Hi,
I am trying to add a very basic analyser for Goose (IEC61850) which will just:

1. Detect the protocol (no parsing of PDU as of now) for every packet and print that it has been detected.
2. Once 1. is done, I will need to send an analyzer confirmation event to my broker module to notify that Goose is detected.

As it is running over Ethernet (type 0x88ba), I tried a packet analyzer, not a protocol analyzer.
I am able to register the plugin and can see it in `zeek -NN`, but I am not able to do 1 & 2. It prints nothing for the pcap; I just get packet_filter.log with an entry for the default BPF filter, IP or not IP.
Can you please tell me where I am making mistakes?
Below are my spicy scripts
spicy parser script
spicy event
zeek spicy script
Zeek script
PCAP file: https://github.com/ITI/ICS-Security-Tools/blob/master/pcaps/IEC61850/GOOSE/GOOSE.pcap
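
An added example, not code from this issue or from Zeek: before registering a packet analyzer on an EtherType, it helps to list which EtherTypes the frames in the capture actually carry and whether they sit behind 802.1Q/802.1ad VLAN tags. The EtherType names below come from the IEEE registry (0x88b8 GOOSE, 0x88b9 GSE management, 0x88ba Sampled Values); the function names and the sample frames are constructed for illustration.

```python
import struct
import sys

# EtherTypes as assigned in the IEEE registry (not taken from the post above).
IEC61850 = {0x88B8: "GOOSE", 0x88B9: "GSE management", 0x88BA: "Sampled Values"}
VLAN_TAGS = {0x8100, 0x88A8}  # 802.1Q / 802.1ad tags sit in front of the real EtherType
MAGIC = {b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">"}

def effective_ethertype(frame: bytes):
    """Return (ethertype, vlan_tag_count) for an Ethernet II frame, or None if truncated."""
    offset, depth = 12, 0
    while len(frame) >= offset + 2:
        (etype,) = struct.unpack_from("!H", frame, offset)
        if etype not in VLAN_TAGS:
            return etype, depth
        offset, depth = offset + 4, depth + 1  # skip the 2-byte TPID and 2-byte TCI
    return None

def read_pcap(data: bytes):
    """Yield frames from a classic (non-pcapng) capture with Ethernet link type."""
    endian = MAGIC.get(data[:4])
    if endian is None or len(data) < 24 or struct.unpack_from(endian + "I", data, 20)[0] != 1:
        raise ValueError("not a classic pcap file with Ethernet link type")
    pos = 24  # size of the global header
    while pos + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "I", data, pos + 8)[0]
        yield data[pos + 16 : pos + 16 + incl_len]
        pos += 16 + incl_len

def summarize(data: bytes) -> dict:
    """Count frames per (protocol name or hex EtherType, number of VLAN tags)."""
    counts = {}
    for etype, depth in filter(None, map(effective_ethertype, read_pcap(data))):
        key = (IEC61850.get(etype, f"0x{etype:04x}"), depth)
        counts[key] = counts.get(key, 0) + 1
    return counts

def constructed_sample() -> bytes:
    """Constructed capture: an untagged 0x88ba frame and a VLAN-tagged 0x88b8 frame."""
    macs = bytes.fromhex("010ccd010001001122334455")
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for tail in ("88ba", "8100800188b8"):
        frame = macs + bytes.fromhex(tail) + bytes(8)
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":  # pass a pcap path, or run on the constructed sample
    raw = open(sys.argv[1], "rb").read() if sys.argv[1:] else constructed_sample()
    print(summarize(raw))
```

A non-zero VLAN tag count means the frame's first EtherType field holds the tag's TPID rather than the IEC 61850 value.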