Writing a Protocol Analyzer Plugin

Hello Zeek Devs,

I would like to write a protocol analyzer and need some direction. I would like to write something simple which works on TCP, similar to the ConnSize analyzer. I would like my analyzer to be distributed as a plugin, similar to MITRE’s HTTP2 analyzer, so I am following the docs here:
https://docs.zeek.org/en/stable/devel/plugins.html

However, the docs don’t detail much beyond creating a built-in function. A colleague pointed me at this quickstart script for binpac:
https://github.com/grigorescu/binpac_quickstart

The quickstart script seems to be intended for writing a protocol analyzer which gets merged into the Zeek source. This is not how plugins operate.

I’m looking for some guidance on how to proceed. Thanks in advance.

-AK

See if this helps:
https://github.com/zeek/zeek/blob/master/testing/btest/plugins/protocol.bro

That may be the most compact tutorial on writing a protocol analyzer
plugin. :slight_smile:

Robin

Oops! Sorry about that. Try this one: https://github.com/esnet/binpac_quickstart

That has a ‘–plugin’ option. That will at least get the boilerplate stuff built, and then you can start digging into the protocol specifics.

–Vlad

Many thanks for the quick responses!

I am receiving these errors:

error in /usr/local/bro/share/bro/base/init-bare.bro, line 1: plugin
Demo::ConnTaste is not available
fatal error in /usr/local/bro/share/bro/base/init-bare.bro, line 1:
Failed to activate requested dynamic plugin(s).

After executing these commands:

git clone --recursive https://github.com/zeek/zeek.git
cd zeek
./configure
make
DIST=`pwd`

cd aux/bro-aux/plugin-support
./init-plugin -u ./conn-taste Demo ConnTaste
BRO_PLUGIN_PATH=`pwd`

cd ${DIST}
cd ../
git clone https://github.com/esnet/binpac_quickstart.git
cd binpac_quickstart
pip install docopt jinja2
./start.py ConnTaste "Connection Byte Offset Tasting" \
    ${BRO_PLUGIN_PATH}/conn-taste/ --tcp --buffered --plugin

cd ${BRO_PLUGIN_PATH}/conn-taste
./configure --bro-dist=${DIST}
make

cd ${DIST}
./configure
make
make install

bro -NN Demo::ConnTaste

I’m guessing there is some environment variable I am missing as I tried zeek/testing/btest/plugins/protocol.bro as Robin suggested and the @TEST-EXEC statements worked as expected.

-AK

I believe you want to change this line:

./start.py ConnTaste "Connection Byte Offset Tasting" …

to

./start.py Demo::ConnTaste "Connection Byte Offset Tasting" …

-Dop

I tried changing the name provided to the setup script as suggested. Doing so gives me many errors when I try to ./configure the plugin from within the conn-taste/ directory. CMake states that DEMO::CONNTASTE-events.bif is “reserved or not valid for certain CMake features”. It complains about many of the file names.

Additionally, all the files in conn-taste/src/ look like DEMO::CONNTASTE.cc :frowning:

-AK

I’m sure there is at least one other Carl Sagan fan on list. I feel like if I wish to make an analyzer from scratch, I must first invent the universe.

-AK

Okay, with your original line for quickstart, this works rather than Demo::ConnTaste.

bash-3.2# /usr/local/bro/bin/bro -NN Bro::CONNTASTE
Bro::CONNTASTE - This thing analyzer (dynamic, no version information)
[Analyzer] CONNTASTE (ANALYZER_CONNTASTE, enabled)
[Event] conntaste_event

So we’ve got some plugin naming issues to deal with, which I hope to work out tomorrow. It shouldn’t be about reinventing the universe, binpac is hard enough. :slight_smile:

-Dop
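To make the naming mismatch in this thread concrete, here is an added shell helper (not from the thread, Zeek, or the binpac_quickstart project) that compares the plugin name you intend to load against a `bro -NN` listing and reports whether it matches exactly, differs only in case (Demo::ConnTaste vs Demo::CONNTASTE), or sits under a different namespace (Demo:: vs Bro::). The listing below is constructed, modelled on the output quoted above.

```shell
#!/bin/sh
# Constructed sample of `bro -NN` output, modelled on the listing quoted in
# this thread (not captured from a real run).
SAMPLE_NN='Bro::CONNTASTE - This thing analyzer (dynamic, no version information)
    [Analyzer] CONNTASTE (ANALYZER_CONNTASTE, enabled)
    [Event] conntaste_event
Bro::ConnSize - Connection size analyzer (builtin)
    [Analyzer] ConnSize (ANALYZER_CONNSIZE, enabled)'

# plugin_status NAME LISTING
# Prints one of:
#   exact            NAME is registered as written
#   case             only a case-insensitive match exists (e.g. CONNTASTE vs ConnTaste)
#   namespace:X      same plugin name registered under another namespace X
#   missing          nothing resembling NAME is registered
# Anything but "exact" explains a "plugin NAME is not available" error.
plugin_status() {
    name=$1; listing=$2
    # Plugin header lines are unindented "Namespace::Name - description";
    # indented [Analyzer]/[Event] lines are skipped by the leading ^.
    registered=$(printf '%s\n' "$listing" |
        sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*::[A-Za-z0-9_]*\) - .*/\1/p')
    for r in $registered; do
        [ "$r" = "$name" ] && { echo exact; return 0; }
    done
    lname=$(printf '%s' "$name" | tr '[:upper:]' '[:lower:]')
    for r in $registered; do
        lr=$(printf '%s' "$r" | tr '[:upper:]' '[:lower:]')
        [ "$lr" = "$lname" ] && { echo case; return 0; }
    done
    # Compare only the part after "::" to catch a namespace mismatch.
    lshort=$(printf '%s' "${name##*::}" | tr '[:upper:]' '[:lower:]')
    for r in $registered; do
        lr=$(printf '%s' "${r##*::}" | tr '[:upper:]' '[:lower:]')
        [ "$lr" = "$lshort" ] && { echo "namespace:$r"; return 0; }
    done
    echo missing
}

# Usage: plugin_status Demo::ConnTaste "$(bro -NN)"
plugin_status Demo::ConnTaste "$SAMPLE_NN"
```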

Heh… this is what I get for not following up on a WIP merge… Try the topic/dopheide/namespace branch of github.com/esnet/binpac_quickstart.

That should allow you to specify Demo::ConnTaste, but it will uppercase that to Demo::CONNTASTE, which I believe was an old convention.

-Dop

I’ll give that a whirl. Thanks again for the quick responses on this!

-AK