Need help to print data_value in zeek

biswa · April 4, 2023, 1:16pm

Hi,
I need help to print data_value of event dnp3_response_data_object() in dnp3/events.bif.
This event is generated from type Response_Data_Object() of dnp3-objects.pac. I want to know how can I fetch these attributes using the above event. Please suggest.
Thanks
Biswa

awelzel · April 6, 2023, 8:52am

Hello @biswa , it’s not immediately clear what you want to achive.

Have you looked if the dnp3_attribute_common() event would cover your case? Are you looking for an event that gives you just the raw data of a Response_Data_Object? Can you sketch the declaration of the event or a bit of scripting code what you’re looking to do?

Thanks,
Arne

awelzel · April 6, 2023, 8:54am

Ah, this is probably all related to your previous post:

If the existing parser doesn’t provide you with the events you need and you have pcaps available for testing, you could start looking at extending the parser and contributing back

biswa · April 7, 2023, 4:23pm

Thanks a lot @awelzel for the reply. I have started adding few events in the existing parser, I have few doubts.

When I change anything in zeek related files and try to make then it starts again from configure and make from scratch. Is there any option to get rid of this and compile only the changed files?
You mentioned about dnp3_attribute_common(), if you check dnp3-objects.pac, you will see in request and response data object handling these common attributes are mentioned under “device attribute g0” and I am assuming I will get these value only in the script but I am trying to extract deadband which is defined as ai_dead_16, ai_dead_32 in the same file under “analog input g34”. I am not sure if I get these values using this event dnp3_attribute_common().
There is another event in events.bif in dnp3 called dnp3_response_data_object() with argument data_value which states “the value for those objects that carry their information here directly”. Firstly the meaning is not clear to me and secondly how to print/dump such data_value in zeek scripts is not clear. Is it a vector of values or just a value ? As it’s type is count… why I am interested because I think deadband values may be extracted (ai_dead, ai_dead_16 of dnp3-objects.pac). Please help in this area.
There are few more fields needs to be extracted from dnp3 application pdu such as time value in g50 or device name/identifier in g0v247 , fragment size in g0v240 etc are not there . So I am trying to add these things. If you can help here someway will be very much appreciated.

Thanks
Biswa