[Zeek] Development of layer 4 protocol parser (ESP)
Jan Grashöfer
jan.grashoefer at gmail.com
Thu Feb 27 09:55:06 PST 2020
Hi Vlad,
as the code was written in the context of a thesis, we were not able to
publish it yet. I'll keep you posted.
Jan
On 26/02/2020 16:58, Vlad Grigorescu wrote:
> Jan,
>
> Is that branch publicly available somewhere? Thanks!
>
> —Vlad
>
> On Wed, Feb 26, 2020 at 04:18 Jan Grashöfer <jan.grashoefer at gmail.com
> <mailto:jan.grashoefer at gmail.com>> wrote:
>
> Hi Bart,
>
> Regarding patch safety, support for pluggable low-level analyzers would
> help. This is actually a long-standing request:
> https://github.com/zeek/zeek/issues/248. There is a first approach that
> needs some more improvements and reviews. We are working on it.
>
> Jan
>
> On 25/02/2020 19:17, Bart Hermans wrote:
> > Recently I got into Zeek and started to play around with BinPAC plugin
> > development. BinPAC allowed me to pretty easily write a protocol parser
> > for IKE messages. However, I stumbled upon a problem. As I already read
> > on the mailing list, BinPAC is aimed at parsing protocols which run on
> > top of UDP or TCP. I also read that to parse protocols on lower layers
> > (let's say the transport layer), BinPAC won't be able to help you
> > anymore. The solution that was proposed in a few messages that I read
> > was to modify the source code of Zeek to support layer 4 protocols other
> > than TCP, UDP and ICMP.
> >
> > First and foremost: before posting this message, that's exactly what I
> > did. My approach was to look at the implementation of ICMP and UDP in
> > Zeek (which are also layer 4 protocols). Based on this I tried my best
> > at writing a protocol analyzer alongside these protocols. However, after
> > spending a good amount of hours trying to write a protocol parser for
> > ESP messages (protocol number 50) I came to the conclusion that the code
> > had become quite messy. Most importantly, I didn't get the ESP parser to
> > work properly. Even if I had got it working, the code wouldn't be
> > patch safe anymore from future versions of Zeek.
> >
> > My issue is as follows: I only want to be able to detect that a protocol
> > number 50 packet has been seen with the parsing of the very first field.
> > Is the only way to get this working to give another shot at modifying
> > the source code, or is there a cleaner/patch-friendly path to
> > travel? Even a gentle push in the right direction would very much be
> > appreciated.
> >
> > _______________________________________________
> > Zeek mailing list
> > zeek at zeek.org <mailto:zeek at zeek.org>
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
> >
>
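What Bart describes (recognising an IP protocol 50 packet and reading only the leading clear-text field) is small enough to show outside Zeek. The following is an added, stand-alone Python example written for this page; it is not Zeek or BinPAC code and not a plugin for either. It locates the IP payload (IPv4 with IHL honoured; IPv6 fixed header only, extension headers are not walked, which is an assumption of the example), checks the protocol / next-header value for 50, and parses the ESP SPI and sequence number, stopping there because the remainder of an ESP packet is normally encrypted. The sample packet at the bottom is constructed, not captured; the addresses and SPI are placeholders.

```python
import socket
import struct

ESP_PROTOCOL_NUMBER = 50   # IANA protocol number for ESP, as referenced in the thread
ESP_HEADER_LEN = 8         # SPI (4 bytes) + sequence number (4 bytes), RFC 4303


def ip_payload(pkt: bytes):
    """Return (protocol, payload, src, dst) for a raw IPv4/IPv6 packet, or None.

    IPv4: the IHL field is honoured so header options are skipped.
    IPv6: only the fixed 40-byte header is handled; extension headers are not
    walked (assumption of this example), so 'protocol' is the Next Header value.
    """
    if not pkt:
        return None
    version = pkt[0] >> 4
    if version == 4:
        if len(pkt) < 20:
            return None
        ihl = (pkt[0] & 0x0F) * 4
        if ihl < 20 or len(pkt) < ihl:
            return None                      # malformed or truncated header
        proto = pkt[9]
        src = socket.inet_ntop(socket.AF_INET, pkt[12:16])
        dst = socket.inet_ntop(socket.AF_INET, pkt[16:20])
        return proto, pkt[ihl:], src, dst
    if version == 6:
        if len(pkt) < 40:
            return None
        proto = pkt[6]
        src = socket.inet_ntop(socket.AF_INET6, pkt[8:24])
        dst = socket.inet_ntop(socket.AF_INET6, pkt[24:40])
        return proto, pkt[40:], src, dst
    return None


def parse_esp_header(payload: bytes):
    """Parse the clear-text ESP fields: SPI and sequence number.

    Everything after these 8 bytes is (normally) encrypted, so a passive
    parser has nothing further it can read; a short payload is treated as
    a truncated/malformed packet rather than parsed partially.
    """
    if len(payload) < ESP_HEADER_LEN:
        return None
    spi, seq = struct.unpack("!II", payload[:ESP_HEADER_LEN])
    return {"spi": spi, "seq": seq}


def detect_esp(pkt: bytes):
    """Return the ESP summary for a packet, or None if it is not (valid) ESP."""
    parsed = ip_payload(pkt)
    if parsed is None:
        return None
    proto, payload, src, dst = parsed
    if proto != ESP_PROTOCOL_NUMBER:
        return None
    hdr = parse_esp_header(payload)
    if hdr is None:
        return None                           # protocol 50 claimed, but too short
    return {"src": src, "dst": dst, **hdr}


def build_ipv4_esp_packet(src: str, dst: str, spi: int, seq: int, body: bytes) -> bytes:
    """Construct a sample IPv4 packet carrying ESP (test input, not captured traffic)."""
    esp = struct.pack("!II", spi, seq) + body
    total_len = 20 + len(esp)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, total_len, 0, 0, 64,
                     ESP_PROTOCOL_NUMBER, 0,  # header checksum left 0: not validated here
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + esp


# Constructed sample: placeholder addresses, placeholder SPI, 16 bytes of "ciphertext".
SAMPLE_PACKET = build_ipv4_esp_packet("10.0.0.1", "10.0.0.2", 0x12345678, 1, b"\x00" * 16)

if __name__ == "__main__":
    print(detect_esp(SAMPLE_PACKET))
    print(detect_esp(SAMPLE_PACKET[:24]))    # truncated before the sequence number
```

The version switch at the top is the part a real Zeek analyzer would get from the IP layer for free; the ESP part is just two fixed-width fields, which is why the thread treats "parse the very first field" as the easy half and hooking in below TCP/UDP as the hard half.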