Add MAC adresses to logs in custom script

Leviath · December 12, 2022, 4:14pm

Good Morning,

I am having trouble finding a way to add mac addresses to my modbus logs.

I saw many posts talking about it and I tried the @load /policy/protocols/conn/mac-logging directive to my local.zeek file which successfully creates a conn.log file with the mac addresses of my network.

I tried to retrieve these data in my custom logs by adding new fields in my record :

@load base/protocols/conn
@load base/protocols/modbus

module Modbus_Extended;

export {
    redef enum Log::ID += {LOG_DETAILED};

    #########################################################################################################################
    #####################################  Modbus Detailed Log ######################################
    #########################################################################################################################
    type Modbus_Detailed: record {
        ts_request                      : time              &log;             # Timestamp of event
        ts_last_response                     : time              &log &optional;
        min_response_time               : interval                  &log &optional;
        average_response_time           : interval                  &log &optional;
        max_response_time               : interval                  &log &optional;
        response_count                  : count             &log &optional;
        tid                     : count            &log;             # Zeek unique ID for connection
        orig_l2_addr                    : string           &log &optional;
        dst_l2_addr             : string           &log &optional;
        id                      : conn_id           &log;             # Zeek connection struct (addresses and ports_request)
        conn                    : connection                &log &optional;
        uid                      : string           &log &optional;             # Zeek connection struct (addresses and ports_request)
        unit_id                 : count             &log;             # Modbus unit-id
        func                    : string            &log &optional;   # Modbus Function
        network_direction       : string            &log &optional;   # Message direction (request or response)
        no_response             : string            &log &optional;
        address                 : count             &log &optional;   # Starting address for value(s) field
        quantity                : count             &log &optional;   # Number of addresses/values read or written to
        values                  : string            &log &optional;   # Coils, discrete_inputs_request, or registers read/written to
    };
    global log_modbus_detailed: event(rec: Modbus_Detailed);
}

And then retrieving the addresses in an event with this condition :

global function_ids: table[string, string] of Modbus_Detailed;

if(c$conn?$orig_l2_addr){
 function_ids[c$uid, c$modbus$func]$orig_l2_addr = c$conn$orig_l2_addr;
}

But it doesn’t work. And I can not use DHCP logs since my network has static ip addresses.

Do you have any idea how I should proceed ?

Thank you for your help.

awelzel · December 12, 2022, 5:32pm

If you do it as below, it’s somewhat important to know which event handler you’re using(and at what priority it runs).
The mac-logging.zeek script sets c$conn$orig_l2_addr field during connection_state_remove. That is at the end of a connection. If your handler runs before that, the fields won’t be set.

However, suggestion is to directly access the c$orig and c$resp endpoint records in your own handler, too. This will also avoid the dependency on mac-logging.zeek. Something like the following (copied from mac-logging.zeek):

          if ( c$orig?$l2_addr )                                                  
                  function_ids[...]$orig_l2_addr = c$orig$l2_addr;                           
                                                                                  
          if ( c$resp?$l2_addr )                                                  
                  function_ids[...]$resp_l2_addr = c$resp$l2_addr;

Leviath · December 15, 2022, 1:13pm

Thank you, It’s interesting to know this particularity

Topic		Replies	Views
MAC Address In Logs Zeek	9	996	May 6, 2022
Aggregate similar communications in Zeek script Zeek development	4	264	December 9, 2022
Other log files besides conn.log Zeek	5	100	May 6, 2022
Loading custom scripts Zeek	1	313	May 21, 2024
Modify consts.zeek file Development development , scripting	1	252	November 30, 2022

Add MAC adresses to logs in custom script

Related topics