track-memmap.zeek¶

This script tracks the memory map of holding (read/write) registers and logs changes as they are discovered.

Todo

Not all register read and write functions are supported yet.

Summary¶

The hosts that should have memory mapping enabled.

The memory map of slaves is tracked with this variable.

`Modbus::MemmapInfo`: `record`
`Modbus::RegisterValue`: `record`
`Modbus::Registers`: `table`	Indexed on the device register value and yielding the register value.

`Log::ID`: `enum`	`Modbus::REGISTER_CHANGE_LOG`
`Modbus::Info`: `record`	New Fields `Modbus::Info` track_address: `count` `&default` = `0` `&optional`

This event is generated every time a register is seen to be different than it was previously seen to be.

The hosts that should have memory mapping enabled.

The memory map of slaves is tracked with this variable.

Type

record

ts: time &log: Timestamp for the detected register change.
uid: string &log: Unique ID for the connection.
id: conn_id &log: Connection ID.
register: count &log: The device memory offset.
old_val: count &log: The old value stored in the register.
new_val: count &log: The new value stored in the register.
delta: interval &log: The time delta between when the old_val and new_val were seen.