v6.1.0

Breaking Changes

- `assert` is now a reserved keyword for the new `assert` statement.

- The `__bro_plugin__` file that gets generated as part of plugin builds was
  renamed to `__zeek_plugin__`. This will affect the ability for older
  versions of `zkg` to use the `zkg unload` and `zkg load` commands. This
  should only cause breakage for people using a version of `zkg` that doesn't
  come bundled with Zeek (which we generally don't recommend doing).

- Zeek does not traverse into dot directories to find plugins or `.hlto` files
  anymore. Any dot directories found below the directories specified in
  ZEEK_PLUGIN_PATH or ZEEK_SPICY_MODULE_PATH are now skipped. Dot directories
  explicitly listed in ZEEK_PLUGIN_PATH or ZEEK_SPICY_MODULE_PATH are not
  skipped.

- External plugins will fail to configure if their minimum required CMake
  version is below 3.15. This was a warning with Zeek 6.0, but has caused user
  confusion due to unhelpful error messages around the IN_LIST operator policy.

- The FindBISON, FindOpenSSL, FindPackageHandleStandardArgs, FindPackageMessage,
  and SelectLibraryConfigurations CMake files were removed from our cmake
  repository in favor of the versions that come with CMake. This should not
  cause any breakage, but it is possible if a plugin was using these directly.
New Functionality

- Zeek now includes the LDAP protocol analyzer from the zeek/spicy-ldap project
  (https://github.com/zeek/spicy-ldap). This analyzer is enabled by default. The
  analyzer's events and its `ldap.log` and `ldap_search.log` should be
  considered preliminary and experimental until the arrival of Zeek's next
  long-term-stable release (7.0).

  If you observe unusually high CPU consumption or other issues due to this
  analyzer being enabled by default, the easiest way to disable it is via the
  `Analyzer::disabled_analyzers` const as follows:

      redef Analyzer::disabled_analyzers += {
          Analyzer::ANALYZER_LDAP_UDP,
          Analyzer::ANALYZER_LDAP_TCP,
      };

  Please do report issues to us including diagnostic information in case this is
  necessary in your environment. We're also open to general feedback about the
  structure of the new logs.

- Zeek now includes the QUIC protocol analyzer from the zeek/spicy-quic project
  (https://github.com/zeek/spicy-quic). This project is a fork of Fox-IT's
  initial implementation (https://github.com/fox-ds/spicy-quic).

  As for the LDAP analyzer, the analyzer's events and the new `quic.log`
  should be considered preliminary and experimental until the arrival of Zeek's
  next long-term-stable release (7.0). As above, any feedback and contributions
  to this analyzer and the new log are welcome.

  The analyzer's functionality is limited to decryption of the INITIAL packets
  of QUIC version 1. If decryption of these packets is successful, the handshake
  data is forwarded to Zeek's SSL analyzer. An `ssl.log` entry will appear for
  QUIC connections. The entry in the `conn.log` will contain `quic` and `ssl`
  in the service field.

  To disable the analyzer in case of issues, use the following snippet:

      redef Analyzer::disabled_analyzers += {
          Analyzer::ANALYZER_QUIC,
      };

- Added a new `assert` statement for assertion-based testing and asserting
  runtime state.

      assert <expr: bool>[, <message: string>];

  This statement comes with two hooks. First, `assertion_failure()`, which is
  invoked for every failing assert statement. Second, `assertion_result()`,
  which is invoked for every assert statement and its outcome. The latter allows
  constructing a summary of failing and passing assert statements. Both hooks
  receive the location and call stack for the `assert` statement via a
  `Backtrace` vector.

  A failing assert will abort execution of the current event handler, similar to
  scripting errors. By default, a reporter error message is logged. Using the
  `break` statement within `assertion_failure()` or `assertion_result()`
  suppresses the default message.
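The following script, an added example that is not part of the Zeek NEWS file, exercises the new statement together with both hooks: `assertion_result()` tallies outcomes, `assertion_failure()` prints its own one-line message with the script location taken from the `Backtrace` vector and then uses `break` to suppress the default reporter error. The hook signatures and the `file_location`/`line_location` fields of `BacktraceElement` are assumed to be those of Zeek 6.1; the `parse_port()` function and the counters are constructed for this example.

```zeek
# Added example: assert statement plus its two hooks (not from the Zeek source tree).
# Run stand-alone with: zeek -b assert_demo.zeek

module AssertDemo;

# Tallies of assert outcomes (names chosen for this example).
global passed = 0;
global failed = 0;

# Invoked for every assert statement, whether it passed or failed.
hook assertion_result(result: bool, cond: string, msg: string, bt: Backtrace)
	{
	if ( result )
		++passed;
	else
		++failed;
	}

# Invoked only for failing asserts. bt[0] is assumed to describe the frame
# that contains the assert; the break suppresses the default reporter error.
hook assertion_failure(cond: string, msg: string, bt: Backtrace)
	{
	local where = "<unknown>";
	if ( |bt| > 0 && bt[0]?$file_location && bt[0]?$line_location )
		where = fmt("%s:%d", bt[0]$file_location, bt[0]$line_location);

	print fmt("assertion failed at %s: '%s' (%s)", where, cond, msg);
	break;
	}

# Function under test (constructed for the example).
function parse_port(s: string): port
	{
	return to_port(s);
	}

event zeek_init()
	{
	assert parse_port("443/tcp") == 443/tcp;
	assert parse_port("53/udp") == 53/udp, "UDP ports must parse too";

	# This assertion fails: like a scripting error it aborts the rest of
	# this handler, so the print below never runs.
	assert parse_port("0/tcp") != 0/tcp, "port 0 is not a usable service port";
	print "not reached";
	}

event zeek_done()
	{
	print fmt("assertions passed=%d failed=%d", passed, failed);
	}
```

Because `assertion_result()` sees every assert, the summary printed in `zeek_done()` is the kind of pass/fail count the NEWS entry describes; removing the `break` in `assertion_failure()` restores the default reporter message alongside the custom line.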
- Add a new `&default_insert` attribute for tables. This behaves as `&default`
  with the addition that the default value is inserted into the table upon a
  failed lookup. Particularly for tables with nested container values, the
  `&default` behavior of not inserting the value can be of little use.
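The difference matters exactly in the nested-container case the entry mentions. The script below is an added example, not part of the Zeek NEWS file; it tracks ports per host in two tables that differ only in the attribute, feeds both the same constructed observations and shows that with plain `&default` the `add` lands in a temporary set that is never stored. The `Obs` record and the sample values are constructed for this example.

```zeek
# Added example: &default versus &default_insert on a table of sets
# (not from the Zeek source tree). Run with: zeek -b default_insert_demo.zeek

# With plain &default, a lookup miss yields a fresh empty set that is NOT
# stored, so the add() below modifies a temporary and the table stays empty.
global ports_seen_default: table[addr] of set[port] &default=set();

# With &default_insert the miss first inserts the empty set, so the same
# add() modifies the stored value.
global ports_seen: table[addr] of set[port] &default_insert=set();

# Constructed (host, destination port) observations.
type Obs: record {
	h: addr;
	p: port;
};

const samples: vector of Obs = vector(
	Obs($h=10.0.0.5, $p=80/tcp),
	Obs($h=10.0.0.5, $p=443/tcp),
	Obs($h=10.0.0.9, $p=22/tcp)
);

event zeek_init()
	{
	for ( i in samples )
		{
		local o = samples[i];
		add ports_seen_default[o$h][o$p];
		add ports_seen[o$h][o$p];
		}

	# The &default table has recorded nothing; the &default_insert table
	# holds one set per host.
	print fmt("&default:        %d hosts tracked", |ports_seen_default|);
	print fmt("&default_insert: %d hosts tracked", |ports_seen|);

	for ( h, ps in ports_seen )
		print fmt("  %s -> %s", h, ps);
	}
```

Before 6.1 the only way to get the second behaviour was an explicit `if ( h !in tbl ) tbl[h] = set();` before every `add`, which is easy to forget and silently loses state when it is.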
- The `from_json()` function now takes an optional `key_func` argument to
  normalize JSON object key names. This can be useful if the keys in a JSON
  object are not valid Zeek identifiers or are reserved keywords.
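As an added example (not from the Zeek NEWS file or source tree), the script below parses a constructed JSON document whose keys collide with Zeek syntax: `"type"` is a reserved keyword and `"src-ip"` is not a valid identifier. The `key_func` maps each key to the record field it should populate. The `Finding` record, `normalize_key()` and the sample document are constructed; the `from_json_result` fields (`valid`, `v`, `err`) are assumed to be those introduced in Zeek 6.0.

```zeek
# Added example: from_json() with a key_func that renames awkward JSON keys
# (not from the Zeek source tree). Run with: zeek -b from_json_demo.zeek

# Target record. Field names are valid Zeek identifiers; the JSON keys are not.
type Finding: record {
	type_: string;    # populated from JSON key "type" (a Zeek keyword)
	severity: count;
	src_ip: addr;     # populated from JSON key "src-ip" (invalid identifier)
};

# Constructed input in the shape an external detection tool might emit.
const doc = "{\"type\": \"scan\", \"severity\": 3, \"src-ip\": \"192.0.2.7\"}";

# Called once per JSON object key; returns the field name to use instead.
function normalize_key(key: string): string
	{
	if ( key == "type" )
		return "type_";

	# Replace characters that cannot appear in an identifier.
	return gsub(key, /-/, "_");
	}

function parse_finding(s: string): Finding
	{
	local r = from_json(s, Finding, normalize_key);

	if ( ! r$valid )
		{
		Reporter::error(fmt("from_json failed: %s", r$err));
		return Finding($type_="invalid", $severity=0, $src_ip=0.0.0.0);
		}

	return r$v as Finding;
	}

event zeek_init()
	{
	local f = parse_finding(doc);
	print fmt("finding type=%s severity=%d src=%s", f$type_, f$severity, f$src_ip);
	}
```

Without the `key_func`, the same document cannot be mapped onto any record: a field literally named `type` does not parse, and `src-ip` is not a legal field name. Keeping the renaming in one small function also keeps the mapping auditable when the upstream tool adds keys.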
- Module names are now included in `global_ids()`. Their key in the returned
  table is prefixed with "module " and their value will have the `type_name`
  field set to "module".

- Identifiers in the global scope can now be referenced and defined from within
  modules by prefixing their names with `::`. Previously, these required an
  explicit `GLOBAL::` prefix to be used. Using `GLOBAL::` has been
  deprecated.

- The `as` keyword now supports casting between `set` and `vector` values
  with the same element type. Converting `set` values with multiple index
  values is not supported. We plan to extend the use of the `as` keyword to
  support more type conversions in the future.
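Two practical uses of the new cast, as an added example that is not part of the Zeek NEWS file: a set has no defined order, so casting it to a vector is what makes it sortable for stable log or report output, and casting a vector to a set is a one-step way to drop duplicates. The helper names and sample values are constructed for this example.

```zeek
# Added example: set <-> vector casts with `as` (not from the Zeek source tree).
# Run with: zeek -b as_cast_demo.zeek

# Sets are unordered; cast to a vector, then sort, for deterministic output.
function sorted_ports(ps: set[port]): vector of port
	{
	local v = ps as vector of port;

	sort(v, function(a: port, b: port): int
		{
		if ( a < b )
			return -1;
		if ( a == b )
			return 0;
		return 1;
		});

	return v;
	}

# Casting a vector to a set collapses duplicates; only single-index sets
# are supported as cast targets, as the NEWS entry notes.
function unique_hosts(v: vector of addr): set[addr]
	{
	return v as set[addr];
	}

event zeek_init()
	{
	local ps: set[port] = set(443/tcp, 22/tcp, 53/udp, 80/tcp);
	print fmt("sorted ports: %s", sorted_ports(ps));

	local hosts = vector(10.0.0.1, 10.0.0.2, 10.0.0.1);
	print fmt("%d unique hosts out of %d observations",
	          |unique_hosts(hosts)|, |hosts|);
	}
```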
- Added a new packet analyzer to handle the DLT_PPP link type in PCAP files.

- Fixed appending of `any` to `vector of any`.

- The ModBus analyzer's function support was expanded, with new handling of the
  Encapsulation Interface Transport (function 28) and Diagnostics (function 8)
  functions. This adds new `modbus_encap_interface_transport_{request,response}`
  and `modbus_diagnostics_{request,response}` events.

- The ModBus file record read and write events now provide the full data from
  the request and response messages as part of the event data.

- The full PDU length was added to the `ModBusHeader` record type passed with
  all of the ModBus events.

Changed Functionality

- A connection's value is now updated in-place when its directionality is
  flipped due to Zeek's heuristics (for example, SYN/SYN-ACK reversal or
  protocol-specific approaches). Previously, a connection's value was discarded
  when flipped, including any values set in a `new_connection()` handler. A
  new `connection_flipped()` event is added to allow updating custom state in
  script-land.
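The new event is most useful for state that is derived from which side is the originator, because that derivation becomes wrong the moment Zeek flips the connection. The script below is an added example, not part of the Zeek NEWS file or source tree: it extends the `connection` record with a constructed `orig_is_local` field, computes it in `new_connection()`, and recomputes it in `connection_flipped()`. The `connection_flipped(c: connection)` signature is assumed to be the one introduced here; `Site::local_nets` and `Site::is_local_addr()` are Zeek's existing site framework.

```zeek
# Added example: keeping derived per-connection state correct across a
# direction flip (not from the Zeek source tree).
# Run against a trace with: zeek -r trace.pcap flip_demo.zeek

# Constructed extension: whether the originator is inside our address space.
redef record connection += {
	orig_is_local: bool &default=F;
};

# Constructed local network for the example; replace with your own ranges.
redef Site::local_nets += { 10.0.0.0/8 };

function update_locality(c: connection)
	{
	c$orig_is_local = Site::is_local_addr(c$id$orig_h);
	}

event new_connection(c: connection)
	{
	update_locality(c);
	}

# Since 6.1 the connection value survives a flip, so anything stored in it
# (including the field above) is still there; only the orientation-dependent
# part needs recomputing.
event connection_flipped(c: connection)
	{
	update_locality(c);
	print fmt("%s flipped: originator now %s (local=%s)",
	          c$uid, c$id$orig_h, c$orig_is_local);
	}
```

Before 6.1 the `new_connection()` handler's work was simply lost on a flip and there was no hook to redo it; with this pattern the custom field is never stale for more than the time between the two events.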
- Loading `policy/frameworks/notice/community-id.zeek` now also automatically
  enables community ID logging. In the past, loading the script had no effect
  unless `policy/protocols/conn/community-id-logging.zeek` was loaded before.
  This was fairly unusual and hard-to-debug behavior.

- Connections to broadcast addresses are not flipped based on
  `likely_server_ports` anymore. Previously, broadcast packets originating
  from a likely server port resulted in 255.255.255.255 being the originator in
  `conn.log`.

- When too many HTTP requests are pending, Zeek will now log them at once and
  reset request/response correlation instead of running into unbounded state
  growth. This behavior is configurable via a new option
  `HTTP::max_pending_requests`. The default is `100`.

- Fix deferred initialization of nested records containing non-const `&default`
  attributes.

- Parameter lists for functions, events and hooks now use commas instead of
  semicolons in error messages or when printing such functions.

- The IO buffer size used for PCAP file reading is now always 128kb. This new
  default can be changed via `Pcap::bufsize_offline_bytes`.

- The input framework now provides better information in error messages when
  encountering a missing non-optional field while loading data.

- The SSL analyzer will now parse a configurable maximum of 10 SSL Alerts per
  SSL message. For TLS 1.3, the maximum is implicitly 1 as defined by RFC 8446.
  If there are more alerts, a new weird "SSL_excessive_alerts_in_record" is raised.
  For non-TLS 1.3, the maximum can be redefined via `SSL::max_alerts_per_record`.

- The `ssl_history` field in the `ssl.log` is now capped at a configurable
  limit of 100 characters to prevent unbounded growth. The limit can be changed
  via the option `SSL::max_ssl_history_length`. When reached, a new weird
  named "SSL_max_ssl_history_length_reached" is raised.
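The three new bounds above all trade completeness for bounded memory, and two of them announce when they trigger through weirds. The fragment below is an added example, not part of the Zeek NEWS file, showing how an operator would set the limits explicitly and make the resulting weirds visible per connection in `weird.log`. The HTTP value of 200 is a constructed choice for a site with slow backends; the two SSL values restate the defaults given above. `Weird::actions` and `Weird::ACTION_LOG_PER_CONN` are Zeek's existing weird framework.

```zeek
# Added example: pinning the 6.1 resource bounds and surfacing their weirds
# (not from the Zeek source tree). Load from local.zeek or with zeek -b.

# Allow more outstanding requests on busy, slow-responding HTTP servers
# before Zeek logs them all at once and resets correlation.
# (200 is a constructed value; the default is 100.)
redef HTTP::max_pending_requests = 200;

# Defaults shown explicitly so the limits are visible in site config.
redef SSL::max_alerts_per_record = 10;
redef SSL::max_ssl_history_length = 100;

# Log the new weirds once per affected connection instead of relying on
# the framework's generic handling, so every hit can be correlated with
# its conn.log entry by uid.
redef Weird::actions += {
	["SSL_excessive_alerts_in_record"] = Weird::ACTION_LOG_PER_CONN,
	["SSL_max_ssl_history_length_reached"] = Weird::ACTION_LOG_PER_CONN,
};
```

Reading these weirds alongside `ssl.log` tells you whether a long `ssl_history` or an alert flood is a broken client, a middlebox, or something worth a closer look, which is the information the cap would otherwise silently discard.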
Deprecated Functionality

- Accessing globals with `GLOBAL::name` has been deprecated and will be
  removed with Zeek 7.1. Use `::name` instead.

- The original `trigger::Trigger` constructor has been deprecated and will be
  removed with Zeek 7.1. Use the new alternative constructor (per
  `src/Trigger.h`) instead, including replacing any use of `new ...` with
  `make_intrusive<...>`. The new constructor differs only in the placement of
  the `timeout` parameter, and in that, unlike the original, it always
  returns a valid pointer, which must be Unref()'d after construction, either
  explicitly (if using `new`) or implicitly (if using `make_intrusive<...>`).