Writing analyzers with Spicy
Spicy is a parser generator that makes it easy to create robust C++ parsers network protocols, file formats, and more. Spicy analyzers can be integrated with Zeek with spicy-plugin so that one can create Zeek protocol, packet and file analyzers.
Spicy is documented separately, so this section just presents high-level points relevant for Zeek.
Installation
A Zeek configured with default ./configure
options includes Spicy. If the
--disable-spicy
configure option is used instead, Spicy and
spicy-plugin
need to be installed out of band, see the instructions for
Spicy and
spicy-plugin, respectively.
Writing an analyzer
Analyzer scaffolding including a Spicy grammar .spicy
, Zeek integration
glue code .evt
and a CMake build setup can be generated with the zkg
package manager with the
default package template by passing --feature spicy-analyzer
.
See the Spicy documentation for details on how to write and integrate a parser.