[Zeek] Development of layer 4 protocol parser (ESP)

Jan Grashöfer jan.grashoefer at gmail.com
Thu Feb 27 09:55:06 PST 2020


Hi Vlad,

as the code was written in context of a thesis, we were not able to 
publish it yet. I'll keep you posted.

Jan

On 26/02/2020 16:58, Vlad Grigorescu wrote:
> Jan,
> 
> Is that branch publicly available somewhere? Thanks!
> 
>    —Vlad
> 
> On Wed, Feb 26, 2020 at 04:18 Jan Grashöfer <jan.grashoefer at gmail.com> wrote:
> 
>     Hi Bart,
> 
>     Regarding patch safety, support for pluggable low-level analyzers would
>     help. This is actually a long-standing request:
>     https://github.com/zeek/zeek/issues/248. There is a first approach that
>     needs some more improvements and reviews. We are working on it.
> 
>     Jan
> 
>     On 25/02/2020 19:17, Bart Hermans wrote:
>      > Recently I got into Zeek and started to play around with BinPAC plugin
>      > development. BinPAC allowed me to pretty easily write a protocol parser
>      > for IKE messages. However, I stumbled upon a problem. As I already read
>      > on the mailing list, BinPAC is aimed at parsing protocols which run on
>      > top of UDP or TCP. I also read that to parse protocols on lower layers
>      > (let's say the transport layer), BinPAC won't be able to help you
>      > anymore. The solution that was proposed in a few messages that I read
>      > was to modify the source code of Zeek to support layer 4 protocols other
>      > than TCP, UDP and ICMP.
>      >
>      > First and foremost: before posting this message, that's exactly what I
>      > did. My approach was to look at the implementation of ICMP and UDP in
>      > Zeek (which are also layer 4 protocols). Based on this I tried my best
>      > at writing a protocol analyzer alongside these protocols. However, after
>      > spending a good amount of hours trying to write a protocol parser for
>      > ESP messages (protocol number 50) I came to the conclusion that the code
>      > had become quite messy. Most importantly I didn't get the ESP parser to
>      > work properly. Even if I would have got it working, the code wouldn't be
>      > patch safe anymore from future versions of Zeek.
>      >
>      > My issue is as follows: I only want to be able to detect that a protocol
>      > number 50 packet has been seen with the parsing of the very first field.
>      > Is the only way to get this working to give another shot at modifying
>      > the source code or is there a cleaner/patch-friendly path to travel?
>      > Even a gentle push in the right direction would very much be
>      > appreciated.
>      >
>      > _______________________________________________
>      > Zeek mailing list
>      > zeek at zeek.org
>      > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
>      >
> 
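The thread asks for the minimum an ESP (protocol 50) analyzer has to do: notice the protocol number in the IP header and read the first field of the ESP header. The Python below is an added, self-contained illustration of that step and is not code from Zeek, BinPAC or anyone in this thread. It walks an IPv4 header (honouring IHL), stops unless the protocol is 50, and reads the two cleartext ESP fields defined in RFC 4303, the SPI and the sequence number; everything after them is ciphertext, so a passive sensor can at most group packets by (src, dst, SPI) and watch sequence numbers. It assumes IPv4 only (no IPv6 extension-header walking) and does not verify the IP checksum. All packets are constructed in the block, not captured.

```python
import socket
import struct
from typing import Dict, List, NamedTuple, Optional, Tuple

IPPROTO_ESP = 50       # IP protocol number for ESP (RFC 4303)
ESP_HEADER_LEN = 8     # SPI (4 bytes) + Sequence Number (4 bytes)


class EspHeader(NamedTuple):
    src: str
    dst: str
    spi: int
    seq: int


class ParseError(ValueError):
    """Raised for datagrams too short or malformed to parse."""


def parse_esp_from_ipv4(packet: bytes) -> Optional[EspHeader]:
    """Return the ESP SPI/sequence number if `packet` is an IPv4 datagram
    carrying protocol 50; return None if it carries another protocol.

    Only the cleartext ESP header is read: the payload after the sequence
    number is encrypted, so this is all a passive sensor can extract."""
    if len(packet) < 20:
        raise ParseError("IPv4 header truncated")
    if packet[0] >> 4 != 4:
        raise ParseError("not an IPv4 datagram")
    ihl = (packet[0] & 0x0F) * 4          # header length incl. options
    if ihl < 20 or len(packet) < ihl:
        raise ParseError("bad IHL")
    if packet[9] != IPPROTO_ESP:          # protocol field at offset 9
        return None
    src = socket.inet_ntoa(packet[12:16])
    dst = socket.inet_ntoa(packet[16:20])
    payload = packet[ihl:]
    if len(payload) < ESP_HEADER_LEN:
        raise ParseError("ESP header truncated")
    spi, seq = struct.unpack_from("!II", payload, 0)
    return EspHeader(src, dst, spi, seq)


def summarize(packets: List[bytes]) -> Tuple[Dict[Tuple[str, str, int], Dict[str, int]], int]:
    """Group ESP packets by (src, dst, SPI), counting packets and tracking the
    highest sequence number seen. Returns (sessions, malformed_count)."""
    sessions: Dict[Tuple[str, str, int], Dict[str, int]] = {}
    malformed = 0
    for pkt in packets:
        try:
            hdr = parse_esp_from_ipv4(pkt)
        except ParseError:
            malformed += 1
            continue
        if hdr is None:                   # not ESP, ignore
            continue
        entry = sessions.setdefault((hdr.src, hdr.dst, hdr.spi),
                                    {"packets": 0, "max_seq": 0})
        entry["packets"] += 1
        entry["max_seq"] = max(entry["max_seq"], hdr.seq)
    return sessions, malformed


# --- constructed sample traffic (hypothetical, not a capture) -----------
def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header without options; checksum left at 0 because the
    parser above does not validate it."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                         0, 64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def build_esp(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """ESP header followed by opaque (here: dummy) encrypted payload."""
    return struct.pack("!II", spi, seq) + ciphertext


SAMPLE_PACKETS = [
    build_ipv4("10.0.0.1", "10.0.0.2", IPPROTO_ESP, build_esp(0xC0FFEE01, 1, b"\x00" * 16)),
    build_ipv4("10.0.0.1", "10.0.0.2", IPPROTO_ESP, build_esp(0xC0FFEE01, 2, b"\x00" * 16)),
    build_ipv4("10.0.0.2", "10.0.0.1", IPPROTO_ESP, build_esp(0xC0FFEE02, 7, b"\x00" * 16)),
    build_ipv4("10.0.0.1", "10.0.0.3", 17, b"\x00" * 8),            # UDP: skipped
    build_ipv4("10.0.0.1", "10.0.0.2", IPPROTO_ESP, b"\xc0\xff"),   # truncated ESP
]

if __name__ == "__main__":
    sessions, bad = summarize(SAMPLE_PACKETS)
    for (src, dst, spi), info in sessions.items():
        print(f"{src} -> {dst} SPI=0x{spi:08x} packets={info['packets']} max_seq={info['max_seq']}")
    print(f"malformed ESP datagrams: {bad}")
```

The truncated datagram is counted rather than dropped silently; a real analyzer should surface that as a weird/notice so that a sensor receiving malformed protocol-50 traffic is visible to operators.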

