Loading custom scripts

Hello, I am interested in creating a new script, which should contain a new module and that should generate logs and I would like to know in which directory should I locate it and which files should I modify in order to make Zeek use this script in live traffic monitoring.

Analyzing similar issues on Zeek forums, I tried to located my script in a new directory /usr/local/zeek/share/zeek/policy/protocols/dnstunnel/main.zeek and then I wrote @load /protocols/dnstunnel/main on local.rules file (usr/local/zeek/share/zeek/site/ directory).

However, when I try to run deploy on zeekctl, I get this error message: fatal error in /usr/local/zeek/share/zeek/site/local.zeek, line 10: can’t find /protocols/dnstunnel/main

Also, I was trying to make an offline analysis, in normal mode, using the custom script and got this error message:

1715705549.921046 fatal error in : Val::CONVERTER (types/record) (1715711623.803702, CGvI182aQOcnXDzKil, [orig_h=, orig_p=36068/udp, resp_h=, resp_p=53/udp], 39)

I suppose it means that Zeek obtained the informations that I defined that should be shown on the logs, but could not parse it. This is the custom log I was trying to use. I would like to know how to solve these issues. Thanks in advance (and sorry for creating 3 topics in 2 days, I am a new user of Zeek :sweat_smile:).


typically you should put your scripts into the site directory.

You should never put your own scripts in either the policy or the base directories - Zeek assumes that these are under its exclusive control, and your scripts might be deleted or overwritten in updates.

To help with the second error, we would need more information about your scripts - sadly the link is no longer working.

1 Like