Meta-package for Spicy-based Analyzers for Zeek
This repository provides a Zeek meta-package installing a set of protocol & file analyzers implemented through Spicy.
Currently, the following analyzers are included:
- DHCP [1]
- DNS [1]
- HTTP [1]
- LDAP
- PNG
- Portable Executable (PE) [2]
- TFTP
- ZIP archives
We are working to expand this set. If you have written a Spicy analyzer that you would like to see included here, please file a pull request.
[1] replaces the corresponding Zeek analyzer\ [2] replaces and extends the corresponding Zeek analyzer
Installation
Since this package is a meta-package, the easiest, and recommended way to install the analyzers is through the Zeek package manager:
# zkg install zeek/spicy-analyzers
This will pull down the package and its dependencies, compile and test the
analyzers, and then install and activate them. To check that the new analyzers are
available, run zeek -NN
afterwards, it should list all the included
Spicy analyzers:
# zeek -NN Zeek::Spicy
[...]
[Analyzer] spicy_TFTP (ANALYZER_SPICY_TFTP, enabled)
[...]
The new analyzers are now available to Zeek and used by default when the package is activated.
Configuration
By default, all included analyzers will be activated, and they will
automatically disable any standard analyzers that they replace. If you
want to disable one of the Spicy analyzers, you can do so by calling
one of the built-in functions
disable_protocol_analyzer/disable_file_analyzer().
For example, to disable the HTTP analyzer, add this to your
site.zeek
:
event zeek_init()
{
Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_HTTP);
}
You can find the ANALYZER_*
value to use for an analyzer in the
output of zeek -NN Zeek::Spicy
.
(Note that disable_file_analyzer()
requires a current development
version of Zeek to be available.)
License
This package is open source and released under a BSD license. Please see the individual analyzer package for their licenses.