[Zeek] R: New Analyzer

Palumbo Mauro mauro.palumbo at aizoon.it
Thu Jul 11 01:15:25 PDT 2019


Hi Aaron,
   I can confirm the binpac quickstart is a bit out of date. I tried to use it a couple of months ago and ran into some issues. You can still use it but then have to edit some files manually.

Mauro

From: Aaron Heller [mailto:deltah24 at gmail.com]
Sent: Thursday, 11 July 2019 03:12
To: Justin Azoff <justin at corelight.com>
Cc: Palumbo Mauro <mauro.palumbo at aizoon.it>; zeek at zeek.org
Subject: Re: [Zeek] New Analyzer

I did try running with the bacnet plugin specified and it didn't work, so I'll give the init-plugin a shot tomorrow.

Thanks much all for the thoughts and help,
Aaron

On Wed, Jul 10, 2019 at 9:01 PM Justin Azoff <justin at corelight.com<mailto:justin at corelight.com>> wrote:
Oh, looking at this closer you probably want to use

zeek/aux/zeek-aux/plugin-support/init-plugin

to create the plugin skeleton.  The binpac quickstart I think is a bit
out of date at this point for how to set up an external plugin+package.
The binpac parts it generates should still be fine though.

So I would use init-plugin to make a new package and copy your
existing code over it.  That should give you a working self-contained
external package that you can install.  It also takes advantage of the
new bro-config bits which make building and installing the plugin work
without the full source checkout.

On Wed, Jul 10, 2019 at 8:51 PM Justin Azoff <justin at corelight.com<mailto:justin at corelight.com>> wrote:
>
> did you run that with --plugin?
>
> On Wed, Jul 10, 2019 at 8:39 PM Aaron Heller <deltah24 at gmail.com<mailto:deltah24 at gmail.com>> wrote:
> >
> > Hi Justin,
> > I started off using the binpac_quickstart script, which I thought created an external plugin?
> >
> > Thanks,
> > Aaron
> >
> > On Wed, Jul 10, 2019 at 8:20 PM Justin Azoff <justin at corelight.com<mailto:justin at corelight.com>> wrote:
> >>
> >> On Wed, Jul 10, 2019 at 8:16 PM Aaron Heller <deltah24 at gmail.com<mailto:deltah24 at gmail.com>> wrote:
> >>>
> >>>  Maybe that and the analyzer not automatically firing off indicates an issue with the bacnet script not being called appropriately?  I'm grasping at straws, so any thoughts are greatly appreciated!
> >>
> >>
> >> I don't think you are loading the scripts at all..  which is also why the sigs aren't loaded.
> >>
> >> Are you building this as an in-tree analyzer or as an external plugin?
> >>
> >> --
> >> Justin
>
>
>
> --
> Justin



--
Justin
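The workflow Justin describes above (scaffold an external plugin with init-plugin, copy the existing analyzer code over it, then confirm Zeek actually loads the plugin before blaming the scripts or signatures), as an added example that is not part of the thread and not code from the Zeek project. It assumes zeek-aux's `init-plugin` is on PATH and accepts `<plugin-dir> <namespace> <name>`, and that `zeek -N` / `zeek -NN` print one plugin per line in the shape shown; the `Demo::BACnet` plugin name and the two listings are constructed for the demonstration, not captured from a real build.

```shell
#!/bin/sh
# Added example, not code from the thread or the Zeek project.
# Assumptions: zeek-aux's init-plugin is on PATH and takes
# <plugin-dir> <namespace> <name>; `zeek -N` lists one plugin per line and
# `zeek -NN` adds "[Analyzer] NAME (ANALYZER_NAME, enabled)" component lines.

# Create the external plugin skeleton and copy previously generated binpac
# sources and scripts over it. Arguments: target dir, namespace, name, source dir.
scaffold_plugin() {
    dir=$1; ns=$2; name=$3; src=$4
    init-plugin "$dir" "$ns" "$name"
    cp -r "$src"/src/. "$dir/src/"
    cp -r "$src"/scripts/. "$dir/scripts/"
}

# Return 0 if plugin "<ns>::<name>" ($1) appears in a `zeek -N` style
# listing passed as $2. A missing line here means the plugin was never
# loaded, which is the failure mode in the thread: the plugin's scripts
# and signatures cannot be loaded if the plugin itself is absent.
plugin_is_loaded() {
    plugin=$1; listing=$2
    printf '%s\n' "$listing" | grep -q "^$plugin "
}

# Return 0 if analyzer $1 is registered and enabled in a `zeek -NN` style
# listing passed as $2. A loaded plugin whose analyzer is not listed points
# at the plugin's component registration rather than at the scripts.
analyzer_enabled() {
    analyzer=$1; listing=$2
    printf '%s\n' "$listing" | grep -q "\[Analyzer\] $analyzer (ANALYZER_[A-Z0-9_]*, enabled)"
}

# Constructed listings standing in for real `zeek -N` / `zeek -NN` output.
SAMPLE_N='Zeek::HTTP - HTTP analyzer (built-in)
Demo::BACnet - BACnet protocol analyzer (dynamic, version 0.1)'

SAMPLE_NN='Demo::BACnet - BACnet protocol analyzer (dynamic, version 0.1)
    [Analyzer] BACnet (ANALYZER_BACNET, enabled)'

# Stand-alone run against the constructed listings. Against a real build,
# replace SAMPLE_N with "$(zeek -N)" and SAMPLE_NN with "$(zeek -NN)".
if plugin_is_loaded Demo::BACnet "$SAMPLE_N"; then
    echo "plugin Demo::BACnet loaded"
else
    echo "plugin Demo::BACnet NOT loaded: install it or point ZEEK_PLUGIN_PATH at the build dir"
fi
if analyzer_enabled BACnet "$SAMPLE_NN"; then
    echo "analyzer BACnet registered and enabled"
fi
```

The two checks separate the cases the thread conflates: if `plugin_is_loaded` fails, no amount of editing the `.zeek` scripts or signatures will help because nothing from the plugin is being read; if the plugin is listed but `analyzer_enabled` fails, the component registration in the plugin's `Plugin.cc` is the place to look.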

