As Zeek processes very sensitive data, it would be good if one could contain the running process in a restricted environment. In principle, many OSs provide the capabilities to set up jails/sandboxes for processes; however, that can be pretty painful to set up and maintain.
BroControl could help with that and manage the sandbox automatically. The code would need to be platform-specific, but by focussing on a few common OSs, we could get pretty far.
© 2014 The Bro Project.