Zeek Newsletter - Issue 21 - September 2022

Welcome to the Zeek Newsletter.

In this Issue:

  • TL;DR
  • Development Updates
  • Zeek Blog and Mailing List
  • Zeek in the Community
  • Zeek Package Updates
  • Zeek in the Enterprise
  • Upcoming Events
  • Zeek Related Jobs
  • Get Involved


ZeekWeek 2022 will take place 12-14 October, in Austin, Texas, USA. There is now a virtual attendance option for briefings only. The content this year is especially compelling, with two training class options for in-person attendees.

Many thanks to Robin Sommer, who has retired as technical lead for the project after 15 years of faithful service. Robin continues to contribute to the project. Congratulations to Christian Kreibich who has taken on the technical lead role. For more, see Robin’s announcement:


Development Updates

On 19 September, Tim Wojtulewicz announced the release of Zeek 4.0.9 and 5.0.2. Both address security issues and bug fixes. Please update Zeek as soon as possible.

See the release notes for details:



Binary packages for the new releases are available:


Updated source code is available:




On 20 September, Tim published the first release candidate for Zeek 5.1.0. See the release notes for details:


Updated source code is available:


Zeek Blog and Mailing List

Johanna Amann migrated the mailing list to a Discourse platform in late May. The site is available here:


If you create a new account with the same email address that you used with the previous mailing list, all your old posts will be assigned to you. Please let us know if you encounter any issues, either by Slack, email, or the site-feedback category on Discourse.

The old mailing list archives now redirect to this site:


If you’d like to read the Leadership Team meeting notes, they are here:


Zeek in the Community

On 30 August, Doug Burks announced that Security Onion 2.3.160 was now available, including Zeek 4.0.8 and more:


On 7 September, Fatema Bannat Wala hosted a Zeek community call. The recording is here:


Check out the new Zeek Wikipedia page:


Please feel free to contribute to it.

On 8 September, Seth Grover announced the release of Malcolm v6.3.0, with Zeek v5.0.1, Arkime v3.4.2 and OpenSearch v2.2.1. Check out GitHub for details:


Zeek Package Updates

The following packages recently reported updates (as of 28 September), via this search:


Added icsnpp-s7comm parser
#189 by Kleinspider was merged 9 days ago

The https://packages.zeek.org site reported the last 5 updates as of 28 September:

9/28/22, 1:21 AM icsnpp-bacnet
9/27/22, 7:07 PM zeek-exporter
9/26/22, 5:43 PM bro-af_packet-plugin
9/26/22, 5:43 PM zeek-af_packet-plugin
9/23/22, 10:30 PM icsnpp-s7comm

Zeek in the Enterprise

Congratulations to Seth Grover from Idaho National Lab for winning Corelight’s Apex Award for “Best Contribution to the Zeek Community”! See the press release for details:


Upcoming Events

Here is the schedule for ZeekWeek 2022:


All times are US Central time.

12 October 2022 – Day 1 – Training

Option 1:

8:30am - 5:00pm - Training: Intermediate to Zeek - Cluster Edition

By Keith Lehigh, Christian Kreibich, Fatema Bannat Wala

The Introduction to Zeek training is aimed at users who have little to no experience with Zeek. We will introduce you to some basic architecture, show you how to run and customize Zeek on the command line, and give some guidance on how to do basic log analysis. This year we will also be teaching about Zeek cluster deployments in production together with all the cluster components, and the new Zeek management framework.

Option 2:

8:30am - 5:00pm - Training: Hands-on Zeek Scripting

By Aashish Sharma

In the Hands-on Zeek Scripting training, Aashish Sharma will walk attendees through the fundamentals of Zeek Scripting along with some practical exercises. Training will cover scripting basics but will advance through various frameworks such as notice, input, and clusterization techniques. Training will consist of some theory on each topic and hands-on exercises.

5:00pm - 7:00pm – Welcome Reception

13 October 2022 – Day 2

9:15am - 9:30am - Welcome & Opening Remarks

9:30am - 10:30am - Keynote: The Evolving Cyber Threat Landscape, Wendi Whitmore

10:30am - 10:45am - Break

10:45am - 11:15am - Zeek for Windows: The Journey to run on all endpoints

11:15am - 11:45am - Schemaing about Zeek Logs

11:45am - 12:00pm - Lightning Talk

12:00pm - 1:15pm - Lunch

1:15pm - 1:45pm - “Zero Trust, and verify” - Zeek

1:45pm - 2:15pm - CatchM3ifuKan - Detecting Command-and-Control Techniques Up and Down the Networking Stack with Streaming Statistical and Machine Learning Techniques

2:15pm - 2:30pm - An Intro to the Management Framework

2:30pm - 2:50pm - Break

2:50pm - 3:00pm - Lightning Talk

3:00pm - 3:30pm - Lessons Learned: Two Years of Developing Parsers for Industrial Control Systems Protocol

3:30pm - 4:00pm - Closing Remarks

14 October 2022 – Day 3

9:15am - 9:30am - Welcome & Opening Remarks

9:30am - 10:30am - Keynote: Building Killbot-Killing-Killbots for Fun and ?Profit?, Nicholas Weaver

10:30am - 10:45am - Break

10:45am - 11:15am - Filtering logs like a pro

11:15am - 11:45am - Zeek for Endpoint: Detection and Device Discovery

11:45am - 12:00am - Lightning Talk

12:00pm - 1:15pm - Lunch

1:15pm - 1:45pm - Network Tapping for Zeek

1:45pm - 2:15pm - Zeek known services classification - ZTA edition

2:15pm - 2:30pm - Practical GAN-based Synthetic IP Header Trace Generation using NetShare

2:30pm - 2:50pm - Break

2:50pm - 3:00pm - Lightning Talk

3:00pm - 3:30pm - What the Metadata?

3:30pm - 4:00pm - The State of the Zeek Project (Roadmap and Community)

4:00pm - 4:15pm - Closing Remarks

Early bird registration ends 30 September. Full cost registration starts 1 October.


Virtual attendance is now an option for briefings only, for $50 (USD).

Register here:


See https://zeek.org/events/ for other events.

Zeek Related Jobs

To search LinkedIn for jobs mentioning Zeek skills, use this query:


Get Involved

If you have any comments or material for the newsletter please email news@zeek.org or join the #news Slack channel.


The Slack channel has been very active during the past month. Here is an invitation link:


Stay up to date by subscribing to the Zeek mailing list:


Follow us on Twitter:


Subscribe to our video channel:


See you next time!