Welcome to the Zeek Newsletter
In this Issue:
TL;DR: Zeek 8.1 is officially out and security updates 8.1.1 and 8.0.6 are available. The CERN workshop agenda is live (registration still open!), and we published a few tutorials and guides for you.
Community News & Reminders
- Threat Intelligence Workshop - Virtual (Feb. 25): Aashish Sharma and Fatema Bannat Wala are presenting on leveraging MISP with Zeek. Registration is open and free.
- Zeek Workshop at CERN (Mar. 25-26): Agenda for the workshop is live! It’s not too late to register. Check out the schedule and sign up today.
- Training at Trusted CI Summit (Apr. 21-22): There will be a Zeek mini-training at Trusted CI’s upcoming Regional Cybersecurity Summit. Registration is free.
- Topic of the Month: February’s theme is “Scripts and Customization”. Join the discussion in #topic-of-the-month and read the January recap on the blog.
Zeek Techniques
If you have multiple PCAP files in a directory (e.g. produced by tcpdump -C or -G) and want to analyze them in one go with Zeek, a neat trick is to have Wireshark’s mergecap write the merged capture to stdout and have Zeek read it from stdin:
$ mergecap -w - ./pcaps/*.pcap | zeek -C -r -
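The one-liner above works as-is; the script below is an added example (not from the newsletter or the Zeek project) that wraps the same trick in a POSIX shell function with the checks a practitioner usually ends up wanting: it refuses to run on an empty directory, orders rotated tcpdump -C files naturally (capture.pcap10 after capture.pcap2, which plain lexical globbing gets wrong), and puts Zeek’s logs in a directory of your choosing. It assumes mergecap and zeek are on PATH when actually run, and that sort supports -V (GNU coreutils or a recent BSD sort); the helper functions work without either tool.

```shell
#!/bin/sh
# Added example for the "mergecap | zeek" trick. Assumptions: mergecap and
# zeek are installed when analyze_pcaps is called; sort -V is available.

# list_pcaps DIR: print every .pcap (and tcpdump -C rotation such as
# capture.pcap0, capture.pcap1, ... capture.pcap10) in DIR, one per line,
# in version-aware order. Returns 1 and prints nothing if there are none.
list_pcaps() {
    out=$(for f in "$1"/*.pcap "$1"/*.pcap[0-9]*; do
              [ -f "$f" ] && printf '%s\n' "$f"   # skip unmatched glob literals
          done | sort -V)
    [ -n "$out" ] || return 1
    printf '%s\n' "$out"
}

# analyze_pcaps DIR [OUTDIR]: merge all captures in DIR and stream them into
# Zeek. Zeek's logs (conn.log, dns.log, ...) land in OUTDIR, default ./zeek-logs.
analyze_pcaps() {
    dir=$1
    outdir=${2:-./zeek-logs}
    files=$(list_pcaps "$dir") || { echo "no .pcap files in $dir" >&2; return 1; }
    if ! command -v mergecap >/dev/null 2>&1 || ! command -v zeek >/dev/null 2>&1; then
        echo "mergecap (Wireshark) and zeek must be on PATH" >&2
        return 2
    fi
    mkdir -p "$outdir"

    # Split the newline-separated list into positional parameters so file
    # names containing spaces survive.
    oldifs=$IFS
    IFS='
'
    set -- $files
    IFS=$oldifs

    # mergecap orders packets by timestamp across all inputs by default, so
    # the input order only matters if you pass -a (concatenate in file order).
    # -w - writes the merged capture to stdout; zeek -r - reads stdin, and -C
    # makes Zeek ignore bad checksums, which are common with NIC offloading.
    mergecap -w - "$@" | ( cd "$outdir" && zeek -C -r - )
}

# Stand-alone usage: ./analyze_pcaps.sh ./pcaps [./zeek-logs]
if [ $# -gt 0 ]; then
    analyze_pcaps "$@"
fi
```

Because mergecap merges by packet timestamp, the natural-order sort is mainly a convenience for reading the file list and for the `-a` case; the output directory matters because Zeek writes its logs into the current working directory.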
Share your tricks, shortcuts, or techniques with us using this form.
Community Call Recap
Highlights from this month’s call:
- The team released Zeek 8.1 featuring ZeroMQ as the default backend, protocol parser improvements, and JavaScript support on Mac, with security updates 8.1.1 and 8.0.6 now available.
- New content published:
Missed it? Watch the recording on our YouTube Channel.
The next call is March 4 at 10am Pacific Time. Use this Zoom link to join. There’s no registration required, just drop in and join the conversation. See you there!
Development Updates
Zeek 8.1 has been released, marking a major milestone with ZeroMQ now running as the default cluster backend for the first time. This release represents significant architectural work the team has been developing throughout the previous year. Users running demanding clusters are encouraged to test the new backend and provide feedback, though switching back to Broker remains easy for those who prefer it during this transition period.
The release includes substantial protocol parser improvements and a small number of log format changes. Notable additions include op codes in the DNS log as part of implementing dynamic update parsing. After years of requests, JavaScript support is now available on Mac, enabling Mac users to experiment with Zeek scripting and JavaScript. The team also published a detailed blog post walking through the biggest changes and important considerations for the 8.1 release.
A security fix was released shortly after 8.1, bringing the latest versions to 8.1.1 (current) and 8.0.6 (LTS). The update addresses an HTTP vulnerability with no other side effects, making it a straightforward upgrade for all users.
Arne published an in-depth video tutorial explaining the ZeroMQ cluster backend, providing valuable background and context for why this architectural change was implemented and what it means for centralized cluster management. Benjamin also published a blog post addressing how to shield your testing against changes in log formats—advice the team realized had never been formally documented despite being frequently requested.
As always, follow development progress on GitHub to stay current with the latest changes.
Zeek Packages
Anyone in the community can write add-on functionality for Zeek via packages.
- Browse Zeek packages: https://packages.zeek.org
- Head to our zkg package manager documentation to get started on your own
- Questions? Check out #package-sharing to get help
Recently added or updated packages are always visible on GitHub directly, via the following search of pull requests to our package repository:
https://github.com/zeek/packages/pulls?q=is%3Apr+is%3Aclosed
Get Involved
- Share ideas or content: news@zeek.org or #security-news on Slack.
- Stay connected: Discourse • YouTube • Mastodon • Bluesky • LinkedIn
- Check out Leadership Team meeting notes for insider updates.
- Looking for Zeek jobs? See openings on LinkedIn.
Thanks for being part of the community. We’ll see you next time!
