Hi Zeek Community,
I am working on a project for work to identify BGP, RSVP and OSPF data in pcaps via Zeek. I am completely new to all of this and I haven't written any scripts since college (over 15 years ago). Is there any existing guide or tutorial explaining how I can develop analyzers for these protocols myself, or is there code for other protocols that would be easy to follow? I've looked at the "Introduction to Scripting" on the website, but it still seems to go over my head a bit.
You might want to have a look at the recent developments around Spicy (https://docs.zeek.org/projects/spicy). For RSVP and OSPF the new packet analyzers should be of interest (https://docs.zeek.org/en/master/frameworks/packet-analysis.html).
I have been looking at Spicy and was testing out a simple packet analyzer modeled on the link you sent just yesterday, but it seems it only works on version 4.0 and up, and I'm working on 3.2.3, so I have to wait for IT to update Zeek.
Thanks for your response, it seems to be confirmation that I am heading down the right path.
Let me know when your IT dept can upgrade Zeek or if you can start working with Spicy offline. I have the very beginnings of Spicy code to start parsing BGP. Spicy is a bit over my head as well, but I got far enough to parse BGP 'open' messages before getting sidetracked with other work.
That’s awesome! You’re writing a packet analyzer?
Also, since you've started your parsing, have you had issues with Zeek grouping the BGP packets in a pcap by session? I've done data dumps in order to see how Zeek is reading the pcaps, and it seems to embed other messages (update and keepalive) into the open message, which makes it even harder to parse through for me.
I would say I started writing a packet analyzer and then got busy. I wouldn’t mind picking it back up again though.
I think grouping BGP messages by session would be expected behavior outside of writing an analyzer. My goal would be to have separate events fire for the different BGP message types (perhaps ignoring keepalives).
Right, I want separate events for the different message types also, just having issues with parsing them out through the protocol analyzer. Which is why I'm trying to switch over to writing a packet analyzer, to see if it makes things easier.
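The "embedded" OPEN/UPDATE/KEEPALIVE messages discussed in the two posts above come from BGP being framed by its own 19-byte header (16-byte marker, 2-byte length, 1-byte type) inside one TCP session, not by packet boundaries. As an added illustration that is not code from this thread, Zeek or Spicy, the following Python splits a constructed session byte stream into individual messages by that length field, dispatches on type the way separate events would, decodes the OPEN fields, and keeps a trailing partial message as a remainder; all names and the sample bytes are my own.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

BGP_MARKER = b"\xff" * 16          # RFC 4271: marker is 16 bytes of all ones
BGP_HEADER_LEN = 19                # marker(16) + length(2) + type(1)
BGP_TYPES = {1: "OPEN", 2: "UPDATE", 3: "NOTIFICATION", 4: "KEEPALIVE"}

@dataclass
class BGPMessage:
    type_name: str
    length: int
    body: bytes                    # everything after the 19-byte header
    open_fields: Optional[Dict[str, object]] = None

def parse_open(body: bytes) -> Dict[str, object]:
    """Decode the fixed part of an OPEN message (version, AS, hold time, ID)."""
    version, my_as, hold_time, bgp_id, opt_len = struct.unpack("!BHHIB", body[:10])
    return {"version": version, "my_as": my_as, "hold_time": hold_time,
            "bgp_id": ".".join(str(b) for b in struct.pack("!I", bgp_id)),
            "opt_param_len": opt_len}

def split_bgp_stream(data: bytes) -> Tuple[List[BGPMessage], bytes]:
    """Walk a session byte stream message by message; return (messages, leftover)."""
    msgs: List[BGPMessage] = []
    off = 0
    while len(data) - off >= BGP_HEADER_LEN:
        hdr = data[off:off + BGP_HEADER_LEN]
        if hdr[:16] != BGP_MARKER:
            raise ValueError(f"bad BGP marker at offset {off}")
        length, mtype = struct.unpack("!HB", hdr[16:19])
        if length < BGP_HEADER_LEN or length > 4096:
            raise ValueError(f"illegal BGP length {length} at offset {off}")
        if len(data) - off < length:
            break                  # message continues in a later packet: keep remainder
        body = data[off + BGP_HEADER_LEN:off + length]
        msg = BGPMessage(BGP_TYPES.get(mtype, f"UNKNOWN({mtype})"), length, body)
        if mtype == 1:
            msg.open_fields = parse_open(body)
        msgs.append(msg)           # one entry per message, i.e. one event per type
        off += length
    return msgs, data[off:]

def build_msg(mtype: int, body: bytes = b"") -> bytes:
    """Constructed test helper: wrap a body in a valid BGP header."""
    return BGP_MARKER + struct.pack("!HB", BGP_HEADER_LEN + len(body), mtype) + body

# Constructed stream: OPEN (AS 65001, hold 180, ID 10.0.0.1), KEEPALIVE, then only the
# header of an UPDATE whose 4-byte body has not arrived yet.
OPEN_BODY = struct.pack("!BHHIB", 4, 65001, 180, 0x0A000001, 0)
SAMPLE_STREAM = build_msg(1, OPEN_BODY) + build_msg(4) + build_msg(2, b"\x00" * 4)[:19]
```

Running `split_bgp_stream(SAMPLE_STREAM)` yields an OPEN and a KEEPALIVE plus a 19-byte leftover, which is exactly the reassembly a Zeek protocol analyzer does across packets before it can raise per-message events.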