-
I'm torn here — in terms of complexity it's no big deal to include it, but it's also been a nice example of modular functionality. Not sure how many people see these discussions, but it'd be great to hear feedback on this from Community ID users to understand how much of a pain this installation has been for folks in practice. At first I thought we could expose the hashing API to the script layer and reduce the Community ID package to pure scripts, but that's tricky because the hash inputs need some low-level byte wrangling (see the BiF for details). So I don't think that's a good way forward.
-
I assume that this is not a problem, because we have a lot of features that already require a development environment on the system. The main one here is Spicy - we will start including spicy parsers in Zeek directly, and I assume spicy parsers in general will become very common. They require a dev-environment. Compiling Zeek scripts does too.
-
This work was completed, and CommunityID will be part of the base installation as of Zeek 6.0.
-
(Mostly food for thought, I was writing docs and wanted to use some package as an example and community-id came to mind, but then it's a plugin and needs a development setup to try).
CommunityID has established itself and is implemented by quite a few products/projects:
https://github.com/corelight/community-id-spec#production-implementations
Zeek does not support CommunityID out of the box. Adding it to a vanilla installation involves setting up a development environment to compile an external plugin and the friction that may come with this. Similar arguments about convenience can be made as for AF_Packet though that was certainly more of a "applies to everyone on Linux".
Still, could minimally the CommunityID::hash_conn bif be included in-tree? It's a hash function specifically tailored for network monitoring applications and yet Zeek base does not offer support for it. This could allow the community-id package to become script-only in the future, too.
EDIT: Seems there are some script-level options involved that the bif is using, so it's not just the bif.
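To make concrete the "low-level byte wrangling" the thread refers to, here is an added example (not code from this discussion, the Zeek package or the spec repository) that computes Community ID v1 for TCP/UDP/SCTP tuples following the layout described in the community-id-spec README linked above; the ICMP type/code mapping the spec also defines is left out, and the sample flow is the TCP test flow from that README.

```python
import base64
import hashlib
import ipaddress
import struct

# Community ID v1 covers TCP (6), UDP (17) and SCTP (132) as port-carrying
# protocols; ICMP needs the spec's type/code-to-port mapping, not done here.
PORT_PROTOS = {6, 17, 132}


def community_id_v1(saddr, daddr, proto, sport, dport, seed=0):
    """Return the Community ID v1 string for a TCP/UDP/SCTP flow tuple."""
    if proto not in PORT_PROTOS:
        raise ValueError("only TCP, UDP and SCTP are handled in this example")
    # Addresses are hashed in network byte order; IPv4 and IPv6 both work.
    sa = ipaddress.ip_address(saddr).packed
    da = ipaddress.ip_address(daddr).packed
    # Flow ordering: the byte-wise lower address goes first; on a tie, the
    # lower port. This is what makes both directions hash to the same ID.
    if sa > da or (sa == da and sport > dport):
        sa, da = da, sa
        sport, dport = dport, sport
    # Hash input layout: seed (2 bytes BE) | saddr | daddr | proto (1 byte)
    # | 0x00 padding byte | sport (2 bytes BE) | dport (2 bytes BE)
    data = (struct.pack("!H", seed) + sa + da
            + struct.pack("!BBHH", proto, 0, sport, dport))
    digest = hashlib.sha1(data).digest()
    # Version prefix "1:" followed by standard (padded) base64 of the SHA-1.
    return "1:" + base64.b64encode(digest).decode("ascii")


def is_direction_independent(saddr, daddr, proto, sport, dport, seed=0):
    """True if the forward and reverse tuples yield the same Community ID."""
    fwd = community_id_v1(saddr, daddr, proto, sport, dport, seed)
    rev = community_id_v1(daddr, saddr, proto, dport, sport, seed)
    return fwd == rev


if __name__ == "__main__":
    # TCP test flow from the spec README: 128.232.110.120:34855 -> 66.35.250.204:80
    print(community_id_v1("128.232.110.120", "66.35.250.204", 6, 34855, 80))
```

Correlating the same flow across Zeek, Suricata and other producers only works if every side uses the same seed, so treat the seed as a deployment-wide setting rather than a per-sensor one.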