Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

Exercise

Starting from the default protocol analyzer template we want to (redundantly) pass the number of bytes for Request to Zeek as well.

  1. In the EVT file pass the number of bytes in request's self.payload.

    Solution 
    on Foo::Request -> event Foo::request($conn, $is_orig, self.payload, |self.payload|);

  2. Manually build your changed analyzer:

    # Inside the directory of your generated analyzer (the directory with `zkg.meta`).
mkdir build
cd build/
cmake ..
make

    Note

    The build/ directory will contain generated files, some of them specific to the developer environment, and it should not be committed to the repository.

  3. Run the test suite. This runs tests against an included PCAP file. What do you see?

    # Inside the directory of your generated analyzer (the directory with `zkg.meta`).
cd testing/
btest -dv
    Solution

    Test tests.trace test fails. Its sources are in testing/tests/trace.zeek.

    .. analyzer error in <..>/foo/analyzer/foo.evt, line 16: Event parameter mismatch, more parameters given than the 3 that the Zeek event expects

  4. Fix the signatures of the handlers for Foo::request so tests pass. What type do need to use on the Zeek side to pass the length (uint64 in Spicy)?

    Hint

    The type mappings are documented here.

    Solution

    In both testing/tests/trace.zeek and scripts/main.zeek change the signatures to

    event Foo::request(c: connection, is_orig: bool, payload: string, len: count) {}

  5. Modify testing/tests/trace.zeek to include the length in the baseline, i.e., change the test case for Foo::request to

    print fmt("Testing Foo: [request] %s %s %d", c$id, payload, len);

    Rerun tests and update the test baseline with

    # Inside the directory of your generated analyzer (the directory with `zkg.meta`).
cd testing/
btest -u

    Make sure all tests pass with these changes.

    Stage and commit all changes in the package repository.

    git add -u
git commit -v -m "Pass payload length to Zeek"

    Validate that the package also tests fine with zkg.

    Note

    In contrast to the explicit invocations above, zkg only operates on files committed to the Git repository. It additionally requires that there are no uncommitted changes or untracked files in the repository.

    # Inside the directory of your generated analyzer (the directory with `zkg.meta`).
# Make progress more verbose with `-vvv`.
zkg -vvv test .

  6. Optional Also add the length to the Zeek log generated from the code in scripts/main.zeek.

    Hint

    This requires adding a count &optional &log field to the Info record.

    Set the field from the event handler for Foo::request.

    Update test baselines as needed.