zeek-plugin-tds's Introduction

Zeek Plugin TDS

When running as part of your Zeek installation, this plugin produces three log files containing metadata extracted from any Tabular Data Stream (TDS) traffic observed on TCP port 1433.

Installation and Usage

zeek-plugin-tds is distributed as a Zeek package and is compatible with the zkg command line tool.

Sharing and Contributing

This code is made available under the BSD-3-Clause license. Guidelines for contributing are available as well as a pull request template. A Dockerfile has been included in the repository to assist with setting up an environment for testing any changes to the plugin.

zeek-plugin-tds's People

Contributors

awelzel, ckreibich, jamesiri, mmguero, nothinrandom, voteblake


zeek-plugin-tds's Issues

unsupported byte length for bytestring_to_count

The plugin works fine but for some pcaps it reports errors such as those listed below:

1352718188.463963 error in /home/mohan/.zkg/plugin_dir//packages/zeek-plugin-tds/scripts/./main.zeek, line 122: unsupported byte length for bytestring_to_count (bytestring_to_count(TDS::parameters[(coerce TDS::param_index to int)], F))
1352718190.479792 error in /home/mohan/.zkg/plugin_dir//packages/zeek-plugin-tds/scripts/./main.zeek, line 122: unsupported byte length for bytestring_to_count (bytestring_to_count(TDS::parameters[(coerce TDS::param_index to int)], F))
...
...
1352718256.971504 error in /home/mohan/.zkg/plugin_dir//packages/zeek-plugin-tds/scripts/./main.zeek, line 122: unsupported byte length for bytestring_to_count (bytestring_to_count(TDS::parameters[(coerce TDS::param_index to int)], F))
1352718264.054506 error in /home/mohan/.zkg/plugin_dir//packages/zeek-plugin-tds/scripts/./main.zeek, line 122: unsupported byte length for bytestring_to_count (bytestring_to_count(TDS::parameters[(coerce TDS::param_index to int)], F))

These errors do not crash Zeek but reflect some corner case where the packet in the pcap may not be processed as desired. The offending pcap is at https://github.com/ITI/ICS-pcap/blob/master/ETHERNET:IP/mb/mb.pcap.
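One way to contain this corner case, as an added example that is not code from zeek-plugin-tds: Zeek's bytestring_to_count() only converts strings of exactly 1, 2, 4 or 8 bytes, so a wrapper that checks the length before converting turns the per-packet runtime error into a single Reporter warning and a sentinel value. The wrapper name and the zeek_init() check values are assumptions.

```zeek
# Added example (not from zeek-plugin-tds): bytestring_to_count() accepts
# only 1-, 2-, 4- or 8-byte strings; any other width raises the
# "unsupported byte length" runtime error quoted in the issue above.
# This wrapper validates the width first and reports oddities instead.
function tds_safe_bytestring_to_count(s: string, is_le: bool &default=F): count
	{
	local n = |s|;

	if ( n == 1 || n == 2 || n == 4 || n == 8 )
		return bytestring_to_count(s, is_le);

	# Hypothetical handling: surface the unexpected width once via the
	# Reporter framework and let the caller treat 0 as "not parsed".
	Reporter::warning(fmt("TDS parameter has unsupported byte length %d (bytes: %s)",
	                      n, bytestring_to_hexstr(s)));
	return 0;
	}

# Constructed check values (not taken from a capture): a 2-byte
# little-endian field, a 4-byte big-endian field, and a 3-byte field
# that would otherwise trigger the runtime error.
event zeek_init()
	{
	print tds_safe_bytestring_to_count("\x01\x00", T);
	print tds_safe_bytestring_to_count("\x00\x00\x00\x10");
	print tds_safe_bytestring_to_count("\x01\x02\x03");
	}
```

In the plugin's main.zeek the call on the reported line 122 would use the wrapper in place of the bare bytestring_to_count() call.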

does not install with Zeek v6.0.0

Installing:

$ zkg -vvv install zeek-plugin-tds
2023-09-06 13:29:00 DEBUG    init Manager version 2.14.0
2023-09-06 13:29:00 DEBUG    found source clone of "zeek" at /opt/zeek/var/lib/zkg/clones/source/zeek
2023-09-06 13:29:00 DEBUG    getting info on "zeek-plugin-tds"
2023-09-06 13:29:01 DEBUG    checked out "zeek/amzn/zeek-plugin-tds", branch/version "1.1.0"
2023-09-06 13:29:01 DEBUG    getting info on "zeek/amzn/zeek-plugin-tds"
2023-09-06 13:29:02 DEBUG    checked out "zeek/amzn/zeek-plugin-tds", branch/version "1.1.0"
The following packages will be INSTALLED:
  zeek/amzn/zeek-plugin-tds (1.1.0)

Proceed? [Y/n] y
2023-09-06 13:29:04 INFO     Skipping unit tests for "zeek/amzn/zeek-plugin-tds": no test_command in metadata
2023-09-06 13:29:04 DEBUG    installing "zeek/amzn/zeek-plugin-tds"
Installing "zeek/amzn/zeek-plugin-tds"2023-09-06 13:29:05 DEBUG    staging "zeek/amzn/zeek-plugin-tds": version 1.1.0
2023-09-06 13:29:05 DEBUG    building "zeek/amzn/zeek-plugin-tds": running build_command: ./configure && make
2023-09-06 13:29:05 INFO     installing "zeek/amzn/zeek-plugin-tds": writing build log: /opt/zeek/var/lib/zkg/logs/zeek-plugin-tds-build.log
.
Failed installing "zeek/amzn/zeek-plugin-tds": package build_command failed, see log in /opt/zeek/var/lib/zkg/logs/zeek-plugin-tds-build.log
error: incomplete installation, the follow packages failed to be installed:
  zeek/amzn/zeek-plugin-tds (1.1.0)

Looking at the build.log:

=== STDERR ===
Usage: zeek-config [OPTIONS]

Basic options:

  --build_type          Zeek build type as per cmake, lower case (e.g. 'relwithdebinfo')
  --prefix              Toplevel Zeek distribution installation directory
  --version             Zeek version number
  --zeek_dist           Toplevel directory of source tree the distribution built from
  --zeekpath            ZEEKPATH environment variable paths for this distribution

Specific directories in the Zeek distribution:

  --btest_tools_dir     Zeek-related BTest tooling
  --cmake_dir           Zeek's cmake modules
  --config_dir          Configuration files for cluster topology, zkg, etc
  --include_dir         C/C++ header folders for Zeek and related components, colon-separated
  --lib_dir             Toplevel folder for shared libraries, Python packages, etc
  --plugin_dir          Native-code Zeek plugins
  --python_dir          Python packages (Broker, ZeekControl, zkg, etc)
  --script_dir          Toplevel folder for Zeek scripts
  --site_dir            Site-specific Zeek scripts

Toplevel installation directories for third-party components:

  --binpac_root         BinPAC compiler
  --broker_root         Broker communication framework

Feature tests:

  --have-spicy-analyzers  Prints 'yes' if built-in Spicy analyzers are available; exit code reflects result

CMake Warning at /opt/zeek/share/zeek/cmake/ZeekPlugin.cmake:141 (message):
  Package requires CMake 3.0 which is less than Zeek's requirement (3.15.0).
  This will likely cause build failures and should be fixed.
Call Stack (most recent call first):
  CMakeLists.txt:6 (include)


CMake Warning (dev) at /opt/zeek/share/zeek/cmake/ZeekPlugin.cmake:120 (if):
  Policy CMP0057 is not set: Support new IN_LIST if() operator.  Run "cmake
  --help-policy CMP0057" for policy details.  Use the cmake_policy command to
  set the policy and suppress this warning.

  IN_LIST will be interpreted as an operator when the policy is set to NEW.
  Since the policy is not set the OLD behavior will be used.
Call Stack (most recent call first):
  /opt/zeek/share/zeek/cmake/ZeekPluginDynamic.cmake:77 (zeek_next_pac_block)
  /opt/zeek/share/zeek/cmake/ZeekPlugin.cmake:196 (zeek_add_dynamic_plugin)
  /opt/zeek/share/zeek/cmake/ZeekPluginCommon.cmake:68 (zeek_add_plugin)
  CMakeLists.txt:13 (zeek_plugin_end)
This warning is for project developers.  Use -Wno-dev to suppress it.

CMake Error at /opt/zeek/share/zeek/cmake/ZeekPlugin.cmake:120 (if):
  if given arguments:

    "arg" "IN_LIST" "separators"

  Unknown arguments specified
Call Stack (most recent call first):
  /opt/zeek/share/zeek/cmake/ZeekPluginDynamic.cmake:77 (zeek_next_pac_block)
  /opt/zeek/share/zeek/cmake/ZeekPlugin.cmake:196 (zeek_add_dynamic_plugin)
  /opt/zeek/share/zeek/cmake/ZeekPluginCommon.cmake:68 (zeek_add_plugin)
  CMakeLists.txt:13 (zeek_plugin_end)


=== STDOUT ===
Build Directory        : build
Zeek Source Directory   : 
-- The C compiler identification is GNU 12.2.0
-- The CXX compiler identification is GNU 12.2.0
-- Detecting C compiler ABI info
-- Detecting C compiler ABI info - done
-- Check for working C compiler: /usr/bin/cc - skipped
-- Detecting C compile features
-- Detecting C compile features - done
-- Detecting CXX compiler ABI info
-- Detecting CXX compiler ABI info - done
-- Check for working CXX compiler: /usr/bin/c++ - skipped
-- Detecting CXX compile features
-- Detecting CXX compile features - done
-- Performing Test CMAKE_HAVE_LIBC_PTHREAD
-- Performing Test CMAKE_HAVE_LIBC_PTHREAD - Success
-- Found Threads: TRUE  
-- Found OpenSSL: /usr/lib/x86_64-linux-gnu/libcrypto.so (found version "3.0.9")  
-- Found BinPAC: /opt/zeek/bin/binpac  
-- Found BifCl at /opt/zeek/bin/bifcl
-- Setting plugin CMAKE_BUILD_TYPE to RelWithDebInfo
-- Configuring incomplete, errors occurred!
See also "/opt/zeek/var/lib/zkg/clones/package/zeek-plugin-tds/build/CMakeFiles/CMakeOutput.log".

I know the CAF stuff is deprecated and should be removed. I'm testing a fix now (setting minimum cmake 3.15).
