From f1ea9f97f0f2d3a29e5e560a21d363f8b8d5d472 Mon Sep 17 00:00:00 2001 From: Christian Kreibich Date: Tue, 31 Oct 2023 13:04:23 -0700 Subject: [PATCH] Rearrange scripts to prevent double-loading in plugin and package space The Zeek scripts were loaded twice after installation, once via the plugin subsystem and once via zkg also pointing at the scripts folder. Since installation puts these sets of files in two separate locations, Zeek's path-based recognition of redundant loads of a script doesn't catch, and Zeek aborts due to redundant symbols etc. This package has no script content that needs to be loaded at plugin bootstrap time, so this commit shifts the content into the existing subdirectory of the scripts folder and updates zkg accordingly. --- scripts/Corelight/PE_XOR/__load__.zeek | 1 - scripts/__load__.zeek | 6 ------ scripts/init.zeek | 0 zkg.meta | 2 +- 4 files changed, 1 insertion(+), 8 deletions(-) delete mode 100644 scripts/init.zeek diff --git a/scripts/Corelight/PE_XOR/__load__.zeek b/scripts/Corelight/PE_XOR/__load__.zeek index 4093e84..0e5caee 100644 --- a/scripts/Corelight/PE_XOR/__load__.zeek +++ b/scripts/Corelight/PE_XOR/__load__.zeek @@ -3,4 +3,3 @@ # @load ./main - diff --git a/scripts/__load__.zeek b/scripts/__load__.zeek index d5ae7b1..da1a767 100644 --- a/scripts/__load__.zeek +++ b/scripts/__load__.zeek @@ -1,8 +1,2 @@ # This is loaded unconditionally at Zeek startup. Include scripts here that should # always be loaded. - -@load ./init -@load ./Corelight/PE_XOR - - - diff --git a/scripts/init.zeek b/scripts/init.zeek deleted file mode 100644 index e69de29..0000000 diff --git a/zkg.meta b/zkg.meta index e3fe7b5..f40f84d 100644 --- a/zkg.meta +++ b/zkg.meta @@ -2,6 +2,6 @@ description = A plugin to find Windows executables that have been XOR encoded. tags = plugin, pe, executable, malware plugin_dir = build -script_dir = scripts +script_dir = scripts/Corelight/PE_XOR build_command = ./configure && make test_command = cd tests && btest -d
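Review bot: In scripts/__load__.zeek, the comment left behind still tells readers to "Include scripts here that should always be loaded", but nothing explains why the file now loads nothing. Re-adding `@load ./Corelight/PE_XOR` here would bring back the double load described in the commit message. Please add a comment stating that the package scripts are loaded through zkg's script_dir and must not be loaded from this file.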
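Review bot: In zkg.meta, the new `script_dir = scripts/Corelight/PE_XOR` lands with `test_command = cd tests && btest -d` unchanged, and the diffstat touches no test files, so nothing guards against the redundant-load abort coming back. Consider adding a btest that starts Zeek with both the plugin and the zkg-installed scripts present and checks for a clean startup. Since `plugin_dir = build` is unchanged and the scripts stay under the plugin's scripts tree, two copies are still installed, so the test should cover that layout specifically.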