[Zeek-Dev] Additional Industrial Control Systems Protocols

Johnson, Blake joblake at amazon.com
Wed Oct 2 16:15:54 PDT 2019

Thanks Amber for following up with us on this.

Tri and I had a chance to talk to Amber today and we've agreed to pursue a release of these protocols on the Zeek package manager rather than directly into Zeek upstream. I have a few last hoops to jump through internally to arrange this through the Amazon GitHub organization.

My goal is to have this out publicly in advance of ZeekWeek next Wednesday.


From: Amber Graner <akgraner at corelight.com> 
Sent: Monday, September 30, 2019 5:46 PM
To: Johnson, Blake <joblake at amazon.com>
Cc: zeek-dev at zeek.org
Subject: Re: [Zeek-Dev] Additional Industrial Control Systems Protocols

Hi Blake,

Thank you so much for reaching out to the list. YES, please open these through our package manager. We would be delighted, but more importantly, the community of Zeek users will be.

Thank you and your team for extending the capabilities of Zeek.

I'll be reaching out off-list to set up some time to meet with you and your colleagues at ZeekWeek. 

Please let me know if you have any questions.


On Mon, Sep 30, 2019 at 3:50 PM Johnson, Blake <joblake at amazon.com> wrote:
Hi Team -

As part of our work on the Customer Fulfillment Technology Security team at Amazon.com we've developed a set of protocol parsers for industrial control systems devices that we use in our production Zeek deployment. At this stage we're approved to release several of them as open source and would like to understand both if the Zeek team would be interested in taking these as contributions to upstream and, if you are, how best to coordinate the process of merging the contributions in. The five plugins we're approved to share now are:

* BACnet
* Ethernet/IP & Common Industrial Protocol (one plugin)
* Profinet
* S7comm
* MS-TDS Tabular Data Stream Protocol (not strictly ICS but used by some SCADA historians)

If the team is interested in this upstream we can submit as pull requests on GitHub, for example as one pull request per plugin, or via another workflow. If they're not a fit for upstream we can pursue an independent release. I'm really excited to make this available to the community either way!  The two main authors, my colleague Tri and myself, will be at ZeekWeek here in Seattle next month to discuss these and a few others we have coming down the pipe.

Let us know what works,

Blake Johnson
Security Engineer
Control Systems Security

zeek-dev mailing list
mailto:zeek-dev at zeek.org


Amber Graner
Director of Community
Corelight, Inc


* Ask me about how you can participate in the Zeek (formerly Bro) community.
