[Zeek] Development of layer 4 protocol parser (ESP)

Jan Grashöfer jan.grashoefer at gmail.com
Wed Feb 26 04:09:35 PST 2020


Hi Bart,

Regarding patch safety, support for pluggable low-level analyzers would 
help. This is actually a long-standing request: 
https://github.com/zeek/zeek/issues/248 There is a first approach that 
needs some more improvements and reviews. We are working on it.

Jan

On 25/02/2020 19:17, Bart Hermans wrote:
> Recently I got into Zeek and started to play around with BinPAC plugin
> development. BinPAC allowed me to pretty easily write a protocol parser
> for IKE messages. However, I stumbled upon a problem. As I already read
> on the mailing list, BinPAC is aimed at parsing protocols which run on
> top of UDP or TCP. I also read that to parse protocols on lower layers
> (let's say the transport layer), BinPAC won't be able to help you
> anymore. The solution that was proposed in a few messages that I read
> was to modify the source code of Zeek to support layer 4 protocols other
> than TCP, UDP and ICMP.
> 
> First and foremost; before posting this message, that's exactly what I
> did. My approach was to look at the implementation of ICMP and UDP in
> Zeek (which are also layer 4 protocols). Based on this I tried my best
> at writing a protocol analyzer alongside these protocols. However, after
> spending a good amount of hours trying to write a protocol parser for
> ESP-messages (protocol number 50) I came to the conclusion that the code
> had become quite messy. Most importantly I didn't get the ESP-parser to
> work properly. Even if I had got it working, the code wouldn't be
> patch safe anymore from future versions of Zeek.
> 
> My issue is as follows; I only want to be able to detect that a protocol
> number 50 packet has been seen with the parsing of the very first field.
> Is the only way to get this working to give another shot at modifying
> the source code or is there a cleaner/patch-friendly path to
> travel? Even a gentle push in the right direction would very much be
> appreciated.
> 
> 
> 
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
> 
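Bart's stated goal is only to notice that an IP protocol 50 (ESP) packet went by and read its first field. The following is an added stand-alone illustration of that minimal check, not code from Zeek, BinPAC, or either poster: it walks an IPv4 header to the protocol byte, and, when the protocol is 50, reads the SPI and sequence number that RFC 4303 places at the start of every ESP packet. The sample packets are constructed inline (the IPv4 checksum is left at zero because the parser does not verify it), and the function and field names are my own choices.

```python
import struct

IPPROTO_ESP = 50  # IANA protocol number for ESP (RFC 4303)


def parse_ipv4(pkt: bytes):
    """Return (protocol, payload) from a raw IPv4 packet, or None if it is malformed.

    Honours IHL so that packets with IP options still yield the right payload offset.
    """
    if len(pkt) < 20:
        return None
    ver_ihl = pkt[0]
    if ver_ihl >> 4 != 4:          # not IPv4
        return None
    ihl = (ver_ihl & 0x0F) * 4     # header length in bytes, 20..60
    if ihl < 20 or len(pkt) < ihl:
        return None
    proto = pkt[9]                 # the protocol field sits at byte 9
    return proto, pkt[ihl:]


def parse_esp_header(payload: bytes):
    """ESP (RFC 4303) starts with a 32-bit SPI followed by a 32-bit sequence number.

    Everything after that is the (usually encrypted) payload, so this is all a
    passive observer can meaningfully read without the SA's keys.
    """
    if len(payload) < 8:
        return None
    spi, seq = struct.unpack("!II", payload[:8])
    return {"spi": spi, "seq": seq}


def detect_esp(pkt: bytes):
    """Return the SPI/sequence dict for an ESP packet, None for anything else."""
    parsed = parse_ipv4(pkt)
    if parsed is None:
        return None
    proto, payload = parsed
    if proto != IPPROTO_ESP:
        return None
    return parse_esp_header(payload)


def build_ipv4(proto: int, src: bytes, dst: bytes, payload: bytes, options: bytes = b"") -> bytes:
    """Constructed test helper: minimal IPv4 header (checksum left at zero) plus payload."""
    assert len(options) % 4 == 0, "IP options must pad to a 32-bit boundary"
    ihl_words = (20 + len(options)) // 4
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x40 | ihl_words,        # version 4, IHL
        0,                       # DSCP/ECN
        20 + len(options) + len(payload),
        0x1234, 0,               # identification, flags/fragment offset
        64, proto, 0,            # TTL, protocol, checksum (unverified here)
        src, dst,
    )
    return header + options + payload


# Constructed sample packets (not captured traffic).
SRC, DST = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
ESP_PKT = build_ipv4(IPPROTO_ESP, SRC, DST, struct.pack("!II", 0xDEADBEEF, 1) + b"\x00" * 16)
ESP_PKT_WITH_OPTIONS = build_ipv4(IPPROTO_ESP, SRC, DST, struct.pack("!II", 0x00000100, 7),
                                  options=b"\x01\x01\x01\x01")  # four NOP options
UDP_PKT = build_ipv4(17, SRC, DST, b"\x00" * 8)


if __name__ == "__main__":
    for name, pkt in [("esp", ESP_PKT), ("esp+opts", ESP_PKT_WITH_OPTIONS), ("udp", UDP_PKT)]:
        print(name, detect_esp(pkt))
```

The dict returned by `detect_esp` is exactly the information a minimal analyzer would log: SPI and sequence number identify the security association and let a monitor spot replayed or wildly out-of-order sequence numbers, while everything beyond byte 8 is opaque ciphertext. The same two fields, plus the IP endpoints, are what a Zeek event for such a packet would naturally carry.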
