Creating 2 analyzer instances of the same type in spicy

Zeek
,
1

Hi,
I’m writing a protocol analyzer for a proprietary protocol in spicy.
I want to perform the following actions:

  1. Skip over some bytes in the stream
  2. Then pass the stream to some zeek analyzer using zeek::protocol_data_in() (I get the analyzer
    handle using protocol_handle_get_or_create() )
  3. Close the handle from step 2 (using protocol_handle_close(), skip over more bytes.
  4. Then pass the reamining stream again to a new analyzer instance (That is the same analyzer
    type from step 2).

For some reason, even after closing the analyzer handle in step 3 and opening a new one in step 4, it seems that this zeek analyzer is the same instance. This is a problem because I need the 2nd analyzer to start from a fresh state.
What is the correct way to instantiate a new analyzer and add it to the analyzer tree in spicy?

Thanks,
Alex

2

Do you have any code I could try to see this? How did you determine it’s going into separate instances?

I have just tried to reproduce the effect but everything seems to work fine for me. Below is what I have tried, adapting one of the existing tests we have (the pcap trace is from those tests, coming with the Zeek source code; and the last command needs a Zeek debug build to produce the debug.log.).

# cat ssh.spicy
module SSH;

import spicy;
import zeek;

type Context = tuple<data_chunks: uint64>;

public type Banner = unit {
    %context = Context;
    magic   : /SSH-/;
    version : /[^-]*/;
    dash    : /-/;
    software: /[^\r\n]*/;
};

on Banner::%done {
    local http1 = zeek::protocol_handle_get_or_create("HTTP");
    zeek::protocol_data_in(True, b"GET /path1 HTTP/1.0\r\n\r\n", http1);
    zeek::protocol_handle_close(http1);

    local http2 = zeek::protocol_handle_get_or_create("HTTP");
    zeek::protocol_data_in(True, b"GET /path2 HTTP/1.0\r\n\r\n", http2);
    zeek::protocol_handle_close(http2);
}

# cat ssh-cond.evt

import zeek;

protocol analyzer spicy::SSH over TCP:
    parse originator with SSH::Banner,
    replaces SSH;

# cat  protocol-analyzer-data-in.zeek
event zeek_init() {
    Analyzer::register_for_port(Analyzer::ANALYZER_SPICY_SSH, 22/tcp);
}

# spicyz -d -o test.hlto ssh.spicy ./ssh-cond.evt
# zeek -B dpd -r zeek/testing/btest/Traces/ssh/single-conn.trace test.hlto protocol-analyzer-data-in.zeek
# cat debug.log
1150485513.396389/1739361335.973541 [dpd] HTTP[5] DeliverStream(19, T) [GET /path1 HTTP/1.0]
1150485513.396389/1739361335.973761 [dpd] HTTP[8] DeliverStream(19, T) [GET /path2 HTTP/1.0]

The numbers in HTTP[..] identify the instance of the analyzer. So seeing 5 and 8, the data is going into separate instances.

3

Thank you, I’ve found my mistake.

4

Would you mind sketching what lead to this issue? That information might be helpful for anybody else running into the same problem in the future, or for us to figure out whether there is a sharp edge which should be taken off. Thanks!