Skip to content

Latest commit

 

History

History
258 lines (212 loc) · 9.82 KB

README.org

File metadata and controls

258 lines (212 loc) · 9.82 KB

Zeek IEC 104

Overview

zeek-iec104 is a Zeek plugin written using Spicy for parsing and logging fields used by the IEC 104 protocol.

Differences from upstream

  • More ASDU type parsing implemented
  • APDU contents logged to log files (only if log.zeek script is loaded)
    • For unknown (unimplemented) ASDU types hex dump of content is logged
  • Zeek events generated only for high-level units (i.e., no separate events for internal units like CP56Time2a or bit-fields):
    • Control part of an APCI (S, U and I format headers)
    • Identification part of an ASDU
    • Object specific information of an ASDU
  • Easy to correlate APDU sub-part event generation, with the parts mentioned above in sequence:
    • APCI control field
    • ASDU common part (Cause of Transmission, address fields)
    • Object-specific ASDU part (object information)
  • All events carry communication direction information
  • print.zeek script to dump APCIs to console (good for analyzing captured traffic with no need to correlate different log files)
  • Proper parsing (and logging) of R32 (float) and VTI (7-bit signed integer) values
  • Logging in TSV (Zeek default) or JSON formats

Installation

To build and install the parser into Zeek the following can be used:

cmake . && make install

After successful installation the following command:

zeek -NN | grep IEC104

should have output similar to this:

[Analyzer] spicy_iec104 (ANALYZER_SPICY_IEC104, enabled)

Implementation

The plugin is implemented using following files:

analyzer/zeek_iec104.spicy
Spicy protocol analyzer.
analyzer/iec104.evt
Event descriptions for Zeek integration.
scripts/iec104.zeek
Zeek side definitions of structures exported from Spicy.
scripts/log.zeek
IEC 104 communication logging, see Logging capabilities below.
scripts/print.zeek
Support script that prints communication in sequential manner in a way that can be easily cross-checked with other tools (e.g., Wireshark). This is how the initial output of analyzing testing/Traces/first/iec104.pcap using this script looks like:
1372918997.053303 10.20.102.1:46413 -> 10.20.100.108:2404, U TESTFR act
1372918997.053845 10.20.102.1:46413 <- 10.20.100.108:2404, U TESTFR con
1372918997.306461 10.20.102.1:46413 -> 10.20.100.108:2404, U STARTDT act
1372918997.307014 10.20.102.1:46413 <- 10.20.100.108:2404, U STARTDT con
1372918997.321659 10.20.102.1:46413 -> 10.20.100.108:2404, I ssn:0, rsn:0
  ASDU Act OA=0 CA=10, C_IC_NA_1 obj_addr=0 QOI=20
1372918997.323589 10.20.102.1:46413 <- 10.20.100.108:2404, I ssn:0, rsn:0
  ASDU Init OA=0 CA=10, M_EI_NA_1 obj_addr=0 COI=0 LPC=F
1372918997.331734 10.20.102.1:46413 -> 10.20.100.108:2404, I ssn:1, rsn:1
  ASDU Act OA=0 CA=10, C_IC_NA_1 obj_addr=0 QOI=20
1372918997.333710 10.20.102.1:46413 <- 10.20.100.108:2404, I ssn:1, rsn:1
  ASDU Actcon OA=0 CA=10, C_IC_NA_1 obj_addr=0 QOI=20
1372918997.333710 10.20.102.1:46413 <- 10.20.100.108:2404, I ssn:2, rsn:1
  ASDU Inrogen OA=0 CA=10, M_SP_NA_1 obj_addr=1 SIQ=[spi=F, bl=F, sb=F, nt=F, iv=F]
  ASDU Inrogen OA=0 CA=10, M_SP_NA_1 obj_addr=2 SIQ=[spi=F, bl=F, sb=F, nt=F, iv=F]
  ASDU Inrogen OA=0 CA=10, M_SP_NA_1 obj_addr=3 SIQ=[spi=F, bl=F, sb=F, nt=F, iv=F]
  ASDU Inrogen OA=0 CA=10, M_SP_NA_1 obj_addr=4 SIQ=[spi=F, bl=F, sb=F, nt=F, iv=F]
    
scripts/seq.zeek
APCI Send and Receive sequence number tracking.

Supported information object types

The Spicy protocol analyzer and the corresponding Zeek code has support for the following ASDU information object types:

ReferenceTypeIDImplemented
M_SP_NA_11yes
M_SP_TA_12yes
M_DP_NA_13yes
M_DP_TA_14yes
M_ST_NA_15yes
M_ST_TA_16yes
M_BO_NA_17yes
M_BO_TA_18yes
M_ME_NA_19yes
M_ME_TA_110yes
M_ME_NB_111yes
M_ME_TB_112yes
M_ME_NC_113yes
M_ME_TC_114yes
M_IT_NA_115yes
M_IT_TA_116yes
M_EP_TA_117yes
M_EP_TB_118yes
M_EP_TC_119yes
M_PS_NA_120yes
M_ME_ND_121yes
M_SP_TB_130yes
M_DP_TB_131yes
M_ST_TB_132yes
M_BO_TB_133yes
M_ME_TD_134yes
M_ME_TE_135yes
M_ME_TF_136yes
M_IT_TB_137yes
M_EP_TD_138yes
M_EP_TE_139yes
M_EP_TF_140yes
C_SC_NA_145yes
C_DC_NA_146yes
C_RC_NA_147yes
C_SE_NA_148yes
C_SE_NB_149yes
C_SE_NC_150yes
C_BO_NA_151yes
C_SC_TA_158yes
C_DC_TA_159yes
C_RC_TA_160yes
C_SE_TA_161yes
C_SE_TB_162yes
C_SE_TC_163yes
C_BO_TA_164yes
M_EI_NA_170yes
C_IC_NA_1100yes
C_CI_NA_1101yes
C_RD_NA_1102yes
C_CS_NA_1103yes
C_TS_NA_1104
C_RP_NA_1105yes
C_CD_NA_1106
C_TS_TA_1107yes
P_ME_NA_1110yes
P_ME_NB_1111yes
P_ME_NC_1112yes
P_AC_NA_1113yes
F_FR_NA_1120
F_SR_NA_1121
F_SC_NA_1122
F_LS_NA_1123
F_AF_NA_1124
F_SG_NA_1125
F_DR_TA_1126
F_SC_NB_1127

Logging capabilities

This plugin creates many log files, all of which start with a iec104- prefix. All logs have the following fields:

ts
Message timestamp.
uid
Zeek connection identifier.
id.orig_h
Connection originator host.
id.orig_p
Connection originator port.
id.oesp_h
Connection responding host.
id.oesp_p
Connection responding port.
is_orig
True if the message is from the connection originator.
apdu
APDU counter, increased for each APDU. Useful for cross-linking data from different logs.

To write logs in JSON format, set the variable iec104::log_as_json (defined in scripts/log.zeek) to T, either by changing the source or in another script using the following statement:

redef iec104::log_as_json = T;

iec104-apci_i.log

APCI I-Format message fields. In addition to common fields has the following:

ssn
Send sequence number
rsn
Receive sequence number

ASDU fields are in iec104-asdu_ident.log.

iec104-apci_s.log

APCI S-Format message fields. In addition to common fields has the following:

rsn
Receive sequence number

iec104-apci_u.log

APCI U-Format message fields. In addition to common fields has the following:

startdt
stopdt
testfr

iec104-asdu_ident.log

ident.type_id
Information object type ID (symbolic)
ident.nobj
Number of objects in ASDU
ident.sq
SQ flag
ident.cot
Cause of transmission (symbolic)
ident.pn
P/N (positive/negative) flag
ident.test
Test flag
ident.originator_address
Originator address
ident.common_address
Common address

Information object type specific logs

Each ASDU information object type is logged in a separate log file with the symbolic name of ASDU type ID in the file name, e.g., iec104-C_DC_NA_1.log. Each file has information object type specific fields (in addition to common fields), not documented here at the moment.

iec104-unk.log

Messages with unknown (vendor-specific) ASDU types. In addition to common fields has the following fields:

type_id
Symbolic name of the ASDU information object type ID
type_id_code
Numeric value of the ASDU information object type ID
data
Binary message data as a hex string

Resources

PCAPs