ZEEK broker service name NULL

Hi Everyone,

I’m trying to use the zeek broker python module to filter out some traffic based upon the service name, e.g. DNP3, MODBUS, etc.

For every new connection I’m trying to generate an event which would then be published to the zeek broker:

# Declarations the handler below needs (assumed; not shown in the original post):
const filter_topic = "/zeek/filter";
global new_conn_added: event(c: connection);

event new_connection(c: connection)
{
        print "NEW", c$id;
        print "SERVICE", c$service;   # c$service is a set[string]; prints {} when empty
        Broker::publish(filter_topic, new_conn_added, c);
}

The c$id is giving the correct output when I run the zeek python broker and give it a pcap:

/usr/local/zeek/bin/zeek -Cr /mnt/zeek/modbus-broker/modbus.pcap filter

But the output of SERVICE is NULL. When I checked the connection struct, this is what it looked like:

[id=[orig_h=10.1.1.234, orig_p=51411/tcp, resp_h=10.10.5.85, resp_p=502/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=10:9a:dd:4e:06:0d], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:0c:29:af:7f:fe], start_time=1342774499.588269, duration=0 secs, service={}, history=, uid=Ci1AF12buBoMVDeOjl, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={}, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]

The pcap is a modbus traffic pcap and the MODBUS struct above is uninitialized. Can you please give me some insights into what must be happening here?

Thanks,
Ashish

Hi Ashish,

The reason for this is that the service field is not yet populated at the time that the new_connection event is raised. That field is populated later during the connection when the analyzer_confirmation_info or potentially the analyzer_violation_info events are raised.

The easiest fix would probably be to use the connection_state_remove event instead of new_connection. That event is raised at the very end of a connection - when all fields are populated in the same way as they appear in the log file.

I hope this helps,
Johanna

Hi @johanna,

I tried to use connection_state_remove to check if the service field gets populated but it was still NULL. What I’m using right now is analyzer_confirmation_info event with a check of atype == Analyzer::ANALYZER_MODBUS to filter the MODBUS events.

Thanks,
Ashish
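The two approaches discussed in this thread (Johanna's point that c$service is only filled in once analyzer_confirmation_info fires, and Ashish's filter on atype == Analyzer::ANALYZER_MODBUS), written out as one complete script. This is an added example, not code from either poster or from the Zeek project. c$service is a set[string], so what new_connection sees is an empty set rather than a null; the dpd framework adds the analyzer name to it from analyzer_confirmation_info at &priority=10, so a handler at the default priority already finds "MODBUS" there. The module name, the topic, the event name modbus_conn_confirmed and the 127.0.0.1:9999 peer are assumptions for the example.

```zeek
# Added example, not from the thread: publish one Broker event per connection
# that Zeek has confirmed as Modbus, taken from analyzer_confirmation_info
# rather than new_connection so that c$service is already populated.

@load base/frameworks/broker
@load base/protocols/modbus

module Filter;

export {
	## Topic the Python subscriber reads from (assumed name).
	const filter_topic = "/zeek/filter/modbus" &redef;

	## Event delivered to the subscriber (assumed name).
	global modbus_conn_confirmed: event(c: connection);
}

event zeek_init()
	{
	# Assumed endpoint: the Python broker script is listening here.
	Broker::peer("127.0.0.1", 9999/tcp);
	}

# The dpd framework adds Analyzer::name(atype) ("MODBUS") to c$service at
# &priority=10, so at the default priority of 0 the set already contains it.
event analyzer_confirmation_info(atype: AllAnalyzers::Tag, info: AnalyzerConfirmationInfo)
	{
	if ( atype != Analyzer::ANALYZER_MODBUS )
		return;

	# Packet-analyzer confirmations carry no connection; guard before use.
	if ( ! info?$c )
		return;

	local c = info$c;
	print "MODBUS confirmed", c$id, c$service;
	Broker::publish(filter_topic, modbus_conn_confirmed, c);
	}

# Alternative from Johanna's reply: decide at the end of the connection,
# when every field, including c$service, holds what ends up in conn.log.
event connection_state_remove(c: connection)
	{
	if ( "MODBUS" in c$service )
		print "MODBUS at removal", c$uid, c$service;
	}
```

Run it the same way as in the original post (zeek -Cr modbus.pcap filter.zeek) with the Python subscriber already listening on the assumed port. Broker delivers only to peers that are connected and subscribed at the moment of the publish, and Zeek starts processing packets as soon as it is up, so a peering that is still being negotiated can miss the first connections of a trace.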