Introducing Zeek 6

The Zeek team is proud to announce the release of Zeek 6! Work on this release began in February and comprises around 720 commits in 210 PRs. We’re deeply grateful to our contributors in this release cycle, including Jan Grashöfer, Eldon Koyle, Michael Torres, and Fupeng Zhao for their feature work, as well as Aashish Sharma, Mike Patterson, and the members of our testing subgroup for their time and effort — thank you!

This release provides a host of new features. We’re most excited about our experimental support for JavaScript as an alternative to the classic Zeek scripting language. Available on all platforms with recent versions of libnode, this integration bridges access to Zeek’s 500+ events, functions, and globals with the richness of the Node ecosystem, drastically simplifying rapid prototyping and API integrations. Support is completely transparent and functions alongside the traditional language, simply by providing JavaScript files to Zeek:

/* hello.js */
zeek.on('zeek_init', () => {
    console.log('Hello, Zeek!');
});

$ zeek ./hello.js
Hello, Zeek!

This is powered entirely by ZeekJS, a Zeek plugin originally developed at Corelight that now ships with the distribution by default.

This release also adds out-of-the-box support for Community ID flow hashes, removing the need to install the previously required Zeek package for this frequently used feature. To enable Community IDs you can now directly load included scripts.

Zeek 6 continues work that began in 5.2 to support built-in analyzers powered by Spicy, our domain-specific language for parsing protocols and structured data. Support for Spicy parsers is now fully integrated with Zeek, removing the need to install the spicy-plugin package. We’re treading lightly for now as we gain experience with Spicy in production, with the Finger and Syslog parsers switched over. Expect more transitions in the upcoming releases.

For users working with JSON data there’s now a way to ingest JSON into the script layer. The new from_json() built-in function, contributed by Fupeng Zhao, enables reading JSON lines flexibly into Zeek records.

Users operating large Zeek clusters and logging to disk now enjoy proper support for multiple loggers via zeekctl and zeek-archiver, with the name of the producing logger included in the log filenames so that loggers no longer clobber each other's output. There's no change in behavior for single-logger setups.

We’ve made an important change to the Site::local_nets set of subnets. Starting with Zeek 6, this set automatically includes private address space, matching the intuition of many users that for example an IPv4 address in 192.168/16 should show up as local activity in the logs. There are several ways to tune this behavior, including a flag to return to the prior, empty-by-default one.

This release also features a long-overdue overhaul of our cmake infrastructure. More modern and idiomatic, it features a new API for plugin developers and removes many remaining Bro-era constructs. A compatibility layer remains to keep existing plugin cmake code functional, but all plugin authors should bump their cmake version requirement to 3.15, matching Zeek’s.

Our documentation now features a dedicated section for popular Zeek configurations, and provides more detail for many of Zeek’s frameworks.

This is just a glimpse of the changes in Zeek 6. As always, please refer to the release notes for a full walkthrough of important additions, breaking changes, and deprecations.

Several Zeek components that ship with the distribution have new releases as well:

  • Spicy 1.8.1 brings the skip keyword and runtime profiling, and reflects a large performance optimization and bugfix push by the Spicy team.
  • btest, zkg, and zeek-client all have new releases on PyPI with minor bugfixes and new functionality.

Following our usual release cadence, the 6.0.0 release marks the start of our new long-term support (LTS) release train. It will receive important updates through the 6.x cycle, which will last approximately one year. We encourage everyone to upgrade to Zeek 6 at this point. As in the past, we will provide bugfix releases for the 5.0.x release train until the release of 6.1, to provide those on the previous LTS release time to upgrade.

Feedback and questions are always welcome, so please feel free to get in touch via our community channels.
