[Zeek] Known_services detection for MODBUS
fatema bannatwala
fatema.bannatwala at gmail.com
Fri Jan 4 09:17:15 PST 2019
Hi All,
I had a recent case where MODBUS was reported in the known_services.log
file for the scanning attempts on port 502, with no connection being set up.
I always thought that a known_service is logged when the complete handshake
is seen in the connection:
$ zcat known_services.22:00:00-23:00:00.log.gz | grep "128.175.10.187" | grep "MODBUS" | more
1544756649.284460 128.175.10.187 502 tcp MODBUS
1544756677.105590 128.175.10.187 502 tcp MODBUS

$ zcat conn.22:00:00-23:00:00.log.gz | grep "modbus" | awk -F'\t' '{if ($5 ~ /128.175.10.187/) print;}' | more
1544756649.284460 Coix4i2Hvzy3fHMFH5 118.26.141.219 3901 128.175.10.187 502 tcp modbus - - - S0 F T 0 S 1 60 0 0 (empty) worker-2-10
1544756677.105590 C1wLrc4pJoc30fJvL 118.26.141.219 1471 128.175.10.187 502 tcp modbus - - - S0 F T 0 S 1 60 0 0 (empty) worker-4-5
Usually the number of entries logged in the known_services.log file ranges
between 900-2000 for an hour, but that day for a single hour it was
completely swamped by the MODBUS service logs for the heavy scanning on
port 502.
$ zcat known_services.22:00:00-23:00:00.log.gz | grep "MODBUS" | wc -l
96949
I am looking into the issue, but just wanted to share here if someone
already knows about this and can provide any inputs, don't want to re-invent
the wheel :)
Thanks!
Fatema.
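One way to sanity-check a known_services.log against conn.log for exactly the situation described in this post: flag every known service whose supporting connections never showed a responder SYN-ACK (history without a lowercase 'h', e.g. the S0 entries above). This is an added example, not code from the post or from Zeek; the field order assumes the default Zeek conn.log and known_services.log layouts, the sample lines are constructed from the entries quoted above, and the SSH line and its addresses are made up.

```python
# Added example (not from the original post or Zeek): find known_services
# entries that are only backed by connections with no completed handshake.
# Assumed field order: default Zeek conn.log / known_services.log layouts.
CONN_FIELDS = ("ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service "
               "duration orig_bytes resp_bytes conn_state local_orig local_resp "
               "missed_bytes history orig_pkts orig_ip_bytes resp_pkts "
               "resp_ip_bytes tunnel_parents").split()
KNOWN_FIELDS = "ts host port_num port_proto service".split()

# Constructed sample data: the two modbus S0 entries quoted in the post plus a
# made-up, fully established SSH connection for contrast.
CONN_LOG = """\
1544756649.284460\tCoix4i2Hvzy3fHMFH5\t118.26.141.219\t3901\t128.175.10.187\t502\ttcp\tmodbus\t-\t-\t-\tS0\tF\tT\t0\tS\t1\t60\t0\t0\t(empty)
1544756677.105590\tC1wLrc4pJoc30fJvL\t118.26.141.219\t1471\t128.175.10.187\t502\ttcp\tmodbus\t-\t-\t-\tS0\tF\tT\t0\tS\t1\t60\t0\t0\t(empty)
1544756700.000000\tCexampleSSH000001\t10.0.0.5\t40000\t128.175.10.20\t22\ttcp\tssh\t1.2\t100\t200\tSF\tT\tT\t0\tShADadFf\t6\t400\t5\t500\t(empty)
"""
KNOWN_SERVICES_LOG = """\
1544756649.284460\t128.175.10.187\t502\ttcp\tMODBUS
1544756700.000000\t128.175.10.20\t22\ttcp\tSSH
"""

def parse(log, fields):
    """Parse header-less tab-separated Zeek log lines into dicts."""
    return [dict(zip(fields, line.split("\t")))
            for line in log.splitlines() if line and not line.startswith("#")]

def handshake_seen(conn):
    """True only if the responder sent a SYN-ACK: lowercase 'h' in history.
    S0 scans carry history 'S' alone (originator SYN, no reply)."""
    return "h" in conn["history"]

def unsupported_services(conn_log, known_log):
    """Return (host, port, service) triples from known_services.log for which
    no conn.log entry shows a completed handshake. Service names are compared
    case-insensitively because known_services uses MODBUS, conn.log modbus."""
    established = set()
    for c in parse(conn_log, CONN_FIELDS):
        if handshake_seen(c):
            established.add((c["id.resp_h"], c["id.resp_p"], c["service"].lower()))
    flagged = []
    for k in parse(known_log, KNOWN_FIELDS):
        key = (k["host"], k["port_num"], k["service"].lower())
        if key not in established:
            flagged.append(key)
    return flagged

if __name__ == "__main__":
    for host, port, svc in unsupported_services(CONN_LOG, KNOWN_SERVICES_LOG):
        print(f"{svc.upper()} on {host}:{port} seen only on unestablished connections")
```

On real logs, strip the `#`-prefixed header lines (the parser already skips them) and feed the file contents in place of the constructed strings.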