-
Notifications
You must be signed in to change notification settings - Fork 13
/
Copy pathevents.bif
206 lines (185 loc) · 10.5 KB
/
events.bif
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
## events.bif
##
## Binpac s7comm Analyzer - Defines events the analyzer will generate
##
## Author: Stephen Kleinheider
## Contact: [email protected]
##
## Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved.
###################################################################################################
####################################### LOGGED BY DEFAULT #######################################
###################################################################################################
## ----------------------------------------------cotp----------------------------------------------
## Event Description:
## Event is generated for all COTP packets and contains relevant COTP data
## Event Data:
## - c: connection -> Zeek Connection Struct
## - pdu: count -> COTP PDU Type (see cotp_pdu_types in consts.zeek)
## Default Output:
## Writes to log file cotp.log
## ------------------------------------------------------------------------------------------------
event cotp%(c: connection,
is_orig: bool,
pdu: count%);
## -----------------------------------------s7comm-header------------------------------------------
## Event Description:
## Event is generated for all s7comm packets and contains relevant s7comm header data
## Event Data:
## - c: connection -> Zeek Connection Struct
## - rosctr: count -> Remote Operating Service Control (see rosctr_types in consts.zeek)
## - pdu_reference: count -> Reference ID Used to Link Requests to Responses
## - function_code: count -> Parameter Function Code (see s7comm_functions in consts.zeek)
## - subfunction: count -> User-Data Subfunction Code (see s7comm_userdata_functions in consts.zeek)
## - plc_control: string -> PLC-Control function (see s7comm_plc_control_services in consts.zeek)
## - error_class: count -> Error Class (see s7comm_error_class in consts.zeek)
## - error_code: count -> Error Code within Error Class
## Default Output:
## Writes to log file s7comm.log
## ------------------------------------------------------------------------------------------------
event s7comm_header%(c: connection,
is_orig: bool,
rosctr: count,
pdu_reference: count,
function_code: count,
subfunction: count,
plc_control: string,
error_class: count,
error_code: count%);
## ---------------------------------------s7comm_read-szl------------------------------------------
## Event Description:
## Event is generated for all s7comm User-Data CPU Functions with Read SZL subfunction and
## contains relevant Read SZL data
## Event Data:
## - pdu_reference: count -> Reference ID Used to Link Requests to Responses
## - method: count -> Request or Response
## - return_code: count -> Return Code (see s7comm_userdata_return_codes in consts.zeek)
## - szl_id: count -> SZL ID (see s7comm_szl_id in consts.zeek)
## - szl_index: count -> SZL Index
## Default Output:
## Writes to log file s7comm.log
## ------------------------------------------------------------------------------------------------
event s7comm_read_szl%(c: connection,
is_orig: bool,
pdu_reference: count,
method: count,
return_code: count,
szl_id: count,
szl_index: count%);
## -------------------------------------s7comm_upload_download-------------------------------------
## Event Description:
## Event is generated for all s7comm upload and download functions and contains relevant
## upload and download data
## Event Data:
## - rosctr: count -> Remote Operating Service Control (see rosctr_types in consts.zeek)
## - pdu_reference: count -> Reference ID Used to Link Requests to Responses
## - function_code: count -> Parameter Function Code (see s7comm_functions in consts.zeek)
## - function_status: count -> Function Return Status
## - session_id: count -> Session ID
## - blocklength: count -> Length of Block to Upload/Download
## - filename: string -> Filename of Block to Upload/Download (Contains information in block_type, block_number, and destination_filesystem)
## - block_type: string -> Block Type to Upload/Download (see s7comm_block_types in consts.zeek)
## - block_number: string -> Block Number to Upload/Download
## - destination_filesystem: string -> Destination Filesystem of Upload/Download (Active or Passive)
## Default Output:
## Writes to log file s7comm_upload_download.log
## ------------------------------------------------------------------------------------------------
event s7comm_upload_download%(c: connection,
is_orig: bool,
rosctr: count,
pdu_reference: count,
function_code: count,
function_status: count,
session_id: count,
blocklength: count,
filename: string,
block_type: string,
block_number: string,
destination_filesystem: string%);
## ---------------------------------------s7comm-plus-header---------------------------------------
## Event Description:
## Event is generated for all s7comm-plus packets and contains relevant s7comm-plus header data
## Event Data:
## - c: connection -> Zeek Connection Struct
## - version: count -> S7comm-plus Version (Currently 3)
## - opcode: count -> Opcode (see s7comm_plus_opcodes in consts.zeek)
## - function_code: count -> Function Code (see s7comm_plus_functions in consts.zeek)
## Default Output:
## Writes to log file s7comm-plus.log
## ------------------------------------------------------------------------------------------------
event s7comm_plus_header%(c: connection,
is_orig: bool,
version: count,
opcode: count,
function_code: count%);
###################################################################################################
################################### END OF LOGGED BY DEFAULT ####################################
###################################################################################################
###################################################################################################
##################################### NOT LOGGED BY DEFAULT #####################################
###################################################################################################
event tpkt%(c: connection,
is_orig: bool,
version: count,
reserved: count,
length: count%);
event cotp_data%(c: connection,
is_orig: bool,
tpdu_sequence_num: count,
eot: count,
variable_data: string%);
event cotp_connection_request%(c: connection,
is_orig: bool,
dst_reference: count,
src_reference: count,
class_id: count,
extended_format: count,
explicit_flow_control: count,
variable_data: string%);
event cotp_connection_confirm%(c: connection,
is_orig: bool,
dst_reference: count,
src_reference: count,
class_id: count,
extended_format: count,
explicit_flow_control: count,
variable_data: string%);
event cotp_disconnect_request%(c: connection,
is_orig: bool,
dst_reference: count,
src_reference: count,
reason: count,
variable_data: string%);
event cotp_disconnect_confirm%(c: connection,
is_orig: bool,
dst_reference: count,
src_reference: count,
variable_data: string%);
event cotp_expedited_data%(c: connection,
is_orig: bool,
dst_reference: count,
tpdu_id: count,
eot: count,
variable_data: string%);
event cotp_data_acknowledgement%(c: connection,
is_orig: bool,
dst_reference: count,
next_tpdu: count,
variable_data: string%);
event cotp_expedited_data_acknowledgement%(c: connection,
is_orig: bool,
dst_reference: count,
tpdu_id: count,
variable_data: string%);
event cotp_reject%(c: connection,
is_orig: bool,
dst_reference: count,
next_tpdu: count,
variable_data: string%);
event cotp_error%(c: connection,
is_orig: bool,
dst_reference: count,
error_code: count,
variable_data: string%);
###################################################################################################
################################# END OF NOT LOGGED BY DEFAULT ##################################
###################################################################################################