Zeek ignores my spicy plugins

Development
1

I’m creating a spicy protocol analyzer with zkg create and installing it using zkg install. Everything works fine if I call Zeek with its the package path, like:

zeek -C -r file.pcap /usr/local/zeek/share/zeek/site/packages/

However, if I just run:

zeek -C -r file.pcap

the script files in the scripts folder are apparently not loaded.

Am I missing something here?

How to reproduce:

zkg create --features spicy-protocol-analyzer --user-var name=foobar --user-var analyzer=FOOBAR --user-var protocol=TCP --user-var unit_orig=request --user-var unit_resp=response --packagedir foobar
cd foobar
echo "syntax error!" > scripts/main.zeek
git commit -a -m nothing
zkg install --skiptests --force .

Running zeek -C -r file.pcap /usr/local/zeek/share/zeek/site/packages/ results in a syntax error (as expected), but simply running zeek -C -r file.pcap does not.

Zeek is used in version 7.0.6 using the following docker script:

FROM debian:bookworm

RUN apt-get update && \
    apt-get install -y build-essential cmake python3 flex bison libpcap-dev libssl-dev libz-dev swig python3-dev vim less

ADD zeek-7.0.6.tar.gz /root

RUN cd /root/zeek-7.0.6 && \
    ./configure --enable-debug && make && make install

RUN apt-get install -y git python3-pip && \
    pip3 install --break-system-packages GitPython semantic-version
2

This is expected behaviour - although, looking for documentation, I think this is not called out in an explicit enough manner - it’s documented kind of indirectly.

To give a bit more context - the way that packages are typically loaded is by adding @load packages to your site/local.zeek. This is spelled out in 1. Quickstart Guide — Zeek Package Manager Documentation

However, site/local.zeek is only loaded by default if you use zeekctl to start Zeek. If you start Zeek from the command line, Zeek only loads the script in the base directory. You have to explicitly specify that the local scripts should be loaded by executing, e.g., zeek local.zeek.

This behaviour is e.g. documented here, where it’s called out that zeekctl loads local.zeek. However all of this seems a bit hidden if one doesn’t exactly know what Zeek does at startup.

3

Thank you for your very quick help. I had already thought that this is a case of RTFM.