Introducing Zeek 7

The Zeek team is proud to announce the release of Zeek 7! Work on this release began in February 2024 and includes some 1,100 commits, 330 pull requests, and 140 closed issues. As always, we are particularly grateful to our community members who contributed to this release, including Aashish Sharma, AmalieDue, Christopher Knill, Craig Leres, Devon Thompson, Eldon Koyle, FishyFluffer, Fupeng Zhao, Jan Grashöfer, Jordan Barnartt, Justin Azoff, Martin Meredith, Martin van Hensbergen, Matti Bispham, Mike Dopheide, Mohan Dhawan, Oleksandr Pastushkov, Peter Cullen, ronny8360988, Seth Grover, Seth Hall, Simeon Miteff, Steve Smoot, Tanner Kvarfordt, Victor Dvornikov, and Yacin Nadji. Thank you!

Zeek 7 is the first release to include results of a large and ongoing effort to modernize and modularize core parts of Zeek’s architecture. As part of this push, we substantially reworked the Telemetry framework. Previously powered by Broker and its underlying I/O driver CAF, the telemetry code now fully resides in Zeek. Using prometheus-cpp and civetweb, Zeek now supports Prometheus’s HTTP service discovery for scraping metrics from all nodes in the cluster, replacing Zeek’s earlier custom aggregation to the manager node, which could negatively affect performance. Broker now registers its metrics in Zeek’s Prometheus registry, keeping them available to users. The script-level telemetry API has undergone modest changes, mainly to simplify things — for example, you no longer need to distinguish integer and floating-point metrics. For details, please consult the updated telemetry documentation.

Zeek 7 also ships with a new Spicy release, 1.11. As with Zeek, many of our changes to Spicy happened under the hood: we rewrote much of the compiler’s internal infrastructure for representing Spicy code in memory. The original implementation, while functioning correctly, proved overly complex in its logic and data structures. We simplified this code substantially, speeding up the compiler for users and easing maintenance for the development team. The compiler speed-up helps particularly during Spicy analyzer development: when there’s a glitch in the Spicy code, the compiler now reports the corresponding error much more quickly. As a side effect of the new infrastructure, the compiler has also become more strict: where the old implementation sometimes allowed invalid Spicy code to slip through, the compiler will now object more reliably. In particular, tracking correct usage of constant values is now enforced consistently. Other new features include better control over re-synchronization in the presence of packet loss, much improved support for bitfields, and various new methods for built-in data types. If you are upgrading from Zeek 6.0, you’ll see runtime performance improvements of up to 30% for some protocols. Finally, Spicy’s documentation has gained a section on best practices for writing efficient Spicy parsers, with much of the content contributed by the Corelight Labs team.

Another new feature in Zeek 7 is support for ZAM, the Zeek Abstract Machine. An optional script optimization engine, ZAM aims to improve performance through changes to the basic execution model for Zeek scripts. Normally, Zeek first parses scripts into abstract syntax trees, then executes them by recursively interpreting each node in a given tree. With ZAM, Zeek first compiles these trees into a low-level form that it can execute more efficiently. ZAM has been a feature of Zeek since the 4.2 release, but with Zeek 7 it has matured to a point where we encourage all users to explore it. Make sure to read the documentation to understand caveats about comparing performance with and without ZAM.
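The two execution models described above, as an added toy illustration rather than Zeek's or ZAM's own code: a tiny language with assignments, binary operators and a while loop is first run by a recursive tree-walking interpreter over its abstract syntax tree, and then the same tree is compiled into a flat list of register-machine instructions that a single loop steps through, which is the shape of transformation ZAM applies to Zeek scripts. All node classes, instruction names, register allocation and the sample program are constructed for this example and are not Zeek APIs.

```python
"""Tree-walking interpretation vs. compilation to a flat instruction list.

Constructed toy language (not Zeek script): integer constants, variables,
binary operators and a while loop. Both back ends compute the same result.
"""
from dataclasses import dataclass
import operator
import time


# ---- AST nodes, as a parser would produce them --------------------------
@dataclass
class Num:
    value: int


@dataclass
class Var:
    name: str


@dataclass
class BinOp:
    op: str
    left: object
    right: object


@dataclass
class Assign:
    name: str
    expr: object


@dataclass
class While:
    cond: object
    body: list


OPS = {"+": operator.add, "-": operator.sub, "*": operator.mul, "<": operator.lt}


# ---- Model 1: recursive interpretation of each tree node ---------------
def eval_expr(e, env):
    if isinstance(e, Num):
        return e.value
    if isinstance(e, Var):
        return env[e.name]
    if isinstance(e, BinOp):
        return OPS[e.op](eval_expr(e.left, env), eval_expr(e.right, env))
    raise TypeError(e)


def exec_stmt(s, env):
    if isinstance(s, Assign):
        env[s.name] = eval_expr(s.expr, env)
    elif isinstance(s, While):
        while eval_expr(s.cond, env):  # cond subtree re-walked every iteration
            for b in s.body:
                exec_stmt(b, env)
    else:
        raise TypeError(s)


def interpret(stmts):
    env = {}
    for s in stmts:
        exec_stmt(s, env)
    return env


# ---- Model 2: compile the tree once into a flat register program -------
class Compiler:
    """Emits tuples: (const, dst, val) (mov, dst, src)
    (binop, fn, dst, a, b) (jmp_if_false, cond, target) (jmp, target)."""

    def __init__(self):
        self.code, self.slot_of, self.nregs = [], {}, 0

    def new_reg(self):
        self.nregs += 1
        return self.nregs - 1

    def var_reg(self, name):  # each variable gets a fixed register
        return self.slot_of.setdefault(name, self.new_reg()) if name not in self.slot_of else self.slot_of[name]

    def compile_expr(self, e):
        if isinstance(e, Num):
            r = self.new_reg()
            self.code.append(("const", r, e.value))
            return r
        if isinstance(e, Var):
            return self.var_reg(e.name)
        if isinstance(e, BinOp):
            a, b = self.compile_expr(e.left), self.compile_expr(e.right)
            r = self.new_reg()
            self.code.append(("binop", OPS[e.op], r, a, b))
            return r
        raise TypeError(e)

    def compile_stmt(self, s):
        if isinstance(s, Assign):
            self.code.append(("mov", self.var_reg(s.name), self.compile_expr(s.expr)))
        elif isinstance(s, While):
            top = len(self.code)
            c = self.compile_expr(s.cond)
            jf = len(self.code)
            self.code.append(None)  # back-patched once the loop end is known
            for b in s.body:
                self.compile_stmt(b)
            self.code.append(("jmp", top))
            self.code[jf] = ("jmp_if_false", c, len(self.code))
        else:
            raise TypeError(s)

    def compile(self, stmts):
        for s in stmts:
            self.compile_stmt(s)
        return self.code, self.slot_of, self.nregs


def run_vm(code, nregs):
    """Straight-line dispatch loop: no recursion, no per-node type tests."""
    regs, pc = [0] * nregs, 0
    while pc < len(code):
        ins = code[pc]
        kind = ins[0]
        if kind == "const":
            regs[ins[1]] = ins[2]
        elif kind == "mov":
            regs[ins[1]] = regs[ins[2]]
        elif kind == "binop":
            regs[ins[2]] = ins[1](regs[ins[3]], regs[ins[4]])
        elif kind == "jmp_if_false":
            if not regs[ins[1]]:
                pc = ins[2]
                continue
        elif kind == "jmp":
            pc = ins[1]
            continue
        pc += 1
    return regs


# ---- Constructed sample program: total = 0 + 1 + ... + (n-1) -----------
def sum_program(n):
    return [
        Assign("i", Num(0)),
        Assign("total", Num(0)),
        While(BinOp("<", Var("i"), Num(n)), [
            Assign("total", BinOp("+", Var("total"), Var("i"))),
            Assign("i", BinOp("+", Var("i"), Num(1))),
        ]),
    ]


def run_interpreted(n):
    return interpret(sum_program(n))["total"]


def compile_program(n):
    return Compiler().compile(sum_program(n))


def run_compiled(n):
    code, slot_of, nregs = compile_program(n)
    return run_vm(code, nregs)[slot_of["total"]]


def compare(n):
    """Return (interpreted result, compiled result, seconds for each)."""
    t0 = time.perf_counter(); a = run_interpreted(n)
    t1 = time.perf_counter(); b = run_compiled(n)
    t2 = time.perf_counter()
    return a, b, t1 - t0, t2 - t1


if __name__ == "__main__":
    print(compare(100_000))
```

`compare()` reports measured times rather than asserting a speed-up: in a pure-Python toy the dispatch overhead of the flat loop can cancel the savings from avoiding recursion, which is the same reason the paragraph's caveat about comparing performance with and without ZAM matters in real deployments.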

Zeek 7 features a host of other improvements to the scripting language, analyzer configuration, and JSON ingestion. If you’re upgrading from the 6.0 series, there’s a much larger set of additional features to explore, including new Spicy-powered QUIC and LDAP analyzers, proper support for HTTP upgrades and WebSocket analysis, the ability to delay log writes to enable last-minute augmentations, new hooks in the Intel and NetControl frameworks, support for deeper encapsulation nesting levels, and many others. Importantly, you’ll also benefit from additional performance improvements that we summarized recently. As always, please consult Zeek’s and Spicy’s release notes for the full list of changes.

As the first release in the new cycle, Zeek 7.0 builds on the developments of 6.1 and 6.2, and becomes our latest long-term support release, meaning it will see security fixes and relevant backports for a bit over a year. Our past LTS release, Zeek 6.0, will stop seeing updates when we release 7.1 in a few months.

We encourage all users to upgrade to Zeek 7 at this time.

Feedback and questions are always welcome, so please feel free to get in touch via our community channels.