Hi there,
as a part of my master's thesis I'm going to write two analyzers which will be able to detect S7Comm and S7CommPlus traffic used by Siemens PLCs. Both protocols are proprietary, so I have no official documentation. The goal is to monitor this kind of traffic and/or detect threats against those PLCs.
So far, I am able to read S7Comm traffic and generate various events, covering all standard and most of the additional (UserData) functions. This part is based on the code of the Wireshark S7Comm dissector.
The S7CommPlus part is a little bit trickier. Unfortunately, the only code base I can use is a 4-year-old git repo, probably forked from the first S7CommPlus dissector written by Thomas Wiens (https://github.com/moki-ics/s7commwireshark/blob/master/src/s7comm_plus/packet-s7comm_plus.c).
After a quick glance I have discovered 2 "problems" where I hope you could help me.
1) Reassembling packets: Some S7CommPlus packets whose payload is over a certain amount of bytes will be split and need to be reassembled. I don't know how to do that in Bro, nor how I can keep track of which fragments belong to which packet. (LoC: 3917 to 4135)
2) Various payload: Some packets contain different payload, e.g. different addressing types, attributes and/or structures, even though the packet type is the same (for example: a request packet can contain one or more objects. In each object, there can be various items of type A, B, C or D, each of them having a different structure). If I want to generate Bro events which contain the payload as a parameter, how do I do that?
Any help will be appreciated!
Thanks.
Dane