├── .cmake-format.json
├── .github
└── workflows
│ ├── check.yml
│ └── pre-commit.yml
├── .gitignore
├── .mdlrc
├── .pre-commit-config.yaml
├── .update-changes.cfg
├── CHANGES
├── LICENSE
├── README.md
└── zkg.meta
/.cmake-format.json:
--------------------------------------------------------------------------------
1 | {
2 | "parse": {
3 | "additional_commands": {
4 | "spicy_add_analyzer": {
5 | "kwargs": {
6 | "NAME": "*",
7 | "PACKAGE_NAME": "*",
8 | "SOURCES": "*",
9 | "SCRIPTS": "*"
10 | }
11 | }
12 | }
13 | },
14 | "format": {
15 | "line_width": 100,
16 | "tab_size": 4,
17 | "separate_ctrl_name_with_space": true,
18 | "max_subgroups_hwrap": 3
19 | },
20 | "markup": {
21 | "enable_markup": false
22 | },
23 | "lint": {
24 | "disabled_codes": ["C0103"]
25 | }
26 | }
27 |
--------------------------------------------------------------------------------
/.github/workflows/check.yml:
--------------------------------------------------------------------------------
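name: Check

on:  # yamllint disable-line rule:truthy
  pull_request:
  push:
    branches: [main]

# Least privilege for the job's GITHUB_TOKEN: the steps below only read the
# checkout and never push, comment or publish, so read access to the
# repository contents is all that is needed.
permissions:
  contents: read

jobs:
  Check:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        # Run against both the latest Zeek release and the development snapshot.
        container:
          - zeek/zeek
          - zeek/zeek-dev
    container: ${{ matrix.container }}

    steps:
      # Actions are referenced by moving tags; pinning to a full commit SHA
      # would make the workflow's supply chain reproducible.
      - uses: actions/checkout@v2
      - name: Install build dependencies
        run: |
          apt-get update
          apt-get install -y cmake g++ libpcap-dev

      - name: Install
        run: |
          # The checkout is performed as a different user than the one running
          # inside the container; without this git refuses to touch the tree.
          # $PWD is quoted so a path containing whitespace cannot be split.
          git config --global --add safe.directory "$PWD"
          git clean -fd
          # `zkg env` emits shell assignments (presumably ZEEKPATH and friends
          # for the image's Zeek); evaluate them so the install is picked up.
          eval $(zkg env)
          echo Y | zkg -vvvvv install .

      - name: Check install
        run: |
          zeek -NN local

      - name: Show logs
        # Run even if an earlier step failed so the zkg logs are visible.
        if: always()
        run: |
          tail -n 1000000 $(zkg config state_dir)/logs/*.log $(zkg config state_dir)/testing/*/clones/*/zkg.*.stderr || true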
40 |
--------------------------------------------------------------------------------
/.github/workflows/pre-commit.yml:
--------------------------------------------------------------------------------
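name: pre-commit

on:  # yamllint disable-line rule:truthy
  pull_request:
  push:
    branches: [main]

# Least privilege for the job's GITHUB_TOKEN: the job only checks out the
# repository and runs pre-commit; it does not push or comment.
permissions:
  contents: read

jobs:
  pre-commit:
    runs-on: ubuntu-latest
    steps:
      # Actions are referenced by moving tags; pinning to a full commit SHA
      # would make the workflow's supply chain reproducible.
      - uses: actions/checkout@v2
      - uses: actions/setup-python@v2
      - uses: pre-commit/action@v2.0.3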
15 |
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | build
2 | .idea/
3 | cmake-build-debug/
4 | .DS_Store
5 | *.swp
6 | *.tmp
7 |
--------------------------------------------------------------------------------
/.mdlrc:
--------------------------------------------------------------------------------
1 | rules "~MD033", "~MD013", "~MD046", "~MD010"
2 |
--------------------------------------------------------------------------------
/.pre-commit-config.yaml:
--------------------------------------------------------------------------------
# See https://pre-commit.com for more information
# See https://pre-commit.com/hooks.html for more hooks
repos:
  # Generic hygiene hooks maintained by the pre-commit project.
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v4.0.1
    hooks:
      - id: trailing-whitespace
      - id: end-of-file-fixer
      - id: check-yaml
      - id: check-added-large-files

  # Markdown linting; the rules to skip are listed in the repository's .mdlrc.
  - repo: https://github.com/markdownlint/markdownlint
    rev: v0.11.0
    hooks:
      - id: markdownlint
16 |
--------------------------------------------------------------------------------
/.update-changes.cfg:
--------------------------------------------------------------------------------
# Settings sourced by the CHANGES-updating script.
# Commit message used for the generated CHANGES commit; "[skip ci]" keeps
# that commit from triggering another CI run.
new_commit_msg='Update CHANGES. [skip ci]'
# No file carries the version string in this package.
file_version=''
show_authors=1

# Add heuristic for pulling GitHub issue number out of the commit message.
git_msg=git_msg_with_issue
7 |
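# Print the full message body of commit $1, prefixed with one "GH-<n>: " tag
# per issue number mentioned in it. The gawk program matches "issue", "GH"
# or "#" followed by an optional separator and digits, de-duplicates the
# numbers via array keys, and emits the tags before the message. Tag order
# follows gawk's array traversal order, which is not guaranteed.
function git_msg_with_issue {
    # "$1" is quoted so a revision argument is never word-split or globbed.
    git show -s --pretty=format:%B "$1" | gawk 'match($0, "([Ii]ssue|[Gg][Hh]|#)[ _-]?([0-9]+)", x) { issues[x[2]] = 1} { msg = msg $0 "\n"; } END { for ( i in issues ) printf("GH-%s: ", i); print msg; }'
}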
11 |
--------------------------------------------------------------------------------
/CHANGES:
--------------------------------------------------------------------------------
1 | 0.2.31-6 | 2023-11-28 08:50:37 +0100
2 |
3 | * Update README for analyzers dropped in 5ae4c15c9d99261d4270cdfaded783a4fc798373 (Benjamin Bannier, Corelight)
4 |
5 | * Update used Zeek images (Benjamin Bannier, Corelight)
6 |
7 | * Workaround GH actions performing checkout as different user. (Benjamin Bannier, Corelight)
8 |
9 | * Move CI to upstream Zeek images. (Benjamin Bannier, Corelight)
10 |
11 | We also extend the test matrix to test both against the latest release
12 | and the current development snapshot.
13 |
14 | 0.2.31 | 2022-02-18 18:01:55 +0100
15 |
16 | * Remove all Corelight analyzers. (Benjamin Bannier, Corelight)
17 |
18 | It seems hard for these packages to support different setups, see
19 | https://github.com/corelight/zeek-spicy-ipsec/issues/4#issuecomment-1044840170.
20 | This patch removes them all from this package for now to avoid breaking
21 | users installing this package.
22 |
23 | 0.2.30 | 2022-02-18 16:17:21 +0100
24 |
25 | * Exclude corelight/zeek-spicy-ipsec. (Benjamin Bannier, Corelight)
26 |
27 | That package can not be installed currently in zeek-4.2 environments due
28 | to https://github.com/corelight/zeek-spicy-ipsec/issues/4.
29 |
30 | 0.2.29 | 2022-01-26 11:07:53 +0100
31 |
32 | * Show package test logs in CI. (Benjamin Bannier, Corelight)
33 |
34 | * Pin zeek-spicy-openvpn==0.1.0. (Benjamin Bannier, Corelight)
35 |
36 | Up until v0.1.3 that package does not pass its tests so cannot be
37 | installed via zkg, see
38 | https://github.com/corelight/zeek-spicy-openvpn/issues/3.
39 |
40 | Pinning it for now to avoid breaking users.
41 |
42 | 0.2.28-29 | 2021-12-10 14:57:48 +0100
43 |
44 | * Bump a couple packages maintained by Zeek. (Benjamin Bannier, Corelight)
45 |
46 | * Add extra CI check validating the installation. (Benjamin Bannier, Corelight)
47 |
48 | 0.2.28-27 | 2021-12-09 13:54:25 +0100
49 |
50 | * Make this package into a meta-package. (Benjamin Bannier, Corelight)
51 |
52 | Since at this point this package does not contain anything to build
53 | directly anymore, this patch removes all unneeded support scripts (e.g.,
54 | CMake sources, setup for testing). We also move the CI from Cirrus CI to
55 | a simpler Github Action-based CI.
56 |
57 | * Move TFTP analyzer to zeek/spicy-tftp. (Benjamin Bannier, Corelight)
58 |
59 | * Move HTTP analyzer to zeek/spicy-http. (Benjamin Bannier, Corelight)
60 |
61 | * Update link to spicy-ldap repo in README. (Benjamin Bannier, Corelight)
62 |
63 | * Move DNS analyzer to zeek/spicy-dns. (Benjamin Bannier, Corelight)
64 |
65 | * Move DHCP analyzer to zeek/spicy-dhcp. (Benjamin Bannier, Corelight)
66 |
67 | * Move PNG analyzer to zeek/spicy-png. (Benjamin Bannier, Corelight)
68 |
69 | * Move ZIP analyzer to zeek/spicy-zip. (Benjamin Bannier, Corelight)
70 |
71 | * Move PE analyzer to zeek/spicy-pe. (Benjamin Bannier, Corelight)
72 |
73 | 0.2.28-17 | 2021-12-09 07:49:40 +0100
74 |
75 | * Bump STUN version to >=0.2.1. (Keith Jones)
76 |
77 | 0.2.28-15 | 2021-12-07 12:56:05 +0100
78 |
79 | * Use unpinned dependencies. (Benjamin Bannier, Corelight)
80 |
81 | * Remove unused traces. (Benjamin Bannier, Corelight)
82 |
83 | 0.2.28-12 | 2021-11-30 15:02:42 +0100
84 |
85 | * Deprecate analyzers. (Keith Jones, Corelight)
86 |
87 | 0.2.28-10 | 2021-11-30 12:45:11 +0100
88 |
89 | * Run macos CI against latest Spicy release instead of HEAD. (Benjamin Bannier, Corelight)
90 |
91 | * Add zkg bin dir to PATH for macos CI. (Benjamin Bannier, Corelight)
92 |
93 | * Increase CI job verbosity. (Benjamin Bannier, Corelight)
94 |
95 | * Run CI against latest Zeek release not dev snapshot (Benjamin Bannier, Corelight)
96 |
97 | 0.2.28-5 | 2021-11-26 10:15:19 +0100
98 |
99 | * Move pre-commit CI check to GH action. (Benjamin Bannier, Corelight)
100 |
101 | * Use zeek-dev image in Linux CI. (Benjamin Bannier, Corelight)
102 |
103 | * Remove option to run CI against specific branch of `zeek/spicy-plugin`. (Benjamin Bannier, Corelight)
104 |
105 | * Move LDAP analyzer to separate package. (Benjamin Bannier, Corelight)
106 |
107 | This moves the LDAP analyzer into the package zeek/spicy-ldap.
108 |
109 | 0.2.28 | 2021-11-17 16:00:17 +0100
110 |
111 | * stun: Fix integer overflow/underflow issues (Arne Welzel, Corelight)
112 |
113 | * ipsec: Fix integer overflow/underflow issues (Arne Welzel, Corelight)
114 |
115 | 0.2.27 | 2021-11-09 10:55:22 +0100
116 |
117 | * Reset environment variables which might affect CMake builds for zkg. (Benjamin Bannier, Corelight)
118 |
119 | 0.2.26 | 2021-11-05 12:05:45 +0100
120 |
121 | * Use absolute links in top-level README. (Benjamin Bannier, Corelight)
122 |
123 | 0.2.25 | 2021-11-03 16:33:43 +0100
124 |
125 | * Improvements in LDAP logging (fox-ds)
126 |
127 | 0.2.24-5 | 2021-11-02 11:54:12 +0100
128 |
129 | * Show diff if pre-commit fails. (Benjamin Bannier, Corelight)
130 |
131 | * Check for invalid STUN error classes and numbers. (Benjamin Bannier, Corelight)
132 |
133 | * Prettier representation of STUN error code attribute values. (Seth Grover)
134 |
135 | 0.2.24 | 2021-10-15 10:38:05 +0200
136 |
137 | * Release 0.2.24.
138 |
139 | 0.2.23-15 | 2021-10-15 10:37:49 +0200
140 |
141 | * Add docstrings to CMake functions and macros. (Benjamin Bannier, Corelight)
142 |
143 | * Break overlong strings. (Benjamin Bannier, Corelight)
144 |
145 | * Reformat CMake files with cmake-format. (Benjamin Bannier, Corelight)
146 |
147 | * Place comment before long invocation. (Benjamin Bannier, Corelight)
148 |
149 | * Cache pre-commit artifacts. (Benjamin Bannier, Corelight)
150 |
151 | * Bump pre-commit-hooks. (Benjamin Bannier, Corelight)
152 |
153 | 0.2.23-8 | 2021-10-06 17:59:24 +0200
154 |
155 | * [LDAP] Redact clear text passwords by default in LDAP simple
156 | binds. (Keith Jones, Corelight)
157 |
158 | * [LDAP] Enable UDP. (Keith Jones, Corelight)
159 |
160 | 0.2.23-5 | 2021-10-02 09:05:42 +0200
161 |
162 | * GH-88: Copy over Zeek DPS signatures for analyzers we replace
163 | (HTTP and DHCP). (Benjamin Bannier, Corelight)
164 |
165 | 0.2.23-2 | 2021-09-15 10:44:23 +0200
166 |
167 | * Adjust macos job for recent Cirrus CI images changes. (Benjamin Bannier, Corelight)
168 |
169 | 0.2.23 | 2021-09-14 13:51:02 +0200
170 |
171 | * GH-77: Explicitly list scripts to install. (Benjamin Bannier, Corelight)
172 |
173 | * Move analyzers one level up. (Benjamin Bannier, Corelight)
174 |
175 | 0.2.22 | 2021-08-27 09:19:09 +0200
176 |
177 | * GH-81: Fix test `protocol.facefish_rootkit.facefish_full_pcap` for zeek-4.1.0. (Benjamin Bannier, Corelight)
178 |
179 | * Remove use of Zeek's `-B` flag in tests. (Benjamin Bannier, Corelight)
180 |
181 | * Add zeek-4.1.0 to the CI. (Benjamin Bannier, Corelight)
182 |
183 | 0.2.21 | 2021-08-03 12:03:34 +0200
184 |
185 | * Fix a typo in STUN analyzer. (Keith Jones)
186 |
187 | 0.2.20 | 2021-07-30 16:07:50 +0200
188 |
189 | * Bump minimum Spicy version to 1.2.0. (Benjamin Bannier, Corelight)
190 |
191 | 0.2.19-5 | 2021-07-17 10:47:01 +0200
192 |
193 | * [ZIP] Fix a version issue where scripts could end up
194 | being loaded even when we didn't compile the analyzer. (Robin
195 | Sommer, Corelight)
196 |
197 | * [LDAP] Fix an issue where a switch's `&parse-from` attribute could
198 | end up accessing a unit field even when it wasn't set. (Robin
199 | Sommer, Corelight)
200 |
201 | * Remove support for Spicy-side in-tree build. (Robin Sommer,
202 | Corelight)
203 |
204 | * Pull in new CMake logic and testing scripts from spicy-plugin.
205 | (Robin Sommer, Corelight)
206 |
207 | 0.2.19 | 2021-07-11 08:51:59 +0200
208 |
209 | * [STUN] Fix indexing. (Keith Jones, Corelight)
210 |
211 | 0.2.18 | 2021-07-06 20:34:11 +0200
212 |
213 | * Make Facefish detection more robust by requiring two way communication. (Keith Jones, Corelight)
214 |
215 | 0.2.17-2 | 2021-07-06 20:31:41 +0200
216 |
217 | * GH-46: Fixing false positives discussed in issue #46. (Keith Jones, Corelight)
218 |
219 | 0.2.17 | 2021-07-05 20:17:24 +0200
220 |
221 | * Added OpenVPN HMAC MD5, SHA256 and SHA512 variants to increase detections. (Keith Jones, Corelight)
222 |
223 | 0.2.16-6 | 2021-06-24 19:51:38 +0200
224 |
225 | * Added Tailscale. (Keith Jones, Corelight)
226 |
227 | * Add resources developers might find useful in the future. (Keith Jones, Corelight)
228 |
229 | 0.2.16 | 2021-06-23 12:29:37 +0200
230 |
231 | * Release 0.2.16.
232 |
233 | 0.2.15-9 | 2021-06-23 12:28:27 +0200
234 |
235 | * Added STUN protocol. (Keith Jones, Corelight)
236 |
237 | 0.2.15 | 2021-06-08 13:37:39 +0200
238 |
239 | * Release 0.2.15.
240 |
241 | 0.2.14-10 | 2021-06-08 13:35:56 +0200
242 |
243 | * GH-35: Implement LDAP analyzer enhancements after upstream change.
244 |
245 | - Expose ASN1String as a Spicy string.
246 | - Use unit switch &parse-from construct.
247 | - Remove workaround for zeek/spicy-plugin#35. (Benjamin Bannier, Corelight)
248 |
249 | 0.2.14-6 | 2021-06-08 13:34:24 +0200
250 |
251 | * Added Facefish rootkit analyzer. (Keith Jones, Corelight)
252 |
253 | 0.2.14 | 2021-05-31 12:53:33 +0200
254 |
255 | * Add ZIP analyzer. (Robin Sommer, Corelight)
256 |
257 | This decompresses ZIP files and feeds their content back recursively
258 | into Zeek's file analysis.
259 |
260 | 0.2.13 | 2021-05-31 12:03:12 +0200
261 |
262 | * Make parallel build and test opt-out instead of opt-in. (Benjamin Bannier,
263 | Corelight)
264 |
265 | * Build package without any parallelism. (Benjamin Bannier, Corelight)
266 |
267 | 0.2.12 | 2021-05-19 14:16:26 +0200
268 |
269 | * Add LDAP protocol analyzer. (Seth Grover)
270 |
271 | 0.2.11 | 2021-05-17 09:39:00 +0200
272 |
273 | * Remove `analyzer_id` from scripts for IPSec. (Keith Jones)
274 |
275 | 0.2.10-4 | 2021-05-05 11:49:06 +0200
276 |
277 | * Add Aruba Networks vendor ID info. (Keith Jones, Corelight)
278 |
279 | 0.2.10-2 | 2021-05-04 09:02:25 +0200
280 |
281 | * Removed duplicate line in IPSec constants. (Keith Jones)
282 |
283 | 0.2.10 | 2021-04-23 10:52:52 +0000
284 |
285 | * [IPSec] Add more vendor IDs. (Keith Jones, Corelight)
286 |
287 | 0.2.9 | 2021-04-22 11:58:38 +0000
288 |
289 | * [IPSec] Fix various vector parsing issues and remove typing from a
290 | type where we don't know all cases yet. (Keith Jones, Corelight)
291 |
292 | 0.2.8-6 | 2021-04-20 07:11:11 +0000
293 |
294 | * GH-47: Update source for trace file. (Robin Sommer, Corelight)
295 |
296 | 0.2.8-4 | 2021-04-16 08:40:20 +0000
297 |
298 | * [IPSec] Small cleanup. (Keith Jones, Corelight)
299 |
300 | 0.2.8 | 2021-03-31 15:54:20 +0000
301 |
302 | * [Wireguard] Add missing existence check. (Keith Jones, Corelight)
303 |
304 | 0.2.7 | 2021-03-31 09:55:16 +0000
305 |
306 | * GH-36: [DNS] Implement SVR resource record. (Robin Sommer, Corelight)
307 |
308 | 0.2.6 | 2021-03-31 09:42:47 +0000
309 |
310 | * Add IPSec analyzer. (Keith Jones, Corelight)
311 |
312 | 0.2.5-5 | 2021-03-31 08:24:57 +0000
313 |
314 | * Document the sources of our trace files. (Robin Sommer, Corelight)
315 |
316 | * GH-40: Add MacOS Big Sur CI task. (Benjamin Bannier, Corelight)
317 |
318 | * Allow running CI as non-root user. (Benjamin Bannier, Corelight)
319 |
320 | 0.2.5 | 2021-03-29 12:38:45 +0000
321 |
322 | * [Wireguard] Change logging to only have one line per connection
323 | that tracks connection establishment as well as the number of
324 | handshake initiation and response packets. (Johanna Amann,
325 | Corelight)
326 |
327 | * [Wireguard] Fix Zeek 3.x compatibility (Johanna Amann, Corelight)
328 |
329 | 0.2.4-2 | 2021-03-26 16:36:52 +0000
330 |
331 | * Fix for in-tree Spicy build. (Robin Sommer, Corelight)
332 |
333 | 0.2.4 | 2021-03-26 15:49:07 +0000
334 |
335 | * GH-31: Install Zeek scripts as well during manual install. (Robin
336 | Sommer, Corelight)
337 |
338 | * Let package depend on spicy-plugin. (Robin Sommer, Corelight)
339 |
340 | 0.2.3-14 | 2021-03-25 19:38:52 +0100
341 |
342 | * Fix test & CI instabilities. (Benjamin Bannier, Corelight)
343 |
344 | 0.2.3-2 | 2021-03-24 07:05:49 +0000
345 |
346 | * Limit parsing of a PE file's strings to 512 bytes (Jon Siwek,
347 | Corelight)
348 |
349 | 0.2.3 | 2021-03-22 16:47:25 +0000
350 |
351 | * Add OpenVPN protocol analyzer. (Keith Jones, Corelight)
352 |
353 | 0.2.2-6 | 2021-03-18 15:41:07 +0100
354 |
355 | * Cleanup CI platforms for zeek-4.0.0 as LTS release. (Benjamin
356 | Bannier)
357 |
358 | * Disable JIT parallelism in CI. (Benjamin Bannier)
359 |
360 | * Install Spicy from upstream package. (Benjamin Bannier)
361 |
362 | 0.2.2 | 2021-03-18 12:25:10 +0000
363 |
364 | * GH-10: [HTTP] Fix potential analyzer error reporting unset field.
365 | (Robin Sommer, Corelight)
366 |
367 | 0.2.1 | 2021-03-18 09:47:44 +0000
368 |
369 | * GH-817: Extend PNG test to catch Spicy's #817. (Robin Sommer, Corelight)
370 |
371 | * Add file tests to btest config. (Robin Sommer, Corelight)
372 |
373 | 0.2.0 | 2021-03-15 19:20:12 +0000
374 |
375 | * Release 0.2.0.
376 |
377 | 0.1.0-23 | 2021-03-15 19:19:31 +0000
378 |
379 | * Update README. (Robin Sommer, Corelight)
380 |
381 | * GH-10: [DNS] Add missing event parameters. (Robin Sommer,
382 | Corelight)
383 |
384 | 0.1.0-17 | 2021-03-15 19:02:19 +0000
385 |
386 | * GH-10: [DNS] Add missing event parameters.
387 |
388 | 0.1.0-16 | 2021-03-15 18:46:56 +0000
389 |
390 | * Split CI zkg run into separate test and install steps, and fix
391 | test execution. (Robin Sommer, Corelight)
392 |
393 | 0.1.0-12 | 2021-03-15 13:55:57 +0000
394 |
395 | * Add Portable Executable (PE) file format parser. It currently
396 | parses headers along with import/export tables. (Jon Siwek,
397 | Corelight)
398 |
399 | 0.1.0-9 | 2021-03-15 10:18:38 +0000
400 |
401 | * [Wireguard] Check zeroes in protocol and tighten DPD. (Johanna
402 | Amann, Corelight)
403 |
404 | * [Wireguard] GH-13: Check there is no data after handshake
405 | messages. (Johanna Amann, Corelight)
406 |
407 | 0.1.0-6 | 2021-03-12 17:37:22 +0000
408 |
409 | * Fix missing installation of compiled modules in standalone build.
410 | (Robin Sommer, Corelight)
411 |
412 | 0.1.0-4 | 2021-03-11 13:39:37 +0000
413 |
414 | * Tweaking CMake setup. (Robin Sommer, Corelight)
415 |
416 | 0.1.0 | 2021-02-18 13:23:44 +0000
417 |
418 | * Starting CHANGES.
419 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | Copyright (c) 2020-2021 by the Zeek Project through the International Computer
2 | Science Institute. All rights reserved.
3 |
4 | Redistribution and use in source and binary forms, with or without
5 | modification, are permitted provided that the following conditions are met:
6 |
7 | (1) Redistributions of source code must retain the above copyright
8 | notice, this list of conditions and the following disclaimer.
9 |
10 | (2) Redistributions in binary form must reproduce the above copyright
11 | notice, this list of conditions and the following disclaimer in the
12 | documentation and/or other materials provided with the distribution.
13 |
14 | (3) Neither the name of the Zeek Project, the International Computer
15 | Science Institute, nor the names of contributors may be used to
16 | endorse or promote products derived from this software without
17 | specific prior written permission.
18 |
19 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 | ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
23 | LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
24 | CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
25 | SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
26 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
27 | CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
28 | ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
29 | POSSIBILITY OF SUCH DAMAGE.
30 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 |
2 | # Meta-package for Spicy-based Analyzers for Zeek
3 |
4 | This repository provides a [Zeek](https://github.com/zeek/zeek) meta-package
5 | installing a set of protocol & file analyzers implemented through
6 | [Spicy](https://github.com/zeek/spicy).
7 |
8 | Currently, the following analyzers are included:
9 |
10 | - [DHCP](https://github.com/zeek/spicy-dhcp) [1]
11 | - [DNS](https://github.com/zeek/spicy-dns) [1]
12 | - [HTTP](https://github.com/zeek/spicy-http) [1]
13 | - [LDAP](http://github.com/zeek/spicy-ldap)
14 | - [PNG](https://github.com/zeek/spicy-png)
15 | - [Portable Executable (PE)](https://github.com/zeek/spicy-pe) [2]
16 | - [TFTP](https://github.com/zeek/spicy-tftp)
17 | - [ZIP archives](https://github.com/zeek/spicy-zip)
18 |
19 | We are working to expand this set. If you have written a Spicy
20 | analyzer that you would like to see included here, please file a pull
21 | request.
22 |
23 | [1] replaces the corresponding Zeek analyzer\
24 | [2] replaces and extends the corresponding Zeek analyzer
25 |
26 | ## Installation
27 |
28 | Since this package is a meta-package, the easiest and recommended way to
29 | install the analyzers is through the Zeek package manager:
30 |
31 | # zkg install zeek/spicy-analyzers
32 |
33 | This will pull down the package and its dependencies, compile and test the
34 | analyzers, and then install and activate them. To check that the new analyzers are
35 | available, run `zeek -NN` afterwards; it should list all the included
36 | Spicy analyzers:
37 |
38 | # zeek -NN Zeek::Spicy
39 | [...]
40 | [Analyzer] spicy_TFTP (ANALYZER_SPICY_TFTP, enabled)
41 | [...]
42 |
43 | The new analyzers are now available to Zeek and used by default when
44 | the package is activated.
45 |
46 | ## Configuration
47 |
48 | By default, all included analyzers will be activated, and they will
49 | automatically disable any standard analyzers that they replace. If you
50 | want to disable one of the Spicy analyzers, you can do so by calling
51 | one of the built-in functions
52 | [disable_protocol_analyzer/disable_file_analyzer()](https://docs.zeek.org/projects/spicy/en/latest/zeek.html#functions).
53 | For example, to disable the HTTP analyzer, add this to your
54 | `site.zeek`:
55 |
56 | ```.zeek
57 | event zeek_init()
58 | {
59 | Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_HTTP);
60 | }
61 | ```
62 |
63 | You can find the `ANALYZER_*` value to use for an analyzer in the
64 | output of `zeek -NN Zeek::Spicy`.
65 |
66 | (Note that `disable_file_analyzer()` requires a current development
67 | version of Zeek to be available.)
68 |
69 | ## License
70 |
71 | This package is open source and released under a BSD license. Please see the
72 | individual analyzer packages for their licenses.
73 |
--------------------------------------------------------------------------------
/zkg.meta:
--------------------------------------------------------------------------------
[package]
summary = Meta package for a number of Spicy-based analyzers
description = Meta package for a number of Spicy-based analyzers.

# We depend on spicy-plugin>=1.2.2, but currently cannot
# express that dependency due to zeek/package-manager#106
# depends = spicy-plugin >=1.2.2
#
# NOTE(review): the dependency URLs below use http://. zkg presumably hands
# them to git for cloning, so an https:// scheme would avoid a plaintext first
# hop; confirm zkg resolves the https form to the same packages before
# switching.
depends = http://github.com/zeek/spicy-dhcp >=0.0.1
          http://github.com/zeek/spicy-dns >=0.0.2
          http://github.com/zeek/spicy-http >=0.0.1
          http://github.com/zeek/spicy-pe >=0.0.3
          http://github.com/zeek/spicy-png >=0.0.2
          http://github.com/zeek/spicy-tftp >=0.0.1
          http://github.com/zeek/spicy-zip >=0.0.1
15 |
--------------------------------------------------------------------------------