Questions via Email: Zeek development headers

I had a question: are Zeek headers part of the ROCKNSM build? I assume they should be there somewhere so I can run Zeek plugins that require them. ~ Hiphop Anonymous

Yes! Zeek development headers are available for building plugins. To install them, run sudo yum install zeek-devel. We don’t install them by default because:

  1. It’s generally a waste of space for everyday use
  2. We don’t like compilers on our sensors
  3. We like to keep a clean house: only install what you need, when you need it.

If you’re interested in packaging a Zeek plugin as an RPM, here’s an example for an RPM we created for the CommunityID plugin created by Corelight: https://github.com/rocknsm/rpms/blob/master/zeek-plugin-communityid/zeek-plugin-communityid.spec

At a minimum, you can check out the %build section to see how we run cmake and specify the standard OS directories. You can also use the plugin’s ./configure script, which should pick up zeek-config to populate all the values it needs.
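
A pre-flight check for the build host, added here as an example (not code from ROCK NSM or Zeek): it asks zeek-config for the values a plugin build consumes and confirms the headers are actually present before you start cmake or ./configure. The function names and output keys are hypothetical, and the location of the headers under the first include directory is an assumption about the installed layout.

```sh
# Added example: pre-flight check for a Zeek plugin build host.
# Function names and output keys are hypothetical, not part of Zeek or ROCK NSM.

# Ask zeek-config for one value; fail if the call errors or prints nothing.
zc_value() {
    local zc="$1" flag="$2" out
    out="$("$zc" "$flag" 2>/dev/null)" || return 1
    [ -n "$out" ] || return 1
    printf '%s\n' "$out"
}

# Print KEY=VALUE lines for the paths a plugin build consumes.
# Return codes: 1 = zeek-config not found, 2 = a value is empty,
# 3 = header directory missing (development package not installed).
check_zeek_build_env() {
    local zc="${1:-zeek-config}" version plugin_dir include_dir cmake_dir first_inc
    if ! command -v "$zc" >/dev/null 2>&1; then
        echo "zeek-config not found: $zc" >&2
        return 1
    fi
    version="$(zc_value "$zc" --version)" || return 2
    plugin_dir="$(zc_value "$zc" --plugin_dir)" || return 2
    include_dir="$(zc_value "$zc" --include_dir)" || return 2
    cmake_dir="$(zc_value "$zc" --cmake_dir)" || return 2

    # --include_dir may list several colon-separated paths; the first is Zeek's own.
    first_inc="${include_dir%%:*}"
    # Assumption: headers are installed under <include_dir>/zeek.
    if [ ! -d "$first_inc/zeek" ]; then
        echo "no Zeek headers under $first_inc/zeek (is zeek-devel installed?)" >&2
        return 3
    fi

    printf 'ZEEK_VERSION=%s\n' "$version"
    printf 'ZEEK_PLUGIN_DIR=%s\n' "$plugin_dir"
    printf 'ZEEK_INCLUDE_DIR=%s\n' "$first_inc"
    printf 'ZEEK_CMAKE_DIR=%s\n' "$cmake_dir"
}

# Usage on the build host: check_zeek_build_env || exit 1
```

Run it on the build host rather than the sensor; a return code of 3 is the case the question describes, where Zeek is installed but the development headers are not.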

Hope that helps! I’d love to hear what plugins you’re building!