amzn / zeek-plugin-bacnet

Zeek network security monitor plugin that enables parsing of the BACnet standard building controls protocol
BSD 3-Clause "New" or "Revised" License

handling of optional content octets that follow the NPCI control octet #24

Open duffy-ocraven opened 4 years ago

duffy-ocraven commented 4 years ago

I had mentioned if (control & 0x80) { in https://github.com/amzn/zeek-plugin-bacnet/commit/4f91d6a9fd1ec24b2e10216cbbab8081774d4686#commitcomment-42241394

but I should be more effusive, since that change cannot proceed in isolation to parse all the possible network layer messages. The code needs to relocate and revise https://github.com/amzn/zeek-plugin-bacnet/blob/4f91d6a9fd1ec24b2e10216cbbab8081774d4686/scripts/main.zeek lines 165-189, which are the handling of the various optional content octets that follow the NPCI control octet and appear in network layer messages before the network_layer_message_type octet. Those statements need to be revised to perform not an exact comparison for equality, but instead bitmasking to decide based on bit5 and bit3. These can occur irrespective of the network_priority in bit1 and bit0. Additionally, bit2 is an interesting case, and it is worth noting any combinations observed which are non-standard in using a bit2 polarity that contradicts the network_layer_message_type octet which follows. The parser can, however, parse all possible network layer messages irrespective of bit2.
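The bitmask-based decoding the issue asks for, written out as an added Python example rather than as code from the zeek-plugin-bacnet project (whose parser is Zeek script). It follows the NPCI layout of ASHRAE 135 clause 6.2: bit7 of the control octet says a network layer message type octet follows, bit5 says DNET/DLEN/DADR (and a hop count) are present, bit3 says SNET/SLEN/SADR are present, bit2 is the expecting-reply flag and bits 1-0 are the priority. The three sample frames are constructed for this example; `parse_npci` and the `NPCI` dataclass are names chosen here. Testing each flag with a mask means a frame whose only difference is a non-zero priority still parses, whereas an equality test against one fixed control value would reject it.

```python
"""Bitmask-based decoding of the BACnet NPCI (ASHRAE 135 clause 6.2)."""
from dataclasses import dataclass
from typing import Optional

# Control-octet bit positions as defined by the standard.
CTRL_NETWORK_MESSAGE = 0x80  # bit7: network layer message, message type octet follows
CTRL_DEST_PRESENT = 0x20     # bit5: DNET/DLEN/DADR present, hop count present
CTRL_SRC_PRESENT = 0x08      # bit3: SNET/SLEN/SADR present
CTRL_EXPECTING_REPLY = 0x04  # bit2: data expecting reply
CTRL_PRIORITY_MASK = 0x03    # bits1-0: network priority


@dataclass
class NPCI:
    version: int
    control: int
    dnet: Optional[int] = None
    dadr: Optional[bytes] = None
    snet: Optional[int] = None
    sadr: Optional[bytes] = None
    hop_count: Optional[int] = None
    message_type: Optional[int] = None  # None when an APDU follows instead
    vendor_id: Optional[int] = None
    header_len: int = 0                 # offset of the first octet after the NPCI

    @property
    def is_network_message(self) -> bool:
        return bool(self.control & CTRL_NETWORK_MESSAGE)

    @property
    def expecting_reply(self) -> bool:
        # Reported so an observer can compare bit2 against the message type
        # that follows and flag non-standard combinations.
        return bool(self.control & CTRL_EXPECTING_REPLY)

    @property
    def priority(self) -> int:
        return self.control & CTRL_PRIORITY_MASK


def _need(data: bytes, pos: int, n: int) -> None:
    """Raise instead of reading past the end of a truncated frame."""
    if pos + n > len(data):
        raise ValueError(f"NPCI truncated: need {n} octet(s) at offset {pos}")


def parse_npci(data: bytes) -> NPCI:
    """Decode version, control and every optional field the control bits announce."""
    _need(data, 0, 2)
    npci = NPCI(version=data[0], control=data[1])
    pos = 2
    if npci.control & CTRL_DEST_PRESENT:
        _need(data, pos, 3)
        npci.dnet = int.from_bytes(data[pos:pos + 2], "big")
        dlen = data[pos + 2]
        pos += 3
        _need(data, pos, dlen)
        npci.dadr = data[pos:pos + dlen]  # DLEN 0 means broadcast: no DADR octets
        pos += dlen
    if npci.control & CTRL_SRC_PRESENT:
        _need(data, pos, 3)
        npci.snet = int.from_bytes(data[pos:pos + 2], "big")
        slen = data[pos + 2]
        pos += 3
        _need(data, pos, slen)
        npci.sadr = data[pos:pos + slen]
        pos += slen
    if npci.control & CTRL_DEST_PRESENT:
        _need(data, pos, 1)
        npci.hop_count = data[pos]  # present only when DNET is present
        pos += 1
    if npci.control & CTRL_NETWORK_MESSAGE:
        _need(data, pos, 1)
        npci.message_type = data[pos]
        pos += 1
        if npci.message_type >= 0x80:  # proprietary range carries a vendor id
            _need(data, pos, 2)
            npci.vendor_id = int.from_bytes(data[pos:pos + 2], "big")
            pos += 2
    npci.header_len = pos
    return npci


# Constructed sample frames (not captured traffic).
# A: bit7|bit5|bit3 set, DNET 0x1234/DADR 05, SNET 0x0002/SADR 07, hop FF,
#    message type 0x00, then two payload octets.
FRAME_A = bytes([0x01, 0xA8, 0x12, 0x34, 0x01, 0x05, 0x00, 0x02, 0x01, 0x07,
                 0xFF, 0x00, 0x00, 0x05])
# B: identical, but priority bits set (0xA8 -> 0xAB); a control == 0xA8 check fails here.
FRAME_B = bytes([0x01, 0xAB]) + FRAME_A[2:]
# C: APDU frame with only a global-broadcast destination (DLEN 0) and hop count.
FRAME_C = bytes([0x01, 0x20, 0xFF, 0xFF, 0x00, 0xFF, 0x10, 0x08])

if __name__ == "__main__":
    for frame in (FRAME_A, FRAME_B, FRAME_C):
        n = parse_npci(frame)
        print(f"control=0x{n.control:02x} net_msg={n.is_network_message} "
              f"prio={n.priority} reply={n.expecting_reply} dnet={n.dnet} "
              f"type={n.message_type} payload={frame[n.header_len:].hex()}")
```

The `expecting_reply` property only exposes bit2; deciding which message types it should agree with is left to whoever inspects the decoded header, as the issue suggests recording such combinations rather than rejecting them.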