Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Reformat 7.2 NEWS entries for consistent line lengths

Browse source
This commit is contained in:
Tim Wojtulewicz 2025-04-22 16:02:24 -07:00
parent c1a5f70df8
commit ad4fa22889
1 changed files with 64 additions and 72 deletions
Download patch file Download diff file Expand all files Collapse all files

136
NEWS
View file

@ -9,28 +9,26 @@ Zeek 7.2.0
Breaking Changes Breaking Changes
---------------- ----------------
- The ``is_remote_event()``, ``current_analyzer()`` and ``current_event_time()`` - The ``is_remote_event()``, ``current_analyzer()`` and ``current_event_time()`` builtin
builtin functions do not return the previous event's values anymore when event functions do not return the previous event's values anymore when event draining has
draining has completed. The same applies to the corresponding C++ accessors on completed. The same applies to the corresponding C++ accessors on the ``EventMgr``
the ``EventMgr`` class. The functions now return false, 0 or the zero time instead. class. The functions now return false, 0 or the zero time instead.
New Functionality New Functionality
----------------- -----------------
- Some DNS events are not raised when ``dns_skip_all_addl`` is set to true. - Some DNS events are not raised when ``dns_skip_all_addl`` is set to true. Zeek now
Zeek now raises a warning when a script declares these events while this raises a warning when a script declares these events while this option is set to true.
option is set to true.
- Types can now be used as constants in Zeek script. This allows types to be - Types can now be used as constants in Zeek script. This allows types to be directly
directly passed into BIFs without aliasing. passed into BIFs without aliasing.
- A new ``enc_part`` field was added to the Kerberos ``KRB_Response`` record - A new ``enc_part`` field was added to the Kerberos ``KRB_Response`` record passed as
passed as part of the ``krb_as_response`` event. This field contains the part of the ``krb_as_response`` event. This field contains the encrypted session
encrypted session information from a Kerberos response, including the cipher information from a Kerberos response, including the cipher and encrypted data.
and encrypted data.
- Geneve tunnel options of the current packet can be extracted from scripts - Geneve tunnel options of the current packet can be extracted from scripts using the new
using the new PacketAnalyzer::Geneve::get_options() builtin function. PacketAnalyzer::Geneve::get_options() builtin function.
- The new ``is_valid_subnet()`` function mirrors ``is_valid_ip()``, for subnets. - The new ``is_valid_subnet()`` function mirrors ``is_valid_ip()``, for subnets.
@ -55,12 +53,11 @@ New Functionality
backend for NATS that will be available as an external plugin, but it is not quite backend for NATS that will be available as an external plugin, but it is not quite
ready yet. Both of the existing backends support usage in a cluster environment. ready yet. Both of the existing backends support usage in a cluster environment.
- Broker now exposes more information through ``broker.log``. Broker generated - Broker now exposes more information through ``broker.log``. Broker generated log
log messages are now propagated as events to Zeek. This allows exposing more messages are now propagated as events to Zeek. This allows exposing more information for
information for debugging and operational behavior of Broker via Zeek logs. debugging and operational behavior of Broker via Zeek logs. Two new script-level
Two new script-level options ``Broker::log_severity_level`` and options ``Broker::log_severity_level`` and ``Broker::log_stderr_severity_level`` have
``Broker::log_stderr_severity_level`` have been introduced to control been introduced to control the which events to expose by default.
the which events to expose by default.
- New WebSocket functionality was added to Zeek's cluster component. - New WebSocket functionality was added to Zeek's cluster component.
@ -89,71 +86,67 @@ New Functionality
Changed Functionality Changed Functionality
--------------------- ---------------------
- The ``service`` field in the connection log is now sorted in the order that - The ``service`` field in the connection log is now sorted in the order that protocol
protocol analyzers raise their confirmation events. analyzers raise their confirmation events. Since the time at which the protocol
Since the time at which the protocol confirmation is raised depends on the confirmation is raised depends on the individual implementation of each analyzer, there
individual implementation of each analyzer, there is no specific meaning is no specific meaning to the order that the services appear. However, the order should
to the order that the services appear. However, the order should be be deterministic between runs. It also will in many cases represent the order in which
deterministic between runs. It also will in many cases represent layered protocols are parsed (e.g. "quic,ssl").
the order in which layered protocols are parsed (e.g. "quic,ssl").
- The way that protocol violations are handled by the dynamic protocol - The way that protocol violations are handled by the dynamic protocol detection (DPD)
detection (DPD) changed. Now, a violation that is raised by an analyzer changed. Now, a violation that is raised by an analyzer before it is confirmed will
before it is confirmed will immediately disable the analyzer. This adjusts immediately disable the analyzer. This adjusts the behavior back to the historically
the behavior back to the historically desired state, and aligns it with desired state, and aligns it with the treatment of confirmed analyzers.
the treatment of confirmed analyzers.
As a consequence of this, the option ``DPD::max_violations`` is no longer used. As a consequence of this, the option ``DPD::max_violations`` is no longer used.
It will be retained till Zeek 8.1 to prevent script errors, and raises a It will be retained till Zeek 8.1 to prevent script errors, and raises a
deprecation warning. deprecation warning.
To extend the visibility of protocol violations, a new option To extend the visibility of protocol violations, a new option
``DPD::track_removed_services_in_connection`` was added. Enabling it causes ``DPD::track_removed_services_in_connection`` was added. Enabling it causes failed
failed analyzers to no longer be removed from the ``service`` field of the analyzers to no longer be removed from the ``service`` field of the connection
connection log. Instead, analyzers are never removed after they are log. Instead, analyzers are never removed after they are confirmed. Instead, failed
confirmed. Instead, failed analyzers are logged by additionally adding an analyzers are logged by additionally adding an entry with a prepended "-". So a
entry with a prepended "-". So a connection that attached the ``ssl`` connection that attached the ``ssl`` analyzer which later failed due to a protocol error
analyzer which later failed due to a protocol error will be logged as will be logged as ``ssl,-ssl``.
``ssl,-ssl``.
This change also adds a new policy script, This change also adds a new policy script,
``protocols/conn/failed-service-logging.zeek``. Loading this script adds the ``protocols/conn/failed-service-logging.zeek``. Loading this script adds the column
column ``failed_service`` to the connection.log. This column contains the ``failed_service`` to the connection.log. This column contains the list of protocol
list of protocol analyzers that failed due to a protocol error. analyzers that failed due to a protocol error.
- Command line options processing will no longer print usage whenever there - Command line options processing will no longer print usage whenever there is an
is an error. Instead, issues in command line processing will print an error, error. Instead, issues in command line processing will print an error, then prompt to
then prompt to use --help. The --help usage will now print to standard output use --help. The --help usage will now print to standard output rather than standard
rather than standard error. error.
- Saving seeds with ``--save-seeds`` will now put Zeek into deterministic mode. - Saving seeds with ``--save-seeds`` will now put Zeek into deterministic mode. A
A subsequent ``--load-seeds`` run with the same scripts and traces will produce subsequent ``--load-seeds`` run with the same scripts and traces will produce identical
identical UID values as the original ``--save-seeds` run. UID values as the original ``--save-seeds` run.
- The `policy/protocols/dns/detect-external-names.zeek` script now no longer logs - The `policy/protocols/dns/detect-external-names.zeek` script now no longer logs names
names that were found in mDNS broadcasts by default. This is configurable with that were found in mDNS broadcasts by default. This is configurable with the new
the new `DNS::skip_resp_host_port_pairs` option. `DNS::skip_resp_host_port_pairs` option.
Furthermore, the script now supports and logs IPv6 results. Furthermore, the script now supports and logs IPv6 results.
- The ``mkdir()``, ``rmdir()``, ``unlink()``, and ``rename()`` functions now - The ``mkdir()``, ``rmdir()``, ``unlink()``, and ``rename()`` functions now trigger
trigger reporter warnings instead of builtin errors when hitting trouble. This reporter warnings instead of builtin errors when hitting trouble. This allows Zeek to
allows Zeek to continue gracefully in case of such problems, particularly continue gracefully in case of such problems, particularly during ``zeek_init()``.
during ``zeek_init()``.
- The RDP analyzer now also parses connections that do not contain the cookie - The RDP analyzer now also parses connections that do not contain the cookie field, which
field, which were previously rejected. were previously rejected.
- An enum's zeek::detail::ID instance now holds its ``EnumVal``. For example, - An enum's zeek::detail::ID instance now holds its ``EnumVal``. For example, looking up
looking up the "Conn::LOG" identifier allows to directly query the ``EnumVal`` the "Conn::LOG" identifier allows to directly query the ``EnumVal`` using
using ``ID::GetVal()``. ``ID::GetVal()``.
- When the send buffer to a Broker peer overflows and the "disconnect" overflow - When the send buffer to a Broker peer overflows and the "disconnect" overflow policy is
policy is in use, Zeek now only attempts to re-establish peerings when the in use, Zeek now only attempts to re-establish peerings when the node observing the
node observing the overflow originally established the peering. That is, overflow originally established the peering. That is, re-peering is now only attempted
re-peering is now only attempted in consistency with the underlying Broker in consistency with the underlying Broker peering topology. This avoids pointless
peering topology. This avoids pointless connection attempts to ephemeral TCP connection attempts to ephemeral TCP client-side ports, which clould clutter the Broker
client-side ports, which clould clutter the Broker logs. logs.
Removed Functionality Removed Functionality
--------------------- ---------------------
@ -161,10 +154,9 @@ Removed Functionality
Deprecated Functionality Deprecated Functionality
------------------------ ------------------------
- Support for DNS resolution of hostname literals in Zeek scripts has been - Support for DNS resolution of hostname literals in Zeek scripts has been deprecated. If
deprecated. If you've used this feature, use the new ``blocking_lookup_hostname()`` you've used this feature, use the new ``blocking_lookup_hostname()`` builtin function to
builtin function to populate sets or tables in a ``zeek_init()`` handler, populate sets or tables in a ``zeek_init()`` handler, or with top-level statements.
or with top-level statements.
- ``Broker::listen_websocket()`` was deprecated in favor of ``Cluster::listen_websocket()`. - ``Broker::listen_websocket()`` was deprecated in favor of ``Cluster::listen_websocket()`.