Zeek Logo

Updating a Plugin in Zeek 3.1

by | Feb 21, 2020 | 3.1, Uncategorized

By Tim Wojtulewicz

 

With the release of Zeek 3.1 coming soon, we are now fully deprecating all of the old Bro naming, including for the plugin skeleton. This means that plugins may fail to build once Zeek 3.1 has been installed. This blog post describes a set of instructions for migrating a plugin to the new naming scheme. The changes made here will also work with Zeek 3.0, but 3.1 makes them mandatory.

The plugin skeleton has been updated to take into account all of the new naming changes, and lives in the zeek-aux repo. The easiest first steps are to clone this repo, and then run init-plugin to build a fresh skeleton for your plugin in a separate directory. This will allow you to compare your existing setup with the new naming scheme. The most notable changes will be in the configure and CMakeLists.txt files, the renaming from bro-pkg to zkg, and the renaming of script files from .bro to .zeek.

For most projects, the configure script can be copied over directly from the new skeleton into the existing plugin. The main changes in the new configure script are support for passing in a path to cmake and some minor renaming of a few of the variables used. CMakeLists.txt may contain more changes. The primary change here is the move from CMake 2.x to CMake 3 and the renaming of the CMake project attribute from BroPlugin to ZeekPlugin. If you have any custom changes to your CMakeLists.txt, you’ll likely find it easier to copy over the new skeleton version and merge your changes into it.

Handling the move from bro-pkg to zkg is fairly simply. The bro-pkg.meta file is renamed to zkg.meta. If you have a “depends” block in your zkg.meta file, you’ll need to rename the bro-pkg and bro attributes to zkg and zeek, and bump their version numbers to 2.0 and 3.0 respectively.

There are a few other minor changes that need to be made for code and test. The only real change that needs to be made to the code of a plugin is that bro-config.h is renamed to zeek-config.h and any uses of it need to be fixed. For packet plugins, there are a couple of minor include changes that are necessary for compatibility with the major IO Loop changes in Zeek 3.1. These will be detailed in a longer blog post about the IO Loop work in the near future. For tests, the only real changes are that BRO_SEED_FILE in tests/btest.cfg is now ZEEK_SEED_FILE, and that tests need to call zeek instead of bro.

I recently opened a pull request to make the necessary changes to the bro-af_packet-plugin repository, which can be used as a bit of a roadmap for updating a plugin. The PR can be found at https://github.com/J-Gras/bro-af_packet-plugin/pull/15.

Get Zeek
Downloads
Zeek GitHub
Add-on Packages
Try Zeek Online

Documentation
Feature Release
LTS Release
Dev Version
Dev Resources
FAQs

Community
Getting Started
Mastodon
Twitter
Youtube
Discourse
Slack
GitHub Issues
Security Reporting
Contact Us
Subgroups
Training

Events
Upcoming Events
Calendar
ZeekWeek 2024
Past Events

Blog

About About Zeek Leadership Team Code of Conduct Slack Guidelines Governance Framework Mission, Vision, Values

Discover more from Zeek

Subscribe now to keep reading and get access to the full archive.

Continue reading