[Bro-Dev] Writing analyzer for Siemens PLC

Dane Wullen dane.wullen at alumni.fh-aachen.de
Wed May 2 13:22:22 PDT 2018

Hi there,

as a part of my master's thesis I'm going to write two analyzer which 
will be able detect S7Comm and S7CommPlus traffic used by Siemens PLCs. 
Both protocols are proprietary, so I have no official documentation. The 
goal is to monitor this kind of traffic and/or detect threats against 
those PLCs.
So far, I am able to read S7Comm traffic and generate various events, 
covering all standard and most of the additional (UserData) functions. 
This part is based on the code of Wireshark S7Comm dissector.

The S7CommPlus part is a little bit trickier. Unfortunately, the only 
code base I can use is an 4 year old git-repo, probably forked from the 
first S7CommPlus dissector written by Thomas Wiens 

After a quick glance I have discovered 2 "problems", where I hope you 
could help me.

1) Reassembling packets: Some S7CommPlus packets which payload is over a 
certain amount of bytes will be split and need to be reassembled. I 
don't know how to do that in Bro nor how I can keep track of which 
fragments belongs to the which packet. (LoC: 3917 to 4135)
2) Various payload: Some packets contain different payload, e.g. 
different addressing types, attributes and/or structures, even though 
the packet-type is the same (for example: a request packet can contain 
one or more objects. In each object, there can be various items of type 
A, B, C or D, each of them have a different structure). If I want to 
generate a Bro events which contains the payload as a parameter, how do 
I do that?

Any help will be appreciated!



More information about the bro-dev mailing list