Zeek Modbus/ IEC 104

Hello All,

I have an ABB RTU560 running IEC 104 protocol. This has an IP 10.180.12.134

I would like to get the logs onto my host machine with IP 10.180.7.188. Zeek is installed on this machine. Problem is the RTU device does not support “ssh”. I run zeekctl with the RTU device as the worker node in a cluster with the host machine as the manager. But it fails with the following error

Error: Failed to establish ssh connection to host 10.180.12.134: [Errno 32] Broken pipe

Kindly help me with the step by step procedure, especially the configuration.

I also have a similar machine running Modbus protocol. I know Zeek has a Modbus package, and I have installed it on the host machine. I am not sure how to proceed further here either.

Any guidance would be very helpful.

Thanks in advance,
Raja

Hey Raja,

In order to manage a remote machine via zeekctl, you need to have sshd running on the remote machine (see the requirements here). If the RTU cannot do that (how do you log into it then?), we need to look for other options. It’d help to know more about your network, but here are some starting points:

  • Run nothing on the RTU. Is there another place in your network where you can tap the RTU’s traffic? This looks like the natural course, particularly if traffic volumes are such that you cannot/should not monitor it all on the RTU itself.
  • Run everything on the RTU. If your Zeek cluster consists only of the RTU and your host machine, and traffic volume is low, perhaps you can simply run it all locally on the RTU. (I don’t know if that’s a reasonable suggestion — not sure what are the capabilities of that box. But if you’re running a Zeek worker on it, this seems at least plausible.)
  • Don’t use zeekctl. You can run your cluster manually, doing away with the need for SSH etc. This could be as simple as single-process Zeek setup, monitoring a local interface on the RTU. You’d just need a way to copy the logs out — this could be scp, or you could configure another log exporter in Zeek that sends the logs straight to an ingestion system (via Elastic, Kafka, fluentd, etc). You could do the same on the modbus machine, assuming suitably low traffic loads.

Best,
Christian

Hi Christian,

This is what I am attempting.
I have a device pumping Modbus data, and I am listening on port 502.
Zeek is running, and Modbus extension is installed.
I dont see a modbus.log file though, which I would like to be picked up by Filebeat, to be given to Elastic eventually.

Thanks,

Hey,

On the system that is running Zeek, when you run tcpdump -n -i <interface> 'port 502', do you see packets incoming? Do they look like valid modbus traffic? If you can record a pcap with such traffic and share it, this might help to provide more hints what might be off.

First thought is always checksums: Does the result change if you run zeek -C -i <interface> ?

Hope this helps,
Arne

Hi Arne

Please find below the screenshots of the statements executed/ output obtained.
Both of them dont give any output, but seem to wait endless, so I had to terminate the processes.

Regards,

Hmm - from your screenshot, assuming you ran tcpdump for a few minutes, it does not look like you’re receiving traffic on eno1 with ‘port 502’. You’ll first need to make sure that the Modbus traffic is visible on the interface that Zeek is sniffing.

Hope that helps,
Arne

1 Like

Dear All,

I guess I am getting the logs now. I have two files created, modbus.log and modbus_detailed.log in the /logs/current folder, and they seem to reflect the data I am pumping across my machines.

Is this the time/ place to stop worrying about the collection of the traffic into logs, and instead, start analyzing them? If so, can some pointers be thrown about how to analyze the Modbus logs thus obtained?

Thanks & Regards,
Raja