Merge pull request #1 from brimdata/init

Initial version

Author: philrz

.github/workflows/release.yml

@@ -0,0 +1,113 @@
+name: Build/release Zeek
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+    tags:
+      - v*brim*
+  workflow_dispatch:
+
+permissions:
+  contents: write
+
+jobs:
+  release:
+    strategy:
+      matrix:
+        platform: [macos-12, ubuntu-20.04, windows-2019]
+    runs-on: ${{ matrix.platform }}
+
+    steps:
+    - name: Checkout build-zeek
+      uses: actions/checkout@v3
+
+    - name: Setup Go
+      uses: actions/setup-go@v3
+      with:
+        go-version: 1.21
+
+    - name: Checkout zeek
+      uses: actions/checkout@v3
+      with:
+        repository: zeek/zeek
+        ref: v6.0.2
+        fetch-depth: 1
+        submodules: recursive
+        path: zeek-src
+
+    - name: Build zeekrunner (Windows)
+      if: startsWith(matrix.platform, 'windows-')
+      run: go build -o zeekrunner.exe zeekrunner.go
+
+    # Includes workaround from https://github.com/maxmind/libmaxminddb/pull/334
+    - name: Build libmaxminddb (Windows)
+      if: startsWith(matrix.platform, 'windows-')
+      run: |
+        call "C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\VC\Auxiliary\Build\vcvarsall.bat" x86_amd64
+        curl -L https://github.com/maxmind/libmaxminddb/releases/download/1.8.0/libmaxminddb-1.8.0.tar.gz | tar xzvf -
+        mkdir libmaxminddb-1.8.0\build
+        cd libmaxminddb-1.8.0\build
+        cmake ..
+        cmake --build .
+        cmake --build . --target install
+        rename "C:\Program Files (x86)\maxminddb\include\maxminddb.h" maxminddb.h.bak
+        sed "/typedef ADDRESS_FAMILY sa_family_t/d" "C:\Program Files (x86)\maxminddb\include\maxminddb.h.bak" > "C:\Program Files (x86)\maxminddb\include\maxminddb.h"
+      shell: cmd
+
+    - name: Build Zeek (Windows)
+      if: startsWith(matrix.platform, 'windows-')
+      run: |
+        choco install -y --no-progress conan --version=1.58.0
+        choco install -y --no-progress winflexbison3
+        call refreshenv
+        call "C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\VC\Auxiliary\Build\vcvarsall.bat" x86_amd64
+        mkdir zeek-src\build
+        cd zeek-src\build
+        cmake.exe .. -DCMAKE_BUILD_TYPE=release -DENABLE_ZEEK_UNIT_TESTS=yes -D CMAKE_INSTALL_PREFIX="C:\Program Files\Git\usr\local\zeek" -DLibMMDB_INCLUDE_DIR="C:\Program Files (x86)\maxminddb\include" -DLibMMDB_LIBRARY="C:\Program Files (x86)\maxminddb\lib\maxminddb.lib" -G Ninja
+        cmake.exe --build .
+        cmake.exe --install .
+        cd
+      shell: cmd
+
+    - name: Install dependencies (Linux)
+      if: startsWith(matrix.platform, 'ubuntu-')
+      run: sudo apt-get -y install cmake make gcc g++ flex libfl-dev bison libpcap-dev libssl-dev python3 python3-dev python3-setuptools swig zlib1g-dev zip libmaxminddb-dev
+
+    - name: Install dependencies (macOS)
+      if: startsWith(matrix.platform, 'macos-')
+      run: brew install cmake swig openssl bison flex libmaxminddb
+
+    - name: Get number of CPU cores
+      uses: SimenB/github-actions-cpu-cores@v1
+      id: cpu-cores
+
+    - name: Build Zeek (Linux/macOS)
+      if: "!startsWith(matrix.platform, 'windows-')"
+      run: |
+        cd zeek-src
+        ./configure --binary-package --enable-static-broker --enable-static-binpac --disable-spicy --disable-af-packet --disable-zeekctl --disable-python --disable-broker-tests --disable-auxtools --disable-archiver --osx-min-version=12
+        make -j${{ steps.cpu-cores.outputs.count }}
+        sudo make install
+        sudo strip /usr/local/zeek/bin/zeek
+
+    - name: Finish packaging artifact
+      run: ./release.sh
+      shell: sh
+
+    - name: Upload artifact
+      uses: actions/upload-artifact@v4
+      with:
+        name: ${{ matrix.platform }}
+        path: zeek-*.zip
+
+    - name: Publish artifact as release
+      if: startsWith(github.event.ref, 'refs/tags/')
+      uses: svenstaro/[email protected]
+      with:
+        repo_token: ${{ secrets.GITHUB_TOKEN }}
+        file: zeek-*.zip
+        file_glob: true
+        tag: ${{ github.ref }}
+        overwrite: true

README.md

@@ -1,2 +1,22 @@
 # build-zeek
-Build Zeek for packaging with Brimcap and Zui
+
+Build [Zeek](https://zeek.org/) for packaging with
+[Brimcap](https://github.com/brimdata/brimcap) and
+[Zui](https://zui.brimdata.io/).
+
+## Background
+
+Before there was official support for compiling Zeek on Windows, developers
+at Brim Data created a [working port](https://github.com/brimdata/zeek) and an
+[artifact based on Zeek v3.2.1](https://github.com/brimdata/zeek/releases/tag/v3.2.1-brim10).
+Because the effort of keeping the port in sync with ongoing Zeek development
+would have been prohibitive, that artifact shipped with Brimcap and Zui for
+years.
+
+In late 2022, work began to officially support
+[Zeek on Windows](https://zeek.org/2022/11/28/zeek-on-windows/),
+and in late 2023 this repo was created to take advantage of that. The minimal
+glue found here starts from the official Zeek source code and makes only the
+changes necessary to build in GitHub Actions, add some needed
+[Zeek Packages](https://packages.zeek.org/), and produce artifacts ready for
+use in Brimcap/Zui.

release.sh

@@ -0,0 +1,89 @@
+#!/bin/sh -ex
+
+case $(uname) in
+    Darwin|Linux)
+        sudo=sudo
+        zip=zip
+        ;;
+    *_NT-*)
+        exe=.exe
+        zip=/c/msys64/usr/bin/zip
+        ;;
+    *)
+        echo "unknown OS: $(uname)" >&2
+        exit 1
+        ;;
+esac
+
+#
+# Install Zeek packages.  We don't use zkg because it didn't work
+# out-of-the-box in recent attempts and our package installation
+# requirements are little more than copying scripts.  We already had
+# the approach below working in our prior Windows port so we'll
+# stick with it for now.
+#
+
+zkg_meta() {
+    section=${1:?'section required'}
+    option=${2:?'option required'}
+    python3 <<EOF
+import configparser
+c = configparser.ConfigParser()
+c.read('zkg.meta')
+print(c.get('$section', '$option', fallback=''))
+EOF
+}
+
+install_zeek_package() {
+    github_repo=${1:?'github_repo required'}
+    git_ref=${2:?'git_ref required'}
+    package=${github_repo#*/}
+    mkdir $package
+    (
+        export PATH=/usr/local/zeek/bin:$PATH
+        cd $package
+        curl -sL https://github.com/$github_repo/tarball/$git_ref |
+            tar -xzf - --strip-components 1
+
+        script_dir=$(zkg_meta package script_dir)
+        $sudo cp -r "$script_dir" /usr/local/zeek/share/zeek/site/$package/
+
+        build_command=$(zkg_meta package build_command)
+        if [ "$build_command" ]; then
+            echo "building plugins not currently supported"
+            exit 1
+        fi
+
+        test_command=$(zkg_meta package test_command)
+        if [ "$test_command" ]; then
+            # Btest fails without explanation on the GitHub Actions
+            # Windows runners, so skip tests there.
+            if [ "$GITHUB_ACTIONS" != true -o "$OS" != Windows_NT ]; then
+               sh -c "$test_command"
+            fi
+        fi
+
+        echo "@load $package" | $sudo tee -a /usr/local/zeek/share/zeek/site/local.zeek
+    )
+    rm -r $package
+}
+
+$sudo pip3 install btest wheel
+
+install_zeek_package brimdata/geoip-conn c9dd7f0f8d40573189b2ed2bae9fad478743cfdf
+install_zeek_package salesforce/hassh 76a47abe9382109ce9ba530e7f1d7014a4a95209
+install_zeek_package salesforce/ja3 421dd4f3616b533e6971bb700289c6bb8355e707
+echo "@load policy/protocols/conn/community-id-logging" | $sudo tee -a /usr/local/zeek/share/zeek/site/local.zeek
+
+#
+# Create zip file.
+#
+
+mkdir -p zeek/bin zeek/lib/zeek zeek/share/zeek
+cp zeekrunner$exe zeek/
+cp /usr/local/zeek/bin/zeek$exe zeek/bin/
+for d in base policy site builtin-plugins; do
+    cp -R /usr/local/zeek/share/zeek/$d zeek/share/zeek/
+done
+
+$zip -r zeek-$(git describe --always --tags).$(go env GOOS)-$(go env GOARCH).zip zeek

zeekrunner

@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+
+dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" >/dev/null 2>&1 && pwd)"
+
+export ZEEKPATH=$dir/share/zeek:$dir/share/zeek/policy:$dir/share/zeek/site
+
+# The packet filter and loaded scripts are disabled because they emit either
+# timeless logs or logs with timestamp set to execution time rather than time
+# of capture.
+exec "$dir/bin/zeek" \
+  -C -r - \
+  --exec "event zeek_init() { Log::disable_stream(PacketFilter::LOG); Log::disable_stream(LoadedScripts::LOG); Log::disable_stream(Telemetry::LOG); }" \
+  local

zeekrunner.go

@@ -0,0 +1,82 @@
+// +build windows
+
+// This tool executes zeek on windows, constructing the required ZEEK*
+// environment variables.  It embeds knowledge of the locations of the zeek
+// executable and zeek script locations in the expanded 'zdeps/zeek' directory
+// inside a Brim installation.
+package main
+
+import (
+	"log"
+	"os"
+	"os/exec"
+	"path"
+	"path/filepath"
+	"strings"
+)
+
+// These paths are relative to the zdeps/zeek directory.
+var (
+	zeekExecRelPath  = "bin/zeek.exe"
+	zeekPathRelPaths = []string{
+		"share/zeek",
+		"share/zeek/policy",
+		"share/zeek/site",
+	}
+)
+
+func pathEnvVar(name, topDir string, subdirs []string) string {
+	var s []string
+	for _, d := range subdirs {
+		s = append(s, path.Join(filepath.ToSlash(topDir), d))
+	}
+	val := strings.Join(s, ";")
+	return name + "=" + val
+}
+
+var ExecScript = `
+event zeek_init() {
+       Log::disable_stream(PacketFilter::LOG);
+       Log::disable_stream(LoadedScripts::LOG);
+       Log::disable_stream(Telemetry::LOG);
+}`
+
+func launchZeek(zdepsZeekDir, zeekExecPath string) error {
+	zeekPath := pathEnvVar("ZEEKPATH", zdepsZeekDir, zeekPathRelPaths)
+
+	cmd := exec.Command(zeekExecPath, "-C", "-r", "-", "--exec", ExecScript, "local")
+	cmd.Stdin = os.Stdin
+	cmd.Stdout = os.Stdout
+	cmd.Stderr = os.Stderr
+	cmd.Env = append(os.Environ(), zeekPath)
+
+	return cmd.Run()
+}
+
+// zdepsZeekDirectory returns the absolute path of the zdeps/zeek directory,
+// based on the assumption that this executable is located directly in it.
+func zdepsZeekDirectory() (string, error) {
+	execFile, err := os.Executable()
+	if err != nil {
+		return "", err
+	}
+
+	return filepath.Dir(execFile), nil
+}
+
+func main() {
+	zdepsZeekDir, err := zdepsZeekDirectory()
+	if err != nil {
+		log.Fatalln("zdepsZeekDirectory failed:", err)
+	}
+
+	zeekExecPath := filepath.Join(zdepsZeekDir, filepath.FromSlash(zeekExecRelPath))
+	if _, err := os.Stat(zeekExecPath); err != nil {
+		log.Fatalln("zeek executable not found at", zeekExecPath)
+	}
+
+	err = launchZeek(zdepsZeekDir, zeekExecPath)
+	if err != nil {
+		log.Fatalln("launchZeek failed", err)
+	}
+}