| -rw-r--r-- | bro-script/README | 6 | ||||
| -rw-r--r-- | bro-script/pasad-simple.bro | 46 | ||||
| -rw-r--r-- | bro-script/pasad-simple.log | 100 | 
3 files changed, 151 insertions, 1 deletions
|
diff --git a/bro-script/README b/bro-script/README
index abfe1ad..03d9158 100644
--- a/bro-script/README
+++ b/bro-script/README
@@ -1,4 +1,8 @@
 This directory contains a baseline implementation of the package parser
 implemented as a Bro script.  A .bro file contains a script that can be
 executed on a Modbus pcap dump.  A .log file contains an example for an
-output file generated by this script.
+output file generated by this script.  By convention, the sample log file
+should contain the first 100 lines of a real log file.
+
+Currently, the scripts only handle the read_holding_registers event.  Other
+events can handled by simply copying and adapting the existing handlers.
diff --git a/bro-script/pasad-simple.bro b/bro-script/pasad-simple.bro
new file mode 100644
index 0000000..d5f3e10
--- /dev/null
+++ b/bro-script/pasad-simple.bro
@@ -0,0 +1,46 @@
+## Simple implementation that outputs the raw request and response data 
+## to a log file.
+## Currently, this only handles the read_holding_registers event.  Other
+## events can be handled similarily.  This implementation assumes that
+## requests and responses are exchanged within the same connection.  I am not
+## sure whether this really holds.
+
+module Pasad;
+
+export {
+	redef enum Log::ID += { LOG };
+
+	type Info: record {
+		ts_request:	time	&log;
+		ts_response:	time	&log &optional;
+		rtype: 		string	&log;
+		tid_request:	count	&log;
+		tid_response:	count	&log &optional;
+		start_adress:	count	&log;
+		quantity:	count	&log;
+		registers:	ModbusRegisters &log &optional;
+	};
+}
+
+redef record connection += {
+	pasad: Info &optional;
+};
+
+event bro_init() &priority=5
+	{
+	Log::create_stream(Pasad::LOG, [$columns=Info, $path="pasad"]);
+	}
+
+event modbus_read_holding_registers_request(c: connection, headers: ModbusHeaders, start_adress: count, quantity: count)
+	{
+	local rec: Info = [$ts_request=network_time(), $rtype="holding", $tid_request=headers$tid, $start_adress=start_adress, $quantity=quantity];
+	c$pasad = rec;
+	}
+
+event modbus_read_holding_registers_response(c: connection, headers: ModbusHeaders, registers: ModbusRegisters)
+	{
+		c$pasad$tid_response = headers$tid;
+		c$pasad$ts_response = network_time();
+		c$pasad$registers = registers;
+		Log::write(Pasad::LOG, c$pasad);
+	}
diff --git a/bro-script/pasad-simple.log b/bro-script/pasad-simple.log
new file mode 100644
index 0000000..e7979e5
--- /dev/null
+++ b/bro-script/pasad-simple.log
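Review bot: `modbus_read_holding_registers_response` dereferences `c$pasad` without checking that the request handler ever set it; a response observed without a preceding request on the same connection (a capture that starts mid-exchange, or the cross-connection case the header comment already marks as uncertain) touches an unset `&optional` field, so the handler aborts with a runtime error instead of logging. Guard it with `if ( ! c?$pasad ) return;` as the first statement of the handler. The request handler also overwrites `c$pasad` unconditionally, so with more than one request in flight on a connection a response is paired with the most recent request rather than its own; comparing `headers$tid` with `c$pasad$tid_request` before `Log::write` would at least make such mismatches visible in the log rather than silently recording wrong start_adress/quantity values. Finally, `delete c$pasad;` after the write keeps a later unmatched response from re-logging stale request data.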
@@ -0,0 +1,100 @@ +#separator \x09 +#set_separator	, +#empty_field	(empty) +#unset_field	- +#path	pasad +#open	2017-09-25-20-54-23 +#fields	ts_request	ts_response	rtype	tid_request	tid_response	start_adress	quantity	registers +#types	time	time	string	count	count	count	count	vector[count] +1480337775.934099	1480337775.971379	holding	2538	2538	80	8	48979,7282,15636,9709,48404,9709,16943,32237 +1480337776.128206	1480337776.131736	holding	2547	2547	60	12	17173,45657,49927,27307,17146,46421,17120,57951,17107,22452,16795,13653 +1480337776.103192	1480337776.132496	holding	2542	2542	0	3	244,32776,9728 +1480337776.123186	1480337776.146508	holding	2546	2546	68	6	0,0,0,0,0,0 +1480337776.113180	1480337776.156409	holding	2544	2544	50	6	2016,11,28,13,56,15 +1480337776.134962	1480337776.158094	holding	2548	2548	40	6	7,0,32768,0,0,0 +1480337776.144883	1480337776.171089	holding	2549	2549	50	6	2016,11,28,13,56,15 +1480337776.118196	1480337776.171376	holding	2545	2545	40	7	120,1,0,0,0,0,0 +1480337776.096762	1480337776.172857	holding	41583	41583	0	10	31840,27348,32541,6170,26,12311,0,0,0,0 +1480337776.169475	1480337776.180976	holding	2554	2554	68	8	17000,0,17012,0,17008,0,15948,52429 +1480337776.174899	1480337776.185110	holding	2555	2555	68	10	17052,0,17048,0,17046,0,17042,0,16256,0 +1480337776.108212	1480337776.195739	holding	2543	2543	50	6	2016,11,28,13,56,14 +1480337776.149574	1480337776.206115	holding	2550	2550	40	7	263,0,0,0,0,0,0 +1480337776.195190	1480337776.220473	holding	2559	2559	70	6	2016,11,28,13,56,14 +1480337776.205354	1480337776.231626	holding	2561	2561	60	8	0,0,17267,15019,17074,38533,16827,2427 +1480337776.204301	1480337776.235686	holding	2560	2560	60	12	0,0,16240,0,16707,0,16960,16081,17041,62199,16849,47332 +1480337776.215341	1480337776.238091	holding	2563	2563	80	6	16867,48545,48720,38836,48770,24273 +1480337776.225171	1480337776.250126	holding	2565	2565	50	6	2016,11,28,13,56,15 +1480337776.230277	1480337776.252068	holding	2566	2566	60	8	
16975,56798,17027,50517,16984,13350,16621,63109 +1480337776.178152	1480337776.252858	holding	41584	41584	58	10	16956,45056,16814,4096,16986,49152,17180,41984,0,0 +1480337776.210249	1480337776.264273	holding	2562	2562	68	8	0,0,0,0,0,0,0,0 +1480337776.235274	1480337776.277239	holding	2567	2567	50	6	2016,11,28,13,56,15 +1480337776.244236	1480337776.286747	holding	41588	41588	50	3	49152,0,0 +1480337776.239724	1480337776.305137	holding	41587	41587	50	3	1,0,0 +1480337776.280346	1480337776.312383	holding	2576	2576	80	6	16993,3098,16907,56957,17147,63329 +1480337776.290526	1480337776.315494	holding	2578	2578	68	8	0,0,0,0,0,0,0,0 +1480337776.285222	1480337776.315673	holding	2577	2577	72	8	16960,0,16952,0,17038,0,17042,0 +1480337776.299070	1480337776.324822	holding	41590	41590	60	6	2016,11,28,13,56,14 +1480337776.259216	1480337776.332727	holding	41585	41585	10	8	0,0,32,2048,0,3,0,0 +1480337776.295410	1480337776.334351	holding	2579	2579	80	8	0,0,0,0,0,0,0,0 +1480337776.315670	1480337776.344274	holding	2583	2583	68	8	0,0,0,0,0,0,0,0 +1480337776.310646	1480337776.345388	holding	2582	2582	60	8	0,0,48941,21845,16969,33071,16825,27307 +1480337776.308173	1480337776.351504	holding	41589	41589	60	6	2016,11,28,13,56,15 +1480337776.328087	1480337776.352746	holding	41592	41592	70	10	16539,13107,16616,41943,17329,983,17099,34079,16720,41943 +1480337776.320477	1480337776.360244	holding	2584	2584	68	8	0,0,0,0,0,0,0,0 +1480337776.355648	1480337776.379496	holding	2591	2591	86	8	0,0,0,0,16874,26215,0,0 +1480337776.357170	1480337776.389772	holding	41593	41593	80	16	17043,14418,16326,26214,16504,62915,16151,2621,16675,56099,18436,5504,16918,4821,16582,26214 +1480337776.381033	1480337776.403105	holding	2596	2596	68	6	0,0,0,0,0,0 +1480337776.363053	1480337776.407348	holding	41591	41591	94	6	17035,64717,16796,27610,17031,14131 +1480337776.365324	1480337776.416503	holding	2593	2593	80	4	15597,2427,15873,12136 +1480337776.340063	1480337776.423765	holding	41586	41586	38	10	
16950,4096,16900,32768,16798,8192,16608,0,16992,0 +1480337776.385390	1480337776.431254	holding	2597	2597	80	8	0,0,0,0,0,0,17095,27610 +1480337776.476201	1480337776.506120	holding	2606	2606	80	6	48592,0,48573,41263,48526,14564 +1480337776.506298	1480337776.518276	holding	2612	2612	40	6	1799,13431,32,2615,1591,1591 +1480337776.496191	1480337776.518469	holding	2610	2610	40	6	1031,0,32768,3,1,2 +1480337776.495616	1480337776.519869	holding	41595	41595	40	9	0,0,0,0,0,0,0,0,30 +1480337776.511294	1480337776.522899	holding	2613	2613	40	7	527,12543,0,563,1591,563,0 +1480337776.491221	1480337776.527134	holding	2609	2609	40	7	775,0,0,0,0,0,0 +1480337776.501350	1480337776.540895	holding	2611	2611	40	7	783,0,0,0,0,0,0 +1480337776.516193	1480337776.546865	holding	2614	2614	40	6	259,0,32768,0,0,0 +1480337776.554304	1480337776.579100	holding	2620	2620	40	6	263,0,32768,0,0,0 +1480337776.490946	1480337776.590021	holding	41594	41594	18	10	0,0,0,0,48669,28832,16167,8912,16164,48234 +1480337776.522267	1480337776.591382	holding	2615	2615	40	7	2063,0,32768,0,0,0,0 +1480337776.585015	1480337776.599260	holding	2626	2626	80	6	0,0,16784,0,16731,13107 +1480337776.589372	1480337776.599983	holding	2627	2627	80	8	0,0,17086,39322,0,0,0,0 +1480337776.574281	1480337776.606989	holding	2624	2624	50	6	2016,11,28,13,56,15 +1480337776.579367	1480337776.624210	holding	2625	2625	50	6	2016,11,28,13,56,15 +1480337776.599256	1480337776.635603	holding	2629	2629	40	7	3855,13567,192,1591,2615,2615,1591 +1480337776.609257	1480337776.643349	holding	2631	2631	40	6	7,0,0,0,0,0 +1480337776.604267	1480337776.649367	holding	2628	2628	50	6	2016,11,28,13,56,15 +1480337776.629206	1480337776.659118	holding	2635	2635	60	8	17056,37046,17260,57344,17029,48393,16890,15170 +1480337776.624205	1480337776.661266	holding	2634	2634	80	8	15696,38836,15568,38836,15568,38836,0,0 +1480337776.635896	1480337776.663986	holding	2636	2636	60	8	17151,13232,17213,31043,17068,41112,16708,64929 +1480337776.598093	1480337776.672871	holding	41596	
41596	28	10	16071,19398,16346,45875,16946,16384,16959,8192,16913,20480 +1480337776.649253	1480337776.676361	holding	2639	2639	40	7	3087,0,32768,0,0,0,0 +1480337776.654236	1480337776.677240	holding	2640	2640	50	6	2016,11,28,13,56,15 +1480337776.645288	1480337776.682747	holding	2638	2638	80	10	16384,0,16501,49807,0,0,0,0,16648,62914 +1480337776.660501	1480337776.698573	holding	2637	2637	60	8	17177,9421,17125,51883,17102,31554,16655,64322 +1480337776.671138	1480337776.701126	holding	2642	2642	68	8	0,0,0,0,0,0,0,0 +1480337776.684320	1480337776.706498	holding	2644	2644	60	8	17048,38426,48720,0,16986,11226,16895,6068 +1480337776.713660	1480337776.735618	holding	2647	2647	80	6	48561,50972,48365,2427,48621,2427 +1480337776.704169	1480337776.740641	holding	2643	2643	68	8	0,0,0,0,0,0,0,0 +1480337776.713186	1480337776.743142	holding	2645	2645	80	8	15597,2427,15597,2427,15597,2427,15597,2427 +1480337776.679076	1480337776.753232	holding	41597	41597	48	10	16720,0,16965,53248,16959,16384,16964,4096,16822,20480 +1480337776.746150	1480337776.781571	holding	2646	2646	80	8	15568,38836,15568,38836,0,0,0,0 +1480337776.875195	1480337776.912519	holding	2649	2649	0	3	244,40,9728 +1480337776.910345	1480337776.913669	holding	2656	2656	40	7	7,0,32768,0,0,0,0 +1480337776.880212	1480337776.915602	holding	2650	2650	50	6	2016,11,28,13,56,15 +1480337776.895199	1480337776.917131	holding	2653	2653	50	6	2016,11,28,13,56,15 +1480337776.870194	1480337776.922039	holding	2648	2648	68	8	0,0,0,0,0,0,0,0 +1480337776.890215	1480337776.930400	holding	2652	2652	50	6	2016,11,28,13,56,16 +1480337776.900279	1480337776.931123	holding	2654	2654	40	7	259,0,32768,0,0,0,0 +1480337776.885172	1480337776.936397	holding	2651	2651	50	6	2016,11,28,13,56,15 +1480337776.925970	1480337776.947376	holding	2659	2659	70	6	2016,11,28,13,56,15 +1480337776.905320	1480337776.956106	holding	2655	2655	40	7	263,0,32768,0,0,0,0 +1480337776.954233	1480337776.958002	holding	2664	2664	50	6	2016,11,28,13,56,15 +1480337776.940206	
1480337776.965516	holding	2660	2660	60	8	0,0,17266,17977,17074,46118,16827,40353 +1480337776.925370	1480337776.967032	holding	2658	2658	80	8	15568,38836,0,0,0,0,0,0 +1480337776.944478	1480337776.967249	holding	2662	2662	60	8	17058,3234,17105,17749,16954,7282,16772,26700 +1480337776.935247	1480337776.974263	holding	2661	2661	60	8	0,0,17070,10923,17035,27762,16703,46118 +1480337776.915597	1480337776.975377	holding	2657	2657	40	7	2063,0,32768,0,0,0,0 +1480337776.976604	1480337776.979823	holding	2668	2668	60	12	17173,48796,49926,54917,17146,46421,17120,50366,17107,7282,16795,43994 | 
