Hi community,
I'm trying to run the protocol analyzer for IEC104 by compiling the Spicy script and installing the compiled file iec104.hlto into Zeek's plugin folder. The analyzer is being loaded correctly:
ashish@dmz-ashish-new:/code/zeek-iec104$ /usr/local/zeek/bin/zeek -NN | grep 104
[Analyzer] spicy_IEC104 (ANALYZER_SPICY_IEC104, enabled)
Now I want to subscribe to Zeek events using the Zeek Broker, with this Zeek script setup:
    event analyzer_confirmation_info(atype: AllAnalyzers::Tag, info: AnalyzerConfirmationInfo)
        {
        if ( atype == Analyzer::ANALYZER_SPICY_IEC104 || atype == PacketAnalyzer::ANALYZER_SPICY_PROFINETIO )
            {
            print "analyzer", info$c$service;
            # Re-publish the event that was just handled. The arguments (atype, info)
            # belong to analyzer_confirmation_info, not the older analyzer_confirmation,
            # and manager_topic is only visible unqualified inside module Cluster.
            Broker::publish(Cluster::manager_topic, analyzer_confirmation_info, atype, info);
            }
        }

    event zeek_init() &priority=5
        {
        # Hold packet processing until the Broker peer is up, so nothing is published
        # before anyone is listening.
        suspend_processing();
        Broker::peer(addr_to_uri(127.0.0.1), 50000/tcp);
        }

    event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
        {
        # Without this, suspend_processing() leaves the pcap unread and no analyzer
        # events are ever raised.
        continue_processing();
        }
But using the analyzer_confirmation_info function, I'm not able to see the events. Just to debug and print the connection record, I tried using connection_state_remove, which is able to print the data:
ashish@dmz-ashish-new:/code/zeek-iec104$ /usr/local/zeek/bin/zeek -Cr iec104.pcap analyzer/iec104.hlto scripts/connection_record_01.zeek
[id=[orig_h=10.20.102.1, orig_p=46413/tcp, resp_h=10.20.100.108, resp_p=2404/tcp], orig=[size=362, state=5, num_pkts=59, num_bytes_ip=2734, flow_label=0, l2_addr=00:22:15:56:0b:54], resp=[size=2315, state=5, num_pkts=46, num_bytes_ip=4159, flow_label=0, l2_addr=00:16:d1:00:09:05], start_time=1372918996.78845, duration=2.0 mins 25.0 secs 112.0 msecs 797.97554 usecs, service={
}, history=ShADdaFf, uid=CnjP1u15vCPiamk19, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={
}, removal_hooks=<uninitialized>, conn=[ts=1372918996.78845, uid=CnjP1u15vCPiamk19, id=[orig_h=10.20.102.1, orig_p=46413/tcp, resp_h=10.20.100.108, resp_p=2404/tcp], proto=tcp, service=<uninitialized>, duration=2.0 mins 25.0 secs 112.0 msecs 797.97554 usecs, orig_bytes=362, resp_bytes=2315, conn_state=SF, local_orig=T, local_resp=T, missed_bytes=0, history=ShADdaFf, orig_pkts=59, orig_ip_bytes=2734, resp_pkts=46, resp_ip_bytes=4159, tunnel_parents=<uninitialized>], extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
How would it be possible to use the analyzer_confirmation_info function with this new protocol?
Thanks.
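Zeek raises analyzer_confirmation_info for a Spicy analyzer only after the grammar itself confirms the protocol, so the place to look when the event never fires is the .spicy unit, not the Zeek handler; the unit below is an added example, not code from the original post or the zeek-iec104 project. It assumes the unit names IEC104::APDUs and IEC104::APDU and an .evt entry of the form `protocol analyzer spicy::IEC104 over TCP: parse with IEC104::APDUs, port 2404/tcp;`, which is what yields the tag Analyzer::ANALYZER_SPICY_IEC104 shown in the `zeek -NN` output above.

```spicy
module IEC104;

import spicy;
import zeek;

# Top-level unit named in the .evt file: an IEC 60870-5-104 TCP stream is a
# sequence of APDUs (constructed unit name, see lead-in).
public type APDUs = unit {
    : APDU[];
};

# APCI header of IEC 60870-5-104: start octet 0x68, APDU length counted from
# the first control octet, four control octets, then the ASDU payload.
type APDU = unit {
    start:   uint8 &requires=($$ == 0x68);
    length:  uint8 &requires=($$ >= 4);
    control: bytes &size=4;
    # ASDU left undecoded here; the point of this example is the confirmation.
    asdu:    bytes &size=(self.length - 4);

    on %done {
        # This call is what makes Zeek raise analyzer_confirmation_info for the
        # connection (and fill conn.log's service field). A grammar that parses
        # fine but never calls it produces no confirmation event at all. On
        # Zeek 6.1+ the equivalent is spicy::accept_input().
        zeek::confirm_protocol();
    }

    on %error {
        # A malformed APDU: tell Zeek this is not IEC 104 so the analyzer is
        # disabled for the connection instead of silently staying attached.
        zeek::reject_protocol("invalid IEC 104 APCI");
    }
};
```

Confirming only after a complete, well-formed APDU (rather than on the first byte) keeps unrelated traffic on port 2404 from being logged as IEC 104.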