Re: [Zeek-Dev] connection $history - 'g' for gap
I like the idea of logging gap ranges for a connection. Could a vector be used to store gap start and gap stop offsets?

-AK

On Tue, Apr 9, 2019, 11:01 Jim Mellander wrote:

> Thanks. I was thinking of something a bit different - the total amount of the content gap is useful, but in some cases it might be useful to know where the content gaps occurred, whether in the head of the connection, which likely is impactful for protocol analysis, or in a long tail, where it probably doesn't affect analysis.
>
> Perhaps some tunable setting indicating that "I only care about content gaps in the first 10K (or whatever) of the connection" could address that...
>
> On Tue, Apr 9, 2019 at 9:36 AM Justin Azoff wrote:
>
> > On Mon, Apr 8, 2019 at 8:13 PM Jim Mellander wrote:
> >
> > > It might be valuable to have some (optional) way of accessing the byte counts constituting the content gap(s). If the content gap is somewhere in a long tail, but DPD still fails, then the explanation could be something other than a content gap.
> > >
> > > On the other hand, maybe you're just thinking about content gaps at the head of a connection before it has been fully analyzed.
> >
> > This is the missed_bytes field:
> >
> > missed_bytes: count = 0
> >
> > Indicates the number of bytes missed in content gaps, which is representative of packet loss. A value other than zero will normally cause protocol analysis to fail but some analysis may have been completed prior to the packet loss.
> >
> > --
> > Justin

___
zeek-dev mailing list
zeek-dev@zeek.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/zeek-dev
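A sketch of the gap-range idea discussed in this message, as an added example (not code from the thread or from Zeek itself): a Zeek script that records per-direction gap start/stop offsets next to the existing missed_bytes total, with a head-of-connection cutoff as Jim suggested. It assumes that content_gap's `seq` is the relative stream offset and that the base conn script's own content_gap handler has already created c$conn; the names ConnGaps, head_bytes, max_ranges, orig_gaps, resp_gaps and record_gap are chosen here.

```zeek
# Added example, not Zeek's own code: record where content gaps occur.
@load base/protocols/conn

module ConnGaps;

export {
	## Keep only gaps starting within this many bytes of the stream head
	## (0 = keep all), per the "first 10K of the connection" idea above.
	const head_bytes: count = 10240 &redef;
	## Upper bound on ranges kept per direction, so a very lossy
	## connection cannot grow the record without limit.
	const max_ranges: count = 16 &redef;
}

redef record Conn::Info += {
	## Alternating start,stop stream offsets of originator-side gaps.
	orig_gaps: vector of count &log &optional;
	## Same for responder-side gaps.
	resp_gaps: vector of count &log &optional;
};

function record_gap(c: connection, is_orig: bool, seq: count, length: count)
	{
	if ( is_orig && ! c$conn?$orig_gaps )
		c$conn$orig_gaps = vector();
	if ( ! is_orig && ! c$conn?$resp_gaps )
		c$conn$resp_gaps = vector();

	# Vectors are reference types, so appending here updates c$conn.
	local v = is_orig ? c$conn$orig_gaps : c$conn$resp_gaps;
	if ( |v| >= 2 * max_ranges )
		return;
	v[|v|] = seq;
	v[|v|] = seq + length;
	}

# Assumed: `seq` is the relative stream offset, and the base conn script's
# handler (default priority, so it runs first) has already created c$conn
# and added `length` to missed_bytes.
event content_gap(c: connection, is_orig: bool, seq: count, length: count) &priority=-5
	{
	if ( ! c?$conn )
		return;
	# Gaps in a long tail rarely affect analysis; skip them when only the
	# head of the connection matters.
	if ( head_bytes > 0 && seq > head_bytes )
		return;
	record_gap(c, is_orig, seq, length);
	}
```

With this loaded, a conn.log row whose history contains 'g' also carries the offsets of the gaps that set it, so a DPD failure can be checked against where the loss actually happened.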
Re: [Zeek-Dev] Writing a Protocol Analyzer Plugin
I'm sure there is at least one other Carl Sagan fan on list. I feel like if I wish to make an analyzer from scratch, I must first invent the universe.

-AK

On Wed, Mar 13, 2019, 15:44 anthony kasza wrote:

> I tried changing the name provided to the setup script as suggested. Doing so gives me many errors when I try to ./configure the plugin from within the conn-taste/ directory. CMake states that DEMO::CONNTASTE-events.bif is "reserved or not valid for certain CMake features". It complains about many of the file names.
>
> Additionally, all the files in conn-taste/src/ look like DEMO::CONNTASTE.cc :(
>
> -AK
>
> On Wed, Mar 13, 2019, 13:43 Michael Dopheide wrote:
>
> > I believe you want to change this line:
> >
> > ./start.py ConnTaste "Connection Byte Offset Tasting" ...
> >
> > to
> >
> > ./start.py Demo::ConnTaste "Connection Byte Offset Tasting" ...
> >
> > -Dop
> >
> > On Wed, Mar 13, 2019 at 2:35 PM anthony kasza wrote:
> >
> > > Many thanks for the quick responses!
> > >
> > > I am receiving these errors:
> > > ```
> > > error in /usr/local/bro/share/bro/base/init-bare.bro, line 1: plugin Demo::ConnTaste is not available
> > > fatal error in /usr/local/bro/share/bro/base/init-bare.bro, line 1: Failed to activate requested dynamic plugin(s).
> > > ```
> > >
> > > After executing these commands:
> > > ```
> > > git clone --recursive https://github.com/zeek/zeek.git
> > > cd zeek
> > > ./configure
> > > make
> > > DIST=`pwd`
> > >
> > > cd aux/bro-aux/plugin-support
> > > ./init-plugin -u ./conn-taste Demo ConnTaste
> > > BRO_PLUGIN_PATH=`pwd`
> > >
> > > cd ${DIST}
> > > cd ../
> > > git clone https://github.com/esnet/binpac_quickstart.git
> > > cd binpac_quickstart
> > > pip install docopt jinja2
> > > ./start.py ConnTaste "Connection Byte Offset Tasting" ${BRO_PLUGIN_PATH}/conn-taste/ --tcp --buffered --plugin
> > >
> > > cd ${BRO_PLUGIN_PATH}/conn-taste
> > > ./configure --bro-dist=${DIST}
> > > make
> > >
> > > cd ${DIST}
> > > ./configure
> > > make
> > > make install
> > >
> > > bro -NN Demo::ConnTaste
> > > ```
> > >
> > > I'm guessing there is some environment variable I am missing as I tried zeek/testing/btest/plugins/protocol.bro as Robin suggested and the @TEST-EXEC statements worked as expected.
> > >
> > > -AK
> > >
> > > On Wed, Mar 13, 2019, 09:51 Vlad Grigorescu wrote:
> > >
> > > > On Wed, Mar 13, 2019 at 10:17 AM anthony kasza wrote:
> > > >
> > > > > However, the docs don't detail much beyond creating a built-in function. A colleague pointed me at this quickstart script for binpac: https://github.com/grigorescu/binpac_quickstart
> > > >
> > > > Oops! Sorry about that. Try this one: https://github.com/esnet/binpac_quickstart
> > > >
> > > > That has a '--plugin' option. That will at least get the boilerplate stuff built, and then you can start digging into the protocol specifics.
> > > >
> > > > --Vlad
Re: [Zeek-Dev] Writing a Protocol Analyzer Plugin
I tried changing the name provided to the setup script as suggested. Doing so gives me many errors when I try to ./configure the plugin from within the conn-taste/ directory. CMake states that DEMO::CONNTASTE-events.bif is "reserved or not valid for certain CMake features". It complains about many of the file names.

Additionally, all the files in conn-taste/src/ look like DEMO::CONNTASTE.cc :(

-AK

On Wed, Mar 13, 2019, 13:43 Michael Dopheide wrote:

> I believe you want to change this line:
>
> ./start.py ConnTaste "Connection Byte Offset Tasting" ...
>
> to
>
> ./start.py Demo::ConnTaste "Connection Byte Offset Tasting" ...
>
> -Dop
>
> On Wed, Mar 13, 2019 at 2:35 PM anthony kasza wrote:
>
> > Many thanks for the quick responses!
> >
> > I am receiving these errors:
> > ```
> > error in /usr/local/bro/share/bro/base/init-bare.bro, line 1: plugin Demo::ConnTaste is not available
> > fatal error in /usr/local/bro/share/bro/base/init-bare.bro, line 1: Failed to activate requested dynamic plugin(s).
> > ```
> >
> > After executing these commands:
> > ```
> > git clone --recursive https://github.com/zeek/zeek.git
> > cd zeek
> > ./configure
> > make
> > DIST=`pwd`
> >
> > cd aux/bro-aux/plugin-support
> > ./init-plugin -u ./conn-taste Demo ConnTaste
> > BRO_PLUGIN_PATH=`pwd`
> >
> > cd ${DIST}
> > cd ../
> > git clone https://github.com/esnet/binpac_quickstart.git
> > cd binpac_quickstart
> > pip install docopt jinja2
> > ./start.py ConnTaste "Connection Byte Offset Tasting" ${BRO_PLUGIN_PATH}/conn-taste/ --tcp --buffered --plugin
> >
> > cd ${BRO_PLUGIN_PATH}/conn-taste
> > ./configure --bro-dist=${DIST}
> > make
> >
> > cd ${DIST}
> > ./configure
> > make
> > make install
> >
> > bro -NN Demo::ConnTaste
> > ```
> >
> > I'm guessing there is some environment variable I am missing as I tried zeek/testing/btest/plugins/protocol.bro as Robin suggested and the @TEST-EXEC statements worked as expected.
> >
> > -AK
> >
> > On Wed, Mar 13, 2019, 09:51 Vlad Grigorescu wrote:
> >
> > > On Wed, Mar 13, 2019 at 10:17 AM anthony kasza wrote:
> > >
> > > > However, the docs don't detail much beyond creating a built-in function. A colleague pointed me at this quickstart script for binpac: https://github.com/grigorescu/binpac_quickstart
> > >
> > > Oops! Sorry about that. Try this one: https://github.com/esnet/binpac_quickstart
> > >
> > > That has a '--plugin' option. That will at least get the boilerplate stuff built, and then you can start digging into the protocol specifics.
> > >
> > > --Vlad
Re: [Zeek-Dev] Writing a Protocol Analyzer Plugin
Many thanks for the quick responses!

I am receiving these errors:
```
error in /usr/local/bro/share/bro/base/init-bare.bro, line 1: plugin Demo::ConnTaste is not available
fatal error in /usr/local/bro/share/bro/base/init-bare.bro, line 1: Failed to activate requested dynamic plugin(s).
```

After executing these commands:
```
git clone --recursive https://github.com/zeek/zeek.git
cd zeek
./configure
make
DIST=`pwd`

cd aux/bro-aux/plugin-support
./init-plugin -u ./conn-taste Demo ConnTaste
BRO_PLUGIN_PATH=`pwd`

cd ${DIST}
cd ../
git clone https://github.com/esnet/binpac_quickstart.git
cd binpac_quickstart
pip install docopt jinja2
./start.py ConnTaste "Connection Byte Offset Tasting" ${BRO_PLUGIN_PATH}/conn-taste/ --tcp --buffered --plugin

cd ${BRO_PLUGIN_PATH}/conn-taste
./configure --bro-dist=${DIST}
make

cd ${DIST}
./configure
make
make install

bro -NN Demo::ConnTaste
```

I'm guessing there is some environment variable I am missing as I tried zeek/testing/btest/plugins/protocol.bro as Robin suggested and the @TEST-EXEC statements worked as expected.

-AK

On Wed, Mar 13, 2019, 09:51 Vlad Grigorescu wrote:

> On Wed, Mar 13, 2019 at 10:17 AM anthony kasza wrote:
>
> > However, the docs don't detail much beyond creating a built-in function. A colleague pointed me at this quickstart script for binpac: https://github.com/grigorescu/binpac_quickstart
>
> Oops! Sorry about that. Try this one: https://github.com/esnet/binpac_quickstart
>
> That has a '--plugin' option. That will at least get the boilerplate stuff built, and then you can start digging into the protocol specifics.
>
> --Vlad
[Zeek-Dev] Writing a Protocol Analyzer Plugin
Hello Zeek Devs,

I would like to write a protocol analyzer and need some direction. I would like to write something simple which works on TCP, similar to the ConnSize analyzer. I would like my analyzer to be distributed as a plugin, similar to MITRE's HTTP2 analyzer, so I am following the docs here: https://docs.zeek.org/en/stable/devel/plugins.html

However, the docs don't detail much beyond creating a built-in function. A colleague pointed me at this quickstart script for binpac: https://github.com/grigorescu/binpac_quickstart

The quickstart script seems to be intended for writing a protocol analyzer which gets merged into the Zeek source. This is not how plugins operate. I'm looking for some guidance on how to proceed.

Thanks in advance.

-AK