Zeek Newsletter - Issue 17 - April 2022

Welcome to the Zeek Newsletter.

In this Issue:
Development Updates
Zeek Blog and Mailing List
Zeek in the Community
Zeek Package Updates
Zeek in the Enterprise
Upcoming Events
Zeek Related Jobs
Get Involved


Please note the security vulnerability in versions of Zeek prior to 4.0.6 and 4.2.1, discussed in Development Updates. Also see the Upcoming Events section for details on free training on May 20.

Development Updates

On April 21, Tim Wojtulewicz announced the release of Zeek 4.0.6 and Zeek 4.2.1. Both address a security issue. Previous versions of Zeek shipped a vulnerability in the File Transfer Protocol (FTP) analyzer. If an intruder provided specially-crafted input, Zeek might crash due to a buffer overflow condition. Please update to the new versions of Zeek as soon as possible to mitigate this vulnerability.

The Zeek Project would like to thank Jason Ish from the Open Information Security Foundation (OISF) for reporting this vulnerability.

These new versions of Zeek include other fixes as well. See the release notes for details:



Binary packages for the new releases will also be available shortly:


Updated source code is already available:




On April 12, Benjamin Bannier published a bug fix for Spicy, version 1.4.1.

The code is posted here:


Details on the changes are posted here:


Zeek Blog and Mailing List

The mailing list featured several interesting threads. The longest involved how to uninstall Zeek:


The blog featured two stories. The first appears in the Upcoming Events section. The second involved Johanna Amann’s notice that ZeekWeek 2022 will be held the week of October 11-14, in Austin, Texas, USA. The project will open a call for presentations soon.

For more, see the blog and mailing list archive:



Zeek in the Community

Richard Bejtlich published two Zeek in Action videos, on March 24 and April 8:

Comparing Zeek Connection Logs with NetFlow Records


Revisiting NetFlow and Zeek Data


On April 6, Fatema Bannat Wala hosted a Zeek community call. The recording is here:


Keith Jones’ presentation on importing Zeek logs into Elastic is now available:


Johanna Amann’s keynote to the 2022 Passive and Active Measurement Conference, titled "Expect the Unexpected: Lessons from a Decade of Passive Network Measurements" is now available:


Zeek Package Updates

The following packages recently reported updates (as of April 22), via this search:


Update EternalSafety package index file
#180 by 0xl3x1 was merged 3 days ago

Remove ReservoirLabs packages since their repos have vanished
#179 by ckreibich was merged 25 days ago

The packages.zeek.org site reported the last 5 updates as of April 22:

    4/21/22, 8:34 PM zeek-kafka
    4/21/22, 2:50 PM spicy-plugin
    4/19/22, 5:18 AM zeek-EternalSafety
    4/18/22, 2:27 PM zeek-spicy-openvpn
    4/15/22, 5:29 PM zeek-httpattacks

Zeek in the Enterprise

On April 21 Corelight published a blog post on Detection Windows NFS [Network File System] Portmap Vulnerabilities.


Corelight developed and published two Zeek packages to detect attempts to exploit these vulnerabilities:



See the blog post as well for links to packet captures used to test and develop these Zeek packages.

Crowdstrike’s Humio Community Edition now features demo data from a Corelight sensor, powered by Zeek. See Ken Greene’s blog post for details:


Humio Community Edition is a no-cost, cloud-based offering that accepts up to 16 GB of data ingested per day, with a 7-day retention period.


Upcoming Events

The project is delighted to announce that members of the training team will offer free online training on May 20. The event will consist of two sessions, beginning at 8 am US Pacific Time (3 pm UTC).

8:00 am - 12:00 pm (Pacific Time)

Beginner training is aimed at users who have little to no experience with Zeek. Keith Lehigh and Fatema Bannat Wala will introduce basic architecture, show how to run and customize Zeek on the command line, and give guidance on basic log analysis.

1:00pm - 4:30pm (Pacific Time)

In this hands-on session, Aashish Sharma will walk attendees through the fundamentals of Zeek scripting and will offer some practical exercises.

The training is free but registration is required, on a first-come, first-served basis. If you want to attend both sessions, you must register for both sessions:


See https://zeek.org/events/ for other events.

Zeek Related Jobs

The following are a sampling of job opportunities that mention Zeek skills.

Sr. Zeek/Bro Engineer
Latitude Inc Tysons Corner, VA

Lead Engineer - Network Security
Target Brooklyn Park, MN

Senior Consultant, Incident Response (Remote)
CrowdStrike Sunnyvale, CA

For more, see https://www.linkedin.com/jobs/search/?geoId=103644278&keywords=zeek

Get Involved

If you have any comments or material for the newsletter please email news@zeek.org or join the #news Slack channel.


The Slack channel has been very active during the past month. Join today! Here is an invitation link:


Stay up to date by subscribing to the Zeek mailing list:


Follow us on Twitter:


Subscribe to our video channel:


See you next time!