Comments (7)
And why in consts.zeek, only the choice:
const segmentation_supports = {
[3] = "No Segmentation",
instead of the full enumerated possibilities:
BACnetSegmentation ::= ENUMERATED {
segmented-both (0),
segmented-transmit (1),
segmented-receive (2),
no-segmentation (3)
and only the either/or choices:
const limit_enable = {
[1] = "Event Low Limit Enable",
[2] = "Event High Limit Enable",
instead of the full bitstring of possibilities that also includes:
[3] = "Event Both Limits Enable",
from zeek-plugin-bacnet.
I am interested in discussing the motivation; doesn't have to be on this Issue thread, but I don't have other contact info for you. Feel free to message me [email protected]
@duffy-corelight, I don't mind discussing it here at all. For both inquiries, this was done so because those are the items that were noticed often in our traffic. I took pcaps for a few days from our production traffic and noticed these in Wireshark. The same goes for the enumerations. Is there a reference list that I could use to make sure that all are included? If you have pcaps that you could share, that would be wonderful. I know I pulled the list of vendors from the BACnet website at the time this plugin was developed, so I know at least that was the latest. You could also contact me using my git user name @ gmail.com if there are topics that we need to discuss offline.
I've gone ahead and updated these and will push sometime this week. Again, thanks for being the subject matter expert in BACnet protocol to help improve this plugin!
If we wanted to go for completeness, an automated syntax conversion from BACnet clause 21 is warranted. The enumerated string tables in computer-readable format that I have is 3272 lines.
The content which is going into bacnet.log currently leaves out the property value content, due to lack of completeness in ranging over all the 13 different datatypes. Implemented are just:
local data_type: count = identifier_info / 16;
switch(data_type) {
case 2, ##! UINT
9: ##! ENUMERATION
case 7, ##! STRING
8: ##! BIT STRING
case 12: ##! OBJECT
Is the omission because the others (NULL, Boolean, Integer, OctetString, Date, Time, REAL, Double) contain data which consumers of bacnet.log wouldn't care about?
@duffy-corelight, it was because we didn't see traffic that contained the missing datatypes, so it was deemed safer to exclude them just in case incorrect parsing could have crashed zeek.
Wise choice. Deploying a cure worse than the disease would have been excess hubris.