Additional Industrial Control Systems Protocols

Development
1

Hi Team -

As part of our work on the Customer Fulfillment Technology Security team at Amazon.com we've developed a set of protocol parsers for industrial control systems devices that we use in our production Zeek deployment. At this stage we're approved to release several of them as open source and would like to understand both if the Zeek team would be interested in taking these as contributions to upstream and, if you are, how best to coordinate the process of merging the contributions in. The five plugins we're approved to share now are:

* BACnet
* Ethernet/IP & Common Industrial Protocol (one plugin)
* Profinet
* S7comm
* MS-TDS Tabular Data Stream Protocol (not strictly ICS but used by some SCADA historians)

If the team is interested in this upstream we can submit as pull requests on GitHub, for example as one pull request per plugin, or via another workflow. If they're not a fit for upstream we can pursue an independent release. I'm really excited to make this available to the community either way! The two main authors, my colleague Tri and myself, will be at ZeekWeek here in Seattle next month to discuss these and a few others we have coming down the pipe.

Let us know what works,

Blake Johnson
Security Engineer
Control Systems Security
Amazon.com

2

Hi Blake,

Thank you so much for reaching out to the list. YES, please open these through our package manager. We would be delighted, but more importantly, the community of Zeek users will be.

Thank you and your team for extending the capabilities of Zeek.

I’ll be reaching out off-list to set up some time to meet with you and your colleagues at ZeekWeek.

Please let me know if you have any questions.

~Amber

3

Thanks Amber for following up with us on this.

Tri and I had a chance to talk to Amber today and we've agreed to pursue a release of these protocols on the Zeek package manager rather than directly in to Zeek upstream. I have a few last hoops to jump through internally to arrange this through the Amazon GitHub organization.

My goal is to have this out publically in advance of ZeekWeek next Wednesday.

Blake