Spicy Plugin for Zeek
This repository provides a Zeek package that adds Spicy support to Zeek through a plugin. After installing this package, you can then load Spicy-based protocol and file analyzers, such as those coming with the Spicy Analyzers package.
In addition to Zeek, you will first need to install Spicy. Please
follow its instructions.
Ensure that the Spicy toolchain is in your
. For example, with
Spicy installed to /opt/spicy
and using bash`:
which should be able to find
# which spicy-config /opt/spicy/bin/spicy-config
Please also install and configure the Zeek package manager.
Install through package manager
The easiest, and recommended, way to install the Spicy plugin is through the Zeek package manager:
# zkg install zeek/spicy-plugin
This will pull down the package, compile and test the plugin, and then
install and activate it. To check that the plugin becomes available,
zeek -N Zeek::Spicy afterwards, it should show output like
# zeek -NN Zeek::Spicy Zeek::Spicy - Support for Spicy parsers (*.spicy, *.evt, *.hlto) (dynamic, version x.y.z)
If you want to develop your own Spicy analyzers for Zeek, you will
need a tool that comes with the plugin:
. Please see the
on how to make spicyz
show up in your PATH` after the plugin got
You can also install the plugin through normal CMake means. After
cloning this repository, make sure that the Spicy tools are in your
PATH, per above. Then build the plugin like this:
# (mkdir build && cd build && cmake -DCMAKE_INSTALL_PREFIX=/opt/spicy .. && make -j)
The tests should now pass:
# make -C tests
You can then install the plugin (which you may need to do as root so that you can write to the Zeek plugin directory):
# make -C build install
Zeek should now show it:
# zeek -N Zeek::Spicy Zeek::Spicy - Support for Spicy parsers (*.spicy, *.evt, *.hlto) (dynamic, version x.y.z)
You will also find
By default, the plugin will search for precompiled
*.hlto files in
<prefix>/lib/zeek-spicy/modules. You change that path by setting
ZEEK_SPICY_MODULE_DIR through CMake.
The plugin's documentation is part of the Spicy manual.
Just like Spicy, the plugin is open source and released under a BSD license.