From da9544a4dba273d1cada460f3064d9e1ff21b44e Mon Sep 17 00:00:00 2001
From: Andreas Lindhé
Date: Wed, 11 Oct 2017 08:47:50 +0200
Subject: Move files from bro-script directory

---
 bro-script/README | 9 ----
 bro-script/pasad-parsed.bro | 96 ------------------------------------
 bro-script/pasad-parsed.log | 100 --------------------------------------
 bro-script/pasad-simple.bro | 56 ----------------------
 bro-script/pasad-simple.log | 100 --------------------------------------
 broccoli/script/README | 9 ++++
 broccoli/script/pasad-parsed.bro | 96 +++++++++++++++++++++++++++++++++++++
 broccoli/script/pasad-simple.bro | 56 ++++++++++++++++++++++
 8 files changed, 161 insertions(+), 361 deletions(-)
 delete mode 100644 bro-script/README
 delete mode 100644 bro-script/pasad-parsed.bro
 delete mode 100644 bro-script/pasad-parsed.log
 delete mode 100644 bro-script/pasad-simple.bro
 delete mode 100644 bro-script/pasad-simple.log
 create mode 100644 broccoli/script/README
 create mode 100644 broccoli/script/pasad-parsed.bro
 create mode 100644 broccoli/script/pasad-simple.bro

diff --git a/bro-script/README b/bro-script/README
deleted file mode 100644
index 15f121e..0000000
--- a/bro-script/README
+++ /dev/null
@@ -1,9 +0,0 @@
-This directory contains a baseline implementation of the package parser
-implemented as a Bro script. A .bro file contains a script that can be
-executed on a Modbus pcap dump. A .log file contains an example for an
-output file generated by this script. By convention, the sample log file
-should contain the first 100 lines of a real log file obtained from running
-the script on packets_00014_20161128135616.cap.
-
-Currently, the scripts only handle the read_holding_registers event. Other
-events can handled by simply copying and adapting the existing handlers.
diff --git a/bro-script/pasad-parsed.bro b/bro-script/pasad-parsed.bro
deleted file mode 100644
index 88b1be1..0000000
--- a/bro-script/pasad-parsed.bro
+++ /dev/null
@@ -1,96 +0,0 @@
-## Implementation that outputs the register identification and the register
-## value. The correct register count is not checked and might lead to indexing
-## errors.
-
-module Pasad;
-
-## DATA STRUCTURES
-
-export {
- redef enum Log::ID += { LOG };
-
- type Transaction: record {
- start_address: count;
- quantity: count;
- };
-
- type TransactionTable: table[count] of Transaction;
-
- type Info: record {
- transactions: TransactionTable &default=TransactionTable();
- };
-
- type Entry: record {
- ip: addr &log;
- uid: count &log;
- regtype: string &log;
- address: count &log;
- register: count &log;
- };
-}
-
-redef record connection += {
- pasad: Info &default=Info();
-};
-
-## CUSTOM EVENTS
-
-event pasad_entry(entry: Entry)
- {
- Log::write(Pasad::LOG, entry);
- }
-
-event pasad_unmatched(tid: count)
- {
- print fmt("Unmatched response: tid=%d", tid);
- }
-
-## CUSTOM FUNCTIONS
-
-function pasad_generate_events(transaction: Transaction, c: connection, headers: ModbusHeaders, registers: ModbusRegisters, regtype: string)
- {
- # TODO: check registers size
- local i = 0;
- while ( i < transaction$quantity )
- {
- local entry = Entry(
- $ip=c$id$orig_h,
- $uid=headers$uid,
- $regtype=regtype,
- $address=transaction$start_address + i,
- $register=registers[i]
- );
- event pasad_entry(entry);
- ++i;
- }
- }
-
-## EVENT HANDLERS
-
-event bro_init() &priority=5
- {
- Log::create_stream(Pasad::LOG, [$columns=Entry, $path="pasad-parsed"]);
- }
-
-event modbus_read_holding_registers_request(c: connection, headers: ModbusHeaders, start_address: count, quantity: count)
- {
- local tid = headers$tid;
- local transaction = Transaction(
- $start_address=start_address,
- $quantity=quantity
- );
- c$pasad$transactions[tid] = transaction;
- }
-
-event modbus_read_holding_registers_response(c: connection, headers: ModbusHeaders, registers: ModbusRegisters)
- {
- local tid = headers$tid;
- if ( tid !in c$pasad$transactions )
- {
- event pasad_unmatched(tid);
- return;
- }
- local transaction = c$pasad$transactions[tid];
- delete c$pasad$transactions[tid];
- pasad_generate_events(transaction, c, headers, registers, "h");
- }
diff --git a/bro-script/pasad-parsed.log b/bro-script/pasad-parsed.log
deleted file mode 100644
index dd7b1ba..0000000
--- a/bro-script/pasad-parsed.log
+++ /dev/null
@@ -1,100 +0,0 @@ -#separator \x09 -#set_separator , -#empty_field (empty) -#unset_field - -#path pasad-parsed -#open 2017-10-03-11-12-43 -#fields ip uid regtype address register -#types addr count string count count -10.34.211.73 255 h 80 48979 -10.34.211.73 255 h 81 7282 -10.34.211.73 255 h 82 15636 -10.34.211.73 255 h 83 9709 -10.34.211.73 255 h 84 48404 -10.34.211.73 255 h 85 9709 -10.34.211.73 255 h 86 16943 -10.34.211.73 255 h 87 32237 -10.34.211.73 255 h 60 17173 -10.34.211.73 255 h 61 45657 -10.34.211.73 255 h 62 49927 -10.34.211.73 255 h 63 27307 -10.34.211.73 255 h 64 17146 -10.34.211.73 255 h 65 46421 -10.34.211.73 255 h 66 17120 -10.34.211.73 255 h 67 57951 -10.34.211.73 255 h 68 17107 -10.34.211.73 255 h 69 22452 -10.34.211.73 255 h 70 16795 -10.34.211.73 255 h 71 13653 -10.34.211.73 255 h 0 244 -10.34.211.73 255 h 1 32776 -10.34.211.73 255 h 2 9728 -10.34.211.73 255 h 68 0 -10.34.211.73 255 h 69 0 -10.34.211.73 255 h 70 0 -10.34.211.73 255 h 71 0 -10.34.211.73 255 h 72 0 -10.34.211.73 255 h 73 0 -10.34.211.73 255 h 50 2016 -10.34.211.73 255 h 51 11 -10.34.211.73 255 h 52 28 -10.34.211.73 255 h 53 13 -10.34.211.73 255 h 54 56 -10.34.211.73 255 h 55 15 -10.34.211.73 255 h 40 7 -10.34.211.73 255 h 41 0 -10.34.211.73 255 h 42 32768 -10.34.211.73 255 h 43 0 -10.34.211.73 255 h 44 0 -10.34.211.73 255 h 45 0 -10.34.211.73 255 h 50 2016 -10.34.211.73 255 h 51 11 -10.34.211.73 255 h 52 28 -10.34.211.73 255 h 53 13 -10.34.211.73 255 h 54 56 -10.34.211.73 255 h 55 15 -10.34.211.73 255 h 40 120 -10.34.211.73 255 h 41 1 -10.34.211.73 255 h 42 0 -10.34.211.73 255 h 43 0 -10.34.211.73 255 h 44 0 -10.34.211.73 255 h 45 0 -10.34.211.73 255 h 46 0 -10.34.211.69 1 h 0 31840 -10.34.211.69 1 h 1 27348 -10.34.211.69 1 h 2 32541 -10.34.211.69 1 h 3 6170 -10.34.211.69 1 h 4 26 -10.34.211.69 1 h 5 12311 -10.34.211.69 1 h 6 0 -10.34.211.69 1 h 7 0 -10.34.211.69 1 h 8 0 -10.34.211.69 1 h 9 0 -10.34.211.73 255 h 68 17000 -10.34.211.73 255 h 69 0 -10.34.211.73 255 h 70 17012 
-10.34.211.73 255 h 71 0
-10.34.211.73 255 h 72 17008
-10.34.211.73 255 h 73 0
-10.34.211.73 255 h 74 15948
-10.34.211.73 255 h 75 52429
-10.34.211.73 255 h 68 17052
-10.34.211.73 255 h 69 0
-10.34.211.73 255 h 70 17048
-10.34.211.73 255 h 71 0
-10.34.211.73 255 h 72 17046
-10.34.211.73 255 h 73 0
-10.34.211.73 255 h 74 17042
-10.34.211.73 255 h 75 0
-10.34.211.73 255 h 76 16256
-10.34.211.73 255 h 77 0
-10.34.211.73 255 h 50 2016
-10.34.211.73 255 h 51 11
-10.34.211.73 255 h 52 28
-10.34.211.73 255 h 53 13
-10.34.211.73 255 h 54 56
-10.34.211.73 255 h 55 14
-10.34.211.73 255 h 40 263
-10.34.211.73 255 h 41 0
-10.34.211.73 255 h 42 0
-10.34.211.73 255 h 43 0
diff --git a/bro-script/pasad-simple.bro b/bro-script/pasad-simple.bro
deleted file mode 100644
index db3b4be..0000000
--- a/bro-script/pasad-simple.bro
+++ /dev/null
@@ -1,56 +0,0 @@
-## Simple implementation that outputs the raw request and response data
-## to a log file.
-## Currently, this only handles the read_holding_registers event. Other
-## events can be handled similarily. This implementation assumes that
-## requests and responses are exchanged within the same connection. I am not
-## sure whether this really holds.
-
-module Pasad;
-
-export {
- redef enum Log::ID += { LOG };
-
- type Info: record {
- ts_request: time &log;
- ts_response: time &log &optional;
- rtype: string &log;
- tid_request: count &log;
- tid_response: count &log &optional;
- ip_orig: addr &log;
- ip_resp: addr &log;
- start_address: count &log;
- quantity: count &log;
- registers: ModbusRegisters &log &optional;
- };
-}
-
-redef record connection += {
- pasad: Info &optional;
-};
-
-event bro_init() &priority=5
- {
- Log::create_stream(Pasad::LOG, [$columns=Info, $path="pasad-simple"]);
- }
-
-event modbus_read_holding_registers_request(c: connection, headers: ModbusHeaders, start_address: count, quantity: count)
- {
- local rec: Info = [
- $ts_request=network_time(),
- $rtype="holding",
- $tid_request=headers$tid,
- $start_address=start_address,
- $quantity=quantity,
- $ip_orig=c$id$orig_h,
- $ip_resp=c$id$resp_h
- ];
- c$pasad = rec;
- }
-
-event modbus_read_holding_registers_response(c: connection, headers: ModbusHeaders, registers: ModbusRegisters)
- {
- c$pasad$tid_response = headers$tid;
- c$pasad$ts_response = network_time();
- c$pasad$registers = registers;
- Log::write(Pasad::LOG, c$pasad);
- }
diff --git a/bro-script/pasad-simple.log b/bro-script/pasad-simple.log
deleted file mode 100644
index 71bb1db..0000000
--- a/bro-script/pasad-simple.log
+++ /dev/null
@@ -1,100 +0,0 @@ -#separator \x09 -#set_separator , -#empty_field (empty) -#unset_field - -#path pasad-simple -#open 2017-09-26-10-11-01 -#fields ts_request ts_response rtype tid_request tid_response ip_orig ip_resp start_address quantity registers -#types time time string count count addr addr count count vector[count] -1480337775.934099 1480337775.971379 holding 2538 2538 10.34.211.73 192.168.211.146 80 8 48979,7282,15636,9709,48404,9709,16943,32237 -1480337776.128206 1480337776.131736 holding 2547 2547 10.34.211.73 192.168.215.66 60 12 17173,45657,49927,27307,17146,46421,17120,57951,17107,22452,16795,13653 -1480337776.103192 1480337776.132496 holding 2542 2542 10.34.211.73 192.168.211.186 0 3 244,32776,9728 -1480337776.123186 1480337776.146508 holding 2546 2546 10.34.211.73 192.168.211.122 68 6 0,0,0,0,0,0 -1480337776.113180 1480337776.156409 holding 2544 2544 10.34.211.73 192.168.211.178 50 6 2016,11,28,13,56,15 -1480337776.134962 1480337776.158094 holding 2548 2548 10.34.211.73 192.168.211.130 40 6 7,0,32768,0,0,0 -1480337776.144883 1480337776.171089 holding 2549 2549 10.34.211.73 192.168.211.210 50 6 2016,11,28,13,56,15 -1480337776.118196 1480337776.171376 holding 2545 2545 10.34.211.73 192.168.211.194 40 7 120,1,0,0,0,0,0 -1480337776.096762 1480337776.172857 holding 41583 41583 10.34.211.69 192.168.211.218 0 10 31840,27348,32541,6170,26,12311,0,0,0,0 -1480337776.169475 1480337776.180976 holding 2554 2554 10.34.211.73 192.168.211.67 68 8 17000,0,17012,0,17008,0,15948,52429 -1480337776.174899 1480337776.185110 holding 2555 2555 10.34.211.73 192.168.211.82 68 10 17052,0,17048,0,17046,0,17042,0,16256,0 -1480337776.108212 1480337776.195739 holding 2543 2543 10.34.211.73 192.168.211.226 50 6 2016,11,28,13,56,14 -1480337776.149574 1480337776.206115 holding 2550 2550 10.34.211.73 192.168.211.162 40 7 263,0,0,0,0,0,0 -1480337776.195190 1480337776.220473 holding 2559 2559 10.34.211.73 192.168.211.186 70 6 2016,11,28,13,56,14 -1480337776.205354 1480337776.231626 
holding 2561 2561 10.34.211.73 192.168.211.178 60 8 0,0,17267,15019,17074,38533,16827,2427 -1480337776.204301 1480337776.235686 holding 2560 2560 10.34.211.73 192.168.211.226 60 12 0,0,16240,0,16707,0,16960,16081,17041,62199,16849,47332 -1480337776.215341 1480337776.238091 holding 2563 2563 10.34.211.73 192.168.211.122 80 6 16867,48545,48720,38836,48770,24273 -1480337776.225171 1480337776.250126 holding 2565 2565 10.34.211.73 192.168.211.130 50 6 2016,11,28,13,56,15 -1480337776.230277 1480337776.252068 holding 2566 2566 10.34.211.73 192.168.211.210 60 8 16975,56798,17027,50517,16984,13350,16621,63109 -1480337776.178152 1480337776.252858 holding 41584 41584 10.34.211.69 192.168.211.218 58 10 16956,45056,16814,4096,16986,49152,17180,41984,0,0 -1480337776.210249 1480337776.264273 holding 2562 2562 10.34.211.73 192.168.211.194 68 8 0,0,0,0,0,0,0,0 -1480337776.235274 1480337776.277239 holding 2567 2567 10.34.211.73 192.168.211.162 50 6 2016,11,28,13,56,15 -1480337776.244236 1480337776.286747 holding 41588 41588 10.34.211.69 192.168.211.90 50 3 49152,0,0 -1480337776.239724 1480337776.305137 holding 41587 41587 10.34.211.69 192.168.212.74 50 3 1,0,0 -1480337776.280346 1480337776.312383 holding 2576 2576 10.34.211.73 192.168.211.186 80 6 16993,3098,16907,56957,17147,63329 -1480337776.290526 1480337776.315494 holding 2578 2578 10.34.211.73 192.168.211.178 68 8 0,0,0,0,0,0,0,0 -1480337776.285222 1480337776.315673 holding 2577 2577 10.34.211.73 192.168.211.226 72 8 16960,0,16952,0,17038,0,17042,0 -1480337776.299070 1480337776.324822 holding 41590 41590 10.34.211.69 192.168.211.90 60 6 2016,11,28,13,56,14 -1480337776.259216 1480337776.332727 holding 41585 41585 10.34.211.69 192.168.211.218 10 8 0,0,32,2048,0,3,0,0 -1480337776.295410 1480337776.334351 holding 2579 2579 10.34.211.73 192.168.211.194 80 8 0,0,0,0,0,0,0,0 -1480337776.315670 1480337776.344274 holding 2583 2583 10.34.211.73 192.168.211.210 68 8 0,0,0,0,0,0,0,0 -1480337776.310646 1480337776.345388 holding 2582 2582 
10.34.211.73 192.168.211.130 60 8 0,0,48941,21845,16969,33071,16825,27307 -1480337776.308173 1480337776.351504 holding 41589 41589 10.34.211.69 192.168.212.74 60 6 2016,11,28,13,56,15 -1480337776.328087 1480337776.352746 holding 41592 41592 10.34.211.69 192.168.211.90 70 10 16539,13107,16616,41943,17329,983,17099,34079,16720,41943 -1480337776.320477 1480337776.360244 holding 2584 2584 10.34.211.73 192.168.211.162 68 8 0,0,0,0,0,0,0,0 -1480337776.355648 1480337776.379496 holding 2591 2591 10.34.211.73 192.168.211.186 86 8 0,0,0,0,16874,26215,0,0 -1480337776.357170 1480337776.389772 holding 41593 41593 10.34.211.69 192.168.211.90 80 16 17043,14418,16326,26214,16504,62915,16151,2621,16675,56099,18436,5504,16918,4821,16582,26214 -1480337776.381033 1480337776.403105 holding 2596 2596 10.34.211.73 192.168.211.130 68 6 0,0,0,0,0,0 -1480337776.363053 1480337776.407348 holding 41591 41591 10.34.211.69 192.168.212.74 94 6 17035,64717,16796,27610,17031,14131 -1480337776.365324 1480337776.416503 holding 2593 2593 10.34.211.73 192.168.211.178 80 4 15597,2427,15873,12136 -1480337776.340063 1480337776.423765 holding 41586 41586 10.34.211.69 192.168.211.218 38 10 16950,4096,16900,32768,16798,8192,16608,0,16992,0 -1480337776.385390 1480337776.431254 holding 2597 2597 10.34.211.73 192.168.211.210 80 8 0,0,0,0,0,0,17095,27610 -1480337776.476201 1480337776.506120 holding 2606 2606 10.34.211.73 192.168.211.130 80 6 48592,0,48573,41263,48526,14564 -1480337776.506298 1480337776.518276 holding 2612 2612 10.34.211.73 192.168.211.67 40 6 1799,13431,32,2615,1591,1591 -1480337776.496191 1480337776.518469 holding 2610 2610 10.34.211.73 192.168.211.106 40 6 1031,0,32768,3,1,2 -1480337776.495616 1480337776.519869 holding 41595 41595 10.34.211.69 192.168.211.90 40 9 0,0,0,0,0,0,0,0,30 -1480337776.511294 1480337776.522899 holding 2613 2613 10.34.211.73 192.168.211.82 40 7 527,12543,0,563,1591,563,0 -1480337776.491221 1480337776.527134 holding 2609 2609 10.34.211.73 192.168.211.202 40 7 
775,0,0,0,0,0,0 -1480337776.501350 1480337776.540895 holding 2611 2611 10.34.211.73 192.168.211.154 40 7 783,0,0,0,0,0,0 -1480337776.516193 1480337776.546865 holding 2614 2614 10.34.211.73 192.168.211.114 40 6 259,0,32768,0,0,0 -1480337776.554304 1480337776.579100 holding 2620 2620 10.34.211.73 192.168.211.122 40 6 263,0,32768,0,0,0 -1480337776.490946 1480337776.590021 holding 41594 41594 10.34.211.69 192.168.211.218 18 10 0,0,0,0,48669,28832,16167,8912,16164,48234 -1480337776.522267 1480337776.591382 holding 2615 2615 10.34.211.73 192.168.211.170 40 7 2063,0,32768,0,0,0,0 -1480337776.585015 1480337776.599260 holding 2626 2626 10.34.211.73 192.168.211.67 80 6 0,0,16784,0,16731,13107 -1480337776.589372 1480337776.599983 holding 2627 2627 10.34.211.73 192.168.211.82 80 8 0,0,17086,39322,0,0,0,0 -1480337776.574281 1480337776.606989 holding 2624 2624 10.34.211.73 192.168.211.202 50 6 2016,11,28,13,56,15 -1480337776.579367 1480337776.624210 holding 2625 2625 10.34.211.73 192.168.211.154 50 6 2016,11,28,13,56,15 -1480337776.599256 1480337776.635603 holding 2629 2629 10.34.211.73 192.168.211.226 40 7 3855,13567,192,1591,2615,2615,1591 -1480337776.609257 1480337776.643349 holding 2631 2631 10.34.211.73 192.168.211.98 40 6 7,0,0,0,0,0 -1480337776.604267 1480337776.649367 holding 2628 2628 10.34.211.73 192.168.211.170 50 6 2016,11,28,13,56,15 -1480337776.629206 1480337776.659118 holding 2635 2635 10.34.211.73 192.168.211.202 60 8 17056,37046,17260,57344,17029,48393,16890,15170 -1480337776.624205 1480337776.661266 holding 2634 2634 10.34.211.73 192.168.211.162 80 8 15696,38836,15568,38836,15568,38836,0,0 -1480337776.635896 1480337776.663986 holding 2636 2636 10.34.211.73 192.168.211.154 60 8 17151,13232,17213,31043,17068,41112,16708,64929 -1480337776.598093 1480337776.672871 holding 41596 41596 10.34.211.69 192.168.211.218 28 10 16071,19398,16346,45875,16946,16384,16959,8192,16913,20480 -1480337776.649253 1480337776.676361 holding 2639 2639 10.34.211.73 192.168.211.178 40 7 
3087,0,32768,0,0,0,0 -1480337776.654236 1480337776.677240 holding 2640 2640 10.34.211.73 192.168.211.98 50 6 2016,11,28,13,56,15 -1480337776.645288 1480337776.682747 holding 2638 2638 10.34.211.73 192.168.211.226 80 10 16384,0,16501,49807,0,0,0,0,16648,62914 -1480337776.660501 1480337776.698573 holding 2637 2637 10.34.211.73 192.168.211.170 60 8 17177,9421,17125,51883,17102,31554,16655,64322 -1480337776.671138 1480337776.701126 holding 2642 2642 10.34.211.73 192.168.211.202 68 8 0,0,0,0,0,0,0,0 -1480337776.684320 1480337776.706498 holding 2644 2644 10.34.211.73 192.168.211.98 60 8 17048,38426,48720,0,16986,11226,16895,6068 -1480337776.713660 1480337776.735618 holding 2647 2647 10.34.211.73 192.168.211.98 80 6 48561,50972,48365,2427,48621,2427 -1480337776.704169 1480337776.740641 holding 2643 2643 10.34.211.73 192.168.211.170 68 8 0,0,0,0,0,0,0,0 -1480337776.713186 1480337776.743142 holding 2645 2645 10.34.211.73 192.168.211.202 80 8 15597,2427,15597,2427,15597,2427,15597,2427 -1480337776.679076 1480337776.753232 holding 41597 41597 10.34.211.69 192.168.211.218 48 10 16720,0,16965,53248,16959,16384,16964,4096,16822,20480 -1480337776.746150 1480337776.781571 holding 2646 2646 10.34.211.73 192.168.211.170 80 8 15568,38836,15568,38836,0,0,0,0 -1480337776.875195 1480337776.912519 holding 2649 2649 10.34.211.73 192.168.211.186 0 3 244,40,9728 -1480337776.910345 1480337776.913669 holding 2656 2656 10.34.211.73 192.168.215.66 40 7 7,0,32768,0,0,0,0 -1480337776.880212 1480337776.915602 holding 2650 2650 10.34.211.73 192.168.211.226 50 6 2016,11,28,13,56,15 -1480337776.895199 1480337776.917131 holding 2653 2653 10.34.211.73 192.168.211.122 50 6 2016,11,28,13,56,15 -1480337776.870194 1480337776.922039 holding 2648 2648 10.34.211.73 192.168.211.154 68 8 0,0,0,0,0,0,0,0 -1480337776.890215 1480337776.930400 holding 2652 2652 10.34.211.73 192.168.211.194 50 6 2016,11,28,13,56,16 -1480337776.900279 1480337776.931123 holding 2654 2654 10.34.211.73 192.168.211.210 40 7 
259,0,32768,0,0,0,0
-1480337776.885172 1480337776.936397 holding 2651 2651 10.34.211.73 192.168.211.178 50 6 2016,11,28,13,56,15
-1480337776.925970 1480337776.947376 holding 2659 2659 10.34.211.73 192.168.211.186 70 6 2016,11,28,13,56,15
-1480337776.905320 1480337776.956106 holding 2655 2655 10.34.211.73 192.168.211.162 40 7 263,0,32768,0,0,0,0
-1480337776.954233 1480337776.958002 holding 2664 2664 10.34.211.73 192.168.215.66 50 6 2016,11,28,13,56,15
-1480337776.940206 1480337776.965516 holding 2660 2660 10.34.211.73 192.168.211.178 60 8 0,0,17266,17977,17074,46118,16827,40353
-1480337776.925370 1480337776.967032 holding 2658 2658 10.34.211.73 192.168.211.154 80 8 15568,38836,0,0,0,0,0,0
-1480337776.944478 1480337776.967249 holding 2662 2662 10.34.211.73 192.168.211.122 60 8 17058,3234,17105,17749,16954,7282,16772,26700
-1480337776.935247 1480337776.974263 holding 2661 2661 10.34.211.73 192.168.211.194 60 8 0,0,17070,10923,17035,27762,16703,46118
-1480337776.915597 1480337776.975377 holding 2657 2657 10.34.211.73 192.168.211.146 40 7 2063,0,32768,0,0,0,0
-1480337776.976604 1480337776.979823 holding 2668 2668 10.34.211.73 192.168.215.66 60 12 17173,48796,49926,54917,17146,46421,17120,50366,17107,7282,16795,43994
diff --git a/broccoli/script/README b/broccoli/script/README
new file mode 100644
index 0000000..15f121e
--- /dev/null
+++ b/broccoli/script/README
@@ -0,0 +1,9 @@
+This directory contains a baseline implementation of the package parser
+implemented as a Bro script. A .bro file contains a script that can be
+executed on a Modbus pcap dump. A .log file contains an example for an
+output file generated by this script. By convention, the sample log file
+should contain the first 100 lines of a real log file obtained from running
+the script on packets_00014_20161128135616.cap.
+
+Currently, the scripts only handle the read_holding_registers event. Other
+events can handled by simply copying and adapting the existing handlers.
diff --git a/broccoli/script/pasad-parsed.bro b/broccoli/script/pasad-parsed.bro
new file mode 100644
index 0000000..88b1be1
--- /dev/null
+++ b/broccoli/script/pasad-parsed.bro
@@ -0,0 +1,96 @@
+## Implementation that outputs the register identification and the register
+## value. The correct register count is not checked and might lead to indexing
+## errors.
+
+module Pasad;
+
+## DATA STRUCTURES
+
+export {
+ redef enum Log::ID += { LOG };
+
+ type Transaction: record {
+ start_address: count;
+ quantity: count;
+ };
+
+ type TransactionTable: table[count] of Transaction;
+
+ type Info: record {
+ transactions: TransactionTable &default=TransactionTable();
+ };
+
+ type Entry: record {
+ ip: addr &log;
+ uid: count &log;
+ regtype: string &log;
+ address: count &log;
+ register: count &log;
+ };
+}
+
+redef record connection += {
+ pasad: Info &default=Info();
+};
+
+## CUSTOM EVENTS
+
+event pasad_entry(entry: Entry)
+ {
+ Log::write(Pasad::LOG, entry);
+ }
+
+event pasad_unmatched(tid: count)
+ {
+ print fmt("Unmatched response: tid=%d", tid);
+ }
+
+## CUSTOM FUNCTIONS
+
+function pasad_generate_events(transaction: Transaction, c: connection, headers: ModbusHeaders, registers: ModbusRegisters, regtype: string)
+ {
+ # TODO: check registers size
+ local i = 0;
+ while ( i < transaction$quantity )
+ {
+ local entry = Entry(
+ $ip=c$id$orig_h,
+ $uid=headers$uid,
+ $regtype=regtype,
+ $address=transaction$start_address + i,
+ $register=registers[i]
+ );
+ event pasad_entry(entry);
+ ++i;
+ }
+ }
+
+## EVENT HANDLERS
+
+event bro_init() &priority=5
+ {
+ Log::create_stream(Pasad::LOG, [$columns=Entry, $path="pasad-parsed"]);
+ }
+
+event modbus_read_holding_registers_request(c: connection, headers: ModbusHeaders, start_address: count, quantity: count)
+ {
+ local tid = headers$tid;
+ local transaction = Transaction(
+ $start_address=start_address,
+ $quantity=quantity
+ );
+ c$pasad$transactions[tid] = transaction;
+ }
+
+event modbus_read_holding_registers_response(c: connection, headers: ModbusHeaders, registers: ModbusRegisters)
+ {
+ local tid = headers$tid;
+ if ( tid !in c$pasad$transactions )
+ {
+ event pasad_unmatched(tid);
+ return;
+ }
+ local transaction = c$pasad$transactions[tid];
+ delete c$pasad$transactions[tid];
+ pasad_generate_events(transaction, c, headers, registers, "h");
+ }
diff --git a/broccoli/script/pasad-simple.bro b/broccoli/script/pasad-simple.bro
new file mode 100644
index 0000000..db3b4be
--- /dev/null
+++ b/broccoli/script/pasad-simple.bro
@@ -0,0 +1,56 @@
+## Simple implementation that outputs the raw request and response data
+## to a log file.
+## Currently, this only handles the read_holding_registers event. Other
+## events can be handled similarily. This implementation assumes that
+## requests and responses are exchanged within the same connection. I am not
+## sure whether this really holds.
+
+module Pasad;
+
+export {
+ redef enum Log::ID += { LOG };
+
+ type Info: record {
+ ts_request: time &log;
+ ts_response: time &log &optional;
+ rtype: string &log;
+ tid_request: count &log;
+ tid_response: count &log &optional;
+ ip_orig: addr &log;
+ ip_resp: addr &log;
+ start_address: count &log;
+ quantity: count &log;
+ registers: ModbusRegisters &log &optional;
+ };
+}
+
+redef record connection += {
+ pasad: Info &optional;
+};
+
+event bro_init() &priority=5
+ {
+ Log::create_stream(Pasad::LOG, [$columns=Info, $path="pasad-simple"]);
+ }
+
+event modbus_read_holding_registers_request(c: connection, headers: ModbusHeaders, start_address: count, quantity: count)
+ {
+ local rec: Info = [
+ $ts_request=network_time(),
+ $rtype="holding",
+ $tid_request=headers$tid,
+ $start_address=start_address,
+ $quantity=quantity,
+ $ip_orig=c$id$orig_h,
+ $ip_resp=c$id$resp_h
+ ];
+ c$pasad = rec;
+ }
+
+event modbus_read_holding_registers_response(c: connection, headers: ModbusHeaders, registers: ModbusRegisters)
+ {
+ c$pasad$tid_response = headers$tid;
+ c$pasad$ts_response = network_time();
+ c$pasad$registers = registers;
+ Log::write(Pasad::LOG, c$pasad);
+ }
-- cgit v1.2.3
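Review bot: In broccoli/script/pasad-parsed.bro, `pasad_generate_events` indexes `registers[i]` up to `transaction$quantity`, a value taken from the request, without ever comparing it to the length of the response vector, so a response carrying fewer registers than were requested (truncated, malformed, or from a device that answers with an exception) drives the index out of range — exactly the failure the file's own header comment and the `# TODO: check registers size` line warn about. The loop bound should also respect the response, `while ( i < transaction$quantity && i < |registers| )`, and a mismatch between `|registers|` and `transaction$quantity` is worth surfacing through a log entry or a dedicated event rather than being silently truncated, since a short or oversized reply is itself a signal worth keeping for detection. The blob hash is identical on both sides of the move (`88b1be1`), so this predates the commit, but the new location is where it will be fixed. A related but smaller point: entries in `c$pasad$transactions` are only removed on a matching response, so requests that never get an answer accumulate for the lifetime of the connection; that is bounded by the connection but may be worth a comment.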
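Review bot: In broccoli/script/pasad-simple.bro, `modbus_read_holding_registers_response` writes to `c$pasad$tid_response` although `pasad` is declared `&optional` on `connection` and is only assigned by the request handler, so a response observed without a preceding request on that connection (a capture that starts mid-exchange, or a reply that is not paired with a request) dereferences an unset field and the handler fails at runtime. Guarding the handler with `if ( ! c?$pasad ) return;` as its first statement avoids that, and since the handler also never checks that `headers$tid` equals the stored `tid_request` — the header comment already flags uncertainty about request/response pairing — a stricter guard, `if ( ! c?$pasad || c$pasad$tid_request != headers$tid ) return;`, keeps mispaired transactions out of the log. The content is byte-identical to the deleted copy (`db3b4be` on both sides), so this is pre-existing, but the new path is where it should be addressed.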