[Zeek] New Analyzer

Aaron Heller deltah24 at gmail.com
Wed Jul 10 18:11:46 PDT 2019


I did try running with the bacnet plugin specified and it didn't work, so
I'll give the init-plugin a shot tomorrow.

Thanks much all for the thoughts and help,
Aaron

On Wed, Jul 10, 2019 at 9:01 PM Justin Azoff <justin at corelight.com> wrote:

> Oh, looking at this closer you probably want to use
>
> zeek/aux/zeek-aux/plugin-support/init-plugin
>
> to create the plugin skeleton.  the binpac quickstart I think is a bit
> out of date at this point for how to set up an external plugin+package.
> The binpac parts it generates should still be fine though.
>
> so I would use init-plugin to make a new package and copy your
> existing code over it.  that should give you a working self-contained
> external package that you can install.  It also takes advantage of the
> new bro-config bits which make building and installing the plugin work
> without the full source checkout.
>
> On Wed, Jul 10, 2019 at 8:51 PM Justin Azoff <justin at corelight.com> wrote:
> >
> > did you run that with --plugin?
> >
> > On Wed, Jul 10, 2019 at 8:39 PM Aaron Heller <deltah24 at gmail.com> wrote:
> > >
> > > Hi Justin,
> > > I started off using the binpac_quickstart script, which I thought created an external plugin?
> > >
> > > Thanks,
> > > Aaron
> > >
> > > On Wed, Jul 10, 2019 at 8:20 PM Justin Azoff <justin at corelight.com> wrote:
> > >>
> > >> On Wed, Jul 10, 2019 at 8:16 PM Aaron Heller <deltah24 at gmail.com> wrote:
> > >>>
> > >>> Maybe that and the analyzer not automatically firing off indicates an issue with the bacnet script not being called appropriately?  I'm grasping at straws, so any thoughts are greatly appreciated!
> > >>
> > >>
> > >> I don't think you are loading the scripts at all..  which is also why the sigs aren't loaded.
> > >>
> > >> Are you building this as an in-tree analyzer or as an external plugin?
> > >>
> > >> --
> > >> Justin
> >
> >
> >
> > --
> > Justin
>
>
>
> --
> Justin
>