112 lines
3.7 KiB
ReStructuredText
112 lines
3.7 KiB
ReStructuredText
:tocdepth: 3
|
|
|
|
policy/protocols/modbus/known-masters-slaves.zeek
|
|
=================================================
|
|
.. zeek:namespace:: Known
|
|
|
|
Script for tracking known Modbus masters and slaves.
|
|
|
|
.. todo:: This script needs a lot of work. What might be more interesting
|
|
is to track master/slave relationships based on commands sent and
|
|
successful (non-exception) responses.
|
|
|
|
:Namespace: Known
|
|
:Imports: :doc:`base/protocols/modbus </scripts/base/protocols/modbus/index>`
|
|
|
|
Summary
|
|
~~~~~~~
|
|
State Variables
|
|
###############
|
|
============================================================================================================== ===============================
|
|
:zeek:id:`Known::modbus_nodes`: :zeek:type:`set` :zeek:attr:`&create_expire` = ``1.0 day`` :zeek:attr:`&redef` The Modbus nodes being tracked.
|
|
============================================================================================================== ===============================
|
|
|
|
Types
|
|
#####
|
|
======================================================= =
|
|
:zeek:type:`Known::ModbusDeviceType`: :zeek:type:`enum`
|
|
:zeek:type:`Known::ModbusInfo`: :zeek:type:`record`
|
|
======================================================= =
|
|
|
|
Redefinitions
|
|
#############
|
|
======================================= ================================
|
|
:zeek:type:`Log::ID`: :zeek:type:`enum`
|
|
|
|
* :zeek:enum:`Known::MODBUS_LOG`
|
|
======================================= ================================
|
|
|
|
Events
|
|
######
|
|
====================================================== =====================================================================
|
|
:zeek:id:`Known::log_known_modbus`: :zeek:type:`event` Event that can be handled to access the loggable record as it is sent
|
|
on to the logging framework.
|
|
====================================================== =====================================================================
|
|
|
|
Hooks
|
|
#####
|
|
================================================================= =
|
|
:zeek:id:`Known::log_policy_modbus`: :zeek:type:`Log::PolicyHook`
|
|
================================================================= =
|
|
|
|
|
|
Detailed Interface
|
|
~~~~~~~~~~~~~~~~~~
|
|
State Variables
|
|
###############
|
|
.. zeek:id:: Known::modbus_nodes
|
|
:source-code: policy/protocols/modbus/known-masters-slaves.zeek 31 31
|
|
|
|
:Type: :zeek:type:`set` [:zeek:type:`addr`, :zeek:type:`Known::ModbusDeviceType`]
|
|
:Attributes: :zeek:attr:`&create_expire` = ``1.0 day`` :zeek:attr:`&redef`
|
|
:Default: ``{}``
|
|
|
|
The Modbus nodes being tracked.
|
|
|
|
Types
|
|
#####
|
|
.. zeek:type:: Known::ModbusDeviceType
|
|
:source-code: policy/protocols/modbus/known-masters-slaves.zeek 16 20
|
|
|
|
:Type: :zeek:type:`enum`
|
|
|
|
.. zeek:enum:: Known::MODBUS_MASTER Known::ModbusDeviceType
|
|
|
|
.. zeek:enum:: Known::MODBUS_SLAVE Known::ModbusDeviceType
|
|
|
|
|
|
.. zeek:type:: Known::ModbusInfo
|
|
:source-code: policy/protocols/modbus/known-masters-slaves.zeek 21 28
|
|
|
|
:Type: :zeek:type:`record`
|
|
|
|
ts: :zeek:type:`time` :zeek:attr:`&log`
|
|
The time the device was discovered.
|
|
|
|
host: :zeek:type:`addr` :zeek:attr:`&log`
|
|
The IP address of the host.
|
|
|
|
device_type: :zeek:type:`Known::ModbusDeviceType` :zeek:attr:`&log`
|
|
The type of device being tracked.
|
|
|
|
|
|
Events
|
|
######
|
|
.. zeek:id:: Known::log_known_modbus
|
|
:source-code: policy/protocols/modbus/known-masters-slaves.zeek 35 35
|
|
|
|
:Type: :zeek:type:`event` (rec: :zeek:type:`Known::ModbusInfo`)
|
|
|
|
Event that can be handled to access the loggable record as it is sent
|
|
on to the logging framework.
|
|
|
|
Hooks
|
|
#####
|
|
.. zeek:id:: Known::log_policy_modbus
|
|
:source-code: policy/protocols/modbus/known-masters-slaves.zeek 14 14
|
|
|
|
:Type: :zeek:type:`Log::PolicyHook`
|
|
|
|
|
|
|