diff --git a/Dockerfiles/netbox.Dockerfile b/Dockerfiles/netbox.Dockerfile
index 4d5dbc7fb..49df64e4f 100644
--- a/Dockerfiles/netbox.Dockerfile
+++ b/Dockerfiles/netbox.Dockerfile
@@ -1,4 +1,4 @@
-FROM netboxcommunity/netbox:v3.6.4
+FROM netboxcommunity/netbox:v3.6.5
 # Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved.
 LABEL maintainer="malcolm@inl.gov"
diff --git a/arkime/etc/config.ini b/arkime/etc/config.ini
index 1175de8b5..3caf5a270 100644
--- a/arkime/etc/config.ini
+++ b/arkime/etc/config.ini
@@ -675,6 +675,7 @@ zeek.modbus.exception=db:zeek.modbus.exception;group:zeek_modbus;kind:termfield;
 zeek.modbus.unit_id=db:zeek.modbus.unit_id;group:zeek_modbus;kind:integer;viewerOnly:true;friendly:Unit/Server ID;help:Unit/Server ID
 zeek.modbus.trans_id=db:zeek.modbus.trans_id;group:zeek_modbus;kind:integer;viewerOnly:true;friendly:Transaction ID;help:Transaction ID
 zeek.modbus.network_direction=db:zeek.modbus.network_direction;group:zeek_modbus;kind:termfield;viewerOnly:true;friendly:PDU Type;help:Request or Response
+zeek.modbus.mei_type=db:zeek.modbus.mei_type;group:modbus;kind:termfield;friendly:MEI Type;help:MEI Type
 # modbus_detailed.log
 # https://github.com/cisagov/ICSNPP
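Review bot: The new `zeek.modbus.mei_type` definition uses `group:modbus` while every sibling `zeek.modbus.*` field in this hunk uses `group:zeek_modbus`, so the field would be filed under a different Arkime field group than the rest of the modbus.log fields; unless that is deliberate it should read `zeek.modbus.mei_type=db:zeek.modbus.mei_type;group:zeek_modbus;kind:termfield;viewerOnly:true;friendly:MEI Type;help:MEI Type`. The siblings also all carry `viewerOnly:true`, which the new line omits, and the `modbus_read_device_identification.*` fields added in the next hunk (@@ -687) likewise omit `viewerOnly:true` and introduce their own group `zeek_modbus_read_device_identification` instead of `zeek_modbus`, so the same consistency question applies there. The `help` text only repeats the friendly name; the neighbouring `network_direction` entry shows the more useful pattern (`help:Request or Response`), so a short description of what an MEI type value means would serve analysts better.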
@@ -687,6 +688,15 @@ zeek.modbus_detailed.values=db:zeek.modbus_detailed.values;group:zeek_modbus;kin
 zeek.modbus_mask_write_register.and_mask=db:zeek.modbus_mask_write_register.and_mask;group:zeek_modbus;kind:integer;viewerOnly:true;friendly:Boolean AND mask to apply to target register;help:Boolean AND mask to apply to target register
 zeek.modbus_mask_write_register.or_mask=db:zeek.modbus_mask_write_register.or_mask;group:zeek_modbus;kind:integer;viewerOnly:true;friendly:Boolean OR mask to apply to target register;help:Boolean OR mask to apply to target register
+# modbus_read_device_identification.log
+# https://github.com/cisagov/icsnpp-modbus
+zeek.modbus_read_device_identification.conformity_level_code=db:zeek.modbus_read_device_identification.conformity_level_code;group:zeek_modbus_read_device_identification;kind:termfield;friendly:Conformity Level Code;help:Conformity Level Code
+zeek.modbus_read_device_identification.conformity_level=db:zeek.modbus_read_device_identification.conformity_level;group:zeek_modbus_read_device_identification;kind:termfield;friendly:Conformity Level;help:Conformity Level
+zeek.modbus_read_device_identification.device_id_code=db:zeek.modbus_read_device_identification.device_id_code;group:zeek_modbus_read_device_identification;kind:integer;friendly:Device ID Code;help:Device ID Code
+zeek.modbus_read_device_identification.object_id_code=db:zeek.modbus_read_device_identification.object_id_code;group:zeek_modbus_read_device_identification;kind:termfield;friendly:Object ID Code;help:Object ID Code
+zeek.modbus_read_device_identification.object_id=db:zeek.modbus_read_device_identification.object_id;group:zeek_modbus_read_device_identification;kind:termfield;friendly:Object ID;help:Object ID
+zeek.modbus_read_device_identification.object_value=db:zeek.modbus_read_device_identification.object_value;group:zeek_modbus_read_device_identification;kind:termfield;friendly:Object Value;help:Object Value
+
 # modbus_read_write_multiple_registers.log
 # https://github.com/cisagov/ICSNPP
 zeek.modbus_read_write_multiple_registers.write_start_address=db:zeek.modbus_read_write_multiple_registers.write_start_address;group:zeek_modbus;kind:integer;viewerOnly:true;friendly:Starting address of the registers to write to;help:Starting address of the registers to write to
@@ -2600,9 +2610,10 @@ o_zeek_known_modbus=require:zeek.known_modbus;title:Zeek zeek.known_modbus.log;f
 o_zeek_ldap=require:zeek.ldap;title:Zeek ldap.log;fields:zeek.ldap.message_id,zeek.ldap.version,zeek.ldap.operation,zeek.ldap.result_code,zeek.ldap.result_message,zeek.ldap.object,zeek.ldap.argument
 o_zeek_ldap_search=require:zeek.ldap_search;title:Zeek ldap_search.log;fields:zeek.ldap_search.message_id,zeek.ldap_search.filter,zeek.ldap_search.attributes,zeek.ldap_search.scope,zeek.ldap_search.deref,zeek.ldap_search.base_object,zeek.ldap_search.result_count,zeek.ldap_search.result_code,zeek.ldap_search.result_message
 o_zeek_login=require:zeek.login;title:Zeek login.log;fields:zeek.login.client_user,zeek.login.confused,zeek.login.success
-o_zeek_modbus=require:zeek.modbus;title:Zeek modbus.log;fields:zeek.modbus.trans_id,zeek.modbus.unit_id,zeek.modbus.network_direction,zeek.modbus.func,zeek.modbus.exception
+o_zeek_modbus=require:zeek.modbus;title:Zeek modbus.log;fields:zeek.modbus.trans_id,zeek.modbus.unit_id,zeek.modbus.network_direction,zeek.modbus.func,zeek.modbus.exception,zeek.modbus.mei_type,
 o_zeek_modbus_detailed=require:zeek.modbus_detailed;title:Zeek modbus_detailed.log;fields:zeek.modbus.unit_id,zeek.modbus.func,zeek.modbus.network_direction,zeek.modbus_detailed.address,zeek.modbus_detailed.quantity,zeek.modbus_detailed.values
 o_zeek_modbus_mask_write_register=require:zeek.modbus_mask_write_register;title:Zeek modbus_mask_write_register.log;fields:zeek.modbus_detailed.unit_id,zeek.modbus.func,zeek.modbus_detailed.network_direction,zeek.modbus_detailed.address,zeek.modbus_mask_write_register.and_mask,zeek.modbus_mask_write_register.or_mask
+o_zeek_modbus_read_device_identification=require:zeek.modbus_read_device_identification;title:Zeek modbus_read_device_identification.log;fields:zeek.modbus_read_device_identification.conformity_level_code,zeek.modbus_read_device_identification.conformity_level,zeek.modbus_read_device_identification.device_id_code,zeek.modbus_read_device_identification.object_id_code,zeek.modbus_read_device_identification.object_id,zeek.modbus_read_device_identification.object_value
 o_zeek_modbus_read_write_multiple_registers=require:zeek.modbus_read_write_multiple_registers;title:Zeek modbus_read_write_multiple_registers.log;fields:zeek.modbus_detailed.unit_id,zeek.modbus.func,zeek.modbus_detailed.network_direction,zeek.modbus_read_write_multiple_registers.write_start_address,zeek.modbus_read_write_multiple_registers.write_registers,zeek.modbus_read_write_multiple_registers.read_start_address,zeek.modbus_read_write_multiple_registers.read_quantity,zeek.modbus_read_write_multiple_registers.read_registers
 o_zeek_mqtt_connect=require:zeek.mqtt_connect;title:Zeek mqtt_connect.log;fields:zeek.mqtt_connect.proto_name,zeek.mqtt_connect.proto_version,zeek.mqtt_connect.client_id,zeek.mqtt_connect.connect_status,zeek.mqtt_connect.will_topic,zeek.mqtt_connect.will_payload
 o_zeek_mqtt_publish=require:zeek.mqtt_publish;title:Zeek mqtt_publish.log;fields:zeek.mqtt_publish.from_client,zeek.mqtt_publish.retain,zeek.mqtt_publish.qos,zeek.mqtt_publish.status,zeek.mqtt_publish.topic,zeek.mqtt_publish.payload,zeek.mqtt_publish.payload_len,zeek.mqtt_publish.payload_dict.messageType
diff --git a/arkime/wise/source.zeeklogs.js b/arkime/wise/source.zeeklogs.js
index ecdfd3412..ddd1b0e1c 100644
--- a/arkime/wise/source.zeeklogs.js
+++ b/arkime/wise/source.zeeklogs.js
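Review bot: The rewritten `o_zeek_modbus` line ends its `fields:` list with a trailing comma (`...,zeek.modbus.exception,zeek.modbus.mei_type,`), which leaves an empty final element in the field list; none of the neighbouring `o_zeek_*` lines, including the new `o_zeek_modbus_read_device_identification`, end that way. Drop the comma so the line ends `...,zeek.modbus.exception,zeek.modbus.mei_type`. I can't tell from this hunk how Arkime's config parser handles an empty field name, but it is at best ignored and at worst a malformed view definition, so it shouldn't ship.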
@@ -1116,11 +1116,18 @@ class MalcolmSource extends WISESource {
 "zeek.modbus.network_direction",
 "zeek.modbus.trans_id",
 "zeek.modbus.unit_id",
+ "zeek.modbus.mei_type",
 "zeek.modbus_detailed.address",
 "zeek.modbus_detailed.quantity",
 "zeek.modbus_detailed.values",
 "zeek.modbus_mask_write_register.and_mask",
 "zeek.modbus_mask_write_register.or_mask",
+ "zeek.modbus_read_device_identification.conformity_level_code",
+ "zeek.modbus_read_device_identification.conformity_level",
+ "zeek.modbus_read_device_identification.device_id_code",
+ "zeek.modbus_read_device_identification.object_id_code",
+ "zeek.modbus_read_device_identification.object_id",
+ "zeek.modbus_read_device_identification.object_value",
 "zeek.modbus_read_write_multiple_registers.read_quantity",
 "zeek.modbus_read_write_multiple_registers.read_registers",
 "zeek.modbus_read_write_multiple_registers.read_start_address",
diff --git a/dashboards/dashboards/152f29dc-51a2-4f53-93e9-6e92765567b8.json b/dashboards/dashboards/152f29dc-51a2-4f53-93e9-6e92765567b8.json
index adcd93ba0..ce98e6a07 100644
--- a/dashboards/dashboards/152f29dc-51a2-4f53-93e9-6e92765567b8.json
+++ b/dashboards/dashboards/152f29dc-51a2-4f53-93e9-6e92765567b8.json
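Review bot: `"zeek.modbus.mei_type"` is inserted after `"zeek.modbus.unit_id"`, but the visible context of this list (`network_direction`, `trans_id`, `unit_id`, then the `modbus_detailed.*` and `modbus_mask_write_register.*` entries) appears to be kept in alphabetical order, so the new entry belongs before `"zeek.modbus.network_direction"`. Keeping the order makes later additions easy to diff against arkime/etc/config.ini, which this commit changes in parallel. The array literal and the enclosing `MalcolmSource` class both start and end outside the hunk.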
@@ -7,13 +7,13 @@ "namespaces": [ "default" ], - "updated_at": "2023-07-19T23:38:35.641Z", - "version": "Wzk0OSwxXQ==", + "updated_at": "2023-11-10T19:05:19.809Z", + "version": "Wzk1NywxXQ==", "attributes": { "title": "Modbus", "hits": 0, "description": "Dashboard for the Modbus Protocol", - "panelsJSON": "[{\"version\":\"2.8.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":30,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":0,\"y\":84,\"w\":48,\"h\":18,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":32,\"y\":23,\"w\":8,\"h\":18,\"i\":\"15\"},\"panelIndex\":\"15\",\"embeddableConfig\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"asc\"}},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_2\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":40,\"y\":23,\"w\":8,\"h\":18,\"i\":\"16\"},\"panelIndex\":\"16\",\"embeddableConfig\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"asc\"}},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_3\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":8,\"y\":23,\"w\":11,\"h\":18,\"i\":\"18\"},\"panelIndex\":\"18\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":0,\"y\":30,\"w\":8,\"h\":11,\"i\":\"19\"},\"panelIndex\":\"19\",\"embeddableConfig\":{\"legendOpen\":true,\"table\":null,\"vis\":{\"legendOpen\":true}},\"panelRefName\":\"panel_5\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":8,\"y\":0,\"w\":11,\"h\":23,\"i\":\"90799aa8-a1f5-4f22-8ebd-fcc89d16f6de\"},\"panelIndex\":\"90799aa8-a1f5-4f22-8ebd-fcc89d16f6de\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":19,\"y\":0,\"w\":29,\"h\":23,\"i\":\"218010cf-a0d9-4864-815b-f562bb67949d\"},\"panelIndex\":\"218010cf-a0d9-4864
-815b-f562bb67949d\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":19,\"y\":23,\"w\":13,\"h\":18,\"i\":\"5fd617f5-e213-4c2b-ae10-7a1643e739a7\"},\"panelIndex\":\"5fd617f5-e213-4c2b-ae10-7a1643e739a7\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":0,\"y\":41,\"w\":16,\"h\":26,\"i\":\"f8941a7d-be4b-4782-b72b-808645d02139\"},\"panelIndex\":\"f8941a7d-be4b-4782-b72b-808645d02139\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":16,\"y\":41,\"w\":16,\"h\":43,\"i\":\"c0d7fb2c-a651-4054-b4cd-026d9f34ad44\"},\"panelIndex\":\"c0d7fb2c-a651-4054-b4cd-026d9f34ad44\",\"embeddableConfig\":{\"params\":{\"sort\":{\"columnIndex\":4,\"direction\":\"asc\"}},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"}},\"sortColumn\":{\"colIndex\":4,\"direction\":\"desc\"}}},\"panelRefName\":\"panel_10\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":32,\"y\":41,\"w\":16,\"h\":43,\"i\":\"502f22a6-2e5c-44dd-afa8-39309464f3f2\"},\"panelIndex\":\"502f22a6-2e5c-44dd-afa8-39309464f3f2\",\"embeddableConfig\":{\"params\":{\"sort\":{\"columnIndex\":5,\"direction\":\"asc\"}},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":5,\"direction\":\"desc\"}},\"sortColumn\":{\"colIndex\":5,\"direction\":\"desc\"}}},\"panelRefName\":\"panel_11\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":0,\"y\":67,\"w\":16,\"h\":17,\"i\":\"a3049ec4-3c48-4a43-9899-99c018670773\"},\"panelIndex\":\"a3049ec4-3c48-4a43-9899-99c018670773\",\"embeddableConfig\":{},\"panelRefName\":\"panel_12\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":0,\"y\":102,\"w\":48,\"h\":23,\"i\":\"1d1b2b12-c510-4b9e-9fbe-b65a2946fe13\"},\"panelIndex\":\"1d1b2b12-c510-4b9e-9fbe-b65a2946fe13\",\"embeddableConfig\":{\"sort\":[[\"firstPacket\",\"asc\"]]},\"panelRefName\":\"panel_13\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":0,\"y\":125,\"w\":48,\"h\":15,\"i\":\"99311c07-fbae-4197-ab3f-f8ddf89dee
fc\"},\"panelIndex\":\"99311c07-fbae-4197-ab3f-f8ddf89deefc\",\"embeddableConfig\":{},\"panelRefName\":\"panel_14\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":0,\"y\":140,\"w\":48,\"h\":15,\"i\":\"f50e3c18-31ce-482f-b6a0-c99215b5b5e9\"},\"panelIndex\":\"f50e3c18-31ce-482f-b6a0-c99215b5b5e9\",\"embeddableConfig\":{},\"panelRefName\":\"panel_15\"}]", + "panelsJSON": "[{\"version\":\"2.8.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":30,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":0,\"y\":85,\"w\":48,\"h\":18,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":32,\"y\":23,\"w\":8,\"h\":18,\"i\":\"15\"},\"panelIndex\":\"15\",\"embeddableConfig\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"asc\"}},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_2\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":40,\"y\":23,\"w\":8,\"h\":18,\"i\":\"16\"},\"panelIndex\":\"16\",\"embeddableConfig\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"asc\"}},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_3\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":8,\"y\":23,\"w\":11,\"h\":18,\"i\":\"18\"},\"panelIndex\":\"18\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":0,\"y\":30,\"w\":8,\"h\":11,\"i\":\"19\"},\"panelIndex\":\"19\",\"embeddableConfig\":{\"legendOpen\":true,\"table\":null,\"vis\":{\"legendOpen\":true}},\"panelRefName\":\"panel_5\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":8,\"y\":0,\"w\":11,\"h\":23,\"i\":\"90799aa8-a1f5-4f22-8ebd-fcc89d16f6de\"},\"panelIndex\":\"90799aa8-a1f5-4f22-8ebd-fcc89d16f6de\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":19,\"y\":0,\"w\":29,\"h\":23,\"i\":\"218010cf-a0d9-
4864-815b-f562bb67949d\"},\"panelIndex\":\"218010cf-a0d9-4864-815b-f562bb67949d\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":19,\"y\":23,\"w\":13,\"h\":18,\"i\":\"5fd617f5-e213-4c2b-ae10-7a1643e739a7\"},\"panelIndex\":\"5fd617f5-e213-4c2b-ae10-7a1643e739a7\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":0,\"y\":41,\"w\":16,\"h\":26,\"i\":\"f8941a7d-be4b-4782-b72b-808645d02139\"},\"panelIndex\":\"f8941a7d-be4b-4782-b72b-808645d02139\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":16,\"y\":41,\"w\":16,\"h\":26,\"i\":\"c0d7fb2c-a651-4054-b4cd-026d9f34ad44\"},\"panelIndex\":\"c0d7fb2c-a651-4054-b4cd-026d9f34ad44\",\"embeddableConfig\":{\"params\":{\"sort\":{\"columnIndex\":4,\"direction\":\"asc\"}},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"}},\"sortColumn\":{\"colIndex\":4,\"direction\":\"desc\"}}},\"panelRefName\":\"panel_10\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":32,\"y\":41,\"w\":16,\"h\":26,\"i\":\"502f22a6-2e5c-44dd-afa8-39309464f3f2\"},\"panelIndex\":\"502f22a6-2e5c-44dd-afa8-39309464f3f2\",\"embeddableConfig\":{\"params\":{\"sort\":{\"columnIndex\":5,\"direction\":\"asc\"}},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":5,\"direction\":\"desc\"}},\"sortColumn\":{\"colIndex\":5,\"direction\":\"desc\"}}},\"panelRefName\":\"panel_11\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":0,\"y\":67,\"w\":16,\"h\":18,\"i\":\"a3049ec4-3c48-4a43-9899-99c018670773\"},\"panelIndex\":\"a3049ec4-3c48-4a43-9899-99c018670773\",\"embeddableConfig\":{},\"panelRefName\":\"panel_12\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":16,\"y\":67,\"w\":32,\"h\":18,\"i\":\"7efb9ae4-4913-4ae3-a945-0d83e27377d3\"},\"panelIndex\":\"7efb9ae4-4913-4ae3-a945-0d83e27377d3\",\"embeddableConfig\":{},\"panelRefName\":\"panel_13\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":0,\"y\":103,\"w\":48,\"h\":23,\"i\":\"1d1b2b12-
c510-4b9e-9fbe-b65a2946fe13\"},\"panelIndex\":\"1d1b2b12-c510-4b9e-9fbe-b65a2946fe13\",\"embeddableConfig\":{\"sort\":[[\"firstPacket\",\"asc\"]]},\"panelRefName\":\"panel_14\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":0,\"y\":126,\"w\":48,\"h\":15,\"i\":\"99311c07-fbae-4197-ab3f-f8ddf89deefc\"},\"panelIndex\":\"99311c07-fbae-4197-ab3f-f8ddf89deefc\",\"embeddableConfig\":{},\"panelRefName\":\"panel_15\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":0,\"y\":141,\"w\":48,\"h\":15,\"i\":\"f50e3c18-31ce-482f-b6a0-c99215b5b5e9\"},\"panelIndex\":\"f50e3c18-31ce-482f-b6a0-c99215b5b5e9\",\"embeddableConfig\":{},\"panelRefName\":\"panel_16\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":0,\"y\":156,\"w\":48,\"h\":19,\"i\":\"3711221b-ce64-447a-886b-6ad2c50322f9\"},\"panelIndex\":\"3711221b-ce64-447a-886b-6ad2c50322f9\",\"embeddableConfig\":{},\"panelRefName\":\"panel_17\"}]", "optionsJSON": "{\"useMargins\":true}", "version": 1, "timeRestore": false, @@ -89,18 +89,28 @@ }, { "name": "panel_13", + "type": "visualization", + "id": "f6d09e10-7ffb-11ee-9964-dd538601517e" + }, + { + "name": "panel_14", "type": "search", "id": "1cfb4e10-e0b7-11ea-8a49-0d5868b09681" }, { - "name": "panel_14", + "name": "panel_15", "type": "search", "id": "10e72aa0-0816-11eb-987d-c591a71f172b" }, { - "name": "panel_15", + "name": "panel_16", "type": "search", "id": "3ac0f900-0816-11eb-987d-c591a71f172b" + }, + { + "name": "panel_17", + "type": "search", + "id": "624a1d80-7ffa-11ee-9964-dd538601517e" } ], "migrationVersion": { @@ -113,7 +123,7 @@ "namespaces": [ "default" ], - "updated_at": "2023-07-19T23:21:19.884Z", + "updated_at": "2023-11-10T18:35:25.331Z", "version": "Wzg1NywxXQ==", "attributes": { "title": "Network Logs", @@ -136,7 +146,7 @@ "namespaces": [ "default" ], - "updated_at": "2023-07-19T23:20:16.971Z", + "updated_at": "2023-11-10T18:34:22.366Z", "version": "WzEzNCwxXQ==", "attributes": { "title": "Modbus - Logs", 
@@ -181,7 +191,7 @@ "namespaces": [ "default" ], - "updated_at": "2023-07-19T23:20:16.971Z", + "updated_at": "2023-11-10T18:34:22.366Z", "version": "WzEzNSwxXQ==", "attributes": { "title": "Modbus - Source IP", @@ -211,7 +221,7 @@ "namespaces": [ "default" ], - "updated_at": "2023-07-19T23:20:16.971Z", + "updated_at": "2023-11-10T18:34:22.366Z", "version": "WzEzNiwxXQ==", "attributes": { "title": "Modbus - Destination IP", @@ -241,7 +251,7 @@ "namespaces": [ "default" ], - "updated_at": "2023-07-19T23:20:16.971Z", + "updated_at": "2023-11-10T18:34:22.366Z", "version": "WzEzNywxXQ==", "attributes": { "title": "Modbus - Observed Clients and Servers", @@ -271,7 +281,7 @@ "namespaces": [ "default" ], - "updated_at": "2023-07-19T23:20:16.971Z", + "updated_at": "2023-11-10T18:34:22.366Z", "version": "WzEzOCwxXQ==", "attributes": { "title": "Modbus - Observed Client/Server Ratio", @@ -301,7 +311,7 @@ "namespaces": [ "default" ], - "updated_at": "2023-07-19T23:20:16.971Z", + "updated_at": "2023-11-10T18:34:22.366Z", "version": "WzEzOSwxXQ==", "attributes": { "title": "Modbus - Log Count", @@ -330,7 +340,7 @@ "namespaces": [ "default" ], - "updated_at": "2023-07-19T23:20:16.971Z", + "updated_at": "2023-11-10T18:34:22.366Z", "version": "WzE0MCwxXQ==", "attributes": { "title": "Modbus - Logs Over Time", @@ -359,7 +369,7 @@ "namespaces": [ "default" ], - "updated_at": "2023-07-19T23:20:16.971Z", + "updated_at": "2023-11-10T18:34:22.366Z", "version": "WzE0MSwxXQ==", "attributes": { "title": "Modbus - Functions and Exceptions", 
@@ -389,8 +399,8 @@ "namespaces": [ "default" ], - "updated_at": "2023-07-19T23:20:16.971Z", - "version": "WzE0NSwxXQ==", + "updated_at": "2023-11-10T18:34:22.366Z", + "version": "WzE0MiwxXQ==", "attributes": { "title": "Modbus Detailed - Request and Response", "visState": "{\"title\":\"Modbus Detailed - Request and Response\",\"type\":\"horizontal_bar\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"zeek.modbus.network_direction: 
Descending\",\"aggType\":\"terms\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"event.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Function\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.modbus.network_direction\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", 
@@ -419,11 +429,11 @@ "namespaces": [ "default" ], - "updated_at": "2023-07-19T23:36:30.972Z", - "version": "Wzk0NywxXQ==", + "updated_at": "2023-11-10T18:56:50.612Z", + "version": "Wzk1NCwxXQ==", "attributes": { "title": "Modbus - Reads", - "visState": "{\"title\":\"Modbus - Reads\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Function\"},\"schema\":\"bucket\"},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"destination.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IP\"},\"schema\":\"bucket\"},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.modbus.unit_id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"-\",\"customLabel\":\"Unit 
ID\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.modbus_detailed.values\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":false,\"otherBucketLabel\":\"-\",\"missingBucket\":false,\"missingBucketLabel\":\"-\",\"customLabel\":\"Values\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":30,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":5,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Values\",\"aggType\":\"terms\"}]}}}", + "visState": "{\"title\":\"Modbus - Reads\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Function\"},\"schema\":\"bucket\"},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"destination.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IP\"},\"schema\":\"bucket\"},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.modbus.unit_id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"-\",\"customLabel\":\"Unit 
ID\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.modbus_detailed.values\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":false,\"otherBucketLabel\":\"-\",\"missingBucket\":false,\"missingBucketLabel\":\"-\",\"customLabel\":\"Values\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":15,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":5,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Values\",\"aggType\":\"terms\"}]}}}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "description": "Modbus read holding registers, input registers, discrete inputs, and coils overview from modbus_detailed.log", "version": 1, 
@@ -449,11 +459,11 @@ "namespaces": [ "default" ], - "updated_at": "2023-07-19T23:37:28.218Z", - "version": "Wzk0OCwxXQ==", + "updated_at": "2023-11-10T19:01:32.686Z", + "version": "Wzk1NSwxXQ==", "attributes": { "title": "Modbus - Writes", - "visState": "{\"title\":\"Modbus - Writes\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Function\"},\"schema\":\"bucket\"},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"destination.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IP\"},\"schema\":\"bucket\"},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.modbus.unit_id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"-\",\"customLabel\":\"Unit 
ID\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.modbus_detailed.address\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":false,\"otherBucketLabel\":\"-\",\"missingBucket\":false,\"missingBucketLabel\":\"-\",\"customLabel\":\"Address\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.modbus_detailed.values\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":false,\"otherBucketLabel\":\"-\",\"missingBucket\":false,\"missingBucketLabel\":\"-\",\"customLabel\":\"Values\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":30,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":3,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Values\",\"aggType\":\"terms\"}]}}}", + "visState": "{\"title\":\"Modbus - 
Writes\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Function\"},\"schema\":\"bucket\"},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"destination.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IP\"},\"schema\":\"bucket\"},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.modbus.unit_id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"-\",\"customLabel\":\"Unit ID\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.modbus_detailed.address\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":false,\"otherBucketLabel\":\"-\",\"missingBucket\":false,\"missingBucketLabel\":\"-\",\"customLabel\":\"Address\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.modbus_detailed.values\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":false,\"otherBucketLabel\":\"-\",\"missingBucket\":false,\"missingBucketLabel\":\"-\",\"customLabel\":\"Values\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":15,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":3,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"ac
cessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Values\",\"aggType\":\"terms\"}]}}}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "description": "Modbus write register and write coil overview from modbus_detailed.log", "version": 1, @@ -479,8 +489,8 @@ "namespaces": [ "default" ], - "updated_at": "2023-07-19T23:20:16.971Z", - "version": "WzE0MywxXQ==", + "updated_at": "2023-11-10T18:34:22.366Z", + "version": "WzE0NSwxXQ==", "attributes": { "title": "Modbus - Transport", "visState": "{\"title\":\"Modbus - Transport\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"network.type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Type\"},\"schema\":\"segment\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"network.transport\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Transport\"},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"destination.port\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Port\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100}}}", 
@@ -503,13 +513,43 @@
 "visualization": "7.10.0"
 }
 },
+ {
+ "id": "f6d09e10-7ffb-11ee-9964-dd538601517e",
+ "type": "visualization",
+ "namespaces": [
+ "default"
+ ],
+ "updated_at": "2023-11-10T19:04:24.945Z",
+ "version": "Wzk1NiwxXQ==",
+ "attributes": {
+ "title": "Modbus - Device Identification Objects",
+ "visState": "{\"title\":\"Modbus - Device Identification Objects\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.modbus_read_device_identification.device_id_code\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Device ID\"},\"schema\":\"bucket\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.modbus_read_device_identification.object_id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Object ID\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.modbus_read_device_identification.object_value\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Value\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}",
+ "uiStateJSON": "{\"vis\":{\"sortColumn\":{\"colIndex\":0,\"direction\":\"asc\"}}}",
+ "description": "",
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
+ },
+ "savedSearchRefName": "search_0"
+ },
+ "references": [
+ {
+ "name": 
"search_0",
+ "type": "search",
+ "id": "624a1d80-7ffa-11ee-9964-dd538601517e"
+ }
+ ],
+ "migrationVersion": {
+ "visualization": "7.10.0"
+ }
+ },
 {
 "id": "1cfb4e10-e0b7-11ea-8a49-0d5868b09681",
 "type": "search",
 "namespaces": [
 "default"
 ],
- "updated_at": "2023-07-19T23:20:16.971Z",
+ "updated_at": "2023-11-10T18:34:22.366Z",
 "version": "WzE0NiwxXQ==",
 "attributes": {
 "title": "Modbus - Detailed",
@@ -553,7 +593,7 @@
 "namespaces": [
 "default"
 ],
- "updated_at": "2023-07-19T23:20:16.971Z",
+ "updated_at": "2023-11-10T18:34:22.366Z",
 "version": "WzE0NywxXQ==",
 "attributes": {
 "title": "Modbus - Mask Write",
@@ -597,7 +637,7 @@
 "namespaces": [
 "default"
 ],
- "updated_at": "2023-07-19T23:20:16.971Z",
+ "updated_at": "2023-11-10T18:34:22.366Z",
 "version": "WzE0OCwxXQ==",
 "attributes": {
 "title": "Modbus - Read Write Multiple",
@@ -636,13 +676,61 @@
 "search": "7.9.3"
 }
 },
+ {
+ "id": "624a1d80-7ffa-11ee-9964-dd538601517e",
+ "type": "search",
+ "namespaces": [
+ "default"
+ ],
+ "updated_at": "2023-11-10T18:55:03.788Z",
+ "version": "Wzk1MiwxXQ==",
+ "attributes": {
+ "title": "Modbus - Read Device Identification",
+ "description": "",
+ "hits": 0,
+ "columns": [
+ "source.ip",
+ "destination.ip",
+ "zeek.modbus.network_direction",
+ "event.action",
+ "event.result",
+ "zeek.modbus.unit_id",
+ "zeek.modbus.trans_id",
+ "zeek.modbus_read_device_identification.device_id_code",
+ "zeek.modbus_read_device_identification.conformity_level",
+ "zeek.modbus_read_device_identification.object_id",
+ "zeek.modbus_read_device_identification.object_value",
+ "event.id"
+ ],
+ "sort": [
+ [
+ "firstPacket",
+ "desc"
+ ]
+ ],
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.dataset:modbus_read_device_identification\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ }
+ },
+ "references": [
+ {
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern",
+ "id": "arkime_sessions3-*"
+ }
+ ],
+ "migrationVersion": {
+ "search": "7.9.3"
+ }
+ },
 {
 "id": "da7d99a0-ef74-11e9-91bd-23d686ac8389",
 "type": "search",
 "namespaces": [
 "default"
 ],
- "updated_at": "2023-07-19T23:20:16.971Z",
+ "updated_at": "2023-11-10T18:34:22.366Z",
 "version": "WzE0OSwxXQ==",
 "attributes": {
 "title": "Modbus - Known Clients and Servers Logs",
@@ -681,7 +769,7 @@
 "namespaces": [
 "default"
 ],
- "updated_at": "2023-07-19T23:20:16.971Z",
+ "updated_at": "2023-11-10T18:34:22.366Z",
 "version": "WzE1MCwxXQ==",
 "attributes": {
 "title": "Modbus - All Logs",
@@ -721,7 +809,7 @@
 "namespaces": [
 "default"
 ],
- "updated_at": "2023-07-19T23:21:16.791Z",
+ "updated_at": "2023-11-10T18:35:22.307Z",
 "version": "WzgzMiwxXQ==",
 "attributes": {
 "title": "Connections - Logs",
diff --git a/dashboards/templates/composable/component/zeek_ot.json b/dashboards/templates/composable/component/zeek_ot.json
index 6a1870503..2ed2174ef 100644
--- a/dashboards/templates/composable/component/zeek_ot.json
+++ b/dashboards/templates/composable/component/zeek_ot.json
@@ -201,12 +201,19 @@
 "zeek.modbus.network_direction": { "type": "keyword" },
 "zeek.modbus.trans_id": { "type": "integer" },
 "zeek.modbus.unit_id": { "type": "integer" },
+ "zeek.modbus.mei_type": { "type": "keyword" },
 "zeek.modbus_detailed.address": { "type": "integer" },
 "zeek.modbus_detailed.quantity": { "type": "integer" },
 "zeek.modbus_detailed.values": { "type": "keyword" },
 "zeek.modbus_mask_write_register.address": { "type": "integer" },
 "zeek.modbus_mask_write_register.and_mask": { "type": "integer" },
 "zeek.modbus_mask_write_register.or_mask": { "type": "integer" },
+ "zeek.modbus_read_device_identification.conformity_level_code": { "type": "keyword" },
+ "zeek.modbus_read_device_identification.conformity_level": { "type": "keyword" },
+ "zeek.modbus_read_device_identification.device_id_code": { "type": "long" },
+ "zeek.modbus_read_device_identification.object_id_code": { "type": "keyword" },
+ "zeek.modbus_read_device_identification.object_id": { "type": "keyword" },
+ "zeek.modbus_read_device_identification.object_value": { "type": "keyword" },
 "zeek.modbus_read_write_multiple_registers.read_quantity": { "type": "integer" },
 "zeek.modbus_read_write_multiple_registers.read_registers": { "type": "keyword" },
 "zeek.modbus_read_write_multiple_registers.read_start_address": { "type": "integer" },
diff --git a/logstash/pipelines/zeek/11_zeek_parse.conf b/logstash/pipelines/zeek/11_zeek_parse.conf
index 0c9716b53..791859b42 100644
--- a/logstash/pipelines/zeek/11_zeek_parse.conf
+++ b/logstash/pipelines/zeek/11_zeek_parse.conf
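Review bot: `zeek.modbus_read_device_identification.device_id_code` is mapped as `long` while every other numeric Modbus field in this hunk (`trans_id`, `unit_id`, `address`, `and_mask`, `or_mask`, `read_quantity`, …) is `integer`, so the new field is the odd one out for no stated reason. Unless the code can exceed 32 bits, `"zeek.modbus_read_device_identification.device_id_code": { "type": "integer" },` keeps the component template consistent with its siblings; if `long` is deliberate, a short comment in the commit or an adjacent field would save the next reader from "fixing" it.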
@@ -1764,6 +1764,12 @@ filter {
 mutate { id => "mutate_gsub_zeek_known_modbus_device_type"
 gsub => [ "[zeek_cols][device_type]", "Known::", "" ] }
+ mutate { id => "mutate_gsub_zeek_known_modbus_master"
+ gsub => [ "[zeek_cols][device_type]", "MASTER", "CLIENT" ] }
+
+ mutate { id => "mutate_gsub_zeek_known_modbus_slave"
+ gsub => [ "[zeek_cols][device_type]", "SLAVE", "SERVER" ] }
+
 mutate { id => "mutate_add_tag_ics_known_modbus_log"
 add_tag => [ "ics" ] }
@@ -1932,15 +1938,16 @@ filter {
 } else if ([log_source] == "modbus_detailed") {
 #############################################################################################################################
 # modbus_detailed.log
- # https://github.com/cisagov/ICSNPP
+ # main.zeek (https://github.com/cisagov/icsnpp-modbus)
 dissect {
 id => "dissect_zeek_modbus_detailed"
 # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
 mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][unit_id]} %{[zeek_cols][func]} %{[zeek_cols][network_direction]} %{[zeek_cols][address]} %{[zeek_cols][quantity]} %{[zeek_cols][values]}"
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][trans_id]} %{[zeek_cols][unit_id]} %{[zeek_cols][func]} %{[zeek_cols][network_direction]} %{[zeek_cols][address]} %{[zeek_cols][quantity]} %{[zeek_cols][values]}"
 }
 }
+
 if ("_dissectfailure" in [tags]) {
 mutate {
 id => "mutate_split_zeek_modbus_detailed"
@@ -1949,29 +1956,32 @@ filter {
 }
 ruby {
 id => "ruby_zip_zeek_modbus_detailed"
- init => "$zeek_modbus_detailed_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'unit_id', 'func', 'network_direction', 'address', 'quantity', 'values' ]"
+ init => "$zeek_modbus_detailed_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'trans_id', 'unit_id', 'func', 'network_direction', 'address', 'quantity', 'values' ]"
 code => "event.set('[zeek_cols]', $zeek_modbus_detailed_field_names.zip(event.get('[message]')).to_h)"
 }
 }
 mutate {
 id => "mutate_add_fields_zeek_modbus_detailed"
- add_field => { "[zeek_cols][service]" => "modbus" }
+ add_field => {
+ "[zeek_cols][service]" => "modbus"
+ }
 add_tag => [ "ics" ]
 }
 } else if ([log_source] == "modbus_mask_write_register") {
 #############################################################################################################################
 # modbus_mask_write_register.log
- # https://github.com/cisagov/ICSNPP
+ # main.zeek (https://github.com/cisagov/icsnpp-modbus)
 dissect {
 id => "dissect_zeek_modbus_mask_write_register"
 # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
 mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][unit_id]} %{[zeek_cols][func]} %{[zeek_cols][network_direction]} %{[zeek_cols][address]} %{[zeek_cols][and_mask]} %{[zeek_cols][or_mask]}"
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} 
%{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][trans_id]} %{[zeek_cols][unit_id]} %{[zeek_cols][func]} %{[zeek_cols][network_direction]} %{[zeek_cols][address]} %{[zeek_cols][and_mask]} %{[zeek_cols][or_mask]}"
 }
 }
+
 if ("_dissectfailure" in [tags]) {
 mutate {
 id => "mutate_split_zeek_modbus_mask_write_register"
@@ -1980,28 +1990,66 @@ filter {
 }
 ruby {
 id => "ruby_zip_zeek_modbus_mask_write_register"
- init => "$zeek_modbus_mask_write_register_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'unit_id', 'func', 'network_direction', 'address', 'and_mask', 'or_mask' ]"
- code => "event.set('[zeek_cols]', $zeek_modbus_modbus_mask_write_register_field_names.zip(event.get('[message]')).to_h)"
+ init => "$zeek_modbus_mask_write_register_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'trans_id', 'unit_id', 'func', 'network_direction', 'address', 'and_mask', 'or_mask' ]"
+ code => "event.set('[zeek_cols]', $zeek_modbus_mask_write_register_field_names.zip(event.get('[message]')).to_h)"
 }
 }
 mutate {
- id => "mutate_add_fields_modbus_mask_write_register"
- add_field => { "[zeek_cols][service]" => "modbus" }
+ id => "mutate_add_fields_zeek_modbus_mask_write_register"
+ add_field => {
+ "[zeek_cols][service]" => "modbus"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "modbus_read_device_identification") {
+ #############################################################################################################################
+ # modbus_read_device_identification.log
+ # main.zeek (https://github.com/cisagov/icsnpp-modbus)
+
+ dissect {
+ id => "dissect_zeek_modbus_read_device_identification"
+ # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][trans_id]} %{[zeek_cols][unit_id]} %{[zeek_cols][func]} %{[zeek_cols][network_direction]} 
%{[zeek_cols][mei_type]} %{[zeek_cols][conformity_level_code]} %{[zeek_cols][conformity_level]} %{[zeek_cols][device_id_code]} %{[zeek_cols][object_id_code]} %{[zeek_cols][object_id]} %{[zeek_cols][object_value]}"
+ }
+ }
+
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_modbus_read_device_identification"
+ # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_modbus_read_device_identification"
+ init => "$zeek_modbus_read_device_identification_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'trans_id', 'unit_id', 'func', 'network_direction', 'mei_type', 'conformity_level_code', 'conformity_level', 'device_id_code', 'object_id_code', 'object_id', 'object_value' ]"
+ code => "event.set('[zeek_cols]', $zeek_modbus_read_device_identification_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_modbus_read_device_identification"
+ add_field => {
+ "[zeek_cols][service]" => "modbus"
+ }
 add_tag => [ "ics" ]
 }
 } else if ([log_source] == "modbus_read_write_multiple_registers") {
 #############################################################################################################################
 # modbus_read_write_multiple_registers.log
- # https://github.com/cisagov/ICSNPP
+ # main.zeek (https://github.com/cisagov/icsnpp-modbus)
+
 dissect {
 id => "dissect_zeek_modbus_read_write_multiple_registers"
 # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
 mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][unit_id]} 
%{[zeek_cols][func]} %{[zeek_cols][network_direction]} %{[zeek_cols][write_start_address]} %{[zeek_cols][write_registers]} %{[zeek_cols][read_start_address]} %{[zeek_cols][read_quantity]} %{[zeek_cols][read_registers]}"
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][`]} %{[zeek_cols][unit_id]} %{[zeek_cols][func]} %{[zeek_cols][network_direction]} %{[zeek_cols][write_start_address]} %{[zeek_cols][write_registers]} %{[zeek_cols][read_start_address]} %{[zeek_cols][read_quantity]} %{[zeek_cols][read_registers]}"
 }
 }
+
 if ("_dissectfailure" in [tags]) {
 mutate {
 id => "mutate_split_zeek_modbus_read_write_multiple_registers"
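Review bot: The new dissect mapping for `modbus_read_write_multiple_registers` names its twelfth field `%{[zeek_cols][`]}` — a lone backtick — where the other three mappings in this change and the ruby fallback list in the following hunk (`@@ -2010`) use `trans_id`. If that is not a rendering artifact, every event that dissects successfully gets the transaction id under a field literally named with a backtick (or trips a dissect error) and never gets `[zeek_cols][trans_id]`, so the later `mutate_rename_modbus_read_write_multiple_registers_fields` rename in 12_zeek_mutate.conf has nothing to move, while only the `_dissectfailure` path populates it correctly. The token should read `%{[zeek_cols][trans_id]}`. The dissect-failure branch for this log source continues past the end of the hunk.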
@@ -2010,14 +2058,16 @@ filter {
 }
 ruby {
 id => "ruby_zip_zeek_modbus_read_write_multiple_registers"
- init => "$zeek_modbus_read_write_multiple_registers_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'unit_id', 'func', 'network_direction', 'write_start_address', 'write_registers', 'read_start_address', 'read_quantity', 'read_registers' ]"
+ init => "$zeek_modbus_read_write_multiple_registers_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'trans_id', 'unit_id', 'func', 'network_direction', 'write_start_address', 'write_registers', 'read_start_address', 'read_quantity', 'read_registers' ]"
 code => "event.set('[zeek_cols]', $zeek_modbus_read_write_multiple_registers_field_names.zip(event.get('[message]')).to_h)"
 }
 }
 mutate {
 id => "mutate_add_fields_zeek_modbus_read_write_multiple_registers"
- add_field => { "[zeek_cols][service]" => "modbus" }
+ add_field => {
+ "[zeek_cols][service]" => "modbus"
+ }
 add_tag => [ "ics" ]
 }
diff --git a/logstash/pipelines/zeek/12_zeek_mutate.conf b/logstash/pipelines/zeek/12_zeek_mutate.conf
index 6d3b61636..83ed11143 100644
--- a/logstash/pipelines/zeek/12_zeek_mutate.conf
+++ b/logstash/pipelines/zeek/12_zeek_mutate.conf
@@ -1020,11 +1020,12 @@ filter {
 split => { "[zeek][modbus_detailed][values]" => "," }
 }
 }
- # rename a to make correlating modbus easier between logs
+ # rename some fields to make correlating modbus easier between logs
 mutate {
 id => "mutate_rename_modbus_detailed_fields"
 rename => { "[zeek][modbus_detailed][func]" => "[zeek][modbus][func]" }
 rename => { "[zeek][modbus_detailed][unit_id]" => "[zeek][modbus][unit_id]" }
+ rename => { "[zeek][modbus_detailed][trans_id]" => "[zeek][modbus][trans_id]" }
 rename => { "[zeek][modbus_detailed][network_direction]" => "[zeek][modbus][network_direction]" }
 }
@@ -1032,13 +1033,28 @@ filter {
 #############################################################################################################################
 # modbus_mask_write_register.log specific logic
- # rename a to make correlating modbus easier between logs
+ # rename some fields to make correlating modbus easier between logs
 mutate {
 id => "mutate_rename_modbus_mask_write_register_fields"
 rename => { "[zeek][modbus_mask_write_register][address]" => "[zeek][modbus_detailed][address]" }
 rename => { "[zeek][modbus_mask_write_register][func]" => "[zeek][modbus][func]" }
 rename => { "[zeek][modbus_mask_write_register][network_direction]" => "[zeek][modbus][network_direction]" }
 rename => { "[zeek][modbus_mask_write_register][unit_id]" => "[zeek][modbus][unit_id]" }
+ rename => { "[zeek][modbus_mask_write_register][trans_id]" => "[zeek][modbus][trans_id]" }
+ }
+
+ } else if ([log_source] == "modbus_read_device_identification") {
+ #############################################################################################################################
+ # modbus_read_device_identification.log specific logic
+
+ # rename some fields to make correlating modbus easier between logs
+ mutate {
+ id => "mutate_rename_modbus_read_device_identification_fields"
+ rename => { "[zeek][modbus_read_device_identification][network_direction]" => "[zeek][modbus][network_direction]" }
+ rename => { "[zeek][modbus_read_device_identification][unit_id]" => "[zeek][modbus][unit_id]" }
+ rename => { "[zeek][modbus_read_device_identification][trans_id]" => "[zeek][modbus][trans_id]" }
+ rename => { "[zeek][modbus_read_device_identification][func]" => "[zeek][modbus][func]" }
+ rename => { "[zeek][modbus_read_device_identification][mei_type]" => "[zeek][modbus][mei_type]" }
 }
 } else if ([log_source] == "modbus_read_write_multiple_registers") {
@@ -1055,11 +1071,12 @@ filter {
 split => { "[zeek][modbus_read_write_multiple_registers][write_registers]" => "," }
 }
 }
- # rename a to make correlating modbus easier between logs
+ # rename some fields to make correlating modbus easier between logs
 mutate {
 id => "mutate_rename_modbus_read_write_multiple_registers_fields"
 rename => { "[zeek][modbus_read_write_multiple_registers][network_direction]" => "[zeek][modbus][network_direction]" }
 rename => { "[zeek][modbus_read_write_multiple_registers][unit_id]" => "[zeek][modbus][unit_id]" }
+ rename => { "[zeek][modbus_read_write_multiple_registers][trans_id]" => "[zeek][modbus][trans_id]" }
 rename => { "[zeek][modbus_read_write_multiple_registers][func]" => "[zeek][modbus][func]" }
 }
diff --git a/logstash/pipelines/zeek/13_zeek_normalize.conf b/logstash/pipelines/zeek/13_zeek_normalize.conf
index 4e735f962..c4e74423b 100644
--- a/logstash/pipelines/zeek/13_zeek_normalize.conf
+++ b/logstash/pipelines/zeek/13_zeek_normalize.conf
@@ -323,8 +323,17 @@ filter {
 merge => { "[event][action]" => "[@metadata][zeek_ldap_search_action]" } } }
- if ([zeek][modbus][func]) { mutate { id => "mutate_merge_normalize_zeek_modbus_func"
- merge => { "[event][action]" => "[zeek][modbus][func]" } } }
+ if ([zeek][modbus][func]) {
+ mutate { id => "mutate_gsub_zeek_modbus_master"
+ gsub => [ "[zeek][modbus][func]", "MASTER", "CLIENT" ] }
+ mutate { id => "mutate_gsub_zeek_modbus_slave"
+ gsub => [ "[zeek][modbus][func]", "SLAVE", "SERVER" ] }
+ mutate { id => "mutate_merge_normalize_zeek_modbus_func"
+ merge => { "[event][action]" => "[zeek][modbus][func]" } }
+ }
+
+ if ([zeek][modbus][mei_type]) { mutate { id => "mutate_merge_normalize_zeek_modbus_mei_type"
+ merge => { "[event][action]" => "[zeek][modbus][mei_type]" } } }
 if ([zeek][mqtt_connect][connect_status]) {
 # this log entry implicitly means "connect"
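Review bot: The two `gsub` mutates in the 13_zeek_normalize.conf hunk rewrite `[zeek][modbus][func]` in place before it is merged into `[event][action]`, so the indexed `zeek.modbus.func` value no longer matches the token Zeek itself emitted; a saved search or detection rule written against the Zeek-native name will silently stop matching, and nothing in the hunk says this is intended. A one-line comment above the first mutate would make the contract explicit, e.g. `# normalize MASTER/SLAVE to CLIENT/SERVER in zeek.modbus.func itself (not just event.action); queries must use the new terms`. The same terminology mapping is applied to `[zeek_cols][device_type]` in the 11_zeek_parse.conf hunk at `@@ -1764`, so if the intent is a single vocabulary, a comment cross-referencing the two places would help keep them in step.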
diff --git a/scripts/zeek_script_to_malcolm_boilerplate.py b/scripts/zeek_script_to_malcolm_boilerplate.py
index 42b9b366b..11c9857d3 100755
--- a/scripts/zeek_script_to_malcolm_boilerplate.py
+++ b/scripts/zeek_script_to_malcolm_boilerplate.py
@@ -50,6 +50,10 @@
 'resp_h',
 'resp_p',
 'resp_l2_addr',
+ 'drop_orig_h',
+ 'drop_orig_p',
+ 'drop_resp_h',
+ 'drop_resp_p',
 'proto',
 'service',
 'user',
diff --git a/shared/bin/zeek_install_plugins.sh b/shared/bin/zeek_install_plugins.sh
index 0458dbc62..d1588bf8b 100755
--- a/shared/bin/zeek_install_plugins.sh
+++ b/shared/bin/zeek_install_plugins.sh
@@ -74,7 +74,7 @@ ZKG_GITHUB_URLS=(
 "https://github.com/cisagov/icsnpp-enip"
 "https://github.com/cisagov/icsnpp-ethercat"
 "https://github.com/cisagov/icsnpp-genisys"
- "https://github.com/mmguero-dev/icsnpp-modbus"
+ "https://github.com/cisagov/icsnpp-modbus"
 "https://github.com/cisagov/icsnpp-opcua-binary"
 "https://github.com/cisagov/icsnpp-s7comm"
 "https://github.com/cisagov/icsnpp-synchrophasor"
@@ -98,7 +98,7 @@ ZKG_GITHUB_URLS=(
 "https://github.com/corelight/zeek-spicy-ospf"
 "https://github.com/corelight/zeek-spicy-stun"
 "https://github.com/corelight/zeek-spicy-wireguard"
- "https://github.com/mmguero-dev/zeek-xor-exe-plugin"
+ "https://github.com/corelight/zeek-xor-exe-plugin|master"
 "https://github.com/corelight/zerologon"
 "https://github.com/cybera/zeek-sniffpass"
 "https://github.com/mmguero-dev/bzar"
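Review bot: The new `ZKG_GITHUB_URLS` entry `"https://github.com/corelight/zeek-xor-exe-plugin|master"` appears to select a branch (the `|` suffix is presumably parsed by the install script outside this hunk), and a branch is a moving target: each image build pulls whatever the upstream head is at that moment, so the installed plugin is neither reproducible nor integrity-checked. If the script's suffix syntax accepts a ref, pin an immutable tag or commit instead, e.g. `"https://github.com/corelight/zeek-xor-exe-plugin|<release-tag-or-commit>"` (placeholder), and note beside the entry why `master` was needed if it must stay. The other URLs in the array are equally unpinned, but that predates this change.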