Skip to content

letsgetweird/brick

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

33 Commits
.github
.github
 
 
app
app
 
 
sample-pcaps
sample-pcaps
 
 
scripts
scripts
 
 
.gitignore
.gitignore
 
 
Dockerfile.zeek
Dockerfile.zeek
 
 
LICENSE
LICENSE
 
 
NOTICE
NOTICE
 
 
compose.yaml
compose.yaml
 
 
reset.sh
reset.sh
 
 

Repository files navigation

🧱 Brick

Brick is a lightweight, open-source ICS asset discovery tool for industrial networks built with Claude.

Built on Zeek with CISA's ICSNPP plugins, Brick analyzes network captures to identify Modbus, EtherNet/IP, and S7comm devices, providing a simple asset inventory for compliance and network visibility.

Perfect for smaller facilities that need basic asset discovery without enterprise complexity or cost.

License Zeek Python

Why Brick?

After spending time reviewing existing ICS tooling such as GRASSMARLIN and CISA's Malcolm, I saw a need for a lightweight tool that could be utilzed for simple ICS asset inventory for budget-constrained organizations. A lot of tools in this space are either overkill for something as simple as an asset inventory or exist as a paid product (usually from the hardware vendor). There is no special sauce here, this tool is simply glue for the hard work and effort others have put in.

  • Simple - Upload PCAP and view results
  • Effective - Easy to navigate with actionable information upfront
  • Open Source - Community reviewable and contributor-friendly

UI Showcase

Architecture

Brick consists of two main containers:

  1. Zeek Container: Runs Zeek with ICSNPP plugins for industrial protocol analysis
  2. NiceGUI Container: Provides the web interface and manages the SQLite database
┌─────────────────────────────────────────────────────────┐
│                       Brick System                      │
├─────────────────────────────────────────────────────────┤
│  Web Interface (NiceGUI)          Zeek Analyzer         │
│  ├─ Asset Cards                   ├─ Modbus Parser      │
│  ├─ Connection View               ├─ EtherNet/IP Parser │
│  ├─ PCAP Upload                   ├─ S7comm Parser      │
│  └─ SQLite Database               └─ JSON Logging       │
└─────────────────────────────────────────────────────────┘

Quick Start

Prerequisites

  • Podman or Docker
  • Podman Compose or Docker Compose
  • 2GB+ free RAM
  • Linux recommended (tested on Ubuntu 24.04 LTS)

Note: macOS and Windows with Docker Desktop should work but are untested. Feedback welcome!

Installation

  1. Clone the repository:

    git clone https://github.com/letsgetweird/brick.git
cd brick

  2. Start the containers:

    podman-compose up -d
# or
docker-compose up -d
# or
./reset.sh (just a simple bash script for redeploying with podman)

  3. Access the web interface: Open your browser to http://localhost:8080

  4. Upload a PCAP file

Testing with Sample Data

Brick includes sample PCAPs in sample-pcaps/:

# Upload these via the web interface:
sample-pcaps/modbus-sample.pcap
sample-pcaps/enip-sample.pcap
sample-pcaps/s7comm-sample.pcap

See sample-pcaps/README.md for sources.

Custom Zeek Scripts

Add custom Zeek scripts to the scripts/ directory. They will be automatically loaded on container startup.

Usage Examples

Analyzing a PCAP File

  1. Click "Upload PCAP" in the web interface
  2. Select your capture file
  3. Wait for processing to complete
  4. View discovered assets in the dashboard

Reset Development Environment

./reset.sh

This script stops containers, removes volumes, and cleans up temporary files.

Supported Protocols

Brick currently supports the following industrial protocols via CISA ICSNPP plugins:

Protocol Plugin Common Use Cases
Modbus icsnpp-modbus PLCs, RTUs, SCADA systems
EtherNet/IP icsnpp-enip Allen-Bradley PLCs, industrial Ethernet
S7comm icsnpp-s7comm Siemens PLCs (S7-300, S7-400, S7-1200, S7-1500)

Roadmap

  • ?

Contributing

Contributions welcome!

  • Found a bug? Open an issue
  • Have an idea? Open an issue to discuss
  • Want to code? Fork, make changes, open a PR

No formal process yet - just be respectful and we'll figure it out together.

License

This project is licensed under the Apache License 2.0 - see the LICENSE file for details.

Key points:

  • ✅ Commercial use allowed
  • ✅ Modification allowed
  • ✅ Distribution allowed
  • ✅ Patent grant included
  • ✅ Private use allowed
  • ⚠️ Must include copyright notice and license
  • ⚠️ Must state changes made to code
  • ⚠️ Must include NOTICE file if distributed

Acknowledgments

Built with Zeek, CISA's ICSNPP plugins, and NiceGUI.

Support

Disclaimer

Brick is provided for legitimate security testing and network monitoring purposes only. Users are responsible for ensuring they have appropriate authorization before analyzing network traffic. The authors assume no liability for misuse of this tool.

This tool is designed for trusted, local networks only.

  • Do not expose the web UI (port 8080) to untrusted networks
  • Only process PCAPs from trusted sources
  • The tool performs passive analysis and does not interact with live networks

About

Open-source ICS asset discovery tool

Topics

modbus ics brick zeek industrial-control-systems s7comm

Resources

Readme

License

Apache-2.0 license
Activity

Stars

2 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

1 tags

Packages

No packages published

Languages