From 7b8f9b5385c4bbd7fe4ff275c95544632fa02bf3 Mon Sep 17 00:00:00 2001 From: Tim Wojtulewicz Date: Tue, 10 Dec 2024 16:11:11 -0700 Subject: [PATCH 1/2] NEWS additions for v7.1 [nomail] [skip ci] --- NEWS | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/NEWS b/NEWS index 3c6a78443f..84cced9fd4 100644 --- a/NEWS +++ b/NEWS @@ -119,8 +119,8 @@ New Functionality analyzer used for processing the packet when the event is raised. The ``unknown_protocol.log`` file was extended to include this information. -- The MySQL analyzer now generates a ``mysql_user_change()`` event when - the user changes mid-session via the ``COM_USER_CHANGE`` command. +- The MySQL analyzer now generates a ``mysql_user_change()`` event when the user + changes mid-session via the ``COM_USER_CHANGE`` command. - The DNS analyzer was extended to support TKEY RRs (RFC 2390). A corresponding ``dns_TKEY`` event was added. @@ -182,6 +182,12 @@ New Functionality The analyzer is currently mostly interesting if you want to experiment with SSL; we do not yet recommend to enable it in normal Zeek deployments. +- The majority of the metrics reported via stats.log are also now reported via + the Telemetry framework, and are visible in the output passed to Prometheus. + +- A new weird ``DNS_unknown_opcode`` was added to the DNS analyzer to report + when it receives opcodes that it cannot process. + Changed Functionality --------------------- @@ -226,8 +232,9 @@ Changed Functionality Previously, ``network_time()`` was used. This matters if ``Broker::publish()`` is called within scheduled events or called within remote events. -Removed Functionality ---------------------- +- The SSL analyzer now reports the correct version when an SSLv2 client hello is + used. Zeek previously always reported these as v2, even when the v2 client + hello indicated support for a later version of SSL. Deprecated Functionality ------------------------ 
From 4eebc97355251ff8498cc139e2b8817e35df060a Mon Sep 17 00:00:00 2001 From: Tim Wojtulewicz Date: Wed, 11 Dec 2024 09:22:55 -0700 Subject: [PATCH 2/2] Add note about various dependency updates [nomail] [skip ci] --- NEWS | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/NEWS b/NEWS index 84cced9fd4..fee004e09a 100644 --- a/NEWS +++ b/NEWS @@ -30,6 +30,18 @@ Breaking Changes New Functionality ----------------- +- The following dependencies have had updates: + + - The bundled version of Spicy was updated to 1.12.0. See + https://github.com/zeek/spicy/releases/tag/v1.12.0 for notes on what's new + with Spicy. + + - The bundled version of c-ares has been updated to v1.34.2, which required + some updates to Zeek's internal DNS resolver due to changes in the c-ares + API. At least version v1.28.0 is now required to build Zeek. + + - Python 3.9 is now required for Zeek and all of it's associated subprojects. + - IP-based connections that were previously not logged due to using an unknown IP protocol (e.g. not TCP, UDP, or ICMP) now appear in conn.log. All conn.log entries have a new ``ip_proto`` column that indicates the numeric IP protocol
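Review bot: In patch 1/2, the first hunk (@@ -119,8 +119,8 @@) carries the context line "The DNS analyzer was extended to support TKEY RRs (RFC 2390)", and the RFC number looks transposed: TKEY is specified in RFC 2930. The only change in this hunk is a re-wrap of the neighbouring ``mysql_user_change()`` entry, so the reference could be corrected in the same commit. The re-wrap alters no wording and could be left out to keep a commit titled "NEWS additions" limited to additions.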
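Review bot: In patch 1/2, the hunk at @@ -182,6 +182,12 @@ writes stats.log as plain text, while the earlier entry in this file marks ``unknown_protocol.log`` as a literal; suggest ``stats.log`` so the two entries match. "The majority of the metrics" also leaves open which metrics are not exported through the Telemetry framework. Naming the exceptions, or pointing to where they are listed, would help anyone moving monitoring from stats.log to the Prometheus output.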
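Review bot: In patch 1/2, the last hunk (@@ -226,8 +232,9 @@) deletes the "Removed Functionality" heading and its underline, which the subject "NEWS additions for v7.1" does not mention. If the section is dropped because it is empty for this release, say so in the commit message. The SSL entry added in its place changes the version reported for traffic that was previously always reported as v2, so it would help to state where that version is reported, since anything matching on the old value will behave differently after the upgrade.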
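Review bot: In patch 2/2, the added line "Python 3.9 is now required for Zeek and all of it's associated subprojects" should read "its". The same hunk (@@ -30,6 +30,18 @@) places two raised requirements, "At least version v1.28.0" of c-ares and Python 3.9, under "New Functionality", although the hunk header shows a "Breaking Changes" section directly above. Packagers look there first for build requirement changes, so consider moving those two sentences or cross-referencing them. The c-ares entry says "At least version"; the Python entry should say equally clearly whether 3.9 is a minimum.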