cisagov / icsnpp-bacnet

Zeek BACnet Parser - CISA ICSNPP
BSD 3-Clause "New" or "Revised" License

Multiple object types, but only one got output #30

Closed helenwangjia closed 3 months ago

helenwangjia commented 1 year ago

🐛 Summary

When there are multiple object types in one packet, zeek only outputs one. For example, there are 20 packets in test.pcap, and no.1 has two object types (device and accumulator), as shown in the Wireshark screenshot. But after I ran this command, zeek -Cr test.pcap /usr/local/zeek/share/zeek/site/icsnpp-bacnet/main.zeek, the object_type is output as "accumulator" only in bacnet_discovery.log. Another example is no.18, which has 8 object types. However, after I ran this command, zeek -Cr test.pcap /usr/local/zeek/share/zeek/site/icsnpp-bacnet/main.zeek, the object_type is output as "schedule" only in bacnet_property.log. For further confirmation, I also ran this pcap through tshark, and each object type is output.

To reproduce

Run zeek -Cr test.pcap /usr/local/zeek/share/zeek/site/icsnpp-bacnet/main.zeek

Expected behavior

Logic for which object type should be output

Any helpful log output

bacnet_discovery.log for no.1

1692099997.714948   CyFXcfmZiqRZeZJ4b   10.0.0.2    47808   10.0.0.255  47808   T   i-have  accumulator 4   -   -   (empty)

bacnet_property.log for no.18

1692099997.715010   Cuoso93BOASnNw524i  10.0.0.2    47808   10.0.0.1    47808   T   94  read-property-ack   schedule    385 Vendor Specific (71303554)  -   schedule: 388

Add any screenshots of the problem here.

no.1

[Screenshot 2023-08-15 at 22:11:10]

no.18

[Screenshot 2023-08-15 at 22:12:12]

Attachment: test.pcap (test.pcap.zip)

For further information, log output by tshark for no.1

1692099997.714948000    10.0.0.2    10.0.0.255  i-Have (1)  47808   Unconfirmed-REQ (1) device
1692099997.714948000    10.0.0.2    10.0.0.255  i-Have (1)  47808   Unconfirmed-REQ (1) accumulator

log output by tshark for no.18

1692099997.715010000    10.0.0.2    10.0.0.1    readProperty (12)   47808   Complex-ACK (3) binary-input
1692099997.715010000    10.0.0.2    10.0.0.1    readProperty (12)   47808   Complex-ACK (3) binary-output
1692099997.715010000    10.0.0.2    10.0.0.1    readProperty (12)   47808   Complex-ACK (3) binary-value
1692099997.715010000    10.0.0.2    10.0.0.1    readProperty (12)   47808   Complex-ACK (3) device
1692099997.715010000    10.0.0.2    10.0.0.1    readProperty (12)   47808   Complex-ACK (3) group
1692099997.715010000    10.0.0.2    10.0.0.1    readProperty (12)   47808   Complex-ACK (3) notification-class
1692099997.715010000    10.0.0.2    10.0.0.1    readProperty (12)   47808   Complex-ACK (3) schedule
1692099997.715010000    10.0.0.2    10.0.0.1    readProperty (12)   47808   Complex-ACK (3) accumulator
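One way to turn the comparison described in this report into a repeatable parser-coverage check, as an added example that is not part of the issue or of the icsnpp-bacnet project: group the tshark rows and the Zeek log rows by (timestamp, source, destination) and list the object types tshark dissected that never reached the Zeek log. The sample rows below are the ones quoted in the report, re-typed here as tab-separated strings (constructed input, not files from the repository); the object_type column indexes (8 for bacnet_discovery.log, 9 for bacnet_property.log) are read off those quoted lines and are an assumption about the log layout.

```python
"""Cross-check Zeek BACnet logs against tshark output, one row per object type.

Added example: sample rows are re-typed from the issue as tab-separated
strings (constructed input); column positions are assumed from those rows.
"""
from collections import defaultdict

# tshark columns (as printed in the issue): frame.time_epoch, ip.src, ip.dst,
# service, port, PDU type, object type.
TSHARK_DISCOVERY = [
    "1692099997.714948000\t10.0.0.2\t10.0.0.255\ti-Have (1)\t47808\tUnconfirmed-REQ (1)\tdevice",
    "1692099997.714948000\t10.0.0.2\t10.0.0.255\ti-Have (1)\t47808\tUnconfirmed-REQ (1)\taccumulator",
]
TSHARK_PROPERTY = [
    "1692099997.715010000\t10.0.0.2\t10.0.0.1\treadProperty (12)\t47808\tComplex-ACK (3)\t" + obj
    for obj in ("binary-input", "binary-output", "binary-value", "device",
                "group", "notification-class", "schedule", "accumulator")
]

# Zeek rows: ts, uid, orig_h, orig_p, resp_h, resp_p, is_orig, ... object_type ...
ZEEK_DISCOVERY = [
    "1692099997.714948\tCyFXcfmZiqRZeZJ4b\t10.0.0.2\t47808\t10.0.0.255\t47808\tT\ti-have\taccumulator\t4\t-\t-\t(empty)",
]
ZEEK_PROPERTY = [
    "1692099997.715010\tCuoso93BOASnNw524i\t10.0.0.2\t47808\t10.0.0.1\t47808\tT\t94\tread-property-ack\tschedule\t385\tVendor Specific (71303554)\t-\tschedule: 388",
]

DISCOVERY_OBJ_COL = 8   # assumed from the quoted bacnet_discovery.log row
PROPERTY_OBJ_COL = 9    # assumed from the quoted bacnet_property.log row


def norm_ts(ts: str) -> str:
    """Truncate to microseconds so Zeek (6 decimals) and tshark (9 decimals) keys compare equal."""
    whole, _, frac = ts.partition(".")
    return f"{whole}.{frac[:6].ljust(6, '0')}"


def tshark_object_types(lines):
    """Map (ts, src, dst) -> set of object types tshark emitted for that packet."""
    seen = defaultdict(set)
    for line in lines:
        f = line.split("\t")
        seen[(norm_ts(f[0]), f[1], f[2])].add(f[-1])
    return seen


def zeek_object_types(lines, obj_col):
    """Map (ts, orig_h, resp_h) -> set of object types present in the Zeek log rows."""
    seen = defaultdict(set)
    for line in lines:
        if line.startswith("#"):          # skip Zeek log header lines
            continue
        f = line.split("\t")
        seen[(norm_ts(f[0]), f[2], f[4])].add(f[obj_col])
    return seen


def missing_object_types(zeek_lines, obj_col, tshark_lines):
    """Return {packet_key: [object types tshark saw but the Zeek log lacks]} for packets with gaps."""
    expected = tshark_object_types(tshark_lines)
    logged = zeek_object_types(zeek_lines, obj_col)
    gaps = {}
    for key, objs in expected.items():
        dropped = objs - logged.get(key, set())
        if dropped:
            gaps[key] = sorted(dropped)
    return gaps


if __name__ == "__main__":
    for name, zeek, col, tshark in (
        ("bacnet_discovery.log", ZEEK_DISCOVERY, DISCOVERY_OBJ_COL, TSHARK_DISCOVERY),
        ("bacnet_property.log", ZEEK_PROPERTY, PROPERTY_OBJ_COL, TSHARK_PROPERTY),
    ):
        for key, dropped in missing_object_types(zeek, col, tshark).items():
            print(f"{name} {key}: missing {', '.join(dropped)}")
```

Against the quoted rows this reports "device" missing from the discovery record and seven of the eight object types missing from the property record, which is exactly the discrepancy the report describes. On real captures, feed it the actual tab-separated log files and a tshark export with the same column order; the timestamp truncation is what lets the two tools' rows line up.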

kkvarfordt commented 3 months ago

Fixed, see PR #38