[Zeek] Development of layer 4 protocol parser (ESP)

Vlad Grigorescu vlad at es.net
Wed Feb 26 07:58:34 PST 2020


Jan,

Is that branch publicly available somewhere? Thanks!

  —Vlad

On Wed, Feb 26, 2020 at 04:18 Jan Grashöfer <jan.grashoefer at gmail.com>
wrote:

> Hi Bart,
>
> Regarding patch safety, support for pluggable low-level analyzers would
> help. This is actually a long-standing request:
> https://github.com/zeek/zeek/issues/248 There is a first approach that
> needs some more improvements and reviews. We are working on it.
>
> Jan
>
> On 25/02/2020 19:17, Bart Hermans wrote:
> > Recently I got into Zeek and started to play around with BinPAC plugin
> > development. BinPAC allowed me to pretty easily write a protocol parser
> > for IKE messages. However, I stumbled upon a problem. As I already read
> > on the mailing list, BinPAC is aimed at parsing protocols which run on
> > top of UDP or TCP. I also read that to parse protocols on lower layers
> > (let's say the transport layer), BinPAC won't be able to help you
> > anymore. The solution that was proposed in a few messages that I read
> > was to modify the source code of Zeek to support layer 4 protocols other
> > than TCP, UDP and ICMP.
> >
> > First and foremost: before posting this message, that's exactly what I
> > did. My approach was to look at the implementation of ICMP and UDP in
> > Zeek (which are also layer 4 protocols). Based on this I tried my best
> > at writing a protocol analyzer alongside these protocols. However, after
> > spending a good amount of hours trying to write a protocol parser for
> > ESP-messages (protocol number 50) I came to the conclusion that the code
> > had become quite messy. Most importantly I didn't get the ESP-parser to
> > work properly. Even if I would have got it working, the code wouldn't be
> > patch safe anymore from future versions of Zeek.
> >
> > My issue is as follows: I only want to be able to detect that a protocol
> > number 50 packet has been seen with the parsing of the very first field.
> > Is the only way to get this working to give another shot at modifying
> > the source code, or is there a cleaner/patch-friendly path to
> > travel? Even a gentle push in the right direction would very much be
> > appreciated.
> >
> >
> >
> > _______________________________________________
> > Zeek mailing list
> > zeek at zeek.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
> >
>
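The first-field check Bart describes, as an added example that is not code from this thread or from Zeek: a stand-alone C parser that takes a raw IPv4 packet, confirms the protocol field is 50 (ESP) and extracts the SPI and sequence number from the ESP header, rejecting truncated or malformed input. The function and struct names and the sample packet are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ESP_PROTO 50  /* IP protocol number for ESP, as in the thread */

/* The two fixed fields at the start of every ESP packet (RFC 4303). */
struct esp_hdr {
    uint32_t spi;
    uint32_t seq;
};

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Returns 1 and fills *out if pkt is an IPv4 packet carrying ESP with a
 * complete 8-byte ESP header; 0 if not IPv4, not ESP, or truncated. */
int parse_ipv4_esp(const uint8_t *pkt, size_t len, struct esp_hdr *out) {
    if (len < 20 || (pkt[0] >> 4) != 4) return 0;       /* too short / not IPv4 */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;             /* header length, bytes */
    size_t total = ((size_t)pkt[2] << 8) | pkt[3];        /* IPv4 total length */
    if (ihl < 20 || total < ihl || total > len) return 0; /* bogus lengths */
    if (pkt[9] != ESP_PROTO) return 0;                    /* protocol != 50 */
    if (total - ihl < 8) return 0;                        /* SPI + seq missing */
    out->spi = be32(pkt + ihl);
    out->seq = be32(pkt + ihl + 4);
    return 1;
}

/* Constructed sample: 20-byte IPv4 header (proto 50, total length 36),
 * ESP SPI 0x12345678, sequence number 1, then 8 opaque payload bytes. */
static const uint8_t sample_esp[] = {
    0x45, 0x00, 0x00, 0x24, 0x00, 0x01, 0x00, 0x00, 0x40, 0x32, 0x00, 0x00,
    0x0a, 0x00, 0x00, 0x01, 0x0a, 0x00, 0x00, 0x02,
    0x12, 0x34, 0x56, 0x78, 0x00, 0x00, 0x00, 0x01,
    0xde, 0xad, 0xbe, 0xef, 0xca, 0xfe, 0xf0, 0x0d
};

int main(void) {
    struct esp_hdr h;
    if (parse_ipv4_esp(sample_esp, sizeof sample_esp, &h))
        printf("ESP seen: spi=0x%08x seq=%u\n", (unsigned)h.spi, (unsigned)h.seq);
    return 0;
}
```

Only the SPI and sequence number are parsed because everything after them is encrypted; that is all a "protocol 50 seen" notice needs.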