Updating CHANGES and VERSION.

Update docs submodule [nomail] [skip ci]
Merge remote-tracking branch 'origin/topic/christian/news-contributors'
2025-10-14 12:38:20 +00:00 · 2024-03-13 11:02:11 -07:00 · 2024-03-13 10:53:51 -07:00 · 2024-03-13 10:19:42 -07:00 · 2024-03-04 13:11:25 -07:00 · 2024-03-04 13:04:32 -07:00
5368 changed files with 182922 additions and 674964 deletions
--- a/.cirrus.yml
+++ b/.cirrus.yml
@ -10,16 +10,12 @@ btest_jobs: &BTEST_JOBS 4
 btest_retries: &BTEST_RETRIES 2
 memory: &MEMORY 16GB

-config: &CONFIG --build-type=release --disable-broker-tests --prefix=$CIRRUS_WORKING_DIR/install --ccache --enable-werror -D FETCHCONTENT_FULLY_DISCONNECTED:BOOL=ON
+config: &CONFIG --build-type=release --disable-broker-tests --prefix=$CIRRUS_WORKING_DIR/install --ccache --enable-werror
 no_spicy_config: &NO_SPICY_CONFIG --build-type=release --disable-broker-tests --disable-spicy --prefix=$CIRRUS_WORKING_DIR/install --ccache --enable-werror
 static_config: &STATIC_CONFIG --build-type=release --disable-broker-tests --enable-static-broker --enable-static-binpac --prefix=$CIRRUS_WORKING_DIR/install --ccache --enable-werror
-binary_config: &BINARY_CONFIG --prefix=$CIRRUS_WORKING_DIR/install --libdir=$CIRRUS_WORKING_DIR/install/lib --binary-package --enable-static-broker --enable-static-binpac --disable-broker-tests --build-type=Release --ccache --enable-werror
-spicy_ssl_config: &SPICY_SSL_CONFIG --build-type=release --disable-broker-tests --enable-spicy-ssl --prefix=$CIRRUS_WORKING_DIR/install --ccache --enable-werror
-asan_sanitizer_config: &ASAN_SANITIZER_CONFIG --build-type=debug --disable-broker-tests --sanitizers=address --enable-fuzzers --enable-coverage --ccache --enable-werror
-ubsan_sanitizer_config: &UBSAN_SANITIZER_CONFIG --build-type=debug --disable-broker-tests --sanitizers=undefined --enable-fuzzers --ccache --enable-werror
-tsan_sanitizer_config: &TSAN_SANITIZER_CONFIG --build-type=debug --disable-broker-tests --sanitizers=thread --enable-fuzzers --ccache --enable-werror
-macos_config: &MACOS_CONFIG --build-type=release --disable-broker-tests --prefix=$CIRRUS_WORKING_DIR/install --ccache --enable-werror --with-krb5=/opt/homebrew/opt/krb5
-clang_tidy_config: &CLANG_TIDY_CONFIG --build-type=debug --disable-broker-tests --prefix=$CIRRUS_WORKING_DIR/install --ccache --enable-werror --enable-clang-tidy
+asan_sanitizer_config: &ASAN_SANITIZER_CONFIG --build-type=debug --disable-broker-tests --sanitizers=address --enable-fuzzers --enable-coverage --disable-spicy --ccache --enable-werror
+ubsan_sanitizer_config: &UBSAN_SANITIZER_CONFIG --build-type=debug --disable-broker-tests --sanitizers=undefined --enable-fuzzers --disable-spicy --ccache --enable-werror
+tsan_sanitizer_config: &TSAN_SANITIZER_CONFIG --build-type=debug --disable-broker-tests --sanitizers=thread --enable-fuzzers --disable-spicy --ccache --enable-werror

 resources_template: &RESOURCES_TEMPLATE
  cpu: *CPUS
@ -35,11 +31,11 @@ macos_environment: &MACOS_ENVIRONMENT
    ZEEK_CI_BTEST_JOBS: 12
    # No permission to write to default location of /zeek
    CIRRUS_WORKING_DIR: /tmp/zeek
-    ZEEK_CI_CONFIGURE_FLAGS: *MACOS_CONFIG

 freebsd_resources_template: &FREEBSD_RESOURCES_TEMPLATE
  cpu: 8
-  memory: *MEMORY
+  # Not allowed to request less than 8GB for an 8 CPU FreeBSD VM.
+  memory: 8GB
  # For greediness, see https://medium.com/cirruslabs/introducing-greedy-container-instances-29aad06dc2b4
  greedy: true

@ -48,108 +44,40 @@ freebsd_environment: &FREEBSD_ENVIRONMENT
    ZEEK_CI_CPUS: 8
    ZEEK_CI_BTEST_JOBS: 8

-only_if_pr_master_release: &ONLY_IF_PR_MASTER_RELEASE
+builds_only_if_template: &BUILDS_ONLY_IF_TEMPLATE
+  # Rules for skipping builds:
+  # - Do not run builds for anything that's cron triggered
+  # - Don't do darwin builds on zeek-security repo because they use up a ton of compute credits.
+  # - Always build PRs, but not if they come from dependabot
+  # - Always build master and release/* builds from the main repo
  only_if: >
+    ( $CIRRUS_CRON == '' ) &&
+    ( ( $CIRRUS_PR != '' && $CIRRUS_BRANCH !=~ 'dependabot/.*' ) ||
    ( ( $CIRRUS_REPO_NAME == 'zeek' || $CIRRUS_REPO_NAME == 'zeek-security' ) &&
-      ( $CIRRUS_CRON != 'weekly' ) &&
-      ( $CIRRUS_PR != '' ||
-        $CIRRUS_BRANCH == 'master' ||
-        $CIRRUS_BRANCH =~ 'release/.*'
+      (
+      $CIRRUS_BRANCH == 'master' ||
+      $CIRRUS_BRANCH =~ 'release/.*'
      )
-    )
+    ) )

-only_if_pr_master_release_nightly: &ONLY_IF_PR_MASTER_RELEASE_NIGHTLY
+skip_task_on_pr: &SKIP_TASK_ON_PR
+  # Skip this task on PRs if it does not have the fullci label,
+  # it continues to run for direct pushes to master/release.
+  skip: >
+    ($CIRRUS_PR != '' && $CIRRUS_PR_LABELS !=~ '.*fullci.*')
+
+benchmark_only_if_template: &BENCHMARK_ONLY_IF_TEMPLATE
+  # only_if condition for cron-triggered benchmarking tests.
+  # These currently do not run for release/.*
  only_if: >
-    ( ( $CIRRUS_REPO_NAME == 'zeek' || $CIRRUS_REPO_NAME == 'zeek-security' ) &&
-      ( $CIRRUS_CRON != 'weekly' ) &&
-      ( $CIRRUS_PR != '' ||
-        $CIRRUS_BRANCH == 'master' ||
-        $CIRRUS_BRANCH =~ 'release/.*' ||
-        ( $CIRRUS_CRON == 'nightly' && $CIRRUS_BRANCH == 'master' )
-      )
-    )
-
-only_if_pr_release_and_nightly: &ONLY_IF_PR_RELEASE_AND_NIGHTLY
-  only_if: >
-    ( ( $CIRRUS_REPO_NAME == 'zeek' || $CIRRUS_REPO_NAME == 'zeek-security' ) &&
-      ( $CIRRUS_CRON != 'weekly' ) &&
-      ( $CIRRUS_PR != '' ||
-        $CIRRUS_BRANCH =~ 'release/.*' ||
-        ( $CIRRUS_CRON == 'nightly' && $CIRRUS_BRANCH == 'master' )
-      )
-    )
-
-only_if_pr_nightly: &ONLY_IF_PR_NIGHTLY
-  only_if: >
-    ( ( $CIRRUS_REPO_NAME == 'zeek' || $CIRRUS_REPO_NAME == 'zeek-security' ) &&
-      ( $CIRRUS_CRON != 'weekly' ) &&
-      ( $CIRRUS_PR != '' ||
-        ( $CIRRUS_CRON == 'nightly' && $CIRRUS_BRANCH == 'master' )
-      )
-    )
-
-only_if_release_tag_nightly: &ONLY_IF_RELEASE_TAG_NIGHTLY
-  only_if: >
-    ( ( $CIRRUS_REPO_NAME == 'zeek' ) &&
-      ( $CIRRUS_CRON != 'weekly' ) &&
-      ( ( $CIRRUS_BRANCH =~ 'release/.*' && $CIRRUS_TAG =~ 'v[0-9]+\.[0-9]+\.[0-9]+(-rc[0-9]+)?$' ) ||
-        ( $CIRRUS_CRON == 'nightly' && $CIRRUS_BRANCH == 'master' )
-      )
-    )
-
-only_if_nightly: &ONLY_IF_NIGHTLY
-  only_if: >
-    ( ( $CIRRUS_REPO_NAME == 'zeek' ) &&
-      ( $CIRRUS_CRON == 'nightly' && $CIRRUS_BRANCH == 'master' )
-    )
-
-only_if_weekly: &ONLY_IF_WEEKLY
-  only_if: >
-    ( ( $CIRRUS_REPO_NAME == 'zeek' || $CIRRUS_REPO_NAME == 'zeek-security' ) &&
-      ( $CIRRUS_CRON == 'weekly' && $CIRRUS_BRANCH == 'master' )
-    )
-
-skip_if_pr_skip_all: &SKIP_IF_PR_SKIP_ALL
-  skip: >
-    ( $CIRRUS_PR != '' && $CIRRUS_PR_LABELS =~ ".*CI: Skip All.*" )
-
-skip_if_pr_not_full_ci: &SKIP_IF_PR_NOT_FULL_CI
-  skip: >
-    ( ( $CIRRUS_PR != '' && $CIRRUS_PR_LABELS !=~ ".*CI: Full.*") ||
-      ( $CIRRUS_PR_LABELS =~ ".*CI: Skip All.*" )
-    )
-
-skip_if_pr_not_full_or_benchmark: &SKIP_IF_PR_NOT_FULL_OR_BENCHMARK
-  skip: >
-    ( ( $CIRRUS_PR != '' && $CIRRUS_PR_LABELS !=~ ".*CI: (Full|Benchmark).*" ) ||
-      ( $CIRRUS_PR_LABELS =~ ".*CI: Skip All.*" )
-    )
-
-skip_if_pr_not_full_or_cluster_test: &SKIP_IF_PR_NOT_FULL_OR_CLUSTER_TEST
-  skip: >
-    ( ( $CIRRUS_PR != '' && $CIRRUS_PR_LABELS !=~ ".*CI: (Full|Cluster Test).*" ) ||
-      ( $CIRRUS_PR_LABELS =~ ".*CI: Skip All.*" )
-    )
-
-skip_if_pr_not_full_or_zam: &SKIP_IF_PR_NOT_FULL_OR_ZAM
-  skip: >
-    ( ( $CIRRUS_PR != '' && $CIRRUS_PR_LABELS !=~ ".*CI: (Full|ZAM).*" ) ||
-      ( $CIRRUS_PR_LABELS =~ ".*CI: Skip All.*" )
-    )
-
-skip_if_pr_not_full_or_zeekctl: &SKIP_IF_PR_NOT_FULL_OR_ZEEKCTL
-  skip: >
-    ( ( $CIRRUS_PR != '' && $CIRRUS_PR_LABELS !=~ ".*CI: (Full|Zeekctl).*" ) ||
-      ( $CIRRUS_PR_LABELS =~ ".*CI: Skip All.*" )
-    )
-
-skip_if_pr_not_full_or_windows: &SKIP_IF_PR_NOT_FULL_OR_WINDOWS
-  skip: >
-    ( ( $CIRRUS_PR != '' && $CIRRUS_PR_LABELS !=~ ".*CI: (Full|Windows).*" ) ||
-      ( $CIRRUS_PR_LABELS =~ ".*CI: Skip All.*" )
-    )
+    ( $CIRRUS_REPO_NAME == 'zeek' || $CIRRUS_REPO_NAME == 'zeek-security' ) &&
+    ( $CIRRUS_CRON == 'benchmark-nightly' ||
+      $CIRRUS_PR_LABELS =~ '.*fullci.*' ||
+      $CIRRUS_PR_LABELS =~ '.*benchmark.*' )

 ci_template: &CI_TEMPLATE
+  << : *BUILDS_ONLY_IF_TEMPLATE
+
  # Default timeout is 60 minutes, Cirrus hard limit is 120 minutes for free
  # tasks, so may as well ask for full time.
  timeout_in: 120m
@ -193,7 +121,6 @@ ci_template: &CI_TEMPLATE

 env:
  CIRRUS_WORKING_DIR: /zeek
-  CIRRUS_LOG_TIMESTAMP: true
  ZEEK_CI_CPUS: *CPUS
  ZEEK_CI_BTEST_JOBS: *BTEST_JOBS
  ZEEK_CI_BTEST_RETRIES: *BTEST_RETRIES
@ -238,88 +165,45 @@ env:
 # Linux EOL timelines: https://linuxlifecycle.com/
 # Fedora (~13 months): https://fedoraproject.org/wiki/Fedora_Release_Life_Cycle

-fedora42_task:
+fedora39_task:
  container:
-    # Fedora 42 EOL: Around May 2026
-    dockerfile: ci/fedora-42/Dockerfile
+    # Fedora 39 EOL: Around Nov 2024
+    dockerfile: ci/fedora-39/Dockerfile
    << : *RESOURCES_TEMPLATE
  << : *CI_TEMPLATE
-  << : *ONLY_IF_PR_MASTER_RELEASE
-  << : *SKIP_IF_PR_SKIP_ALL
-  env:
-    ZEEK_CI_CONFIGURE_FLAGS: *BINARY_CONFIG

-fedora41_task:
+fedora38_task:
  container:
-    # Fedora 41 EOL: Around Nov 2025
-    dockerfile: ci/fedora-41/Dockerfile
+    # Fedora 38 EOL: Around May 2024
+    dockerfile: ci/fedora-38/Dockerfile
    << : *RESOURCES_TEMPLATE
  << : *CI_TEMPLATE
-  << : *ONLY_IF_PR_MASTER_RELEASE
-  << : *SKIP_IF_PR_NOT_FULL_CI
+  << : *SKIP_TASK_ON_PR

 centosstream9_task:
  container:
-    # Stream 9 EOL: 31 May 2027
+    # Stream 9 EOL: Around Dec 2027
    dockerfile: ci/centos-stream-9/Dockerfile
    << : *RESOURCES_TEMPLATE
  << : *CI_TEMPLATE
-  << : *ONLY_IF_PR_MASTER_RELEASE
-  << : *SKIP_IF_PR_NOT_FULL_CI

-centosstream10_task:
+centosstream8_task:
  container:
-    # Stream 10 EOL: 01 January 2030
-    dockerfile: ci/centos-stream-10/Dockerfile
+    # Stream 8 EOL: May 31, 2024
+    dockerfile: ci/centos-stream-8/Dockerfile
    << : *RESOURCES_TEMPLATE
  << : *CI_TEMPLATE
-  << : *ONLY_IF_PR_MASTER_RELEASE
-  << : *SKIP_IF_PR_NOT_FULL_CI
+  << : *SKIP_TASK_ON_PR

-debian13_task:
+centos7_task:
  container:
-    # Debian 13 (trixie) EOL: TBD
-    dockerfile: ci/debian-13/Dockerfile
+    # CentOS 7 EOL: June 30, 2024
+    dockerfile: ci/centos-7/Dockerfile
    << : *RESOURCES_TEMPLATE
  << : *CI_TEMPLATE
-  << : *ONLY_IF_PR_MASTER_RELEASE
-  << : *SKIP_IF_PR_NOT_FULL_CI
-
-arm_debian13_task:
-  arm_container:
-    # Debian 13 (trixie) EOL: TBD
-    dockerfile: ci/debian-13/Dockerfile
-    << : *RESOURCES_TEMPLATE
-  << : *CI_TEMPLATE
-  << : *ONLY_IF_PR_MASTER_RELEASE
-  << : *SKIP_IF_PR_SKIP_ALL
-
-debian13_static_task:
-  container:
-    # Just use a recent/common distro to run a static compile test.
-    # Debian 13 (trixie) EOL: TBD
-    dockerfile: ci/debian-13/Dockerfile
-    << : *RESOURCES_TEMPLATE
-  << : *CI_TEMPLATE
-  << : *ONLY_IF_PR_MASTER_RELEASE
-  << : *SKIP_IF_PR_NOT_FULL_CI
+  << : *SKIP_TASK_ON_PR
  env:
-    ZEEK_CI_CONFIGURE_FLAGS: *STATIC_CONFIG
-
-debian13_binary_task:
-  container:
-    # Just use a recent/common distro to run binary mode compile test.
-    # As of 2024-03, the used configure flags are equivalent to the flags
-    # that we use to create binary packages.
-    # Just use a recent/common distro to run a static compile test.
-    # Debian 13 (trixie) EOL: TBD
-    dockerfile: ci/debian-13/Dockerfile
-    << : *RESOURCES_TEMPLATE
-  << : *CI_TEMPLATE
-  << : *ONLY_IF_PR_MASTER_RELEASE
-  << : *SKIP_IF_PR_NOT_FULL_CI
-  env:
-    ZEEK_CI_CONFIGURE_FLAGS: *BINARY_CONFIG
+    ZEEK_CI_CONFIGURE_FLAGS: *NO_SPICY_CONFIG

 debian12_task:
  container:
@ -327,17 +211,48 @@ debian12_task:
    dockerfile: ci/debian-12/Dockerfile
    << : *RESOURCES_TEMPLATE
  << : *CI_TEMPLATE
-  << : *ONLY_IF_PR_MASTER_RELEASE
-  << : *SKIP_IF_PR_NOT_FULL_CI

-opensuse_leap_15_6_task:
-  container:
-    # Opensuse Leap 15.6 EOL: ~Dec 2025
-    dockerfile: ci/opensuse-leap-15.6/Dockerfile
+arm_debian12_task:
+  arm_container:
+    # Debian 12 (bookworm) EOL: TBD
+    dockerfile: ci/debian-12/Dockerfile
+    << : *RESOURCES_TEMPLATE
+  << : *CI_TEMPLATE
+  env:
+    ZEEK_CI_CONFIGURE_FLAGS: *NO_SPICY_CONFIG
+
+debian12_static_task:
+  container:
+    # Just use a recent/common distro to run a static compile test.
+    # Debian 12 (bookworm) EOL: TBD
+    dockerfile: ci/debian-12/Dockerfile
+    << : *RESOURCES_TEMPLATE
+  << : *CI_TEMPLATE
+  << : *SKIP_TASK_ON_PR
+  env:
+    ZEEK_CI_CONFIGURE_FLAGS: *STATIC_CONFIG
+
+debian11_task:
+  container:
+    # Debian 11 EOL: June 2026
+    dockerfile: ci/debian-11/Dockerfile
+    << : *RESOURCES_TEMPLATE
+  << : *CI_TEMPLATE
+  << : *SKIP_TASK_ON_PR
+
+debian10_task:
+  container:
+    # Debian 10 EOL: June 2024
+    dockerfile: ci/debian-10/Dockerfile
+    << : *RESOURCES_TEMPLATE
+  << : *CI_TEMPLATE
+
+opensuse_leap_15_5_task:
+  container:
+    # Opensuse Leap 15.5 EOL: ~Dec 2024
+    dockerfile: ci/opensuse-leap-15.5/Dockerfile
    << : *RESOURCES_TEMPLATE
  << : *CI_TEMPLATE
-  << : *ONLY_IF_PR_MASTER_RELEASE
-  << : *SKIP_IF_PR_NOT_FULL_CI

 opensuse_tumbleweed_task:
  container:
@ -346,140 +261,72 @@ opensuse_tumbleweed_task:
    << : *RESOURCES_TEMPLATE
  prepare_script: ./ci/opensuse-tumbleweed/prepare.sh
  << : *CI_TEMPLATE
-  << : *ONLY_IF_PR_MASTER_RELEASE
-  << : *SKIP_IF_PR_NOT_FULL_CI
+#  << : *SKIP_TASK_ON_PR

-weekly_current_gcc_task:
+ubuntu23_task:
  container:
-    # Opensuse Tumbleweed has no EOL
-    dockerfile: ci/opensuse-tumbleweed/Dockerfile
-    << : *RESOURCES_TEMPLATE
-  prepare_script: ./ci/opensuse-tumbleweed/prepare-weekly.sh
-  << : *CI_TEMPLATE
-  << : *ONLY_IF_WEEKLY
-  env:
-    ZEEK_CI_COMPILER: gcc
-
-weekly_current_clang_task:
-  container:
-    # Opensuse Tumbleweed has no EOL
-    dockerfile: ci/opensuse-tumbleweed/Dockerfile
-    << : *RESOURCES_TEMPLATE
-  prepare_script: ./ci/opensuse-tumbleweed/prepare-weekly.sh
-  << : *CI_TEMPLATE
-  << : *ONLY_IF_WEEKLY
-  env:
-    ZEEK_CI_COMPILER: clang
-
-ubuntu25_04_task:
-  container:
-    # Ubuntu 25.04 EOL: 2026-01-31
-    dockerfile: ci/ubuntu-25.04/Dockerfile
+    # Ubuntu 23.10 EOL: July 2024
+    dockerfile: ci/ubuntu-23.10/Dockerfile
    << : *RESOURCES_TEMPLATE
  << : *CI_TEMPLATE
-  << : *ONLY_IF_PR_MASTER_RELEASE
-  << : *SKIP_IF_PR_NOT_FULL_CI

-ubuntu24_04_task:
+ubuntu22_task:
  container:
-    # Ubuntu 24.04 EOL: Jun 2029
-    dockerfile: ci/ubuntu-24.04/Dockerfile
+    # Ubuntu 22.04 EOL: April 2027
+    dockerfile: ci/ubuntu-22.04/Dockerfile
    << : *RESOURCES_TEMPLATE
  << : *CI_TEMPLATE
-  << : *ONLY_IF_PR_MASTER_RELEASE
-  << : *SKIP_IF_PR_SKIP_ALL
  env:
    ZEEK_CI_CREATE_ARTIFACT: 1
  upload_binary_artifacts:
    path: build.tgz
  benchmark_script: ./ci/benchmark.sh
+  # Run on PRs, merges to master and release/.* and benchmark-nightly cron.
+  only_if: >
+    ( $CIRRUS_PR != '' && $CIRRUS_BRANCH !=~ 'dependabot/.*' ) ||
+    ( ( $CIRRUS_REPO_NAME == 'zeek' || $CIRRUS_REPO_NAME == 'zeek-security' ) &&
+        $CIRRUS_BRANCH == 'master' ||
+        $CIRRUS_BRANCH =~ 'release/.*' ||
+        $CIRRUS_CRON == 'benchmark-nightly' )

-# Same as above, but running the ZAM tests instead of the regular tests.
-ubuntu24_04_zam_task:
+ubuntu22_spicy_task:
  container:
-    # Ubuntu 24.04 EOL: Jun 2029
-    dockerfile: ci/ubuntu-24.04/Dockerfile
+    # Ubuntu 22.04 EOL: April 2027
+    dockerfile: ci/ubuntu-22.04/Dockerfile
    << : *RESOURCES_TEMPLATE
  << : *CI_TEMPLATE
-  << : *ONLY_IF_PR_MASTER_RELEASE
-  << : *SKIP_IF_PR_NOT_FULL_OR_ZAM
-  env:
-    ZEEK_CI_SKIP_UNIT_TESTS: 1
-    ZEEK_CI_SKIP_EXTERNAL_BTESTS: 1
-    ZEEK_CI_BTEST_EXTRA_ARGS: -a zam
-    # Use a lower number of jobs due to OOM issues with ZAM tasks
-    ZEEK_CI_BTEST_JOBS: 3
-
-# Same as above, but using Clang and libc++
-ubuntu24_04_clang_libcpp_task:
-  container:
-    # Ubuntu 24.04 EOL: Jun 2029
-    dockerfile: ci/ubuntu-24.04/Dockerfile
-    << : *RESOURCES_TEMPLATE
-  << : *CI_TEMPLATE
-  << : *ONLY_IF_PR_MASTER_RELEASE
-  << : *SKIP_IF_PR_NOT_FULL_CI
-  env:
-    CC: clang-19
-    CXX: clang++-19
-    CXXFLAGS: -stdlib=libc++
-
-ubuntu24_04_clang_tidy_task:
-  container:
-    # Ubuntu 24.04 EOL: Jun 2029
-    dockerfile: ci/ubuntu-24.04/Dockerfile
-    << : *RESOURCES_TEMPLATE
-  << : *CI_TEMPLATE
-  << : *ONLY_IF_PR_MASTER_RELEASE
-  << : *SKIP_IF_PR_NOT_FULL_CI
-  env:
-    CC: clang-19
-    CXX: clang++-19
-    ZEEK_CI_CONFIGURE_FLAGS: *CLANG_TIDY_CONFIG
-
-# Also enable Spicy SSL for this
-ubuntu24_04_spicy_task:
-  container:
-    # Ubuntu 24.04 EOL: Jun 2029
-    dockerfile: ci/ubuntu-24.04/Dockerfile
-    << : *RESOURCES_TEMPLATE
-  << : *CI_TEMPLATE
-  << : *ONLY_IF_PR_MASTER_RELEASE
-  << : *SKIP_IF_PR_NOT_FULL_OR_BENCHMARK
  env:
    ZEEK_CI_CREATE_ARTIFACT: 1
-    ZEEK_CI_CONFIGURE_FLAGS: *SPICY_SSL_CONFIG
+  test_script: true  # Don't run tests, these are redundant.
  spicy_install_analyzers_script: ./ci/spicy-install-analyzers.sh
  upload_binary_artifacts:
    path: build.tgz
  benchmark_script: ./ci/benchmark.sh
+  << : *BENCHMARK_ONLY_IF_TEMPLATE

-ubuntu24_04_spicy_head_task:
+ubuntu22_spicy_head_task:
  container:
-    # Ubuntu 24.04 EOL: Jun 2029
-    dockerfile: ci/ubuntu-24.04/Dockerfile
+    # Ubuntu 22.04 EOL: April 2027
+    dockerfile: ci/ubuntu-22.04/Dockerfile
    << : *RESOURCES_TEMPLATE
  << : *CI_TEMPLATE
-  << : *ONLY_IF_PR_MASTER_RELEASE_NIGHTLY
-  << : *SKIP_IF_PR_NOT_FULL_OR_BENCHMARK
  env:
    ZEEK_CI_CREATE_ARTIFACT: 1
-    ZEEK_CI_CONFIGURE_FLAGS: *SPICY_SSL_CONFIG
    # Pull auxil/spicy to the latest head version. May or may not build.
    ZEEK_CI_PREBUILD_COMMAND: 'cd auxil/spicy && git fetch && git reset --hard origin/main && git submodule update --init --recursive'
  spicy_install_analyzers_script: ./ci/spicy-install-analyzers.sh
  upload_binary_artifacts:
    path: build.tgz
  benchmark_script: ./ci/benchmark.sh
+  << : *BENCHMARK_ONLY_IF_TEMPLATE

-ubuntu22_04_task:
+ubuntu20_task:
  container:
-    # Ubuntu 22.04 EOL: June 2027
-    dockerfile: ci/ubuntu-22.04/Dockerfile
+    # Ubuntu 20.04 EOL: April 2025
+    dockerfile: ci/ubuntu-20.04/Dockerfile
    << : *RESOURCES_TEMPLATE
  << : *CI_TEMPLATE
-  << : *ONLY_IF_PR_MASTER_RELEASE
-  << : *SKIP_IF_PR_NOT_FULL_CI
+  << : *SKIP_TASK_ON_PR

 alpine_task:
  container:
@ -489,141 +336,89 @@ alpine_task:
    dockerfile: ci/alpine/Dockerfile
    << : *RESOURCES_TEMPLATE
  << : *CI_TEMPLATE
-  << : *ONLY_IF_PR_MASTER_RELEASE
-  << : *SKIP_IF_PR_NOT_FULL_CI

-# Cirrus only supports the following macos runner currently, selecting
-# anything else automatically upgrades to this one.
-#
-#    ghcr.io/cirruslabs/macos-runner:sequoia
-#
-# See also: https://cirrus-ci.org/guide/macOS/
-macos_sequoia_task:
+# Apple doesn't publish official long-term support timelines.
+# We aim to support both the current and previous macOS release.
+macos_sonoma_task:
  macos_instance:
-    image: ghcr.io/cirruslabs/macos-runner:sequoia
+    image: ghcr.io/cirruslabs/macos-sonoma-base:latest
+  prepare_script: ./ci/macos/prepare.sh
+  << : *CI_TEMPLATE
+  << : *MACOS_ENVIRONMENT
+
+macos_ventura_task:
+  macos_instance:
+    image: ghcr.io/cirruslabs/macos-ventura-base:latest
  prepare_script: ./ci/macos/prepare.sh
  << : *CI_TEMPLATE
-  << : *ONLY_IF_PR_MASTER_RELEASE
-  << : *SKIP_IF_PR_SKIP_ALL
  << : *MACOS_ENVIRONMENT

 # FreeBSD EOL timelines: https://www.freebsd.org/security/#sup
 freebsd14_task:
  freebsd_instance:
    # FreeBSD 14 EOL: Nov 30 2028
-    image_family: freebsd-14-2
+    image_family: freebsd-14-0
    << : *FREEBSD_RESOURCES_TEMPLATE

  prepare_script: ./ci/freebsd/prepare.sh
  << : *CI_TEMPLATE
-  << : *ONLY_IF_PR_MASTER_RELEASE
-  << : *SKIP_IF_PR_SKIP_ALL
  << : *FREEBSD_ENVIRONMENT

 freebsd13_task:
  freebsd_instance:
    # FreeBSD 13 EOL: January 31, 2026
-    image_family: freebsd-13-5
+    image_family: freebsd-13-3
    << : *FREEBSD_RESOURCES_TEMPLATE

  prepare_script: ./ci/freebsd/prepare.sh
  << : *CI_TEMPLATE
-  << : *ONLY_IF_PR_MASTER_RELEASE
-  << : *SKIP_IF_PR_NOT_FULL_CI
+  << : *SKIP_TASK_ON_PR
  << : *FREEBSD_ENVIRONMENT

 asan_sanitizer_task:
  container:
    # Just uses a recent/common distro to run memory error/leak checks.
-    dockerfile: ci/ubuntu-24.04/Dockerfile
+    dockerfile: ci/ubuntu-20.04/Dockerfile
    << : *RESOURCES_TEMPLATE

  << : *CI_TEMPLATE
-  << : *ONLY_IF_PR_MASTER_RELEASE
-  << : *SKIP_IF_PR_SKIP_ALL
  test_fuzzers_script: ./ci/test-fuzzers.sh
  coverage_script: ./ci/upload-coverage.sh
  env:
    CXXFLAGS: -DZEEK_DICT_DEBUG
    ZEEK_CI_CONFIGURE_FLAGS: *ASAN_SANITIZER_CONFIG
-    ASAN_OPTIONS: detect_leaks=1:detect_odr_violation=0
-    # Use absolute paths for coverage files.
-    CCACHE_BASEDIR:
-
-# ASAN task executing btests with zam alternative.
-asan_sanitizer_zam_task:
-  container:
-    dockerfile: ci/ubuntu-24.04/Dockerfile
-    << : *RESOURCES_TEMPLATE
-
-  << : *CI_TEMPLATE
-  << : *ONLY_IF_PR_NIGHTLY
-  << : *SKIP_IF_PR_NOT_FULL_OR_ZAM
-  env:
-    ZEEK_CI_CONFIGURE_FLAGS: *ASAN_SANITIZER_CONFIG
-    ASAN_OPTIONS: detect_leaks=1:detect_odr_violation=0
-    ZEEK_CI_SKIP_UNIT_TESTS: 1
-    ZEEK_CI_SKIP_EXTERNAL_BTESTS: 1
-    ZEEK_CI_BTEST_EXTRA_ARGS: -a zam
-    # Use a lower number of jobs due to OOM issues with ZAM tasks
-    ZEEK_CI_BTEST_JOBS: 3
+    ASAN_OPTIONS: detect_leaks=1

 ubsan_sanitizer_task:
  container:
    # Just uses a recent/common distro to run undefined behavior checks.
-    dockerfile: ci/ubuntu-24.04/Dockerfile
+    dockerfile: ci/ubuntu-20.04/Dockerfile
    << : *RESOURCES_TEMPLATE

  << : *CI_TEMPLATE
-  << : *ONLY_IF_PR_NIGHTLY
-  << : *SKIP_IF_PR_NOT_FULL_CI
+  << : *SKIP_TASK_ON_PR
  test_fuzzers_script: ./ci/test-fuzzers.sh
  env:
-    CC: clang-19
-    CXX: clang++-19
    CXXFLAGS: -DZEEK_DICT_DEBUG
    ZEEK_CI_CONFIGURE_FLAGS: *UBSAN_SANITIZER_CONFIG
    ZEEK_TAILORED_UB_CHECKS: 1
    UBSAN_OPTIONS: print_stacktrace=1

-ubsan_sanitizer_zam_task:
-  container:
-    dockerfile: ci/ubuntu-24.04/Dockerfile
-    << : *RESOURCES_TEMPLATE
+# tsan_sanitizer_task:
+#   container:
+#     # Just uses a recent/common distro to run memory error/leak checks.
+#     dockerfile: ci/ubuntu-22.04/Dockerfile
+#     << : *RESOURCES_TEMPLATE

-  << : *CI_TEMPLATE
-  << : *ONLY_IF_PR_NIGHTLY
-  << : *SKIP_IF_PR_NOT_FULL_OR_ZAM
-  env:
-    CC: clang-19
-    CXX: clang++-19
-    ZEEK_CI_CONFIGURE_FLAGS: *UBSAN_SANITIZER_CONFIG
-    ZEEK_TAILORED_UB_CHECKS: 1
-    UBSAN_OPTIONS: print_stacktrace=1
-    ZEEK_CI_SKIP_UNIT_TESTS: 1
-    ZEEK_CI_SKIP_EXTERNAL_BTESTS: 1
-    ZEEK_CI_BTEST_EXTRA_ARGS: -a zam
-    # Use a lower number of jobs due to OOM issues with ZAM tasks
-    ZEEK_CI_BTEST_JOBS: 3
-
-tsan_sanitizer_task:
-  container:
-    # Just uses a recent/common distro to run memory error/leak checks.
-    dockerfile: ci/ubuntu-24.04/Dockerfile
-    << : *RESOURCES_TEMPLATE
-
-  << : *CI_TEMPLATE
-  << : *ONLY_IF_PR_NIGHTLY
-  << : *SKIP_IF_PR_NOT_FULL_CI
-  env:
-    CC: clang-19
-    CXX: clang++-19
-    ZEEK_CI_CONFIGURE_FLAGS: *TSAN_SANITIZER_CONFIG
-    ZEEK_CI_DISABLE_SCRIPT_PROFILING: 1
-    # If this is defined directly in the environment, configure fails to find
-    # OpenSSL. Instead we define it with a different name and then give it
-    # the correct name in the testing scripts.
-    ZEEK_TSAN_OPTIONS: suppressions=/zeek/ci/tsan_suppressions.txt
+#   << : *CI_TEMPLATE
+#   << : *SKIP_TASK_ON_PR
+#   env:
+#     ZEEK_CI_CONFIGURE_FLAGS: *TSAN_SANITIZER_CONFIG
+#     ZEEK_CI_DISABLE_SCRIPT_PROFILING: 1
+#     # If this is defined directly in the environment, configure fails to find
+#     # OpenSSL. Instead we define it with a different name and then give it
+#     # the correct name in the testing scripts.
+#     ZEEK_TSAN_OPTIONS: suppressions=/zeek/ci/tsan_suppressions.txt

 windows_task:
  # 2 hour timeout just for potential of building Docker image taking a while
@ -638,12 +433,11 @@ windows_task:
  prepare_script: ci/windows/prepare.cmd
  build_script: ci/windows/build.cmd
  test_script: ci/windows/test.cmd
-  << : *ONLY_IF_PR_MASTER_RELEASE
-  << : *SKIP_IF_PR_NOT_FULL_OR_WINDOWS
  env:
    ZEEK_CI_CPUS: 8
    # Give verbose error output on a test failure.
    CTEST_OUTPUT_ON_FAILURE: 1
+  << : *BUILDS_ONLY_IF_TEMPLATE


 # Container images
@ -724,18 +518,22 @@ arm64_container_image_docker_builder:
  env:
    CIRRUS_ARCH: arm64
  << : *DOCKER_BUILD_TEMPLATE
-  << : *ONLY_IF_RELEASE_TAG_NIGHTLY
+  << : *SKIP_TASK_ON_PR

 amd64_container_image_docker_builder:
  env:
    CIRRUS_ARCH: amd64
  << : *DOCKER_BUILD_TEMPLATE
-  << : *ONLY_IF_PR_MASTER_RELEASE_NIGHTLY
-  << : *SKIP_IF_PR_NOT_FULL_OR_CLUSTER_TEST
+  << : *SKIP_TASK_ON_PR

 container_image_manifest_docker_builder:
  cpu: 1
-  << : *ONLY_IF_RELEASE_TAG_NIGHTLY
+  # Push master builds to zeek/zeek-dev, or tagged release branches to zeek/zeek
+  only_if: >
+    ( $CIRRUS_CRON == '' ) &&
+    ( $CIRRUS_REPO_FULL_NAME == 'zeek/zeek' &&
+      ( $CIRRUS_BRANCH == 'master' ||
+        $CIRRUS_TAG =~ 'v[0-9]+\.[0-9]+\.[0-9]+$' ) )
  env:
    DOCKER_USERNAME: ENCRYPTED[!505b3dee552a395730a7e79e6aab280ffbe1b84ec62ae7616774dfefe104e34f896d2e20ce3ad701f338987c13c33533!]
    DOCKER_PASSWORD: ENCRYPTED[!6c4b2f6f0e5379ef1091719cc5d2d74c90cfd2665ac786942033d6d924597ffb95dbbc1df45a30cc9ddeec76c07ac620!]
@ -744,7 +542,7 @@ container_image_manifest_docker_builder:
  login_script: |
    docker login --username $DOCKER_USERNAME --password $DOCKER_PASSWORD
    AWS_ACCESS_KEY_ID=$AWS_ECR_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY=$AWS_ECR_SECRET_ACCESS_KEY aws ecr-public get-login-password --region us-east-1 | \
-        docker login --username AWS --password-stdin public.ecr.aws
+        docker login --username AWS $AWS_ECR_USERNAME --password-stdin public.ecr.aws
  set_image_tag_script: |
    # If we have a CIRRUS_TAG, use the value in VERSION to push the multiarch
    # images, otherwise use latest. Basically we push the arch images as
@ -754,12 +552,8 @@ container_image_manifest_docker_builder:
    # for tags, or zeek/zeek-dev:latest for pushes to master.
    set -x
    if [ -n "${CIRRUS_TAG}" ]; then
-      echo "IMAGE_NAME=zeek"  >> $CIRRUS_ENV
      echo "IMAGE_TAG=$(cat VERSION)" >> $CIRRUS_ENV
-      if [ "${CIRRUS_TAG}" != "v$(cat VERSION)" ]; then
-        echo "CIRRUS_TAG '${CIRRUS_TAG}' and VERSION '$(cat VERSION)' inconsistent!" >&2
-        exit 1
-      fi
+      echo "IMAGE_NAME=zeek"  >> $CIRRUS_ENV
    elif [ "${CIRRUS_BRANCH}" = "master" ]; then
      echo "IMAGE_NAME=zeek-dev"  >> $CIRRUS_ENV
      echo "IMAGE_TAG=latest" >> $CIRRUS_ENV
@ -786,7 +580,31 @@ container_image_manifest_docker_builder:
        '+refs/heads/release/*:refs/remotes/origin/release/*' \
        '+refs/heads/master:refs/remotes/origin/master'

-    ./ci/container-images-addl-tags.sh "${CIRRUS_TAG}" | tee -a $CIRRUS_ENV
+    # Find current versions for lts and feature depending on branches and
+    # tags in the repo. sed for escaping the dot in the version for using
+    # it in the regex below to match against CIRRUS_TAG.
+    lts_ver=$(./ci/find-current-version.sh lts)
+    lts_pat="^v$(echo $lts_ver | sed 's,\.,\\.,g')\.[0-9]+\$"
+    feature_ver=$(./ci/find-current-version.sh feature)
+    feature_pat="^v$(echo $feature_ver | sed 's,\.,\\.,g')\.[0-9]+\$"
+
+    # Construct additional tags for the image. At most this will
+    # be "lts x.0 feature" for an lts branch x.0 that is currently
+    # also the latest feature branch.
+    ADDL_MANIFEST_TAGS=
+    if echo "${CIRRUS_TAG}" | grep -E "${lts_pat}"; then
+        ADDL_MANIFEST_TAGS="${ADDL_MANIFEST_TAGS} lts ${lts_ver}"
+    fi
+
+    if echo "${CIRRUS_TAG}" | grep -E "${feature_pat}"; then
+        ADDL_MANIFEST_TAGS="${ADDL_MANIFEST_TAGS} latest"
+        if [ "${feature_ver}" != "${lts_ver}" ]; then
+          ADDL_MANIFEST_TAGS="${ADDL_MANIFEST_TAGS} ${feature_ver}"
+        fi
+    fi
+
+    # Let downstream know about it.
+    echo "ADDITIONAL_MANIFEST_TAGS=${ADDL_MANIFEST_TAGS}" >> $CIRRUS_ENV

  # These should've been populated by the previous jobs
  zeek_image_arm64_cache:
@ -814,7 +632,8 @@ container_image_manifest_docker_builder:
 # images from the public ECR repository to stay within free-tier bounds.
 public_ecr_cleanup_docker_builder:
  cpu: 1
-  << : *ONLY_IF_NIGHTLY
+  only_if: >
+    $CIRRUS_CRON == '' && $CIRRUS_REPO_FULL_NAME == 'zeek/zeek' && $CIRRUS_BRANCH == 'master'
  env:
    AWS_ACCESS_KEY_ID: ENCRYPTED[!eff52f6442e1bc78bce5b15a23546344df41bf519f6201924cb70c7af12db23f442c0e5f2b3687c2d856ceb11fcb8c49!]
    AWS_SECRET_ACCESS_KEY: ENCRYPTED[!748bc302dd196140a5fa8e89c9efd148882dc846d4e723787d2de152eb136fa98e8dea7e6d2d6779d94f72dd3c088228!]
@ -854,23 +673,27 @@ cluster_testing_docker_builder:
      path: "testing/external/zeek-testing-cluster/.tmp/**"
  depends_on:
    - amd64_container_image
-  << : *ONLY_IF_PR_RELEASE_AND_NIGHTLY
-  << : *SKIP_IF_PR_NOT_FULL_OR_CLUSTER_TEST
+  << : *SKIP_TASK_ON_PR


 # Test zeekctl upon master and release pushes and also when
-# a PR has a "CI: Zeekctl" or "CI: Full" label.
+# a PR has a zeekctlci or fullci label.
 #
 # Also triggers on CIRRUS_CRON == 'zeekctl-nightly' if that is configured
 # through the Cirrus Web UI.
-zeekctl_debian12_task:
+zeekctl_debian11_task:
  cpu: *CPUS
  memory: *MEMORY
-  << : *ONLY_IF_PR_MASTER_RELEASE
-  << : *SKIP_IF_PR_NOT_FULL_OR_ZEEKCTL
+  only_if: >
+    ( $CIRRUS_CRON == 'zeekctl-nightly' ) ||
+    ( $CIRRUS_PR != '' && $CIRRUS_PR_LABELS =~ '.*(zeekctlci|fullci).*' ) ||
+    ( $CIRRUS_REPO_NAME == 'zeek' && (
+        $CIRRUS_BRANCH == 'master' ||
+        $CIRRUS_BRANCH =~ 'release/.*' )
+    )
  container:
-    # Debian 13 (trixie) EOL: TBD
-    dockerfile: ci/debian-13/Dockerfile
+    # Debian 11 EOL: June 2026
+    dockerfile: ci/debian-11/Dockerfile
    << : *RESOURCES_TEMPLATE
  sync_submodules_script: git submodule update --recursive --init
  always:
@ -884,46 +707,31 @@ zeekctl_debian12_task:
  build_script:
    - cd auxil/zeekctl/testing && ./Scripts/build-zeek
  test_script:
-    - cd auxil/zeekctl/testing && ../../btest/btest -A -d -j ${ZEEK_CI_BTEST_JOBS}
+    - cd auxil/zeekctl/testing && ../../btest/btest -A -d -j ${BTEST_JOBS}
  on_failure:
    upload_zeekctl_testing_artifacts:
      path: "auxil/zeekctl/testing/.tmp/**"

-include_plugins_debian12_task:
+# Test building Zeek with builtin plugins available in
+# testing/builtin-plugins/Files/
+include_plugins_debian11_task:
  cpu: *CPUS
  memory: *MEMORY
  container:
-    # Debian 13 (trixie) EOL: TBD
-    dockerfile: ci/debian-13/Dockerfile
+    # Debian 11 EOL: June 2026
+    dockerfile: ci/debian-11/Dockerfile
    << : *RESOURCES_TEMPLATE
  sync_submodules_script: git submodule update --recursive --init
-  fetch_external_plugins_script:
-    - cd /zeek/testing/builtin-plugins/external && git clone https://github.com/zeek/zeek-perf-support.git
-    - cd zeek-perf-support && echo "Cloned $(git rev-parse HEAD) for $(basename $(pwd))"
-    - cd /zeek/testing/builtin-plugins/external && git clone https://github.com/zeek/zeek-more-hashes.git
-    - cd zeek-more-hashes && echo "Cloned $(git rev-parse HEAD) for $(basename $(pwd))"
-    - cd /zeek/testing/builtin-plugins/external && git clone https://github.com/zeek/zeek-cluster-backend-nats.git
-    - cd zeek-cluster-backend-nats && echo "Cloned $(git rev-parse HEAD) for $(basename $(pwd))"
-    - cd /zeek/testing/builtin-plugins/external && git clone https://github.com/SeisoLLC/zeek-kafka.git
-    - cd zeek-kafka && echo "Cloned $(git rev-parse HEAD) for $(basename $(pwd))"
  always:
    ccache_cache:
      folder: /tmp/ccache
      fingerprint_script: echo builtin-plugins-ccache-$ZEEK_CCACHE_EPOCH-$CIRRUS_TASK_NAME-$CIRRUS_OS
      reupload_on_changes: true
-  build_script: ZEEK_CI_CONFIGURE_FLAGS="${ZEEK_CI_CONFIGURE_FLAGS} --include-plugins='/zeek/testing/builtin-plugins/Files/protocol-plugin;/zeek/testing/builtin-plugins/Files/py-lib-plugin;/zeek/testing/builtin-plugins/Files/zeek-version-plugin;/zeek/testing/builtin-plugins/external/zeek-perf-support;/zeek/testing/builtin-plugins/external/zeek-more-hashes;/zeek/testing/builtin-plugins/external/zeek-cluster-backend-nats;/zeek/testing/builtin-plugins/external/zeek-kafka'" ./ci/build.sh
+  build_script: ZEEK_CI_CONFIGURE_FLAGS="${ZEEK_CI_CONFIGURE_FLAGS} --include-plugins='/zeek/testing/builtin-plugins/Files/protocol-plugin;/zeek/testing/builtin-plugins/Files/py-lib-plugin;/zeek/testing/builtin-plugins/Files/zeek-version-plugin'" ./ci/build.sh
  test_script:
    - cd testing/builtin-plugins && ../../auxil/btest/btest -d -b -j ${ZEEK_CI_BTEST_JOBS}
-  test_external_plugins_script: |
-    . /zeek/build/zeek-path-dev.sh
-    set -ex
-    # For now, just check if the external plugins are available.
-    zeek -N Zeek::PerfSupport
-    zeek -N Zeek::MoreHashes
-    zeek -N Zeek::Cluster_Backend_NATS
-    zeek -N Seiso::Kafka
  on_failure:
    upload_include_plugins_testing_artifacts:
      path: "testing/builtin-plugins/.tmp/**"
-  << : *ONLY_IF_PR_MASTER_RELEASE
-  << : *SKIP_IF_PR_NOT_FULL_CI
+  << : *BUILDS_ONLY_IF_TEMPLATE
+  << : *SKIP_TASK_ON_PR
--- a/.clang-format
+++ b/.clang-format
@ -1,4 +1,4 @@
-# See the file "COPYING" in the main distribution directory for copyright.
+# Copyright (c) 2020-2023 by the Zeek Project. See LICENSE for details.

 ---
 Language:        Cpp
@ -71,7 +71,6 @@ IncludeBlocks: Regroup
 # 4: any header that starts with "zeek/"
 # 5: everything else, which should catch any of the auto-generated code from the
 #    build directory as well
-# 6: third party doctest header
 #
 # Sections 0-1 and 2-3 get grouped together in their respective blocks
 IncludeCategories:
@ -87,8 +86,6 @@ IncludeCategories:
  - Regex: '^<[[:print:]]+>'
    Priority: 2
    SortPriority: 3
-  - Regex: '^"zeek/3rdparty/doctest.h'
-    Priority: 6
  - Regex: '^"zeek/'
    Priority: 4
  - Regex: '.*'
--- a/.clang-tidy
+++ b/.clang-tidy
@ -1,76 +1,5 @@
-Checks: [-*,
+Checks: '-*,
         bugprone-*,
-         performance-*,
-         modernize-*,
-         readability-isolate-declaration,
-         readability-container-contains,
-
-         # Enable a very limited number of the cppcoreguidelines checkers.
-         # See the notes for some of the rest of them below.
-         cppcoreguidelines-macro-usage,
-         cppcoreguidelines-misleading-capture-default-by-value,
-         cppcoreguidelines-virtual-class-destructor,
-
-         # Skipping these temporarily because they are very noisy
-         -bugprone-forward-declaration-namespace,
-         -bugprone-narrowing-conversions,
-         -bugprone-unchecked-optional-access,
-         -performance-unnecessary-value-param,
-         -modernize-use-equals-default,
-         -modernize-use-integer-sign-comparison,
-
-         # The following cause either lots of pointless or advisory warnings
-         -bugprone-easily-swappable-parameters,
-         -bugprone-nondeterministic-pointer-iteration-order,
-
-         # bifcl generates a lot of code with double underscores in their name.
-         # ZAM uses a few identifiers that start with underscores or have
-         # double-underscores in the name.
-         -bugprone-reserved-identifier,
-
-         # bifcl generates almost every switch statement without a default case
-         # and so this one generates a lot of warnings.
-         -bugprone-switch-missing-default-case,
-
-         # These report warnings that are rather difficult to fix or are things
-         # we simply don't want to fix.
-         -bugprone-undefined-memory-manipulation,
-         -bugprone-pointer-arithmetic-on-polymorphic-object,
-         -bugprone-empty-catch,
-         -bugprone-exception-escape,
-         -bugprone-suspicious-include,
-         -modernize-avoid-c-arrays,
-         -modernize-concat-nested-namespaces,
-         -modernize-raw-string-literal,
-         -modernize-use-auto,
-         -modernize-use-nodiscard,
-         -modernize-use-trailing-return-type,
-         -modernize-use-designated-initializers,
-
-         # This one returns a bunch of findings in DFA and the sqlite library.
-         # We're unlikely to fix either of them.
-         -performance-no-int-to-ptr,
-
-         # These cppcoreguidelines checkers are things we should investigate
-         # and possibly fix, but there are so many findings that we're holding
-         # off doing it for now.
-         #cppcoreguidelines-init-variables,
-         #cppcoreguidelines-prefer-member-initializer,
-         #cppcoreguidelines-pro-type-member-init,
-         #cppcoreguidelines-pro-type-cstyle-cast,
-         #cppcoreguidelines-pro-type-static-cast-downcast,
-         #cppcoreguidelines-special-member-functions,
-
-         # These are features in newer version of C++ that we don't have
-         # access to yet.
-         -modernize-use-std-format,
-         -modernize-use-std-print,
-]
-
-HeaderFilterRegex: '.h'
-ExcludeHeaderFilterRegex: '.*(auxil|3rdparty)/.*'
-SystemHeaders: false
-CheckOptions:
-    - key: modernize-use-default-member-init.UseAssignment
-      value: 'true'
-WarningsAsErrors: '*'
+	 -bugprone-easily-swappable-parameters,
+         clang-analyzer-*,
+         performance-*'
--- a/.cmake-format.json
+++ b/.cmake-format.json
@ -72,23 +72,10 @@
          "SOURCES": "*",
          "MODULES": "*"
        }
-      },
-      "zeek_add_plugin": {
-        "kwargs": {
-          "INCLUDE_DIRS": "*",
-          "DEPENDENCIES": "*",
-          "SOURCES": "*",
-          "BIFS": "*",
-          "PAC": "*"
-        }
      }
    }
  },
  "format": {
-    "always_wrap": [
-      "spicy_add_analyzer",
-      "zeek_add_plugin"
-    ],
    "line_width": 100,
    "tab_size": 4,
    "separate_ctrl_name_with_space": true,
--- a/.git-blame-ignore-revs
+++ b/.git-blame-ignore-revs
@ -33,6 +33,3 @@ f5a76c1aedc7f8886bc6abef0dfaa8065684b1f6

 # clang-format: Format JSON with clang-format
 e6256446ddef5c5d5240eefff974556f2e12ac46
-
-# analyzer/protocol: Reformat with spicy-format
-d70bcd07b9b26036b16092fe950eca40e2f5a032
--- a/.github/workflows/coverity-scan.yml
+++ b/.github/workflows/coverity-scan.yml
@ -10,10 +10,10 @@ permissions:
 jobs:
  scan:
    if: github.repository == 'zeek/zeek'
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-20.04

    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v3
        with:
          submodules: "recursive"

@ -21,71 +21,58 @@ jobs:
        run: |
          sudo apt-get update
          sudo apt-get -y install \
-            bison \
-            bsdmainutils \
-            cmake \
-            curl \
-            flex \
-            g++ \
-            gcc \
            git \
-            jq \
-            libfl-dev \
-            libfl2 \
-            libkrb5-dev \
-            libmaxminddb-dev \
+            cmake \
+            make \
+            gcc \
+            g++ \
+            flex \
+            bison \
            libpcap-dev \
            libssl-dev \
-            libzmq3-dev \
-            make \
            python3 \
            python3-dev \
            python3-pip \
-            sqlite3 \
            swig \
-            zlib1g-dev
+            zlib1g-dev \
+            libmaxminddb-dev \
+            libkrb5-dev \
+            bsdmainutils \
+            sqlite3 \
+            curl \
+            wget

      - name: Configure
-        run: ./configure --build-type=debug --disable-broker-tests
+        run: ./configure --build-type=debug --disable-broker-tests --disable-spicy

      - name: Fetch Coverity Tools
        env:
          COVERITY_TOKEN: ${{ secrets.COVERITY_TOKEN }}
        run: |
-          curl \
-            -o coverity_tool.tgz \
-            -d token=${COVERITY_TOKEN} \
-            -d project=Bro \
-            https://scan.coverity.com/download/cxx/linux64
+          wget \
+            -nv https://scan.coverity.com/download/cxx/linux64 \
+            --post-data "token=${COVERITY_TOKEN}&project=Bro" \
+            -O coverity_tool.tgz
          tar xzf coverity_tool.tgz
          rm coverity_tool.tgz
          mv cov-analysis* coverity-tools

      - name: Build
        run: |
-          export PATH=$(pwd)/coverity-tools/bin:$PATH
-          ( cd build && cov-build --dir cov-int make -j "$(nproc)" )
+          export PATH=`pwd`/coverity-tools/bin:$PATH
+          ( cd build && cov-build --dir cov-int make -j $(nproc) )
          cat build/cov-int/build-log.txt

      - name: Submit
        env:
          COVERITY_TOKEN: ${{ secrets.COVERITY_TOKEN }}
        run: |
-          ( cd build && tar czf myproject.tgz cov-int )
-          curl -X POST \
-            -d version=$(cat VERSION) \
-            -d description=$(git rev-parse HEAD) \
-            -d email=zeek-commits-internal@zeek.org \
-            -d token=${COVERITY_TOKEN} \
-            -d file_name=myproject.tgz \
-            -o response \
-            https://scan.coverity.com/projects/641/builds/init
-          upload_url=$(jq -r '.url' response)
-          build_id=$(jq -r '.build_id' response)
-          curl -X PUT \
-            --header 'Content-Type: application/json' \
-            --upload-file build/myproject.tgz \
-            ${upload_url}
-          curl -X PUT \
-            -d token=${COVERITY_TOKEN} \
-            https://scan.coverity.com/projects/641/builds/${build_id}/enqueue
+          cd build
+          tar czf myproject.tgz cov-int
+          curl \
+            --form token=${COVERITY_TOKEN} \
+            --form email=zeek-commits-internal@zeek.org \
+            --form file=@myproject.tgz \
+            --form "version=`cat ../VERSION`" \
+            --form "description=`git rev-parse HEAD`" \
+            https://scan.coverity.com/builds?project=Bro
--- a/.github/workflows/generate-docs.yml
+++ b/.github/workflows/generate-docs.yml
@ -16,24 +16,33 @@ jobs:
  generate:
    permissions:
      contents: write  # for Git to git push
-    if: "github.repository == 'zeek/zeek' && contains(github.event.pull_request.labels.*.name, 'CI: Skip All') == false"
-    runs-on: ubuntu-24.04
+    if: github.repository == 'zeek/zeek'
+    runs-on: ubuntu-latest

    steps:
      # We only perform a push if the action was triggered via a schedule
      # event, so we only need to authenticate in that case. Use
      # unauthenticated access otherwise so this action can e.g., also run from
      # clones.
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v3
        if: github.event_name == 'schedule'
        with:
          submodules: "recursive"
          token: ${{ secrets.ZEEK_BOT_TOKEN }}
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v3
        if: github.event_name != 'schedule'
        with:
          submodules: "recursive"

+      # Only reset the submodule pointer for scheduled builds. The reason to do
+      # this is to pick up any merge commits or anything that may have been
+      # missed in a merge, but not have any actual content. We don't want to do
+      # it otherwise because PRs should just use the submodule they're pointing
+      # at.
+      - name: Switch doc submodule to master
+        if: github.event_name == 'schedule'
+        run: cd doc && git checkout master
+
      - name: Fetch Dependencies
        run: |
          sudo apt-get update
@ -42,29 +51,27 @@ jobs:
            bsdmainutils \
            ccache \
            cmake \
-            cppzmq-dev \
            flex \
            g++ \
            gcc \
            git \
-            libhiredis-dev \
            libfl-dev \
            libfl2 \
            libkrb5-dev \
-            libnode-dev \
            libpcap-dev \
            libssl-dev \
            make \
            python3 \
            python3-dev \
-            python3-pip \
+            python3-pip\
            sqlite3 \
            swig \
            zlib1g-dev
-          python3 -m venv ci-docs-venv
-          source ci-docs-venv/bin/activate
-          pip3 install -r doc/requirements.txt
-          pip3 install pre-commit
+          # Many distros adhere to PEP 394's recommendation for `python` =
+          # `python2` so this is a simple workaround until we drop Python 2
+          # support and explicitly use `python3` for all invocations.
+          sudo ln -sf /usr/bin/python3 /usr/local/bin/python
+          sudo pip3 install -r doc/requirements.txt

      - name: ccache
        uses: hendrikmuhs/ccache-action@v1.2
@ -72,45 +79,25 @@ jobs:
          key: 'docs-gen-${{ github.job }}'
          max-size: '2000M'

-      # Github runners have node installed on them by default in /usr/local. This
-      # causes problems with configure finding the version from the apt package,
-      # plus gcc using it by default if we pass the right cmake variables to
-      # configure. The easiest solution is to move the directory away prior to
-      # running our build. It's moved back after just in case some workflow action
-      # expects it to exist.
-      - name: Move default node install to backup
-        run: sudo mv /usr/local/include/node /usr/local/include/node.bak
-
      - name: Configure
        run: ./configure --disable-broker-tests --disable-cpp-tests --ccache

      - name: Build
        run: cd build && make -j $(nproc)

-      - name: Move default node install to original location
-        run: sudo mv /usr/local/include/node.bak /usr/local/include/node
-
      - name: Check Spicy docs
        run: cd doc && make check-spicy-docs

-      # Cache pre-commit environment for reuse.
-      - uses: actions/cache@v4
-        with:
-          path: ~/.cache/pre-commit
-          key: doc-pre-commit-3|${{ env.pythonLocation }}|${{ hashFiles('doc/.pre-commit-config.yaml') }}
-
      - name: Generate Docs
        run: |
-          source ci-docs-venv/bin/activate
          git config --global user.name zeek-bot
          git config --global user.email info@zeek.org

          echo "*** Generating Zeekygen Docs ***"
          ./ci/update-zeekygen-docs.sh || exit 1

-          cd doc
-
          echo "*** Generating Sphinx Docs ***"
+          cd doc
          make > make.out 2>&1
          make_status=$?
          echo "*** Sphinx Build Output ***"
@ -120,21 +107,31 @@ jobs:
          grep -q WARNING make.out && exit 1
          rm make.out

-      - name: Push docs Changes
+      - name: Push zeek-docs Changes
        if: github.event_name == 'schedule'
        run: |
          cd doc
          git add scripts/ script-reference/
          git status
          # git commit errors when there's nothing to commit, so guard it
-          # with a check that detects whether there's anything staged.
-          git diff-index --cached --quiet HEAD || { git commit -m "Generate docs" && git push; }
+          # with a check that detects whether there's anything to commit/push.
+          git diff-index --quiet HEAD || { git commit -m "Generate docs" && git push; }
+
+      - name: Update zeek-docs Submodule
+        if: github.event_name == 'schedule'
+        run: |
+          git config --global user.name zeek-bot
+          git config --global user.email info@zeek.org
+          git add doc
+          git status
+          # Similar logic here: proceed only if there's a change in the submodule.
+          git diff-index --quiet HEAD || { git commit -m 'Update doc submodule [nomail] [skip ci]' && git push; }

      - name: Send email
        # Only send notifications for scheduled runs. Runs from pull requests
        # show failures in the GitHub UI.
        if: failure() && github.event_name == 'schedule'
-        uses: dawidd6/action-send-mail@v3.12.0
+        uses: dawidd6/action-send-mail@v3.7.0
        with:
          server_address: ${{secrets.SMTP_HOST}}
          server_port: ${{secrets.SMTP_PORT}}
--- a/.github/workflows/pre-commit.yml
+++ b/.github/workflows/pre-commit.yml
@ -7,8 +7,8 @@ on:

 jobs:
  pre-commit:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest
    steps:
-    - uses: actions/checkout@v4
-    - uses: actions/setup-python@v5
-    - uses: pre-commit/action@v3.0.1
+    - uses: actions/checkout@v3
+    - uses: actions/setup-python@v4
+    - uses: pre-commit/action@v3.0.0
--- a/.gitignore
+++ b/.gitignore
@ -3,9 +3,6 @@
 build*
 !ci/windows/build.cmd

-# Don't ignore things in the docs directory
-!doc/**
-
 tmp
 *.gcov

--- a/.gitmodules
+++ b/.gitmodules
@ -1,6 +1,9 @@
 [submodule "auxil/zeek-aux"]
 	path = auxil/zeek-aux
 	url = https://github.com/zeek/zeek-aux
+[submodule "auxil/binpac"]
+	path = auxil/binpac
+	url = https://github.com/zeek/binpac
 [submodule "auxil/zeekctl"]
 	path = auxil/zeekctl
 	url = https://github.com/zeek/zeekctl
@ -10,12 +13,21 @@
 [submodule "cmake"]
 	path = cmake
 	url = https://github.com/zeek/cmake
+[submodule "src/3rdparty"]
+	path = src/3rdparty
+	url = https://github.com/zeek/zeek-3rdparty
 [submodule "auxil/broker"]
 	path = auxil/broker
 	url = https://github.com/zeek/broker
 [submodule "auxil/netcontrol-connectors"]
 	path = auxil/netcontrol-connectors
 	url = https://github.com/zeek/zeek-netcontrol
+[submodule "auxil/bifcl"]
+	path = auxil/bifcl
+	url = https://github.com/zeek/bifcl
+[submodule "doc"]
+	path = doc
+	url = https://github.com/zeek/zeek-docs
 [submodule "auxil/paraglob"]
 	path = auxil/paraglob
 	url = https://github.com/zeek/paraglob
@ -27,13 +39,19 @@
 	url = https://github.com/zeek/libkqueue
 [submodule "auxil/highwayhash"]
 	path = auxil/highwayhash
-	url = https://github.com/google/highwayhash
+	url = https://github.com/zeek/highwayhash
+[submodule "auxil/zeek-archiver"]
+	path = auxil/zeek-archiver
+	url = https://github.com/zeek/zeek-archiver
 [submodule "auxil/package-manager"]
 	path = auxil/package-manager
 	url = https://github.com/zeek/package-manager
 [submodule "auxil/zeek-client"]
 	path = auxil/zeek-client
 	url = https://github.com/zeek/zeek-client
+[submodule "auxil/gen-zam"]
+	path = auxil/gen-zam
+	url = https://github.com/zeek/gen-zam
 [submodule "auxil/c-ares"]
 	path = auxil/c-ares
 	url = https://github.com/c-ares/c-ares
@ -43,6 +61,12 @@
 [submodule "auxil/spicy"]
 	path = auxil/spicy
 	url = https://github.com/zeek/spicy
+[submodule "auxil/filesystem"]
+	path = auxil/filesystem
+	url = https://github.com/gulrak/filesystem.git
+[submodule "auxil/zeek-af_packet-plugin"]
+	path = auxil/zeek-af_packet-plugin
+	url = https://github.com/zeek/zeek-af_packet-plugin.git
 [submodule "auxil/libunistd"]
 	path = auxil/libunistd
 	url = https://github.com/zeek/libunistd
@ -52,15 +76,3 @@
 [submodule "auxil/vcpkg"]
 	path = auxil/vcpkg
 	url = https://github.com/microsoft/vcpkg
-[submodule "auxil/prometheus-cpp"]
-	path = auxil/prometheus-cpp
-	url = https://github.com/zeek/prometheus-cpp
-[submodule "src/cluster/backend/zeromq/auxil/cppzmq"]
-	path = src/cluster/backend/zeromq/auxil/cppzmq
-	url = https://github.com/zeromq/cppzmq
-[submodule "src/cluster/websocket/auxil/IXWebSocket"]
-	path = src/cluster/websocket/auxil/IXWebSocket
-	url = https://github.com/machinezone/IXWebSocket
-[submodule "auxil/expected-lite"]
-	path = auxil/expected-lite
-	url = https://github.com/martinmoene/expected-lite.git
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@ -2,58 +2,34 @@
 # See https://pre-commit.com/hooks.html for more hooks
 #
 repos:
- repo: local
-  hooks:
-  - id: license
-    name: Check for license headers
-    entry: ./ci/license-header.py
-    language: python
-    files: '\.(h|c|cpp|cc|spicy|evt)$'
-    types: [file]
-    exclude: '^(testing/btest/(Baseline|plugins|spicy|scripts)/.*|testing/builtin-plugins/.*|src/3rdparty/.*|doc/.*)$'
-
-  - id: btest-command-commented
-    name: Check that all BTest command lines are commented out
-    entry: '^\s*@TEST-'
-    language: pygrep
-    files: '^testing/btest/.*$'
-
 - repo: https://github.com/pre-commit/mirrors-clang-format
-  rev: v20.1.8
+  rev: 'v17.0.3'
  hooks:
  - id: clang-format
    types_or:
      - "c"
      - "c++"
      - "json"
-    exclude: '^src/3rdparty/.*'

 - repo: https://github.com/maxwinterstein/shfmt-py
-  rev: v3.12.0.1
+  rev: v3.7.0.1
  hooks:
    - id: shfmt
      args: ["-w", "-i", "4", "-ci"]

- repo: https://github.com/astral-sh/ruff-pre-commit
-  rev: v0.12.8
+- repo: https://github.com/google/yapf
+  rev: v0.40.2
  hooks:
-    - id: ruff-check
-      args: ["--fix"]
-    - id: ruff-format
+  - id: yapf

 - repo: https://github.com/cheshirekow/cmake-format-precommit
  rev: v0.6.13
  hooks:
  - id: cmake-format
+    exclude: '^auxil/.*$'

 - repo: https://github.com/crate-ci/typos
-  rev: v1.35.3
+  rev: v1.16.21
  hooks:
    - id: typos
-      exclude: '^(.typos.toml|src/SmithWaterman.cc|testing/.*|auxil/.*|scripts/base/frameworks/files/magic/.*|CHANGES|scripts/base/protocols/ssl/mozilla-ca-list.zeek|src/3rdparty/.*)$'
-
- repo: https://github.com/bbannier/spicy-format
-  rev: v0.27.1
-  hooks:
-    - id: spicy-format
-      exclude: '^testing/.*|doc/devel/spicy/autogen/.*.spicy'
+      exclude: '^(.typos.toml|src/SmithWaterman.cc|testing/.*|auxil/.*|scripts/base/frameworks/files/magic/.*|CHANGES)$'
--- a/.readthedocs.yml
+++ b/.readthedocs.yml
@ -1,16 +0,0 @@
-version: 2
-
-formats:
-  - htmlzip
-
-build:
-  os: ubuntu-24.04
-  tools:
-    python: "3.13"
-
-python:
-  install:
-    - requirements: doc/requirements.txt
-
-sphinx:
-  configuration: doc/conf.py
--- a/.style.yapf
+++ b/.style.yapf
@ -0,0 +1,2 @@
+[style]
+column_limit=100
--- a/.typos.toml
+++ b/.typos.toml
@ -6,9 +6,9 @@ extend-ignore-re = [
    # ALLO is a valid FTP command
    "\"ALLO\".*200",
    "des-ede3-cbc-Env-OID",
+    "Remove in v6.1.*SupressWeird",
+    "max_repititions:.*Remove in v6.1",
    "mis-aliasing of",
-    "mis-indexing",
-    "compilability",
    # On purpose
    "\"THE NETBIOS NAM\"",
    # NFS stuff.
@ -20,25 +20,16 @@ extend-ignore-re = [
    "ot->Tag\\(\\) == TYPE_.*",
    "auto.* ot =",
    "ot = OP_.*",
-    "ot\\[",
-    "ot.size",
-    "ot.empty",
-    "ot_i",
-    "ot.c_str",
-    "have_ot",
    "if \\( ot == OP_.*",
    "ot->Yield\\(\\)->InternalType\\(\\)",
    "switch \\( ot \\)",
    "\\(ZAMOpType ot\\)",
-    "exat", # Redis expire at
-    "EXAT",

    # News stuff
    "SupressWeirds.*deprecated",
    "\"BaR\"",
    "\"xFoObar\"",
    "\"FoO\"",
-    "Smoot",
 ]

 extend-ignore-identifiers-re = [
@ -50,17 +41,6 @@ extend-ignore-identifiers-re = [
    "ND_ROUTER_.*",
    "ND_NEIGHBOR_.*",
    ".*_ND_option.*",
-    "bck", # Used with same length as `fwd`
-    "pn", # Use for `PoolNode` variables
-    "ffrom_[ip|port|mac]", # Used in netcontrol.
-    "complte_flag", # Existing use in exported record in base.
-    "VidP(n|N)", # In SMB.
-    "iin", # In DNP3.
-    "SCN[dioux]", # sccanf fixed-width identifiers
-    "(ScValidatePnPService|ScSendPnPMessage)", # In DCE-RPC.
-    "snet", # Used as shorthand for subnet in base scripts.
-    "typ",
-    "(e|i)it", # Used as name for some iterators.
 ]

 [default.extend-identifiers]
@ -73,7 +53,7 @@ ND_REDIRECT = "ND_REDIRECT"
 NED_ACK = "NED_ACK"
 NFS3ERR_ACCES = "NFS3ERR_ACCES"
 NO_SEH = "NO_SEH"
-OP_SWITCHS_Vii = "OP_SWITCHS_Vii"
+OP_SWITCHS_VVV = "OP_SWITCHS_VVV"
 O_WRONLY = "O_WRONLY"
 RPC_NT_CALL_FAILED_DNE = "RPC_NT_CALL_FAILED_DNE"
 RpcAddPrintProvidor = "RpcAddPrintProvidor"
@ -84,9 +64,6 @@ have_2nd = "have_2nd"
 ot1 = "ot1"
 ot2 = "ot2"
 uses_seh = "uses_seh"
-ect0 = "ect0"
-ect1 = "ect1"
-tpe = "tpe"

 [default.extend-words]
 caf = "caf"
--- a/8383
+++ b/8383
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@ -18,22 +18,6 @@ if (WIN32)
    set(CMAKE_TOOLCHAIN_FILE ${_toolchain} CACHE STRING "Vcpkg toolchain file")
 endif ()

-if (APPLE AND CMAKE_VERSION VERSION_GREATER_EQUAL 4.0.0 AND NOT CMAKE_OSX_SYSROOT)
-    # Spicy needs having CMAKE_OSX_SYSROOT point to the macOS SDK
-    # path, but starting with CMake 4.0 CMAKE_OSX_SYSROOT is not set
-    # automatically anymore. So we follow the guidance from the CMake 4.0
-    # release notes here:
-    #
-    #    Builds targeting macOS no longer choose any SDK or pass an "-isysroot"
-    #    flag to the compiler by default. [...] users must now specify
-    #    "-DCMAKE_OSX_SYSROOT=macosx" when configuring their build.
-    #
-    # Note that this needs to happen before the project() call below, meaning
-    # we cannot rely on the corresponding code inside the Spicy CMake
-    # configuration.
-    set(CMAKE_OSX_SYSROOT "macosx")
-endif ()
-
 project(Zeek C CXX)

 # We want to set ENABLE_DEBUG to ON by default if the build type is Debug.
@ -59,17 +43,15 @@ option(ENABLE_DEBUG "Build Zeek with additional debugging support." ${ENABLE_DEB
 option(ENABLE_JEMALLOC "Link against jemalloc." OFF)
 option(ENABLE_PERFTOOLS "Build with support for Google perftools." OFF)
 option(ENABLE_ZEEK_UNIT_TESTS "Build the C++ unit tests." ON)
-option(ENABLE_IWYU "Enable include-what-you-use for the main Zeek target." OFF)
-option(ENABLE_CLANG_TIDY "Enable clang-tidy for the main Zeek target." OFF)
 option(INSTALL_AUX_TOOLS "Install additional tools from auxil." ${ZEEK_INSTALL_TOOLS_DEFAULT})
 option(INSTALL_BTEST "Install btest alongside Zeek." ${ZEEK_INSTALL_TOOLS_DEFAULT})
 option(INSTALL_BTEST_PCAPS "Install pcap files for testing." ${ZEEK_INSTALL_TOOLS_DEFAULT})
 option(INSTALL_ZEEKCTL "Install zeekctl." ${ZEEK_INSTALL_TOOLS_DEFAULT})
+option(INSTALL_ZEEK_ARCHIVER "Install the zeek-archiver." ${ZEEK_INSTALL_TOOLS_DEFAULT})
 option(INSTALL_ZEEK_CLIENT "Install the zeek-client." ${ZEEK_INSTALL_TOOLS_DEFAULT})
 option(INSTALL_ZKG "Install zkg." ${ZEEK_INSTALL_TOOLS_DEFAULT})
 option(PREALLOCATE_PORT_ARRAY "Pre-allocate all ports for zeek::Val." ON)
-option(ZEEK_STANDALONE "Build Zeek as stand-alone binary." ON)
-option(ZEEK_ENABLE_FUZZERS "Build Zeek fuzzing targets." OFF)
+option(ZEEK_STANDALONE "Build Zeek as stand-alone binary?" ON)

 # Non-boolean options.
 if (NOT WIN32)
@ -90,14 +72,14 @@ set(ZEEK_ETC_INSTALL_DIR "${CMAKE_INSTALL_PREFIX}/etc"
 set(CMAKE_EXPORT_COMPILE_COMMANDS ON CACHE INTERNAL
                                           "Whether to write a JSON compile commands database")

+set(ZEEK_CXX_STD cxx_std_17 CACHE STRING "The C++ standard to use.")
+
 set(ZEEK_SANITIZERS "" CACHE STRING "Sanitizers to use when building.")

 set(CPACK_SOURCE_IGNORE_FILES "" CACHE STRING "Files to be ignored by CPack")

 set(ZEEK_INCLUDE_PLUGINS "" CACHE STRING "Extra plugins to add to the build.")

-set(ZEEK_VERSION_LOCAL "" CACHE STRING "Custom version string.")
-
 # Look into the build tree for additional CMake modules.
 list(APPEND CMAKE_MODULE_PATH ${CMAKE_BINARY_DIR})
 list(APPEND CMAKE_PREFIX_PATH ${CMAKE_BINARY_DIR})
@ -151,10 +133,7 @@ if (MSVC)
    # Set PCAP_ROOT_DIR to point at the installation from vcpkg. A later call
    # to FindPCAP.cmake will fill in the rest of the necessary variables.
    if (NOT PCAP_ROOT_DIR)
-        set(PCAP_ROOT_DIR ${VCPKG_INSTALLED_DIR}/${VCPKG_TARGET_TRIPLET})
-    else ()
-        unset(PCAP_INCLUDE_DIR CACHE)
-        unset(PCAP_LIBRARY CACHE)
+        set(PCAP_ROOT_DIR ${VCPKG_INSTALLED_DIR}/x64-windows-static)
    endif ()

    set(LIBPCAP_PCAP_COMPILE_NOPCAP_HAS_ERROR_PARAMETER false)
@ -192,53 +171,21 @@ if (MSVC)
        # TODO: This is disabled for now because there a bunch of known
        # compiler warnings on Windows that we don't have good fixes for.
        #set(WERROR_FLAG "/WX")
-        #set(WNOERROR_FLAG "/WX:NO")
+        #set(WERROR_FLAG "/WX")
    endif ()
-
-    # Always build binpac in static mode if building on Windows
-    set(BUILD_STATIC_BINPAC true)
-
 else ()
    include(GNUInstallDirs)
    if (BUILD_WITH_WERROR)
        set(WERROR_FLAG "-Werror")
-        set(WNOERROR_FLAG "-Wno-error")
-
-        # With versions >=13.0 GCC gained `-Warray-bounds` which reports false
-        # positives, see e.g., https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111273.
-        if (CMAKE_COMPILER_IS_GNUCXX AND CMAKE_CXX_COMPILER_VERSION VERSION_GREATER_EQUAL 13.0)
-            list(APPEND WERROR_FLAG "-Wno-error=array-bounds")
-        endif ()
-
-        # With versions >=11.0 GCC is returning false positives for -Wrestrict. See
-        # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=100366. It's more prevalent
-        # building with -std=c++20.
-        if (CMAKE_COMPILER_IS_GNUCXX AND CMAKE_CXX_COMPILER_VERSION VERSION_GREATER_EQUAL 11.0)
-            list(APPEND WERROR_FLAG "-Wno-error=restrict")
-        endif ()
    endif ()
 endif ()

 include(cmake/CommonCMakeConfig.cmake)
+include(cmake/FindClangTidy.cmake)
 include(cmake/CheckCompilerArch.cmake)
-include(cmake/RequireCXXStd.cmake)

 string(TOLOWER ${CMAKE_BUILD_TYPE} CMAKE_BUILD_TYPE_LOWER)

-if (ENABLE_IWYU)
-    find_program(ZEEK_IWYU_PATH NAMES include-what-you-use iwyu)
-    if (NOT ZEEK_IWYU_PATH)
-        message(FATAL_ERROR "Could not find the program include-what-you-use")
-    endif ()
-endif ()
-
-if (ENABLE_CLANG_TIDY)
-    find_program(ZEEK_CLANG_TIDY_PATH NAMES clang-tidy)
-    if (NOT ZEEK_CLANG_TIDY_PATH)
-        message(FATAL_ERROR "Could not find the program clang-tidy")
-    endif ()
-endif ()
-
 # ##############################################################################
 # Main targets and utilities.

@ -250,7 +197,7 @@ set(ZEEK_SOURCE_DIR "${CMAKE_CURRENT_SOURCE_DIR}")
 # zeek-plugin-create-package.sh. Needed by ZeekPluginConfig.cmake.in.
 set(ZEEK_PLUGIN_SCRIPTS_PATH "${PROJECT_SOURCE_DIR}/cmake")

-# Our C++ base target for propagating compiler and linker flags. Note: for
+# Our C++17 base target for propagating compiler and linker flags. Note: for
 # now, we only use it for passing library dependencies around.
 add_library(zeek_internal INTERFACE)
 add_library(Zeek::Internal ALIAS zeek_internal)
@ -283,10 +230,9 @@ if (ZEEK_STANDALONE)
    endif ()
    # Tell zeek_target_link_libraries to add library dependencies as PRIVATE.
    set(zeek_exe_access PRIVATE)
-
-    if (${CMAKE_SYSTEM_NAME} MATCHES "FreeBSD")
-        target_link_libraries(zeek_exe PRIVATE /usr/lib/libutil.so)
-        target_link_libraries(zeek_exe PRIVATE procstat)
+    # Also build the static library when asked for via Conan.
+    if (CONAN_EXPORTED)
+        add_library(zeek_lib STATIC)
    endif ()
 else ()
    add_library(zeek_lib STATIC)
@ -297,17 +243,11 @@ if (TARGET zeek_lib)
    add_dependencies(zeek_lib zeek_autogen_files)
    set_target_properties(zeek_lib PROPERTIES RUNTIME_OUTPUT_NAME libzeek)
    if (NOT CMAKE_LIBRARY_OUTPUT_DIRECTORY)
-        set_target_properties(zeek_lib PROPERTIES LIBRARY_OUTPUT_DIRECTORY src)
+        set_target_properties(zeek_lie PROPERTIES LIBRARY_OUTPUT_DIRECTORY src)
    endif ()
    install(TARGETS zeek_lib LIBRARY DESTINATION lib)
    # Tell zeek_target_link_libraries to add library dependencies as PRIVATE.
    set(zeek_lib_access PRIVATE)
-
-    if (${CMAKE_SYSTEM_NAME} MATCHES "FreeBSD")
-        target_link_libraries(zeek_lib PRIVATE /usr/lib/libutil.so)
-        target_link_libraries(zeek_lib PRIVATE procstat)
-    endif ()
-
 endif ()

 # When building our fuzzers, we also need one extra top-level target that
@ -338,16 +278,6 @@ function (zeek_target_link_libraries lib_target)
    endforeach ()
 endfunction ()

-function (zeek_target_add_linters lib_target)
-    if (ZEEK_IWYU_PATH)
-        set_target_properties(${lib_target} PROPERTIES CXX_INCLUDE_WHAT_YOU_USE ${ZEEK_IWYU_PATH})
-    endif ()
-
-    if (ZEEK_CLANG_TIDY_PATH)
-        set_target_properties(${lib_target} PROPERTIES CXX_CLANG_TIDY ${ZEEK_CLANG_TIDY_PATH})
-    endif ()
-endfunction ()
-
 function (zeek_include_directories)
    foreach (name zeek_exe zeek_lib zeek_fuzzer_shared)
        if (TARGET ${name})
@ -365,11 +295,8 @@ function (zeek_add_dependencies dep)
    endforeach ()
 endfunction ()

-# Used by library zeek_dynamic_plugin_base and for sanitizer builds.
-find_package(Threads REQUIRED)
-
 # Interface library for propagating extra flags and include paths to dynamically
-# loaded plugins. Also propagates include paths and c++ standard mode on the install
+# loaded plugins. Also propagates include paths and C++17 mode on the install
 # interface.
 add_library(zeek_dynamic_plugin_base INTERFACE)
 target_include_directories(
@ -396,20 +323,19 @@ endfunction ()

 add_zeek_dynamic_plugin_build_interface_include_directories(
    ${PROJECT_SOURCE_DIR}/src/include
-    ${PROJECT_SOURCE_DIR}/tools/binpac/lib
-    ${PROJECT_SOURCE_DIR}/auxil/broker/libbroker
+    ${PROJECT_SOURCE_DIR}/auxil/binpac/lib
+    ${PROJECT_SOURCE_DIR}/auxil/broker/include
    ${PROJECT_SOURCE_DIR}/auxil/paraglob/include
-    ${PROJECT_SOURCE_DIR}/auxil/prometheus-cpp/core/include
-    ${PROJECT_SOURCE_DIR}/auxil/expected-lite/include
+    ${PROJECT_SOURCE_DIR}/auxil/rapidjson/include
    ${CMAKE_BINARY_DIR}/src
    ${CMAKE_BINARY_DIR}/src/include
-    ${CMAKE_BINARY_DIR}/tools/binpac/lib
-    ${CMAKE_BINARY_DIR}/auxil/broker/libbroker
-    ${CMAKE_BINARY_DIR}/auxil/prometheus-cpp/core/include)
+    ${CMAKE_BINARY_DIR}/auxil/binpac/lib
+    ${CMAKE_BINARY_DIR}/auxil/broker/include)

-target_include_directories(
-    zeek_dynamic_plugin_base SYSTEM
-    INTERFACE $<INSTALL_INTERFACE:include/zeek/3rdparty/prometheus-cpp/include>)
+# threading/formatters/JSON.h includes rapidjson headers and may be used
+# by external plugins, extend the include path.
+target_include_directories(zeek_dynamic_plugin_base SYSTEM
+                           INTERFACE $<INSTALL_INTERFACE:include/zeek/3rdparty/rapidjson/include>)

 # Convenience function for adding an OBJECT library that feeds directly into the
 # main target(s).
@ -432,6 +358,7 @@ function (zeek_add_subdir_library name)
    target_compile_definitions(${target_name} PRIVATE ZEEK_CONFIG_SKIP_VERSION_H)
    add_dependencies(${target_name} zeek_autogen_files)
    target_link_libraries(${target_name} PRIVATE $<BUILD_INTERFACE:zeek_internal>)
+    add_clang_tidy_files(${FN_ARGS_SOURCES})
    target_compile_options(${target_name} PRIVATE ${WERROR_FLAG})

    # Take care of compiling BIFs.
@ -455,9 +382,6 @@ function (zeek_add_subdir_library name)

    # Feed into the main Zeek target(s).
    zeek_target_link_libraries(${target_name})
-
-    # Add IWYU and clang-tidy to the target if enabled.
-    zeek_target_add_linters(${target_name})
 endfunction ()

 # ##############################################################################
@ -653,20 +577,10 @@ set(VERSION_C_IDENT "${ZEEK_VERSION_FULL}_plugin_${API_VERSION}")
 string(REGEX REPLACE "-[0-9]*$" "_git" VERSION_C_IDENT "${VERSION_C_IDENT}")
 string(REGEX REPLACE "[^a-zA-Z0-9_\$]" "_" VERSION_C_IDENT "${VERSION_C_IDENT}")

-set(ZEEK_VERSION_FULL_LOCAL "${ZEEK_VERSION_FULL}")
-if (NOT ZEEK_VERSION_LOCAL STREQUAL "")
-    if (ZEEK_VERSION_LOCAL MATCHES "-")
-        message(FATAL_ERROR "ZEEK_VERSION_LOCAL can not contain dashes: ${ZEEK_VERSION_LOCAL}")
-    endif ()
-    set(ZEEK_VERSION_FULL_LOCAL "${ZEEK_VERSION_FULL_LOCAL}-${ZEEK_VERSION_LOCAL}")
-    set(VERSION_C_IDENT "${VERSION_C_IDENT}_${ZEEK_VERSION_LOCAL}")
-endif ()
-
 if (ENABLE_DEBUG)
    set(VERSION_C_IDENT "${VERSION_C_IDENT}_debug")
    target_compile_definitions(zeek_internal INTERFACE DEBUG)
    target_compile_definitions(zeek_dynamic_plugin_base INTERFACE DEBUG)
-    set(SPICYZ_FLAGS "-d" CACHE STRING "Additional flags to pass to spicyz for builtin analyzers")
 endif ()

 if (NOT BINARY_PACKAGING_MODE)
@ -701,6 +615,11 @@ if (NOT BINARY_PACKAGING_MODE)
 endif ()

 if (ZEEK_SANITIZERS)
+    # Check the thread library info early as setting compiler flags seems to
+    # interfere with the detection and cause CMAKE_THREAD_LIBS_INIT to not include
+    # -lpthread when it should.
+    find_package(Threads)
+
    string(REPLACE "," " " _sanitizer_args "${ZEEK_SANITIZERS}")
    separate_arguments(_sanitizer_args)
    set(ZEEK_SANITIZERS "")
@ -835,13 +754,16 @@ if (NOT SED_EXE)
    endif ()
 endif ()

-set(ZEEK_PYTHON_MIN 3.9.0)
+set(ZEEK_PYTHON_MIN 3.5.0)
 set(Python_FIND_UNVERSIONED_NAMES FIRST)
 find_package(Python ${ZEEK_PYTHON_MIN} REQUIRED COMPONENTS Interpreter)
 find_package(FLEX REQUIRED)
 find_package(BISON 2.5 REQUIRED)
 find_package(PCAP REQUIRED)
 find_package(OpenSSL REQUIRED)
+if (NOT MSVC)
+    find_package(BIND REQUIRED)
+endif ()
 find_package(ZLIB REQUIRED)

 if (NOT BINARY_PACKAGING_MODE)
@ -883,35 +805,46 @@ endif ()
 set(PY_MOD_INSTALL_DIR ${py_mod_install_dir} CACHE STRING "Installation path for Python modules"
                                                   FORCE)

-# BinPAC uses the same 'ENABLE_STATIC_ONLY' variable to define whether
-# to build statically. Save a local copy so it can be set based on the
-# configure flag before we add the subdirectory.
-set(ENABLE_STATIC_ONLY_SAVED ${ENABLE_STATIC_ONLY})
+if (EXISTS ${CMAKE_CURRENT_SOURCE_DIR}/auxil/binpac/CMakeLists.txt)

-if (BUILD_STATIC_BINPAC)
-    set(ENABLE_STATIC_ONLY true)
+    set(ENABLE_STATIC_ONLY_SAVED ${ENABLE_STATIC_ONLY})
+    if (MSVC)
+        set(BUILD_STATIC_BINPAC true)
+    endif ()
+
+    if (BUILD_STATIC_BINPAC)
+        set(ENABLE_STATIC_ONLY true)
+    endif ()
+
+    add_subdirectory(auxil/binpac)
+    set(ENABLE_STATIC_ONLY ${ENABLE_STATIC_ONLY_SAVED})
+
+    # FIXME: avoid hard-coding a path for multi-config generator support. See the
+    # TODO in ZeekPluginConfig.cmake.in.
+    set(BINPAC_EXE_PATH "${CMAKE_BINARY_DIR}/auxil/binpac/src/binpac${CMAKE_EXECUTABLE_SUFFIX}")
 endif ()

-add_subdirectory(tools/binpac)
-set(ENABLE_STATIC_ONLY ${ENABLE_STATIC_ONLY_SAVED})
-
-# FIXME: avoid hard-coding a path for multi-config generator support. See the
-# TODO in ZeekPluginConfig.cmake.in.
-set(BINPAC_EXE_PATH "${CMAKE_BINARY_DIR}/tools/binpac/src/binpac${CMAKE_EXECUTABLE_SUFFIX}")
-set(_binpac_exe_path "included")
-
-# Need to call find_package so it sets up the include paths used by plugin builds.
 find_package(BinPAC REQUIRED)
+
+# Add an alias (used by our plugin setup).
 add_executable(Zeek::BinPAC ALIAS binpac)

-add_subdirectory(tools/bifcl)
-add_executable(Zeek::BifCl ALIAS bifcl)
-# FIXME: avoid hard-coding a path for multi-config generator support. See the
-# TODO in ZeekPluginConfig.cmake.in.
-set(BIFCL_EXE_PATH "${CMAKE_BINARY_DIR}/tools/bifcl/bifcl${CMAKE_EXECUTABLE_SUFFIX}")
-set(_bifcl_exe_path "included")
+if (NOT BIFCL_EXE_PATH)
+    add_subdirectory(auxil/bifcl)
+    add_executable(Zeek::BifCl ALIAS bifcl)
+    # FIXME: avoid hard-coding a path for multi-config generator support. See the
+    # TODO in ZeekPluginConfig.cmake.in.
+    set(BIFCL_EXE_PATH "${CMAKE_BINARY_DIR}/auxil/bifcl/bifcl${CMAKE_EXECUTABLE_SUFFIX}")
+    set(_bifcl_exe_path "included")
+else ()
+    add_executable(Zeek::BifCl IMPORTED)
+    set_property(TARGET Zeek::BifCl PROPERTY IMPORTED_LOCATION "${BIFCL_EXE_PATH}")
+    set(_bifcl_exe_path "BIFCL_EXE_PATH")
+endif ()

-add_subdirectory(tools/gen-zam)
+if (NOT GEN_ZAM_EXE_PATH)
+    add_subdirectory(auxil/gen-zam)
+endif ()

 if (ENABLE_JEMALLOC)
    if (${CMAKE_SYSTEM_NAME} MATCHES "FreeBSD")
@ -969,8 +902,8 @@ else ()
        list(APPEND zeekdeps broker)
    endif ()

-    set(broker_includes ${CMAKE_CURRENT_SOURCE_DIR}/auxil/broker/libbroker
-                        ${CMAKE_CURRENT_BINARY_DIR}/auxil/broker/libbroker)
+    set(broker_includes ${CMAKE_CURRENT_SOURCE_DIR}/auxil/broker/include
+                        ${CMAKE_CURRENT_BINARY_DIR}/auxil/broker/include)

    if (BUILD_STATIC_BROKER)
        set(ZEEK_HAS_STATIC_BROKER ON)
@ -1016,7 +949,6 @@ if (NOT DISABLE_SPICY)
            set(Python3_EXECUTABLE ${Python_EXECUTABLE} CACHE STRING "Python3_EXECUTABLE hint")
        endif ()

-        set(SPICY_ENABLE_TESTS OFF)
        add_subdirectory(auxil/spicy)
        include(ConfigureSpicyBuild) # set some options different for building Spicy

@ -1030,14 +962,8 @@ if (NOT DISABLE_SPICY)
            hilti_link_object_libraries_in_tree(zeek_exe PRIVATE)
            spicy_link_object_libraries_in_tree(zeek_exe PRIVATE)
        else ()
-            if (TARGET zeek_exe)
-                hilti_link_libraries_in_tree(zeek_exe PRIVATE)
-                spicy_link_libraries_in_tree(zeek_exe PRIVATE)
-            endif ()
-            if (TARGET zeek_lib)
-                hilti_link_libraries_in_tree(zeek_lib PRIVATE)
-                spicy_link_libraries_in_tree(zeek_lib PRIVATE)
-            endif ()
+            hilti_link_libraries_in_tree(zeek_exe PRIVATE)
+            spicy_link_libraries_in_tree(zeek_exe PRIVATE)
        endif ()

        set(HAVE_SPICY yes)
@ -1055,24 +981,21 @@ include(BuiltInSpicyAnalyzer)
 include_directories(BEFORE ${PCAP_INCLUDE_DIR} ${BIND_INCLUDE_DIR} ${BinPAC_INCLUDE_DIR}
                    ${ZLIB_INCLUDE_DIR} ${JEMALLOC_INCLUDE_DIR})

-install(DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/auxil/prometheus-cpp/core/include/prometheus
-        DESTINATION include/zeek/3rdparty/prometheus-cpp/include)
+install(DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/auxil/rapidjson/include/rapidjson
+        DESTINATION include/zeek/3rdparty/rapidjson/include)

-install(DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/auxil/prometheus-cpp/core/include/prometheus
-        DESTINATION include/zeek/3rdparty/prometheus-cpp/include)
-
-install(DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/auxil/expected-lite/include/nonstd
+install(DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/auxil/filesystem/include/ghc
        DESTINATION include/zeek/3rdparty/)

+# Create 3rdparty/ghc within the build directory so that the include for
+# "zeek/3rdparty/ghc/filesystem.hpp" works within the build tree.
 execute_process(COMMAND "${CMAKE_COMMAND}" -E make_directory
                        "${CMAKE_CURRENT_BINARY_DIR}/3rdparty/")
-
-# Do the same for nonstd.
 execute_process(
    COMMAND
        "${CMAKE_COMMAND}" -E create_symlink
-        "${CMAKE_CURRENT_SOURCE_DIR}/auxil/expected-lite/include/nonstd"
-        "${CMAKE_CURRENT_BINARY_DIR}/3rdparty/nonstd")
+        "${CMAKE_CURRENT_SOURCE_DIR}/auxil/filesystem/include/ghc"
+        "${CMAKE_CURRENT_BINARY_DIR}/3rdparty/ghc")

 # Optional Dependencies

@ -1080,16 +1003,18 @@ set(USE_GEOIP false)
 find_package(LibMMDB)
 if (LIBMMDB_FOUND)
    set(USE_GEOIP true)
-    include_directories(BEFORE SYSTEM ${LibMMDB_INCLUDE_DIR})
+    include_directories(BEFORE ${LibMMDB_INCLUDE_DIR})
    list(APPEND OPTLIBS ${LibMMDB_LIBRARY})
 endif ()

 set(USE_KRB5 false)
-find_package(LibKrb5)
-if (LIBKRB5_FOUND)
-    set(USE_KRB5 true)
-    include_directories(BEFORE SYSTEM ${LibKrb5_INCLUDE_DIR})
-    list(APPEND OPTLIBS ${LibKrb5_LIBRARY})
+if (${CMAKE_SYSTEM_NAME} MATCHES Linux)
+    find_package(LibKrb5)
+    if (LIBKRB5_FOUND)
+        set(USE_KRB5 true)
+        include_directories(BEFORE ${LibKrb5_INCLUDE_DIR})
+        list(APPEND OPTLIBS ${LibKrb5_LIBRARY})
+    endif ()
 endif ()

 set(HAVE_PERFTOOLS false)
@ -1121,7 +1046,7 @@ endif ()
 # dependencies which tend to be in standard system locations and thus cause the
 # system OpenSSL headers to still be picked up even if one specifies
 # --with-openssl (which may be common).
-include_directories(BEFORE SYSTEM ${OPENSSL_INCLUDE_DIR})
+include_directories(BEFORE ${OPENSSL_INCLUDE_DIR})

 # Determine if libfts is external to libc, i.e. musl
 find_package(FTS)
@ -1173,9 +1098,7 @@ include(GetArchitecture)
 include(FindCAres)
 include(FindKqueue)

-include(FindPrometheusCpp)
 include_directories(BEFORE "auxil/out_ptr/include")
-include_directories(BEFORE "auxil/expected-lite/include")

 if ((OPENSSL_VERSION VERSION_EQUAL "1.1.0") OR (OPENSSL_VERSION VERSION_GREATER "1.1.0"))
    set(ZEEK_HAVE_OPENSSL_1_1 true CACHE INTERNAL "" FORCE)
@ -1187,6 +1110,18 @@ endif ()
 # Tell the plugin code that we're building as part of the main tree.
 set(ZEEK_PLUGIN_INTERNAL_BUILD true CACHE INTERNAL "" FORCE)

+set(ZEEK_HAVE_AF_PACKET no)
+if (${CMAKE_SYSTEM_NAME} MATCHES Linux)
+    if (NOT DISABLE_AF_PACKET)
+        if (NOT AF_PACKET_PLUGIN_PATH)
+            set(AF_PACKET_PLUGIN_PATH ${CMAKE_SOURCE_DIR}/auxil/zeek-af_packet-plugin)
+        endif ()
+
+        list(APPEND ZEEK_INCLUDE_PLUGINS ${AF_PACKET_PLUGIN_PATH})
+        set(ZEEK_HAVE_AF_PACKET yes)
+    endif ()
+endif ()
+
 set(ZEEK_HAVE_JAVASCRIPT no)
 if (NOT DISABLE_JAVASCRIPT)
    set(CMAKE_MODULE_PATH ${CMAKE_MODULE_PATH} ${PROJECT_SOURCE_DIR}/auxil/zeekjs/cmake)
@ -1206,7 +1141,6 @@ if (NOT DISABLE_JAVASCRIPT)
    endif ()
 endif ()

-set(ZEEK_HAVE_AF_PACKET no CACHE INTERNAL "Zeek has AF_PACKET support")
 set(ZEEK_HAVE_JAVASCRIPT ${ZEEK_HAVE_JAVASCRIPT} CACHE INTERNAL "Zeek has JavaScript support")

 set(DEFAULT_ZEEKPATH_PATHS
@ -1225,7 +1159,11 @@ endif ()
 include_directories(BEFORE ${CMAKE_CURRENT_BINARY_DIR})
 execute_process(COMMAND "${CMAKE_COMMAND}" -E create_symlink "." "${CMAKE_CURRENT_BINARY_DIR}/zeek")

-set(ZEEK_CONFIG_BINPAC_ROOT_DIR ${BinPAC_ROOT_DIR})
+if (BinPAC_ROOT_DIR)
+    set(ZEEK_CONFIG_BINPAC_ROOT_DIR ${BinPAC_ROOT_DIR})
+else ()
+    set(ZEEK_CONFIG_BINPAC_ROOT_DIR ${ZEEK_ROOT_DIR})
+endif ()

 if (BROKER_ROOT_DIR)
    set(ZEEK_CONFIG_BROKER_ROOT_DIR ${BROKER_ROOT_DIR})
@ -1363,6 +1301,7 @@ checkoptionalbuildsources(auxil/btest BTest INSTALL_BTEST)
 checkoptionalbuildsources(auxil/package-manager ZKG INSTALL_ZKG)
 checkoptionalbuildsources(auxil/zeekctl ZeekControl INSTALL_ZEEKCTL)
 checkoptionalbuildsources(auxil/zeek-aux Zeek-Aux INSTALL_AUX_TOOLS)
+checkoptionalbuildsources(auxil/zeek-archiver ZeekArchiver INSTALL_ZEEK_ARCHIVER)
 checkoptionalbuildsources(auxil/zeek-client ZeekClient INSTALL_ZEEK_CLIENT)

 # Generate Spicy helper scripts referenced in e.g., `zeek-path-dev.*`. These
@ -1443,6 +1382,11 @@ else ()
    set(_install_btest_tools_msg "no pcaps")
 endif ()

+set(_binpac_exe_path "included")
+if (BINPAC_EXE_PATH)
+    set(_binpac_exe_path ${BINPAC_EXE_PATH})
+endif ()
+
 set(_gen_zam_exe_path "included")
 if (GEN_ZAM_EXE_PATH)
    set(_gen_zam_exe_path ${GEN_ZAM_EXE_PATH})
@ -1472,118 +1416,57 @@ if (ZEEK_LEGACY_ANALYZERS OR ZEEK_SKIPPED_ANALYZERS)
    )
 endif ()

-set(_zeek_builtin_plugins "${ZEEK_BUILTIN_PLUGINS}")
-if (NOT ZEEK_BUILTIN_PLUGINS)
-    set(_zeek_builtin_plugins "none")
-endif ()
-
-set(_zeek_fuzzing_engine "${ZEEK_FUZZING_ENGINE}")
-if (NOT ZEEK_FUZZING_ENGINE)
-    if (ZEEK_ENABLE_FUZZERS)
-        # The default fuzzer used by gcc and clang is libFuzzer. This is if you
-        # simply pass '-fsanitize=fuzzer' to the compiler.
-        set(_zeek_fuzzing_engine "libFuzzer")
-    endif ()
-endif ()
-
-## Utility method for outputting status information for features that just have a
-## string representation. This can also take an optional second argument that is a
-## value string to print.
-function (output_summary_line what)
-    if ("${ARGV1}" MATCHES "^$")
-        message("${what}:")
-        return()
-    endif ()
-
-    set(_spaces "                                        ")
-    string(LENGTH ${what} _what_length)
-    math(EXPR _num_spaces "25 - ${_what_length}")
-    string(SUBSTRING ${_spaces} 0 ${_num_spaces} _spacing)
-    message("${what}:${_spacing}${ARGV1}")
-endfunction ()
-
-## Utility method for outputting status information for features that have an ON/OFF
-## state.
-function (output_summary_bool what state)
-    if (${state})
-        output_summary_line("${what}" "ON")
-    else ()
-        output_summary_line("${what}" "OFF")
-    endif ()
-endfunction ()
-
-message("\n====================|  Zeek Build Summary  |====================\n")
-
-output_summary_line("Build type" "${CMAKE_BUILD_TYPE}")
-output_summary_line("Build dir" "${PROJECT_BINARY_DIR}")
-message("")
-
-output_summary_line("Install prefix" "${CMAKE_INSTALL_PREFIX}")
-output_summary_line("Config file dir" "${ZEEK_ETC_INSTALL_DIR}")
-output_summary_line("Log dir" "${ZEEK_LOG_DIR}")
-output_summary_line("Plugin dir" "${ZEEK_PLUGIN_DIR}")
-output_summary_line("Python module dir" "${PY_MOD_INSTALL_DIR}")
-output_summary_line("Script dir" "${ZEEK_SCRIPT_INSTALL_PATH}")
-output_summary_line("Spool dir" "${ZEEK_SPOOL_DIR}")
-output_summary_line("State dir" "${ZEEK_STATE_DIR}")
-output_summary_line("Spicy modules dir" "${ZEEK_SPICY_MODULE_PATH}")
-message("")
-
-output_summary_bool("Debug mode" ${ENABLE_DEBUG})
-output_summary_bool("Unit tests" ${ENABLE_ZEEK_UNIT_TESTS})
-message("")
-
-output_summary_line("Builtin Plugins" "${_zeek_builtin_plugins}")
-message("")
-
-output_summary_line("CC" "${CMAKE_C_COMPILER}")
-output_summary_line("CFLAGS" "${CMAKE_C_FLAGS} ${CMAKE_C_FLAGS_${BuildType}}")
-output_summary_line("CXX" "${CMAKE_CXX_COMPILER}")
-output_summary_line("CXXFLAGS" "${CMAKE_CXX_FLAGS} ${CMAKE_CXX_FLAGS_${BuildType}}")
-output_summary_line("CPP" "${CMAKE_CXX_COMPILER}")
-message("")
-
-output_summary_bool("AF_PACKET" ${ZEEK_HAVE_AF_PACKET})
-output_summary_bool("Aux. Tools" ${INSTALL_AUX_TOOLS})
-output_summary_bool("BTest" ${INSTALL_BTEST})
-output_summary_line("BTest tooling" ${_install_btest_tools_msg})
-output_summary_bool("JavaScript" ${ZEEK_HAVE_JAVASCRIPT})
-output_summary_line("Spicy" ${_spicy})
-output_summary_bool("Spicy analyzers" ${USE_SPICY_ANALYZERS})
-output_summary_bool("zeek-client" ${INSTALL_ZEEK_CLIENT})
-output_summary_bool("ZeekControl" ${INSTALL_ZEEKCTL})
-output_summary_bool("zkg" ${INSTALL_ZKG})
-message("")
-
-output_summary_bool("libmaxminddb" ${USE_GEOIP})
-output_summary_bool("Kerberos" ${USE_KRB5})
-output_summary_bool("gperftools" ${HAVE_PERFTOOLS})
-output_summary_bool("  - tcmalloc" ${USE_PERFTOOLS_TCMALLOC})
-output_summary_bool("  - debugging" ${USE_PERFTOOLS_DEBUG})
-output_summary_bool("jemalloc" ${ENABLE_JEMALLOC})
-message("")
-
-output_summary_line("Cluster backends")
-output_summary_bool("  - Broker" ON)
-output_summary_bool("  - ZeroMQ" ${ENABLE_CLUSTER_BACKEND_ZEROMQ})
-message("")
-
-output_summary_line("Storage backends")
-output_summary_bool("  - SQLite" ON)
-output_summary_bool("  - Redis" ${ENABLE_STORAGE_BACKEND_REDIS})
-message("")
-
-output_summary_bool("Fuzz Targets" ${ZEEK_ENABLE_FUZZERS})
-output_summary_line("Fuzz Engine" "${_zeek_fuzzing_engine}")
-message("")
-
-output_summary_line("External Tools/Linters")
-output_summary_bool("  - Include What You Use" ${ENABLE_IWYU})
-output_summary_bool("  - Clang-Tidy" ${ENABLE_CLANG_TIDY})
-
-if (${_analyzer_warning})
-    message("${_analyzer_warning}\n")
-endif ()
-message("\n================================================================")
+message(
+    "\n====================|  Zeek Build Summary  |===================="
+    "\n"
+    "\nBuild type:        ${CMAKE_BUILD_TYPE}"
+    "\nBuild dir:         ${PROJECT_BINARY_DIR}"
+    "\n"
+    "\nInstall prefix:    ${CMAKE_INSTALL_PREFIX}"
+    "\nConfig file dir:   ${ZEEK_ETC_INSTALL_DIR}"
+    "\nLog dir:           ${ZEEK_LOG_DIR}"
+    "\nPlugin dir:        ${ZEEK_PLUGIN_DIR}"
+    "\nPython module dir: ${PY_MOD_INSTALL_DIR}"
+    "\nScript dir:        ${ZEEK_SCRIPT_INSTALL_PATH}"
+    "\nSpool dir:         ${ZEEK_SPOOL_DIR}"
+    "\nState dir:         ${ZEEK_STATE_DIR}"
+    "\nSpicy modules dir: ${ZEEK_SPICY_MODULE_PATH}"
+    "\n"
+    "\nDebug mode:        ${ENABLE_DEBUG}"
+    "\nUnit tests:        ${ENABLE_ZEEK_UNIT_TESTS}"
+    "\nBuiltin Plugins:   ${ZEEK_BUILTIN_PLUGINS}"
+    "\n"
+    "\nCC:                ${CMAKE_C_COMPILER}"
+    "\nCFLAGS:            ${CMAKE_C_FLAGS} ${CMAKE_C_FLAGS_${BuildType}}"
+    "\nCXX:               ${CMAKE_CXX_COMPILER}"
+    "\nCXXFLAGS:          ${CMAKE_CXX_FLAGS} ${CMAKE_CXX_FLAGS_${BuildType}}"
+    "\nCPP:               ${CMAKE_CXX_COMPILER}"
+    "\n"
+    "\nAF_PACKET:         ${ZEEK_HAVE_AF_PACKET}"
+    "\nAux. Tools:        ${INSTALL_AUX_TOOLS}"
+    "\nBifCL:             ${_bifcl_exe_path}"
+    "\nBinPAC:            ${_binpac_exe_path}"
+    "\nBTest:             ${INSTALL_BTEST}"
+    "\nBTest tooling:     ${_install_btest_tools_msg}"
+    "\nGen-ZAM:           ${_gen_zam_exe_path}"
+    "\nJavaScript:        ${ZEEK_HAVE_JAVASCRIPT}"
+    "\nSpicy:             ${_spicy}"
+    "\nSpicy analyzers:   ${USE_SPICY_ANALYZERS}"
+    "\nzeek-client:       ${INSTALL_ZEEK_CLIENT}"
+    "\nZeekControl:       ${INSTALL_ZEEKCTL}"
+    "\nzkg:               ${INSTALL_ZKG}"
+    "\n"
+    "\nlibmaxminddb:      ${USE_GEOIP}"
+    "\nKerberos:          ${USE_KRB5}"
+    "\ngperftools found:  ${HAVE_PERFTOOLS}"
+    "\n  - tcmalloc:      ${USE_PERFTOOLS_TCMALLOC}"
+    "\n  - debugging:     ${USE_PERFTOOLS_DEBUG}"
+    "\njemalloc:          ${ENABLE_JEMALLOC}"
+    "\n"
+    "\nFuzz Targets:      ${ZEEK_ENABLE_FUZZERS}"
+    "\nFuzz Engine:       ${ZEEK_FUZZING_ENGINE}"
+    "${_analyzer_warning}"
+    "\n"
+    "\n================================================================\n")

 include(UserChangedWarning)
--- a/CODE_OF_CONDUCT.md
+++ b/CODE_OF_CONDUCT.md
@ -1 +0,0 @@
-Our code of conduct is published at https://zeek.org/community-code-of-conduct/
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -1,3 +0,0 @@
-Our contribution guide is available at https://github.com/zeek/zeek/wiki/Contribution-Guide.
-
-More information about contributing is also available at https://docs.zeek.org/en/master/devel/contributors.html.
--- a/2
+++ b/2
@ -1,4 +1,4 @@
-Copyright (c) 1995-now, The Regents of the University of California
+Copyright (c) 1995-2023, The Regents of the University of California
 through the Lawrence Berkeley National Laboratory and the
 International Computer Science Institute. All rights reserved.

--- a/456
+++ b/456
@ -533,6 +533,32 @@ POSSIBILITY OF SUCH DAMAGE.

 ==============================================================================

+%%% auxil/filesystem
+
+==============================================================================
+
+Copyright (c) 2018, Steffen Schümann <s.schuemann@pobox.com>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+
+==============================================================================
+
 %%% auxil/highwayhash

 ==============================================================================
@ -756,433 +782,3 @@ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 SOFTWARE.
-
-==============================================================================
-
-%%% auxil/c-ares
-
-==============================================================================
-
-MIT License
-
-Copyright (c) 1998 Massachusetts Institute of Technology
-Copyright (c) 2007 - 2023 Daniel Stenberg with many contributors, see AUTHORS
-file.
-
-Permission is hereby granted, free of charge, to any person obtaining a copy of
-this software and associated documentation files (the "Software"), to deal in
-the Software without restriction, including without limitation the rights to
-use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
-the Software, and to permit persons to whom the Software is furnished to do so,
-subject to the following conditions:
-
-The above copyright notice and this permission notice (including the next
-paragraph) shall be included in all copies or substantial portions of the
-Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
-
-==============================================================================
-
-%%% auxil/expected-lite
-
-==============================================================================
-
-Boost Software License - Version 1.0 - August 17th, 2003
-
-Permission is hereby granted, free of charge, to any person or organization
-obtaining a copy of the software and accompanying documentation covered by
-this license (the "Software") to use, reproduce, display, distribute,
-execute, and transmit the Software, and to prepare derivative works of the
-Software, and to permit third-parties to whom the Software is furnished to
-do so, all subject to the following:
-
-The copyright notices in the Software and this entire statement, including
-the above license grant, this restriction and the following disclaimer,
-must be included in all copies of the Software, in whole or in part, and
-all derivative works of the Software, unless such copies or derivative
-works are solely in the form of machine-executable object code generated by
-a source language processor.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT. IN NO EVENT
-SHALL THE COPYRIGHT HOLDERS OR ANYONE DISTRIBUTING THE SOFTWARE BE LIABLE
-FOR ANY DAMAGES OR OTHER LIABILITY, WHETHER IN CONTRACT, TORT OR OTHERWISE,
-ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
-DEALINGS IN THE SOFTWARE.
-
-==============================================================================
-
-%%% auxil/out_ptr
-
-==============================================================================
-
-                         Copyright ⓒ 2018-2021 ThePhD.
-
-
-                                 Apache License
-                           Version 2.0, January 2004
-                        http://www.apache.org/licenses/
-
-   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
-
-   1. Definitions.
-
-      "License" shall mean the terms and conditions for use, reproduction,
-      and distribution as defined by Sections 1 through 9 of this document.
-
-      "Licensor" shall mean the copyright owner or entity authorized by
-      the copyright owner that is granting the License.
-
-      "Legal Entity" shall mean the union of the acting entity and all
-      other entities that control, are controlled by, or are under common
-      control with that entity. For the purposes of this definition,
-      "control" means (i) the power, direct or indirect, to cause the
-      direction or management of such entity, whether by contract or
-      otherwise, or (ii) ownership of fifty percent (50%) or more of the
-      outstanding shares, or (iii) beneficial ownership of such entity.
-
-      "You" (or "Your") shall mean an individual or Legal Entity
-      exercising permissions granted by this License.
-
-      "Source" form shall mean the preferred form for making modifications,
-      including but not limited to software source code, documentation
-      source, and configuration files.
-
-      "Object" form shall mean any form resulting from mechanical
-      transformation or translation of a Source form, including but
-      not limited to compiled object code, generated documentation,
-      and conversions to other media types.
-
-      "Work" shall mean the work of authorship, whether in Source or
-      Object form, made available under the License, as indicated by a
-      copyright notice that is included in or attached to the work
-      (an example is provided in the Appendix below).
-
-      "Derivative Works" shall mean any work, whether in Source or Object
-      form, that is based on (or derived from) the Work and for which the
-      editorial revisions, annotations, elaborations, or other modifications
-      represent, as a whole, an original work of authorship. For the purposes
-      of this License, Derivative Works shall not include works that remain
-      separable from, or merely link (or bind by name) to the interfaces of,
-      the Work and Derivative Works thereof.
-
-      "Contribution" shall mean any work of authorship, including
-      the original version of the Work and any modifications or additions
-      to that Work or Derivative Works thereof, that is intentionally
-      submitted to Licensor for inclusion in the Work by the copyright owner
-      or by an individual or Legal Entity authorized to submit on behalf of
-      the copyright owner. For the purposes of this definition, "submitted"
-      means any form of electronic, verbal, or written communication sent
-      to the Licensor or its representatives, including but not limited to
-      communication on electronic mailing lists, source code control systems,
-      and issue tracking systems that are managed by, or on behalf of, the
-      Licensor for the purpose of discussing and improving the Work, but
-      excluding communication that is conspicuously marked or otherwise
-      designated in writing by the copyright owner as "Not a Contribution."
-
-      "Contributor" shall mean Licensor and any individual or Legal Entity
-      on behalf of whom a Contribution has been received by Licensor and
-      subsequently incorporated within the Work.
-
-   2. Grant of Copyright License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      copyright license to reproduce, prepare Derivative Works of,
-      publicly display, publicly perform, sublicense, and distribute the
-      Work and such Derivative Works in Source or Object form.
-
-   3. Grant of Patent License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      (except as stated in this section) patent license to make, have made,
-      use, offer to sell, sell, import, and otherwise transfer the Work,
-      where such license applies only to those patent claims licensable
-      by such Contributor that are necessarily infringed by their
-      Contribution(s) alone or by combination of their Contribution(s)
-      with the Work to which such Contribution(s) was submitted. If You
-      institute patent litigation against any entity (including a
-      cross-claim or counterclaim in a lawsuit) alleging that the Work
-      or a Contribution incorporated within the Work constitutes direct
-      or contributory patent infringement, then any patent licenses
-      granted to You under this License for that Work shall terminate
-      as of the date such litigation is filed.
-
-   4. Redistribution. You may reproduce and distribute copies of the
-      Work or Derivative Works thereof in any medium, with or without
-      modifications, and in Source or Object form, provided that You
-      meet the following conditions:
-
-      (a) You must give any other recipients of the Work or
-          Derivative Works a copy of this License; and
-
-      (b) You must cause any modified files to carry prominent notices
-          stating that You changed the files; and
-
-      (c) You must retain, in the Source form of any Derivative Works
-          that You distribute, all copyright, patent, trademark, and
-          attribution notices from the Source form of the Work,
-          excluding those notices that do not pertain to any part of
-          the Derivative Works; and
-
-      (d) If the Work includes a "NOTICE" text file as part of its
-          distribution, then any Derivative Works that You distribute must
-          include a readable copy of the attribution notices contained
-          within such NOTICE file, excluding those notices that do not
-          pertain to any part of the Derivative Works, in at least one
-          of the following places: within a NOTICE text file distributed
-          as part of the Derivative Works; within the Source form or
-          documentation, if provided along with the Derivative Works; or,
-          within a display generated by the Derivative Works, if and
-          wherever such third-party notices normally appear. The contents
-          of the NOTICE file are for informational purposes only and
-          do not modify the License. You may add Your own attribution
-          notices within Derivative Works that You distribute, alongside
-          or as an addendum to the NOTICE text from the Work, provided
-          that such additional attribution notices cannot be construed
-          as modifying the License.
-
-      You may add Your own copyright statement to Your modifications and
-      may provide additional or different license terms and conditions
-      for use, reproduction, or distribution of Your modifications, or
-      for any such Derivative Works as a whole, provided Your use,
-      reproduction, and distribution of the Work otherwise complies with
-      the conditions stated in this License.
-
-   5. Submission of Contributions. Unless You explicitly state otherwise,
-      any Contribution intentionally submitted for inclusion in the Work
-      by You to the Licensor shall be under the terms and conditions of
-      this License, without any additional terms or conditions.
-      Notwithstanding the above, nothing herein shall supersede or modify
-      the terms of any separate license agreement you may have executed
-      with Licensor regarding such Contributions.
-
-   6. Trademarks. This License does not grant permission to use the trade
-      names, trademarks, service marks, or product names of the Licensor,
-      except as required for reasonable and customary use in describing the
-      origin of the Work and reproducing the content of the NOTICE file.
-
-   7. Disclaimer of Warranty. Unless required by applicable law or
-      agreed to in writing, Licensor provides the Work (and each
-      Contributor provides its Contributions) on an "AS IS" BASIS,
-      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
-      implied, including, without limitation, any warranties or conditions
-      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
-      PARTICULAR PURPOSE. You are solely responsible for determining the
-      appropriateness of using or redistributing the Work and assume any
-      risks associated with Your exercise of permissions under this License.
-
-   8. Limitation of Liability. In no event and under no legal theory,
-      whether in tort (including negligence), contract, or otherwise,
-      unless required by applicable law (such as deliberate and grossly
-      negligent acts) or agreed to in writing, shall any Contributor be
-      liable to You for damages, including any direct, indirect, special,
-      incidental, or consequential damages of any character arising as a
-      result of this License or out of the use or inability to use the
-      Work (including but not limited to damages for loss of goodwill,
-      work stoppage, computer failure or malfunction, or any and all
-      other commercial damages or losses), even if such Contributor
-      has been advised of the possibility of such damages.
-
-   9. Accepting Warranty or Additional Liability. While redistributing
-      the Work or Derivative Works thereof, You may choose to offer,
-      and charge a fee for, acceptance of support, warranty, indemnity,
-      or other liability obligations and/or rights consistent with this
-      License. However, in accepting such obligations, You may act only
-      on Your own behalf and on Your sole responsibility, not on behalf
-      of any other Contributor, and only if You agree to indemnify,
-      defend, and hold each Contributor harmless for any liability
-      incurred by, or claims asserted against, such Contributor by reason
-      of your accepting any such warranty or additional liability.
-
-   END OF TERMS AND CONDITIONS
-
-==============================================================================
-
-%%% auxil/prometheus-cpp
-
-==============================================================================
-
-MIT License
-
-Copyright (c) 2016-2021 Jupp Mueller
-Copyright (c) 2017-2022 Gregor Jasny
-
-And many contributors, see
-https://github.com/jupp0r/prometheus-cpp/graphs/contributors
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
-
-==============================================================================
-
-%%% auxil/rapidjson
-
-==============================================================================
-
-Tencent is pleased to support the open source community by making RapidJSON available.
-
-Copyright (C) 2015 THL A29 Limited, a Tencent company, and Milo Yip.  All rights reserved.
-
-If you have downloaded a copy of the RapidJSON binary from Tencent, please note that the RapidJSON binary is licensed under the MIT License.
-If you have downloaded a copy of the RapidJSON source code from Tencent, please note that RapidJSON source code is licensed under the MIT License, except for the third-party components listed below which are subject to different license terms.  Your integration of RapidJSON into your own projects may require compliance with the MIT License, as well as the other licenses applicable to the third-party components included within RapidJSON. To avoid the problematic JSON license in your own projects, it's sufficient to exclude the bin/jsonchecker/ directory, as it's the only code under the JSON license.
-A copy of the MIT License is included in this file.
-
-Other dependencies and licenses:
-
-Open Source Software Licensed Under the BSD License:
--------------------------------------------------------------------
-
-The msinttypes r29
-Copyright (c) 2006-2013 Alexander Chemeris
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
-
-* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
-* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
-* Neither the name of  copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS AND CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-Open Source Software Licensed Under the JSON License:
--------------------------------------------------------------------
-
-json.org
-Copyright (c) 2002 JSON.org
-All Rights Reserved.
-
-JSON_checker
-Copyright (c) 2002 JSON.org
-All Rights Reserved.
-
-
-Terms of the JSON License:
---------------------------------------------------
-
-Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
-
-The Software shall be used for Good, not Evil.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-
-Terms of the MIT License:
--------------------------------------------------------------------
-
-Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-==============================================================================
-
-%%% auxil/vcpkg
-
-==============================================================================
-
-MIT License
-
-Copyright (c) Microsoft Corporation
-
-Permission is hereby granted, free of charge, to any person obtaining a copy of this
-software and associated documentation files (the "Software"), to deal in the Software
-without restriction, including without limitation the rights to use, copy, modify,
-merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
-permit persons to whom the Software is furnished to do so, subject to the following
-conditions:
-
-The above copyright notice and this permission notice shall be included in all copies
-or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
-INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
-PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
-HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
-CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE
-OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-==============================================================================
-
-%%% src/cluster/websocket/auxil/IXWebSocket
-
-==============================================================================
-
-Copyright (c) 2018 Machine Zone, Inc. All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are
-met:
-
-1. Redistributions of source code must retain the above copyright
-   notice, this list of conditions and the following disclaimer.
-
-2. Redistributions in binary form must reproduce the above copyright
-   notice, this list of conditions and the following disclaimer in the
-   documentation and/or other materials provided with the
-   distribution.
-
-3. Neither the name of the copyright holder nor the names of its
-   contributors may be used to endorse or promote products derived
-   from this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-==============================================================================
-
-%%% src/cluster/backend/zeromq/auxil/cppzmq
-
-==============================================================================
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to
-deal in the Software without restriction, including without limitation the
-rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
-sell copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
-FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
-IN THE SOFTWARE.
--- a/2
+++ b/2
@ -9,7 +9,7 @@ BUILD=build
 REPO=$$(cd $(CURDIR) && basename $$(git config --get remote.origin.url | sed 's/^[^:]*://g'))
 VERSION_FULL=$(REPO)-$$(cd $(CURDIR) && cat VERSION)
 GITDIR=$$(test -f .git && echo $$(cut -d" " -f2 .git) || echo .git)
-REALPATH=$$($$(realpath --relative-to=$(shell pwd) . >/dev/null 2>&1) && echo 'realpath' || echo 'grealpath')
+REALPATH=$$($$(realpath --relative-to=$(pwd) . >/dev/null 2>&1) && echo 'realpath' || echo 'grealpath')

 all: configured
 	$(MAKE) -C $(BUILD) $@
--- a/1241
+++ b/1241
--- a/4
+++ b/4
@ -3,7 +3,7 @@ The Zeek Network Security Monitor
 =================================

 Zeek is a powerful framework for network traffic analysis and security
-monitoring.
+monitoring. Follow us on Twitter at @zeekurity.

 Key Features
 ============
@ -101,4 +101,4 @@ others.
 [4] https://www.zeek.org/community/index.html
 [5] https://clang.llvm.org/extra/clang-tidy/
 [6] https://scan.coverity.com/projects/bro
-[7] https://pvs-studio.com/en/pvs-studio/?utm_source=github&utm_medium=organic&utm_campaign=open_source
+[7] https://pvs-studio.com/en/pvs-studio/?utm_source=github&utm_medium=organic&utm_campaign=open_source
--- a/README.md
+++ b/README.md
@ -15,15 +15,14 @@ traffic analysis and security monitoring.
 [_Development_](#development) —
 [_License_](#license)

+Follow us on Twitter at [@zeekurity](https://twitter.com/zeekurity).
+
 [![Coverage Status](https://coveralls.io/repos/github/zeek/zeek/badge.svg?branch=master)](https://coveralls.io/github/zeek/zeek?branch=master)
 [![Build Status](https://img.shields.io/cirrus/github/zeek/zeek)](https://cirrus-ci.com/github/zeek/zeek)

 [![Slack](https://img.shields.io/badge/slack-@zeek-brightgreen.svg?logo=slack)](https://zeek.org/slack)
 [![Discourse](https://img.shields.io/discourse/status?server=https%3A%2F%2Fcommunity.zeek.org)](https://community.zeek.org)

-[![Mastodon](https://img.shields.io/badge/mastodon-@zeek@infosec.exchange-brightgreen.svg?logo=mastodon)](https://infosec.exchange/@zeek)
-[![Bluesky](https://img.shields.io/badge/bluesky-@zeek-brightgreen.svg?logo=bluesky)](https://bsky.app/profile/zeek.org)
-
 </h4>


@ -52,7 +51,7 @@ Getting Started

 The best place to find information about getting started with Zeek is
 our web site [www.zeek.org](https://www.zeek.org), specifically the
-[documentation](https://docs.zeek.org/en/stable/index.html) section
+[documentation](https://www.zeek.org/documentation/index.html) section
 there. On the web site you can also find downloads for stable
 releases, tutorials on getting Zeek set up, and many other useful
 resources.
@ -105,9 +104,9 @@ you might find
 [these](https://github.com/zeek/zeek/labels/good%20first%20issue)
 to be a good place to get started. More information on Zeek's
 development can be found
-[here](https://docs.zeek.org/en/current/devel/index.html), and information
+[here](https://www.zeek.org/development/index.html), and information
 about its community and mailing lists (which are fairly active) can be
-found [here](https://www.zeek.org/community/).
+found [here](https://www.zeek.org/community/index.html).

 License
 -------
--- a/SECURITY.md
+++ b/SECURITY.md
@ -1,5 +0,0 @@
-# Security Policy
-
-Zeek's Security Policy is defined on our website at https://zeek.org/security-reporting/
-
-Our Security Release Process is further clarified at https://github.com/zeek/zeek/wiki/Security-Release-Process
--- a/2
+++ b/2
@ -1 +1 @@
-8.1.0-dev.687
+6.2.0
--- a/auxil/bifcl
+++ b/auxil/bifcl
@ -0,0 +1 @@
+Subproject commit b02c411ef0911409a125ac36ea214069963cb53d
--- a/auxil/binpac
+++ b/auxil/binpac
@ -0,0 +1 @@
+Subproject commit d8e9254a731670679d0c1d7d41a51c4fd6b44a0a
--- a/auxil/broker
+++ b/auxil/broker
@ -1 +1 @@
-Subproject commit 06d491943f4bee6c2d1e17a5c7c31836d725273d
+Subproject commit 93f8b2ca47b3659ba80b7bcf78c361597c091799
--- a/auxil/btest
+++ b/auxil/btest
@ -1 +1 @@
-Subproject commit 8c0fbfd74325b6c9be022a98bcd414b6f103d09e
+Subproject commit 46f982cd6fafd34639c2f97628a57f1457f7e56a
--- a/auxil/c-ares
+++ b/auxil/c-ares
@ -1 +1 @@
-Subproject commit d3a507e920e7af18a5efb7f9f1d8044ed4750013
+Subproject commit 0ad09d251bf01cc2b7860950527e33e22cd64256
--- a/auxil/expected-lite
+++ b/auxil/expected-lite
@ -1 +0,0 @@
-Subproject commit f339d2f73730f8fee4412f5e4938717866ecef48
--- a/auxil/filesystem
+++ b/auxil/filesystem
@ -0,0 +1 @@
+Subproject commit 72a76d774e4c7c605141fd6d11c33cc211209ed9
--- a/auxil/gen-zam
+++ b/auxil/gen-zam
@ -0,0 +1 @@
+Subproject commit bbb5b3645aa7b65db9183b5fc0b3be8a952ea308
--- a/auxil/highwayhash
+++ b/auxil/highwayhash
@ -1 +1 @@
-Subproject commit 5ad3bf8444cfc663b11bf367baaa31f36e7ff7c8
+Subproject commit c13d28517a4db259d738ea4886b1f00352a3cc33
--- a/auxil/libkqueue
+++ b/auxil/libkqueue
@ -1 +1 @@
-Subproject commit cf6e9ce5071fc933afdcede0fa828cbfa037dbc8
+Subproject commit 10d93cff9fd6c8d8c3e0bae58312aed470843ff8
--- a/auxil/libunistd
+++ b/auxil/libunistd
@ -1 +1 @@
-Subproject commit 7e3670aa1f6ab7623a87ff1e770f7f6b5a1c59f1
+Subproject commit b38e9c8ebff08959a712a5663ba25e0624a3af00
--- a/auxil/package-manager
+++ b/auxil/package-manager
@ -1 +1 @@
-Subproject commit ad301651ad0a7426757f8bc94cfc8e8cd98451a8
+Subproject commit 43242657d036bdd0e1d4e25810140c6938cac646
--- a/auxil/paraglob
+++ b/auxil/paraglob
@ -1 +1 @@
-Subproject commit 4505c4323283b56ea59935210e105da26ab7bb0b
+Subproject commit 45ce017874aac9ffabac0ddc4d016f1747804234
--- a/auxil/prometheus-cpp
+++ b/auxil/prometheus-cpp
@ -1 +0,0 @@
-Subproject commit ad99e21f4706193670c42b36c9824dc997f4c475
--- a/auxil/spicy
+++ b/auxil/spicy
@ -1 +1 @@
-Subproject commit 7635e113080be6fc20cb308636c8c38565c95c8a
+Subproject commit 62066b486fdd11796fbeb2148af012eb1ab4b276
--- a/auxil/vcpkg
+++ b/auxil/vcpkg
@ -1 +1 @@
-Subproject commit ce613c41372b23b1f51333815feb3edd87ef8a8b
+Subproject commit 66b4b34d99ab272fcf21f2bd12b616e371c6bb31
--- a/auxil/zeek-af_packet-plugin
+++ b/auxil/zeek-af_packet-plugin
@ -0,0 +1 @@
+Subproject commit a3fe59b3f1ded5c3461995134b66c6db182fa56f
--- a/auxil/zeek-archiver
+++ b/auxil/zeek-archiver
@ -0,0 +1 @@
+Subproject commit 399b46b4045bc59ed4b8159d3d284412a07ba65a
--- a/auxil/zeek-aux
+++ b/auxil/zeek-aux
@ -1 +1 @@
-Subproject commit 3c5eb9be55a1055c8798f925e2497e57915702d0
+Subproject commit 07458820ae4098ab3b586f89bf07e3d9c5fdcbc0
--- a/auxil/zeek-client
+++ b/auxil/zeek-client
@ -1 +1 @@
-Subproject commit 16849ca3ec2f8637e3f8ef8ee27e2c279724387f
+Subproject commit 6c8cb3e1c475424880eae968f812805fdbd95cea
--- a/auxil/zeekctl
+++ b/auxil/zeekctl
@ -1 +1 @@
-Subproject commit 485abcad45daeea6d09680e5fc7d29e97d2e3fbe
+Subproject commit 00afdb1bcc5b213f525c7264da64f30db05fc82e
--- a/auxil/zeekjs
+++ b/auxil/zeekjs
@ -1 +1 @@
-Subproject commit e5985abfffc1ef5ead3a0bab196fa5d86bc5276f
+Subproject commit 230f53c1596ee88289e96397f0810ca60ed897e3
--- a/ci/alpine/Dockerfile
+++ b/ci/alpine/Dockerfile
@ -2,7 +2,7 @@ FROM alpine:latest

 # A version field to invalidate Cirrus's build cache when needed, as suggested in
 # https://github.com/cirruslabs/cirrus-ci-docs/issues/544#issuecomment-566066822
-ENV DOCKERFILE_VERSION=20250905
+ENV DOCKERFILE_VERSION 20230823

 RUN apk add --no-cache \
  bash \
@ -10,26 +10,23 @@ RUN apk add --no-cache \
  bsd-compat-headers \
  ccache \
  cmake \
-  cppzmq \
  curl \
  diffutils \
-  dnsmasq \
  flex-dev \
  musl-fts-dev \
  g++ \
  git \
-  jq \
  libpcap-dev \
  linux-headers \
  make \
  openssh-client \
-  openssl \
  openssl-dev \
  procps \
  py3-pip \
+  py3-websockets \
  python3 \
  python3-dev \
  swig \
  zlib-dev

-RUN pip3 install --break-system-packages websockets junit2html
+RUN pip3 install --break-system-packages junit2html
--- a/ci/centos-7/Dockerfile
+++ b/ci/centos-7/Dockerfile
@ -0,0 +1,68 @@
+FROM centos:7
+
+# A version field to invalidate Cirrus's build cache when needed, as suggested in
+# https://github.com/cirruslabs/cirrus-ci-docs/issues/544#issuecomment-566066822
+ENV DOCKERFILE_VERSION 20230807
+
+ENV FLEX_VERSION=2.6.4
+ENV FLEX_DIR=/opt/flex
+
+# Disabled lookup of fastest mirror since the list seems to be outdated and no valid mirror can be detected.
+RUN sed -i 's/enabled=1/enabled=0/' /etc/yum/pluginconf.d/fastestmirror.conf
+
+# The version of git in the standard repos is 1.8 and CI needs 2.3+
+# for the use of GIT_SSH_COMMAND when cloning private repos.
+RUN yum -y install \
+    https://repo.ius.io/ius-release-el7.rpm \
+    https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm \
+  && yum -y install git236 ccache \
+  && yum clean all && rm -rf /var/cache/yum
+
+RUN yum -y install \
+    epel-release \
+  && yum clean all && rm -rf /var/cache/yum
+
+RUN yum -y install \
+    centos-release-scl \
+  && yum clean all && rm -rf /var/cache/yum
+
+RUN yum -y install \
+    devtoolset-8 \
+  && yum clean all && rm -rf /var/cache/yum
+
+RUN yum -y install \
+    bison \
+    cmake3 \
+    curl \
+    findutils \
+    libpcap-devel \
+    make \
+    openssl \
+    openssl-devel \
+    rh-python38 \
+    rh-python38-devel \
+    rh-python38-python-devel \
+    rh-python38-pip \
+    sqlite \
+    swig \
+    which \
+    zlib-devel \
+  && yum clean all && rm -rf /var/cache/yum
+
+# Install a recent flex for Spicy.
+RUN curl -sSL "https://github.com/westes/flex/releases/download/v${FLEX_VERSION}/flex-${FLEX_VERSION}.tar.gz" | tar xzf - -C /tmp \
+ && (cd /tmp/flex-${FLEX_VERSION} \
+     && ./configure --prefix=${FLEX_DIR} \
+     && make -j`nproc` install) \
+ && rm -rf /tmp/flex-${FLEX_VERSION}
+
+RUN pip3 install websockets junit2html
+
+RUN echo 'unset BASH_ENV PROMPT_COMMAND ENV' > /usr/bin/zeek-ci-env && \
+    echo 'source /opt/rh/devtoolset-8/enable' >> /usr/bin/zeek-ci-env && \
+    echo 'source /opt/rh/rh-python38/enable' >> /usr/bin/zeek-ci-env && \
+    echo 'export PATH=${PATH}:${FLEX_DIR}/bin' >> /usr/bin/zeek-ci-env
+
+ENV BASH_ENV="/usr/bin/zeek-ci-env" \
+    ENV="/usr/bin/zeek-ci-env" \
+    PROMPT_COMMAND=". /usr/bin/zeek-ci-env"
--- a/ci/centos-stream-10/Dockerfile
+++ b/ci/centos-stream-10/Dockerfile
@ -1,49 +0,0 @@
-FROM quay.io/centos/centos:stream10
-
-# A version field to invalidate Cirrus's build cache when needed, as suggested in
-# https://github.com/cirruslabs/cirrus-ci-docs/issues/544#issuecomment-566066822
-ENV DOCKERFILE_VERSION=20250905
-
-# dnf config-manager isn't available at first, and
-# we need it to install the CRB repo below.
-RUN dnf -y install 'dnf-command(config-manager)'
-
-# What used to be powertools is now called "CRB".
-# We need it for some of the packages installed below.
-# https://docs.fedoraproject.org/en-US/epel/
-RUN dnf config-manager --set-enabled crb
-RUN dnf -y install \
-    https://dl.fedoraproject.org/pub/epel/epel-release-latest-10.noarch.rpm
-
-# The --nobest flag is hopefully temporary. Without it we currently hit
-# package versioning conflicts around OpenSSL.
-RUN dnf -y --nobest install \
-    bison \
-    ccache \
-    cmake \
-    cppzmq-devel \
-    diffutils \
-    flex \
-    gcc \
-    gcc-c++ \
-    git \
-    jq \
-    libpcap-devel \
-    make \
-    openssl \
-    openssl-devel \
-    procps-ng \
-    python3 \
-    python3-devel \
-    python3-pip\
-    sqlite \
-    swig \
-    tar \
-    which \
-    zlib-devel \
-  && dnf clean all && rm -rf /var/cache/dnf
-
-# Set the crypto policy to allow SHA-1 certificates - which we have in our tests
-RUN dnf -y --nobest install crypto-policies-scripts && update-crypto-policies --set LEGACY
-
-RUN pip3 install websockets junit2html
--- a/ci/centos-stream-8/Dockerfile
+++ b/ci/centos-stream-8/Dockerfile
@ -0,0 +1,33 @@
+FROM quay.io/centos/centos:stream8
+
+# A version field to invalidate Cirrus's build cache when needed, as suggested in
+# https://github.com/cirruslabs/cirrus-ci-docs/issues/544#issuecomment-566066822
+ENV DOCKERFILE_VERSION 20230801
+
+RUN dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
+RUN dnf config-manager --set-enabled powertools
+
+RUN dnf -y install \
+    bison \
+    ccache \
+    cmake \
+    diffutils \
+    flex \
+    gcc \
+    gcc-c++ \
+    git \
+    libpcap-devel \
+    make \
+    openssl \
+    openssl-devel \
+    procps-ng \
+    python38 \
+    python38-devel \
+    python38-pip\
+    sqlite \
+    swig \
+    which \
+    zlib-devel \
+  && dnf clean all && rm -rf /var/cache/dnf
+
+RUN pip3 install websockets junit2html
--- a/ci/centos-stream-9/Dockerfile
+++ b/ci/centos-stream-9/Dockerfile
@ -2,7 +2,7 @@ FROM quay.io/centos/centos:stream9

 # A version field to invalidate Cirrus's build cache when needed, as suggested in
 # https://github.com/cirruslabs/cirrus-ci-docs/issues/544#issuecomment-566066822
-ENV DOCKERFILE_VERSION=20250905
+ENV DOCKERFILE_VERSION 20230801

 # dnf config-manager isn't available at first, and
 # we need it to install the CRB repo below.
@ -22,21 +22,19 @@ RUN dnf -y --nobest install \
    bison \
    ccache \
    cmake \
-    cppzmq-devel \
    diffutils \
    flex \
    gcc \
    gcc-c++ \
    git \
-    jq \
    libpcap-devel \
    make \
    openssl \
    openssl-devel \
    procps-ng \
-    python3.13 \
-    python3.13-devel \
-    python3.13-pip\
+    python3 \
+    python3-devel \
+    python3-pip\
    sqlite \
    swig \
    tar \
@ -47,8 +45,4 @@ RUN dnf -y --nobest install \
 # Set the crypto policy to allow SHA-1 certificates - which we have in our tests
 RUN dnf -y --nobest install crypto-policies-scripts && update-crypto-policies --set LEGACY

-# Override the default python3.9 installation paths with 3.13
-RUN alternatives --install /usr/bin/python3 python3 /usr/bin/python3.13 10
-RUN alternatives --install /usr/bin/pip3 pip3 /usr/bin/pip3.13 10
-
 RUN pip3 install websockets junit2html
--- a/ci/collect-repo-info.py
+++ b/ci/collect-repo-info.py
@ -12,8 +12,8 @@ import argparse
 import copy
 import json
 import logging
-import os
 import pathlib
+import os
 import subprocess
 import sys

@ -38,22 +38,14 @@ def git_available():

 def git_is_repo(d: pathlib.Path):
    try:
-        git(
-            "-C",
-            str(d),
-            "rev-parse",
-            "--is-inside-work-tree",
-            stderr=subprocess.DEVNULL,
-        )
+        git("-C", str(d), "rev-parse", "--is-inside-work-tree", stderr=subprocess.DEVNULL)
        return True
    except subprocess.CalledProcessError:
        return False


 def git_is_dirty(d: pathlib.Path):
-    return (
-        len(git("-C", str(d), "status", "--untracked=no", "--short").splitlines()) > 0
-    )
+    return (len(git("-C", str(d), "status", "--untracked=no", "--short").splitlines()) > 0)


 def git_generic_info(d: pathlib.Path):
@ -119,9 +111,7 @@ def collect_git_info(zeek_dir: pathlib.Path):
    info["name"] = "zeek"
    info["version"] = (zeek_dir / "VERSION").read_text().strip()
    info["submodules"] = collect_submodule_info(zeek_dir)
-    info["branch"] = git(
-        "-C", str(zeek_dir), "rev-parse", "--abbrev-ref", "HEAD"
-    ).strip()
+    info["branch"] = git("-C", str(zeek_dir), "rev-parse", "--abbrev-ref", "HEAD").strip()
    info["source"] = "git"

    return info
@ -166,13 +156,14 @@ def main():
        for p in [p.strip() for p in v.split(";") if p.strip()]:
            yield pathlib.Path(p)

-    parser.add_argument(
-        "included_plugin_dirs", default="", nargs="?", type=included_plugin_dir_conv
-    )
+    parser.add_argument("included_plugin_dirs",
+                        default="",
+                        nargs="?",
+                        type=included_plugin_dir_conv)
    parser.add_argument("--dir", default=".")
-    parser.add_argument(
-        "--only-git", action="store_true", help="Do not try repo-info.json fallback"
-    )
+    parser.add_argument("--only-git",
+                        action="store_true",
+                        help="Do not try repo-info.json fallback")
    args = parser.parse_args()

    logging.basicConfig(format="%(levelname)s: %(message)s")
@ -219,9 +210,7 @@ def main():

    zkg_provides_info = copy.deepcopy(included_plugins_info)
    # Hardcode the former spicy-plugin so that zkg knows Spicy is available.
-    zkg_provides_info.append(
-        {"name": "spicy-plugin", "version": info["version"].split("-")[0]}
-    )
+    zkg_provides_info.append({"name": "spicy-plugin", "version": info["version"].split("-")[0]})
    info["zkg"] = {"provides": zkg_provides_info}

    json_str = json.dumps(info, indent=2, sort_keys=True)
--- a/ci/container-images-addl-tags.sh
+++ b/ci/container-images-addl-tags.sh
@ -1,44 +0,0 @@
-#!/bin/bash
-#
-# This script produces output in the form of
-#
-#     $ REMOTE=awelzel ./ci/container-images-addl-tags.sh v7.0.5
-#     ADDITIONAL_MANIFEST_TAGS= lts 7.0 latest
-#
-# This scripts expects visibility to all tags and release branches
-# to work correctly. See the find-current-version.sh for details.
-set -eu
-
-dir="$(cd "$(dirname "$0")" && pwd)"
-
-if [ $# -ne 1 ] || [ -z "${1}" ]; then
-    echo "Usage: $0 <tag>" >&2
-    exit 1
-fi
-
-TAG="${1}"
-
-# Find current versions for lts and feature depending on branches and
-# tags in the repo. sed for escaping the dot in the version for using
-# it in the regex below to match against TAG.
-lts_ver=$(${dir}/find-current-version.sh lts)
-lts_pat="^v$(echo $lts_ver | sed 's,\.,\\.,g')\.[0-9]+\$"
-feature_ver=$(${dir}/find-current-version.sh feature)
-feature_pat="^v$(echo $feature_ver | sed 's,\.,\\.,g')\.[0-9]+\$"
-
-# Construct additional tags for the image. At most this will
-# be "lts x.0 feature" for an lts branch x.0 that is currently
-# also the latest feature branch.
-ADDL_MANIFEST_TAGS=
-if echo "${TAG}" | grep -q -E "${lts_pat}"; then
-    ADDL_MANIFEST_TAGS="${ADDL_MANIFEST_TAGS} lts ${lts_ver}"
-fi
-
-if echo "${TAG}" | grep -q -E "${feature_pat}"; then
-    ADDL_MANIFEST_TAGS="${ADDL_MANIFEST_TAGS} latest"
-    if [ "${feature_ver}" != "${lts_ver}" ]; then
-        ADDL_MANIFEST_TAGS="${ADDL_MANIFEST_TAGS} ${feature_ver}"
-    fi
-fi
-
-echo "ADDITIONAL_MANIFEST_TAGS=${ADDL_MANIFEST_TAGS}"
--- a/ci/debian-10/Dockerfile
+++ b/ci/debian-10/Dockerfile
@ -0,0 +1,42 @@
+FROM debian:10
+
+ENV DEBIAN_FRONTEND="noninteractive" TZ="America/Los_Angeles"
+
+# A version field to invalidate Cirrus's build cache when needed, as suggested in
+# https://github.com/cirruslabs/cirrus-ci-docs/issues/544#issuecomment-566066822
+ENV DOCKERFILE_VERSION 20230801
+
+ENV CMAKE_DIR "/opt/cmake"
+ENV CMAKE_VERSION "3.19.1"
+ENV PATH "${CMAKE_DIR}/bin:${PATH}"
+
+RUN apt-get update && apt-get -y install \
+    bison \
+    bsdmainutils \
+    ccache \
+    curl \
+    flex \
+    g++ \
+    gcc \
+    git \
+    libkrb5-dev \
+    libpcap-dev \
+    libssl-dev \
+    make \
+    procps \
+    python3 \
+    python3-dev \
+    python3-pip\
+    sqlite3 \
+    swig \
+    wget \
+    xz-utils \
+    zlib1g-dev \
+  && apt autoclean \
+  && rm -rf /var/lib/apt/lists/*
+
+# Install a recent CMake to build Spicy.
+RUN mkdir -p "${CMAKE_DIR}" \
+  && curl -sSL "https://github.com/Kitware/CMake/releases/download/v${CMAKE_VERSION}/cmake-${CMAKE_VERSION}-Linux-x86_64.tar.gz" | tar xzf - -C "${CMAKE_DIR}" --strip-components 1
+
+RUN pip3 install websockets junit2html
--- a/ci/debian-11/Dockerfile
+++ b/ci/debian-11/Dockerfile
@ -0,0 +1,36 @@
+FROM debian:11
+
+ENV DEBIAN_FRONTEND="noninteractive" TZ="America/Los_Angeles"
+
+# A version field to invalidate Cirrus's build cache when needed, as suggested in
+# https://github.com/cirruslabs/cirrus-ci-docs/issues/544#issuecomment-566066822
+ENV DOCKERFILE_VERSION 20230801
+
+RUN apt-get update && apt-get -y install \
+    bison \
+    bsdmainutils \
+    ccache \
+    cmake \
+    curl \
+    flex \
+    g++ \
+    gcc \
+    git \
+    libkrb5-dev \
+    libnode-dev \
+    libpcap-dev \
+    libssl-dev \
+    libuv1-dev \
+    make \
+    python3 \
+    python3-dev \
+    python3-pip\
+    sqlite3 \
+    swig \
+    wget \
+    xz-utils \
+    zlib1g-dev \
+  && apt autoclean \
+  && rm -rf /var/lib/apt/lists/*
+
+RUN pip3 install websockets junit2html
--- a/ci/debian-12/Dockerfile
+++ b/ci/debian-12/Dockerfile
@ -4,32 +4,28 @@ ENV DEBIAN_FRONTEND="noninteractive" TZ="America/Los_Angeles"

 # A version field to invalidate Cirrus's build cache when needed, as suggested in
 # https://github.com/cirruslabs/cirrus-ci-docs/issues/544#issuecomment-566066822
-ENV DOCKERFILE_VERSION=20250905
+ENV DOCKERFILE_VERSION 20230801

 RUN apt-get update && apt-get -y install \
    bison \
    bsdmainutils \
    ccache \
    cmake \
-    cppzmq-dev \
    curl \
-    dnsmasq \
    flex \
    g++ \
    gcc \
    git \
-    jq \
    libkrb5-dev \
-    libnats-dev \
    libnode-dev \
    libpcap-dev \
-    librdkafka-dev \
    libssl-dev \
    libuv1-dev \
    make \
    python3 \
    python3-dev \
    python3-pip\
+    python3-websockets \
    sqlite3 \
    swig \
    wget \
@ -40,4 +36,4 @@ RUN apt-get update && apt-get -y install \

 # Debian bookworm really doesn't like using pip to install system wide stuff, but
 # doesn't seem there's a python3-junit2html package, so not sure what we'd break.
-RUN pip3 install --break-system-packages websockets junit2html
+RUN pip3 install --break-system-packages junit2html
--- a/ci/fedora-38/Dockerfile
+++ b/ci/fedora-38/Dockerfile
@ -1,21 +1,19 @@
-FROM fedora:41
+FROM fedora:38

 # A version field to invalidate Cirrus's build cache when needed, as suggested in
 # https://github.com/cirruslabs/cirrus-ci-docs/issues/544#issuecomment-566066822
-ENV DOCKERFILE_VERSION=20250905
+ENV DOCKERFILE_VERSION 20230801

 RUN dnf -y install \
    bison \
    ccache \
    cmake \
-    cppzmq-devel \
    diffutils \
    findutils \
    flex \
    gcc \
    gcc-c++ \
    git \
-    jq \
    libpcap-devel \
    make \
    nodejs-devel \
@ -29,7 +27,6 @@ RUN dnf -y install \
    swig \
    which \
    zlib-devel \
-    crypto-policies-scripts \
  && dnf clean all && rm -rf /var/cache/dnf

 RUN pip3 install websockets junit2html
--- a/ci/fedora-39/Dockerfile
+++ b/ci/fedora-39/Dockerfile
@ -1,22 +1,19 @@
-FROM fedora:42
+FROM fedora:39

 # A version field to invalidate Cirrus's build cache when needed, as suggested in
 # https://github.com/cirruslabs/cirrus-ci-docs/issues/544#issuecomment-566066822
-ENV DOCKERFILE_VERSION=20250905
+ENV DOCKERFILE_VERSION 20231208

 RUN dnf -y install \
    bison \
    ccache \
    cmake \
-    cppzmq-devel \
    diffutils \
    findutils \
    flex \
-    gawk \
    gcc \
    gcc-c++ \
    git \
-    jq \
    libpcap-devel \
    make \
    nodejs-devel \
@ -30,7 +27,6 @@ RUN dnf -y install \
    swig \
    which \
    zlib-devel \
-    crypto-policies-scripts \
  && dnf clean all && rm -rf /var/cache/dnf

 RUN pip3 install websockets junit2html
--- a/ci/freebsd/prepare.sh
+++ b/ci/freebsd/prepare.sh
@ -6,7 +6,7 @@ set -e
 set -x

 env ASSUME_ALWAYS_YES=YES pkg bootstrap
-pkg install -y bash cppzmq git cmake-core swig bison python3 base64 flex ccache jq dnsmasq krb5
+pkg install -y bash git cmake swig bison python3 base64 flex ccache
 pkg upgrade -y curl
 pyver=$(python3 -c 'import sys; print(f"py{sys.version_info[0]}{sys.version_info[1]}")')
 pkg install -y $pyver-sqlite3
@ -17,6 +17,3 @@ python -m pip install websockets junit2html
 # Spicy detects whether it is run from build directory via `/proc`.
 echo "proc /proc procfs rw,noauto 0 0" >>/etc/fstab
 mount /proc
-
-# dnsmasq is in /usr/local/sbin and that's not in the PATH by default
-ln -s /usr/local/sbin/dnsmasq /usr/local/bin/dnsmasq
--- a/ci/init-external-repos.sh
+++ b/ci/init-external-repos.sh
@ -51,9 +51,9 @@ if [[ -n "${CIRRUS_CI}" ]] && [[ "${CIRRUS_REPO_OWNER}" == "zeek" ]] && [[ ! -d

    banner "Trying to clone zeek-testing-private git repo"
    echo "${ZEEK_TESTING_PRIVATE_SSH_KEY}" >cirrus_key.b64
-    if [[ "${CIRRUS_TASK_NAME}" =~ ^macos_ ]]; then
-        # The base64 command provided with macOS requires an argument
-        # to pass the input filename, while -i elsewhere is "ignore garbage".
+    if [ "${CIRRUS_TASK_NAME}" == "macos_ventura" -o "${CIRRUS_TASK_NAME}" == "macos_sonoma" ]; then
+        # The base64 command provided with macOS Ventura/Sonoma requires an argument
+        # to pass the input filename
        base64 -d -i cirrus_key.b64 >cirrus_key
    else
        base64 -d cirrus_key.b64 >cirrus_key
--- a/ci/license-header.py
+++ b/ci/license-header.py
@ -1,33 +0,0 @@
-#!/usr/bin/env python3
-
-import re
-import sys
-
-exit_code = 0
-
-copyright_pat = re.compile(
-    r"See the file \"COPYING\" in the main distribution directory for copyright."
-)
-
-
-def match_line(line):
-    m = copyright_pat.search(line)
-    if m is not None:
-        return True
-
-    return False
-
-
-for f in sys.argv[1:]:
-    has_license_header = False
-    with open(f) as fp:
-        for line in fp:
-            line = line.strip()
-            if has_license_header := match_line(line):
-                break
-
-    if not has_license_header:
-        print(f"{f}:does not seem to contain a license header", file=sys.stderr)
-        exit_code = 1
-
-sys.exit(exit_code)
--- a/ci/macos/prepare.sh
+++ b/ci/macos/prepare.sh
@ -7,9 +7,13 @@ set -x

 brew update
 brew upgrade cmake
-brew install cppzmq openssl@3 python@3 swig bison flex ccache libmaxminddb dnsmasq krb5
+brew install openssl@3 swig bison flex ccache libmaxminddb
+python3 -m pip install --user websockets

-which python3
-python3 --version
-
-python3 -m pip install --user --break-system-packages websockets
+# Brew doesn't create the /opt/homebrew/opt/openssl symlink if you install
+# openssl@1.1, only with 3.0. Create the symlink if it doesn't exist.
+#if [ ! -e /opt/homebrew/opt/openssl ]; then
+#    if [ -d /opt/homebrew/opt/openssl@1.1 ]; then
+#        ln -s /opt/homebrew/opt/openssl@1.1 /opt/homebrew/opt/openssl
+#    fi
+#fi
--- a/ci/opensuse-leap-15.5/Dockerfile
+++ b/ci/opensuse-leap-15.5/Dockerfile
@ -1,41 +1,37 @@
-FROM opensuse/leap:15.6
+FROM opensuse/leap:15.5

 # A version field to invalidate Cirrus's build cache when needed, as suggested in
 # https://github.com/cirruslabs/cirrus-ci-docs/issues/544#issuecomment-566066822
-ENV DOCKERFILE_VERSION=20250905
+ENV DOCKERFILE_VERSION 20230905

-RUN zypper addrepo https://download.opensuse.org/repositories/openSUSE:Leap:15.6:Update/standard/openSUSE:Leap:15.6:Update.repo \
+RUN zypper addrepo https://download.opensuse.org/repositories/openSUSE:Leap:15.5:Update/standard/openSUSE:Leap:15.5:Update.repo \
 && zypper refresh \
 && zypper in -y \
    bison \
    ccache \
    cmake \
-    cppzmq-devel \
    curl \
-    dnsmasq \
    flex \
    gcc12 \
    gcc12-c++ \
    git \
    gzip \
-    jq \
    libopenssl-devel \
    libpcap-devel \
    make \
    openssh \
-    procps \
-    python312 \
-    python312-devel \
-    python312-pip \
+    python311 \
+    python311-devel \
+    python311-pip \
    swig \
    tar \
    which \
    zlib-devel \
  && rm -rf /var/cache/zypp

-RUN update-alternatives --install /usr/bin/pip3 pip3 /usr/bin/pip3.12 100
-RUN update-alternatives --install /usr/bin/python3 python3 /usr/bin/python3.12 100
-RUN update-alternatives --install /usr/bin/python3-config python3-config /usr/bin/python3.12-config 100
+RUN update-alternatives --install /usr/bin/pip3 pip3 /usr/bin/pip3.11 100
+RUN update-alternatives --install /usr/bin/python3 python3 /usr/bin/python3.11 100
+RUN update-alternatives --install /usr/bin/python3-config python3-config /usr/bin/python3.11-config 100

 RUN pip3 install websockets junit2html

--- a/ci/opensuse-tumbleweed/Dockerfile
+++ b/ci/opensuse-tumbleweed/Dockerfile
@ -2,7 +2,7 @@ FROM opensuse/tumbleweed

 # A version field to invalidate Cirrus's build cache when needed, as suggested in
 # https://github.com/cirruslabs/cirrus-ci-docs/issues/544#issuecomment-566066822
-ENV DOCKERFILE_VERSION=20250905
+ENV DOCKERFILE_VERSION 20230801

 # Remove the repo-openh264 repository, it caused intermittent issues
 # and we should not be needing any packages from it.
@ -14,17 +14,14 @@ RUN zypper refresh \
    bison \
    ccache \
    cmake \
-    cppzmq-devel \
    curl \
    diffutils \
-    dnsmasq \
    findutils \
    flex \
    gcc \
    gcc-c++ \
    git \
    gzip \
-    jq \
    libopenssl-devel \
    libpcap-devel \
    make \
@ -32,6 +29,7 @@ RUN zypper refresh \
    python3 \
    python3-devel \
    python3-pip \
+    python3-websockets \
    swig \
    tar \
    util-linux \
@ -39,4 +37,4 @@ RUN zypper refresh \
    zlib-devel \
  && rm -rf /var/cache/zypp

-RUN pip3 install --break-system-packages websockets junit2html
+RUN pip3 install --break-system-packages junit2html
--- a/ci/opensuse-tumbleweed/prepare-weekly.sh
+++ b/ci/opensuse-tumbleweed/prepare-weekly.sh
@ -1,27 +0,0 @@
-#!/bin/sh
-
-zypper refresh
-zypper patch -y --with-update --with-optional
-
-LATEST_VERSION=$(zypper search -n ${ZEEK_CI_COMPILER} |
-    awk -F "|" "match(\$2, / ${ZEEK_CI_COMPILER}([0-9]{2})[^-]/, a) {print a[1]}" |
-    sort | tail -1)
-
-echo "Installing ${ZEEK_CI_COMPILER} ${LATEST_VERSION}"
-
-zypper install -y "${ZEEK_CI_COMPILER}${LATEST_VERSION}"
-
-if [ "${ZEEK_CI_COMPILER}" == "gcc" ]; then
-    zypper install -y "${ZEEK_CI_COMPILER}${LATEST_VERSION}-c++"
-fi
-
-update-alternatives --install /usr/bin/cc cc "/usr/bin/${ZEEK_CI_COMPILER}-${LATEST_VERSION}" 100
-update-alternatives --set cc "/usr/bin/${ZEEK_CI_COMPILER}-${LATEST_VERSION}"
-
-if [ "${ZEEK_CI_COMPILER}" == "gcc" ]; then
-    update-alternatives --install /usr/bin/c++ c++ "/usr/bin/g++-${LATEST_VERSION}" 100
-    update-alternatives --set c++ "/usr/bin/g++-${LATEST_VERSION}"
-else
-    update-alternatives --install /usr/bin/c++ c++ "/usr/bin/clang++-${LATEST_VERSION}" 100
-    update-alternatives --set c++ "/usr/bin/clang++-${LATEST_VERSION}"
-fi
--- a/ci/test.sh
+++ b/ci/test.sh
@ -7,13 +7,6 @@
 result=0
 BTEST=$(pwd)/auxil/btest/btest

-# Due to issues with DNS lookups on macOS, one of the Cirrus support people recommended we
-# run our tests as root. See https://github.com/cirruslabs/cirrus-ci-docs/issues/1302 for
-# more details.
-if [[ "${CIRRUS_OS}" == "darwin" ]]; then
-    BTEST="sudo ${BTEST}"
-fi
-
 if [[ -z "${CIRRUS_CI}" ]]; then
    # Set default values to use in place of env. variables set by Cirrus CI.
    ZEEK_CI_CPUS=1
@ -47,15 +40,10 @@ function banner {
 }

 function run_unit_tests {
-    if [[ ${ZEEK_CI_SKIP_UNIT_TESTS} -eq 1 ]]; then
-        printf "Skipping unit tests as requested by task configuration\n\n"
-        return 0
-    fi
-
    banner "Running unit tests"

    pushd build
-    (. ./zeek-path-dev.sh && TZ=UTC zeek --test --no-skip) || result=1
+    (. ./zeek-path-dev.sh && zeek --test --no-skip) || result=1
    popd
    return 0
 }
@ -72,7 +60,7 @@ function run_btests {
    pushd testing/btest

    ZEEK_PROFILER_FILE=$(pwd)/.tmp/script-coverage/XXXXXX \
-        ${BTEST} -z ${ZEEK_CI_BTEST_RETRIES} -d -A -x btest-results.xml -j ${ZEEK_CI_BTEST_JOBS} ${ZEEK_CI_BTEST_EXTRA_ARGS} || result=1
+        ${BTEST} -z ${ZEEK_CI_BTEST_RETRIES} -d -A -x btest-results.xml -j ${ZEEK_CI_BTEST_JOBS} || result=1
    make coverage
    prep_artifacts
    popd
@ -80,16 +68,11 @@ function run_btests {
 }

 function run_external_btests {
-    if [[ ${ZEEK_CI_SKIP_EXTERNAL_BTESTS} -eq 1 ]]; then
-        printf "Skipping external tests as requested by task configuration\n\n"
-        return 0
-    fi
-
    local zeek_testing_pid=""
    local zeek_testing_pid_private=""
    pushd testing/external/zeek-testing
    ZEEK_PROFILER_FILE=$(pwd)/.tmp/script-coverage/XXXXXX \
-        ${BTEST} -d -A -x btest-results.xml -j ${ZEEK_CI_BTEST_JOBS} ${ZEEK_CI_BTEST_EXTRA_ARGS} >btest.out 2>&1 &
+        ${BTEST} -d -A -x btest-results.xml -j ${ZEEK_CI_BTEST_JOBS} >btest.out 2>&1 &
    zeek_testing_pid=$!
    popd

--- a/ci/tsan_suppressions.txt
+++ b/ci/tsan_suppressions.txt
@ -42,20 +42,3 @@ race:zeek::threading::InputMessage<zeek::threading::MsgThread>::Object
 mutex:zeek::threading::Queue<zeek::threading::BasicInputMessage*>::Put
 mutex:zeek::threading::Queue<zeek::threading::BasicInputMessage*>::LocksForAllQueues
 deadlock:zeek::threading::Queue<zeek::threading::BasicInputMessage*>::LocksForAllQueues
-
-# This only happens at shutdown. It was supposedly fixed in civetweb, but has cropped
-# up again. See https://github.com/civetweb/civetweb/issues/861 for details.
-race:mg_stop
-
-# Uninstrumented library.
-#
-# We'd need to build zmq with TSAN enabled, without it reports data races
-# as it doesn't see the synchronization done [1], but also there's reports
-# that ZeroMQ uses non-standard synchronization that may be difficult for
-# TSAN to see.
-#
-# [1] https://groups.google.com/g/thread-sanitizer/c/7UZqM02yMYg/m/KlHOv2ckr9sJ
-# [2] https://github.com/zeromq/libzmq/issues/3919
-#
-called_from_lib:libzmq.so.5
-called_from_lib:libzmq.so
--- a/ci/ubuntu-20.04/Dockerfile
+++ b/ci/ubuntu-20.04/Dockerfile
@ -1,27 +1,22 @@
-FROM ubuntu:25.04
+FROM ubuntu:20.04

 ENV DEBIAN_FRONTEND="noninteractive" TZ="America/Los_Angeles"

 # A version field to invalidate Cirrus's build cache when needed, as suggested in
 # https://github.com/cirruslabs/cirrus-ci-docs/issues/544#issuecomment-566066822
-ENV DOCKERFILE_VERSION=20250905
+ENV DOCKERFILE_VERSION 20230801

 RUN apt-get update && apt-get -y install \
    bc \
    bison \
    bsdmainutils \
    ccache \
-    clang-18 \
-    clang++-18 \
    cmake \
-    cppzmq-dev \
    curl \
-    dnsmasq \
    flex \
    g++ \
    gcc \
    git \
-    jq \
    lcov \
    libkrb5-dev \
    libmaxminddb-dev \
@ -30,17 +25,15 @@ RUN apt-get update && apt-get -y install \
    make \
    python3 \
    python3-dev \
-    python3-pip \
+    python3-pip\
    ruby \
    sqlite3 \
    swig \
    unzip \
    wget \
    zlib1g-dev \
-    libc++-dev \
-    libc++abi-dev \
  && apt autoclean \
  && rm -rf /var/lib/apt/lists/*

-RUN pip3 install --break-system-packages websockets junit2html
+RUN pip3 install websockets junit2html
 RUN gem install coveralls-lcov
--- a/ci/ubuntu-22.04/Dockerfile
+++ b/ci/ubuntu-22.04/Dockerfile
@ -4,7 +4,7 @@ ENV DEBIAN_FRONTEND="noninteractive" TZ="America/Los_Angeles"

 # A version field to invalidate Cirrus's build cache when needed, as suggested in
 # https://github.com/cirruslabs/cirrus-ci-docs/issues/544#issuecomment-566066822
-ENV DOCKERFILE_VERSION=20250905
+ENV DOCKERFILE_VERSION 20230801

 RUN apt-get update && apt-get -y install \
    bc \
@ -17,13 +17,11 @@ RUN apt-get update && apt-get -y install \
    g++ \
    gcc \
    git \
-    jq \
    lcov \
    libkrb5-dev \
    libmaxminddb-dev \
    libpcap-dev \
    libssl-dev \
-    libzmq3-dev \
    make \
    python3 \
    python3-dev \
--- a/ci/ubuntu-23.10/Dockerfile
+++ b/ci/ubuntu-23.10/Dockerfile
@ -1,44 +1,38 @@
-FROM debian:13
+FROM ubuntu:23.10

 ENV DEBIAN_FRONTEND="noninteractive" TZ="America/Los_Angeles"

 # A version field to invalidate Cirrus's build cache when needed, as suggested in
 # https://github.com/cirruslabs/cirrus-ci-docs/issues/544#issuecomment-566066822
-ENV DOCKERFILE_VERSION=20250905
+ENV DOCKERFILE_VERSION 20230828

 RUN apt-get update && apt-get -y install \
+    bc \
    bison \
    bsdmainutils \
    ccache \
    cmake \
-    cppzmq-dev \
    curl \
-    dnsmasq \
    flex \
    g++ \
    gcc \
    git \
-    jq \
    libkrb5-dev \
-    libnats-dev \
-    libnode-dev \
+    libmaxminddb-dev \
    libpcap-dev \
-    librdkafka-dev \
    libssl-dev \
-    libuv1-dev \
    make \
    python3 \
    python3-dev \
-    python3-pip\
+    python3-pip \
    python3-websockets \
+    ruby \
    sqlite3 \
    swig \
+    unzip \
    wget \
-    xz-utils \
    zlib1g-dev \
  && apt autoclean \
  && rm -rf /var/lib/apt/lists/*

-# Debian trixie really doesn't like using pip to install system wide stuff, but
-# doesn't seem there's a python3-junit2html package, so not sure what we'd break.
 RUN pip3 install --break-system-packages junit2html
--- a/ci/ubuntu-24.04/Dockerfile
+++ b/ci/ubuntu-24.04/Dockerfile
@ -1,77 +0,0 @@
-FROM ubuntu:24.04
-
-ENV DEBIAN_FRONTEND="noninteractive" TZ="America/Los_Angeles"
-
-# A version field to invalidate Cirrus's build cache when needed, as suggested in
-# https://github.com/cirruslabs/cirrus-ci-docs/issues/544#issuecomment-566066822
-ENV DOCKERFILE_VERSION=20250905
-
-RUN apt-get update && apt-get -y install \
-    bc \
-    bison \
-    bsdmainutils \
-    ccache \
-    clang-19 \
-    clang++-19 \
-    clang-tidy-19 \
-    cmake \
-    cppzmq-dev \
-    curl \
-    dnsmasq \
-    flex \
-    g++ \
-    gcc \
-    git \
-    jq \
-    lcov \
-    libkrb5-dev \
-    libhiredis-dev \
-    libmaxminddb-dev \
-    libpcap-dev \
-    libssl-dev \
-    make \
-    python3 \
-    python3-dev \
-    python3-git \
-    python3-pip \
-    python3-semantic-version \
-    redis-server \
-    ruby \
-    sqlite3 \
-    swig \
-    unzip \
-    wget \
-    zlib1g-dev \
-    libc++-dev \
-    libc++abi-dev \
-  && apt autoclean \
-  && rm -rf /var/lib/apt/lists/*
-
-RUN pip3 install --break-system-packages websockets junit2html
-RUN gem install coveralls-lcov
-
-# Ubuntu installs clang versions with the binaries having the version number
-# appended. Create a symlink for clang-tidy so cmake finds it correctly.
-RUN update-alternatives --install /usr/bin/clang-tidy clang-tidy /usr/bin/clang-tidy-19 1000
-
-# Download a newer pre-built ccache version that recognizes -fprofile-update=atomic
-# which is used when building with --coverage.
-#
-# This extracts the tarball into /opt/ccache-<version>-<platform> and
-# symlinks the executable to /usr/local/bin/ccache.
-#
-# See: https://ccache.dev/download.html
-ENV CCACHE_VERSION=4.10.2
-ENV CCACHE_PLATFORM=linux-x86_64
-ENV CCACHE_URL=https://github.com/ccache/ccache/releases/download/v${CCACHE_VERSION}/ccache-${CCACHE_VERSION}-${CCACHE_PLATFORM}.tar.xz
-ENV CCACHE_SHA256=80cab87bd510eca796467aee8e663c398239e0df1c4800a0b5dff11dca0b4f18
-RUN cd /opt \
-    && if [ "$(uname -p)" != "x86_64" ]; then echo "cannot use ccache pre-built for x86_64!" >&2; exit 1 ; fi \
-    && curl -L --fail --max-time 30 $CCACHE_URL -o ccache.tar.xz \
-    && sha256sum ./ccache.tar.xz >&2 \
-    && echo "${CCACHE_SHA256} ccache.tar.xz" | sha256sum -c - \
-    && tar xvf ./ccache.tar.xz \
-    && ln -s $(pwd)/ccache-${CCACHE_VERSION}-${CCACHE_PLATFORM}/ccache /usr/local/bin/ccache \
-    && test "$(command -v ccache)" = "/usr/local/bin/ccache" \
-    && test "$(ccache --print-version)" = "${CCACHE_VERSION}" \
-    && rm ./ccache.tar.xz
--- a/ci/update-zeekygen-docs.sh
+++ b/ci/update-zeekygen-docs.sh
@ -28,7 +28,7 @@ cd $build_dir
 export ZEEK_SEED_FILE=$source_dir/testing/btest/random.seed

 function run_zeek {
-    ZEEK_ALLOW_INIT_ERRORS=1 zeek -X $conf_file zeekygen
+    ZEEK_ALLOW_INIT_ERRORS=1 zeek -X $conf_file zeekygen >/dev/null

    if [ $? -ne 0 ]; then
        echo "Failed running zeek with zeekygen config file $conf_file" >&2
--- a/ci/upload-coverage.sh
+++ b/ci/upload-coverage.sh
@ -11,6 +11,11 @@ if [ "${CIRRUS_REPO_FULL_NAME}" != "zeek/zeek" ]; then
    exit 0
 fi

+if [ "${CIRRUS_BRANCH}" != "master" ]; then
+    echo "Coverage upload skipped for non-master branches"
+    exit 0
+fi
+
 cd testing/coverage
 make coverage
 make coveralls
--- a/ci/windows/Dockerfile
+++ b/ci/windows/Dockerfile
@ -5,7 +5,7 @@ SHELL [ "powershell" ]

 # A version field to invalidatea Cirrus's build cache when needed, as suggested in
 # https://github.com/cirruslabs/cirrus-ci-docs/issues/544#issuecomment-566066822
-ENV DOCKERFILE_VERSION=20250905
+ENV DOCKERFILE_VERSION 20230801

 RUN Set-ExecutionPolicy Unrestricted -Force

@ -14,8 +14,8 @@ RUN [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePoin
    iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))

 # Install prerequisites
-RUN choco install -y --no-progress visualstudio2022buildtools --version=117.14.1
-RUN choco install -y --no-progress visualstudio2022-workload-vctools --version=1.0.0 --package-parameters '--add Microsoft.VisualStudio.Component.VC.ATLMFC'
+RUN choco install -y --no-progress visualstudio2019buildtools --version=16.11.11.0
+RUN choco install -y --no-progress visualstudio2019-workload-vctools --version=1.0.0 --package-parameters '--add Microsoft.VisualStudio.Component.VC.ATLMFC'
 RUN choco install -y --no-progress sed
 RUN choco install -y --no-progress winflexbison3
 RUN choco install -y --no-progress msysgit
@ -30,4 +30,4 @@ RUN mkdir C:\build
 WORKDIR C:\build

 # This entry point starts the developer command prompt and launches the PowerShell shell.
-ENTRYPOINT ["C:\\Program Files (x86)\\Microsoft Visual Studio\\2022\\BuildTools\\Common7\\Tools\\VsDevCmd.bat", "-arch=x64", "&&", "powershell.exe", "-NoLogo", "-ExecutionPolicy", "Unrestricted"]
+ENTRYPOINT ["C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\BuildTools\\Common7\\Tools\\VsDevCmd.bat", "-arch=x64", "&&", "powershell.exe", "-NoLogo", "-ExecutionPolicy", "Unrestricted"]
--- a/ci/windows/build.cmd
+++ b/ci/windows/build.cmd
@ -2,7 +2,7 @@
 :: cmd current shell. This path is hard coded to the one on the CI image, but
 :: can be adjusted if running builds locally. Unfortunately, the initial path
 :: isn't in the environment so we have to hardcode the whole path.
-call "c:\Program Files (x86)\Microsoft Visual Studio\2022\BuildTools\VC\Auxiliary\Build\vcvarsall.bat" x86_amd64
+call "c:\Program Files (x86)\Microsoft Visual Studio\2019\BuildTools\VC\Auxiliary\Build\vcvarsall.bat" x86_amd64

 mkdir build
 cd build
--- a/ci/windows/test.cmd
+++ b/ci/windows/test.cmd
@ -1,5 +1,5 @@
 :: See build.cmd for documentation on this call.
-call "c:\Program Files (x86)\Microsoft Visual Studio\2022\BuildTools\VC\Auxiliary\Build\vcvarsall.bat" x86_amd64
+call "c:\Program Files (x86)\Microsoft Visual Studio\2019\BuildTools\VC\Auxiliary\Build\vcvarsall.bat" x86_amd64

 cd build

--- a/2
+++ b/2
@ -1 +1 @@
-Subproject commit d51c6990446cf70cb9c01bca17dad171a1db05d3
+Subproject commit 50e3d75cc2fd06e5d274244aba0d40db7d9a960b
--- a/cmake_templates/hilti-cxx-include-dirs.in
+++ b/cmake_templates/hilti-cxx-include-dirs.in
@ -15,6 +15,6 @@ PATHS=$PATHS:@CMAKE_BINARY_DIR@/src
 PATHS=$PATHS:@CMAKE_BINARY_DIR@/src/include
 PATHS=$PATHS:@CMAKE_SOURCE_DIR@/src
 PATHS=$PATHS:@CMAKE_SOURCE_DIR@/src/include
-PATHS=$PATHS:@CMAKE_SOURCE_DIR@/auxil/broker/libbroker
+PATHS=$PATHS:@CMAKE_SOURCE_DIR@/auxil/broker/include/

 echo $PATHS
--- a/cmake_templates/zeek-config-paths.h.in
+++ b/cmake_templates/zeek-config-paths.h.in
@ -2,9 +2,10 @@

 #pragma once

-constexpr char ZEEK_SCRIPT_INSTALL_PATH[] = "@ZEEK_SCRIPT_INSTALL_PATH@";
-constexpr char ZEEK_PLUGIN_INSTALL_PATH[] = "@ZEEK_PLUGIN_DIR@";
-constexpr char DEFAULT_ZEEKPATH[] = "@DEFAULT_ZEEKPATH@";
-constexpr char ZEEK_SPICY_MODULE_PATH[] = "@ZEEK_SPICY_MODULE_PATH@";
-constexpr char ZEEK_SPICY_LIBRARY_PATH[] = "@ZEEK_SPICY_LIBRARY_PATH@";
-constexpr char ZEEK_SPICY_DATA_PATH[] = "@ZEEK_SPICY_DATA_PATH@";
+#define ZEEK_SCRIPT_INSTALL_PATH "@ZEEK_SCRIPT_INSTALL_PATH@"
+#define BRO_PLUGIN_INSTALL_PATH "@ZEEK_PLUGIN_DIR@"
+#define ZEEK_PLUGIN_INSTALL_PATH "@ZEEK_PLUGIN_DIR@"
+#define DEFAULT_ZEEKPATH "@DEFAULT_ZEEKPATH@"
+#define ZEEK_SPICY_MODULE_PATH "@ZEEK_SPICY_MODULE_PATH@"
+#define ZEEK_SPICY_LIBRARY_PATH "@ZEEK_SPICY_LIBRARY_PATH@"
+#define ZEEK_SPICY_DATA_PATH "@ZEEK_SPICY_DATA_PATH@"
--- a/cmake_templates/zeek-config.h.in
+++ b/cmake_templates/zeek-config.h.in
@ -1,6 +1,4 @@
 // See the file "COPYING" in the main distribution directory for copyright.
-// NOLINTBEGIN(modernize-macro-to-enum)
-// NOLINTBEGIN(cppcoreguidelines-macro-usage)

 #pragma once

@ -243,12 +241,6 @@
 /* Spicy analyzers built in. */
 #cmakedefine01 USE_SPICY_ANALYZERS

-/* Enable/disable ZAM profiling capability */
-#cmakedefine ENABLE_ZAM_PROFILE
-
-/* Enable/disable the Spicy SSL analyzer */
-#cmakedefine ENABLE_SPICY_SSL
-
 /* String with host architecture (e.g., "linux-x86_64") */
 #define HOST_ARCHITECTURE "@HOST_ARCHITECTURE@"

@ -308,6 +300,3 @@

 /* compiled with Spicy support */
 #cmakedefine HAVE_SPICY
-
-// NOLINTEND(cppcoreguidelines-macro-usage)
-// NOLINTEND(modernize-macro-to-enum)
--- a/cmake_templates/zeek-config.in
+++ b/cmake_templates/zeek-config.in
@ -17,7 +17,7 @@ prefix="@CMAKE_INSTALL_PREFIX@"
 python_dir="@PY_MOD_INSTALL_DIR@"
 script_dir="@ZEEK_SCRIPT_INSTALL_PATH@"
 site_dir="@ZEEK_SCRIPT_INSTALL_PATH@/site"
-version="@ZEEK_VERSION_FULL_LOCAL@"
+version="@ZEEK_VERSION_FULL@"
 zeek_dist="@ZEEK_DIST@"
 zeekpath="@DEFAULT_ZEEKPATH@"

--- a/cmake_templates/zeek-version.h.in
+++ b/cmake_templates/zeek-version.h.in
@ -3,7 +3,7 @@
 #pragma once

 /* Version number of package */
-#define VERSION "@ZEEK_VERSION_FULL_LOCAL@"
+#define VERSION "@ZEEK_VERSION_FULL@"

 // Zeek version number.
 // This is the result of (major * 10000 + minor * 100 + patch)
--- a/99
+++ b/99
@ -33,9 +33,6 @@ Usage: $0 [OPTION]... [VAR=VALUE]...
    --sanitizers=LIST           comma-separated list of sanitizer names to enable
    --include-plugins=PATHS     paths containing plugins to build directly into Zeek
                                (semicolon delimited and quoted when multiple)
-    --localversion=version      version contains an additional, custom version string
-                                that is appended to the standard Zeek version string,
-                                with a dash [-] separating the two.

  Installation Directories:
    --prefix=PREFIX        installation directory [/usr/local/zeek]
@ -68,18 +65,12 @@ Usage: $0 [OPTION]... [VAR=VALUE]...
    --enable-static-binpac build binpac statically (ignored if --with-binpac is specified)
    --enable-static-broker build Broker statically (ignored if --with-broker is specified)
    --enable-werror        build with -Werror
-    --enable-ZAM-profiling build with ZAM profiling enabled (--enable-debug implies this)
-    --enable-spicy-ssl     build with spicy SSL/TLS analyzer (conflicts with --disable-spicy)
-    --enable-iwyu          build with include-what-you-use enabled for the main Zeek target.
-                           Requires include-what-you-use binary to be in the PATH.
-    --enable-clang-tidy    build with clang-tidy enabled for the main Zeek target.
-                           Requires clang-tidy binary to be in the PATH.
    --disable-af-packet    don't include native AF_PACKET support (Linux only)
+    --disable-archiver     don't build or install zeek-archiver tool
    --disable-auxtools     don't build or install auxiliary tools
    --disable-broker-tests don't try to build Broker unit tests
    --disable-btest        don't install BTest
    --disable-btest-pcaps  don't install Zeek's BTest input pcaps
-    --disable-cluster-backend-zeromq don't build Zeek's ZeroMQ cluster backend
    --disable-cpp-tests    don't build Zeek's C++ unit tests
    --disable-javascript   don't build Zeek's JavaScript support
    --disable-port-prealloc disable pre-allocating the PortVal array in ValManager
@ -90,9 +81,16 @@ Usage: $0 [OPTION]... [VAR=VALUE]...
    --disable-zkg          don't install zkg

  Required Packages in Non-Standard Locations:
+    --with-bifcl=PATH      path to Zeek BIF compiler executable
+                           (useful for cross-compiling)
+    --with-bind=PATH       path to BIND install root
+    --with-binpac=PATH     path to BinPAC executable
+                           (useful for cross-compiling)
    --with-bison=PATH      path to bison executable
    --with-broker=PATH     path to Broker install root
                           (Zeek uses an embedded version by default)
+    --with-gen-zam=PATH    path to Gen-ZAM code generator
+                           (Zeek uses an embedded version by default)
    --with-flex=PATH       path to flex executable
    --with-libkqueue=PATH  path to libkqueue install root
                           (Zeek uses an embedded version by default)
@ -134,9 +132,8 @@ Usage: $0 [OPTION]... [VAR=VALUE]...

 sourcedir="$(cd "$(dirname "$0")" && pwd)"

-if [ ! -e "$sourcedir/cmake/COPYING" ]; then
-    if [ -d "$sourcedir/.git" ]; then
-        echo "\
+if [ ! -e "$sourcedir/cmake/COPYING" ] && [ -d "$sourcedir/.git" ]; then
+    echo "\
 You seem to be missing the content of the cmake directory.

 This typically means that you performed a non-recursive git clone of
@ -144,23 +141,6 @@ Zeek. To check out the required subdirectories, please execute:

  ( cd $sourcedir && git submodule update --recursive --init )
 " >&2
-    else
-        echo "\
-You seem to be missing the content of the cmake directory.
-
-This typically means that you downloaded a non-release archive from github.
-These archives do not contain all required files.
-
-If you want to download the current release of Zeek, please download a full
-archive using one of the links at https://zeek.org/get-zeek/.
-
-If you want to get the current development version of Zeek, please use git to
-clone our repository.
-
-See https://docs.zeek.org/en/master/install.html#retrieving-the-sources for
-instructions.
-" >&2
-    fi
    exit 1
 fi

@ -177,7 +157,6 @@ append_cache_entry() {
 builddir=build
 CMakeCacheEntries=""
 display_cmake=0
-has_disable_archiver=0

 # parse arguments
 while [ $# -ne 0 ]; do
@ -231,9 +210,6 @@ while [ $# -ne 0 ]; do
        --include-plugins=*)
            append_cache_entry ZEEK_INCLUDE_PLUGINS STRING \"$optarg\"
            ;;
-        --localversion=*)
-            append_cache_entry ZEEK_VERSION_LOCAL STRING \"$optarg\"
-            ;;
        --prefix=*)
            append_cache_entry CMAKE_INSTALL_PREFIX PATH $optarg
            ;;
@ -278,11 +254,9 @@ while [ $# -ne 0 ]; do
        --enable-coverage)
            append_cache_entry ENABLE_COVERAGE BOOL true
            append_cache_entry ENABLE_DEBUG BOOL true
-            append_cache_entry ENABLE_ZAM_PROFILE BOOL true
            ;;
        --enable-debug)
            append_cache_entry ENABLE_DEBUG BOOL true
-            append_cache_entry ENABLE_ZAM_PROFILE BOOL true
            ;;
        --enable-fuzzers)
            append_cache_entry ZEEK_ENABLE_FUZZERS BOOL true
@ -306,21 +280,12 @@ while [ $# -ne 0 ]; do
        --enable-werror)
            append_cache_entry BUILD_WITH_WERROR BOOL true
            ;;
-        --enable-ZAM-profiling)
-            append_cache_entry ENABLE_ZAM_PROFILE BOOL true
-            ;;
-        --enable-spicy-ssl)
-            append_cache_entry ENABLE_SPICY_SSL BOOL true
-            ;;
-        --enable-iwyu)
-            append_cache_entry ENABLE_IWYU BOOL true
-            ;;
-        --enable-clang-tidy)
-            append_cache_entry ENABLE_CLANG_TIDY BOOL true
-            ;;
        --disable-af-packet)
            append_cache_entry DISABLE_AF_PACKET BOOL true
            ;;
+        --disable-archiver)
+            append_cache_entry INSTALL_ZEEK_ARCHIVER BOOL false
+            ;;
        --disable-auxtools)
            append_cache_entry INSTALL_AUX_TOOLS BOOL false
            ;;
@ -334,9 +299,6 @@ while [ $# -ne 0 ]; do
        --disable-btest-pcaps)
            append_cache_entry INSTALL_BTEST_PCAPS BOOL false
            ;;
-        --disable-cluster-backend-zeromq)
-            append_cache_entry ENABLE_CLUSTER_BACKEND_ZEROMQ BOOL false
-            ;;
        --disable-cpp-tests)
            append_cache_entry ENABLE_ZEEK_UNIT_TESTS BOOL false
            ;;
@ -361,9 +323,15 @@ while [ $# -ne 0 ]; do
        --disable-zkg)
            append_cache_entry INSTALL_ZKG BOOL false
            ;;
+        --with-bifcl=*)
+            append_cache_entry BIFCL_EXE_PATH PATH $optarg
+            ;;
        --with-bind=*)
            append_cache_entry BIND_ROOT_DIR PATH $optarg
            ;;
+        --with-binpac=*)
+            append_cache_entry BINPAC_EXE_PATH PATH $optarg
+            ;;
        --with-bison=*)
            append_cache_entry BISON_EXECUTABLE PATH $optarg
            ;;
@ -376,6 +344,9 @@ while [ $# -ne 0 ]; do
        --with-flex=*)
            append_cache_entry FLEX_EXECUTABLE PATH $optarg
            ;;
+        --with-gen-zam=*)
+            append_cache_entry GEN_ZAM_EXE_PATH PATH $optarg
+            ;;
        --with-geoip=*)
            append_cache_entry LibMMDB_ROOT_DIR PATH $optarg
            ;;
@ -457,19 +428,6 @@ if [ -z "$CMakeCommand" ]; then
    fi
 fi

-echo "Using $(cmake --version | head -1)"
-echo
-if [ -n "$CMakeGenerator" ]; then
-    cmake="${CMakeCommand} -G ${CMakeGenerator} ${CMakeCacheEntries} ${sourcedir}"
-else
-    cmake="${CMakeCommand} ${CMakeCacheEntries} ${sourcedir}"
-fi
-
-if [ "${display_cmake}" = 1 ]; then
-    echo "${cmake}"
-    exit 0
-fi
-
 if [ -d $builddir ]; then
    # If build directory exists, check if it has a CMake cache
    if [ -f $builddir/CMakeCache.txt ]; then
@ -486,6 +444,19 @@ echo "Build Directory : $builddir"
 echo "Source Directory: $sourcedir"
 cd $builddir

+echo "Using $(cmake --version | head -1)"
+echo
+if [ -n "$CMakeGenerator" ]; then
+    cmake="${CMakeCommand} -G ${CMakeGenerator} ${CMakeCacheEntries} ${sourcedir}"
+else
+    cmake="${CMakeCommand} ${CMakeCacheEntries} ${sourcedir}"
+fi
+
+if [ "${display_cmake}" = 1 ]; then
+    echo "${cmake}"
+    exit 0
+fi
+
 eval ${cmake} 2>&1

 echo "# This is the command used to configure this build" >config.status
--- a/1
+++ b/1
@ -0,0 +1 @@
+Subproject commit bdc3f5d5df510ba466b5fe90a556ae0d56738ec2
--- a/doc/.gitignore
+++ b/doc/.gitignore
@ -1,2 +0,0 @@
-build
-*.pyc
--- a/doc/.typos.toml
+++ b/doc/.typos.toml
@ -1,66 +0,0 @@
-[default]
-extend-ignore-re = [
-    # seh too close to she
-    "registered SEH to support IDL",
-    # ALLO is a valid FTP command
-    "\"ALLO\".*[0-9]{3}",
-    "des-ede3-cbc-Env-OID",
-    # On purpose
-    "\"THE NETBIOS NAM\"",
-    # NFS stuff.
-    "commited :zeek:type:`NFS3::stable_how_t`",
-    "\\/fo\\(o",
-    "  nd\\.<br",
-    "\"BaR\"",
-    "Not-ECT",
-    "Ninteenth: Ninteenth",
-
-    # Connecton and file UIDs
-    "[CF][a-zA-Z0-9]{17}",
-
-    # Smoot
-    "Smoot",
-
-    "SIEM",
-]
-
-extend-ignore-identifiers-re = [
-    "TLS_.*_EDE.*_.*",
-    "SSL.*_EDE.*_.*",
-    "_3DES_EDE_CBC_SHA",
-    "GOST_R_.*",
-    "icmp6_nd_.*",
-    "pn", # Use for `PoolNode` variables
-    "complte_flag", # Existing use in exported record in base.
-    "VidP(n|N)", # In SMB.
-    "iin", # In DNP3.
-    "(ScValidatePnPService|ScSendPnPMessage)", # In DCE-RPC.
-    "snet", # Used as shorthand for subnet in base scripts.
-    "typ",
-    "tpe",
-]
-
-[default.extend-identifiers]
-MCA_OCCURED = "MCA_OCCURED"
-MNT3ERR_ACCES = "MNT3ERR_ACCES"
-ND_QUEUE_OVERFLOW = "ND_QUEUE_OVERFLOW"
-ND_REDIRECT = "ND_REDIRECT"
-NFS3ERR_ACCES = "NFS3ERR_ACCES"
-NO_SEH = "NO_SEH"
-RPC_NT_CALL_FAILED_DNE = "RPC_NT_CALL_FAILED_DNE"
-RpcAddPrintProvidor = "RpcAddPrintProvidor"
-RpcDeletePrintProvidor = "RpcDeletePrintProvidor"
-THA = "THA"
-tha = "tha"
-uses_seh = "uses_seh"
-exat = "exat"
-EXAT = "EXAT"
-tpe = "tpe"
-
-[default.extend-words]
-caf = "caf"
-helo = "helo"
-# Seems we use this in the management framework
-requestor = "requestor"
-# `inout` is used as a keyword in Spicy, but looks like a typo of `input`.
-inout = "inout"
--- a/doc/LICENSE
+++ b/doc/LICENSE
@ -1,5 +0,0 @@
-This work is licensed under the Creative Commons
-Attribution 4.0 International License. To view a copy of this
-license, visit https://creativecommons.org/licenses/by/4.0/ or send
-a letter to Creative Commons, 444 Castro Street, Suite 900, Mountain
-View, California, 94041, USA.
--- a/doc/Makefile
+++ b/doc/Makefile
@ -1,37 +0,0 @@
-SPHINXOPTS =
-
-NUMJOBS ?= auto
-
-all: html
-
-doc: html
-
-builddir:
-	mkdir -p build/html
-
-clean:
-	rm -rf build/html
-
-html: builddir
-	sphinx-build -j $(NUMJOBS) -b html $(SPHINXOPTS) . ./build/html
-
-livehtml: builddir
-	sphinx-autobuild --ignore "*.git/*" --ignore "*.lock" --ignore "*.pyc" --ignore "*.swp" --ignore "*.swpx" --ignore "*.swx" -b html $(SPHINXOPTS) . ./build/html
-
-commit:
-	git add * && git commit -m 'Update generated docs'
-
-spicy-%:
-	git clone https://github.com/zeek/$@
-
-check-spicy-docs: spicy-tftp
-	@echo Refreshing checkouts
-	@for REPO in $^; do (cd $$REPO && git pull && git reset HEAD --hard)>/dev/null; done
-	@
-	@echo Checking whether docs for Spicy integration are up-to-date
-	@./devel/spicy/autogen-spicy-docs spicy-tftp
-	@
-	@git diff --quiet devel/spicy/autogen/ \
-		|| (echo "Spicy docs are not up-to-date, rerun './devel/spicy/autogen-spicy-docs'." && exit 1)
-
-.PHONY : all doc builddir clean html livehtml
--- a/doc/README
+++ b/doc/README
@ -1,132 +0,0 @@
-.. _zeek-docs: https://github.com/zeek/zeek-docs
-.. _Read the Docs: https://docs.readthedocs.io/en/stable/index.html
-.. _Zeek repo: https://github.com/zeek/zeek
-.. _Sphinx: https://www.sphinx-doc.org/en/master
-.. _pip: https://pypi.org/project/pip
-
-Zeek Documentation
-==================
-
-The documentation repo at zeek-docs_
-contains version-specific Zeek documentation source files that are ultimately
-used as the basis for content hosted at https://docs.zeek.org.
-
-Markup Format, Style, and Conventions
-------------------------------------
-
-For general guidance on the basics of how the documentation is written,
-consult this Zeek wiki:
-
-https://github.com/zeek/zeek/wiki/Documentation-Style-and-Conventions
-
-Source-Tree Organization
------------------------
-
-The zeek-docs_ repo containing this README file is the root of a Sphinx_ source
-tree and can be modified to add more documentation, style sheets, JavaScript,
-etc.  The Sphinx config file is ``conf.py``.  The typical way new documents get
-integrated is from them being referenced directly in ``index.rst`` or
-indirectly from something in the ``toctree`` (Table of Contents Tree) specified
-in that main index.
-
-There is also a custom Sphinx domain implemented in ``ext/zeek.py`` which adds
-some reStructureText (reST) directives and roles that aid in generating useful
-index entries and cross-references. This primarily supports integration with
-the script-reference sections, some of which are auto-generated by Zeek's
-Doxygen-like feature, named "Zeekygen".  The bulk of auto-generated content
-lives under the ``scripts/`` directory or has a file name starting with
-"autogenerated", so if you find yourself wanting to change those, you should
-actually look at at doing those changes within the `Zeek repo`_ itself rather
-than here, so see the next section for how Zeekygen docs can be (re)generated.
-
-Generating Zeekygen Reference Docs
----------------------------------
-
-All Zeekygen-generated docs get committed into Git, so if you don't have to
-perform any changes on it and just want to preview what's already existing,
-you can skip down to the next :ref:`Local Previewing <local-doc-preview>` section.
-
-The Zeekygen documentation-generation feature is a part of Zeek itself, so
-you'll want to obtain the `Zeek repo`_ from Git, read the :doc:`INSTALL
-</install>` file directions to install required dependencies, and build Zeek::
-
-  git clone --recursive https://github.com/zeek/zeek
-  cd zeek
-  # Read INSTALL file and get dependencies here
-  ./configure && make -j $(nproc)
-  # Make desired edits to scripts/, src/, etc.
-  ./ci/update-zeekygen-docs.sh
-
-The last command runs a script to generate documentation, which will end up in
-the ``doc/`` subdirectory.  Note that ``doc/`` is just a Git submodule of this
-this zeek-docs_ repository, so you can run ``git status`` there to find exactly
-what changed.
-
-Also note that the documentation-generation script is run automatically
-on a daily basis to incorporate up any documentation changes that people make
-in Zeek itself without them having to necessarily be aware of the full
-documentation process.  The GitHub Action that does that daily task is
-located in the Zeek repo's ``.github/workflows/generate-docs.yml`` file.
-
-.. _local-doc-preview:
-
-Local Previewing (How To Build)
-------------------------------
-
-First make sure you have the required dependencies used for building docs:
-
-* Python interpreter >= 3.9
-* Sphinx: https://www.sphinx-doc.org/en/master/
-* Read the Docs Sphinx Theme: https://github.com/rtfd/sphinx_rtd_theme
-* GitPython: https://github.com/gitpython-developers/GitPython
-
-If you have pip_, you may just use the command ``pip3 install -r
-requirements.txt`` to install all the dependencies using the
-``requirements.txt`` from zeek-docs_.
-
-Now run ``make`` within the zeek-docs_ repository's top-level to locally render
-its reST files into HTML. After the build completes, HTML documentation is
-symlinked in ``build/html`` and you can open the ``index.html`` found there in
-your web browser.
-
-There's also a ``make livehtml`` (requires ``pip3 install sphinx-autobuild``)
-target in the top-level Makefile that is useful for editing the reST files and
-seeing changes rendered out live to a separate browser.
-
-Hosting
-------
-
-Documentation is hosted by `Read the Docs`_ (RTD), so you can generally read
-about how it works there.  The web-interface is accessible via
-https://readthedocs.org/projects/zeek-docs.
-
-How zeek-docs_ is configured to use RTD is a combination of some custom
-settings in its ``.readthedocs.yml`` file and others only accessible through
-RTD's web-interface (e.g. domain and subproject settings).  Most config
-settings are likely understandable just by browsing the web-interface and
-RTD's guides, but a few particular points to mention:
-
-* There is an associated, always-failing project at
-  https://readthedocs.org/projects/zeek.  It's always-failing because
-  RTD redirects only activate when pages 404 and this project exists so that
-  all attempts to use https://zeek.rtfd.io or https://zeek.readthedocs.io
-  get redirected to https://docs.zeek.org.  Those would have been the project
-  URLs if ownership of the RTD 'zeek' project was had from the start, but
-  it was only obtained later, after documentation already started development
-  in the 'zeek-docs' RTD project slug.
-
-* Over time, page redirects have accrued into ``redirects.yml`` as a way to
-  help document what they are and why they happened and also as a potential
-  way to automate addition/reinstantiation of a large number of redirects,
-  but typically redirects can be manually added via the RTD web interface
-  first and then noted in ``redirects.yml``
-
-* There are RTD subprojects for things like Broker, Package Manager,
-  and Spicy.  The use of subprojects simply allows access to their RTD
-  docs via the custom domain of https://docs.zeek.org
-
-* RTD will auto-build any newly-pushed commits to zeek-docs_ (i.e. a webhook is
-  configured), but if a tag is changed to point somewhere different, you'll
-  typically have to go into the RTD web interface, "Edit" the associated
-  version under "Versions", "wipe" the existing docs, and then manually trigger
-  a rebuild of that version tag under "Builds".
--- a/doc/README.rst
+++ b/doc/README.rst
@ -1,132 +0,0 @@
-.. _zeek-docs: https://github.com/zeek/zeek-docs
-.. _Read the Docs: https://docs.readthedocs.io/en/stable/index.html
-.. _Zeek repo: https://github.com/zeek/zeek
-.. _Sphinx: https://www.sphinx-doc.org/en/master
-.. _pip: https://pypi.org/project/pip
-
-Zeek Documentation
-==================
-
-The documentation repo at zeek-docs_
-contains version-specific Zeek documentation source files that are ultimately
-used as the basis for content hosted at https://docs.zeek.org.
-
-Markup Format, Style, and Conventions
-------------------------------------
-
-For general guidance on the basics of how the documentation is written,
-consult this Zeek wiki:
-
-https://github.com/zeek/zeek/wiki/Documentation-Style-and-Conventions
-
-Source-Tree Organization
------------------------
-
-The zeek-docs_ repo containing this README file is the root of a Sphinx_ source
-tree and can be modified to add more documentation, style sheets, JavaScript,
-etc.  The Sphinx config file is ``conf.py``.  The typical way new documents get
-integrated is from them being referenced directly in ``index.rst`` or
-indirectly from something in the ``toctree`` (Table of Contents Tree) specified
-in that main index.
-
-There is also a custom Sphinx domain implemented in ``ext/zeek.py`` which adds
-some reStructureText (reST) directives and roles that aid in generating useful
-index entries and cross-references. This primarily supports integration with
-the script-reference sections, some of which are auto-generated by Zeek's
-Doxygen-like feature, named "Zeekygen".  The bulk of auto-generated content
-lives under the ``scripts/`` directory or has a file name starting with
-"autogenerated", so if you find yourself wanting to change those, you should
-actually look at at doing those changes within the `Zeek repo`_ itself rather
-than here, so see the next section for how Zeekygen docs can be (re)generated.
-
-Generating Zeekygen Reference Docs
----------------------------------
-
-All Zeekygen-generated docs get committed into Git, so if you don't have to
-perform any changes on it and just want to preview what's already existing,
-you can skip down to the next :ref:`Local Previewing <local-doc-preview>` section.
-
-The Zeekygen documentation-generation feature is a part of Zeek itself, so
-you'll want to obtain the `Zeek repo`_ from Git, read the :doc:`INSTALL
-</install>` file directions to install required dependencies, and build Zeek::
-
-  git clone --recursive https://github.com/zeek/zeek
-  cd zeek
-  # Read INSTALL file and get dependencies here
-  ./configure && make -j $(nproc)
-  # Make desired edits to scripts/, src/, etc.
-  ./ci/update-zeekygen-docs.sh
-
-The last command runs a script to generate documentation, which will end up in
-the ``doc/`` subdirectory.  Note that ``doc/`` is just a Git submodule of this
-this zeek-docs_ repository, so you can run ``git status`` there to find exactly
-what changed.
-
-Also note that the documentation-generation script is run automatically
-on a daily basis to incorporate up any documentation changes that people make
-in Zeek itself without them having to necessarily be aware of the full
-documentation process.  The GitHub Action that does that daily task is
-located in the Zeek repo's ``.github/workflows/generate-docs.yml`` file.
-
-.. _local-doc-preview:
-
-Local Previewing (How To Build)
-------------------------------
-
-First make sure you have the required dependencies used for building docs:
-
-* Python interpreter >= 3.9
-* Sphinx: https://www.sphinx-doc.org/en/master/
-* Read the Docs Sphinx Theme: https://github.com/rtfd/sphinx_rtd_theme
-* GitPython: https://github.com/gitpython-developers/GitPython
-
-If you have pip_, you may just use the command ``pip3 install -r
-requirements.txt`` to install all the dependencies using the
-``requirements.txt`` from zeek-docs_.
-
-Now run ``make`` within the zeek-docs_ repository's top-level to locally render
-its reST files into HTML. After the build completes, HTML documentation is
-symlinked in ``build/html`` and you can open the ``index.html`` found there in
-your web browser.
-
-There's also a ``make livehtml`` (requires ``pip3 install sphinx-autobuild``)
-target in the top-level Makefile that is useful for editing the reST files and
-seeing changes rendered out live to a separate browser.
-
-Hosting
-------
-
-Documentation is hosted by `Read the Docs`_ (RTD), so you can generally read
-about how it works there.  The web-interface is accessible via
-https://readthedocs.org/projects/zeek-docs.
-
-How zeek-docs_ is configured to use RTD is a combination of some custom
-settings in its ``.readthedocs.yml`` file and others only accessible through
-RTD's web-interface (e.g. domain and subproject settings).  Most config
-settings are likely understandable just by browsing the web-interface and
-RTD's guides, but a few particular points to mention:
-
-* There is an associated, always-failing project at
-  https://readthedocs.org/projects/zeek.  It's always-failing because
-  RTD redirects only activate when pages 404 and this project exists so that
-  all attempts to use https://zeek.rtfd.io or https://zeek.readthedocs.io
-  get redirected to https://docs.zeek.org.  Those would have been the project
-  URLs if ownership of the RTD 'zeek' project was had from the start, but
-  it was only obtained later, after documentation already started development
-  in the 'zeek-docs' RTD project slug.
-
-* Over time, page redirects have accrued into ``redirects.yml`` as a way to
-  help document what they are and why they happened and also as a potential
-  way to automate addition/reinstantiation of a large number of redirects,
-  but typically redirects can be manually added via the RTD web interface
-  first and then noted in ``redirects.yml``
-
-* There are RTD subprojects for things like Broker, Package Manager,
-  and Spicy.  The use of subprojects simply allows access to their RTD
-  docs via the custom domain of https://docs.zeek.org
-
-* RTD will auto-build any newly-pushed commits to zeek-docs_ (i.e. a webhook is
-  configured), but if a tag is changed to point somewhere different, you'll
-  typically have to go into the RTD web interface, "Edit" the associated
-  version under "Versions", "wipe" the existing docs, and then manually trigger
-  a rebuild of that version tag under "Builds".
--- a/doc/_static/theme_overrides.css
+++ b/doc/_static/theme_overrides.css
@ -1,32 +0,0 @@
-/* override table width restrictions */
-@media screen and (min-width: 767px) {
-
-   .wy-table-responsive table td {
-      /* !important prevents the common CSS stylesheets from overriding
-         this as on RTD they are loaded after this stylesheet */
-      white-space: normal !important;
-   }
-
-   .wy-table-responsive {
-      overflow: visible !important;
-   }
-}
-
-h1, h2, h3, h4, h5, h6 {
-  color: #294488;
-  font-family: 'Open Sans',Helvetica,Arial,Lucida,sans-serif!important;
-}
-
-a {
-  color: #2ea3f2;
-}
-
-body {
-  font-family: "Open Sans",Arial,sans-serif;
-  color: #666;
-}
-
-div.highlight pre strong {
-  font-weight: 800;
-  background-color: #ffffcc;
-}
--- a/doc/_templates/breadcrumbs.html
+++ b/doc/_templates/breadcrumbs.html
@ -1,15 +0,0 @@
-{% extends "!breadcrumbs.html" %}
-
-{% block breadcrumbs_aside %}
-<li class="wy-breadcrumbs-aside">
-{% if pagename != "search" %}
-  {% if display_github %}
-    {% if github_version == "master" %}
-      <a href="https://{{ github_host|default("github.com") }}/{{ github_user }}/{{ github_repo }}/edit/{{ github_version }}{{ conf_py_path }}{{ pagename }}{{ page_source_suffix }}" class="fa fa-github"> {{ _('Edit on GitHub') }}</a>
-    {% endif %}
-  {% elif show_source and has_source and sourcename %}
-    <a href="{{ pathto('_sources/' + sourcename, true)|e }}" rel="nofollow"> {{ _('View page source') }}</a>
-  {% endif %}
-{% endif %}
-</li>
-{% endblock %}
--- a/doc/_templates/layout.html
+++ b/doc/_templates/layout.html
@ -1,14 +0,0 @@
-{% extends "!layout.html" %}
-
-{% if READTHEDOCS and current_version %}
-  {% if current_version == "latest" or current_version == "stable"
-     or current_version == "master" or current_version == "current"
-     or current_version == "lts" or current_version == "LTS" %}
-    {% set current_version = current_version ~ " (" ~ version ~ ")" %}
-  {% endif %}
-{% endif %}
-
-{% block menu %}
-  {{ super() }}
-  <a href="{{pathto('genindex.html', 1)}}">Index</a>
-{% endblock %}
--- a/doc/about.rst
+++ b/doc/about.rst
@ -1,256 +0,0 @@
-==========
-About Zeek
-==========
-
-What Is Zeek?
-=============
-
-Zeek is a passive, open-source network traffic analyzer. Many operators use
-Zeek as a network security monitor (NSM) to support investigations of
-suspicious or malicious activity. Zeek also supports a wide range of traffic
-analysis tasks beyond the security domain, including performance measurement
-and troubleshooting.
-
-The first benefit a new user derives from Zeek is the extensive set of logs
-describing network activity. These logs include not only a comprehensive record
-of every connection seen on the wire, but also application-layer transcripts.
-These include all HTTP sessions with their requested URIs, key headers, MIME
-types, and server responses; DNS requests with replies; SSL certificates; key
-content of SMTP sessions; and much more. By default, Zeek writes all this
-information into well-structured tab-separated or JSON log files suitable for
-post-processing with external software. Users can also choose to have external
-databases or SIEM products consume, store, process, and present the data for
-querying.
-
-In addition to the logs, Zeek comes with built-in functionality for a range of
-analysis and detection tasks, including extracting files from HTTP sessions,
-detecting malware by interfacing to external registries, reporting vulnerable
-versions of software seen on the network, identifying popular web applications,
-detecting SSH brute-forcing, validating SSL certificate chains, and much more.
-
-In addition to shipping such powerful functionality “out of the box,” Zeek is a
-fully customizable and extensible platform for traffic analysis. Zeek provides
-users a domain-specific, Turing-complete scripting language for expressing
-arbitrary analysis tasks. Think of the Zeek language as a “domain-specific
-Python” (or Perl): just like Python, the system comes with a large set of
-pre-built functionality (the “standard library”), yet users can also put Zeek
-to use in novel ways by writing custom code. Indeed, all of Zeek’s default
-analyses, including logging, are done via scripts; no specific analysis is
-hard-coded into the core of the system.
-
-Zeek runs on commodity hardware and hence provides a low-cost alternative to
-expensive proprietary solutions. In many ways Zeek exceeds the capabilities of
-other network monitoring tools, which typically remain limited to a small set
-of hard-coded analysis tasks. Zeek is not a classic signature-based intrusion
-detection system (IDS); while it supports such standard functionality as well,
-Zeek’s scripting language facilitates a much broader spectrum of very different
-approaches to finding malicious activity. These include semantic misuse
-detection, anomaly detection, and behavioral analysis.
-
-A large variety of sites deploy Zeek to protect their infrastructure, including
-many universities, research labs, supercomputing centers, open-science
-communities, major corporations, and government agencies. Zeek specifically
-targets high-speed, high-volume network monitoring, and an increasing number of
-sites are now using the system to monitor their 10GE networks, with some
-already moving on to 100GE links.
-
-Zeek accommodates high-performance settings by supporting scalable
-load-balancing. Large sites typically run “Zeek Clusters” in which a high-speed
-front end load balancer distributes the traffic across an appropriate number of
-back end PCs, all running dedicated Zeek instances on their individual traffic
-slices. A central manager system coordinates the process, synchronizing state
-across the back ends and providing the operators with a central management
-interface for configuration and access to aggregated logs. Zeek’s integrated
-management framework, ZeekControl, supports such cluster setups out-of-the-box.
-
-Zeek’s cluster features support single-system and multi-system setups. That's
-part of Zeek’s scalability advantages. For example, administrators can scale
-Zeek within one system for as long as possible, and then transparently add more
-systems when necessary.
-
-In brief, Zeek is optimized for interpreting network traffic and generating
-logs based on that traffic. It is not optimized for byte matching, and users
-seeking signature detection approaches would be better served by trying
-intrusion detection systems such as Suricata. Zeek is also not a protocol
-analyzer in the sense of Wireshark, seeking to depict every element of network
-traffic at the frame level, or a system for storing traffic in packet capture
-(PCAP) form. Rather, Zeek sits at the “happy medium” representing compact yet
-high fidelity network logs, generating better understanding of network traffic
-and usage.
-
-Why Zeek?
-=========
-
-Zeek offers many advantages for security and network teams who want to better
-understand how their infrastructure is being used.
-
-Security teams generally depend upon four sorts of data sources when trying to
-detect and respond to suspicious and malicious activity. These include *third
-party* sources such as law enforcement, peers, and commercial or nonprofit
-threat intelligence organizations; *network data*; *infrastructure and
-application data*, including logs from cloud environments; and *endpoint data*.
-Zeek is primarily a platform for collecting and analyzing the second form of
-data -- network data. All four are important elements of any security team’s
-program, however.
-
-When looking at data derived from the network, there are four types of data
-available to analysts. As defined by the `network security monitoring paradigm
-<https://corelight.blog/2019/04/30/do-you-know-your-nsm-data-types/>`_, these
-four data types are *full content*, *transaction data*, *extracted content*,
-and *alert data*. Using these data types, one can record traffic, summarize
-traffic, extract traffic (or perhaps more accurately, extract content
-in the form of files), and judge traffic, respectively.
-
-It’s critical to collect and analyze the four types of network security
-monitoring data. The question becomes one of determining the best way to
-accomplish this goal. Thankfully, Zeek as a NSM platform enables collection of
-at least two, and in some ways three, of these data forms, namely transaction
-data, extracted content, and alert data.
-
-Zeek is best known for its transaction data. By default, when run and told to
-watch a network interface, Zeek will generate a collection of compact,
-high-fidelity, richly-annotated set of transaction logs. These logs describe
-the protocols and activity seen on the wire, in a judgement-free,
-policy-neutral manner. This documentation will spend a considerable amount of
-time describing the most common Zeek log files such that readers will become
-comfortable with the format and learn to apply them to their environment.
-
-Zeek can also easily carve files from network traffic, thanks to its file
-extraction capabilities. Analysts can then send those files to execution
-sandboxes or other file examination tools for additional investigation. Zeek
-has some capability to perform classical byte-centric intrusion detection, but
-that job is best suited for packages like the open source Snort or Suricata
-engines. Zeek has other capabilities however that are capable of providing
-judgements in the form of alerts, through its notice mechanism.
-
-Zeek is not optimized for writing traffic to disk in the spirit of a full
-content data collection, and that task is best handled by software written to
-fulfill that requirement.
-
-Beyond the forms of network data that Zeek can natively collect and generate,
-Zeek has advantages that appeared in the `What Is Zeek?`_ section. These
-include its built-in functionality for a range of analysis and detection
-tasks, and its status as a fully customizable and extensible platform for
-traffic analysis.  Zeek is also attractive because of its ability to run on
-commodity hardware, giving users of all types the ability to at least try Zeek
-in a low-cost manner.
-
-History
-=======
-
-Zeek has a rich history stretching back to the 1990s. `Vern Paxson
-<http://www.icir.org/vern/>`_ designed and implemented the initial version in
-1995 as a researcher at the `Lawrence Berkeley National Laboratory (LBNL)
-<http://www.lbl.gov/>`_. The original software was called “Bro,” as an
-“Orwellian reminder that monitoring comes hand in hand with the potential
-for privacy violations”.
-
-LBNL first deployed Zeek in 1996, and the USENIX Security Symposium published
-Vern’s original paper on Zeek in 1998, and awarded it the Best Paper Award that
-year He published a refined version of the paper in 1999 as `Bro: A System for
-Detecting Network Intruders in Real-Time
-<http://www.icir.org/vern/papers/bro-CN99.pdf>`_.
-
-In 2003, the `National Science Foundation (NSF) <http://www.nsf.gov/>`_ began
-supporting research and advanced development on Bro at the `International
-Computer Science Institute (ICSI) <http://www.icsi.berkeley.edu/>`_. (Vern
-still leads the ICSI `Networking and Security group <http://www.icir.org/>`_.)
-
-Over the years, a growing team of ICSI researchers and students kept adding
-novel functions to Zeek, while LBNL continued its support with funding from the
-`Department of Energy (DOE) <http://www.doe.gov/>`_. Much of Zeek’s
-capabilities originate in academic research projects, with results often
-published at top-tier conferences. A key to Zeek’s success was the project’s
-ability to bridge the gap between academia and operations. This relationship
-helped ground research on Zeek in real-world challenges.
-
-With a growing operational user community, the research-centric development
-model eventually became a bottleneck to the system’s evolution.  Research
-grants did not support the more mundane parts of software development and
-maintenance. However, those elements were crucial for the end-user experience.
-As a result, deploying Zeek required overcoming a steep learning curve.
-
-In 2010, NSF sought to address this challenge by awarding ICSI a grant from its
-Software Development for Cyberinfrastructure fund. The `National Center for
-Supercomputing Applications (NCSA) <http://www.ncsa.illinois.edu/>`_ joined the
-team as a core partner, and the Zeek project began to overhaul many of the
-user-visible parts of the system for the 2.0 release in 2012.
-
-After Zeek 2.0, the project enjoyed tremendous growth in new deployments across
-a diverse range of settings, and the ongoing collaboration between ICSI (co-PI
-Robin Sommer) and NCSA (co-PI Adam Slagell) brought a number of important
-features.  In 2012, Zeek added native IPv6 support, long before many enterprise
-networking monitoring tools. In 2013, NSF renewed its support with a second
-grant that established the Bro Center of Expertise at ICSI and NCSA, promoting
-Zeek as a comprehensive, low-cost security capability for research and
-education communities. To facilitate both debugging and education,
-`try.zeek.org <https://try.zeek.org>`_ (formerly try.bro.org) was launched in
-2014.  This provided an interactive way for users to test a script with their
-own packet captures against a variety of Zeek versions and easily share
-sample code with others.  For Zeek clusters and external communication,
-the Broker communication framework was added.  Last, but not least, the
-Zeek package manager was created in 2016, funded by an additional grant
-from the Mozilla Foundation.
-
-In the fall of 2018, the project leadership team decided to change the name of
-the software from Bro to Zeek. The leadership team desired a name that better
-reflected the values of the community while avoiding the negative connotations
-of so-called “bro culture” outside the computing world. The project released
-version 3.0 in the fall of 2019, the first release bearing the name Zeek. The
-year 2020 saw a renewed focus on community and growing the Zeek community, with
-increased interaction via social media, webinars, Slack channels, and related
-outreach efforts.
-
-For a history of the project from 1995 to 2015, see Vern Paxson’s talk from
-BroCon 2015, `Reflecting on Twenty Years of Bro
-<https://www.youtube.com/watch?v=pb9HlmV0s2A>`_.
-
-For background on the decision to rename Bro to Zeek, see Vern Paxson’s talk
-from BroCon 2018, `Renaming Bro
-<https://www.youtube.com/watch?v=L88ZYfjPzyk>`_.
-
-Architecture
-============
-
-.. image:: /images/architecture.png
-   :align: center
-   :scale: 75%
-
-At a very high level, Zeek is architecturally layered into two major
-components. Its *event engine* (or *core*) reduces the incoming packet stream
-into a series of higher-level *events*. These events reflect network activity
-in policy-neutral terms, i.e., they describe *what* has been seen, but not
-*why*, or whether it is significant.
-
-For example, every HTTP request on the wire turns into a corresponding
-:zeek:see:`http_request` event that carries with it the involved IP addresses
-and ports, the URI being requested, and the HTTP version in use. The event
-however does not convey any further *interpretation*, such as whether that URI
-corresponds to a known malware site.
-
-The event engine component comprises a number of subcomponents, including in
-particular the packet processing pipeline consisting of: input sources,
-packet analysis, session analysis, and file analysis. Input sources ingest
-incoming network traffic from network interfaces. Packet analysis processes
-lower-level protocols, starting all the way down at the link layer. Session
-analysis handles application-layer protocols, such as HTTP, FTP, etc. File
-analysis dissects the content of files transferred over sessions. The event
-engine provides a plugin architecture for adding any of these from outside
-of the core Zeek code base, allowing to expand Zeek’s capabilities as
-needed.
-
-Semantics related to the events are derived by Zeek’s second main component,
-the *script interpreter*, which executes a set of *event handlers* written in
-Zeek’s custom scripting language. These scripts can express a site’s
-security policy, such as what actions to take when the monitor detects
-different types of activity.
-
-More generally scripts can derive any desired properties and statistics from
-the input traffic. In fact, all of Zeek’s default output comes from scripts
-included in the distribution. Zeek’s language comes with extensive
-domain-specific types and support functionality. Crucially, Zeek’s language
-allows scripts to maintain state over time, enabling them to track and
-correlate the evolution of what they observe across connection and host
-boundaries. Zeek scripts can generate real-time alerts and also execute
-arbitrary external programs on demand. One might use this functionality to
-trigger an active response to an attack.
--- a/doc/acknowledgements.rst
+++ b/doc/acknowledgements.rst
@ -1,22 +0,0 @@
-================
-Acknowledgements
-================
-
-Thanks to everyone who contributed in making Zeek's documentation
-(alphabetically):
-
-* Johanna Amann
-* Richard Bejtlich
-* Michael Dopheide
-* Amber Graner
-* Jan Grashöfer
-* Christian Kreibich
-* Terry Leach
-* Aashish Sharma
-* Jon Siwek
-* Stephen Smoot
-* Robin Sommer
-* Aaron Soto
-* Nick Turley
-* Fatema Bannat Wala
-* Tim Wojtulewicz
--- a/doc/building-from-source.rst
+++ b/doc/building-from-source.rst
@ -1,389 +0,0 @@
-
-.. _CMake: https://www.cmake.org
-.. _SWIG: https://www.swig.org
-.. _Xcode: https://developer.apple.com/xcode/
-.. _MacPorts: https://www.macports.org
-.. _Fink: https://www.finkproject.org
-.. _Homebrew: https://brew.sh
-.. _downloads page: https://zeek.org/get-zeek
-.. _devtoolset: https://developers.redhat.com/products/developertoolset/hello-world
-.. _zkg package manager: https://docs.zeek.org/projects/package-manager/en/stable/
-.. _crosstool-NG: https://crosstool-ng.github.io/
-.. _CMake toolchain: https://cmake.org/cmake/help/latest/manual/cmake-toolchains.7.html
-.. _contribute: https://github.com/zeek/zeek/wiki/Contribution-Guide
-.. _Chocolatey: https://chocolatey.org
-.. _Npcap: https://npcap.com/
-
-.. _building-from-source:
-
-====================
-Building from Source
-====================
-
-Building Zeek from source provides the most control over your build and is the
-preferred approach for advanced users. We support a wide range of operating
-systems and distributions. Our `support policy
-<https://github.com/zeek/zeek/wiki/Platform-Support-Policy>`_ is informed by
-what we can run in our CI pipelines with reasonable effort, with the current
-status captured in our `support matrix
-<https://github.com/zeek/zeek/wiki/Zeek-Operating-System-Support-Matrix>`_.
-
-Required Dependencies
---------------------
-
-Building Zeek from source requires the following dependencies, including
-development headers for libraries:
-
-    * Bash (for ZeekControl and BTest)
-    * BIND8 library or greater (if not covered by system's libresolv)
-    * Bison 3.3 or greater (https://www.gnu.org/software/bison/)
-    * C/C++ compiler with C++17 support (GCC 8+ or Clang 9+)
-    * CMake 3.15 or greater (https://www.cmake.org)
-    * Flex (lexical analyzer generator) 2.6 or greater (https://github.com/westes/flex)
-    * Libpcap (https://www.tcpdump.org)
-    * Make
-    * OpenSSL (https://www.openssl.org)
-    * Python 3.9 or greater (https://www.python.org/)
-    * SWIG (https://www.swig.org)
-    * ZeroMQ (https://zeromq.org)
-    * Zlib (https://zlib.net/)
-
-To install these, you can use:
-
-* RPM/RedHat-based Linux:
-
-  .. code-block:: console
-
-     sudo dnf install bison cmake cppzmq-devel gcc gcc-c++ flex libpcap-devel make openssl-devel python3 python3-devel swig zlib-devel
-
-  On pre-``dnf`` systems, use ``yum`` instead.  Additionally, on RHEL/CentOS 7,
-  you can install and activate a devtoolset_ to get access to recent GCC
-  versions. You will also have to install and activate CMake 3.  For example:
-
-  .. code-block:: console
-
-     sudo yum install cmake3 devtoolset-7
-     scl enable devtoolset-7 bash
-
-* DEB/Debian-based Linux:
-
-  .. code-block:: console
-
-     sudo apt-get install bison cmake cppzmq-dev gcc g++ flex libfl-dev libpcap-dev libssl-dev make python3 python3-dev swig zlib1g-dev
-
-  If your platform doesn't offer ``cppzmq-dev``, try ``libzmq3-dev``
-  instead. Zeek's build will fall back to an in-tree version of C++
-  bindings to ZeroMQ in that case.
-
-* FreeBSD:
-
-  Most required dependencies should come with a minimal FreeBSD install
-  except for the following.
-
-  .. code-block:: console
-
-      sudo pkg install -y base64 bash bison cmake cppzmq git python3 swig
-      pyver=`python3 -c 'import sys; print(f"py{sys.version_info[0]}{sys.version_info[1]}")'`
-      sudo pkg install -y $pyver-sqlite3
-
-* macOS:
-
-  Compiling source code on Macs requires first installing either Xcode_
-  or the "Command Line Tools" (which is a much smaller download).  To check
-  if either is installed, run the ``xcode-select -p`` command.  If you see
-  an error message, then neither is installed and you can then run
-  ``xcode-select --install`` which will prompt you to either get Xcode (by
-  clicking "Get Xcode") or to install the command line tools (by
-  clicking "Install").
-
-  macOS comes with all required dependencies except for CMake_, SWIG_,
-  Bison, Flex, and OpenSSL (OpenSSL headers were removed in macOS 10.11,
-  therefore OpenSSL must be installed manually for macOS versions 10.11
-  or newer).
-
-  Distributions of these dependencies can likely be obtained from your
-  preferred macOS package management system (e.g. Homebrew_,
-  MacPorts_, or Fink_). Specifically for Homebrew, the ``bison``, ``cmake``,
-  ``cppzmq``, ``flex``, ``swig``, and ``openssl`` packages
-  provide the required dependencies.  For MacPorts, use the ``bison``, ``cmake``,
-  ``cppzmq``, ``flex``, ``swig``, ``swig-python``, and ``openssl`` packages.
-
-* Windows
-
-  Windows support is experimental. These instructions are meant as a starting
-  point for development on that platform, and might have issues or be missing
-  steps. Notify the Zeek team if any such problems arise.
-
-  Compiling on Windows requires the installation of a development environment.
-  Zeek currently builds on Visual Studio 2019, and you can either install the
-  full version including the UI tools or you can install the command-line tools
-  and build from a shell. The instructions below describe how to install the
-  command-line tools, but are not necessary if you install the full VS2019
-  package. You will need to install Chocolatey_ in order to install the
-  dependencies as instructed below. It's possible to install them from other
-  sources (msys2, cygwin, etc), which we leave to the reader.
-
-  Cloning the repository will also require Developer Mode to be enabled in
-  Windows. This is due to the existence of a number of symbolic links in the
-  repository. Without Developer Mode, ``git`` on Windows will ignore these
-  links and builds will fail. There are a couple of different ways to enable
-  it, and the settings may differ depending on the version of Windows.
-
-  .. code-block:: console
-
-     choco install -y --no-progress visualstudio2019buildtools --version=16.11.11.0
-     choco install -y --no-progress visualstudio2019-workload-vctools --version=1.0.0 --package-parameters '--add Microsoft.VisualStudio.Component.VC.ATLMFC'
-     choco install -y --no-progress sed
-     choco install -y --no-progress winflexbison3
-     choco install -y --no-progress msysgit
-     choco install -y --no-progress python
-     choco install -y --no-progress openssl --version=3.1.1
-
-  Once the dependencies are installed, you will need to add the Git installation
-  to your PATH (``C:\Program Files\Git\bin`` by default). This is needed for the
-  ``sh`` command to be available during the build. Once all of the dependencies
-  are in place, you will need to open a shell (PowerShell or cmd) and add the
-  development environment to it. The following command is for running on an
-  x86_64 host.
-
-  .. code-block:: console
-
-     C:\Program Files (x86)\Microsoft Visual Studio\2019\BuildTools\VC\Auxiliary\Build\vcvarsall.bat x86_amd64
-
-  Now you can build via cmake:
-
-  .. code-block:: console
-
-     mkdir build
-     cd build
-     cmake.exe .. -DCMAKE_BUILD_TYPE=release -DENABLE_ZEEK_UNIT_TESTS=yes -DENABLE_CLUSTER_BACKEND_ZEROMQ=no -DVCPKG_TARGET_TRIPLET="x64-windows-static" -G Ninja
-     cmake.exe --build .
-
-  All of this is duplicated in the CI configuration for Windows which lives in
-  the ``ci/windows`` directory, and can be used as a reference for running the
-  commands by hand.
-
-  Note: By default, Windows links against the standard libpcap library from
-  vcpkg. This version of libpcap does not support packet capture on Windows,
-  unlike other platforms. In order to capture packets from live interfaces on
-  Windows, you will need to link against the Npcap_ library. This library is free
-  for personal use, but requires a paid license for commercial use or
-  redistribution. To link against Npcap, download the SDK from their website,
-  unzip it, and then pass ``-DPCAP_ROOT_DIR="<path to npcap sdk>"`` to the
-  initial CMake invocation for Zeek.
-
-  Note also that the ZeroMQ cluster backend is not yet supported on Windows.
-
-Optional Dependencies
---------------------
-
-Zeek can make use of some optional libraries and tools if they are found at
-build time:
-
-    * libmaxminddb (for geolocating IP addresses)
-    * sendmail (enables Zeek and ZeekControl to send mail)
-    * curl (used by a Zeek script that implements active HTTP)
-    * gperftools (tcmalloc is used to improve memory and CPU usage)
-    * jemalloc (https://github.com/jemalloc/jemalloc)
-    * PF_RING (Linux only, see :ref:`pf-ring-config`)
-    * krb5 libraries and headers
-    * ipsumdump (for trace-summary; https://github.com/kohler/ipsumdump)
-    * hiredis (for the Redis storage backend)
-
-Geolocation is probably the most interesting and can be installed on most
-platforms by following the instructions for :ref:`address geolocation and AS
-lookups <geolocation>`.
-
-The `zkg package manager`_, included in the Zeek installation, requires
-two external Python modules:
-
-    * GitPython: https://pypi.org/project/GitPython/
-    * semantic-version: https://pypi.org/project/semantic-version/
-
-These install easily via pip (``pip3 install GitPython
-semantic-version``) and also ship with some distributions:
-
-* RPM/RedHat-based Linux:
-
-  .. code-block:: console
-
-     sudo yum install python3-GitPython python3-semantic_version
-
-* DEB/Debian-based Linux:
-
-  .. code-block:: console
-
-     sudo apt-get install python3-git python3-semantic-version
-
-``zkg`` also requires a ``git`` installation, which the above system packages
-pull in as a dependency. If you install via pip, remember that you also need
-``git`` itself.
-
-Retrieving the Sources
----------------------
-
-Zeek releases are bundled into source packages for convenience and are
-available on the `downloads page`_. The source code can be manually downloaded
-from the link in the ``.tar.gz`` format to the target system for installation.
-
-If you plan to `contribute`_ to Zeek or just want to try out the latest
-features under development, you should obtain Zeek's source code through its
-Git repositories hosted at https://github.com/zeek:
-
-.. code-block:: console
-
-    git clone --recurse-submodules https://github.com/zeek/zeek
-
-.. note:: If you choose to clone the ``zeek`` repository
-   non-recursively for a "minimal Zeek experience", be aware that
-   compiling it depends on several of the other submodules as well, so
-   you'll likely have to build/install those independently first.
-
-Configuring and Building
------------------------
-
-The typical way to build and install from source is as follows:
-
-.. code-block:: console
-
-    ./configure
-    make
-    make install
-
-If the ``configure`` script fails, then it is most likely because it either
-couldn't find a required dependency or it couldn't find a sufficiently new
-version of a dependency.  Assuming that you already installed all required
-dependencies, then you may need to use one of the ``--with-*`` options
-that can be given to the ``configure`` script to help it locate a dependency.
-To find out what all different options ``./configure`` supports, run
-``./configure --help``.
-
-The default installation path is ``/usr/local/zeek``, which would typically
-require root privileges when doing the ``make install``.  A different
-installation path can be chosen by specifying the ``configure`` script
-``--prefix`` option.  Note that ``/usr``, ``/opt/bro/``, and ``/opt/zeek`` are
-the standard prefixes for binary Zeek packages to be installed, so those are
-typically not good choices unless you are creating such a package.
-
-Depending on the Zeek package you downloaded, there may be auxiliary
-tools and libraries available in the ``auxil/`` directory. Some of them
-will be automatically built and installed along with Zeek. There are
-``--disable-*`` options that can be given to the configure script to
-turn off unwanted auxiliary projects that would otherwise be installed
-automatically.  Finally, use ``make install-aux`` to install some of
-the other programs that are in the ``auxil/zeek-aux`` directory.
-
-Finally, if you want to build the Zeek documentation (not required, because
-all of the documentation for the latest Zeek release is available at
-https://docs.zeek.org), there are instructions in ``doc/README`` in the source
-distribution.
-
-Cross Compiling
---------------
-
-Prerequisites
-~~~~~~~~~~~~~
-
-You need three things on the host system:
-
-1. The Zeek source tree.
-2. A cross-compilation toolchain, such as one built via crosstool-NG_.
-3. Pre-built Zeek dependencies from the target system.  This usually
-   includes libpcap, zlib, OpenSSL, and Python development headers
-   and libraries.
-
-Configuration and Compiling
-~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-You first need to compile a few build tools native to the host system
-for use during the later cross-compile build.  In the root of your
-Zeek source tree:
-
-.. code-block:: console
-
-   ./configure --builddir=../zeek-buildtools
-   ( cd ../zeek-buildtools && make binpac bifcl )
-
-Next configure Zeek to use your cross-compilation toolchain (this example
-uses a Raspberry Pi as the target system):
-
-.. code-block:: console
-
-   ./configure --toolchain=/home/jon/x-tools/RaspberryPi-toolchain.cmake --with-binpac=$(pwd)/../zeek-buildtools/auxil/binpac/src/binpac --with-bifcl=$(pwd)/../zeek-buildtools/src/bifcl
-
-Here, the :file:`RaspberryPi-toolchain.cmake` file specifies a `CMake
-toolchain`_.  In the toolchain file, you need to point the toolchain and
-compiler at the cross-compilation toolchain.  It might look something the
-following:
-
-.. code-block:: cmake
-
-  # Operating System on which CMake is targeting.
-  set(CMAKE_SYSTEM_NAME Linux)
-
-  # The CMAKE_STAGING_PREFIX option may not work.
-  # Given that Zeek is configured:
-  #
-  #   ``./configure --prefix=<dir>``
-  #
-  # The options are:
-  #
-  #   (1) ``make install`` and then copy over the --prefix dir from host to
-  #       target system.
-  #
-  #   (2) ``DESTDIR=<staging_dir> make install`` and then copy over the
-  #       contents of that staging directory.
-
-  set(toolchain /home/jon/x-tools/arm-rpi-linux-gnueabihf)
-  set(CMAKE_C_COMPILER   ${toolchain}/bin/arm-rpi-linux-gnueabihf-gcc)
-  set(CMAKE_CXX_COMPILER ${toolchain}/bin/arm-rpi-linux-gnueabihf-g++)
-
-  # The cross-compiler/linker will use these paths to locate dependencies.
-  set(CMAKE_FIND_ROOT_PATH
-      /home/jon/x-tools/zeek-rpi-deps
-      ${toolchain}/arm-rpi-linux-gnueabihf/sysroot
-  )
-
-  set(CMAKE_FIND_ROOT_PATH_MODE_PROGRAM NEVER)
-  set(CMAKE_FIND_ROOT_PATH_MODE_LIBRARY ONLY)
-  set(CMAKE_FIND_ROOT_PATH_MODE_INCLUDE ONLY)
-
-If that configuration succeeds you are ready to build:
-
-.. code-block:: console
-
-   make
-
-And if that works, install on your host system:
-
-.. code-block:: console
-
-   make install
-
-Once installed, you can copy/move the files from the installation prefix on the
-host system to the target system and start running Zeek as usual.
-
-Configuring the Run-Time Environment
-====================================
-
-You may want to adjust your :envvar:`PATH` environment variable
-according to the platform/shell/package you're using since
-neither :file:`/usr/local/zeek/bin/` nor :file:`/opt/zeek/bin/`
-will reside in the default :envvar:`PATH`. For example:
-
-Bourne-Shell Syntax:
-
-.. code-block:: console
-
-   export PATH=/usr/local/zeek/bin:$PATH
-
-C-Shell Syntax:
-
-.. code-block:: console
-
-   setenv PATH /usr/local/zeek/bin:$PATH
-
-Or substitute ``/opt/zeek/bin`` instead if you installed from a binary package.
-
-Zeek supports several environment variables to adjust its behavior. Take a look
-at the ``zeek --help`` output for details.
--- a/doc/cluster-setup.rst
+++ b/doc/cluster-setup.rst
@ -1,507 +0,0 @@
-
-.. _ZeekControl documentation: https://github.com/zeek/zeekctl
-
-==================
-Zeek Cluster Setup
-==================
-
-.. TODO: integrate BoZ revisions
-
-A *Zeek Cluster* is a set of systems jointly analyzing the traffic of
-a network link in a coordinated fashion.  You can operate such a setup from
-a central manager system easily using ZeekControl because it
-hides much of the complexity of the multi-machine installation.
-
-Cluster Architecture
-====================
-
-Zeek is not multithreaded, so once the limitations of a single processor core
-are reached the only option currently is to spread the workload across many
-cores, or even many physical computers. The cluster deployment scenario for
-Zeek is the current solution to build these larger systems. The tools and
-scripts that accompany Zeek provide the structure to easily manage many Zeek
-processes examining packets and doing correlation activities but acting as
-a singular, cohesive entity.  This section describes the Zeek cluster
-architecture.  For information on how to configure a Zeek cluster,
-see the documentation for `ZeekControl <https://github.com/zeek/zeekctl>`_.
-
-Architecture
------------
-
-The figure below illustrates the main components of a Zeek cluster.
-
-.. image:: /images/deployment.png
-
-For more specific information on the way Zeek processes are connected,
-how they function, and how they communicate with each other, see the
-:ref:`Broker Framework Documentation <broker-framework>`.
-
-Tap
-***
-The tap is a mechanism that splits the packet stream in order to make a copy
-available for inspection. Examples include the monitoring port on a switch
-and an optical splitter on fiber networks.
-
-Frontend
-********
-The frontend is a discrete hardware device or on-host technique that splits
-traffic into many streams or flows. The Zeek binary does not do this job.
-There are numerous ways to accomplish this task, some of which are described
-below in `Frontend Options`_.
-
-Manager
-*******
-The manager is a Zeek process that has two primary jobs.  It receives log
-messages and notices from the rest of the nodes in the cluster using the Zeek
-communications protocol (note that if you use a separate logger node, then the
-logger receives all logs instead of the manager).  The result
-is a single log instead of many discrete logs that you have to
-combine in some manner with post-processing.
-The manager also supports other functionality and analysis which
-requires a centralized, global view of events or data.
-
-Logger
-******
-A logger is an optional Zeek process that receives log messages from the
-rest of the nodes in the cluster using the Zeek communications protocol.
-The purpose of having a logger receive logs instead of the manager is
-to reduce the load on the manager.  If no logger is needed, then the
-manager will receive logs instead.
-
-Proxy
-*****
-A proxy is a Zeek process that may be used to offload data storage or
-any arbitrary workload.  A cluster may contain multiple proxy nodes.
-The default scripts that come with Zeek make minimal use of proxies, so
-a single one may be sufficient, but customized use of them to partition
-data or workloads provides greater cluster scalability potential than
-just doing similar tasks on a single, centralized Manager node.
-
-Zeek processes acting as proxies don't tend to be extremely hard on CPU
-or memory and users frequently run proxy processes on the same physical
-host as the manager.
-
-Worker
-******
-The worker is the Zeek process that sniffs network traffic and does protocol
-analysis on the reassembled traffic streams.  Most of the work of an active
-cluster takes place on the workers and as such, the workers typically
-represent the bulk of the Zeek processes that are running in a cluster.
-The fastest memory and CPU core speed you can afford is recommended
-since all of the protocol parsing and most analysis will take place here.
-There are no particular requirements for the disks in workers since almost all
-logging is done remotely to the manager, and normally very little is written
-to disk.
-
-Frontend Options
----------------
-
-There are many options for setting up a frontend flow distributor.  In many
-cases it is beneficial to do multiple stages of flow distribution
-on the network and on the host.
-
-Discrete hardware flow balancers
-********************************
-
-cPacket
-^^^^^^^
-
-If you are monitoring one or more 10G physical interfaces, the recommended
-solution is to use either a cFlow or cVu device from cPacket because they
-are used successfully at a number of sites.  These devices will perform
-layer-2 load balancing by rewriting the destination Ethernet MAC address
-to cause each packet associated with a particular flow to have the same
-destination MAC.  The packets can then be passed directly to a monitoring
-host where each worker has a BPF filter to limit its visibility to only that
-stream of flows, or onward to a commodity switch to split the traffic out to
-multiple 1G interfaces for the workers.  This greatly reduces
-costs since workers can use relatively inexpensive 1G interfaces.
-
-On host flow balancing
-**********************
-
-PF_RING
-^^^^^^^
-
-The PF_RING software for Linux has a "clustering" feature which will do
-flow-based load balancing across a number of processes that are sniffing the
-same interface.  This allows you to easily take advantage of multiple
-cores in a single physical host because Zeek's main event loop is single
-threaded and can't natively utilize all of the cores.  If you want to use
-PF_RING, see the documentation on :ref:`how to configure Zeek with PF_RING
-<pf-ring-config>`.
-
-
-AF_PACKET
-^^^^^^^^^
-
-On Linux, Zeek supports `AF_PACKET sockets <https://docs.kernel.org/networking/packet_mmap.html>`_ natively.
-Currently, this is provided by including the `external Zeek::AF_Packet plugin <https://github.com/zeek/zeek-af_packet-plugin>`_
-in default builds of Zeek for Linux. Additional information can be found in
-the project's README file.
-
-To check the availability of the ``af_packet`` packet source, print its information using ``zeek -N``::
-
-    zeek -N Zeek::AF_Packet
-    Zeek::AF_Packet - Packet acquisition via AF_Packet (dynamic, version 3.2.0)
-
-On FreeBSD, MacOSX, or if Zeek was built with ``--disable-af-packet``, the
-plugin won't be available.
-
-Single worker mode
-""""""""""""""""""
-
-For the most basic usage, prefix the interface with ``af_packet::`` when invoking Zeek::
-
-    zeek -i af_packet::eth0
-
-Generally, running Zeek this way requires a privileged user with CAP_NET_RAW
-and CAP_NET_ADMIN capabilities. Linux supports file-based capabilities: A
-process executing an executable with capabilities will receive these.
-Using this mechanism allows to run Zeek as an unprivileged user once the file
-capabilities have been added::
-
-    sudo setcap cap_net_raw,cap_net_admin=+eip /path/to/zeek
-
-Offloading and ethtool tuning
-"""""""""""""""""""""""""""""
-
-While not specific to AF_PACKET, it is recommended to disable any offloading
-features provided by the network card or Linux networking stack when running
-Zeek. This allows to see network packets as they arrive on the wire.
-See this `blog post <https://blog.securityonion.net/2011/10/when-is-full-packet-capture-not-full.html>`_
-for more background
-
-Toggling these features can be done with the ``ethtool -K`` command, for example::
-
-    IFACE=eth0
-    for offload in rx tx sg tso ufo gso gro lro; do
-      ethtool -K $IFACE $offload off
-    done
-
-Detailed statistics about the interface can be gathered via ``ethtool -S``.
-
-For more details around the involved offloads consult the
-`ethtool manpage <https://man7.org/linux/man-pages/man8/ethtool.8.html>`_.
-
-Load balancing
-""""""""""""""
-
-The more interesting use-case is to use AF_PACKET to run multiple Zeek workers
-and have their packet sockets join what is called a fanout group.
-In such a setup, the network traffic is load-balanced across Zeek workers.
-By default load balancing is based on symmetric flow hashes [#]_.
-
-For example, running two Zeek workers listening on the same network interface,
-each worker analyzing approximately half of the network traffic, can be done
-as follows::
-
-    zeek -i af_packet::eth0 &
-    zeek -i af_packet::eth0 &
-
-The fanout group is identified by an id and configurable using the
-``AF_Packet::fanout_id`` constant which defaults to 23. In the example
-above, both Zeek workers join the same fanout group.
-
-
-.. note::
-
-  As a caveat, within the same Linux network namespace, two Zeek processes can
-  not use the same fanout group id for listening on different network interfaces.
-  If this is a setup you're planning on running, configure the fanout group
-  ids explicitly.
-  For illustration purposes, the following starts two Zeek workers each using
-  a different network interface and fanout group id::
-
-    zeek -i af_packet::eth0 AF_Packet::fanout_id=23 &
-    zeek -i af_packet::eth1 AF_Packet::fanout_id=24 &
-
-.. warning::
-
-  Zeek workers crashing or restarting due to running out of memory can,
-  for a short period of time, disturb load balancing due to their packet
-  sockets being removed and later rejoining the fanout group.
-  This may be visible in Zeek logs as gaps and/or duplicated connection
-  entries produced by different Zeek workers.
-
-See :ref:`cluster-configuration` for instructions how to configure AF_PACKET
-with ZeekControl.
-
-
-Netmap
-^^^^^^
-
-`Netmap <https://github.com/luigirizzo/netmap>`_ is a framework for fast
-packet I/O that is natively supported on FreeBSD since version 10.
-On Linux it can be installed as an out-of-tree kernel module.
-
-FreeBSD
-"""""""
-FreeBSD's libpcap library supports netmap natively. This allows to prefix
-interface names with ``netmap:`` to instruct libpcap to open the interface
-in netmap mode. For example, a single Zeek worker can leverage netmap
-transparently using Zeek's default packet source as follows::
-
-    zeek -i netmap:em0
-
-.. warning::
-
-  Above command will put the em0 interface into kernel-bypass mode. Network
-  packets will pass directly to Zeek without being interpreted by the kernel.
-  If em0 is your primary network interface, this effectively disables
-  networking, including SSH connectivity.
-
-If your network card supports multiple rings, individual Zeek workers can be
-attached to these as well (this assumes the NIC does proper flow hashing in hardware)::
-
-    zeek -i netmap:em0-0
-    zeek -i netmap:em0-1
-
-For software load balancing support, the FreeBSD source tree includes the
-``lb`` tool to distribute packets into netmap pipes doing flow hashing
-in user-space.
-
-To compile and install ``lb``, ensure ``/usr/src`` is available on your
-FreeBSD system, then run the following commands::
-
-    cd /usr/src/tools/tools/netmap/
-    make
-    # Installs lb into /usr/local/bin
-    cp /usr/obj/usr/src/`uname -m`.`uname -m`/tools/tools/netmap/lb /usr/local/bin/
-
-
-To load-balance packets arriving on em0 into 4 different netmap pipes named
-``zeek}0`` through ``zeek}3``, run ``lb`` as follows::
-
-    lb -i em0 -p zeek:4
-    410.154166 main [634] interface is em0
-    411.377220 main [741] successfully opened netmap:em0
-    411.377243 main [812] opening pipe named netmap:zeek{0/xT@1
-    411.379200 main [829] successfully opened pipe #1 netmap:zeek{0/xT@1 (tx slots: 1024)
-    411.379242 main [838] zerocopy enabled
-    ...
-
-Now, Zeek workers can attach to these four netmap pipes. When starting Zeek
-workers manually, the respective invocations would be as follows. The ``/x``
-suffix specifies exclusive mode to prevent two Zeek processes consuming packets
-from the same netmap pipe::
-
-    zeek -i netmap:zeek}0/x
-    zeek -i netmap:zeek}1/x
-    zeek -i netmap:zeek}2/x
-    zeek -i netmap:zeek}3/x
-
-For packet-level debugging, you can attach ``tcpdump`` to any of the netmap
-pipes in read monitor mode even while Zeek workers are consuming from them::
-
-    tcpdump -i netmap:zeek}1/r
-
-In case libpcap's netmap support is insufficient, the external
-`Zeek netmap plugin <https://github.com/zeek/zeek-netmap>`_ can be installed.
-
-.. warning::
-
-  When using the zeek-netmap plugin on FreeBSD, the interface specification given to Zeek
-  needs to change from ``netmap:zeek}0/x`` to ``netmap::zeek}0/x`` - a single colon more.
-  In the first case, Zeek uses the default libpcap packet source and passes ``netmap:zeek}0``
-  as interface name. In the second case, ``netmap::`` is interpreted by Zeek and
-  the netmap packet source is instantiated. The ``zeek}0/x`` part is used as
-  interface name.
-
-Linux
-"""""
-
-While netmap isn't included in the Linux kernel, it can be installed as
-an out-of-tree kernel module.
-See the project's `GitHub repository <https://github.com/luigirizzo/netmap>`_
-for detailed instructions. This includes the ``lb`` tool for load balancing.
-
-On Linux, the external `zeek-netmap <https://github.com/zeek/zeek-netmap>`_
-packet source plugin is required, or the system's libpcap library as used by
-Zeek needs to be recompiled with native netmap support. With the netmap kernel
-module loaded and the Zeek plugin installed, running a Zeek worker as follows
-will leverage netmap on Linux::
-
-    zeek -i netmap::eth1
-
-For using ``lb`` or libpcap with netmap support, refer to the commands shown
-in the FreeBSD section - these are essentially the same.
-
-
-.. _cluster-configuration:
-
-Cluster Configuration
-=====================
-
-A *Zeek Cluster* is a set of systems jointly analyzing the traffic of
-a network link in a coordinated fashion.  You can operate such a setup from
-a central manager system easily using ZeekControl because it
-hides much of the complexity of the multi-machine installation.
-
-This section gives examples of how to setup common cluster configurations
-using ZeekControl.  For a full reference on ZeekControl, see the
-`ZeekControl documentation`_.
-
-Preparing to Setup a Cluster
----------------------------
-
-We refer to the user account used to set up the cluster
-as the "Zeek user".  When setting up a cluster the Zeek user must be set up
-on all hosts, and this user must have ssh access from the manager to all
-machines in the cluster, and it must work without being prompted for a
-password/passphrase (for example, using ssh public key authentication).
-Also, on the worker nodes this user must have access to the target
-network interface in promiscuous mode.
-
-Additional storage must be available on all hosts under the same path,
-which we will call the cluster's prefix path.  We refer to this directory
-as ``<prefix>``.  If you build Zeek from source, then ``<prefix>`` is
-the directory specified with the ``--prefix`` configure option,
-or ``/usr/local/zeek`` by default.  The Zeek user must be able to either
-create this directory or, where it already exists, must have write
-permission inside this directory on all hosts.
-
-When trying to decide how to configure the Zeek nodes, keep in mind that
-there can be multiple Zeek instances running on the same host.  For example,
-it's possible to run a proxy and the manager on the same host.  However, it is
-recommended to run workers on a different machine than the manager because
-workers can consume a lot of CPU resources.  The maximum recommended
-number of workers to run on a machine should be one or two less than
-the number of CPU cores available on that machine.  Using a load-balancing
-method (such as PF_RING) along with CPU pinning can decrease the load on
-the worker machines.  Also, in order to reduce the load on the manager
-process, it is recommended to have a logger in your configuration.  If a
-logger is defined in your cluster configuration, then it will receive logs
-instead of the manager process.
-
-Basic Cluster Configuration
---------------------------
-
-With all prerequisites in place, perform the following steps to setup
-a Zeek cluster (do this as the Zeek user on the manager host only):
-
- Edit the ZeekControl configuration file, ``<prefix>/etc/zeekctl.cfg``,
-  and change the value of any options to be more suitable for
-  your environment.  You will most likely want to change the value of
-  the ``MailTo`` and ``LogRotationInterval`` options.  A complete
-  reference of all ZeekControl options can be found in the
-  `ZeekControl documentation`_.
-
- Edit the ZeekControl node configuration file, ``<prefix>/etc/node.cfg``
-  to define where logger, manager, proxies, and workers are to run.  For a
-  cluster configuration, you must comment-out (or remove) the standalone node
-  in that file, and either uncomment or add node entries for each node
-  in your cluster (logger, manager, proxy, and workers).  For example, if you
-  wanted to run five Zeek nodes (two workers, one proxy, a logger, and a
-  manager) on a cluster consisting of three machines, your cluster
-  configuration would look like this::
-
-    [logger]
-    type=logger
-    host=10.0.0.10
-
-    [manager]
-    type=manager
-    host=10.0.0.10
-
-    [proxy-1]
-    type=proxy
-    host=10.0.0.10
-
-    [worker-1]
-    type=worker
-    host=10.0.0.11
-    interface=eth0
-
-    [worker-2]
-    type=worker
-    host=10.0.0.12
-    interface=eth0
-
-  For a complete reference of all options that are allowed in the ``node.cfg``
-  file, see the `ZeekControl documentation`_.
-
- Edit the network configuration file ``<prefix>/etc/networks.cfg``.  This
-  file lists all of the networks which the cluster should consider as local
-  to the monitored environment.
-
- Install Zeek on all machines in the cluster using ZeekControl::
-
-    > zeekctl install
-
- See the `ZeekControl documentation`_
-  for information on setting up a cron job on the manager host that can
-  monitor the cluster.
-
-AF_PACKET Cluster Configuration
-------------------------------
-
-Since version 5.2, Zeek includes AF_PACKET as a native packet source. This
-provides an easy and efficient capture mechanism for Linux users.
-
-Adapt the worker section in ZeekControl's ``node.cfg`` file with the
-following entries, assuming running four worker processes listening on ``eth0`` ::
-
-    [worker-1]
-    type=worker
-    host=10.0.0.11
-    interface=eth0
-    lb_method=af_packet
-    lb_procs=4
-
-The specific options are ``lb_method=af_packet`` and ``lb_procs=4``.
-If listening on two or more interfaces on the same host is a requirement,
-remember to set a unique ``fanout_id`` using the node option ``af_packet_fanout_id``::
-
-    [worker-1-eth0]
-    type=worker
-    host=10.0.0.11
-    interface=eth0
-    lb_method=af_packet
-    lb_procs=4
-    af_packet_fanout_id=20
-
-    [worker-1-eth1]
-    type=worker
-    host=10.0.0.11
-    interface=eth1
-    lb_method=af_packet
-    lb_procs=4
-    af_packet_fanout_id=21
-
-Pinning the worker processes to individual CPU cores can improve performance.
-Use the node's option ``pin_cpus=4,5,6,7``, listing as many CPU numbers as
-processes at appropriate offsets.
-
-.. _pf-ring-config:
-
-PF_RING Cluster Configuration
-----------------------------
-
-`PF_RING <http://www.ntop.org/products/pf_ring/>`_ allows speeding up the
-packet capture process by installing a new type of socket in Linux systems.
-It supports 10Gbit hardware packet filtering using standard network adapters,
-and user-space DNA (Direct NIC Access) for fast packet capture/transmission.
-
-.. note::
-
-   Unless you have evaluated to specifically require PF_RING, consider using
-   AF_PACKET first and test if it fulfills your requirements. AF_PACKET has
-   been integrated into Zeek since version 5.2. It's a bit easier to get
-   started with as it does not require an out of tree Linux kernel module.
-
-Head over to :ref:`cluster-pf-ring` for more details.
-
-.. toctree::
-   :hidden:
-
-   cluster/pf_ring
-
-
-.. [#] Some Linux kernel versions between 3.10 and 4.7 might exhibit
-       a bug that prevents the required symmetric hashing. The script available
-       in the GitHub project `can-i-use-afpacket-fanout <https://github.com/JustinAzoff/can-i-use-afpacket-fanout>`_
-       can be used to verify whether ``PACKET_FANOUT`` works as expected.
-
-       This issue has been fixed in all stable kernels for at least 5 years.
-       You're unlikely to be affected.
--- a/doc/cluster/pf_ring.rst
+++ b/doc/cluster/pf_ring.rst
@ -1,141 +0,0 @@
-.. _cluster-pf-ring:
-
-===================
-PF_RING Setup Guide
-===================
-
-Installing PF_RING
-******************
-
-1. Download and install PF_RING for your system following the instructions
-   `here <http://www.ntop.org/get-started/download/#PF_RING>`_.  The following
-   commands will install the PF_RING libraries and kernel module (replace
-   the version number 5.6.2 in this example with the version that you
-   downloaded)::
-
-     cd /usr/src
-     tar xvzf PF_RING-5.6.2.tar.gz
-     cd PF_RING-5.6.2/userland/lib
-     ./configure --prefix=/opt/pfring
-     make install
-
-     cd ../libpcap
-     ./configure --prefix=/opt/pfring
-     make install
-
-     cd ../tcpdump-4.1.1
-     ./configure --prefix=/opt/pfring
-     make install
-
-     cd ../../kernel
-     make
-     make install
-
-     modprobe pf_ring enable_tx_capture=0 min_num_slots=32768
-
-   Refer to the documentation for your Linux distribution on how to load the
-   pf_ring module at boot time.  You will need to install the PF_RING
-   library files and kernel module on all of the workers in your cluster.
-
-2. Download the Zeek source code.
-
-3. Configure and install Zeek using the following commands::
-
-     ./configure --with-pcap=/opt/pfring
-     make
-     make install
-
-4. Make sure Zeek is correctly linked to the PF_RING libpcap libraries::
-
-     ldd /usr/local/zeek/bin/zeek | grep pcap
-           libpcap.so.1 => /opt/pfring/lib/libpcap.so.1 (0x00007fa6d7d24000)
-
-5. Configure ZeekControl to use PF_RING (explained below).
-
-6. Run "zeekctl install" on the manager.  This command will install Zeek and
-   required scripts to all machines in your cluster.
-
-Using PF_RING
-*************
-
-In order to use PF_RING, you need to specify the correct configuration
-options for your worker nodes in ZeekControl's node configuration file.
-Edit the ``node.cfg`` file and specify ``lb_method=pf_ring`` for each of
-your worker nodes.  Next, use the ``lb_procs`` node option to specify how
-many Zeek processes you'd like that worker node to run, and optionally pin
-those processes to certain CPU cores with the ``pin_cpus`` option (CPU
-numbering starts at zero).  The correct ``pin_cpus`` setting to use is
-dependent on your CPU architecture (Intel and AMD systems enumerate
-processors in different ways).  Using the wrong ``pin_cpus`` setting
-can cause poor performance.  Here is what a worker node entry should
-look like when using PF_RING and CPU pinning::
-
-   [worker-1]
-   type=worker
-   host=10.0.0.50
-   interface=eth0
-   lb_method=pf_ring
-   lb_procs=10
-   pin_cpus=2,3,4,5,6,7,8,9,10,11
-
-
-Using PF_RING+DNA with symmetric RSS
-************************************
-
-You must have a PF_RING+DNA license in order to do this.  You can sniff
-each packet only once.
-
-1. Load the DNA NIC driver (i.e. ixgbe) on each worker host.
-
-2. Run "ethtool -L dna0 combined 10" (this will establish 10 RSS queues
-   on your NIC) on each worker host.  You must make sure that you set the
-   number of RSS queues to the same as the number you specify for the
-   lb_procs option in the node.cfg file.
-
-3. On the manager, configure your worker(s) in node.cfg::
-
-       [worker-1]
-       type=worker
-       host=10.0.0.50
-       interface=dna0
-       lb_method=pf_ring
-       lb_procs=10
-
-
-Using PF_RING+DNA with pfdnacluster_master
-******************************************
-
-You must have a PF_RING+DNA license and a libzero license in order to do
-this.  You can load balance between multiple applications and sniff the
-same packets multiple times with different tools.
-
-1. Load the DNA NIC driver (i.e. ixgbe) on each worker host.
-
-2. Run "ethtool -L dna0 1" (this will establish 1 RSS queues on your NIC)
-   on each worker host.
-
-3. Run the pfdnacluster_master command on each worker host.  For example::
-
-       pfdnacluster_master -c 21 -i dna0 -n 10
-
-   Make sure that your cluster ID (21 in this example) matches the interface
-   name you specify in the node.cfg file.  Also make sure that the number
-   of processes you're balancing across (10 in this example) matches
-   the lb_procs option in the node.cfg file.
-
-4. If you are load balancing to other processes, you can use the
-   pfringfirstappinstance variable in zeekctl.cfg to set the first
-   application instance that Zeek should use.  For example, if you are running
-   pfdnacluster_master with "-n 10,4" you would set
-   pfringfirstappinstance=4.  Unfortunately that's still a global setting
-   in zeekctl.cfg at the moment but we may change that to something you can
-   set in node.cfg eventually.
-
-5. On the manager, configure your worker(s) in node.cfg::
-
-       [worker-1]
-       type=worker
-       host=10.0.0.50
-       interface=dnacluster:21
-       lb_method=pf_ring
-       lb_procs=10
--- a/Show more
+++ b/Show more
Author	SHA1	Message	Date
Tim Wojtulewicz	e90c6e4d0b	Updating CHANGES and VERSION.	2024-03-13 11:02:11 -07:00
Tim Wojtulewicz	bb686e7f2b	Update docs submodule [nomail] [skip ci]	2024-03-13 10:53:51 -07:00
Tim Wojtulewicz	242cb3ed91	Merge remote-tracking branch 'origin/topic/christian/news-contributors' * origin/topic/christian/news-contributors: Add community contributions for the 6.2 timeframe to NEWS. [skip ci] (cherry picked from commit `6fa34c202f`)	2024-03-13 10:19:42 -07:00
Tim Wojtulewicz	4902daa523	Merge remote-tracking branch 'origin/topic/bbannier/bump-spicy-6.2' into release/6.2 * origin/topic/bbannier/bump-spicy-6.2: Bump Spicy to latest release.	2024-03-04 13:11:25 -07:00
Tim Wojtulewicz	ccdab84dad	Move bifcl/binpac/broker to zeek-6.2 release branches	2024-03-04 13:04:32 -07:00
Tim Wojtulewicz	011ca37d63	Merge remote-tracking branch 'origin/topic/timw/ci-freebsd-13' * origin/topic/timw/ci-freebsd-13: CI: Bump FreeBSD 13 build to 13.3 (cherry picked from commit `ce8310ec89`)	2024-03-04 12:47:23 -07:00
Arne Welzel	6b6942f9b2	Merge remote-tracking branch 'origin/topic/awelzel/fix-assert-cond-twice' * origin/topic/awelzel/fix-assert-cond-twice: Stmt: Fix assert evaluating cond twice (cherry picked from commit `6867eda621`)	2024-03-04 12:47:02 -07:00
Benjamin Bannier	5e264d3987	Bump Spicy to latest release.	2024-03-04 19:26:33 +01:00
Arne Welzel	1d381b264b	Merge remote-tracking branch 'origin/topic/awelzel/zeekjs-0.12.0' * origin/topic/awelzel/zeekjs-0.12.0: Bump zeekjs to 0.12.0 (cherry picked from commit `724daa2792`)	2024-02-28 09:59:13 -07:00
Tim Wojtulewicz	f2ab820c88	Merge remote-tracking branch 'origin/topic/johanna/update-tls-ca-stuff' * origin/topic/johanna/update-tls-ca-stuff: Update Mozilla CA and Google CT list and related tests. (cherry picked from commit `c315202ece`)	2024-02-26 11:13:42 -07:00
Tim Wojtulewicz	6fba0f7ce9	Update cmake submodule [nomail]	2024-02-21 12:20:45 -07:00
Tim Wojtulewicz	e8b8733de0	Update cmake submodule [nomail]	2024-02-21 11:12:50 -07:00
Tim Wojtulewicz	91152c8722	Point cmake submodule at master branch	2024-02-21 11:09:20 -07:00
Tim Wojtulewicz	3a4d106892	Updating CHANGES and VERSION.	2024-02-20 12:59:33 -07:00
Tim Wojtulewicz	818cd0e049	Switch docs submodule to release/6.2 branch	2024-02-20 12:59:01 -07:00
				`@ -1 +0,0 @@`
				`Our code of conduct is published at https://zeek.org/community-code-of-conduct/`
				`@ -0,0 +1 @@`
				`Subproject commit b02c411ef0911409a125ac36ea214069963cb53d`
				`@ -0,0 +1 @@`
				`Subproject commit d8e9254a731670679d0c1d7d41a51c4fd6b44a0a`
				`@ -1 +0,0 @@`
				`Subproject commit f339d2f73730f8fee4412f5e4938717866ecef48`
				`@ -0,0 +1 @@`
				`Subproject commit 72a76d774e4c7c605141fd6d11c33cc211209ed9`
				`@ -0,0 +1 @@`
				`Subproject commit bbb5b3645aa7b65db9183b5fc0b3be8a952ea308`
				`@ -1 +0,0 @@`
				`Subproject commit ad99e21f4706193670c42b36c9824dc997f4c475`
				`@ -0,0 +1 @@`
				`Subproject commit a3fe59b3f1ded5c3461995134b66c6db182fa56f`
				`@ -0,0 +1 @@`
				`Subproject commit 399b46b4045bc59ed4b8159d3d284412a07ba65a`