forked from cisagov/icsnpp-opcua-binary
-
Notifications
You must be signed in to change notification settings - Fork 1
/
opcua_binary-create_subscription_analyzer.pac
85 lines (67 loc) · 4.58 KB
/
opcua_binary-create_subscription_analyzer.pac
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
## opcua_binary-create_subscription_analyzer.pac
##
## OPCUA Binary Protocol Analyzer
##
## Analyzer code for processing the create subscription service.
##
## Author: Melanie Pierce
## Contact: [email protected]
##
## Copyright (c) 2022 Battelle Energy Alliance, LLC. All rights reserved.
refine flow OPCUA_Binary_Flow += {
#
# CreateSubscription Request
#
function deliver_Svc_CreateSubscriptionReq(msg: CreateSubscription_Req): bool
%{
// Debug printf("deliver_Svc_CreateSubscriptionReq - begin\n");
// Debug printCreateSubscriptionReq(msg);
// Debug printf("deliver_Svc_CreateSubscriptionReq - end\n");
zeek::RecordValPtr info = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::OPCUA_Binary::Info);
info = assignMsgHeader(info, msg->service()->msg_body()->header());
info = assignMsgType(info, msg->service()->msg_body()->header());
info = assignReqHdr(info, msg->req_hdr());
info = assignService(info, msg->service());
zeek::BifEvent::enqueue_opcua_binary_event(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
info);
zeek::RecordValPtr create_subscription_req = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::OPCUA_Binary::CreateSubscription);
// OpcUA_id
create_subscription_req->Assign(CREATE_SUB_OPCUA_LINK_ID_DST_IDX, info->GetField(OPCUA_LINK_ID_SRC_IDX));
create_subscription_req->Assign(CREATE_SUB_REQ_PUB_INT_IDX, zeek::val_mgr->Count(bytestringToDouble(msg->req_publishing_interval()->duration())));
create_subscription_req->Assign(CREATE_SUB_REQ_LIFETIME_COUNT_IDX, zeek::val_mgr->Count(msg->req_lifetime_count()));
create_subscription_req->Assign(CREATE_SUB_REQ_MAX_KEEP_ALIVE_IDX, zeek::val_mgr->Count(msg->req_max_keep_alive_count()));
create_subscription_req->Assign(CREATE_SUB_MAX_NOTIFICATIONS_PER_PUBLISH_IDX, zeek::val_mgr->Count(msg->max_notifications_per_publish()));
create_subscription_req->Assign(CREATE_SUB_PUBLISHING_ENABLED_IDX, zeek::val_mgr->Bool(msg->publishing_enabled()));
create_subscription_req->Assign(CREATE_SUB_PRIORITY_IDX, zeek::val_mgr->Count(msg->priority()));
zeek::BifEvent::enqueue_opcua_binary_create_subscription_event(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
create_subscription_req);
return true;
%}
function deliver_Svc_CreateSubscriptionRes(msg: CreateSubscription_Res): bool
%{
// Debug printf("deliver_Svc_CreateSubscriptionRes - begin\n");
// Debug printCreateSubscriptionRes(msg);
// Debug printf("deliver_Svc_CreateSubscriptionRes - end\n");
zeek::RecordValPtr info = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::OPCUA_Binary::Info);
info = assignMsgHeader(info, msg->service()->msg_body()->header());
info = assignMsgType(info, msg->service()->msg_body()->header());
info = assignResHdr(connection(), info, msg->res_hdr());
info = assignService(info, msg->service());
zeek::BifEvent::enqueue_opcua_binary_event(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
info);
zeek::RecordValPtr create_subscription_res = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::OPCUA_Binary::CreateSubscription);
// OpcUA_id
create_subscription_res->Assign(CREATE_SUB_OPCUA_LINK_ID_DST_IDX, info->GetField(OPCUA_LINK_ID_SRC_IDX));
create_subscription_res->Assign(CREATE_SUB_SUB_ID_IDX, zeek::val_mgr->Count(msg->subscription_id()));
create_subscription_res->Assign(CREATE_SUB_REV_PUB_INT_IDX, zeek::val_mgr->Count(bytestringToDouble(msg->revised_publishing_interval()->duration())));
create_subscription_res->Assign(CREATE_SUB_REV_LIFETIME_COUNT_IDX, zeek::val_mgr->Count(msg->revised_lifetime_count()));
create_subscription_res->Assign(CREATE_SUB_REV_MAX_KEEP_ALIVE_IDX, zeek::val_mgr->Count(msg->revised_max_keep_alive_count()));
zeek::BifEvent::enqueue_opcua_binary_create_subscription_event(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
create_subscription_res);
return true;
%}
}