[Bro-Dev] Writing analyzer for Siemens PLC

Dane Wullen dane.wullen at alumni.fh-aachen.de
Wed May 2 13:22:22 PDT 2018


Hi there,

as a part of my master's thesis I'm going to write two analyzers which 
will be able to detect S7Comm and S7CommPlus traffic used by Siemens PLCs. 
Both protocols are proprietary, so I have no official documentation. The 
goal is to monitor this kind of traffic and/or detect threats against 
those PLCs.
So far, I am able to read S7Comm traffic and generate various events, 
covering all standard and most of the additional (UserData) functions. 
This part is based on the code of the Wireshark S7Comm dissector.

The S7CommPlus part is a little bit trickier. Unfortunately, the only 
code base I can use is a 4-year-old git repo, probably forked from the 
first S7CommPlus dissector written by Thomas Wiens 
(https://github.com/moki-ics/s7commwireshark/blob/master/src/s7comm_plus/packet-s7comm_plus.c).

After a quick glance I have discovered 2 "problems" with which I hope you 
could help me.

1) Reassembling packets: Some S7CommPlus packets whose payload is over a 
certain amount of bytes will be split and need to be reassembled. I 
don't know how to do that in Bro nor how I can keep track of which 
fragments belong to which packet. (LoC: 3917 to 4135)
2) Various payload: Some packets contain different payload, e.g. 
different addressing types, attributes and/or structures, even though 
the packet type is the same (for example: a request packet can contain 
one or more objects. In each object, there can be various items of type 
A, B, C or D, each of them having a different structure). If I want to 
generate a Bro event which contains the payload as a parameter, how do 
I do that?

Any help will be appreciated!

Thanks.

Dane
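Added example for the two questions above (reassembly of split messages, and items whose structure depends on a type field). This is not code from the poster, from Bro/Zeek, or from the Wireshark dissector, and it does not use the real S7CommPlus wire format: the fragment header (msg_id, fragment index, last flag) and the kind/length/body item layout are constructed purely to show the technique. The same shape maps onto a Bro analyzer: a per-connection fragment table keyed the way `conn_id` identifies a flow, a BinPAC `case` on the kind field, and an event record whose type-specific fields are `&optional`.

```python
"""Fragment reassembly keyed per connection, then a type-dispatched item parser.
Wire layouts below are CONSTRUCTED for illustration, not the S7CommPlus format."""
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# (orig_h, orig_p, resp_h, resp_p): the same identity Bro's conn_id carries
ConnKey = Tuple[str, int, str, int]

# Constructed fragment header: msg_id (u16 BE), fragment index (u8), last flag (u8)
FRAG_HDR = struct.Struct(">HBB")


@dataclass
class _Pending:
    frags: Dict[int, bytes] = field(default_factory=dict)
    last_index: Optional[int] = None


class Reassembler:
    """Collects fragments per (connection, msg_id) and returns the complete
    payload once indices 0..last are all present; otherwise returns None.
    Out-of-order and duplicate fragments are tolerated; gaps are never filled."""

    def __init__(self) -> None:
        self._pending: Dict[Tuple[ConnKey, int], _Pending] = {}

    def feed(self, conn: ConnKey, fragment: bytes) -> Optional[bytes]:
        if len(fragment) < FRAG_HDR.size:
            raise ValueError("fragment shorter than header")
        msg_id, index, last = FRAG_HDR.unpack_from(fragment)
        key = (conn, msg_id)
        p = self._pending.setdefault(key, _Pending())
        p.frags[index] = fragment[FRAG_HDR.size:]  # duplicate index simply overwrites
        if last:
            p.last_index = index
        if p.last_index is None or any(i not in p.frags for i in range(p.last_index + 1)):
            return None  # still incomplete: keep waiting for missing pieces
        del self._pending[key]  # message complete: release per-connection state
        return b"".join(p.frags[i] for i in range(p.last_index + 1))

    def pending_count(self) -> int:
        return len(self._pending)


# Constructed item layout: kind (u8), length (u8), body. The meaning of the
# body depends on kind; unknown kinds are kept as opaque bytes, not dropped,
# so an event can still report that something unrecognised was seen.
@dataclass
class Item:
    kind: int
    value: Optional[int] = None      # kind 1: u16 value
    name: Optional[str] = None       # kind 2: ASCII name
    address: Optional[bytes] = None  # kind 3: 4 raw address bytes
    raw: Optional[bytes] = None      # any other kind


def parse_items(payload: bytes) -> List[Item]:
    items: List[Item] = []
    pos = 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated item header")
        kind, length = payload[pos], payload[pos + 1]
        body = payload[pos + 2: pos + 2 + length]
        if len(body) != length:
            raise ValueError("truncated item body")
        pos += 2 + length
        if kind == 1 and length == 2:
            items.append(Item(kind, value=struct.unpack(">H", body)[0]))
        elif kind == 2:
            items.append(Item(kind, name=body.decode("ascii", errors="replace")))
        elif kind == 3 and length == 4:
            items.append(Item(kind, address=body))
        else:
            items.append(Item(kind, raw=body))
    return items


def make_fragments(msg_id: int, payload: bytes, size: int) -> List[bytes]:
    """Split a payload into constructed fragments (used to build sample input)."""
    chunks = [payload[i:i + size] for i in range(0, len(payload), size)] or [b""]
    return [FRAG_HDR.pack(msg_id, i, int(i == len(chunks) - 1)) + c
            for i, c in enumerate(chunks)]


# Constructed sample: value 42, name "DB1", a 4-byte address, and an unknown kind 9
SAMPLE_PAYLOAD = (bytes([1, 2, 0x00, 0x2A]) + bytes([2, 3]) + b"DB1"
                  + bytes([3, 4, 0x82, 0x00, 0x00, 0x10]) + bytes([9, 1, 0xFF]))


def demo() -> List[Item]:
    conn: ConnKey = ("10.0.0.5", 50123, "10.0.0.9", 102)
    r = Reassembler()
    full = None
    # deliver the fragments in reverse to show nothing is emitted until all arrive
    for frag in reversed(make_fragments(7, SAMPLE_PAYLOAD, 5)):
        full = r.feed(conn, frag)
    assert full == SAMPLE_PAYLOAD and r.pending_count() == 0
    return parse_items(full)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The per-message key includes the connection, so two flows reusing the same message id never share a buffer; in a real analyzer the pending table should also be cleared when the connection ends so half-received messages do not accumulate.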


