smeetsee/docker-zeek-bacnet

Docker image for producing Zeek logs for BACnet traffic

This project builds a Docker image that adds the icsnpp-bacnet package to a Zeek installation. The image can be used to produce Zeek logs for BACnet traffic. To analyze a pcap file, run the following command:

sudo docker run -v /directory/containing/pcap:/root ghcr.io/smeetsee/docker-zeek-bacnet:main /bin/bash -c 'cd /root && zeek -r /root/bacnet.pcap /usr/local/zeek/share/zeek/site/icsnpp-bacnet/__load__.zeek'

In the command above, replace /directory/containing/pcap with the directory that contains the pcap file to be analyzed by Zeek. As written, the command reads a file named bacnet.pcap from that directory, so adjust /root/bacnet.pcap if your capture has a different name. The logs are written to the same directory as the pcap file. In particular, the following logs will be created:

  • bacnet_discovery.log records device discovery-related packets, in particular packets for the who-is and i-am services.
  • bacnet_property.log records BACnet properties read or written over the network, in particular packets for the ReadProperty, ReadPropertyMultiple and WriteProperty services.
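As an added example (not part of this project's code), the script below reads a bacnet_property.log in Zeek's tab-separated layout and counts WriteProperty records per source address, which is a quick way to review who is changing BACnet properties. The column names pdu_service and id.orig_h, the service value spellings, and the sample log are assumptions constructed for illustration; check them against the #fields line of your own log.

```python
from collections import Counter

def _row(*cols):
    return "\t".join(cols)

# Constructed sample in Zeek's TSV log layout. Column names and values are
# assumptions for illustration, not copied from real icsnpp-bacnet output.
SAMPLE_LOG = "\n".join([
    "#separator \\x09",
    _row("#path", "bacnet_property"),
    _row("#fields", "ts", "uid", "id.orig_h", "id.resp_h", "pdu_service", "property", "value"),
    _row("#types", "time", "string", "addr", "addr", "string", "string", "string"),
    _row("1700000000.1", "C1", "10.0.0.5", "10.0.0.20", "read-property-request", "present-value", "-"),
    _row("1700000001.2", "C2", "10.0.0.9", "10.0.0.20", "write-property-request", "present-value", "72.0"),
    _row("1700000002.3", "C2", "10.0.0.9", "10.0.0.21", "write-property-request", "present-value", "1"),
    _row("1700000003.4", "C1", "10.0.0.5", "10.0.0.20", "read-property-multiple-request", "object-name", "-"),
    _row("#close", "2023-11-14-22-13-24"),
]) + "\n"

def read_zeek_tsv(lines):
    """Yield one dict per record, taking column names from the #fields header."""
    fields = None
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("record found before the #fields header")
            values = line.split("\t")
            if len(values) != len(fields):
                raise ValueError("column count does not match #fields: %r" % line)
            yield dict(zip(fields, values))

def write_property_sources(lines, service_field="pdu_service", src_field="id.orig_h"):
    """Count WriteProperty records per source address (field names are assumed)."""
    counts = Counter()
    for rec in read_zeek_tsv(lines):
        # Normalise spelling so "write-property-request" and "WriteProperty" both match.
        service = rec.get(service_field, "").lower().replace("-", "").replace("_", "")
        if service.startswith("writeproperty"):
            counts[rec.get(src_field, "-")] += 1
    return counts

if __name__ == "__main__":
    # For a real run, pass open("bacnet_property.log") instead of the sample.
    for src, n in write_property_sources(SAMPLE_LOG.splitlines()).most_common():
        print(src, n)
```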
