Errors in logs from unused(?) plugins

0x4A6F686E · September 15, 2023, 8:29am

Hi there,

I might be misunderstanding some of the internals of Zeek; I hope someone can explain the following.

Running Zeek 6.0.1 (had the same in 6.0.0)
Installed this list of plugins:

$ zkg list
zeek/corelight/zeek-long-connections (installed: v1.3.1) - Find and log long-lived connections into a “conn_long” log.
zeek/corelight/zeek-spicy-ipsec (installed: v0.2.18) - An IPSec Zeek protocol analyzer based on Spicy.
zeek/corelight/zeek-spicy-openvpn (installed: v0.1.6) - A Zeek OpenVPN protocol analyzer, based on Spicy.
zeek/corelight/zeek-spicy-stun (installed: v0.2.10) - A Zeek STUN protocol analyzer based on Spicy.
zeek/corelight/zeek-spicy-wireguard (installed: v0.1.3) - A Wireguard VPN protocol analyzer, based on Spicy.
zeek/mitre-attack/bzar (installed: master) - BZAR - Bro/Zeek ATT&CK-based Analytics and Reporting.
zeek/salesforce/ja3 (installed: master) - JA3 creates 32 character SSL client fingerprints and logs them as a field in ssl.log.
zeek/zeek/spicy-dhcp (installed: v0.0.6) - Spicy-based analyzer for the DHCP protocol.
zeek/zeek/spicy-dns (installed: v0.0.6) - Spicy-based analyzer for the DNS protocol.
zeek/zeek/spicy-http (installed: v0.0.5) - Spicy-based analyzer for the HTTP protocol.
zeek/zeek/spicy-ldap (installed: v0.0.10) - An LDAP analyzer based on Spicy
zeek/zeek/spicy-pe (installed: v0.0.11) - Spicy-based analyzer for the Portable Executable (PE) image format
zeek/zeek/spicy-png (installed: v0.0.5) - Spicy-based analyzer for the PNG file format.
zeek/zeek/spicy-tftp (installed: v0.0.5) - Spicy-based analyzer for the TFTP protocol.
zeek/zeek/spicy-zip (installed: v0.0.5) - Spicy-based analyzer for the ZIP file format.

I’m chasing a memory leak so I’m loading only a subset of the above plugins through local.zeek and commented out “@load packages”:

# load individuel packages (chasing a memory leak)
@load packages/ja3
@load packages/zeek-long-connections
@load packages/spicy-dns
@load packages/spicy-tftp

# Uncomment this to source zkg’s package state
#@load packages

According to loaded_scripts.log, only the above packages are loaded:

{“name”:" /usr/local/zeek/spool/installed-scripts-do-not-touch/site/packages/ja3/load.zeek"}
{“name”:" /usr/local/zeek/spool/installed-scripts-do-not-touch/site/packages/ja3/ja3.zeek"}
{“name”:" /usr/local/zeek/spool/installed-scripts-do-not-touch/site/packages/ja3/intel_ja3.zeek"}
{“name”:" /usr/local/zeek/spool/installed-scripts-do-not-touch/site/packages/ja3/ja3s.zeek"}
{“name”:" /usr/local/zeek/spool/installed-scripts-do-not-touch/site/packages/zeek-long-connections/load.zeek"}
{“name”:" /usr/local/zeek/spool/installed-scripts-do-not-touch/site/packages/zeek-long-connections/main.zeek"}
{“name”:" /usr/local/zeek/spool/installed-scripts-do-not-touch/site/packages/spicy-dns/load.zeek"}
{“name”:" /usr/local/zeek/spool/installed-scripts-do-not-touch/site/packages/spicy-tftp/load.zeek"}
{“name”:" /usr/local/zeek/spool/installed-scripts-do-not-touch/site/packages/spicy-tftp/main.zeek"}

However, in my logs I see errors like this:

&size amount not consumed (/usr/local/zeek/var/lib/zkg/clones/package/spicy-dhcp/analyzer/analyzer.spicy:214:17)
expecting 4 bytes for unpacking value (/usr/local/zeek/var/lib/zkg/clones/package/zeek-spicy-ipsec/analyzer/analyzer.spicy:233:18)

Anoyone got a clue?

Cheers, John

Benjamin_Bannier · September 15, 2023, 11:18am

Spicy analyzers typically consist of at least two parts, a *.hlto file which is loaded by the Spicy integration in Zeek, and additional *.zeek files which get loaded through e.g., local.zeek.

When loaded, a *.hlto file registers analyzers with Zeek and takes part in parsing. If the analyzers set up matching of Spicy hooks to Zeek events in their *.evt file(s) these hooks also would be invoked. This is all to say, Spicy analyzers are active even if their scripts are not loaded.

The way to fully disable Spicy analyzers would also involve calling Spicy::disable_protocol_analyzer on the Zeek side, e.g., for spicy-ldap

# Somewhere in `local.zeek`.

event zeek_init()
	{
	Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_LDAP_TCP);
	Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_LDAP_UDP);
	}

To get the analyzer tags for these calls you can use

$ zeek -NN Zeek::Spicy | grep Analyzer
    [Analyzer] Finger (ANALYZER_FINGER, enabled)
    [Analyzer] Syslog (ANALYZER_SYSLOG, enabled)

0x4A6F686E · September 15, 2023, 3:17pm

Hi Benjamin,

thanks for the explanation!
I added the various disable rules.

Regards,
John

Topic		Replies	Views
Errors with Spicy 1.3.0 with Zeek 4.0.4 Zeek	1	120	May 6, 2022
Spicy-http plugin returns protocol violation on WinRM traffic Zeek	4	172	May 22, 2024
Spicy plugin , Corelight, and btest Zeek spicy	1	467	May 6, 2022
Analysing PCAPNG files from Wireshark traffic captured with Zeek or Spicy Zeek	6	1249	April 11, 2023
Packet Analyzer over TCP Development	2	31	December 11, 2024

Errors in logs from unused(?) plugins

Related topics