├── .DS_Store ├── .gitattributes ├── Additional Captures ├── 4SICS-GeekLounge-151020 │ ├── .state │ │ └── state.bst │ ├── 4SICS-GeekLounge-151020.pcap │ ├── conn.log │ ├── dns.log │ ├── packet_filter.log │ └── weird.log ├── 4SICS-GeekLounge-151021 │ ├── .state │ │ └── state.bst │ ├── 4SICS-GeekLounge-151021.pcap │ ├── conn.log │ ├── dns.log │ ├── dpd.log │ ├── files.log │ ├── http.log │ ├── modbus.log │ ├── packet_filter.log │ ├── reporter.log │ ├── ssh.log │ ├── ssl.log │ ├── weird.log │ └── x509.log ├── 4SICS-GeekLounge-151022 │ ├── .state │ │ └── state.bst │ ├── 4SICS-GeekLounge-151022.pcap │ ├── conn.log │ ├── dhcp.log │ ├── dnp3.log │ ├── dns.log │ ├── dpd.log │ ├── files.log │ ├── ftp.log │ ├── http.log │ ├── modbus.log │ ├── packet_filter.log │ ├── reporter.log │ ├── snmp.log │ ├── ssh.log │ ├── ssl.log │ ├── weird.log │ └── x509.log └── 4sics.txt ├── AdditionalNotes.txt ├── BACNET ├── BACnet-BBMD-on-same-subnet │ ├── .state │ │ └── state.bst │ ├── BACnet-BBMD-on-same-subnet.pcap │ ├── conn.log │ └── packet_filter.log ├── BACnet-MSTP-SNAP-Mixed │ ├── .state │ │ └── state.bst │ ├── BACnet-MSTP-SNAP-Mixed.pcap │ ├── conn.log │ ├── packet_filter.log │ └── weird.log ├── BACnet-discover-enumerate.nse ├── BACnet-exception-schedule-property-1 │ ├── .state │ │ └── state.bst │ ├── BACnet-exception-schedule-property-1.pcapng │ ├── conn.log │ └── packet_filter.log ├── BACnet-exception-schedule-property-2 │ ├── .state │ │ └── state.bst │ ├── BACnet-exception-schedule-property-2.pcapng │ ├── conn.log │ └── packet_filter.log ├── BACnetARRAY-element-0 │ ├── .state │ │ └── state.bst │ ├── BACnetARRAY-element-0.pcap │ ├── conn.log │ └── packet_filter.log ├── BACnetARRAY-elements │ ├── .state │ │ └── state.bst │ ├── BACnetARRAY-elements.pcap │ ├── conn.log │ └── packet_filter.log ├── BACnetDeviceObjectReference │ ├── .state │ │ └── state.bst │ ├── BACnetDeviceObjectReference.pcap │ ├── conn.log │ └── packet_filter.log ├── BACnetIP-MSTP-Mix │ ├── .state │ │ └── state.bst │ ├── 
BACnetIP-MSTP-Mix.pcap │ ├── conn.log │ ├── packet_filter.log │ └── weird.log ├── BACnetL_SchedRPM │ ├── .state │ │ └── state.bst │ ├── BACnetL_SchedRPM.pcapng │ ├── conn.log │ └── packet_filter.log ├── cimetrics_mstp │ ├── .state │ │ └── state.bst │ ├── cimetrics_mstp.pcap │ ├── packet_filter.log │ └── weird.log └── mstp_wtap │ └── mstp_wtap.pcap ├── CODESYS ├── codesys-v2-discover.nse └── notes.txt ├── DNP3 ├── .DS_Store ├── DNP3-Malformed │ ├── .state │ │ └── state.bst │ ├── DNP3-Malformed.pcap │ ├── conn.log │ ├── dnp3.log │ ├── packet_filter.log │ └── weird.log ├── DNP3-Read │ ├── .state │ │ └── state.bst │ ├── DNP3-Read.pcap │ ├── conn.log │ ├── dnp3.log │ └── packet_filter.log ├── DNP3-ReadRequest │ ├── .state │ │ └── state.bst │ ├── DNP3-ReadRequest.pcap │ ├── conn.log │ └── packet_filter.log ├── DNP3-RequestLink │ ├── .state │ │ └── state.bst │ ├── DNP3-RequestLink.pcap │ ├── conn.log │ └── packet_filter.log ├── DNP3-RequestLinkStatus │ ├── .state │ │ └── state.bst │ ├── DNP3-RequestLinkStatus.pcap │ ├── conn.log │ └── packet_filter.log ├── DNP3-SelectOperate │ ├── .state │ │ └── state.bst │ ├── DNP3-SelectOperate.pcap │ ├── conn.log │ ├── dnp3.log │ └── packet_filter.log ├── DNP3-SelectOperateRequest │ ├── .state │ │ └── state.bst │ ├── DNP3-SelectOperateRequest.pcap │ ├── conn.log │ └── packet_filter.log ├── DNP3-TestDataPart1 │ ├── .state │ │ └── state.bst │ ├── DNP3-TestDataPart1.pcap │ ├── conn.log │ ├── dnp3.log │ ├── packet_filter.log │ └── weird.log ├── DNP3-TestDataPart2 │ ├── .state │ │ └── state.bst │ ├── DNP3-TestDataPart2.pcap │ ├── conn.log │ ├── dnp3.log │ └── packet_filter.log ├── DNP3-Write │ ├── .state │ │ └── state.bst │ ├── DNP3-Write.pcap │ ├── conn.log │ ├── dnp3.log │ └── packet_filter.log ├── DNP3-WriteRequest │ ├── .state │ │ └── state.bst │ ├── DNP3-WriteRequest.pcap │ ├── conn.log │ └── packet_filter.log ├── digitalbond pcaps │ ├── dnp3_test_data_part1 │ │ ├── .state │ │ │ └── state.bst │ │ ├── conn.log │ │ ├── dnp3.log │ │ ├── 
dnp3_test_data_part1.pcap │ │ ├── packet_filter.log │ │ └── weird.log │ └── dnp3_test_data_part2 │ │ ├── .state │ │ └── state.bst │ │ ├── conn.log │ │ ├── dnp3.log │ │ ├── dnp3_test_data_part2.pcap │ │ └── packet_filter.log └── dnp3-info.nse ├── EIP ├── EIP-ChangeDateAttempt │ ├── .state │ │ └── state.bst │ ├── EIP-ChangeDateAttempt.pcap │ ├── conn.log │ ├── packet_filter.log │ └── weird.log ├── EIP-ChangePortConfigurationAttempt │ ├── .state │ │ └── state.bst │ ├── EIP-ChangePortConfigurationAttempt.pcap │ ├── conn.log │ ├── packet_filter.log │ └── weird.log ├── EIP-ChangeTimeAttempt │ ├── .state │ │ └── state.bst │ ├── EIP-ChangeTimeAttempt.pcap │ ├── conn.log │ ├── packet_filter.log │ └── weird.log ├── EIP-ControlProtocolChangeAttempt │ ├── .state │ │ └── state.bst │ ├── EIP-ControlProtocolChangeAttempt.pcap │ ├── conn.log │ ├── dns.log │ ├── packet_filter.log │ └── weird.log ├── EIP-FirmwareChange │ ├── .state │ │ └── state.bst │ ├── EIP-FirmwareChange.pcap │ ├── conn.log │ ├── packet_filter.log │ └── weird.log ├── EIP-FirmwareChangeFailure │ ├── .state │ │ └── state.bst │ ├── EIP-FirmwareChangeFailure.pcap │ ├── conn.log │ ├── packet_filter.log │ └── weird.log ├── EIP-IPAddressChangeAttempt │ ├── .state │ │ └── state.bst │ ├── EIP-IPAddressChangeAttempt.pcap │ ├── conn.log │ ├── dhcp.log │ ├── dns.log │ ├── dpd.log │ ├── packet_filter.log │ └── weird.log ├── EIP-LockPLCAttempt │ ├── .state │ │ └── state.bst │ ├── EIP-LockPLCAttempt.pcap │ ├── conn.log │ ├── packet_filter.log │ └── weird.log ├── EIP-RebootorRestart │ ├── .state │ │ └── state.bst │ ├── EIP-RebootorRestart.pcap │ ├── conn.log │ ├── packet_filter.log │ └── weird.log ├── EIP-RemoteModeChangeAttempt │ ├── .state │ │ └── state.bst │ ├── EIP-RemoteModeChangeAttempt.pcap │ ├── conn.log │ ├── dns.log │ ├── packet_filter.log │ └── weird.log ├── EIP-SoftwareDownload │ ├── .state │ │ └── state.bst │ ├── EIP-SoftwareDownload.pcap │ ├── conn.log │ ├── packet_filter.log │ └── weird.log ├── 
EIP-SoftwareDownloadFailure │ ├── .state │ │ └── state.bst │ ├── EIP-SoftwareDownloadFailure.pcap │ ├── packet_filter.log │ └── weird.log ├── EIP-SoftwareUpload │ ├── .state │ │ └── state.bst │ ├── EIP-SoftwareUpload.pcap │ ├── conn.log │ ├── packet_filter.log │ └── weird.log ├── EIP-SoftwareUploadFailure │ ├── .state │ │ └── state.bst │ ├── EIP-SoftwareUploadFailure.pcap │ ├── conn.log │ ├── dns.log │ ├── packet_filter.log │ └── weird.log ├── EIP-UnlockPLCAttempt │ ├── .state │ │ └── state.bst │ ├── EIP-UnlockPLCAttempt.pcap │ ├── conn.log │ ├── packet_filter.log │ └── weird.log └── EIP-ViewDeviceStatus │ ├── .state │ └── state.bst │ ├── EIP-ViewDeviceStatus.pcap │ ├── conn.log │ ├── dnp3.log │ └── packet_filter.log ├── ETHERCAT └── ethercat │ ├── .state │ └── state.bst │ ├── conn.log │ ├── ethercat.pcap │ ├── packet_filter.log │ └── weird.log ├── ETHERNET_IP ├── .DS_Store ├── digitalbond pcaps │ ├── CL5000EIP-Change-Date-Attempt │ │ ├── .state │ │ │ └── state.bst │ │ ├── CL5000EIP-Change-Date-Attempt.pcap │ │ ├── conn.log │ │ ├── packet_filter.log │ │ └── weird.log │ ├── CL5000EIP-Change-Port-Configuration-Attempt │ │ ├── .state │ │ │ └── state.bst │ │ ├── CL5000EIP-Change-Port-Configuration-Attempt.pcap │ │ ├── conn.log │ │ ├── packet_filter.log │ │ └── weird.log │ ├── CL5000EIP-Change-Time-Attempt │ │ ├── .state │ │ │ └── state.bst │ │ ├── CL5000EIP-Change-Time-Attempt.pcap │ │ ├── conn.log │ │ ├── packet_filter.log │ │ └── weird.log │ ├── CL5000EIP-Control-Protocol-Change-Attempt │ │ ├── .state │ │ │ └── state.bst │ │ ├── CL5000EIP-Control-Protocol-Change-Attempt.pcap │ │ ├── conn.log │ │ ├── dns.log │ │ ├── packet_filter.log │ │ └── weird.log │ ├── CL5000EIP-Firmware-Change-Failure │ │ ├── .state │ │ │ └── state.bst │ │ ├── CL5000EIP-Firmware-Change-Failure.pcap │ │ ├── conn.log │ │ ├── packet_filter.log │ │ └── weird.log │ ├── CL5000EIP-Firmware-Change │ │ ├── .state │ │ │ └── state.bst │ │ ├── CL5000EIP-Firmware-Change.pcap │ │ ├── conn.log │ │ ├── 
packet_filter.log │ │ └── weird.log │ ├── CL5000EIP-IP-Address-Change-Attempt │ │ ├── .state │ │ │ └── state.bst │ │ ├── CL5000EIP-IP-Address-Change-Attempt.pcap │ │ ├── conn.log │ │ ├── dhcp.log │ │ ├── dns.log │ │ ├── dpd.log │ │ ├── packet_filter.log │ │ └── weird.log │ ├── CL5000EIP-Lock-PLC-Attempt │ │ ├── .state │ │ │ └── state.bst │ │ ├── CL5000EIP-Lock-PLC-Attempt.pcap │ │ ├── conn.log │ │ ├── packet_filter.log │ │ └── weird.log │ ├── CL5000EIP-Reboot-or-Restart │ │ ├── .state │ │ │ └── state.bst │ │ ├── CL5000EIP-Reboot-or-Restart.pcap │ │ ├── conn.log │ │ ├── packet_filter.log │ │ └── weird.log │ ├── CL5000EIP-Remote-Mode-Change-Attempt │ │ ├── .state │ │ │ └── state.bst │ │ ├── CL5000EIP-Remote-Mode-Change-Attempt.pcap │ │ ├── conn.log │ │ ├── dns.log │ │ ├── packet_filter.log │ │ └── weird.log │ ├── CL5000EIP-Software-Download-Failure │ │ ├── .state │ │ │ └── state.bst │ │ ├── CL5000EIP-Software-Download-Failure.pcap │ │ ├── packet_filter.log │ │ └── weird.log │ ├── CL5000EIP-Software-Download │ │ ├── .state │ │ │ └── state.bst │ │ ├── CL5000EIP-Software-Download.pcap │ │ ├── conn.log │ │ ├── packet_filter.log │ │ └── weird.log │ ├── CL5000EIP-Software-Upload-Failure │ │ ├── .state │ │ │ └── state.bst │ │ ├── CL5000EIP-Software-Upload-Failure.pcap │ │ ├── conn.log │ │ ├── dns.log │ │ ├── packet_filter.log │ │ └── weird.log │ ├── CL5000EIP-Software-Upload │ │ ├── .state │ │ │ └── state.bst │ │ ├── CL5000EIP-Software-Upload.pcap │ │ ├── conn.log │ │ ├── packet_filter.log │ │ └── weird.log │ ├── CL5000EIP-Unlock-PLC-Attempt │ │ ├── .state │ │ │ └── state.bst │ │ ├── CL5000EIP-Unlock-PLC-Attempt.pcap │ │ ├── conn.log │ │ ├── packet_filter.log │ │ └── weird.log │ └── CL5000EIP-View-Device-Status │ │ ├── .state │ │ └── state.bst │ │ ├── CL5000EIP-View-Device-Status.pcap │ │ ├── conn.log │ │ ├── dnp3.log │ │ └── packet_filter.log ├── enip-enumerate.nse ├── mb │ ├── .state │ │ └── state.bst │ ├── conn.log │ ├── dns.log │ ├── mb.pcap │ ├── modbus.log │ ├── 
packet_filter.log │ └── weird.log ├── talabor1_1 │ ├── .state │ │ └── state.bst │ ├── conn.log │ ├── dns.log │ ├── packet_filter.log │ ├── talabor1_1.pcap │ └── weird.log └── talabor1_2_2 │ ├── .state │ └── state.bst │ ├── conn.log │ ├── packet_filter.log │ ├── snmp.log │ ├── talabor1_2_2.pcap │ └── weird.log ├── ETHERSBUS └── sbus │ ├── .state │ └── state.bst │ ├── conn.log │ ├── packet_filter.log │ ├── sbus.pcap │ └── weird.log ├── ETHERSIO ├── .DS_Store └── Ether-S-IO_traffic_01 │ ├── .state │ └── state.bst │ ├── Ether-S-IO_traffic_01.pcap │ ├── conn.log │ └── packet_filter.log ├── FINS (OMRON) ├── notes.txt ├── omron │ ├── .state │ │ └── state.bst │ ├── conn.log │ ├── omron.pcap │ └── packet_filter.log ├── omrontcp-info.nse └── omronudp-info.nse ├── GE-SRTP └── Notes.txt ├── HART IP └── hart_ip │ ├── .state │ └── state.bst │ ├── conn.log │ ├── hart_ip.pcap │ └── packet_filter.log ├── IEC 60870 ├── IEC104_SQ │ ├── .state │ │ └── state.bst │ ├── IEC104_SQ.pcapng │ ├── conn.log │ └── packet_filter.log ├── iec104 │ ├── .state │ │ └── state.bst │ ├── conn.log │ ├── iec104.pcap │ └── packet_filter.log └── notes.txt ├── MODBUS ├── .DS_Store ├── MODBUS-TestDataPart1 │ ├── .state │ │ └── state.bst │ ├── MODBUS-TestDataPart1.pcap │ ├── conn.log │ ├── modbus.log │ └── packet_filter.log ├── MODBUS-TestDataPart2 │ ├── .state │ │ └── state.bst │ ├── MODBUS-TestDataPart2.pcap │ ├── conn.log │ ├── modbus.log │ ├── packet_filter.log │ └── weird.log ├── Modbus │ ├── .state │ │ └── state.bst │ ├── Modbus.pcap │ ├── conn.log │ ├── modbus.log │ └── packet_filter.log └── digitalbond pcaps │ ├── modbus_test_data_part1 │ ├── .state │ │ └── state.bst │ ├── conn.log │ ├── modbus.log │ ├── modbus_test_data_part1.pcap │ └── packet_filter.log │ └── modbus_test_data_part2 │ ├── .state │ └── state.bst │ ├── conn.log │ ├── modbus.log │ ├── modbus_test_data_part2.pcap │ ├── packet_filter.log │ └── weird.log ├── PC WORX ├── notes.txt └── pcworx-info.nse ├── POWERLINK └── epl │ ├── .state │ └── 
state.bst │ ├── epl.pcap │ ├── packet_filter.log │ └── weird.log ├── PROCONOS ├── notes.txt └── proconos-info.nse ├── README.md ├── Red Lion (Crimson v3) ├── cr3.lua └── notes.txt ├── S7 ├── 1-S7comm-VarService-Read-DB1DBD0 │ ├── .state │ │ └── state.bst │ ├── 1-S7comm-VarService-Read-DB1DBD0.pcap │ ├── conn.log │ └── packet_filter.log ├── 2-S7comm-VarService-CyclicData-1s │ ├── .state │ │ └── state.bst │ ├── 2-S7comm-VarService-CyclicData-1s.pcap │ ├── conn.log │ └── packet_filter.log ├── 3-S7comm-VAT_MB100_MW200_MD300_M400-0 │ ├── .state │ │ └── state.bst │ ├── 3-S7comm-VAT_MB100_MW200_MD300_M400-0.pcap │ ├── conn.log │ └── packet_filter.log ├── 4-S7comm-Download-DB1-with-password-request │ ├── .state │ │ └── state.bst │ ├── 4-S7comm-Download-DB1-with-password-request.pcap │ ├── conn.log │ └── packet_filter.log ├── S7-1200-Uploading-OB1-TIAV12 │ ├── .state │ │ └── state.bst │ ├── S7-1200-Uploading-OB1-TIAV12.pcap │ ├── conn.log │ └── packet_filter.log ├── S7-1511-opc-request-all-types │ ├── .state │ │ └── state.bst │ ├── S7-1511-opc-request-all-types.pcap │ ├── conn.log │ └── packet_filter.log ├── S7-1511_db2_var1_HMI │ ├── .state │ │ └── state.bst │ ├── S7-1511_db2_var1_HMI.pcap │ ├── conn.log │ └── packet_filter.log ├── S7-1511_db3_var1_HMI │ ├── .state │ │ └── state.bst │ ├── S7-1511_db3_var1_HMI.pcap │ ├── conn.log │ └── packet_filter.log ├── S7-1511_db6w0_HMI │ ├── .state │ │ └── state.bst │ ├── S7-1511_db6w0_HMI.pcap │ ├── conn.log │ └── packet_filter.log ├── V13_1200_TP1200sim_MW100_Int_SPS_5s_MW102_Int_SPS_10s_MW102_ab_1000_Timer_sync │ ├── .state │ │ └── state.bst │ ├── V13_1200_TP1200sim_MW100_Int_SPS_5s_MW102_Int_SPS_10s_MW102_ab_1000_Timer_sync.pcapng │ ├── conn.log │ └── packet_filter.log ├── V13_1200_TP1200sim_MW100_Int_SPS_5s_MW102_Int_SPS_10s_MW102_ab_1000_Timer_sync_FehlerbeiMW100 │ ├── .state │ │ └── state.bst │ ├── V13_1200_TP1200sim_MW100_Int_SPS_5s_MW102_Int_SPS_10s_MW102_ab_1000_Timer_sync_FehlerbeiMW100.pcapng │ ├── conn.log │ └── 
packet_filter.log ├── s7-1200-hmi │ ├── .state │ │ └── state.bst │ ├── conn.log │ ├── packet_filter.log │ └── s7-1200-hmi.pcap ├── s7-enumerate.nse ├── s7comm_downloading_block_db1 │ ├── .state │ │ └── state.bst │ ├── conn.log │ ├── packet_filter.log │ └── s7comm_downloading_block_db1.pcap ├── s7comm_program_blocklist_onlineview │ ├── .state │ │ └── state.bst │ ├── conn.log │ ├── packet_filter.log │ └── s7comm_program_blocklist_onlineview.pcap ├── s7comm_reading_plc_status │ ├── .state │ │ └── state.bst │ ├── conn.log │ ├── packet_filter.log │ └── s7comm_reading_plc_status.pcap ├── s7comm_reading_setting_plc_time │ ├── .state │ │ └── state.bst │ ├── conn.log │ ├── packet_filter.log │ └── s7comm_reading_setting_plc_time.pcap ├── s7comm_varservice_libnodavedemo │ ├── .state │ │ └── state.bst │ ├── conn.log │ ├── packet_filter.log │ └── s7comm_varservice_libnodavedemo.pcap └── s7comm_varservice_libnodavedemo_bench │ ├── .state │ └── state.bst │ ├── conn.log │ ├── packet_filter.log │ └── s7comm_varservice_libnodavedemo_bench.pcap └── TRIDIUM ├── .DS_Store ├── plugfest-tridium-1 ├── .state │ └── state.bst ├── conn.log ├── packet_filter.log └── plugfest-tridium-1.pcap ├── plugfest-tridium-2 ├── .state │ └── state.bst ├── conn.log ├── packet_filter.log └── plugfest-tridium-2.pcap └── tridium-jace2 ├── .state └── state.bst ├── conn.log ├── dhcp.log ├── dns.log ├── files.log ├── http.log ├── packet_filter.log ├── tridium-jace2.pcap └── weird.log /.DS_Store: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/.DS_Store -------------------------------------------------------------------------------- /.gitattributes: -------------------------------------------------------------------------------- 1 | *.pcap filter=lfs diff=lfs merge=lfs -text 2 | Additional[[:space:]]Captures/4SICS-GeekLounge-151022/conn.log filter=lfs diff=lfs merge=lfs -text 3 | 
-------------------------------------------------------------------------------- /Additional Captures/4SICS-GeekLounge-151020/.state/state.bst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/Additional Captures/4SICS-GeekLounge-151020/.state/state.bst -------------------------------------------------------------------------------- /Additional Captures/4SICS-GeekLounge-151020/4SICS-GeekLounge-151020.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:8c6ee02dc26b1b5298a7c9b4dc83cc779bd2a3219d5c5cbc51e3d4d325763bc2 3 | size 25711082 4 | -------------------------------------------------------------------------------- /Additional Captures/4SICS-GeekLounge-151020/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-11-37-47 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466793467.667406 bro ip or not ip T T 10 | #close 2016-06-24-11-37-50 11 | -------------------------------------------------------------------------------- /Additional Captures/4SICS-GeekLounge-151021/.state/state.bst: -------------------------------------------------------------------------------- 1 | BRSTWm~ -------------------------------------------------------------------------------- /Additional Captures/4SICS-GeekLounge-151021/4SICS-GeekLounge-151021.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:7365b0ea475b76bf79b207fd8f83baa45e4449aead5da6a9214bbcffbc5fa7de 3 | size 139998821 4 | -------------------------------------------------------------------------------- 
/Additional Captures/4SICS-GeekLounge-151021/modbus.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path modbus 6 | #open 2016-06-24-11-37-59 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p func exception 8 | #types time string addr port addr port string string 9 | 1445425491.192560 CVM8k81aCQ0PX2hCeg 192.168.2.42 54297 192.168.88.100 502 ENCAP_INTERFACE_TRANSPORT - 10 | 1445425494.216667 CWPfUA1FF19Pptgc4d 192.168.2.42 54298 192.168.88.100 502 unknown-171 - 11 | 1445426017.158105 CrDvrB1d6z2ej3c17d 192.168.2.42 33700 192.168.88.20 502 unknown-171 - 12 | 1445426017.174456 COJLg62xLAXyVupPNk 192.168.2.42 33701 192.168.88.20 502 unknown-171 - 13 | 1445426071.495470 CKJZ703kBBjYziciRe 192.168.2.42 55453 192.168.88.50 502 unknown-171 - 14 | 1445426072.549226 CLSjHi1gexLU9owrah 192.168.2.42 55454 192.168.88.50 502 unknown-171 - 15 | 1445426184.713000 CHhwap3GPq6pLeHTT4 192.168.2.42 59469 192.168.88.100 502 ENCAP_INTERFACE_TRANSPORT - 16 | 1445426187.737086 CW92ER37ccqPHD3g3j 192.168.2.42 59470 192.168.88.100 502 unknown-171 - 17 | #close 2016-06-24-11-38-17 18 | -------------------------------------------------------------------------------- /Additional Captures/4SICS-GeekLounge-151021/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-11-37-51 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466793471.041407 bro ip or not ip T T 10 | #close 2016-06-24-11-38-17 11 | -------------------------------------------------------------------------------- /Additional Captures/4SICS-GeekLounge-151022/.state/state.bst: -------------------------------------------------------------------------------- 1 | BRSTWm~p 
-------------------------------------------------------------------------------- /Additional Captures/4SICS-GeekLounge-151022/4SICS-GeekLounge-151022.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:82529c23906416dc73d7f1926a0d38b82527f1f2a7ff8c6f755ce3208feb9643 3 | size 209236002 4 | -------------------------------------------------------------------------------- /Additional Captures/4SICS-GeekLounge-151022/conn.log: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:0afaef032224370d699c3be9b0deabc591468e19aedbe35c0e8689ea9ff7fa90 3 | size 116066848 4 | -------------------------------------------------------------------------------- /Additional Captures/4SICS-GeekLounge-151022/dhcp.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path dhcp 6 | #open 2016-06-24-11-39-43 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p mac assigned_ip lease_time trans_id 8 | #types time string addr port addr port string addr interval count 9 | 1445519331.631236 CQHPZw3TiuAAObB186 10.100.152.128 68 10.100.152.10 67 00:0c:be:04:f3:0a 10.100.152.128 86400.000000 2122513021 10 | #close 2016-06-24-11-39-44 11 | -------------------------------------------------------------------------------- /Additional Captures/4SICS-GeekLounge-151022/dnp3.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path dnp3 6 | #open 2016-06-24-11-38-44 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fc_request fc_reply iin 8 | #types time string addr port addr port string string count 9 | 1445503521.375539 CG7O2r2TWIFfpSFAd 192.168.2.166 2127 
192.168.88.95 20000 DISABLE_UNSOLICITED - - 10 | 1445503563.740016 CKCj3A3zdw0aZK1sQ5 192.168.2.166 2137 192.168.88.95 20000 UNSOLICITED_RESPONSE - - 11 | 1445503636.003435 CzoZVz1OjEQpHOGb85 192.168.2.166 2142 192.168.88.95 20000 READ - - 12 | #close 2016-06-24-11-39-44 13 | -------------------------------------------------------------------------------- /Additional Captures/4SICS-GeekLounge-151022/ftp.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path ftp 6 | #open 2016-06-24-11-39-24 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p user password command arg mime_type file_size reply_code reply_msg data_channel.passive data_channel.orig_h data_channel.resp_h data_channel.resp_p fuid 8 | #types time string addr port addr port string string string string string count count string bool addr addr port string 9 | 1445512144.008716 CRQoDD32KSfgGVEwHe 192.168.2.22 59431 192.168.88.49 21 ftp lol PORT 192,168,2,22,194,16 - - 503 Bad sequence of commands. 
F 192.168.88.49 192.168.2.22 49680 - 10 | #close 2016-06-24-11-39-44 11 | -------------------------------------------------------------------------------- /Additional Captures/4SICS-GeekLounge-151022/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-11-38-17 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466793497.303943 bro ip or not ip T T 10 | #close 2016-06-24-11-39-44 11 | -------------------------------------------------------------------------------- /Additional Captures/4SICS-GeekLounge-151022/snmp.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path snmp 6 | #open 2016-06-24-11-39-23 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p duration version community get_requests get_bulk_requests get_responses set_requests display_string up_since 8 | #types time string addr port addr port interval string string count count count count string time 9 | 1445511989.246623 CTfFsn3SclGZHZlG36 192.168.2.22 52186 192.168.88.30 161 2.032711 1 public 134 0 134 0 Siemens, SIMATIC S7, CPU-1200, 6ES7 212-1BD30-0XB0 SZVA3YU6014773 , 1, V.1.0.1, SZVA3YU6014773 1445425638.089385 10 | 1445512010.292693 CkDuQz3TStBd2UD4Wd 192.168.2.22 57279 192.168.88.30 161 2.015347 1 public 134 0 134 0 Siemens, SIMATIC S7, CPU-1200, 6ES7 212-1BD30-0XB0 SZVA3YU6014773 , 1, V.1.0.1, SZVA3YU6014773 1445425638.132908 11 | #close 2016-06-24-11-39-44 12 | -------------------------------------------------------------------------------- /Additional Captures/4sics.txt: -------------------------------------------------------------------------------- 1 | https://www.netresec.com/?page=PCAP4SICS 2 | 
-------------------------------------------------------------------------------- /AdditionalNotes.txt: -------------------------------------------------------------------------------- 1 | Hitachi 2 | Hitachi EH - 3004-3007/tcp-udp 3 | 4 | Mitsubishi 5 | MELSEC - 5000/udp | 5001/tcp 6 | Mitsubishi MC - 5000/udp | 5001/tcp 7 | 5000/udp | 5001/tcp 8 | 5000/udp | 5001/tcp 9 | 10 | Omron 11 | Ethernet/IP - 44818/tcp 12 | FINS/TCP-UDP - 9600/tcp-udp 13 | 14 | Rockwell Automation 15 | Ethernet/IP (exp) - 44818/tcp 16 | Ethernet/IP (imp) - 2222/udp 17 | 18 | Schneider Electric (Telemecanique) 19 | Modbus TCP - 502/tcp 20 | 21 | Siemens 22 | ISOTCP - 102/tcp 23 | 24 | VIPA (Yaskawa) 25 | Ethernet/IP - 44818/tcp 26 | Modbus TCP - 502/tcp 27 | 28 | Niagara Fox 29 | -- 1911/tcp open 30 | -- | fox-info: 31 | -- | Fox Version: 1.0.1 32 | -- | Host Name: xpvm-0omdc01xmy 33 | -- | Host Address: 192.168.1.1 34 | -- | Application Name: Workbench 35 | -- | Application Version: 3.7.44 36 | -- | VM Name: Java HotSpot(TM) Server VM 37 | -- | VM Version: 20.4-b02 38 | -- | OS Name: Windows XP 39 | 40 | ATG 41 | Guardian AST reset 42 | --10001/tcp open 43 | --| atg-info: 44 | --| I20100 45 | --| SEP 19, 2015 5:33 PM 46 | 47 | cspv4 48 | --2222/tcp open CSPV4 49 | --| cspv4-info: 50 | --|_ Session ID: 65792 51 | -------------------------------------------------------------------------------- /BACNET/BACnet-BBMD-on-same-subnet/.state/state.bst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/BACNET/BACnet-BBMD-on-same-subnet/.state/state.bst -------------------------------------------------------------------------------- /BACNET/BACnet-BBMD-on-same-subnet/BACnet-BBMD-on-same-subnet.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid 
sha256:206d976d00202045a45e167b735b46ec9b51ef562e41f31077887cfb4fd2bc91 3 | size 1298 4 | -------------------------------------------------------------------------------- /BACNET/BACnet-BBMD-on-same-subnet/conn.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path conn 6 | #open 2016-06-24-11-44-34 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents 8 | #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 9 | 1292339325.919723 CRc7JL2hir8okWsE8i 192.168.0.105 47808 192.168.0.255 47808 udp - - - - S0 - - 0 D 1 53 0 0 (empty) 10 | 1292339325.937216 CRbxpK2vZjdvpxaDCj 192.168.0.18 47808 192.168.0.255 47808 udp - 0.141128 52 0 S0 - - 0 D 2 108 0 0 (empty) 11 | 1292339325.910679 CjiKHc2audCxt9oK95 192.168.0.134 47808 192.168.0.24 47808 udp - 0.173146 18 161 SF - - 0 Dd 2 74 6 329 (empty) 12 | 1292339325.919556 ChGAJd2z8D7dH8VQ3i 192.168.0.24 47808 192.168.0.255 47808 udp - 0.127961 66 0 S0 - - 0 D 3 150 0 0 (empty) 13 | #close 2016-06-24-11-44-34 14 | -------------------------------------------------------------------------------- /BACNET/BACnet-BBMD-on-same-subnet/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-11-44-34 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466793874.612439 bro ip or not ip T T 10 | #close 2016-06-24-11-44-34 11 | -------------------------------------------------------------------------------- /BACNET/BACnet-MSTP-SNAP-Mixed/.state/state.bst: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/BACNET/BACnet-MSTP-SNAP-Mixed/.state/state.bst -------------------------------------------------------------------------------- /BACNET/BACnet-MSTP-SNAP-Mixed/BACnet-MSTP-SNAP-Mixed.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:72003d0d4852941a44cf10fe48bc27e461a20a31f808a9de4505f64bdb5c843c 3 | size 113787 4 | -------------------------------------------------------------------------------- /BACNET/BACnet-MSTP-SNAP-Mixed/conn.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path conn 6 | #open 2016-06-24-11-44-35 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents 8 | #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 9 | 1218921726.697382 COEGXl3fePwrQs2cse 192.168.0.103 47808 192.168.0.24 47808 udp - 4.654367 704 890 SF - - 0 Dd 31 1572 31 1758 (empty) 10 | 1218921708.829894 CSG6wF4Z1SMqUCkDO3 192.168.0.24 47808 192.168.0.255 47808 udp - 17.864207 76 0 S0 - - 0 D 3 160 0 0 (empty) 11 | 1218921708.802690 C9VKsf26FnRx0oTXI8 192.168.0.103 47808 192.168.0.255 47808 udp - 17.824031 57 0 S0 - - 0 D 3 141 0 0 (empty) 12 | #close 2016-06-24-11-44-35 13 | -------------------------------------------------------------------------------- /BACNET/BACnet-MSTP-SNAP-Mixed/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field 
(empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-11-44-35 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466793875.280907 bro ip or not ip T T 10 | #close 2016-06-24-11-44-35 11 | -------------------------------------------------------------------------------- /BACNET/BACnet-MSTP-SNAP-Mixed/weird.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path weird 6 | #open 2016-06-24-11-44-35 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer 8 | #types time string addr port addr port string string bool string 9 | 1218921702.109166 - - - - - truncated_IP - F bro 10 | 1218921708.856787 - - - - - unknown_packet_type - F bro 11 | #close 2016-06-24-11-44-35 12 | -------------------------------------------------------------------------------- /BACNET/BACnet-exception-schedule-property-1/.state/state.bst: -------------------------------------------------------------------------------- 1 | BRSTWm -------------------------------------------------------------------------------- /BACNET/BACnet-exception-schedule-property-1/BACnet-exception-schedule-property-1.pcapng: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/BACNET/BACnet-exception-schedule-property-1/BACnet-exception-schedule-property-1.pcapng -------------------------------------------------------------------------------- /BACNET/BACnet-exception-schedule-property-1/conn.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path conn 6 | #open 2016-06-24-11-42-35 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes 
conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents 8 | #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 9 | 1415689100.002483 Cd1cyp7Fr4XhegMic 192.168.42.29 47808 192.168.42.207 47808 udp - - - - S0 - - 0 D 1 54 0 0 (empty) 10 | 1415689226.775807 CPnGy01m9TR3FPyfmk 192.168.42.29 47808 192.168.42.207 47808 udp - - - - S0 - - 0 D 1 75 0 0 (empty) 11 | #close 2016-06-24-11-42-35 12 | -------------------------------------------------------------------------------- /BACNET/BACnet-exception-schedule-property-1/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-11-42-35 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466793755.049383 bro ip or not ip T T 10 | #close 2016-06-24-11-42-35 11 | -------------------------------------------------------------------------------- /BACNET/BACnet-exception-schedule-property-2/.state/state.bst: -------------------------------------------------------------------------------- 1 | BRSTWm| -------------------------------------------------------------------------------- /BACNET/BACnet-exception-schedule-property-2/BACnet-exception-schedule-property-2.pcapng: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/BACNET/BACnet-exception-schedule-property-2/BACnet-exception-schedule-property-2.pcapng -------------------------------------------------------------------------------- /BACNET/BACnet-exception-schedule-property-2/conn.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | 
#empty_field (empty) 4 | #unset_field - 5 | #path conn 6 | #open 2016-06-24-11-44-12 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents 8 | #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 9 | 1415775123.888211 CfIUqrxnl3Ao15FE2 192.168.42.29 47808 192.168.42.207 47808 udp - - - - S0 - - 0 D 1 78 0 0 (empty) 10 | #close 2016-06-24-11-44-12 11 | -------------------------------------------------------------------------------- /BACNET/BACnet-exception-schedule-property-2/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-11-44-12 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466793852.572331 bro ip or not ip T T 10 | #close 2016-06-24-11-44-12 11 | -------------------------------------------------------------------------------- /BACNET/BACnetARRAY-element-0/.state/state.bst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/BACNET/BACnetARRAY-element-0/.state/state.bst -------------------------------------------------------------------------------- /BACNET/BACnetARRAY-element-0/BACnetARRAY-element-0.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:b53cd60d1320d3be0e329e0ce4b15c2d2ed83373a124bbb95e878d71e933de44 3 | size 495 4 | -------------------------------------------------------------------------------- /BACNET/BACnetARRAY-element-0/conn.log: 
-------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path conn 6 | #open 2016-06-24-11-44-34 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents 8 | #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 9 | 1205514213.976872 CqKqGm1sai2hzpnkG5 192.168.0.103 47808 192.168.0.126 47808 udp - 0.000447 19 22 SF - - 0 Dd 1 47 1 50 (empty) 10 | 1205514324.012243 CT4kjh2ouYSkors2kd 192.168.0.103 47808 192.168.0.126 47808 udp - 0.000426 19 22 SF - - 0 Dd 1 47 1 50 (empty) 11 | 1205514428.271636 Ck6CO134tD4xxfccVe 192.168.0.103 47808 192.168.0.126 47808 udp - 0.000252 19 22 SF - - 0 Dd 1 47 1 50 (empty) 12 | #close 2016-06-24-11-44-34 13 | -------------------------------------------------------------------------------- /BACNET/BACnetARRAY-element-0/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-11-44-34 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466793874.185503 bro ip or not ip T T 10 | #close 2016-06-24-11-44-34 11 | -------------------------------------------------------------------------------- /BACNET/BACnetARRAY-elements/.state/state.bst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/BACNET/BACnetARRAY-elements/.state/state.bst -------------------------------------------------------------------------------- 
/BACNET/BACnetARRAY-elements/BACnetARRAY-elements.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:d210c0407255ca0114e58a675173d5803278ffaa67a17eacf5c5e10071151dd3 3 | size 3339 4 | -------------------------------------------------------------------------------- /BACNET/BACnetARRAY-elements/conn.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path conn 6 | #open 2016-06-24-11-44-34 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents 8 | #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 9 | 1212653515.129197 CAiWX9TCrkzERzUXc 10.0.218.174 47808 192.168.222.128 47808 udp - 0.002120 41 338 SF - - 0 Dd 3 125 5 478 (empty) 10 | 1212653515.129634 CQTUCx4FfieGN71Sf 192.168.222.128 47808 192.168.222.255 47808 udp - 0.000417 43 0 S0 - - 0 D 2 99 0 0 (empty) 11 | 1212653600.450301 C8Ov4VUKsH474XETe 10.0.218.174 47808 192.168.222.128 47808 udp - 41.663551 129 315 SF - - 0 Dd 9 381 15 735 (empty) 12 | 1212653600.450715 CSgqpIjrUXojjMT39 192.168.222.128 47808 192.168.222.255 47808 udp - 41.661914 129 0 S0 - - 0 D 6 297 0 0 (empty) 13 | #close 2016-06-24-11-44-34 14 | -------------------------------------------------------------------------------- /BACNET/BACnetARRAY-elements/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-11-44-34 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 
1466793874.398331 bro ip or not ip T T 10 | #close 2016-06-24-11-44-34 11 | -------------------------------------------------------------------------------- /BACNET/BACnetDeviceObjectReference/.state/state.bst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/BACNET/BACnetDeviceObjectReference/.state/state.bst -------------------------------------------------------------------------------- /BACNET/BACnetDeviceObjectReference/BACnetDeviceObjectReference.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:958f0bc237cadd36e5a4ac0b2c88bf2ca2f405fded8878950790e9e4935c4420 3 | size 582 4 | -------------------------------------------------------------------------------- /BACNET/BACnetDeviceObjectReference/conn.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path conn 6 | #open 2016-06-24-11-44-34 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents 8 | #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 9 | 1182754596.287321 CQgI6i1zj22vFCLqPe 192.168.1.1 51000 192.168.1.255 51000 udp - 15.149115 60 0 S0 - - 0 D 2 116 0 0 (empty) 10 | 1182754589.814075 CIHJPX2to3sdazt3Ol 192.168.1.100 47808 192.168.1.1 47808 udp - 18.847626 34 116 SF - - 0 Dd 2 90 2 172 (empty) 11 | #close 2016-06-24-11-44-34 12 | -------------------------------------------------------------------------------- /BACNET/BACnetDeviceObjectReference/packet_filter.log: 
-------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-11-44-34 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466793874.833979 bro ip or not ip T T 10 | #close 2016-06-24-11-44-34 11 | -------------------------------------------------------------------------------- /BACNET/BACnetIP-MSTP-Mix/.state/state.bst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/BACNET/BACnetIP-MSTP-Mix/.state/state.bst -------------------------------------------------------------------------------- /BACNET/BACnetIP-MSTP-Mix/BACnetIP-MSTP-Mix.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:0c4bfd74c3d55f92f7c2fd05631acee76e2796ea000a07140decf58cee7d46a7 3 | size 118053 4 | -------------------------------------------------------------------------------- /BACNET/BACnetIP-MSTP-Mix/conn.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path conn 6 | #open 2016-06-24-11-44-35 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents 8 | #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 9 | 1218932832.185412 CzOAdsrGbF3zWEqPc 192.168.0.103 47808 192.168.0.24 47808 udp - 4.525427 704 890 SF - - 0 Dd 31 1572 31 1758 (empty) 10 | 1218932816.380851 CctvNK18pLcKo5GX3i 192.168.0.103 47808 192.168.0.255 47808 udp - 
15.654985 94 0 S0 - - 0 D 5 234 0 0 (empty) 11 | 1218932816.408017 CaV2sh3As3JBLn00ra 192.168.0.24 47808 192.168.0.255 47808 udp - 15.773742 124 0 S0 - - 0 D 5 264 0 0 (empty) 12 | #close 2016-06-24-11-44-35 13 | -------------------------------------------------------------------------------- /BACNET/BACnetIP-MSTP-Mix/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-11-44-35 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466793875.050463 bro ip or not ip T T 10 | #close 2016-06-24-11-44-35 11 | -------------------------------------------------------------------------------- /BACNET/BACnetIP-MSTP-Mix/weird.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path weird 6 | #open 2016-06-24-11-44-35 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer 8 | #types time string addr port addr port string string bool string 9 | 1218932803.647214 - - - - - truncated_IP - F bro 10 | 1218932816.438909 - - - - - unknown_packet_type - F bro 11 | #close 2016-06-24-11-44-35 12 | -------------------------------------------------------------------------------- /BACNET/BACnetL_SchedRPM/.state/state.bst: -------------------------------------------------------------------------------- 1 | BRSTWmr -------------------------------------------------------------------------------- /BACNET/BACnetL_SchedRPM/BACnetL_SchedRPM.pcapng: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/BACNET/BACnetL_SchedRPM/BACnetL_SchedRPM.pcapng 
-------------------------------------------------------------------------------- /BACNET/BACnetL_SchedRPM/conn.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path conn 6 | #open 2016-06-24-11-44-02 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents 8 | #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 9 | 1415633219.580822 CLpgaab8hiMJ7w6rk 192.168.1.13 56355 192.168.1.99 47808 udp - 0.003411 47 131 SF - - 0 Dd 1 75 1 159 (empty) 10 | #close 2016-06-24-11-44-02 11 | -------------------------------------------------------------------------------- /BACNET/BACnetL_SchedRPM/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-11-44-02 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466793842.223066 bro ip or not ip T T 10 | #close 2016-06-24-11-44-02 11 | -------------------------------------------------------------------------------- /BACNET/cimetrics_mstp/.state/state.bst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/BACNET/cimetrics_mstp/.state/state.bst -------------------------------------------------------------------------------- /BACNET/cimetrics_mstp/cimetrics_mstp.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid 
sha256:2bdee288fb36dc4dd1a249a468f0811ef4d64aa77a3648897385695a6248437e 3 | size 90610 4 | -------------------------------------------------------------------------------- /BACNET/cimetrics_mstp/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-11-44-35 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466793875.500703 bro ip or not ip T T 10 | #close 2016-06-24-11-44-35 11 | -------------------------------------------------------------------------------- /BACNET/cimetrics_mstp/weird.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path weird 6 | #open 2016-06-24-11-44-35 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer 8 | #types time string addr port addr port string string bool string 9 | 1210700877.074521 - - - - - truncated_IP - F bro 10 | 1210700883.823747 - - - - - unknown_packet_type - F bro 11 | #close 2016-06-24-11-44-35 12 | -------------------------------------------------------------------------------- /BACNET/mstp_wtap/mstp_wtap.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:839e3d6bec816555070adc61c3aca82c1e42f62f7c00ca2de47ecd0791445068 3 | size 46098 4 | -------------------------------------------------------------------------------- /DNP3/.DS_Store: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/DNP3/.DS_Store -------------------------------------------------------------------------------- /DNP3/DNP3-Malformed/.state/state.bst: 
-------------------------------------------------------------------------------- 1 | BRSTWm� -------------------------------------------------------------------------------- /DNP3/DNP3-Malformed/DNP3-Malformed.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:6a7cf45527b7e7bd58bd0cbd861e13f7c51d181f6512c92921582270f940ac00 3 | size 21136 4 | -------------------------------------------------------------------------------- /DNP3/DNP3-Malformed/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-11-45-27 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466793927.762516 bro ip or not ip T T 10 | #close 2016-06-24-11-45-27 11 | -------------------------------------------------------------------------------- /DNP3/DNP3-Read/.state/state.bst: -------------------------------------------------------------------------------- 1 | BRSTWm� -------------------------------------------------------------------------------- /DNP3/DNP3-Read/DNP3-Read.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:66f460ea8d274085f7b478a73bab987d79cfe062653fb36bdefc5fe942240fbe 3 | size 603 4 | -------------------------------------------------------------------------------- /DNP3/DNP3-Read/conn.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path conn 6 | #open 2016-06-24-11-45-28 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts 
resp_ip_bytes tunnel_parents 8 | #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 9 | 1227729908.705789 CUotIU2rgwy54njqjg 127.0.0.1 42942 127.0.0.1 20000 tcp dnp3_tcp 0.000222 18 1 RSTO - - 0 ShADadR 5 218 3 121 (empty) 10 | #close 2016-06-24-11-45-28 11 | -------------------------------------------------------------------------------- /DNP3/DNP3-Read/dnp3.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path dnp3 6 | #open 2016-06-24-11-45-28 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fc_request fc_reply iin 8 | #types time string addr port addr port string string count 9 | 1227729908.705944 CUotIU2rgwy54njqjg 127.0.0.1 42942 127.0.0.1 20000 READ - - 10 | #close 2016-06-24-11-45-28 11 | -------------------------------------------------------------------------------- /DNP3/DNP3-Read/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-11-45-28 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466793928.011417 bro ip or not ip T T 10 | #close 2016-06-24-11-45-28 11 | -------------------------------------------------------------------------------- /DNP3/DNP3-ReadRequest/.state/state.bst: -------------------------------------------------------------------------------- 1 | BRSTWm� -------------------------------------------------------------------------------- /DNP3/DNP3-ReadRequest/DNP3-ReadRequest.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:765717637e8c210515bc667aa46df731079d53b10f6311225249d75cd4b0d462 3 | size 1096 4 | 
-------------------------------------------------------------------------------- /DNP3/DNP3-ReadRequest/conn.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path conn 6 | #open 2016-06-24-11-45-28 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents 8 | #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 9 | 1280281287.138748 CLHzCR2If5J53U2ufl 1.1.1.1 43661 1.1.1.2 20000 tcp - 0.000641 10 10 SF - - 0 ShADadFf 6 330 5 278 (empty) 10 | #close 2016-06-24-11-45-28 11 | -------------------------------------------------------------------------------- /DNP3/DNP3-ReadRequest/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-11-45-28 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466793928.225097 bro ip or not ip T T 10 | #close 2016-06-24-11-45-28 11 | -------------------------------------------------------------------------------- /DNP3/DNP3-RequestLink/.state/state.bst: -------------------------------------------------------------------------------- 1 | BRSTWm� -------------------------------------------------------------------------------- /DNP3/DNP3-RequestLink/DNP3-RequestLink.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:a4e05d73098577f58f27d045f4249e7e316c95a24214e955b7ff81a934b46a23 3 | size 880 4 | 
-------------------------------------------------------------------------------- /DNP3/DNP3-RequestLink/conn.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path conn 6 | #open 2016-06-24-11-45-28 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents 8 | #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 9 | 1280281287.330982 Cn6QVz45eBzSvgnLcj 1.1.1.1 43662 1.1.1.2 20000 tcp - 0.000565 10 10 SF - - 0 ShADadFf 6 330 4 226 (empty) 10 | #close 2016-06-24-11-45-28 11 | -------------------------------------------------------------------------------- /DNP3/DNP3-RequestLink/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-11-45-28 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466793928.440621 bro ip or not ip T T 10 | #close 2016-06-24-11-45-28 11 | -------------------------------------------------------------------------------- /DNP3/DNP3-RequestLinkStatus/.state/state.bst: -------------------------------------------------------------------------------- 1 | BRSTWm� -------------------------------------------------------------------------------- /DNP3/DNP3-RequestLinkStatus/DNP3-RequestLinkStatus.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:5ec72214afd7fecbfe51d00b83edfd4e70a33576a1ae8e00c50d11efef8be38d 3 | size 604 4 | 
-------------------------------------------------------------------------------- /DNP3/DNP3-RequestLinkStatus/conn.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path conn 6 | #open 2016-06-24-11-45-28 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents 8 | #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 9 | 1227729907.970109 CXZeg522huyE7omexg 127.0.0.1 57259 127.0.0.1 20000 tcp - 0.000223 10 10 RSTO - - 0 ShADadR 5 210 3 130 (empty) 10 | #close 2016-06-24-11-45-28 11 | -------------------------------------------------------------------------------- /DNP3/DNP3-RequestLinkStatus/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-11-45-28 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466793928.650944 bro ip or not ip T T 10 | #close 2016-06-24-11-45-28 11 | -------------------------------------------------------------------------------- /DNP3/DNP3-SelectOperate/.state/state.bst: -------------------------------------------------------------------------------- 1 | BRSTWm� -------------------------------------------------------------------------------- /DNP3/DNP3-SelectOperate/DNP3-SelectOperate.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:9cc5c193218d78afba25fec251c4e91f682066f076225c6eaa642e8b32d34b7e 3 | size 936 4 | 
-------------------------------------------------------------------------------- /DNP3/DNP3-SelectOperate/conn.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path conn 6 | #open 2016-06-24-11-45-28 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents 8 | #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 9 | 1227729908.575446 Cb2Swx3S4nZKTgXh4c 127.0.0.1 64825 127.0.0.1 20000 tcp dnp3_tcp 0.000377 70 2 RSTO - - 0 ShADadR 7 350 5 202 (empty) 10 | #close 2016-06-24-11-45-28 11 | -------------------------------------------------------------------------------- /DNP3/DNP3-SelectOperate/dnp3.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path dnp3 6 | #open 2016-06-24-11-45-28 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fc_request fc_reply iin 8 | #types time string addr port addr port string string count 9 | 1227729908.575758 Cb2Swx3S4nZKTgXh4c 127.0.0.1 64825 127.0.0.1 20000 OPERATE - - 10 | #close 2016-06-24-11-45-28 11 | -------------------------------------------------------------------------------- /DNP3/DNP3-SelectOperate/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-11-45-28 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466793928.876532 bro ip or not ip T T 10 | #close 2016-06-24-11-45-28 11 | 
-------------------------------------------------------------------------------- /DNP3/DNP3-SelectOperateRequest/.state/state.bst: -------------------------------------------------------------------------------- 1 | BRSTWm� -------------------------------------------------------------------------------- /DNP3/DNP3-SelectOperateRequest/DNP3-SelectOperateRequest.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:e35329534d27938411b90ac5e575aa27becadb4fb4586e51a37d25aeb7a235e0 3 | size 880 4 | -------------------------------------------------------------------------------- /DNP3/DNP3-SelectOperateRequest/conn.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path conn 6 | #open 2016-06-24-11-45-29 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents 8 | #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 9 | 1280285287.275790 CFhbhD2xW00zPjbPCa 1.1.1.1 43690 1.1.1.2 20000 tcp - 0.000456 10 10 SF - - 0 ShADadFf 6 330 4 226 (empty) 10 | #close 2016-06-24-11-45-29 11 | -------------------------------------------------------------------------------- /DNP3/DNP3-SelectOperateRequest/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-11-45-29 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466793929.087510 bro ip or not ip T T 10 | #close 2016-06-24-11-45-29 11 | 
-------------------------------------------------------------------------------- /DNP3/DNP3-TestDataPart1/.state/state.bst: -------------------------------------------------------------------------------- 1 | BRSTWm� -------------------------------------------------------------------------------- /DNP3/DNP3-TestDataPart1/DNP3-TestDataPart1.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:71779cac342a37b412df5bb6372ec22c35b5127ad2bfed4447d7ab6b92ebb4bf 3 | size 15838 4 | -------------------------------------------------------------------------------- /DNP3/DNP3-TestDataPart1/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-11-45-29 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466793929.302210 bro ip or not ip T T 10 | #close 2016-06-24-11-45-29 11 | -------------------------------------------------------------------------------- /DNP3/DNP3-TestDataPart1/weird.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path weird 6 | #open 2016-06-24-11-45-29 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer 8 | #types time string addr port addr port string string bool string 9 | 1097502640.430661 CqMCxO3og9dteBYJie 10.0.0.8 2803 10.0.0.3 20000 dnp3_header_lacks_magic - F bro 10 | #close 2016-06-24-11-45-29 11 | -------------------------------------------------------------------------------- /DNP3/DNP3-TestDataPart2/.state/state.bst: -------------------------------------------------------------------------------- 1 | BRSTWm� -------------------------------------------------------------------------------- 
/DNP3/DNP3-TestDataPart2/DNP3-TestDataPart2.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:cb7de30363a64f1a6d3b7332f78d937a1f05677e546db0ad2790b2c481a7bc4b 3 | size 2976 4 | -------------------------------------------------------------------------------- /DNP3/DNP3-TestDataPart2/conn.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path conn 6 | #open 2016-06-24-11-45-29 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents 8 | #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 9 | 1178205958.103372 C2VBbh47f8chh5AXj5 192.168.66.33 1167 192.168.66.34 20000 tcp dnp3_tcp 88.142805 289 287 OTH - - 0 DdA 22 1169 11 727 (empty) 10 | #close 2016-06-24-11-45-29 11 | -------------------------------------------------------------------------------- /DNP3/DNP3-TestDataPart2/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-11-45-29 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466793929.538201 bro ip or not ip T T 10 | #close 2016-06-24-11-45-29 11 | -------------------------------------------------------------------------------- /DNP3/DNP3-Write/.state/state.bst: -------------------------------------------------------------------------------- 1 | BRSTWm� -------------------------------------------------------------------------------- /DNP3/DNP3-Write/DNP3-Write.pcap: 
-------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:b8aeabece2584bb6090f213a5a6e263e82d5308c48615c72718b11cc2437225d 3 | size 610 4 | -------------------------------------------------------------------------------- /DNP3/DNP3-Write/conn.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path conn 6 | #open 2016-06-24-11-45-29 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents 8 | #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 9 | 1227729908.341379 CBYYRg2btmHKWnQqh 127.0.0.1 37712 127.0.0.1 20000 tcp dnp3_tcp 0.000242 25 1 RSTO - - 0 ShADadR 5 225 3 121 (empty) 10 | #close 2016-06-24-11-45-29 11 | -------------------------------------------------------------------------------- /DNP3/DNP3-Write/dnp3.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path dnp3 6 | #open 2016-06-24-11-45-29 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fc_request fc_reply iin 8 | #types time string addr port addr port string string count 9 | 1227729908.341553 CBYYRg2btmHKWnQqh 127.0.0.1 37712 127.0.0.1 20000 WRITE - - 10 | #close 2016-06-24-11-45-29 11 | -------------------------------------------------------------------------------- /DNP3/DNP3-Write/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 
2016-06-24-11-45-29 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466793929.761906 bro ip or not ip T T 10 | #close 2016-06-24-11-45-29 11 | -------------------------------------------------------------------------------- /DNP3/DNP3-WriteRequest/.state/state.bst: -------------------------------------------------------------------------------- 1 | BRSTWm� -------------------------------------------------------------------------------- /DNP3/DNP3-WriteRequest/DNP3-WriteRequest.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:bf0f24c2b8586c5e3e784aec73c5745d5020843790d35e652e1d4a6bd89872ac 3 | size 962 4 | -------------------------------------------------------------------------------- /DNP3/DNP3-WriteRequest/conn.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path conn 6 | #open 2016-06-24-11-45-29 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents 8 | #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 9 | 1280285287.477749 CfYwmf4KWVF6zoPgZd 1.1.1.1 43691 1.1.1.2 20000 tcp - 0.000489 10 10 SF - - 0 ShADadFf 6 330 5 278 (empty) 10 | #close 2016-06-24-11-45-29 11 | -------------------------------------------------------------------------------- /DNP3/DNP3-WriteRequest/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-11-45-29 7 | #fields ts node filter init success 8 | #types 
time string string bool bool 9 | 1466793929.985968 bro ip or not ip T T 10 | #close 2016-06-24-11-45-29 11 | -------------------------------------------------------------------------------- /DNP3/digitalbond pcaps/dnp3_test_data_part1/.state/state.bst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/DNP3/digitalbond pcaps/dnp3_test_data_part1/.state/state.bst -------------------------------------------------------------------------------- /DNP3/digitalbond pcaps/dnp3_test_data_part1/dnp3_test_data_part1.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:71779cac342a37b412df5bb6372ec22c35b5127ad2bfed4447d7ab6b92ebb4bf 3 | size 15838 4 | -------------------------------------------------------------------------------- /DNP3/digitalbond pcaps/dnp3_test_data_part1/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-11-46-38 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466793998.099015 bro ip or not ip T T 10 | #close 2016-06-24-11-46-38 11 | -------------------------------------------------------------------------------- /DNP3/digitalbond pcaps/dnp3_test_data_part1/weird.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path weird 6 | #open 2016-06-24-11-46-38 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer 8 | #types time string addr port addr port string string bool string 9 | 1097502640.430661 Ctzbkq1s3iQobTQmX6 10.0.0.8 2803 10.0.0.3 20000 dnp3_header_lacks_magic - F bro 10 | 
#close 2016-06-24-11-46-38 11 | -------------------------------------------------------------------------------- /DNP3/digitalbond pcaps/dnp3_test_data_part2/.state/state.bst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/DNP3/digitalbond pcaps/dnp3_test_data_part2/.state/state.bst -------------------------------------------------------------------------------- /DNP3/digitalbond pcaps/dnp3_test_data_part2/conn.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path conn 6 | #open 2016-06-24-11-46-38 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents 8 | #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 9 | 1178205958.103372 CCA75w49ieigK977P9 192.168.66.33 1167 192.168.66.34 20000 tcp dnp3_tcp 88.142805 289 287 OTH - - 0 DdA 22 1169 11 727 (empty) 10 | #close 2016-06-24-11-46-38 11 | -------------------------------------------------------------------------------- /DNP3/digitalbond pcaps/dnp3_test_data_part2/dnp3_test_data_part2.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:cb7de30363a64f1a6d3b7332f78d937a1f05677e546db0ad2790b2c481a7bc4b 3 | size 2976 4 | -------------------------------------------------------------------------------- /DNP3/digitalbond pcaps/dnp3_test_data_part2/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | 
#path packet_filter 6 | #open 2016-06-24-11-46-38 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466793998.310766 bro ip or not ip T T 10 | #close 2016-06-24-11-46-38 11 | -------------------------------------------------------------------------------- /EIP/EIP-ChangeDateAttempt/.state/state.bst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/EIP/EIP-ChangeDateAttempt/.state/state.bst -------------------------------------------------------------------------------- /EIP/EIP-ChangeDateAttempt/EIP-ChangeDateAttempt.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:0a29fc866bbb266e34a8cd858c4b8d5a5e1a04cfddddcaeedf66bbc3b5177432 3 | size 57778 4 | -------------------------------------------------------------------------------- /EIP/EIP-ChangeDateAttempt/conn.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path conn 6 | #open 2016-06-24-11-58-46 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents 8 | #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 9 | 1224804548.739740 CyIuLp4mDY4DRWXtb4 192.168.10.105 3033 192.168.10.120 44818 tcp - 20.296440 13826 18040 OTH - - 0 ADad 176 20866 175 25040 (empty) 10 | #close 2016-06-24-11-58-46 11 | -------------------------------------------------------------------------------- /EIP/EIP-ChangeDateAttempt/packet_filter.log: 
-------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-11-58-46 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466794726.756642 bro ip or not ip T T 10 | #close 2016-06-24-11-58-46 11 | -------------------------------------------------------------------------------- /EIP/EIP-ChangeDateAttempt/weird.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path weird 6 | #open 2016-06-24-11-58-46 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer 8 | #types time string addr port addr port string string bool string 9 | 1224804549.133968 - - - - - truncated_IP - F bro 10 | 1224804558.254386 - - - - - unknown_packet_type - F bro 11 | #close 2016-06-24-11-58-46 12 | -------------------------------------------------------------------------------- /EIP/EIP-ChangePortConfigurationAttempt/.state/state.bst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/EIP/EIP-ChangePortConfigurationAttempt/.state/state.bst -------------------------------------------------------------------------------- /EIP/EIP-ChangePortConfigurationAttempt/EIP-ChangePortConfigurationAttempt.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:5016803f957b1c6ed09f4cf28787bffcc42684dc18bf61620f6edc7e29d3aa64 3 | size 4094337 4 | -------------------------------------------------------------------------------- /EIP/EIP-ChangePortConfigurationAttempt/conn.log: -------------------------------------------------------------------------------- 1 | #separator 
\x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path conn 6 | #open 2016-06-24-11-58-46 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents 8 | #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 9 | 1253250242.209193 CxE9oOgEgiawXTCae 192.168.10.121 44818 192.168.10.105 1402 tcp - 42.500541 447 392 OTH - - 0 AadD 17 1126 17 1072 (empty) 10 | 1253250236.316934 ChZcI22DM7bXBDWAGk 192.168.10.200 56493 192.168.10.106 443 tcp - 55.104161 0 3809604 OTH - - 0 da 0 0 2950 3986716 (empty) 11 | 1253250278.611838 CN1tp41saJG7ZAMvs5 192.168.10.21 138 192.168.10.255 138 udp - - - - S0 - - 0 D 1 229 0 0 (empty) 12 | 1253250249.181539 CNMqYd25niwtmpF7Pj 192.168.10.62 32768 192.168.10.249 6000 udp - 29.998725 288 0 S0 - - 0 D 2 344 0 0 (empty) 13 | #close 2016-06-24-11-58-46 14 | -------------------------------------------------------------------------------- /EIP/EIP-ChangePortConfigurationAttempt/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-11-58-46 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466794726.971369 bro ip or not ip T T 10 | #close 2016-06-24-11-58-46 11 | -------------------------------------------------------------------------------- /EIP/EIP-ChangePortConfigurationAttempt/weird.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path weird 6 | #open 2016-06-24-11-58-46 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice 
peer 8 | #types time string addr port addr port string string bool string 9 | 1253250237.118755 - - - - - unknown_packet_type - F bro 10 | 1253250237.118757 - - - - - truncated_IP - F bro 11 | #close 2016-06-24-11-58-46 12 | -------------------------------------------------------------------------------- /EIP/EIP-ChangeTimeAttempt/.state/state.bst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/EIP/EIP-ChangeTimeAttempt/.state/state.bst -------------------------------------------------------------------------------- /EIP/EIP-ChangeTimeAttempt/EIP-ChangeTimeAttempt.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:419ea677cc2aa5d0633eaca5adfd929217f8fbf88c89acb18f847b58bf404b10 3 | size 115764 4 | -------------------------------------------------------------------------------- /EIP/EIP-ChangeTimeAttempt/conn.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path conn 6 | #open 2016-06-24-11-58-47 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents 8 | #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 9 | 1224804417.531888 CHOqeL1HWNbMYN6NEg 192.168.10.105 3033 192.168.10.120 44818 tcp - 40.180741 27434 36377 OTH - - 0 DadA 348 41354 354 50537 (empty) 10 | #close 2016-06-24-11-58-47 11 | -------------------------------------------------------------------------------- /EIP/EIP-ChangeTimeAttempt/packet_filter.log: 
-------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-11-58-47 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466794727.199098 bro ip or not ip T T 10 | #close 2016-06-24-11-58-47 11 | -------------------------------------------------------------------------------- /EIP/EIP-ChangeTimeAttempt/weird.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path weird 6 | #open 2016-06-24-11-58-47 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer 8 | #types time string addr port addr port string string bool string 9 | 1224804418.243622 - - - - - truncated_IP - F bro 10 | 1224804419.355180 - - - - - unknown_packet_type - F bro 11 | #close 2016-06-24-11-58-47 12 | -------------------------------------------------------------------------------- /EIP/EIP-ControlProtocolChangeAttempt/.state/state.bst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/EIP/EIP-ControlProtocolChangeAttempt/.state/state.bst -------------------------------------------------------------------------------- /EIP/EIP-ControlProtocolChangeAttempt/EIP-ControlProtocolChangeAttempt.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:66479850e1c98ce63cb7365d1cb76c475d6f88fa4e363ac9973101e2835edfc4 3 | size 663995 4 | -------------------------------------------------------------------------------- /EIP/EIP-ControlProtocolChangeAttempt/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator 
\x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-11-58-47 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466794727.421718 bro ip or not ip T T 10 | #close 2016-06-24-11-58-47 11 | -------------------------------------------------------------------------------- /EIP/EIP-ControlProtocolChangeAttempt/weird.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path weird 6 | #open 2016-06-24-11-58-47 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer 8 | #types time string addr port addr port string string bool string 9 | 1226509330.490562 - - - - - truncated_IP - F bro 10 | 1226509347.838436 - - - - - unknown_packet_type - F bro 11 | 1226509416.736820 CL4D303DlNutwDNe94 192.168.10.22 137 192.168.10.105 137 dns_unmatched_reply - F bro 12 | 1226509426.738509 - - - - - dns_unmatched_msg - F bro 13 | 1226509426.738509 - - - - - dns_unmatched_msg - F bro 14 | 1226509433.907015 - - - - - unknown_protocol_2 - F bro 15 | 1226509517.950699 C4oZpZ2bD4bBtYYyb4 192.168.10.21 137 192.168.10.105 137 dns_unmatched_reply - F bro 16 | 1226509525.222398 CZHARB3ElmgOVES9va 192.168.10.24 137 192.168.10.105 137 dns_unmatched_reply - F bro 17 | 1226509527.967873 - - - - - dns_unmatched_msg - F bro 18 | 1226509527.967873 - - - - - dns_unmatched_msg - F bro 19 | 1226509535.379796 - - - - - dns_unmatched_msg - F bro 20 | 1226509535.379796 - - - - - dns_unmatched_msg - F bro 21 | #close 2016-06-24-11-58-47 22 | -------------------------------------------------------------------------------- /EIP/EIP-FirmwareChange/.state/state.bst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/EIP/EIP-FirmwareChange/.state/state.bst 
-------------------------------------------------------------------------------- /EIP/EIP-FirmwareChange/EIP-FirmwareChange.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:3d0f3ea89f8eb56c379c56a915cfd9c469f61f0ee690c66234a92d9c88e37201 3 | size 3114279 4 | -------------------------------------------------------------------------------- /EIP/EIP-FirmwareChange/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-11-58-47 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466794727.878191 bro ip or not ip T T 10 | #close 2016-06-24-11-58-47 11 | -------------------------------------------------------------------------------- /EIP/EIP-FirmwareChange/weird.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path weird 6 | #open 2016-06-24-11-58-47 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer 8 | #types time string addr port addr port string string bool string 9 | 1220389077.730685 - - - - - truncated_IP - F bro 10 | 1220389077.874879 - - - - - unknown_packet_type - F bro 11 | 1220389159.743247 - - - - - unknown_protocol_2 - F bro 12 | #close 2016-06-24-11-58-47 13 | -------------------------------------------------------------------------------- /EIP/EIP-FirmwareChangeFailure/.state/state.bst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/EIP/EIP-FirmwareChangeFailure/.state/state.bst -------------------------------------------------------------------------------- 
/EIP/EIP-FirmwareChangeFailure/EIP-FirmwareChangeFailure.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:92d6750bce5916b42f5e874e8d6cd46176419db502975cca024023d21201a43f 3 | size 3101211 4 | -------------------------------------------------------------------------------- /EIP/EIP-FirmwareChangeFailure/conn.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path conn 6 | #open 2016-06-24-11-58-47 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents 8 | #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 9 | 1220395619.284557 CkC4VV1ui6mkRgBSk4 192.168.10.120 44818 192.168.10.105 1093 tcp - 28.999588 262477 2097660 OTH - - 0 AadD 5302 474556 5253 2307780 (empty) 10 | #close 2016-06-24-11-58-47 11 | -------------------------------------------------------------------------------- /EIP/EIP-FirmwareChangeFailure/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-11-58-47 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466794727.645383 bro ip or not ip T T 10 | #close 2016-06-24-11-58-47 11 | -------------------------------------------------------------------------------- /EIP/EIP-FirmwareChangeFailure/weird.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path 
weird 6 | #open 2016-06-24-11-58-47 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer 8 | #types time string addr port addr port string string bool string 9 | 1220395617.707508 - - - - - truncated_IP - F bro 10 | 1220395618.584528 - - - - - unknown_packet_type - F bro 11 | #close 2016-06-24-11-58-47 12 | -------------------------------------------------------------------------------- /EIP/EIP-IPAddressChangeAttempt/.state/state.bst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/EIP/EIP-IPAddressChangeAttempt/.state/state.bst -------------------------------------------------------------------------------- /EIP/EIP-IPAddressChangeAttempt/EIP-IPAddressChangeAttempt.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:5eb6a8ee92966600b622a393d95b3cfdee4ce131c9653f1af0077199c9bcb473 3 | size 2078478 4 | -------------------------------------------------------------------------------- /EIP/EIP-IPAddressChangeAttempt/dhcp.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path dhcp 6 | #open 2016-06-24-11-58-48 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p mac assigned_ip lease_time trans_id 8 | #types time string addr port addr port string addr interval count 9 | 1226525402.931824 CFrfOk4OGOpxSq9Gdl 255.255.255.255 68 192.168.10.105 67 00:e0:62:60:35:d0 192.168.10.131 4.294967e+09 2882338836 10 | #close 2016-06-24-11-58-48 11 | -------------------------------------------------------------------------------- /EIP/EIP-IPAddressChangeAttempt/dns.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field 
(empty) 4 | #unset_field - 5 | #path dns 6 | #open 2016-06-24-11-58-48 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected 8 | #types time string addr port addr port enum count string count string count string count string bool bool bool bool count vector[string] vector[interval] bool 9 | 1226525258.081936 CIpaGn13MQ0Pn2Qfg2 192.168.10.22 137 192.168.10.255 137 udp 38790 DBLICENSESERVER 1 C_INTERNET 32 NB - - F F T F 1 - - F 10 | 1226525258.081991 CbYc4L3s7Xc0gwxvR3 192.168.10.22 137 192.168.10.105 137 udp 38790 - - - - - 0 NOERROR F F F F 0 - - F 11 | 1226525359.279888 CEqcy913SopvGWqhoa 192.168.10.21 137 192.168.10.255 137 udp 47137 DBLICENSESERVER 1 C_INTERNET 32 NB - - F F T F 1 - - F 12 | 1226525359.280667 Cp7HEb3YN3w8fgz8Q6 192.168.10.21 137 192.168.10.105 137 udp 47137 - - - - - 0 NOERROR F F F F 0 - - F 13 | 1226525366.552005 CowqDyFs9UpWu4zUl 192.168.10.24 137 192.168.10.255 137 udp 35955 DBLICENSESERVER 1 C_INTERNET 32 NB - - F F T F 1 - - F 14 | 1226525366.552412 CUztAJGUm8NEQM0jg 192.168.10.24 137 192.168.10.105 137 udp 35955 - - - - - 0 NOERROR F F F F 0 - - F 15 | #close 2016-06-24-11-58-48 16 | -------------------------------------------------------------------------------- /EIP/EIP-IPAddressChangeAttempt/dpd.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path dpd 6 | #open 2016-06-24-11-58-48 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto analyzer failure_reason 8 | #types time string addr port addr port enum string string 9 | 1226525424.490850 Cd2OYZ34MF0lYiTD85 0.0.0.0 68 255.255.255.255 67 udp DHCP no DHCP message type option 10 | 1226525424.491001 CFrfOk4OGOpxSq9Gdl 255.255.255.255 68 192.168.10.105 67 udp DHCP no DHCP message type option 11 | #close 2016-06-24-11-58-48 12 | 
-------------------------------------------------------------------------------- /EIP/EIP-IPAddressChangeAttempt/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-11-58-48 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466794728.109600 bro ip or not ip T T 10 | #close 2016-06-24-11-58-48 11 | -------------------------------------------------------------------------------- /EIP/EIP-IPAddressChangeAttempt/weird.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path weird 6 | #open 2016-06-24-11-58-48 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer 8 | #types time string addr port addr port string string bool string 9 | 1226525233.630742 - - - - - truncated_IP - F bro 10 | 1226525250.125128 - - - - - unknown_packet_type - F bro 11 | 1226525258.081991 CbYc4L3s7Xc0gwxvR3 192.168.10.22 137 192.168.10.105 137 dns_unmatched_reply - F bro 12 | 1226525268.342247 - - - - - dns_unmatched_msg - F bro 13 | 1226525268.342247 - - - - - dns_unmatched_msg - F bro 14 | 1226525345.194389 - - - - - unknown_protocol_2 - F bro 15 | 1226525359.280667 Cp7HEb3YN3w8fgz8Q6 192.168.10.21 137 192.168.10.105 137 dns_unmatched_reply - F bro 16 | 1226525366.552412 CUztAJGUm8NEQM0jg 192.168.10.24 137 192.168.10.105 137 dns_unmatched_reply - F bro 17 | 1226525369.281797 - - - - - dns_unmatched_msg - F bro 18 | 1226525369.281797 - - - - - dns_unmatched_msg - F bro 19 | 1226525376.565559 - - - - - dns_unmatched_msg - F bro 20 | 1226525376.565559 - - - - - dns_unmatched_msg - F bro 21 | #close 2016-06-24-11-58-48 22 | -------------------------------------------------------------------------------- 
/EIP/EIP-LockPLCAttempt/.state/state.bst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/EIP/EIP-LockPLCAttempt/.state/state.bst -------------------------------------------------------------------------------- /EIP/EIP-LockPLCAttempt/EIP-LockPLCAttempt.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:f3c0648be9d23856140aea55f6e2a94b0121ff9a67c4642e0033f03e7ffaf995 3 | size 1132704 4 | -------------------------------------------------------------------------------- /EIP/EIP-LockPLCAttempt/conn.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path conn 6 | #open 2016-06-24-11-58-48 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents 8 | #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 9 | 1231968288.608135 CXs7Ly1wjyDOBnDdh2 192.168.10.105 1054 192.168.10.120 44818 tcp - 43.527389 19719 27081 OTH - - 0 DadA 259 30079 260 37481 (empty) 10 | 1231968288.596607 CWCa8149QzVCk5Ggq9 192.168.10.230 1592 192.168.10.106 443 tcp - 43.476882 0 959596 OTH - - 0 da 0 0 1076 1002636 (empty) 11 | 1231968310.640644 C6OI9DMetbmMlKdMc 192.168.10.22 8 192.168.10.105 0 icmp - 0.003157 224 224 OTH - - 0 - 4 336 4 336 (empty) 12 | #close 2016-06-24-11-58-48 13 | -------------------------------------------------------------------------------- /EIP/EIP-LockPLCAttempt/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | 
#set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-11-58-48 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466794728.351181 bro ip or not ip T T 10 | #close 2016-06-24-11-58-48 11 | -------------------------------------------------------------------------------- /EIP/EIP-LockPLCAttempt/weird.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path weird 6 | #open 2016-06-24-11-58-48 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer 8 | #types time string addr port addr port string string bool string 9 | 1231968289.218756 - - - - - unknown_packet_type - F bro 10 | 1231968290.232411 - - - - - truncated_IP - F bro 11 | #close 2016-06-24-11-58-48 12 | -------------------------------------------------------------------------------- /EIP/EIP-RebootorRestart/.state/state.bst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/EIP/EIP-RebootorRestart/.state/state.bst -------------------------------------------------------------------------------- /EIP/EIP-RebootorRestart/EIP-RebootorRestart.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:57af017500d9c00d0d9e45e2e9c6a489be0f840efa1db08d86d3cebae9c67cb2 3 | size 147121 4 | -------------------------------------------------------------------------------- /EIP/EIP-RebootorRestart/conn.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path conn 6 | #open 2016-06-24-11-58-48 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto 
service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents 8 | #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 9 | 1224798438.317086 Cw5Tdm377IZcR5Ok 192.168.10.120 44818 192.168.10.105 2927 tcp - 29.763693 41496 36996 OTH - - 0 AadD 482 60775 471 55836 (empty) 10 | #close 2016-06-24-11-58-48 11 | -------------------------------------------------------------------------------- /EIP/EIP-RebootorRestart/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-11-58-48 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466794728.572914 bro ip or not ip T T 10 | #close 2016-06-24-11-58-48 11 | -------------------------------------------------------------------------------- /EIP/EIP-RebootorRestart/weird.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path weird 6 | #open 2016-06-24-11-58-48 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer 8 | #types time string addr port addr port string string bool string 9 | 1224798431.839392 - - - - - truncated_IP - F bro 10 | 1224798451.548424 - - - - - unknown_packet_type - F bro 11 | #close 2016-06-24-11-58-48 12 | -------------------------------------------------------------------------------- /EIP/EIP-RemoteModeChangeAttempt/.state/state.bst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/EIP/EIP-RemoteModeChangeAttempt/.state/state.bst 
-------------------------------------------------------------------------------- /EIP/EIP-RemoteModeChangeAttempt/EIP-RemoteModeChangeAttempt.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:71aec9602f668ec7505d1d0e63d037213bfcd555ce3e7eca257b475bbe9cbe7c 3 | size 130854 4 | -------------------------------------------------------------------------------- /EIP/EIP-RemoteModeChangeAttempt/dns.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path dns 6 | #open 2016-06-24-11-58-48 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected 8 | #types time string addr port addr port enum count string count string count string count string bool bool bool bool count vector[string] vector[interval] bool 9 | 1251746662.237127 CtIuSB1U0rcr5nlHQf 192.168.10.21 137 192.168.10.255 137 udp 43109 WIN2K3LAB023 1 C_INTERNET 32 NB - - F F T F 1 - - F 10 | 1251746695.564753 CJuq1C1pe5M7kFY2wg 192.168.10.107 137 192.168.10.255 137 udp 40778 WIN2K3LAB021 1 C_INTERNET 32 NB - - F F T F 1 - - F 11 | 1251746695.565365 CjCU4BrfTYu36lXug 192.168.10.107 137 192.168.10.21 137 udp 40778 - - - - - 0 NOERROR F F F F 0 - - F 12 | #close 2016-06-24-11-58-48 13 | -------------------------------------------------------------------------------- /EIP/EIP-RemoteModeChangeAttempt/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-11-58-48 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466794728.793699 bro ip or not ip T T 10 | #close 2016-06-24-11-58-48 11 | 
-------------------------------------------------------------------------------- /EIP/EIP-RemoteModeChangeAttempt/weird.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path weird 6 | #open 2016-06-24-11-58-48 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer 8 | #types time string addr port addr port string string bool string 9 | 1251746658.611803 - - - - - unknown_packet_type - F bro 10 | 1251746659.625874 - - - - - truncated_IP - F bro 11 | 1251746672.239952 - - - - - dns_unmatched_msg - F bro 12 | 1251746695.565365 CjCU4BrfTYu36lXug 192.168.10.107 137 192.168.10.21 137 dns_unmatched_reply - F bro 13 | 1251746695.566875 CvLxlBAgX3ohQanT7 192.168.10.21 139 192.168.10.107 3503 connection_originator_SYN_ack - F bro 14 | 1251746695.568168 CvLxlBAgX3ohQanT7 192.168.10.21 139 192.168.10.107 3503 data_before_established - F bro 15 | 1251746704.730112 - - - - - dns_unmatched_msg - F bro 16 | 1251746704.730112 - - - - - dns_unmatched_msg - F bro 17 | #close 2016-06-24-11-58-48 18 | -------------------------------------------------------------------------------- /EIP/EIP-SoftwareDownload/.state/state.bst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/EIP/EIP-SoftwareDownload/.state/state.bst -------------------------------------------------------------------------------- /EIP/EIP-SoftwareDownload/EIP-SoftwareDownload.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:57af017500d9c00d0d9e45e2e9c6a489be0f840efa1db08d86d3cebae9c67cb2 3 | size 147121 4 | -------------------------------------------------------------------------------- /EIP/EIP-SoftwareDownload/conn.log: 
-------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path conn 6 | #open 2016-06-24-11-58-49 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents 8 | #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 9 | 1224798438.317086 CRXtzJ4XJWFpJR029 192.168.10.120 44818 192.168.10.105 2927 tcp - 29.763693 41496 36996 OTH - - 0 AadD 482 60775 471 55836 (empty) 10 | #close 2016-06-24-11-58-49 11 | -------------------------------------------------------------------------------- /EIP/EIP-SoftwareDownload/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-11-58-49 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466794729.234109 bro ip or not ip T T 10 | #close 2016-06-24-11-58-49 11 | -------------------------------------------------------------------------------- /EIP/EIP-SoftwareDownload/weird.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path weird 6 | #open 2016-06-24-11-58-49 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer 8 | #types time string addr port addr port string string bool string 9 | 1224798431.839392 - - - - - truncated_IP - F bro 10 | 1224798451.548424 - - - - - unknown_packet_type - F bro 11 | #close 2016-06-24-11-58-49 12 | -------------------------------------------------------------------------------- 
/EIP/EIP-SoftwareDownloadFailure/.state/state.bst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/EIP/EIP-SoftwareDownloadFailure/.state/state.bst -------------------------------------------------------------------------------- /EIP/EIP-SoftwareDownloadFailure/EIP-SoftwareDownloadFailure.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:4057ac0c1d3f4a101b751661b49272d9fb1c8d3c9e82dc2706950272c81fbb93 3 | size 7333 4 | -------------------------------------------------------------------------------- /EIP/EIP-SoftwareDownloadFailure/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-11-58-49 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466794729.014408 bro ip or not ip T T 10 | #close 2016-06-24-11-58-49 11 | -------------------------------------------------------------------------------- /EIP/EIP-SoftwareDownloadFailure/weird.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path weird 6 | #open 2016-06-24-11-58-49 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer 8 | #types time string addr port addr port string string bool string 9 | 1226527627.759481 - - - - - truncated_IP - F bro 10 | 1226527636.979071 - - - - - unknown_packet_type - F bro 11 | 1226527657.046977 - - - - - unknown_protocol_2 - F bro 12 | #close 2016-06-24-11-58-49 13 | -------------------------------------------------------------------------------- /EIP/EIP-SoftwareUpload/.state/state.bst: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/EIP/EIP-SoftwareUpload/.state/state.bst -------------------------------------------------------------------------------- /EIP/EIP-SoftwareUpload/EIP-SoftwareUpload.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:8439230c8c1a3e824fc8e5f0637160ad6d88fcd78cae94c60c1e6f9df9358f57 3 | size 129648 4 | -------------------------------------------------------------------------------- /EIP/EIP-SoftwareUpload/conn.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path conn 6 | #open 2016-06-24-11-58-49 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents 8 | #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 9 | 1224798651.305335 CK9B6T3Vg2LMmImRih 192.168.10.120 44818 192.168.10.105 2927 tcp - 26.350733 36304 27934 OTH - - 0 AadD 454 54463 447 45814 (empty) 10 | #close 2016-06-24-11-58-49 11 | -------------------------------------------------------------------------------- /EIP/EIP-SoftwareUpload/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-11-58-49 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466794729.666112 bro ip or not ip T T 10 | #close 2016-06-24-11-58-49 11 | 
-------------------------------------------------------------------------------- /EIP/EIP-SoftwareUpload/weird.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path weird 6 | #open 2016-06-24-11-58-49 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer 8 | #types time string addr port addr port string string bool string 9 | 1224798645.266348 - - - - - truncated_IP - F bro 10 | 1224798659.075226 - - - - - unknown_packet_type - F bro 11 | #close 2016-06-24-11-58-49 12 | -------------------------------------------------------------------------------- /EIP/EIP-SoftwareUploadFailure/.state/state.bst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/EIP/EIP-SoftwareUploadFailure/.state/state.bst -------------------------------------------------------------------------------- /EIP/EIP-SoftwareUploadFailure/EIP-SoftwareUploadFailure.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:bac99b724f5ba0394c4f920ea5feae4a54a265fa112ed2289d43b33ee6cf9fe3 3 | size 15878 4 | -------------------------------------------------------------------------------- /EIP/EIP-SoftwareUploadFailure/conn.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path conn 6 | #open 2016-06-24-11-58-49 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents 8 | #types time string addr port addr port enum string interval count count string bool bool 
count string count count count count set[string] 9 | 1226527900.973628 CP8YRn35ONHoXYmc52 1.1.1.1 138 1.1.1.255 138 udp - - - - S0 - - 0 D 1 241 0 0 (empty) 10 | 1226527998.048074 Ct2vAI1YVyi4FAzDn2 192.168.10.22 137 192.168.10.255 137 udp dns - - - S0 - - 0 D 1 78 0 0 (empty) 11 | 1226527998.048096 CYxfQI1V4wRt5VRVQl 1.1.1.1 137 1.1.1.255 137 udp dns 1.499676 150 0 S0 - - 0 D 3 234 0 0 (empty) 12 | #close 2016-06-24-11-58-49 13 | -------------------------------------------------------------------------------- /EIP/EIP-SoftwareUploadFailure/dns.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path dns 6 | #open 2016-06-24-11-58-49 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected 8 | #types time string addr port addr port enum count string count string count string count string bool bool bool bool count vector[string] vector[interval] bool 9 | 1226527998.048074 Ct2vAI1YVyi4FAzDn2 192.168.10.22 137 192.168.10.255 137 udp 38810 WIN2K3LAB024 1 C_INTERNET 32 NB - - F F T F 1 - - F 10 | 1226527998.048096 CYxfQI1V4wRt5VRVQl 1.1.1.1 137 1.1.1.255 137 udp 38811 WIN2K3LAB024 1 C_INTERNET 32 NB - - F F T F 1 - - F 11 | 1226527998.797854 CYxfQI1V4wRt5VRVQl 1.1.1.1 137 1.1.1.255 137 udp 38811 WIN2K3LAB024 1 C_INTERNET 32 NB - - F F T F 1 - - F 12 | 1226527999.547772 CYxfQI1V4wRt5VRVQl 1.1.1.1 137 1.1.1.255 137 udp 38811 WIN2K3LAB024 1 C_INTERNET 32 NB - - F F T F 1 - - F 13 | #close 2016-06-24-11-58-49 14 | -------------------------------------------------------------------------------- /EIP/EIP-SoftwareUploadFailure/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 
2016-06-24-11-58-49 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466794729.446377 bro ip or not ip T T 10 | #close 2016-06-24-11-58-49 11 | -------------------------------------------------------------------------------- /EIP/EIP-SoftwareUploadFailure/weird.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path weird 6 | #open 2016-06-24-11-58-49 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer 8 | #types time string addr port addr port string string bool string 9 | 1226527810.986146 - - - - - truncated_IP - F bro 10 | 1226527822.977430 - - - - - unknown_packet_type - F bro 11 | 1226527929.046096 - - - - - unknown_protocol_2 - F bro 12 | 1226528008.346740 - - - - - dns_unmatched_msg - F bro 13 | 1226528018.388663 - - - - - dns_unmatched_msg - F bro 14 | #close 2016-06-24-11-58-49 15 | -------------------------------------------------------------------------------- /EIP/EIP-UnlockPLCAttempt/.state/state.bst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/EIP/EIP-UnlockPLCAttempt/.state/state.bst -------------------------------------------------------------------------------- /EIP/EIP-UnlockPLCAttempt/EIP-UnlockPLCAttempt.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:f3c0648be9d23856140aea55f6e2a94b0121ff9a67c4642e0033f03e7ffaf995 3 | size 1132704 4 | -------------------------------------------------------------------------------- /EIP/EIP-UnlockPLCAttempt/conn.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path conn 6 | 
#open 2016-06-24-11-58-49 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents 8 | #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 9 | 1231968288.608135 CqZLfr4siyxQNWEMbh 192.168.10.105 1054 192.168.10.120 44818 tcp - 43.527389 19719 27081 OTH - - 0 DadA 259 30079 260 37481 (empty) 10 | 1231968288.596607 CuoNZO2Vlb4DO0uN9f 192.168.10.230 1592 192.168.10.106 443 tcp - 43.476882 0 959596 OTH - - 0 da 0 0 1076 1002636 (empty) 11 | 1231968310.640644 C5rEEx2Ut2lNd8K5Md 192.168.10.22 8 192.168.10.105 0 icmp - 0.003157 224 224 OTH - - 0 - 4 336 4 336 (empty) 12 | #close 2016-06-24-11-58-49 13 | -------------------------------------------------------------------------------- /EIP/EIP-UnlockPLCAttempt/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-11-58-49 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466794729.881523 bro ip or not ip T T 10 | #close 2016-06-24-11-58-49 11 | -------------------------------------------------------------------------------- /EIP/EIP-UnlockPLCAttempt/weird.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path weird 6 | #open 2016-06-24-11-58-49 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer 8 | #types time string addr port addr port string string bool string 9 | 1231968289.218756 - - - - - unknown_packet_type - F bro 10 | 1231968290.232411 - - - - - truncated_IP - F bro 11 | #close 2016-06-24-11-58-49 12 | 
-------------------------------------------------------------------------------- /EIP/EIP-ViewDeviceStatus/.state/state.bst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/EIP/EIP-ViewDeviceStatus/.state/state.bst -------------------------------------------------------------------------------- /EIP/EIP-ViewDeviceStatus/EIP-ViewDeviceStatus.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:ffec60115587d9c79fd8e6daa712ea868635a0c31ed02bf43e53c76a834b5b01 3 | size 2389 4 | -------------------------------------------------------------------------------- /EIP/EIP-ViewDeviceStatus/conn.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path conn 6 | #open 2016-06-24-11-58-50 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents 8 | #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 9 | 1252963725.444796 CMraNv4wWeqkN9j4g4 192.168.10.204 1413 192.168.10.140 20000 tcp dnp3_tcp 1.049805 15 17 SF - - 0 ShADadFf 8 343 7 322 (empty) 10 | 1252963725.788546 CJpD273TU61SCYy0H6 192.168.10.204 1400 192.168.10.21 5450 tcp - 9.006836 60 140 OTH - - 0 DdA 10 460 5 340 (empty) 11 | #close 2016-06-24-11-58-50 12 | -------------------------------------------------------------------------------- /EIP/EIP-ViewDeviceStatus/dnp3.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 
| #path dnp3 6 | #open 2016-06-24-11-58-50 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fc_request fc_reply iin 8 | #types time string addr port addr port string string count 9 | 1252963725.960421 CMraNv4wWeqkN9j4g4 192.168.10.204 1413 192.168.10.140 20000 READ RESPONSE 36866 10 | #close 2016-06-24-11-58-50 11 | -------------------------------------------------------------------------------- /EIP/EIP-ViewDeviceStatus/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-11-58-50 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466794730.099608 bro ip or not ip T T 10 | #close 2016-06-24-11-58-50 11 | -------------------------------------------------------------------------------- /ETHERCAT/ethercat/.state/state.bst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/ETHERCAT/ethercat/.state/state.bst -------------------------------------------------------------------------------- /ETHERCAT/ethercat/ethercat.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:c2c5699ebed47a578e16558b4932ec941cfb16604ff6de0ee42ff5027a24dd37 3 | size 157462 4 | -------------------------------------------------------------------------------- /ETHERCAT/ethercat/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-11-47-07 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466794027.174627 bro ip or not ip T T 10 | #close 2016-06-24-11-47-07 
11 | -------------------------------------------------------------------------------- /ETHERCAT/ethercat/weird.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path weird 6 | #open 2016-06-24-11-47-07 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer 8 | #types time string addr port addr port string string bool string 9 | 1189592331.278522 - - - - - unknown_packet_type - F bro 10 | 1189592331.279360 - - - - - truncated_header - F bro 11 | 1189592331.279367 - - - - - truncated_IP - F bro 12 | 1189592331.279816 - - - - - unknown_protocol_48 - F bro 13 | 1189592331.536104 - - - - - unknown_protocol_2 - F bro 14 | #close 2016-06-24-11-47-07 15 | -------------------------------------------------------------------------------- /ETHERNET_IP/.DS_Store: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/ETHERNET_IP/.DS_Store -------------------------------------------------------------------------------- /ETHERNET_IP/digitalbond pcaps/CL5000EIP-Change-Date-Attempt/.state/state.bst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/ETHERNET_IP/digitalbond pcaps/CL5000EIP-Change-Date-Attempt/.state/state.bst -------------------------------------------------------------------------------- /ETHERNET_IP/digitalbond pcaps/CL5000EIP-Change-Date-Attempt/CL5000EIP-Change-Date-Attempt.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:0a29fc866bbb266e34a8cd858c4b8d5a5e1a04cfddddcaeedf66bbc3b5177432 3 | size 57778 4 | 
-------------------------------------------------------------------------------- /ETHERNET_IP/digitalbond pcaps/CL5000EIP-Change-Date-Attempt/conn.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path conn 6 | #open 2016-06-24-12-07-26 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents 8 | #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 9 | 1224804548.739740 CbxBqc2xvSi72jiwrk 192.168.10.105 3033 192.168.10.120 44818 tcp - 20.296440 13826 18040 OTH - - 0 ADad 176 20866 175 25040 (empty) 10 | #close 2016-06-24-12-07-26 11 | -------------------------------------------------------------------------------- /ETHERNET_IP/digitalbond pcaps/CL5000EIP-Change-Date-Attempt/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-12-07-26 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466795246.017712 bro ip or not ip T T 10 | #close 2016-06-24-12-07-26 11 | -------------------------------------------------------------------------------- /ETHERNET_IP/digitalbond pcaps/CL5000EIP-Change-Date-Attempt/weird.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path weird 6 | #open 2016-06-24-12-07-26 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer 8 | #types time string addr port addr port string string bool string 9 | 1224804549.133968 - - - 
- - truncated_IP - F bro 10 | 1224804558.254386 - - - - - unknown_packet_type - F bro 11 | #close 2016-06-24-12-07-26 12 | -------------------------------------------------------------------------------- /ETHERNET_IP/digitalbond pcaps/CL5000EIP-Change-Port-Configuration-Attempt/.state/state.bst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/ETHERNET_IP/digitalbond pcaps/CL5000EIP-Change-Port-Configuration-Attempt/.state/state.bst -------------------------------------------------------------------------------- /ETHERNET_IP/digitalbond pcaps/CL5000EIP-Change-Port-Configuration-Attempt/CL5000EIP-Change-Port-Configuration-Attempt.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:5016803f957b1c6ed09f4cf28787bffcc42684dc18bf61620f6edc7e29d3aa64 3 | size 4094337 4 | -------------------------------------------------------------------------------- /ETHERNET_IP/digitalbond pcaps/CL5000EIP-Change-Port-Configuration-Attempt/conn.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path conn 6 | #open 2016-06-24-12-07-26 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents 8 | #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 9 | 1253250236.316934 Cd57kH1FjDOfMAahp9 192.168.10.200 56493 192.168.10.106 443 tcp - 55.104161 0 3809604 OTH - - 0 da 0 0 2950 3986716 (empty) 10 | 1253250242.209193 CdhToo1KY3KU3Q6kWh 192.168.10.121 44818 192.168.10.105 1402 tcp - 42.500541 447 392 OTH - - 0 
AadD 17 1126 17 1072 (empty) 11 | 1253250278.611838 C8k8d84lCRrY1Xz4Gk 192.168.10.21 138 192.168.10.255 138 udp - - - - S0 - - 0 D 1 229 0 0 (empty) 12 | 1253250249.181539 C4Kwbq4Nx3XOa7tWug 192.168.10.62 32768 192.168.10.249 6000 udp - 29.998725 288 0 S0 - - 0 D 2 344 0 0 (empty) 13 | #close 2016-06-24-12-07-26 14 | -------------------------------------------------------------------------------- /ETHERNET_IP/digitalbond pcaps/CL5000EIP-Change-Port-Configuration-Attempt/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-12-07-26 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466795246.231729 bro ip or not ip T T 10 | #close 2016-06-24-12-07-26 11 | -------------------------------------------------------------------------------- /ETHERNET_IP/digitalbond pcaps/CL5000EIP-Change-Port-Configuration-Attempt/weird.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path weird 6 | #open 2016-06-24-12-07-26 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer 8 | #types time string addr port addr port string string bool string 9 | 1253250237.118755 - - - - - unknown_packet_type - F bro 10 | 1253250237.118757 - - - - - truncated_IP - F bro 11 | #close 2016-06-24-12-07-26 12 | -------------------------------------------------------------------------------- /ETHERNET_IP/digitalbond pcaps/CL5000EIP-Change-Time-Attempt/.state/state.bst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/ETHERNET_IP/digitalbond pcaps/CL5000EIP-Change-Time-Attempt/.state/state.bst 
-------------------------------------------------------------------------------- /ETHERNET_IP/digitalbond pcaps/CL5000EIP-Change-Time-Attempt/CL5000EIP-Change-Time-Attempt.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:419ea677cc2aa5d0633eaca5adfd929217f8fbf88c89acb18f847b58bf404b10 3 | size 115764 4 | -------------------------------------------------------------------------------- /ETHERNET_IP/digitalbond pcaps/CL5000EIP-Change-Time-Attempt/conn.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path conn 6 | #open 2016-06-24-12-07-26 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents 8 | #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 9 | 1224804417.531888 CBHmPl30GQLmDGTYVi 192.168.10.105 3033 192.168.10.120 44818 tcp - 40.180741 27434 36377 OTH - - 0 DadA 348 41354 354 50537 (empty) 10 | #close 2016-06-24-12-07-26 11 | -------------------------------------------------------------------------------- /ETHERNET_IP/digitalbond pcaps/CL5000EIP-Change-Time-Attempt/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-12-07-26 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466795246.457632 bro ip or not ip T T 10 | #close 2016-06-24-12-07-26 11 | -------------------------------------------------------------------------------- /ETHERNET_IP/digitalbond 
pcaps/CL5000EIP-Change-Time-Attempt/weird.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path weird 6 | #open 2016-06-24-12-07-26 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer 8 | #types time string addr port addr port string string bool string 9 | 1224804418.243622 - - - - - truncated_IP - F bro 10 | 1224804419.355180 - - - - - unknown_packet_type - F bro 11 | #close 2016-06-24-12-07-26 12 | -------------------------------------------------------------------------------- /ETHERNET_IP/digitalbond pcaps/CL5000EIP-Control-Protocol-Change-Attempt/.state/state.bst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/ETHERNET_IP/digitalbond pcaps/CL5000EIP-Control-Protocol-Change-Attempt/.state/state.bst -------------------------------------------------------------------------------- /ETHERNET_IP/digitalbond pcaps/CL5000EIP-Control-Protocol-Change-Attempt/CL5000EIP-Control-Protocol-Change-Attempt.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:66479850e1c98ce63cb7365d1cb76c475d6f88fa4e363ac9973101e2835edfc4 3 | size 663995 4 | -------------------------------------------------------------------------------- /ETHERNET_IP/digitalbond pcaps/CL5000EIP-Control-Protocol-Change-Attempt/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-12-07-26 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466795246.671253 bro ip or not ip T T 10 | #close 2016-06-24-12-07-26 11 | 
-------------------------------------------------------------------------------- /ETHERNET_IP/digitalbond pcaps/CL5000EIP-Control-Protocol-Change-Attempt/weird.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path weird 6 | #open 2016-06-24-12-07-26 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer 8 | #types time string addr port addr port string string bool string 9 | 1226509330.490562 - - - - - truncated_IP - F bro 10 | 1226509347.838436 - - - - - unknown_packet_type - F bro 11 | 1226509416.736820 Co4kEc1HfkzTMFAlsh 192.168.10.22 137 192.168.10.105 137 dns_unmatched_reply - F bro 12 | 1226509426.738509 - - - - - dns_unmatched_msg - F bro 13 | 1226509426.738509 - - - - - dns_unmatched_msg - F bro 14 | 1226509433.907015 - - - - - unknown_protocol_2 - F bro 15 | 1226509517.950699 ClSnWE3ZOMy9LOL5C6 192.168.10.21 137 192.168.10.105 137 dns_unmatched_reply - F bro 16 | 1226509525.222398 CTAmjb143GtpgwANK3 192.168.10.24 137 192.168.10.105 137 dns_unmatched_reply - F bro 17 | 1226509527.967873 - - - - - dns_unmatched_msg - F bro 18 | 1226509527.967873 - - - - - dns_unmatched_msg - F bro 19 | 1226509535.379796 - - - - - dns_unmatched_msg - F bro 20 | 1226509535.379796 - - - - - dns_unmatched_msg - F bro 21 | #close 2016-06-24-12-07-26 22 | -------------------------------------------------------------------------------- /ETHERNET_IP/digitalbond pcaps/CL5000EIP-Firmware-Change-Failure/.state/state.bst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/ETHERNET_IP/digitalbond pcaps/CL5000EIP-Firmware-Change-Failure/.state/state.bst -------------------------------------------------------------------------------- /ETHERNET_IP/digitalbond 
pcaps/CL5000EIP-Firmware-Change-Failure/CL5000EIP-Firmware-Change-Failure.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:92d6750bce5916b42f5e874e8d6cd46176419db502975cca024023d21201a43f 3 | size 3101211 4 | -------------------------------------------------------------------------------- /ETHERNET_IP/digitalbond pcaps/CL5000EIP-Firmware-Change-Failure/conn.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path conn 6 | #open 2016-06-24-12-07-26 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents 8 | #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 9 | 1220395619.284557 CaVuB239ofrRBofXKd 192.168.10.120 44818 192.168.10.105 1093 tcp - 28.999588 262477 2097660 OTH - - 0 AadD 5302 474556 5253 2307780 (empty) 10 | #close 2016-06-24-12-07-26 11 | -------------------------------------------------------------------------------- /ETHERNET_IP/digitalbond pcaps/CL5000EIP-Firmware-Change-Failure/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-12-07-26 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466795246.898443 bro ip or not ip T T 10 | #close 2016-06-24-12-07-26 11 | -------------------------------------------------------------------------------- /ETHERNET_IP/digitalbond pcaps/CL5000EIP-Firmware-Change-Failure/weird.log: 
-------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path weird 6 | #open 2016-06-24-12-07-26 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer 8 | #types time string addr port addr port string string bool string 9 | 1220395617.707508 - - - - - truncated_IP - F bro 10 | 1220395618.584528 - - - - - unknown_packet_type - F bro 11 | #close 2016-06-24-12-07-26 12 | -------------------------------------------------------------------------------- /ETHERNET_IP/digitalbond pcaps/CL5000EIP-Firmware-Change/.state/state.bst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/ETHERNET_IP/digitalbond pcaps/CL5000EIP-Firmware-Change/.state/state.bst -------------------------------------------------------------------------------- /ETHERNET_IP/digitalbond pcaps/CL5000EIP-Firmware-Change/CL5000EIP-Firmware-Change.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:3d0f3ea89f8eb56c379c56a915cfd9c469f61f0ee690c66234a92d9c88e37201 3 | size 3114279 4 | -------------------------------------------------------------------------------- /ETHERNET_IP/digitalbond pcaps/CL5000EIP-Firmware-Change/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-12-07-27 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466795247.135981 bro ip or not ip T T 10 | #close 2016-06-24-12-07-27 11 | -------------------------------------------------------------------------------- /ETHERNET_IP/digitalbond 
pcaps/CL5000EIP-Firmware-Change/weird.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path weird 6 | #open 2016-06-24-12-07-27 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer 8 | #types time string addr port addr port string string bool string 9 | 1220389077.730685 - - - - - truncated_IP - F bro 10 | 1220389077.874879 - - - - - unknown_packet_type - F bro 11 | 1220389159.743247 - - - - - unknown_protocol_2 - F bro 12 | #close 2016-06-24-12-07-27 13 | -------------------------------------------------------------------------------- /ETHERNET_IP/digitalbond pcaps/CL5000EIP-IP-Address-Change-Attempt/.state/state.bst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/ETHERNET_IP/digitalbond pcaps/CL5000EIP-IP-Address-Change-Attempt/.state/state.bst -------------------------------------------------------------------------------- /ETHERNET_IP/digitalbond pcaps/CL5000EIP-IP-Address-Change-Attempt/CL5000EIP-IP-Address-Change-Attempt.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:5eb6a8ee92966600b622a393d95b3cfdee4ce131c9653f1af0077199c9bcb473 3 | size 2078478 4 | -------------------------------------------------------------------------------- /ETHERNET_IP/digitalbond pcaps/CL5000EIP-IP-Address-Change-Attempt/dhcp.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path dhcp 6 | #open 2016-06-24-12-07-27 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p mac assigned_ip lease_time trans_id 8 | #types time string addr port addr port string addr interval count 9 | 
1226525402.931824 Cv402ee8wwqLZ0dmd 255.255.255.255 68 192.168.10.105 67 00:e0:62:60:35:d0 192.168.10.131 4.294967e+09 2882338836 10 | #close 2016-06-24-12-07-27 11 | -------------------------------------------------------------------------------- /ETHERNET_IP/digitalbond pcaps/CL5000EIP-IP-Address-Change-Attempt/dpd.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path dpd 6 | #open 2016-06-24-12-07-27 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto analyzer failure_reason 8 | #types time string addr port addr port enum string string 9 | 1226525424.490850 Ce8MMC1PQLdbLpKudb 0.0.0.0 68 255.255.255.255 67 udp DHCP no DHCP message type option 10 | 1226525424.491001 Cv402ee8wwqLZ0dmd 255.255.255.255 68 192.168.10.105 67 udp DHCP no DHCP message type option 11 | #close 2016-06-24-12-07-27 12 | -------------------------------------------------------------------------------- /ETHERNET_IP/digitalbond pcaps/CL5000EIP-IP-Address-Change-Attempt/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-12-07-27 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466795247.364873 bro ip or not ip T T 10 | #close 2016-06-24-12-07-27 11 | -------------------------------------------------------------------------------- /ETHERNET_IP/digitalbond pcaps/CL5000EIP-IP-Address-Change-Attempt/weird.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path weird 6 | #open 2016-06-24-12-07-27 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer 8 | #types time string addr port addr port string 
string bool string 9 | 1226525233.630742 - - - - - truncated_IP - F bro 10 | 1226525250.125128 - - - - - unknown_packet_type - F bro 11 | 1226525258.081991 Ch0cRWb7fGpbdF74k 192.168.10.22 137 192.168.10.105 137 dns_unmatched_reply - F bro 12 | 1226525268.342247 - - - - - dns_unmatched_msg - F bro 13 | 1226525268.342247 - - - - - dns_unmatched_msg - F bro 14 | 1226525345.194389 - - - - - unknown_protocol_2 - F bro 15 | 1226525359.280667 CPpfk5cJkuUflHh8j 192.168.10.21 137 192.168.10.105 137 dns_unmatched_reply - F bro 16 | 1226525366.552412 CaLLGT3FpBJDoyPA67 192.168.10.24 137 192.168.10.105 137 dns_unmatched_reply - F bro 17 | 1226525369.281797 - - - - - dns_unmatched_msg - F bro 18 | 1226525369.281797 - - - - - dns_unmatched_msg - F bro 19 | 1226525376.565559 - - - - - dns_unmatched_msg - F bro 20 | 1226525376.565559 - - - - - dns_unmatched_msg - F bro 21 | #close 2016-06-24-12-07-27 22 | -------------------------------------------------------------------------------- /ETHERNET_IP/digitalbond pcaps/CL5000EIP-Lock-PLC-Attempt/.state/state.bst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/ETHERNET_IP/digitalbond pcaps/CL5000EIP-Lock-PLC-Attempt/.state/state.bst -------------------------------------------------------------------------------- /ETHERNET_IP/digitalbond pcaps/CL5000EIP-Lock-PLC-Attempt/CL5000EIP-Lock-PLC-Attempt.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:f3c0648be9d23856140aea55f6e2a94b0121ff9a67c4642e0033f03e7ffaf995 3 | size 1132704 4 | -------------------------------------------------------------------------------- /ETHERNET_IP/digitalbond pcaps/CL5000EIP-Lock-PLC-Attempt/conn.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field 
(empty) 4 | #unset_field - 5 | #path conn 6 | #open 2016-06-24-12-07-27 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents 8 | #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 9 | 1231968288.608135 CnPtT33TF3J32hiMRg 192.168.10.105 1054 192.168.10.120 44818 tcp - 43.527389 19719 27081 OTH - - 0 DadA 259 30079 260 37481 (empty) 10 | 1231968288.596607 CWuG5g4Xp5KDcWAyZd 192.168.10.230 1592 192.168.10.106 443 tcp - 43.476882 0 959596 OTH - - 0 da 0 0 1076 1002636 (empty) 11 | 1231968310.640644 CFhJVx3B40l3M8Fd0c 192.168.10.22 8 192.168.10.105 0 icmp - 0.003157 224 224 OTH - - 0 - 4 336 4 336 (empty) 12 | #close 2016-06-24-12-07-27 13 | -------------------------------------------------------------------------------- /ETHERNET_IP/digitalbond pcaps/CL5000EIP-Lock-PLC-Attempt/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-12-07-27 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466795247.617081 bro ip or not ip T T 10 | #close 2016-06-24-12-07-27 11 | -------------------------------------------------------------------------------- /ETHERNET_IP/digitalbond pcaps/CL5000EIP-Lock-PLC-Attempt/weird.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path weird 6 | #open 2016-06-24-12-07-27 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer 8 | #types time string addr port addr port string string bool string 9 | 1231968289.218756 - - - - - 
unknown_packet_type - F bro 10 | 1231968290.232411 - - - - - truncated_IP - F bro 11 | #close 2016-06-24-12-07-27 12 | -------------------------------------------------------------------------------- /ETHERNET_IP/digitalbond pcaps/CL5000EIP-Reboot-or-Restart/.state/state.bst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/ETHERNET_IP/digitalbond pcaps/CL5000EIP-Reboot-or-Restart/.state/state.bst -------------------------------------------------------------------------------- /ETHERNET_IP/digitalbond pcaps/CL5000EIP-Reboot-or-Restart/CL5000EIP-Reboot-or-Restart.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:57af017500d9c00d0d9e45e2e9c6a489be0f840efa1db08d86d3cebae9c67cb2 3 | size 147121 4 | -------------------------------------------------------------------------------- /ETHERNET_IP/digitalbond pcaps/CL5000EIP-Reboot-or-Restart/conn.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path conn 6 | #open 2016-06-24-12-07-27 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents 8 | #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 9 | 1224798438.317086 CiB8cD3xAtJJnveQ8l 192.168.10.120 44818 192.168.10.105 2927 tcp - 29.763693 41496 36996 OTH - - 0 AadD 482 60775 471 55836 (empty) 10 | #close 2016-06-24-12-07-27 11 | -------------------------------------------------------------------------------- /ETHERNET_IP/digitalbond 
pcaps/CL5000EIP-Reboot-or-Restart/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-12-07-27 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466795247.840805 bro ip or not ip T T 10 | #close 2016-06-24-12-07-27 11 | -------------------------------------------------------------------------------- /ETHERNET_IP/digitalbond pcaps/CL5000EIP-Reboot-or-Restart/weird.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path weird 6 | #open 2016-06-24-12-07-27 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer 8 | #types time string addr port addr port string string bool string 9 | 1224798431.839392 - - - - - truncated_IP - F bro 10 | 1224798451.548424 - - - - - unknown_packet_type - F bro 11 | #close 2016-06-24-12-07-27 12 | -------------------------------------------------------------------------------- /ETHERNET_IP/digitalbond pcaps/CL5000EIP-Remote-Mode-Change-Attempt/.state/state.bst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/ETHERNET_IP/digitalbond pcaps/CL5000EIP-Remote-Mode-Change-Attempt/.state/state.bst -------------------------------------------------------------------------------- /ETHERNET_IP/digitalbond pcaps/CL5000EIP-Remote-Mode-Change-Attempt/CL5000EIP-Remote-Mode-Change-Attempt.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:71aec9602f668ec7505d1d0e63d037213bfcd555ce3e7eca257b475bbe9cbe7c 3 | size 130854 4 | 
-------------------------------------------------------------------------------- /ETHERNET_IP/digitalbond pcaps/CL5000EIP-Remote-Mode-Change-Attempt/dns.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path dns 6 | #open 2016-06-24-12-07-28 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected 8 | #types time string addr port addr port enum count string count string count string count string bool bool bool bool count vector[string] vector[interval] bool 9 | 1251746662.237127 Cfnfae4pHOmOxpwwZ6 192.168.10.21 137 192.168.10.255 137 udp 43109 WIN2K3LAB023 1 C_INTERNET 32 NB - - F F T F 1 - - F 10 | 1251746695.564753 Co46Bq2NIoEor0Ant1 192.168.10.107 137 192.168.10.255 137 udp 40778 WIN2K3LAB021 1 C_INTERNET 32 NB - - F F T F 1 - - F 11 | 1251746695.565365 C07Csa12tvfnJmUD5k 192.168.10.107 137 192.168.10.21 137 udp 40778 - - - - - 0 NOERROR F F F F 0 - - F 12 | #close 2016-06-24-12-07-28 13 | -------------------------------------------------------------------------------- /ETHERNET_IP/digitalbond pcaps/CL5000EIP-Remote-Mode-Change-Attempt/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-12-07-28 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466795248.056377 bro ip or not ip T T 10 | #close 2016-06-24-12-07-28 11 | -------------------------------------------------------------------------------- /ETHERNET_IP/digitalbond pcaps/CL5000EIP-Remote-Mode-Change-Attempt/weird.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 
4 | #unset_field - 5 | #path weird 6 | #open 2016-06-24-12-07-28 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer 8 | #types time string addr port addr port string string bool string 9 | 1251746658.611803 - - - - - unknown_packet_type - F bro 10 | 1251746659.625874 - - - - - truncated_IP - F bro 11 | 1251746672.239952 - - - - - dns_unmatched_msg - F bro 12 | 1251746695.565365 C07Csa12tvfnJmUD5k 192.168.10.107 137 192.168.10.21 137 dns_unmatched_reply - F bro 13 | 1251746695.566875 CcpKDB3NpRfrUAnKe5 192.168.10.21 139 192.168.10.107 3503 connection_originator_SYN_ack - F bro 14 | 1251746695.568168 CcpKDB3NpRfrUAnKe5 192.168.10.21 139 192.168.10.107 3503 data_before_established - F bro 15 | 1251746704.730112 - - - - - dns_unmatched_msg - F bro 16 | 1251746704.730112 - - - - - dns_unmatched_msg - F bro 17 | #close 2016-06-24-12-07-28 18 | -------------------------------------------------------------------------------- /ETHERNET_IP/digitalbond pcaps/CL5000EIP-Software-Download-Failure/.state/state.bst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/ETHERNET_IP/digitalbond pcaps/CL5000EIP-Software-Download-Failure/.state/state.bst -------------------------------------------------------------------------------- /ETHERNET_IP/digitalbond pcaps/CL5000EIP-Software-Download-Failure/CL5000EIP-Software-Download-Failure.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:4057ac0c1d3f4a101b751661b49272d9fb1c8d3c9e82dc2706950272c81fbb93 3 | size 7333 4 | -------------------------------------------------------------------------------- /ETHERNET_IP/digitalbond pcaps/CL5000EIP-Software-Download-Failure/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | 
#set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-12-07-28 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466795248.267383 bro ip or not ip T T 10 | #close 2016-06-24-12-07-28 11 | -------------------------------------------------------------------------------- /ETHERNET_IP/digitalbond pcaps/CL5000EIP-Software-Download-Failure/weird.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path weird 6 | #open 2016-06-24-12-07-28 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer 8 | #types time string addr port addr port string string bool string 9 | 1226527627.759481 - - - - - truncated_IP - F bro 10 | 1226527636.979071 - - - - - unknown_packet_type - F bro 11 | 1226527657.046977 - - - - - unknown_protocol_2 - F bro 12 | #close 2016-06-24-12-07-28 13 | -------------------------------------------------------------------------------- /ETHERNET_IP/digitalbond pcaps/CL5000EIP-Software-Download/.state/state.bst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/ETHERNET_IP/digitalbond pcaps/CL5000EIP-Software-Download/.state/state.bst -------------------------------------------------------------------------------- /ETHERNET_IP/digitalbond pcaps/CL5000EIP-Software-Download/CL5000EIP-Software-Download.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:57af017500d9c00d0d9e45e2e9c6a489be0f840efa1db08d86d3cebae9c67cb2 3 | size 147121 4 | -------------------------------------------------------------------------------- /ETHERNET_IP/digitalbond pcaps/CL5000EIP-Software-Download/conn.log: 
-------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path conn 6 | #open 2016-06-24-12-07-28 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents 8 | #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 9 | 1224798438.317086 CpGBAB1zGMnTL36igb 192.168.10.120 44818 192.168.10.105 2927 tcp - 29.763693 41496 36996 OTH - - 0 AadD 482 60775 471 55836 (empty) 10 | #close 2016-06-24-12-07-28 11 | -------------------------------------------------------------------------------- /ETHERNET_IP/digitalbond pcaps/CL5000EIP-Software-Download/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-12-07-28 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466795248.475696 bro ip or not ip T T 10 | #close 2016-06-24-12-07-28 11 | -------------------------------------------------------------------------------- /ETHERNET_IP/digitalbond pcaps/CL5000EIP-Software-Download/weird.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path weird 6 | #open 2016-06-24-12-07-28 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer 8 | #types time string addr port addr port string string bool string 9 | 1224798431.839392 - - - - - truncated_IP - F bro 10 | 1224798451.548424 - - - - - unknown_packet_type - F bro 11 | #close 2016-06-24-12-07-28 12 | 
-------------------------------------------------------------------------------- /ETHERNET_IP/digitalbond pcaps/CL5000EIP-Software-Upload-Failure/.state/state.bst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/ETHERNET_IP/digitalbond pcaps/CL5000EIP-Software-Upload-Failure/.state/state.bst -------------------------------------------------------------------------------- /ETHERNET_IP/digitalbond pcaps/CL5000EIP-Software-Upload-Failure/CL5000EIP-Software-Upload-Failure.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:bac99b724f5ba0394c4f920ea5feae4a54a265fa112ed2289d43b33ee6cf9fe3 3 | size 15878 4 | -------------------------------------------------------------------------------- /ETHERNET_IP/digitalbond pcaps/CL5000EIP-Software-Upload-Failure/conn.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path conn 6 | #open 2016-06-24-12-07-28 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents 8 | #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 9 | 1226527900.973628 C2idTo1INWzs01A1f6 1.1.1.1 138 1.1.1.255 138 udp - - - - S0 - - 0 D 1 241 0 0 (empty) 10 | 1226527998.048074 CxwhXk1qVjA5DkRQZh 192.168.10.22 137 192.168.10.255 137 udp dns - - - S0 - - 0 D 1 78 0 0 (empty) 11 | 1226527998.048096 CplubO33szz1uKRAdi 1.1.1.1 137 1.1.1.255 137 udp dns 1.499676 150 0 S0 - - 0 D 3 234 0 0 (empty) 12 | #close 2016-06-24-12-07-28 13 | 
-------------------------------------------------------------------------------- /ETHERNET_IP/digitalbond pcaps/CL5000EIP-Software-Upload-Failure/dns.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path dns 6 | #open 2016-06-24-12-07-28 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected 8 | #types time string addr port addr port enum count string count string count string count string bool bool bool bool count vector[string] vector[interval] bool 9 | 1226527998.048074 CxwhXk1qVjA5DkRQZh 192.168.10.22 137 192.168.10.255 137 udp 38810 WIN2K3LAB024 1 C_INTERNET 32 NB - - F F T F 1 - - F 10 | 1226527998.048096 CplubO33szz1uKRAdi 1.1.1.1 137 1.1.1.255 137 udp 38811 WIN2K3LAB024 1 C_INTERNET 32 NB - - F F T F 1 - - F 11 | 1226527998.797854 CplubO33szz1uKRAdi 1.1.1.1 137 1.1.1.255 137 udp 38811 WIN2K3LAB024 1 C_INTERNET 32 NB - - F F T F 1 - - F 12 | 1226527999.547772 CplubO33szz1uKRAdi 1.1.1.1 137 1.1.1.255 137 udp 38811 WIN2K3LAB024 1 C_INTERNET 32 NB - - F F T F 1 - - F 13 | #close 2016-06-24-12-07-28 14 | -------------------------------------------------------------------------------- /ETHERNET_IP/digitalbond pcaps/CL5000EIP-Software-Upload-Failure/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-12-07-28 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466795248.687934 bro ip or not ip T T 10 | #close 2016-06-24-12-07-28 11 | -------------------------------------------------------------------------------- /ETHERNET_IP/digitalbond pcaps/CL5000EIP-Software-Upload-Failure/weird.log: 
-------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path weird 6 | #open 2016-06-24-12-07-28 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer 8 | #types time string addr port addr port string string bool string 9 | 1226527810.986146 - - - - - truncated_IP - F bro 10 | 1226527822.977430 - - - - - unknown_packet_type - F bro 11 | 1226527929.046096 - - - - - unknown_protocol_2 - F bro 12 | 1226528008.346740 - - - - - dns_unmatched_msg - F bro 13 | 1226528018.388663 - - - - - dns_unmatched_msg - F bro 14 | #close 2016-06-24-12-07-28 15 | -------------------------------------------------------------------------------- /ETHERNET_IP/digitalbond pcaps/CL5000EIP-Software-Upload/.state/state.bst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/ETHERNET_IP/digitalbond pcaps/CL5000EIP-Software-Upload/.state/state.bst -------------------------------------------------------------------------------- /ETHERNET_IP/digitalbond pcaps/CL5000EIP-Software-Upload/CL5000EIP-Software-Upload.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:8439230c8c1a3e824fc8e5f0637160ad6d88fcd78cae94c60c1e6f9df9358f57 3 | size 129648 4 | -------------------------------------------------------------------------------- /ETHERNET_IP/digitalbond pcaps/CL5000EIP-Software-Upload/conn.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path conn 6 | #open 2016-06-24-12-07-28 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp 
missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents 8 | #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 9 | 1224798651.305335 CyOWSn2SvNHkKtLl99 192.168.10.120 44818 192.168.10.105 2927 tcp - 26.350733 36304 27934 OTH - - 0 AadD 454 54463 447 45814 (empty) 10 | #close 2016-06-24-12-07-28 11 | -------------------------------------------------------------------------------- /ETHERNET_IP/digitalbond pcaps/CL5000EIP-Software-Upload/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-12-07-28 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466795248.911409 bro ip or not ip T T 10 | #close 2016-06-24-12-07-28 11 | -------------------------------------------------------------------------------- /ETHERNET_IP/digitalbond pcaps/CL5000EIP-Software-Upload/weird.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path weird 6 | #open 2016-06-24-12-07-28 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer 8 | #types time string addr port addr port string string bool string 9 | 1224798645.266348 - - - - - truncated_IP - F bro 10 | 1224798659.075226 - - - - - unknown_packet_type - F bro 11 | #close 2016-06-24-12-07-28 12 | -------------------------------------------------------------------------------- /ETHERNET_IP/digitalbond pcaps/CL5000EIP-Unlock-PLC-Attempt/.state/state.bst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/ETHERNET_IP/digitalbond 
pcaps/CL5000EIP-Unlock-PLC-Attempt/.state/state.bst -------------------------------------------------------------------------------- /ETHERNET_IP/digitalbond pcaps/CL5000EIP-Unlock-PLC-Attempt/CL5000EIP-Unlock-PLC-Attempt.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:f3c0648be9d23856140aea55f6e2a94b0121ff9a67c4642e0033f03e7ffaf995 3 | size 1132704 4 | -------------------------------------------------------------------------------- /ETHERNET_IP/digitalbond pcaps/CL5000EIP-Unlock-PLC-Attempt/conn.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path conn 6 | #open 2016-06-24-12-07-29 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents 8 | #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 9 | 1231968288.596607 CMFXZw4Z7qk1GOFy6 192.168.10.230 1592 192.168.10.106 443 tcp - 43.476882 0 959596 OTH - - 0 da 0 0 1076 1002636 (empty) 10 | 1231968288.608135 CLvNdN3kij5QhlRG1b 192.168.10.105 1054 192.168.10.120 44818 tcp - 43.527389 19719 27081 OTH - - 0 DadA 259 30079 260 37481 (empty) 11 | 1231968310.640644 CyZxZq1oy9eUlyweOf 192.168.10.22 8 192.168.10.105 0 icmp - 0.003157 224 224 OTH - - 0 - 4 336 4 336 (empty) 12 | #close 2016-06-24-12-07-29 13 | -------------------------------------------------------------------------------- /ETHERNET_IP/digitalbond pcaps/CL5000EIP-Unlock-PLC-Attempt/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | 
#open 2016-06-24-12-07-29 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466795249.132025 bro ip or not ip T T 10 | #close 2016-06-24-12-07-29 11 | -------------------------------------------------------------------------------- /ETHERNET_IP/digitalbond pcaps/CL5000EIP-Unlock-PLC-Attempt/weird.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path weird 6 | #open 2016-06-24-12-07-29 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer 8 | #types time string addr port addr port string string bool string 9 | 1231968289.218756 - - - - - unknown_packet_type - F bro 10 | 1231968290.232411 - - - - - truncated_IP - F bro 11 | #close 2016-06-24-12-07-29 12 | -------------------------------------------------------------------------------- /ETHERNET_IP/digitalbond pcaps/CL5000EIP-View-Device-Status/.state/state.bst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/ETHERNET_IP/digitalbond pcaps/CL5000EIP-View-Device-Status/.state/state.bst -------------------------------------------------------------------------------- /ETHERNET_IP/digitalbond pcaps/CL5000EIP-View-Device-Status/CL5000EIP-View-Device-Status.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:ffec60115587d9c79fd8e6daa712ea868635a0c31ed02bf43e53c76a834b5b01 3 | size 2389 4 | -------------------------------------------------------------------------------- /ETHERNET_IP/digitalbond pcaps/CL5000EIP-View-Device-Status/conn.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path conn 6 | 
#open 2016-06-24-12-07-29 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents 8 | #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 9 | 1252963725.444796 CqP6Pu3WHnKJleS0Cf 192.168.10.204 1413 192.168.10.140 20000 tcp dnp3_tcp 1.049805 15 17 SF - - 0 ShADadFf 8 343 7 322 (empty) 10 | 1252963725.788546 Ca5pBf4mOJNoeLE1C8 192.168.10.204 1400 192.168.10.21 5450 tcp - 9.006836 60 140 OTH - - 0 DdA 10 460 5 340 (empty) 11 | #close 2016-06-24-12-07-29 12 | -------------------------------------------------------------------------------- /ETHERNET_IP/digitalbond pcaps/CL5000EIP-View-Device-Status/dnp3.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path dnp3 6 | #open 2016-06-24-12-07-29 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fc_request fc_reply iin 8 | #types time string addr port addr port string string count 9 | 1252963725.960421 CqP6Pu3WHnKJleS0Cf 192.168.10.204 1413 192.168.10.140 20000 READ RESPONSE 36866 10 | #close 2016-06-24-12-07-29 11 | -------------------------------------------------------------------------------- /ETHERNET_IP/digitalbond pcaps/CL5000EIP-View-Device-Status/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-12-07-29 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466795249.346629 bro ip or not ip T T 10 | #close 2016-06-24-12-07-29 11 | -------------------------------------------------------------------------------- 
/ETHERNET_IP/mb/.state/state.bst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/ETHERNET_IP/mb/.state/state.bst -------------------------------------------------------------------------------- /ETHERNET_IP/mb/mb.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:fc91932509a2a777dee0004cb686e92180aae2ad34d8eb3a447573e46091d41d 3 | size 7684492 4 | -------------------------------------------------------------------------------- /ETHERNET_IP/mb/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-11-59-32 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466794772.148033 bro ip or not ip T T 10 | #close 2016-06-24-11-59-32 11 | -------------------------------------------------------------------------------- /ETHERNET_IP/mb/weird.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path weird 6 | #open 2016-06-24-11-59-32 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer 8 | #types time string addr port addr port string string bool string 9 | 1352718180.327131 CoOZHJ1GCDQoY9S1q3 192.168.113.4 1594 141.81.0.10 3389 TCP_ack_underflow_or_misorder - F bro 10 | 1352718180.983455 - - - - - unknown_packet_type - F bro 11 | 1352718181.129602 - - - - - truncated_IP - F bro 12 | 1352718202.265346 - - - - - dns_unmatched_msg - F bro 13 | 1352718203.519831 - - - - - dns_unmatched_msg - F bro 14 | 1352718207.765744 - - - - - dns_unmatched_msg - F bro 15 | 1352718241.999778 C70TrT1g5FcIvGhG3e 
141.81.0.10 59800 141.81.0.49 8000 bad_HTTP_request - F bro 16 | 1352718242.134118 Ctlq9IdKUQIwTFye8 141.81.0.10 59801 141.81.0.49 8000 bad_HTTP_request - F bro 17 | 1352718261.547274 - - - - - unknown_protocol_2 - F bro 18 | 1352718265.222877 - - - - - dns_unmatched_msg - F bro 19 | 1352718265.222877 - - - - - dns_unmatched_msg - F bro 20 | 1352718265.222877 - - - - - dns_unmatched_msg - F bro 21 | 1352718265.222877 - - - - - dns_unmatched_msg - F bro 22 | #close 2016-06-24-11-59-32 23 | -------------------------------------------------------------------------------- /ETHERNET_IP/talabor1_1/.state/state.bst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/ETHERNET_IP/talabor1_1/.state/state.bst -------------------------------------------------------------------------------- /ETHERNET_IP/talabor1_1/dns.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path dns 6 | #open 2016-06-24-11-59-32 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected 8 | #types time string addr port addr port enum count string count string count string count string bool bool bool bool count vector[string] vector[interval] bool 9 | 1256830439.657602 CwmuGu3eZV6oNKjd3j 192.168.0.52 137 192.168.0.255 137 udp 35182 AHIID 1 C_INTERNET 32 NB - - F F T F 1 - - F 10 | #close 2016-06-24-11-59-32 11 | -------------------------------------------------------------------------------- /ETHERNET_IP/talabor1_1/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-11-59-32 
7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466794772.588997 bro ip or not ip T T 10 | #close 2016-06-24-11-59-32 11 | -------------------------------------------------------------------------------- /ETHERNET_IP/talabor1_1/talabor1_1.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:afab219e4df5db70c48af4551de21d9bd122dfe30e75d110db76baf11f2869aa 3 | size 39457 4 | -------------------------------------------------------------------------------- /ETHERNET_IP/talabor1_1/weird.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path weird 6 | #open 2016-06-24-11-59-32 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer 8 | #types time string addr port addr port string string bool string 9 | 1256830419.815561 - - - - - unknown_packet_type - F bro 10 | 1256830420.746478 - - - - - truncated_IP - F bro 11 | 1256830449.693891 - - - - - dns_unmatched_msg - F bro 12 | #close 2016-06-24-11-59-32 13 | -------------------------------------------------------------------------------- /ETHERNET_IP/talabor1_2_2/.state/state.bst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/ETHERNET_IP/talabor1_2_2/.state/state.bst -------------------------------------------------------------------------------- /ETHERNET_IP/talabor1_2_2/conn.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path conn 6 | #open 2016-06-24-11-59-32 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig 
local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents 8 | #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 9 | 1256831417.987218 Cs25qS2vi20Rtd1JUi 192.168.0.46 3162 193.40.240.200 445 tcp - 0.218952 1038 351 OTH - - 0 DdA 10 1438 9 711 (empty) 10 | 1256831418.964899 COnRK577DcDWgr2wb 192.168.0.46 3326 192.168.0.101 44818 tcp - 8.507578 1910 2833 RSTR - - 0 ShADadFr 34 3278 35 4237 (empty) 11 | 1256831415.439078 Ce8SiE3j4xwnVu55S5 193.40.240.224 2267 239.255.255.250 1900 udp - 0.000622 411 0 S0 - - 0 D 3 495 0 0 (empty) 12 | 1256831422.135490 CKGojK1lMbXwBQbMOl 192.168.0.46 1088 193.40.240.128 161 udp snmp 5.999178 156 0 S0 - - 0 D 2 212 0 0 (empty) 13 | #close 2016-06-24-11-59-32 14 | -------------------------------------------------------------------------------- /ETHERNET_IP/talabor1_2_2/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-11-59-32 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466794772.808661 bro ip or not ip T T 10 | #close 2016-06-24-11-59-32 11 | -------------------------------------------------------------------------------- /ETHERNET_IP/talabor1_2_2/snmp.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path snmp 6 | #open 2016-06-24-11-59-32 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p duration version community get_requests get_bulk_requests get_responses set_requests display_string up_since 8 | #types time string addr port addr port interval string string count count count count string time 9 | 1256831422.135490 CKGojK1lMbXwBQbMOl 192.168.0.46 1088 
193.40.240.128 161 5.999178 1 public 6 0 0 0 - - 10 | #close 2016-06-24-11-59-32 11 | -------------------------------------------------------------------------------- /ETHERNET_IP/talabor1_2_2/talabor1_2_2.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:7ae7afa4283624aa2a32a09cc8369be6dfbe6cef7f567936a4f972a1906f3e73 3 | size 14205 4 | -------------------------------------------------------------------------------- /ETHERNET_IP/talabor1_2_2/weird.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path weird 6 | #open 2016-06-24-11-59-32 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer 8 | #types time string addr port addr port string string bool string 9 | 1256831417.165191 - - - - - truncated_IP - F bro 10 | 1256831418.253276 - - - - - unknown_packet_type - F bro 11 | #close 2016-06-24-11-59-32 12 | -------------------------------------------------------------------------------- /ETHERSBUS/sbus/.state/state.bst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/ETHERSBUS/sbus/.state/state.bst -------------------------------------------------------------------------------- /ETHERSBUS/sbus/conn.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path conn 6 | #open 2016-06-24-11-47-23 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents 8 | #types time string addr port addr port enum string interval count 
count string bool bool count string count count count count set[string] 9 | 1119024300.361278 CQ69L43ENJH71CA6ck 172.16.1.120 2467 172.16.1.135 5050 udp - 206.866927 6213 7663 SF - - 0 Dd 439 18505 436 19871 (empty) 10 | #close 2016-06-24-11-47-23 11 | -------------------------------------------------------------------------------- /ETHERSBUS/sbus/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-11-47-23 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466794043.387204 bro ip or not ip T T 10 | #close 2016-06-24-11-47-23 11 | -------------------------------------------------------------------------------- /ETHERSBUS/sbus/sbus.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:2588478c604a83dd38339a63c49261948796cd964b5e748b20260fc21649d24b 3 | size 66825 4 | -------------------------------------------------------------------------------- /ETHERSBUS/sbus/weird.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path weird 6 | #open 2016-06-24-11-47-23 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer 8 | #types time string addr port addr port string string bool string 9 | 1119024304.460501 - - - - - unknown_packet_type - F bro 10 | #close 2016-06-24-11-47-23 11 | -------------------------------------------------------------------------------- /ETHERSIO/.DS_Store: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/ETHERSIO/.DS_Store 
-------------------------------------------------------------------------------- /ETHERSIO/Ether-S-IO_traffic_01/.state/state.bst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/ETHERSIO/Ether-S-IO_traffic_01/.state/state.bst -------------------------------------------------------------------------------- /ETHERSIO/Ether-S-IO_traffic_01/Ether-S-IO_traffic_01.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:37b50a7328d177596519ac47286622092f3fd64d6d6feb2814eb64eb3eb5ee2b 3 | size 283466 4 | -------------------------------------------------------------------------------- /ETHERSIO/Ether-S-IO_traffic_01/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-12-08-47 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466795327.868150 bro ip or not ip T T 10 | #close 2016-06-24-12-08-47 11 | -------------------------------------------------------------------------------- /FINS (OMRON)/notes.txt: -------------------------------------------------------------------------------- 1 | https://wiki.wireshark.org/OMRON-FINS 2 | Protocol dependencies 3 | UDP: Typically, FINS uses UDP as its transport protocol. The well-known UDP port for FINS traffic is 9600. 
4 | -------------------------------------------------------------------------------- /FINS (OMRON)/omron/.state/state.bst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/FINS (OMRON)/omron/.state/state.bst -------------------------------------------------------------------------------- /FINS (OMRON)/omron/conn.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path conn 6 | #open 2016-06-24-11-47-42 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents 8 | #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 9 | 1233089082.809333 CZJ8Ys5BqfZA52277 10.4.14.102 58722 10.130.130.130 9600 udp - 0.005100 6597 0 S0 - - 0 D 245 13457 0 0 (empty) 10 | #close 2016-06-24-11-47-42 11 | -------------------------------------------------------------------------------- /FINS (OMRON)/omron/omron.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:561fa39d9680bf88addffefc10a5479d74ec92a3defa96454b7d5e08fcc6bd5d 3 | size 20831 4 | -------------------------------------------------------------------------------- /FINS (OMRON)/omron/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-11-47-42 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466794062.233819 bro ip or not ip T T 10 | 
#close 2016-06-24-11-47-42 11 | -------------------------------------------------------------------------------- /GE-SRTP/Notes.txt: -------------------------------------------------------------------------------- 1 | proto:tcp, port:18245,18246 product:"general electric, general-electric-srtp" 2 | https://www.shodan.io/search?query=port%3A18245%2C18246+product%3A%22general+electric%22 3 | 4 | 18245 5 | tcp 6 | general-electric-srtp 7 | General Electric SRTP 8 | \x01\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 9 | -------------------------------------------------------------------------------- /HART IP/hart_ip/.state/state.bst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/HART IP/hart_ip/.state/state.bst -------------------------------------------------------------------------------- /HART IP/hart_ip/hart_ip.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:dda914bff86358caf5bc6e3ed06814124104ecb0eff71e5c7e806fe1b24a09a6 3 | size 11932 4 | -------------------------------------------------------------------------------- /HART IP/hart_ip/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-11-47-56 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466794076.613040 bro ip or not ip T T 10 | #close 2016-06-24-11-47-56 11 | -------------------------------------------------------------------------------- /IEC 60870/IEC104_SQ/.state/state.bst: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/IEC 60870/IEC104_SQ/.state/state.bst -------------------------------------------------------------------------------- /IEC 60870/IEC104_SQ/IEC104_SQ.pcapng: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/IEC 60870/IEC104_SQ/IEC104_SQ.pcapng -------------------------------------------------------------------------------- /IEC 60870/IEC104_SQ/conn.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path conn 6 | #open 2016-06-24-12-09-35 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents 8 | #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 9 | 1427295834.904253 CmfPJaLlEyC44Nqsl 10.204.70.90 2404 10.104.99.22 4446 tcp - - - - OTH - - 0 D 1 164 0 0 (empty) 10 | #close 2016-06-24-12-09-35 11 | -------------------------------------------------------------------------------- /IEC 60870/IEC104_SQ/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-12-09-35 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466795375.490080 bro ip or not ip T T 10 | #close 2016-06-24-12-09-35 11 | -------------------------------------------------------------------------------- /IEC 
60870/iec104/.state/state.bst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/IEC 60870/iec104/.state/state.bst -------------------------------------------------------------------------------- /IEC 60870/iec104/conn.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path conn 6 | #open 2016-06-24-12-09-42 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents 8 | #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 9 | 1372918996.788450 C7mQhY3KEP2UV5rLnc 10.20.102.1 46413 10.20.100.108 2404 tcp - 145.112798 362 2315 SF - - 0 ShADdaFf 59 2734 46 4159 (empty) 10 | #close 2016-06-24-12-09-42 11 | -------------------------------------------------------------------------------- /IEC 60870/iec104/iec104.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:a78aa971adc51e54413a865937f1799ef57118d397cef57ccd93a358ed5b85d6 3 | size 10135 4 | -------------------------------------------------------------------------------- /IEC 60870/iec104/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-12-09-42 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466795382.884416 bro ip or not ip T T 10 | #close 2016-06-24-12-09-42 11 | 
-------------------------------------------------------------------------------- /IEC 60870/notes.txt: -------------------------------------------------------------------------------- 1 | 2404 2 | tcp 3 | iec-104 4 | Data Received: 680e02000200640107000300000000146852040002000d0914000300b03600f6285cbe00b136007ae9e63e00b23600c5800c4300b3360096030c4300b43600f47d0b4300b636003333534000b536000000984200b736000000f04100b836000200f04100680e0600020003011400030011270002680e0800020064010a0003000000001468730a000200240703000300b13600b172e83e0007b53488540610b0360015ae47be0007b53488540610b43600a67b0b430007b53488540610b63600cdcc4c400007b53488540610b23600fa7e0c430007b53488540610b3360052f80b430007b53488540610b536000000a2420007b53488540610 5 | ASDU Address: -1 6 | -------------------------------------------------------------------------------- /MODBUS/.DS_Store: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/MODBUS/.DS_Store -------------------------------------------------------------------------------- /MODBUS/MODBUS-TestDataPart1/.state/state.bst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/MODBUS/MODBUS-TestDataPart1/.state/state.bst -------------------------------------------------------------------------------- /MODBUS/MODBUS-TestDataPart1/MODBUS-TestDataPart1.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:94942b3d014810710f50836c95d3faf6df6e6370a6560bae541397c1df50213d 3 | size 10181 4 | -------------------------------------------------------------------------------- /MODBUS/MODBUS-TestDataPart1/conn.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 
3 | #empty_field (empty) 4 | #unset_field - 5 | #path conn 6 | #open 2016-06-24-11-48-43 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents 8 | #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 9 | 1093521678.945447 Cc5vCI2ukuCptZFCh1 10.0.0.57 2387 10.0.0.3 502 tcp - 0.000493 0 0 SF - - 0 FafA 2 80 2 80 (empty) 10 | 1093521953.490353 CaSSNv2w9E3yuAVLE1 10.0.0.57 2579 10.0.0.8 502 tcp - 23.256631 24 0 SF - - 0 ShADaFf 6 272 5 208 (empty) 11 | 1093521681.696827 CndlS11MdCmJHy9Erg 10.0.0.57 2578 10.0.0.3 502 tcp - 385.694948 112 138 S3 - - 0 ShADdf 20 920 12 626 (empty) 12 | 1093522326.102435 CBsn7HbeYzmMQhAh4 10.0.0.9 3082 10.0.0.3 502 tcp - 177.095534 72 69 SF - - 0 ShADdFaf 16 720 9 437 (empty) 13 | 1093522946.554059 CfjMj8NfjgimFgsud 10.0.0.57 2585 10.0.0.8 502 tcp - 76.561880 926 0 SF - - 0 ShADafF 8 1254 7 288 (empty) 14 | 1093523065.562221 CI78O83P2YCLJlNbO3 10.0.0.8 502 10.0.0.57 4446 tcp - 155.114237 128 0 SF - - 0 ShADaFf 16 776 15 608 (empty) 15 | #close 2016-06-24-11-48-43 16 | -------------------------------------------------------------------------------- /MODBUS/MODBUS-TestDataPart1/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-11-48-43 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466794123.513440 bro ip or not ip T T 10 | #close 2016-06-24-11-48-43 11 | -------------------------------------------------------------------------------- /MODBUS/MODBUS-TestDataPart2/.state/state.bst: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/MODBUS/MODBUS-TestDataPart2/.state/state.bst -------------------------------------------------------------------------------- /MODBUS/MODBUS-TestDataPart2/MODBUS-TestDataPart2.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:f7cca627fe9b740b5881e8b33b4143b59158240192ecbf5caa727a7dda35d110 3 | size 27764 4 | -------------------------------------------------------------------------------- /MODBUS/MODBUS-TestDataPart2/conn.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path conn 6 | #open 2016-06-24-11-48-43 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents 8 | #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 9 | 1153491879.610371 CXWWCq4tRWduyB9st6 192.168.66.235 2582 166.161.16.230 502 tcp - 2.905078 0 0 S0 - - 0 S 2 96 0 0 (empty) 10 | 1153491888.530306 CXUtdp1qpEhqXdPFd2 192.168.66.235 2582 166.161.16.230 502 tcp - 85.560847 1692 1278 S1 - - 0 ShADad 167 8380 181 8522 (empty) 11 | #close 2016-06-24-11-48-43 12 | -------------------------------------------------------------------------------- /MODBUS/MODBUS-TestDataPart2/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-11-48-43 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466794123.723395 bro ip or not ip T T 10 | #close 
2016-06-24-11-48-43 11 | -------------------------------------------------------------------------------- /MODBUS/MODBUS-TestDataPart2/weird.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path weird 6 | #open 2016-06-24-11-48-43 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer 8 | #types time string addr port addr port string string bool string 9 | 1153491905.638732 CXUtdp1qpEhqXdPFd2 192.168.66.235 2582 166.161.16.230 502 binpac exception: out_of_bound: MaskWriteRegisterRequest: 6 > 4 - F bro 10 | 1153491906.170715 CXUtdp1qpEhqXdPFd2 192.168.66.235 2582 166.161.16.230 502 binpac exception: out_of_bound: ReadWriteMultipleRegistersRequest:write_byte_count: 9 > 4 - F bro 11 | #close 2016-06-24-11-48-43 12 | -------------------------------------------------------------------------------- /MODBUS/Modbus/.state/state.bst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/MODBUS/Modbus/.state/state.bst -------------------------------------------------------------------------------- /MODBUS/Modbus/Modbus.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:9e055a2d15a8e447be131002137341ae5f8f8b91b64576cd2fdbd854e141373e 3 | size 8337 4 | -------------------------------------------------------------------------------- /MODBUS/Modbus/conn.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path conn 6 | #open 2016-06-24-11-48-43 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes 
history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents 8 | #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 9 | 1223541953.927963 Cw8iyi4v5IftmYcZ5i 192.168.110.131 2074 192.168.110.138 502 tcp - 23.109264 612 561 OTH - - 0 Dd 51 2652 51 2601 (empty) 10 | #close 2016-06-24-11-48-43 11 | -------------------------------------------------------------------------------- /MODBUS/Modbus/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-11-48-43 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466794123.288833 bro ip or not ip T T 10 | #close 2016-06-24-11-48-43 11 | -------------------------------------------------------------------------------- /MODBUS/digitalbond pcaps/modbus_test_data_part1/.state/state.bst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/MODBUS/digitalbond pcaps/modbus_test_data_part1/.state/state.bst -------------------------------------------------------------------------------- /MODBUS/digitalbond pcaps/modbus_test_data_part1/modbus_test_data_part1.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:94942b3d014810710f50836c95d3faf6df6e6370a6560bae541397c1df50213d 3 | size 10181 4 | -------------------------------------------------------------------------------- /MODBUS/digitalbond pcaps/modbus_test_data_part1/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 
6 | #open 2016-06-24-11-49-29 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466794169.060749 bro ip or not ip T T 10 | #close 2016-06-24-11-49-29 11 | -------------------------------------------------------------------------------- /MODBUS/digitalbond pcaps/modbus_test_data_part2/.state/state.bst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/MODBUS/digitalbond pcaps/modbus_test_data_part2/.state/state.bst -------------------------------------------------------------------------------- /MODBUS/digitalbond pcaps/modbus_test_data_part2/conn.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path conn 6 | #open 2016-06-24-11-49-29 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents 8 | #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 9 | 1153491879.610371 CdOPXs3dWbJVxCEAkg 192.168.66.235 2582 166.161.16.230 502 tcp - 2.905078 0 0 S0 - - 0 S 2 96 0 0 (empty) 10 | 1153491888.530306 C8iUZaLS8ANQ9l8U 192.168.66.235 2582 166.161.16.230 502 tcp - 85.560847 1692 1278 S1 - - 0 ShADad 167 8380 181 8522 (empty) 11 | #close 2016-06-24-11-49-29 12 | -------------------------------------------------------------------------------- /MODBUS/digitalbond pcaps/modbus_test_data_part2/modbus_test_data_part2.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:f7cca627fe9b740b5881e8b33b4143b59158240192ecbf5caa727a7dda35d110 3 | size 27764 4 | 
-------------------------------------------------------------------------------- /MODBUS/digitalbond pcaps/modbus_test_data_part2/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-11-49-29 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466794169.282232 bro ip or not ip T T 10 | #close 2016-06-24-11-49-29 11 | -------------------------------------------------------------------------------- /MODBUS/digitalbond pcaps/modbus_test_data_part2/weird.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path weird 6 | #open 2016-06-24-11-49-29 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer 8 | #types time string addr port addr port string string bool string 9 | 1153491905.638732 C8iUZaLS8ANQ9l8U 192.168.66.235 2582 166.161.16.230 502 binpac exception: out_of_bound: MaskWriteRegisterRequest: 6 > 4 - F bro 10 | 1153491906.170715 C8iUZaLS8ANQ9l8U 192.168.66.235 2582 166.161.16.230 502 binpac exception: out_of_bound: ReadWriteMultipleRegistersRequest:write_byte_count: 9 > 4 - F bro 11 | #close 2016-06-24-11-49-29 12 | -------------------------------------------------------------------------------- /PC WORX/notes.txt: -------------------------------------------------------------------------------- 1 | 1962 2 | tcp 3 | pcworx 4 | ILC 171 ETH 2TXVersion: 2700975 5 | PLC Type: ILC 171 ETH 2TX 6 | Model Number: 2700975 7 | Firmware Version: 4.10 8 | Firmware Date: 05/30/13 9 | Firmware Time: 15:11:58 10 | 11 | Check 4sics pcaps maybe. 
12 | -------------------------------------------------------------------------------- /POWERLINK/epl/.state/state.bst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/POWERLINK/epl/.state/state.bst -------------------------------------------------------------------------------- /POWERLINK/epl/epl.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:ab0d87f38213b5b8ab336b04e4ea268fc3c01e1368c61c139360d6c55e988fdd 3 | size 130748 4 | -------------------------------------------------------------------------------- /POWERLINK/epl/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-11-50-03 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466794203.166434 bro ip or not ip T T 10 | #close 2016-06-24-11-50-03 11 | -------------------------------------------------------------------------------- /POWERLINK/epl/weird.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path weird 6 | #open 2016-06-24-11-50-03 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer 8 | #types time string addr port addr port string string bool string 9 | 1152604462.222840 - - - - - unknown_packet_type - F bro 10 | #close 2016-06-24-11-50-03 11 | -------------------------------------------------------------------------------- /PROCONOS/notes.txt: -------------------------------------------------------------------------------- 1 | 20547 2 | tcp 3 | proconos 4 | Bristol: CWM V05:50:00 07/31 5 | Ladder Logic Runtime: 
ProConOS V4.1.0267 Jul 31 2012 6 | PLC Type: Bristol: CWM V05:50:00 07/31 7 | Project Name: trode 8 | Boot Project: 9 | Project Source Code: 10 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # ICS-pcap 2 | 3 | ## What is this? 4 | This is a collection of PCAPs (or additional notes where PCAPs are still needed) for ICS/SCADA utilities and protocols. 5 | 6 | ## How do I get it? 7 | First, make sure that your Git installation is up to date. Second, you'll want to install Git Large File Storage (LFS). 8 | - Go to https://git-lfs.github.com/ 9 | - Download the archive 10 | - Run the installer. 11 | - git lfs clone https://github.com/automayt/ICS-pcap.git 12 | 13 | ## Where did you get these? 14 | Credit for these goes out to 15 | - digitalbond 16 | - 4sics 17 | - netresec (http://www.netresec.com/?page=PCAP4SICS) 18 | - https://scadahacker.com 19 | - wireshark sample captures (https://wiki.wireshark.org/SampleCaptures) 20 | - shodan.io 21 | - http://kargs.net/captures/ 22 | - Oak Ridge Datasets 23 | - Many others! (If your stuff is here and I've forgotten you, please feel free to reach out!) 24 | 25 | ## Would you like to contribute? 26 | Feel free to submit pull requests with more PCAPs or info. If you see a mistake or would rather that I upload the PCAPs for you, create an issue and I'll do it for you. 27 | 28 | ## Disclaimer 29 | If any of these are categorized incorrectly, please let me know. This is quite possible, because similar protocols and protocol variants often differ only in subtle ways. 
30 | -------------------------------------------------------------------------------- /Red Lion (Crimson v3)/notes.txt: -------------------------------------------------------------------------------- 1 | Check out 4sics pcaps 2 | cr3.lua wireshark plugin 3 | 4 | 789 5 | tcp 6 | redlion-crimson3 7 | Red Lion ControlsVersion: G306a 8 | Manufacturer: Red Lion Controls 9 | Model: G306a 10 | -------------------------------------------------------------------------------- /S7/1-S7comm-VarService-Read-DB1DBD0/.state/state.bst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/S7/1-S7comm-VarService-Read-DB1DBD0/.state/state.bst -------------------------------------------------------------------------------- /S7/1-S7comm-VarService-Read-DB1DBD0/1-S7comm-VarService-Read-DB1DBD0.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:0e9583b7e3d9df9f572e02e90329523281a9d149d9ee862ca16d0d4ad0c686b0 3 | size 3469 4 | -------------------------------------------------------------------------------- /S7/1-S7comm-VarService-Read-DB1DBD0/conn.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path conn 6 | #open 2016-06-24-11-51-37 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents 8 | #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 9 | 1225017949.539645 CSS3qz3mAUVfjNJJc5 192.168.1.180 1117 192.168.1.11 102 tcp - 7.106685 351 252 S1 - - 0 ShADda 20 1159 18 980 (empty) 10 | #close 
2016-06-24-11-51-37 11 | -------------------------------------------------------------------------------- /S7/1-S7comm-VarService-Read-DB1DBD0/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-11-51-37 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466794297.274197 bro ip or not ip T T 10 | #close 2016-06-24-11-51-37 11 | -------------------------------------------------------------------------------- /S7/2-S7comm-VarService-CyclicData-1s/.state/state.bst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/S7/2-S7comm-VarService-CyclicData-1s/.state/state.bst -------------------------------------------------------------------------------- /S7/2-S7comm-VarService-CyclicData-1s/2-S7comm-VarService-CyclicData-1s.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:a5d778c725c34313883849eda83d62e184ffdc712bed18dcca2e96d068257147 3 | size 72518 4 | -------------------------------------------------------------------------------- /S7/2-S7comm-VarService-CyclicData-1s/conn.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path conn 6 | #open 2016-06-24-11-51-37 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents 8 | #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 9 | 
1297714797.887958 CJF1BZ3pQPMDVcqe51 192.168.1.20 1117 192.168.1.130 102 tcp - 6.402802 19240 12690 RSTO - - 0 ShADdaR 296 31186 275 23698 (empty) 10 | #close 2016-06-24-11-51-37 11 | -------------------------------------------------------------------------------- /S7/2-S7comm-VarService-CyclicData-1s/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-11-51-37 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466794297.493357 bro ip or not ip T T 10 | #close 2016-06-24-11-51-37 11 | -------------------------------------------------------------------------------- /S7/3-S7comm-VAT_MB100_MW200_MD300_M400-0/.state/state.bst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/S7/3-S7comm-VAT_MB100_MW200_MD300_M400-0/.state/state.bst -------------------------------------------------------------------------------- /S7/3-S7comm-VAT_MB100_MW200_MD300_M400-0/3-S7comm-VAT_MB100_MW200_MD300_M400-0.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:d63d475d3a83e9cea2aceb58910142970f5ecff185efa007c2cf6616e50a8ff5 3 | size 4403 4 | -------------------------------------------------------------------------------- /S7/3-S7comm-VAT_MB100_MW200_MD300_M400-0/conn.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path conn 6 | #open 2016-06-24-11-51-37 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes 
resp_pkts resp_ip_bytes tunnel_parents 8 | #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 9 | 1288203349.380141 CbZb392IFQYkOj8cNa 192.168.1.12 1748 192.168.1.130 102 tcp - 2.227165 363 493 RSTO - - 0 ShADdaR 27 1458 23 1421 (empty) 10 | #close 2016-06-24-11-51-37 11 | -------------------------------------------------------------------------------- /S7/3-S7comm-VAT_MB100_MW200_MD300_M400-0/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-11-51-37 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466794297.706241 bro ip or not ip T T 10 | #close 2016-06-24-11-51-37 11 | -------------------------------------------------------------------------------- /S7/4-S7comm-Download-DB1-with-password-request/.state/state.bst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/S7/4-S7comm-Download-DB1-with-password-request/.state/state.bst -------------------------------------------------------------------------------- /S7/4-S7comm-Download-DB1-with-password-request/4-S7comm-Download-DB1-with-password-request.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:5aaed04c0d443c2e43df941dbf3ee732fb15ca0578874dfff4a7db402806dc3f 3 | size 7612 4 | -------------------------------------------------------------------------------- /S7/4-S7comm-Download-DB1-with-password-request/conn.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path conn 6 | 
#open 2016-06-24-11-51-37 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents 8 | #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 9 | 1246619960.713484 CCufER2CyCTyKCrcu1 192.168.178.32 1632 192.168.178.230 102 tcp - 6.326915 703 929 RSTO - - 0 ShADadR 34 2087 48 2853 (empty) 10 | #close 2016-06-24-11-51-37 11 | -------------------------------------------------------------------------------- /S7/4-S7comm-Download-DB1-with-password-request/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-11-51-37 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466794297.926620 bro ip or not ip T T 10 | #close 2016-06-24-11-51-37 11 | -------------------------------------------------------------------------------- /S7/S7-1200-Uploading-OB1-TIAV12/.state/state.bst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/S7/S7-1200-Uploading-OB1-TIAV12/.state/state.bst -------------------------------------------------------------------------------- /S7/S7-1200-Uploading-OB1-TIAV12/S7-1200-Uploading-OB1-TIAV12.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:73e4b36469447e0fd45ccd38ca0583fbe60f6df27372b1ca11066e335deb650e 3 | size 19895 4 | -------------------------------------------------------------------------------- /S7/S7-1200-Uploading-OB1-TIAV12/conn.log: 
-------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path conn 6 | #open 2016-06-24-11-51-38 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents 8 | #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 9 | 1387554083.725880 CNUP4b6wTU0bBNXM3 192.168.1.10 60511 192.168.1.191 102 tcp - 5.307035 5528 3823 RSTO - - 0 ShADdaR 92 9220 57 6107 (empty) 10 | #close 2016-06-24-11-51-38 11 | -------------------------------------------------------------------------------- /S7/S7-1200-Uploading-OB1-TIAV12/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-11-51-38 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466794298.366967 bro ip or not ip T T 10 | #close 2016-06-24-11-51-38 11 | -------------------------------------------------------------------------------- /S7/S7-1511-opc-request-all-types/.state/state.bst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/S7/S7-1511-opc-request-all-types/.state/state.bst -------------------------------------------------------------------------------- /S7/S7-1511-opc-request-all-types/S7-1511-opc-request-all-types.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:19a7da2fa329aabf87cc0073bb487e5bbfe2ec4065f1e1ef5ffb25f75424dbe1 3 | size 10270 
4 | -------------------------------------------------------------------------------- /S7/S7-1511-opc-request-all-types/conn.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path conn 6 | #open 2016-06-24-11-51-39 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents 8 | #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 9 | 1412861312.240425 C2AW6ktNrQipZPkQ4 192.168.25.146 55863 192.168.25.139 102 tcp - 106.778089 2079 1308 S1 - - 0 ShADda 46 6022 21 2154 (empty) 10 | #close 2016-06-24-11-51-39 11 | -------------------------------------------------------------------------------- /S7/S7-1511-opc-request-all-types/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-11-51-39 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466794299.220056 bro ip or not ip T T 10 | #close 2016-06-24-11-51-39 11 | -------------------------------------------------------------------------------- /S7/S7-1511_db2_var1_HMI/.state/state.bst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/S7/S7-1511_db2_var1_HMI/.state/state.bst -------------------------------------------------------------------------------- /S7/S7-1511_db2_var1_HMI/S7-1511_db2_var1_HMI.pcap: -------------------------------------------------------------------------------- 1 | version 
https://git-lfs.github.com/spec/v1 2 | oid sha256:d314ce89d81d4ee02e3cf889efcff4a6abac020a69f371f017a4f8cee754d7e6 3 | size 6024 4 | -------------------------------------------------------------------------------- /S7/S7-1511_db2_var1_HMI/conn.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path conn 6 | #open 2016-06-24-11-51-38 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents 8 | #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 9 | 1401979283.997027 CddXmf4QdMhwysclba 192.168.25.147 50467 192.168.25.139 102 tcp - 5.298315 1472 750 RSTO - - 0 ShADdaR 22 2364 17 1434 (empty) 10 | #close 2016-06-24-11-51-38 11 | -------------------------------------------------------------------------------- /S7/S7-1511_db2_var1_HMI/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-11-51-38 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466794298.571506 bro ip or not ip T T 10 | #close 2016-06-24-11-51-38 11 | -------------------------------------------------------------------------------- /S7/S7-1511_db3_var1_HMI/.state/state.bst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/S7/S7-1511_db3_var1_HMI/.state/state.bst -------------------------------------------------------------------------------- /S7/S7-1511_db3_var1_HMI/S7-1511_db3_var1_HMI.pcap: 
-------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:0d2ad8fafb48234010428f2e2ec30c048217b4d9d7e9a5621798bbb178ea15f9 3 | size 7334 4 | -------------------------------------------------------------------------------- /S7/S7-1511_db3_var1_HMI/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-11-51-38 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466794298.785118 bro ip or not ip T T 10 | #close 2016-06-24-11-51-38 11 | -------------------------------------------------------------------------------- /S7/S7-1511_db6w0_HMI/.state/state.bst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/S7/S7-1511_db6w0_HMI/.state/state.bst -------------------------------------------------------------------------------- /S7/S7-1511_db6w0_HMI/S7-1511_db6w0_HMI.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:1fa8a7377e03e12de9bd6fe8a0ed4ba73b258615c01825065a2befca603242d8 3 | size 3396 4 | -------------------------------------------------------------------------------- /S7/S7-1511_db6w0_HMI/conn.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path conn 6 | #open 2016-06-24-11-51-39 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents 8 | #types time string addr port addr 
port enum string interval count count string bool bool count string count count count count set[string] 9 | 1411974511.002145 CyjHmRKJlUeanbigb 192.168.25.146 60010 192.168.25.139 102 tcp - 0.091408 935 424 RSTO - - 0 ShADdR 12 1427 6 668 (empty) 10 | #close 2016-06-24-11-51-39 11 | -------------------------------------------------------------------------------- /S7/S7-1511_db6w0_HMI/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-11-51-39 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466794299.006963 bro ip or not ip T T 10 | #close 2016-06-24-11-51-39 11 | -------------------------------------------------------------------------------- /S7/V13_1200_TP1200sim_MW100_Int_SPS_5s_MW102_Int_SPS_10s_MW102_ab_1000_Timer_sync/.state/state.bst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/S7/V13_1200_TP1200sim_MW100_Int_SPS_5s_MW102_Int_SPS_10s_MW102_ab_1000_Timer_sync/.state/state.bst -------------------------------------------------------------------------------- /S7/V13_1200_TP1200sim_MW100_Int_SPS_5s_MW102_Int_SPS_10s_MW102_ab_1000_Timer_sync/V13_1200_TP1200sim_MW100_Int_SPS_5s_MW102_Int_SPS_10s_MW102_ab_1000_Timer_sync.pcapng: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/S7/V13_1200_TP1200sim_MW100_Int_SPS_5s_MW102_Int_SPS_10s_MW102_ab_1000_Timer_sync/V13_1200_TP1200sim_MW100_Int_SPS_5s_MW102_Int_SPS_10s_MW102_ab_1000_Timer_sync.pcapng -------------------------------------------------------------------------------- 
/S7/V13_1200_TP1200sim_MW100_Int_SPS_5s_MW102_Int_SPS_10s_MW102_ab_1000_Timer_sync/conn.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path conn 6 | #open 2016-06-24-11-51-15 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents 8 | #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 9 | 1414243770.128254 CED9zmf1QODJTiFDe 192.168.1.35 49178 192.168.1.191 102 tcp - 0.110517 491 238 RSTO - - 0 ShADdaR 10 903 6 482 (empty) 10 | 1414243770.272661 CV4XZw96C4Irl5HB2 192.168.1.35 49179 192.168.1.191 102 tcp - 31.178161 1953 1942 RSTO - - 0 ShADdaR 70 4765 83 5266 (empty) 11 | #close 2016-06-24-11-51-15 12 | -------------------------------------------------------------------------------- /S7/V13_1200_TP1200sim_MW100_Int_SPS_5s_MW102_Int_SPS_10s_MW102_ab_1000_Timer_sync/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-11-51-15 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466794275.493515 bro ip or not ip T T 10 | #close 2016-06-24-11-51-15 11 | -------------------------------------------------------------------------------- /S7/V13_1200_TP1200sim_MW100_Int_SPS_5s_MW102_Int_SPS_10s_MW102_ab_1000_Timer_sync_FehlerbeiMW100/.state/state.bst: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/S7/V13_1200_TP1200sim_MW100_Int_SPS_5s_MW102_Int_SPS_10s_MW102_ab_1000_Timer_sync_FehlerbeiMW100/.state/state.bst -------------------------------------------------------------------------------- /S7/V13_1200_TP1200sim_MW100_Int_SPS_5s_MW102_Int_SPS_10s_MW102_ab_1000_Timer_sync_FehlerbeiMW100/V13_1200_TP1200sim_MW100_Int_SPS_5s_MW102_Int_SPS_10s_MW102_ab_1000_Timer_sync_FehlerbeiMW100.pcapng: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/S7/V13_1200_TP1200sim_MW100_Int_SPS_5s_MW102_Int_SPS_10s_MW102_ab_1000_Timer_sync_FehlerbeiMW100/V13_1200_TP1200sim_MW100_Int_SPS_5s_MW102_Int_SPS_10s_MW102_ab_1000_Timer_sync_FehlerbeiMW100.pcapng -------------------------------------------------------------------------------- /S7/V13_1200_TP1200sim_MW100_Int_SPS_5s_MW102_Int_SPS_10s_MW102_ab_1000_Timer_sync_FehlerbeiMW100/conn.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path conn 6 | #open 2016-06-24-11-51-15 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents 8 | #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 9 | 1414254478.125222 C3xmmW3ldGQmeA1eb2 192.168.1.35 49181 192.168.1.191 102 tcp - 0.105201 491 238 RSTO - - 0 ShADdaR 10 903 6 482 (empty) 10 | 1414254478.261496 CG4alG27OZUE9KdRd6 192.168.1.35 49182 192.168.1.191 102 tcp - 27.194831 1850 1850 RSTO - - 0 ShADdaR 64 4422 75 4854 (empty) 11 | #close 2016-06-24-11-51-15 12 | 
-------------------------------------------------------------------------------- /S7/V13_1200_TP1200sim_MW100_Int_SPS_5s_MW102_Int_SPS_10s_MW102_ab_1000_Timer_sync_FehlerbeiMW100/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-11-51-15 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466794275.284383 bro ip or not ip T T 10 | #close 2016-06-24-11-51-15 11 | -------------------------------------------------------------------------------- /S7/s7-1200-hmi/.state/state.bst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/S7/s7-1200-hmi/.state/state.bst -------------------------------------------------------------------------------- /S7/s7-1200-hmi/conn.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path conn 6 | #open 2016-06-24-11-51-38 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents 8 | #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 9 | 1412165336.989258 CYcpBO2hONWDD69XDf 192.168.25.177 53162 192.168.25.131 102 tcp - 7.114869 1627 2655 S1 - - 0 ShADda 54 5438 25 3659 (empty) 10 | #close 2016-06-24-11-51-38 11 | -------------------------------------------------------------------------------- /S7/s7-1200-hmi/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator 
, 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-11-51-38 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466794298.139551 bro ip or not ip T T 10 | #close 2016-06-24-11-51-38 11 | -------------------------------------------------------------------------------- /S7/s7-1200-hmi/s7-1200-hmi.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:b38ccaf183673619e7f5d69476293a01da743076a281c96e949f0f29a42d1650 3 | size 11559 4 | -------------------------------------------------------------------------------- /S7/s7comm_downloading_block_db1/.state/state.bst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/S7/s7comm_downloading_block_db1/.state/state.bst -------------------------------------------------------------------------------- /S7/s7comm_downloading_block_db1/conn.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path conn 6 | #open 2016-06-24-11-51-39 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents 8 | #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 9 | 1408528799.992327 CPOHFy2iz0eAyCG5xb 192.168.1.40 49176 192.168.1.10 102 tcp - - - - S0 - - 0 S 1 44 0 0 (empty) 10 | 1408528805.989465 CJJEftNBraKmqpmJ1 192.168.1.40 49176 192.168.1.10 102 tcp - - - - S0 - - 0 S 1 44 0 0 (empty) 11 | 1408528804.313545 CD7lRg4uYbP8YUMeDj 192.168.1.10 4186 192.168.1.40 102 tcp - 0.031444 168 228 RSTO - - 0 
ShADdR 12 660 6 472 (empty) 12 | 1408528803.878516 C7OOnP3FnnUj24Qmjg 192.168.1.10 4185 192.168.1.40 102 tcp - 0.426066 1209 1088 RSTO - - 0 ShADdaR 40 2821 21 1932 (empty) 13 | 1408528804.350055 CTPNgi3ob13dveaZJ6 192.168.1.10 4187 192.168.1.40 102 tcp - 0.015811 94 130 RSTO - - 0 ShADdR 8 426 4 294 (empty) 14 | #close 2016-06-24-11-51-39 15 | -------------------------------------------------------------------------------- /S7/s7comm_downloading_block_db1/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-11-51-39 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466794299.439420 bro ip or not ip T T 10 | #close 2016-06-24-11-51-39 11 | -------------------------------------------------------------------------------- /S7/s7comm_downloading_block_db1/s7comm_downloading_block_db1.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:48725bd1af7b778821351cd0f50f0ee259e438074a27f8431a8a1a3351dfd3d0 3 | size 9523 4 | -------------------------------------------------------------------------------- /S7/s7comm_program_blocklist_onlineview/.state/state.bst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/S7/s7comm_program_blocklist_onlineview/.state/state.bst -------------------------------------------------------------------------------- /S7/s7comm_program_blocklist_onlineview/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-11-51-39 7 | #fields ts node filter init 
success 8 | #types time string string bool bool 9 | 1466794299.658429 bro ip or not ip T T 10 | #close 2016-06-24-11-51-39 11 | -------------------------------------------------------------------------------- /S7/s7comm_program_blocklist_onlineview/s7comm_program_blocklist_onlineview.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:b2e7014362630b803b413dda595e4ba7a3a910105712f448c22dba517ec02851 3 | size 13981 4 | -------------------------------------------------------------------------------- /S7/s7comm_reading_plc_status/.state/state.bst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/S7/s7comm_reading_plc_status/.state/state.bst -------------------------------------------------------------------------------- /S7/s7comm_reading_plc_status/conn.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path conn 6 | #open 2016-06-24-11-51-39 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents 8 | #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 9 | 1408529120.002516 CFTSQyypLkT4Ywau4 192.168.1.40 49196 192.168.1.10 102 tcp - - - - S0 - - 0 S 1 44 0 0 (empty) 10 | 1408529125.999691 CcRo8d3gn0C3b07nLa 192.168.1.40 49196 192.168.1.10 102 tcp - - - - S0 - - 0 S 1 44 0 0 (empty) 11 | 1408529136.001830 Cxx6qB1CrZA7LeN7ml 192.168.1.40 49197 192.168.1.10 102 tcp - - - - S0 - - 0 S 1 44 0 0 (empty) 12 | 1408529141.998926 CV69pP195hAS37PVg6 192.168.1.40 49197 192.168.1.10 102 tcp - - 
- - S0 - - 0 S 1 44 0 0 (empty) 13 | 1408529128.768670 CikPqd4rXom0ZMGyzh 192.168.1.10 4305 192.168.1.40 102 tcp - 12.354935 2902 5278 RSTO - - 0 ShADdaR 148 8834 86 8722 (empty) 14 | #close 2016-06-24-11-51-39 15 | -------------------------------------------------------------------------------- /S7/s7comm_reading_plc_status/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-11-51-39 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466794299.876790 bro ip or not ip T T 10 | #close 2016-06-24-11-51-39 11 | -------------------------------------------------------------------------------- /S7/s7comm_reading_plc_status/s7comm_reading_plc_status.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:e71f81b471bd67da2fd6e40dc69a7179574ba66771c6150cd7bfe232cc07b8a9 3 | size 25112 4 | -------------------------------------------------------------------------------- /S7/s7comm_reading_setting_plc_time/.state/state.bst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/S7/s7comm_reading_setting_plc_time/.state/state.bst -------------------------------------------------------------------------------- /S7/s7comm_reading_setting_plc_time/conn.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path conn 6 | #open 2016-06-24-11-51-40 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts 
resp_ip_bytes tunnel_parents 8 | #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 9 | 1408528767.992700 CR8IsR3WCPUO9wNS44 192.168.1.40 49174 192.168.1.10 102 tcp - - - - S0 - - 0 S 1 44 0 0 (empty) 10 | 1408528773.987780 CVxTIv1IzTCQwPDt6f 192.168.1.40 49174 192.168.1.10 102 tcp - - - - S0 - - 0 S 1 44 0 0 (empty) 11 | 1408528771.456707 C3ISSO150pzgCHaOB2 192.168.1.10 4173 192.168.1.40 102 tcp - 3.902391 520 901 RSTO - - 0 ShADdaR 30 1732 21 1745 (empty) 12 | #close 2016-06-24-11-51-40 13 | -------------------------------------------------------------------------------- /S7/s7comm_reading_setting_plc_time/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-11-51-40 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466794300.090650 bro ip or not ip T T 10 | #close 2016-06-24-11-51-40 11 | -------------------------------------------------------------------------------- /S7/s7comm_reading_setting_plc_time/s7comm_reading_setting_plc_time.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:d74c1eca1f2039dadcccd43c212f649b293acf6a80db1560e9ee22aeabb4c5d4 3 | size 5355 4 | -------------------------------------------------------------------------------- /S7/s7comm_varservice_libnodavedemo/.state/state.bst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/S7/s7comm_varservice_libnodavedemo/.state/state.bst -------------------------------------------------------------------------------- /S7/s7comm_varservice_libnodavedemo/conn.log: 
-------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path conn 6 | #open 2016-06-24-11-51-40 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents 8 | #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 9 | 1408528975.998192 CSPM2MOO8NutholXe 192.168.1.40 49187 192.168.1.10 102 tcp - - - - S0 - - 0 S 1 44 0 0 (empty) 10 | 1408528981.996241 C5kLQa1zoYPwKazVQg 192.168.1.40 49187 192.168.1.10 102 tcp - - - - S0 - - 0 S 1 44 0 0 (empty) 11 | 1408528978.008261 ConJz91ZA1OG1LOVWh 192.168.1.10 4258 192.168.1.40 102 tcp - 0.070062 296 308 SF - - 0 ShADdFafr 13 828 14 872 (empty) 12 | #close 2016-06-24-11-51-40 13 | -------------------------------------------------------------------------------- /S7/s7comm_varservice_libnodavedemo/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-11-51-40 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466794300.522237 bro ip or not ip T T 10 | #close 2016-06-24-11-51-40 11 | -------------------------------------------------------------------------------- /S7/s7comm_varservice_libnodavedemo/s7comm_varservice_libnodavedemo.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:a1ff275c087fafbfdc8821ea59ab9bfb11f5adcc9ce6bb5888a1c4a4d7b6affc 3 | size 2846 4 | -------------------------------------------------------------------------------- 
/S7/s7comm_varservice_libnodavedemo_bench/.state/state.bst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/S7/s7comm_varservice_libnodavedemo_bench/.state/state.bst -------------------------------------------------------------------------------- /S7/s7comm_varservice_libnodavedemo_bench/conn.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path conn 6 | #open 2016-06-24-11-51-40 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents 8 | #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 9 | 1408529024.002329 C9Ecxt39DdwQTeuBPc 192.168.1.40 49190 192.168.1.10 102 tcp - - - - S0 - - 0 S 1 44 0 0 (empty) 10 | 1408529029.997402 CjyIYJ2RU8L0xDEtic 192.168.1.40 49190 192.168.1.10 102 tcp - - - - S0 - - 0 S 1 44 0 0 (empty) 11 | 1408529040.001566 C5JXtD2Lr4n75XfkRl 192.168.1.40 49191 192.168.1.10 102 tcp - - - - S0 - - 0 S 1 44 0 0 (empty) 12 | 1408529021.080446 Cnptj43iBbTXTi5weg 192.168.1.10 4272 192.168.1.40 102 tcp - 20.742209 423872 429878 SF - - 0 ShADdaFfr 5008 624204 5160 636282 (empty) 13 | #close 2016-06-24-11-51-40 14 | -------------------------------------------------------------------------------- /S7/s7comm_varservice_libnodavedemo_bench/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-11-51-40 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 
1466794300.304152 bro ip or not ip T T 10 | #close 2016-06-24-11-51-40 11 | -------------------------------------------------------------------------------- /S7/s7comm_varservice_libnodavedemo_bench/s7comm_varservice_libnodavedemo_bench.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:bdbacb1b09c621f23be1c4c55145aec24930b6fa5541e7f4626dab6a314f1308 3 | size 1566710 4 | -------------------------------------------------------------------------------- /TRIDIUM/.DS_Store: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/TRIDIUM/.DS_Store -------------------------------------------------------------------------------- /TRIDIUM/plugfest-tridium-1/.state/state.bst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/TRIDIUM/plugfest-tridium-1/.state/state.bst -------------------------------------------------------------------------------- /TRIDIUM/plugfest-tridium-1/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-12-10-15 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466795415.259809 bro ip or not ip T T 10 | #close 2016-06-24-12-10-15 11 | -------------------------------------------------------------------------------- /TRIDIUM/plugfest-tridium-1/plugfest-tridium-1.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:54646e0a5d134362d50295208074fa7913166e07352fb8011f3cdb801dd681af 3 | size 584872 4 | 
-------------------------------------------------------------------------------- /TRIDIUM/plugfest-tridium-2/.state/state.bst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/TRIDIUM/plugfest-tridium-2/.state/state.bst -------------------------------------------------------------------------------- /TRIDIUM/plugfest-tridium-2/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-12-10-15 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466795415.488715 bro ip or not ip T T 10 | #close 2016-06-24-12-10-15 11 | -------------------------------------------------------------------------------- /TRIDIUM/plugfest-tridium-2/plugfest-tridium-2.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:2effbe74bedc7db14c8c75a207051758c0ab6bc853717d57dbeb4e3dfbfb9a0b 3 | size 52776 4 | -------------------------------------------------------------------------------- /TRIDIUM/tridium-jace2/.state/state.bst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/automayt/ICS-pcap/13b7ae335529146b40535c2d7aa756886040d8ad/TRIDIUM/tridium-jace2/.state/state.bst -------------------------------------------------------------------------------- /TRIDIUM/tridium-jace2/packet_filter.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path packet_filter 6 | #open 2016-06-24-12-10-57 7 | #fields ts node filter init success 8 | #types time string string bool bool 9 | 1466795457.541196 bro 
ip or not ip T T 10 | #close 2016-06-24-12-10-58 11 | -------------------------------------------------------------------------------- /TRIDIUM/tridium-jace2/tridium-jace2.pcap: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:4f8ddcac19b462fcb5f6d7479e4a9b239abf51653a21577afd20ad40cb1991e1 3 | size 2168976 4 | --------------------------------------------------------------------------------