Test suite fails on Linux #3

Closed
bbannier opened this issue Jan 25, 2022 · 4 comments
Labels
bug Something isn't working docker Issue is associated with Docker CI for testing. tests Requires work to tests.

Comments

@bbannier

As of 6bcb4ec the test suite fails on Linux (e.g., inside the zeekurity/spicy container used by CI) so that the package cannot be installed via zkg there.

bbannier added a commit to zeek/spicy-analyzers that referenced this issue Jan 25, 2022
Up until v0.1.3 that package does not pass its tests so cannot be
installed via zkg, see
corelight/zeek-spicy-openvpn#3.

Pinning it for now to avoid breaking users.
@keithjjones
Collaborator

This is probably related to the recent additions for the protocol* functions: https://github.com/corelight/zeek-spicy-openvpn/blob/master/analyzer/analyzer.spicy#L13

This logic works on the Linux sensors (and Macbook) where I install it. zkg --skiptests can get around test issues. I'm not sure where I can take this issue from here.

@keithjjones keithjjones added bug Something isn't working tests Requires work to tests. labels Jan 25, 2022
@bbannier
Author

I seem to be unable to reproduce this outside of Docker containers.

@rsmmr
Member

rsmmr commented Jan 26, 2022

I'll try to debug what's going on here.

rsmmr added a commit to zeek/zeek that referenced this issue Jan 28, 2022
…t analyzer.

Conceptually, a TCP-based application analyzer should not need any
knowledge about the underlying TCP analysis; it's supposed to just
process its reassembled input stream as it's handed over. But our
analyzers break that assumption at a few places because sometimes
knowledge about the TCP state of the connection can be helpful for
heuristics. This is fine as long as there actually *is* a TCP parent
analyzer available. Sometimes, however, there isn't: if the payload
stream is encapsulated inside another application-layer protocol, the
semantic link to TCP is broken. And if the outer connection is even
UDP, then we don't have a TCP analyzer at all.

We didn't handle this situation well so far. Most analyzers needing
TCP state would just crash if there's no TCP analyzer (in debug mode
with an `assert`, in release mode with a null pointer deref ...). Only
HTTP did the right thing already: check if TCP is available and adapt
accordingly.

We now extend that check to all other analyzers as well: all accesses
to `TCP()` are guarded, with reasonable defaults if not available.
It's actually a pretty small change overall, which is evidence for how
little this layering violation actually matters.

The existing behavior is what's causing
corelight/zeek-spicy-openvpn#3.
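
The guard described in the commit message above, as an added example that is not part of the original thread and is not Zeek's code. It uses a simplified analyzer tree in which every class and method name is hypothetical: an application analyzer checks for a TCP parent before reading TCP state and falls back to a default when it is attached under UDP.

```cpp
#include <iostream>

// Hypothetical, simplified analyzer tree (not Zeek's real classes).
struct Analyzer {
    explicit Analyzer(Analyzer* parent = nullptr) : parent_(parent) {}
    virtual ~Analyzer() = default;
    Analyzer* Parent() const { return parent_; }
private:
    Analyzer* parent_;
};

// Transport-layer analyzers.
struct TcpAnalyzer : Analyzer {
    bool is_partial = false;  // connection seen without its handshake
    bool IsPartial() const { return is_partial; }
};
struct UdpAnalyzer : Analyzer {};

// An analyzer written for TCP payloads that may also end up under a
// non-TCP parent, e.g. when its stream is tunnelled inside UDP.
struct AppAnalyzer : Analyzer {
    using Analyzer::Analyzer;

    // Returns the TCP parent, or nullptr when there is none.
    TcpAnalyzer* TCP() const { return dynamic_cast<TcpAnalyzer*>(Parent()); }

    // Unguarded form: dereferences whatever TCP() returns, so it is a
    // null pointer dereference when the parent is not a TCP analyzer.
    bool IsPartialUnguarded() const { return TCP()->IsPartial(); }

    // Guarded form: use TCP state if present, otherwise a default.
    bool IsPartialGuarded() const {
        const TcpAnalyzer* tcp = TCP();
        return tcp ? tcp->IsPartial() : false;
    }
};

int main() {
    TcpAnalyzer tcp;
    tcp.is_partial = true;
    UdpAnalyzer udp;
    AppAnalyzer over_tcp(&tcp), over_udp(&udp);

    std::cout << "over TCP, partial: " << over_tcp.IsPartialGuarded() << "\n";
    std::cout << "over UDP, partial: " << over_udp.IsPartialGuarded() << "\n";
    // over_udp.IsPartialUnguarded() would dereference a null pointer here.
    return 0;
}
```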
@rsmmr
Member

rsmmr commented Feb 2, 2022

spicy-plugin v1.3.7 fixes this. (Sounds like this package will need a base line update now.)
