From 7c55cebd914ac059b9c91a897cb00011b689eb57 Mon Sep 17 00:00:00 2001 From: Robin Krahl Date: Mon, 25 Sep 2017 20:55:08 +0000 Subject: bro-script: Add simple baseline implementation This implementation only logs the (combined) request and response events that occur within the same connection. This assumes that a response is always send over the same connection as a request. It is unclear whether this assumption really holds. This implementation does not yet contain error handling, so if there was no response for a request, Bro displays an error message. It also does not contain an interpretation of the values, so if multiple values are read within one request, they are displayed in the same log entry. --- bro-script/pasad-simple.bro | 46 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 46 insertions(+) create mode 100644 bro-script/pasad-simple.bro (limited to 'bro-script/pasad-simple.bro') diff --git a/bro-script/pasad-simple.bro b/bro-script/pasad-simple.bro new file mode 100644 index 0000000..d5f3e10 --- /dev/null +++ b/bro-script/pasad-simple.bro @@ -0,0 +1,46 @@ +## Simple implementation that outputs the raw request and response data +## to a log file. +## Currently, this only handles the read_holding_registers event. Other +## events can be handled similarily. This implementation assumes that +## requests and responses are exchanged within the same connection. I am not +## sure whether this really holds. + +module Pasad; + +export { + redef enum Log::ID += { LOG }; + + type Info: record { + ts_request: time &log; + ts_response: time &log &optional; + rtype: string &log; + tid_request: count &log; + tid_response: count &log &optional; + start_adress: count &log; + quantity: count &log; + registers: ModbusRegisters &log &optional; + }; +} + +redef record connection += { + pasad: Info &optional; +}; + +event bro_init() &priority=5 + { + Log::create_stream(Pasad::LOG, [$columns=Info, $path="pasad"]); + } + +event modbus_read_holding_registers_request(c: connection, headers: ModbusHeaders, start_adress: count, quantity: count) + { + local rec: Info = [$ts_request=network_time(), $rtype="holding", $tid_request=headers$tid, $start_adress=start_adress, $quantity=quantity]; + c$pasad = rec; + } + +event modbus_read_holding_registers_response(c: connection, headers: ModbusHeaders, registers: ModbusRegisters) + { + c$pasad$tid_response = headers$tid; + c$pasad$ts_response = network_time(); + c$pasad$registers = registers; + Log::write(Pasad::LOG, c$pasad); + } -- cgit v1.2.1