Skip to content

This issue was moved to a discussion.

You can continue the conversation there. Go to discussion →

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

spicy script help for packer analyser #3214

Closed
biswajitutil opened this issue Aug 3, 2023 · 1 comment
Closed

spicy script help for packer analyser #3214

biswajitutil opened this issue Aug 3, 2023 · 1 comment

Comments

@biswajitutil
Copy link

biswajitutil commented Aug 3, 2023
edited by bbannier

Hi,
I am trying to add a very basic analyser for Goose (IEC61850) which will just

  1. detect the protocol (no parsing of PDU as of now) for every packet and prints that it has detected.
  2. Once 1. is done then I will need to send an analyzer confirmation event to my broker module to notify that Goose is detected.
    As it is running over ethernet (type 0x88ba) and so I tried packet analyzer not protocol analyzer.
    GOOSE-frame-structure

I am able to register the plugin and can see in zeek -NN but not able to do 1 & 2. It is printing nothing for the pcap, just getting packet_filter.log with an entry of default bpf filter IP or not IP.

$ /usr/local/zeek/bin/zeek -NN |grep GOOSE
    [Packet Analyzer] spicy_GOOSE (ANALYZER_SPICY_GOOSE, enabled)

Can you please tell where I am doing mistakes.

Below are my spicy scripts

spicy parser script

biswa:~/zeek-spicy-goose/analyzer$ cat goose.spicy

module zeek_spicy_goose;
public type GOOSEPacket = unit {
    appid: uint8;
    pkt_len: uint16;
    payload: bytes &eod;
};

spicy event

biswa:~/zeek-spicy-goose/analyzer$ cat goose.evt
packet analyzer spicy::GOOSE:
    parse with zeek_spicy_goose::GOOSEPacket;

import zeek_spicy_goose;

on zeek_spicy_goose::GOOSEPacket -> event GOOSE::message($packet, self.appid, self.pkt_len);

zeek spicy script

biswa:~/zeek-spicy-goose/analyzer$ cat zeek_goose.spicy

module Zeek_zeek_spicy_goose;

import zeek_spicy_goose;
import zeek;

on zeek_spicy_goose::GOOSEPacket::%done {
    zeek::confirm_protocol();
}

on zeek_spicy_goose::GOOSEPacket::%error {
    zeek::reject_protocol("error while parsing GOOSE record");
}

Zeek script

biswa@dmz-ashish-new:~/zeek-spicy-goose/analyzer$ cat ../scripts/main.zeek
module GOOSE;

global goose_topic = "/topic/goose";

global begin_time: time;
global total_time: interval;

export {
        ## Log stream identifier.
        redef enum Log::ID += { GOOSE_LOG };

        ## Record type containing the column fields of the goose log.
        type Info: record {
                ## Timestamp for when the activity happened.
                ts: time &log &default=network_time();
                appid: count &log &optional;
                pkt_len: count &log &optional;
        };

        global GOOSE::message: event(pkt: raw_pkt_hdr, appid: count, pkt_len: count);

        global analyzer_confirmation: event(atype: AllAnalyzers::Tag, info: AnalyzerConfirmationInfo);

        global GOOSE::log_goose: event(rec: GOOSE::Info);

        global log_GOOSE: event(rec: Info);
}

redef record raw_pkt_hdr  += {
        GOOSE: Info &optional;
};


event zeek_init() &priority=5
{
        suspend_processing();
        Broker::peer(addr_to_uri(127.0.0.1), 50000/tcp);

         if ( ! PacketAnalyzer::try_register_packet_analyzer_by_name("Ethernet", 0x88ba, "spicy_GOOSE") )
               if ( ! PacketAnalyzer::try_register_packet_analyzer_by_name("Ethernet", 0x88ba, "spicy::GOOSE") )
                    print "cannot register GOOSE Spicy analyzer";

        Log::create_stream(GOOSE::GOOSE_LOG, [$columns=Info, $ev=log_goose, $path="goose"]);
}

#print this event per packet
event GOOSE::message(packet: raw_pkt_hdr, appid: count, pkt_len: count)
{
        local info: Info = [$ts=network_time(), $appid=appid, $pkt_len=pkt_len];
        print "Processing pcakets", packet;
        Log::write(GOOSE::GOOSE_LOG, info);
}

event Broker::peer_added(ep: Broker::EndpointInfo, msg: string)
{
        print "PEER ADDED", ep;
        continue_processing();
}
#send this event over the broker
event analyzer_confirmation_info(atype: AllAnalyzers::Tag, info: AnalyzerConfirmationInfo)
{
        if ( atype == Analyzer::ANALYZER_SPICY_GOOSE)
        {
                Broker::publish(goose_topic, analyzer_confirmation, atype, info);
        }
}

PCAP file: https://github.com/ITI/ICS-Security-Tools/blob/master/pcaps/IEC61850/GOOSE/GOOSE.pcap
@zeek-bot
Copy link
Contributor

zeek-bot commented Aug 3, 2023

This issue has been mentioned on Zeek. There might be relevant details there:

https://community.zeek.org/t/need-a-sample-spicy-script-to-detect-iec-61850/7095/3

@zeek zeek locked and limited conversation to collaborators Aug 7, 2023
@bbannier bbannier converted this issue into discussion #3220 Aug 7, 2023

This issue was moved to a discussion.

You can continue the conversation there. Go to discussion →

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@zeek-bot @biswajitutil