Zeek Newsletter - Issue 64 - June 2026

Welcome to the Zeek Newsletter

In this Issue:

TL;DR: Zeek 8.0.9 and 8.2.1 are releasing next week with Zeek 9 on track for the end of August. Lots of community happenings, including the 2026 Zeek Project Survey and an extended CFP deadline for the upcoming Berkeley workshop.


Community News & Reminders

  • Community Call Recap: This month we covered the 8.0.9 and 8.2.1 patch releases, the Berkeley Workshop CFP, our new Contributor Guide, and the 2026 Community Survey. Watch the recording here. The next call is August 5 at 10am PT – use this Zoom link to join.

  • Berkeley Workshop CFP extended: We’ve extended the call for presentations deadline to July 8. If you’ve been meaning to submit a talk and haven’t gotten to it yet, now’s your chance. Learn more and submit your talk here.

  • The 2026 Project Survey is live: The annual community survey launched and runs through August 14. This year includes an optional focus group sign-up if you’re interested in providing feedback on future releases. Take the survey here.

  • Topic of the Month: Last week we wrapped up “Detection Techniques”; you can find the recap from the conversation here. This month’s topic will be announced on Monday – join us on Slack to find out what it is!


Development Updates

Zeek 8.0.9 and 8.2.1 are releasing next week. These are larger than usual patch releases (roughly four times the normal issue count), for a few reasons: an increase in community-submitted bug reports, expanded fuzzing coverage with UBSan now part of the OSS-Fuzz setup, and a relatively long wait since the last patch releases in mid-May. As always, you should go ahead and update, but the release notes are worth reading carefully given the volume of changes. A PDG security notification will go out before the end of the week.

Zeek 9 remains on track for the end of August. Feature work slowed slightly to accommodate the patch cycle but nothing material has shifted.

The LDAP analyzer has been extended by first-time contributor Swastik Bose to forward NTLM and Kerberos authentication data to the respective analyzers. If you see a lot of LDAP traffic in your environment, this should provide more visibility via ntlm.log and kerberos.log. Feedback on the new behavior is welcome!

Shubham Kumar added DPD signatures for QUIC v1 and v2. Zeek will now attempt to decrypt QUIC INITIAL packets when not using port 443.

As always, follow development progress on GitHub to stay current with the latest changes.


Zeek Techniques

Analyzing email traffic and tired of manually stitching together separate body segments or multiple MIME attachments? Zeek has a built-in event that does the heavy lifting for you!

Instead of tracking individual entities, you can hook into the mime_all_data event. It automatically combines all decoded MIME data from a single email message (SMTP or POP3) into a single, cohesive string for seamless analysis.

Documentation here

Keep in Mind: Because Zeek has to buffer the data to glue everything together, using this event can be resource-heavy on high-volume networks. Additionally, this feature currently supports SMTP and POP3 traffic, so it won’t catch MIME entities extracted from HTTP sessions just yet.
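A sketch of a mime_all_data handler, added here as an example and not taken from the Zeek project or its documentation: it inspects the reassembled message once, skips oversized messages to limit the per-message matching and hashing work described above, and raises a notice when the decoded content links to a raw IP address. The module name, notice type, size cap and pattern are assumptions chosen for illustration.

```zeek
@load base/frameworks/notice

module MimeAllExample;  # hypothetical module name

export {
    redef enum Notice::Type += {
        ## Decoded email content contains a URL that points at a raw IP address.
        Raw_IP_Link_In_Email
    };

    ## Assumed cap: messages larger than this are not inspected, which bounds
    ## the matching and hashing cost per message (Zeek still buffers them).
    const max_inspect_bytes: count = 5 * 1024 * 1024 &redef;

    ## Constructed sample pattern: http(s) URL whose host is a dotted quad.
    const watch_pattern: pattern = /https?:\/\/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/ &redef;
}

# Fires once per email message (SMTP or POP3) with all decoded MIME data
# from that message combined into a single string.
event mime_all_data(c: connection, length: count, data: string)
    {
    if ( length > max_inspect_bytes )
        return;

    # Substring match over the whole decoded message, so base64-encoded
    # parts are checked in decoded form without per-entity bookkeeping.
    if ( watch_pattern !in data )
        return;

    NOTICE([$note=Raw_IP_Link_In_Email,
            $conn=c,
            $msg=fmt("raw-IP URL found in %d bytes of decoded MIME data", length),
            # Hash of the combined content, useful for correlating repeats.
            $sub=sha256_hash(data),
            # One notice per connection within the suppression interval.
            $identifier=c$uid]);
    }
```

Both constants are declared with &redef, so the cap and the pattern can be tuned per site with a redef in local.zeek.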

Share your tricks, shortcuts, or techniques with us using this form.


Packages

Anyone in the community can write add-on functionality for Zeek via packages.

Recently added or updated packages are always visible on GitHub directly, via the following search of pull requests to our package repository:

https://github.com/zeek/packages/pulls?q=is%3Apr+is%3Aclosed

Recent Updates:


Get Involved

Thanks for being part of the community. We’ll see you next time!