Zeek Newsletter - Issue 16 - February - March 2022

Welcome to the Zeek Newsletter!

In this Issue:
Development Updates
Zeek Blog and Mailing List
Zeek in the Community
Zeek Package Updates
Zeek in the Enterprise
Upcoming Events
Zeek Related Jobs
Get Involved


A lot has happened since issue 15, so this newsletter captures as much of that development as possible. The biggest news involves a vulnerability in OpenSSL, as addressed next.

Development Updates

On March 16, Johanna Amann noted that Zeek was affected by CVE-2022-0778, a vulnerability in OpenSSL.

The OpenSSL advisory is here:


Johnna notes:

“A Zeek process will hang when parsing traffic that contains a malicious certificate that is aimed to exploit this vulnerability. Updating to patched versions of OpenSSL, and restarting Zeek, will fix
this issue.”

In a Twitter thread, Johanna noted that Zeek “can detect exploitation attempts using this script that was originally written for a different exploit in 2020 that had a similar-ish mechanic:”


For more information, see Johanna’s Twitter thread:


On March 11, Benjamin Bannier released Spicy 1.4.0. Developers can leverage Spicy to more easily create new protocol parsers.

See the NEWS file for a high-level summary:


See the CHANGES file for a detailed list of changes that went into this release.


To take full advantage of the new features in this release, spicy-plugin-1.3.8 is


Zeek Blog and Mailing List

In addition to discussions of the OpenSSL vulnerability and the Spicy release, the mailing list was fairly active since the last newsletter.

This discussion offered thoughts on how Zeek creates timestamps in the connection log:


This thread talked about ways to only create the DNS log:


For now, the project is not updating the blog.

For more, see the blog and mailing list archive:



Zeek in the Community

On February 10, Dynamite Analytics released NSM 1.1, which includes Zeek (and Suricata, and other capabilities):


On March 2, Fatema Bannat Wala hosted a Zeek community call. The recording is here:


Fatema highlighted the progress made by the Zeek training group on the Zeek Project Approved Training Framework. See this page for details:


On March 9, Security Onion solutions released Security Onion 2.3.110, which includes an intrusion detection honeypot:


Finally, Patrick Kelley continues to release updated threat intelligence feeds formatted for use by Zeek:


Zeek Package Updates

The following packages reported updates recently (as of March 17), via this search:


Added mvlnetdev and the zkg.index file
#178 by mvlnetdev was merged 17 days ago

The packages.zeek.org site reported the following updates as of March 17:

    3/15/22, 2:06 PM spicy-plugin
    3/15/22, 1:22 PM zeek-agent-v2
    3/14/22, 2:51 PM zeek-long-connections
    3/9/22, 10:59 AM bzar
    3/8/22, 5:34 PM zeek-xor-exe-plugin

Zeek in the Enterprise

On February 28, Alex Kirk described how to use Zeek and Suricata to detect nation-state digital attacks:


The post highlighted the feed of IP addresses that Greynoise had observed attacking its honeypot infrastructure in Ukraine. This Twitter thread has details: