Packaging Spicy analyzers for Zeek #687
Replies: 2 comments 1 reply
-
One more question: Envision a world where we have 30 new Spicy analyzers for Zeek to distribute. Would you rather install one package that gives you all these analyzers, or 30 packages with one analyzer each? In the latter case, we could in addition have a meta package depending on all 30, so that installation is easy, but it would still mean dealing with 30 git repositories, 30 packages to maintain and update, 30 different Spicy versions they could depend on, etc.
-
The new spicy-analyzers package takes the proposed approach and that seems to work well so far. Next thing would be to develop a template skeleton for Spicy analyzers maintained outside of spicy-analyzers (while for now, merging new analyzers into spicy-analyzers is generally preferred, that won't be viable forever, and for some use cases it might also just not be an option).
-
Let's collect some thoughts on packaging Spicy analyzers so that they can be installed for Zeek through `zkg`. Right now, we have two experimental packages: `spicy-runtime` (which builds the Zeek plugin, but without JIT compilation capability); and `spicy-tftp`, which, as a case study, installs the Spicy-based TFTP analyzer. The latter actually ships the pre-compiled C++ code, so that users don't need the full Spicy compiler installed.

I'm not sure anymore that that's the right approach. With recent changes, installing Spicy has become much easier: one doesn't need clang/llvm anymore, just any C++17 compiler is fine; and many systems come with that already these days. With that, installing the full Spicy toolchain doesn't seem like a hurdle anymore.

I'm wondering about thoughts on this model instead:

1. We require an existing (full) Spicy installation on the system supposed to install the packages. This would be a dependency for any analyzer package.
2. An analyzer package then ships the Spicy source files (i.e., `.spicy`, `.evt`) as well as any Zeek scripts it needs.
3. The package installation precompiles these source files through `spicyz` into an HLTO file.
4. Activating the package lets Zeek load that HLTO file and hence make the analyzer available.

The advantage here is that we'll have much less versioning trouble: as long as the Spicy source compiles with the installed Spicy version, the package will be fine. Updating the analyzer package will work as expected as well.

Thoughts?
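As an added illustration of the model proposed above (not a file from the spicy-runtime, spicy-tftp or spicy-analyzers projects), here is what a `zkg.meta` for a source-shipping analyzer package could look like: the dependency on an installed Spicy toolchain is expressed through the page's `spicy-runtime` package, the install-time `build_command` runs `spicyz` over the shipped `.spicy`/`.evt` files to produce the HLTO, and the Zeek scripts live in `script_dir`. The package name, file names, directory layout and the `X.Y.Z` version are placeholders I chose for the example.

```ini
[package]
description = Spicy-based TFTP analyzer shipped as Spicy source (constructed example)
version = 0.1.0
tags = zeek, spicy, tftp

# The proposal requires a full Spicy installation on the target system;
# modelled here as a dependency on the spicy-runtime package named on the
# page (X.Y.Z is a placeholder, not a real version constraint).
depends =
  spicy-runtime >= X.Y.Z

# Install-time precompilation: zkg runs this inside the package checkout.
# Only the Spicy sources (.spicy, .evt) are shipped; the HLTO is produced
# here against whatever Spicy version is installed, so a Spicy upgrade just
# needs the sources to still compile. Paths are assumptions for the example.
build_command = mkdir -p build && spicyz -o build/tftp.hlto analyzer/tftp.spicy analyzer/tftp.evt

# Zeek scripts the analyzer needs (event handlers, logging, port registration).
script_dir = scripts
```

Where the resulting `build/tftp.hlto` has to be placed so that Zeek picks it up on package activation depends on how the installed Spicy plugin locates HLTO files; this example does not assume a particular mechanism.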