An update in the packet analyzer now makes it Zeek v5.2 ready. You can view more here:
https://github.com/corelight/zeek-spicy-ospf
You can install the latest version with the following command:
zkg install zeek-spicy-ospf
Hey Keith,
As you have written a packet analyser, can you please give me a few pointers to make my GOOSE protocol run?
I wasn't able to find out how a packet analyser works. In a protocol analyser we give a transport protocol and port, using which Zeek detects the packets for that protocol and passes them to the corresponding Spicy parser. What happens for a packet analyser?
Below are my scripts. I am able to register the plugin and can see it in zeek -NN without any error, but it is not printing anything for the pcap; I am just getting packet_filter.log with an entry for the default BPF filter "ip or not ip". Can you please help me understand what I am doing wrong here.
Thanks a lot!
spicy parser script

biswa:~/zeek-spicy-goose/analyzer$ cat goose.spicy

```spicy
module zeek_spicy_goose;

# Fixed GOOSE header that follows the 0x88ba Ethertype: APPID and Length are
# both 16-bit, followed by two reserved 16-bit words and then the APDU.
public type GOOSEPacket = unit {
    appid: uint16;
    pkt_len: uint16;      # length from APPID through the end of the APDU
    reserved1: uint16;
    reserved2: uint16;
    payload: bytes &eod;  # the BER-encoded APDU
};
```

spicy event

biswa:~/zeek-spicy-goose/analyzer$ cat goose.evt

```
packet analyzer spicy::GOOSE:
    parse with zeek_spicy_goose::GOOSEPacket;

import zeek_spicy_goose;

on zeek_spicy_goose::GOOSEPacket -> event GOOSE::message($packet, self.appid, self.pkt_len);
```

zeek spicy script

biswa:~/zeek-spicy-goose/analyzer$ cat zeek_goose.spicy

```spicy
module Zeek_zeek_spicy_goose;

import zeek_spicy_goose;
import zeek;

# Confirm the analyzer to Zeek once a record parses cleanly.
on zeek_spicy_goose::GOOSEPacket::%done {
    zeek::confirm_protocol();
}

# Reject it on a parse error so Zeek stops feeding this analyzer.
on zeek_spicy_goose::GOOSEPacket::%error {
    zeek::reject_protocol("error while parsing GOOSE record");
}
```

Zeek script

biswa@dmz-ashish-new:~/zeek-spicy-goose/analyzer$ cat ../scripts/main.zeek

```zeek
module GOOSE;

global goose_topic = "/topic/goose";
global begin_time: time;
global total_time: interval;

export {
    ## Log stream identifier.
    redef enum Log::ID += { GOOSE_LOG };

    ## Record type containing the column fields of the goose log.
    type Info: record {
        ## Timestamp for when the activity happened.
        ts: time &log &default=network_time();
        appid: count &log &optional;
        pkt_len: count &log &optional;
    };

    global GOOSE::message: event(pkt: raw_pkt_hdr, appid: count, pkt_len: count);
    global analyzer_confirmation: event(atype: AllAnalyzers::Tag, info: AnalyzerConfirmationInfo);
    global GOOSE::log_goose: event(rec: GOOSE::Info);
    global log_GOOSE: event(rec: Info);
}

redef record raw_pkt_hdr += {
    GOOSE: Info &optional;
};

event zeek_init() &priority=5
    {
    # Packet processing stays suspended until Broker::peer_added fires below,
    # i.e. until a peer is reachable on 127.0.0.1:50000.
    suspend_processing();
    Broker::peer(addr_to_uri(127.0.0.1), 50000/tcp);

    # Register the Spicy packet analyzer for Ethertype 0x88ba under the
    # Ethernet analyzer, trying both spellings of the analyzer name.
    if ( ! PacketAnalyzer::try_register_packet_analyzer_by_name("Ethernet", 0x88ba, "spicy_GOOSE") )
        {
        if ( ! PacketAnalyzer::try_register_packet_analyzer_by_name("Ethernet", 0x88ba, "spicy::GOOSE") )
            print "cannot register GOOSE Spicy analyzer";
        }

    Log::create_stream(GOOSE::GOOSE_LOG, [$columns=Info, $ev=log_goose, $path="goose"]);
    }

# Print this event per packet.
event GOOSE::message(packet: raw_pkt_hdr, appid: count, pkt_len: count)
    {
    local info: Info = [$ts=network_time(), $appid=appid, $pkt_len=pkt_len];
    print "Processing packets", packet;
    Log::write(GOOSE::GOOSE_LOG, info);
    }

event Broker::peer_added(ep: Broker::EndpointInfo, msg: string)
    {
    print "PEER ADDED", ep;
    continue_processing();
    }

# Send this event over the broker.
event analyzer_confirmation_info(atype: AllAnalyzers::Tag, info: AnalyzerConfirmationInfo)
    {
    if ( atype == Analyzer::ANALYZER_SPICY_GOOSE )
        {
        Broker::publish(goose_topic, analyzer_confirmation, atype, info);
        }
    }
```
PCAP file: https://github.com/ITI/ICS-Security-Tools/blob/master/pcaps/IEC61850/GOOSE/GOOSE.pcap
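The question above asks how a packet analyzer gets its input when there is no transport protocol and port to register on. The added example below (my own illustration, not code from the poster, from Zeek or from the zeek-spicy-ospf package) models that dispatch in plain Python: a registry keyed by (parent analyzer, identifier), where for the Ethernet parent the identifier is the Ethertype, exactly what `try_register_packet_analyzer_by_name("Ethernet", 0x88ba, ...)` records. It also parses the fixed GOOSE header (APPID, Length, Reserved1, Reserved2, then the APDU) and maps a clean parse to the confirm path and a malformed frame to the reject path. The registry, the frame builder, the MAC addresses and the APDU bytes are all constructed for the example; the dictionary is not Zeek's implementation.

```python
import struct

# Ethertype that IEC 61850 GOOSE frames carry in the Ethernet header.
GOOSE_ETHERTYPE = 0x88BA

# Model of Zeek's packet-analyzer registry: (parent analyzer, identifier) -> child
# parser. For Ethernet the identifier is the Ethertype. This dict is an
# illustration of the concept, not Zeek's own data structure.
REGISTRY = {}


def register_packet_analyzer(parent, identifier, parser):
    """Analogue of PacketAnalyzer::try_register_packet_analyzer_by_name."""
    REGISTRY[(parent, identifier)] = parser


def parse_goose_header(payload):
    """Parse the fixed GOOSE header that follows the Ethertype:
    APPID (2 bytes), Length (2), Reserved1 (2), Reserved2 (2), then the APDU.
    Raises ValueError on a malformed frame, the analogue of the %error hook."""
    if len(payload) < 8:
        raise ValueError("GOOSE header truncated")
    appid, pkt_len, reserved1, reserved2 = struct.unpack("!HHHH", payload[:8])
    # Length counts from APPID to the end of the APDU, so it must cover the
    # header and must not claim more bytes than the frame actually carries.
    if pkt_len < 8 or pkt_len > len(payload):
        raise ValueError("GOOSE length field inconsistent with frame")
    return {
        "appid": appid,
        "pkt_len": pkt_len,
        "reserved1": reserved1,
        "reserved2": reserved2,
        "apdu": payload[8:pkt_len],
    }


def dispatch_ethernet(frame):
    """Parse the Ethernet header and hand the payload to whichever child
    analyzer is registered for its Ethertype; report confirm/reject."""
    if len(frame) < 14:
        raise ValueError("Ethernet header truncated")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    result = {"ethertype": ethertype, "analyzer": None}
    parser = REGISTRY.get(("Ethernet", ethertype))
    if parser is None:
        return result  # nothing registered for this Ethertype: stop here
    result["analyzer"] = parser.__name__
    try:
        result["fields"] = parser(frame[14:])
        result["confirmed"] = True   # zeek::confirm_protocol()
    except ValueError as exc:
        result["confirmed"] = False  # zeek::reject_protocol(...)
        result["error"] = str(exc)
    return result


def build_goose_frame(appid, apdu,
                      dst=bytes.fromhex("010ccd010001"),
                      src=bytes.fromhex("001122334455")):
    """Build a constructed GOOSE frame for testing (not captured traffic)."""
    pkt_len = 8 + len(apdu)
    header = struct.pack("!HHHH", appid, pkt_len, 0, 0)
    return dst + src + struct.pack("!H", GOOSE_ETHERTYPE) + header + apdu


# Equivalent of the registration done in zeek_init().
register_packet_analyzer("Ethernet", GOOSE_ETHERTYPE, parse_goose_header)

if __name__ == "__main__":
    frame = build_goose_frame(0x0001, b"\x61\x03\x80\x01\x00")  # constructed APDU bytes
    print(dispatch_ethernet(frame))                              # confirmed, appid=1, pkt_len=13
    print(dispatch_ethernet(bytes(12) + b"\x08\x00" + bytes(20)))  # IPv4 frame: no child registered
    print(dispatch_ethernet(frame[:18]))                         # truncated header: rejected
```

The third call shows why the `%error` hook matters: a frame that carries the right Ethertype but a truncated header is rejected rather than logged with garbage field values.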
A blog isn't the easiest place to view code. Could you check all the code you have so far into GitHub and share the link with me? That will make things easier because I can check out your code using git.
Hi Keith, have you got the link? I am not able to see it in the comment, so I am posting it again:
https://github.com/biswajitutil/zeek-goose-spicy
Please check.
Thanks. I do not see the testing directory set up from zkg create. Could you get that set up with your pcap you want working please? Thanks.
The command to create via zkg is:

```shell
zkg create --features spicy-packet-analyzer --packagedir zeek-spicy-goose
```