[Zeek] How to turn verbose on (Can't load packages)?

Mauricio Tavares raubvogel at gmail.com
Wed Apr 1 08:23:59 PDT 2020


On Tue, Mar 31, 2020 at 2:52 PM Jon Siwek <jsiwek at corelight.com> wrote:
>
> On Tue, Mar 31, 2020 at 11:39 AM Mauricio Tavares <raubvogel at gmail.com> wrote:
>
> >       In that case, I think I am in trouble because I did use zkg
>
> What's the output of `zkg config` ?
>
> Did you previously run `zkg autoconfig` ?
>
> If you don't do any configuration, the default location for zkg to
> install packages is in $HOME/.zkg rather than inside your Zeek install
> prefix and could explain why your `@load packages` doesn't find
> anything.
>
> - Jon

Thanks for everyone's replies! Yes, I was indeed missing `zkg
autoconfig` as you all guessed. After running it I have

[root@bro scratch]# zkg config
[sources]
zeek = https://github.com/zeek/packages

[paths]
state_dir = /root/.zkg
script_dir = /usr/local/bro/share/bro/site
plugin_dir = /usr/local/bro/lib/bro/plugins
zeek_dist = /usr/local/bro

[root@bro scratch]#

I then installed the packages and then ran `broctl check`, whose errors
now at least indicate I have made progress:

[root@bro scratch]# broctl check
Hint: Run the broctl "deploy" command to get started.
manager scripts failed.
error in /usr/local/bro/share/bro/site/packages/__load__.bro, line 3:
Failed to open package
'/usr/local/bro/share/bro/site/packages/./add-node-names': missing
'__load__.bro' file
fatal error in /usr/local/bro/share/bro/site/packages/__load__.bro,
line 3: can't open
/usr/local/bro/share/bro/site/packages/./add-node-names/__load__.bro
[...]
[root@bro scratch]#

Now, if I look at __load__.bro

[root@bro scratch]# cat /usr/local/bro/share/bro/site/packages/__load__.bro
# WARNING: This file is managed by zkg.
# Do not make direct modifications here.
@load ./add-node-names
@load ./bro-shellshock
@load ./credit-card-exposure
@load ./domain-tld
@load ./file-extraction
@load ./ssn-exposure
@load ./top-dns
@load ./venom
@load ./zeek-cryptomining
[root@bro scratch]#

all it is doing is loading files off the
/usr/local/bro/share/bro/site/packages/ dir

[root@bro scratch]# ls -l /usr/local/bro/share/bro/site/packages/
total 8
-rw-r--r-- 1 root root  98 Mar 31 19:24 README
lrwxrwxrwx 1 root root  13 Apr  1 11:56 __load__.bro -> packages.zeek
lrwxrwxrwx 1 root root  13 Apr  1 11:56 __load__.zeek -> packages.zeek
drwxr-xr-x 2 root root  54 Mar 31 19:28 add-node-names
drwxr-xr-x 2 root root  95 Mar 31 19:27 bro-shellshock
drwxr-xr-x 2 root root  62 Mar 31 19:28 credit-card-exposure
drwxr-xr-x 2 root root  62 Mar 31 19:27 domain-tld
drwxr-xr-x 3 root root 106 Mar 31 19:27 file-extraction
lrwxrwxrwx 1 root root  13 Apr  1 11:56 packages.bro -> packages.zeek
-rw-r--r-- 1 root root 276 Apr  1 11:56 packages.zeek
drwxr-xr-x 2 root root  42 Mar 31 19:28 ssn-exposure
drwxr-xr-x 2 root root  42 Mar 31 19:27 top-dns
drwxr-xr-x 2 root root  60 Mar 31 19:27 venom
drwxr-xr-x 3 root root 112 Mar 31 19:28 zeek-cryptomining
[root@bro scratch]#

I do not know how it is going from that to trying to open
/usr/local/bro/share/bro/site/packages/./add-node-names/__load__.bro
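
Added example, not part of the original message: `@load ./add-node-names` names a directory, and for a directory Bro opens that directory's `__load__.bro`, which is the file the error above reports as missing. The sketch below walks the zkg-managed loader and reports, per entry, whether that file exists; the helper name `check_pkg_loaders`, the constructed sample tree, and the case of a directory holding only `__load__.zeek` are assumptions, not taken from the thread.

```shell
#!/bin/sh
# Added example: audit a zkg-managed loader for directories Bro cannot load.
# check_pkg_loaders is a hypothetical helper name, not part of zkg or broctl.
check_pkg_loaders() {
    loader=$1
    base=$(dirname "$loader")
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            "@load ./"*) name=${line#"@load ./"} ;;
            *) continue ;;                      # comments and blank lines
        esac
        dir=$base/$name
        if [ -f "$dir/__load__.bro" ]; then
            echo "ok         $name"
        elif [ -f "$dir/__load__.zeek" ]; then
            # Assumed case: only the Zeek-era loader name is present.
            echo "zeek-only  $name"; bad=1
        elif [ -d "$dir" ]; then
            echo "no-loader  $name"; bad=1
        else
            echo "absent     $name"; bad=1
        fi
    done < "$loader"
    return "$bad"                               # 0 only if every entry loads
}

# Constructed sample tree (not the poster's real directory contents).
demo=$(mktemp -d)
mkdir "$demo/add-node-names" "$demo/venom" "$demo/top-dns"
: > "$demo/add-node-names/__load__.zeek"
: > "$demo/venom/__load__.bro"
printf '%s\n' '# WARNING: This file is managed by zkg.' \
    '@load ./add-node-names' '@load ./venom' \
    '@load ./top-dns' '@load ./ssn-exposure' > "$demo/packages.zeek"
ln -s packages.zeek "$demo/__load__.bro"

check_pkg_loaders "$demo/__load__.bro" || echo "some packages cannot be loaded"
```

On a real install the argument would be the loader path shown in the `broctl check` error.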

