What follows is an overview of the existing Zeek package ecosystem. Nothing new, but hopefully a fresh description of the big picture can help guide those less familiar or generally fill in gaps.
What are packages?
Zeek packages contain scripts and plugins that extend or change Zeek’s functionality. For example, there could be packages that detect certain attacks/activities, implement new protocol parsing/analysis, add support for alternate logging formats/behavior, or even provide their own method of packet capture.
A package is simply a Git repository containing the source code/scripts which implement its functionality along with a small amount of descriptive metadata.
Packages are optionally registered to a centralized package source so that the Zeek package manager command-line tool, zkg, automatically knows how to locate and install them.
Why use packages?
- Packages help you customize Zeek functionality to your needs.
- Reciprocity. Sharing your packages helps others and others may share things that help you. If you’ve written a custom Zeek script or plugin to a solve a problem, it’s highly likely someone else has the same problem and could re-use your solution, or vice versa.
- The sharing of any given package has potential to stimulate new ideas amongst the community or serve as a reference for those trying to solve similar problems.
- The package manager provides a convenient workflow for managing and organizing all your Zeek customizations in a standardized way.
- Packages are decoupled from Zeek’s release cycle, so the community of package developers can, on their own, rapidly create new features and fix bugs in their standalone packages and deliver them to users at any time.
Where to get packages and how to use/create them?
You can get the command-line package manager tool, zkg, from PyPI via pip:
pip install zkg
Then use the “list” command to browse packages registered in the main Zeek repository.
zkg list all
You may also browse packages online via https://packages.zeek.org.
Read and follow the full quickstart documentation before using zkg to install packages.
If you want to develop a new package, read the how-to guide.
New packages may be submitted via Pull Requests against the default package source repository on GitHub. Follow the directions in the README.
Who creates and maintains the packages?
The Zeek package ecosystem has been around since late 2016 and contains over 100 packages now. Try some out or contribute your own packages anytime.
If you or your organization have packages that you’d like to share with the community, but have any questions or need help with the process, please join the Zeek mailing list and send email to firstname.lastname@example.org so we can assist.