various updates for v23.11.0 development:

* replace master/slave with client/server for modbus (idaholab#291) * modbus updates for icsnpp-modbus (idaholab#289) * point some Zeek plugins back upstream * added new visualizations to modbus dashboard
mmguero-dev · Nov 10, 2023 · 0a6565d · 0a6565d
1 parent 5dbb346
commit 0a6565d
Show file tree

Hide file tree

Showing 10 changed files with 246 additions and 53 deletions.
diff --git a/Dockerfiles/netbox.Dockerfile b/Dockerfiles/netbox.Dockerfile
@@ -1,4 +1,4 @@
-FROM netboxcommunity/netbox:v3.6.4
+FROM netboxcommunity/netbox:v3.6.5
 
 # Copyright (c) 2023 Battelle Energy Alliance, LLC.  All rights reserved.
 LABEL maintainer="[email protected]"

diff --git a/arkime/etc/config.ini b/arkime/etc/config.ini
@@ -675,6 +675,7 @@ zeek.modbus.exception=db:zeek.modbus.exception;group:zeek_modbus;kind:termfield;
 zeek.modbus.unit_id=db:zeek.modbus.unit_id;group:zeek_modbus;kind:integer;viewerOnly:true;friendly:Unit/Server ID;help:Unit/Server ID
 zeek.modbus.trans_id=db:zeek.modbus.trans_id;group:zeek_modbus;kind:integer;viewerOnly:true;friendly:Transaction ID;help:Transaction ID
 zeek.modbus.network_direction=db:zeek.modbus.network_direction;group:zeek_modbus;kind:termfield;viewerOnly:true;friendly:PDU Type;help:Request or Response
+zeek.modbus.mei_type=db:zeek.modbus.mei_type;group:modbus;kind:termfield;friendly:MEI Type;help:MEI Type
 
 # modbus_detailed.log
 # https://github.com/cisagov/ICSNPP
@@ -687,6 +688,15 @@ zeek.modbus_detailed.values=db:zeek.modbus_detailed.values;group:zeek_modbus;kin
 zeek.modbus_mask_write_register.and_mask=db:zeek.modbus_mask_write_register.and_mask;group:zeek_modbus;kind:integer;viewerOnly:true;friendly:Boolean AND mask to apply to target register;help:Boolean AND mask to apply to target register
 zeek.modbus_mask_write_register.or_mask=db:zeek.modbus_mask_write_register.or_mask;group:zeek_modbus;kind:integer;viewerOnly:true;friendly:Boolean OR mask to apply to target register;help:Boolean OR mask to apply to target register
 
+# modbus_read_device_identification.log
+# https://github.com/cisagov/icsnpp-modbus
+zeek.modbus_read_device_identification.conformity_level_code=db:zeek.modbus_read_device_identification.conformity_level_code;group:zeek_modbus_read_device_identification;kind:termfield;friendly:Conformity Level Code;help:Conformity Level Code
+zeek.modbus_read_device_identification.conformity_level=db:zeek.modbus_read_device_identification.conformity_level;group:zeek_modbus_read_device_identification;kind:termfield;friendly:Conformity Level;help:Conformity Level
+zeek.modbus_read_device_identification.device_id_code=db:zeek.modbus_read_device_identification.device_id_code;group:zeek_modbus_read_device_identification;kind:integer;friendly:Device ID Code;help:Device ID Code
+zeek.modbus_read_device_identification.object_id_code=db:zeek.modbus_read_device_identification.object_id_code;group:zeek_modbus_read_device_identification;kind:termfield;friendly:Object ID Code;help:Object ID Code
+zeek.modbus_read_device_identification.object_id=db:zeek.modbus_read_device_identification.object_id;group:zeek_modbus_read_device_identification;kind:termfield;friendly:Object ID;help:Object ID
+zeek.modbus_read_device_identification.object_value=db:zeek.modbus_read_device_identification.object_value;group:zeek_modbus_read_device_identification;kind:termfield;friendly:Object Value;help:Object Value
+
 # modbus_read_write_multiple_registers.log
 # https://github.com/cisagov/ICSNPP
 zeek.modbus_read_write_multiple_registers.write_start_address=db:zeek.modbus_read_write_multiple_registers.write_start_address;group:zeek_modbus;kind:integer;viewerOnly:true;friendly:Starting address of the registers to write to;help:Starting address of the registers to write to
@@ -2600,9 +2610,10 @@ o_zeek_known_modbus=require:zeek.known_modbus;title:Zeek zeek.known_modbus.log;f
 o_zeek_ldap=require:zeek.ldap;title:Zeek ldap.log;fields:zeek.ldap.message_id,zeek.ldap.version,zeek.ldap.operation,zeek.ldap.result_code,zeek.ldap.result_message,zeek.ldap.object,zeek.ldap.argument
 o_zeek_ldap_search=require:zeek.ldap_search;title:Zeek ldap_search.log;fields:zeek.ldap_search.message_id,zeek.ldap_search.filter,zeek.ldap_search.attributes,zeek.ldap_search.scope,zeek.ldap_search.deref,zeek.ldap_search.base_object,zeek.ldap_search.result_count,zeek.ldap_search.result_code,zeek.ldap_search.result_message
 o_zeek_login=require:zeek.login;title:Zeek login.log;fields:zeek.login.client_user,zeek.login.confused,zeek.login.success
-o_zeek_modbus=require:zeek.modbus;title:Zeek modbus.log;fields:zeek.modbus.trans_id,zeek.modbus.unit_id,zeek.modbus.network_direction,zeek.modbus.func,zeek.modbus.exception
+o_zeek_modbus=require:zeek.modbus;title:Zeek modbus.log;fields:zeek.modbus.trans_id,zeek.modbus.unit_id,zeek.modbus.network_direction,zeek.modbus.func,zeek.modbus.exception,zeek.modbus.mei_type,
 o_zeek_modbus_detailed=require:zeek.modbus_detailed;title:Zeek modbus_detailed.log;fields:zeek.modbus.unit_id,zeek.modbus.func,zeek.modbus.network_direction,zeek.modbus_detailed.address,zeek.modbus_detailed.quantity,zeek.modbus_detailed.values
 o_zeek_modbus_mask_write_register=require:zeek.modbus_mask_write_register;title:Zeek modbus_mask_write_register.log;fields:zeek.modbus_detailed.unit_id,zeek.modbus.func,zeek.modbus_detailed.network_direction,zeek.modbus_detailed.address,zeek.modbus_mask_write_register.and_mask,zeek.modbus_mask_write_register.or_mask
+o_zeek_modbus_read_device_identification=require:zeek.modbus_read_device_identification;title:Zeek modbus_read_device_identification.log;fields:zeek.modbus_read_device_identification.conformity_level_code,zeek.modbus_read_device_identification.conformity_level,zeek.modbus_read_device_identification.device_id_code,zeek.modbus_read_device_identification.object_id_code,zeek.modbus_read_device_identification.object_id,zeek.modbus_read_device_identification.object_value
 o_zeek_modbus_read_write_multiple_registers=require:zeek.modbus_read_write_multiple_registers;title:Zeek modbus_read_write_multiple_registers.log;fields:zeek.modbus_detailed.unit_id,zeek.modbus.func,zeek.modbus_detailed.network_direction,zeek.modbus_read_write_multiple_registers.write_start_address,zeek.modbus_read_write_multiple_registers.write_registers,zeek.modbus_read_write_multiple_registers.read_start_address,zeek.modbus_read_write_multiple_registers.read_quantity,zeek.modbus_read_write_multiple_registers.read_registers
 o_zeek_mqtt_connect=require:zeek.mqtt_connect;title:Zeek mqtt_connect.log;fields:zeek.mqtt_connect.proto_name,zeek.mqtt_connect.proto_version,zeek.mqtt_connect.client_id,zeek.mqtt_connect.connect_status,zeek.mqtt_connect.will_topic,zeek.mqtt_connect.will_payload
 o_zeek_mqtt_publish=require:zeek.mqtt_publish;title:Zeek mqtt_publish.log;fields:zeek.mqtt_publish.from_client,zeek.mqtt_publish.retain,zeek.mqtt_publish.qos,zeek.mqtt_publish.status,zeek.mqtt_publish.topic,zeek.mqtt_publish.payload,zeek.mqtt_publish.payload_len,zeek.mqtt_publish.payload_dict.messageType

diff --git a/arkime/wise/source.zeeklogs.js b/arkime/wise/source.zeeklogs.js
@@ -1116,11 +1116,18 @@ class MalcolmSource extends WISESource {
       "zeek.modbus.network_direction",
       "zeek.modbus.trans_id",
       "zeek.modbus.unit_id",
+      "zeek.modbus.mei_type",
       "zeek.modbus_detailed.address",
       "zeek.modbus_detailed.quantity",
       "zeek.modbus_detailed.values",
       "zeek.modbus_mask_write_register.and_mask",
       "zeek.modbus_mask_write_register.or_mask",
+      "zeek.modbus_read_device_identification.conformity_level_code",
+      "zeek.modbus_read_device_identification.conformity_level",
+      "zeek.modbus_read_device_identification.device_id_code",
+      "zeek.modbus_read_device_identification.object_id_code",
+      "zeek.modbus_read_device_identification.object_id",
+      "zeek.modbus_read_device_identification.object_value",
       "zeek.modbus_read_write_multiple_registers.read_quantity",
       "zeek.modbus_read_write_multiple_registers.read_registers",
       "zeek.modbus_read_write_multiple_registers.read_start_address",