zkg after CentOS zeek 3.1.1 rpm install

Greetings,

I'm trying to use zkg to install pf_ring, I have zeek 3.1.1 source
available, and the following in the config, but it still errors with

Cannot determine Bro source directory, use --bro-dist=DIR

Having bro_dist defined in the config makes no difference

cat .zkg/config
[sources]
zeek = https://github.com/zeek/packages

[paths]
state_dir = /home/zeek/.zkg
script_dir = /opt/zeek/share/zeek/site
plugin_dir = /opt/zeek/lib/zeek/plugins
zeek_dist = /tmp/zeek-3.1.1
bro_dist = /tmp/zeek-3.1.1

zkg --verbose install zeek/ntop/bro-pf_ring
The following packages will be INSTALLED:
  zeek/ntop/bro-pf_ring (master)

Proceed? [Y/n] Y
Running unit tests for "zeek/ntop/bro-pf_ring"
error: failed to run tests for zeek/ntop/bro-pf_ring: package build_command failed, see log in /home/zeek/.zkg/logs/bro-pf_ring-build.log
Proceed to install anyway? [N/y] N
Abort.

cat /home/zeek/.zkg/logs/bro-pf_ring-build.log
=== STDERR ===
=== STDOUT ===
Cannot determine Bro source directory, use --bro-dist=DIR.

Thanks for any pointers.

Stay Safe,

Greg

The package likely isn’t compatible with Zeek 3.1 yet, since it introduced significant changes. However, you can install pf_ring without using zkg: https://docs.zeek.org/en/current/configuration/#installing-pf-ring

That said, the general recommendation nowadays is to go with af_packet, of which there is a Zeek 3.1 compatible package: https://packages.zeek.org/packages/view/6dedb9cc-5916-11ea-9321-0a645a3f3086

If you go that route, I’ve written a guide to get you started: https://www.ericooi.com/zeekurity-zen-part-ii-zeek-package-manager/

Hope that helps!
Eric

Also - make sure that you install the zeek development headers (assuming you use our rpms, the package is called zeek-devel

Johanna