Skip to content

DINA-community/icsnpp-cotp

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

20 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

ICSNPP-COTP

Industrial Control Systems Network Protocol Parsers (ICSNPP) - Connection-Oriented Transport Protocol (COTP)

Overview

This plugin provides a protocol analyzer for the OSI Connection-Oriented Transport Protocol (COTP) (ISO 8073 / X.224) for use within Zeek.

Dependencies

COTP is dependent on TPKT, which must also be installed. In addition, zeek must support spicy.

Installation

This script is available as a package for Zeek Package Manager.

zkg refresh
zkg install cotp

If this package is installed from ZKG, it will be added to the available plugins. This can be tested by running zeek -NN. If installed correctly, users will see ANALYZER_COTP under the list of plugins.

If users have ZKG configured to load packages (see @load packages in the( ZKG Quickstart Guide), this plugin and these scripts will automatically be loaded and ready to go.)

Logging

One dataset is logged for each cotp connection containing the following fields.

Field Type Description
ts_start time Timestamp of the first pdu
ts_end time Timestamp of the last pdu
uid string Unique ID for this connection
orig_h address Source IP address
orig_p port Source port
resp_h address Destination IP address
resp_p port Destination port
calling_tsap string Calling transport service access point (tsap)
called_tsap string Called transport service access point (tsap)
class count Class
has_connect bool True if the connection request pdu was seen else false
has_disconnect bool True if the disconnect request pdu was seen else false
data_pkts count Total number of pdus
data_bytes count Total number of payload bytes
error bool True if an error pdu was received else false
reject_cause bool cause if the error; only valid if error is true

Limitations

Payload extraction is only supported for class 0. Higher layers are therefore only called when class 0 is used.

License

The software was developed on behalf of the BSI (Federal Office for Information Security)

Copyright (c) 2025-2026 by DINA-Community BSD 3-Clause. See License

About

Zeek plugin for Connection Oriented Transport Protocol (COTP) specified by ISO 8073

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

 
 
 

Contributors