The Zeek team is proud to announce Zeek 7.1! Work on this release began in July 2024 and includes some 1,400 commits, 340 pull requests, and 130 closed issues. The 7.1 release introduces new user-visible features, contains many bugfixes, and advances a bunch of exciting architectural work that will bear fruit over the course of the next releases.
Zeek 7.1 expands conn.log to report flows of IP-borne protocols other than TCP, UDP, and ICMP. All conn.log entries now have an ip_proto field that carries the numeric IP protocol identifier used by the flow. The release also ships scripts that suppress this behavior and that add protocol names for those additional protocols where they are known.
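As an added example, not part of this announcement or of the Zeek project's own code, the Python below reads conn.log in Zeek's TSV format (column names taken from the #fields header) and tallies flows whose ip_proto falls outside the transports conn.log covered before 7.1. The log text is constructed, and the unknown_transport value in its proto column is an assumption about how such flows are rendered.

```python
# Added example (not from the Zeek project): summarize conn.log by the
# 7.1 ip_proto field. The log text below is constructed, not real output.
from collections import Counter

# IANA protocol numbers of the transports conn.log covered before 7.1.
KNOWN = {1: "icmp", 6: "tcp", 17: "udp", 58: "ipv6-icmp"}

SAMPLE_CONN_LOG = (
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tip_proto\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tcount\n"
    "1730000000.1\tCjh3KU1\t10.0.0.5\t51234\t10.0.0.9\t443\ttcp\t6\n"
    "1730000001.2\tCd9b2a3\t10.0.0.5\t0\t10.0.0.9\t0\tunknown_transport\t47\n"
    "1730000002.3\tCx7y1z2\t10.0.0.7\t5353\t224.0.0.251\t5353\tudp\t17\n"
    "1730000003.4\tCq2w3e4\t10.0.0.5\t0\t10.0.0.11\t0\tunknown_transport\t50\n"
    "1730000004.5\tCz8x9c0\t10.0.0.5\t0\t10.0.0.9\t0\tunknown_transport\t47\n"
    "#close\t2024-10-27-00-00-05\n"
)


def parse_zeek_tsv(text):
    """Yield one dict per record; '-' (Zeek's unset marker) becomes None."""
    fields = None
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue  # other '#' lines (#types, #close, ...) are metadata
        if fields is None:
            raise ValueError("record before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError("column count mismatch: %r" % line)
        yield {k: (None if v == "-" else v) for k, v in zip(fields, values)}


def unusual_ip_protocols(text):
    """Return {ip_proto: flow count} for flows whose protocol is not in KNOWN."""
    counts = Counter()
    for rec in parse_zeek_tsv(text):
        if rec.get("ip_proto") is None:  # logs from releases before 7.1
            continue
        proto = int(rec["ip_proto"])
        if proto not in KNOWN:
            counts[proto] += 1
    return dict(counts)


if __name__ == "__main__":
    print(unusual_ip_protocols(SAMPLE_CONN_LOG))  # → {47: 2, 50: 1}
```

Pointing it at a real 7.1 conn.log gives a quick inventory of the GRE, ESP, or other non-TCP/UDP/ICMP traffic that was previously invisible in this log.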
This release also includes a number of analyzer improvements. We’ve added a PostgreSQL protocol analyzer, written in Spicy and enabled by default. The analyzer’s events and its postgresql.log should be considered preliminary and experimental. We’ve improved the LDAP, MySQL and DNS analyzers, and Zeek now includes an experimental, off-by-default Spicy-based TLS parser that is test-level equivalent to the existing BinPAC-based one Zeek has included for a long time. Interested users should refer to the release notes for details.
The telemetry framework now provides additional metrics around packet capture. This includes counters for the number of bytes, received packets, and dropped packets, gauges for network time and “packet lag” (the difference between Zeek’s network time and wall time), and a few others. Please refer to the policy/misc/stats.zeek script for more information.
Zeek 7.1 ships with a new Spicy release, 1.12, which provides new syntax for inclusion of conditional unit fields via if-else, improved error handling, faster parser compilation, and a host of other improvements and bugfixes; see the spicy-1.12.0 release notes for more details.
Broker, Zeek’s message I/O layer, features new sender-side buffering logic that operates on per-peer granularity. It adds three policies for dealing with receivers that fall behind sufficiently in their message processing to allow the sender-side buffer to fill. Such receivers can be temporarily disconnected, or the message buffer can drop oldest/newest messages in favor of new messages to transmit. This new buffer granularity avoids “spillover” effects with the previously global buffer, in which a single, substantially slow receiver could cause a peered node to stop transmitting to any of its peers. Telemetry and logging for this feature are available but experimental. Please see the release notes for details.
Under the hood, we’ve done extensive work to make Zeek’s cluster communication and its serialization formats configurable and pluggable, allowing power users to run Zeek on cluster backends of their choosing. As of 7.1, this work is partially functional but not yet suitable for real-world use. We’ll have a lot more to say about it with the upcoming 7.2 and 8 releases.
Zeek 7.1 contains many additional changes, so please take a moment to read Zeek’s and Spicy’s release notes for the full list of changes.
As a reminder, our x.1 and x.2 feature releases contain work that may well change by the time our next long-term-support (LTS) release, 8.0, arrives in the summer. The release of Zeek 7.1 also means we’ll no longer update the 6.0.x LTS series, and encourage all users still on 6.0.x who’d like to remain on an LTS release train to upgrade to 7.0.x now. Furthermore, x.1 releases trigger deprecation removals, and we’ve removed a small number of core APIs deprecated since 6.1. For Zeek package developers, particularly those of you working on plugins, now is a great time to verify that your packages still work as expected.
Feedback and questions are always welcome, so please feel free to get in touch via our community channels.
We would like to thank our community members for their contributions to Zeek: Aashish Sharma, Andras Gemes, Anthony Kasza, Benjamin Grap, @Chiragdeshlehra27, @cooper-grill, Craig Leres, Eldon Koyle, Emmanuele Zambon, Fox-IT Data Science, Fupeng Zhao, Jan Grashöfer, Jordan Barnartt, Jürgen Löhel, Justin Azoff, @Lucasmeteenc, Martin van Hensbergen, Matti Bispham, Matteo, Mike Dopheide, Mike Peters, Mohan Dhawan, @p-l-, @robinkou, Rodrigo Rojo, @scyllaever, Seth Hall, Simeon Miteff, @Sonderino, @superzerosec, Sven van Hal, Theo Buehler, @timo-mue, @Zopazz, and Zach Robinette — thank you!
We’d also like to thank Corelight for its continued support of the Zeek project.