I might be misunderstanding some of the internals of Zeek; I hope someone can explain the following.
- Running Zeek 6.0.1 (had the same in 6.0.0)
- Installed this list of plugins:
$ zkg list
zeek/corelight/zeek-long-connections (installed: v1.3.1) - Find and log long-lived connections into a “conn_long” log.
zeek/corelight/zeek-spicy-ipsec (installed: v0.2.18) - An IPSec Zeek protocol analyzer based on Spicy.
zeek/corelight/zeek-spicy-openvpn (installed: v0.1.6) - A Zeek OpenVPN protocol analyzer, based on Spicy.
zeek/corelight/zeek-spicy-stun (installed: v0.2.10) - A Zeek STUN protocol analyzer based on Spicy.
zeek/corelight/zeek-spicy-wireguard (installed: v0.1.3) - A Wireguard VPN protocol analyzer, based on Spicy.
zeek/mitre-attack/bzar (installed: master) - BZAR - Bro/Zeek ATT&CK-based Analytics and Reporting.
zeek/salesforce/ja3 (installed: master) - JA3 creates 32 character SSL client fingerprints and logs them as a field in ssl.log.
zeek/zeek/spicy-dhcp (installed: v0.0.6) - Spicy-based analyzer for the DHCP protocol.
zeek/zeek/spicy-dns (installed: v0.0.6) - Spicy-based analyzer for the DNS protocol.
zeek/zeek/spicy-http (installed: v0.0.5) - Spicy-based analyzer for the HTTP protocol.
zeek/zeek/spicy-ldap (installed: v0.0.10) - An LDAP analyzer based on Spicy
zeek/zeek/spicy-pe (installed: v0.0.11) - Spicy-based analyzer for the Portable Executable (PE) image format
zeek/zeek/spicy-png (installed: v0.0.5) - Spicy-based analyzer for the PNG file format.
zeek/zeek/spicy-tftp (installed: v0.0.5) - Spicy-based analyzer for the TFTP protocol.
zeek/zeek/spicy-zip (installed: v0.0.5) - Spicy-based analyzer for the ZIP file format.
- I’m chasing a memory leak so I’m loading only a subset of the above plugins through local.zeek and commented out “@load packages”:
# load individual packages (chasing a memory leak)
# Uncomment this to source zkg’s package state
- According to loaded_scripts.log, only the above packages are loaded:
However, in my logs I see errors like this:
&size amount not consumed (/usr/local/zeek/var/lib/zkg/clones/package/spicy-dhcp/analyzer/analyzer.spicy:214:17)
expecting 4 bytes for unpacking value (/usr/local/zeek/var/lib/zkg/clones/package/zeek-spicy-ipsec/analyzer/analyzer.spicy:233:18)
Anyone got a clue?
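Added example, not the poster's code and not part of Zeek or zkg: a small Python script that does the cross-check described above mechanically. It attributes each Spicy/Zeek error line of the form shown in the post ("message (path:line:col)") to a zkg package by the clone path, and flags packages whose scripts do not appear in loaded_scripts.log. It assumes the default zkg layout (clones under var/lib/zkg/clones/package/<name>, package scripts under site/packages/<name>); the error lines and loaded_scripts.log paths embedded below are constructed samples in the same format as the post, not real log data.

```python
"""Attribute Spicy/Zeek error messages to zkg packages and compare against
loaded_scripts.log.

Added example (not from the original post, Zeek or zkg). Assumptions:
default zkg layout, i.e. clones under .../var/lib/zkg/clones/package/<pkg>/
and package scripts under .../site/packages/<pkg>/. Sample inputs below are
constructed.
"""
import re
from collections import defaultdict

# Error lines end in "(<path>:<line>:<col>)"; capture the location.
_LOC_RE = re.compile(r"\((?P<path>\S+?):(?P<line>\d+):(?P<col>\d+)\)\s*$")
# The zkg package name is the path component after clones/package/.
_CLONE_PKG_RE = re.compile(r"/zkg/clones/package/(?P<pkg>[^/]+)/")
# Package scripts are loaded from site/packages/<pkg>/ (assumed default layout).
_SCRIPT_PKG_RE = re.compile(r"/packages/(?P<pkg>[^/]+)/")


def parse_error(line):
    """Return (message, package_or_None, path, lineno), or None if the line
    carries no "(path:line:col)" location suffix."""
    m = _LOC_RE.search(line)
    if not m:
        return None
    path = m.group("path")
    p = _CLONE_PKG_RE.search(path)
    pkg = p.group("pkg") if p else None
    return (line[: m.start()].strip(), pkg, path, int(m.group("line")))


def loaded_packages(loaded_script_paths):
    """Set of package names whose scripts occur in loaded_scripts.log."""
    pkgs = set()
    for path in loaded_script_paths:
        m = _SCRIPT_PKG_RE.search(path)
        if m:
            pkgs.add(m.group("pkg"))
    return pkgs


def attribute_errors(error_lines, loaded_script_paths):
    """Group errors by package; return (by_pkg, set of packages that produced
    errors although none of their scripts is in loaded_scripts.log)."""
    loaded = loaded_packages(loaded_script_paths)
    by_pkg = defaultdict(list)
    unexpected = set()
    for line in error_lines:
        parsed = parse_error(line)
        if parsed is None:
            continue  # not an analyzer error with a source location
        msg, pkg, path, lineno = parsed
        by_pkg[pkg or "<unknown>"].append((msg, path, lineno))
        if pkg and pkg not in loaded:
            unexpected.add(pkg)
    return dict(by_pkg), unexpected


# Constructed sample input in the format seen in the post.
SAMPLE_ERRORS = [
    "&size amount not consumed (/usr/local/zeek/var/lib/zkg/clones/package/spicy-dhcp/analyzer/analyzer.spicy:214:17)",
    "expecting 4 bytes for unpacking value (/usr/local/zeek/var/lib/zkg/clones/package/zeek-spicy-ipsec/analyzer/analyzer.spicy:233:18)",
    "reporter line without a source location",
]
# Constructed sample of the "name" column of loaded_scripts.log.
SAMPLE_LOADED_SCRIPTS = [
    "/usr/local/zeek/share/zeek/site/local.zeek",
    "/usr/local/zeek/share/zeek/site/packages/zeek-long-connections/__load__.zeek",
    "/usr/local/zeek/share/zeek/site/packages/ja3/__load__.zeek",
]

if __name__ == "__main__":
    by_pkg, unexpected = attribute_errors(SAMPLE_ERRORS, SAMPLE_LOADED_SCRIPTS)
    for pkg, errs in sorted(by_pkg.items()):
        flag = " (no script of this package in loaded_scripts.log)" if pkg in unexpected else ""
        print(f"{pkg}{flag}")
        for msg, path, lineno in errs:
            print(f"  {msg}  [{path}:{lineno}]")
```

Feed it the message column of reporter.log and the name column of loaded_scripts.log; a package listed under "unexpected" is one whose analyzer is evidently active even though its Zeek scripts were not loaded, which is exactly the discrepancy the question is about.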