Diffstat (limited to 'bro-script')
-rw-r--r--bro-script/pasad-parsed.bro86
-rw-r--r--bro-script/pasad-parsed.log190
2 files changed, 163 insertions, 113 deletions
diff --git a/bro-script/pasad-parsed.bro b/bro-script/pasad-parsed.bro
index 7fcc905..88b1be1 100644
--- a/bro-script/pasad-parsed.bro
+++ b/bro-script/pasad-parsed.bro
@@ -1,27 +1,72 @@
-## Implementation that outputs pairs of register IDs and values.
-## Otherwise, the same restrictions as with pasad-simple apply. Additionally,
-## the correct register count is not checked and might lead to indexing errors.
+## Implementation that outputs the register identification and the register
+## value. The correct register count is not checked and might lead to indexing
+## errors.
module Pasad;
+## DATA STRUCTURES
+
export {
redef enum Log::ID += { LOG };
+ type Transaction: record {
+ start_address: count;
+ quantity: count;
+ };
+
+ type TransactionTable: table[count] of Transaction;
+
type Info: record {
- start_address: count &log;
- quantity: count &log;
+ transactions: TransactionTable &default=TransactionTable();
};
type Entry: record {
- address: count &log;
- register: count &log;
+ ip: addr &log;
+ uid: count &log;
+ regtype: string &log;
+ address: count &log;
+ register: count &log;
};
}
redef record connection += {
- pasad: Info &optional;
+ pasad: Info &default=Info();
};
+## CUSTOM EVENTS
+
+event pasad_entry(entry: Entry)
+ {
+ Log::write(Pasad::LOG, entry);
+ }
+
+event pasad_unmatched(tid: count)
+ {
+ print fmt("Unmatched response: tid=%d", tid);
+ }
+
+## CUSTOM FUNCTIONS
+
+function pasad_generate_events(transaction: Transaction, c: connection, headers: ModbusHeaders, registers: ModbusRegisters, regtype: string)
+ {
+ # TODO: check registers size
+ local i = 0;
+ while ( i < transaction$quantity )
+ {
+ local entry = Entry(
+ $ip=c$id$orig_h,
+ $uid=headers$uid,
+ $regtype=regtype,
+ $address=transaction$start_address + i,
+ $register=registers[i]
+ );
+ event pasad_entry(entry);
+ ++i;
+ }
+ }
+
+## EVENT HANDLERS
+
event bro_init() &priority=5
{
Log::create_stream(Pasad::LOG, [$columns=Entry, $path="pasad-parsed"]);
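Review bot: `pasad_generate_events` indexes `registers[i]` for every `i < transaction$quantity` without checking `|registers|`, so a reply carrying fewer registers than the request asked for (a truncated or malformed response from the device, or a spoofed one) produces an out-of-range vector access and a script runtime error; the `# TODO: check registers size` line is exactly where that bound belongs, and the request-side quantity is untrusted input just as the response is. Clamp the loop to what actually arrived, e.g. `local n = transaction$quantity; if ( |registers| < n ) n = |registers|;` and loop `while ( i < n )`, and consider reporting a short response (e.g. via `Reporter::warning`) so the mismatch is visible instead of silently skipped. Separately, the `uid` column of `Entry` holds `headers$uid`, the Modbus unit identifier, while `uid` in Bro logs conventionally means the connection UID; naming the field `unit_id`, or at least commenting on the `Entry` record that it is the Modbus unit id, avoids confusion for anyone correlating this log with conn.log. `bro_init` at the end of the hunk continues past it.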
@@ -29,18 +74,23 @@ event bro_init() &priority=5
event modbus_read_holding_registers_request(c: connection, headers: ModbusHeaders, start_address: count, quantity: count)
{
- c$pasad = [$start_address=start_address, $quantity=quantity];
+ local tid = headers$tid;
+ local transaction = Transaction(
+ $start_address=start_address,
+ $quantity=quantity
+ );
+ c$pasad$transactions[tid] = transaction;
}
event modbus_read_holding_registers_response(c: connection, headers: ModbusHeaders, registers: ModbusRegisters)
{
- local i = 0;
- while ( i < c$pasad$quantity )
- {
- local address = c$pasad$start_address + i;
- local mb_register = registers[i];
- local entry = Entry($address=address, $register=mb_register);
- Log::write(Pasad::LOG, entry);
- ++i;
- }
+ local tid = headers$tid;
+ if ( tid !in c$pasad$transactions )
+ {
+ event pasad_unmatched(tid);
+ return;
+ }
+ local transaction = c$pasad$transactions[tid];
+ delete c$pasad$transactions[tid];
+ pasad_generate_events(transaction, c, headers, registers, "h");
}
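Review bot: The request handler assigns `c$pasad$transactions[tid]` unconditionally, so a second request that reuses a transaction id before its reply arrives silently replaces the pending entry and the first request's start address and quantity are lost; pending entries are also only deleted when a matching response arrives, so unanswered requests accumulate for the life of the connection. Reporting the collision at the assignment, e.g. `if ( tid in c$pasad$transactions ) Reporter::warning(fmt("Pending transaction replaced: tid=%d", tid));`, makes the ambiguity visible, and an expiry on the `transactions` field (such as `&create_expire`, declared on the record outside this hunk) would bound the state a chatty or stalled peer can pin per connection. The `"h"` passed as `regtype` suggests other register types are planned but only read-holding-registers is handled here, so a comment on the response handler stating that other function codes are not yet tracked would help the next reader.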
diff --git a/bro-script/pasad-parsed.log b/bro-script/pasad-parsed.log
index bf195b7..dd7b1ba 100644
--- a/bro-script/pasad-parsed.log
+++ b/bro-script/pasad-parsed.log
@@ -3,98 +3,98 @@
#empty_field (empty)
#unset_field -
#path pasad-parsed
-#open 2017-09-25-21-23-53
-#fields address register
-#types count count
-80 48979
-81 7282
-82 15636
-83 9709
-84 48404
-85 9709
-86 16943
-87 32237
-60 17173
-61 45657
-62 49927
-63 27307
-64 17146
-65 46421
-66 17120
-67 57951
-68 17107
-69 22452
-70 16795
-71 13653
-0 244
-1 32776
-2 9728
-68 0
-69 0
-70 0
-71 0
-72 0
-73 0
-50 2016
-51 11
-52 28
-53 13
-54 56
-55 15
-40 7
-41 0
-42 32768
-43 0
-44 0
-45 0
-50 2016
-51 11
-52 28
-53 13
-54 56
-55 15
-40 120
-41 1
-42 0
-43 0
-44 0
-45 0
-46 0
-0 31840
-1 27348
-2 32541
-3 6170
-4 26
-5 12311
-6 0
-7 0
-8 0
-9 0
-68 17000
-69 0
-70 17012
-71 0
-72 17008
-73 0
-74 15948
-75 52429
-68 17052
-69 0
-70 17048
-71 0
-72 17046
-73 0
-74 17042
-75 0
-76 16256
-77 0
-50 2016
-51 11
-52 28
-53 13
-54 56
-55 14
-40 263
-41 0
-42 0
-43 0
+#open 2017-10-03-11-12-43
+#fields ip uid regtype address register
+#types addr count string count count
+10.34.211.73 255 h 80 48979
+10.34.211.73 255 h 81 7282
+10.34.211.73 255 h 82 15636
+10.34.211.73 255 h 83 9709
+10.34.211.73 255 h 84 48404
+10.34.211.73 255 h 85 9709
+10.34.211.73 255 h 86 16943
+10.34.211.73 255 h 87 32237
+10.34.211.73 255 h 60 17173
+10.34.211.73 255 h 61 45657
+10.34.211.73 255 h 62 49927
+10.34.211.73 255 h 63 27307
+10.34.211.73 255 h 64 17146
+10.34.211.73 255 h 65 46421
+10.34.211.73 255 h 66 17120
+10.34.211.73 255 h 67 57951
+10.34.211.73 255 h 68 17107
+10.34.211.73 255 h 69 22452
+10.34.211.73 255 h 70 16795
+10.34.211.73 255 h 71 13653
+10.34.211.73 255 h 0 244
+10.34.211.73 255 h 1 32776
+10.34.211.73 255 h 2 9728
+10.34.211.73 255 h 68 0
+10.34.211.73 255 h 69 0
+10.34.211.73 255 h 70 0
+10.34.211.73 255 h 71 0
+10.34.211.73 255 h 72 0
+10.34.211.73 255 h 73 0
+10.34.211.73 255 h 50 2016
+10.34.211.73 255 h 51 11
+10.34.211.73 255 h 52 28
+10.34.211.73 255 h 53 13
+10.34.211.73 255 h 54 56
+10.34.211.73 255 h 55 15
+10.34.211.73 255 h 40 7
+10.34.211.73 255 h 41 0
+10.34.211.73 255 h 42 32768
+10.34.211.73 255 h 43 0
+10.34.211.73 255 h 44 0
+10.34.211.73 255 h 45 0
+10.34.211.73 255 h 50 2016
+10.34.211.73 255 h 51 11
+10.34.211.73 255 h 52 28
+10.34.211.73 255 h 53 13
+10.34.211.73 255 h 54 56
+10.34.211.73 255 h 55 15
+10.34.211.73 255 h 40 120
+10.34.211.73 255 h 41 1
+10.34.211.73 255 h 42 0
+10.34.211.73 255 h 43 0
+10.34.211.73 255 h 44 0
+10.34.211.73 255 h 45 0
+10.34.211.73 255 h 46 0
+10.34.211.69 1 h 0 31840
+10.34.211.69 1 h 1 27348
+10.34.211.69 1 h 2 32541
+10.34.211.69 1 h 3 6170
+10.34.211.69 1 h 4 26
+10.34.211.69 1 h 5 12311
+10.34.211.69 1 h 6 0
+10.34.211.69 1 h 7 0
+10.34.211.69 1 h 8 0
+10.34.211.69 1 h 9 0
+10.34.211.73 255 h 68 17000
+10.34.211.73 255 h 69 0
+10.34.211.73 255 h 70 17012
+10.34.211.73 255 h 71 0
+10.34.211.73 255 h 72 17008
+10.34.211.73 255 h 73 0
+10.34.211.73 255 h 74 15948
+10.34.211.73 255 h 75 52429
+10.34.211.73 255 h 68 17052
+10.34.211.73 255 h 69 0
+10.34.211.73 255 h 70 17048
+10.34.211.73 255 h 71 0
+10.34.211.73 255 h 72 17046
+10.34.211.73 255 h 73 0
+10.34.211.73 255 h 74 17042
+10.34.211.73 255 h 75 0
+10.34.211.73 255 h 76 16256
+10.34.211.73 255 h 77 0
+10.34.211.73 255 h 50 2016
+10.34.211.73 255 h 51 11
+10.34.211.73 255 h 52 28
+10.34.211.73 255 h 53 13
+10.34.211.73 255 h 54 56
+10.34.211.73 255 h 55 14
+10.34.211.73 255 h 40 263
+10.34.211.73 255 h 41 0
+10.34.211.73 255 h 42 0
+10.34.211.73 255 h 43 0