module S7comm;

@load ./consts

export {
    ## One stream per layer: LOG1 = iso_cotp, LOG2 = s7comm, LOG3 = s7data
    ## (paths are assigned in bro_init below).
    redef enum Log::ID += { LOG1, LOG2, LOG3, };

    ...

    ## One S7comm data item (a read or a write) as written to the
    ## "s7data" stream.  Fields without &log are kept on the record
    ## but do not appear in the log file.
    type InfoS7data: record {
        ## Time when the command was sent.
        ts: time &log;
        ## Unique ID for the connection.
        uid: string &log;
        ## The connection's 4-tuple of endpoint addresses/ports.
        id: conn_id &log;
        ## memory area, as a name looked up in s7area_types
        area: string &log;
        ## memory areanum: the raw numeric area code (not logged)
        areanum: count ;
        ## db number; the handlers store the event's ``db`` argument here
        dbnum: count &log;
        ## s7 type, as a name looked up in s7type_types
        s7type: string &log;
        ## s7 typenum: the raw numeric type code (not logged)
        s7typenum: count ;
        ## s7 address
        address: count &log;
        ## s7 signed data (unset by the unsigned handlers seen here; presumably
        ## filled by a sibling signed-data handler -- not visible in this excerpt)
        sdata: int &optional &log;
        ## s7 unsigned data
        udata: count &optional &log;
        ## s7 real data (presumably filled by a sibling handler, not shown)
        ddata: double &optional &log;
        ## T when produced by a read handler, F when produced by a write handler
        isread: bool &log;
    };

    global log_iso_cotp: event(rec: InfoIso);
    global log_s7comm: event(rec: InfoS7comm);
    global log_s7data: event(rec: InfoS7data);
}

# Per-connection slots for the last record of each layer.
redef record connection += {
    iso_cotp: InfoIso &optional;
    s7comm: InfoS7comm &optional;
    s7data: InfoS7data &optional;
};

# Port set the S7comm analyzer is attached to in bro_init (module-private,
# declared outside the export block).
const ports = { 102/tcp };

# redef likely_server_ports += { ports };

# ../lib/bif/s7comm.bif

# Creates the three log streams and registers the analyzer on `ports`.
# NOTE(review): bro_init is the pre-3.0 spelling; newer Zeek releases use
# zeek_init -- confirm which release this script targets.
event bro_init() &priority=5
    {
    Log::create_stream(S7comm::LOG1, [$columns=InfoIso, $ev=log_iso_cotp, $path="iso_cotp"]);
    Log::create_stream(S7comm::LOG2, [$columns=InfoS7comm, $ev=log_s7comm, $path="s7comm"]);
    Log::create_stream(S7comm::LOG3, [$columns=InfoS7data, $ev=log_s7data, $path="s7data"]);
    Analyzer::register_for_ports(Analyzer::ANALYZER_S7COMM, ports);
    }

...

## Log one unsigned S7comm *read* to the "s7data" stream.
##
## ``area`` and ``s7type`` come straight from the parsed packet and are
## used as table indexes into s7area_types / s7type_types (declared
## elsewhere, presumably in ./consts).  If those tables carry no
## &default, an unknown code from the wire aborts this handler before
## Log::write runs and nothing is logged for that request -- TODO confirm
## against consts.
event siemenss7_read_data_unsigned(c: connection, area: count, db: count, s7type: count, address: count, data: count) &priority=5
    {
    local s: InfoS7data;
    s$ts=network_time();
    s$uid=c$uid;
    s$id=c$id;
    s$area=s7area_types[area];
    s$areanum=area;
    s$dbnum=db;
    s$s7type=s7type_types[s7type];
    s$s7typenum=s7type;
    s$address=address;
    # Unsigned payload only; sdata/ddata stay unset (&optional).
    s$udata=data;
    s$isread=T;
    # Keep the last record on the connection, then log it.
    c$s7data=s;
    Log::write(S7comm::LOG3, c$s7data);
    }

...
## Log one unsigned S7comm *write* to the "s7data" stream.
##
## Mirrors siemenss7_read_data_unsigned except that ``isread`` is F.
## ``area`` and ``s7type`` come straight from the parsed packet and are
## resolved to names through the s7area_types / s7type_types tables
## (declared elsewhere, presumably in ./consts); if those tables carry
## no &default, an unknown code aborts this handler before anything is
## logged -- TODO confirm against consts.
event siemenss7_write_data_unsigned(c: connection, area: count, db: count, s7type: count, address: count, data: count) &priority=5
    {
    # Build the record in one constructor rather than field by field; the
    # field order below matches the original assignment order, so the two
    # table lookups happen at the same points.  sdata/ddata are left unset
    # (&optional) because this handler only carries unsigned data.
    local rec = InfoS7data($ts        = network_time(),
                           $uid       = c$uid,
                           $id        = c$id,
                           $area      = s7area_types[area],
                           $areanum   = area,
                           $dbnum     = db,
                           $s7type    = s7type_types[s7type],
                           $s7typenum = s7type,
                           $address   = address,
                           $udata     = data,
                           $isread    = F);

    # Remember the last data record on the connection, then emit it.
    c$s7data = rec;
    Log::write(S7comm::LOG3, rec);
    }