Hi, I am new to Zeek and Spicy. I am running Red Hat Linux version 7.9. I installed Zeek and Spicy via RPM and have the following RPMs installed:
zeek-btest-data-5.2.2-1.1.x86_64
zeek-client-5.2.2-1.1.x86_64
zeek-devel-5.2.2-1.1.x86_64
zeek-zkg-5.2.2-1.1.x86_64
zeek-core-5.2.2-1.1.x86_64
zeek-debuginfo-5.2.2-1.1.x86_64
zeek-spicy-devel-5.2.2-1.1.x86_64
zeek-btest-5.2.2-1.1.x86_64
zeekctl-5.2.2-1.1.x86_64
I have verified the Spicy parser support:
[ar435f@ar435f-vmbuild07-clone my-http]$ sudo /opt/zeek/bin/zeek -N Zeek::Spicy
Zeek::Spicy - Support for Spicy parsers (*.hlto) (built-in)
I am attempting to do the “Getting Started” steps at:
https://docs.zeek.org/projects/spicy/en/latest/getting-started.html
I ran the sample “Hello World” app with no problems.
Ran into an issue during Section 2.3 “Zeek Integration”
I downloaded the “request-line.pcap” file
Copied the “my-http.evt” file
Copied the “my-http.zeek” file
However, on the next step I got an error:
[ar435f@ar435f-vmbuild07-clone my-http]$ sudo /opt/zeek/bin/zeek -Cr request-line.pcap my-http.spicy my-http.evt my-http.zeek
fatal error: cannot load ‘my-http.spicy’: analyzers need to be precompiled with ‘spicyz’
I was able to run the subsequent steps, but I was wondering if there is an explanation for the above error. Am I missing any RPMs?
Thanks