Test suite fails on Linux #3
Comments
Up until v0.1.3 that package does not pass its tests so cannot be installed via zkg, see corelight/zeek-spicy-openvpn#3. Pinning it for now to avoid breaking users.
This is probably related to the recent additions for the protocol* functions: https://github.com/corelight/zeek-spicy-openvpn/blob/master/analyzer/analyzer.spicy#L13. This logic works on the Linux sensors (and MacBook) where I install it.
I seem to be unable to reproduce this outside of Docker containers.
I'll try to debug what's going on here.
…t analyzer. Conceptually, a TCP-based application analyzer should not need any knowledge about the underlying TCP analysis; it's supposed to just process its reassembled input stream as it's handed over. But our analyzers break that assumption at a few places because sometimes knowledge about the TCP state of the connection can be helpful for heuristics. This is fine as long as there actually *is* a TCP parent analyzer available. Sometimes, however, there isn't: if the payload stream is encapsulated inside another application-layer protocol, the semantic link to TCP is broken. And if the outer connection is even UDP, then we don't have a TCP analyzer at all. We didn't handle this situation well so far. Most analyzers needing TCP state would just crash if there's no TCP analyzer (in debug mode with an `assert`, in release mode with a null pointer deref ...). Only HTTP did the right thing already: check if TCP is available and adapt accordingly. We now extend that check to all other analyzers as well: all accesses to `TCP()` are guarded, with reasonable defaults if not available. It's actually a pretty small change overall, which is evidence for how little this layering violation actually matters. The existing behavior is what's causing corelight/zeek-spicy-openvpn#3.
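The guard described in the commit message above, sketched as an added example that is not part of the original thread and is not Zeek's code. The `Analyzer` struct, `tcp_of`, `skip_as_partial` and the choice of default are hypothetical stand-ins for an analyzer tree in which the TCP parent may be absent.

```cpp
#include <cstdio>

// Hypothetical model of an analyzer tree; these types are NOT Zeek's classes.
enum class Kind { TCP, UDP, Tunnel, App };

struct Analyzer {
    Kind kind;
    const Analyzer* parent;  // analyzer that hands this one its input
    bool partial;            // TCP only: connection was picked up mid-stream
};

// The TCP analyzer directly feeding `a`, or nullptr when the payload arrives
// from another application-layer analyzer (e.g. a tunnel over UDP).
const Analyzer* tcp_of(const Analyzer& a) {
    return (a.parent && a.parent->kind == Kind::TCP) ? a.parent : nullptr;
}

// Guarded heuristic: consult TCP state only when a TCP parent exists,
// otherwise fall back to a default (assumed here: treat the stream as complete).
bool skip_as_partial(const Analyzer& app) {
    const Analyzer* tcp = tcp_of(app);
    return tcp ? tcp->partial : false;
}

// Constructed scenario 1: TCP -> App, connection seen mid-stream.
bool direct_over_tcp() {
    Analyzer tcp{Kind::TCP, nullptr, true};
    Analyzer app{Kind::App, &tcp, false};
    return skip_as_partial(app);
}

// Constructed scenario 2: UDP -> Tunnel -> App, no TCP analyzer anywhere.
// An unguarded `tcp_of(app)->partial` would dereference nullptr here.
bool tunneled_over_udp() {
    Analyzer udp{Kind::UDP, nullptr, false};
    Analyzer tunnel{Kind::Tunnel, &udp, false};
    Analyzer app{Kind::App, &tunnel, false};
    return skip_as_partial(app);
}

int main() {
    std::printf("TCP parent: skip=%d\n", direct_over_tcp());
    std::printf("tunneled over UDP: skip=%d\n", tunneled_over_udp());
    return 0;
}
```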
spicy-plugin v1.3.7 fixes this. (Sounds like this package will need a baseline update now.)
As of 6bcb4ec the test suite fails on Linux (e.g., inside the `zeekurity/spicy` container used by CI) so that the package cannot be installed via `zkg` there.