cisagov/icsnpp-ethercat

All ARP Traffic Is Being Logged

Opened this issue · 0 comments

๐Ÿ› Summary

Currently, all ARP traffic is being logged when this analyzer is enabled. Based on the description in the documentation...

This log captures ARP info that is passed through EoE (Ethernet over Ethercat) and logs it to ecat_arp_info.log.
(https://github.com/cisagov/icsnpp-ethercat#ecat-arp-info-ecat_arp_infolog)

...the expectation is that only Ethercat-related ARP traffic is logged.

It appears as though the standard arp_request and arp_reply events are being used to write to ecat_arp_info.log, with no additional qualifiers or filters that would apply to only Ethercat traffic:

https://github.com/cisagov/icsnpp-ethercat/blob/main/scripts/icsnpp/ethercat/main.zeek#L303

To reproduce

Steps to reproduce the behavior:

  1. Enable/install the Ethercat analyzer/plugin.
  2. Replay any ARP traffic.
  3. Review ecat_arp_info.log for records.

Expected behavior

I only expect to see ARP traffic relative to Ethercat traffic being logged.