If not using something like virtualenv to manage Python environments, the default user script directory is ~/.local/bin and you may have to modify your PATH to search there for zkg.
After installing via pip, additional configuration is required. First, make sure that the zeek-config script that gets installed with zeek is in your PATH. Then, as the user you want to run zkg with, do:
$ zkg autoconfig
This automatically generates a config file with the following suggested settings that should work for most Zeek deployments:
script_dir: set to the location of Zeek's site scripts directory (e.g. <zeek_install_prefix>/share/zeek/site)
plugin_dir: set to the location of Zeek's default plugin directory (e.g. <zeek_install_prefix>/lib/zeek/plugins)
zeek_dist: set to the location of Zeek's source code. If you didn't build/install Zeek from source code, this field will not be set, but it's only needed if you plan on installing packages that have uncompiled Zeek plugins.
If your Zeek installation is owned by "root" and you intend to run zkg as a different user, then you should grant "write" access to the directories specified by script_dir and plugin_dir. E.g. you could do something like:
The final step is to edit your site/local.zeek. If you want Zeek to automatically load the scripts from all installed packages that are also marked as "loaded", add:
@load packages
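Before handing the resulting setup to a zkg user who is not root, it is worth verifying that the three settings above point at directories that user can actually write to and that local.zeek carries the @load line. The following checker is an added example, not part of zkg or this guide; it assumes the INI-style config zkg autoconfig writes (a [paths] section with script_dir, plugin_dir and zeek_dist) and the default location ~/.zkg/config:

```shell
#!/bin/bash
# Added example (not from the zkg docs): sanity-check the config written by
# "zkg autoconfig" before running zkg as a user other than the one owning Zeek.
# Assumes the zkg INI format with a [paths] section (script_dir, plugin_dir,
# zeek_dist) and local.zeek living in script_dir; all paths are constructed.

# Print the value of KEY from the [paths] section of a zkg config file.
zkg_cfg_get() {
  local cfg="$1" key="$2"
  sed -n "/^\[paths\]/,/^\[/{/^[[:space:]]*${key}[[:space:]]*=/!d;s/^[^=]*=[[:space:]]*//;s/[[:space:]]*\$//p;}" "$cfg" | head -n 1
}

# A directory zkg writes to must exist and be writable by the zkg user.
check_dir() {
  local label="$1" dir="$2"
  if [ -z "$dir" ]; then
    echo "$label: not set"; return 1
  elif [ ! -d "$dir" ]; then
    echo "$label: $dir does not exist"; return 1
  elif [ ! -w "$dir" ]; then
    echo "$label: $dir is not writable by $(id -un)"; return 1
  fi
  echo "$label: $dir ok"
}

# Run every check; the return value is the number of failed checks.
check_zkg_setup() {
  local cfg="$1" failures=0 script_dir plugin_dir zeek_dist
  script_dir="$(zkg_cfg_get "$cfg" script_dir)"
  plugin_dir="$(zkg_cfg_get "$cfg" plugin_dir)"
  zeek_dist="$(zkg_cfg_get "$cfg" zeek_dist)"
  check_dir script_dir "$script_dir" || failures=$((failures + 1))
  check_dir plugin_dir "$plugin_dir" || failures=$((failures + 1))
  # zeek_dist is optional: only packages with uncompiled plugins need it
  [ -n "$zeek_dist" ] || echo "zeek_dist: not set (needed only for uncompiled plugins)"
  # Packages marked "loaded" are only picked up if local.zeek has @load packages
  if ! grep -q '^@load packages' "$script_dir/local.zeek" 2>/dev/null; then
    echo "local.zeek: add '@load packages' to $script_dir/local.zeek"
    failures=$((failures + 1))
  fi
  return "$failures"
}

# Stand-alone use: ./check_zkg_setup.sh ~/.zkg/config
if [ "$#" -gt 0 ]; then check_zkg_setup "$1"; fi
```

Run it as the user that will invoke zkg, since the writability checks are evaluated against that user's permissions.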
Install Third-Party Plugin for ZEEK using the ZKG Utility
Start by cloning the git repo of the package you want to install
This script will loop through the listed repos and install the plugins with zkg
#!/bin/bash

# going to clone under /usr/local/src
SRC_BASE_DIR="/usr/local/src"
mkdir -p "$SRC_BASE_DIR"

##
# get_latest_github_tagged_release
#
# get the latest GitHub release tag name given a github repo URL
# (GitHub redirects /releases/latest to /releases when there is no release,
#  in which case an empty string is printed)
#
function get_latest_github_tagged_release() {
  REPO_URL="$1"
  REPO_NAME="$(echo "$REPO_URL" | sed 's|.*github\.com/||')"
  LATEST_URL="https://github.com/$REPO_NAME/releases/latest"
  REDIRECT_URL="$(curl -fsSLI -o /dev/null -w '%{url_effective}' "$LATEST_URL" 2>/dev/null)"
  if [[ "$LATEST_URL" = "$REDIRECT_URL"/latest ]]; then
    echo ""
  else
    echo "$REDIRECT_URL" | sed 's|.*tag/||'
  fi
}

##
# clone_github_repo
#
# clone the latest GitHub release tag if available (else, master/HEAD) under $SRC_BASE_DIR
# and print the checkout directory on success
#
function clone_github_repo() {
  REPO_URL="$1"
  if [[ -n $REPO_URL ]]; then
    REPO_LATEST_RELEASE="$(get_latest_github_tagged_release "$REPO_URL")"
    SRC_DIR="$SRC_BASE_DIR"/"$(echo "$REPO_URL" | sed 's|.*/||')"
    rm -rf "$SRC_DIR"
    if [[ -n $REPO_LATEST_RELEASE ]]; then
      git -c core.askpass=true clone --branch "$REPO_LATEST_RELEASE" --depth 1 "$REPO_URL" "$SRC_DIR" >/dev/null 2>&1
    else
      git -c core.askpass=true clone --depth 1 "$REPO_URL" "$SRC_DIR" >/dev/null 2>&1
    fi
    # $? here is the exit status of whichever git clone ran above
    [ $? -eq 0 ] && echo "$SRC_DIR" || echo "cloning \"$REPO_URL\" failed" >&2
  fi
}

# install Zeek packages that install nicely using zkg
ZKG_GITHUB_URLS=(
  https://github.com/amzn/zeek-plugin-bacnet
  https://github.com/amzn/zeek-plugin-enip
  https://github.com/amzn/zeek-plugin-profinet
  https://github.com/amzn/zeek-plugin-s7comm
  https://github.com/amzn/zeek-plugin-tds
  #https://github.com/salesforce/ja3
)
for i in "${ZKG_GITHUB_URLS[@]}"; do
  SRC_DIR="$(clone_github_repo "$i")"
  [[ -d "$SRC_DIR" ]] && zkg install --force --skiptests "$SRC_DIR"
done
Manual Install
Start by cloning the git repo of the package you want to install
Then follow the steps below
git clone https://github.com/amzn/zeek-plugin-enip
cd zeek-plugin-enip
./configure
make && \
make install

# if plugin_dir && zeek_dist are not in path you will need to manually specify them
# ./configure --bro-dist="zeek_dist" --install-root="plugin_dir"