I was just digging through the Splunk App for Stream and was wondering how I could add my own custom protocol.
I was thinking of implementing a ModBus TCP protocol to detect the basics, but can't see where a protocol is defined.
https://en.wikipedia.org/wiki/Modbus#Frame_format
Unfortunately Stream doesn't support adding custom protocol dissectors at this point.
Unfortunately Stream doesn't support adding custom protocol dissectors at this point.
Good to see modbus has been added to Splunk Streams 8.0
https://docs.splunk.com/Documentation/StreamApp/8.0.0/ReleaseNotes/NewFeatures
The customers I've worked with wanted to probe endpoints so I've ended up writing my own modular input.
We've also moved to Claroty for security monitoring of modbus data travelling through the network. Claroty can feed Splunk with richer alerts and analysis of "normal" traffic.
Had this been in Streams a few years ago prior to using Claroty I would have had a field day.
I was just wondering if Splunk ever revisited this? I had the same question and was considering trying to consume ModBus TCP packets. Near as I can tell from the documentation this still doesn't seem to be possible with Stream 7.1?
phoenixdigital - did you ever do any custom work in this area (workarounds) to get ModBus info into Splunk?
There are a number of options for this.
https://www.splunk.com/blog/2014/10/22/shining-a-light-on-industrial-data.html
https://www.kepware.com/en-us/products/kepserverex/advanced-plug-ins/industrial-data-forwarder-splun...
https://www.kepware.com/getattachment/8e1a5604-6011-4ea5-a2c2-f53cfb79ae47/idf-for-splunk-datasheet....
https://splunkbase.splunk.com/app/3922/
https://splunkbase.splunk.com/app/3963/
We have been using a python library for a few years now. It is pretty bullet proof but obviously needs custom code written to interract with the devices.
This is the library we use.
https://github.com/ljean/modbus-tk
We wrote a complex set of daemons which actively poll SCADA devices at regular intervals via modbusTCP.
It works but having something in Stream would be great. Primarily I wanted it from a security perspective to "catch" any unwanted modbus traffic being sent to SCADA devices.
The protocol is pretty basic so wouldn't be too hard to implement. A framework for us to add our own Stream decoders would be even better though.
Can I ask is there a plan to support custom protocol dissectors in the future?
I understand there are varying complexities for different protocols but something as simple as Modbus TCP could be handled by a simple configuration file describing the structure of the protocol.
Bytes 1-2 = Transaction identifier
Bytes 3-4 = Protocol Identifier
Bytes 5-6 = Length Field
Byte 7 = Unit Identifier
Byte 8 = Function Code
Those fields plus the sending and receiving IPs are all I would be interested in and would provide some valuable security information for a TCP Modbus system.
Alternatively are the sources available for Splunk Stream so we can add our own dissectors (unsupported of course).
Thanks
Adding simple protocol dissectors may look trivial, but making it into a generic framework where you can describe protocol's structure, etc. is a pretty big task, not to mention integrating it with stream's existing DPI engine, making it perform well at scale, etc. We're evaluating whether the added benefits outweigh the cost, etc. so while we're definitely interested to make Stream more extensible, I cannot promise anything concrete at the moment.
I fully understand creating a generic framework is definitely not a trivial task. Even if it started off relatively primitive and worked towards more complex protocols it would as you say need to be integrated to Streams DPI engine.
I appreciate the response and hope to see something in the future even in it's most basic forms.
I would say it will give Splunk a very competitive advantage having this feature. Which might be why you missed/ignored my comment about if the source was available 😉
Oops, I didn't mean to ignore your question about the source code. Stream is currently not an open source product, and it's beyond my level or responsibility (aka pay grade :)) to tell whether it's going to change or not in the future..
That is very unfortunate. One of our engineers said that was the case but I was hoping things may have changed.
I guess the only solution would be to use something like wireshark?
I believe wireshark supports ModBus/TCP protocol, but getting the data from wireshark to splunk may be a bit cumbersome..