Welcome to the Zeek Newsletter.
In this Issue:
TL;DR: Zeek 8.2 is targeting early May release with ZeroMQ encryption, Windows improvements, and a new IGMP analyzer. Close to 100 practitioners gathered at CERN for talks on Zeek 9.0, container deployments, and protocol development.
Community News & Reminders
- Training at Trusted CI Summit (Apr. 21-22): There will be a Zeek-lite training at Trusted CI’s upcoming Regional Cybersecurity Summit. Registration is free.
- Topic of the Month: We just wrapped up “I didn’t know Zeek could do this!”. Head over to the #topic-of-the-month Slack channel to catch up on stories of surprising or unexpected discoveries about what Zeek can do. The next discussion topic will be announced on April 6.
- CERN Workshop Recap: Close to 100 practitioners gathered at CERN for two days of talks and hands-on training covering Zeek 9.0 development, container deployments, protocol analyzers with Spicy, and incident response workflows. Read the full recap on our blog.
Zeek Techniques
Zeek has a built-in script debugger. If you’ve ever been stuck figuring out why a script isn’t doing what you expect, try running zeek -d to launch it.
Share your tricks, shortcuts, or techniques with us using this form.
Community Call Recap
Highlights from this month’s call:
- Fall workshop planning: The Zeek Leadership Team is discussing dates and logistics for a U.S. workshop; more details will be shared soon!
- Community content spotlight: All March content was community-sourced, including blogs by David (Your First Zeek Script Doesn’t Need to be Perfect) and Aaron (Reduce conn.log from 35GB to 5GB with a Simple Hook), and Dop’s video on alert pipeline testing.
Missed it? Watch the recording on our YouTube Channel.
The next call is May 6 at 10am Pacific Time. Use this Zoom link to join. There’s no registration required, just drop in and join the conversation. See you there!
Development Updates
Zeek 8.2 is rapidly approaching with branching scheduled for mid-April and release candidates expected shortly thereafter. Assuming testing goes smoothly, the team is targeting a release at the beginning of May.
Major features landing in 8.2 include Arne’s &publish_on_change replacement for the old &backend attribute on tables, a new IGMP analyzer, and enhanced cluster functionality with ZeroMQ encryption support. The addition of encryption addresses a key gap for multi-node deployments, providing secure communication between systems.
Windows support is receiving substantial improvements in this release, thanks to contributions from Microsoft developers. The enhancements include numerous bug fixes and potentially Spicy support on Windows—a frequently requested capability. Additionally, the Spicy team has been working on optimizer passes and general performance improvements that will benefit all users.
The usual collection of bug fixes and improvements rounds out the release. Full release notes will be published through the standard channels on Slack and Discourse when the release becomes available.
As always, follow development progress on GitHub to stay current with the latest changes.
Zeek Packages
Anyone in the community can write add-on functionality for Zeek via packages.
- Browse Zeek packages: https://packages.zeek.org
- Head to our zkg package manager documentation to get started on your own
- Questions? Check out #package-sharing to get help
Recently added or updated packages are always visible on GitHub directly, via the following search of pull requests to our package repository:
https://github.com/zeek/packages/pulls?q=is%3Apr+is%3Aclosed
Recent updates:
Get Involved
- Share ideas or content: news@zeek.org or #security-news on Slack.
- Stay connected: Discourse • YouTube • Mastodon • Bluesky • LinkedIn
- Check out Leadership Team meeting notes for insider updates.
- Looking for Zeek jobs? See openings on LinkedIn.
Thanks for being part of the community. We’ll see you next time!
