New spicy protocol with zeek broker

Hi community,

I’m trying to run the protocol analyzer for IEC104 by compiling the spicy script and installing the compiled file


to zeek’s plugin folder. The analyzer is being loaded correctly.

ashish@dmz-ashish-new:/code/zeek-iec104$ /usr/local/zeek/bin/zeek -NN | grep 104
    [Analyzer] spicy_IEC104 (ANALYZER_SPICY_IEC104, enabled)

Now I want to subscribe to zeek events using the zeek broker which has this setup of zeek script:

event analyzer_confirmation_info(atype: AllAnalyzers::Tag, info: AnalyzerConfirmationInfo)
        if (atype == Analyzer::ANALYZER_SPICY_IEC104 || atype == PacketAnalyzer::ANALYZER_SPICY_PROFINETIO)
                print "analyzer", info$c$service;
                Broker::publish(manager_topic, analyzer_confirmation, atype, info); 

event zeek_init() &priority=5 {
        Broker::peer(addr_to_uri(, 50000/tcp);

but using the function analyzer_confirmation_info I’m not able to see the events. Just to debug and print the connection record I tried using connection_state_remove which is able to print the data.

ashish@dmz-ashish-new:/code/zeek-iec104$ /usr/local/zeek/bin/zeek -Cr iec104.pcap analyzer/iec104.hlto scripts/connection_record_01.zeek
[id=[orig_h=, orig_p=46413/tcp, resp_h=, resp_p=2404/tcp], orig=[size=362, state=5, num_pkts=59, num_bytes_ip=2734, flow_label=0, l2_addr=00:22:15:56:0b:54], resp=[size=2315, state=5, num_pkts=46, num_bytes_ip=4159, flow_label=0, l2_addr=00:16:d1:00:09:05], start_time=1372918996.78845, duration=2.0 mins 25.0 secs 112.0 msecs 797.97554 usecs, service={

}, history=ShADdaFf, uid=CnjP1u15vCPiamk19, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={

}, removal_hooks=<uninitialized>, conn=[ts=1372918996.78845, uid=CnjP1u15vCPiamk19, id=[orig_h=, orig_p=46413/tcp, resp_h=, resp_p=2404/tcp], proto=tcp, service=<uninitialized>, duration=2.0 mins 25.0 secs 112.0 msecs 797.97554 usecs, orig_bytes=362, resp_bytes=2315, conn_state=SF, local_orig=T, local_resp=T, missed_bytes=0, history=ShADdaFf, orig_pkts=59, orig_ip_bytes=2734, resp_pkts=46, resp_ip_bytes=4159, tunnel_parents=<uninitialized>], extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]

How would it be possible to use analyzer_confirmation_info function using this new protocol?


Hey @ashish21

I’m trying to run the protocol analyzer for IEC104 by compiling the spicy script and installing the compiled file

Do you have a link to the analyzer’s source? Is there a call to zeek::confirm_protocol() within the analyzer’s implementation which in turn will results in analyzer_confirmation_info() being raised? The service field of the connection doesn’t hold any entry, so wondering if that’s missing.

Are other IEC104 specific events raised when reading the pcap?

Hey @awelzel

I’m using the protocol implementation from here:

It had zeek::confirm_protocol() commented out but I compiled by uncommenting it.

I see the events like STARTDT and TESTFR being part of the output as when run with main.zeek script as the commandline.

/usr/local/zeek/bin/zeek -Cr iec104.pcap analyzer/iec104.hlto scripts/main.zeek

With a zeek::confirm_protocol() call, the analyzer_confirmation_info() event should work (and conn.log service field populated with the analyzer’s name, too).

If that’s not yet working, possibly provide a diff. Possibly also open an issue to ensure zeek::confirm_protocol() is used at an appropriate place.