Incorporate custom protocol analyzer in zeek

[ZeelStreet]

• version: 2.3.190
• on-prem, airgapped ISO install
• One master, three forwarders, a couple search nodes

I've written a custom protocol analyzer for zeek through the spicy plugin. Spicy loads the analyzer into zeek through reading a .hlto file in the specified folder /opt/zeek/lib64/zeek-spicy/modules at zeek startup. There is good documentation on how to add custom scripts to zeek but I can't find any information about how to add custom analyzers. I am simply trying to place a file in a specified folder in the so-zeek container.

How would I go about doing this in the best way, that would be persistent to zeek/security onion updates?

What I've tried:
According to the security onion documentation zeek can be configured by editing the "zeek:" section in either the global or the minion specific salt .sls files. This works great for adding custom scripts. Even though these are salt pillar files they do not follow the standard salt syntax, only a few security onion specific keywords are allowed, and they are only used to edit zeek config files (https://docs.securityonion.net/en/2.3/zeek.html#configuration.) It's therefore not possible to use these .sls-files and regular salt syntax such as file.manage (https://docs.saltproject.io/en/latest/ref/states/all/salt.states.file.html) to add or edit files in the containers.

The logs generated when the so-zeek container is started shows that salt (which seems to follow the standard salt syntax and nothing security onion specific) is used to set up the containers, so somewhere there must be .sls files that are run to setup the containers and could be edited to add the specific files. I have search through the /opt/so/saltstack/local/pillar folder for any other sls files that I might edit to do what I want but found nothing of use. Since the local sub directories are the place outspokenly resistant to changes from updates, changing anything somewhere else would probably not be optimal. There seems to me that there are no clear intended way to modify files on the containers.

[cm-ops]

If you are trying to add a volume bind to the Zeek container, try cp /opt/so/saltstack/default/salt/zeek/init.sls /opt/so/saltstack/local/salt/zeek/init.sls and place your bind in the binds list.

[ZeelStreet]

Thank you!
You do not want to know how many hours I have wasted on this, and such a simple solution! It works great!
Many thanks!