Re: [Zeek-Dev] Writing a Protocol Analyzer Plugin
Okay, with your original line for quickstart, this works rather than Demo::ConnTaste.

```
bash-3.2# /usr/local/bro/bin/bro -NN Bro::CONNTASTE
Bro::CONNTASTE - This thing analyzer (dynamic, no version information)
    [Analyzer] CONNTASTE (ANALYZER_CONNTASTE, enabled)
    [Event] conntaste_event
```

So we've got some plugin naming issues to deal with, which I hope to work out tomorrow. It shouldn't be about reinventing the universe, binpac is hard enough. :)

-Dop

On Wed, Mar 13, 2019 at 4:44 PM anthony kasza wrote:

> I tried changing the name provided to the setup script as suggested. Doing so gives me many errors when I try to ./configure the plugin from within the conn-taste/ directory. CMake states that DEMO::CONNTASTE-events.bif is "reserved or not valid for certain CMake features". It complains about many of the file names.
>
> Additionally, all the files in conn-taste/src/ look like DEMO::CONNTASTE.cc :(
>
> -AK

___
zeek-dev mailing list
zeek-dev@zeek.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/zeek-dev
Re: [Zeek-Dev] Writing a Protocol Analyzer Plugin
I'm sure there is at least one other Carl Sagan fan on list. I feel like if I wish to make an analyzer from scratch, I must first invent the universe.

-AK

On Wed, Mar 13, 2019, 15:44 anthony kasza wrote:

> I tried changing the name provided to the setup script as suggested. Doing so gives me many errors when I try to ./configure the plugin from within the conn-taste/ directory. CMake states that DEMO::CONNTASTE-events.bif is "reserved or not valid for certain CMake features". It complains about many of the file names.
>
> Additionally, all the files in conn-taste/src/ look like DEMO::CONNTASTE.cc :(
>
> -AK
Re: [Zeek-Dev] Writing a Protocol Analyzer Plugin
I tried changing the name provided to the setup script as suggested. Doing so gives me many errors when I try to ./configure the plugin from within the conn-taste/ directory. CMake states that DEMO::CONNTASTE-events.bif is "reserved or not valid for certain CMake features". It complains about many of the file names.

Additionally, all the files in conn-taste/src/ look like DEMO::CONNTASTE.cc :(

-AK

On Wed, Mar 13, 2019, 13:43 Michael Dopheide wrote:

> I believe you want to change this line:
>
> ./start.py ConnTaste "Connection Byte Offset Tasting" ...
>
> to
>
> ./start.py Demo::ConnTaste "Connection Byte Offset Tasting" ...
>
> -Dop
Re: [Zeek-Dev] Writing a Protocol Analyzer Plugin
I believe you want to change this line:

```
./start.py ConnTaste "Connection Byte Offset Tasting" ...
```

to

```
./start.py Demo::ConnTaste "Connection Byte Offset Tasting" ...
```

-Dop

On Wed, Mar 13, 2019 at 2:35 PM anthony kasza wrote:

> Many thanks for the quick responses!
>
> I am receiving these errors:
> ```
> error in /usr/local/bro/share/bro/base/init-bare.bro, line 1: plugin Demo::ConnTaste is not available
> fatal error in /usr/local/bro/share/bro/base/init-bare.bro, line 1: Failed to activate requested dynamic plugin(s).
> ```
>
> After executing these commands:
> ```
> git clone --recursive https://github.com/zeek/zeek.git
> cd zeek
> ./configure
> make
> DIST=`pwd`
>
> cd aux/bro-aux/plugin-support
> ./init-plugin -u ./conn-taste Demo ConnTaste
> BRO_PLUGIN_PATH=`pwd`
>
> cd ${DIST}
> cd ../
> git clone https://github.com/esnet/binpac_quickstart.git
> cd binpac_quickstart
> pip install docopt jinja2
> ./start.py ConnTaste "Connection Byte Offset Tasting" ${BRO_PLUGIN_PATH}/conn-taste/ --tcp --buffered --plugin
>
> cd ${BRO_PLUGIN_PATH}/conn-taste
> ./configure --bro-dist=${DIST}
> make
>
> cd ${DIST}
> ./configure
> make
> make install
>
> bro -NN Demo::ConnTaste
> ```
>
> I'm guessing there is some environment variable I am missing as I tried zeek/testing/btest/plugins/protocol.bro as Robin suggested and the @TEST-EXEC statements worked as expected.
>
> -AK
Re: [Zeek-Dev] Writing a Protocol Analyzer Plugin
Many thanks for the quick responses!

I am receiving these errors:

```
error in /usr/local/bro/share/bro/base/init-bare.bro, line 1: plugin Demo::ConnTaste is not available
fatal error in /usr/local/bro/share/bro/base/init-bare.bro, line 1: Failed to activate requested dynamic plugin(s).
```

After executing these commands:

```
git clone --recursive https://github.com/zeek/zeek.git
cd zeek
./configure
make
DIST=`pwd`

cd aux/bro-aux/plugin-support
./init-plugin -u ./conn-taste Demo ConnTaste
BRO_PLUGIN_PATH=`pwd`

cd ${DIST}
cd ../
git clone https://github.com/esnet/binpac_quickstart.git
cd binpac_quickstart
pip install docopt jinja2
./start.py ConnTaste "Connection Byte Offset Tasting" ${BRO_PLUGIN_PATH}/conn-taste/ --tcp --buffered --plugin

cd ${BRO_PLUGIN_PATH}/conn-taste
./configure --bro-dist=${DIST}
make

cd ${DIST}
./configure
make
make install

bro -NN Demo::ConnTaste
```

I'm guessing there is some environment variable I am missing as I tried zeek/testing/btest/plugins/protocol.bro as Robin suggested and the @TEST-EXEC statements worked as expected.

-AK

On Wed, Mar 13, 2019, 09:51 Vlad Grigorescu wrote:

> On Wed, Mar 13, 2019 at 10:17 AM anthony kasza wrote:
>
> > However, the docs don't detail much beyond creating a built-in function. A colleague pointed me at this quickstart script for binpac: https://github.com/grigorescu/binpac_quickstart
>
> Oops! Sorry about that. Try this one: https://github.com/esnet/binpac_quickstart
>
> That has a '--plugin' option. That will at least get the boilerplate stuff built, and then you can start digging into the protocol specifics.
>
> --Vlad
Re: [Zeek-Dev] Using a BiF across C++ and Zeek Policy
On Wed, Mar 13, 2019 at 11:48 AM Jan Grashöfer wrote:

> On 12/03/2019 17:15, zeo...@gmail.com wrote:
> > I am working on improving the btests for the kafka writer plugin with the goal of validating some logic in KafkaWriter::DoInit. The best approach that I have so far is to write a BiF and use it in both DoInit and the btest via Zeek policy, but I have only been able to find limited documentation[1][2] on the topic.
>
> If you just need to wrap some internal logic you could extract it into a normal C++ function and use a BiF to call that function out of a Bro-Script.

Re-reading the problem statement, I agree that does seem like all that may be needed -- factor out a common C++ function that gets called from inside both the BIF and the DoInit() function.

- Jon
Re: [Zeek-Dev] Using a BiF across C++ and Zeek Policy
On 12/03/2019 17:15, zeo...@gmail.com wrote:

> I am working on improving the btests for the kafka writer plugin with the goal of validating some logic in KafkaWriter::DoInit. The best approach that I have so far is to write a BiF and use it in both DoInit and the btest via Zeek policy, but I have only been able to find limited documentation[1][2] on the topic.

If you just need to wrap some internal logic you could extract it into a normal C++ function and use a BiF to call that function out of a Bro-Script.

Jan
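The refactoring Jan and Jon describe, written out as an added example (this is not code from the kafka writer plugin or from Zeek): the logic that DoInit() has to check lives in a plain C++ function with no Zeek dependencies, and both DoInit() and a BiF become thin wrappers around it, so a btest can drive the same code path from a Zeek script. The thread does not say what KafkaWriter::DoInit actually validates, so the topic-name check below is a hypothetical stand-in; its rules are Kafka's own topic naming constraints (1 to 249 characters, only `[a-zA-Z0-9._-]`, and neither `.` nor `..`). The Zeek glue is shown only in comments because it needs the Zeek headers and bifcl; the `val_mgr->GetBool()` and `CheckString()` calls are the Zeek 3.0-era API and are an assumption about the reader's Zeek version.

```cpp
// Added example: a shared C++ validation routine that both
// KafkaWriter::DoInit() and a BiF can call. Not code from the
// kafka writer plugin; the topic-name rule is a hypothetical
// stand-in for whatever DoInit really validates.
#include <cctype>
#include <cstdio>
#include <string>

namespace kafka_config {

// Kafka's topic naming constraints: non-empty, at most 249 chars,
// only [a-zA-Z0-9._-], and not the reserved names "." or "..".
// Pure C++ so it can be unit-tested (or BiF-tested) without Zeek.
inline bool IsValidTopicName(const std::string& topic)
	{
	if ( topic.empty() || topic.size() > 249 )
		return false;

	if ( topic == "." || topic == ".." )
		return false;

	for ( unsigned char c : topic )
		{
		if ( std::isalnum(c) || c == '.' || c == '_' || c == '-' )
			continue;

		return false;
		}

	return true;
	}

} // namespace kafka_config

// Glue, as comments (needs Zeek headers/bifcl, so not compiled here):
//
//   // In KafkaWriter::DoInit(), before touching librdkafka:
//   if ( ! kafka_config::IsValidTopicName(topic_name) )
//       {
//       Error("invalid Kafka topic name");
//       return false;
//       }
//
//   // In the plugin's .bif file; the btest calls this from Zeek script:
//   function Kafka::is_valid_topic_name%(topic: string%): bool
//       %{
//       return val_mgr->GetBool(
//           kafka_config::IsValidTopicName(topic->CheckString()));
//       %}

// Stand-alone check so the example runs on its own.
int main()
	{
	// Constructed sample inputs.
	const char* names[] = { "zeek_conn.log", "bad topic", ".." };
	for ( const char* n : names )
		std::printf("%-14s -> %s\n", n,
		            kafka_config::IsValidTopicName(n) ? "valid" : "invalid");
	return 0;
	}
```

Keeping the rule in a namespace-level inline function, rather than as a private method of KafkaWriter, is what makes the BiF possible: the .bif can include the header without pulling in the writer class or its librdkafka state.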
Re: [Zeek-Dev] Writing a Protocol Analyzer Plugin
On Wed, Mar 13, 2019 at 10:17 AM anthony kasza wrote:

> However, the docs don't detail much beyond creating a built-in function. A colleague pointed me at this quickstart script for binpac: https://github.com/grigorescu/binpac_quickstart

Oops! Sorry about that. Try this one: https://github.com/esnet/binpac_quickstart

That has a '--plugin' option. That will at least get the boilerplate stuff built, and then you can start digging into the protocol specifics.

--Vlad
Re: [Zeek-Dev] Writing a Protocol Analyzer Plugin
See if this helps:

https://github.com/zeek/zeek/blob/master/testing/btest/plugins/protocol.bro

That may be the most compact tutorial on writing a protocol analyzer plugin. :)

Robin

On Wed, Mar 13, 2019 at 09:16 -0600, anthony kasza wrote:

> Hello Zeek Devs,
>
> I would like to write a protocol analyzer and need some direction. I would like to write something simple which works on TCP, similar to the ConnSize analyzer. I would like my analyzer to be distributed as a plugin, similar to MITRE's HTTP2 analyzer, so I am following the docs here: https://docs.zeek.org/en/stable/devel/plugins.html
>
> However, the docs don't detail much beyond creating a built-in function. A colleague pointed me at this quickstart script for binpac: https://github.com/grigorescu/binpac_quickstart
>
> The quickstart script seems to be intended for writing a protocol analyzer which gets merged into the Zeek source. This is not how plugins operate.
>
> I'm looking for some guidance on how to proceed. Thanks in advance.
>
> -AK

--
Robin Sommer * Corelight, Inc. * ro...@corelight.com * www.corelight.com
[Zeek-Dev] Writing a Protocol Analyzer Plugin
Hello Zeek Devs,

I would like to write a protocol analyzer and need some direction. I would like to write something simple which works on TCP, similar to the ConnSize analyzer. I would like my analyzer to be distributed as a plugin, similar to MITRE's HTTP2 analyzer, so I am following the docs here: https://docs.zeek.org/en/stable/devel/plugins.html

However, the docs don't detail much beyond creating a built-in function. A colleague pointed me at this quickstart script for binpac: https://github.com/grigorescu/binpac_quickstart

The quickstart script seems to be intended for writing a protocol analyzer which gets merged into the Zeek source. This is not how plugins operate.

I'm looking for some guidance on how to proceed. Thanks in advance.

-AK