icsnpp-ge-srtp

https://github.com/cisagov/icsnpp-ge-srtp
4 0 2 0 Last Push 10/3/24, 3:18 PM

ICSNPP-GE-SRTP

Industrial Control Systems Network Protocol Parsers (ICSNPP) - GE SRTP

Overview

ICSNPP-GE-SRTP is a Zeek plugin (written in Spicy) for parsing and logging fields used by the GE SRTP protocol, as defined in Leveraging the SRTP protocol for over-the-network memory acquistion of a GE Fanuc Seris 90-30

This parser produces the following log files, defined in scripts/main.zeek:

  • ge_srtp_general.log

For additional information on this log file, see the Logging Capabilities section below.

Installation

Package Manager

This script is available as a package for Zeek Package Manager. It requires Spicy and the Zeek Spicy plugin.

$ zkg refresh
$ zkg install icsnpp-ge-srtp

If this package is installed from ZKG, it will be added to the available plugins. This can be tested by running zeek -NN. If installed correctly, users will see [Analyzer] spicy_GE_SRTP_TCP (ANALYZER_SPICY_GE_SRTP_TCP, enabled) under the list of Zeek::Spicy analyzers.

If users have ZKG configured to load packages (see @load packages in the ZKG Quickstart Guide), this plugin and these scripts will automatically be loaded and ready to go.

Logging Capabilities

GE SRTP Log (ge_srtp_general.log)

Overview

This log summarizes, by connection, GE SRTP frames transmitted to ge_srtp_general.log.

Fields Captured

FieldTypeDescription
tstimeTimestamp (network time)
uidstringUinque ID for this connection
idconn_idDefault Zeek connection info (IP Addresses, Ports, etc.)
protostringTransport protocol
srtp_typestringType: Request (0x02) Reply (0x03)
sequence_number_1countSequence number identifying request/reply pairs. Repeated twice in message structure.
text_lengthcountLength of the message for messages greater than 56 bytes
time_secondscountTime in seconds
time_minutescountTime in minutes
time_hourscountTime in hours
sequence_number_2countSecond sequence number
message_typestringMessage type
mailbox_sourcecountMailbox source
mailbox_destinationcountMailbox destination
packet_numbercountPacket number
total_packet_numbercountTotal packet number
service_request_codestringService request code based on the type of memory being requested
segment_selectorstringSegment selector determining which memory register is accessed
memory_offsetcountMemory offset starting with zero
data_lengthcountData length for the memory type accessed.
status_codestringStatus code
minor_status_codestringMinor status code
data_requestedstringData requested
control_program_numbercountThe number of the control program task the master is currently logged into.
current_privilege_levelcountCurrent privilege level of the master device
last_sweep_timecountThe last elapsed time to fully execute program task.
oversweep_flagstringOversweep flag. Meaningful only if constant sweep mode is active
constant_sweep_modestringConstant sweep mode. Active (0x01); Not Active (0x00)
plc_fault_entry_last_readstringPLC Fault Entry since last read.
io_fault_entry_last_readstringI/O Falut Entry since last read.
plc_fault_entry_presentstringPLC Fault Entry present.
io_fault_entry_presentstringI/O Fault Entry present.
programmer_attachmentstringProgrammer attachement flag. Attachment found (0x01); No Attachement found (0x00)
front_panel_enable_switchstringFront panel ENABLE/DISABLE switch setting.
front_panel_run_switchstringFront panel RUN/STOP switch setting.
oem_protectedstringOEM protected bit.
plc_statestringPLC State

ICSNPP Packages

All ICSNPP Packages:

Full ICS Protocol Parsers:

  • BACnet
    • Full Zeek protocol parser for BACnet (Building Control and Automation)
  • BSAP
    • Full Zeek protocol parser for BSAP (Bristol Standard Asynchronous Protocol) over IP
    • Full Zeek protocol parser for BSAP Serial comm converted using serial tap device
  • Ethercat
    • Full Zeek protocol parser for Ethercat
  • Ethernet/IP and CIP
    • Full Zeek protocol parser for Ethernet/IP and CIP
  • Genisys
    • Full Zeek protocol parser for Genisys
  • OPCUA-Binary
    • Full Zeek protocol parser for OPC UA (OPC Unified Architecture) - Binary
  • S7Comm
    • Full Zeek protocol parser for S7comm, S7comm-plus, and COTP
  • Synchrophasor
    • Full Zeek protocol parser for Synchrophasor Data Transfer for Power Systems (C37.118)
  • Profinet IO CM
    • Full Zeek protocol parser for Profinet I/O Context Manager

Updates to Zeek ICS Protocol Parsers:

  • DNP3
    • DNP3 Zeek script extending logging capabilities of Zeek's default DNP3 protocol parser
  • Modbus
    • Modbus Zeek script extending logging capabilities of Zeek's default Modbus protocol parser

License

Copyright 2023 Battelle Energy Alliance, LLC. Released under the terms of the 3-Clause BSD License (see LICENSE.txt). ~

Package Version :

Description :

GE-SRTP is a proprietary protocol used for communication between a GE PLC and a GE HMI.
The GE-SRTP protocol parser is based off of the research paper that can be accessed at https://digitalcommons.newhaven.edu/electricalcomputerengineering-facpubs/70/
Like Modbus, the GE-SRTP protocol can read both discrete and analog inputs.

Script Dir :

scripts

Build Command :

mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build .

Test Command :

cd testing && btest -c btest.cfg

Depends :

zeek >=6.0.0