CoAP Analyzer with Spicy
1. Install Zeek and Spicy
- OS: Ubuntu 22.04.2 VMware
- User: root
- Installed Software: Zeek 5.2.0
- The Official Document and Source to Install Zeek:
https://docs.zeek.org/en/
https://software.opensuse.org/download.html?project=security%3Azeek&package=zeek
- Install Required Dependencies.
apt-get install curl cmake make gcc g++ flex libfl-dev bison libpcap-dev libssl-dev python3 python3-dev swig zlib1g-dev
- Install Zeek.
echo 'deb http://download.opensuse.org/repositories/security:/zeek/xUbuntu_22.04/ /' | sudo tee /etc/apt/sources.list.d/security:zeek.list
curl -fsSL https://download.opensuse.org/repositories/security:zeek/xUbuntu_22.04/Release.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/security_zeek.gpg > /dev/null
sudo apt update
sudo apt install zeek
- Add following code in the
.bashrc
file.
echo "export PATH=$PATH:/opt/zeek/bin" > .bashrc
- Make it work.
source .bashrc
- Test.
zeek -v
zeek version 5.2.0
2. Create project file with spicy-protocol-analyzer
template
zkg create --features spicy-protocol-analyzer --packagedir spicy-coap
"package-template" requires a "name" value (the name of the package, e.g. "FooBar" or "spicy-http"):
name: spicy-coap
"package-template" requires a "analyzer" value (name of the Spicy analyzer, which typically corresponds to the protocol/format being parsed (e.g. "HTTP", "PNG")):
analyzer: CoAP
"package-template" requires a "protocol" value (transport protocol for the analyzer to use: TCP or UDP):
protocol: UDP
"package-template" requires a "unit_orig" value (name of the top-level Spicy parsing unit for the originator side of the connection (e.g. "Request")):
unit_orig: Message
"package-template" requires a "unit_resp" value (name of the top-level Spicy parsing unit for the responder side of the connection (e.g. "Reply"); may be the same as originator side):
unit_resp: Message
3. Test and Integrate Spicy code with Zeek
- Test Spicy code to parse GET CoAP traffic with spicy-driver.
cat GET.dat | spicy-driver coap.spicy
The output is:
[$ver_t_tkl=(1, MessageType::CONFIRMABLE, 0), $version=1, $code=Code::GET, $message_id=51378, $t=b"", $preceding_option_number=26, $options=[[$delta_length=(11, 5), $payload=(not set), $value_bytes=b"basic", $delta=11, $length=5, $option_ID=OptionID::URI_PATH, $value="basic"]], $token="", $payload=""]
Test Spicy code to parse POST CoAP traffic with spicy-driver.
cat POST.dat | spicy-driver coap.spicy
The output is:
[$ver_t_tkl=(1, MessageType::CONFIRMABLE, 2), $version=1, $code=Code::POST, $message_id=53074, $t=b"30", $preceding_option_number=27, $options=[[$delta_length=(11, 5), $payload=(not set), $value_bytes=b"basic", $delta=11, $length=5, $option_ID=OptionID::URI_PATH, $value="basic"], [$delta_length=(1, 1), $payload=(not set), $value_bytes=b"\x00", $delta=1, $length=1, $option_ID=OptionID::CONTENT_FORMAT, $value="text/plain; charset=utf-8"]], $token="30", $payload="dummy-packets-49962"]
- Compile analyzer to *.hlto file.
spicyz -o coap.hlto coap.spicy coap.evt zeek_coap.spicy
-
Copy *.hlto file into /opt/zeek/lib/zeek-spicy/modules.
-
Check out Zeek Spicy plugin:
zeek -NN Zeek::Spicy
.
The output should contains these.
[Analyzer] spicy_CoAP (ANALYZER_SPICY_COAP, enabled)
[Type] CoAP::MessageType
[Type] CoAP::Code
[Type] CoAP::OptionID
- Use Zeek to load main.zeek to create log file in JSON format.
zeek -Cr Test.pcap main.zeek LogAscii::use_json=T
- Use
jq
tool to see the log file:jq . coap.log
.
{
"ts": 1618846973.65904,
"uid": "CwGKCs3fAA0WXJMNN3",
"id.orig_h": "10.0.0.2",
"id.orig_p": 56955,
"id.resp_h": "10.0.0.6",
"id.resp_p": 5683,
"version": 1,
"message_type": "CoAP::MessageType_CONFIRMABLE",
"code": "CoAP::Code_GET",
"message_id": 53404,
"token": "Le",
"option_id": [
"CoAP::OptionID_URI_PATH"
],
"option_value": [
"basic"
]
}
{
"ts": 1618846973.688292,
"uid": "CwGKCs3fAA0WXJMNN3",
"id.orig_h": "10.0.0.2",
"id.orig_p": 56955,
"id.resp_h": "10.0.0.6",
"id.resp_p": 5683,
"version": 1,
"message_type": "CoAP::MessageType_CONFIRMABLE",
"code": "CoAP::Code_POST",
"message_id": 53405,
"token": "XP",
"option_id": [
"CoAP::OptionID_URI_PATH"
],
"option_value": [
"basic"
],
"payload": "dummydata-9948"
}
{
"ts": 1618846973.710531,
"uid": "CwGKCs3fAA0WXJMNN3",
"id.orig_h": "10.0.0.2",
"id.orig_p": 56955,
"id.resp_h": "10.0.0.6",
"id.resp_p": 5683,
"version": 1,
"message_type": "CoAP::MessageType_CONFIRMABLE",
"code": "CoAP::Code_GET",
"message_id": 53406,
"token": "qp",
"option_id": [
"CoAP::OptionID_URI_PATH"
],
"option_value": [
"basic"
]
}
{
"ts": 1618846973.732999,
"uid": "CwGKCs3fAA0WXJMNN3",
"id.orig_h": "10.0.0.2",
"id.orig_p": 56955,
"id.resp_h": "10.0.0.6",
"id.resp_p": 5683,
"version": 1,
"message_type": "CoAP::MessageType_CONFIRMABLE",
"code": "CoAP::Code_POST",
"message_id": 53407,
"token": "cK",
"option_id": [
"CoAP::OptionID_URI_PATH"
],
"option_value": [
"basic"
],
"payload": "dummydata-9949"
}
2. Change these files and write your code.
├── analyzer
│ ├── coap.evt
│ ├── coap.spicy
│ └── zeek_coap.spicy
├── scripts
├── __load__.zeek
├── dpd.sig
└── main.zeek
3. Build the Spicy analyzer.
root@zeek-ubuntu:~/spicy-coap# rm -rf build
root@zeek-ubuntu:~/spicy-coap# mkdir build
root@zeek-ubuntu:~/spicy-coap# cd build
root@zeek-ubuntu:~/spicy-coap/build# cmake ..
root@zeek-ubuntu:~/spicy-coap/build# cmake --build .
4. Test the Spicy analyzer.
-
Put your PCAP files under
spicy-coap/testing/Traces
directory. -
Change
spicy-coap/testing/tests/standalone.spicy
andspicy-coap/testing/tests/trace.zeek
testing commands. -
Update
Baseline
directory files.
root@zeek-ubuntu:~/spicy-coap/testing# btest -U
- Test.
root@zeek-ubuntu:~/spicy-coap/testing# btest
5. Install the analyzer and verify it.
zkg install .
zeek -NN Zeek::Spicy
6. Run Zeek with CoAP analyzer.
Add spicy-coap
if you want to generate coap.log
file.
zeek -Cr Test.pcap spicy-coap
It’s the format of coap.log
in JSON.
{
"ts": 1618846973.710531,
"uid": "CzQ5u56kn79ScgWC7",
"id.orig_h": "10.0.0.2",
"id.orig_p": 56955,
"id.resp_h": "10.0.0.6",
"id.resp_p": 5683,
"version": 1,
"message_type": "CoAP::MessageType_CONFIRMABLE",
"code": "CoAP::Code_GET",
"message_id": 53406,
"token": "qp",
"option_id": [
"CoAP::OptionID_URI_PATH"
],
"option_value": [
"basic"
]
}
{
"ts": 1618846973.732999,
"uid": "CzQ5u56kn79ScgWC7",
"id.orig_h": "10.0.0.2",
"id.orig_p": 56955,
"id.resp_h": "10.0.0.6",
"id.resp_p": 5683,
"version": 1,
"message_type": "CoAP::MessageType_CONFIRMABLE",
"code": "CoAP::Code_POST",
"message_id": 53407,
"token": "cK",
"option_id": [
"CoAP::OptionID_URI_PATH"
],
"option_value": [
"basic"
],
"payload": "dummydata-9949"
}
If you want to load all your installed packages, add @load packages
in /opt/zeek/share/zeek/site/local.zeek
file. And add local
or local.zeek
when you use Zeek.
zeek -Cr Test.pcap local
References
- Zeek Documentation
- Spicy Documentation
- Anatomy Of A Zeek Spicy Protocol Analyzer YouTube Video from Keith Jones