
Splunk App for Stream: Is it possible to add my own custom protocol?

phoenixdigital
Builder

I was just digging through the Splunk App for Stream and was wondering how I could add my own custom protocol.

I was thinking of implementing a ModBus TCP protocol to detect the basics, but can't see where a protocol is defined.
https://en.wikipedia.org/wiki/Modbus#Frame_format

0 Karma

vshcherbakov_sp
Splunk Employee

Unfortunately Stream doesn't support adding custom protocol dissectors at this point.


cameronjust
Path Finder

Good to see modbus has been added to Splunk Streams 8.0

https://docs.splunk.com/Documentation/StreamApp/8.0.0/ReleaseNotes/NewFeatures

The customers I've worked with wanted to probe endpoints so I've ended up writing my own modular input.

We've also moved to Claroty for security monitoring of modbus data travelling through the network. Claroty can feed Splunk with richer alerts and analysis of "normal" traffic.

Had this been in Streams a few years ago prior to using Claroty I would have had a field day.

0 Karma

mab_cu
New Member

I was just wondering if Splunk ever revisited this? I had the same question and was considering trying to consume ModBus TCP packets. Near as I can tell from the documentation this still doesn't seem to be possible with Stream 7.1?

phoenixdigital - did you ever do any custom work in this area (workarounds) to get ModBus info into Splunk?

0 Karma

phoenixdigital
Builder

We have been using a python library for a few years now. It is pretty bullet proof but obviously needs custom code written to interact with the devices.

This is the library we use.
https://github.com/ljean/modbus-tk

We wrote a complex set of daemons which actively poll SCADA devices at regular intervals via modbusTCP.

It works but having something in Stream would be great. Primarily I wanted it from a security perspective to "catch" any unwanted modbus traffic being sent to SCADA devices.

The protocol is pretty basic so wouldn't be too hard to implement. A framework for us to add our own Stream decoders would be even better though.

0 Karma

phoenixdigital
Builder

Can I ask is there a plan to support custom protocol dissectors in the future?

I understand there are varying complexities for different protocols but something as simple as Modbus TCP could be handled by a simple configuration file describing the structure of the protocol.

Bytes 1-2 = Transaction identifier
Bytes 3-4 = Protocol Identifier
Bytes 5-6 = Length Field
Byte 7 = Unit Identifier
Byte 8 = Function Code

Those fields plus the sending and receiving IPs are all I would be interested in and would provide some valuable security information for a TCP Modbus system.

Alternatively are the sources available for Splunk Stream so we can add our own dissectors (unsupported of course).

Thanks

0 Karma
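As an added example (not code from this thread, from Splunk Stream, or from modbus-tk), here is a small Python parser for exactly the fields listed above, plus the kind of allow-list check the post is after: write function codes arriving from a host that is not expected to write get flagged. The sample payloads, IP addresses and allow-list are constructed for illustration.

```python
import struct
from typing import Optional

# Function codes that change device state, per the public Modbus spec
# (write coil/register variants). Monitoring-wise these are the ones worth
# alerting on when they come from an unexpected source host.
WRITE_FUNCTION_CODES = {5, 6, 15, 16, 22, 23}


def parse_mbap(payload: bytes) -> Optional[dict]:
    """Parse the 7-byte MBAP header plus the PDU function code.
    Returns None when the payload is not a well-formed Modbus/TCP frame."""
    if len(payload) < 8:  # header (7) + function code (1) is the minimum
        return None
    tid, pid, length, unit, fcode = struct.unpack(">HHHBB", payload[:8])
    # Protocol identifier is 0 for Modbus; the length field counts the unit
    # identifier plus the PDU, i.e. everything after the first 6 bytes.
    if pid != 0 or length != len(payload) - 6:
        return None
    return {
        "transaction_id": tid,
        "protocol_id": pid,
        "length": length,
        "unit_id": unit,
        "function_code": fcode & 0x7F,
        "exception": bool(fcode & 0x80),  # error responses set the high bit
    }


def classify(src_ip: str, payload: bytes, allowed_writers: set) -> str:
    """Verdict for one frame: 'malformed', 'unexpected-write' or 'ok'."""
    hdr = parse_mbap(payload)
    if hdr is None:
        return "malformed"
    if hdr["function_code"] in WRITE_FUNCTION_CODES and src_ip not in allowed_writers:
        return "unexpected-write"
    return "ok"


def to_event(src_ip: str, dst_ip: str, payload: bytes, allowed_writers: set) -> str:
    """Render a Splunk-friendly key=value line for the frame."""
    hdr = parse_mbap(payload) or {}
    fields = " ".join(f"{k}={v}" for k, v in hdr.items())
    verdict = classify(src_ip, payload, allowed_writers)
    return f"src={src_ip} dst={dst_ip} {fields} verdict={verdict}".replace("  ", " ")


# Constructed sample frames (not captured traffic):
READ_HOLDING = bytes.fromhex("00010000000601030000000a")   # FC 3, unit 1
WRITE_SINGLE = bytes.fromhex("000200000006110600010003")   # FC 6, unit 0x11
BAD_PROTOCOL = bytes.fromhex("00030001000601030000000a")   # protocol id 1
EXCEPTION_RESP = bytes.fromhex("000100000003018302")       # FC 3 exception
```

Feeding `to_event(...)` output to Splunk (for example from a modular input) gives you the transaction, unit and function-code fields alongside the IP pair as searchable key=value pairs.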

vshcherbakov_sp
Splunk Employee

Adding simple protocol dissectors may look trivial, but making it into a generic framework where you can describe protocol's structure, etc. is a pretty big task, not to mention integrating it with stream's existing DPI engine, making it perform well at scale, etc. We're evaluating whether the added benefits outweigh the cost, etc. so while we're definitely interested to make Stream more extensible, I cannot promise anything concrete at the moment.

0 Karma

phoenixdigital
Builder

I fully understand creating a generic framework is definitely not a trivial task. Even if it started off relatively primitive and worked towards more complex protocols it would as you say need to be integrated to Streams DPI engine.

I appreciate the response and hope to see something in the future even in its most basic forms.

I would say it will give Splunk a very competitive advantage having this feature. Which might be why you missed/ignored my comment about if the source was available 😉

0 Karma

vshcherbakov_sp
Splunk Employee

Oops, I didn't mean to ignore your question about the source code. Stream is currently not an open source product, and it's beyond my level or responsibility (aka pay grade :)) to tell whether it's going to change or not in the future..

0 Karma

phoenixdigital
Builder

That is very unfortunate. One of our engineers said that was the case but I was hoping things may have changed.

I guess the only solution would be to use something like wireshark?

0 Karma

vshcherbakov_sp
Splunk Employee

I believe wireshark supports ModBus/TCP protocol, but getting the data from wireshark to splunk may be a bit cumbersome..

0 Karma