Hello,
I have a zeek script to monitor and log modbus traffic between a controller and robots based on specific fields.
I have an event called modbus_message which aggregates messages based on their connection id (c$uid), the function called and the starting read/write address of the function and store them in a table :
global function_ids: table[string, string, count] of Modbus_Detailed;
Based on the icsnpp-modbus package, each function has its own specification, so I use a global variable named modbus_start_address and I overwrite its initial value at each new message depending on the function seen, for example :
event modbus_read_holding_registers_request(c: connection,
headers: ModbusHeaders,
start_address: count,
quantity: count) {
modbus_start_address = start_address;
modbus_quantity = quantity;
}
The first problem is that the requests of the controller contain the start address but not the responses do not, so for each response, I need to retrieve its corresponding request (using the transaction id).
But I dont get the expected results, so I tried to schematize the problem :
If two requests call the same function and happen at almost the same time, Is it possible that the value of the global variable modbus_start_address is overwritten before the first execution is done ? And if yes, what should I do to solve this problem ?
Thank you for your help.