I just can’t seem to get it to work.
It’s possible that the issue is only with units that contain other unit fields (I rememberd to export the inner unit types as well).
Can you show an example of what you mean so we could try this out ourselves and potentially suggest workarounds or make fixes?
Of course.
Relevant snippet from my spicy code (names obfuscated):
module Module;
import spicy;
public type InnerUnitA = unit {
field_a: uint32 &byte-order=spicy::ByteOrder::Little;
field_b: uint16 &byte-order=spicy::ByteOrder::Little;
field_c: uint32 &byte-order=spicy::ByteOrder::Little;
field_d: uint8 &byte-order=spicy::ByteOrder::Little;
field_e: uint32 &byte-order=spicy::ByteOrder::Little;
};
public type InnerUnitB = unit {
field_a: bytes &size=6;
};
public type MainUnit = unit {
field_a: bytes &size=22;
: bytes &size=6;
field_b: InnerUnitA;
: bytes &size=5;
field_c: InnerUnitA;
: bytes &size=5;
field_d: InnerUnitB;
field_e: InnerUnitB;
};
Relevant snippet from my evt code:
import Module;
export Module::InnerUnitA;
export Module::InnerUnitB;
export Module::MainUnit;
on Module::MainUnit -> event ZeekModule::ZeekEvent(self);
Relevant snippet from my zeek code:
module ZeekModule;
event ZeekEvent(rec: Module::MainUnit)
{
...
}
The zeek error I get: identifier not defined: Module::MainUnit.
Note 1: The compiled hlto file is copied into lib/zeek-spicy/modules/test.
Note 2: I use the zeek docker image (6.1.1).
Thanks!
Note 1: The compiled
hltofile is copied intolib/zeek-spicy/modules/test.
I strongly suspect the error is somewhere in how you installed the HLTO file. For Zeek to automatically load it it needs to be in a directory in Zeek’s search path for compiled Spicy modules. You can inspect the currently configured paths with
$ spicyz --print-module-path
/usr/local/zeek/lib/zeek/spicy
If you want and need to allow non-standard paths you can adjust the value by setting the ZEEK_SPICY_MODULE_PATH environment variable for zeek.
If this does not fix your issue here a few pointers for debugging:
-
try loading the HLTO file directly to check whether your issue is due to the HLTO file not being loaded automatically, e.g.,
$ zeek -r PCAP.pcap YOUR_ANALYZER.hlto SCRIPT.zeek -
check what functionality is exposed by your analyzer to Zeek, e.g., with explicit HLTO loading
$ zeek -NN Zeek::Spicy YOUR_ANALYZER.hlto Zeek::Spicy - Support for Spicy parsers (.hlto) (built-in) ... [Type] Module::InnerUnitA [Type] Module::InnerUnitB [Type] Module::MainUnit ... -
check the debugging section in the docs for more pointers
In general, I would suggest to build and install Spicy-based analyzers with Zeek’s package manager zkg.
1 Like
The problem was indeed with the path (of the HLTO file), which changed compared to the previous Zeek version I used.
Many thanks!