Support SNMP and MODBUS/TCP Protocols?

We would like to use Bro to monitor and analyze SNMP and MODBUS/TCP traffic in industrial control networks. Does the latest version of Bro support SNMP, MODBUS/TCP and any other industrial control protocols?

If not currently supported, what are the typical steps to make Bro support a new protocol?

Thank you,

Huiping

We would like to use Bro to monitor and analyze SNMP and MODBUS/TCP traffic
in industrial control networks. Does the latest version of Bro
support SNMP, MODBUS/TCP and any other industrial control protocols?

No, not yet. We've a prototype of Modbus support (and DNP3), which
will likely make it into Bro 2.2. Nobody is working on SNMP yet though
as far as I know.

If not currently supported, what are the typical steps to make Bro
support a new protocol?

The best way is to use our binpac parser generator, see here for a
skeleton:

    http://www.bro-ids.org/development/binpac-sample-analyzer.html

Also take a look at the existing analyzers in src/*.pac.

Robin

Hi Robin,

Thanks for the updates. Good to know that there will be a prototype of MODBUS support in Bro 2.2. Any estimates about the release timeline for Bro 2.2?

Can the prototype of MODBUS support also be customized to work with Bro 2.0 quickly? We are eager to experiment using Bro to monitor and analyze MODBUS/TCP traffic. :)

Best regards,
Huiping

Hi, Huiping,

We are working on merging Modbus at the moment. I think merging Modbus will not take too long, as its code size is not that big.

Also, in case you want to build your own analyzer in binpac, here is some sample code:
http://www.bro-ids.org/development/binpac-sample-analyzer.html

FYI, binpac can easily handle an application-layer protocol directly over TCP or UDP. But with a complex protocol that includes a session layer or presentation layer, you may need to make some modifications to Bro's code to integrate the binpac code.

Hope this helps.

Best,

Hui
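As an added illustration (not from this thread and not Bro's own Modbus analyzer), here is a small Python parser for the Modbus/TCP framing that a binpac record would describe: the 7-byte MBAP header followed by the PDU. The framing checks (protocol identifier, length field agreeing with the bytes on the wire) are what an analyzer relies on to confirm a flow really is Modbus; the sample frames are constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

MBAP_LEN = 7  # transaction id (2) + protocol id (2) + length (2) + unit id (1)


@dataclass
class ModbusFrame:
    transaction_id: int
    protocol_id: int
    length: int          # MBAP length: unit id + PDU, as carried on the wire
    unit_id: int
    function_code: int   # with the 0x80 exception bit cleared
    data: bytes          # PDU payload after the function code
    exception: bool      # True if the function code had the 0x80 error bit set


def parse_modbus_tcp(buf: bytes) -> Optional[ModbusFrame]:
    """Parse one Modbus/TCP ADU. Returns None when the buffer is truncated or
    violates the framing rules, the same signal an analyzer uses to decide a
    flow is not Modbus at all."""
    if len(buf) < MBAP_LEN + 1:                      # need at least a function code
        return None
    tid, pid, length, uid = struct.unpack("!HHHB", buf[:MBAP_LEN])
    if pid != 0:                                     # protocol id is always 0
        return None
    # length counts unit id + PDU (max ADU is 260 bytes), so the frame is 6 + length
    if length < 2 or length > 254 or len(buf) != 6 + length:
        return None
    fc = buf[MBAP_LEN]
    return ModbusFrame(tid, pid, length, uid, fc & 0x7F, buf[MBAP_LEN + 1:], bool(fc & 0x80))


def split_stream(stream: bytes) -> List[ModbusFrame]:
    """Cut a reassembled TCP payload into frames using the MBAP length field;
    stop at the first malformed or incomplete frame (an analyzer would buffer)."""
    frames, off = [], 0
    while len(stream) - off >= MBAP_LEN:
        end = off + 6 + struct.unpack("!H", stream[off + 4:off + 6])[0]
        frame = parse_modbus_tcp(stream[off:end]) if end <= len(stream) else None
        if frame is None:
            break
        frames.append(frame)
        off = end
    return frames


# Constructed samples: a Read Holding Registers request (fc 3, addr 0, qty 10)
# and an exception response (fc 0x83, exception code 2 = illegal data address).
REQUEST = bytes.fromhex("0001 0000 0006 01 03 0000 000a".replace(" ", ""))
EXC_RESPONSE = bytes.fromhex("0001 0000 0003 01 83 02".replace(" ", ""))
```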

Hi Hui,

We look forward to testing the MODBUS and DNP3 analyzers as soon as they are available.

We are also interested in protocols for building automation and control networks, such as BACnet. Is there anyone currently working (or planning to work) on a BACnet protocol analyzer? We may try to learn and experiment by building a BACnet protocol analyzer using the BinPAC parser generator. This looks to be a daunting task at the moment.

Thanks for the help.

Huiping

Hi Huiping,

To the best of my (our) knowledge no one is working on a BACnet protocol analyzer, nor is it in the near-future plans of the people I know (mainly because it's a building automation protocol and not process automation). But we also might have some data for testing BACnet in the near future, so if you manage to have the analyzer running, we might be able to help with more data for validation purposes.

Good luck :)

Thanks for the updates. Good to know that there will be a prototype
of MODBUS support in Bro 2.2. Any estimates about the release
timeline for Bro 2.2?

The actual release will still take a bit, maybe around the end of the
year. However, I'm hoping to have initial experimental support merged
into git master rather soon when 2.2 development starts (once the 2.1
release is out later this month, if all goes well).

Can the prototype of MODBUS support also be customized to work with
Bro 2.0 quickly? We are eager to experiment using Bro to monitor and
analyze MODBUS/TCP traffic. :)

Once it's in git master, backporting to 2.0 or 2.1 shouldn't be
difficult (if still needed then). If you guys (or anybody else here)
could help us testing, that would be much appreciated.

Robin