Recently I got into Zeek and started to play around with BinPAC plugin
development. BinPAC allowed me to pretty easily write a protocol parser
for IKE messages. However, I stumbled upon a problem. As I already read
on the mailing list, BinPAC is aimed at parsing protocols which run on
top of UDP or TCP. I also read that to parse protocols on lower layers
(let's say the transport layer), BinPAC won't be able to help you
anymore. The solution that was proposed in a few messages that I read
was to modify the source code of Zeek to support layer 4 protocols other
than TCP, UDP and ICMP.
First and foremost; before posting this message, that's exactly what I
did. My approach was to look at the implementation of ICMP and UDP in
Zeek (which are also layer 4 protocols). Based on this I tried my best
at writing a protocol analyzer alongside these protocols. However, after
spending a good amount of hours trying to write a protocol parser for
ESP-messages (protocol number 50) I came to the conclusion that the code
had become quite messy. Most importantly I didn't get the ESP-parser to
work properly. Even if I would have got it working, the code wouldn't be
patch safe anymore from future versions of Zeek.
My issue is as follows; I only want to be able to detect that a protocol
number 50 packet has been seen with the parsing of the very first field.
Is the only way to get this working to give another shot at modifying
the source code or is there a more cleaner/patch friendly path to
travel? Even a gentle push in the right direction would very much be
appreciated.