Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ensure all conn.log entries are tagged "ics" for OT protocols #541

Closed
mmguero opened this issue Dec 19, 2024 · 2 comments
Closed

ensure all conn.log entries are tagged "ics" for OT protocols #541

mmguero opened this issue Dec 19, 2024 · 2 comments
Assignees
@mmguero
Labels
enhancement New feature or request ics Relating to ICS (Industrial Control Systems) devices logstash Relating to Malcolm's use of Logstash zeek Relating to Malcolm's use of Zeek
Milestone
v25.01.0

Comments

@mmguero
Copy link
Collaborator

mmguero commented Dec 19, 2024

We need to make sure that all conn.log entries get tagged with ics when an ICS protocol is detected.

This is maybe already supposed to be handled but I don't see it is being done in every case. I wonder if it's actually an issue in the parsers. Some of them seem to be setting the service correctly (bacnet, s7comm) but I don't think that all of them.

So here's what needs to happen:

  • Go through all the ICSNPP parsers and make sure that when the protocol is detected, it sets the conn.log's service to the protocol name; if not, this will have to be submitted as a PR to that repository
  • Check the logstash code (linked above in 11_lookups.conf) to set the ics value into the tags field
  • Verify for all of the ICS protocols we support that the tag gets set for conn.log of that protocol
@mmguero mmguero added enhancement New feature or request logstash Relating to Malcolm's use of Logstash zeek Relating to Malcolm's use of Zeek labels Dec 19, 2024
@mmguero mmguero added this to the v25.01.0 milestone Dec 19, 2024
@mmguero mmguero added this to Malcolm Dec 19, 2024
@mmguero mmguero moved this to Todo (develop) in Malcolm Dec 19, 2024
@mmguero mmguero added the ics Relating to ICS (Industrial Control Systems) devices label Dec 19, 2024
@mmguero mmguero self-assigned this Jan 8, 2025
@mmguero mmguero moved this from Todo (develop) to In Progress in Malcolm Jan 8, 2025
mmguero added a commit to mmguero-dev/Malcolm that referenced this issue Jan 9, 2025
@mmguero
Work in progress for cisagov#541, making sure conn.log and known_serv…
de41177 
…ices.log get the ICS protocols assigned to them corrrectly and tagged appropriately
@mmguero
Copy link
Collaborator Author

mmguero commented Jan 9, 2025
edited
Loading

I've made some tweaks made so far to make sure the service gets normalized correctly for conn.log and known_services.log. Also, still need to check:

  • ethercat does't seem to get a conn.log service set correctly this apparently isn't an issue, as ethercat does not even have a UID or conn.log component
  • need to standardize s7comm-plus vs. s7comm_plus in the network.protocol field across some of the logs standardized to s7comm-plus which is what comes out of the parser
  • synchrophasor_tcp is showing up somewhere, we need to trim off the _tcp (I think we need to do the same thing for dpd.log that we're doing for conn.log and known_services.log for service cleanup) fixed

mmguero added a commit to mmguero-dev/Malcolm that referenced this issue Jan 9, 2025
@mmguero
Work in progress for cisagov#541
98d7d17
mmguero added a commit to mmguero-dev/Malcolm that referenced this issue Jan 9, 2025
@mmguero
standardize ICS protocols in network.protocol field, so they all get …
3866959 
…tagged with 'ics' properly cisagov#541
@mmguero
Copy link
Collaborator Author

mmguero commented Jan 9, 2025

From what I can see now, all appropriate conn.log entries are being tagged with ics as they should be.

@mmguero mmguero closed this as completed Jan 9, 2025
@github-project-automation github-project-automation bot moved this from In Progress to Done in Malcolm Jan 9, 2025
This was referenced Jan 17, 2025
Merged
Merged
mmguero added a commit to idaholab/Malcolm that referenced this issue Jan 17, 2025
@mmguero
Work in progress for cisagov#541, making sure conn.log and known_serv…
712ca61 
…ices.log get the ICS protocols assigned to them corrrectly and tagged appropriately
mmguero added a commit to idaholab/Malcolm that referenced this issue Jan 17, 2025
@mmguero
Work in progress for cisagov#541
bacfac2
mmguero added a commit to idaholab/Malcolm that referenced this issue Jan 17, 2025
@mmguero
standardize ICS protocols in network.protocol field, so they all get …
bc57446 
…tagged with 'ics' properly cisagov#541
@mmguero mmguero moved this from Done to Released in Malcolm Jan 17, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@mmguero mmguero

Labels
enhancement New feature or request ics Relating to ICS (Industrial Control Systems) devices logstash Relating to Malcolm's use of Logstash zeek Relating to Malcolm's use of Zeek
Projects
Malcolm
Status: Released
Milestone
v25.01.0
Development

No branches or pull requests
1 participant
@mmguero