georgemakrakis / zeek-iec104

A Zeek parser for the IEC 104 protocol built using Spicy.

Iec104 parse and event dumping #17

Closed biswajitutil closed 2 months ago

biswajitutil commented 4 months ago

Hi @georgemakrakis ,

I was analysing a few pcaps and dumped all the events generated.

I saw that the below pcap (iec104_1.zip) is able to find only 2 IEC 104 events. I was expecting a few more; can you please check the pcap once and let me know if my understanding is correct?

```
1706165543.368952 iec104::apci APCI request, [orig_h=172.16.43.1, orig_p=4497/tcp, resp_h=172.16.43.10, resp_p=2404/tcp], 4, 0, 0, 1 TESTFR act
1706165543.368952 iec104::u IEC104 U, [orig_h=172.16.43.1, orig_p=4497/tcp, resp_h=172.16.43.10, resp_p=2404/tcp]
```


Whereas the below pcap (iec104_2.zip) is generating more events; not sure why?

```
1712316412.866614 iec104::SIQ_CP56Time2a_evt
1712316412.866614 iec104::SIQ_CP56Time2a_evt
1712316412.866614 iec104::SIQ_CP56Time2a_evt
1712316412.866614 iec104::asdu
1712316412.866614 iec104::apci !!!!!!!!!!!!!!!!!!!!! PARSE ENTRY !!!!!!!!!!!!!!!!!!!!!! APCI request, [orig_h=172.32.17.2, orig_p=55359/tcp, resp_h=172.16.43.1, resp_p=2404/tcp], 43, 2, 1, 3
1712316412.866614 iec104::i IEC104 i, [orig_h=172.32.17.2, orig_p=55359/tcp, resp_h=172.16.43.1, resp_p=2404/tcp]
1712316412.920586 new_connection
1712316412.931555 iec104::apci !!!!!!!!!!!!!!!!!!!!! PARSE ENTRY !!!!!!!!!!!!!!!!!!!!!! APCI request, [orig_h=172.16.43.1, orig_p=5000/tcp, resp_h=172.16.43.10, resp_p=2404/tcp], 4, 0, 0, 0
1712316412.931555 iec104::s IEC104 S, [orig_h=172.16.43.1, orig_p=5000/tcp, resp_h=172.16.43.10, resp_p=2404/tcp]
1712316413.001347 new_connection
1712316420.941566 iec104::apci !!!!!!!!!!!!!!!!!!!!! PARSE ENTRY !!!!!!!!!!!!!!!!!!!!!! APCI request, [orig_h=172.32.17.2, orig_p=55359/tcp, resp_h=172.16.43.1, resp_p=2404/tcp], 4, 0, 0, 0
1712316420.941566 iec104::s IEC104 S, [orig_h=172.32.17.2, orig_p=55359/tcp, resp_h=172.16.43.1, resp_p=2404/tcp]
1712316426.055760 iec104::SIQ_CP56Time2a_evt
1712316426.055760 iec104::SIQ_CP56Time2a_evt
1712316426.055760 iec104::asdu
1712316426.055760 iec104::apci !!!!!!!!!!!!!!!!!!!!! PARSE ENTRY !!!!!!!!!!!!!!!!!!!!!! APCI request, [orig_h=172.32.17.2, orig_p=55359/tcp, resp_h=172.16.43.1, resp_p=2404/tcp], 32, 2, 1, 3
1712316426.055760 iec104::i IEC104 i, [orig_h=172.32.17.2, orig_p=55359/tcp, resp_h=172.16.43.1, resp_p=2404/tcp]
1712316426.157191 new_connection
1712316426.437863 iec104::SIQ_CP56Time2a_evt
1712316426.437863 iec104::SIQ_CP56Time2a_evt
1712316426.437863 iec104::asdu
1712316426.437863 iec104::apci !!!!!!!!!!!!!!!!!!!!! PARSE ENTRY !!!!!!!!!!!!!!!!!!!!!! APCI request, [orig_h=172.32.17.2, orig_p=55359/tcp, resp_h=172.16.43.1, resp_p=2404/tcp], 32, 3, 1, 3
1712316426.437863 iec104::i IEC104 i, [orig_h=172.32.17.2, orig_p=55359/tcp, resp_h=172.16.43.1, resp_p=2404/tcp]
1712316430.955496 iec104::apci !!!!!!!!!!!!!!!!!!!!! PARSE ENTRY !!!!!!!!!!!!!!!!!!!!!! APCI request, [orig_h=172.16.43.1, orig_p=5000/tcp, resp_h=172.16.43.10, resp_p=2404/tcp], 4, 0, 0, 1
1712316430.955496 iec104::u IEC104 U, [orig_h=172.16.43.1, orig_p=5000/tcp, resp_h=172.16.43.10, resp_p=2404/tcp]
```

Note: I am using https://github.com/zeek/zeek/blob/master/scripts/policy/misc/dump-events.zeek for dumping events.

Thanks Biswa

biswajitutil commented 4 months ago

Also, one more thing to ask here:

Are the below events independent, or will the event iec104::apci always execute for each packet?

```
1712316426.437863 iec104::SIQ_CP56Time2a_evt
1712316426.437863 iec104::SIQ_CP56Time2a_evt
1712316426.437863 iec104::asdu
1712316426.437863 iec104::apci
```

georgemakrakis commented 4 months ago

@biswajitutil thank you for bringing up this issue. I see in the iec104_1.zip that there are some ASDU types that are not currently supported, but this should not stop the parser from finding the subsequent events. I will investigate that.

biswajitutil commented 4 months ago

iec104_3.zip If you see the attached pcap file above, you will find a few packets of 480 bytes having multiple ASDUs. How to process such packets? Currently a single message/event is coming.

There are a few events where `hook set_session(c)` is not present; is that intentional? If so, why?

In the iec104_1.zip pcap, I am only able to process a few messages; zeek hung after that. Events are as below:

1712316552.358990 Broker::log_flush 1712316552.702564 ntp_message 1712316552.710231 ntp_message 1712316552.822481 connection_state_remove 1712316552.869682 run_sync_hook 1712316552.906671 connection_state_remove 1712316552.931389 connection_state_remove

It was paused here. I gave Ctrl+C to stop:

^C1712316553.053507 received termination signal 1712316553.053507 reporter_info 1712316553.053507 net_done 1712316553.053507 Broker::log_flush 1712316553.053507 run_sync_hook 1712316553.053507 filter_change_tracking 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 
connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 analyzer_confirmation_info 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 analyzer_confirmation_info 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 
connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 analyzer_confirmation_info 1712316553.053507 connection_state_remove 1712316553.053507 analyzer_confirmation_info 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove REMOVE, [orig_h=172.16.43.1, orig_p=5000/tcp, resp_h=172.16.43.10, resp_p=2404/tcp] 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 analyzer_confirmation_info 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove REMOVE, [orig_h=172.32.17.2, orig_p=55359/tcp, resp_h=172.16.43.1, resp_p=2404/tcp] 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 analyzer_confirmation_info 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 connection_state_remove 1712316553.053507 zeek_done 1712316553.053507 ChecksumOffloading::check `

Thanks
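The two parsing questions in this thread (whether iec104::apci fires once per packet, and what happens when one 480-byte segment carries several ASDUs) both come down to IEC 104 framing: a TCP payload may hold several APDUs back to back, each with its own 6-byte APCI, and only I-format APDUs carry an ASDU with information objects. The Python below is an added illustration, not code from zeek-iec104 or from either participant. The byte string is constructed by hand (a TESTFR act U-frame, an S-frame, and a 32-byte I-frame with two M_SP_TB_1 objects, the same sizes seen in the dumps above), and the event names in `count_events` are an assumed mapping of frame-to-event taken from reading the dumps, not a description of the parser's internals.

```python
"""Split one IEC 60870-5-104 TCP payload into APDUs and walk each one
APCI -> ASDU -> information objects, the hierarchy the dumped events
(iec104::apci, iec104::asdu, iec104::SIQ_CP56Time2a_evt) reflect."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional
import struct

START_BYTE = 0x68
# U-format function bits live in control octet 1 (bits 2..7).
U_FUNCTIONS = {0x04: "STARTDT act", 0x08: "STARTDT con", 0x10: "STOPDT act",
               0x20: "STOPDT con", 0x40: "TESTFR act", 0x80: "TESTFR con"}
M_SP_TB_1 = 30  # single-point information with CP56Time2a time tag


@dataclass
class Apdu:
    frame: str                        # "I", "S" or "U"
    length: int                       # APDU length field (control field + ASDU)
    detail: str                       # U function, or I/S sequence numbers
    asdu_type: Optional[int] = None
    cot: Optional[int] = None         # cause of transmission (low 6 bits)
    common_addr: Optional[int] = None
    objects: list = field(default_factory=list)


def decode_cp56time2a(b: bytes) -> str:
    """Seven-octet time tag -> 'YYYY-MM-DD hh:mm:ss.mmm', plus ' (IV)' if flagged invalid."""
    ms = struct.unpack_from("<H", b, 0)[0]
    minute, invalid = b[2] & 0x3F, bool(b[2] & 0x80)
    hour, day, month, year = b[3] & 0x1F, b[4] & 0x1F, b[5] & 0x0F, 2000 + (b[6] & 0x7F)
    stamp = f"{year:04d}-{month:02d}-{day:02d} {hour:02d}:{minute:02d}:{ms // 1000:02d}.{ms % 1000:03d}"
    return stamp + (" (IV)" if invalid else "")


def parse_asdu(asdu: bytes, apdu: Apdu) -> None:
    """Fill in the ASDU header and one dict per information object."""
    apdu.asdu_type, vsq = asdu[0], asdu[1]
    sq, count = bool(vsq & 0x80), vsq & 0x7F
    apdu.cot = asdu[2] & 0x3F
    apdu.common_addr = struct.unpack_from("<H", asdu, 4)[0]
    pos = 6
    if apdu.asdu_type == M_SP_TB_1 and not sq:
        for _ in range(count):  # each object: 3-byte IOA, SIQ, 7-byte CP56Time2a
            ioa = int.from_bytes(asdu[pos:pos + 3], "little")
            siq = asdu[pos + 3]
            apdu.objects.append({"ioa": ioa, "spi": siq & 0x01, "iv": bool(siq & 0x80),
                                 "time": decode_cp56time2a(asdu[pos + 4:pos + 11])})
            pos += 11
    else:  # other types are kept raw so the walk never silently drops data
        apdu.objects.append({"unsupported": apdu.asdu_type, "sq": sq, "raw": asdu[6:].hex()})


def split_apdus(payload: bytes):
    """Return (apdus, leftover). leftover is non-empty when the last APDU is cut
    by a segment boundary and the next segment is needed to complete it."""
    apdus, pos = [], 0
    while pos + 2 <= len(payload):
        if payload[pos] != START_BYTE:
            raise ValueError(f"expected start byte 0x68 at offset {pos}")
        length = payload[pos + 1]
        body = payload[pos + 2:pos + 2 + length]
        if len(body) < length:
            break                                  # truncated: wait for more data
        c1, c2, c3, c4 = body[:4]
        if c1 & 0x01 == 0:                         # I-format: carries an ASDU
            send, recv = (c1 >> 1) | (c2 << 7), (c3 >> 1) | (c4 << 7)
            a = Apdu("I", length, f"send={send} recv={recv}")
            parse_asdu(body[4:], a)
        elif c1 & 0x03 == 0x01:                    # S-format: supervisory ack only
            a = Apdu("S", length, f"recv={(c3 >> 1) | (c4 << 7)}")
        else:                                      # U-format: unnumbered control
            a = Apdu("U", length, U_FUNCTIONS.get(c1 & 0xFC, f"unknown 0x{c1:02x}"))
        apdus.append(a)
        pos += 2 + length
    return apdus, payload[pos:]


def count_events(apdus) -> dict:
    """Assumed frame-to-event mapping: one apci per APDU, one u/s/i per frame
    type, one asdu per I-frame, one SIQ event per M_SP_TB_1 object."""
    c = Counter()
    for a in apdus:
        c["iec104::apci"] += 1
        c[f"iec104::{a.frame.lower()}"] += 1
        if a.frame == "I":
            c["iec104::asdu"] += 1
            if a.asdu_type == M_SP_TB_1:
                c["iec104::SIQ_CP56Time2a_evt"] += len(a.objects)
    return dict(c)


# Constructed segment: U (TESTFR act) + S (recv=1) + I (2 x M_SP_TB_1) back to back.
SEGMENT = bytes.fromhex(
    "68 04 43 00 00 00 "
    "68 04 01 00 02 00 "
    "68 20 04 00 02 00 1e 02 03 00 01 00 "
    "01 00 00 01 82 ce 2e 0a a5 04 18 "
    "02 00 00 00 82 ce 2e 0a a5 04 18")

if __name__ == "__main__":
    frames, rest = split_apdus(SEGMENT)
    for f in frames:
        print(f.frame, f.length, f.detail, f.objects)
    print(count_events(frames), "leftover bytes:", len(rest))
```

Running it shows three apci-level frames from a single payload, one asdu and two per-object records from the I-frame, and, if the payload is cut short, the leftover bytes that a stream-based parser has to carry over to the next segment rather than treating the packet as one message.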

georgemakrakis commented 3 months ago

@biswajitutil Per that latest commit, all the events can be identified for the iec104_1.zip that you attached. Can you please let me know if it works at your end?

Also, do you wish this PCAP file to be part of the testing folder in this repo? If so, please open a Pull Request adding it to the testing/Traces/fifth folder and then modify the PCAP section in the README file to include its source.

biswajitutil commented 3 months ago

@georgemakrakis Surely, I will check and let you know. Please check the nested ASDU parse, attached in iec104_3.zip.

biswajitutil commented 3 months ago

@georgemakrakis I am not able to distinguish the exact change you made in your last/latest commit, as most of the changes were already there in the previous commit.

georgemakrakis commented 3 months ago

@biswajitutil you are right, the commit has the recent changes; apologies for the confusion. Let me know if it works with your PCAPs, since I do not have access to a dev machine at the moment.

Also let me know if you wish this PCAP file to be part of the testing folder in this repo, by opening a Pull Request and adding it to the testing/Traces/fifth folder.

biswajitutil commented 2 months ago

Hi @georgemakrakis, sorry for the late response. I can add the pcap after changing the IP and MAC addresses or any vendor-specific info and can generate a PR, or you can also upload it after these changes. Thanks

georgemakrakis commented 2 months ago

@biswajitutil you can proceed with adding the info and the PR, and I will review it and merge it.