track-memmap.zeek¶

This script tracks the memory map of holding (read/write) registers and logs changes as they are discovered.

Todo

Not all register read and write functions are supported yet.

Namespace:	Modbus
Imports:	base/protocols/modbus, base/utils/directions-and-hosts.zeek

Summary¶

Modbus::track_memmap: Host &redef The hosts that should have memory mapping enabled.

Modbus::device_registers: table The memory map of slaves is tracked with this variable.

`Modbus::MemmapInfo`: `record`
`Modbus::RegisterValue`: `record`
`Modbus::Registers`: `table`	Indexed on the device register value and yielding the register value.

`Log::ID`: `enum`
`Modbus::Info`: `record`

Modbus::changed_register: event This event is generated every time a register is seen to be different than it was previously seen to be.

Modbus::track_memmap¶

The hosts that should have memory mapping enabled.

Modbus::device_registers¶

Type:	`table` [`addr`] of `Modbus::Registers`
Default:	`{}`

The memory map of slaves is tracked with this variable.

Modbus::MemmapInfo¶

Type:

ts: time &log: Timestamp for the detected register change.
uid: string &log: Unique ID for the connection.
id: conn_id &log: Connection ID.
register: count &log: The device memory offset.
old_val: count &log: The old value stored in the register.
new_val: count &log: The new value stored in the register.
delta: interval &log: The time delta between when the old_val and new_val were seen.

Modbus::RegisterValue¶

Type:

last_set: time

Modbus::Registers¶

Type:	`table` [`count`] of `Modbus::RegisterValue`

Indexed on the device register value and yielding the register value.

Modbus::changed_register¶

Type:	`event` (c: `connection`, register: `count`, old_val: `count`, new_val: `count`, delta: `interval`)

This event is generated every time a register is seen to be different than it was previously seen to be.