[Bro] Support SNMP and MODBUS/TCP Protocols?

Dina Hadziosmanovic dina at ICSI.Berkeley.EDU
Wed Aug 15 07:28:47 PDT 2012


Hi Huiping,

To the best of my (our) knowledge no one is working on a BACnet protocol
analyzer, nor is it in the near-future plans of the people I know (mainly because
it's a building automation protocol and not a process automation one). But we also
might have some data for testing BACnet in the near future, so if you manage to
have the analyzer running, we might be able to help with more data for
validation purposes.

Good luck:)

__

Dina Hadziosmanovic

Distributed and Embedded Security Group, University of Twente, The
Netherlands

Email: dina.hadziosmanovic at utwente.nl

Homepage: http://dies.ewi.utwente.nl/~hadziosmanovicd

Address: Faculty of EEMCS, P.O. Box 217, 7500 AE, Enschede, The Netherlands

Office: Zilvering building, room 3032

Phone: +31 (0)53 489 2542 

From: Huiping Song [mailto:Huiping.Song at ultra-3eti.com] 
Sent: Wednesday 15 August 2012 0:04
To: Hui Lin (Hugo) 
Cc: bro at bro-ids.org
Subject: Re: [Bro] Support SNMP and MODBUS/TCP Protocols?

Hi Hui,

We look forward to testing the MODBUS and DNP3 analyzers as soon as they are
available.

We are also interested in protocols for building automation and control
networks, such as BACnet. Is there anyone currently working (or planning to
work) on a BACnet protocol analyzer? We may try to learn/experiment with
building a BACnet protocol analyzer using the BinPAC parser generator. This
looks to be a daunting task at the moment.

Thanks for the help.

Huiping

From: Hui Lin (Hugo) [mailto:hlin33 at illinois.edu] 
Sent: Tuesday, August 14, 2012 10:38 AM
To: Huiping Song
Cc: Robin Sommer; bro at bro-ids.org
Subject: Re: [Bro] Support SNMP and MODBUS/TCP Protocols?

Hi, Huiping,

We are working on merging the Modbus at this moment. I think merging Modbus
would not take too long as the code size of it is not that big.  

Also, in case you want to build your own analyzer in binpac, here is
some sample code:

http://www.bro-ids.org/development/binpac-sample-analyzer.html 

FYI, binpac can easily handle an application layer protocol directly over TCP
or UDP. But with a complex protocol that includes a session layer or
presentation layer, you may need to do some modifications to Bro's code to
integrate the binpac code.

Hope this helps.

Best,

Hui 

On Tue, Aug 14, 2012 at 9:04 AM, Huiping Song <Huiping.Song at ultra-3eti.com>
wrote:

Hi Robin,

Thanks for the updates.  Good to know that there will be a prototype of
MODBUS support in Bro 2.2.  Any estimates about the release timeline for Bro
2.2?

Can the prototype of MODBUS support also be customized to work with Bro 2.0
quickly?  We are eager to experiment using Bro to monitor and analyze
MODBUS/TCP traffic. :)

Best regards,
Huiping



-----Original Message-----
From: Robin Sommer [mailto:robin at icir.org]
Sent: Monday, August 13, 2012 7:21 PM
To: Huiping Song
Cc: bro at bro-ids.org
Subject: Re: [Bro] Support SNMP and MODBUS/TCP Protocols?


On Mon, Aug 13, 2012 at 20:56 +0000, you wrote:

> We like to use Bro to monitor and analyze SNMP and MODBUS/TCP traffic
> in industrial control networks.  Does the latest version of Bro
> support SNMP, MODBUS/TCP and any other industrial control protocols?

No, not yet. We've a prototype of Modbus support (and DNP3), which will
likely make it into Bro 2.2. Nobody is working on SNMP yet though as far as
I know.

> If not currently supported, what are the typical steps to make Bro
> support a new protocol?

The best way is to use our binpac parser generator, see here for a
skeleton:

    http://www.bro-ids.org/development/binpac-sample-analyzer.html

Also take a look at the existing analyzers in src/*.pac.

Robin

--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 * www.icir.org


-- 
Hui Lin

PhD Candidate, Research Assistant
Electrical and Computer Engineering Department
University of Illinois at Urbana-Champaign
