Issue 13 – October 2021

Welcome to the Zeek Monthly Newsletter

In this Issue:

  • TL;DR 
  • Development Updates
  • Zeek Blog and Mailing List
  • Zeek in the Community
  • Zeek Package Updates
  • Zeek in the Enterprise
  • Upcoming Events
  • Zeek Related Jobs
  • Get Involved


ZeekWeek 2021 was a great success. Thank you to everyone who participated. Expect to see videos of the sessions posted to the Zeek YouTube channel in November. Also keep an eye open for more Zeek in Action videos: 

Development Updates

As of this writing, the current versions of Zeek are 4.0.4, the Long Term Support (LTS) release, and 4.11, the development release with the newest features.

On October 19, Benjamin Bannier announced the release of Spicy 1.3. Spicy is a parser generator that makes it easy to create robust C++ parsers for network protocols, file formats, and more. Spicy development enables new and improved protocol parsing for network traffic and more.

For details on the new Spicy features, see the release news and changes:

Zeek Blog and Mailing List

The blog and mailing list were fairly quiet in October. Highlights include an announcement for the ZeekWeek Capture the Flag (CTF) contest, and a discussion of Zeek performance on FreeBSD 13.

For more, see the blog and October mailing list archive: 

Zeek in the Community

On October 18, the DFIR (Digital Forensics and Incident Response) Report published an analysis of “an intrusion that began with IcedID malware and ended in XingLocker ransomware, a Mountlocker variant.” They utilized the Real Intelligence Threat Analytics (RITA) scripts developed by Active Countermeasures to process Zeek logs created during their analysis. Read more about the event here: 

On October 24, Florian Roth published a Sigma rule for identifying Monero crypto coin mining within Zeek data. See more here: 

Seth Grover released Malcolm 3.4.0, with updates to Zeek 4.1.1 and Spicy 1.3.0. Thank you to Seth for updating many Zeek packages to work with the latest versions! See this Malcolm release page for more details: 

Finally, the Security Onion conference occurred October 1, and the SuriCon conference for Suricata followed on 20-22 October.

To watch the Security Onion videos, see this YouTube playlist:  

Zeek Package Updates

Corelight released a package which raises notices for the Path Traversal/RCE in Apache HTTP Server 2.4.49 (CVE-2021-41773) and 2.4.50 (CVE-2021-42013) vulnerability. For details, see: 

A visit to the site showed that the Cybersecurity and Infrastructure Security Agency (CISA) updated the following Zeek packages:

These packages are hosted at the agency’s GitHub repository.

Note that Zeek uses these packages to understand industrial control systems and infrastructure protocols.

No packages reported updates in October, according to this search.

Zeek in the Enterprise

Security Onion Solutions released their Response-Ready (R2) Appliances: 

Corelight noted that Splunk was using Zeek and Suricata data in its latest Boss of the SOC (Security Operations Center) (BOTS) exercise: 

Upcoming Events 

Zeek Monthly Webinar Series:  This is a bi-weekly webinar series held on the 2nd and 4th Tuesdays of each month featuring Zeek users, developers and invited guests.  These presentations ARE recorded and shared with the community.

Monthly Zeek Community Call: Monthly calls that are open to everyone to discuss topics related to the growth, governance and administration of the community.  These calls ARE recorded.

For details, see: 

Zeek Related Jobs

The following are a sampling of job opportunities that mention Zeek skills.

Director, Professional Services (Remote)

CrowdStrike  Sunnyvale, CA Remote 

Principal Network Security Researcher

Battelle  Chantilly, VA 

Sr. Security Engineer, Detection & Response

Cruise  San Francisco, CA 

Senior Associate, Cybersecurity, Managed Detection and Response Analyst


Washington, DC Remote 

For more, see

Get Involved

If you have any comments or material for the newsletter please email or join the #news Slack channel.

Stay up to date by subscribing to the Zeek Mailing List.

Join the conversation on Slack

Follow us on Twitter.

See you next time!