Replies: 10 comments
-
Are there more benefits to this besides being able to update them outside the normal Zeek release cycle ? Was thinking that updates to Can't think of an overall objection to doing this, just benefits seem minor. As for implementing smoothly: could move them to git submodules so that |
Beta Was this translation helpful? Give feedback.
-
The plan is to go through policy/ during the next cycles and take stock what makes sense to move. |
Beta Was this translation helpful? Give feedback.
-
So realistically. I don't think this is going to happen unless somebody volunteers to take on the (substantial) work. I'll remove the milestone. |
Beta Was this translation helpful? Give feedback.
-
Ok, this doesn't seem as bad as I thought. Some questions:
Here's the stuff in policy that's currently being loaded by default:
More detailed comments for each script:
|
Beta Was this translation helpful? Give feedback.
-
Another open question here is the documentation. I have some Zeekygen + Sphinx scripts which will generate the documentation and link to the RTD docs for the core features but, for instance, new notice types don't get documented in the package docs. Right now, we document base/frameworks/notice with stuff like:
What I'd like to see is documentation for MHR which just shows which Notice types that are added by that script. Maybe a separate issue for that? |
Beta Was this translation helpful? Give feedback.
-
Great list, thanks, Vlad! Yes, there are a number of conceptual questions that we'll need to answer first to make this work. The technical part of actually moving is probably the smallest piece of the work. Some quick thoughts:
I keep mulling over this one as well. One repo per package would of course work, and may just be fine; probably also depending on number of packages we end up with. We could alternatively create a single monorepo containing everything we maintain (say,
I do think this is an opportunity to review what's in base as well, so making changes to standards logs there seems fine to me where it makes sense.
Yeah, I can see leaving some technical helper scripts in there. Your list goes into the right direction I would say: everything that's clearly a self-contained unit of typical add-on analysis functionality should move into a package. Pinging @ckreibich who might have some thoughts here as well. |
Beta Was this translation helpful? Give feedback.
-
To me a new GitHub account/organization feels right. Given that folks currently One thought: in the past we've repeatedly encountered a need for a stronger "standard library" for the scripting layer — something that might include additional container data types, statistical tooling, etc. I'm not sure "policy" alone captures this, so perhaps this is a good opportunity to establish a "Zeek Standard Library" that this new account would then represent. |
Beta Was this translation helpful? Give feedback.
-
I really like the idea of a ZSL. However, I think it would be a bit strange to mix data types and detection scripts like heartbleed. Maybe the ZSL and the policy/standard scripts are two different things?
Because that's the only one that is marked as tricky: I think that would be a candidate to revisit base as Robin already suggested. Moving the Intel Framework as a whole into its own package should be quite straight forward. I have a POC somewhere. |
Beta Was this translation helpful? Give feedback.
-
If effort is going into packaging policy scripts, it may be worthwhile to consider reorganizing "utils" and "misc" scripts into packages too. |
Beta Was this translation helpful? Give feedback.
-
Yeah Anthony, agreed ... there's a lot of scope. But |
Beta Was this translation helpful? Give feedback.
-
This idea has been floating around for a while: The non-standard scripts in
policy/
might be better maintained as external packages these days. That way they could be updated outside of Zeek releases; and also conceptually, there isn't really that much that makes them that special compared to other packages.We'd need to make the upgrade path smooth.
We'd probably still recommend a default set of packages to people and could keep shipping a local version of those packages as a default.
Beta Was this translation helpful? Give feedback.
All reactions