From e6ee7dac7cc5be2489b2083abc10faf3bed0e5f1 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Tue, 17 Mar 2026 13:22:59 -0400
Subject: [PATCH 1/3] Add salt states for custom Zeek package loading

Create /opt/so/conf/zeek/zkg directory and sync custom packages from the manager via file.recurse. Bind mount the directory into the so-zeek container so the entrypoint can install packages on startup.
---
 salt/zeek/config.sls | 14 ++++++++++++++
 salt/zeek/enabled.sls | 1 +
 salt/zeek/zkg/README | 1 +
 3 files changed, 16 insertions(+)
 create mode 100644 salt/zeek/zkg/README

diff --git a/salt/zeek/config.sls b/salt/zeek/config.sls
index 42ea74fc9..2797c6fa2 100644
--- a/salt/zeek/config.sls
+++ b/salt/zeek/config.sls
@@ -32,6 +32,20 @@ zeekpolicydir:
 - group: 939
 - makedirs: True
 
+zeekzkgdir:
+ file.directory:
+ - name: /opt/so/conf/zeek/zkg
+ - user: 937
+ - group: 939
+ - makedirs: True
+
+zeekzkgsync:
+ file.recurse:
+ - name: /opt/so/conf/zeek/zkg
+ - source: salt://zeek/zkg
+ - user: 937
+ - group: 939
+
 # Zeek Log Directory
 zeeklogdir:
 file.directory:
diff --git a/salt/zeek/enabled.sls b/salt/zeek/enabled.sls
index ff090428f..cf87946af 100644
--- a/salt/zeek/enabled.sls
+++ b/salt/zeek/enabled.sls
@@ -35,6 +35,7 @@ so-zeek:
 - /opt/so/conf/zeek/policy/intel:/opt/zeek/share/zeek/policy/intel:rw
 - /opt/so/conf/zeek/bpf:/opt/zeek/etc/bpf:ro
 - /opt/so/conf/zeek/config.zeek:/opt/zeek/share/zeek/site/packages/ja4/config.zeek:ro
+ - /opt/so/conf/zeek/zkg:/opt/so/conf/zeek/zkg:ro
 {% if DOCKER.containers['so-zeek'].custom_bind_mounts %}
 {% for BIND in DOCKER.containers['so-zeek'].custom_bind_mounts %}
 - {{ BIND }}
diff --git a/salt/zeek/zkg/README b/salt/zeek/zkg/README
new file mode 100644
index 000000000..6c3b65ae7
--- /dev/null
+++ b/salt/zeek/zkg/README
@@ -0,0 +1 @@
+# Place custom Zeek packages in /opt/so/saltstack/local/salt/zeek/zkg/
From 6b039b3f9498e377493a315c550ea542b53efd4d Mon Sep 17 00:00:00 2001
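Review bot: `zeekzkgsync` in salt/zeek/config.sls only ever adds files: without `- clean: True`, a package deleted from `salt://zeek/zkg` on the manager stays in `/opt/so/conf/zeek/zkg` on each sensor. Per the commit message, the so-zeek entrypoint installs packages from that directory at startup, so a withdrawn package would keep being installed. I would add `- clean: True` so that removing a package on the manager actually removes it from the grid. A short comment above the state, such as `# Packages synced here are installed by the so-zeek entrypoint; restrict write access to the manager's local zeek/zkg directory`, would record that this path is an install source for code.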
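Review bot: Nothing visible in the salt/zeek/enabled.sls hunk ties a restart of `so-zeek` to changes in the synced package directory. The commit message says the entrypoint installs packages on startup, so if the state's watch list (outside the hunk) does not include `- file: zeekzkgsync`, added, updated or removed packages will not take effect until the container restarts for some other reason. The read-only mount itself is the right choice for an install source. The `so-zeek` state begins and ends outside the hunk, so this needs checking against the full file.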
From: Mike Reeves
Date: Tue, 17 Mar 2026 13:36:03 -0400
Subject: [PATCH 2/3] Consolidate zkg directory creation into file.recurse with makedirs

---
 salt/zeek/config.sls | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/salt/zeek/config.sls b/salt/zeek/config.sls
index 2797c6fa2..41a0ceeb5 100644
--- a/salt/zeek/config.sls
+++ b/salt/zeek/config.sls
@@ -32,19 +32,13 @@ zeekpolicydir:
 - group: 939
 - makedirs: True
 
-zeekzkgdir:
- file.directory:
- - name: /opt/so/conf/zeek/zkg
- - user: 937
- - group: 939
- - makedirs: True
-
 zeekzkgsync:
 file.recurse:
 - name: /opt/so/conf/zeek/zkg
 - source: salt://zeek/zkg
 - user: 937
 - group: 939
+ - makedirs: True
 
 # Zeek Log Directory
 zeeklogdir:
From e0e0e3e97bf8e16d27bc429e7a8992cc8339a9aa Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Tue, 17 Mar 2026 13:36:56 -0400
Subject: [PATCH 3/3] Exclude README from zkg sync

---
 salt/zeek/config.sls | 1 +
 1 file changed, 1 insertion(+)

diff --git a/salt/zeek/config.sls b/salt/zeek/config.sls
index 41a0ceeb5..7313ee0f5 100644
--- a/salt/zeek/config.sls
+++ b/salt/zeek/config.sls
@@ -39,6 +39,7 @@ zeekzkgsync:
 - user: 937
 - group: 939
 - makedirs: True
+ - exclude_pat: README
 
 # Zeek Log Directory
 zeeklogdir:
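Review bot: The added `- makedirs: True` on `file.recurse` (PATCH 2/3) is probably a no-op. As far as I know that state has no `makedirs` parameter and creates the target directory itself, so the key is only absorbed as an extra keyword; this is worth confirming against the Salt version shipped here. If that holds, the line can be dropped. Neither the removed `file.directory` state nor this one sets a mode, so I would make the permissions on this code-bearing directory explicit with `- dir_mode: 755` and a matching `- file_mode`.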
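Review bot: `- exclude_pat: README` (PATCH 3/3) deserves a one-line comment, because the scope of the pattern is not obvious from the line itself. I believe it is a glob matched against the path relative to the source, so it skips only the placeholder at the top of `zeek/zkg` and not a `README` shipped inside a package directory. Something like `# skip only the placeholder README at the top of zeek/zkg; files inside package directories are still synced` above the line would make the intent clear.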