diff --git a/NEWS b/NEWS index f5ed50e96d..a7bae45e1a 100644 --- a/NEWS +++ b/NEWS 
@@ -9,28 +9,26 @@ Zeek 7.2.0 Breaking Changes ---------------- -- The ``is_remote_event()``, ``current_analyzer()`` and ``current_event_time()`` - builtin functions do not return the previous event's values anymore when event - draining has completed. The same applies to the corresponding C++ accessors on - the ``EventMgr`` class. The functions now return false, 0 or the zero time instead. +- The ``is_remote_event()``, ``current_analyzer()`` and ``current_event_time()`` builtin + functions do not return the previous event's values anymore when event draining has + completed. The same applies to the corresponding C++ accessors on the ``EventMgr`` + class. The functions now return false, 0 or the zero time instead. New Functionality ----------------- -- Some DNS events are not raised when ``dns_skip_all_addl`` is set to true. - Zeek now raises a warning when a script declares these events while this - option is set to true. +- Some DNS events are not raised when ``dns_skip_all_addl`` is set to true. Zeek now + raises a warning when a script declares these events while this option is set to true. -- Types can now be used as constants in Zeek script. This allows types to be - directly passed into BIFs without aliasing. +- Types can now be used as constants in Zeek script. This allows types to be directly + passed into BIFs without aliasing. -- A new ``enc_part`` field was added to the Kerberos ``KRB_Response`` record - passed as part of the ``krb_as_response`` event. This field contains the - encrypted session information from a Kerberos response, including the cipher - and encrypted data. +- A new ``enc_part`` field was added to the Kerberos ``KRB_Response`` record passed as + part of the ``krb_as_response`` event. This field contains the encrypted session + information from a Kerberos response, including the cipher and encrypted data. 
-- Geneve tunnel options of the current packet can be extracted from scripts - using the new PacketAnalyzer::Geneve::get_options() builtin function. +- Geneve tunnel options of the current packet can be extracted from scripts using the new + PacketAnalyzer::Geneve::get_options() builtin function. - The new ``is_valid_subnet()`` function mirrors ``is_valid_ip()``, for subnets. @@ -55,12 +53,11 @@ New Functionality backend for NATS that will be available as an external plugin, but it is not quite ready yet. Both of the existing backends support usage in a cluster environment. -- Broker now exposes more information through ``broker.log``. Broker generated - log messages are now propagated as events to Zeek. This allows exposing more - information for debugging and operational behavior of Broker via Zeek logs. - Two new script-level options ``Broker::log_severity_level`` and - ``Broker::log_stderr_severity_level`` have been introduced to control - the which events to expose by default. +- Broker now exposes more information through ``broker.log``. Broker generated log + messages are now propagated as events to Zeek. This allows exposing more information for + debugging and operational behavior of Broker via Zeek logs. Two new script-level + options ``Broker::log_severity_level`` and ``Broker::log_stderr_severity_level`` have + been introduced to control the which events to expose by default. - New WebSocket functionality was added to Zeek's cluster component. 
@@ -89,71 +86,67 @@ New Functionality Changed Functionality --------------------- -- The ``service`` field in the connection log is now sorted in the order that - protocol analyzers raise their confirmation events. - Since the time at which the protocol confirmation is raised depends on the - individual implementation of each analyzer, there is no specific meaning - to the order that the services appear. However, the order should be - deterministic between runs. It also will in many cases represent - the order in which layered protocols are parsed (e.g. "quic,ssl"). +- The ``service`` field in the connection log is now sorted in the order that protocol + analyzers raise their confirmation events. Since the time at which the protocol + confirmation is raised depends on the individual implementation of each analyzer, there + is no specific meaning to the order that the services appear. However, the order should + be deterministic between runs. It also will in many cases represent the order in which + layered protocols are parsed (e.g. "quic,ssl"). -- The way that protocol violations are handled by the dynamic protocol - detection (DPD) changed. Now, a violation that is raised by an analyzer - before it is confirmed will immediately disable the analyzer. This adjusts - the behavior back to the historically desired state, and aligns it with - the treatment of confirmed analyzers. +- The way that protocol violations are handled by the dynamic protocol detection (DPD) + changed. Now, a violation that is raised by an analyzer before it is confirmed will + immediately disable the analyzer. This adjusts the behavior back to the historically + desired state, and aligns it with the treatment of confirmed analyzers. As a consequence of this, the option ``DPD::max_violations`` is no longer used. It will be retained till Zeek 8.1 to prevent script errors, and raises a deprecation warning. 
To extend the visibility of protocol violations, a new option - ``DPD::track_removed_services_in_connection`` was added. Enabling it causes - failed analyzers to no longer be removed from the ``service`` field of the - connection log. Instead, analyzers are never removed after they are - confirmed. Instead, failed analyzers are logged by additionally adding an - entry with a prepended "-". So a connection that attached the ``ssl`` - analyzer which later failed due to a protocol error will be logged as - ``ssl,-ssl``. + ``DPD::track_removed_services_in_connection`` was added. Enabling it causes failed + analyzers to no longer be removed from the ``service`` field of the connection + log. Instead, analyzers are never removed after they are confirmed. Instead, failed + analyzers are logged by additionally adding an entry with a prepended "-". So a + connection that attached the ``ssl`` analyzer which later failed due to a protocol error + will be logged as ``ssl,-ssl``. This change also adds a new policy script, - ``protocols/conn/failed-service-logging.zeek``. Loading this script adds the - column ``failed_service`` to the connection.log. This column contains the - list of protocol analyzers that failed due to a protocol error. + ``protocols/conn/failed-service-logging.zeek``. Loading this script adds the column + ``failed_service`` to the connection.log. This column contains the list of protocol + analyzers that failed due to a protocol error. -- Command line options processing will no longer print usage whenever there - is an error. Instead, issues in command line processing will print an error, - then prompt to use --help. The --help usage will now print to standard output - rather than standard error. +- Command line options processing will no longer print usage whenever there is an + error. Instead, issues in command line processing will print an error, then prompt to + use --help. The --help usage will now print to standard output rather than standard + error. 
-- Saving seeds with ``--save-seeds`` will now put Zeek into deterministic mode. - A subsequent ``--load-seeds`` run with the same scripts and traces will produce - identical UID values as the original ``--save-seeds` run. +- Saving seeds with ``--save-seeds`` will now put Zeek into deterministic mode. A + subsequent ``--load-seeds`` run with the same scripts and traces will produce identical + UID values as the original ``--save-seeds` run. -- The `policy/protocols/dns/detect-external-names.zeek` script now no longer logs - names that were found in mDNS broadcasts by default. This is configurable with - the new `DNS::skip_resp_host_port_pairs` option. +- The `policy/protocols/dns/detect-external-names.zeek` script now no longer logs names + that were found in mDNS broadcasts by default. This is configurable with the new + `DNS::skip_resp_host_port_pairs` option. Furthermore, the script now supports and logs IPv6 results. -- The ``mkdir()``, ``rmdir()``, ``unlink()``, and ``rename()`` functions now - trigger reporter warnings instead of builtin errors when hitting trouble. This - allows Zeek to continue gracefully in case of such problems, particularly - during ``zeek_init()``. +- The ``mkdir()``, ``rmdir()``, ``unlink()``, and ``rename()`` functions now trigger + reporter warnings instead of builtin errors when hitting trouble. This allows Zeek to + continue gracefully in case of such problems, particularly during ``zeek_init()``. -- The RDP analyzer now also parses connections that do not contain the cookie - field, which were previously rejected. +- The RDP analyzer now also parses connections that do not contain the cookie field, which + were previously rejected. -- An enum's zeek::detail::ID instance now holds its ``EnumVal``. For example, - looking up the "Conn::LOG" identifier allows to directly query the ``EnumVal`` - using ``ID::GetVal()``. +- An enum's zeek::detail::ID instance now holds its ``EnumVal``. 
For example, looking up + the "Conn::LOG" identifier allows to directly query the ``EnumVal`` using + ``ID::GetVal()``. -- When the send buffer to a Broker peer overflows and the "disconnect" overflow - policy is in use, Zeek now only attempts to re-establish peerings when the - node observing the overflow originally established the peering. That is, - re-peering is now only attempted in consistency with the underlying Broker - peering topology. This avoids pointless connection attempts to ephemeral TCP - client-side ports, which clould clutter the Broker logs. +- When the send buffer to a Broker peer overflows and the "disconnect" overflow policy is + in use, Zeek now only attempts to re-establish peerings when the node observing the + overflow originally established the peering. That is, re-peering is now only attempted + in consistency with the underlying Broker peering topology. This avoids pointless + connection attempts to ephemeral TCP client-side ports, which clould clutter the Broker + logs. Removed Functionality --------------------- @@ -161,10 +154,9 @@ Removed Functionality Deprecated Functionality ------------------------ -- Support for DNS resolution of hostname literals in Zeek scripts has been - deprecated. If you've used this feature, use the new ``blocking_lookup_hostname()`` - builtin function to populate sets or tables in a ``zeek_init()`` handler, - or with top-level statements. +- Support for DNS resolution of hostname literals in Zeek scripts has been deprecated. If + you've used this feature, use the new ``blocking_lookup_hostname()`` builtin function to + populate sets or tables in a ``zeek_init()`` handler, or with top-level statements. - ``Broker::listen_websocket()`` was deprecated in favor of ``Cluster::listen_websocket()`.
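Review bot: In the @@ -9,28 hunk, the reflowed Geneve entry still leaves PacketAnalyzer::Geneve::get_options() without the ``...`` literal markup that every other function name in this file carries (compare ``is_valid_subnet()`` in the very next entry); since the paragraph is being rewritten anyway, wrap it as ``PacketAnalyzer::Geneve::get_options()`` so the rendered NEWS is consistent.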
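Review bot: In the @@ -55,12 hunk, the reflowed Broker entry carries the typo "have been introduced to control the which events to expose by default" over unchanged; drop the stray "the" so it reads "to control which events to expose by default" while the line is already being touched.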
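Review bot: In the @@ -89,71 hunk, the reflow preserves an unbalanced RST literal in "UID values as the original ``--save-seeds` run." (two opening backticks, one closing), which will render as stray backticks; it should be ``--save-seeds``. The same hunk also keeps "which clould clutter the Broker logs" (should be "could"), the doubled "Instead, analyzers are never removed after they are confirmed. Instead, failed analyzers are logged" in the DPD paragraph (drop the first "Instead" or merge the two sentences), "allows to directly query the ``EnumVal``" (better "allows directly querying the ``EnumVal``"), and single-backtick markup on `policy/protocols/dns/detect-external-names.zeek` and `DNS::skip_resp_host_port_pairs` where the rest of the file uses double backticks. Since these lines are all rewritten by this change, fixing them here costs nothing and avoids a follow-up commit.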
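Review bot: In the @@ -161,10 hunk, the unchanged context line "``Broker::listen_websocket()`` was deprecated in favor of ``Cluster::listen_websocket()`." has the same unbalanced literal (two opening backticks, one closing) on the second identifier; it sits just outside the reflowed span, but folding the fix to ``Cluster::listen_websocket()`` into this whitespace-only change is the natural place for it.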