add s7comm upload/download log support

cisagov · Oct 10, 2022 · 515c170 · 515c170
1 parent 143bfcb
commit 515c170
Show file tree

Hide file tree

Showing 8 changed files with 208 additions and 41 deletions.
diff --git a/arkime/etc/config.ini b/arkime/etc/config.ini
@@ -1181,6 +1181,18 @@ zeek.s7comm_read_szl.szl_index=db:zeek.s7comm_read_szl.szl_index;group:zeek_s7co
 zeek.s7comm_read_szl.return_code=db:zeek.s7comm_read_szl.return_code;group:zeek_s7comm_read_szl;kind:termfield;friendly:Return Code;help:Return Code
 zeek.s7comm_read_szl.return_code_name=db:zeek.s7comm_read_szl.return_code_name;group:zeek_s7comm_read_szl;kind:termfield;friendly:Return Message;help:Return Message
 
+# s7comm_upload_download.log
+# https://github.com/cisagov/icsnpp-s7comm
+zeek.s7comm_upload_download.rosctr_name=db:zeek.s7comm_upload_download.rosctr_name;group:zeek_s7comm_upload_download;kind:termfield;friendly:Remote Operating Service Control Name;help:Remote Operating Service Control Name
+zeek.s7comm_upload_download.function_name=db:zeek.s7comm_upload_download.function_name;group:zeek_s7comm_upload_download;kind:termfield;friendly:Function Name;help:Function Name
+zeek.s7comm_upload_download.function_status=db:zeek.s7comm_upload_download.function_status;group:zeek_s7comm_upload_download;kind:termfield;friendly:Function Result;help:Function Result
+zeek.s7comm_upload_download.session_id=db:zeek.s7comm_upload_download.session_id;group:zeek_s7comm_upload_download;kind:integer;friendly:Session ID;help:Session ID
+zeek.s7comm_upload_download.blocklength=db:zeek.s7comm_upload_download.blocklength;group:zeek_s7comm_upload_download;kind:integer;friendly:Block Length;help:Block Length
+zeek.s7comm_upload_download.filename=db:zeek.s7comm_upload_download.filename;group:zeek_s7comm_upload_download;kind:termfield;friendly:File Name;help:File Name
+zeek.s7comm_upload_download.block_type=db:zeek.s7comm_upload_download.block_type;group:zeek_s7comm_upload_download;kind:termfield;friendly:Block Type;help:Block Type
+zeek.s7comm_upload_download.block_number=db:zeek.s7comm_upload_download.block_number;group:zeek_s7comm_upload_download;kind:termfield;friendly:Block Number;help::Block Number
+zeek.s7comm_upload_download.destination_filesystem=db:zeek.s7comm_upload_download.destination_filesystem;group:zeek_s7comm_upload_download;kind:termfield;friendly:Destination File System;help:Destination File System
+
 # signatures.log
 zeek.signatures.note=db:zeek.signatures.note;group:zeek_signatures;kind:termfield;friendly:Note;help:Note
 zeek.signatures.signature_id=db:zeek.signatures.signature_id;group:zeek_signatures;kind:termfield;friendly:Signature ID;help:Signature ID
@@ -2153,6 +2165,7 @@ zeek_rfb=require:zeek.rfb;title:Zeek rfb.log;fields:zeek.rfb.client_major_versio
 zeek_s7comm=require:zeek.s7comm;title:Zeek s7comm.log;fields:zeek.s7comm.rosctr_code,zeek.s7comm.rosctr_name,zeek.s7comm.pdu_reference,zeek.s7comm.function_code,zeek.s7comm.function_name,zeek.s7comm.subfunction_code,zeek.s7comm.subfunction_name,zeek.s7comm.error_class,zeek.s7comm.error_code
 zeek_s7comm_plus=require:zeek.s7comm_plus;title:Zeek s7comm_plus.log;fields:zeek.s7comm_plus.version,zeek.s7comm_plus.opcode,zeek.s7comm_plus.opcode_name,zeek.s7comm_plus.function_code,zeek.s7comm_plus.function_name
 zeek_s7comm_read_szl=require:zeek.s7comm_read_szl;title:Zeek s7comm_read_szl.log;fields:zeek.s7comm.pdu_reference,zeek.s7comm_read_szl.method,zeek.s7comm_read_szl.szl_id,zeek.s7comm_read_szl.szl_id_name,zeek.s7comm_read_szl.szl_index,zeek.s7comm_read_szl.return_code,zeek.s7comm_read_szl.return_code_name
+zeek_s7comm_upload_download=require:zeek.s7comm_upload_download;title:Zeek s7comm_upload_download.log;fields:zeek.s7comm_upload_download.rosctr_name,zeek.s7comm.pdu_reference,zeek.s7comm_upload_download.function_name,zeek.s7comm_upload_download.function_status,zeek.s7comm_upload_download.session_id,zeek.s7comm_upload_download.blocklength,zeek.s7comm_upload_download.filename,zeek.s7comm_upload_download.block_type,zeek.s7comm_upload_download.block_number,zeek.s7comm_upload_download.destination_filesystem
 zeek_signatures=require:zeek.signatures;title:Zeek signatures.log;fields:event.module,rule.category,rule.name,vulnerability.category,vulnerability.enumeration,vulnerability.id,zeek.signatures.sub_message,zeek.signatures.signature_count,zeek.signatures.host_count
 zeek_sip=require:zeek.sip;title:Zeek sip.log;fields:zeek.sip.trans_depth,zeek.sip.method,zeek.sip.uri,zeek.sip.date,zeek.sip.request_from,zeek.sip.request_to,zeek.sip.response_from,zeek.sip.response_to,zeek.sip.reply_to,zeek.sip.call_id,zeek.sip.seq,zeek.sip.subject,zeek.sip.request_path,zeek.sip.response_path,zeek.sip.user_agent,zeek.sip.status_code,zeek.sip.status_msg,zeek.sip.warning,zeek.sip.request_body_len,zeek.sip.response_body_len,zeek.sip.content_type,zeek.sip.version
 zeek_smb_cmd=require:zeek.smb_cmd;title:Zeek smb_cmd.log;fields:zeek.smb_cmd.command,zeek.smb_cmd.sub_command,zeek.smb_cmd.argument,zeek.smb_cmd.status,zeek.smb_cmd.rtt,zeek.smb_cmd.version,zeek.smb_cmd.user,zeek.smb_cmd.tree,zeek.smb_cmd.tree_service

diff --git a/arkime/wise/source.zeeklogs.js b/arkime/wise/source.zeeklogs.js
@@ -1564,6 +1564,15 @@ class MalcolmSource extends WISESource {
       "zeek.s7comm_read_szl.szl_id",
       "zeek.s7comm_read_szl.szl_id_name",
       "zeek.s7comm_read_szl.szl_index",
+      "zeek.s7comm_upload_download.block_number",
+      "zeek.s7comm_upload_download.block_type",
+      "zeek.s7comm_upload_download.blocklength",
+      "zeek.s7comm_upload_download.destination_filesystem",
+      "zeek.s7comm_upload_download.filename",
+      "zeek.s7comm_upload_download.function_name",
+      "zeek.s7comm_upload_download.function_status",
+      "zeek.s7comm_upload_download.rosctr_name",
+      "zeek.s7comm_upload_download.session_id",
       "zeek.signatures.event_message",
       "zeek.signatures.hits.Capa",
       "zeek.signatures.hits.ClamAV",