Docker image for producing Zeek logs for BACnet traffic

This project builds a Docker image which adds the icsnpp-bacnet package to a Zeek installation. This image can be used to obtain logs for BACnet traffic. A pcap file can be analyzed using the following command:

sudo docker run -v /directory/containing/pcap:/root ghcr.io/smeetsee/docker-zeek-bacnet:main /bin/bash -c 'cd /root && zeek -r /root/bacnet.pcap /usr/local/zeek/share/zeek/site/icsnpp-bacnet/__load__.zeek'

In the command above, /directory/containing/pcap should be replaced by the directory that contains the pcap file to be analyzed by Zeek. Because Zeek writes its logs to the current working directory (here /root, which is the mounted host directory), the logs end up next to the pcap file. In particular, the following logs will be created:

  • bacnet_discovery.log contains entries for device discovery-related packets, specifically the who-is and i-am services.
  • bacnet_property.log contains entries for BACnet properties read or written over the network, specifically the ReadProperty, ReadPropertyMultiple and WriteProperty services.
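As an added example (not part of this repository), a small Python script that reads a bacnet_property.log produced by the command above and flags WriteProperty requests from hosts that are not on an allow-list of known controllers. The column names, service strings and sample records are constructed assumptions about the icsnpp-bacnet log layout, so compare them with the #fields line of your own log before relying on the output.

```python
"""Triage helper for the Zeek bacnet_property.log produced by the image above.

Zeek logs are tab-separated, carry a '#fields' header naming the columns and
use '-' for unset and '(empty)' for empty values; the parser follows those
conventions. Column names below are assumed, not copied from icsnpp-bacnet.
"""
import sys
from collections import Counter

# Constructed sample log (not real capture data); 198.51.100.7 is an unknown host.
SAMPLE_LOG = """#separator \\x09
#unset_field\t-
#empty_field\t(empty)
#path\tbacnet_property
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tpdu_service\tobject_type\tinstance_number\tproperty\tvalue
#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tcount\tstring\tstring
1700000000.000000\tCabc1\t192.0.2.10\t47808\t192.0.2.20\t47808\tReadProperty\tanalog_input\t1\tpresent_value\t-
1700000001.000000\tCabc2\t192.0.2.10\t47808\t192.0.2.20\t47808\tReadPropertyMultiple\tdevice\t20\tobject_list\t-
1700000002.000000\tCabc3\t198.51.100.7\t47808\t192.0.2.20\t47808\tWriteProperty\tanalog_output\t3\tpresent_value\t72.5
#close\t2023-11-14-22-13-22
"""


def parse_zeek_log(text):
    """Yield one dict per record, keyed by the names given on the #fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line:
            continue  # other header lines, #close trailer, blank lines
        else:
            if fields is None:
                raise ValueError("data line seen before #fields header")
            values = line.split("\t")
            yield {name: None if v == "-" else "" if v == "(empty)" else v
                   for name, v in zip(fields, values)}


def summarise(records, write_allowlist=frozenset()):
    """Count (client, service) pairs and collect writes from non-allow-listed hosts."""
    per_client = Counter()
    unexpected_writes = []
    for r in records:
        per_client[(r["id.orig_h"], r["pdu_service"])] += 1
        if r["pdu_service"] == "WriteProperty" and r["id.orig_h"] not in write_allowlist:
            unexpected_writes.append(r)
    return per_client, unexpected_writes


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    counts, writes = summarise(parse_zeek_log(text), {"192.0.2.10"})
    for (host, svc), n in sorted(counts.items()):
        print(f"{host:16} {svc:24} {n}")
    for w in writes:
        print(f"unexpected write from {w['id.orig_h']}: {w['object_type']}/{w['instance_number']} {w['property']}={w['value']}")
```

Run it as `python3 triage.py /directory/containing/pcap/bacnet_property.log`; without an argument it processes the embedded sample.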