In this Zeek in Action video, Keith Jones explains his Spicy protocol analyzer rapid development process on a new Radius analyzer. Of course Radius is in core Zeek, but it can be replaced with a Spicy Radius protocol analyzer. Keith used this development process on the following open source Spicy analyzers:
- https://github.com/corelight/zeek-spicy-facefish
- https://github.com/corelight/zeek-spicy-ipsec
- https://github.com/corelight/zeek-spicy-openvpn
- https://github.com/corelight/zeek-spicy-ospf
- https://github.com/corelight/zeek-spicy-stun
- https://github.com/corelight/zeek-spicy-wireguard
In this detailed video, Keith explains his ten step process you can replicate:
- Install Zeek + Spicy + zkg
- Install Spicy plugin
- Create package with zkg create –template
- Find PCAPs
- Setup tests with PCAPs
- Find RFCs
- Write Spicy + Zeek code
- Push to GitHub
- Register package with packages.zeek.org
- Rejoice!
Slides used in this video can be found here.
If you would like to follow along, please check out our Zeek in Action playlist on the Zeek YouTube Channel.
If you would like to discuss the video, or consider creating one yourself, please visit the Zeek community Slack workspace and join the #documentation channel.
RSS - Posts