Custom parsers for Zeek6x in SO #10834
Replies: 1 comment
It looks like that Goose protocol parser is several years old and requires patching the Zeek source code. You might consider asking the author(s) of that parser if they can update it so that it is just a standard Zeek script and doesn't require patching the actual Zeek source code.
We have experimented with multiple custom parsers for the Goose protocol on a local Zeek 2.x (formerly known as Bro) setup. These parsers have been successful, generating the desired log files by extracting data from the pcap files. The project repository we used for the parsers can be found at https://github.com/smartgridadsc/Goose-protocol-parser-for-Zeek-IDS.git.
Now, we are planning to implement these parsers on Security Onion to enable real-time monitoring. We are curious if it is feasible to employ similar parsers with Zeek in the Security Onion environment, and if this approach is appropriate. We welcome any suggestions for alternative methods to achieve our goal.