Zeek Newsletter - Issue 52 - June 2025

Welcome to the Zeek Newsletter

[TL;DR]

Zeek 8 development is charging ahead with pluggable connection keys, improved cluster metrics, and IPv6 support for ZeroMQ.

The Zeek Project Survey 2025 is live! Please fill it out and share it with other users. Plus, catch up on fresh ecosystem news from Security Onion and Malcolm, and don’t forget to check out our Zeek Tip of the Month.


Don’t Miss This – Reminders for the Community

We have a lot of ideas for how to improve Zeek, but we want to hear from you:

  • Zeek Project Survey 2025: Tell us about your experience, needs, and ideas so we can keep making Zeek better. Take the survey and share it with other Zeek users! The survey closes July 17.

  • Slack Workspace Feedback: We’ve recently reorganized Slack to be easier to navigate. Have thoughts on channels, norms, or ways to help everyone get more value out of it? Join and tell us!

It’ll help us prioritize the right features, improve documentation, and build a better Zeek community.


Zeek Tip of the Month:

Zeek scripts can access system environment variables using the getenv function. This is especially useful when running Zeek in Docker or other containerized environments, where configuration is commonly supplied through environment variables. Check out the documentation to learn more.
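As an added illustration of the tip (this is not code from the newsletter or from the Zeek source tree), the script below reads a comma-separated list of IPv4 prefixes from a container environment variable and installs it as Site::local_nets, so the same image can be reused per site without editing local.zeek. It assumes Zeek's built-in getenv(), split_string(), strip() and to_subnet() and the Config framework's Config::set_value(); the variable name ZEEK_LOCAL_NETS and the module name are chosen here.

```zeek
# Added example: derive Site::local_nets from an environment variable, e.g.
#   docker run -e ZEEK_LOCAL_NETS="10.0.0.0/8,192.168.1.0/24" ...
# Assumes built-in getenv()/split_string()/strip()/to_subnet() and
# Config::set_value(); the variable and module names are assumptions.
module EnvLocalNets;

export {
	## Name of the environment variable holding a comma-separated list
	## of IPv4 CIDR prefixes (assumed name, overridable via redef).
	const env_var = "ZEEK_LOCAL_NETS" &redef;
}

# Loose shape check so malformed entries are reported instead of being
# handed to to_subnet() blindly; IPv4 only to keep the pattern short.
const cidr_re = /^([0-9]{1,3}\.){3}[0-9]{1,3}\/[0-9]{1,2}$/;

# High priority so the value is in place before other zeek_init handlers
# that consult Site::local_nets.
event zeek_init() &priority=20
	{
	local raw = getenv(env_var);

	# getenv() returns an empty string when the variable is not set:
	# keep whatever local.zeek / networks.cfg already configured.
	if ( raw == "" )
		{
		Reporter::info(fmt("%s unset, leaving Site::local_nets unchanged", env_var));
		return;
		}

	local nets: set[subnet] = set();
	local parts = split_string(raw, /,/);

	for ( i in parts )
		{
		local entry = strip(parts[i]);
		if ( entry == "" )
			next;
		if ( cidr_re !in entry )
			{
			Reporter::warning(fmt("%s: ignoring malformed prefix '%s'", env_var, entry));
			next;
			}
		add nets[to_subnet(entry)];
		}

	if ( |nets| == 0 )
		return;

	# Site::local_nets is an option, so change it through the Config
	# framework rather than assigning to it directly.
	Config::set_value("Site::local_nets", nets);
	Reporter::info(fmt("Site::local_nets set from %s: %s", env_var, nets));
	}
```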

Have a tip of your own?

We’re looking for tricks, shortcuts, or helpful techniques to feature in the newsletter. Let us know how you’re using Zeek – your tip might help someone else in the community.

Submit yours here.


Community Call Recap

This month, we shared recent LT meeting discussions, a brief status update on Zeek 8.0 development, and early insights from the Zeek Project Survey 2025 (closes July 17). We also want to remind the community that the next Zeek training will be held at the 2025 NSF Cybersecurity Summit in Boulder, CO (October 20-23).

If you couldn’t join the meeting live, the recording is available on our YouTube channel.

The next call is August 6 at 10am PT (1pm ET). Use this Zoom link to join. No registration is required; just drop in and join the conversation. See you there!


Development Updates

Work continues on Zeek 8, with several important improvements landing or in progress:

Pluggable Connection Keys

The first pluggable connection keys PR has landed. Zeek has long used the classic 5-tuple as connection keys. Now, you can write Zeek plugins to customize this behavior—enabling support for VLAN IDs or VXLAN/Geneve VNIs in connection keys. This is a big win for deployments monitoring overlapping IP ranges.

VLAN-scoped 5-tuple support is already included and can be enabled via:

@load zeek frameworks/conn_key/vlan_fivetuple

We’re still iterating on this feature, but if this piques your interest, check out the current version of the connkey plugin tutorial.

Detailed Cluster Metrics

Zeek now provides more detailed cluster metrics via Prometheus or telemetry.log. By default, it reports the number of incoming and outgoing cluster events per node. You can enable verbose and debug metrics by redefining Cluster::Telemetry::core_metrics, allowing you to monitor events broken down by topic and handler name, and analyze serialized event sizes using Prometheus-style histograms.

WebSocket clients connected to Zeek are tracked separately. If a client includes an X-Application-Name HTTP header, its metrics will be tagged with an app label based on that value.

Note: the endpoint label has been renamed to node. If you use Zeek metrics with Grafana, you may need to update your dashboards accordingly.

Check out the telemetry.zeek script in the cluster module for more details.

IPv6 Support for ZeroMQ Cluster Backend

The ZeroMQ cluster backend now supports IPv6, expanding deployment options in dual-stack environments.

Analyzer Updates

The FTP analyzer gained explicit AUTH TLS support, the DNS analyzer now parses NAPTR responses, and reporting of BDAT commands in smtp.log was fixed.


Ecosystem News

Security Onion 2.4.160 Released

The latest Security Onion release includes Playbooks, Guided Analysis, MCP Server, and more. A highlight for Zeek users: the new Guided Analysis tab helps analysts investigate alerts step by step, leveraging Playbooks with built-in queries – many of which automatically correlate Zeek data with other sources. Read the full release announcement here.

Malcolm v25.06.0 Now Available

Malcolm’s latest release adds role-based access control (RBAC), bug fixes, and numerous improvements across components. Notable for Zeek users: support for Zeek 7.2.1, extended intel.log fields via corelight/ExtendIntel integration, and configuration tweaks for easier Kafka plugin use. Malcolm remains an easy-to-deploy suite for network traffic analysis that heavily leverages Zeek logs. See the full release notes here.

Zeek at FIRST 2025

Aashish Sharma (Zeek Leadership Team, Lawrence Berkeley National Lab CSIRT) recently gave a lightning talk on Zeek at FIRST 2025 in Copenhagen, with a great turnout to discuss all things network monitoring and intrusion detection.


Zeek Package Updates

Anyone in the Zeek community can write add-on functionality for Zeek via packages — see https://packages.zeek.org to browse them, and our zkg package manager documentation to get started. Don’t forget to check out #package-sharing on Slack to see what packages others are working on, or share your own.

Recently added or updated packages are always visible on GitHub directly, via the following search of pull requests to our package repository:

https://github.com/zeek/packages/pulls?q=is%3Apr+is%3Aclosed

Latest updates:

pre-commit-hooks

Some out-of-the-box hooks for pre-commit.

https://github.com/pre-commit/pre-commit-hooks

Unauthorized SMB Usage - Zeek Package

This Zeek package detects SMB/SMB2 connections to unauthorized IP addresses based on a configurable whitelist.

https://github.com/Cynthianfatkid/zeek-unauthorized-smb-usage

ICSNPP-C12.22

A plugin (written in Spicy) for parsing and logging fields used by the ANSI C12.22 protocol as presented in IEEE standard 1703-2012, defining a transmission format for utility end device data tables or control elements.

https://github.com/cisagov/icsnpp-c1222


Get Involved

Got ideas, feedback, or content for the newsletter? Send us a note at news@zeek.org or drop by the #security-news channel on Slack. Join Slack here.

Stay in the loop and connect with others in the Zeek community:

Want more insider updates? Check out the Leadership Team meeting notes.

And if you’re hunting for Zeek-related jobs, here’s a handy LinkedIn search.

Thanks for being part of the community. We’ll see you next time!