Transitioning from my previous experience of developing analyzers in Binpac, I find that Spicy provides some additional flexibility, independence, and portability, making the Zeek side of the code cleaner. I have already tried to develop an application-layer analyzer for a custom TCP-based protocol that I used for the class I am teaching right now.
From the Spicy documentation, I see that we can also use Spicy to develop analyzers on top of “RawLayer” as well as over TCP/UDP. My question is: is it possible to use Spicy to develop analyzers for protocols in the middle layers? For example, for a protocol running directly on top of Ethernet, or protocols running directly on top of the IP layer?
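As an added illustration, not part of the original post and not the poster's own analyzer, here is the shape of a minimal Spicy grammar for an application-layer protocol over TCP of the kind the post describes. The protocol is constructed for this example: a 2-byte big-endian length followed by that many payload bytes. The module name `Echo`, the unit and field names, and the port used below are all assumptions.

```spicy
# Added example, not from the original post: a minimal Spicy grammar for a
# constructed length-prefixed protocol carried over TCP. The module name,
# message layout and field names are assumed for illustration only.
module Echo;

# One message: a 2-byte length (Spicy integers are big-endian by default)
# followed by exactly that many bytes. &size=self.len consumes precisely
# len bytes, so a message can never read past its declared boundary; if the
# stream ends before len bytes arrive, parsing fails with an error instead
# of silently accepting a truncated message.
public type Message = unit {
    len:     uint16;
    payload: bytes &size=self.len;
};

# Each direction of the connection is a sequence of such messages, parsed
# until the stream ends. A parse error in one message aborts the analyzer
# for that connection, which Zeek reports as a protocol violation.
public type Messages = unit {
    msgs: Message[];
};
```

To wire this into Zeek, the matching `.evt` file would declare `protocol analyzer spicy::Echo over TCP: parse with Echo::Messages, port 7/tcp;` and map the unit to an event with `on Echo::Message -> event echo::message($conn, $is_orig, self.payload);`; the Zeek-side script then only declares and handles `echo::message` (the port number is an assumption for the example). Note that everything here still sits above TCP, which is exactly the boundary the question above is asking about.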
*My question is: is it possible to use Spicy to develop analyzers for protocols in the middle layers? For example, for a protocol running directly on top of Ethernet, or protocols running directly on top of the IP layer?*
Not yet. It’s a limitation of Zeek’s plugin API (not of Spicy), which doesn’t support this yet. However, we’re working on adding that support; it should happen at some point during the 4.x cycle.
Thank you so much for your answer. I am looking forward to the update.
Even though Zeek supports DNP3 and Modbus, these two protocols are ancient. The more up-to-date protocols for industrial control systems, such as Industrial Ethernet protocols, provide protocols at all the different layers of the TCP/IP stack. Some colleagues and I have students at the University of Rhode Island who could do such development in Spicy once these features become available. I believe this can really make Zeek attractive to those utility providers.