Forwarding to other analyzers

One often wants to forward an extracted payload to other analyzers.

  • HTTP messages with files
  • compressed files containing PE files
  • protocols using other sub-protocols

Inside Spicy we can forward data from one parser to another one with sink values, but in a Zeek context we can also forward data to other analyzers (Spicy or not).

Forwarding to file analyzers

Let's assume we are parsing protocol messages which contain bytes corresponding to a file. We want to feed the file data into Zeek's file analysis.

type Message = unit {
    : bytes &chunked &size=512;
};

With the &chunked attribute on the bytes field, its field hook is invoked as soon as a chunk of data arrives, even if the full payload is not yet available. The caveat is that once parsing is done only the final chunk remains stored in the field. This is fine here, since we usually do not need to keep the data ourselves once it has been forwarded.

The protocol for passing data is:

  • open a file handle with zeek::file_begin(), which returns the handle
  • pass each chunk of data with zeek::file_data_in(), together with that handle
  • close the handle with zeek::file_end() once the file is complete

E.g.,

import zeek;

public type File = unit {
    var h: string;

    # Open the file handle when parsing of this unit starts.
    on %init { self.h = zeek::file_begin(); }

    # Forward every chunk as it arrives; &eod consumes until end of data.
    : bytes &chunked &eod {
        zeek::file_data_in($$, self.h);
    }

    # Close the handle explicitly once the unit is done.
    on %done { zeek::file_end(self.h); }
};

Danger

File handles need to be closed explicitly with zeek::file_end.

A handle that is never closed is leaked for the duration of the connection.
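The File unit above forwards an entire unit's payload. The more common case from the introduction, a protocol message whose header announces a length-bounded file body, ties the handle's lifetime to one message. The following is an added example, not code from the Spicy or Zeek documentation; the wire format (a 4-byte length, a 1-byte type, then the file body) is constructed for illustration, and the unit and module names are arbitrary.

```spicy
module Demo;

import zeek;

# Constructed format for this example: 4-byte big-endian length, 1-byte
# message type, then exactly `len` bytes of file content.
public type FileMessage = unit {
    len:  uint32;
    kind: uint8;

    var h: string;

    # One file handle per message (not per connection), so every payload
    # becomes its own file in Zeek's file analysis. Opened after the header
    # has been parsed, i.e. right before the body starts.
    on kind { self.h = zeek::file_begin(); }

    # &chunked forwards data as it arrives; &size bounds the field to the
    # declared body length, so the unit ends exactly where the message does.
    : bytes &chunked &size=self.len {
        zeek::file_data_in($$, self.h);
    }

    # Close the handle explicitly; otherwise it leaks for the connection's
    # lifetime (see the Danger note above).
    on %done { zeek::file_end(self.h); }
};
```

Because the handle is opened in the hook of the last header field and closed in %done, a connection that carries many FileMessage units opens and closes one handle per unit, and a truncated body (fewer than len bytes before the connection ends) still produces a partial file rather than a leaked handle.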

Forwarding to protocol analyzers

Forwarding to protocol analyzers follows a similar protocol of opening a handle, interacting with it, and closing it.

Danger

Protocol handles need to be closed explicitly.

For opening a handle, two APIs are supported:

function zeek::protocol_begin(analyzer: optional<string> = Null);
function zeek::protocol_handle_get_or_create(analyzer: string) : ProtocolHandle;

When zeek::protocol_begin is called without an argument, all forwarded data is passed to Zeek's dynamic protocol detection (DPD), which then picks the analyzer itself. Of the two APIs only zeek::protocol_handle_get_or_create returns a handle; that handle is what you pass to the later calls when forwarding to a specific analyzer.

Otherwise pass the Zeek name of the analyzer (the name without the ANALYZER_ prefix), e.g.,

local h = zeek::protocol_handle_get_or_create("SSL");

You can inspect the output of zeek -NN for available analyzer names, e.g.,

$ zeek -NN | grep ANALYZER | grep SSL
    [Analyzer] SSL (ANALYZER_SSL, enabled)
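As an added example (not code from the Spicy or Zeek documentation), the following unit puts the handle-based API together end to end: a constructed framing layer that wraps TLS records in a 2-byte length prefix is parsed, and each record is handed to Zeek's SSL analyzer through the handle obtained above. The functions zeek::protocol_data_in, zeek::is_orig and zeek::protocol_handle_close are part of the zeek module but are not introduced on this page; the framing format and all unit names are assumptions made for the example.

```spicy
module Demo;

import zeek;

# Constructed framing for this example: a 2-byte big-endian length followed
# by that many bytes of inner protocol data (here: TLS records).
type Frame = unit {
    len:     uint16;
    payload: bytes &size=self.len;
};

public type Frames = unit {
    var h: zeek::ProtocolHandle;

    # Obtain the child analyzer by its Zeek name (see `zeek -NN`). Using the
    # explicit handle, rather than protocol_begin(), keeps the forwarding
    # target unambiguous if more child analyzers are added later.
    on %init { self.h = zeek::protocol_handle_get_or_create("SSL"); }

    # Forward the inner payload of every frame. The direction flag must be
    # preserved so the SSL analyzer sees originator and responder correctly.
    : Frame[] &eod foreach {
        zeek::protocol_data_in(zeek::is_orig(), $$.payload, self.h);
    }

    # Close the handle explicitly when the stream ends; an unclosed handle
    # leaks for the lifetime of the connection.
    on %done { zeek::protocol_handle_close(self.h); }
};
```

Both sides of the connection run their own instance of Frames, so each instance forwards only its own direction; the shared SSL child analyzer reassembles the handshake from the is_orig flag passed with every chunk.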