Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Remove deprecations tagged for v8.1

Browse source
This commit is contained in:
Tim Wojtulewicz 2025-08-04 15:41:23 -07:00
parent e4dab3dded
commit d95affde4d
108 changed files with 113 additions and 2230 deletions
Download patch file Download diff file Expand all files Collapse all files

4
scripts/base/frameworks/analyzer/dpd.zeek
View file

@ -6,9 +6,6 @@
module DPD;
export {
## Deprecated, please see https://github.com/zeek/zeek/pull/4200 for details
option max_violations: table[Analyzer::Tag] of count = table() &deprecated="Remove in v8.1: This has become non-functional in Zeek 7.2, see PR #4200" &default = 5;
## Analyzers which you don't want to remove on violations.
option ignore_violations: set[Analyzer::Tag] = set();
@ -110,4 +107,3 @@ event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationI
if ( disabled )
event analyzer_failed(network_time(), atype, info);
}

86
scripts/base/frameworks/broker/main.zeek
View file

@ -28,7 +28,7 @@ export {
## Default address on which to listen for WebSocket connections.
##
## .. zeek:see:: Broker::listen_websocket
## .. zeek:see:: Cluster::listen_websocket
const default_listen_address_websocket = getenv("ZEEK_DEFAULT_LISTEN_ADDRESS") &redef;
## Default interval to retry connecting to a peer if it cannot be made to
@ -69,11 +69,6 @@ export {
## all peers.
const ssl_keyfile = "" &redef;
## The number of buffered messages at the Broker/CAF layer after which
## a subscriber considers themselves congested (i.e. tune the congestion
## control mechanisms).
const congestion_queue_size = 200 &redef &deprecated="Remove in v8.1. Non-functional since v5.0";
## The max number of log entries per log stream to batch together when
## sending log messages to a remote logger.
const log_batch_size = 400 &redef;
@ -319,27 +314,6 @@ export {
p: port &default = default_port,
retry: interval &default = default_listen_retry): port;
## Listen for remote connections using WebSocket.
##
## a: an address string on which to accept connections, e.g.
## "127.0.0.1". An empty string refers to INADDR_ANY.
##
## p: the TCP port to listen on. The value 0 means that the OS should choose
## the next available free port.
##
## retry: If non-zero, retries listening in regular intervals if the port cannot be
## acquired immediately. 0 disables retries. If the
## ZEEK_DEFAULT_LISTEN_RETRY environment variable is set (as number
## of seconds), it overrides any value given here.
##
## Returns: the bound port or 0/? on failure.
##
## .. zeek:see:: Broker::status
global listen_websocket: function(a: string &default = default_listen_address_websocket,
p: port &default = default_port_websocket,
retry: interval &default = default_listen_retry): port
&deprecated="Remove in v8.1. Switch to Cluster::listen_websocket() instead.";
## Initiate a remote connection.
##
## a: an address to connect to, e.g. "localhost" or "127.0.0.1".
@ -450,29 +424,6 @@ export {
##
## Returns: true if a new event forwarding/subscription is now registered.
global forward: function(topic_prefix: string): bool;
## Automatically send an event to any interested peers whenever it is
## locally dispatched. (For example, using "event my_event(...);" in a
## script.)
##
## topic: a topic string associated with the event message.
## Peers advertise interest by registering a subscription to some
## prefix of this topic name.
##
## ev: a Zeek event value.
##
## Returns: true if automatic event sending is now enabled.
global auto_publish: function(topic: string, ev: any): bool &deprecated="Remove in v8.1. Switch to explicit Cluster::publish() calls. Auto-publish won't work with all cluster backends.";
## Stop automatically sending an event to peers upon local dispatch.
##
## topic: a topic originally given to :zeek:see:`Broker::auto_publish`.
##
## ev: an event originally given to :zeek:see:`Broker::auto_publish`.
##
## Returns: true if automatic events will not occur for the topic/event
## pair.
global auto_unpublish: function(topic: string, ev: any): bool &deprecated="Remove in v8.1. See Broker::auto_publish()";
}
@load base/bif/comm.bif
@ -514,31 +465,6 @@ function listen(a: string, p: port, retry: interval): port
return bound;
}
event retry_listen_websocket(a: string, p: port, retry: interval)
{
@pragma push ignore-deprecations
listen_websocket(a, p, retry);
@pragma pop ignore-deprecations
}
function listen_websocket(a: string, p: port, retry: interval): port
{
local bound = __listen(a, p, Broker::WEBSOCKET);
if ( bound == 0/tcp )
{
local e = getenv("ZEEK_DEFAULT_LISTEN_RETRY");
if ( e != "" )
retry = double_to_interval(to_double(e));
if ( retry != 0secs )
schedule retry { retry_listen_websocket(a, p, retry) };
}
return bound;
}
function peer(a: string, p: port, retry: interval): bool
{
return __peer(a, p, retry);
@ -593,13 +519,3 @@ function unsubscribe(topic_prefix: string): bool
{
return __unsubscribe(topic_prefix);
}
function auto_publish(topic: string, ev: any): bool
{
return __auto_publish(topic, ev);
}
function auto_unpublish(topic: string, ev: any): bool
{
return __auto_unpublish(topic, ev);
}

2
scripts/base/frameworks/cluster/main.zeek
View file

@ -362,8 +362,6 @@ export {
## WebSocket server options to pass to :zeek:see:`Cluster::listen_websocket`.
type WebSocketServerOptions: record {
## The host address to listen on.
listen_host: string &optional &deprecated="Remove in v8.1: Use $listen_addr instead.";
## The address to listen on, cannot be used together with ``listen_host``.
listen_addr: addr &optional;
## The port the WebSocket server is supposed to listen on.

23
scripts/base/frameworks/telemetry/main.zeek
View file

@ -245,16 +245,6 @@ export {
label_values: labels_vector,
measurement: double): bool;
## Interval at which the :zeek:see:`Telemetry::sync` hook is invoked.
##
## By default, the hook is invoked on demand, setting this option to
## a positive interval allows to invoke it regularly, too. Regular
## invocations are relative to Zeek's network time.
##
## Note that on-demand hook invocation will happen even if this
## is set.
option sync_interval = 0sec &deprecated="Remove in 8.1. If you require regular sync invocation, do so explicitly in a scheduled event.";
## Collect all counter and gauge metrics matching the given *name* and *prefix*.
##
## For histogram metrics, use the :zeek:see:`Telemetry::collect_histogram_metrics`.
@ -465,14 +455,6 @@ function collect_histogram_metrics(prefix: string, name: string): vector of Hist
return Telemetry::__collect_histogram_metrics(prefix, name);
}
event run_sync_hook()
{
hook Telemetry::sync();
@pragma push ignore-deprecations
schedule sync_interval { run_sync_hook() };
@pragma pop ignore-deprecations
}
# Expose the Zeek version as Prometheus style info metric
global version_gauge_family = Telemetry::register_gauge_family(Telemetry::MetricOpts(
$prefix="zeek",
@ -485,11 +467,6 @@ global version_gauge_family = Telemetry::register_gauge_family(Telemetry::Metric
event zeek_init()
{
@pragma push ignore-deprecations
if ( sync_interval > 0sec )
schedule sync_interval { run_sync_hook() };
@pragma pop ignore-deprecations
local v = Version::info;
local labels = vector(cat(v$version_number),
cat(v$major), cat(v$minor), cat (v$patch),

15
scripts/base/init-bare.zeek
View file

@ -1726,18 +1726,6 @@ const tcp_excessive_data_without_further_acks = 10 * 1024 * 1024 &redef;
## buffering.
const tcp_max_old_segments = 0 &redef;
## For services without a handler, these sets define originator-side ports
## that still trigger reassembly.
##
## .. zeek:see:: tcp_reassembler_ports_resp
const tcp_reassembler_ports_orig: set[port] = {} &redef &deprecated="Remove in v8.1. Non-functional since v4.1";
## For services without a handler, these sets define responder-side ports
## that still trigger reassembly.
##
## .. zeek:see:: tcp_reassembler_ports_orig
const tcp_reassembler_ports_resp: set[port] = {} &redef &deprecated="Remove in v8.1. Non-functional since v4.1";
## Defines destination TCP ports for which the contents of the originator stream
## should be delivered via :zeek:see:`tcp_contents`.
##
@ -3063,9 +3051,8 @@ type dns_binds_rr: record {
algorithm: count; ##< Algorithm for Public Key.
key_id: count; ##< key tag.
removal_flag: count; ##< rm flag.
complte_flag: string &deprecated="Remove in v8.1: Use complete_flag instead."; ##< complete flag.
is_query: count; ##< The RR is a query/Response.
complete_flag: count; ##< complete flag.
is_query: count; ##< The RR is a query/Response.
};
## A Private RR type LOC record.

96
scripts/policy/frameworks/analyzer/deprecated-dpd-log.zeek
View file

@ -1,96 +0,0 @@
##! Creates the now deprecated dpd.logfile.
# Remove in v8.1
module DPD;
export {
## Add the DPD logging stream identifier.
redef enum Log::ID += { LOG };
## A default logging policy hook for the stream.
global log_policy: Log::PolicyHook;
## The record type defining the columns to log in the DPD logging stream.
type Info: record {
## Timestamp for when protocol analysis failed.
ts: time &log;
## Connection unique ID.
uid: string &log;
## Connection ID containing the 4-tuple which identifies endpoints.
id: conn_id &log;
## Transport protocol for the violation.
proto: transport_proto &log;
## The analyzer that generated the violation.
analyzer: string &log;
## The textual reason for the analysis failure.
failure_reason: string &log;
};
}
redef record connection += {
dpd: Info &optional;
## The set of services (analyzers) for which Zeek has observed a
## violation after the same service had previously been confirmed.
service_violation: set[string] &default=set() &ordered &deprecated="Remove in v8.1. Consider using failed_analyzers instead";
};
event zeek_init() &priority=5
{
Log::create_stream(DPD::LOG, Log::Stream($columns=Info, $path="dpd", $policy=log_policy));
}
# before the same event in dpd.zeek
event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationInfo) &priority=15
{
if ( ! is_protocol_analyzer(atype) && ! is_packet_analyzer(atype) )
return;
if ( ! info?$c )
return;
local c = info$c;
local analyzer = Analyzer::name(atype);
# If the service hasn't been confirmed yet, or already failed,
# don't generate a log message for the protocol violation.
if ( analyzer !in c$service || analyzer in c$service_violation )
return;
add c$service_violation[analyzer];
local dpd: Info;
dpd$ts = network_time();
dpd$uid = c$uid;
dpd$id = c$id;
dpd$proto = get_port_transport_proto(c$id$orig_p);
dpd$analyzer = analyzer;
# Encode data into the reason if there's any as done for the old
# analyzer_violation event, previously.
local reason = info$reason;
if ( info?$data )
{
local ellipsis = |info$data| > 40 ? "..." : "";
local data = info$data[0:40];
reason = fmt("%s [%s%s]", reason, data, ellipsis);
}
dpd$failure_reason = reason;
c$dpd = dpd;
}
event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationInfo ) &priority=-5
{
if ( ! is_protocol_analyzer(atype) && ! is_packet_analyzer(atype) )
return;
if ( ! info?$c )
return;
if ( info$c?$dpd )
{
Log::write(DPD::LOG, info$c$dpd);
delete info$c$dpd;
}
}

3
scripts/policy/frameworks/dpd/detect-protocols.zeek
View file

@ -1,3 +0,0 @@
@deprecated("frameworks/dpd/detect-protocols.zeek moved to frameworks/analyzer/detect-protocols.zeek. Please switch to frameworks/analyzer/detect-protocols.zeek. Remove in 8.1")
@load frameworks/analyzer/detect-protocols.zeek

34
scripts/policy/frameworks/dpd/packet-segment-logging.zeek
View file

@ -1,34 +0,0 @@
@deprecated("Please switch to frameworks/analyzer/packet-segment-logging, which logs to analyzer.log. Remove in 8.1")
##! This script enables logging of packet segment data when a protocol
##! parsing violation is encountered. The amount of data from the
##! packet logged is set by the :zeek:see:`DPD::packet_segment_size` variable.
##! A caveat to logging packet data is that in some cases, the packet may
##! not be the packet that actually caused the protocol violation.
@load frameworks/analyzer/deprecated-dpd-log
module DPD;
export {
redef record Info += {
## A chunk of the payload that most likely resulted in the
## analyzer violation.
packet_segment: string &optional &log;
};
## Size of the packet segment to display in the DPD log.
option packet_segment_size: int = 255;
}
event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationInfo) &priority=4
{
if ( ! is_protocol_analyzer(atype) && ! is_packet_analyzer(atype) )
return;
if ( ! info?$c || ! info$c?$dpd )
return;
info$c$dpd$packet_segment = fmt("%s", sub_bytes(get_current_packet()$data, 0, packet_segment_size));
}

7
scripts/policy/frameworks/management/controller/main.zeek
View file

@ -4,6 +4,7 @@
##! by the supervisor.
@load base/frameworks/broker
@load base/frameworks/cluster
@load policy/frameworks/management
@load policy/frameworks/management/agent/config # For the agent topic prefix
@ -1644,9 +1645,9 @@ event zeek_init()
if ( cni$bound_port != 0/unknown )
{
@pragma push ignore-deprecations
Broker::listen_websocket(cat(cni$address), cni$bound_port);
@pragma pop ignore-deprecations
local ws_opts = Cluster::WebSocketServerOptions($listen_addr=to_addr(cni$address),
$listen_port=cni$bound_port);
Cluster::listen_websocket(ws_opts);
websocket_info = fmt("websocket port %s:%s", cni$address, cni$bound_port);
}

142
scripts/policy/protocols/http/detect-sqli.zeek
View file

@ -1,142 +0,0 @@
##! SQL injection attack detection in HTTP.
## This package is deprecated in favor of detect-sql-injection.zeek.
##
## The replacement script annotates the notices it generates with
## an associated $uid connection identifier; always provides an attacker
## IP address in the $src field; and always provides a victim IP address
## in the $dst field. The notices generated by this script, on the other
## hand, lack a $uid identifier, and do not provide $dst information.
## In addition, for SQL_Injection_Victim notices, this script provides the
## victim's IP address in the $src field, which some find counter-intuitive.
##
## In addition, the replacement script removes support for generating
## Notice emails.
@deprecated "Remove in v8.1: Switch to the improved detect-sql-injection script"
@load base/frameworks/notice
@load base/frameworks/sumstats
@load base/protocols/http
module HTTP;
export {
redef enum Notice::Type += {
## Indicates that a host performing SQL injection attacks was
## detected.
SQL_Injection_Attacker,
## Indicates that a host was seen to have SQL injection attacks
## against it. This is tracked by IP address as opposed to
## hostname.
SQL_Injection_Victim,
};
redef enum Tags += {
## Indicator of a URI based SQL injection attack.
URI_SQLI,
## Indicator of client body based SQL injection attack. This is
## typically the body content of a POST request. Not implemented
## yet.
POST_SQLI,
## Indicator of a cookie based SQL injection attack. Not
## implemented yet.
COOKIE_SQLI,
};
## Defines the threshold that determines if an SQL injection attack
## is ongoing based on the number of requests that appear to be SQL
## injection attacks.
const sqli_requests_threshold: double = 50.0 &redef;
## Interval at which to watch for the
## :zeek:id:`HTTP::sqli_requests_threshold` variable to be crossed.
## At the end of each interval the counter is reset.
const sqli_requests_interval = 5min &redef;
## Collecting samples will add extra data to notice emails
## by collecting some sample SQL injection url paths. Disable
## sample collection by setting this value to 0.
const collect_SQLi_samples = 5 &redef;
## Regular expression is used to match URI based SQL injections.
const match_sql_injection_uri =
/[\?&][^[:blank:]\x00-\x1f\|\+]+?=[\-[:alnum:]%]+([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/)*['"]?([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/|\)?;)+.*?([hH][aA][vV][iI][nN][gG]|[uU][nN][iI][oO][nN]|[eE][xX][eE][cC]|[sS][eE][lL][eE][cC][tT]|[dD][eE][lL][eE][tT][eE]|[dD][rR][oO][pP]|[dD][eE][cC][lL][aA][rR][eE]|[cC][rR][eE][aA][tT][eE]|[iI][nN][sS][eE][rR][tT])([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/)+/
| /[\?&][^[:blank:]\x00-\x1f\|\+]+?=[\-0-9%]+([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/)*['"]?([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/|\)?;)+([xX]?[oO][rR]|[nN]?[aA][nN][dD])([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/)+['"]?(([^a-zA-Z&]+)?=|[eE][xX][iI][sS][tT][sS])/
| /[\?&][^[:blank:]\x00-\x1f\+]+?=[\-0-9%]*([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/)*['"]([[:blank:]\x00-\x1f]|\/\*.*?\*\/)*(-|=|\+|\|\|)([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/)*([0-9]|\(?[cC][oO][nN][vV][eE][rR][tT]|[cC][aA][sS][tT])/
| /[\?&][^[:blank:]\x00-\x1f\|\+]+?=([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/)*['"]([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/|;)*([xX]?[oO][rR]|[nN]?[aA][nN][dD]|[hH][aA][vV][iI][nN][gG]|[uU][nN][iI][oO][nN]|[eE][xX][eE][cC]|[sS][eE][lL][eE][cC][tT]|[dD][eE][lL][eE][tT][eE]|[dD][rR][oO][pP]|[dD][eE][cC][lL][aA][rR][eE]|[cC][rR][eE][aA][tT][eE]|[rR][eE][gG][eE][xX][pP]|[iI][nN][sS][eE][rR][tT])([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/|[\[(])+[a-zA-Z&]{2,}/
| /[\?&][^[:blank:]\x00-\x1f\+]+?=[^\.]*?([cC][hH][aA][rR]|[aA][sS][cC][iI][iI]|[sS][uU][bB][sS][tT][rR][iI][nN][gG]|[tT][rR][uU][nN][cC][aA][tT][eE]|[vV][eE][rR][sS][iI][oO][nN]|[lL][eE][nN][gG][tT][hH])\(/
| /\/\*![[:digit:]]{5}.*?\*\// &redef;
## A hook that can be used to prevent specific requests from being counted
## as an injection attempt. Use a 'break' statement to exit the hook
## early and ignore the request.
global HTTP::sqli_policy: hook(c: connection, method: string, unescaped_URI: string);
}
function format_sqli_samples(samples: vector of SumStats::Observation): string
{
local ret = "SQL Injection samples\n---------------------";
for ( i in samples )
ret += "\n" + samples[i]$str;
return ret;
}
event zeek_init() &priority=3
{
# Add filters to the metrics so that the metrics framework knows how to
# determine when it looks like an actual attack and how to respond when
# thresholds are crossed.
local r1 = SumStats::Reducer($stream="http.sqli.attacker", $apply=set(SumStats::SUM, SumStats::SAMPLE), $num_samples=collect_SQLi_samples);
SumStats::create(SumStats::SumStat($name="detect-sqli-attackers",
$epoch=sqli_requests_interval,
$reducers=set(r1),
$threshold_val(key: SumStats::Key, result: SumStats::Result) =
{
return result["http.sqli.attacker"]$sum;
},
$threshold=sqli_requests_threshold,
$threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
{
local r = result["http.sqli.attacker"];
NOTICE(Notice::Info($note=SQL_Injection_Attacker,
$msg="An SQL injection attacker was discovered!",
$email_body_sections=vector(format_sqli_samples(r$samples)),
$src=key$host,
$identifier=cat(key$host)));
}));
local r2 = SumStats::Reducer($stream="http.sqli.victim", $apply=set(SumStats::SUM, SumStats::SAMPLE), $num_samples=collect_SQLi_samples);
SumStats::create(SumStats::SumStat($name="detect-sqli-victims",
$epoch=sqli_requests_interval,
$reducers=set(r2),
$threshold_val(key: SumStats::Key, result: SumStats::Result) =
{
return result["http.sqli.victim"]$sum;
},
$threshold=sqli_requests_threshold,
$threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
{
local r = result["http.sqli.victim"];
NOTICE(Notice::Info($note=SQL_Injection_Victim,
$msg="An SQL injection victim was discovered!",
$email_body_sections=vector(format_sqli_samples(r$samples)),
$src=key$host,
$identifier=cat(key$host)));
}));
}
event http_request(c: connection, method: string, original_URI: string,
unescaped_URI: string, version: string) &priority=3
{
if ( ! hook HTTP::sqli_policy(c, method, unescaped_URI) )
return;
if ( match_sql_injection_uri in unescaped_URI )
{
add c$http$tags[URI_SQLI];
SumStats::observe("http.sqli.attacker", SumStats::Key($host=c$id$orig_h), SumStats::Observation($str=original_URI));
SumStats::observe("http.sqli.victim", SumStats::Key($host=c$id$resp_h), SumStats::Observation($str=original_URI));
}
}

4
scripts/test-all-policy.zeek
View file

@ -11,7 +11,6 @@
@load frameworks/analyzer/debug-logging.zeek
@load frameworks/analyzer/detect-protocols.zeek
# @load frameworks/analyzer/deprecated-dpd-log.zeek
@load frameworks/analyzer/packet-segment-logging.zeek
# @load frameworks/control/controllee.zeek
# @load frameworks/control/controller.zeek
@ -50,8 +49,6 @@
@load frameworks/management/request.zeek
@load frameworks/management/types.zeek
@load frameworks/management/util.zeek
# @load frameworks/dpd/detect-protocols.zeek
# @load frameworks/dpd/packet-segment-logging.zeek
@load frameworks/intel/do_notice.zeek
@load frameworks/intel/do_expire.zeek
@load frameworks/intel/whitelist.zeek
@ -126,7 +123,6 @@
@load protocols/ftp/detect-bruteforcing.zeek
@load protocols/ftp/detect.zeek
@load protocols/ftp/software.zeek
# @load protocols/http/detect-sqli.zeek
@load protocols/http/detect-sql-injection.zeek
@load protocols/http/detect-webapps.zeek
@load protocols/http/header-names.zeek

14
scripts/zeekygen/__load__.zeek
View file

@ -1,14 +1,8 @@
@load test-all-policy.zeek
# Scripts which are commented out in test-all-policy.zeek.
@load frameworks/analyzer/deprecated-dpd-log.zeek
@load frameworks/conn_key/vlan_fivetuple.zeek
# Remove in v8.1: replaced by frameworks/analyzer/detect-protocols.zeek
@pragma push ignore-deprecations
@load frameworks/dpd/detect-protocols.zeek
@pragma pop ignore-deprecations
@load protocols/ssl/decryption.zeek
@ifdef ( Cluster::CLUSTER_BACKEND_ZEROMQ )
@load frameworks/cluster/backend/zeromq/connect.zeek
@ -17,11 +11,6 @@
@load frameworks/control/controllee.zeek
@load frameworks/control/controller.zeek
# Remove in v8.1: replaced by frameworks/analyzer/packet-segment-logging.zeek
@pragma push ignore-deprecations
@load frameworks/dpd/packet-segment-logging.zeek
@pragma pop ignore-deprecations
@load frameworks/management/agent/main.zeek
@load frameworks/management/controller/main.zeek
@load frameworks/management/node/__load__.zeek
@ -31,9 +20,6 @@
@load policy/misc/dump-events.zeek
@load policy/protocols/conn/speculative-service.zeek
# Remove in v8.1: This script is deprecated and conflicts with detect-sql-injection.zeek
# @load policy/protocols/http/detect-sqli.zeek
@if ( have_spicy() )
# Loading this messes up documentation of some elements defined elsewhere.
# @load frameworks/spicy/record-spicy-batch.zeek