Copy Protocol Parsers and Plugin

Hi,

I’m running Almalinux 9.2 with zeek-6.0.4 from the EPEL Testing repo.

Sadly, the rpm does NOT have Spicy support enabled. If I enable support and rpmbuild, many new files are in the BUILD dir and the rpm build fails due to “unpackaged files.”

Okay, so I’ll compile from source.

Pardon me if this is a dumb question: is it possible to build the Spicy parsers in a dev env and copy the plugins into my plugin dir in the rpm prod env? Do I also still require an rpm with Spicy support enabled at compile time or can the Spicy plugin be copied too?

Is spicyc, spicyz etc. required once plugins/parsers are built? We don’t want to install anything extra in order to maintain security.

While spicyc/spicyz are build time dependencies, the HLTO file with the compiled analyzer will have binary runtime dependencies on the exact Zeek and Spicy versions which were used in its creation. There is no expectation for it to work with any other versions.

Note that even if you were to manually build tag v6.0.4 of the Zeek repo (which by default comes with a version of Spicy) you could not use a HLTO file created with it with your RPM version since it misses the Spicy runtime dependencies.

The best way forward is probably to either switch to a supported version of Zeek with Spicy support (have a look whether packages for one of the RPM-based distros we provide packages for are compatible with your target distro), or to create a zeek-6.0.x RPM with Spicy support yourself.

Thank you for the input, much appreciated.

I managed to merge the spicy lines from an OpenSuSE 15.6 spec file into the EPEL Testing spec file.

The rpms are built, including a new zeek-spicy-devel.

I can do zkg install <package> thereafter and then proceed to remove the devel rpms in order to prep and finalise for a hardened server install.