[Bro] Support SNMP and MODBUS/TCP Protocols?

Huiping Song Huiping.Song at ultra-3eti.com
Tue Aug 14 07:04:58 PDT 2012


Hi Robin,

Thanks for the updates.  Good to know that there will be a prototype of MODBUS support in Bro 2.2.  Any estimates about the release timeline for Bro 2.2?

Can the prototype of MODBUS support also be customized to work with Bro 2.0 quickly?  We are eager to experiment using Bro to monitor and analyze MODBUS/TCP traffic. :)

Best regards,
Huiping


-----Original Message-----
From: Robin Sommer [mailto:robin at icir.org] 
Sent: Monday, August 13, 2012 7:21 PM
To: Huiping Song
Cc: bro at bro-ids.org
Subject: Re: [Bro] Support SNMP and MODBUS/TCP Protocols?


On Mon, Aug 13, 2012 at 20:56 +0000, you wrote:

> We would like to use Bro to monitor and analyze SNMP and MODBUS/TCP traffic 
> in industrial control networks.  Does the latest version of Bro 
> support SNMP, MODBUS/TCP and any other industrial control protocols?

No, not yet. We've a prototype of Modbus support (and DNP3), which will likely make it into Bro 2.2. Nobody is working on SNMP yet though as far as I know.

> If not currently supported, what are the typical steps to make Bro 
> support a new protocol?

The best way is to use our binpac parser generator, see here for a
skeleton:

    http://www.bro-ids.org/development/binpac-sample-analyzer.html

Also take a look at the existing analyzers in src/*.pac.

Robin

--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org
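Whichever way the analyzer ends up being written (binpac grammar or hand-rolled), the first thing it has to get right is the Modbus/TCP framing that the thread is asking about. The following parser is an added example, not code from this thread, from Bro, or from the Bro Modbus prototype Robin mentions; it encodes the framing rules a binpac grammar for Modbus/TCP would have to express (7-byte MBAP header, protocol id 0, length field covering unit id + function code + data, exception bit 0x80 in the function code) and the reassembly caveat that matters on TCP: an ADU may arrive split across segments or several ADUs may share one segment. The function-code table and the sample frames below are constructed for the example.

```python
from __future__ import annotations
import struct
from dataclasses import dataclass
from typing import Optional

# MBAP header: transaction id (2) + protocol id (2) + length (2) + unit id (1)
MBAP_LEN = 7

# Subset of public function codes from the Modbus Application Protocol spec
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
WRITE_CODES = {5, 6, 15, 16}


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function_code: int   # with the exception bit (0x80) stripped
    is_exception: bool
    data: bytes          # everything after the function code


def parse_modbus_tcp(buf: bytes) -> tuple[Optional[ModbusFrame], bytes]:
    """Parse one Modbus/TCP ADU from the front of buf.

    Returns (frame, remaining). frame is None while buf does not yet hold a
    complete ADU, so a caller feeding a TCP stream can simply keep appending.
    Raises ValueError on framing that cannot be Modbus/TCP.
    """
    if len(buf) < MBAP_LEN:
        return None, buf
    tid, pid, length, uid = struct.unpack("!HHHB", buf[:MBAP_LEN])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus (must be 0)")
    if length < 2:  # must at least cover unit id + function code
        raise ValueError(f"length field {length} too small")
    # length counts the unit id, function code and data; the three 16-bit
    # fields in front of it are not included
    total = 6 + length
    if len(buf) < total:
        return None, buf
    fc = buf[MBAP_LEN]
    data = bytes(buf[MBAP_LEN + 1:total])
    return ModbusFrame(tid, uid, fc & 0x7F, bool(fc & 0x80), data), buf[total:]


def parse_stream(buf: bytes) -> list[ModbusFrame]:
    """Split a reassembled TCP byte string into as many complete ADUs as it holds."""
    frames = []
    while True:
        frame, buf = parse_modbus_tcp(buf)
        if frame is None:
            return frames
        frames.append(frame)


def decode_read_request(frame: ModbusFrame) -> tuple[int, int]:
    """Starting address and quantity for function codes 1-4 requests."""
    if len(frame.data) != 4:
        raise ValueError("read request data must be exactly 4 bytes")
    return struct.unpack("!HH", frame.data)


def describe(frame: ModbusFrame) -> str:
    """One-line summary of the kind a monitoring script would log."""
    name = FUNCTION_NAMES.get(frame.function_code, f"fc {frame.function_code}")
    if frame.is_exception:
        code = frame.data[0] if frame.data else None
        return f"tid={frame.transaction_id} unit={frame.unit_id} EXCEPTION to {name}, code={code}"
    tag = " [WRITE]" if frame.function_code in WRITE_CODES else ""
    return f"tid={frame.transaction_id} unit={frame.unit_id} {name}{tag} data={frame.data.hex()}"


# Constructed sample traffic (not captured): a Read Holding Registers request
# for 2 registers at address 0, its response, and an exception reply
# (illegal data address) to a second request, all in one TCP segment.
REQ = bytes.fromhex("000100000006010300000002")
RESP = bytes.fromhex("00010000000701030400010002")
EXC = bytes.fromhex("000200000003018302")
SAMPLE_STREAM = REQ + RESP + EXC

if __name__ == "__main__":
    for f in parse_stream(SAMPLE_STREAM):
        print(describe(f))
```

Two checks in the parser are the ones that separate a real Modbus/TCP analyzer from a byte dumper: refusing frames whose protocol id is non-zero (so the analyzer does not misclassify unrelated traffic on port 502), and treating the length field as the frame boundary rather than the TCP segment, which is what lets several ADUs in one segment, or one ADU across two, be handled correctly.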