S7Comm-Analyzer

Bro::Iso_Over_TCP

A plugin for the Zeek (Bro) NIDS, mainly to parse S7Comm protocol data traffic. S7Comm is based on ISO over TCP (RFC1006), so the "main" analyzer is ISO over TCP. The plugin will feature a really simple ISO over TCP analyzer and a S7Comm analyzer.

The S7Comm analyzer covers all known function of the S7Comm protocol excluding the cpu functions of the UserData packages. S7CommPlus analyzer is not finished and works to some extend. It covers the base functions of this protocol and can be used to log some events, but not the data (they will not be parsed).

This plugin was written as a part of a master's thesis at Fachhochschule in Aachen (Aachen University of Applied Sciences). It was only tested with self-generated .pcap files from a Siemens S7 1204 and some .pcap files I found in other GitHub repositories.

Based on the Wireshark dissector written by Thomas Wiens https://github.com/wireshark/wireshark/blob/5d99febe66e96b55a1defa58a906be254bad3a51/epan/dissectors/packet-s7comm.c, https://github.com/wireshark/wireshark/blob/5d99febe66e96b55a1defa58a906be254bad3a51/epan/dissectors/packet-s7comm.h, https://github.com/wireshark/wireshark/blob/fe219637a6748130266a0b0278166046e60a2d68/epan/dissectors/packet-s7comm_szl_ids.h, https://github.com/wireshark/wireshark/blob/fe219637a6748130266a0b0278166046e60a2d68/epan/dissectors/packet-s7comm_szl_ids.c, https://sourceforge.net/projects/s7commwireshark/

partially on the PoC S7Comm-Bro-Plugin written by Gy├Ârgy Miru https://github.com/CrySyS/bro-step7-plugin/blob/master/README.md,

RFC 1006 (ISO Transport Service on top of the TCP) https://tools.ietf.org/html/rfc1006

and RFC 905 (ISO Transport Protocol Specification) https://tools.ietf.org/html/rfc0905

Disclaimer

As I mentioned before, I have never tested this analyzer on in a production environment. Therefore, I do not take responsibility for any damage or loss caused by this piece of software.

Package Version :