There is a Profinet plugin: https://github.com/amzn/zeek-plugin-profinet
At first glance, it does not seem to reassemble connections. However, it
might be worth a look. For RPC there is also a Portmap analyzer:
Again, I don't know how it works, but it might be related.
On 01/12/2020 04:12, Brett D. Rasmussen via zeek wrote:
> I'm currently developing a Zeek plugin that parses the Profinet_IO_CM
> protocol traffic.
> The PROFINET_IO_CM protocol is transported within a DCE/RPC protocol
> The DCE/RPC protocol is transported within a UDP packet.
> I've run into a problem, when Zeek is trying to detect UDP based DCE/RPC
> Zeek can correctly recognize "normal" UDP based client/server connections.
> (e.g. from a DNS client to a DNS server)
> but, it runs into problems when parsing the UDP based PROFINET_IO_CM
> I've attached a detailed write-up (.txt) document that describes the
> nature of the problem
> (along with a proposed solution)
> -and- a small .pcapng file that contains actual PROFINET_IO_CM protocol
> Any ideas on how to resolve this issue?
> It seems like a "Zeek source code change" will be required, to correct
> this issue?
> Brett Rasmussen
> Cyber Security Researcher
> Supporting the DHS CIOCC Advanced Analytical Lab
> Phone: (208) 526-5486
> Fax: (208) 526-6173
> Email: Brett.Rasmussen(a)inl.gov