Add missing NEWS entries for upcoming 6.1 release, reformat slightly

Tim Wojtulewicz 2023-10-13 10:00:34 -07:00
parent bd9b82f1fb
commit a4da0c64a1

NEWS

@ -17,27 +17,34 @@ Breaking Changes
should only cause breakage for people using a version of ``zkg` that doesn't
come bundled with Zeek (which we generally don't recommend doing).
- Zeek does not traverse into dot directories to find plugins or hlto files anymore.
Any dot directories found below the directories specified in ZEEK_PLUGIN_PATH or
ZEEK_SPICY_MODULE_PATH are now skipped. Dot directories explicitly listed in
ZEEK_PLUGIN_PATH or ZEEK_SPICY_MODULE_PATH are not skipped.
- Zeek does not traverse into dot directories to find plugins or hlto files
anymore. Any dot directories found below the directories specified in
ZEEK_PLUGIN_PATH or ZEEK_SPICY_MODULE_PATH are now skipped. Dot directories
explicitly listed in ZEEK_PLUGIN_PATH or ZEEK_SPICY_MODULE_PATH are not
skipped.
- External plugins will fail to configure if their minimum required CMake version
is below 3.15. This was a warning with Zeek 6.0, but has caused user confusion
due to unhelpful error messages around the IN_LIST operator policy.
- External plugins will fail to configure if their minimum required CMake
version is below 3.15. This was a warning with Zeek 6.0, but has caused user
confusion due to unhelpful error messages around the IN_LIST operator policy.
- The FindBISON, FindOpenSSL, FindPackageHandleStandardArgs, FindPackageMessage,
and SelectLibraryConfigurations cmake files were removed from our cmake
repository in favor of the versions that come with CMake. This should not
cause any breakage, but it is possible in the case that someone was using
these in a plugin.
New Functionality
-----------------
- Zeek now includes the LDAP protocol analyzer from the zeek/spicy-ldap
project (https://github.com/zeek/spicy-ldap). This analyzer is enabled by
default. The analyzer's events and its ``ldap.log`` and ``ldap_search.log``
should be considered preliminary and experimental until the arrival of
Zeek's next long-term-stable release (7.0).
- Zeek now includes the LDAP protocol analyzer from the zeek/spicy-ldap project
(https://github.com/zeek/spicy-ldap). This analyzer is enabled by default. The
analyzer's events and its ``ldap.log`` and ``ldap_search.log`` should be
considered preliminary and experimental until the arrival of Zeek's next
long-term-stable release (7.0).
If you observe unusually high CPU consumption or other issues due to this
analyzer being enabled by default, the easiest way to disable it is via
the ``Analyzer::disabled_analyzers`` const as follows:
analyzer being enabled by default, the easiest way to disable it is via the
``Analyzer::disabled_analyzers`` const as follows:
redef Analyzer::disabled_analyzers += {
Analyzer::ANALYZER_LDAP_UDP,
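Review bot: The new cmake-files entry under Breaking Changes hedges ("This should not cause any breakage, but it is possible in the case that someone was using these in a plugin") without telling affected plugin authors what to do. Suggest stating directly that plugins which used these files from Zeek's cmake repository should rely on the versions that come with CMake. Since this commit reflows the section anyway, the unbalanced literal "``zkg`" in the first context line of the hunk could also be closed as "``zkg``".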
@ -48,20 +55,20 @@ New Functionality
necessary in your environment. We're also open to general feedback about the
structure of the new logs.
- Zeek now includes the QUIC protocol analyzer from the zeek/spicy-quic
project (https://github.com/zeek/spicy-quic). This project is a fork of
Fox-IT's initial implementation (https://github.com/fox-ds/spicy-quic).
- Zeek now includes the QUIC protocol analyzer from the zeek/spicy-quic project
(https://github.com/zeek/spicy-quic). This project is a fork of Fox-IT's
initial implementation (https://github.com/fox-ds/spicy-quic).
As for the LDAP analyzer, the analyzer's events and the new ``quic.log``
should be considered preliminary and experimental until the arrival of
Zeek's next long-term-stable release (7.0). As above, any feedback and
contributions to this analyzer and the new log are welcome.
should be considered preliminary and experimental until the arrival of Zeek's
next long-term-stable release (7.0). As above, any feedback and contributions
to this analyzer and the new log are welcome.
The analyzer's functionality is limited to decryption of the INITIAL packets
of QUIC version 1. If decryption of these packets is successful, the
handshake data is forwarded to Zeek's SSL analyzer. An ``ssl.log`` entry
will appear in ``ssl.log`` for QUIC connections. The entry in the ``conn.log``
will contain ``quic`` and ``ssl`` in the service field.
of QUIC version 1. If decryption of these packets is successful, the handshake
data is forwarded to Zeek's SSL analyzer. An ``ssl.log`` entry will appear in
``ssl.log`` for QUIC connections. The entry in the ``conn.log`` will contain
``quic`` and ``ssl`` in the service field.
To disable the analyzer in case of issues, use the following snippet:
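Review bot: In the reflowed QUIC paragraph, "An ``ssl.log`` entry will appear in ``ssl.log`` for QUIC connections" names the log twice, and the reflow carries that over unchanged. Suggest "An entry will appear in ``ssl.log`` for QUIC connections". The opening "As for the LDAP analyzer" would also read better as "As with the LDAP analyzer".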
@ -74,22 +81,23 @@ New Functionality
assert <expr: bool>[, <message: string>];
This statement comes with two hooks. First, ``assertion_failure()`` that
is invoked for every failing assert statement. Second, ``assertion_result()``
This statement comes with two hooks. First, ``assertion_failure()`` that is
invoked for every failing assert statement. Second, ``assertion_result()``
which is invoked for every assert statement and its outcome. The latter allows
to construct a summary of failing and passing assert statements. Both hooks
receive the location and call stack for the ``assert`` statement via a
``Backtrace`` vector.
A failing assert will abort execution of the current event handler similar
to scripting errors. By default, a reporter error message is logged. Using
the break statement within ``assertion_failure()`` or ``assertion_result()``
A failing assert will abort execution of the current event handler similar to
scripting errors. By default, a reporter error message is logged. Using the
break statement within ``assertion_failure()`` or ``assertion_result()``
allows to suppress the default message.
- Add a new ``&default_insert`` attribute for tables. This behaves as ``&default``
with the addition that the default value is inserted into the table upon a
failed lookup. Particularly for tables with nested container values, the
``&default`` behavior of not inserting the value can be of little use.
- Add a new ``&default_insert`` attribute for tables. This behaves as
``&default`` with the addition that the default value is inserted into the
table upon a failed lookup. Particularly for tables with nested container
values, the ``&default`` behavior of not inserting the value can be of little
use.
- The ``from_json()`` function now takes an optional key_func argument to
normalize JSON object key names. This can be useful if the keys in a JSON
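Review bot: The reflowed description of the assert hooks keeps the ungrammatical "allows to construct" and "allows to suppress", and it refers to "the break statement" without marking ``break`` as a literal the way ``assert`` is marked. Suggest "makes it possible to construct a summary", "suppresses the default message", and ``break`` in literal markup. The two fragments "First, ``assertion_failure()`` that is invoked ..." and "Second, ``assertion_result()`` which is invoked ..." would also read better as full sentences.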
@ -101,7 +109,8 @@ New Functionality
- Identifiers in the global scope can now be referenced and defined from within
modules by prefixing their names with ``::``. Previously, these required an
explicit ``GLOBAL::`` prefix to be used. Using ``GLOBAL::`` has been deprecated.
explicit ``GLOBAL::`` prefix to be used. Using ``GLOBAL::`` has been
deprecated.
- The ``as`` keyword now supports casting between ``set`` and ``vector`` values
with the same element type. Converting ``set`` values with multiple index
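Review bot: The rewrapped sentence "Using ``GLOBAL::`` has been deprecated." gives no removal version, while the Deprecated Functionality entry for the same change says it will be removed with Zeek 7.1. Suggest adding the version here or pointing to that entry so the two statements stay consistent.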
@ -112,29 +121,41 @@ New Functionality
- Fixed appending of ``any`` to ``vector of any``.
- The ModBus analyzer's function support was expanded, with new handling of the
Encapsulation Interface Transport (function 28) And Diagnostics (function 8)
functions. This adds new ``modbus_encap_interface_transport_{request,response}``
and ``modbus_diagnostics_{request,response}`` events.
- The ModBus file record read and write events now provide the full data from
the request and response messages as part of the event data.
- The full PDU length was added to the ``ModBusHeader`` record type passed with
all of the ModBus events.
Changed Functionality
---------------------
- A connection's value is now updated in-place when its directionality is
flipped due to Zeek's heuristics (for example, SYN/SYN-ACK reversal or
protocol specific approaches).
Previously, a connection's value was discarded when flipped, including any
values set in a ``new_connection()`` handler. A new ``connection_flipped()``
event is added to allow updating custom state in script-land.
protocol specific approaches). Previously, a connection's value was discarded
when flipped, including any values set in a ``new_connection()`` handler. A
new ``connection_flipped()`` event is added to allow updating custom state in
script-land.
- Loading ``policy/frameworks/notice/community-id.zeek`` now also automatically
community ID logging. In the past, loading the script had no effect unless
``policy/protocols/conn/community-id-logging.zeek`` was loaded before. This
was fairly unusual and hard to debug behavior.
- Connections to broadcast addresses are not flipped based on ``likely_server_ports``
anymore. Previously, broadcast packets originating from a likely server port
resulted in 255.255.255.255 being the originator in ``conn.log``.
- Connections to broadcast addresses are not flipped based on
``likely_server_ports`` anymore. Previously, broadcast packets originating
from a likely server port resulted in 255.255.255.255 being the originator in
``conn.log``.
- When too many HTTP requests are pending, Zeek will now log them at once and
reset request/response correlation instead of running into unbounded state
growth. This behavior is configurable via a new option ``HTTP::max_pending_requests``.
The default is ``100``.
growth. This behavior is configurable via a new option
``HTTP::max_pending_requests``. The default is ``100``.
- Fix deferred initialization of nested records containing non-const &default
attributes.
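Review bot: The community-id entry in this hunk is missing its verb: "now also automatically community ID logging". This commit rewraps the entries on either side of it, so it would be a good place to add the missing word (presumably "enables"). In the new ModBus entry, "And Diagnostics" has a stray capital "And" mid-sentence, and the function numbers (28 and 8) do not say whether they are decimal or hexadecimal; stating the base would avoid misreading.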
@ -142,11 +163,11 @@ Changed Functionality
- Parameter lists for functions, events and hooks now use commas instead of
semicolons in error messages or when printing such functions.
- The IO buffer size used for PCAP file reading is now always 128kb. This
new default can be changed via ``Pcap::bufsize_offline_bytes``.
- The IO buffer size used for PCAP file reading is now always 128kb. This new
default can be changed via ``Pcap::bufsize_offline_bytes``.
Removed Functionality
---------------------
- The input framework now provides better information in error messages when
encountering missing non-optional field while loading data.
Deprecated Functionality
------------------------
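Review bot: "128kb" in the PCAP buffer entry is ambiguous about the unit (kilobits, kilobytes or kibibytes), although the option it refers to, ``Pcap::bufsize_offline_bytes``, is expressed in bytes. Suggest spelling the unit out unambiguously or giving the byte count itself. The input framework entry also reads "encountering missing non-optional field", which needs an article or a plural ("a missing non-optional field" or "missing non-optional fields").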
@ -154,14 +175,14 @@ Deprecated Functionality
- Accessing globals with ``GLOBAL::name`` has been deprecated and will be
removed with Zeek 7.1. Use ``::name`` instead.
- The original ``trigger::Trigger`` constructor has been deprecated and will
be removed with Zeek 7.1. Use the new alternative constructor
(per ``src/Trigger.h``) instead, including replacing any use of ``new ...``
with ``make_intrusive<...>``. The new constructor differs only in the
placement of the ``timeout`` parameter, and in that - unlike the original -
it always returns a valid pointer, which must be Unref()'d after
construction, either explicitly (if using ``new``) or implicitly
(if using ``make_intrusive<...>``).
- The original ``trigger::Trigger`` constructor has been deprecated and will be
removed with Zeek 7.1. Use the new alternative constructor (per
``src/Trigger.h``) instead, including replacing any use of ``new ...`` with
``make_intrusive<...>``. The new constructor differs only in the placement of
the ``timeout`` parameter, and in that - unlike the original - it always
returns a valid pointer, which must be Unref()'d after construction, either
explicitly (if using ``new``) or implicitly (if using
``make_intrusive<...>``).
Zeek 6.0.0
==========
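Review bot: The rewrapped ``trigger::Trigger`` entry tells readers to replace any use of ``new ...`` with ``make_intrusive<...>`` and then describes the explicit release needed "if using ``new``", so it is unclear whether ``new`` remains an accepted way to call the new constructor. Since the text says the returned pointer must be Unref()'d, suggest stating which form is expected and that the explicit ``Unref()`` applies only to code that keeps ``new``. "Unref()'d" would also be clearer as "released with ``Unref()``", in literal markup.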