[Zeek] zkg after CentOS zeek 3.1.1 rpm install

Eric Ooi ericooi at gmail.com
Fri Apr 10 16:24:11 PDT 2020


The package likely isn’t compatible with Zeek 3.1 yet, since it introduced significant changes. However, you can install pf_ring without using zkg: https://docs.zeek.org/en/current/configuration/#installing-pf-ring

That said, the general recommendation nowadays is to go with af_packet, of which there is a Zeek 3.1 compatible package: https://packages.zeek.org/packages/view/6dedb9cc-5916-11ea-9321-0a645a3f3086

If you go that route, I’ve written a guide to get you started: https://www.ericooi.com/zeekurity-zen-part-ii-zeek-package-manager/

Hope that helps!
Eric


> On Apr 10, 2020, at 5:57 PM, Greg Grasmehr <greg.grasmehr at caltech.edu> wrote:
> 
> Greetings,
> 
> I'm trying to use zkg to install pf_ring, I have zeek 3.1.1 source
> available, and the following in the config, but it still errors with
> 
> Cannot determine Bro source directory, use --bro-dist=DIR
> 
> Having bro_dist defined in the config makes no difference
> 
> cat .zkg/config 
> [sources]
> zeek = https://github.com/zeek/packages
> 
> [paths]
> state_dir = /home/zeek/.zkg
> script_dir = /opt/zeek/share/zeek/site
> plugin_dir = /opt/zeek/lib/zeek/plugins
> zeek_dist = /tmp/zeek-3.1.1
> bro_dist = /tmp/zeek-3.1.1
> 
> 
> 
> 
> zkg --verbose install zeek/ntop/bro-pf_ring
> The following packages will be INSTALLED:
>  zeek/ntop/bro-pf_ring (master)
> 
> Proceed? [Y/n] Y
> Running unit tests for "zeek/ntop/bro-pf_ring"
> error: failed to run tests for zeek/ntop/bro-pf_ring: package build_command failed, see log in /home/zeek/.zkg/logs/bro-pf_ring-build.log
> Proceed to install anyway? [N/y] N
> Abort.
> 
> 
> 
> cat /home/zeek/.zkg/logs/bro-pf_ring-build.log
> === STDERR ===
> === STDOUT ===
> Cannot determine Bro source directory, use --bro-dist=DIR.
> 
> Thanks for any pointers.
> 
> Stay Safe,
> 
> Greg