MongoDB protocol analyzer for Zeek using Spicy.
This repository is organized for normal users first:
- mongodb.hlto is the prebuilt analyzer bundle
- scripts/ contains the Zeek loader and log logic
- tests/pcaps/ contains small sample pcaps for quick testing
- legacy_bak/ keeps the older pure-Zeek reference implementation
- dev/ contains source and build files for developers
- zkg.meta enables installation through Zeek Package Manager
Your Zeek installation must have Spicy support available.
Check with:
    zeek -NN | grep Spicy

Installing with zkg is the recommended option because it builds the analyzer on the target machine.
Make sure the machine has cmake installed before running zkg install.
Install directly from the GitHub repo:
    zkg install https://github.com/flowtracex/zeek-mongodb-protocol-analyzer

After installation, load the package with either:

    @load packages

or:

    @load mongodb

For quick command-line testing after zkg install, this also works:

    zeek -Cr tests/pcaps/mongodb_insert_find.pcap mongodb

zkg uses zkg.meta in this repository to:

- install scripts from scripts/
- build the analyzer from dev/
- install the built plugin from dev/build/
Using the prebuilt bundle is the quick path.
Copy the analyzer bundle into Zeek's Spicy directory:

    cp mongodb.hlto /opt/zeek/lib/zeek/spicy/

Then load the script manually when running Zeek:

    zeek -Cr tests/pcaps/mongodb_insert_find.pcap scripts/__load__.zeek

This writes mongodb.log in the directory where you run Zeek.
The included mongodb.hlto was built on Ubuntu with the local Zeek/Spicy toolchain used for this repository.
It may work on similar systems, but it is not guaranteed to work on every machine, Zeek version, libc version, or CPU architecture.
If the prebuilt mongodb.hlto does not load correctly on your system, use the zkg install path instead.
mongodb.log contains the following fields:

- request_id
- response_to
- opcode
- is_request
- is_reply
- database
- collection
- command
- crud_op
- ok
- errmsg
- n
- n_modified
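A consumer-side example of the log fields above, added here and not part of the analyzer repository: a small Python script that parses a Zeek-style mongodb.log (TSV with a #fields header), counts CRUD requests per database.collection, and joins failed replies (ok != 1 or an errmsg) back to the request they answer via response_to. The sample log lines are constructed; the ts, uid and id.* columns are assumed to be the usual Zeek connection fields, and the column order and value formats (T/F booleans, ok as a double) are assumptions rather than the analyzer's documented schema.

```python
"""Parse a Zeek mongodb.log and flag failed MongoDB replies.

Added example for this README, not code from the analyzer repository.
The field names after the connection tuple are the ones mongodb.log
documents; ts/uid/id.* are assumed Zeek connection fields, and the
column order and value formats are assumptions.
"""
from collections import Counter

UNSET = "-"  # Zeek's default #unset_field marker

# Constructed sample log: two connections, three commands, one failure.
_HEADER_FIELDS = [
    "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
    "request_id", "response_to", "opcode", "is_request", "is_reply",
    "database", "collection", "command", "crud_op", "ok", "errmsg",
    "n", "n_modified",
]
_ROWS = [
    # request: insert into app.users (opcode 2013 = OP_MSG)
    ["1700000000.100000", "CabcDE1", "10.0.0.5", "51000", "10.0.0.9", "27017",
     "1", "0", "2013", "T", "F", "app", "users", "insert", "insert", "-", "-", "-", "-"],
    # reply: one document inserted
    ["1700000000.101000", "CabcDE1", "10.0.0.5", "51000", "10.0.0.9", "27017",
     "1001", "1", "2013", "F", "T", "app", "users", "insert", "insert", "1.0", "-", "1", "-"],
    # request: update one document
    ["1700000000.200000", "CabcDE1", "10.0.0.5", "51000", "10.0.0.9", "27017",
     "2", "0", "2013", "T", "F", "app", "users", "update", "update", "-", "-", "-", "-"],
    # reply: matched 1, modified 1
    ["1700000000.201000", "CabcDE1", "10.0.0.5", "51000", "10.0.0.9", "27017",
     "1002", "2", "2013", "F", "T", "app", "users", "update", "update", "1.0", "-", "1", "1"],
    # request on a second connection: delete from admin.audit
    ["1700000001.000000", "CxyzF02", "10.0.0.7", "52000", "10.0.0.9", "27017",
     "7", "0", "2013", "T", "F", "admin", "audit", "delete", "delete", "-", "-", "-", "-"],
    # reply: the server rejected it
    ["1700000001.001000", "CxyzF02", "10.0.0.7", "52000", "10.0.0.9", "27017",
     "1007", "7", "2013", "F", "T", "admin", "audit", "delete", "delete", "0.0",
     "not authorized on admin to execute command", "-", "-"],
]
SAMPLE_LOG = "\n".join(
    ["#separator \\x09", "#set_separator\t,", "#empty_field\t(empty)",
     "#unset_field\t-", "#path\tmongodb", "#fields\t" + "\t".join(_HEADER_FIELDS)]
    + ["\t".join(r) for r in _ROWS]
    + ["#close\t2023-11-14-22-13-20"]
) + "\n"


def parse_zeek_log(text):
    """Return one dict per data row; the unset marker '-' becomes None."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue  # other header/footer lines carry no records
        if fields is None:
            raise ValueError("data row before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError("column count mismatch: %r" % line)
        records.append({f: (None if v == UNSET else v) for f, v in zip(fields, values)})
    return records


def crud_counts(records):
    """Count CRUD requests per (database.collection, crud_op); requests only."""
    counts = Counter()
    for r in records:
        if r["is_request"] == "T" and r["crud_op"]:
            counts[(r["database"] + "." + r["collection"], r["crud_op"])] += 1
    return counts


def failed_replies(records):
    """Replies with ok != 1 or an errmsg, joined to their request via response_to."""
    requests = {(r["uid"], r["request_id"]): r for r in records if r["is_request"] == "T"}
    failures = []
    for r in records:
        if r["is_reply"] != "T":
            continue
        ok = float(r["ok"]) if r["ok"] is not None else None
        if (ok is not None and ok != 1.0) or r["errmsg"]:
            req = requests.get((r["uid"], r["response_to"]))
            failures.append({
                "uid": r["uid"],
                "client": r["id.orig_h"],
                "command": req["command"] if req else r["command"],
                "namespace": "%s.%s" % (r["database"], r["collection"]),
                "errmsg": r["errmsg"],
            })
    return failures


def modified_total(records):
    """Sum n_modified over replies that report it."""
    return sum(int(r["n_modified"]) for r in records if r["n_modified"] is not None)


if __name__ == "__main__":
    recs = parse_zeek_log(SAMPLE_LOG)
    for (ns, op), n in sorted(crud_counts(recs).items()):
        print(ns, op, n)
    for f in failed_replies(recs):
        print("FAILED", f)
```

Run it against a real mongodb.log by replacing SAMPLE_LOG with the file's contents; failed replies with an errmsg such as an authorization error are the rows worth alerting on, since they show a client attempting operations the server refused.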
Small sample pcaps are included in tests/pcaps/:
- mongodb_hello.pcap
- mongodb_insert_find.pcap
- mongodb_update_delete_error.pcap
If you want to rebuild the analyzer from source, see dev/README.md.