Exercise

Starting from the default protocol analyzer template we want to (redundantly) pass the number of bytes for Request to Zeek as well.

1. In the EVT file pass the number of bytes in self.payload.

   Solution:

       on Foo::Request -> event Foo::request($conn, $is_orig, self.payload, |self.payload|);

2. Manually build your changed analyzer:

       mkdir build
       cd build/
       cmake ..
       make

3. Execute the test suite. This runs tests against an included PCAP file. What do you see?

       cd testing/
       btest -dv

   Solution:

   Test tests.trace fails. Its sources are in testing/tests/trace.zeek.

       ... analyzer error in <..>/foo/analyzer/foo.evt, line 16: Event parameter mismatch, more parameters given than the 3 that the Zeek event expects

4. Fix the signatures of the handlers for Foo::request so tests pass. What type do you need to use on the Zeek side to pass the length (uint64 in Spicy)?

   Hint: The type mappings are documented here.

   Solution:

   In both testing/tests/trace.zeek and scripts/main.zeek change the signatures to

       event Foo::request(c: connection, is_orig: bool, payload: string, len: count) {}

5. Modify testing/tests/trace.zeek to include the length in the baseline, i.e., change the test case for Foo::request to

       print fmt("Testing Foo: [request] %s %s %d", c$id, payload, len);

   Rerun tests and update the test baseline with

       cd testing/
       btest -u

   Make sure all tests pass with these changes.

6. Stage and commit all changes in the package repository.

       git add -u
       git commit -v -m "Pass payload length to Zeek"

   Validate that the package also tests fine with zkg. This requires that there are no uncommitted changes or untracked files in the repository.

       # Make progress more verbose.
       zkg -vvv test .

7. Optional: Also add the length to the Zeek log generated from the code in scripts/main.zeek.

   Hint: This requires adding a count &optional &log field to the Info record. Set the field from the event handler for Foo::request. Update test baselines as needed.
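The following is an added, illustrative scripts/main.zeek for the optional step; it is not the template's own script and not part of the original exercise. It assumes the template keeps per-connection state in a record named Info logged through a stream Foo::LOG, and the field names request, request_len, log_foo, set_session and the connection_state_remove logging hook are assumptions chosen for this example. The parameter list of the Foo::request handler matches the EVT line from the solution above, where |self.payload| is a Spicy uint64 and therefore arrives as a Zeek count.

```zeek
# Added example (not the tutorial's template code). Assumes an Info record
# logged via Foo::LOG; request, request_len, log_foo and set_session are
# names chosen here for illustration.

module Foo;

export {
    redef enum Log::ID += { LOG };

    type Info: record {
        ts: time &log;
        uid: string &log;
        id: conn_id &log;
        # Request payload as received from the Spicy parser (assumed field).
        request: string &optional &log;
        # Number of payload bytes, passed as |self.payload| from the EVT file.
        # uint64 in Spicy maps to count on the Zeek side.
        request_len: count &optional &log;
    };

    global log_foo: event(rec: Info);
}

# Attach the per-connection record to the connection object.
redef record connection += {
    foo: Info &optional;
};

function set_session(c: connection)
    {
    if ( ! c?$foo )
        c$foo = Info($ts=network_time(), $uid=c$uid, $id=c$id);
    }

# Must match the EVT declaration:
#   on Foo::Request -> event Foo::request($conn, $is_orig, self.payload, |self.payload|);
event Foo::request(c: connection, is_orig: bool, payload: string, len: count)
    {
    set_session(c);
    c$foo$request = payload;
    c$foo$request_len = len;
    }

# Write one log line per connection once it is torn down.
event connection_state_remove(c: connection)
    {
    if ( c?$foo )
        Log::write(Foo::LOG, c$foo);
    }

event zeek_init() &priority=5
    {
    Log::create_stream(Foo::LOG, [$columns=Info, $ev=log_foo, $path="foo"]);
    }
```

After adding the field, the new request_len column appears in foo.log, so the baseline under testing/ changes and btest -u must be rerun before committing.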