The Zeek team is proud to announce the release of Zeek 5.2, starting the final line of feature releases in the 5.x cycle. Development on 5.2 began in late September 2022 and has included some 660 commits, 178 PRs, and external contributions from the teams at Microsoft and Fox-IT, as well as from Fupeng Zhao, Jason Lu, Josh Soref, Nadav Kluger, and @jeff-bb on GitHub — thank you!

The clear biggie for 5.2 is our emerging support for the Windows platform, thanks to Microsoft open-sourcing their Zeek support and their energetic collaboration to get the work merged — again, thank you! We have started to receive inquiries from users about the status of this work, so here is a summary: please consider Windows support experimental and partial at this time. Zeek’s basic functionality — traffic processing and log production — is functional, and we’ve updated btest, our test driver, to support Windows so a subset of Zeek’s testsuite now passes. Several pieces remain missing, such as support for Spicy, binary plugins, and Zeek packages. If you’re interested in Windows support, we’d very much like to hear from you. Your input and use cases will help us prioritize next steps in this effort.

Given that AF_PACKET has become the default packet capture solution on Linux, we now ship out-of-the-box AF_PACKET support on Linux. To make this possible, we’ve extended the build system’s ability to bundle external plugins into the distribution, and have moved Jan Grashöfer’s popular AF_PACKET Zeek package into the Zeek project space. The package remains available for users of older Zeek versions, just as before.

Zeek’s analyzer framework has gained significant flexibility: the new analyzer_confirmation_info and analyzer_violation_info events carry their context (connection, file, analyzer ID, and for violations a reason) in a single record argument, analyzers have better support for reporting violations, and the Analyzer::enable_analyzer() and Analyzer::disable_analyzer() primitives now also work for packet analyzers, not just protocol analyzers.
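As an added illustration (not code from the Zeek project or this release), the following script uses the two new events to count per-connection analyzer violations and raise a notice once a connection crosses a threshold, and disables a packet analyzer at startup. The module name, notice type, threshold, and the choice of VXLAN as the analyzer to disable are assumptions made for the example:

```zeek
# Added example, not part of the Zeek 5.2 release or its documentation.
# Assumes the 5.2 analyzer framework: analyzer_confirmation_info,
# analyzer_violation_info, and Analyzer::disable_analyzer() accepting packet
# analyzer tags. Module name, notice type and threshold are invented here.

module Heuristics;

export {
    redef enum Notice::Type += {
        ## A connection whose analyzers keep reporting protocol violations.
        Repeated_Analyzer_Violations,
    };

    ## Violations per connection before a notice is raised (assumed value).
    const violation_threshold = 3 &redef;
}

# Per-connection violation counter, keyed on the connection UID.
global violations: table[string] of count &default=0 &write_expire=5min;

event zeek_init()
    {
    # Packet analyzers can now be switched off like protocol analyzers.
    # Here the VXLAN decapsulator is disabled, e.g. for a sensor that
    # should treat tunnel payloads as opaque. Returns F if the tag is unknown.
    if ( ! Analyzer::disable_analyzer(PacketAnalyzer::ANALYZER_VXLAN) )
        Reporter::warning("could not disable the VXLAN packet analyzer");
    }

event analyzer_confirmation_info(atype: AllAnalyzers::Tag, info: AnalyzerConfirmationInfo)
    {
    # A confirmation means the analyzer saw enough traffic to trust its
    # protocol guess. The connection is optional (file analyzers set $f).
    if ( info?$c )
        print fmt("%s confirmed on %s", atype, info$c$uid);
    }

event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationInfo)
    {
    if ( ! info?$c )
        return;

    local uid = info$c$uid;
    violations[uid] += 1;

    # Raise once per connection, at the moment the threshold is reached.
    if ( violations[uid] == violation_threshold )
        NOTICE([$note=Repeated_Analyzer_Violations,
                $conn=info$c,
                $msg=fmt("%d violations on %s, last from %s: %s",
                         violations[uid], uid, atype, info$reason),
                $identifier=uid]);
    }
```

Run it against a capture with `zeek -r traffic.pcap heuristics.zeek` and look for the notice in notice.log. Disabling a packet analyzer is a deployment decision: with VXLAN off, Zeek no longer sees the inner flows of that tunnel, so only do this where that blind spot is acceptable.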

Run-time event-handler management returns! The new &group attribute allows tagging of individual event handlers into groups, with corresponding disable_event_group() and enable_event_group() functions to disable/enable them. Module-level control is provided by the disable_module_events() and enable_module_events() functions.
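As an added example (not from the Zeek project), here is how the &group attribute and the group/module control functions fit together: an expensive http_request handler is tagged with a group, shipped disabled, and switched on later at run time. The module name, group names, the 30-second delay and the URI check are all invented for the illustration:

```zeek
# Added example, not part of the Zeek 5.2 release or its documentation.
# Assumes the &group attribute and the disable_event_group(),
# enable_event_group(), disable_module_events() and enable_module_events()
# functions described in the announcement. Names and the check are invented.

module HTTPHeuristics;

# Event used to flip the expensive checks back on after a delay.
global enable_slow_checks: event();

# Cheap check, tagged with its own group so it can be managed separately.
event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string) &group="http-basic"
    {
    if ( method == "TRACE" )
        print fmt("TRACE request on %s", c$uid);
    }

# More expensive check on every request; tagged so it can be switched off
# at run time without unloading the script.
event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string) &group="http-slow-checks"
    {
    # Illustrative pattern: a URI containing "../" or "..\".
    if ( /\.\.[\/\\]/ in unescaped_URI )
        print fmt("traversal-looking URI on %s: %s", c$uid, unescaped_URI);
    }

event zeek_init()
    {
    # Start with the expensive group off. Handlers elsewhere that use the
    # same group name are affected too, so pick group names deliberately.
    disable_event_group("http-slow-checks");

    # Module-level control would switch off both handlers above at once:
    #   disable_module_events("HTTPHeuristics");

    # For the example, re-enable the slow checks after 30 seconds of
    # (pcap or live) time; a real deployment might key this off load.
    schedule 30sec { enable_slow_checks() };
    }

event enable_slow_checks()
    {
    enable_event_group("http-slow-checks");
    print "slow HTTP checks enabled";
    }
```

Running `zeek -r http.pcap http_heuristics.zeek` shows only the TRACE check firing for the first 30 seconds of capture time, after which the traversal check joins in. Because handlers are toggled by group name across all loaded scripts, a shared naming convention (e.g. prefixing with the module name) avoids accidentally disabling someone else’s handlers.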

We’ve also upgraded our Docker image build pipeline for this release. For performance reasons we’ve moved the builds from GitHub Actions to Cirrus CI, and now publish multi-platform images that support both amd64 and arm64 architectures, enabling the use of our official images on Apple’s M-series processors. We’re in the process of switching the Docker Hub organization from zeekurity to zeek, with both receiving image pushes at the moment. If you’re using our Docker images, please pull from the zeek organization (e.g. “docker pull zeek/zeek:latest”), as we’ll sunset the zeekurity account in the near future.

We’ve upgraded several components of Zeek as well:

  • Spicy has moved to version 1.7 thanks to the Spicy team’s work, with efforts currently underway to improve build and runtime performance, and to start migrating the first Zeek-included parsers to it. Highlights of the 1.7 release include DPD-style protocol detection, as well as support for arbitrary expressions as arguments to type constructors.
  • zeekctl now assigns network ports to workers starting at port 27760, fixing an issue where workers were started on ports inside Linux’s ephemeral port range and could collide with ports the kernel had handed out to other processes. If you override the port base in your own zeekctl configuration, check it against /proc/sys/net/ipv4/ip_local_port_range on the node.
  • zeek-client, the Management Framework’s new management CLI, is now at version 1.2.0, with a significant functional upgrade: it now uses Broker’s WebSocket data transport, removing the hard dependency on Broker’s Python bindings. As a result, users can now install the client from PyPI with a quick “pip install zeek-client”.

These are just some of the highlights of this release. Please consult the release notes for a complete overview, and the documentation for details.

With 5.2 out the door, we’ve begun to focus on our next LTS line of releases — 6.0.x — to land in the summer. As usual, our “mid-cycle” 5.1.x releases will see no further additions at this point, with 5.0.x LTS releases continuing as required until Zeek 6 comes out.

Feedback and questions are always welcome, so please feel free to get in touch via our community channels.
