Errors in logs from unused(?) plugins

Hi there,

I might be misunderstanding some of the internals of Zeek; I hope someone can explain the following.

  • Running Zeek 6.0.1 (had the same in 6.0.0)
  • Installed this list of plugins:

$ zkg list
zeek/corelight/zeek-long-connections (installed: v1.3.1) - Find and log long-lived connections into a "conn_long" log.
zeek/corelight/zeek-spicy-ipsec (installed: v0.2.18) - An IPSec Zeek protocol analyzer based on Spicy.
zeek/corelight/zeek-spicy-openvpn (installed: v0.1.6) - A Zeek OpenVPN protocol analyzer, based on Spicy.
zeek/corelight/zeek-spicy-stun (installed: v0.2.10) - A Zeek STUN protocol analyzer based on Spicy.
zeek/corelight/zeek-spicy-wireguard (installed: v0.1.3) - A Wireguard VPN protocol analyzer, based on Spicy.
zeek/mitre-attack/bzar (installed: master) - BZAR - Bro/Zeek ATT&CK-based Analytics and Reporting.
zeek/salesforce/ja3 (installed: master) - JA3 creates 32 character SSL client fingerprints and logs them as a field in ssl.log.
zeek/zeek/spicy-dhcp (installed: v0.0.6) - Spicy-based analyzer for the DHCP protocol.
zeek/zeek/spicy-dns (installed: v0.0.6) - Spicy-based analyzer for the DNS protocol.
zeek/zeek/spicy-http (installed: v0.0.5) - Spicy-based analyzer for the HTTP protocol.
zeek/zeek/spicy-ldap (installed: v0.0.10) - An LDAP analyzer based on Spicy
zeek/zeek/spicy-pe (installed: v0.0.11) - Spicy-based analyzer for the Portable Executable (PE) image format
zeek/zeek/spicy-png (installed: v0.0.5) - Spicy-based analyzer for the PNG file format.
zeek/zeek/spicy-tftp (installed: v0.0.5) - Spicy-based analyzer for the TFTP protocol.
zeek/zeek/spicy-zip (installed: v0.0.5) - Spicy-based analyzer for the ZIP file format.

  • I’m chasing a memory leak so I’m loading only a subset of the above plugins through local.zeek and commented out “@load packages”:

# load individual packages (chasing a memory leak)
@load packages/ja3
@load packages/zeek-long-connections
@load packages/spicy-dns
@load packages/spicy-tftp

# Uncomment this to source zkg's package state
#@load packages

  • According to loaded_scripts.log, only the above packages are loaded:

{"name":"/usr/local/zeek/spool/installed-scripts-do-not-touch/site/packages/ja3/load.zeek"}
{"name":"/usr/local/zeek/spool/installed-scripts-do-not-touch/site/packages/ja3/ja3.zeek"}
{"name":"/usr/local/zeek/spool/installed-scripts-do-not-touch/site/packages/ja3/intel_ja3.zeek"}
{"name":"/usr/local/zeek/spool/installed-scripts-do-not-touch/site/packages/ja3/ja3s.zeek"}
{"name":"/usr/local/zeek/spool/installed-scripts-do-not-touch/site/packages/zeek-long-connections/load.zeek"}
{"name":"/usr/local/zeek/spool/installed-scripts-do-not-touch/site/packages/zeek-long-connections/main.zeek"}
{"name":"/usr/local/zeek/spool/installed-scripts-do-not-touch/site/packages/spicy-dns/load.zeek"}
{"name":"/usr/local/zeek/spool/installed-scripts-do-not-touch/site/packages/spicy-tftp/load.zeek"}
{"name":"/usr/local/zeek/spool/installed-scripts-do-not-touch/site/packages/spicy-tftp/main.zeek"}

However, in my logs I see errors like this:

&size amount not consumed (/usr/local/zeek/var/lib/zkg/clones/package/spicy-dhcp/analyzer/analyzer.spicy:214:17)
expecting 4 bytes for unpacking value (/usr/local/zeek/var/lib/zkg/clones/package/zeek-spicy-ipsec/analyzer/analyzer.spicy:233:18)

Anyone got a clue?

Cheers, John

Spicy analyzers typically consist of at least two parts, a *.hlto file which is loaded by the Spicy integration in Zeek, and additional *.zeek files which get loaded through e.g., local.zeek.

When loaded, a *.hlto file registers analyzers with Zeek and takes part in parsing. If the analyzers set up matching of Spicy hooks to Zeek events in their *.evt file(s) these hooks also would be invoked. This is all to say, Spicy analyzers are active even if their scripts are not loaded.

The way to fully disable Spicy analyzers would also involve calling Spicy::disable_protocol_analyzer on the Zeek side, e.g., for spicy-ldap:

# Somewhere in `local.zeek`.

event zeek_init()
	{
	Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_LDAP_TCP);
	Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_LDAP_UDP);
	}

To get the analyzer tags for these calls you can use

$ zeek -NN Zeek::Spicy | grep Analyzer
    [Analyzer] Finger (ANALYZER_FINGER, enabled)
    [Analyzer] Syslog (ANALYZER_SYSLOG, enabled)
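
A small helper, added here as an example and not part of the thread or of Zeek itself, that turns the `zeek -NN Zeek::Spicy | grep Analyzer` output above into the `Spicy::disable_protocol_analyzer` calls for every enabled protocol analyzer except an allowlist of tags you want to keep. The sample `-NN` output is constructed; only ANALYZER_SPICY_LDAP_TCP/UDP are tags from the thread, the other names are placeholders.

```shell
#!/bin/sh
# Constructed sample of `zeek -NN Zeek::Spicy | grep Analyzer` output, in the
# same "[Analyzer] NAME (ANALYZER_TAG, enabled|disabled)" shape shown in the thread.
# ANALYZER_SPICY_LDAP_TCP/UDP are real tags from the thread; the rest are placeholders.
SAMPLE_NN_OUTPUT='    [Analyzer] SPICY_LDAP_TCP (ANALYZER_SPICY_LDAP_TCP, enabled)
    [Analyzer] SPICY_LDAP_UDP (ANALYZER_SPICY_LDAP_UDP, enabled)
    [Analyzer] SPICY_EXAMPLE_VPN (ANALYZER_SPICY_EXAMPLE_VPN, enabled)
    [Analyzer] SPICY_KEEPME (ANALYZER_SPICY_KEEPME, enabled)
    [Analyzer] SPICY_ALREADY_OFF (ANALYZER_SPICY_ALREADY_OFF, disabled)'

# extract_tags: read -NN output on stdin, print the ANALYZER_* tag of every
# *enabled* protocol analyzer, one per line. Only "[Analyzer]" lines match, so
# file analyzers (a different disable call) and already-disabled ones are skipped.
extract_tags() {
    sed -n 's/^[[:space:]]*\[Analyzer\] [^ ]* (\(ANALYZER_[A-Z0-9_]*\), enabled)$/\1/p'
}

# gen_disable: read -NN output on stdin; $1 is a space-separated allowlist of
# tags to leave active. Emits a zeek_init() handler (tab-indented, as in the
# snippet above) that disables every other enabled Spicy protocol analyzer.
gen_disable() {
    keep=" $1 "
    printf 'event zeek_init()\n\t{\n'
    extract_tags | while read -r tag; do
        case "$keep" in
            *" $tag "*) ;;   # allowlisted: keep this analyzer active
            *) printf '\tSpicy::disable_protocol_analyzer(Analyzer::%s);\n' "$tag" ;;
        esac
    done
    printf '\t}\n'
}

# count_disabled: how many disable calls the sample output yields for allowlist $1.
count_disabled() {
    printf '%s\n' "$SAMPLE_NN_OUTPUT" | gen_disable "$1" \
        | grep -c disable_protocol_analyzer || true
}

# Stand-alone run: keep only the LDAP TCP analyzer, disable the other enabled ones.
printf '%s\n' "$SAMPLE_NN_OUTPUT" | gen_disable 'ANALYZER_SPICY_LDAP_TCP'
```

Against a live install you would pipe `zeek -NN Zeek::Spicy | grep Analyzer` into `gen_disable` and append the result to local.zeek; review the list first, because the same listing also contains Zeek's built-in Spicy analyzers (Finger and Syslog in the output above), which you probably want on the allowlist.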

Hi Benjamin,

thanks for the explanation!
I added the various disable rules.

Regards,
John