From 888e5074c46584ae9f9b4621cb9b4ae1084aa100 Mon Sep 17 00:00:00 2001
From: Robin Krahl
Date: Tue, 3 Oct 2017 11:14:33 +0000
Subject: bro-script: pasad-parsed: Implement transaction handling

---
 bro-script/pasad-parsed.bro | 86 +++++++++++++++-----
 bro-script/pasad-parsed.log | 190 ++++++++++++++++++++++----------------------
 2 files changed, 163 insertions(+), 113 deletions(-)

diff --git a/bro-script/pasad-parsed.bro b/bro-script/pasad-parsed.bro
index 7fcc905..88b1be1 100644
--- a/bro-script/pasad-parsed.bro
+++ b/bro-script/pasad-parsed.bro
@@ -1,27 +1,72 @@
-## Implementation that outputs pairs of register IDs and values.
-## Otherwise, the same restrictions as with pasad-simple apply. Additionally,
-## the correct register count is not checked and might lead to indexing errors.
+## Implementation that outputs the register identification and the register
+## value. The correct register count is not checked and might lead to indexing
+## errors.
 
 module Pasad;
 
+## DATA STRUCTURES
+
 export {
 redef enum Log::ID += { LOG };
 
+ type Transaction: record {
+ start_address: count;
+ quantity: count;
+ };
+
+ type TransactionTable: table[count] of Transaction;
+
 type Info: record {
- start_address: count &log;
- quantity: count &log;
+ transactions: TransactionTable &default=TransactionTable();
 };
 
 type Entry: record {
- address: count &log;
- register: count &log;
+ ip: addr &log;
+ uid: count &log;
+ regtype: string &log;
+ address: count &log;
+ register: count &log;
 };
 }
 
 redef record connection += {
- pasad: Info &optional;
+ pasad: Info &default=Info();
 };
 
+## CUSTOM EVENTS
+
+event pasad_entry(entry: Entry)
+ {
+ Log::write(Pasad::LOG, entry);
+ }
+
+event pasad_unmatched(tid: count)
+ {
+ print fmt("Unmatched response: tid=%d", tid);
+ }
+
+## CUSTOM FUNCTIONS
+
+function pasad_generate_events(transaction: Transaction, c: connection, headers: ModbusHeaders, registers: ModbusRegisters, regtype: string)
+ {
+ # TODO: check registers size
+ local i = 0;
+ while ( i < transaction$quantity )
+ {
+ local entry = Entry(
+ $ip=c$id$orig_h,
+ $uid=headers$uid,
+ $regtype=regtype,
+ $address=transaction$start_address + i,
+ $register=registers[i]
+ );
+ event pasad_entry(entry);
+ ++i;
+ }
+ }
+
+## EVENT HANDLERS
+
 event bro_init() &priority=5
 {
 Log::create_stream(Pasad::LOG, [$columns=Entry, $path="pasad-parsed"]);
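Review bot: `pasad_generate_events` reads `registers[i]` for every `i` below `transaction$quantity`, so a response that carries fewer registers than the request asked for — a truncated or forged reply from the device side — indexes past the end of the vector; the `# TODO: check registers size` comment acknowledges this but the hunk leaves it open. Bounding the loop on the actual payload, `while ( i < transaction$quantity && i < |registers| )`, closes that, and a mismatch between `|registers|` and `transaction$quantity` is worth reporting rather than silently truncating, since request/response pairing is the point of this commit. On the same hunk, `pasad_unmatched` diagnoses via `print fmt(...)`, which goes to stdout and is lost when Bro runs detached; `Reporter::warning(fmt("Unmatched response: tid=%d", tid));` puts it in reporter.log instead. The header comment's sentence about the register count not being checked should then be removed.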
@@ -29,18 +74,23 @@ event bro_init() &priority=5
 
 event modbus_read_holding_registers_request(c: connection, headers: ModbusHeaders, start_address: count, quantity: count)
 {
- c$pasad = [$start_address=start_address, $quantity=quantity];
+ local tid = headers$tid;
+ local transaction = Transaction(
+ $start_address=start_address,
+ $quantity=quantity
+ );
+ c$pasad$transactions[tid] = transaction;
 }
 
 event modbus_read_holding_registers_response(c: connection, headers: ModbusHeaders, registers: ModbusRegisters)
 {
- local i = 0;
- while ( i < c$pasad$quantity )
- {
- local address = c$pasad$start_address + i;
- local mb_register = registers[i];
- local entry = Entry($address=address, $register=mb_register);
- Log::write(Pasad::LOG, entry);
- ++i;
- }
+ local tid = headers$tid;
+ if ( tid !in c$pasad$transactions )
+ {
+ event pasad_unmatched(tid);
+ return;
+ }
+ local transaction = c$pasad$transactions[tid];
+ delete c$pasad$transactions[tid];
+ pasad_generate_events(transaction, c, headers, registers, "h");
 }
diff --git a/bro-script/pasad-parsed.log b/bro-script/pasad-parsed.log
index bf195b7..dd7b1ba 100644
--- a/bro-script/pasad-parsed.log
+++ b/bro-script/pasad-parsed.log
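Review bot: An entry stored in `c$pasad$transactions` by `modbus_read_holding_registers_request` is only deleted when a matching `modbus_read_holding_registers_response` arrives, so a request the device answers with a Modbus exception (delivered through the separate `modbus_exception` event, not this handler) or never answers at all stays in the table for the lifetime of the connection. Modbus/TCP sessions in control networks are commonly held open for days, so a device that drops or rejects requests — or a peer that deliberately sends requests without replies — makes this per-connection table grow without bound. The cheapest mitigation is an expiry on the table, e.g. `&write_expire=30sec` on the `TransactionTable` declaration in the first hunk, paired with a `modbus_exception` handler that deletes `c$pasad$transactions[headers$tid]` when the key is present. Presumably matching on `tid` alone is sufficient for the deployments this targets, but a comment saying so next to the `if ( tid !in c$pasad$transactions )` check would save the next reader from re-deriving it.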
@@ -3,98 +3,98 @@ #empty_field (empty) #unset_field - #path pasad-parsed -#open 2017-09-25-21-23-53 -#fields address register -#types count count -80 48979 -81 7282 -82 15636 -83 9709 -84 48404 -85 9709 -86 16943 -87 32237 -60 17173 -61 45657 -62 49927 -63 27307 -64 17146 -65 46421 -66 17120 -67 57951 -68 17107 -69 22452 -70 16795 -71 13653 -0 244 -1 32776 -2 9728 -68 0 -69 0 -70 0 -71 0 -72 0 -73 0 -50 2016 -51 11 -52 28 -53 13 -54 56 -55 15 -40 7 -41 0 -42 32768 -43 0 -44 0 -45 0 -50 2016 -51 11 -52 28 -53 13 -54 56 -55 15 -40 120 -41 1 -42 0 -43 0 -44 0 -45 0 -46 0 -0 31840 -1 27348 -2 32541 -3 6170 -4 26 -5 12311 -6 0 -7 0 -8 0 -9 0 -68 17000 -69 0 -70 17012 -71 0 -72 17008 -73 0 -74 15948 -75 52429 -68 17052 -69 0 -70 17048 -71 0 -72 17046 -73 0 -74 17042 -75 0 -76 16256 -77 0 -50 2016 -51 11 -52 28 -53 13 -54 56 -55 14 -40 263 -41 0 -42 0 -43 0 +#open 2017-10-03-11-12-43 +#fields ip uid regtype address register +#types addr count string count count +10.34.211.73 255 h 80 48979 +10.34.211.73 255 h 81 7282 +10.34.211.73 255 h 82 15636 +10.34.211.73 255 h 83 9709 +10.34.211.73 255 h 84 48404 +10.34.211.73 255 h 85 9709 +10.34.211.73 255 h 86 16943 +10.34.211.73 255 h 87 32237 +10.34.211.73 255 h 60 17173 +10.34.211.73 255 h 61 45657 +10.34.211.73 255 h 62 49927 +10.34.211.73 255 h 63 27307 +10.34.211.73 255 h 64 17146 +10.34.211.73 255 h 65 46421 +10.34.211.73 255 h 66 17120 +10.34.211.73 255 h 67 57951 +10.34.211.73 255 h 68 17107 +10.34.211.73 255 h 69 22452 +10.34.211.73 255 h 70 16795 +10.34.211.73 255 h 71 13653 +10.34.211.73 255 h 0 244 +10.34.211.73 255 h 1 32776 +10.34.211.73 255 h 2 9728 +10.34.211.73 255 h 68 0 +10.34.211.73 255 h 69 0 +10.34.211.73 255 h 70 0 +10.34.211.73 255 h 71 0 +10.34.211.73 255 h 72 0 +10.34.211.73 255 h 73 0 +10.34.211.73 255 h 50 2016 +10.34.211.73 255 h 51 11 +10.34.211.73 255 h 52 28 +10.34.211.73 255 h 53 13 +10.34.211.73 255 h 54 56 +10.34.211.73 255 h 55 15 +10.34.211.73 255 h 40 7 +10.34.211.73 255 h 41 0 +10.34.211.73 
255 h 42 32768 +10.34.211.73 255 h 43 0 +10.34.211.73 255 h 44 0 +10.34.211.73 255 h 45 0 +10.34.211.73 255 h 50 2016 +10.34.211.73 255 h 51 11 +10.34.211.73 255 h 52 28 +10.34.211.73 255 h 53 13 +10.34.211.73 255 h 54 56 +10.34.211.73 255 h 55 15 +10.34.211.73 255 h 40 120 +10.34.211.73 255 h 41 1 +10.34.211.73 255 h 42 0 +10.34.211.73 255 h 43 0 +10.34.211.73 255 h 44 0 +10.34.211.73 255 h 45 0 +10.34.211.73 255 h 46 0 +10.34.211.69 1 h 0 31840 +10.34.211.69 1 h 1 27348 +10.34.211.69 1 h 2 32541 +10.34.211.69 1 h 3 6170 +10.34.211.69 1 h 4 26 +10.34.211.69 1 h 5 12311 +10.34.211.69 1 h 6 0 +10.34.211.69 1 h 7 0 +10.34.211.69 1 h 8 0 +10.34.211.69 1 h 9 0 +10.34.211.73 255 h 68 17000 +10.34.211.73 255 h 69 0 +10.34.211.73 255 h 70 17012 +10.34.211.73 255 h 71 0 +10.34.211.73 255 h 72 17008 +10.34.211.73 255 h 73 0 +10.34.211.73 255 h 74 15948 +10.34.211.73 255 h 75 52429 +10.34.211.73 255 h 68 17052 +10.34.211.73 255 h 69 0 +10.34.211.73 255 h 70 17048 +10.34.211.73 255 h 71 0 +10.34.211.73 255 h 72 17046 +10.34.211.73 255 h 73 0 +10.34.211.73 255 h 74 17042 +10.34.211.73 255 h 75 0 +10.34.211.73 255 h 76 16256 +10.34.211.73 255 h 77 0 +10.34.211.73 255 h 50 2016 +10.34.211.73 255 h 51 11 +10.34.211.73 255 h 52 28 +10.34.211.73 255 h 53 13 +10.34.211.73 255 h 54 56 +10.34.211.73 255 h 55 14 +10.34.211.73 255 h 40 263 +10.34.211.73 255 h 41 0 +10.34.211.73 255 h 42 0 +10.34.211.73 255 h 43 0 -- cgit v1.2.1