[Zeek] R: New Analyzer

Palumbo Mauro mauro.palumbo at aizoon.it
Wed Jul 10 00:30:18 PDT 2019


Hi Aaron,
   not sure what you have done so far, but maybe you are missing something on the script side?

To activate signature recognition for analyzers, you must write a script with the proper signature (usually called dpd.sig) and load it (usually with @load-sigs ./dpd.sig in the main.zeek script for the analyzer).

Have a look at the script side of some other analyzers to see some examples.

Mauro
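An added illustration of the two files this reply describes, not code from the thread, from the BACnet analyzer being discussed, or from Zeek itself: a dpd.sig that enables an analyzer when a UDP payload matches, and the main script that loads it. It assumes the analyzer's Plugin.cc registers the component name "BACnet" (so its tag is Analyzer::ANALYZER_BACNET); the payload pattern assumes a BACnet/IP BVLC header, whose first byte is the BVLC type 0x81, and 47808/udp is BACnet/IP's registered port.

```zeek
##! ---- scripts/dpd.sig (hypothetical) ----
##! The name in "enable" must match the component name registered in
##! Plugin.cc (compared case-insensitively), otherwise the signature
##! matches but no analyzer is attached to the connection.
signature dpd_bacnet {
  ip-proto == udp
  # BVLC header: type byte 0x81 followed by a function code 0x00..0x0c
  # (assumed range; tighten to the functions the analyzer supports).
  payload /^\x81[\x00-\x0c]/
  enable "bacnet"
}

##! ---- scripts/main.zeek (hypothetical) ----
module BACnet;

# Load the signatures relative to this script, so they are active
# whenever the analyzer's scripts are loaded, without needing "bro -s".
@load-sigs ./dpd.sig

export {
    redef enum Log::ID += { LOG };

    # Well-known port, used in addition to signature-based detection
    # so that traffic on the standard port is also picked up.
    const ports = { 47808/udp } &redef;
}

redef likely_server_ports += { ports };

# In Zeek 3.0 and later this event is named zeek_init.
event bro_init() &priority=5
    {
    Analyzer::register_for_ports(Analyzer::ANALYZER_BACNET, ports);
    }
```

A quick check that the signature side is in place: running with the analyzer's scripts loaded and a capture of BACnet/IP traffic, the connection's service field in conn.log should show the analyzer name without passing -s.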




From: zeek-bounces at zeek.org [mailto:zeek-bounces at zeek.org] On behalf of Aaron Heller
Sent: Wednesday, 10 July 2019 03:45
To: zeek at zeek.org
Subject: [Zeek] New Analyzer

Hi everyone,
I'm working on a BACnet protocol analyzer for Zeek and am having problems getting the analyzer to fire.  I've been working with Zeek version 2.6.2 and the analyzer was created using binpac_quickstart.

BACnet is a UDP based building automation and control protocol (think furnaces, security/access systems, lighting, etc.).

Not sure what info would be most helpful, if anyone is willing to lend some insight as to why the analyzer isn't firing off? The analyzer is supposed to be signature based and bro -N shows it as built-in and active.  If the bro -s option is used to specify the signature file then the analyzer will fire off appropriately, but I'm looking for it to auto-magically be included in the UDP analyzer tree.

Greatly appreciate any help or thoughts on where to look first,
Aaron




