[Zeek] New Analyzer

Aaron Heller deltah24 at gmail.com
Wed Jul 10 17:07:45 PDT 2019


Hi Mauro,
Thanks much for the idea/insight.

I didn't have a @load-sigs line in the main.bro script, but there is one in
the __load__.bro file.  It looks consistent with the other protocols that
appear to be signature based (dnp3, ftp, pop3, etc.).  I tried adding the
@load-sigs ./dpd.sig line to the main.bro script but still no joy.  Any
other thoughts?

I didn't think to include it in the original email, but when zeek is run
with the -s option and a signature file is specified, the 'C' portion of
the analyzer fires off (i.e., the
../zeek/src/analyzers/protocol/bacnet/bacnet.cc, Plugin.cc, and
events.bif), but the script side that should generate a log file does not
(../zeek/scripts/base/protocols/bacnet/main.bro, __load__.bro, and
dpd.sig).  Maybe that and the analyzer not automatically firing off
indicates an issue with the bacnet script not being called appropriately?
I'm grasping at straws, so any thoughts are greatly appreciated!


Thanks again,
Aaron

On Wed, Jul 10, 2019 at 3:30 AM Palumbo Mauro <mauro.palumbo at aizoon.it>
wrote:

> Hi Aaron,
>
>    not sure what you have done so far, but maybe you are missing something
> on the script side?
>
> To activate signature recognition for analyzers, you must write a script
> with the proper signature (usually called dpd.sig) and load it (usually
> with @load-sigs ./dpd.sig in the main.zeek script for the analyzer).
>
> Have a look at the script side of some other analyzers to see some
> examples.
>
> Mauro
>
> From: zeek-bounces at zeek.org [mailto:zeek-bounces at zeek.org] On behalf of Aaron
> Heller
> Sent: Wednesday, 10 July 2019 03:45
> To: zeek at zeek.org
> Subject: [Zeek] New Analyzer
>
> Hi everyone,
>
> I'm working on a BACnet protocol analyzer for Zeek and am having problems
> getting the analyzer to fire.  I've been working with Zeek version 2.6.2
> and the analyzer was created using binpac_quickstart.
>
> BACnet is a UDP based building automation and control protocol (think
> furnaces, security/access systems, lighting, etc.).
>
> Not sure what info would be most helpful, if anyone is willing to lend
> some insight as why the analyzer isn't firing off? The analyzer is supposed
> to be signature based and bro -N shows it as built-in and active.  If bro
> -s option is used to specify the signature file then the analyzer will fire
> off appropriately, but I'm looking for it to auto-magically be included in
> the UDP analyzer tree.
>
> Greatly appreciate any help or thought for where to look first,
>
> Aaron
>
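For readers following Mauro's point about the script side, here is an added example of the three files a signature-activated UDP analyzer package needs; it is not code from this thread or from Aaron's BACnet analyzer. It uses current Zeek naming (`.zeek` files, `zeek_init`); in the 2.6-era tree the same files were `.bro` and the event was `bro_init`, and the `protocol_confirmation` event used here has since been renamed in newer releases. The analyzer name `bacnet`, the `Analyzer::ANALYZER_BACNET` tag, the log fields, and the match on the BACnet/IP well-known port 47808 with the BVLC type byte 0x81 are my assumptions. One further check worth making: the package's `__load__.zeek` must itself be pulled in by the default script set (for example via `@load base/protocols/bacnet` in `scripts/base/init-default.zeek`), because a `@load-sigs` line in a script that is never loaded registers nothing, and the analyzer then only runs when the signature file is passed explicitly with `-s`.

```zeek
# scripts/base/protocols/bacnet/dpd.sig  (constructed example)
# The "enable" action hands matching UDP flows to the analyzer registered
# under the name "bacnet".  The match is the BACnet/IP well-known port plus
# the BVLC type byte 0x81 that begins every BACnet/IP frame (assumed here).
signature dpd_bacnet {
    ip-proto == udp
    dst-port == 47808
    payload /^\x81/
    enable "bacnet"
}

# scripts/base/protocols/bacnet/__load__.zeek  (constructed example)
# @load-sigs registers the signature with the DPD engine whenever this
# package is loaded; without it only "zeek -s dpd.sig" would do so.
@load ./main
@load-sigs ./dpd.sig

# scripts/base/protocols/bacnet/main.zeek  (constructed example)
module BACnet;

export {
    redef enum Log::ID += { LOG };

    # One record per connection the analyzer claims; extend with protocol
    # fields once the C++ side raises events for them.
    type Info: record {
        ts:  time    &log;
        uid: string  &log;
        id:  conn_id &log;
    };
}

event zeek_init() &priority=5
    {
    Log::create_stream(BACnet::LOG, [$columns=Info, $path="bacnet"]);
    }

# Write a log line as soon as the analyzer confirms the protocol on a flow.
# Analyzer::ANALYZER_BACNET is the tag Zeek derives from the plugin's
# analyzer name (assumed); it exists only once the C++ analyzer is built in.
event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count)
    {
    if ( atype != Analyzer::ANALYZER_BACNET )
        return;

    Log::write(BACnet::LOG, [$ts=network_time(), $uid=c$uid, $id=c$id]);
    }
```

With the package loaded by default, `zeek -r bacnet.pcap` (no `-s`) should produce a `bacnet.log`; if it appears only when `-s dpd.sig` is added, the signature is not being loaded by the script side, which narrows the search to the `@load` chain rather than the analyzer itself.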