Releases: zeek/zeek

v8.0.3

15 Oct 18:04

We would like to thank Zeek Slack user James_inthe_box for their contribution to this
release.

This release fixes the following bugs:

  • zeekctl stats should no longer report a Python error.

  • The management framework controller configuration has a new tls_options_websocket
    variable for setting TLS options for the controller's Websocket server.

  • Fixed Broker errors being visible/sent to WebSocket clients unrelated to their own
    connection.

v8.0.2

13 Oct 16:21

We would like to thank Jeff McJunkin (@jeffmcjunkin) and Peter Cullen (@pbcullen) for
their contributions to this release.

This release fixes the following security issue:

  • The KRB analyzer can leak information about hosts in analyzed traffic via external DNS
    lookups. This only happens if the script-level variable KRB::keytab is set to point
    at a valid Kerberos keytab file. We're opting to fix the analyzer so it can't happen at
    all. The fix is to use a different method from libkrb5 that reuses known host
    information from the packets instead of re-requesting the same information externally.

This release fixes the following bugs:

  • The get_current_packet_header() BIF now also populates the returned record for
    fragmented IP datagrams.

  • The decompose_uri() script function now correctly handles URIs containing IPv6
    addresses.

  • The QUIC parser now discards packets with the fixed_bit field set to 0, rather than
    continuing to parse and potentially running into analyzer violations.

v7.0.11

13 Oct 16:19

We would like to thank Jeff McJunkin (@jeffmcjunkin) and Peter Cullen (@pbcullen) for
their contributions to this release.

This release fixes the following security issue:

  • The KRB analyzer can leak information about hosts in analyzed traffic via external DNS
    lookups. This only happens if the script-level variable KRB::keytab is set to point
    at a valid Kerberos keytab file. We're opting to fix the analyzer so it can't happen at
    all. The fix is to use a different method from libkrb5 that reuses known host
    information from the packets instead of re-requesting the same information externally.

This release fixes the following bugs:

  • The get_current_packet_header() BIF now also populates the returned record for
    fragmented IP datagrams.

  • The decompose_uri() script function now correctly handles URIs containing IPv6
    addresses.

v8.0.1

26 Aug 18:45

We would like to thank Fupeng Zhao (@AmazingPP), Mike Dopheide (@dopheide-esnet), and
@DigiAngel for their contributions to this release.

  • The official Zeek docker images are now based on Debian 13.0 (trixie).

  • Cluster data passed via websockets was previously double-wrapping Broker data records,
    leading to decoding issues. This is now resolved.

  • Cluster events will no longer pass empty arrays for metadata if there was no metadata
    for the event.

  • The PostgreSQL analyzer now only reports login success after a ReadyForQuery message
    is received.

  • Zeekctl added a new MetricsAddr option to override the address that the telemetry
    framework uses to communicate with Prometheus. It defaults to 0.0.0.0 and the
    documentation describes how to override it.

  • Zeekctl added documentation for the MetricsPort option used to control what ports
    the telemetry framework listens on to communicate with Prometheus. It describes how
    the range is chosen, as well as how to override it.

  • The deprecation warning for zeek::Event should now be clearer about what action
    plugin authors need to take.

v7.0.10

26 Aug 18:43

We would like to thank Artyom Kalabukhov (@predator89090) for their contribution to this
release.

  • The SMB parser now correctly parses the data_offset field. It previously tried
    to parse it as 16 bits, when the field is only 8 bits in the spec.

v8.0.0

12 Aug 19:46

We would like to thank @aidans111, Anthony Verez (@netantho), Baa (@Baa14453),
Bhaskar Bhar (@bhaskarbhar), @dwhitemv25, EdKo (@ephikos), @edoardomich, Fupeng
Zhao (@AmazingPP), [email protected] (@hendrikschwartke), @i2z1, Jan
Grashöfer (@J-Gras), Jean-Samuel Marier, Justin Azoff (@JustinAzoff), Mario D
(@mari0d), Markus Elfring (@elfring), Peter Cullen (@pbcullen), Sean Donaghy,
Simeon Miteff (@simeonmiteff), Steve Smoot (@stevesmoot), @timo-mue,
@wojciech-graj, and Xiaochuan Ye (@XueSongTap) for their contributions to this
release.

Breaking Changes

  • Zeek by default now depends on the availability of the ZeroMQ library for building
    and running. This is in preparation for switching to the ZeroMQ-based cluster backend
    by default in future Zeek versions. On an Ubuntu-based system, the required system
    packages are libzmq5, libzmq3-dev and cppzmq-dev. See the Dockerfiles
    in the ci/ directory for other supported platforms.

  • Zeek and all of its associated submodules now require C++20-capable compilers to
    build. This will let us move forward in using more modern C++ features and replace some
    workarounds that we have been carrying. Minimum recommended versions of compilers are
    GCC 10, Clang 8, and Visual Studio 2022.

  • The zeek::Span class has been deprecated and the APIs in the telemetry subsystem
    switched to use std::span instead of zeek::Span. If your plugin instantiates
    counter or gauge instances using the telemetry subsystem and you've previously used
    zeek::Span explicitly, updates may be needed.

  • The code base underwent a big cleanup of #include usage, across almost all of the
    files. We tested builds of all of the existing third-party packages and only noticed one
    or two failures, but there is a possibility for breakage related to this cleanup.

  • The lookup_connection() and connection_exists() builtin functions
    now require conn_id instances as their argument, rather than internally supporting
    duck-typed matching of conn_id-like records.

  • Network timestamps are no longer added to events by default. Use the following
    redef line to enable them:

    redef EventMetadata::add_network_timestamp = T;

    The background is that event metadata has become more generic and may incur
    a small overhead when enabled. There are not enough users of network timestamp
    metadata to justify the complexity of treating it separately.

  • The ASCII writer's JSON::TS_MILLIS timestamp format was changed to produce
    signed integers. This matters for the representation of timestamps that are
    before the UNIX epoch. These are now written as negative values, while previously
    the negative value was interpreted as an unsigned integer, resulting in very large
    timestamps, potentially causing issues for downstream consumers.

    If you prefer to always have unsigned values, it's possible to revert to the previous
    behavior by setting:

    redef LogAscii::json_timestamps = JSON::TS_MILLIS_UNSIGNED;
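    For downstream consumers that ingest JSON logs from both pre-8.0 and 8.0 Zeek nodes, the two encodings of the same pre-epoch instant need to be reconciled. The following is an added example, not part of the Zeek release notes; the log lines and uids are constructed, and the functions shown are illustrative helpers rather than anything Zeek ships.

```python
"""Normalize Zeek JSON::TS_MILLIS timestamps written by different Zeek versions."""
import json
from datetime import datetime, timedelta, timezone

# Zeek 8 writes JSON::TS_MILLIS as a signed 64-bit integer, so timestamps before
# 1970-01-01 are negative. Older releases reinterpreted the same 64-bit pattern
# as unsigned, which produces values at or above 2**63 for any pre-epoch time.
# A genuine post-epoch millisecond value cannot reach 2**63 (that would be hundreds
# of millions of years out), so the reinterpretation below is unambiguous.
TWO_POW_63 = 1 << 63
TWO_POW_64 = 1 << 64
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Constructed sample records (not real Zeek output): the first two encode the same
# instant, one second before the epoch, as Zeek 8 and as an older release would.
SAMPLE_LINES = [
    '{"ts": -1000, "uid": "CHhAvVGS1DHFjwGM9", "id.orig_h": "10.0.0.1"}',
    '{"ts": 18446744073709550616, "uid": "CHhAvVGS1DHFjwGM9", "id.orig_h": "10.0.0.1"}',
    '{"ts": 1700000000000, "uid": "C4J4Th3PJpwUYZZ6gc", "id.orig_h": "10.0.0.2"}',
]


def normalize_ts_millis(value):
    """Return the signed millisecond timestamp, undoing the old unsigned wrap-around."""
    if not isinstance(value, int) or isinstance(value, bool):
        raise TypeError("JSON::TS_MILLIS values must be integers")
    if value >= TWO_POW_64 or value < -TWO_POW_63:
        raise ValueError("timestamp does not fit in 64 bits")
    if value >= TWO_POW_63:
        # Bit pattern of a negative int64 that an older writer emitted as uint64.
        return value - TWO_POW_64
    return value


def ts_to_datetime(value):
    """Convert a (possibly wrapped) TS_MILLIS value to an aware UTC datetime."""
    # timedelta arithmetic works for negative offsets on every platform, unlike
    # datetime.fromtimestamp() with negative inputs.
    return EPOCH + timedelta(milliseconds=normalize_ts_millis(value))


def parse_log_lines(lines):
    """Parse JSON log lines, normalizing ts and adding an ISO-8601 rendering."""
    records = []
    for line in lines:
        rec = json.loads(line)
        rec["ts"] = normalize_ts_millis(rec["ts"])
        rec["ts_iso"] = ts_to_datetime(rec["ts"]).isoformat()
        records.append(rec)
    return records
```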

  • The "endpoint" label of metrics exposed via Prometheus or the telemetry.log
    was renamed to "node". This is done for consistency with cluster terminology:
    the label values have always been the value of Cluster::node, so it's more intuitive
    to call it that. The "endpoint" name originated from a time when the telemetry framework
    was implemented in Broker.

    To revert to the "endpoint" label, you can do the following, but we strongly
    suggest migrating to the new default "node" instead:

    redef Telemetry::metrics_endpoint_label = "endpoint";

  • The current_event_time() builtin function as well as Event::Time()
    and EventMgr::CurrentEventTime() now return -1.0 if no timestamp
    metadata is available for the current event, or if no event is being
    dispatched. Previously this would've been 0.0, or the timestamp of the previously
    dispatched event.

  • Missing network timestamp metadata on remote events is not set to the local
    network time anymore by default. This potentially hid useful debugging information
    about another node not sending timestamp metadata. The old behavior can be
    re-enabled as follows:

    redef EventMetadata::add_missing_remote_network_timestamp = T;

  • The IsPacketSource() method on IOSource was removed. It was unused
    and incorrectly returned false on all packet sources.

  • The --with-binpac and --with-bifcl arguments for configure are now
    deprecated. Both arguments have for a long time just used the internal version of the
    tooling even if something was passed, so they were mostly useless. This may cause
    breakage of cross-compiling, where the binpac and bifcl tooling needs to be run
    on the host machine. We haven't heard from anyone that this is the case with the
    arguments in their currently-broken state.

  • The parsing of data for the ssl_session_ticket_handshake event was fixed.
    In the past, the data contained two extra bytes before the session ticket
    data. The event now contains only the session ticket data. You might have to
    adjust your scripts if you manually worked around this bug in the past.

New Functionality

  • Zeek now supports pluggable and customizable connection tracking. The default
    behavior remains unchanged and uses a connection's five tuple based on the
    IP/port pairs and proto field. Zeek 8 ships with one additional implementation,
    to factor VLAN tags into the connection tracking. To switch to VLAN-aware
    connection tracking:

    @load frameworks/conn_key/vlan_fivetuple

    By convention, additional fields used by alternative ConnKey implementations are
    added into the new ctx field of conn_id. The type of ctx is conn_id_ctx.

    The vlan_fivetuple script adds two additional fields to the conn_id_ctx
    record type, representing any VLAN tags involved. Accordingly, every log
    using conn_id reflects the change as well as ctx and the VLAN fields have
    the &log attribute. The columns used for logging will be named id.ctx.vlan
    and id.ctx.inner_vlan.

    This feature does not automatically provide a notion of endpoint that
    corresponds with the effective connection tuple. For example, applications tracking
    endpoints by IP address do not somehow become VLAN-aware when enabling
    VLAN-aware tracking.

    Users may experiment with their own notion of endpoint by combining the orig_h
    or resp_h field of conn_id with the new ctx field. For example, tracking
    the number of connections from a given host in a VLAN-aware fashion can be done
    as follows:

    global connection_counts: table[conn_id_ctx, addr] of count &default=0;

    event new_connection(c: connection) {
        ++connection_counts[c$id$ctx, c$id$orig_h];
    }

    Note that this script snippet isn't VLAN-specific, yet it is VLAN-aware if the
    vlan_fivetuple script is loaded. In future Zeek versions, this pattern is
    likely to be used to adapt base and policy scripts for more "context awareness".

    Users may add their own plugins (for example via a zkg package) to provide
    alternative implementations. This involves implementing a factory for
    connection "keys" that factor in additional flow information. See the VLAN
    implementation in the src/packet_analysis/protocol/ip/conn_key/vlan_fivetuple
    directory for an example.

  • Added support to ZeekControl for seamlessly switching to ZeroMQ as the cluster
    backend by adding the following settings to zeekctl.cfg:

    ClusterBackend = ZeroMQ
    UseWebSocket = 1

    With the ZeroMQ cluster backend, Zeekctl requires the use of Zeek's WebSocket API
    to communicate with individual nodes for the print and netstats commands.
    Setting the UseWebSocket option enables a WebSocket server on the manager
    node, listening on 127.0.0.1:27759 by default (this is configurable using
    the newly introduced WebSocketHost and WebSocketPort options).
    The UseWebSocket option can also be used when ClusterBackend is set
    to Broker, but isn't strictly required there.

    For ZeroMQ (or other future cluster backends), setting UseWebSocket is a
    requirement, as Zeekctl does not speak the native ZeroMQ protocol to communicate
    with cluster nodes for executing commands. This functionality requires the
    websockets Python package with version 11.0 or higher.

  • Cluster telemetry improvements. Zeek now exposes a configurable number of
    metrics regarding outgoing and incoming cluster events. By default, the number
    of events sent and received by a Zeek cluster node and any attached WebSocket
    clients is tracked as four individual counters. It's possible to gather more
    detailed information by adding Cluster::Telemetry::VERBOSE and
    Cluster::Telemetry::DEBUG to the variables Cluster::core_metrics and
    Cluster::websocket_metrics:

    redef Cluster::core_metrics += { Cluster::Telemetry::VERBOSE };
    redef Cluster::websocket_metrics += { Cluster::Telemetry::DEBUG };

    Configuring verbose adds metrics that are labeled with the event handler
    and topic name. Configuring debug uses histogram metrics to additionally track
    the distribution of the serialized event size. Additionally, when debug is selected,
    outgoing events are labeled with the script location from where they were published.

  • Support for the X-Application-Name HTTP header was added to the WebSocket API at
    v1/messages/json. A WebSocket application connecting to Zeek may set the
    X-Application-Name header to a descriptive identifier. The value of this header
    will be added to the cluster metrics as the app label. This allows gathering
    incoming and outgoing event metrics for a specific WebSocket application, simply
    by setting the X-Application-Name header.

  • The SMTP...

v7.2.2

21 Jul 18:50

We would like to thank @cccs-jsjm, @edoardomich, and the Canadian Cyber Defence Collective
for their contributions to this release.

This release fixes the following security issue:

  • Very large log records can cause Zeek to overflow memory and potentially crash. Due to
    the possibility of building these log records with packets from remote hosts, this is a
    DoS risk. The fix adds additional length checking when serializing log data for writing
    to logging streams. This can be controlled via a new Log::max_log_record_size
    redefinable constant, and reports a new log_record_too_large weird if the limitation
    is reached for any individual log entry. There is also a new
    log-writer-discarded-writes metric that tracks when this limitation is
    reached.

This release fixes the following bugs:

  • The Redis storage backend now requires libhiredis 1.1.0 or later.

  • The websocket support in the Cluster framework gained the ability to listen on IPv6
    addresses. This change deprecates the WebSocketServerOptions$listen_host in favor of
    WebSocketServerOptions$listen_addr.

  • Likewise, the ZeroMQ cluster backend gained the ability to listen on IPv6 addresses.

  • The response to BDAT LAST was never recognized by the SMTP analyzer, resulting in
    the BDAT LAST commands not being logged in a timely fashion and receiving the wrong
    status. Zeek now correctly reports these commands.

  • The Docker images for zeek 7.0 releases now include the net-tools (for iproute2)
    package to silence a warning from zeekctl. They also now include the procps
    package (for top) to ensure the zeekctl top command works correctly.

  • The Spicy submodule was updated to v1.13.2. This version fixes an error when extracting
    bytes with &eod. This would previously result in a cryptic error message.

  • The ZeekJS submodule was updated to v0.18.0. This version fixes a compilation error with
    debug builds and GCC 15.1, as well as adding future support for Node v24.

v7.0.9

21 Jul 18:49

We would like to thank @cccs-jsjm, @edoardomich, and the Canadian Cyber Defence Collective
for their contributions to this release.

This release fixes the following security issue:

  • Very large log records can cause Zeek to overflow memory and potentially crash. Due to
    the possibility of building these log records with packets from remote hosts, this is a
    DoS risk. The fix adds additional length checking when serializing log data for writing
    to logging streams. This can be controlled via a new Log::max_log_record_size
    redefinable constant, and reports a new log_record_too_large weird if the limitation
    is reached for any individual log entry. There is also a new
    log-writer-discarded-writes metric that tracks when this limitation is
    reached.

This release fixes the following bugs:

  • The response to BDAT LAST was never recognized by the SMTP analyzer, resulting in
    the BDAT LAST commands not being logged in a timely fashion and receiving the wrong
    status. Zeek now correctly reports these commands.

  • The Docker images for zeek 7.0 releases now include the net-tools (for iproute2)
    package to silence a warning from zeekctl. They also now include the procps
    package (for top) to ensure the zeekctl top command works correctly.

  • The ZeekJS submodule was updated to v0.18.0. This version fixes a compilation error with
    debug builds and GCC 15.1, as well as adding future support for Node v24.

v7.2.1

20 May 16:36

We would like to thank Ivan Navi (@i2z1), Seth Grover (@mmguero), and Simeon Miteff
(@simeonmetiff) for their contributions to this release.

This release fixes the following bugs:

  • GCC 15.1 failed to build both Zeek and the integrated Paraglob library.

  • The requirement for the BIND library to be present for the build was removed. This
    library is not needed since we migrated to C-Ares for DNS lookups.

  • The new cluster-based websocket endpoint gained some performance improvements when
    dealing with very high rates of requests.

  • The Spicy submodule was updated to v1.13.1. This version brings a fix for a compilation
    failure when iterating over a byte value.

v7.0.8

20 May 16:30

We would like to thank Ivan Navi (@i2z1) and Seth Grover (@mmguero) for their contributions
to this release.

This release fixes the following bugs:

  • GCC 15.1 failed to build both Zeek and the integrated Paraglob library.

  • The requirement for the BIND library to be present for the build was removed. This
    library is not needed since we migrated to C-Ares for DNS lookups.

  • The Spicy submodule was updated to v1.11.5. This version brings a fix for a compilation
    failure when iterating over a byte value.