# Script-layer namespace for the Genisys analyzer; everything declared below
# is addressed as GENISYS::<name> from other scripts.
module GENISYS;
##! Copyright 2022 Battelle Energy Alliance, LLC
export {
    ## Identifier of the log stream that receives Message records; the stream
    ## itself is created in zeek_init() with $path="genisys".
    redef enum Log::ID += { GENISYS_LOG };

    ## One address/value pair from a Genisys message payload as delivered by
    ## the parser. Its fields are not logged directly; the msg handler
    ## flattens each pair into an "addr=val" string in Message$payload.
    type PayloadData: record {
        address: count;
        data: count;
    };

    #############################################################################
    ## Record written to genisys.log, one per parsed Genisys message.
    ## Fields marked &optional are left unset when the message did not carry
    ## the corresponding data (see the GENISYS::msg handler).
    type Message: record {
        # Timestamp for when the event happened.
        ts: time &log;
        # Unique ID for the connection.
        uid: string &log;
        # The connection's 4-tuple of endpoint addresses/ports.
        id: conn_id &log;
        # transport protocol
        proto: transport_proto &log &optional;
        # header PDU type; the human-readable label from HEADER_CODES,
        # "unknown" for a code that table does not list
        header: string &log &optional;
        # server ID
        server: count &log &optional;
        # direction; "request"/"response" from DIRECTIONS, else "unknown"
        direction: string &log &optional;
        # crc (actual in PCAP, calculated) as hex. The two fields are set
        # together by the msg handler, so a record where they differ is the
        # signal that the frame's checksum did not verify.
        crc_transmitted: string &log &optional;
        crc_calculated: string &log &optional;
        # addr=val pairs
        payload: vector of string &log &optional;
    };

    ## Log labels for the header codes the parser can emit. The &default
    ## means a lookup for a code not listed here yields "unknown" rather than
    ## a missing-index error, so an unexpected PDU type is still logged.
    const HEADER_CODES = {
        [Genisys::HeaderCode_ACKNOWLEDGE_CLIENT] = "Acknowledge Client",
        [Genisys::HeaderCode_INDICATION_DATA] = "Indication Data",
        [Genisys::HeaderCode_CONTROL_DATA_CHECKBACK] = "Control Data Checkback",
        [Genisys::HeaderCode_COMMON_CONTROL_DATA] = "Common Control Data",
        [Genisys::HeaderCode_ACKNOWLEDGE_INDICATION_AND_POLL] = "Acknowledge Indication and Poll",
        [Genisys::HeaderCode_POLL] = "Poll",
        [Genisys::HeaderCode_CONTROL_DATA] = "Control Data",
        [Genisys::HeaderCode_RECALL_HEADER] = "Recall Header",
        [Genisys::HeaderCode_EXECUTE_CONTROLS] = "Execute Controls",
    } &default = "unknown";

    ## Log labels for message direction; any other value maps to "unknown".
    const DIRECTIONS = {
        [Genisys::Direction_CLIENT_TO_SERVER] = "request",
        [Genisys::Direction_SERVER_TO_CLIENT] = "response",
    } &default = "unknown";

    ## Event that can be handled to access the genisys logging record.
    global log_genisys: event(rec: Message);

    ## Policy hook attached to the GENISYS_LOG stream; handlers can veto or
    ## modify a record before it is written.
    global log_policy_genisys: Log::PolicyHook;
}
#############################################################################
# Per-connection slot for tagging the protocol. It is declared here but not
# assigned anywhere in this script; presumably another script in the package
# populates it.
redef record connection += {
    genisys_proto: string &optional;
};
export {
    ## TCP port(s) the Genisys analyzer is registered on in zeek_init().
    ## &redef lets a site override the default of 10001/tcp from local.zeek.
    const genisys_ports_tcp: set[port] = { 10001/tcp } &redef;
}
# Advertise the Genisys ports as server-side ports; Zeek consults
# likely_server_ports when it has to guess which endpoint is the server.
redef likely_server_ports += { genisys_ports_tcp };
event zeek_init() &priority=5 {
    # Create the genisys.log stream, then attach the TCP analyzer to the
    # configured ports. The two steps are independent of each other.
    Log::create_stream(GENISYS::GENISYS_LOG,
                       [$columns=Message, $ev=log_genisys, $path="genisys", $policy=log_policy_genisys]);
    Analyzer::register_for_ports(Analyzer::ANALYZER_GENISYS_TCP, genisys_ports_tcp);
}
event GENISYS::msg(c: connection,
                   header: Genisys::HeaderCode,
                   server: count,
                   direction: Genisys::Direction,
                   crc: count,
                   crcActual: count,
                   payload: vector of PayloadData) {
    # Build one Message record for this Genisys PDU and write it to
    # GENISYS_LOG. Optional fields stay unset when the PDU carried no data
    # for them.
    local rec: Message = [$ts=network_time(), $uid=c$uid, $id=c$id];
    rec$proto = get_conn_transport_proto(c$id);

    # Enum values are mapped to their log labels; codes the tables do not
    # list become "unknown" via &default rather than aborting the handler.
    rec$header = HEADER_CODES[header];
    rec$server = server;
    rec$direction = DIRECTIONS[direction];

    # Both CRC fields are recorded only when the transmitted CRC is non-zero.
    # NOTE(review): a frame whose transmitted CRC is genuinely 0x00 is logged
    # with neither field, so a checksum mismatch on such a frame is not
    # visible in the log; confirm whether the parser uses 0 to mean "no CRC".
    if (crc != 0) {
        rec$crc_transmitted = fmt("0x%02x", crc);
        rec$crc_calculated = fmt("0x%02x", crcActual);
    }

    # Flatten the address/value pairs into "addr=val" strings. An empty
    # payload leaves the field unset instead of logging an empty vector.
    if (|payload| != 0) {
        local pairs: vector of string = vector();
        for (i in payload)
            pairs += fmt("%d=%d", payload[i]$address, payload[i]$data);
        rec$payload = pairs;
    }

    Log::write(GENISYS::GENISYS_LOG, rec);
}