RFC: Remove spicy:: prefix from .evt files #11

Closed
awelzel opened this issue Jan 10, 2023 · 1 comment · Fixed by #19

Comments

awelzel commented Jan 10, 2023

IIUC, the spicy:: prefix causes the analyzer tag to be prefixed with SPICY_ which in turn ends up in the conn.log service field as spicy_<analyzer>. This causes the "tech" used to write an analyzer to leak through into the logs.

Should we remove the spicy:: prefix from the template?

protocol analyzer spicy::@ANALYZER@ over @PROTOCOL_UPPER@:

Reference zeek/zeek#2651

rsmmr commented Jan 11, 2023

Yeah, I can see removing this now. Originally it was meant to help identify when a Spicy analyzer is in use (as opposed to a traditional one), but seems that's less important these days, and it is kind of odd from a user's perspective to have that in there.

awelzel added a commit that referenced this issue Apr 28, 2023
As described in #11, the `spicy::` prefix in evt files causes the generated
analyzer tag to contain "SPICY_". This in turn trickles through to
conn.log's service field.

Closes #11.
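
For anyone consuming logs written both before and after this change, the sketch below normalizes the conn.log service field so a detection keyed on the plain analyzer name matches either form. It is an added example, not part of the issue thread or the project's code. It assumes JSON-formatted conn.log records and a comma-separated service value; the sample records and the `myproto` analyzer name are constructed.

```python
import json

SPICY_PREFIX = "spicy_"  # prefix the issue describes in conn.log's service field

def normalize_service(service):
    """Return (normalized_service, had_prefix) for one conn.log service value."""
    if not service or service == "-":
        return service, False
    names, had_prefix = [], False
    # Assumption: several services are joined with commas in one field.
    for name in service.split(","):
        if name.startswith(SPICY_PREFIX) and len(name) > len(SPICY_PREFIX):
            name = name[len(SPICY_PREFIX):]
            had_prefix = True
        if name not in names:  # "spicy_ldap,ldap" collapses to "ldap"
            names.append(name)
    return ",".join(names), had_prefix

def normalize_conn_log(lines):
    """Normalize JSON conn.log lines; return (records, count of rewritten records)."""
    records, rewritten = [], 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if "service" in rec:
            rec["service"], changed = normalize_service(rec["service"])
            rewritten += changed
        records.append(rec)
    return records, rewritten

def matches(records, wanted):
    """UIDs of records whose service list contains `wanted` exactly."""
    return [r["uid"] for r in records
            if wanted in (r.get("service") or "").split(",")]

# Constructed sample records, not taken from the issue.
SAMPLE = [
    '{"uid": "C1", "id.resp_p": 389, "service": "spicy_ldap"}',
    '{"uid": "C2", "id.resp_p": 389, "service": "ldap"}',
    '{"uid": "C3", "id.resp_p": 443, "service": "ssl,spicy_myproto"}',
    '{"uid": "C4", "id.resp_p": 53}',
]

if __name__ == "__main__":
    raw = [json.loads(line) for line in SAMPLE]
    fixed, count = normalize_conn_log(SAMPLE)
    print("match on raw logs:       ", matches(raw, "ldap"))
    print("match on normalized logs:", matches(fixed, "ldap"), "rewritten:", count)
```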