[Zeek] How to turn verbose on (Can't load packages)?

Justin Azoff justin at corelight.com
Wed Apr 1 11:26:11 PDT 2020


Ah, you're trying to install some packages that have been updated to
work with zeek on an older bro installation.  Can you upgrade to zeek
3.0.3 ?

On Wed, Apr 1, 2020 at 11:24 AM Mauricio Tavares <raubvogel at gmail.com> wrote:
>
> On Tue, Mar 31, 2020 at 2:52 PM Jon Siwek <jsiwek at corelight.com> wrote:
> >
> > On Tue, Mar 31, 2020 at 11:39 AM Mauricio Tavares <raubvogel at gmail.com> wrote:
> >
> > >       In that case, I think I am in trouble because I did use zkg
> >
> > What's the output of `zkg config` ?
> >
> > Did you previously run `zkg autoconfig` ?
> >
> > If you don't do any configuration, the default location for zkg to
> > install packages is in $HOME/.zkg rather than inside your Zeek install
> > prefix and could explain why your `@load packages` doesn't find
> > anything.
> >
> > - Jon
>
> Thanks for everyone's replies! Yes, I was indeed missing `zkg
> autoconfig` as you all guessed. After running I have
>
> [root@bro scratch]# zkg config
> [sources]
> zeek = https://github.com/zeek/packages
>
> [paths]
> state_dir = /root/.zkg
> script_dir = /usr/local/bro/share/bro/site
> plugin_dir = /usr/local/bro/lib/bro/plugins
> zeek_dist = /usr/local/bro
>
> [root@bro scratch]#
>
> I then installed the packages and then ran `broctl check` whose errors
> now at least indicate I have progress:
>
> [root@bro scratch]# broctl check
> Hint: Run the broctl "deploy" command to get started.
> manager scripts failed.
> error in /usr/local/bro/share/bro/site/packages/__load__.bro, line 3:
> Failed to open package
> '/usr/local/bro/share/bro/site/packages/./add-node-names': missing
> '__load__.bro' file
> fatal error in /usr/local/bro/share/bro/site/packages/__load__.bro,
> line 3: can't open
> /usr/local/bro/share/bro/site/packages/./add-node-names/__load__.bro
> [...]
> [root@bro scratch]#
>
> Now, if I look at __load__.bro
>
> [root@bro scratch]# cat /usr/local/bro/share/bro/site/packages/__load__.bro
> # WARNING: This file is managed by zkg.
> # Do not make direct modifications here.
> @load ./add-node-names
> @load ./bro-shellshock
> @load ./credit-card-exposure
> @load ./domain-tld
> @load ./file-extraction
> @load ./ssn-exposure
> @load ./top-dns
> @load ./venom
> @load ./zeek-cryptomining
> [root@bro scratch]#
>
> all it is doing is loading files off the
> /usr/local/bro/share/bro/site/packages/ dir
>
> [root@bro scratch]# ls -l /usr/local/bro/share/bro/site/packages/
> total 8
> -rw-r--r-- 1 root root  98 Mar 31 19:24 README
> lrwxrwxrwx 1 root root  13 Apr  1 11:56 __load__.bro -> packages.zeek
> lrwxrwxrwx 1 root root  13 Apr  1 11:56 __load__.zeek -> packages.zeek
> drwxr-xr-x 2 root root  54 Mar 31 19:28 add-node-names
> drwxr-xr-x 2 root root  95 Mar 31 19:27 bro-shellshock
> drwxr-xr-x 2 root root  62 Mar 31 19:28 credit-card-exposure
> drwxr-xr-x 2 root root  62 Mar 31 19:27 domain-tld
> drwxr-xr-x 3 root root 106 Mar 31 19:27 file-extraction
> lrwxrwxrwx 1 root root  13 Apr  1 11:56 packages.bro -> packages.zeek
> -rw-r--r-- 1 root root 276 Apr  1 11:56 packages.zeek
> drwxr-xr-x 2 root root  42 Mar 31 19:28 ssn-exposure
> drwxr-xr-x 2 root root  42 Mar 31 19:27 top-dns
> drwxr-xr-x 2 root root  60 Mar 31 19:27 venom
> drwxr-xr-x 3 root root 112 Mar 31 19:28 zeek-cryptomining
> [root@bro scratch]#
>
> I do not know how it is going from that to trying to open
> /usr/local/bro/share/bro/site/packages/./add-node-names/__load__.bro



-- 
Justin
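
An added example, not part of the original thread and not zkg's own code: a shell check that reads the `@load ./name` lines of a zkg-managed loader and reports, per package, whether the directory has the `__load__.bro` file that the error above asks for. The function names and the sample tree are constructed, and it assumes that packages updated for Zeek ship only `__load__.zeek`.

```shell
#!/bin/sh
# check_pkg_loaders LOADER_FILE
#   For every "@load ./name" line in a zkg-managed loader, print "<name> <status>":
#     bro-ok     name/__load__.bro exists (the file the broctl error asks for)
#     zeek-only  only name/__load__.zeek exists (package updated for Zeek)
#     no-loader  directory exists but has neither file
#     missing    directory does not exist
#   Returns 0 when every entry is bro-ok, 1 otherwise.
check_pkg_loaders() {
    loader=$1
    base=$(dirname "$loader")
    rc=0
    # The here-document keeps the loop in the current shell so rc survives it.
    while read -r kw target; do
        [ -n "$target" ] || continue        # no @load lines matched
        name=${target#./}
        dir="$base/$name"
        if   [ ! -d "$dir" ];             then status=missing
        elif [ -e "$dir/__load__.bro" ];  then status=bro-ok
        elif [ -e "$dir/__load__.zeek" ]; then status=zeek-only
        else                                   status=no-loader
        fi
        [ "$status" = bro-ok ] || rc=1
        printf '%s %s\n' "$name" "$status"
    done <<EOF
$(grep -E '^@load[[:space:]]+\./' "$loader")
EOF
    return "$rc"
}

# Constructed sample tree (not the poster's real files): one package that still
# ships __load__.bro and one that is assumed to ship only __load__.zeek.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/old-style-pkg" "$d/add-node-names"
    : > "$d/old-style-pkg/__load__.bro"
    : > "$d/add-node-names/__load__.zeek"
    printf '%s\n' '# WARNING: This file is managed by zkg.' \
        '@load ./old-style-pkg' '@load ./add-node-names' > "$d/packages.zeek"
    printf '%s\n' "$d"
}

# Usage: sh check_loaders.sh /usr/local/bro/share/bro/site/packages/packages.zeek
if [ $# -gt 0 ]; then check_pkg_loaders "$1"; fi
```

Any package reported as `zeek-only` is one the older Bro install cannot load, which is the case the upgrade suggestion above addresses.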

