From 7c55cebd914ac059b9c91a897cb00011b689eb57 Mon Sep 17 00:00:00 2001
From: Robin Krahl
Date: Mon, 25 Sep 2017 20:55:08 +0000
Subject: bro-script: Add simple baseline implementation
This implementation only logs the (combined) request and response events that occur within the same connection. This assumes that a response is always send over the same connection as a request. It is unclear whether this assumption really holds. This implementation does not yet contain error handling, so if there was no response for a request, Bro displays an error message. It also does not contain an interpretation of the values, so if multiple values are read within one request, they are displayed in the same log entry.
---
 bro-script/README | 6 ++-
 bro-script/pasad-simple.bro | 46 ++++++++++++++++++++
 bro-script/pasad-simple.log | 100 ++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 151 insertions(+), 1 deletion(-)
 create mode 100644 bro-script/pasad-simple.bro
 create mode 100644 bro-script/pasad-simple.log
(limited to 'bro-script')
diff --git a/bro-script/README b/bro-script/README
index abfe1ad..03d9158 100644
--- a/bro-script/README
+++ b/bro-script/README
@@ -1,4 +1,8 @@
 This directory contains a baseline implementation of the package parser implemented as a Bro script. A .bro file contains a script that can be executed on a Modbus pcap dump. A .log file contains an example for an
-output file generated by this script.
+output file generated by this script. By convention, the sample log file
+should contain the first 100 lines of a real log file.
+
+Currently, the scripts only handle the read_holding_registers event. Other
+events can handled by simply copying and adapting the existing handlers.
diff --git a/bro-script/pasad-simple.bro b/bro-script/pasad-simple.bro
new file mode 100644
index 0000000..d5f3e10
--- /dev/null
+++ b/bro-script/pasad-simple.bro
@@ -0,0 +1,46 @@
+## Simple implementation that outputs the raw request and response data
+## to a log file.
+## Currently, this only handles the read_holding_registers event. Other
+## events can be handled similarily. This implementation assumes that
+## requests and responses are exchanged within the same connection. I am not
+## sure whether this really holds.
+
+module Pasad;
+
+export {
+ redef enum Log::ID += { LOG };
+
+ type Info: record {
+ ts_request: time &log;
+ ts_response: time &log &optional;
+ rtype: string &log;
+ tid_request: count &log;
+ tid_response: count &log &optional;
+ start_adress: count &log;
+ quantity: count &log;
+ registers: ModbusRegisters &log &optional;
+ };
+}
+
+redef record connection += {
+ pasad: Info &optional;
+};
+
+event bro_init() &priority=5
+ {
+ Log::create_stream(Pasad::LOG, [$columns=Info, $path="pasad"]);
+ }
+
+event modbus_read_holding_registers_request(c: connection, headers: ModbusHeaders, start_adress: count, quantity: count)
+ {
+ local rec: Info = [$ts_request=network_time(), $rtype="holding", $tid_request=headers$tid, $start_adress=start_adress, $quantity=quantity];
+ c$pasad = rec;
+ }
+
+event modbus_read_holding_registers_response(c: connection, headers: ModbusHeaders, registers: ModbusRegisters)
+ {
+ c$pasad$tid_response = headers$tid;
+ c$pasad$ts_response = network_time();
+ c$pasad$registers = registers;
+ Log::write(Pasad::LOG, c$pasad);
+ }
diff --git a/bro-script/pasad-simple.log b/bro-script/pasad-simple.log
new file mode 100644
index 0000000..e7979e5
--- /dev/null
+++ b/bro-script/pasad-simple.log
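Review bot: `modbus_read_holding_registers_response` dereferences `c$pasad` without a `c?$pasad` guard, so a response that arrives with no preceding request in the connection — something the observed traffic, not the script, decides — aborts the handler with a runtime error instead of being dropped, and because the record is never removed after `Log::write`, a later unpaired response re-logs the stale request fields together with new register data. The request handler also overwrites `c$pasad` unconditionally, so with more than one outstanding transaction in a connection a response is attributed to the most recent request rather than to the one carrying the same `headers$tid`; the interleaved transaction ids in the sample log suggest several requests can be in flight, though whether they share a connection is not visible here. Keying the pending records by transaction id and deleting them once logged pairs request and response explicitly, which matters if this log is meant to serve as a baseline for detecting anomalous process values. Separately, `start_adress` in the `Info` record and the handler signature is misspelled (`start_address`); since it is a `&log` field name, renaming it later changes the log schema for every consumer, so it is cheapest to fix before the first log is committed.
```bro
redef record connection += {
	pasad: table[count] of Info &optional;
};

# … unchanged: bro_init …

event modbus_read_holding_registers_request(c: connection, headers: ModbusHeaders, start_adress: count, quantity: count)
	{
	if ( ! c?$pasad )
		c$pasad = table();
	# Keyed by transaction id so several outstanding requests in one connection do not clobber each other.
	c$pasad[headers$tid] = [$ts_request=network_time(), $rtype="holding", $tid_request=headers$tid, $start_adress=start_adress, $quantity=quantity];
	}

event modbus_read_holding_registers_response(c: connection, headers: ModbusHeaders, registers: ModbusRegisters)
	{
	# A response without a pending request of the same tid is dropped instead of raising a runtime error.
	if ( ! c?$pasad || headers$tid !in c$pasad )
		return;
	local rec = c$pasad[headers$tid];
	rec$tid_response = headers$tid;
	rec$ts_response = network_time();
	rec$registers = registers;
	Log::write(Pasad::LOG, rec);
	# Remove the pending record so a duplicate or late response is not logged against it again.
	delete c$pasad[headers$tid];
	}
```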
@@ -0,0 +1,100 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path pasad +#open 2017-09-25-20-54-23 +#fields ts_request ts_response rtype tid_request tid_response start_adress quantity registers +#types time time string count count count count vector[count] +1480337775.934099 1480337775.971379 holding 2538 2538 80 8 48979,7282,15636,9709,48404,9709,16943,32237 +1480337776.128206 1480337776.131736 holding 2547 2547 60 12 17173,45657,49927,27307,17146,46421,17120,57951,17107,22452,16795,13653 +1480337776.103192 1480337776.132496 holding 2542 2542 0 3 244,32776,9728 +1480337776.123186 1480337776.146508 holding 2546 2546 68 6 0,0,0,0,0,0 +1480337776.113180 1480337776.156409 holding 2544 2544 50 6 2016,11,28,13,56,15 +1480337776.134962 1480337776.158094 holding 2548 2548 40 6 7,0,32768,0,0,0 +1480337776.144883 1480337776.171089 holding 2549 2549 50 6 2016,11,28,13,56,15 +1480337776.118196 1480337776.171376 holding 2545 2545 40 7 120,1,0,0,0,0,0 +1480337776.096762 1480337776.172857 holding 41583 41583 0 10 31840,27348,32541,6170,26,12311,0,0,0,0 +1480337776.169475 1480337776.180976 holding 2554 2554 68 8 17000,0,17012,0,17008,0,15948,52429 +1480337776.174899 1480337776.185110 holding 2555 2555 68 10 17052,0,17048,0,17046,0,17042,0,16256,0 +1480337776.108212 1480337776.195739 holding 2543 2543 50 6 2016,11,28,13,56,14 +1480337776.149574 1480337776.206115 holding 2550 2550 40 7 263,0,0,0,0,0,0 +1480337776.195190 1480337776.220473 holding 2559 2559 70 6 2016,11,28,13,56,14 +1480337776.205354 1480337776.231626 holding 2561 2561 60 8 0,0,17267,15019,17074,38533,16827,2427 +1480337776.204301 1480337776.235686 holding 2560 2560 60 12 0,0,16240,0,16707,0,16960,16081,17041,62199,16849,47332 +1480337776.215341 1480337776.238091 holding 2563 2563 80 6 16867,48545,48720,38836,48770,24273 +1480337776.225171 1480337776.250126 holding 2565 2565 50 6 2016,11,28,13,56,15 +1480337776.230277 1480337776.252068 holding 2566 2566 60 8 
16975,56798,17027,50517,16984,13350,16621,63109 +1480337776.178152 1480337776.252858 holding 41584 41584 58 10 16956,45056,16814,4096,16986,49152,17180,41984,0,0 +1480337776.210249 1480337776.264273 holding 2562 2562 68 8 0,0,0,0,0,0,0,0 +1480337776.235274 1480337776.277239 holding 2567 2567 50 6 2016,11,28,13,56,15 +1480337776.244236 1480337776.286747 holding 41588 41588 50 3 49152,0,0 +1480337776.239724 1480337776.305137 holding 41587 41587 50 3 1,0,0 +1480337776.280346 1480337776.312383 holding 2576 2576 80 6 16993,3098,16907,56957,17147,63329 +1480337776.290526 1480337776.315494 holding 2578 2578 68 8 0,0,0,0,0,0,0,0 +1480337776.285222 1480337776.315673 holding 2577 2577 72 8 16960,0,16952,0,17038,0,17042,0 +1480337776.299070 1480337776.324822 holding 41590 41590 60 6 2016,11,28,13,56,14 +1480337776.259216 1480337776.332727 holding 41585 41585 10 8 0,0,32,2048,0,3,0,0 +1480337776.295410 1480337776.334351 holding 2579 2579 80 8 0,0,0,0,0,0,0,0 +1480337776.315670 1480337776.344274 holding 2583 2583 68 8 0,0,0,0,0,0,0,0 +1480337776.310646 1480337776.345388 holding 2582 2582 60 8 0,0,48941,21845,16969,33071,16825,27307 +1480337776.308173 1480337776.351504 holding 41589 41589 60 6 2016,11,28,13,56,15 +1480337776.328087 1480337776.352746 holding 41592 41592 70 10 16539,13107,16616,41943,17329,983,17099,34079,16720,41943 +1480337776.320477 1480337776.360244 holding 2584 2584 68 8 0,0,0,0,0,0,0,0 +1480337776.355648 1480337776.379496 holding 2591 2591 86 8 0,0,0,0,16874,26215,0,0 +1480337776.357170 1480337776.389772 holding 41593 41593 80 16 17043,14418,16326,26214,16504,62915,16151,2621,16675,56099,18436,5504,16918,4821,16582,26214 +1480337776.381033 1480337776.403105 holding 2596 2596 68 6 0,0,0,0,0,0 +1480337776.363053 1480337776.407348 holding 41591 41591 94 6 17035,64717,16796,27610,17031,14131 +1480337776.365324 1480337776.416503 holding 2593 2593 80 4 15597,2427,15873,12136 +1480337776.340063 1480337776.423765 holding 41586 41586 38 10 
16950,4096,16900,32768,16798,8192,16608,0,16992,0 +1480337776.385390 1480337776.431254 holding 2597 2597 80 8 0,0,0,0,0,0,17095,27610 +1480337776.476201 1480337776.506120 holding 2606 2606 80 6 48592,0,48573,41263,48526,14564 +1480337776.506298 1480337776.518276 holding 2612 2612 40 6 1799,13431,32,2615,1591,1591 +1480337776.496191 1480337776.518469 holding 2610 2610 40 6 1031,0,32768,3,1,2 +1480337776.495616 1480337776.519869 holding 41595 41595 40 9 0,0,0,0,0,0,0,0,30 +1480337776.511294 1480337776.522899 holding 2613 2613 40 7 527,12543,0,563,1591,563,0 +1480337776.491221 1480337776.527134 holding 2609 2609 40 7 775,0,0,0,0,0,0 +1480337776.501350 1480337776.540895 holding 2611 2611 40 7 783,0,0,0,0,0,0 +1480337776.516193 1480337776.546865 holding 2614 2614 40 6 259,0,32768,0,0,0 +1480337776.554304 1480337776.579100 holding 2620 2620 40 6 263,0,32768,0,0,0 +1480337776.490946 1480337776.590021 holding 41594 41594 18 10 0,0,0,0,48669,28832,16167,8912,16164,48234 +1480337776.522267 1480337776.591382 holding 2615 2615 40 7 2063,0,32768,0,0,0,0 +1480337776.585015 1480337776.599260 holding 2626 2626 80 6 0,0,16784,0,16731,13107 +1480337776.589372 1480337776.599983 holding 2627 2627 80 8 0,0,17086,39322,0,0,0,0 +1480337776.574281 1480337776.606989 holding 2624 2624 50 6 2016,11,28,13,56,15 +1480337776.579367 1480337776.624210 holding 2625 2625 50 6 2016,11,28,13,56,15 +1480337776.599256 1480337776.635603 holding 2629 2629 40 7 3855,13567,192,1591,2615,2615,1591 +1480337776.609257 1480337776.643349 holding 2631 2631 40 6 7,0,0,0,0,0 +1480337776.604267 1480337776.649367 holding 2628 2628 50 6 2016,11,28,13,56,15 +1480337776.629206 1480337776.659118 holding 2635 2635 60 8 17056,37046,17260,57344,17029,48393,16890,15170 +1480337776.624205 1480337776.661266 holding 2634 2634 80 8 15696,38836,15568,38836,15568,38836,0,0 +1480337776.635896 1480337776.663986 holding 2636 2636 60 8 17151,13232,17213,31043,17068,41112,16708,64929 +1480337776.598093 1480337776.672871 holding 41596 
41596 28 10 16071,19398,16346,45875,16946,16384,16959,8192,16913,20480 +1480337776.649253 1480337776.676361 holding 2639 2639 40 7 3087,0,32768,0,0,0,0 +1480337776.654236 1480337776.677240 holding 2640 2640 50 6 2016,11,28,13,56,15 +1480337776.645288 1480337776.682747 holding 2638 2638 80 10 16384,0,16501,49807,0,0,0,0,16648,62914 +1480337776.660501 1480337776.698573 holding 2637 2637 60 8 17177,9421,17125,51883,17102,31554,16655,64322 +1480337776.671138 1480337776.701126 holding 2642 2642 68 8 0,0,0,0,0,0,0,0 +1480337776.684320 1480337776.706498 holding 2644 2644 60 8 17048,38426,48720,0,16986,11226,16895,6068 +1480337776.713660 1480337776.735618 holding 2647 2647 80 6 48561,50972,48365,2427,48621,2427 +1480337776.704169 1480337776.740641 holding 2643 2643 68 8 0,0,0,0,0,0,0,0 +1480337776.713186 1480337776.743142 holding 2645 2645 80 8 15597,2427,15597,2427,15597,2427,15597,2427 +1480337776.679076 1480337776.753232 holding 41597 41597 48 10 16720,0,16965,53248,16959,16384,16964,4096,16822,20480 +1480337776.746150 1480337776.781571 holding 2646 2646 80 8 15568,38836,15568,38836,0,0,0,0 +1480337776.875195 1480337776.912519 holding 2649 2649 0 3 244,40,9728 +1480337776.910345 1480337776.913669 holding 2656 2656 40 7 7,0,32768,0,0,0,0 +1480337776.880212 1480337776.915602 holding 2650 2650 50 6 2016,11,28,13,56,15 +1480337776.895199 1480337776.917131 holding 2653 2653 50 6 2016,11,28,13,56,15 +1480337776.870194 1480337776.922039 holding 2648 2648 68 8 0,0,0,0,0,0,0,0 +1480337776.890215 1480337776.930400 holding 2652 2652 50 6 2016,11,28,13,56,16 +1480337776.900279 1480337776.931123 holding 2654 2654 40 7 259,0,32768,0,0,0,0 +1480337776.885172 1480337776.936397 holding 2651 2651 50 6 2016,11,28,13,56,15 +1480337776.925970 1480337776.947376 holding 2659 2659 70 6 2016,11,28,13,56,15 +1480337776.905320 1480337776.956106 holding 2655 2655 40 7 263,0,32768,0,0,0,0 +1480337776.954233 1480337776.958002 holding 2664 2664 50 6 2016,11,28,13,56,15 +1480337776.940206 
1480337776.965516 holding 2660 2660 60 8 0,0,17266,17977,17074,46118,16827,40353 +1480337776.925370 1480337776.967032 holding 2658 2658 80 8 15568,38836,0,0,0,0,0,0 +1480337776.944478 1480337776.967249 holding 2662 2662 60 8 17058,3234,17105,17749,16954,7282,16772,26700 +1480337776.935247 1480337776.974263 holding 2661 2661 60 8 0,0,17070,10923,17035,27762,16703,46118 +1480337776.915597 1480337776.975377 holding 2657 2657 40 7 2063,0,32768,0,0,0,0 +1480337776.976604 1480337776.979823 holding 2668 2668 60 12 17173,48796,49926,54917,17146,46421,17120,50366,17107,7282,16795,43994 -- cgit v1.2.3