[Zeek] How to debug why some scripts are not loaded?

Carlos Lopez clopmz at outlook.com
Fri Jun 5 00:24:18 PDT 2020


Hi all,

I have a strange problem with dovehawk under Zeek 3.0.6… Yesterday, I refreshed all installed packages with zkg. Only the community-id package was updated. After this, I restarted the whole Zeek cluster, and dovehawk doesn’t work …

Reviewing loaded_script.log, dovehawk is loaded:

{"name":"  /nsm/zeek/spool/installed-scripts-do-not-touch/site/packages/__load__.zeek"}
{"name":"    /nsm/zeek/spool/installed-scripts-do-not-touch/site/packages/add-node-names/__load__.zeek"}
{"name":"      /nsm/zeek/spool/installed-scripts-do-not-touch/site/packages/add-node-names/add-node-names.zeek"}
{"name":"    /nsm/zeek/spool/installed-scripts-do-not-touch/site/packages/dovehawk/__load__.zeek"}
{"name":"      /nsm/zeek/spool/installed-scripts-do-not-touch/site/packages/dovehawk/scripts/dovehawk_expire.zeek"}
{"name":"        /opt/zeek/share/zeek/policy/frameworks/intel/seen/__load__.zeek"}
{"name":"          /opt/zeek/share/zeek/policy/frameworks/intel/seen/conn-established.zeek"}
{"name":"            /opt/zeek/share/zeek/policy/frameworks/intel/seen/where-locations.zeek"}
{"name":"          /opt/zeek/share/zeek/policy/frameworks/intel/seen/dns.zeek"}
{"name":"          /opt/zeek/share/zeek/policy/frameworks/intel/seen/file-hashes.zeek"}
{"name":"          /opt/zeek/share/zeek/policy/frameworks/intel/seen/file-names.zeek"}
{"name":"          /opt/zeek/share/zeek/policy/frameworks/intel/seen/http-headers.zeek"}
{"name":"          /opt/zeek/share/zeek/policy/frameworks/intel/seen/http-url.zeek"}
{"name":"          /opt/zeek/share/zeek/policy/frameworks/intel/seen/pubkey-hashes.zeek"}
{"name":"          /opt/zeek/share/zeek/policy/frameworks/intel/seen/ssl.zeek"}
{"name":"          /opt/zeek/share/zeek/policy/frameworks/intel/seen/smb-filenames.zeek"}
{"name":"          /opt/zeek/share/zeek/policy/frameworks/intel/seen/smtp.zeek"}
{"name":"          /opt/zeek/share/zeek/policy/frameworks/intel/seen/smtp-url-extraction.zeek"}
{"name":"          /opt/zeek/share/zeek/policy/frameworks/intel/seen/x509.zeek"}
{"name":"        /nsm/zeek/spool/installed-scripts-do-not-touch/site/packages/dovehawk/scripts/dovehawk.zeek"}
{"name":"          /nsm/zeek/spool/installed-scripts-do-not-touch/site/packages/dovehawk/scripts/config.zeek"}

… but no action is taken (dovehawk reports to stdout.log if all goes well, and to reporter.log if something goes wrong).

How can I debug why dovehawk is not working?

Regards,
C. L. Martinez
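
Added example, not part of the original post or of dovehawk: a Python sketch that rebuilds the load tree from loaded_scripts.log JSON lines like those quoted above, so you can confirm which script pulled in each dovehawk file after a package update. The sample is constructed from paths quoted in the message, and the function names are hypothetical.

```python
import json

def parse_load_tree(lines):
    """Return (depth, path, parent) for each loaded_scripts.log JSON line.

    Leading spaces in "name" encode nesting: a script's parent is the
    nearest preceding entry with a smaller indent.
    """
    stack, entries = [], []              # stack holds (indent, path) ancestors
    for raw in lines:
        try:
            name = str(json.loads(raw)["name"])
        except (ValueError, KeyError, TypeError):
            continue                     # skip blank, header or non-JSON lines
        path = name.lstrip(" ")
        indent = len(name) - len(path)
        while stack and stack[-1][0] >= indent:
            stack.pop()                  # drop siblings and deeper entries
        parent = stack[-1][1] if stack else None
        stack.append((indent, path))
        entries.append((len(stack) - 1, path, parent))
    return entries

def package_scripts(entries, package):
    """Map each loaded script under packages/<package>/ to its loader."""
    marker = "/packages/%s/" % package
    return {path: parent for _, path, parent in entries if marker in path}

# Constructed sample: (indent, path) pairs abridged from the excerpt above.
PKG = "/nsm/zeek/spool/installed-scripts-do-not-touch/site/packages"
SEEN = "/opt/zeek/share/zeek/policy/frameworks/intel/seen"
SAMPLE = [json.dumps({"name": " " * n + p}) for n, p in [
    (2, PKG + "/__load__.zeek"),
    (4, PKG + "/add-node-names/__load__.zeek"),
    (6, PKG + "/add-node-names/add-node-names.zeek"),
    (4, PKG + "/dovehawk/__load__.zeek"),
    (6, PKG + "/dovehawk/scripts/dovehawk_expire.zeek"),
    (8, SEEN + "/__load__.zeek"),
    (10, SEEN + "/dns.zeek"),
    (8, PKG + "/dovehawk/scripts/dovehawk.zeek"),
    (10, PKG + "/dovehawk/scripts/config.zeek"),
]]

if __name__ == "__main__":
    loaded = package_scripts(parse_load_tree(SAMPLE), "dovehawk")
    for path, parent in loaded.items():
        print(path.rsplit("/", 1)[-1], "<- loaded by", parent)
```

Presence in this log shows only that a file was loaded at startup; it does not show whether its event handlers ever ran.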