
Zeek

SIEM & Threat Detection

Zeek is a powerful network analysis framework that is much different from the typical IDS you may know.

C++ · Latest v8.0.8 · 22d ago

Features

  • Provides in‑depth protocol analyzers for semantic network traffic analysis
  • Offers an adaptable domain‑specific scripting language for custom monitoring policies
  • Designed for high‑performance, stateful observation of large networks

Recent releases

v8.0.8 · Security relevant
  • MIME header DoS fix
  • Config change

v8.2.0 · Breaking risk
  • Breaking upgrade: ZeroMQ min version + nominal enums

v8.1.2 · Breaking risk
Breaking changes
  • ZeroMQ cluster backend now disables IPv6 by default
  • SQLite storage backend now uses quick_check instead of integrity_check by default (fewer checks, faster startup)
Security fixes
  • DNS compression chain recursion DoS: limits recursion depth when extracting labels and names from compression chains
  • DNS SvcParam RR buffer overflow DoS: reworks the byte accounting when processing these RRs
  • LDAP search request recursion evasion: limits recursion depth when processing LDAP search requests
  • LDAP ASN.1 message recursion evasion: limits recursion depth when processing ASN.1 messages in LDAP packets
Notable features
  • Support for non-Broker cluster backends in cluster/experimental scripts
  • SSH analyzer now supports ML-KEM key exchange algorithms
  • SSL extension events (pre_shared_key_server_hello, pre_shared_key_client_hello) can now be used independently
Full changelog

We would like to thank Anthony Alayo (@anthonyalayo), @cccs-graeme on Slack, @cccs-will,
Klemens Nanni (@klemensn), and Octave Charrin (@OctaveCharrin) for their contributions to
this release.

This release fixes the following security issues:

  • A series of DNS messages containing long DNS compression chains can cause Zeek to spend
    a long time processing packets and potentially crash. Due to the fact that these packets
    can be received from remote hosts, this is a DoS risk. The fix included is to limit the
    amount of recursion when extracting labels and names from these chains. A weird is
    returned if the condition is met.

  • A specially-crafted LDAP search request can cause Zeek to spend a long time processing
    the packet, resulting in Zeek silently dropping the LDAP analyzer for the
    connection. Due to the fact that these packets can be received from remote hosts, this
    is an evasion risk. The fix included is to limit the amount of recursion when processing
    search requests. An analyzer violation is returned and logged when the condition is met.

  • A specially-crafted series of ASN.1 messages in LDAP packets can cause Zeek to spend a
    long time processing the packets, resulting in Zeek silently dropping the LDAP analyzer
    for the connection. Due to the fact that these packets can be received from remote
    hosts, this is an evasion risk. The fix included is to limit the amount of recursion
    when processing ASN.1 messages. An analyzer violation is returned and logged when the
    condition is met.

  • A specially-crafted DNS packet containing HTTP SvcParam RRs can cause Zeek to reach a
    buffer overflow and potentially crash. Due to the fact that these packets can be
    received from remote hosts, this is a DoS risk. The fix included reworks the byte
    accounting when processing these RRs to avoid the overflow.

This release fixes the following bugs:

  • Support for non-Broker cluster backends was added to the cluster/experimental set of
    scripts.

  • The SQLite storage backend now uses quick_check instead of integrity_check in
    the default set of pragmas. This trades a slightly smaller set of checks for a
    significant saving in startup time.

  • The events ssl_extension_pre_shared_key_server_hello and
    ssl_extension_pre_shared_key_client_hello can now be used independently. Previously,
    both had to have a handler implemented for either of them to actually be invoked due to
    some logic confusion in the analyzer.

  • The SSH analyzer now supports the ML-KEM family of key exchange algorithms.

  • A memory leak in the telemetry framework's process handling on FreeBSD was fixed.

  • The ZeroMQ cluster backend now disables IPv6 by default. This fixes an issue with
    running on systems without dual-stack socket support.

v8.0.7 · Security relevant · Upgrade required
Config change
  • SQLite storage backend now defaults to quick_check instead of integrity_check pragma (trades verification completeness for faster startup)
Security fixes
  • Long DNS compression chains can cause DoS by forcing excessive recursion and crashes; fixed by limiting recursion depth in label extraction
  • Specially-crafted LDAP search requests can cause evasion by silently dropping the analyzer; fixed by limiting recursion in search processing
  • Specially-crafted LDAP ASN.1 messages can cause evasion by silently dropping the analyzer; fixed by limiting recursion in ASN.1 processing
Notable features
  • SSH analyzer now supports ML-KEM family of key exchange algorithms
  • SSL pre_shared_key extension events can now be used independently
  • Non-Broker cluster backend support added to cluster/experimental scripts
Full changelog

We would like to thank Anthony Alayo (@anthonyalayo), @cccs-graeme on Slack, @cccs-will,
and Octave Charrin (@OctaveCharrin) for their contributions to this release.

This release fixes the following security issues:

  • A series of DNS messages containing long DNS compression chains can cause Zeek to spend
    a long time processing packets and potentially crash. Due to the fact that these packets
    can be received from remote hosts, this is a DoS risk. The fix included is to limit the
    amount of recursion when extracting labels and names from these chains. A weird is
    returned if the condition is met.

  • A specially-crafted LDAP search request can cause Zeek to spend a long time processing
    the packet, resulting in Zeek silently dropping the LDAP analyzer for the
    connection. Due to the fact that these packets can be received from remote hosts, this
    is an evasion risk. The fix included is to limit the amount of recursion when processing
    search requests. An analyzer violation is returned and logged when the condition is met.

  • A specially-crafted series of ASN.1 messages in LDAP packets can cause Zeek to spend a
    long time processing the packets, resulting in Zeek silently dropping the LDAP analyzer
    for the connection. Due to the fact that these packets can be received from remote
    hosts, this is an evasion risk. The fix included is to limit the amount of recursion
    when processing ASN.1 messages. An analyzer violation is returned and logged when the
    condition is met.
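The DNS and LDAP items above (and the same three items in the v8.1.2 notes) are one parser hazard in two formats: attacker-controlled input that makes a recursive decoder keep going, either by chaining DNS compression pointers or by nesting ASN.1 constructed elements. The Python below is an added example, not Zeek's code, showing both decoders with the kind of depth limit the fixes introduce. Everything in it is constructed: the two limits (MAX_POINTER_HOPS, MAX_BER_DEPTH) are illustrative values, not the limits Zeek chose, and the messages are built in-line rather than captured.

```python
"""Bounded recursion for two parser hazards from the release notes above: DNS
compression-pointer chains and deeply nested LDAP/ASN.1 (BER) messages. Added
example, not Zeek's code; inputs are constructed and the limits are illustrative."""
import struct

MAX_POINTER_HOPS = 16   # assumed limit on pointers followed while decoding one name
MAX_BER_DEPTH = 32      # assumed limit on nesting of constructed BER elements


class ParseViolation(Exception):
    """Stands in for a Zeek weird / analyzer violation: input exceeded a limit."""


def read_dns_name(msg: bytes, offset: int, max_hops: int = MAX_POINTER_HOPS):
    """Decode the RFC 1035 name at `offset`; return (name, stream offset after it).

    Each 0xC0 pointer costs one hop. Unbounded, a pointer loop never terminates and
    an N-pointer chain costs N steps per name (the DoS the notes describe); bounded,
    the decoder stops after `max_hops` and reports a violation."""
    labels, hops, pos, after = [], 0, offset, None
    while True:
        if pos >= len(msg):
            raise ParseViolation("name runs past end of message")
        length = msg[pos]
        if length == 0:                        # root label ends the name
            pos += 1
            break
        if (length & 0xC0) == 0xC0:            # compression pointer, 14-bit offset
            if pos + 1 >= len(msg):
                raise ParseViolation("truncated compression pointer")
            hops += 1
            if hops > max_hops:
                raise ParseViolation(f"compression chain longer than {max_hops} hops")
            if after is None:                  # the stream resumes after the first pointer
                after = pos + 2
            pos = ((length & 0x3F) << 8) | msg[pos + 1]
            continue
        if length & 0xC0:                      # 0x40 / 0x80 label types are reserved
            raise ParseViolation("reserved label type")
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    return ".".join(labels), (after if after is not None else pos)


def build_pointer_chain(chain_len: int):
    """Constructed message: the name "a" at offset 0, then `chain_len` pointers each
    pointing at the previous one. Returns (message, offset of the last pointer)."""
    msg, prev = bytearray(b"\x01a\x00"), 0
    for _ in range(chain_len):
        here = len(msg)
        msg += struct.pack("!H", 0xC000 | prev)
        prev = here
    return bytes(msg), prev


def ber_max_depth(buf: bytes, max_depth: int = MAX_BER_DEPTH, depth: int = 0) -> int:
    """Walk a run of BER TLVs, descending into constructed elements (tag bit 0x20,
    e.g. SEQUENCE 0x30 or the LDAP filter `and` tag 0xA0). Returns the deepest level
    reached; raises once nesting exceeds `max_depth` instead of recursing on."""
    if depth > max_depth:
        raise ParseViolation(f"ASN.1 nesting deeper than {max_depth}")
    pos, deepest = 0, depth
    while pos < len(buf):
        tag = buf[pos]
        if (tag & 0x1F) == 0x1F:
            raise ParseViolation("multi-byte tags are out of scope for this example")
        if pos + 1 >= len(buf):
            raise ParseViolation("truncated length")
        length, pos = buf[pos + 1], pos + 2
        if length & 0x80:                      # long form: 0x8N then N length bytes
            n = length & 0x7F
            if not 1 <= n <= 4 or pos + n > len(buf):
                raise ParseViolation("bad long-form length")
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if pos + length > len(buf):
            raise ParseViolation("element runs past end of buffer")
        body, pos = buf[pos:pos + length], pos + length
        if tag & 0x20:
            deepest = max(deepest, ber_max_depth(body, max_depth, depth + 1))
    return deepest


def build_nested(depth: int, tag: int = 0xA0) -> bytes:
    """Constructed message: `depth` constructed elements of `tag` around one INTEGER.
    0xA0 is the context-specific constructed [0] an LDAP search filter uses for
    `and`, so the default mimics and(and(and(...))) inside a SearchRequest."""
    elem = b"\x02\x01\x01"
    for _ in range(depth):
        n = len(elem)
        enc = bytes([n]) if n < 0x80 else b"\x82" + n.to_bytes(2, "big")
        elem = bytes([tag]) + enc + elem
    return elem


if __name__ == "__main__":
    for chain in (4, 200):
        msg, off = build_pointer_chain(chain)
        try:
            print(f"DNS chain of {chain} pointers -> {read_dns_name(msg, off)[0]!r}")
        except ParseViolation as e:
            print(f"DNS chain of {chain} pointers -> weird: {e}")
    for depth in (8, 500):
        try:
            print(f"LDAP filter nested {depth} deep -> depth {ber_max_depth(build_nested(depth))}")
        except ParseViolation as e:
            print(f"LDAP filter nested {depth} deep -> analyzer violation: {e}")
```

The hop limit also catches the degenerate case of a pointer that points at itself (`b"\xc0\x00"` at offset 0), which an unbounded decoder would spin on forever; a forward pointer (RFC 1035 only allows pointers to earlier offsets) is tolerated here but counted, so it cannot be used to build an unbounded walk either. In a default Zeek deployment the two outcomes the notes describe land in different logs: the DNS case raises a weird (weird.log), the LDAP cases raise an analyzer violation (analyzer.log), so that is where to look after replaying crafted traffic like the above past a patched sensor.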

This release fixes the following bugs:

  • Support for non-Broker cluster backends was added to the cluster/experimental set of
    scripts.

  • The SQLite storage backend now uses quick_check instead of integrity_check in
    the default set of pragmas. This trades a slightly smaller set of checks for a
    significant saving in startup time.

  • The events ssl_extension_pre_shared_key_server_hello and
    ssl_extension_pre_shared_key_client_hello can now be used independently. Previously,
    both had to have a handler implemented for either of them to actually be invoked due to
    some logic confusion in the analyzer.

  • The SSH analyzer now supports the ML-KEM family of key exchange algorithms.

  • A memory leak in the telemetry framework's process handling on FreeBSD was fixed.

  • ZeekJS was updated to v0.22.1.

v8.0.6 Security relevant
Security fixes
  • HTTP analyzer evasion: Transfer-Encoding and Content-Length headers inside MIME entities in an HTTP body were applied to the outer message and could hide requests from analysis
Full changelog

We would like to thank Siavash Tahmureszadeh for their contribution to this release.

This release fixes the following security issues:

  • Zeek's HTTP analyzer can be tricked into interpreting Transfer-Encoding or
    Content-Length headers set in MIME entities within HTTP bodies and change the
    analyzer behavior. This can be used to hide HTTP requests from analysis. Due to the fact
    that these packets can be received from remote hosts, this is an evasion risk. The fix
    is to only process the headers from the outermost MIME entity, which causes all internal
    entities to be parsed.
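The evasion described above, as an added example in Python that is not Zeek's code: a toy HTTP/1.1 request framer run over a constructed client-to-server stream. With `naive=True` the framer lets a Content-Length header found inside a MIME part of the body act on the enclosing HTTP message, which models the pre-fix behaviour; with `naive=False` it takes framing only from the outermost headers, which is what the fix restores. The method list, the boundary, the hostname and the paths are all made up for the example.

```python
"""HTTP request framing and the MIME-entity header evasion described above.
Added example, not Zeek's code. The byte stream is constructed here; naive=True
models the pre-fix behaviour in which a Content-Length header found inside a
MIME part of the body is applied to the enclosing HTTP message."""
import re

METHODS = {b"GET", b"POST", b"PUT", b"DELETE", b"HEAD", b"OPTIONS", b"PATCH"}


def parse_headers(block: bytes) -> dict:
    """Header block -> {lower-case name: value}; the last occurrence wins."""
    out = {}
    for line in block.split(b"\r\n"):
        name, sep, value = line.partition(b":")
        if sep:
            out[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return out


def mime_part_headers(body: bytes, content_type: str):
    """Yield the header dict of every top-level part in a multipart body."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        return
    delim = b"--" + m.group(1).encode("latin-1")
    for part in body.split(delim)[1:]:
        if part.startswith(b"--"):          # closing delimiter
            break
        yield parse_headers(part.split(b"\r\n\r\n", 1)[0])


def frame_requests(stream: bytes, naive: bool):
    """Split a client->server byte stream into request lines; return (seen, error).

    The correct framer sizes the body from the outermost headers only. The naive
    framer additionally lets a Content-Length inside a MIME part override it: it
    ends the body early, tries to read body bytes as the next request line, loses
    sync, and every request after that point goes unanalyzed."""
    seen, pos = [], 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end < 0:
            return seen, "truncated headers"
        request_line, _, header_block = stream[pos:end].partition(b"\r\n")
        if request_line.split(b" ")[0] not in METHODS:
            return seen, f"desync: expected a request line, got {request_line[:16]!r}"
        headers = parse_headers(header_block)
        body_start = end + 4
        length = int(headers.get("content-length", "0"))
        if naive:
            body = stream[body_start:body_start + length]
            for part in mime_part_headers(body, headers.get("content-type", "")):
                if "content-length" in part:      # attacker-controlled value wins
                    length = int(part["content-length"])
                    break
        seen.append(request_line.decode("latin-1"))
        pos = body_start + length
    return seen, None


# Constructed traffic: a multipart POST whose first part smuggles a Content-Length,
# followed by a second request that analysis should still see.
BOUNDARY = b"b0undary"
BODY = b"".join([
    b"--", BOUNDARY, b"\r\n",
    b'Content-Disposition: form-data; name="f"; filename="x.txt"\r\n',
    b"Content-Length: 0\r\n",                 # lives inside the body, not the message
    b"\r\n",
    b"hello\r\n",
    b"--", BOUNDARY, b"--\r\n",
])
STREAM = b"".join([
    b"POST /upload HTTP/1.1\r\nHost: target.example\r\n",
    b"Content-Type: multipart/form-data; boundary=", BOUNDARY, b"\r\n",
    b"Content-Length: ", str(len(BODY)).encode(), b"\r\n\r\n", BODY,
    b"GET /admin/export HTTP/1.1\r\nHost: target.example\r\n\r\n",
])

if __name__ == "__main__":
    print("outermost headers only:", frame_requests(STREAM, naive=False))
    print("nested headers honoured:", frame_requests(STREAM, naive=True))
```

A nested Transfer-Encoding header is abused the same way: a framer that adopts `Transfer-Encoding: chunked` from a MIME part will try to chunk-decode a body that is not chunked and desynchronize at the first non-hex byte. The practical check for a deployment is to replay a stream like `STREAM` past the sensor and confirm that both request lines show up in http.log; if only the POST does, the sensor is still applying body-level headers to the message.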

This release fixes the following bugs:

  • A missing state check was added to the finalize_redis hook in the Redis
    analyzer. This was needed for rare cases where that hook got called and the rest of the
    analyzer had never been invoked, leading to Zeek throwing an error because the state
    didn't exist yet.

  • A bug was fixed when attempting to append a vector to itself that would cause an
    infinite loop.

  • A minor update was made to the documentation to better describe which versions of
    the docs we keep available on the website.

  • A memory leak was fixed that occurred when looping over tables while running Zeek with
    ZAM enabled.


About

Stars: 7,691 · Forks: 1,355 · Languages: C++, Zeek, CMake
