Hi there, I'm using Malcolm in an environment where modbus traffic occurs, and a modbus.log and a modbus_detailed.log file are created for this traffic. In both log files the uid field has the same value, but I can't find this value in the conn.log files. It seems like this tcp connection is never recorded in the conn.log. Therefore I captured some of the modbus traffic and analyzed it with the zeek:7.1 docker container, which created a conn.log and a modbus.log file. There I could find the modbus connection in both log files. So I'm wondering, is there a bug in Malcolm? Is the connection not recorded because the modbus session is long-lived and the handshake or the disconnection is not recorded? What do you think is happening here? Greetings
Replies: 2 comments
My guess is you're right about the long connections thing being the reason it doesn't show up in the conn.log yet. What version of Malcolm are you using? In v25.02.0 we added "include corelight/zeek-long-connections plugin to log long connections (#585)".
Hi,
it might be a problem with this specific instance of Malcolm. I tested the situation on another instance and there the conn.log entries appeared. Though I could observe that sometimes the field 'network.protocol' was set to modbus and sometimes it was just empty (-).
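As an added example (not code from Malcolm, Zeek or any of the posters), a small Python check for the two observations above: it parses Zeek TSV logs, lists modbus.log uids that have no conn.log row, and lists conn.log rows for modbus uids whose service field is still Zeek's unset marker '-'. The log lines are constructed for the example and the uids are placeholders.

```python
"""Cross-check Zeek uids between modbus.log and conn.log (added example)."""

UNSET = "-"  # Zeek writes '-' for an unset field


def parse_zeek_tsv(text):
    """Parse Zeek's tab-separated log format. Lines starting with '#' are
    metadata; the '#fields' line names the columns. Returns a list of dicts."""
    fields, rows = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#fields"):
                fields = line.split("\t")[1:]
            continue
        if fields is None:
            raise ValueError("data row before #fields header")
        rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def uids_missing_from_conn(modbus_text, conn_text):
    """uids seen in modbus.log with no conn.log entry (yet). A long-lived
    session only gets its conn.log row when it ends, unless a plugin such as
    zeek-long-connections logs it earlier."""
    modbus_uids = {r["uid"] for r in parse_zeek_tsv(modbus_text)}
    conn_uids = {r["uid"] for r in parse_zeek_tsv(conn_text)}
    return sorted(modbus_uids - conn_uids)


def conn_rows_without_service(modbus_text, conn_text):
    """uids that have a modbus.log row and a conn.log row, but whose conn.log
    service field is unset ('-') instead of 'modbus'."""
    modbus_uids = {r["uid"] for r in parse_zeek_tsv(modbus_text)}
    return sorted(r["uid"] for r in parse_zeek_tsv(conn_text)
                  if r["uid"] in modbus_uids and r.get("service", UNSET) == UNSET)


# Constructed sample logs (not real captures); uids are placeholders.
MODBUS_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tfunc",
    "1700000000.000\tCAbc123\t10.0.0.5\t50000\t10.0.0.10\t502\tREAD_HOLDING_REGISTERS",
    "1700000001.000\tCDef456\t10.0.0.6\t50001\t10.0.0.10\t502\tWRITE_SINGLE_COIL",
    "1700000002.000\tCGhi789\t10.0.0.7\t50002\t10.0.0.10\t502\tREAD_COILS",
])
CONN_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice",
    "1700000003.000\tCDef456\t10.0.0.6\t50001\t10.0.0.10\t502\ttcp\tmodbus",
    "1700000004.000\tCGhi789\t10.0.0.7\t50002\t10.0.0.10\t502\ttcp\t-",
])

if __name__ == "__main__":
    print("no conn.log row:", uids_missing_from_conn(MODBUS_LOG, CONN_LOG))
    print("service unset:", conn_rows_without_service(MODBUS_LOG, CONN_LOG))
```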