New Analyzer

Hi everyone,

I’m working on a BACnet protocol analyzer for Zeek and am having problems getting the analyzer to fire. I’ve been working with Zeek version 2.6.2 and the analyzer was created using binpac_quickstart.

BACnet is a UDP based building automation and control protocol (think furnaces, security/access systems, lighting, etc.).

Not sure what info would be most helpful, if anyone is willing to lend some insight as why the analyzer isn’t firing off? The analyzer is supposed to be signature based and bro -N shows it as built-in and active. If bro -s option is used to specify the signature file then the analyzer will fire off appropriately, but I’m looking for it to auto-magically be included in the UDP analyzer tree.

Greatly appreciate any help or thought for where to look first,

Hi Aaron,

not sure what you have done so far, but maybe you are missing something on the script side?

To activate signature recognition for analyzers, you must write a script with the proper signature (usually called dpd.sig) and load it (usually with @load-sigs ./dpd.sig in the main.zeek script for the analyzer).

Have a look at the script side of some other analyzers to see some examples.


Inviato: mercoledì 10 luglio 2019 03:45


Hi Mauro,
Thanks much for the idea/insight.

I didn’t have a @load-sigs line in the main.bro script, but there is one in the load.bro file. It looks consistent with the other protocols that appear to be signature based (dnp3, ftp, pop3, etc.). I tried adding the @load-sigs ./dpd.sig line to the main.bro script but still no joy. Any other thoughts?

I didn’t think to include it in the original email, but when zeek is run with the -s option and a signature file is specified, the ‘C’ portion of the analyzer fires off (i.e., the …/zeek/src/analyzers/protocol/bacnet/,, and events.bif), but the script side that should generate a log file does not (…/zeek/scripts/base/protocols/bacnet/main.bro, load.bro, and dpd.sig). Maybe that and the analyzer not automatically firing off indicates an issue with the bacnet script not being called appropriately? I’m grasping at straws, so any thoughts are greatly appreciated!

Thanks again,


I don’t think you are loading the scripts at all… which is also why the sigs aren’t loaded.

Are you building this as an in-tree analyzer or as an external plugin?


Hi Justin,
I started off using the binpac_quickstart script, which I thought created an external plugin?


did you run that with --plugin?

Oh, looking at this closer you probably want to use


to create the plugin skeleton. the binpac quickstart I think is a bit
out of date at this point for how to setup an external plugin+package.
The binpac parts it genrates should still be fine though.

so I would use init-plugin to make a new package and copy your
existing code over it. that should give you a working self-contained
external package that you can install. It also takes advantage of the
new bro-config bits which make building and installing the plugin work
without the full source checkout.

I did try running with the bacnet plugin specified and it didn’t work, so I’ll give the init-plugin a shot tomorrow.

Thanks much all for the thoughts and help,

Hi Aaron,

I can confirm the binpac quickstart is a bit out of date. I tried to use it a couple of months ago and run into some issues. You can still use it but then have to edit some files manually.


Inviato: giovedì 11 luglio 2019 03:12