Test / Installation issues

[murraypete]

Seeing some test failures when installing using zkg (reproduced using the manual route). Build completes OK, tests fail with:

~# cat /usr/local/zeek/var/lib/zkg/testing/bro-http2/clones/bro-http2/zkg.test_command.stderr
http2.load_analyzer ... failed
http2.load_intel ... failed
http2.show-plugin ... ok
2 of 3 tests failed
make[1]: *** [Makefile:3: test] Error 1
make: *** [Makefile:29: test] Error 2

Zeek compiled from source, nghttp2 compiled from the current release tgz (1.42.0), brotli installed via vcpkg, on Ubuntu 20.04.

Overriding tests/installing results in Zeek (predictably) failing with:

~# zeekctl deploy
checking configurations ...
zeek scripts failed.
error in /usr/local/zeek/share/zeek/base/bif/event.bif.zeek, line 493 and /usr/local/zeek/lib/zeek/plugins/mitrecnd_HTTP2/scripts/http2/./main.zeek, line 160: parameter mismatch (record { name:string; c:connection; addl:string; source:string; } and unknown_HTTP2_method, HTTP2::c, HTTP2::method)
error in /usr/local/zeek/lib/zeek/plugins/mitrecnd_HTTP2/scripts/http2/./main.zeek, line 160: argument type mismatch in event invocation (conn_weird(unknown_HTTP2_method, HTTP2::c, HTTP2::method))

Any thoughts?

[murraypete]

Ah - my bad, I'd pulled 4.1.0-dev.120 by mistake. So I guess this is more on an FYI:- currently tests fail with 4.1.0.

Clean install with the stable (3.2.3) release works fine 👍

[Mraoul]

Not surprising, there were a number of deprecation warnings when I updated the code for 3.2 that indicated changes in 4.x. The changes looked substantial so I'm not sure when 4.x will be supported as I'll probably have to read the zeek source again to figure out how things are newly organized. I can keep this issue open until 4.x is supported.

[eric-ooi]

It's me again. :) 4.0 was just released and I definitely ran into the same exact errors as posted above while running Zeek 4.0 on CentOS 7. Looking forward to an update. Please let me know if you need any logs or help with testing.

[Mraoul]

Finally got around to taking a look at this -- apparently the deprecation warnings haven't changed in Zeek 4.0 and they've been pushed to 4.1. The plugin still compiles (with all of the warnings) in 4.0. But there's an issue in one of the zeek scripts. I've pushed the very small change needed to fix it to a new branch (support-zeek-40). Use that if you need to use this plugin right away with 4.0.

I would like to address the deprecation warnings, which are numerous, but it will take a little while since the Zeek code is not really documented so I'll have to read through the bits that have changed. A lot of the changes are simple namespace convention changes, but some changes relate to how data is being handled.

[eric-ooi]

Just installed successfully with no errors and verified that http2.log is logging as expected. Thanks again, @Mraoul!!