spicy script help for packer analyser

[biswajitutil]

Hi,
I am trying to add a very basic analyser for Goose (IEC61850) which will just

1. detect the protocol (no parsing of PDU as of now) for every packet and prints that it has detected.
2. Once 1. is done then I will need to send an analyzer confirmation event to my broker module to notify that Goose is detected.
   As it is running over ethernet (type 0x88ba) and so I tried packet analyzer not protocol analyzer.
   

I am able to register the plugin and can see in zeek -NN but not able to do 1 & 2. It is printing nothing for the pcap, just getting packet_filter.log with an entry of default bpf filter IP or not IP.

$ /usr/local/zeek/bin/zeek -NN |grep GOOSE
    [Packet Analyzer] spicy_GOOSE (ANALYZER_SPICY_GOOSE, enabled)

Can you please tell where I am doing mistakes.

Below are my spicy scripts

spicy parser script

biswa:~/zeek-spicy-goose/analyzer$ cat goose.spicy

module zeek_spicy_goose;
public type GOOSEPacket = unit {
    appid: uint8;
    pkt_len: uint16;
    payload: bytes &eod;
};

spicy event

biswa:~/zeek-spicy-goose/analyzer$ cat goose.evt
packet analyzer spicy::GOOSE:
    parse with zeek_spicy_goose::GOOSEPacket;

import zeek_spicy_goose;

on zeek_spicy_goose::GOOSEPacket -> event GOOSE::message($packet, self.appid, self.pkt_len);

zeek spicy script

biswa:~/zeek-spicy-goose/analyzer$ cat zeek_goose.spicy

module Zeek_zeek_spicy_goose;

import zeek_spicy_goose;
import zeek;

on zeek_spicy_goose::GOOSEPacket::%done {
    zeek::confirm_protocol();
}

on zeek_spicy_goose::GOOSEPacket::%error {
    zeek::reject_protocol("error while parsing GOOSE record");
}

Zeek script

biswa@dmz-ashish-new:~/zeek-spicy-goose/analyzer$ cat ../scripts/main.zeek
module GOOSE;

global goose_topic = "/topic/goose";

global begin_time: time;
global total_time: interval;

export {
        ## Log stream identifier.
        redef enum Log::ID += { GOOSE_LOG };

        ## Record type containing the column fields of the goose log.
        type Info: record {
                ## Timestamp for when the activity happened.
                ts: time &log &default=network_time();
                appid: count &log &optional;
                pkt_len: count &log &optional;
        };

        global GOOSE::message: event(pkt: raw_pkt_hdr, appid: count, pkt_len: count);

        global analyzer_confirmation: event(atype: AllAnalyzers::Tag, info: AnalyzerConfirmationInfo);

        global GOOSE::log_goose: event(rec: GOOSE::Info);

        global log_GOOSE: event(rec: Info);
}

redef record raw_pkt_hdr  += {
        GOOSE: Info &optional;
};


event zeek_init() &priority=5
{
        suspend_processing();
        Broker::peer(addr_to_uri(127.0.0.1), 50000/tcp);

         if ( ! PacketAnalyzer::try_register_packet_analyzer_by_name("Ethernet", 0x88ba, "spicy_GOOSE") )
               if ( ! PacketAnalyzer::try_register_packet_analyzer_by_name("Ethernet", 0x88ba, "spicy::GOOSE") )
                    print "cannot register GOOSE Spicy analyzer";

        Log::create_stream(GOOSE::GOOSE_LOG, [$columns=Info, $ev=log_goose, $path="goose"]);
}

#print this event per packet
event GOOSE::message(packet: raw_pkt_hdr, appid: count, pkt_len: count)
{
        local info: Info = [$ts=network_time(), $appid=appid, $pkt_len=pkt_len];
        print "Processing pcakets", packet;
        Log::write(GOOSE::GOOSE_LOG, info);
}

event Broker::peer_added(ep: Broker::EndpointInfo, msg: string)
{
        print "PEER ADDED", ep;
        continue_processing();
}
#send this event over the broker
event analyzer_confirmation_info(atype: AllAnalyzers::Tag, info: AnalyzerConfirmationInfo)
{
        if ( atype == Analyzer::ANALYZER_SPICY_GOOSE)
        {
                Broker::publish(goose_topic, analyzer_confirmation, atype, info);
        }
}

PCAP file: https://github.com/ITI/ICS-Security-Tools/blob/master/pcaps/IEC61850/GOOSE/GOOSE.pcap

[zeek-bot]

This issue has been mentioned on Zeek. There might be relevant details there:

https://community.zeek.org/t/need-a-sample-spicy-script-to-detect-iec-61850/7095/3

[bbannier]

There are a number of issues here.

In main.zeek:

if ( ! PacketAnalyzer::try_register_packet_analyzer_by_name("Ethernet", 0x88ba,
    "spicy_GOOSE") )
	if ( ! PacketAnalyzer::try_register_packet_analyzer_by_name("Ethernet",
	    0x88ba, "spicy::GOOSE") )
		print "cannot register GOOSE Spicy analyzer";

This registers your GOOSE analyzer for tag 0x88ba. Looking at your PCAP, this is not the correct tag for GOOSE which should be 0x88b8 instead.

You should change these lines to

if ( ! PacketAnalyzer::try_register_packet_analyzer_by_name("Ethernet", 0x88b8,
    "spicy_GOOSE") )
	print "cannot register GOOSE Spicy analyzer";

In zeek_goose.spicy:

on zeek_spicy_goose::GOOSEPacket::%done {
    zeek::confirm_protocol();
}

on zeek_spicy_goose::GOOSEPacket::%error {
    zeek::reject_protocol("error while parsing GOOSE record");
}

You here call confirm_protocol and reject_protocol for a packet analyzer. These functions are intended for protocol analyzers to notify Zeek's dynamic protocol detection (DPD) machinery about the particular protocol over a connection. Since you are working on a packet analyzer there is neither a protocol nor a connection and these uses lead to your packet analyzer failing. Remove both these hook implementations.

With both these changes your analyzer produces a goose.log with the following contents:

#separator \x09
#set_separator	,
#empty_field	(empty)
#unset_field	-
#path	goose
#open	2023-08-07-11-19-04
#fields	ts	appid	pkt_len
#types	time	count	count
1216135243.118812	0	256
1216135253.159260	0	256
1216135263.198794	0	256
1216135270.951499	0	256
1216135270.963584	0	256
1216135270.986981	0	256
1216135271.077396	0	256
1216135271.583138	0	256
#close	2023-08-07-11-19-04

Spicy/Zeek come with a number of tools to allow debugging such issues, see e.g., the section on Spicy Zeek analyzer debugging in the Spicy docs. In this case, using HILTI_DEBUG=zeek and HILTI_DEBUG=spicy would have shown that your parser wasn't invoked (mismatching tag), and zeek -B packet_analysis (requires Zeek debug build) would have raised the issue about using confirm_protocol/reject_protocol.

[biswajitutil]

Thanks a lot @bbannier . I have fixed these issues by using "zkg create --features spicy-packet-analyzer --packagedir goose", it worked fine. So, now packets are detecting as goose.
Similarly, I have used "zkg create --features spicy-protocol-analyzer --packagedir mms" for MMS protocol ( IEC 61850).

Now I need help in parsing the protcol or writing the parser. So, if anyone from zeek team can guide me slightly or give me a starting point for this protocol would be very much appreciated. I want to know how to parse such protocols where there are subsequent message passing for PDUs and we need to assemble them ( maybe ) to extract proper information. MMS is a connection-oriented protocol whereas GOOSE is not.

GOOSE PCAP
MMS PCAP
Thanks
Biswa

[bbannier]

@biswajitutil, the Spicy documentation is exactly the guide you are looking for, it e.g., has a walk-through for creating a sample analyzer. If you run into concrete issues, feel free to e.g., open a new spicy topic in our Discourse instance.