ZEEK broker service name NULL

Hi Everyone,

I’m trying to use zeek broker python module to filter out some traffic based upon the service name, eg: DNP3, MODBUS etc.

For every new connection I’m trying to generate an event which would then be published to the zeek broker:

event new_connection(c: connection)
        print "NEW", c$id;
        print "SERVICE", c$service;
        Broker::publish(filter_topic, new_conn_added, c);

The c$id is giving the correct output when I run the zeek python broker and give it a pcap:

/usr/local/zeek/bin/zeek -Cr /mnt/zeek/modbus-broker/modbus.pcap filter

But the output of SERVICE is NULL. When I checked the connection struct, this is what it looked like:

[id=[orig_h=, orig_p=51411/tcp, resp_h=, resp_p=502/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=10:9a:dd:4e:06:0d], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:0c:29:af:7f:fe], start_time=1342774499.588269, duration=0 secs, service={}, history=, uid=Ci1AF12buBoMVDeOjl, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={}, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]

The pcap is a modbus traffic pcap and the MODBUS struct above is uninitialized. Can you please give me some insights of what must be happening here?


Hi Ashish,

the reason for this is that the service field is not yet populated at the time that the new_connection event is raised. That field is populated later during the connection when the analyzer_confirmation_info or potentially the analyzer_violation_info events are raised.

The easiest fix would probably be to use the connection_state_remove event instead of new_connection. That event is raised at the very end of a connection - when all fields are populated in the same way as they appear in the log file.

I hope this helps,

Hi @johanna,

I tried to use connection_state_remove to check if the service field gets populated but it was still NULL. What I’m using right now is analyzer_confirmation_info event with a check of atype == Analyzer::ANALYZER_MODBUS to filter the MODBUS events.