integrate Zeek IEC104 parser

idaholab / Malcolm

Malcolm is a powerful, easily deployable network traffic analysis tool suite for full packet capture artifacts (PCAP files), Zeek logs and Suricata alerts.

https://idaholab.github.io/Malcolm/

Other

357 stars 59 forks source link

integrate Zeek IEC104 parser #557

Open mmguero opened 2 months ago

mmguero commented 2 months ago

cert-lv/zeek-iec104 takes the initial work done by @georgemakrakis and expands on it. I think this would be a great protocol parser to integrate into Malcolm.

see:

adding a new zeek package
parsing new zeek logs

mmguero commented 1 month ago

There are a few issues I'd like to resolve in the plugin before getting this in:

can we make it signature based rather than port based?
I don't like the way it overrides JSON vs. TSV, is there a reason we can't just let Zeek handle it globally like all the other plugins?
this isn't as huge a deal, but the tests directory is kind of weird