Exercise

Starting from the default protocol analyzer template we want to (redundantly) pass the number of bytes for Request to Zeek as well.

  1. In the EVT file, also pass the number of bytes in the request's self.payload.

    Solution
    on Foo::Request -> event Foo::request($conn, $is_orig, self.payload, |self.payload|);
    
  2. Manually build your changed analyzer:

    # Inside the directory of your generated analyzer (the directory with `zkg.meta`).
    mkdir build
    cd build/
    cmake ..
    make
    

    Note

    The build/ directory will contain generated files, some of them specific to the developer environment, and it should not be committed to the repository.

  3. Run the test suite. This runs tests against an included PCAP file. What do you see?

    # Inside the directory of your generated analyzer (the directory with `zkg.meta`).
    cd testing/
    btest -dv
    
    Solution

    The test tests.trace fails. Its sources are in testing/tests/trace.zeek.

    .. analyzer error in <..>/foo/analyzer/foo.evt, line 16: Event parameter mismatch, more parameters given than the 3 that the Zeek event expects
    
    
  4. Fix the signatures of the handlers for Foo::request so the tests pass. What type do you need to use on the Zeek side to pass the length (uint64 in Spicy)?

    Hint

    The type mappings are documented here.

    Solution

    In both testing/tests/trace.zeek and scripts/main.zeek change the signatures to

    event Foo::request(c: connection, is_orig: bool, payload: string, len: count) {}
    
  5. Modify testing/tests/trace.zeek to include the length in the baseline, i.e., change the test case for Foo::request to

    print fmt("Testing Foo: [request] %s %s %d", c$id, payload, len);
    

    Rerun tests and update the test baseline with

    # Inside the directory of your generated analyzer (the directory with `zkg.meta`).
    cd testing/
    btest -u
    

    Make sure all tests pass with these changes.

    Stage and commit all changes in the package repository.

    git add -u
    git commit -v -m "Pass payload length to Zeek"
    

    Validate that the package also tests fine with zkg.

    Note

    In contrast to the explicit invocations above, zkg only operates on files committed to the Git repository. It additionally requires that there are no uncommitted changes or untracked files in the repository.

    # Inside the directory of your generated analyzer (the directory with `zkg.meta`).
    # Make progress more verbose with `-vvv`.
    zkg -vvv test .
    
  6. (Optional) Also add the length to the Zeek log generated from the code in scripts/main.zeek.

    Hint

    This requires adding a count &optional &log field to the Info record.

    Set the field from the event handler for Foo::request.

    Update test baselines as needed.
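    The following is an added example of what scripts/main.zeek can look like once steps 4 to 6 are done; it is not the template's generated script and does not reproduce it exactly. It assumes the Spicy side raises Foo::request($conn, $is_orig, self.payload, |self.payload|) as in the EVT solution above, so the event is declared by the analyzer package and this script must be loaded alongside it. The Info record gains a request_len field of type count (Spicy's uint64), the handler fills it from the fourth parameter, and because the length is redundant with |payload| the handler also reports a mismatch, which would point at a bug in the EVT mapping. Field names other than those shown in the exercise (request_len, set_session, emit_log) are assumptions.

```zeek
# Added example, not the template's scripts/main.zeek.
# Assumes the Foo Spicy analyzer is loaded and raises
# Foo::request($conn, $is_orig, self.payload, |self.payload|).

module Foo;

export {
    ## Log stream identifier for foo.log.
    redef enum Log::ID += { LOG };

    ## Columns of the log. The new field is request_len; it is &optional
    ## because a connection may be logged before any request was seen.
    type Info: record {
        ts: time &log;
        uid: string &log;
        id: conn_id &log;
        request: string &optional &log;
        ## Number of bytes in the request payload (uint64 in Spicy -> count in Zeek).
        request_len: count &optional &log;
    };

    ## Event raised for every logged record.
    global log_foo: event(rec: Info);
}

# Per-connection state; the field name "foo" is an assumption of this example.
redef record connection += {
    foo: Info &optional;
};

# Create the log stream once at startup.
event zeek_init() &priority=5
    {
    Log::create_stream(Foo::LOG, [$columns=Info, $ev=log_foo, $path="foo"]);
    }

# Attach an Info record to the connection on first use.
hook set_session(c: connection)
    {
    if ( ! c?$foo )
        c$foo = Info($ts=network_time(), $uid=c$uid, $id=c$id);
    }

# Write the record (if any) and drop the per-connection state.
function emit_log(c: connection)
    {
    if ( ! c?$foo )
        return;

    Log::write(Foo::LOG, c$foo);
    delete c$foo;
    }

# The fourth parameter matches the |self.payload| argument added in the EVT file.
# The same signature is needed in testing/tests/trace.zeek, otherwise the
# "Event parameter mismatch" analyzer error from step 3 appears.
event Foo::request(c: connection, is_orig: bool, payload: string, len: count)
    {
    hook set_session(c);

    # The length is redundant with |payload|; a disagreement means the
    # EVT mapping and the Zeek handler are out of sync.
    if ( len != |payload| )
        Reporter::warning(fmt("Foo::request length mismatch: %d vs %d", len, |payload|));

    local info = c$foo;
    info$request = payload;
    info$request_len = len;
    }

# Flush the record when the connection is removed from Zeek's state.
event connection_state_remove(c: connection)
    {
    emit_log(c);
    }
```

    After this change foo.log gains a request_len column, so the btest baselines that diff foo.log need to be updated with btest -u exactly as in step 5, and zkg test . must again pass on the committed tree.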