Btest Failing for spicy-analyzers

Spicy
1

I have installed via zkg install with zeek-6.0.4 on Almalinux 9.5:

http://github.com/zeek/spicy-dhcp (installed: v0.0.11) - Spicy-based analyzer for the DHCP protocol.
http://github.com/zeek/spicy-dns (installed: v0.0.10) - Spicy-based analyzer for the DNS protocol.
http://github.com/zeek/spicy-http (installed: v0.0.10) - Spicy-based analyzer for the HTTP protocol.
http://github.com/zeek/spicy-pe (installed: v0.0.13) - Spicy-based analyzer for the Portable Executable (PE) image format
http://github.com/zeek/spicy-png (installed: v0.0.6) - Spicy-based analyzer for the PNG file format.
http://github.com/zeek/spicy-tftp (installed: v0.0.5) - Spicy-based analyzer for the TFTP protocol.
http://github.com/zeek/spicy-zip (installed: v0.0.7) - Spicy-based analyzer for the ZIP file format.
zeek/zeek/spicy-analyzers (installed: v0.2.33) - Meta package for a number of Spicy-based analyzers.

From the above only the spicy-png and spicy-tftp analyzers pass all of their tests.

I have poked around in the various dirs for logs, diags, stderr, stdout etc. I have read what I can on the forum here and did RTFM of the Btest framework.

I don’t have the time or inclination to debug 5 analyzers, please can someone help me with some possible guidelines or checks as to why so many plugins are failing?

Maybe my Zeek version is too old or some other obvious thing I have missed…

PS: if I need to upload any logs or diags please advise.

2

I just checked and each of these analyzers builds successfully with all supported Zeek versions (7.x).

Yes, your Zeek version is not supported anymore. You might have some luck with older versions of these plugins, but I cannot tell you exact versions off the top of my head.

That said, consider not installing zeek/spicy-analyzers for anything but evaluation, and deliberately picking which analyzers you want, especially if you replace builtin Zeek analyzers (in your list: DHCP, DNS, HTTP). While analyzers written in Spicy should be much easier to write correctly, understand, and maintain, a lot of care has gone into Zeek’s builtin analyzers over a long time and in the face of orders of magnitude more real world traffic than for these Spicy analyzers; for a user Spicy does not automatically mean better.

3

@Benjamin_Bannier thank you so much for the good advice!

I apologise for my ignorance. Let me compile 7.0.5 in the meantime…