policy/protocols/modbus/track-memmap.zeek

Modbus

This script tracks the memory map of holding (read/write) registers and logs changes as they are discovered.

Todo

Not all register read and write functions are supported yet.

Namespace:: Modbus
Imports:: base/protocols/modbus, base/utils/directions-and-hosts.zeek

Summary

Runtime Options

Modbus::track_memmap: Host &redef

The hosts that should have memory mapping enabled.

State Variables

Modbus::device_registers: table

The memory map of slaves is tracked with this variable.

Types

`Modbus::MemmapInfo`: `record`
`Modbus::RegisterValue`: `record`
`Modbus::Registers`: `table`	Indexed on the device register value and yielding the register value.

Redefinitions

`Log::ID`: `enum`	`Modbus::REGISTER_CHANGE_LOG`
`Modbus::Info`: `record`	New Fields: `Modbus::Info` track_address: `count` `&default` = `0` `&optional`

Events

Modbus::changed_register: event

This event is generated every time a register is seen to be different than it was previously seen to be.

Hooks

Modbus::log_policy_register_change: Log::PolicyHook

Detailed Interface

Runtime Options

Modbus::track_memmap 

Type:: Host
Attributes:: &redef
Default:: ALL_HOSTS

The hosts that should have memory mapping enabled.

State Variables

Modbus::device_registers 

Type:: table [addr] of Modbus::Registers
Default:: {}

The memory map of slaves is tracked with this variable.

Types

Modbus::MemmapInfo 

Type:

Fields:

ts: time &log: Timestamp for the detected register change.

uid: string &log: Unique ID for the connection.

id: conn_id &log: Connection ID.

register: count &log: The device memory offset.

old_val: count &log: The old value stored in the register.

new_val: count &log: The new value stored in the register.

delta: interval &log: The time delta between when the old_val and new_val were seen.

Modbus::RegisterValue 

Type:

Fields:

last_set: time

value: count

Modbus::Registers 

Type:: table [count] of Modbus::RegisterValue

Indexed on the device register value and yielding the register value.

Events

Modbus::changed_register 

Type:: event (c: connection, register: count, old_val: count, new_val: count, delta: interval)

This event is generated every time a register is seen to be different than it was previously seen to be.

Hooks

Modbus::log_policy_register_change 

Type:: Log::PolicyHook