Exclude README from zkg sync

Create /opt/so/conf/zeek/zkg directory and sync custom packages
from the manager via file.recurse. Bind mount the directory into
the so-zeek container so the entrypoint can install packages on
startup.

salt/zeek/config.sls

@@ -32,6 +32,15 @@ zeekpolicydir:
     - group: 939
     - makedirs: True
 
+zeekzkgsync:
+  file.recurse:
+    - name: /opt/so/conf/zeek/zkg
+    - source: salt://zeek/zkg
+    - user: 937
+    - group: 939
+    - makedirs: True
+    - exclude_pat: README
+
 # Zeek Log Directory
 zeeklogdir:
   file.directory:
@@ -156,9 +165,6 @@ zeekja4cfg:
     - source: salt://zeek/files/config.zeek.ja4
     - user: 937
     - group: 939
-    - template: jinja
-    - defaults:
-        JA4PLUS_ENABLED: {{ ZEEKMERGED.ja4plus_enabled }}
 
 # BPF compilation failed
 {% if ZEEKBPF and not ZEEK_BPF_STATUS %}

salt/zeek/defaults.yaml

@@ -1,6 +1,5 @@
 zeek:
   enabled: False
-  ja4plus_enabled: False
   config:
     node:
       lb_procs: 0

salt/zeek/enabled.sls

@@ -35,6 +35,7 @@ so-zeek:
       - /opt/so/conf/zeek/policy/intel:/opt/zeek/share/zeek/policy/intel:rw
       - /opt/so/conf/zeek/bpf:/opt/zeek/etc/bpf:ro
       - /opt/so/conf/zeek/config.zeek:/opt/zeek/share/zeek/site/packages/ja4/config.zeek:ro
+      - /opt/so/conf/zeek/zkg:/opt/so/conf/zeek/zkg:ro
       {% if DOCKER.containers['so-zeek'].custom_bind_mounts %}
         {% for BIND in DOCKER.containers['so-zeek'].custom_bind_mounts %}
       - {{ BIND }}

salt/zeek/files/config.zeek.ja4

@@ -8,20 +8,20 @@ export {
   option JA4_raw:        bool = F;
 
   # FoxIO license required for JA4+
-  option JA4S_enabled:   bool = {{ 'T' if JA4PLUS_ENABLED else 'F' }};
+  option JA4S_enabled:   bool = F;
   option JA4S_raw:   bool = F;
 
-  option JA4D_enabled:  bool = {{ 'T' if JA4PLUS_ENABLED else 'F' }};
+  option JA4D_enabled:  bool = F;
 
-  option JA4H_enabled:   bool = {{ 'T' if JA4PLUS_ENABLED else 'F' }};
+  option JA4H_enabled:   bool = F;
   option JA4H_raw:   bool = F;
 
-  option JA4L_enabled:   bool = {{ 'T' if JA4PLUS_ENABLED else 'F' }};
+  option JA4L_enabled:   bool = F;
+  
+  option JA4SSH_enabled: bool = F;
 
-  option JA4SSH_enabled: bool = {{ 'T' if JA4PLUS_ENABLED else 'F' }};
+  option JA4T_enabled: bool = F;
+  option JA4TS_enabled: bool = F;
 
-  option JA4T_enabled: bool = {{ 'T' if JA4PLUS_ENABLED else 'F' }};
-  option JA4TS_enabled: bool = {{ 'T' if JA4PLUS_ENABLED else 'F' }};
-
-  option JA4X_enabled:   bool = {{ 'T' if JA4PLUS_ENABLED else 'F' }};
+  option JA4X_enabled:   bool = F;
 }

salt/zeek/soc_zeek.yaml

@@ -2,10 +2,6 @@ zeek:
   enabled:
     description: Controls whether the Zeek (network packet inspection) process runs. Disabling this process could result in loss of network protocol metadata. If Suricata was selected as the protocol metadata engine during setup then this will already be disabled.
     helpLink: zeek.html
-  ja4plus_enabled:
-    description: "Enables JA4+ fingerprinting (JA4S, JA4D, JA4H, JA4L, JA4SSH, JA4T, JA4TS, JA4X). By enabling this, you agree to the terms of the JA4+ license (https://github.com/FoxIO-LLC/ja4/blob/main/LICENSE-JA4)."
-    forcedType: bool
-    helpLink: zeek.html
   config:
     local:
       load:

salt/zeek/zkg/README

@@ -0,0 +1 @@
+# Place custom Zeek packages in /opt/so/saltstack/local/salt/zeek/zkg/