Zkg plugins usage problems

I’m testing Zeek functionality and just came across zkg. Following the zkg quickstart guide, I preinstalled pip3 with “sudo apt install pip3”, installed “zkg” with “sudo pip3 install zkg” and then tried to get the packages “ja3” and “file-extract”. Fun fact: I wasn’t able to install it or use zkg in any way as the root user.


But now I’m not able to use it at all as any user.

So, I’m able to run Zeek with the local policy as user “eth0” and get the correct result (the file-extraction package is loaded and its scripts are loaded).
But I don’t really understand how it is being loaded, because in the local policy file “local.zeek” I don’t have any “@load” statements for those scripts.
So I suppose I found the place where zkg stores installed packages, but I don’t have it in my “/opt/zeek/share/zeek/site/” directory, as shown in Zeek Training Day 2022.

So, i’m confused about this:

  1. Why am I not able to run “zkg”, and why does this error appear?
  2. How is the package loading process organised in Zeek? I haven’t found the required material in the zkg documentation.

Update: I suppose the plugin didn’t load. I get a different file format generated.

Hi there,

Let me try to untangle this a bit. First, zkg ships with Zeek by default, so you shouldn’t need to install it. You can install it separately via pip, but you then need to ensure that it properly understands your Zeek installation — let’s table that option for the moment.

The thing you install with zkg is called a package. A plugin is binary code — a .so — that extends Zeek’s core. A package may or may not come with a plugin. The packages you’ve mentioned do not involve plugins.

zkg distinguishes between installing a package and loading it (i.e., making it active in Zeek). By default, installation of a package leads to it being loaded. The tail end of local.zeek covers the packages:

# Uncomment this to source zkg's package state
# @load packages

Do so, and Zeek will use the installed packages.

You can alternatively also load select packages only by saying @load ja3 or whatever is the name of that package. You’ll see that zkg places symlinks into your installation’s site folder for that purpose.

Your screenshots show that packages are active.

Hope this helps,
Christian

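As an added example (not part of this thread, and not zkg’s own code) of the install-versus-load distinction Christian describes: a small POSIX shell script that inspects a site directory the way zkg lays it out. It assumes that zkg records the packages it has activated as `@load ./<name>` lines in the .zeek files under `<site_dir>/packages` (the directory that `@load packages` resolves to), and that the switch in local.zeek is the commented-out `@load packages` line quoted above. The site directory and its files are constructed inline as a fixture so the script runs offline; the names `zkg_loaded_packages`, `local_loads_packages` and `make_fixture` are this example’s own.

```shell
#!/bin/sh
# Added example, not from the forum thread or from zkg itself.
# Assumptions: zkg keeps its autoload list under <site_dir>/packages/ as
# "@load ./<name>" lines, and local.zeek activates all of them only when
# it contains an uncommented "@load packages" line.

set -u

# Packages that "@load packages" would activate: every "@load ./<name>" in the
# top-level .zeek files of <site_dir>/packages (e.g. __load__.zeek). Entries
# that point at another .zeek file (an indirection, not a package) are dropped.
zkg_loaded_packages() {
    site_dir=$1
    [ -d "$site_dir/packages" ] || return 0
    for f in "$site_dir/packages"/*.zeek; do
        [ -f "$f" ] || continue
        sed -n 's/^@load[[:space:]]*\.\/\([A-Za-z0-9_.-]*\).*/\1/p' "$f"
    done | grep -v '\.zeek$' | sort -u
}

# Does local.zeek source zkg's package state? Prints 1 if an uncommented
# "@load packages" line exists, 0 otherwise (a "# @load packages" does not count).
local_loads_packages() {
    if grep -Eq '^[[:space:]]*@load[[:space:]]+packages([[:space:]]|$)' "$1"; then
        echo 1
    else
        echo 0
    fi
}

# Constructed fixture: a site dir where ja3 and file-extraction are installed
# (symlinked into packages/ by zkg) but local.zeek still has the default
# commented-out "@load packages" line, as in the question.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/packages/ja3" "$dir/packages/file-extraction"
    printf '@load ./ja3\n@load ./file-extraction\n' > "$dir/packages/__load__.zeek"
    printf '@load tuning/defaults\n\n# Uncomment this to source zkg'"'"'s package state\n# @load packages\n' \
        > "$dir/local.zeek"
    echo "$dir"
}

FIX=$(make_fixture)
echo "packages zkg would load: $(zkg_loaded_packages "$FIX" | tr '\n' ' ')"
echo "local.zeek sources them:  $(local_loads_packages "$FIX/local.zeek")"

# Apply the fix from the answer: uncomment the line, then re-check.
sed -i.bak 's/^# @load packages$/@load packages/' "$FIX/local.zeek"
echo "after uncommenting:       $(local_loads_packages "$FIX/local.zeek")"
```

On a real installation, point the two functions at `$(zeek-config --site_dir)` instead of the fixture, or simply run `zkg list` to see what zkg considers installed and loaded; the point of the script is only to make visible that installation (the symlinks under packages/) and activation (the `@load packages` line in local.zeek) are two separate steps.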