Zeek Newsletter - Issue 18 - May-Early June 2022

Welcome to the Zeek Newsletter.

In this Issue:

  • TL;DR
  • Development Updates
  • Zeek Blog and Mailing List
  • Zeek in the Community
  • Zeek Package Updates
  • Zeek in the Enterprise
  • Upcoming Events
  • Zeek Related Jobs
  • Get Involved


TL;DR

There’s a lot of news in this issue, particularly regarding new code. A release candidate for Zeek 5.0 is here, as well as a security and bug fix release for the current branches. Please update your sensors and consider testing the 5.0 RC.

Development Updates

On June 3, Tim Wojtulewicz announced the release of Zeek 4.0.7 and 4.2.2. Both address a potential denial of service vulnerability in the DNS analyzer. Thank you to Google’s OSS-Fuzz project for reporting this vulnerability. Please update Zeek as soon as possible.

These new versions may include other fixes as well. See the release notes for details:



Binary packages for the new releases are available:


Updated source code is available:




On June 3, Tim also published the first release candidate for Zeek 5.0.0. Zeek now includes support for building Spicy and spicy-plugin as part of Zeek. This feature is enabled by default and can be turned off by passing the --disable-spicy flag to ./configure. Spicy is the new and easier way to build protocol parsers for Zeek.

See the release notes for details:


Updated source code is available:


Along with the Zeek 5.0.0 release candidate, there is also a new Broker release:


Finally, a new version of zkg, version 2.13.0, is available. Details on the minor updates are here:


Users can work with the version bundled with Zeek or install zkg using PyPI.

Zeek Blog and Mailing List

Johanna Amann migrated the mailing list to a Discourse platform in late May. The site is available here:


If you create a new account with the same email address that you used with the previous mailing list, all your old posts will be assigned to you. Please let us know if you encounter any issues, either by Slack, email, or the site-feedback category on Discourse.

For now the old mailing list archives are still available at the previous site:


Zeek in the Community

Richard Bejtlich published one new Zeek in Action video, on May 13:

Zeek in Action, Video 16, Interpreting Cyber Threat Intelligence Reports


On May 4, Fatema Bannat Wala hosted a Zeek community call. The recording is here:


On June 1, Fatema Bannat Wala hosted another Zeek community call. The recording is here:


The Zeek training team conducted a free community training session on May 20. Thank you to everyone who taught and participated, especially instructors Keith Lehigh, Fatema Bannat Wala, and Aashish Sharma.

Zeek Package Updates

The following packages recently reported updates (as of June 6), via this search:


Added two new detection packages for recent MS disclosure.

#185 by keithjjones was merged 6 days ago

Add CVE-2022-22954 detector

#184 by ynadji was merged 17 days ago

Add CVE-2022-26809 detector

#183 by ynadji was merged 20 days ago

Added parser for Genisys to CISA ICSNPP package index

#182 by mmguero was merged on May 3

Add two CVE detection packages.

#181 by keithjjones was merged on Apr 25

The packages.zeek.org site reported the last 5 updates as of June 6:

6/3/22, 2:30 PM zeek-netmap

6/3/22, 9:04 AM spicy-http

6/3/22, 9:01 AM spicy-dns

6/2/22, 2:59 PM icsnpp-opcua-binary

6/2/22, 1:51 PM spicy-plugin

Zeek in the Enterprise

In May, Corelight published several blog posts showing how to use Zeek to detect exploitation of the following vulnerabilities:

CVE-2022-26809 (Windows)

CVE-2022-22954 (VMware)

CVE-2022-26937 (Windows NFS)

CVE-2022-23270 (PPTP)

See the Corelight blog for details:


On May 16, Seth Grover announced the version 6.0.0 release of Malcolm, with Suricata version 6.0.0, Arkime version 3.4.2, and Zeek version 4.2.1 as network traffic metadata providers. Check out the release page on GitHub:


Upcoming Events

Stay tuned for word on the call for papers for ZeekWeek 2022. The project will hold the conference the week of October 11-14, in Austin, Texas, USA.

See https://zeek.org/events/ for other events.

Zeek Related Jobs

The following is a sampling of job opportunities that mention Zeek skills.

Cyber Threat Hunter, Senior

Booz Allen Hamilton

Washington, DC



National Space Program Blue Force Support


Chantilly, VA



Manager, Compromise Assessments (East, Remote)


Baltimore, MD



For more, see https://www.linkedin.com/jobs/search/?geoId=103644278&keywords=zeek

Get Involved

If you have any comments or material for the newsletter, please email news@zeek.org or join the #news Slack channel.


The Slack channel has been very active during the past month. Here is an invitation link:


Stay up to date by subscribing to the Zeek mailing list:


Follow us on Twitter:


Subscribe to our video channel:


See you next time!