From e6ee7dac7cc5be2489b2083abc10faf3bed0e5f1 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Tue, 17 Mar 2026 13:22:59 -0400
Subject: [PATCH] Add salt states for custom Zeek package loading

Create /opt/so/conf/zeek/zkg directory and sync custom packages from the manager via file.recurse. Bind mount the directory into the so-zeek container so the entrypoint can install packages on startup.
---
 salt/zeek/config.sls | 14 ++++++++++++++
 salt/zeek/enabled.sls | 1 +
 salt/zeek/zkg/README | 1 +
 3 files changed, 16 insertions(+)
 create mode 100644 salt/zeek/zkg/README

diff --git a/salt/zeek/config.sls b/salt/zeek/config.sls
index 42ea74fc9..2797c6fa2 100644
--- a/salt/zeek/config.sls
+++ b/salt/zeek/config.sls
@@ -32,6 +32,20 @@ zeekpolicydir:
 - group: 939
 - makedirs: True
 
+zeekzkgdir:
+ file.directory:
+ - name: /opt/so/conf/zeek/zkg
+ - user: 937
+ - group: 939
+ - makedirs: True
+
+zeekzkgsync:
+ file.recurse:
+ - name: /opt/so/conf/zeek/zkg
+ - source: salt://zeek/zkg
+ - user: 937
+ - group: 939
+
 # Zeek Log Directory
 zeeklogdir:
 file.directory:
diff --git a/salt/zeek/enabled.sls b/salt/zeek/enabled.sls
index ff090428f..cf87946af 100644
--- a/salt/zeek/enabled.sls
+++ b/salt/zeek/enabled.sls
@@ -35,6 +35,7 @@ so-zeek:
 - /opt/so/conf/zeek/policy/intel:/opt/zeek/share/zeek/policy/intel:rw
 - /opt/so/conf/zeek/bpf:/opt/zeek/etc/bpf:ro
 - /opt/so/conf/zeek/config.zeek:/opt/zeek/share/zeek/site/packages/ja4/config.zeek:ro
+ - /opt/so/conf/zeek/zkg:/opt/so/conf/zeek/zkg:ro
 {% if DOCKER.containers['so-zeek'].custom_bind_mounts %}
 {% for BIND in DOCKER.containers['so-zeek'].custom_bind_mounts %}
 - {{ BIND }}
diff --git a/salt/zeek/zkg/README b/salt/zeek/zkg/README
new file mode 100644
index 000000000..6c3b65ae7
--- /dev/null
+++ b/salt/zeek/zkg/README
@@ -0,0 +1 @@
+# Place custom Zeek packages in /opt/so/saltstack/local/salt/zeek/zkg/
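Review bot: `zeekzkgsync` sets no `clean: True`, so a package deleted from `salt://zeek/zkg` on the manager stays in `/opt/so/conf/zeek/zkg` on the sensor and, going by the commit description, would still be installed by the entrypoint at the next start. Everything under this directory ends up as code loaded by Zeek, so removal on the manager should remove it on the sensor; add `- clean: True`, and set `- dir_mode:` and `- file_mode:` explicitly instead of relying on defaults. The `README` added under `salt/zeek/zkg` is recursed to the sensor as well; if the entrypoint (not visible here) walks every entry in the directory, `- exclude_pat: README` would keep it out. A comment above `zeekzkgdir`, such as `# Custom Zeek packages synced from the manager; installed by the so-zeek entrypoint`, would match the `# Zeek Log Directory` style used just below.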
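Review bot: Nothing in this hunk makes `so-zeek` restart when the synced packages change, and the commit description says the entrypoint installs them only at startup. The container state's `watch` list lies outside the hunk; if it does not already cover it, an entry such as `- file: zeekzkgsync` is needed, otherwise an updated or withdrawn package keeps running until the next unrelated restart. The new mount is also the only one whose container path repeats the host path instead of pointing under `/opt/zeek`, so it deserves a short comment saying the entrypoint reads packages from `/opt/so/conf/zeek/zkg`.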