Hey @arotnemer,
it appears the documentation is outdated around the JIT approach where .spicy and .evt are provided to Zeek and it compiles these on-the-fly. This feature has been removed.
I’ve been pondering making a change to the Spicy plugin for Zeek where I’d be interested in feedback. Right now, there are two ways to have Zeek pull in a Spicy analyzer: (1) pre-compile the analyzer with spicyz into an HLTO file, then give that HLTO file to Zeek to load; and (2) give Spicy source code and EVT files directly to Zeek for compilation just-in-time at startup.
I’m considering removing Option (2).
For operational usage, Option (1) is already the only viable way to go because Option…
I’ve opened a ticket in the Spicy project, too.
Thanks for the report!
Arne