6 2016,11,28,13,56,15 +1480337776.599256 1480337776.635603 holding 2629 2629 40 7 3855,13567,192,1591,2615,2615,1591 +1480337776.609257 1480337776.643349 holding 2631 2631 40 6 7,0,0,0,0,0 +1480337776.604267 1480337776.649367 holding 2628 2628 50 6 2016,11,28,13,56,15 +1480337776.629206 1480337776.659118 holding 2635 2635 60 8 17056,37046,17260,57344,17029,48393,16890,15170 +1480337776.624205 1480337776.661266 holding 2634 2634 80 8 15696,38836,15568,38836,15568,38836,0,0 +1480337776.635896 1480337776.663986 holding 2636 2636 60 8 17151,13232,17213,31043,17068,41112,16708,64929 +1480337776.598093 1480337776.672871 holding 41596 
41596 28 10 16071,19398,16346,45875,16946,16384,16959,8192,16913,20480 +1480337776.649253 1480337776.676361 holding 2639 2639 40 7 3087,0,32768,0,0,0,0 +1480337776.654236 1480337776.677240 holding 2640 2640 50 6 2016,11,28,13,56,15 +1480337776.645288 1480337776.682747 holding 2638 2638 80 10 16384,0,16501,49807,0,0,0,0,16648,62914 +1480337776.660501 1480337776.698573 holding 2637 2637 60 8 17177,9421,17125,51883,17102,31554,16655,64322 +1480337776.671138 1480337776.701126 holding 2642 2642 68 8 0,0,0,0,0,0,0,0 +1480337776.684320 1480337776.706498 holding 2644 2644 60 8 17048,38426,48720,0,16986,11226,16895,6068 +1480337776.713660 1480337776.735618 holding 2647 2647 80 6 48561,50972,48365,2427,48621,2427 +1480337776.704169 1480337776.740641 holding 2643 2643 68 8 0,0,0,0,0,0,0,0 +1480337776.713186 1480337776.743142 holding 2645 2645 80 8 15597,2427,15597,2427,15597,2427,15597,2427 +1480337776.679076 1480337776.753232 holding 41597 41597 48 10 16720,0,16965,53248,16959,16384,16964,4096,16822,20480 +1480337776.746150 1480337776.781571 holding 2646 2646 80 8 15568,38836,15568,38836,0,0,0,0 +1480337776.875195 1480337776.912519 holding 2649 2649 0 3 244,40,9728 +1480337776.910345 1480337776.913669 holding 2656 2656 40 7 7,0,32768,0,0,0,0 +1480337776.880212 1480337776.915602 holding 2650 2650 50 6 2016,11,28,13,56,15 +1480337776.895199 1480337776.917131 holding 2653 2653 50 6 2016,11,28,13,56,15 +1480337776.870194 1480337776.922039 holding 2648 2648 68 8 0,0,0,0,0,0,0,0 +1480337776.890215 1480337776.930400 holding 2652 2652 50 6 2016,11,28,13,56,16 +1480337776.900279 1480337776.931123 holding 2654 2654 40 7 259,0,32768,0,0,0,0 +1480337776.885172 1480337776.936397 holding 2651 2651 50 6 2016,11,28,13,56,15 +1480337776.925970 1480337776.947376 holding 2659 2659 70 6 2016,11,28,13,56,15 +1480337776.905320 1480337776.956106 holding 2655 2655 40 7 263,0,32768,0,0,0,0 +1480337776.954233 1480337776.958002 holding 2664 2664 50 6 2016,11,28,13,56,15 +1480337776.940206 
1480337776.965516 holding 2660 2660 60 8 0,0,17266,17977,17074,46118,16827,40353 +1480337776.925370 1480337776.967032 holding 2658 2658 80 8 15568,38836,0,0,0,0,0,0 +1480337776.944478 1480337776.967249 holding 2662 2662 60 8 17058,3234,17105,17749,16954,7282,16772,26700 +1480337776.935247 1480337776.974263 holding 2661 2661 60 8 0,0,17070,10923,17035,27762,16703,46118 +1480337776.915597 1480337776.975377 holding 2657 2657 40 7 2063,0,32768,0,0,0,0 +1480337776.976604 1480337776.979823 holding 2668 2668 60 12 17173,48796,49926,54917,17146,46421,17120,50366,17107,7282,16795,43994 |