Updating CHANGES and VERSION.

Merge remote-tracking branch 'origin/topic/christian/news-7-1-contribs'
* origin/topic/christian/news-7-1-contribs: Add 7.1 contributors to NEWS file [skip ci] (cherry picked from commit f1c054f8f3)
2025-10-11 19:18:19 +00:00 · 2025-01-07 11:45:10 -07:00 · 2025-01-07 11:43:07 -07:00 · 2025-01-07 10:08:48 -07:00 · 2025-01-07 10:07:31 -07:00 · 2025-01-07 10:06:41 -07:00
3242 changed files with 117051 additions and 460327 deletions
--- a/.cirrus.yml
+++ b/.cirrus.yml
@ -18,8 +18,6 @@ spicy_ssl_config: &SPICY_SSL_CONFIG --build-type=release --disable-broker-tests
 asan_sanitizer_config: &ASAN_SANITIZER_CONFIG --build-type=debug --disable-broker-tests --sanitizers=address --enable-fuzzers --enable-coverage --ccache --enable-werror
 ubsan_sanitizer_config: &UBSAN_SANITIZER_CONFIG --build-type=debug --disable-broker-tests --sanitizers=undefined --enable-fuzzers --ccache --enable-werror
 tsan_sanitizer_config: &TSAN_SANITIZER_CONFIG --build-type=debug --disable-broker-tests --sanitizers=thread --enable-fuzzers --ccache --enable-werror
-macos_config: &MACOS_CONFIG --build-type=release --disable-broker-tests --prefix=$CIRRUS_WORKING_DIR/install --ccache --enable-werror --with-krb5=/opt/homebrew/opt/krb5
-clang_tidy_config: &CLANG_TIDY_CONFIG --build-type=debug --disable-broker-tests --prefix=$CIRRUS_WORKING_DIR/install --ccache --enable-werror --enable-clang-tidy

 resources_template: &RESOURCES_TEMPLATE
  cpu: *CPUS
@ -35,7 +33,6 @@ macos_environment: &MACOS_ENVIRONMENT
    ZEEK_CI_BTEST_JOBS: 12
    # No permission to write to default location of /zeek
    CIRRUS_WORKING_DIR: /tmp/zeek
-    ZEEK_CI_CONFIGURE_FLAGS: *MACOS_CONFIG

 freebsd_resources_template: &FREEBSD_RESOURCES_TEMPLATE
  cpu: 8
@ -48,108 +45,48 @@ freebsd_environment: &FREEBSD_ENVIRONMENT
    ZEEK_CI_CPUS: 8
    ZEEK_CI_BTEST_JOBS: 8

-only_if_pr_master_release: &ONLY_IF_PR_MASTER_RELEASE
+builds_only_if_template: &BUILDS_ONLY_IF_TEMPLATE
+  # Rules for skipping builds:
+  # - Do not run builds for anything that's cron triggered
+  # - Don't do darwin builds on zeek-security repo because they use up a ton of compute credits.
+  # - Always build PRs, but not if they come from dependabot
+  # - Always build master and release/* builds from the main repo
  only_if: >
+    ( $CIRRUS_CRON == '' ) &&
+    ( ( $CIRRUS_PR != '' && $CIRRUS_BRANCH !=~ 'dependabot/.*' ) ||
    ( ( $CIRRUS_REPO_NAME == 'zeek' || $CIRRUS_REPO_NAME == 'zeek-security' ) &&
-      ( $CIRRUS_CRON != 'weekly' ) &&
-      ( $CIRRUS_PR != '' ||
-        $CIRRUS_BRANCH == 'master' ||
-        $CIRRUS_BRANCH =~ 'release/.*'
+      (
+      $CIRRUS_BRANCH == 'master' ||
+      $CIRRUS_BRANCH =~ 'release/.*'
      )
-    )
+    ) )

-only_if_pr_master_release_nightly: &ONLY_IF_PR_MASTER_RELEASE_NIGHTLY
+skip_task_on_pr: &SKIP_TASK_ON_PR
+  # Skip this task on PRs if it does not have the fullci label,
+  # it continues to run for direct pushes to master/release.
+  skip: >
+    ! ( $CIRRUS_PR == '' || $CIRRUS_PR_LABELS =~ '.*fullci.*' )
+
+zam_skip_task_on_pr: &ZAM_SKIP_TASK_ON_PR
+  # Skip this task on PRs unless it has the `fullci` or `zamci` label
+  # or files in src/script_opt/** were modified.
+  # It continues to run for direct pushes to master/release, as
+  # CIRRUS_PR will be empty.
+  skip: >
+    ! ( $CIRRUS_PR == '' || $CIRRUS_PR_LABELS =~ '.*fullci.*' || $CIRRUS_PR_LABELS =~ '.*zamci.*' || changesInclude('src/script_opt/**') )
+
+benchmark_only_if_template: &BENCHMARK_ONLY_IF_TEMPLATE
+  # only_if condition for cron-triggered benchmarking tests.
+  # These currently do not run for release/.*
  only_if: >
-    ( ( $CIRRUS_REPO_NAME == 'zeek' || $CIRRUS_REPO_NAME == 'zeek-security' ) &&
-      ( $CIRRUS_CRON != 'weekly' ) &&
-      ( $CIRRUS_PR != '' ||
-        $CIRRUS_BRANCH == 'master' ||
-        $CIRRUS_BRANCH =~ 'release/.*' ||
-        ( $CIRRUS_CRON == 'nightly' && $CIRRUS_BRANCH == 'master' )
-      )
-    )
-
-only_if_pr_release_and_nightly: &ONLY_IF_PR_RELEASE_AND_NIGHTLY
-  only_if: >
-    ( ( $CIRRUS_REPO_NAME == 'zeek' || $CIRRUS_REPO_NAME == 'zeek-security' ) &&
-      ( $CIRRUS_CRON != 'weekly' ) &&
-      ( $CIRRUS_PR != '' ||
-        $CIRRUS_BRANCH =~ 'release/.*' ||
-        ( $CIRRUS_CRON == 'nightly' && $CIRRUS_BRANCH == 'master' )
-      )
-    )
-
-only_if_pr_nightly: &ONLY_IF_PR_NIGHTLY
-  only_if: >
-    ( ( $CIRRUS_REPO_NAME == 'zeek' || $CIRRUS_REPO_NAME == 'zeek-security' ) &&
-      ( $CIRRUS_CRON != 'weekly' ) &&
-      ( $CIRRUS_PR != '' ||
-        ( $CIRRUS_CRON == 'nightly' && $CIRRUS_BRANCH == 'master' )
-      )
-    )
-
-only_if_release_tag_nightly: &ONLY_IF_RELEASE_TAG_NIGHTLY
-  only_if: >
-    ( ( $CIRRUS_REPO_NAME == 'zeek' ) &&
-      ( $CIRRUS_CRON != 'weekly' ) &&
-      ( ( $CIRRUS_BRANCH =~ 'release/.*' && $CIRRUS_TAG =~ 'v[0-9]+\.[0-9]+\.[0-9]+(-rc[0-9]+)?$' ) ||
-        ( $CIRRUS_CRON == 'nightly' && $CIRRUS_BRANCH == 'master' )
-      )
-    )
-
-only_if_nightly: &ONLY_IF_NIGHTLY
-  only_if: >
-    ( ( $CIRRUS_REPO_NAME == 'zeek' ) &&
-      ( $CIRRUS_CRON == 'nightly' && $CIRRUS_BRANCH == 'master' )
-    )
-
-only_if_weekly: &ONLY_IF_WEEKLY
-  only_if: >
-    ( ( $CIRRUS_REPO_NAME == 'zeek' || $CIRRUS_REPO_NAME == 'zeek-security' ) &&
-      ( $CIRRUS_CRON == 'weekly' && $CIRRUS_BRANCH == 'master' )
-    )
-
-skip_if_pr_skip_all: &SKIP_IF_PR_SKIP_ALL
-  skip: >
-    ( $CIRRUS_PR != '' && $CIRRUS_PR_LABELS =~ ".*CI: Skip All.*" )
-
-skip_if_pr_not_full_ci: &SKIP_IF_PR_NOT_FULL_CI
-  skip: >
-    ( ( $CIRRUS_PR != '' && $CIRRUS_PR_LABELS !=~ ".*CI: Full.*") ||
-      ( $CIRRUS_PR_LABELS =~ ".*CI: Skip All.*" )
-    )
-
-skip_if_pr_not_full_or_benchmark: &SKIP_IF_PR_NOT_FULL_OR_BENCHMARK
-  skip: >
-    ( ( $CIRRUS_PR != '' && $CIRRUS_PR_LABELS !=~ ".*CI: (Full|Benchmark).*" ) ||
-      ( $CIRRUS_PR_LABELS =~ ".*CI: Skip All.*" )
-    )
-
-skip_if_pr_not_full_or_cluster_test: &SKIP_IF_PR_NOT_FULL_OR_CLUSTER_TEST
-  skip: >
-    ( ( $CIRRUS_PR != '' && $CIRRUS_PR_LABELS !=~ ".*CI: (Full|Cluster Test).*" ) ||
-      ( $CIRRUS_PR_LABELS =~ ".*CI: Skip All.*" )
-    )
-
-skip_if_pr_not_full_or_zam: &SKIP_IF_PR_NOT_FULL_OR_ZAM
-  skip: >
-    ( ( $CIRRUS_PR != '' && $CIRRUS_PR_LABELS !=~ ".*CI: (Full|ZAM).*" ) ||
-      ( $CIRRUS_PR_LABELS =~ ".*CI: Skip All.*" )
-    )
-
-skip_if_pr_not_full_or_zeekctl: &SKIP_IF_PR_NOT_FULL_OR_ZEEKCTL
-  skip: >
-    ( ( $CIRRUS_PR != '' && $CIRRUS_PR_LABELS !=~ ".*CI: (Full|Zeekctl).*" ) ||
-      ( $CIRRUS_PR_LABELS =~ ".*CI: Skip All.*" )
-    )
-
-skip_if_pr_not_full_or_windows: &SKIP_IF_PR_NOT_FULL_OR_WINDOWS
-  skip: >
-    ( ( $CIRRUS_PR != '' && $CIRRUS_PR_LABELS !=~ ".*CI: (Full|Windows).*" ) ||
-      ( $CIRRUS_PR_LABELS =~ ".*CI: Skip All.*" )
-    )
+    ( $CIRRUS_REPO_NAME == 'zeek' || $CIRRUS_REPO_NAME == 'zeek-security' ) &&
+    ( $CIRRUS_CRON == 'benchmark-nightly' ||
+      $CIRRUS_PR_LABELS =~ '.*fullci.*' ||
+      $CIRRUS_PR_LABELS =~ '.*benchmark.*' )

 ci_template: &CI_TEMPLATE
+  << : *BUILDS_ONLY_IF_TEMPLATE
+
  # Default timeout is 60 minutes, Cirrus hard limit is 120 minutes for free
  # tasks, so may as well ask for full time.
  timeout_in: 120m
@ -193,7 +130,6 @@ ci_template: &CI_TEMPLATE

 env:
  CIRRUS_WORKING_DIR: /zeek
-  CIRRUS_LOG_TIMESTAMP: true
  ZEEK_CI_CPUS: *CPUS
  ZEEK_CI_BTEST_JOBS: *BTEST_JOBS
  ZEEK_CI_BTEST_RETRIES: *BTEST_RETRIES
@ -238,88 +174,27 @@ env:
 # Linux EOL timelines: https://linuxlifecycle.com/
 # Fedora (~13 months): https://fedoraproject.org/wiki/Fedora_Release_Life_Cycle

-fedora42_task:
-  container:
-    # Fedora 42 EOL: Around May 2026
-    dockerfile: ci/fedora-42/Dockerfile
-    << : *RESOURCES_TEMPLATE
-  << : *CI_TEMPLATE
-  << : *ONLY_IF_PR_MASTER_RELEASE
-  << : *SKIP_IF_PR_SKIP_ALL
-  env:
-    ZEEK_CI_CONFIGURE_FLAGS: *BINARY_CONFIG
-
 fedora41_task:
  container:
    # Fedora 41 EOL: Around Nov 2025
    dockerfile: ci/fedora-41/Dockerfile
    << : *RESOURCES_TEMPLATE
  << : *CI_TEMPLATE
-  << : *ONLY_IF_PR_MASTER_RELEASE
-  << : *SKIP_IF_PR_NOT_FULL_CI
+
+fedora40_task:
+  container:
+    # Fedora 40 EOL: Around May 2025
+    dockerfile: ci/fedora-40/Dockerfile
+    << : *RESOURCES_TEMPLATE
+  << : *CI_TEMPLATE
+  << : *SKIP_TASK_ON_PR

 centosstream9_task:
  container:
-    # Stream 9 EOL: 31 May 2027
+    # Stream 9 EOL: Around Dec 2027
    dockerfile: ci/centos-stream-9/Dockerfile
    << : *RESOURCES_TEMPLATE
  << : *CI_TEMPLATE
-  << : *ONLY_IF_PR_MASTER_RELEASE
-  << : *SKIP_IF_PR_NOT_FULL_CI
-
-centosstream10_task:
-  container:
-    # Stream 10 EOL: 01 January 2030
-    dockerfile: ci/centos-stream-10/Dockerfile
-    << : *RESOURCES_TEMPLATE
-  << : *CI_TEMPLATE
-  << : *ONLY_IF_PR_MASTER_RELEASE
-  << : *SKIP_IF_PR_NOT_FULL_CI
-
-debian13_task:
-  container:
-    # Debian 13 (trixie) EOL: TBD
-    dockerfile: ci/debian-13/Dockerfile
-    << : *RESOURCES_TEMPLATE
-  << : *CI_TEMPLATE
-  << : *ONLY_IF_PR_MASTER_RELEASE
-  << : *SKIP_IF_PR_NOT_FULL_CI
-
-arm_debian13_task:
-  arm_container:
-    # Debian 13 (trixie) EOL: TBD
-    dockerfile: ci/debian-13/Dockerfile
-    << : *RESOURCES_TEMPLATE
-  << : *CI_TEMPLATE
-  << : *ONLY_IF_PR_MASTER_RELEASE
-  << : *SKIP_IF_PR_SKIP_ALL
-
-debian13_static_task:
-  container:
-    # Just use a recent/common distro to run a static compile test.
-    # Debian 13 (trixie) EOL: TBD
-    dockerfile: ci/debian-13/Dockerfile
-    << : *RESOURCES_TEMPLATE
-  << : *CI_TEMPLATE
-  << : *ONLY_IF_PR_MASTER_RELEASE
-  << : *SKIP_IF_PR_NOT_FULL_CI
-  env:
-    ZEEK_CI_CONFIGURE_FLAGS: *STATIC_CONFIG
-
-debian13_binary_task:
-  container:
-    # Just use a recent/common distro to run binary mode compile test.
-    # As of 2024-03, the used configure flags are equivalent to the flags
-    # that we use to create binary packages.
-    # Just use a recent/common distro to run a static compile test.
-    # Debian 13 (trixie) EOL: TBD
-    dockerfile: ci/debian-13/Dockerfile
-    << : *RESOURCES_TEMPLATE
-  << : *CI_TEMPLATE
-  << : *ONLY_IF_PR_MASTER_RELEASE
-  << : *SKIP_IF_PR_NOT_FULL_CI
-  env:
-    ZEEK_CI_CONFIGURE_FLAGS: *BINARY_CONFIG

 debian12_task:
  container:
@ -327,8 +202,56 @@ debian12_task:
    dockerfile: ci/debian-12/Dockerfile
    << : *RESOURCES_TEMPLATE
  << : *CI_TEMPLATE
-  << : *ONLY_IF_PR_MASTER_RELEASE
-  << : *SKIP_IF_PR_NOT_FULL_CI
+
+arm_debian12_task:
+  arm_container:
+    # Debian 12 (bookworm) EOL: TBD
+    dockerfile: ci/debian-12/Dockerfile
+    << : *RESOURCES_TEMPLATE
+  << : *CI_TEMPLATE
+  env:
+    ZEEK_CI_CONFIGURE_FLAGS: *NO_SPICY_CONFIG
+
+debian12_static_task:
+  container:
+    # Just use a recent/common distro to run a static compile test.
+    # Debian 12 (bookworm) EOL: TBD
+    dockerfile: ci/debian-12/Dockerfile
+    << : *RESOURCES_TEMPLATE
+  << : *CI_TEMPLATE
+  << : *SKIP_TASK_ON_PR
+  env:
+    ZEEK_CI_CONFIGURE_FLAGS: *STATIC_CONFIG
+
+debian12_binary_task:
+  container:
+    # Just use a recent/common distro to run binary mode compile test.
+    # As of 2024-03, the used configure flags are equivalent to the flags
+    # that we use to create binary packages.
+    # Just use a recent/common distro to run a static compile test.
+    # Debian 12 (bookworm) EOL: TBD
+    dockerfile: ci/debian-12/Dockerfile
+    << : *RESOURCES_TEMPLATE
+  << : *CI_TEMPLATE
+  << : *SKIP_TASK_ON_PR
+  env:
+    ZEEK_CI_CONFIGURE_FLAGS: *BINARY_CONFIG
+
+debian11_task:
+  container:
+    # Debian 11 EOL: June 2026
+    dockerfile: ci/debian-11/Dockerfile
+    << : *RESOURCES_TEMPLATE
+  << : *CI_TEMPLATE
+  << : *SKIP_TASK_ON_PR
+
+opensuse_leap_15_5_task:
+  container:
+    # Opensuse Leap 15.5 EOL: ~Dec 2024
+    dockerfile: ci/opensuse-leap-15.5/Dockerfile
+    << : *RESOURCES_TEMPLATE
+  << : *CI_TEMPLATE
+  << : *SKIP_TASK_ON_PR

 opensuse_leap_15_6_task:
  container:
@ -336,8 +259,6 @@ opensuse_leap_15_6_task:
    dockerfile: ci/opensuse-leap-15.6/Dockerfile
    << : *RESOURCES_TEMPLATE
  << : *CI_TEMPLATE
-  << : *ONLY_IF_PR_MASTER_RELEASE
-  << : *SKIP_IF_PR_NOT_FULL_CI

 opensuse_tumbleweed_task:
  container:
@ -346,106 +267,62 @@ opensuse_tumbleweed_task:
    << : *RESOURCES_TEMPLATE
  prepare_script: ./ci/opensuse-tumbleweed/prepare.sh
  << : *CI_TEMPLATE
-  << : *ONLY_IF_PR_MASTER_RELEASE
-  << : *SKIP_IF_PR_NOT_FULL_CI
+#  << : *SKIP_TASK_ON_PR

-weekly_current_gcc_task:
+ubuntu24_10_task:
  container:
-    # Opensuse Tumbleweed has no EOL
-    dockerfile: ci/opensuse-tumbleweed/Dockerfile
-    << : *RESOURCES_TEMPLATE
-  prepare_script: ./ci/opensuse-tumbleweed/prepare-weekly.sh
-  << : *CI_TEMPLATE
-  << : *ONLY_IF_WEEKLY
-  env:
-    ZEEK_CI_COMPILER: gcc
-
-weekly_current_clang_task:
-  container:
-    # Opensuse Tumbleweed has no EOL
-    dockerfile: ci/opensuse-tumbleweed/Dockerfile
-    << : *RESOURCES_TEMPLATE
-  prepare_script: ./ci/opensuse-tumbleweed/prepare-weekly.sh
-  << : *CI_TEMPLATE
-  << : *ONLY_IF_WEEKLY
-  env:
-    ZEEK_CI_COMPILER: clang
-
-ubuntu25_04_task:
-  container:
-    # Ubuntu 25.04 EOL: 2026-01-31
-    dockerfile: ci/ubuntu-25.04/Dockerfile
+    # Ubuntu 24.10 EOL: 2025-07-30
+    dockerfile: ci/ubuntu-24.10/Dockerfile
    << : *RESOURCES_TEMPLATE
  << : *CI_TEMPLATE
-  << : *ONLY_IF_PR_MASTER_RELEASE
-  << : *SKIP_IF_PR_NOT_FULL_CI
+  << : *SKIP_TASK_ON_PR

-ubuntu24_04_task:
+ubuntu24_task:
  container:
    # Ubuntu 24.04 EOL: Jun 2029
    dockerfile: ci/ubuntu-24.04/Dockerfile
    << : *RESOURCES_TEMPLATE
  << : *CI_TEMPLATE
-  << : *ONLY_IF_PR_MASTER_RELEASE
-  << : *SKIP_IF_PR_SKIP_ALL
+
+# Same as above, but using Clang and libc++
+ubuntu24_clang_libcpp_task:
+  container:
+    # Ubuntu 24.04 EOL: Jun 2029
+    dockerfile: ci/ubuntu-24.04/Dockerfile
+    << : *RESOURCES_TEMPLATE
+  << : *CI_TEMPLATE
+  << : *SKIP_TASK_ON_PR
+  env:
+    CC: clang-18
+    CXX: clang++-18
+    CXXFLAGS: -stdlib=libc++
+
+ubuntu22_task:
+  container:
+    # Ubuntu 22.04 EOL: June 2027
+    dockerfile: ci/ubuntu-22.04/Dockerfile
+    << : *RESOURCES_TEMPLATE
+  << : *CI_TEMPLATE
  env:
    ZEEK_CI_CREATE_ARTIFACT: 1
  upload_binary_artifacts:
    path: build.tgz
  benchmark_script: ./ci/benchmark.sh
-
-# Same as above, but running the ZAM tests instead of the regular tests.
-ubuntu24_04_zam_task:
-  container:
-    # Ubuntu 24.04 EOL: Jun 2029
-    dockerfile: ci/ubuntu-24.04/Dockerfile
-    << : *RESOURCES_TEMPLATE
-  << : *CI_TEMPLATE
-  << : *ONLY_IF_PR_MASTER_RELEASE
-  << : *SKIP_IF_PR_NOT_FULL_OR_ZAM
-  env:
-    ZEEK_CI_SKIP_UNIT_TESTS: 1
-    ZEEK_CI_SKIP_EXTERNAL_BTESTS: 1
-    ZEEK_CI_BTEST_EXTRA_ARGS: -a zam
-    # Use a lower number of jobs due to OOM issues with ZAM tasks
-    ZEEK_CI_BTEST_JOBS: 3
-
-# Same as above, but using Clang and libc++
-ubuntu24_04_clang_libcpp_task:
-  container:
-    # Ubuntu 24.04 EOL: Jun 2029
-    dockerfile: ci/ubuntu-24.04/Dockerfile
-    << : *RESOURCES_TEMPLATE
-  << : *CI_TEMPLATE
-  << : *ONLY_IF_PR_MASTER_RELEASE
-  << : *SKIP_IF_PR_NOT_FULL_CI
-  env:
-    CC: clang-19
-    CXX: clang++-19
-    CXXFLAGS: -stdlib=libc++
-
-ubuntu24_04_clang_tidy_task:
-  container:
-    # Ubuntu 24.04 EOL: Jun 2029
-    dockerfile: ci/ubuntu-24.04/Dockerfile
-    << : *RESOURCES_TEMPLATE
-  << : *CI_TEMPLATE
-  << : *ONLY_IF_PR_MASTER_RELEASE
-  << : *SKIP_IF_PR_NOT_FULL_CI
-  env:
-    CC: clang-19
-    CXX: clang++-19
-    ZEEK_CI_CONFIGURE_FLAGS: *CLANG_TIDY_CONFIG
+  # Run on PRs, merges to master and release/.* and benchmark-nightly cron.
+  only_if: >
+    ( $CIRRUS_PR != '' && $CIRRUS_BRANCH !=~ 'dependabot/.*' ) ||
+    ( ( $CIRRUS_REPO_NAME == 'zeek' || $CIRRUS_REPO_NAME == 'zeek-security' ) &&
+        $CIRRUS_BRANCH == 'master' ||
+        $CIRRUS_BRANCH =~ 'release/.*' ||
+        $CIRRUS_CRON == 'benchmark-nightly' )

 # Also enable Spicy SSL for this
-ubuntu24_04_spicy_task:
+ubuntu22_spicy_task:
  container:
-    # Ubuntu 24.04 EOL: Jun 2029
-    dockerfile: ci/ubuntu-24.04/Dockerfile
+    # Ubuntu 22.04 EOL: April 2027
+    dockerfile: ci/ubuntu-22.04/Dockerfile
    << : *RESOURCES_TEMPLATE
  << : *CI_TEMPLATE
-  << : *ONLY_IF_PR_MASTER_RELEASE
-  << : *SKIP_IF_PR_NOT_FULL_OR_BENCHMARK
  env:
    ZEEK_CI_CREATE_ARTIFACT: 1
    ZEEK_CI_CONFIGURE_FLAGS: *SPICY_SSL_CONFIG
@ -453,33 +330,34 @@ ubuntu24_04_spicy_task:
  upload_binary_artifacts:
    path: build.tgz
  benchmark_script: ./ci/benchmark.sh
+  << : *BENCHMARK_ONLY_IF_TEMPLATE

-ubuntu24_04_spicy_head_task:
+ubuntu22_spicy_head_task:
  container:
-    # Ubuntu 24.04 EOL: Jun 2029
-    dockerfile: ci/ubuntu-24.04/Dockerfile
+    # Ubuntu 22.04 EOL: April 2027
+    dockerfile: ci/ubuntu-22.04/Dockerfile
    << : *RESOURCES_TEMPLATE
  << : *CI_TEMPLATE
-  << : *ONLY_IF_PR_MASTER_RELEASE_NIGHTLY
-  << : *SKIP_IF_PR_NOT_FULL_OR_BENCHMARK
  env:
    ZEEK_CI_CREATE_ARTIFACT: 1
-    ZEEK_CI_CONFIGURE_FLAGS: *SPICY_SSL_CONFIG
    # Pull auxil/spicy to the latest head version. May or may not build.
    ZEEK_CI_PREBUILD_COMMAND: 'cd auxil/spicy && git fetch && git reset --hard origin/main && git submodule update --init --recursive'
  spicy_install_analyzers_script: ./ci/spicy-install-analyzers.sh
  upload_binary_artifacts:
    path: build.tgz
  benchmark_script: ./ci/benchmark.sh
+  # Don't run this job on release branches. It tests against spicy HEAD, which
+  # will frequently require other fixes that won't be in a release branch.
+  skip: $CIRRUS_BRANCH =~ 'release/.*'
+  << : *BENCHMARK_ONLY_IF_TEMPLATE

-ubuntu22_04_task:
+ubuntu20_task:
  container:
-    # Ubuntu 22.04 EOL: June 2027
-    dockerfile: ci/ubuntu-22.04/Dockerfile
+    # Ubuntu 20.04 EOL: April 2025
+    dockerfile: ci/ubuntu-20.04/Dockerfile
    << : *RESOURCES_TEMPLATE
  << : *CI_TEMPLATE
-  << : *ONLY_IF_PR_MASTER_RELEASE
-  << : *SKIP_IF_PR_NOT_FULL_CI
+  << : *SKIP_TASK_ON_PR

 alpine_task:
  container:
@ -489,47 +367,40 @@ alpine_task:
    dockerfile: ci/alpine/Dockerfile
    << : *RESOURCES_TEMPLATE
  << : *CI_TEMPLATE
-  << : *ONLY_IF_PR_MASTER_RELEASE
-  << : *SKIP_IF_PR_NOT_FULL_CI

 # Cirrus only supports the following macos runner currently, selecting
 # anything else automatically upgrades to this one.
 #
-#    ghcr.io/cirruslabs/macos-runner:sequoia
+#    ghcr.io/cirruslabs/macos-runner:sonoma
 #
 # See also: https://cirrus-ci.org/guide/macOS/
-macos_sequoia_task:
+macos_sonoma_task:
  macos_instance:
-    image: ghcr.io/cirruslabs/macos-runner:sequoia
+    image: ghcr.io/cirruslabs/macos-runner:sonoma
  prepare_script: ./ci/macos/prepare.sh
  << : *CI_TEMPLATE
-  << : *ONLY_IF_PR_MASTER_RELEASE
-  << : *SKIP_IF_PR_SKIP_ALL
  << : *MACOS_ENVIRONMENT

 # FreeBSD EOL timelines: https://www.freebsd.org/security/#sup
 freebsd14_task:
  freebsd_instance:
    # FreeBSD 14 EOL: Nov 30 2028
-    image_family: freebsd-14-2
+    image_family: freebsd-14-1
    << : *FREEBSD_RESOURCES_TEMPLATE

  prepare_script: ./ci/freebsd/prepare.sh
  << : *CI_TEMPLATE
-  << : *ONLY_IF_PR_MASTER_RELEASE
-  << : *SKIP_IF_PR_SKIP_ALL
  << : *FREEBSD_ENVIRONMENT

 freebsd13_task:
  freebsd_instance:
    # FreeBSD 13 EOL: January 31, 2026
-    image_family: freebsd-13-5
+    image_family: freebsd-13-4
    << : *FREEBSD_RESOURCES_TEMPLATE

  prepare_script: ./ci/freebsd/prepare.sh
  << : *CI_TEMPLATE
-  << : *ONLY_IF_PR_MASTER_RELEASE
-  << : *SKIP_IF_PR_NOT_FULL_CI
+  << : *SKIP_TASK_ON_PR
  << : *FREEBSD_ENVIRONMENT

 asan_sanitizer_task:
@ -539,8 +410,6 @@ asan_sanitizer_task:
    << : *RESOURCES_TEMPLATE

  << : *CI_TEMPLATE
-  << : *ONLY_IF_PR_MASTER_RELEASE
-  << : *SKIP_IF_PR_SKIP_ALL
  test_fuzzers_script: ./ci/test-fuzzers.sh
  coverage_script: ./ci/upload-coverage.sh
  env:
@ -557,16 +426,13 @@ asan_sanitizer_zam_task:
    << : *RESOURCES_TEMPLATE

  << : *CI_TEMPLATE
-  << : *ONLY_IF_PR_NIGHTLY
-  << : *SKIP_IF_PR_NOT_FULL_OR_ZAM
  env:
    ZEEK_CI_CONFIGURE_FLAGS: *ASAN_SANITIZER_CONFIG
    ASAN_OPTIONS: detect_leaks=1:detect_odr_violation=0
    ZEEK_CI_SKIP_UNIT_TESTS: 1
    ZEEK_CI_SKIP_EXTERNAL_BTESTS: 1
    ZEEK_CI_BTEST_EXTRA_ARGS: -a zam
-    # Use a lower number of jobs due to OOM issues with ZAM tasks
-    ZEEK_CI_BTEST_JOBS: 3
+  << : *ZAM_SKIP_TASK_ON_PR

 ubsan_sanitizer_task:
  container:
@ -575,12 +441,11 @@ ubsan_sanitizer_task:
    << : *RESOURCES_TEMPLATE

  << : *CI_TEMPLATE
-  << : *ONLY_IF_PR_NIGHTLY
-  << : *SKIP_IF_PR_NOT_FULL_CI
+  << : *SKIP_TASK_ON_PR
  test_fuzzers_script: ./ci/test-fuzzers.sh
  env:
-    CC: clang-19
-    CXX: clang++-19
+    CC: clang-18
+    CXX: clang++-18
    CXXFLAGS: -DZEEK_DICT_DEBUG
    ZEEK_CI_CONFIGURE_FLAGS: *UBSAN_SANITIZER_CONFIG
    ZEEK_TAILORED_UB_CHECKS: 1
@ -592,19 +457,16 @@ ubsan_sanitizer_zam_task:
    << : *RESOURCES_TEMPLATE

  << : *CI_TEMPLATE
-  << : *ONLY_IF_PR_NIGHTLY
-  << : *SKIP_IF_PR_NOT_FULL_OR_ZAM
  env:
-    CC: clang-19
-    CXX: clang++-19
+    CC: clang-18
+    CXX: clang++-18
    ZEEK_CI_CONFIGURE_FLAGS: *UBSAN_SANITIZER_CONFIG
    ZEEK_TAILORED_UB_CHECKS: 1
    UBSAN_OPTIONS: print_stacktrace=1
    ZEEK_CI_SKIP_UNIT_TESTS: 1
    ZEEK_CI_SKIP_EXTERNAL_BTESTS: 1
    ZEEK_CI_BTEST_EXTRA_ARGS: -a zam
-    # Use a lower number of jobs due to OOM issues with ZAM tasks
-    ZEEK_CI_BTEST_JOBS: 3
+  << : *ZAM_SKIP_TASK_ON_PR

 tsan_sanitizer_task:
  container:
@ -613,11 +475,10 @@ tsan_sanitizer_task:
    << : *RESOURCES_TEMPLATE

  << : *CI_TEMPLATE
-  << : *ONLY_IF_PR_NIGHTLY
-  << : *SKIP_IF_PR_NOT_FULL_CI
+  << : *SKIP_TASK_ON_PR
  env:
-    CC: clang-19
-    CXX: clang++-19
+    CC: clang-18
+    CXX: clang++-18
    ZEEK_CI_CONFIGURE_FLAGS: *TSAN_SANITIZER_CONFIG
    ZEEK_CI_DISABLE_SCRIPT_PROFILING: 1
    # If this is defined directly in the environment, configure fails to find
@ -638,12 +499,11 @@ windows_task:
  prepare_script: ci/windows/prepare.cmd
  build_script: ci/windows/build.cmd
  test_script: ci/windows/test.cmd
-  << : *ONLY_IF_PR_MASTER_RELEASE
-  << : *SKIP_IF_PR_NOT_FULL_OR_WINDOWS
  env:
    ZEEK_CI_CPUS: 8
    # Give verbose error output on a test failure.
    CTEST_OUTPUT_ON_FAILURE: 1
+  << : *BUILDS_ONLY_IF_TEMPLATE


 # Container images
@ -724,18 +584,22 @@ arm64_container_image_docker_builder:
  env:
    CIRRUS_ARCH: arm64
  << : *DOCKER_BUILD_TEMPLATE
-  << : *ONLY_IF_RELEASE_TAG_NIGHTLY
+  << : *SKIP_TASK_ON_PR

 amd64_container_image_docker_builder:
  env:
    CIRRUS_ARCH: amd64
  << : *DOCKER_BUILD_TEMPLATE
-  << : *ONLY_IF_PR_MASTER_RELEASE_NIGHTLY
-  << : *SKIP_IF_PR_NOT_FULL_OR_CLUSTER_TEST
+  << : *SKIP_TASK_ON_PR

 container_image_manifest_docker_builder:
  cpu: 1
-  << : *ONLY_IF_RELEASE_TAG_NIGHTLY
+  # Push master builds to zeek/zeek-dev, or tagged release branches to zeek/zeek
+  only_if: >
+    ( $CIRRUS_CRON == '' ) &&
+    ( $CIRRUS_REPO_FULL_NAME == 'zeek/zeek' &&
+      ( $CIRRUS_BRANCH == 'master' ||
+        $CIRRUS_TAG =~ 'v[0-9]+\.[0-9]+\.[0-9]+(-rc[0-9]+)?$' ) )
  env:
    DOCKER_USERNAME: ENCRYPTED[!505b3dee552a395730a7e79e6aab280ffbe1b84ec62ae7616774dfefe104e34f896d2e20ce3ad701f338987c13c33533!]
    DOCKER_PASSWORD: ENCRYPTED[!6c4b2f6f0e5379ef1091719cc5d2d74c90cfd2665ac786942033d6d924597ffb95dbbc1df45a30cc9ddeec76c07ac620!]
@ -814,7 +678,8 @@ container_image_manifest_docker_builder:
 # images from the public ECR repository to stay within free-tier bounds.
 public_ecr_cleanup_docker_builder:
  cpu: 1
-  << : *ONLY_IF_NIGHTLY
+  only_if: >
+    $CIRRUS_CRON == '' && $CIRRUS_REPO_FULL_NAME == 'zeek/zeek' && $CIRRUS_BRANCH == 'master'
  env:
    AWS_ACCESS_KEY_ID: ENCRYPTED[!eff52f6442e1bc78bce5b15a23546344df41bf519f6201924cb70c7af12db23f442c0e5f2b3687c2d856ceb11fcb8c49!]
    AWS_SECRET_ACCESS_KEY: ENCRYPTED[!748bc302dd196140a5fa8e89c9efd148882dc846d4e723787d2de152eb136fa98e8dea7e6d2d6779d94f72dd3c088228!]
@ -854,23 +719,27 @@ cluster_testing_docker_builder:
      path: "testing/external/zeek-testing-cluster/.tmp/**"
  depends_on:
    - amd64_container_image
-  << : *ONLY_IF_PR_RELEASE_AND_NIGHTLY
-  << : *SKIP_IF_PR_NOT_FULL_OR_CLUSTER_TEST
+  << : *SKIP_TASK_ON_PR


 # Test zeekctl upon master and release pushes and also when
-# a PR has a "CI: Zeekctl" or "CI: Full" label.
+# a PR has a zeekctlci or fullci label.
 #
 # Also triggers on CIRRUS_CRON == 'zeekctl-nightly' if that is configured
 # through the Cirrus Web UI.
-zeekctl_debian12_task:
+zeekctl_debian11_task:
  cpu: *CPUS
  memory: *MEMORY
-  << : *ONLY_IF_PR_MASTER_RELEASE
-  << : *SKIP_IF_PR_NOT_FULL_OR_ZEEKCTL
+  only_if: >
+    ( $CIRRUS_CRON == 'zeekctl-nightly' ) ||
+    ( $CIRRUS_PR != '' && $CIRRUS_PR_LABELS =~ '.*(zeekctlci|fullci).*' ) ||
+    ( $CIRRUS_REPO_NAME == 'zeek' && (
+        $CIRRUS_BRANCH == 'master' ||
+        $CIRRUS_BRANCH =~ 'release/.*' )
+    )
  container:
-    # Debian 13 (trixie) EOL: TBD
-    dockerfile: ci/debian-13/Dockerfile
+    # Debian 11 EOL: June 2026
+    dockerfile: ci/debian-11/Dockerfile
    << : *RESOURCES_TEMPLATE
  sync_submodules_script: git submodule update --recursive --init
  always:
@ -884,46 +753,31 @@ zeekctl_debian12_task:
  build_script:
    - cd auxil/zeekctl/testing && ./Scripts/build-zeek
  test_script:
-    - cd auxil/zeekctl/testing && ../../btest/btest -A -d -j ${ZEEK_CI_BTEST_JOBS}
+    - cd auxil/zeekctl/testing && ../../btest/btest -A -d -j ${BTEST_JOBS}
  on_failure:
    upload_zeekctl_testing_artifacts:
      path: "auxil/zeekctl/testing/.tmp/**"

-include_plugins_debian12_task:
+# Test building Zeek with builtin plugins available in
+# testing/builtin-plugins/Files/
+include_plugins_debian11_task:
  cpu: *CPUS
  memory: *MEMORY
  container:
-    # Debian 13 (trixie) EOL: TBD
-    dockerfile: ci/debian-13/Dockerfile
+    # Debian 11 EOL: June 2026
+    dockerfile: ci/debian-11/Dockerfile
    << : *RESOURCES_TEMPLATE
  sync_submodules_script: git submodule update --recursive --init
-  fetch_external_plugins_script:
-    - cd /zeek/testing/builtin-plugins/external && git clone https://github.com/zeek/zeek-perf-support.git
-    - cd zeek-perf-support && echo "Cloned $(git rev-parse HEAD) for $(basename $(pwd))"
-    - cd /zeek/testing/builtin-plugins/external && git clone https://github.com/zeek/zeek-more-hashes.git
-    - cd zeek-more-hashes && echo "Cloned $(git rev-parse HEAD) for $(basename $(pwd))"
-    - cd /zeek/testing/builtin-plugins/external && git clone https://github.com/zeek/zeek-cluster-backend-nats.git
-    - cd zeek-cluster-backend-nats && echo "Cloned $(git rev-parse HEAD) for $(basename $(pwd))"
-    - cd /zeek/testing/builtin-plugins/external && git clone https://github.com/SeisoLLC/zeek-kafka.git
-    - cd zeek-kafka && echo "Cloned $(git rev-parse HEAD) for $(basename $(pwd))"
  always:
    ccache_cache:
      folder: /tmp/ccache
      fingerprint_script: echo builtin-plugins-ccache-$ZEEK_CCACHE_EPOCH-$CIRRUS_TASK_NAME-$CIRRUS_OS
      reupload_on_changes: true
-  build_script: ZEEK_CI_CONFIGURE_FLAGS="${ZEEK_CI_CONFIGURE_FLAGS} --include-plugins='/zeek/testing/builtin-plugins/Files/protocol-plugin;/zeek/testing/builtin-plugins/Files/py-lib-plugin;/zeek/testing/builtin-plugins/Files/zeek-version-plugin;/zeek/testing/builtin-plugins/external/zeek-perf-support;/zeek/testing/builtin-plugins/external/zeek-more-hashes;/zeek/testing/builtin-plugins/external/zeek-cluster-backend-nats;/zeek/testing/builtin-plugins/external/zeek-kafka'" ./ci/build.sh
+  build_script: ZEEK_CI_CONFIGURE_FLAGS="${ZEEK_CI_CONFIGURE_FLAGS} --include-plugins='/zeek/testing/builtin-plugins/Files/protocol-plugin;/zeek/testing/builtin-plugins/Files/py-lib-plugin;/zeek/testing/builtin-plugins/Files/zeek-version-plugin'" ./ci/build.sh
  test_script:
    - cd testing/builtin-plugins && ../../auxil/btest/btest -d -b -j ${ZEEK_CI_BTEST_JOBS}
-  test_external_plugins_script: |
-    . /zeek/build/zeek-path-dev.sh
-    set -ex
-    # For now, just check if the external plugins are available.
-    zeek -N Zeek::PerfSupport
-    zeek -N Zeek::MoreHashes
-    zeek -N Zeek::Cluster_Backend_NATS
-    zeek -N Seiso::Kafka
  on_failure:
    upload_include_plugins_testing_artifacts:
      path: "testing/builtin-plugins/.tmp/**"
-  << : *ONLY_IF_PR_MASTER_RELEASE
-  << : *SKIP_IF_PR_NOT_FULL_CI
+  << : *BUILDS_ONLY_IF_TEMPLATE
+  << : *SKIP_TASK_ON_PR
--- a/.clang-format
+++ b/.clang-format
@ -1,4 +1,4 @@
-# See the file "COPYING" in the main distribution directory for copyright.
+# Copyright (c) 2020-2023 by the Zeek Project. See LICENSE for details.

 ---
 Language:        Cpp
--- a/.clang-tidy
+++ b/.clang-tidy
@ -1,76 +1,5 @@
-Checks: [-*,
+Checks: '-*,
         bugprone-*,
-         performance-*,
-         modernize-*,
-         readability-isolate-declaration,
-         readability-container-contains,
-
-         # Enable a very limited number of the cppcoreguidelines checkers.
-         # See the notes for some of the rest of them below.
-         cppcoreguidelines-macro-usage,
-         cppcoreguidelines-misleading-capture-default-by-value,
-         cppcoreguidelines-virtual-class-destructor,
-
-         # Skipping these temporarily because they are very noisy
-         -bugprone-forward-declaration-namespace,
-         -bugprone-narrowing-conversions,
-         -bugprone-unchecked-optional-access,
-         -performance-unnecessary-value-param,
-         -modernize-use-equals-default,
-         -modernize-use-integer-sign-comparison,
-
-         # The following cause either lots of pointless or advisory warnings
-         -bugprone-easily-swappable-parameters,
-         -bugprone-nondeterministic-pointer-iteration-order,
-
-         # bifcl generates a lot of code with double underscores in their name.
-         # ZAM uses a few identifiers that start with underscores or have
-         # double-underscores in the name.
-         -bugprone-reserved-identifier,
-
-         # bifcl generates almost every switch statement without a default case
-         # and so this one generates a lot of warnings.
-         -bugprone-switch-missing-default-case,
-
-         # These report warnings that are rather difficult to fix or are things
-         # we simply don't want to fix.
-         -bugprone-undefined-memory-manipulation,
-         -bugprone-pointer-arithmetic-on-polymorphic-object,
-         -bugprone-empty-catch,
-         -bugprone-exception-escape,
-         -bugprone-suspicious-include,
-         -modernize-avoid-c-arrays,
-         -modernize-concat-nested-namespaces,
-         -modernize-raw-string-literal,
-         -modernize-use-auto,
-         -modernize-use-nodiscard,
-         -modernize-use-trailing-return-type,
-         -modernize-use-designated-initializers,
-
-         # This one returns a bunch of findings in DFA and the sqlite library.
-         # We're unlikely to fix either of them.
-         -performance-no-int-to-ptr,
-
-         # These cppcoreguidelines checkers are things we should investigate
-         # and possibly fix, but there are so many findings that we're holding
-         # off doing it for now.
-         #cppcoreguidelines-init-variables,
-         #cppcoreguidelines-prefer-member-initializer,
-         #cppcoreguidelines-pro-type-member-init,
-         #cppcoreguidelines-pro-type-cstyle-cast,
-         #cppcoreguidelines-pro-type-static-cast-downcast,
-         #cppcoreguidelines-special-member-functions,
-
-         # These are features in newer version of C++ that we don't have
-         # access to yet.
-         -modernize-use-std-format,
-         -modernize-use-std-print,
-]
-
-HeaderFilterRegex: '.h'
-ExcludeHeaderFilterRegex: '.*(auxil|3rdparty)/.*'
-SystemHeaders: false
-CheckOptions:
-    - key: modernize-use-default-member-init.UseAssignment
-      value: 'true'
-WarningsAsErrors: '*'
+	 -bugprone-easily-swappable-parameters,
+         clang-analyzer-*,
+         performance-*'
--- a/.cmake-format.json
+++ b/.cmake-format.json
@ -72,23 +72,10 @@
          "SOURCES": "*",
          "MODULES": "*"
        }
-      },
-      "zeek_add_plugin": {
-        "kwargs": {
-          "INCLUDE_DIRS": "*",
-          "DEPENDENCIES": "*",
-          "SOURCES": "*",
-          "BIFS": "*",
-          "PAC": "*"
-        }
      }
    }
  },
  "format": {
-    "always_wrap": [
-      "spicy_add_analyzer",
-      "zeek_add_plugin"
-    ],
    "line_width": 100,
    "tab_size": 4,
    "separate_ctrl_name_with_space": true,
--- a/.git-blame-ignore-revs
+++ b/.git-blame-ignore-revs
@ -33,6 +33,3 @@ f5a76c1aedc7f8886bc6abef0dfaa8065684b1f6

 # clang-format: Format JSON with clang-format
 e6256446ddef5c5d5240eefff974556f2e12ac46
-
-# analyzer/protocol: Reformat with spicy-format
-d70bcd07b9b26036b16092fe950eca40e2f5a032
--- a/.github/workflows/coverity-scan.yml
+++ b/.github/workflows/coverity-scan.yml
@ -10,7 +10,7 @@ permissions:
 jobs:
  scan:
    if: github.repository == 'zeek/zeek'
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-22.04

    steps:
      - uses: actions/checkout@v4
@ -21,29 +21,26 @@ jobs:
        run: |
          sudo apt-get update
          sudo apt-get -y install \
-            bison \
-            bsdmainutils \
-            cmake \
-            curl \
-            flex \
-            g++ \
-            gcc \
            git \
-            jq \
-            libfl-dev \
-            libfl2 \
-            libkrb5-dev \
-            libmaxminddb-dev \
+            cmake \
+            make \
+            gcc \
+            g++ \
+            flex \
+            bison \
            libpcap-dev \
            libssl-dev \
-            libzmq3-dev \
-            make \
            python3 \
            python3-dev \
            python3-pip \
-            sqlite3 \
            swig \
-            zlib1g-dev
+            zlib1g-dev \
+            libmaxminddb-dev \
+            libkrb5-dev \
+            bsdmainutils \
+            sqlite3 \
+            curl \
+            wget

      - name: Configure
        run: ./configure --build-type=debug --disable-broker-tests
@ -52,18 +49,17 @@ jobs:
        env:
          COVERITY_TOKEN: ${{ secrets.COVERITY_TOKEN }}
        run: |
-          curl \
-            -o coverity_tool.tgz \
-            -d token=${COVERITY_TOKEN} \
-            -d project=Bro \
-            https://scan.coverity.com/download/cxx/linux64
+          wget \
+            -nv https://scan.coverity.com/download/cxx/linux64 \
+            --post-data "token=${COVERITY_TOKEN}&project=Bro" \
+            -O coverity_tool.tgz
          tar xzf coverity_tool.tgz
          rm coverity_tool.tgz
          mv cov-analysis* coverity-tools

      - name: Build
        run: |
-          export PATH=$(pwd)/coverity-tools/bin:$PATH
+          export PATH="$PWD/coverity-tools/bin":$PATH
          ( cd build && cov-build --dir cov-int make -j "$(nproc)" )
          cat build/cov-int/build-log.txt

@ -71,21 +67,12 @@ jobs:
        env:
          COVERITY_TOKEN: ${{ secrets.COVERITY_TOKEN }}
        run: |
-          ( cd build && tar czf myproject.tgz cov-int )
-          curl -X POST \
-            -d version=$(cat VERSION) \
-            -d description=$(git rev-parse HEAD) \
-            -d email=zeek-commits-internal@zeek.org \
-            -d token=${COVERITY_TOKEN} \
-            -d file_name=myproject.tgz \
-            -o response \
-            https://scan.coverity.com/projects/641/builds/init
-          upload_url=$(jq -r '.url' response)
-          build_id=$(jq -r '.build_id' response)
-          curl -X PUT \
-            --header 'Content-Type: application/json' \
-            --upload-file build/myproject.tgz \
-            ${upload_url}
-          curl -X PUT \
-            -d token=${COVERITY_TOKEN} \
-            https://scan.coverity.com/projects/641/builds/${build_id}/enqueue
+          cd build
+          tar czf myproject.tgz cov-int
+          curl \
+            --form token="${COVERITY_TOKEN}" \
+            --form email=zeek-commits-internal@zeek.org \
+            --form file=@myproject.tgz \
+            --form "version=$(cat ../VERSION)" \
+            --form "description=$(git rev-parse HEAD)" \
+            https://scan.coverity.com/builds?project=Bro
--- a/.github/workflows/generate-docs.yml
+++ b/.github/workflows/generate-docs.yml
@ -16,7 +16,7 @@ jobs:
  generate:
    permissions:
      contents: write  # for Git to git push
-    if: "github.repository == 'zeek/zeek' && contains(github.event.pull_request.labels.*.name, 'CI: Skip All') == false"
+    if: github.repository == 'zeek/zeek'
    runs-on: ubuntu-24.04

    steps:
@ -56,24 +56,23 @@ jobs:
            g++ \
            gcc \
            git \
-            libhiredis-dev \
            libfl-dev \
            libfl2 \
            libkrb5-dev \
-            libnode-dev \
            libpcap-dev \
            libssl-dev \
            make \
            python3 \
            python3-dev \
-            python3-pip \
+            python3-pip\
            sqlite3 \
            swig \
            zlib1g-dev
-          python3 -m venv ci-docs-venv
-          source ci-docs-venv/bin/activate
-          pip3 install -r doc/requirements.txt
-          pip3 install pre-commit
+          # Many distros adhere to PEP 394's recommendation for `python` =
+          # `python2` so this is a simple workaround until we drop Python 2
+          # support and explicitly use `python3` for all invocations.
+          sudo ln -sf /usr/bin/python3 /usr/local/bin/python
+          sudo pip3 install --break-system-packages -r doc/requirements.txt

      - name: ccache
        uses: hendrikmuhs/ccache-action@v1.2
@ -81,48 +80,25 @@ jobs:
          key: 'docs-gen-${{ github.job }}'
          max-size: '2000M'

-      # Github runners have node installed on them by default in /usr/local. This
-      # causes problems with configure finding the version from the apt package,
-      # plus gcc using it by default if we pass the right cmake variables to
-      # configure. The easiest solution is to move the directory away prior to
-      # running our build. It's moved back after just in case some workflow action
-      # expects it to exist.
-      - name: Move default node install to backup
-        run: sudo mv /usr/local/include/node /usr/local/include/node.bak
-
      - name: Configure
        run: ./configure --disable-broker-tests --disable-cpp-tests --ccache

      - name: Build
        run: cd build && make -j $(nproc)

-      - name: Move default node install to original location
-        run: sudo mv /usr/local/include/node.bak /usr/local/include/node
-
      - name: Check Spicy docs
        run: cd doc && make check-spicy-docs

-      # Cache pre-commit environment for reuse.
-      - uses: actions/cache@v4
-        with:
-          path: ~/.cache/pre-commit
-          key: doc-pre-commit-3|${{ env.pythonLocation }}|${{ hashFiles('doc/.pre-commit-config.yaml') }}
-
      - name: Generate Docs
        run: |
-          source ci-docs-venv/bin/activate
          git config --global user.name zeek-bot
          git config --global user.email info@zeek.org

          echo "*** Generating Zeekygen Docs ***"
          ./ci/update-zeekygen-docs.sh || exit 1

-          cd doc
-
-          echo "*** Running pre-commit ***"
-          pre-commit run -a --show-diff-on-failure --color=always
-
          echo "*** Generating Sphinx Docs ***"
+          cd doc
          make > make.out 2>&1
          make_status=$?
          echo "*** Sphinx Build Output ***"
--- a/.gitmodules
+++ b/.gitmodules
@ -1,6 +1,9 @@
 [submodule "auxil/zeek-aux"]
 	path = auxil/zeek-aux
 	url = https://github.com/zeek/zeek-aux
+[submodule "auxil/binpac"]
+	path = auxil/binpac
+	url = https://github.com/zeek/binpac
 [submodule "auxil/zeekctl"]
 	path = auxil/zeekctl
 	url = https://github.com/zeek/zeekctl
@ -10,12 +13,18 @@
 [submodule "cmake"]
 	path = cmake
 	url = https://github.com/zeek/cmake
+[submodule "src/3rdparty"]
+	path = src/3rdparty
+	url = https://github.com/zeek/zeek-3rdparty
 [submodule "auxil/broker"]
 	path = auxil/broker
 	url = https://github.com/zeek/broker
 [submodule "auxil/netcontrol-connectors"]
 	path = auxil/netcontrol-connectors
 	url = https://github.com/zeek/zeek-netcontrol
+[submodule "auxil/bifcl"]
+	path = auxil/bifcl
+	url = https://github.com/zeek/bifcl
 [submodule "doc"]
 	path = doc
 	url = https://github.com/zeek/zeek-docs
@ -37,6 +46,9 @@
 [submodule "auxil/zeek-client"]
 	path = auxil/zeek-client
 	url = https://github.com/zeek/zeek-client
+[submodule "auxil/gen-zam"]
+	path = auxil/gen-zam
+	url = https://github.com/zeek/gen-zam
 [submodule "auxil/c-ares"]
 	path = auxil/c-ares
 	url = https://github.com/c-ares/c-ares
@ -46,6 +58,12 @@
 [submodule "auxil/spicy"]
 	path = auxil/spicy
 	url = https://github.com/zeek/spicy
+[submodule "auxil/filesystem"]
+	path = auxil/filesystem
+	url = https://github.com/gulrak/filesystem.git
+[submodule "auxil/zeek-af_packet-plugin"]
+	path = auxil/zeek-af_packet-plugin
+	url = https://github.com/zeek/zeek-af_packet-plugin.git
 [submodule "auxil/libunistd"]
 	path = auxil/libunistd
 	url = https://github.com/zeek/libunistd
@ -61,9 +79,3 @@
 [submodule "src/cluster/backend/zeromq/auxil/cppzmq"]
 	path = src/cluster/backend/zeromq/auxil/cppzmq
 	url = https://github.com/zeromq/cppzmq
-[submodule "src/cluster/websocket/auxil/IXWebSocket"]
-	path = src/cluster/websocket/auxil/IXWebSocket
-	url = https://github.com/machinezone/IXWebSocket
-[submodule "auxil/expected-lite"]
-	path = auxil/expected-lite
-	url = https://github.com/martinmoene/expected-lite.git
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@ -8,37 +8,31 @@ repos:
    name: Check for license headers
    entry: ./ci/license-header.py
    language: python
-    files: '\.(h|c|cpp|cc|spicy|evt)$'
-    types: [file]
-    exclude: '^(testing/btest/(Baseline|plugins|spicy|scripts)/.*|testing/builtin-plugins/.*|src/3rdparty/.*)$'
-
-  - id: btest-command-commented
-    name: Check that all BTest command lines are commented out
-    entry: '^\s*@TEST-'
-    language: pygrep
-    files: '^testing/btest/.*$'
+    types_or:
+      - "c"
+      - "c++"
+    exclude: '^(testing/btest/plugins/.*|testing/builtin-plugins/.*)$'

 - repo: https://github.com/pre-commit/mirrors-clang-format
-  rev: v20.1.8
+  rev: 'v19.1.4'
  hooks:
  - id: clang-format
    types_or:
      - "c"
      - "c++"
      - "json"
-    exclude: '^src/3rdparty/.*'

 - repo: https://github.com/maxwinterstein/shfmt-py
-  rev: v3.12.0.1
+  rev: v3.7.0.1
  hooks:
    - id: shfmt
      args: ["-w", "-i", "4", "-ci"]

 - repo: https://github.com/astral-sh/ruff-pre-commit
-  rev: v0.12.8
+  rev: v0.8.1
  hooks:
-    - id: ruff-check
-      args: ["--fix"]
+    - id: ruff
+      args: [--fix]
    - id: ruff-format

 - repo: https://github.com/cheshirekow/cmake-format-precommit
@ -47,13 +41,14 @@ repos:
  - id: cmake-format

 - repo: https://github.com/crate-ci/typos
-  rev: v1.35.3
+  rev: v1.28.2
  hooks:
    - id: typos
-      exclude: '^(.typos.toml|src/SmithWaterman.cc|testing/.*|auxil/.*|scripts/base/frameworks/files/magic/.*|CHANGES|scripts/base/protocols/ssl/mozilla-ca-list.zeek|src/3rdparty/.*)$'
+      exclude: '^(.typos.toml|src/SmithWaterman.cc|testing/.*|auxil/.*|scripts/base/frameworks/files/magic/.*|CHANGES|scripts/base/protocols/ssl/mozilla-ca-list.zeek)$'

 - repo: https://github.com/bbannier/spicy-format
-  rev: v0.26.0
+  rev: v0.23.0
  hooks:
    - id: spicy-format
-      exclude: '^testing/.*'
+      # TODO: Reformat existing large analyzers just before 8.0.
+      exclude: '(^testing/.*)|(protocol/ldap/.*)|(protocol/quic/.*)|(protocol/websocket/.*)'
--- a/.typos.toml
+++ b/.typos.toml
@ -30,15 +30,12 @@ extend-ignore-re = [
    "ot->Yield\\(\\)->InternalType\\(\\)",
    "switch \\( ot \\)",
    "\\(ZAMOpType ot\\)",
-    "exat", # Redis expire at
-    "EXAT",

    # News stuff
    "SupressWeirds.*deprecated",
    "\"BaR\"",
    "\"xFoObar\"",
    "\"FoO\"",
-    "Smoot",
 ]

 extend-ignore-identifiers-re = [
@ -56,10 +53,8 @@ extend-ignore-identifiers-re = [
    "complte_flag", # Existing use in exported record in base.
    "VidP(n|N)", # In SMB.
    "iin", # In DNP3.
-    "SCN[dioux]", # sccanf fixed-width identifiers
    "(ScValidatePnPService|ScSendPnPMessage)", # In DCE-RPC.
    "snet", # Used as shorthand for subnet in base scripts.
-    "typ",
    "(e|i)it", # Used as name for some iterators.
 ]

@ -84,9 +79,6 @@ have_2nd = "have_2nd"
 ot1 = "ot1"
 ot2 = "ot2"
 uses_seh = "uses_seh"
-ect0 = "ect0"
-ect1 = "ect1"
-tpe = "tpe"

 [default.extend-words]
 caf = "caf"
--- a/4574
+++ b/4574
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@ -18,22 +18,6 @@ if (WIN32)
    set(CMAKE_TOOLCHAIN_FILE ${_toolchain} CACHE STRING "Vcpkg toolchain file")
 endif ()

-if (APPLE AND CMAKE_VERSION VERSION_GREATER_EQUAL 4.0.0 AND NOT CMAKE_OSX_SYSROOT)
-    # Spicy needs having CMAKE_OSX_SYSROOT point to the macOS SDK
-    # path, but starting with CMake 4.0 CMAKE_OSX_SYSROOT is not set
-    # automatically anymore. So we follow the guidance from the CMake 4.0
-    # release notes here:
-    #
-    #    Builds targeting macOS no longer choose any SDK or pass an "-isysroot"
-    #    flag to the compiler by default. [...] users must now specify
-    #    "-DCMAKE_OSX_SYSROOT=macosx" when configuring their build.
-    #
-    # Note that this needs to happen before the project() call below, meaning
-    # we cannot rely on the corresponding code inside the Spicy CMake
-    # configuration.
-    set(CMAKE_OSX_SYSROOT "macosx")
-endif ()
-
 project(Zeek C CXX)

 # We want to set ENABLE_DEBUG to ON by default if the build type is Debug.
@ -59,8 +43,6 @@ option(ENABLE_DEBUG "Build Zeek with additional debugging support." ${ENABLE_DEB
 option(ENABLE_JEMALLOC "Link against jemalloc." OFF)
 option(ENABLE_PERFTOOLS "Build with support for Google perftools." OFF)
 option(ENABLE_ZEEK_UNIT_TESTS "Build the C++ unit tests." ON)
-option(ENABLE_IWYU "Enable include-what-you-use for the main Zeek target." OFF)
-option(ENABLE_CLANG_TIDY "Enable clang-tidy for the main Zeek target." OFF)
 option(INSTALL_AUX_TOOLS "Install additional tools from auxil." ${ZEEK_INSTALL_TOOLS_DEFAULT})
 option(INSTALL_BTEST "Install btest alongside Zeek." ${ZEEK_INSTALL_TOOLS_DEFAULT})
 option(INSTALL_BTEST_PCAPS "Install pcap files for testing." ${ZEEK_INSTALL_TOOLS_DEFAULT})
@ -68,8 +50,7 @@ option(INSTALL_ZEEKCTL "Install zeekctl." ${ZEEK_INSTALL_TOOLS_DEFAULT})
 option(INSTALL_ZEEK_CLIENT "Install the zeek-client." ${ZEEK_INSTALL_TOOLS_DEFAULT})
 option(INSTALL_ZKG "Install zkg." ${ZEEK_INSTALL_TOOLS_DEFAULT})
 option(PREALLOCATE_PORT_ARRAY "Pre-allocate all ports for zeek::Val." ON)
-option(ZEEK_STANDALONE "Build Zeek as stand-alone binary." ON)
-option(ZEEK_ENABLE_FUZZERS "Build Zeek fuzzing targets." OFF)
+option(ZEEK_STANDALONE "Build Zeek as stand-alone binary?" ON)

 # Non-boolean options.
 if (NOT WIN32)
@ -90,6 +71,8 @@ set(ZEEK_ETC_INSTALL_DIR "${CMAKE_INSTALL_PREFIX}/etc"
 set(CMAKE_EXPORT_COMPILE_COMMANDS ON CACHE INTERNAL
                                           "Whether to write a JSON compile commands database")

+set(ZEEK_CXX_STD cxx_std_17 CACHE STRING "The C++ standard to use.")
+
 set(ZEEK_SANITIZERS "" CACHE STRING "Sanitizers to use when building.")

 set(CPACK_SOURCE_IGNORE_FILES "" CACHE STRING "Files to be ignored by CPack")
@ -192,53 +175,21 @@ if (MSVC)
        # TODO: This is disabled for now because there a bunch of known
        # compiler warnings on Windows that we don't have good fixes for.
        #set(WERROR_FLAG "/WX")
-        #set(WNOERROR_FLAG "/WX:NO")
+        #set(WERROR_FLAG "/WX")
    endif ()
-
-    # Always build binpac in static mode if building on Windows
-    set(BUILD_STATIC_BINPAC true)
-
 else ()
    include(GNUInstallDirs)
    if (BUILD_WITH_WERROR)
        set(WERROR_FLAG "-Werror")
-        set(WNOERROR_FLAG "-Wno-error")
-
-        # With versions >=13.0 GCC gained `-Warray-bounds` which reports false
-        # positives, see e.g., https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111273.
-        if (CMAKE_COMPILER_IS_GNUCXX AND CMAKE_CXX_COMPILER_VERSION VERSION_GREATER_EQUAL 13.0)
-            list(APPEND WERROR_FLAG "-Wno-error=array-bounds")
-        endif ()
-
-        # With versions >=11.0 GCC is returning false positives for -Wrestrict. See
-        # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=100366. It's more prevalent
-        # building with -std=c++20.
-        if (CMAKE_COMPILER_IS_GNUCXX AND CMAKE_CXX_COMPILER_VERSION VERSION_GREATER_EQUAL 11.0)
-            list(APPEND WERROR_FLAG "-Wno-error=restrict")
-        endif ()
    endif ()
 endif ()

 include(cmake/CommonCMakeConfig.cmake)
+include(cmake/FindClangTidy.cmake)
 include(cmake/CheckCompilerArch.cmake)
-include(cmake/RequireCXXStd.cmake)

 string(TOLOWER ${CMAKE_BUILD_TYPE} CMAKE_BUILD_TYPE_LOWER)

-if (ENABLE_IWYU)
-    find_program(ZEEK_IWYU_PATH NAMES include-what-you-use iwyu)
-    if (NOT ZEEK_IWYU_PATH)
-        message(FATAL_ERROR "Could not find the program include-what-you-use")
-    endif ()
-endif ()
-
-if (ENABLE_CLANG_TIDY)
-    find_program(ZEEK_CLANG_TIDY_PATH NAMES clang-tidy)
-    if (NOT ZEEK_CLANG_TIDY_PATH)
-        message(FATAL_ERROR "Could not find the program clang-tidy")
-    endif ()
-endif ()
-
 # ##############################################################################
 # Main targets and utilities.

@ -250,7 +201,7 @@ set(ZEEK_SOURCE_DIR "${CMAKE_CURRENT_SOURCE_DIR}")
 # zeek-plugin-create-package.sh. Needed by ZeekPluginConfig.cmake.in.
 set(ZEEK_PLUGIN_SCRIPTS_PATH "${PROJECT_SOURCE_DIR}/cmake")

-# Our C++ base target for propagating compiler and linker flags. Note: for
+# Our C++17 base target for propagating compiler and linker flags. Note: for
 # now, we only use it for passing library dependencies around.
 add_library(zeek_internal INTERFACE)
 add_library(Zeek::Internal ALIAS zeek_internal)
@ -338,16 +289,6 @@ function (zeek_target_link_libraries lib_target)
    endforeach ()
 endfunction ()

-function (zeek_target_add_linters lib_target)
-    if (ZEEK_IWYU_PATH)
-        set_target_properties(${lib_target} PROPERTIES CXX_INCLUDE_WHAT_YOU_USE ${ZEEK_IWYU_PATH})
-    endif ()
-
-    if (ZEEK_CLANG_TIDY_PATH)
-        set_target_properties(${lib_target} PROPERTIES CXX_CLANG_TIDY ${ZEEK_CLANG_TIDY_PATH})
-    endif ()
-endfunction ()
-
 function (zeek_include_directories)
    foreach (name zeek_exe zeek_lib zeek_fuzzer_shared)
        if (TARGET ${name})
@ -369,7 +310,7 @@ endfunction ()
 find_package(Threads REQUIRED)

 # Interface library for propagating extra flags and include paths to dynamically
-# loaded plugins. Also propagates include paths and c++ standard mode on the install
+# loaded plugins. Also propagates include paths and C++17 mode on the install
 # interface.
 add_library(zeek_dynamic_plugin_base INTERFACE)
 target_include_directories(
@ -396,14 +337,13 @@ endfunction ()

 add_zeek_dynamic_plugin_build_interface_include_directories(
    ${PROJECT_SOURCE_DIR}/src/include
-    ${PROJECT_SOURCE_DIR}/tools/binpac/lib
+    ${PROJECT_SOURCE_DIR}/auxil/binpac/lib
    ${PROJECT_SOURCE_DIR}/auxil/broker/libbroker
    ${PROJECT_SOURCE_DIR}/auxil/paraglob/include
    ${PROJECT_SOURCE_DIR}/auxil/prometheus-cpp/core/include
-    ${PROJECT_SOURCE_DIR}/auxil/expected-lite/include
    ${CMAKE_BINARY_DIR}/src
    ${CMAKE_BINARY_DIR}/src/include
-    ${CMAKE_BINARY_DIR}/tools/binpac/lib
+    ${CMAKE_BINARY_DIR}/auxil/binpac/lib
    ${CMAKE_BINARY_DIR}/auxil/broker/libbroker
    ${CMAKE_BINARY_DIR}/auxil/prometheus-cpp/core/include)

@ -432,6 +372,7 @@ function (zeek_add_subdir_library name)
    target_compile_definitions(${target_name} PRIVATE ZEEK_CONFIG_SKIP_VERSION_H)
    add_dependencies(${target_name} zeek_autogen_files)
    target_link_libraries(${target_name} PRIVATE $<BUILD_INTERFACE:zeek_internal>)
+    add_clang_tidy_files(${FN_ARGS_SOURCES})
    target_compile_options(${target_name} PRIVATE ${WERROR_FLAG})

    # Take care of compiling BIFs.
@ -455,9 +396,6 @@ function (zeek_add_subdir_library name)

    # Feed into the main Zeek target(s).
    zeek_target_link_libraries(${target_name})
-
-    # Add IWYU and clang-tidy to the target if enabled.
-    zeek_target_add_linters(${target_name})
 endfunction ()

 # ##############################################################################
@ -666,7 +604,6 @@ if (ENABLE_DEBUG)
    set(VERSION_C_IDENT "${VERSION_C_IDENT}_debug")
    target_compile_definitions(zeek_internal INTERFACE DEBUG)
    target_compile_definitions(zeek_dynamic_plugin_base INTERFACE DEBUG)
-    set(SPICYZ_FLAGS "-d" CACHE STRING "Additional flags to pass to spicyz for builtin analyzers")
 endif ()

 if (NOT BINARY_PACKAGING_MODE)
@ -842,6 +779,9 @@ find_package(FLEX REQUIRED)
 find_package(BISON 2.5 REQUIRED)
 find_package(PCAP REQUIRED)
 find_package(OpenSSL REQUIRED)
+if (NOT MSVC)
+    find_package(BIND REQUIRED)
+endif ()
 find_package(ZLIB REQUIRED)

 if (NOT BINARY_PACKAGING_MODE)
@ -883,35 +823,46 @@ endif ()
 set(PY_MOD_INSTALL_DIR ${py_mod_install_dir} CACHE STRING "Installation path for Python modules"
                                                   FORCE)

-# BinPAC uses the same 'ENABLE_STATIC_ONLY' variable to define whether
-# to build statically. Save a local copy so it can be set based on the
-# configure flag before we add the subdirectory.
-set(ENABLE_STATIC_ONLY_SAVED ${ENABLE_STATIC_ONLY})
+if (EXISTS ${CMAKE_CURRENT_SOURCE_DIR}/auxil/binpac/CMakeLists.txt)

-if (BUILD_STATIC_BINPAC)
-    set(ENABLE_STATIC_ONLY true)
+    set(ENABLE_STATIC_ONLY_SAVED ${ENABLE_STATIC_ONLY})
+    if (MSVC)
+        set(BUILD_STATIC_BINPAC true)
+    endif ()
+
+    if (BUILD_STATIC_BINPAC)
+        set(ENABLE_STATIC_ONLY true)
+    endif ()
+
+    add_subdirectory(auxil/binpac)
+    set(ENABLE_STATIC_ONLY ${ENABLE_STATIC_ONLY_SAVED})
+
+    # FIXME: avoid hard-coding a path for multi-config generator support. See the
+    # TODO in ZeekPluginConfig.cmake.in.
+    set(BINPAC_EXE_PATH "${CMAKE_BINARY_DIR}/auxil/binpac/src/binpac${CMAKE_EXECUTABLE_SUFFIX}")
 endif ()

-add_subdirectory(tools/binpac)
-set(ENABLE_STATIC_ONLY ${ENABLE_STATIC_ONLY_SAVED})
-
-# FIXME: avoid hard-coding a path for multi-config generator support. See the
-# TODO in ZeekPluginConfig.cmake.in.
-set(BINPAC_EXE_PATH "${CMAKE_BINARY_DIR}/tools/binpac/src/binpac${CMAKE_EXECUTABLE_SUFFIX}")
-set(_binpac_exe_path "included")
-
-# Need to call find_package so it sets up the include paths used by plugin builds.
 find_package(BinPAC REQUIRED)
+
+# Add an alias (used by our plugin setup).
 add_executable(Zeek::BinPAC ALIAS binpac)

-add_subdirectory(tools/bifcl)
-add_executable(Zeek::BifCl ALIAS bifcl)
-# FIXME: avoid hard-coding a path for multi-config generator support. See the
-# TODO in ZeekPluginConfig.cmake.in.
-set(BIFCL_EXE_PATH "${CMAKE_BINARY_DIR}/tools/bifcl/bifcl${CMAKE_EXECUTABLE_SUFFIX}")
-set(_bifcl_exe_path "included")
+if (NOT BIFCL_EXE_PATH)
+    add_subdirectory(auxil/bifcl)
+    add_executable(Zeek::BifCl ALIAS bifcl)
+    # FIXME: avoid hard-coding a path for multi-config generator support. See the
+    # TODO in ZeekPluginConfig.cmake.in.
+    set(BIFCL_EXE_PATH "${CMAKE_BINARY_DIR}/auxil/bifcl/bifcl${CMAKE_EXECUTABLE_SUFFIX}")
+    set(_bifcl_exe_path "included")
+else ()
+    add_executable(Zeek::BifCl IMPORTED)
+    set_property(TARGET Zeek::BifCl PROPERTY IMPORTED_LOCATION "${BIFCL_EXE_PATH}")
+    set(_bifcl_exe_path "BIFCL_EXE_PATH")
+endif ()

-add_subdirectory(tools/gen-zam)
+if (NOT GEN_ZAM_EXE_PATH)
+    add_subdirectory(auxil/gen-zam)
+endif ()

 if (ENABLE_JEMALLOC)
    if (${CMAKE_SYSTEM_NAME} MATCHES "FreeBSD")
@ -1016,7 +967,6 @@ if (NOT DISABLE_SPICY)
            set(Python3_EXECUTABLE ${Python_EXECUTABLE} CACHE STRING "Python3_EXECUTABLE hint")
        endif ()

-        set(SPICY_ENABLE_TESTS OFF)
        add_subdirectory(auxil/spicy)
        include(ConfigureSpicyBuild) # set some options different for building Spicy

@ -1055,24 +1005,24 @@ include(BuiltInSpicyAnalyzer)
 include_directories(BEFORE ${PCAP_INCLUDE_DIR} ${BIND_INCLUDE_DIR} ${BinPAC_INCLUDE_DIR}
                    ${ZLIB_INCLUDE_DIR} ${JEMALLOC_INCLUDE_DIR})

+install(DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/auxil/filesystem/include/ghc
+        DESTINATION include/zeek/3rdparty/)
+
 install(DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/auxil/prometheus-cpp/core/include/prometheus
        DESTINATION include/zeek/3rdparty/prometheus-cpp/include)

 install(DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/auxil/prometheus-cpp/core/include/prometheus
        DESTINATION include/zeek/3rdparty/prometheus-cpp/include)

-install(DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/auxil/expected-lite/include/nonstd
-        DESTINATION include/zeek/3rdparty/)
-
+# Create 3rdparty/ghc within the build directory so that the include for
+# "zeek/3rdparty/ghc/filesystem.hpp" works within the build tree.
 execute_process(COMMAND "${CMAKE_COMMAND}" -E make_directory
                        "${CMAKE_CURRENT_BINARY_DIR}/3rdparty/")
-
-# Do the same for nonstd.
 execute_process(
    COMMAND
        "${CMAKE_COMMAND}" -E create_symlink
-        "${CMAKE_CURRENT_SOURCE_DIR}/auxil/expected-lite/include/nonstd"
-        "${CMAKE_CURRENT_BINARY_DIR}/3rdparty/nonstd")
+        "${CMAKE_CURRENT_SOURCE_DIR}/auxil/filesystem/include/ghc"
+        "${CMAKE_CURRENT_BINARY_DIR}/3rdparty/ghc")

 # Optional Dependencies

@ -1080,16 +1030,18 @@ set(USE_GEOIP false)
 find_package(LibMMDB)
 if (LIBMMDB_FOUND)
    set(USE_GEOIP true)
-    include_directories(BEFORE SYSTEM ${LibMMDB_INCLUDE_DIR})
+    include_directories(BEFORE ${LibMMDB_INCLUDE_DIR})
    list(APPEND OPTLIBS ${LibMMDB_LIBRARY})
 endif ()

 set(USE_KRB5 false)
-find_package(LibKrb5)
-if (LIBKRB5_FOUND)
-    set(USE_KRB5 true)
-    include_directories(BEFORE SYSTEM ${LibKrb5_INCLUDE_DIR})
-    list(APPEND OPTLIBS ${LibKrb5_LIBRARY})
+if (${CMAKE_SYSTEM_NAME} MATCHES Linux)
+    find_package(LibKrb5)
+    if (LIBKRB5_FOUND)
+        set(USE_KRB5 true)
+        include_directories(BEFORE ${LibKrb5_INCLUDE_DIR})
+        list(APPEND OPTLIBS ${LibKrb5_LIBRARY})
+    endif ()
 endif ()

 set(HAVE_PERFTOOLS false)
@ -1121,7 +1073,7 @@ endif ()
 # dependencies which tend to be in standard system locations and thus cause the
 # system OpenSSL headers to still be picked up even if one specifies
 # --with-openssl (which may be common).
-include_directories(BEFORE SYSTEM ${OPENSSL_INCLUDE_DIR})
+include_directories(BEFORE ${OPENSSL_INCLUDE_DIR})

 # Determine if libfts is external to libc, i.e. musl
 find_package(FTS)
@ -1175,7 +1127,6 @@ include(FindKqueue)

 include(FindPrometheusCpp)
 include_directories(BEFORE "auxil/out_ptr/include")
-include_directories(BEFORE "auxil/expected-lite/include")

 if ((OPENSSL_VERSION VERSION_EQUAL "1.1.0") OR (OPENSSL_VERSION VERSION_GREATER "1.1.0"))
    set(ZEEK_HAVE_OPENSSL_1_1 true CACHE INTERNAL "" FORCE)
@ -1187,6 +1138,18 @@ endif ()
 # Tell the plugin code that we're building as part of the main tree.
 set(ZEEK_PLUGIN_INTERNAL_BUILD true CACHE INTERNAL "" FORCE)

+set(ZEEK_HAVE_AF_PACKET no)
+if (${CMAKE_SYSTEM_NAME} MATCHES Linux)
+    if (NOT DISABLE_AF_PACKET)
+        if (NOT AF_PACKET_PLUGIN_PATH)
+            set(AF_PACKET_PLUGIN_PATH ${CMAKE_SOURCE_DIR}/auxil/zeek-af_packet-plugin)
+        endif ()
+
+        list(APPEND ZEEK_INCLUDE_PLUGINS ${AF_PACKET_PLUGIN_PATH})
+        set(ZEEK_HAVE_AF_PACKET yes)
+    endif ()
+endif ()
+
 set(ZEEK_HAVE_JAVASCRIPT no)
 if (NOT DISABLE_JAVASCRIPT)
    set(CMAKE_MODULE_PATH ${CMAKE_MODULE_PATH} ${PROJECT_SOURCE_DIR}/auxil/zeekjs/cmake)
@ -1206,7 +1169,6 @@ if (NOT DISABLE_JAVASCRIPT)
    endif ()
 endif ()

-set(ZEEK_HAVE_AF_PACKET no CACHE INTERNAL "Zeek has AF_PACKET support")
 set(ZEEK_HAVE_JAVASCRIPT ${ZEEK_HAVE_JAVASCRIPT} CACHE INTERNAL "Zeek has JavaScript support")

 set(DEFAULT_ZEEKPATH_PATHS
@ -1225,7 +1187,11 @@ endif ()
 include_directories(BEFORE ${CMAKE_CURRENT_BINARY_DIR})
 execute_process(COMMAND "${CMAKE_COMMAND}" -E create_symlink "." "${CMAKE_CURRENT_BINARY_DIR}/zeek")

-set(ZEEK_CONFIG_BINPAC_ROOT_DIR ${BinPAC_ROOT_DIR})
+if (BinPAC_ROOT_DIR)
+    set(ZEEK_CONFIG_BINPAC_ROOT_DIR ${BinPAC_ROOT_DIR})
+else ()
+    set(ZEEK_CONFIG_BINPAC_ROOT_DIR ${ZEEK_ROOT_DIR})
+endif ()

 if (BROKER_ROOT_DIR)
    set(ZEEK_CONFIG_BROKER_ROOT_DIR ${BROKER_ROOT_DIR})
@ -1443,6 +1409,11 @@ else ()
    set(_install_btest_tools_msg "no pcaps")
 endif ()

+set(_binpac_exe_path "included")
+if (BINPAC_EXE_PATH)
+    set(_binpac_exe_path ${BINPAC_EXE_PATH})
+endif ()
+
 set(_gen_zam_exe_path "included")
 if (GEN_ZAM_EXE_PATH)
    set(_gen_zam_exe_path ${GEN_ZAM_EXE_PATH})
@ -1472,118 +1443,61 @@ if (ZEEK_LEGACY_ANALYZERS OR ZEEK_SKIPPED_ANALYZERS)
    )
 endif ()

-set(_zeek_builtin_plugins "${ZEEK_BUILTIN_PLUGINS}")
-if (NOT ZEEK_BUILTIN_PLUGINS)
-    set(_zeek_builtin_plugins "none")
-endif ()
-
-set(_zeek_fuzzing_engine "${ZEEK_FUZZING_ENGINE}")
-if (NOT ZEEK_FUZZING_ENGINE)
-    if (ZEEK_ENABLE_FUZZERS)
-        # The default fuzzer used by gcc and clang is libFuzzer. This is if you
-        # simply pass '-fsanitize=fuzzer' to the compiler.
-        set(_zeek_fuzzing_engine "libFuzzer")
-    endif ()
-endif ()
-
-## Utility method for outputting status information for features that just have a
-## string representation. This can also take an optional second argument that is a
-## value string to print.
-function (output_summary_line what)
-    if ("${ARGV1}" MATCHES "^$")
-        message("${what}:")
-        return()
-    endif ()
-
-    set(_spaces "                                        ")
-    string(LENGTH ${what} _what_length)
-    math(EXPR _num_spaces "25 - ${_what_length}")
-    string(SUBSTRING ${_spaces} 0 ${_num_spaces} _spacing)
-    message("${what}:${_spacing}${ARGV1}")
-endfunction ()
-
-## Utility method for outputting status information for features that have an ON/OFF
-## state.
-function (output_summary_bool what state)
-    if (${state})
-        output_summary_line("${what}" "ON")
-    else ()
-        output_summary_line("${what}" "OFF")
-    endif ()
-endfunction ()
-
-message("\n====================|  Zeek Build Summary  |====================\n")
-
-output_summary_line("Build type" "${CMAKE_BUILD_TYPE}")
-output_summary_line("Build dir" "${PROJECT_BINARY_DIR}")
-message("")
-
-output_summary_line("Install prefix" "${CMAKE_INSTALL_PREFIX}")
-output_summary_line("Config file dir" "${ZEEK_ETC_INSTALL_DIR}")
-output_summary_line("Log dir" "${ZEEK_LOG_DIR}")
-output_summary_line("Plugin dir" "${ZEEK_PLUGIN_DIR}")
-output_summary_line("Python module dir" "${PY_MOD_INSTALL_DIR}")
-output_summary_line("Script dir" "${ZEEK_SCRIPT_INSTALL_PATH}")
-output_summary_line("Spool dir" "${ZEEK_SPOOL_DIR}")
-output_summary_line("State dir" "${ZEEK_STATE_DIR}")
-output_summary_line("Spicy modules dir" "${ZEEK_SPICY_MODULE_PATH}")
-message("")
-
-output_summary_bool("Debug mode" ${ENABLE_DEBUG})
-output_summary_bool("Unit tests" ${ENABLE_ZEEK_UNIT_TESTS})
-message("")
-
-output_summary_line("Builtin Plugins" "${_zeek_builtin_plugins}")
-message("")
-
-output_summary_line("CC" "${CMAKE_C_COMPILER}")
-output_summary_line("CFLAGS" "${CMAKE_C_FLAGS} ${CMAKE_C_FLAGS_${BuildType}}")
-output_summary_line("CXX" "${CMAKE_CXX_COMPILER}")
-output_summary_line("CXXFLAGS" "${CMAKE_CXX_FLAGS} ${CMAKE_CXX_FLAGS_${BuildType}}")
-output_summary_line("CPP" "${CMAKE_CXX_COMPILER}")
-message("")
-
-output_summary_bool("AF_PACKET" ${ZEEK_HAVE_AF_PACKET})
-output_summary_bool("Aux. Tools" ${INSTALL_AUX_TOOLS})
-output_summary_bool("BTest" ${INSTALL_BTEST})
-output_summary_line("BTest tooling" ${_install_btest_tools_msg})
-output_summary_bool("JavaScript" ${ZEEK_HAVE_JAVASCRIPT})
-output_summary_line("Spicy" ${_spicy})
-output_summary_bool("Spicy analyzers" ${USE_SPICY_ANALYZERS})
-output_summary_bool("zeek-client" ${INSTALL_ZEEK_CLIENT})
-output_summary_bool("ZeekControl" ${INSTALL_ZEEKCTL})
-output_summary_bool("zkg" ${INSTALL_ZKG})
-message("")
-
-output_summary_bool("libmaxminddb" ${USE_GEOIP})
-output_summary_bool("Kerberos" ${USE_KRB5})
-output_summary_bool("gperftools" ${HAVE_PERFTOOLS})
-output_summary_bool("  - tcmalloc" ${USE_PERFTOOLS_TCMALLOC})
-output_summary_bool("  - debugging" ${USE_PERFTOOLS_DEBUG})
-output_summary_bool("jemalloc" ${ENABLE_JEMALLOC})
-message("")
-
-output_summary_line("Cluster backends")
-output_summary_bool("  - Broker" ON)
-output_summary_bool("  - ZeroMQ" ${ENABLE_CLUSTER_BACKEND_ZEROMQ})
-message("")
-
-output_summary_line("Storage backends")
-output_summary_bool("  - SQLite" ON)
-output_summary_bool("  - Redis" ${ENABLE_STORAGE_BACKEND_REDIS})
-message("")
-
-output_summary_bool("Fuzz Targets" ${ZEEK_ENABLE_FUZZERS})
-output_summary_line("Fuzz Engine" "${_zeek_fuzzing_engine}")
-message("")
-
-output_summary_line("External Tools/Linters")
-output_summary_bool("  - Include What You Use" ${ENABLE_IWYU})
-output_summary_bool("  - Clang-Tidy" ${ENABLE_CLANG_TIDY})
-
-if (${_analyzer_warning})
-    message("${_analyzer_warning}\n")
-endif ()
-message("\n================================================================")
+message(
+    "\n====================|  Zeek Build Summary  |===================="
+    "\n"
+    "\nBuild type:        ${CMAKE_BUILD_TYPE}"
+    "\nBuild dir:         ${PROJECT_BINARY_DIR}"
+    "\n"
+    "\nInstall prefix:    ${CMAKE_INSTALL_PREFIX}"
+    "\nConfig file dir:   ${ZEEK_ETC_INSTALL_DIR}"
+    "\nLog dir:           ${ZEEK_LOG_DIR}"
+    "\nPlugin dir:        ${ZEEK_PLUGIN_DIR}"
+    "\nPython module dir: ${PY_MOD_INSTALL_DIR}"
+    "\nScript dir:        ${ZEEK_SCRIPT_INSTALL_PATH}"
+    "\nSpool dir:         ${ZEEK_SPOOL_DIR}"
+    "\nState dir:         ${ZEEK_STATE_DIR}"
+    "\nSpicy modules dir: ${ZEEK_SPICY_MODULE_PATH}"
+    "\n"
+    "\nDebug mode:        ${ENABLE_DEBUG}"
+    "\nUnit tests:        ${ENABLE_ZEEK_UNIT_TESTS}"
+    "\nBuiltin Plugins:   ${ZEEK_BUILTIN_PLUGINS}"
+    "\n"
+    "\nCC:                ${CMAKE_C_COMPILER}"
+    "\nCFLAGS:            ${CMAKE_C_FLAGS} ${CMAKE_C_FLAGS_${BuildType}}"
+    "\nCXX:               ${CMAKE_CXX_COMPILER}"
+    "\nCXXFLAGS:          ${CMAKE_CXX_FLAGS} ${CMAKE_CXX_FLAGS_${BuildType}}"
+    "\nCPP:               ${CMAKE_CXX_COMPILER}"
+    "\n"
+    "\nAF_PACKET:         ${ZEEK_HAVE_AF_PACKET}"
+    "\nAux. Tools:        ${INSTALL_AUX_TOOLS}"
+    "\nBifCL:             ${_bifcl_exe_path}"
+    "\nBinPAC:            ${_binpac_exe_path}"
+    "\nBTest:             ${INSTALL_BTEST}"
+    "\nBTest tooling:     ${_install_btest_tools_msg}"
+    "\nGen-ZAM:           ${_gen_zam_exe_path}"
+    "\nJavaScript:        ${ZEEK_HAVE_JAVASCRIPT}"
+    "\nSpicy:             ${_spicy}"
+    "\nSpicy analyzers:   ${USE_SPICY_ANALYZERS}"
+    "\nzeek-client:       ${INSTALL_ZEEK_CLIENT}"
+    "\nZeekControl:       ${INSTALL_ZEEKCTL}"
+    "\nzkg:               ${INSTALL_ZKG}"
+    "\n"
+    "\nlibmaxminddb:      ${USE_GEOIP}"
+    "\nKerberos:          ${USE_KRB5}"
+    "\ngperftools found:  ${HAVE_PERFTOOLS}"
+    "\n  - tcmalloc:      ${USE_PERFTOOLS_TCMALLOC}"
+    "\n  - debugging:     ${USE_PERFTOOLS_DEBUG}"
+    "\njemalloc:          ${ENABLE_JEMALLOC}"
+    "\n"
+    "\nCluster backends:"
+    "\n  - Broker:        ON"
+    "\n  - ZeroMQ:        ${ENABLE_CLUSTER_BACKEND_ZEROMQ}"
+    "\n"
+    "\nFuzz Targets:      ${ZEEK_ENABLE_FUZZERS}"
+    "\nFuzz Engine:       ${ZEEK_FUZZING_ENGINE}"
+    "${_analyzer_warning}"
+    "\n"
+    "\n================================================================\n")

 include(UserChangedWarning)
--- a/CODE_OF_CONDUCT.md
+++ b/CODE_OF_CONDUCT.md
@ -1 +0,0 @@
-Our code of conduct is published at https://zeek.org/community-code-of-conduct/
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -1,3 +0,0 @@
-Our contribution guide is available at https://github.com/zeek/zeek/wiki/Contribution-Guide.
-
-More information about contributing is also available at https://docs.zeek.org/en/master/devel/contributors.html.
--- a/2
+++ b/2
@ -1,4 +1,4 @@
-Copyright (c) 1995-now, The Regents of the University of California
+Copyright (c) 1995-2023, The Regents of the University of California
 through the Lawrence Berkeley National Laboratory and the
 International Computer Science Institute. All rights reserved.

--- a/456
+++ b/456
@ -533,6 +533,32 @@ POSSIBILITY OF SUCH DAMAGE.

 ==============================================================================

+%%% auxil/filesystem
+
+==============================================================================
+
+Copyright (c) 2018, Steffen Schümann <s.schuemann@pobox.com>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+
+==============================================================================
+
 %%% auxil/highwayhash

 ==============================================================================
@ -756,433 +782,3 @@ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 SOFTWARE.
-
-==============================================================================
-
-%%% auxil/c-ares
-
-==============================================================================
-
-MIT License
-
-Copyright (c) 1998 Massachusetts Institute of Technology
-Copyright (c) 2007 - 2023 Daniel Stenberg with many contributors, see AUTHORS
-file.
-
-Permission is hereby granted, free of charge, to any person obtaining a copy of
-this software and associated documentation files (the "Software"), to deal in
-the Software without restriction, including without limitation the rights to
-use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
-the Software, and to permit persons to whom the Software is furnished to do so,
-subject to the following conditions:
-
-The above copyright notice and this permission notice (including the next
-paragraph) shall be included in all copies or substantial portions of the
-Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
-
-==============================================================================
-
-%%% auxil/expected-lite
-
-==============================================================================
-
-Boost Software License - Version 1.0 - August 17th, 2003
-
-Permission is hereby granted, free of charge, to any person or organization
-obtaining a copy of the software and accompanying documentation covered by
-this license (the "Software") to use, reproduce, display, distribute,
-execute, and transmit the Software, and to prepare derivative works of the
-Software, and to permit third-parties to whom the Software is furnished to
-do so, all subject to the following:
-
-The copyright notices in the Software and this entire statement, including
-the above license grant, this restriction and the following disclaimer,
-must be included in all copies of the Software, in whole or in part, and
-all derivative works of the Software, unless such copies or derivative
-works are solely in the form of machine-executable object code generated by
-a source language processor.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT. IN NO EVENT
-SHALL THE COPYRIGHT HOLDERS OR ANYONE DISTRIBUTING THE SOFTWARE BE LIABLE
-FOR ANY DAMAGES OR OTHER LIABILITY, WHETHER IN CONTRACT, TORT OR OTHERWISE,
-ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
-DEALINGS IN THE SOFTWARE.
-
-==============================================================================
-
-%%% auxil/out_ptr
-
-==============================================================================
-
-                         Copyright ⓒ 2018-2021 ThePhD.
-
-
-                                 Apache License
-                           Version 2.0, January 2004
-                        http://www.apache.org/licenses/
-
-   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
-
-   1. Definitions.
-
-      "License" shall mean the terms and conditions for use, reproduction,
-      and distribution as defined by Sections 1 through 9 of this document.
-
-      "Licensor" shall mean the copyright owner or entity authorized by
-      the copyright owner that is granting the License.
-
-      "Legal Entity" shall mean the union of the acting entity and all
-      other entities that control, are controlled by, or are under common
-      control with that entity. For the purposes of this definition,
-      "control" means (i) the power, direct or indirect, to cause the
-      direction or management of such entity, whether by contract or
-      otherwise, or (ii) ownership of fifty percent (50%) or more of the
-      outstanding shares, or (iii) beneficial ownership of such entity.
-
-      "You" (or "Your") shall mean an individual or Legal Entity
-      exercising permissions granted by this License.
-
-      "Source" form shall mean the preferred form for making modifications,
-      including but not limited to software source code, documentation
-      source, and configuration files.
-
-      "Object" form shall mean any form resulting from mechanical
-      transformation or translation of a Source form, including but
-      not limited to compiled object code, generated documentation,
-      and conversions to other media types.
-
-      "Work" shall mean the work of authorship, whether in Source or
-      Object form, made available under the License, as indicated by a
-      copyright notice that is included in or attached to the work
-      (an example is provided in the Appendix below).
-
-      "Derivative Works" shall mean any work, whether in Source or Object
-      form, that is based on (or derived from) the Work and for which the
-      editorial revisions, annotations, elaborations, or other modifications
-      represent, as a whole, an original work of authorship. For the purposes
-      of this License, Derivative Works shall not include works that remain
-      separable from, or merely link (or bind by name) to the interfaces of,
-      the Work and Derivative Works thereof.
-
-      "Contribution" shall mean any work of authorship, including
-      the original version of the Work and any modifications or additions
-      to that Work or Derivative Works thereof, that is intentionally
-      submitted to Licensor for inclusion in the Work by the copyright owner
-      or by an individual or Legal Entity authorized to submit on behalf of
-      the copyright owner. For the purposes of this definition, "submitted"
-      means any form of electronic, verbal, or written communication sent
-      to the Licensor or its representatives, including but not limited to
-      communication on electronic mailing lists, source code control systems,
-      and issue tracking systems that are managed by, or on behalf of, the
-      Licensor for the purpose of discussing and improving the Work, but
-      excluding communication that is conspicuously marked or otherwise
-      designated in writing by the copyright owner as "Not a Contribution."
-
-      "Contributor" shall mean Licensor and any individual or Legal Entity
-      on behalf of whom a Contribution has been received by Licensor and
-      subsequently incorporated within the Work.
-
-   2. Grant of Copyright License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      copyright license to reproduce, prepare Derivative Works of,
-      publicly display, publicly perform, sublicense, and distribute the
-      Work and such Derivative Works in Source or Object form.
-
-   3. Grant of Patent License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      (except as stated in this section) patent license to make, have made,
-      use, offer to sell, sell, import, and otherwise transfer the Work,
-      where such license applies only to those patent claims licensable
-      by such Contributor that are necessarily infringed by their
-      Contribution(s) alone or by combination of their Contribution(s)
-      with the Work to which such Contribution(s) was submitted. If You
-      institute patent litigation against any entity (including a
-      cross-claim or counterclaim in a lawsuit) alleging that the Work
-      or a Contribution incorporated within the Work constitutes direct
-      or contributory patent infringement, then any patent licenses
-      granted to You under this License for that Work shall terminate
-      as of the date such litigation is filed.
-
-   4. Redistribution. You may reproduce and distribute copies of the
-      Work or Derivative Works thereof in any medium, with or without
-      modifications, and in Source or Object form, provided that You
-      meet the following conditions:
-
-      (a) You must give any other recipients of the Work or
-          Derivative Works a copy of this License; and
-
-      (b) You must cause any modified files to carry prominent notices
-          stating that You changed the files; and
-
-      (c) You must retain, in the Source form of any Derivative Works
-          that You distribute, all copyright, patent, trademark, and
-          attribution notices from the Source form of the Work,
-          excluding those notices that do not pertain to any part of
-          the Derivative Works; and
-
-      (d) If the Work includes a "NOTICE" text file as part of its
-          distribution, then any Derivative Works that You distribute must
-          include a readable copy of the attribution notices contained
-          within such NOTICE file, excluding those notices that do not
-          pertain to any part of the Derivative Works, in at least one
-          of the following places: within a NOTICE text file distributed
-          as part of the Derivative Works; within the Source form or
-          documentation, if provided along with the Derivative Works; or,
-          within a display generated by the Derivative Works, if and
-          wherever such third-party notices normally appear. The contents
-          of the NOTICE file are for informational purposes only and
-          do not modify the License. You may add Your own attribution
-          notices within Derivative Works that You distribute, alongside
-          or as an addendum to the NOTICE text from the Work, provided
-          that such additional attribution notices cannot be construed
-          as modifying the License.
-
-      You may add Your own copyright statement to Your modifications and
-      may provide additional or different license terms and conditions
-      for use, reproduction, or distribution of Your modifications, or
-      for any such Derivative Works as a whole, provided Your use,
-      reproduction, and distribution of the Work otherwise complies with
-      the conditions stated in this License.
-
-   5. Submission of Contributions. Unless You explicitly state otherwise,
-      any Contribution intentionally submitted for inclusion in the Work
-      by You to the Licensor shall be under the terms and conditions of
-      this License, without any additional terms or conditions.
-      Notwithstanding the above, nothing herein shall supersede or modify
-      the terms of any separate license agreement you may have executed
-      with Licensor regarding such Contributions.
-
-   6. Trademarks. This License does not grant permission to use the trade
-      names, trademarks, service marks, or product names of the Licensor,
-      except as required for reasonable and customary use in describing the
-      origin of the Work and reproducing the content of the NOTICE file.
-
-   7. Disclaimer of Warranty. Unless required by applicable law or
-      agreed to in writing, Licensor provides the Work (and each
-      Contributor provides its Contributions) on an "AS IS" BASIS,
-      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
-      implied, including, without limitation, any warranties or conditions
-      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
-      PARTICULAR PURPOSE. You are solely responsible for determining the
-      appropriateness of using or redistributing the Work and assume any
-      risks associated with Your exercise of permissions under this License.
-
-   8. Limitation of Liability. In no event and under no legal theory,
-      whether in tort (including negligence), contract, or otherwise,
-      unless required by applicable law (such as deliberate and grossly
-      negligent acts) or agreed to in writing, shall any Contributor be
-      liable to You for damages, including any direct, indirect, special,
-      incidental, or consequential damages of any character arising as a
-      result of this License or out of the use or inability to use the
-      Work (including but not limited to damages for loss of goodwill,
-      work stoppage, computer failure or malfunction, or any and all
-      other commercial damages or losses), even if such Contributor
-      has been advised of the possibility of such damages.
-
-   9. Accepting Warranty or Additional Liability. While redistributing
-      the Work or Derivative Works thereof, You may choose to offer,
-      and charge a fee for, acceptance of support, warranty, indemnity,
-      or other liability obligations and/or rights consistent with this
-      License. However, in accepting such obligations, You may act only
-      on Your own behalf and on Your sole responsibility, not on behalf
-      of any other Contributor, and only if You agree to indemnify,
-      defend, and hold each Contributor harmless for any liability
-      incurred by, or claims asserted against, such Contributor by reason
-      of your accepting any such warranty or additional liability.
-
-   END OF TERMS AND CONDITIONS
-
-==============================================================================
-
-%%% auxil/prometheus-cpp
-
-==============================================================================
-
-MIT License
-
-Copyright (c) 2016-2021 Jupp Mueller
-Copyright (c) 2017-2022 Gregor Jasny
-
-And many contributors, see
-https://github.com/jupp0r/prometheus-cpp/graphs/contributors
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
-
-==============================================================================
-
-%%% auxil/rapidjson
-
-==============================================================================
-
-Tencent is pleased to support the open source community by making RapidJSON available.
-
-Copyright (C) 2015 THL A29 Limited, a Tencent company, and Milo Yip.  All rights reserved.
-
-If you have downloaded a copy of the RapidJSON binary from Tencent, please note that the RapidJSON binary is licensed under the MIT License.
-If you have downloaded a copy of the RapidJSON source code from Tencent, please note that RapidJSON source code is licensed under the MIT License, except for the third-party components listed below which are subject to different license terms.  Your integration of RapidJSON into your own projects may require compliance with the MIT License, as well as the other licenses applicable to the third-party components included within RapidJSON. To avoid the problematic JSON license in your own projects, it's sufficient to exclude the bin/jsonchecker/ directory, as it's the only code under the JSON license.
-A copy of the MIT License is included in this file.
-
-Other dependencies and licenses:
-
-Open Source Software Licensed Under the BSD License:
--------------------------------------------------------------------
-
-The msinttypes r29
-Copyright (c) 2006-2013 Alexander Chemeris
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
-
-* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
-* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
-* Neither the name of  copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS AND CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-Open Source Software Licensed Under the JSON License:
--------------------------------------------------------------------
-
-json.org
-Copyright (c) 2002 JSON.org
-All Rights Reserved.
-
-JSON_checker
-Copyright (c) 2002 JSON.org
-All Rights Reserved.
-
-
-Terms of the JSON License:
---------------------------------------------------
-
-Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
-
-The Software shall be used for Good, not Evil.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-
-Terms of the MIT License:
--------------------------------------------------------------------
-
-Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-==============================================================================
-
-%%% auxil/vcpkg
-
-==============================================================================
-
-MIT License
-
-Copyright (c) Microsoft Corporation
-
-Permission is hereby granted, free of charge, to any person obtaining a copy of this
-software and associated documentation files (the "Software"), to deal in the Software
-without restriction, including without limitation the rights to use, copy, modify,
-merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
-permit persons to whom the Software is furnished to do so, subject to the following
-conditions:
-
-The above copyright notice and this permission notice shall be included in all copies
-or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
-INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
-PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
-HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
-CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE
-OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-==============================================================================
-
-%%% src/cluster/websocket/auxil/IXWebSocket
-
-==============================================================================
-
-Copyright (c) 2018 Machine Zone, Inc. All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are
-met:
-
-1. Redistributions of source code must retain the above copyright
-   notice, this list of conditions and the following disclaimer.
-
-2. Redistributions in binary form must reproduce the above copyright
-   notice, this list of conditions and the following disclaimer in the
-   documentation and/or other materials provided with the
-   distribution.
-
-3. Neither the name of the copyright holder nor the names of its
-   contributors may be used to endorse or promote products derived
-   from this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-==============================================================================
-
-%%% src/cluster/backend/zeromq/auxil/cppzmq
-
-==============================================================================
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to
-deal in the Software without restriction, including without limitation the
-rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
-sell copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
-FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
-IN THE SOFTWARE.
--- a/791
+++ b/791
@ -3,791 +3,6 @@ This document summarizes the most important changes in the current Zeek
 release. For an exhaustive list of changes, see the ``CHANGES`` file
 (note that submodules, such as Broker, come with their own ``CHANGES``.)

-Zeek 8.1.0
-==========
-
-We would like to thank @chrisjlly, Klemens Nanni (@klemensn), and Klemens Nanni
-(@klemens-ya) for their contributions to this release.
-
-Breaking Changes
----------------
-
- Python 3.10 is now required for Zeek and all of its associated subprojects.
-
- The ``&optional`` script attribute will now error when applied to anything that's
-  not a record field. Previously, this would have surprising behavior.
-
- The BinPAC, Bifcl, and Gen-ZAM tools have all moved directly into the Zeek repo, which
-  should ease maintenance on them a bit. They were moved from the ``auxil`` directory to the
-  tools directory. Along with this, the ``--gen-zam`` argument for ``configure`` was
-  removed and the internal version will always be used.
-
- The zeek-af_packet-plugin git submodule was moved directly into the Zeek repo. This used
-  to live in the ``auxil`` directory, after having moved there from an external plugin.
-  It is now built as part of main Zeek build whenever building on Linux.
-
-New Functionality
-----------------
-
- A new TapAnalyzer class was added allowing to tap into all packets delivered
-  to child analyzers attached to session adapters.
-
- Two new hooks, ``Cluster::on_subscribe()`` and ``Cluster::on_unsubscribe()`` have
-  been added to allow observing ``Subscribe()`` and ``Unsubscribe()`` calls on
-  backends by Zeek scripts.
-
- The ability to control the length of strings and containers in log output was added. The
-  maximum length of individual log fields can be set, as well as the total length of all
-  string or container fields in a single log record. This feature is controlled via four
-  new script-level variables:
-
-	Log::default_max_field_string_bytes
-	Log::default_max_total_string_bytes
-	Log::default_max_field_container_elements
-	Log::default_max_total_container_elements
-
-  When one of the ``field`` limits is reached, the individual field is truncated. When one
-  of the ``total`` limits is reached, all further strings will returned as empty and all
-  further container elements will not be output. See the documentation for those variables
-  for more detail.
-
-  The above variables control the truncation globally, but they can also be set for log
-  streams individually. This is controlled by variables with the same names that can be
-  set when the log stream is created.
-
-  Two new weirds were added to report the truncation: ``log_string_field_truncated`` and
-  ``log_container_field_truncated``. New metrics were added to track how many truncations
-  have occurred: ``zeek_log_writer_truncated_string_fields_total`` and
-  ``zeek_log_writer_truncated_containers_total``. The metrics are reported for each log
-  stream.
-
- The DNS analyzer now returns the set of parameters for SVCB data. It previously handled
-  SVCB packets, but omitted the parameters while parsing.
-
- The QUIC analyzer now raises QUIC::discarded_packet() when a packet with fixed_bit
-  set to 0 is encountered. Such an occurrence is included in the QUIC history as ``X``.
-  This functionality can be controlled with ``QUIC::max_discarded_packet_events``,
-  setting this variable to -1 disabled the ``QUIC::discarded_packet`` event.
-
- Added SHA256 calculation BiFs: ``sha512_hash``, ``sha512_hash_init`, ``sha512_hash_update``,
-  and ``sha512_hash_finish``.
-
-Changed Functionality
---------------------
-
- The var-extraction-uri.zeek policy does not include the path in the ``uri_vars``
-  field anymore.
-
- The ``get_current_packet_header()`` now populates the returned record also for
-  fragmented IP datagrams.
-
- The QUIC parser discards packets with the fixed_bit field set to 0, rather than
-  continuing to parse potentially running into analyzer violations.
-
-Removed Functionality
---------------------
-
-Deprecated Functionality
------------------------
-
-
-Zeek 8.0.0
-==========
-
-We would like to thank @aidans111, Anthony Verez (@netantho), Baa (@Baa14453),
-Bhaskar Bhar (@bhaskarbhar), @dwhitemv25, EdKo (@ephikos), @edoardomich, Fupeng
-Zhao (@AmazingPP), hendrik.schwartke@os-s.de (@hendrikschwartke), @i2z1, Jan
-Grashöfer (@J-Gras) Jean-Samuel Marier, Justin Azoff (@JustinAzoff), Mario D
-(@mari0d), Markus Elfring (@elfring), Peter Cullen (@pbcullen), Sean Donaghy,
-Simeon Miteff (@simeonmiteff), Steve Smoot (@stevesmoot), @timo-mue,
-@wojciech-graj, and Xiaochuan Ye (@XueSongTap) for their contributions to this
-release.
-
-Breaking Changes
----------------
-
- Zeek by default now depends on the availability of the ZeroMQ library for building
-  and running. This is in preparation of switching to the ZeroMQ-based cluster backend
-  by default in future Zeek versions. On an Ubuntu based system, the required system
-  packages are ``libzmq5``, ``libzmq3-dev`` and ``cppzmq-dev``. See the Dockerfiles
-  in the ``ci/`` directory for other supported platforms.
-
- Zeek and all of its associated submodules now require C++20-capable compilers to
-  build. This will let us move forward in using more modern C++ features and replace some
-  workarounds that we have been carrying. Minimum recommended versions of compilers are
-  GCC 10, Clang 8, and Visual Studio 2022.
-
- The ``zeek::Span`` class has been deprecated and the APIs in the telemetry subsystem
-  switched to use ``std::span`` instead of ``zeek::Span``. If your plugin instantiates
-  counter or gauge instances using the telemetry subsystem and you've previously used
-  ``zeek::Span`` explicitly, updates may be needed.
-
- The code base underwent a big cleanup of #include usage, across almost all of the
-  files. We tested builds of all of the existing third-party packages and only noticed one
-  or two failures, but there is a possibility for breakage related to this cleanup.
-
- The ``lookup_connection()`` and ``connection_exists()`` builtin functions
-  now require ``conn_id`` instances as argument, rather than internally supporting
-  duck type matching ``conn_id``-like records.
-
- Network timestamps are not added to events by default anymore. Use the following
-  redef line to enable them:
-
-	redef EventMetadata::add_network_timestamp = T;
-
-  The background is that event metadata has become more generic and may incur
-  a small overhead when enabled. There's not enough users of network timestamp
-  metadata to justify the complexity of treating it separate.
-
- The ASCII writer's ``JSON::TS_MILLIS`` timestamp format was changed to produce
-  signed integers. This matters for the representation for timestamps that are
-  before the UNIX epoch. These are now written as negative values, while previously
-  the negative value was interpreted as an unsigned integer, resulting in very large
-  timestamps, potentially causing issues for downstream consumers.
-
-  If you prefer to always have unsigned values, it's possible to revert to the previous
-  behavior by setting:
-
-	redef LogAscii::json_timestamps = JSON::TS_MILLIS_UNSIGNED;
-
- The "endpoint" label of metrics exposed via Prometheus or the ``telemetry.log``
-  was renamed to "node". This is done for consistency with cluster terminology:
-  The label values have always been the value of ``Cluster::node`, so it's more intuitive
-  to call it. The "endpoint" name originated from a time when the telemetry framework
-  was implemented in Broker.
-
-  To revert to the "endpoint" label, you can do the following, but we strongly
-  suggest to migrate to the new default "node" instead:
-
-	redef Telemetry::metrics_endpoint_label = "endpoint";
-
- The ``current_event_time()`` builtin function as well as ``Event::Time()``
-  and ``EventMgr::CurrentEventTime()`` now return ``-1.0`` if no timestamp
-  metadata is available for the current event, or if no event is being
-  dispatched. Previously this would've been 0.0, or the timestamp of the previously
-  dispatched event.
-
- Missing network timestamp metadata on remote events is not set to the local
-  network time anymore by default. This potentially hid useful debugging information
-  about another node not sending timestamp metadata. The old behavior can be
-  re-enabled as follows:
-
-	redef EventMetadata::add_missing_remote_network_timestamp = T;
-
- The ``IsPacketSource()`` method on ``IOSource`` was removed. It was unused
-  and incorrectly returned ``false`` on all packet sources.
-
- The ``--with-binpac`` and ``--with-bifcl`` arguments for ``configure`` are now
-  deprecated.  Both arguments have for a long time just used the internal version of the
-  tooling even if something was passed, so they were mostly useless. This may cause
-  breakage of cross-compiling, where the ``binpac`` and ``bifcl`` tooling needs to be run
-  on the host machine. We haven't heard from anyone that this is the case with the
-  arguments in their currently-broken state.
-
- The parsing of data for the ``ssl_session_ticket_handshake`` event was fixed.
-  In the past, the data contained two extra bytes before the session ticket
-  data. The event now contains only the session ticket data. You might have to
-  adjust your scripts if you manually worked around this bug in the past.
-
-New Functionality
-----------------
-
- Zeek now supports pluggable and customizable connection tracking. The default
-  behavior remains unchanged and uses a connection's five tuple based on the
-  IP/port pairs and proto field. Zeek 8 ships with one additional implementation,
-  to factor VLAN tags into the connection tracking. To switch to VLAN-aware
-  connection tracking:
-
-	@load frameworks/conn_key/vlan_fivetuple
-
-  By convention, additional fields used by alternative ConnKey implementations are
-  added into the new ``ctx`` field of ``conn_id``. The type of ``ctx`` is ``conn_id_ctx``.
-
-  The ``vlan_fivetuple`` script adds two additional fields to the ``conn_id_ctx``
-  record type, representing any VLAN tags involved. Accordingly, every log
-  using ``conn_id`` reflects the change as well as ``ctx`` and the VLAN fields have
-  the ``&log`` attribute. The columns used for logging will be named ``id.ctx.vlan``
-  and ``id.ctx.inner_vlan``.
-
-  This feature does not automatically provide a notion of endpoint that
-  corresponds with the effective connection tuple. For example, applications tracking
-  endpoints by IP address do not somehow become VLAN-aware when enabling
-  VLAN-aware tracking.
-
-  Users may experiment with their own notion of endpoint by combining the ``orig_h``
-  or ``resp_h`` field of ``conn_id`` with the new ``ctx`` field. For example, tracking
-  the number of connections from a given host in a VLAN-aware fashion can be done
-  as follows:
-
-	global connection_counts: table[conn_id_ctx, addr] of count &default=0;
-
-	event new_connection(c: connection) {
-		++connection_counts[c$id$ctx, c$id$orig_h];
-	}
-
-  Note that this script snippet isn't VLAN-specific, yet it is VLAN-aware if the
-  ``vlan_fivetuple`` script is loaded. In future Zeek versions, this pattern is
-  likely to be used to adapt base and policy scripts for more "context awareness".
-
-  Users may add their own plugins (for example via a zkg package) to provide
-  alternative implementations. This involves implementing a factory for
-  connection "keys" that factor in additional flow information. See the VLAN
-  implementation in the ``src/packet_analysis/protocol/ip/conn_key/vlan_fivetuple``
-  directory for an example.
-
- Added support to ZeekControl for seamlessly switching to ZeroMQ as cluster
-  backend by adding the following settings to zeekctl.cfg:
-
-	ClusterBackend = ZeroMQ
-	UseWebSocket = 1
-
-  With the ZeroMQ cluster backend, Zeekctl requires to use Zeek's WebSocket API
-  to communicate with individual nodes for the ``print`` and ``netstats`` commands.
-  Setting the ``UseWebSocket`` option enables a WebSocket server on the manager
-  node, listening on 127.0.0.1:27759 by default (this is configurable with using
-  the newly introduced ``WebSocketHost`` and ``WebSocketPort`` options).
-  The ``UseWebSocket`` option can also be used when ``ClusterBackend`` is set
-  to ``Broker``, but isn't strictly required.
-
-  For ZeroMQ (or other future cluster backends), setting ``UseWebSocket`` is a
-  requirement as Zeekctl does not speak the native ZeroMQ protocol to communicate
-  with cluster nodes for executing commands. This functionality requires the
-  ``websockets`` Python package with version 11.0 or higher.
-
- Cluster telemetry improvements. Zeek now exposes a configurable number of
-  metrics regarding outgoing and incoming cluster events. By default, the number
-  of events sent and received by a Zeek cluster node and any attached WebSocket
-  clients is tracked as four individual counters. It's possible to gather more
-  detailed information by adding ``Cluster::Telemetry::VERBOSE`` and
-  ``Cluster::Telemetry::DEBUG`` to the variables ``Cluster::core_metrics`` and
-  ``Cluster::webscoket_metrics``:
-
-	redef Cluster::core_metrics += { Cluster::Telemetry::VERBOSE };
-	redef Cluster::websocket_metrics += { Cluster::Telemetry::DEBUG };
-
-  Configuring verbose, adds metrics that are labeled with the event handler
-  and topic name. Configuring debug, uses histogram metrics to additionally track
-  the distribution of the serialized event size. Additionally, when debug is selected,
-  outgoing events are labeled with the script location from where they were published.
-
- Support for the X-Application-Name HTTP header was added to the WebSocket API at
-  ``v1/messages/json``. A WebSocket application connecting to Zeek may set the
-  X-Application-Name header to a descriptive identifier. The value of this header
-  will be added to the cluster metrics as ``app`` label. This allows to gather
-  incoming and outgoing event metrics of a specific WebSocket application, simply
-  by setting the X-Application-Name header.
-
- The SMTP analyzer can now optionally forward the top-level RFC 822 message individual
-  SMTP transactions to the file analysis framework. This can be leveraged to extract
-  emails in form of ``.eml`` files from SMTP traffic to disk.
-
-  To enable this feature, set the ``SMTP::enable_rfc822_msg_file_analysis`` option
-  and implement an appropriate ``file_new()`` or ``file_over_new_connection()`` handler:
-
-	redef SMTP::enable_rfc822_msg_file_analysis = T;
-
-	event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) {
-		if ( f$id == c$smtp$rfc822_msg_fuid )
-			Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename="email"]);
-	}
-
-
- Generic event metadata support. A new ``EventMetadata`` module was added allowing
-  to register generic event metadata types and accessing the current event's metadata
-  using the functions ``current()`` and ``current_all()`` of this module.
-
- A new plugin hook, ``HookPublishEvent()``, has been added for intercepting
-  publishing of Zeek events. This hook may be used for monitoring purposes,
-  modifying or rerouting remote events.
-
-  Plugins can implement and enable this hook by calling the following method
-  within their Configure() implementation.
-
-	EnableHook(HOOK_PUBLISH_EVENT)
-
-  The signature of ``HookPublishEvent()`` is as follows.
-
-	bool HookPublishEvent(zeek::cluster::Backend& backend,
-	                      const std::string& topic,
-	                      zeek::cluster::detail::Event& event);
-
- Zeek now includes the Redis protocol analyzer from the evantypanski/spicy-redis
-  project (https://github.com/evantypanski/spicy-redis). This analyzer is enabled
-  by default. This analyzer logs Redis commands and their associated replies in
-  ``redis.log``.
-
-  To disable the analyzer in case of issues, use the following snippet:
-
-	redef Analyzer::disabled_analyzers += {
-		Analyzer::ANALYZER_REDIS,
-	};
-
- The FTP analyzer now supports explicit TLS via AUTH TLS.
-
- Two new script-level hooks in the Intel framework have been added.
-
-	hook indicator_inserted(indicator_value: string, indicator_type: Intel::Type)
-
-	hook indicator_removed(indicator_value: string, indicator_type: Intel::Type)
-
-  These are reliably invoked on worker and manager nodes the first time an
-  indicator value is inserted into the store and once it has been completely
-  removed from the store.
-
- The ``frameworks/intel/seen`` scripts have been annotated with event groups
-  and a new ``frameworks/intel/seen/manage-event-groups`` policy script added.
-
-  The motivation is to allow Zeek distributors to load the ``intel/seen`` scripts
-  by default without incurring their event overhead when no Intel indicators are
-  loaded. Corresponding event handlers are enabled once the first Intel indicator
-  of a given ``Intel::Type`` is added. Event handlers are disabled when the last
-  indicator is removed, again.
-
-  Note that the ``manage-event-groups`` script interacts with the ``Intel::seen_policy``
-  hook: If no indicators for a given ``Intel::Type`` are loaded, the ``Intel::seen_policy``
-  will not be invoked as the event handlers extracting indicators aren't executed.
-
-  If you rely on the ``Intel::seen_policy`` hook to be invoked regardless of the
-  contents of the Intel store, do not load the ``manage-event-groups`` or set:
-
-	redef Intel::manage_seen_event_groups = F;
-
- The DNS analyzer was extended to support NAPTR RRs (RFC 2915, RFC 3403).
-  A corresponding ``dns_NAPTR_reply`` event was added.
-
- A new ``get_tags_by_category`` BIF method was added that returns a list of tags for a
-  specified plugin category. This can be used in lieu of calling ``zeek -NN`` and
-  parsing the output. For example, this will return the list of all analyzer plugins
-  currently loaded:
-
-    get_tags_by_category("ANALYZER");
-
- A new ``conn_generic_packet_threshold_crossed`` event was introduced. The event triggers
-  for any IP-based session that reaches a given threshold. Multiple packet thresholds can
-  be defined in ``ConnThreshold::generic_packet_thresholds``. The generic thresholds refer
-  to the total number of packets on a connection without taking direction into account
-  (i.e. the event also triggers on one-sided connections).
-
-  The event is intended as an alternative to the ``new_connection`` event that allows for
-  ignoring short-lived connections like DNS or scans. For example, it can be used to set
-  up traditional connection monitoring without introducing overhead for connections that
-  would never reach a larger threshold anyway.
-
- Zeek now supports extracting the PPPoE session ID. The ``PacketAnalyzer::PPPoE::session_id``
-  BiF can be used to get the session ID of the current packet.
-
-  The ``conn/pppoe-session-id-logging.zeek`` policy script adds pppoe session IDs to the
-  connection log.
-
-  The ``get_conn_stats()`` function's return value now includes the number of packets
-  that have not been processed by any analyzer. Using data from ``get_conn_stats()`` and
-  ``get_net_stats()``, it's possible to determine the number of packets that have
-  been received and accepted by Zeek, but eventually discarded without processing.
-
-Changed Functionality
---------------------
-
- The `Conn::set_conn` function is now always run in `new_connection`, instead of only
-  being run in `connection_state_remove`.
-
- Logging of failed analyzers has been overhauled. `dpd.log` was replaced
-  by a new `analyzer.log` that presents a more unified and consistent view
-  of failed analyzers. The previous `analyzer.log` was renamed to `analyzer-debug.log`;
-  see below for more details.
-
-  For protocol analyzers, `analyzer.log` now reports initially confirmed analyzers that
-  Zeek subsequently removed from the connection due to a protocol violation.
-
-  For file and packet analyzers, all errors will be logged to `analyzer.log`.
-
-  As part of this work, a new `analyzer_failed` event has been introduced. This event
-  is raised when an analyzer is removed because of raising a violation.
-
- `analyzer.log` was renamed to `analyzer_debug.log`, and is no longer created
-  by default. The log file will be created if the `frameworks/analyzer/debug-logging.zeek`
-  policy script is loaded.
-
-  Note that the namespace for options in the script changed to
-  `Analyzer::DebugLogging`. Furthermore the default options changed to enable
-  more detailed output by default.
-
- Record fields with a ``&default`` attribute are now consistently re-initialized
-  after deleting such fields. Previously, this would only work for constant
-  expressions, but has been extended to apply to arbitrary expressions.
-
- Publishing remote events with vector arguments that contain holes is now
-  rejected. The receiver side never had a chance to figure out where these
-  holes would have been. There's a chance this breaks scripts that accidentally
-  published vectors with holes. A reporter error is produced at runtime when
-  serialization of vectors with holes is attempted.
-
- Kerberos support on macOS has been enabled. Due to incompatibilities, the system
-  provided libkrb5 is ignored, however. Only versions from homebrew are supported and
-  found/picked-up by default. Use --with-krb5 for pointing at a custom librkb5
-  installation.
-
- The ``$listen_host`` configuration for ``Cluster::listen_websocket()``'s
-  ``WebSocketServerOptions`` was deprecated. Use the new ``$listen_addr`` field
-  instead.
-
- The `service_violation` field of the connection record was marked as deprecated.
-  Consider using the new `failed_analyzers` field of the connection record instead.
-
- `detect-protocol.zeek was the last non-deprecated policy script left in
-  `frameworks/dpd`.  It was moved to `frameworks/analyzer/detect-protocol.zeek`.
-
- Running Zeek with Zeekygen for documentation extraction (-X|--zeekygen
-  <cfgfile>) now implies -a, i.e., parse-only mode.
-
- The `not_valid_before` and `not_valid_after` times of X509 certificates are
-  now logged as GMT timestamps. Before, they were logged as local times; thus
-  the output was dependent on the timezone that your system is set to.
-  Similarly, the related events and the Zeek data structures all interpreted
-  times in X509 certificates as local times.
-
- The PPPoE parser now respects the size value given in the PPPoE header. Data
-  beyond the size given in the header will be truncated.
-
- Record fields with ``&default`` attributes initializing empty ``vector``, ``table``
-  or ``set`` instances are now deferred until they are accessed, potentially
-  improving memory usage when such fields are never accessed.
-
-Removed Functionality
---------------------
-
- The ``--with-bind`` argument for ``configure`` was removed. We removed the need for the
-  BIND library from our CMake setup in the v7.2 release, but this non-functional argument
-  was left behind.
-
- The ``--disable-archiver`` argument for ``configure`` was removed. This was deprecated
-  and scheduled to be removed in v7.1, but we apparently missed it during the cleanup for
-  that release.
-
-Deprecated Functionality
------------------------
-
- The `dpd.log` is now deprecated and replaced by `analyzer.log` (see above).
-  `dpd.log` is no longer created by default, but can be loaded using the
-  `frameworks/analyzer/deprecated-dpd-log.zeek` policy script.
-
-  Relatedly, the `service_violation` field of the connection record is
-  deprecated and will only be present if the
-  `frameworks/analyzer/deprecated-dpd-log.zeek` policy script is loaded.
-
- The ``protocols/http/detect-sqli.zeek`` script has been deprecated in favor of a
-  new ``protocols/http/detect-sql-injection.zeek`` script to switch from the victim
-  host being placed into the ``src`` field of a notice to instead use ``dst``.
-  The attacker host is now placed into ``src``. Further, notices hold the first
-  sampled connection uid.
-
-  Note that the ``Notice::Type`` enumeration names remain the same. You can determine
-  which script was used by the presence of populated ``uid`` and ``dst`` fields in the
-  ``notice.log`` entries.
-
-  The replacement script doesn't populate the ``email_body_sections`` anymore either.
-
- Using ``&default`` and ``&optional`` together on a record field has been deprecated
-  as it would only result in ``&default`` behavior. This will become an error starting
-  with Zeek 8.1.
-
- The ``zeek::Event()`` constructor was deprecated. Use ``event_mgr::Enqueue()``
-  or ``event_mgr::Dispatch()`` instead.
-
- Passing ``ts`` as the last argument to ``EventMgr::Enqueue()`` has been deprecated
-  and will lead to compile time warnings. Use ``EventMgr::Enqueue(detail::MetadataVectorPtr meta, ...)``
-  for populating ``meta`` accordingly.
-
- For plugin authors: in the core, the constructor for Connection instances has
-  been deprecated in favor of a new one to support pluggable connection
-  tuples. The ConnTuple struct, used by this deprecated Connection constructor,
-  is now deprecated as well.
-
-
- The ``zeek::filesystem`` namespace alias is deprecated in favor of using
-  ``std::filesystem`` directly. Similarly, the ``ghc::filesystem`` submodule stored in
-  ``auxil/filessytem`` has been removed and the files included from it in the Zeek
-  installation will no longer be installed. Builds won't warn about the deprecation of
-  ``zeek::filesystem`` due to limitations of how we can mark deprecations in C++.
-
- The ``zeek::util::starts_with`` and ``zeek::util::ends_with`` functions are deprecated.
-  ``std::string`` and ``std::string_view`` added ``begins_with`` and ``ends_with`` methods
-  in C++ 20, and those should be used instead.
-
- The ``record_type_to_vector`` BIF is deprecated in favor of using the newly ordered
-  ``record_fields`` BIF.
-
-Zeek 7.2.0
-==========
-
-We would like to thank Aashish Sharma (@initconf), Anthony Verez (@netantho), Anthony
-Kasza (@anthonykasza), @biswajitutil, Brendan Kapp (@BrendanKapp), Carlos Lopez, Chris
-Hinshaw (@MMChrisHinshaw), Faan Rossouw (@faanross), @FishyFluffer, Fupeng Zhao
-(@AmazingPP), Herbert (@Herbert-Karl), @jbaggs, Jan Grashöfer (@J-Gras), Julian Krieger
-(@juliankrieger), Justin Azoff (@JustinAzoff), Kshitiz Bartariya (@kshitiz56), @Laotree,
-Mark Overholser (@markoverholser), Mike Dopheide (@dopheide-esnet), @mnhsrj, Mohan Dhawan
-(@Mohan-Dhawan), @philipp-tg, Seth Hall (@sethhall), and @timo-mue for their contributions
-to this release.
-
-Breaking Changes
----------------
-
- The ``is_remote_event()``, ``current_analyzer()`` and ``current_event_time()`` builtin
-  functions do not return the previous event's values anymore when event draining has
-  completed. The same applies to the corresponding C++ accessors on the ``EventMgr``
-  class. The functions now return false, 0 or the zero time instead.
-
- The ``to_int()`` built-in function was changed to match the return behavior of
-  ``to_count()``. Previously, ``to_int()`` would silently ignore invalid inputs and return a
-  ``0``. It now returns an error instead.
-
-New Functionality
-----------------
-
- The following dependencies have had updates:
-
-  - The bundled version of c-ares has been updated to v1.34.5.
-
-  - The bundled version of ZeekJS has been updated to v0.17.0.
-
- Some DNS events are not raised when ``dns_skip_all_addl`` is set to true.  Zeek now
-  raises a warning when a script declares these events while this option is set to true.
-
- Types can now be used as constants in Zeek script. This allows types to be directly
-  passed into BIFs without aliasing.
-
- A new ``enc_part`` field was added to the Kerberos ``KRB_Response`` record passed as
-  part of the ``krb_as_response`` event. This field contains the encrypted session
-  information from a Kerberos response, including the cipher and encrypted data.
-
- Geneve tunnel options of the current packet can be extracted from scripts using the new
-  ``PacketAnalyzer::Geneve::get_options()`` builtin function.
-
- The new ``is_valid_subnet()`` function mirrors ``is_valid_ip()``, for subnets.
-
- A new Storage framework was merged into the Zeek tree. The intention with this framework
-  is to eventually replace the storage functionality that Broker provides, including
-  direct storage via calls such as ``Cluster::create_store`` and ``Broker::put_unique`` as
-  well as storage-backed tables via the ``&backend`` attribute. This is an initial version
-  for testing, and will be expanded upon in the future. The current state of the framework
-  is as follows:
-
-  - A new API was added for storage backend plugins.
-
-  - Script-level functions for opening and closing backends, and insertion, retrieval, and
-    erasure of elements are available.
-
-  - Backends can support both asynchronous mode (using ``when`` statements) and
-    synchronous mode (blocking until the operation completes). BIF methods were added
-    under new ``Storage::Async`` and ``Storage::Sync`` modules for these two modes. The
-    modes can be used interchangeably with the same backend handle.
-
-  - SQLite and Redis backends exist in the Zeek tree by default. We are working on a
-    backend for NATS that will be available as an external plugin, but it is not quite
-    ready yet. Both of the existing backends support usage in a cluster environment.
-
- Improved alternative cluster backend support.
-
-  The ZeroMQ cluster backend added in Zeek 7.1 has received various correctness,
-  performance and robustness fixes, particularly concerning shutdown and high-load
-  scenarios.
-
-  Initial performance testing indicates less CPU time used on a large single node
-  instance with high logging and eventing rates.
-
-  We're evaluating switching the default cluster backend from Broker to ZeroMQ With
-  Zeek 8.1. Therefore, we welcome early adopters and testers to validate ZeroMQ as an
-  alternative to Broker. If you're not using Broker specific integrations (e.g. Broker's
-  Python or C++ bindings) and run a single-node Zeek cluster, switching to ZeroMQ
-  should be as simple as loading the following script on each of cluster node.
-
-	@load frameworks/cluster/backend/zeromq/connect
-
-  A proof-of-concept plugin for the open-source NATS messaging system is available at
-  https://github.com/zeek/zeek-cluster-backend-nats for testing and experimentation.
-
- Broker now exposes more information through ``broker.log``. Broker generated log
-  messages are now propagated as events to Zeek. This allows exposing more information for
-  debugging and operational behavior of Broker via Zeek logs.  Two new script-level
-  options ``Broker::log_severity_level`` and ``Broker::log_stderr_severity_level`` have
-  been introduced to control the which events to expose by default.
-
- Broker's new per-peer send buffer backpressure handling, introduced in 7.1,
-  has received several updates. We've increased the default buffer sizes to 8192
-  messages for both peers and websockets, and switched the default overflow
-  handling policy to "drop_oldest", meaning that in a full buffer the oldest
-  message enqueued gets dropped to allow enqueuing a new one. Three additional
-  metrics are available to understand the health of each peering's buffer,
-  regardless of the overflow policy active. These are:
-
-  - zeek_broker_peer_buffer_messages: a gauge of the current buffer fill level,
-
-  - zeek_broker_peer_buffer_recent_max_messages: a gauge that tracks the maximum
-    buffer fill level seen over the last ``Broker::buffer_stats_reset_interval`.
-
-  - zeek_broker_peer_buffer_overflows_total: a counter that tracks the number
-    of times a given peering's send buffer has overflowed. For the "drop_oldest"
-    and "drop_newest" policies, this is the count of messages dropped.
-
-  Each of these is labeled with the current endpoint and the peer's, as provided
-  by the cluster topology.
-
- New WebSocket functionality was added to Zeek's cluster component.
-
-  Users of Broker's WebSocket interface should replace their ``Broker::listen_websocket()``
-  usage with ``Cluster::listen_websocket()``. The latter will support any cluster
-  backends, while ``Broker::listen_websocket()`` is specific to Broker.
-
-  A crucial difference between these two methods is that ``Cluster::listen_websocket()``
-  will have TLS disabled by default, while Broker usually defaults to TLS enabled.
-  If you require a TLS configuration for your WebSocket deployment, pass an appropriate
-  ``WebSocketTLSOptions`` record or setup a TLS reverse proxy in front of Zeek.
-
-  For WebSocket clients, there should not be an observable difference in behavior
-  regarding the handshake and publishing of events. However, the implementation uses
-  a different code path and supporting library (machinezone/IXWebSocket). If you
-  observe any differences in behavior, please report these as regressions.
-  Note that the new ``Cluster::listen_websocket()`` API will only become stable
-  with Zeek 8.0.
-
-  Two new events, ``Cluster::websocket_client_added()`` and ``Cluster::websocket_client_lost()``,
-  have been added for WebSocket clients connecting and disconnecting. Note that
-  currently, even after ``Cluster::websocket_client_lost()`` ran, events sent from
-  that client may still be in transit and later executed, even on the node running
-  the WebSocket server.
-
- Vectors containing ``pattern`` values can now be compared using ``==`` and ``!=`` in
-  scripts. This previously resulted in a fatal error.
-
- The set of non-routable subnets defined in ``Site::private_address_space`` was expanded
-  to include ``239.0.0.0/8``, ``224.0.0.0/24`, ``[2002:e000::]/40``, ``[2002:ef00::]/24``,
-  and ``[fec0::]/10`. These addresses come from RFCs 2365, 3058, 3879, and 5771. This may
-  result in traffic being considered as local traffic that wasn't previously.
-
- The ``to_count()`` and ``to_int()`` built-in functions now trim trailing spaces passed
-  in the argument. They were already trimming leading spaces.
-
- The ``ip_proto`` field is now populated for a connection encapsulated in a tunnel.
-
- The documentation for ZeekJS is now included in the main Zeek documentation (as seen on
-  https://docs.zeek.org) by default.
-
- Searching for the headers for libkrb5 was made more robust. Additionally, the
-  restrictions on using libkrb5 only on Linux platforms was removed. CMake will now search
-  for it on all platforms as expected.
-
- The HTTP analyzer now checks for the HTTP-name field to be case-insensitive, even though
-  the spec specifies that field must be uppercase. If a non-uppercase string is
-  encountered, a new ``lowercase_HTTP_keyword`` weird is emitted.
-
-Changed Functionality
---------------------
-
- The ``service`` field in the connection log is now sorted in the order that protocol
-  analyzers raise their confirmation events.  Since the time at which the protocol
-  confirmation is raised depends on the individual implementation of each analyzer, there
-  is no specific meaning to the order that the services appear. However, the order should
-  be deterministic between runs. It also will in many cases represent the order in which
-  layered protocols are parsed (e.g. "quic,ssl").
-
- The way that protocol violations are handled by the dynamic protocol detection (DPD)
-  changed. Now, a violation that is raised by an analyzer before it is confirmed will
-  immediately disable the analyzer. This adjusts the behavior back to the historically
-  desired state, and aligns it with the treatment of confirmed analyzers.
-
-  As a consequence of this, the option ``DPD::max_violations`` is no longer used.
-  It will be retained till Zeek 8.1 to prevent script errors, and raises a
-  deprecation warning.
-
-  To extend the visibility of protocol violations, a new option
-  ``DPD::track_removed_services_in_connection`` was added. Enabling it causes failed
-  analyzers to no longer be removed from the ``service`` field of the connection
-  log. Instead, analyzers are never removed after they are confirmed.  Instead, failed
-  analyzers are logged by additionally adding an entry with a prepended "-". So a
-  connection that attached the ``ssl`` analyzer which later failed due to a protocol error
-  will be logged as ``ssl,-ssl``.
-
-  This change also adds a new policy script,
-  ``protocols/conn/failed-service-logging.zeek``. Loading this script adds the column
-  ``failed_service`` to the connection.log. This column contains the list of protocol
-  analyzers that failed due to a protocol error.
-
- Command line options processing will no longer print usage whenever there is an
-  error. Instead, issues in command line processing will print an error, then prompt to
-  use --help. The --help usage will now print to standard output rather than standard
-  error.
-
- Saving seeds with ``--save-seeds`` will now put Zeek into deterministic mode.  A
-  subsequent ``--load-seeds`` run with the same scripts and traces will produce identical
-  UID values as the original ``--save-seeds` run.
-
- The `policy/protocols/dns/detect-external-names.zeek` script now no longer logs names
-  that were found in mDNS broadcasts by default. This is configurable with the new
-  `DNS::skip_resp_host_port_pairs` option.
-
-  Furthermore, the script now supports and logs IPv6 results.
-
- The ``mkdir()``, ``rmdir()``, ``unlink()``, and ``rename()`` functions now trigger
-  reporter warnings instead of builtin errors when hitting trouble. This allows Zeek to
-  continue gracefully in case of such problems, particularly during ``zeek_init()``.
-
- The RDP analyzer now also parses connections that do not contain the cookie field, which
-  were previously rejected.
-
- An enum's zeek::detail::ID instance now holds its ``EnumVal``. For example, looking up
-  the "Conn::LOG" identifier allows to directly query the ``EnumVal`` using
-  ``ID::GetVal()``.
-
- When the send buffer to a Broker peer overflows and the "disconnect" overflow policy is
-  in use, Zeek now only attempts to re-establish peerings when the node observing the
-  overflow originally established the peering. That is, re-peering is now only attempted
-  in consistency with the underlying Broker peering topology. This avoids pointless
-  connection attempts to ephemeral TCP client-side ports, which could clutter the Broker
-  logs.
-
- The connect and listen retry intervals of Broker and the Cluster framework
-  have all been reduced to one second, from previously 30s/60s.
-
- The protocol confirmation for IRC was made more robust. It now checks for valid commands
-  before confirming a connection as IRC.
-
- Packet dumping now properly handles both the inner and outer packets of a tunneled
-  connection, ensuring that the outer packets are always dumped correctly alongside the
-  inner packets.
-
- SSH banner parsing was previously a bit too strict in some ways and too permissive in
-  others. This has been changed to be more robust, now accepting text before the SSH
-  banner starts. This was previously a protocol violation but is actually allowed by the
-  spec. This should help prevent non-ssh traffic on port 22 from causing an ssh.log to be
-  created. A new event called ``ssh_server_pre_banner_data`` was added, and is set When
-  this kind of text data is encountered.
-
- The SNAP analyzer now uses both the OUI and protocol identifier in forwarding
-  decisions. Previously it only used the identifier, which lead to some packets not being
-  handled at all and also not being logged in ``unknown_protocols.log``.
-
- The BIND library is no longer required for building Zeek. It hasn't been required since
-  our switch to use the C-Ares library back in the 5.0 release, but we never removed the
-  requirement from CMake.
-
-Removed Functionality
---------------------
-
- Broker's broker_buffered_messages metric has been removed, since the
-  backpressure handling introduced in 7.1 rendered it obsolete. Use the new
-  per-peering metrics described above instead.
-
-Deprecated Functionality
------------------------
-
- Support for DNS resolution of hostname literals in Zeek scripts has been deprecated. If
-  you've used this feature, use the new ``blocking_lookup_hostname()`` builtin function to
-  populate sets or tables in a ``zeek_init()`` handler, or with top-level statements.
-
- ``Broker::listen_websocket()`` was deprecated in favor of ``Cluster::listen_websocket()`.
-
- The ``Broker::congestion_queue_size`` tunable has had no effect since Zeek 5.0
-  and is slated for removal without replacement.
-
 Zeek 7.1.0
 ==========

@ -838,7 +53,7 @@ New Functionality
    some updates to Zeek's internal DNS resolver due to changes in the c-ares
    API. At least version v1.28.0 is now required to build Zeek.

-  - Python 3.9 is now required for Zeek and all of its associated subprojects.
+  - Python 3.9 is now required for Zeek and all of it's associated subprojects.

 - IP-based connections that were previously not logged due to using an unknown
  IP protocol (e.g. not TCP, UDP, or ICMP) now appear in conn.log. All conn.log
@ -929,7 +144,7 @@ New Functionality
  analyzer used for processing the packet when the event is raised. The
  ``unknown_protocol.log`` file was extended to include this information.

- The MySQL analyzer now generates a ``mysql_change_user()`` event when the user
+- The MySQL analyzer now generates a ``mysql_user_change()`` event when the user
  changes mid-session via the ``COM_USER_CHANGE`` command.

 - The DNS analyzer was extended to support TKEY RRs (RFC 2390). A corresponding
@ -984,7 +199,7 @@ New Functionality

 - Zeek now ships with an experimental Spicy-based SSL analyzer, which is
  disabled by default. This analyzer can be enabled using the
-  ``--enable-spicy-ssl`` configure-time option. The Spicy-based analyzer has
+  ``--enable-spicy-ssl`` conifgure-time option. The Spicy-based analyzer has
  full support for SSL and TLS, just like the current binpac analyzer. It does,
  however, not support any version of DTLS. Enabling it will disable DTLS
  parsing in Zeek.
--- a/4
+++ b/4
@ -3,7 +3,7 @@ The Zeek Network Security Monitor
 =================================

 Zeek is a powerful framework for network traffic analysis and security
-monitoring.
+monitoring. Follow us on Twitter at @zeekurity.

 Key Features
 ============
@ -101,4 +101,4 @@ others.
 [4] https://www.zeek.org/community/index.html
 [5] https://clang.llvm.org/extra/clang-tidy/
 [6] https://scan.coverity.com/projects/bro
-[7] https://pvs-studio.com/en/pvs-studio/?utm_source=github&utm_medium=organic&utm_campaign=open_source
+[7] https://pvs-studio.com/en/pvs-studio/?utm_source=github&utm_medium=organic&utm_campaign=open_source
--- a/README.md
+++ b/README.md
@ -15,15 +15,14 @@ traffic analysis and security monitoring.
 [_Development_](#development) —
 [_License_](#license)

+Follow us on Twitter at [@zeekurity](https://twitter.com/zeekurity).
+
 [![Coverage Status](https://coveralls.io/repos/github/zeek/zeek/badge.svg?branch=master)](https://coveralls.io/github/zeek/zeek?branch=master)
 [![Build Status](https://img.shields.io/cirrus/github/zeek/zeek)](https://cirrus-ci.com/github/zeek/zeek)

 [![Slack](https://img.shields.io/badge/slack-@zeek-brightgreen.svg?logo=slack)](https://zeek.org/slack)
 [![Discourse](https://img.shields.io/discourse/status?server=https%3A%2F%2Fcommunity.zeek.org)](https://community.zeek.org)

-[![Mastodon](https://img.shields.io/badge/mastodon-@zeek@infosec.exchange-brightgreen.svg?logo=mastodon)](https://infosec.exchange/@zeek)
-[![Bluesky](https://img.shields.io/badge/bluesky-@zeek-brightgreen.svg?logo=bluesky)](https://bsky.app/profile/zeek.org)
-
 </h4>


@ -52,7 +51,7 @@ Getting Started

 The best place to find information about getting started with Zeek is
 our web site [www.zeek.org](https://www.zeek.org), specifically the
-[documentation](https://docs.zeek.org/en/stable/index.html) section
+[documentation](https://www.zeek.org/documentation/index.html) section
 there. On the web site you can also find downloads for stable
 releases, tutorials on getting Zeek set up, and many other useful
 resources.
@ -105,9 +104,9 @@ you might find
 [these](https://github.com/zeek/zeek/labels/good%20first%20issue)
 to be a good place to get started. More information on Zeek's
 development can be found
-[here](https://docs.zeek.org/en/current/devel/index.html), and information
+[here](https://www.zeek.org/development/index.html), and information
 about its community and mailing lists (which are fairly active) can be
-found [here](https://www.zeek.org/community/).
+found [here](https://www.zeek.org/community/index.html).

 License
 -------
--- a/SECURITY.md
+++ b/SECURITY.md
@ -1,5 +0,0 @@
-# Security Policy
-
-Zeek's Security Policy is defined on our website at https://zeek.org/security-reporting/
-
-Our Security Release Process is further clarified at https://github.com/zeek/zeek/wiki/Security-Release-Process
--- a/2
+++ b/2
@ -1 +1 @@
-8.1.0-dev.671
+7.1.0
--- a/auxil/bifcl
+++ b/auxil/bifcl
@ -0,0 +1 @@
+Subproject commit 60f6fd2c8a8d274006dfdbedd75272789a59d84b
--- a/auxil/binpac
+++ b/auxil/binpac
@ -0,0 +1 @@
+Subproject commit 965ec030ab2f769a8a9af9fe2fa33de85ce946c0
--- a/auxil/broker
+++ b/auxil/broker
@ -1 +1 @@
-Subproject commit 06d491943f4bee6c2d1e17a5c7c31836d725273d
+Subproject commit 5847b2a5458d03d56654e19b6b51a182476d36e5
--- a/auxil/btest
+++ b/auxil/btest
@ -1 +1 @@
-Subproject commit 8c0fbfd74325b6c9be022a98bcd414b6f103d09e
+Subproject commit 9590947dc1d4e8096af21e344311c6b1d188d197
--- a/auxil/c-ares
+++ b/auxil/c-ares
@ -1 +1 @@
-Subproject commit d3a507e920e7af18a5efb7f9f1d8044ed4750013
+Subproject commit a57ff692eeab8d21c853dc1ddaf0164f517074c3
--- a/auxil/expected-lite
+++ b/auxil/expected-lite
@ -1 +0,0 @@
-Subproject commit f339d2f73730f8fee4412f5e4938717866ecef48
--- a/auxil/filesystem
+++ b/auxil/filesystem
@ -0,0 +1 @@
+Subproject commit 72a76d774e4c7c605141fd6d11c33cc211209ed9
--- a/auxil/gen-zam
+++ b/auxil/gen-zam
@ -0,0 +1 @@
+Subproject commit 517bf6a5c8dc6afdee2b854d575dbdd15736afc5
--- a/auxil/libkqueue
+++ b/auxil/libkqueue
@ -1 +1 @@
-Subproject commit ea30540c77679ced3ce7886199384e8743628921
+Subproject commit 10d93cff9fd6c8d8c3e0bae58312aed470843ff8
--- a/auxil/libunistd
+++ b/auxil/libunistd
@ -1 +1 @@
-Subproject commit 7e3670aa1f6ab7623a87ff1e770f7f6b5a1c59f1
+Subproject commit b38e9c8ebff08959a712a5663ba25e0624a3af00
--- a/auxil/package-manager
+++ b/auxil/package-manager
@ -1 +1 @@
-Subproject commit ad301651ad0a7426757f8bc94cfc8e8cd98451a8
+Subproject commit ab6aff89296d11363427beab34f88258c0abd467
--- a/auxil/paraglob
+++ b/auxil/paraglob
@ -1 +1 @@
-Subproject commit 4505c4323283b56ea59935210e105da26ab7bb0b
+Subproject commit 45ce017874aac9ffabac0ddc4d016f1747804234
--- a/auxil/spicy
+++ b/auxil/spicy
@ -1 +1 @@
-Subproject commit 7635e113080be6fc20cb308636c8c38565c95c8a
+Subproject commit 0e1959acaeb17eceeeb2f03e9c2f8b9240c785e1
--- a/auxil/vcpkg
+++ b/auxil/vcpkg
@ -1 +1 @@
-Subproject commit ce613c41372b23b1f51333815feb3edd87ef8a8b
+Subproject commit fb5e0ed3b3632abbd889ccd8579b76cf980d88c1
--- a/auxil/zeek-af_packet-plugin
+++ b/auxil/zeek-af_packet-plugin
@ -0,0 +1 @@
+Subproject commit a3fe59b3f1ded5c3461995134b66c6db182fa56f
--- a/auxil/zeek-aux
+++ b/auxil/zeek-aux
@ -1 +1 @@
-Subproject commit 3c5eb9be55a1055c8798f925e2497e57915702d0
+Subproject commit 5e67276aa7544d96c4092ac6e1d3fdeec17df01d
--- a/auxil/zeek-client
+++ b/auxil/zeek-client
@ -1 +1 @@
-Subproject commit 16849ca3ec2f8637e3f8ef8ee27e2c279724387f
+Subproject commit 0aa6f278e8873cea02171e08224084990d0c9a4f
--- a/auxil/zeekctl
+++ b/auxil/zeekctl
@ -1 +1 @@
-Subproject commit 485abcad45daeea6d09680e5fc7d29e97d2e3fbe
+Subproject commit c469297bed62674be53071d5276255ba7dd904cb
--- a/auxil/zeekjs
+++ b/auxil/zeekjs
@ -1 +1 @@
-Subproject commit e5985abfffc1ef5ead3a0bab196fa5d86bc5276f
+Subproject commit 79b0c2126fa0178dbc2e37536588fcd1db9f4443
--- a/ci/alpine/Dockerfile
+++ b/ci/alpine/Dockerfile
@ -2,7 +2,7 @@ FROM alpine:latest

 # A version field to invalidate Cirrus's build cache when needed, as suggested in
 # https://github.com/cirruslabs/cirrus-ci-docs/issues/544#issuecomment-566066822
-ENV DOCKERFILE_VERSION=20250905
+ENV DOCKERFILE_VERSION 20241024

 RUN apk add --no-cache \
  bash \
@ -23,13 +23,13 @@ RUN apk add --no-cache \
  linux-headers \
  make \
  openssh-client \
-  openssl \
  openssl-dev \
  procps \
  py3-pip \
+  py3-websockets \
  python3 \
  python3-dev \
  swig \
  zlib-dev

-RUN pip3 install --break-system-packages websockets junit2html
+RUN pip3 install --break-system-packages junit2html
--- a/ci/centos-stream-10/Dockerfile
+++ b/ci/centos-stream-10/Dockerfile
@ -1,49 +0,0 @@
-FROM quay.io/centos/centos:stream10
-
-# A version field to invalidate Cirrus's build cache when needed, as suggested in
-# https://github.com/cirruslabs/cirrus-ci-docs/issues/544#issuecomment-566066822
-ENV DOCKERFILE_VERSION=20250905
-
-# dnf config-manager isn't available at first, and
-# we need it to install the CRB repo below.
-RUN dnf -y install 'dnf-command(config-manager)'
-
-# What used to be powertools is now called "CRB".
-# We need it for some of the packages installed below.
-# https://docs.fedoraproject.org/en-US/epel/
-RUN dnf config-manager --set-enabled crb
-RUN dnf -y install \
-    https://dl.fedoraproject.org/pub/epel/epel-release-latest-10.noarch.rpm
-
-# The --nobest flag is hopefully temporary. Without it we currently hit
-# package versioning conflicts around OpenSSL.
-RUN dnf -y --nobest install \
-    bison \
-    ccache \
-    cmake \
-    cppzmq-devel \
-    diffutils \
-    flex \
-    gcc \
-    gcc-c++ \
-    git \
-    jq \
-    libpcap-devel \
-    make \
-    openssl \
-    openssl-devel \
-    procps-ng \
-    python3 \
-    python3-devel \
-    python3-pip\
-    sqlite \
-    swig \
-    tar \
-    which \
-    zlib-devel \
-  && dnf clean all && rm -rf /var/cache/dnf
-
-# Set the crypto policy to allow SHA-1 certificates - which we have in our tests
-RUN dnf -y --nobest install crypto-policies-scripts && update-crypto-policies --set LEGACY
-
-RUN pip3 install websockets junit2html
--- a/ci/centos-stream-9/Dockerfile
+++ b/ci/centos-stream-9/Dockerfile
@ -2,7 +2,7 @@ FROM quay.io/centos/centos:stream9

 # A version field to invalidate Cirrus's build cache when needed, as suggested in
 # https://github.com/cirruslabs/cirrus-ci-docs/issues/544#issuecomment-566066822
-ENV DOCKERFILE_VERSION=20250905
+ENV DOCKERFILE_VERSION 20241024

 # dnf config-manager isn't available at first, and
 # we need it to install the CRB repo below.
@ -34,9 +34,9 @@ RUN dnf -y --nobest install \
    openssl \
    openssl-devel \
    procps-ng \
-    python3.13 \
-    python3.13-devel \
-    python3.13-pip\
+    python3 \
+    python3-devel \
+    python3-pip\
    sqlite \
    swig \
    tar \
@ -47,8 +47,4 @@ RUN dnf -y --nobest install \
 # Set the crypto policy to allow SHA-1 certificates - which we have in our tests
 RUN dnf -y --nobest install crypto-policies-scripts && update-crypto-policies --set LEGACY

-# Override the default python3.9 installation paths with 3.13
-RUN alternatives --install /usr/bin/python3 python3 /usr/bin/python3.13 10
-RUN alternatives --install /usr/bin/pip3 pip3 /usr/bin/pip3.13 10
-
 RUN pip3 install websockets junit2html
--- a/ci/debian-11/Dockerfile
+++ b/ci/debian-11/Dockerfile
@ -1,36 +1,32 @@
-FROM debian:13
+FROM debian:11

 ENV DEBIAN_FRONTEND="noninteractive" TZ="America/Los_Angeles"

 # A version field to invalidate Cirrus's build cache when needed, as suggested in
 # https://github.com/cirruslabs/cirrus-ci-docs/issues/544#issuecomment-566066822
-ENV DOCKERFILE_VERSION=20250905
+ENV DOCKERFILE_VERSION 20241024

 RUN apt-get update && apt-get -y install \
    bison \
    bsdmainutils \
    ccache \
    cmake \
-    cppzmq-dev \
    curl \
-    dnsmasq \
    flex \
    g++ \
    gcc \
    git \
    jq \
    libkrb5-dev \
-    libnats-dev \
    libnode-dev \
    libpcap-dev \
-    librdkafka-dev \
    libssl-dev \
    libuv1-dev \
+    libzmq3-dev \
    make \
    python3 \
    python3-dev \
    python3-pip\
-    python3-websockets \
    sqlite3 \
    swig \
    wget \
@ -39,6 +35,4 @@ RUN apt-get update && apt-get -y install \
  && apt autoclean \
  && rm -rf /var/lib/apt/lists/*

-# Debian trixie really doesn't like using pip to install system wide stuff, but
-# doesn't seem there's a python3-junit2html package, so not sure what we'd break.
-RUN pip3 install --break-system-packages junit2html
+RUN pip3 install websockets junit2html
--- a/ci/debian-12/Dockerfile
+++ b/ci/debian-12/Dockerfile
@ -4,7 +4,7 @@ ENV DEBIAN_FRONTEND="noninteractive" TZ="America/Los_Angeles"

 # A version field to invalidate Cirrus's build cache when needed, as suggested in
 # https://github.com/cirruslabs/cirrus-ci-docs/issues/544#issuecomment-566066822
-ENV DOCKERFILE_VERSION=20250905
+ENV DOCKERFILE_VERSION 20241024

 RUN apt-get update && apt-get -y install \
    bison \
@ -20,16 +20,15 @@ RUN apt-get update && apt-get -y install \
    git \
    jq \
    libkrb5-dev \
-    libnats-dev \
    libnode-dev \
    libpcap-dev \
-    librdkafka-dev \
    libssl-dev \
    libuv1-dev \
    make \
    python3 \
    python3-dev \
    python3-pip\
+    python3-websockets \
    sqlite3 \
    swig \
    wget \
@ -40,4 +39,4 @@ RUN apt-get update && apt-get -y install \

 # Debian bookworm really doesn't like using pip to install system wide stuff, but
 # doesn't seem there's a python3-junit2html package, so not sure what we'd break.
-RUN pip3 install --break-system-packages websockets junit2html
+RUN pip3 install --break-system-packages junit2html
--- a/ci/fedora-40/Dockerfile
+++ b/ci/fedora-40/Dockerfile
@ -1,8 +1,8 @@
-FROM fedora:42
+FROM fedora:40

 # A version field to invalidate Cirrus's build cache when needed, as suggested in
 # https://github.com/cirruslabs/cirrus-ci-docs/issues/544#issuecomment-566066822
-ENV DOCKERFILE_VERSION=20250905
+ENV DOCKERFILE_VERSION 20241024

 RUN dnf -y install \
    bison \
@ -10,9 +10,8 @@ RUN dnf -y install \
    cmake \
    cppzmq-devel \
    diffutils \
-    findutils \
+    dnsmasq \
    flex \
-    gawk \
    gcc \
    gcc-c++ \
    git \
@ -23,14 +22,12 @@ RUN dnf -y install \
    openssl \
    openssl-devel \
    procps-ng \
-    python3 \
    python3-devel \
    python3-pip\
    sqlite \
    swig \
    which \
    zlib-devel \
-    crypto-policies-scripts \
  && dnf clean all && rm -rf /var/cache/dnf

 RUN pip3 install websockets junit2html
--- a/ci/fedora-41/Dockerfile
+++ b/ci/fedora-41/Dockerfile
@ -2,7 +2,7 @@ FROM fedora:41

 # A version field to invalidate Cirrus's build cache when needed, as suggested in
 # https://github.com/cirruslabs/cirrus-ci-docs/issues/544#issuecomment-566066822
-ENV DOCKERFILE_VERSION=20250905
+ENV DOCKERFILE_VERSION 20241115

 RUN dnf -y install \
    bison \
@ -33,3 +33,7 @@ RUN dnf -y install \
  && dnf clean all && rm -rf /var/cache/dnf

 RUN pip3 install websockets junit2html
+
+# Required to allow validation of certificates with SHA1 signatures
+# See: https://fedoraproject.org/wiki/Changes/OpenSSLDistrustSHA1SigVer
+RUN update-crypto-policies --set FEDORA40
--- a/ci/freebsd/prepare.sh
+++ b/ci/freebsd/prepare.sh
@ -6,7 +6,7 @@ set -e
 set -x

 env ASSUME_ALWAYS_YES=YES pkg bootstrap
-pkg install -y bash cppzmq git cmake-core swig bison python3 base64 flex ccache jq dnsmasq krb5
+pkg install -y bash cppzmq git cmake swig bison python3 base64 flex ccache jq dnsmasq
 pkg upgrade -y curl
 pyver=$(python3 -c 'import sys; print(f"py{sys.version_info[0]}{sys.version_info[1]}")')
 pkg install -y $pyver-sqlite3
--- a/ci/init-external-repos.sh
+++ b/ci/init-external-repos.sh
@ -51,9 +51,9 @@ if [[ -n "${CIRRUS_CI}" ]] && [[ "${CIRRUS_REPO_OWNER}" == "zeek" ]] && [[ ! -d

    banner "Trying to clone zeek-testing-private git repo"
    echo "${ZEEK_TESTING_PRIVATE_SSH_KEY}" >cirrus_key.b64
-    if [[ "${CIRRUS_TASK_NAME}" =~ ^macos_ ]]; then
-        # The base64 command provided with macOS requires an argument
-        # to pass the input filename, while -i elsewhere is "ignore garbage".
+    if [ "${CIRRUS_TASK_NAME}" == "macos_ventura" -o "${CIRRUS_TASK_NAME}" == "macos_sonoma" ]; then
+        # The base64 command provided with macOS Ventura/Sonoma requires an argument
+        # to pass the input filename
        base64 -d -i cirrus_key.b64 >cirrus_key
    else
        base64 -d cirrus_key.b64 >cirrus_key
--- a/ci/license-header.py
+++ b/ci/license-header.py
@ -5,15 +5,20 @@ import sys

 exit_code = 0

-copyright_pat = re.compile(
+pat1 = re.compile(
    r"See the file \"COPYING\" in the main distribution directory for copyright."
 )

+# This is the copyright line used within Spicy plugin and popular in
+# Spicy analyzers.
+pat2 = re.compile(r"Copyright \(c\) 2... by the Zeek Project. See COPYING for details.")
+

 def match_line(line):
-    m = copyright_pat.search(line)
-    if m is not None:
-        return True
+    for pat in [pat1, pat2]:
+        m = pat.search(line)
+        if m is not None:
+            return True

    return False

--- a/ci/macos/prepare.sh
+++ b/ci/macos/prepare.sh
@ -7,9 +7,10 @@ set -x

 brew update
 brew upgrade cmake
-brew install cppzmq openssl@3 python@3 swig bison flex ccache libmaxminddb dnsmasq krb5
+brew install cppzmq openssl@3 swig bison flex ccache libmaxminddb dnsmasq

-which python3
-python3 --version
+if [ $(sw_vers -productVersion | cut -d '.' -f 1) -lt 14 ]; then
+    python3 -m pip install --upgrade pip
+fi

 python3 -m pip install --user --break-system-packages websockets
--- a/ci/opensuse-leap-15.5/Dockerfile
+++ b/ci/opensuse-leap-15.5/Dockerfile
@ -0,0 +1,42 @@
+FROM opensuse/leap:15.5
+
+# A version field to invalidate Cirrus's build cache when needed, as suggested in
+# https://github.com/cirruslabs/cirrus-ci-docs/issues/544#issuecomment-566066822
+ENV DOCKERFILE_VERSION 20241024
+
+RUN zypper addrepo https://download.opensuse.org/repositories/openSUSE:Leap:15.5:Update/standard/openSUSE:Leap:15.5:Update.repo \
+ && zypper refresh \
+ && zypper in -y \
+    bison \
+    ccache \
+    cmake \
+    cppzmq-devel \
+    curl \
+    flex \
+    gcc12 \
+    gcc12-c++ \
+    git \
+    gzip \
+    jq \
+    libopenssl-devel \
+    libpcap-devel \
+    make \
+    openssh \
+    procps \
+    python311 \
+    python311-devel \
+    python311-pip \
+    swig \
+    tar \
+    which \
+    zlib-devel \
+  && rm -rf /var/cache/zypp
+
+RUN update-alternatives --install /usr/bin/pip3 pip3 /usr/bin/pip3.11 100
+RUN update-alternatives --install /usr/bin/python3 python3 /usr/bin/python3.11 100
+RUN update-alternatives --install /usr/bin/python3-config python3-config /usr/bin/python3.11-config 100
+
+RUN pip3 install websockets junit2html
+
+RUN update-alternatives --install /usr/bin/cc cc /usr/bin/gcc-12 100
+RUN update-alternatives --install /usr/bin/c++ c++ /usr/bin/g++-12 100
--- a/ci/opensuse-leap-15.6/Dockerfile
+++ b/ci/opensuse-leap-15.6/Dockerfile
@ -2,7 +2,7 @@ FROM opensuse/leap:15.6

 # A version field to invalidate Cirrus's build cache when needed, as suggested in
 # https://github.com/cirruslabs/cirrus-ci-docs/issues/544#issuecomment-566066822
-ENV DOCKERFILE_VERSION=20250905
+ENV DOCKERFILE_VERSION 20241024

 RUN zypper addrepo https://download.opensuse.org/repositories/openSUSE:Leap:15.6:Update/standard/openSUSE:Leap:15.6:Update.repo \
 && zypper refresh \
--- a/ci/opensuse-tumbleweed/Dockerfile
+++ b/ci/opensuse-tumbleweed/Dockerfile
@ -2,7 +2,7 @@ FROM opensuse/tumbleweed

 # A version field to invalidate Cirrus's build cache when needed, as suggested in
 # https://github.com/cirruslabs/cirrus-ci-docs/issues/544#issuecomment-566066822
-ENV DOCKERFILE_VERSION=20250905
+ENV DOCKERFILE_VERSION 20241024

 # Remove the repo-openh264 repository, it caused intermittent issues
 # and we should not be needing any packages from it.
@ -32,6 +32,7 @@ RUN zypper refresh \
    python3 \
    python3-devel \
    python3-pip \
+    python3-websockets \
    swig \
    tar \
    util-linux \
@ -39,4 +40,4 @@ RUN zypper refresh \
    zlib-devel \
  && rm -rf /var/cache/zypp

-RUN pip3 install --break-system-packages websockets junit2html
+RUN pip3 install --break-system-packages junit2html
--- a/ci/opensuse-tumbleweed/prepare-weekly.sh
+++ b/ci/opensuse-tumbleweed/prepare-weekly.sh
@ -1,27 +0,0 @@
-#!/bin/sh
-
-zypper refresh
-zypper patch -y --with-update --with-optional
-
-LATEST_VERSION=$(zypper search -n ${ZEEK_CI_COMPILER} |
-    awk -F "|" "match(\$2, / ${ZEEK_CI_COMPILER}([0-9]{2})[^-]/, a) {print a[1]}" |
-    sort | tail -1)
-
-echo "Installing ${ZEEK_CI_COMPILER} ${LATEST_VERSION}"
-
-zypper install -y "${ZEEK_CI_COMPILER}${LATEST_VERSION}"
-
-if [ "${ZEEK_CI_COMPILER}" == "gcc" ]; then
-    zypper install -y "${ZEEK_CI_COMPILER}${LATEST_VERSION}-c++"
-fi
-
-update-alternatives --install /usr/bin/cc cc "/usr/bin/${ZEEK_CI_COMPILER}-${LATEST_VERSION}" 100
-update-alternatives --set cc "/usr/bin/${ZEEK_CI_COMPILER}-${LATEST_VERSION}"
-
-if [ "${ZEEK_CI_COMPILER}" == "gcc" ]; then
-    update-alternatives --install /usr/bin/c++ c++ "/usr/bin/g++-${LATEST_VERSION}" 100
-    update-alternatives --set c++ "/usr/bin/g++-${LATEST_VERSION}"
-else
-    update-alternatives --install /usr/bin/c++ c++ "/usr/bin/clang++-${LATEST_VERSION}" 100
-    update-alternatives --set c++ "/usr/bin/clang++-${LATEST_VERSION}"
-fi
--- a/ci/test.sh
+++ b/ci/test.sh
@ -7,13 +7,6 @@
 result=0
 BTEST=$(pwd)/auxil/btest/btest

-# Due to issues with DNS lookups on macOS, one of the Cirrus support people recommended we
-# run our tests as root. See https://github.com/cirruslabs/cirrus-ci-docs/issues/1302 for
-# more details.
-if [[ "${CIRRUS_OS}" == "darwin" ]]; then
-    BTEST="sudo ${BTEST}"
-fi
-
 if [[ -z "${CIRRUS_CI}" ]]; then
    # Set default values to use in place of env. variables set by Cirrus CI.
    ZEEK_CI_CPUS=1
--- a/ci/ubuntu-20.04/Dockerfile
+++ b/ci/ubuntu-20.04/Dockerfile
@ -0,0 +1,40 @@
+FROM ubuntu:20.04
+
+ENV DEBIAN_FRONTEND="noninteractive" TZ="America/Los_Angeles"
+
+# A version field to invalidate Cirrus's build cache when needed, as suggested in
+# https://github.com/cirruslabs/cirrus-ci-docs/issues/544#issuecomment-566066822
+ENV DOCKERFILE_VERSION 20241024
+
+RUN apt-get update && apt-get -y install \
+    bc \
+    bison \
+    bsdmainutils \
+    ccache \
+    cmake \
+    curl \
+    flex \
+    g++ \
+    gcc \
+    git \
+    jq \
+    lcov \
+    libkrb5-dev \
+    libmaxminddb-dev \
+    libpcap-dev \
+    libssl-dev \
+    libzmq3-dev \
+    make \
+    python3.9 \
+    python3.9-dev \
+    python3-pip\
+    ruby \
+    sqlite3 \
+    swig \
+    unzip \
+    wget \
+    zlib1g-dev \
+  && apt autoclean \
+  && rm -rf /var/lib/apt/lists/*
+
+RUN pip3 install websockets junit2html
--- a/ci/ubuntu-22.04/Dockerfile
+++ b/ci/ubuntu-22.04/Dockerfile
@ -4,7 +4,7 @@ ENV DEBIAN_FRONTEND="noninteractive" TZ="America/Los_Angeles"

 # A version field to invalidate Cirrus's build cache when needed, as suggested in
 # https://github.com/cirruslabs/cirrus-ci-docs/issues/544#issuecomment-566066822
-ENV DOCKERFILE_VERSION=20250905
+ENV DOCKERFILE_VERSION 20241024

 RUN apt-get update && apt-get -y install \
    bc \
--- a/ci/ubuntu-24.04/Dockerfile
+++ b/ci/ubuntu-24.04/Dockerfile
@ -4,16 +4,15 @@ ENV DEBIAN_FRONTEND="noninteractive" TZ="America/Los_Angeles"

 # A version field to invalidate Cirrus's build cache when needed, as suggested in
 # https://github.com/cirruslabs/cirrus-ci-docs/issues/544#issuecomment-566066822
-ENV DOCKERFILE_VERSION=20250905
+ENV DOCKERFILE_VERSION 20241024

 RUN apt-get update && apt-get -y install \
    bc \
    bison \
    bsdmainutils \
    ccache \
-    clang-19 \
-    clang++-19 \
-    clang-tidy-19 \
+    clang-18 \
+    clang++-18 \
    cmake \
    cppzmq-dev \
    curl \
@ -25,17 +24,14 @@ RUN apt-get update && apt-get -y install \
    jq \
    lcov \
    libkrb5-dev \
-    libhiredis-dev \
    libmaxminddb-dev \
    libpcap-dev \
    libssl-dev \
    make \
    python3 \
    python3-dev \
-    python3-git \
    python3-pip \
-    python3-semantic-version \
-    redis-server \
+    python3-websockets \
    ruby \
    sqlite3 \
    swig \
@ -47,13 +43,9 @@ RUN apt-get update && apt-get -y install \
  && apt autoclean \
  && rm -rf /var/lib/apt/lists/*

-RUN pip3 install --break-system-packages websockets junit2html
+RUN pip3 install --break-system-packages junit2html
 RUN gem install coveralls-lcov

-# Ubuntu installs clang versions with the binaries having the version number
-# appended. Create a symlink for clang-tidy so cmake finds it correctly.
-RUN update-alternatives --install /usr/bin/clang-tidy clang-tidy /usr/bin/clang-tidy-19 1000
-
 # Download a newer pre-built ccache version that recognizes -fprofile-update=atomic
 # which is used when building with --coverage.
 #
--- a/ci/ubuntu-24.10/Dockerfile
+++ b/ci/ubuntu-24.10/Dockerfile
@ -1,10 +1,10 @@
-FROM ubuntu:25.04
+FROM ubuntu:24.10

 ENV DEBIAN_FRONTEND="noninteractive" TZ="America/Los_Angeles"

 # A version field to invalidate Cirrus's build cache when needed, as suggested in
 # https://github.com/cirruslabs/cirrus-ci-docs/issues/544#issuecomment-566066822
-ENV DOCKERFILE_VERSION=20250905
+ENV DOCKERFILE_VERSION 20241115

 RUN apt-get update && apt-get -y install \
    bc \
@ -31,6 +31,7 @@ RUN apt-get update && apt-get -y install \
    python3 \
    python3-dev \
    python3-pip \
+    python3-websockets \
    ruby \
    sqlite3 \
    swig \
@ -42,5 +43,5 @@ RUN apt-get update && apt-get -y install \
  && apt autoclean \
  && rm -rf /var/lib/apt/lists/*

-RUN pip3 install --break-system-packages websockets junit2html
+RUN pip3 install --break-system-packages junit2html
 RUN gem install coveralls-lcov
--- a/ci/update-zeekygen-docs.sh
+++ b/ci/update-zeekygen-docs.sh
@ -28,7 +28,7 @@ cd $build_dir
 export ZEEK_SEED_FILE=$source_dir/testing/btest/random.seed

 function run_zeek {
-    ZEEK_ALLOW_INIT_ERRORS=1 zeek -X $conf_file zeekygen
+    ZEEK_ALLOW_INIT_ERRORS=1 zeek -X $conf_file zeekygen >/dev/null

    if [ $? -ne 0 ]; then
        echo "Failed running zeek with zeekygen config file $conf_file" >&2
--- a/ci/windows/Dockerfile
+++ b/ci/windows/Dockerfile
@ -5,7 +5,7 @@ SHELL [ "powershell" ]

 # A version field to invalidatea Cirrus's build cache when needed, as suggested in
 # https://github.com/cirruslabs/cirrus-ci-docs/issues/544#issuecomment-566066822
-ENV DOCKERFILE_VERSION=20250905
+ENV DOCKERFILE_VERSION 20230801

 RUN Set-ExecutionPolicy Unrestricted -Force

@ -14,8 +14,8 @@ RUN [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePoin
    iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))

 # Install prerequisites
-RUN choco install -y --no-progress visualstudio2022buildtools --version=117.14.1
-RUN choco install -y --no-progress visualstudio2022-workload-vctools --version=1.0.0 --package-parameters '--add Microsoft.VisualStudio.Component.VC.ATLMFC'
+RUN choco install -y --no-progress visualstudio2019buildtools --version=16.11.11.0
+RUN choco install -y --no-progress visualstudio2019-workload-vctools --version=1.0.0 --package-parameters '--add Microsoft.VisualStudio.Component.VC.ATLMFC'
 RUN choco install -y --no-progress sed
 RUN choco install -y --no-progress winflexbison3
 RUN choco install -y --no-progress msysgit
@ -30,4 +30,4 @@ RUN mkdir C:\build
 WORKDIR C:\build

 # This entry point starts the developer command prompt and launches the PowerShell shell.
-ENTRYPOINT ["C:\\Program Files (x86)\\Microsoft Visual Studio\\2022\\BuildTools\\Common7\\Tools\\VsDevCmd.bat", "-arch=x64", "&&", "powershell.exe", "-NoLogo", "-ExecutionPolicy", "Unrestricted"]
+ENTRYPOINT ["C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\BuildTools\\Common7\\Tools\\VsDevCmd.bat", "-arch=x64", "&&", "powershell.exe", "-NoLogo", "-ExecutionPolicy", "Unrestricted"]
--- a/ci/windows/build.cmd
+++ b/ci/windows/build.cmd
@ -2,7 +2,7 @@
 :: cmd current shell. This path is hard coded to the one on the CI image, but
 :: can be adjusted if running builds locally. Unfortunately, the initial path
 :: isn't in the environment so we have to hardcode the whole path.
-call "c:\Program Files (x86)\Microsoft Visual Studio\2022\BuildTools\VC\Auxiliary\Build\vcvarsall.bat" x86_amd64
+call "c:\Program Files (x86)\Microsoft Visual Studio\2019\BuildTools\VC\Auxiliary\Build\vcvarsall.bat" x86_amd64

 mkdir build
 cd build
--- a/ci/windows/test.cmd
+++ b/ci/windows/test.cmd
@ -1,5 +1,5 @@
 :: See build.cmd for documentation on this call.
-call "c:\Program Files (x86)\Microsoft Visual Studio\2022\BuildTools\VC\Auxiliary\Build\vcvarsall.bat" x86_amd64
+call "c:\Program Files (x86)\Microsoft Visual Studio\2019\BuildTools\VC\Auxiliary\Build\vcvarsall.bat" x86_amd64

 cd build

--- a/2
+++ b/2
@ -1 +1 @@
-Subproject commit d51c6990446cf70cb9c01bca17dad171a1db05d3
+Subproject commit 85c6f90f238b5851edbd6b6962f44de34833a76c
--- a/cmake_templates/zeek-config-paths.h.in
+++ b/cmake_templates/zeek-config-paths.h.in
@ -2,9 +2,10 @@

 #pragma once

-constexpr char ZEEK_SCRIPT_INSTALL_PATH[] = "@ZEEK_SCRIPT_INSTALL_PATH@";
-constexpr char ZEEK_PLUGIN_INSTALL_PATH[] = "@ZEEK_PLUGIN_DIR@";
-constexpr char DEFAULT_ZEEKPATH[] = "@DEFAULT_ZEEKPATH@";
-constexpr char ZEEK_SPICY_MODULE_PATH[] = "@ZEEK_SPICY_MODULE_PATH@";
-constexpr char ZEEK_SPICY_LIBRARY_PATH[] = "@ZEEK_SPICY_LIBRARY_PATH@";
-constexpr char ZEEK_SPICY_DATA_PATH[] = "@ZEEK_SPICY_DATA_PATH@";
+#define ZEEK_SCRIPT_INSTALL_PATH "@ZEEK_SCRIPT_INSTALL_PATH@"
+#define BRO_PLUGIN_INSTALL_PATH "@ZEEK_PLUGIN_DIR@"
+#define ZEEK_PLUGIN_INSTALL_PATH "@ZEEK_PLUGIN_DIR@"
+#define DEFAULT_ZEEKPATH "@DEFAULT_ZEEKPATH@"
+#define ZEEK_SPICY_MODULE_PATH "@ZEEK_SPICY_MODULE_PATH@"
+#define ZEEK_SPICY_LIBRARY_PATH "@ZEEK_SPICY_LIBRARY_PATH@"
+#define ZEEK_SPICY_DATA_PATH "@ZEEK_SPICY_DATA_PATH@"
--- a/cmake_templates/zeek-config.h.in
+++ b/cmake_templates/zeek-config.h.in
@ -1,6 +1,4 @@
 // See the file "COPYING" in the main distribution directory for copyright.
-// NOLINTBEGIN(modernize-macro-to-enum)
-// NOLINTBEGIN(cppcoreguidelines-macro-usage)

 #pragma once

@ -308,6 +306,3 @@

 /* compiled with Spicy support */
 #cmakedefine HAVE_SPICY
-
-// NOLINTEND(cppcoreguidelines-macro-usage)
-// NOLINTEND(modernize-macro-to-enum)
--- a/34
+++ b/34
@ -70,10 +70,6 @@ Usage: $0 [OPTION]... [VAR=VALUE]...
    --enable-werror        build with -Werror
    --enable-ZAM-profiling build with ZAM profiling enabled (--enable-debug implies this)
    --enable-spicy-ssl     build with spicy SSL/TLS analyzer (conflicts with --disable-spicy)
-    --enable-iwyu          build with include-what-you-use enabled for the main Zeek target.
-                           Requires include-what-you-use binary to be in the PATH.
-    --enable-clang-tidy    build with clang-tidy enabled for the main Zeek target.
-                           Requires clang-tidy binary to be in the PATH.
    --disable-af-packet    don't include native AF_PACKET support (Linux only)
    --disable-auxtools     don't build or install auxiliary tools
    --disable-broker-tests don't try to build Broker unit tests
@ -90,9 +86,16 @@ Usage: $0 [OPTION]... [VAR=VALUE]...
    --disable-zkg          don't install zkg

  Required Packages in Non-Standard Locations:
+    --with-bifcl=PATH      path to Zeek BIF compiler executable
+                           (useful for cross-compiling)
+    --with-bind=PATH       path to BIND install root
+    --with-binpac=PATH     path to BinPAC executable
+                           (useful for cross-compiling)
    --with-bison=PATH      path to bison executable
    --with-broker=PATH     path to Broker install root
                           (Zeek uses an embedded version by default)
+    --with-gen-zam=PATH    path to Gen-ZAM code generator
+                           (Zeek uses an embedded version by default)
    --with-flex=PATH       path to flex executable
    --with-libkqueue=PATH  path to libkqueue install root
                           (Zeek uses an embedded version by default)
@ -312,15 +315,12 @@ while [ $# -ne 0 ]; do
        --enable-spicy-ssl)
            append_cache_entry ENABLE_SPICY_SSL BOOL true
            ;;
-        --enable-iwyu)
-            append_cache_entry ENABLE_IWYU BOOL true
-            ;;
-        --enable-clang-tidy)
-            append_cache_entry ENABLE_CLANG_TIDY BOOL true
-            ;;
        --disable-af-packet)
            append_cache_entry DISABLE_AF_PACKET BOOL true
            ;;
+        --disable-archiver)
+            has_disable_archiver=1
+            ;;
        --disable-auxtools)
            append_cache_entry INSTALL_AUX_TOOLS BOOL false
            ;;
@ -361,9 +361,15 @@ while [ $# -ne 0 ]; do
        --disable-zkg)
            append_cache_entry INSTALL_ZKG BOOL false
            ;;
+        --with-bifcl=*)
+            append_cache_entry BIFCL_EXE_PATH PATH $optarg
+            ;;
        --with-bind=*)
            append_cache_entry BIND_ROOT_DIR PATH $optarg
            ;;
+        --with-binpac=*)
+            append_cache_entry BINPAC_EXE_PATH PATH $optarg
+            ;;
        --with-bison=*)
            append_cache_entry BISON_EXECUTABLE PATH $optarg
            ;;
@ -376,6 +382,9 @@ while [ $# -ne 0 ]; do
        --with-flex=*)
            append_cache_entry FLEX_EXECUTABLE PATH $optarg
            ;;
+        --with-gen-zam=*)
+            append_cache_entry GEN_ZAM_EXE_PATH PATH $optarg
+            ;;
        --with-geoip=*)
            append_cache_entry LibMMDB_ROOT_DIR PATH $optarg
            ;;
@ -491,3 +500,8 @@ eval ${cmake} 2>&1
 echo "# This is the command used to configure this build" >config.status
 echo $command >>config.status
 chmod u+x config.status
+
+if [ $has_disable_archiver -eq 1 ]; then
+    echo
+    echo "NOTE: The --disable-archiver argument no longer has any effect and will be removed in v7.1. zeek-archiver is now part of zeek-aux, so consider --disable-auxtools instead."
+fi
--- a/2
+++ b/2
@ -1 +1 @@
-Subproject commit 99e6942efec5feff50523f6b2a1f5868f19ab638
+Subproject commit 039fbc7f273643947b5c153bbe6df1eb6981a3a8
--- a/docker/builder.Dockerfile
+++ b/docker/builder.Dockerfile
@ -1,7 +1,7 @@
 # See the file "COPYING" in the main distribution directory for copyright.

 # Layer to build Zeek.
-FROM debian:13-slim
+FROM debian:bookworm-slim

 # Make the shell split commands in the log so we can determine reasons for
 # failures more easily.
@ -16,7 +16,6 @@ RUN echo 'Acquire::https::timeout "180";' >> /etc/apt/apt.conf.d/99-timeouts

 # Configure system for build.
 RUN apt-get -q update \
- && apt-get upgrade -q -y \
 && apt-get install -q -y --no-install-recommends \
     bind9 \
     bison \
@ -37,7 +36,7 @@ RUN apt-get -q update \
     libz-dev \
     make \
     python3-minimal \
-     python3-dev \
+     python3.11-dev \
     swig \
     ninja-build \
     python3-pip \
--- a/docker/final.Dockerfile
+++ b/docker/final.Dockerfile
@ -1,7 +1,7 @@
 # See the file "COPYING" in the main distribution directory for copyright.

 # Final layer containing all artifacts.
-FROM debian:13-slim
+FROM debian:bookworm-slim

 # Make the shell split commands in the log so we can determine reasons for
 # failures more easily.
@ -15,21 +15,18 @@ RUN echo 'Acquire::http::timeout "180";' > /etc/apt/apt.conf.d/99-timeouts
 RUN echo 'Acquire::https::timeout "180";' >> /etc/apt/apt.conf.d/99-timeouts

 RUN apt-get -q update \
- && apt-get upgrade -q -y \
 && apt-get install -q -y --no-install-recommends \
     ca-certificates \
     git \
     jq \
     libmaxminddb0 \
-     libnode115 \
+     libnode108 \
     libpcap0.8 \
-     libpython3.13 \
+     libpython3.11 \
     libssl3 \
     libuv1 \
     libz1 \
     libzmq5 \
-     net-tools \
-     procps \
     python3-git \
     python3-minimal \
     python3-semantic-version \
--- a/scripts/base/files/pe/main.zeek
+++ b/scripts/base/files/pe/main.zeek
@ -60,13 +60,13 @@ const pe_mime_types = { "application/x-dosexec" };
 event zeek_init() &priority=5
 	{
 	Files::register_for_mime_types(Files::ANALYZER_PE, pe_mime_types);
-	Log::create_stream(LOG, Log::Stream($columns=Info, $ev=log_pe, $path="pe", $policy=log_policy));
+	Log::create_stream(LOG, [$columns=Info, $ev=log_pe, $path="pe", $policy=log_policy]);
 	}

 hook set_file(f: fa_file) &priority=5
 	{
 	if ( ! f?$pe )
-		f$pe = PE::Info($ts=f$info$ts, $id=f$id);
+		f$pe = [$ts=f$info$ts, $id=f$id];
 	}

 event pe_dos_header(f: fa_file, h: PE::DOSHeader) &priority=5
--- a/scripts/base/files/x509/log-ocsp.zeek
+++ b/scripts/base/files/x509/log-ocsp.zeek
@ -40,7 +40,7 @@ export {

 event zeek_init() &priority=5
 	{
-	Log::create_stream(LOG, Log::Stream($columns=Info, $ev=log_ocsp, $path="ocsp", $policy=log_policy));
+	Log::create_stream(LOG, [$columns=Info, $ev=log_ocsp, $path="ocsp", $policy=log_policy]);
 	Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response");
 	}

--- a/scripts/base/files/x509/main.zeek
+++ b/scripts/base/files/x509/main.zeek
@ -105,29 +105,6 @@ export {

 	## Event for accessing logged records.
 	global log_x509: event(rec: Info);
-
-	## The maximum number of bytes that a single string field can contain when
-	## logging. If a string reaches this limit, the log output for the field will be
-	## truncated. Setting this to zero disables the limiting.
-	##
-	## .. zeek:see:: Log::default_max_field_string_bytes
-	const default_max_field_string_bytes = Log::default_max_field_string_bytes &redef;
-
-	## The maximum number of elements a single container field can contain when
-	## logging. If a container reaches this limit, the log output for the field will
-	## be truncated. Setting this to zero disables the limiting.
-	##
-	## .. zeek:see:: Log::default_max_field_container_elements
-	const default_max_field_container_elements = 500 &redef;
-
-	## The maximum total number of container elements a record may log. This is the
-	## sum of all container elements logged for the record. If this limit is reached,
-	## all further containers will be logged as empty containers. If the limit is
-	## reached while processing a container, the container will be truncated in the
-	## output. Setting this to zero disables the limiting.
-	##
-	## .. zeek:see:: Log::default_max_total_container_elements
-	const default_max_total_container_elements = 1500 &redef;
 }

 global known_log_certs_with_broker: set[LogCertHash] &create_expire=relog_known_certificates_after &backend=Broker::MEMORY;
@ -140,12 +117,7 @@ redef record Files::Info += {

 event zeek_init() &priority=5
 	{
-	# x509 can have some very large certificates and very large sets of URIs. Expand the log size filters
-	# so that we're not truncating those.
-	Log::create_stream(X509::LOG, Log::Stream($columns=Info, $ev=log_x509, $path="x509", $policy=log_policy,
-	                                          $max_field_string_bytes=X509::default_max_field_string_bytes,
-	                                          $max_field_container_elements=X509::default_max_field_container_elements,
-	                                          $max_total_container_elements=X509::default_max_total_container_elements));
+	Log::create_stream(X509::LOG, [$columns=Info, $ev=log_x509, $path="x509", $policy=log_policy]);

 	# We use MIME types internally to distinguish between user and CA certificates.
 	# The first certificate in a connection always gets tagged as user-cert, all
@ -195,7 +167,7 @@ event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certifi
 	{
 	local der_cert = x509_get_certificate_string(cert_ref);
 	local fp = hash_function(der_cert);
-	f$info$x509 = X509::Info($ts=f$info$ts, $fingerprint=fp, $certificate=cert, $handle=cert_ref);
+	f$info$x509 = [$ts=f$info$ts, $fingerprint=fp, $certificate=cert, $handle=cert_ref];
 	if ( f$info$mime_type == "application/x-x509-user-cert" )
 		f$info$x509$host_cert = T;
 	if ( f$is_orig )
@ -253,3 +225,4 @@ event file_state_remove(f: fa_file) &priority=5

 	Log::write(LOG, f$info$x509);
 	}
+
--- a/scripts/base/frameworks/analyzer/dpd.zeek
+++ b/scripts/base/frameworks/analyzer/dpd.zeek
@ -1,33 +1,61 @@
-##! Disables analyzers if protocol violations occur, and adds service information
-##! to connection log.
-
-@load ./main
+##! Activates port-independent protocol detection and selectively disables
+##! analyzers if protocol violations occur.

 module DPD;

 export {
-	## Analyzers which you don't want to remove on violations.
+	## Add the DPD logging stream identifier.
+	redef enum Log::ID += { LOG };
+
+	## A default logging policy hook for the stream.
+	global log_policy: Log::PolicyHook;
+
+	## The record type defining the columns to log in the DPD logging stream.
+	type Info: record {
+		## Timestamp for when protocol analysis failed.
+		ts:             time            &log;
+		## Connection unique ID.
+		uid:            string          &log;
+		## Connection ID containing the 4-tuple which identifies endpoints.
+		id:             conn_id         &log;
+		## Transport protocol for the violation.
+		proto:          transport_proto &log;
+		## The analyzer that generated the violation.
+		analyzer:       string          &log;
+		## The textual reason for the analysis failure.
+		failure_reason: string          &log;
+	};
+
+	## Ongoing DPD state tracking information.
+	type State: record {
+		## Current number of protocol violations seen per analyzer instance.
+		violations: table[count] of count;
+	};
+
+	## Number of protocol violations to tolerate before disabling an analyzer.
+	option max_violations: table[Analyzer::Tag] of count = table() &default = 5;
+
+	## Analyzers which you don't want to throw
 	option ignore_violations: set[Analyzer::Tag] = set();

 	## Ignore violations which go this many bytes into the connection.
 	## Set to 0 to never ignore protocol violations.
 	option ignore_violations_after = 10 * 1024;
-
-	## Change behavior of service field in conn.log:
-	## Failed services are no longer removed. Instead, for a failed
-	## service, a second entry with a "-" in front of it is added.
-	## E.g. a http connection with a violation would be logged as
-	## "http,-http".
-	option track_removed_services_in_connection = F;
 }

 redef record connection += {
-	## The set of prototol analyzers that were removed due to a protocol
-	## violation after the same analyzer had previously been confirmed.
-	failed_analyzers: set[string] &default=set() &ordered;
+	dpd: Info &optional;
+	dpd_state: State &optional;
+	## The set of services (analyzers) for which Zeek has observed a
+	## violation after the same service had previously been confirmed.
+	service_violation: set[string] &default=set();
 };

-# Add confirmed protocol analyzers to conn.log service field
+event zeek_init() &priority=5
+	{
+	Log::create_stream(DPD::LOG, [$columns=Info, $path="dpd", $policy=log_policy]);
+	}
+
 event analyzer_confirmation_info(atype: AllAnalyzers::Tag, info: AnalyzerConfirmationInfo) &priority=10
 	{
 	if ( ! is_protocol_analyzer(atype) && ! is_packet_analyzer(atype) )
@ -41,11 +69,9 @@ event analyzer_confirmation_info(atype: AllAnalyzers::Tag, info: AnalyzerConfirm
 	add c$service[analyzer];
 	}

-# Remove failed analyzers from service field and add them to c$failed_analyzers
-# Low priority to allow other handlers to check if the analyzer was confirmed
-event analyzer_failed(ts: time, atype: AllAnalyzers::Tag, info: AnalyzerViolationInfo) &priority=-5
+event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationInfo) &priority=10
 	{
-	if ( ! is_protocol_analyzer(atype) )
+	if ( ! is_protocol_analyzer(atype) && ! is_packet_analyzer(atype) )
 		return;

 	if ( ! info?$c )
@ -53,32 +79,38 @@ event analyzer_failed(ts: time, atype: AllAnalyzers::Tag, info: AnalyzerViolatio

 	local c = info$c;
 	local analyzer = Analyzer::name(atype);
-	# If the service hasn't been confirmed yet, or already failed,
-	# don't generate a log message for the protocol violation.
+	# If the service hasn't been confirmed yet, don't generate a log message
+	# for the protocol violation.
 	if ( analyzer !in c$service )
 		return;

-	# If removed service tracking is active, don't delete the service here.
-	if ( ! track_removed_services_in_connection )
-		delete c$service[analyzer];
+	delete c$service[analyzer];
+	add c$service_violation[analyzer];

-	# if statement is separate, to allow repeated removal of service, in case there are several
-	# confirmation and violation events
-	if ( analyzer !in c$failed_analyzers )
-		add c$failed_analyzers[analyzer];
+	local dpd: Info;
+	dpd$ts = network_time();
+	dpd$uid = c$uid;
+	dpd$id = c$id;
+	dpd$proto = get_port_transport_proto(c$id$orig_p);
+	dpd$analyzer = analyzer;

-	# add "-service" to the list of services on removal due to violation, if analyzer was confirmed before
-	if ( track_removed_services_in_connection && Analyzer::name(atype) in c$service )
+	# Encode data into the reason if there's any as done for the old
+	# analyzer_violation event, previously.
+	local reason = info$reason;
+	if ( info?$data )
 		{
-		local rname = cat("-", Analyzer::name(atype));
-		if ( rname !in c$service )
-			add c$service[rname];
+		local ellipsis = |info$data| > 40 ? "..." : "";
+		local data = info$data[0:40];
+		reason = fmt("%s [%s%s]", reason, data, ellipsis);
 		}
+
+	dpd$failure_reason = reason;
+	c$dpd = dpd;
 	}

 event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationInfo ) &priority=5
 	{
-	if ( ! is_protocol_analyzer(atype) )
+	if ( ! is_protocol_analyzer(atype) && ! is_packet_analyzer(atype) )
 		return;

 	if ( ! info?$c || ! info?$aid )
@ -93,17 +125,37 @@ event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationI
 	if ( ignore_violations_after > 0 && size > ignore_violations_after )
 		return;

-	# analyzer already was removed or connection finished
-	# let's still log this.
-	if ( lookup_connection_analyzer_id(c$id, atype) == 0 )
+	if ( ! c?$dpd_state )
 		{
-		event analyzer_failed(network_time(), atype, info);
-		return;
+		local s: State;
+		c$dpd_state = s;
 		}

-	local disabled = disable_analyzer(c$id, aid, F);
+	if ( aid in c$dpd_state$violations )
+		++c$dpd_state$violations[aid];
+	else
+		c$dpd_state$violations[aid] = 1;

-	# If analyzer was disabled, send failed event
-	if ( disabled )
-		event analyzer_failed(network_time(), atype, info);
+	if ( c?$dpd || c$dpd_state$violations[aid] > max_violations[atype] )
+		{
+		# Disable an analyzer we've previously confirmed, but is now in
+		# violation, or else any analyzer in excess of the max allowed
+		# violations, regardless of whether it was previously confirmed.
+		disable_analyzer(c$id, aid, F);
+		}
+	}
+
+event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationInfo ) &priority=-5
+	{
+	if ( ! is_protocol_analyzer(atype) && ! is_packet_analyzer(atype) )
+		return;
+
+	if ( ! info?$c )
+		return;
+
+	if ( info$c?$dpd )
+		{
+		Log::write(DPD::LOG, info$c$dpd);
+		delete info$c$dpd;
+		}
 	}
--- a/scripts/base/frameworks/analyzer/logging.zeek
+++ b/scripts/base/frameworks/analyzer/logging.zeek
@ -1,6 +1,8 @@
-##! Logging analyzer  violations into analyzer.log
+##! Logging analyzer confirmations and violations into analyzer.log

+@load base/frameworks/config
@load base/frameworks/logging
+
@load ./main

 module Analyzer::Logging;
@ -9,10 +11,16 @@ export {
 	## Add the analyzer logging stream identifier.
 	redef enum Log::ID += { LOG };

+	## A default logging policy hook for the stream.
+	global log_policy: Log::PolicyHook;
+
 	## The record type defining the columns to log in the analyzer logging stream.
 	type Info: record {
-		## Timestamp of the violation.
+		## Timestamp of confirmation or violation.
 		ts:             time              &log;
+		## What caused this log entry to be produced. This can
+		## currently be "violation" or "confirmation".
+		cause:          string            &log;
 		## The kind of analyzer involved. Currently "packet", "file"
 		## or "protocol".
 		analyzer_kind:  string            &log;
@ -23,64 +31,163 @@ export {
 		uid:            string            &log &optional;
 		## File UID if available.
 		fuid:           string            &log &optional;
-		## Connection identifier if available.
+		## Connection identifier if available
 		id:             conn_id           &log &optional;
-		## Transport protocol for the violation, if available.
-		proto:          transport_proto   &log &optional;
+
 		## Failure or violation reason, if available.
-		failure_reason: string            &log;
+		failure_reason: string            &log &optional;
+
 		## Data causing failure or violation if available. Truncated
 		## to :zeek:see:`Analyzer::Logging::failure_data_max_size`.
 		failure_data:   string            &log &optional;
 	};

+	## Enable logging of analyzer violations and optionally confirmations
+	## when :zeek:see:`Analyzer::Logging::include_confirmations` is set.
+	option enable = T;
+
+	## Enable analyzer_confirmation. They are usually less interesting
+	## outside of development of analyzers or troubleshooting scenarios.
+	## Setting this option may also generated multiple log entries per
+	## connection, minimally one for each conn.log entry with a populated
+	## service field.
+	option include_confirmations = F;
+
+	## Enable tracking of analyzers getting disabled. This is mostly
+	## interesting for troubleshooting of analyzers in DPD scenarios.
+	## Setting this option may also generated multiple log entries per
+	## connection.
+	option include_disabling = F;
+
 	## If a violation contains information about the data causing it,
 	## include at most this many bytes of it in the log.
 	option failure_data_max_size = 40;

-	## An event that can be handled to access the :zeek:type:`Analyzer::Logging::Info`
-	## record as it is sent on to the logging framework.
-	global log_analyzer: event(rec: Info);
-
-	## A default logging policy hook for the stream.
-	global log_policy: Log::PolicyHook;
+	## Set of analyzers for which to not log confirmations or violations.
+	option ignore_analyzers: set[AllAnalyzers::Tag] = set();
 }

+
 event zeek_init() &priority=5
 	{
-	Log::create_stream(LOG, Log::Stream($columns=Info, $path="analyzer", $ev=log_analyzer, $policy=log_policy));
+	Log::create_stream(LOG, [$columns=Info, $path="analyzer", $policy=log_policy,
+	                         $event_groups=set("Analyzer::Logging")]);
+
+	local enable_handler = function(id: string, new_value: bool): bool {
+		if ( new_value )
+		    Log::enable_stream(LOG);
+		else
+		    Log::disable_stream(LOG);
+
+		return new_value;
+	};
+	Option::set_change_handler("Analyzer::Logging::enable", enable_handler);
+
+	local include_confirmations_handler = function(id: string, new_value: bool): bool {
+		if ( new_value )
+		    enable_event_group("Analyzer::Logging::include_confirmations");
+		else
+		    disable_event_group("Analyzer::Logging::include_confirmations");
+
+		return new_value;
+	};
+	Option::set_change_handler("Analyzer::Logging::include_confirmations",
+	                           include_confirmations_handler);
+
+	local include_disabling_handler = function(id: string, new_value: bool): bool {
+		if ( new_value )
+		    enable_event_group("Analyzer::Logging::include_disabling");
+		else
+		    disable_event_group("Analyzer::Logging::include_disabling");
+
+		return new_value;
+	};
+	Option::set_change_handler("Analyzer::Logging::include_disabling",
+	                           include_disabling_handler);
+
+	# Call the handlers directly with the current values to avoid config
+	# framework interactions like creating entries in config.log.
+	enable_handler("Analyzer::Logging::enable", Analyzer::Logging::enable);
+	include_confirmations_handler("Analyzer::Logging::include_confirmations",
+	                              Analyzer::Logging::include_confirmations);
+	include_disabling_handler("Analyzer::Logging::include_disabling",
+	                          Analyzer::Logging::include_disabling);
+
 	}

-function log_analyzer_failure(ts: time, atype: AllAnalyzers::Tag, info: AnalyzerViolationInfo)
+function analyzer_kind(atype: AllAnalyzers::Tag): string
 	{
+	if ( is_protocol_analyzer(atype) )
+		return "protocol";
+	else if ( is_packet_analyzer(atype) )
+		return "packet";
+	else if ( is_file_analyzer(atype) )
+		return "file";
+
+	Reporter::warning(fmt("Unknown kind of analyzer %s", atype));
+	return "unknown";
+	}
+
+function populate_from_conn(rec: Info, c: connection)
+	{
+	rec$id = c$id;
+	rec$uid = c$uid;
+	}
+
+function populate_from_file(rec: Info, f: fa_file)
+	{
+	rec$fuid = f$id;
+	# If the confirmation didn't have a connection, but the
+	# fa_file object has exactly one, use it.
+	if ( ! rec?$uid && f?$conns && |f$conns| == 1 )
+		{
+		for ( _, c in f$conns )
+			{
+			rec$id = c$id;
+			rec$uid = c$uid;
+			}
+		}
+	}
+
+event analyzer_confirmation_info(atype: AllAnalyzers::Tag, info: AnalyzerConfirmationInfo) &group="Analyzer::Logging::include_confirmations"
+	{
+	if ( atype in ignore_analyzers )
+		return;
+
 	local rec = Info(
-		$ts=ts,
-		$analyzer_kind=Analyzer::kind(atype),
+		$ts=network_time(),
+		$cause="confirmation",
+		$analyzer_kind=analyzer_kind(atype),
 		$analyzer_name=Analyzer::name(atype),
-		$failure_reason=info$reason
 	);

 	if ( info?$c )
-		{
-		rec$id = info$c$id;
-		rec$uid = info$c$uid;
-		rec$proto = get_port_transport_proto(info$c$id$orig_p);
-		}
+		populate_from_conn(rec, info$c);

 	if ( info?$f )
-		{
-		rec$fuid = info$f$id;
-		# If the confirmation didn't have a connection, but the
-		# fa_file object has exactly one, use it.
-		if ( ! rec?$uid && info$f?$conns && |info$f$conns| == 1 )
-			{
-			for ( _, c in info$f$conns )
-				{
-				rec$id = c$id;
-				rec$uid = c$uid;
-				}
-			}
-		}
+		populate_from_file(rec, info$f);
+
+	Log::write(LOG, rec);
+	}
+
+event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationInfo) &priority=6
+	{
+	if ( atype in ignore_analyzers )
+		return;
+
+	local rec = Info(
+		$ts=network_time(),
+		$cause="violation",
+		$analyzer_kind=analyzer_kind(atype),
+		$analyzer_name=Analyzer::name(atype),
+		$failure_reason=info$reason,
+	);
+
+	if ( info?$c )
+		populate_from_conn(rec, info$c);
+
+	if ( info?$f )
+		populate_from_file(rec, info$f);

 	if ( info?$data )
 		{
@ -93,31 +200,24 @@ function log_analyzer_failure(ts: time, atype: AllAnalyzers::Tag, info: Analyzer
 	Log::write(LOG, rec);
 	}

-# event currently is only raised for protocol analyzers; we do not fail packet and file analyzers
-event analyzer_failed(ts: time, atype: AllAnalyzers::Tag, info: AnalyzerViolationInfo)
+hook Analyzer::disabling_analyzer(c: connection, atype: AllAnalyzers::Tag, aid: count) &priority=-1000 &group="Analyzer::Logging::include_disabling"
 	{
-	if ( ! is_protocol_analyzer(atype) )
+	if ( atype in ignore_analyzers )
 		return;

-	if ( ! info?$c )
-		return;
+	local rec = Info(
+		$ts=network_time(),
+		$cause="disabled",
+		$analyzer_kind=analyzer_kind(atype),
+		$analyzer_name=Analyzer::name(atype),
+	);

-	# log only for previously confirmed service that did not already log violation
-	# note that analyzers can fail repeatedly in some circumstances - e.g. when they
-	# are re-attached by the dynamic protocol detection due to later data.
-	local analyzer_name = Analyzer::name(atype);
-	if ( analyzer_name !in info$c$service || analyzer_name in info$c$failed_analyzers )
-		return;
+	populate_from_conn(rec, c);

-	log_analyzer_failure(ts, atype, info);
+	if ( c?$dpd_state && aid in c$dpd_state$violations )
+		{
+		rec$failure_data = fmt("Disabled after %d violations", c$dpd_state$violations[aid]);
+		}
+
+	Log::write(LOG, rec);
 	}
-
-# log packet and file analyzers here separately
-event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationInfo )
-	{
-	if ( is_protocol_analyzer(atype) )
-		return;
-
-	log_analyzer_failure(network_time(), atype, info);
-	}
-
--- a/scripts/base/frameworks/analyzer/main.zeek
+++ b/scripts/base/frameworks/analyzer/main.zeek
@ -88,15 +88,6 @@ export {
 	## Returns: The analyzer name corresponding to the tag.
 	global name: function(tag: Analyzer::Tag) : string;

-	## Translates an analyzer type to a string with the analyzer's type.
-	##
-	## Possible values are "protocol", "packet", "file", or "unknown".
-	##
-	## tag: The analyzer tag.
-	##
-	## Returns: The analyzer kind corresponding to the tag.
-	global kind: function(tag: Analyzer::Tag) : string;
-
 	## Check whether the given analyzer name exists.
 	##
 	## This can be used before calling :zeek:see:`Analyzer::get_tag` to
@ -109,10 +100,6 @@ export {

 	## Translates an analyzer's name to a tag enum value.
 	##
-	## The analyzer is assumed to exist; call
-	## :zeek:see:`Analyzer::has_tag` first to verify that name is a
-	## valid analyzer name.
-	##
 	## name: The analyzer name.
 	##
 	## Returns: The analyzer tag corresponding to the name.
@ -172,23 +159,6 @@ export {
 	##
 	## This set can be added to via :zeek:see:`redef`.
 	global requested_analyzers: set[AllAnalyzers::Tag] = {} &redef;
-
-	## Event that is raised when an analyzer raised a service violation and was
-	## removed.
-	##
-	## The event is also raised if the analyzer already was no longer active by
-	## the time that the violation was handled - so if it happens at the very
-	## end of a connection.
-	##
-	## Currently this event is only raised for protocol analyzers, as packet
-	## and file analyzers are never actively removed/disabled.
-	##
-	## ts: time at which the violation occurred
-	##
-	## atype: atype: The analyzer tag, such as ``Analyzer::ANALYZER_HTTP``.
-	##
-	##info: Details about the violation. This record should include a :zeek:type:`connection`
-	global analyzer_failed: event(ts: time, atype: AllAnalyzers::Tag, info: AnalyzerViolationInfo);
 }

@load base/bif/analyzer.bif
@ -272,19 +242,6 @@ function name(atype: AllAnalyzers::Tag) : string
 	return __name(atype);
 	}

-function kind(atype: AllAnalyzers::Tag): string
-	{
-	if ( is_protocol_analyzer(atype) )
-		return "protocol";
-	else if ( is_packet_analyzer(atype) )
-		return "packet";
-	else if ( is_file_analyzer(atype) )
-		return "file";
-
-	Reporter::warning(fmt("Unknown kind of analyzer %s", atype));
-	return "unknown";
-	}
-
 function has_tag(name: string): bool
 	{
 	return __has_tag(name);
--- a/scripts/base/frameworks/broker/backpressure.zeek
+++ b/scripts/base/frameworks/broker/backpressure.zeek
@ -10,22 +10,26 @@
 ##! - In cluster.log, with a higher-level message indicating the node names involved.
 ##! - Via telemetry, using a labeled counter.

-event Broker::peer_removed(ep: Broker::EndpointInfo, msg: string)
+event Broker::peer_removed(endpoint: Broker::EndpointInfo, msg: string)
 	{
 	if ( "caf::sec::backpressure_overflow" !in msg ) {
 		return;
 	}

-	if ( ! ep?$network ) {
-		Reporter::error(fmt("Missing network info to re-peer with %s", ep$id));
+	if ( ! endpoint?$network ) {
+		Reporter::error(fmt("Missing network info to re-peer with %s", endpoint$id));
 		return;
 	}

-	# Re-establish the peering. Broker will periodically re-try connecting
-	# as necessary. Do this only if the local node originally established
-	# the peering, otherwise we would connect to an ephemeral client-side
-	# TCP port that doesn't listen. If we didn't originally establish the
-	# peering, the other side will retry anyway.
-	if ( Broker::is_outbound_peering(ep$network$address, ep$network$bound_port) )
-		Broker::peer(ep$network$address, ep$network$bound_port);
+	# Re-establish the peering so Broker's reconnect behavior kicks in once
+	# the other endpoint catches up. Broker will periodically re-try
+	# connecting as necessary. If the other endpoint originally connected to
+	# us, our attempt will fail (since we attempt to connect to the peer's
+	# ephemeral port), but in that case the peer will reconnect with us once
+	# it recovers.
+	#
+	# We could do this more cleanly by leveraging information from the
+	# cluster framework (since it knows who connects to whom), but that
+	# would further entangle Broker into it.
+	Broker::peer(endpoint$network$address, endpoint$network$bound_port);
 }
--- a/scripts/base/frameworks/broker/log.zeek
+++ b/scripts/base/frameworks/broker/log.zeek
@ -14,19 +14,7 @@ export {
 		## An informational status update.
 		STATUS,
 		## An error situation.
-		ERROR,
-		## Fatal event, normal operation has most likely broken down.
-		CRITICAL_EVENT,
-		## Unrecoverable event that imparts at least part of the system.
-		ERROR_EVENT,
-		## Unexpected or conspicuous event that may still be recoverable.
-		WARNING_EVENT,
-		## Noteworthy event during normal operation.
-		INFO_EVENT,
-		## Information that might be relevant for a user to understand system behavior.
-		VERBOSE_EVENT,
-		## An event that is relevant only for troubleshooting and debugging.
-		DEBUG_EVENT,
+		ERROR
 	};

 	## A record type containing the column fields of the Broker log.
@ -47,17 +35,17 @@ export {

 event zeek_init() &priority=5
 	{
-	Log::create_stream(Broker::LOG, Log::Stream($columns=Info, $path="broker", $policy=log_policy));
+	Log::create_stream(Broker::LOG, [$columns=Info, $path="broker", $policy=log_policy]);
 	}

 function log_status(ev: string, endpoint: EndpointInfo, msg: string)
 	{
 	local r: Info;

-	r = Broker::Info($ts = network_time(),
-	                 $ev = ev,
-	                 $ty = STATUS,
-	                 $message = msg);
+	r = [$ts = network_time(),
+	     $ev = ev,
+	     $ty = STATUS,
+	     $message = msg];

 	if ( endpoint?$network )
 		r$peer = endpoint$network;
@ -87,36 +75,11 @@ event Broker::error(code: ErrorCode, msg: string)
 	ev = subst_string(ev, "_", "-");
 	ev = to_lower(ev);

-	Log::write(Broker::LOG, Info($ts = network_time(),
+	Log::write(Broker::LOG, [$ts = network_time(),
 	           $ev = ev,
 	           $ty = ERROR,
-	           $message = msg));
+	           $message = msg]);

 	Reporter::error(fmt("Broker error (%s): %s", code, msg));
 	}

-event Broker::internal_log_event(lvl: LogSeverityLevel, id: string, description: string)
-	{
-	local severity = Broker::CRITICAL_EVENT;
-	switch lvl {
-		case Broker::LOG_ERROR:
-			severity = Broker::ERROR_EVENT;
-			break;
-		case Broker::LOG_WARNING:
-			severity = Broker::WARNING_EVENT;
-			break;
-		case Broker::LOG_INFO:
-			severity = Broker::INFO_EVENT;
-			break;
-		case Broker::LOG_VERBOSE:
-			severity = Broker::VERBOSE_EVENT;
-			break;
-		case Broker::LOG_DEBUG:
-			severity = Broker::DEBUG_EVENT;
-			break;
-	}
-	Log::write(Broker::LOG, Info($ts = network_time(),
-	           $ty = severity,
-	           $ev = id,
-	           $message = description));
-	}
--- a/scripts/base/frameworks/broker/main.zeek
+++ b/scripts/base/frameworks/broker/main.zeek
@ -19,7 +19,7 @@ export {
 	## use already.  Use of the ZEEK_DEFAULT_LISTEN_RETRY environment variable
 	## (set as a number of seconds) will override this option and also
 	## any values given to :zeek:see:`Broker::listen`.
-	const default_listen_retry = 1sec &redef;
+	const default_listen_retry = 30sec &redef;

 	## Default address on which to listen.
 	##
@ -28,7 +28,7 @@ export {

 	## Default address on which to listen for WebSocket connections.
 	##
-	## .. zeek:see:: Cluster::listen_websocket
+	## .. zeek:see:: Broker::listen_websocket
 	const default_listen_address_websocket = getenv("ZEEK_DEFAULT_LISTEN_ADDRESS") &redef;

 	## Default interval to retry connecting to a peer if it cannot be made to
@ -36,7 +36,7 @@ export {
 	## ZEEK_DEFAULT_CONNECT_RETRY environment variable (set as number of
 	## seconds) will override this option and also any values given to
 	## :zeek:see:`Broker::peer`.
-	const default_connect_retry = 1sec &redef;
+	const default_connect_retry = 30sec &redef;

 	## If true, do not use SSL for network connections. By default, SSL will
 	## even be used if no certificates / CAs have been configured. In that case
@ -69,6 +69,11 @@ export {
 	## all peers.
 	const ssl_keyfile = "" &redef;

+	## The number of buffered messages at the Broker/CAF layer after which
+	## a subscriber considers themselves congested (i.e. tune the congestion
+	## control mechanisms).
+	const congestion_queue_size = 200 &redef;
+
 	## The max number of log entries per log stream to batch together when
 	## sending log messages to a remote logger.
 	const log_batch_size = 400 &redef;
@ -78,30 +83,26 @@ export {
 	const log_batch_interval = 1sec &redef;

 	## Max number of threads to use for Broker/CAF functionality.  The
-	## ``ZEEK_BROKER_MAX_THREADS`` environment variable overrides this setting.
+	## ZEEK_BROKER_MAX_THREADS environment variable overrides this setting.
 	const max_threads = 1 &redef;

 	## Max number of items we buffer at most per peer. What action to take when
 	## the buffer reaches its maximum size is determined by
-	## :zeek:see:`Broker::peer_overflow_policy`.
-	const peer_buffer_size = 8192 &redef;
+	## `peer_overflow_policy`.
+	const peer_buffer_size = 2048 &redef;

 	## Configures how Broker responds to peers that cannot keep up with the
 	## incoming message rate. Available strategies:
 	## - disconnect: drop the connection to the unresponsive peer
 	## - drop_newest: replace the newest message in the buffer
 	## - drop_oldest: removed the olsted message from the buffer, then append
-	const peer_overflow_policy = "drop_oldest" &redef;
+	const peer_overflow_policy = "disconnect" &redef;

-	## Same as :zeek:see:`Broker::peer_buffer_size` but for WebSocket clients.
-	const web_socket_buffer_size = 8192 &redef;
+	## Same as `peer_buffer_size` but for WebSocket clients.
+	const web_socket_buffer_size = 512 &redef;

-	## Same as :zeek:see:`Broker::peer_overflow_policy` but for WebSocket clients.
-	const web_socket_overflow_policy = "drop_oldest" &redef;
-
-	## How frequently Zeek resets some peering/client buffer statistics,
-	## such as ``max_queued_recently`` in :zeek:see:`BrokerPeeringStats`.
-	const buffer_stats_reset_interval = 1min &redef;
+	## Same as `peer_overflow_policy` but for WebSocket clients.
+	const web_socket_overflow_policy = "disconnect" &redef;

 	## The CAF scheduling policy to use.  Available options are "sharing" and
 	## "stealing".  The "sharing" policy uses a single, global work queue along
@ -175,28 +176,6 @@ export {
 	##          will be sent.
 	const log_topic: function(id: Log::ID, path: string): string = default_log_topic &redef;

-	## The possible log event severity levels for Broker.
-	type LogSeverityLevel: enum {
-		## Fatal event, normal operation has most likely broken down.
-		LOG_CRITICAL,
-		## Unrecoverable event that imparts at least part of the system.
-		LOG_ERROR,
-		## Unexpected or conspicuous event that may still be recoverable.
-		LOG_WARNING,
-		## Noteworthy event during normal operation.
-		LOG_INFO,
-		## Information that might be relevant for a user to understand system behavior.
-		LOG_VERBOSE,
-		## An event that is relevant only for troubleshooting and debugging.
-		LOG_DEBUG,
-	};
-
-	## The log event severity level for the Broker log output.
-	const log_severity_level = LOG_WARNING &redef;
-
-	## Event severity level for also printing the Broker log output to stderr.
-	const log_stderr_severity_level = LOG_CRITICAL &redef;
-
 	type ErrorCode: enum {
 		## The unspecified default error code.
 		UNSPECIFIED = 1,
@ -206,26 +185,24 @@ export {
 		PEER_INVALID = 3,
 		## Remote peer not listening.
 		PEER_UNAVAILABLE = 4,
-		## Remote peer disconnected during the handshake.
-		PEER_DISCONNECT_DURING_HANDSHAKE = 5,
 		## A peering request timed out.
-		PEER_TIMEOUT = 6,
+		PEER_TIMEOUT = 5,
 		## Master with given name already exists.
-		MASTER_EXISTS = 7,
+		MASTER_EXISTS = 6,
 		## Master with given name does not exist.
-		NO_SUCH_MASTER = 8,
+		NO_SUCH_MASTER = 7,
 		## The given data store key does not exist.
-		NO_SUCH_KEY = 9,
+		NO_SUCH_KEY = 8,
 		## The store operation timed out.
-		REQUEST_TIMEOUT = 10,
+		REQUEST_TIMEOUT = 9,
 		## The operation expected a different type than provided.
-		TYPE_CLASH = 11,
+		TYPE_CLASH = 10,
 		## The data value cannot be used to carry out the desired operation.
-		INVALID_DATA = 12,
+		INVALID_DATA = 11,
 		## The storage backend failed to execute the operation.
-		BACKEND_FAILURE = 13,
+		BACKEND_FAILURE = 12,
 		## The storage backend failed to execute the operation.
-		STALE_DATA = 14,
+		STALE_DATA = 13,
 		## Catch-all for a CAF-level problem.
 		CAF_ERROR = 100
 	};
@ -263,10 +240,6 @@ export {
 	type PeerInfo: record {
 		peer: EndpointInfo;
 		status: PeerStatus;
-
-		## Whether the local node created the peering, as opposed to a
-		## remote establishing it by connecting to us.
-		is_outbound: bool;
 	};

 	type PeerInfos: vector of PeerInfo;
@ -314,6 +287,26 @@ export {
 	                        p: port &default = default_port,
 	                        retry: interval &default = default_listen_retry): port;

+	## Listen for remote connections using WebSocket.
+	##
+	## a: an address string on which to accept connections, e.g.
+	##    "127.0.0.1".  An empty string refers to INADDR_ANY.
+	##
+	## p: the TCP port to listen on. The value 0 means that the OS should choose
+	##    the next available free port.
+	##
+	## retry: If non-zero, retries listening in regular intervals if the port cannot be
+	##        acquired immediately. 0 disables retries.  If the
+	##        ZEEK_DEFAULT_LISTEN_RETRY environment variable is set (as number
+	##        of seconds), it overrides any value given here.
+	##
+	## Returns: the bound port or 0/? on failure.
+	##
+	## .. zeek:see:: Broker::status
+	global listen_websocket: function(a: string &default = default_listen_address_websocket,
+	                                  p: port &default = default_port_websocket,
+	                                  retry: interval &default = default_listen_retry): port;
+
 	## Initiate a remote connection.
 	##
 	## a: an address to connect to, e.g. "localhost" or "127.0.0.1".
@ -350,16 +343,6 @@ export {
 	## TODO: We do not have a function yet to terminate a connection.
 	global unpeer: function(a: string, p: port): bool;

-	## Whether the local node originally initiated the peering with the
-	## given endpoint.
-	##
-	## a: the address used in previous successful call to :zeek:see:`Broker::peer`.
-	##
-	## p: the port used in previous successful call to :zeek:see:`Broker::peer`.
-	##
-	## Returns:: True if this node initiated the peering.
-	global is_outbound_peering: function(a: string, p: port): bool;
-
 	## Get a list of all peer connections.
 	##
 	## Returns: a list of all peer connections.
@ -370,12 +353,6 @@ export {
 	## Returns: a unique identifier for the local broker endpoint.
 	global node_id: function(): string;

-	## Obtain each peering's send-buffer statistics. The keys are Broker
-	## endpoint IDs.
-	##
-	## Returns: per-peering statistics.
-	global peering_stats: function(): table[string] of BrokerPeeringStats;
-
 	## Sends all pending log messages to remote peers.  This normally
 	## doesn't need to be used except for test cases that are time-sensitive.
 	global flush_logs: function(): count;
@ -424,6 +401,29 @@ export {
 	##
 	## Returns: true if a new event forwarding/subscription is now registered.
 	global forward: function(topic_prefix: string): bool;
+
+	## Automatically send an event to any interested peers whenever it is
+	## locally dispatched. (For example, using "event my_event(...);" in a
+	## script.)
+	##
+	## topic: a topic string associated with the event message.
+	##        Peers advertise interest by registering a subscription to some
+	##        prefix of this topic name.
+	##
+	## ev: a Zeek event value.
+	##
+	## Returns: true if automatic event sending is now enabled.
+	global auto_publish: function(topic: string, ev: any): bool &deprecated="Remove in v8.1. Switch to explicit Broker::publish() calls. Auto-publish won't work with all cluster backends.";
+
+	## Stop automatically sending an event to peers upon local dispatch.
+	##
+	## topic: a topic originally given to :zeek:see:`Broker::auto_publish`.
+	##
+	## ev: an event originally given to :zeek:see:`Broker::auto_publish`.
+	##
+	## Returns: true if automatic events will not occur for the topic/event
+	##          pair.
+	global auto_unpublish: function(topic: string, ev: any): bool &deprecated="Remove in v8.1. See Broker::auto_publish()";
 }

@load base/bif/comm.bif
@ -465,6 +465,29 @@ function listen(a: string, p: port, retry: interval): port
 	return bound;
 	}

+event retry_listen_websocket(a: string, p: port, retry: interval)
+	{
+	listen_websocket(a, p, retry);
+	}
+
+function listen_websocket(a: string, p: port, retry: interval): port
+	{
+	local bound = __listen(a, p, Broker::WEBSOCKET);
+
+	if ( bound == 0/tcp )
+		{
+		local e = getenv("ZEEK_DEFAULT_LISTEN_RETRY");
+
+		if ( e != "" )
+			retry = double_to_interval(to_double(e));
+
+		if ( retry != 0secs )
+			schedule retry { retry_listen_websocket(a, p, retry) };
+		}
+
+	return bound;
+	}
+
 function peer(a: string, p: port, retry: interval): bool
 	{
 	return __peer(a, p, retry);
@ -475,11 +498,6 @@ function unpeer(a: string, p: port): bool
 	return __unpeer(a, p);
 	}

-function is_outbound_peering(a: string, p: port): bool
-	{
-	return __is_outbound_peering(a, p);
-	}
-
 function peers(): vector of PeerInfo
 	{
 	return __peers();
@ -490,11 +508,6 @@ function node_id(): string
 	return __node_id();
 	}

-function peering_stats(): table[string] of BrokerPeeringStats
-	{
-	return __peering_stats();
-	}
-
 function flush_logs(): count
 	{
 	return __flush_logs();
@ -519,3 +532,13 @@ function unsubscribe(topic_prefix: string): bool
 	{
 	return __unsubscribe(topic_prefix);
 	}
+
+function auto_publish(topic: string, ev: any): bool
+	{
+	return __auto_publish(topic, ev);
+	}
+
+function auto_unpublish(topic: string, ev: any): bool
+	{
+	return __auto_unpublish(topic, ev);
+	}
--- a/scripts/base/frameworks/cluster/load.zeek
+++ b/scripts/base/frameworks/cluster/load.zeek
@ -1,7 +1,6 @@
 # Load the core cluster support.
@load ./main
@load ./pools
-@load ./telemetry

@if ( Cluster::is_enabled() )

@ -15,11 +14,8 @@ redef Broker::log_topic = Cluster::rr_log_topic;
 # Add a cluster prefix.
@prefixes += cluster

-# Broker-specific additions:
-@if ( Cluster::backend == Cluster::CLUSTER_BACKEND_BROKER )
+# This should soon condition on loading only when Broker is in use.
@load ./broker-backpressure
-@load ./broker-telemetry
-@endif

@if ( Supervisor::is_supervised() )
 # When running a supervised cluster, populate Cluster::nodes from the node table
--- a/scripts/base/frameworks/cluster/broker-backpressure.zeek
+++ b/scripts/base/frameworks/cluster/broker-backpressure.zeek
@ -5,13 +5,13 @@

 module Cluster;

-global broker_backpressure_disconnects_cf = Telemetry::register_counter_family(Telemetry::MetricOpts(
+global broker_backpressure_disconnects_cf = Telemetry::register_counter_family([
    $prefix="zeek",
    $name="broker-backpressure-disconnects",
    $unit="",
    $label_names=vector("peer"),
    $help_text="Number of Broker peerings dropped due to a neighbor falling behind in message I/O",
-));
+]);

 event Broker::peer_removed(endpoint: Broker::EndpointInfo, msg: string)
 	{
--- a/scripts/base/frameworks/cluster/broker-telemetry.zeek
+++ b/scripts/base/frameworks/cluster/broker-telemetry.zeek
@ -1,104 +0,0 @@
-# Additional Broker-specific metrics that use Zeek cluster-level node names.
-
-@load base/frameworks/telemetry
-
-module Cluster;
-
-## This gauge tracks the current number of locally queued messages in each
-## Broker peering's send buffer. The "peer" label identifies the remote side of
-## the peering, containing a Zeek cluster node name.
-global broker_peer_buffer_messages_gf = Telemetry::register_gauge_family(Telemetry::MetricOpts(
-    $prefix="zeek",
-    $name="broker-peer-buffer-messages",
-    $unit="",
-    $label_names=vector("peer"),
-    $help_text="Number of messages queued in Broker's send buffers",
-));
-
-## This gauge tracks recent maximum queue lengths for each Broker peering's send
-## buffer. Most of the time the send buffers are nearly empty, so this gauge
-## helps understand recent bursts of messages.  "Recent" here means
-## :zeek:see:`Broker::buffer_stats_reset_interval`. The time window advances in
-## increments of at least the stats interval, not incrementally with every new
-## observed message. That is, Zeek keeps a timestamp of when the window started,
-## and once it notices that the interval has passed, it moves the start of the
-## window to current time.
-global broker_peer_buffer_recent_max_messages_gf = Telemetry::register_gauge_family(Telemetry::MetricOpts(
-    $prefix="zeek",
-    $name="broker-peer-buffer-recent-max-messages",
-    $unit="",
-    $label_names=vector("peer"),
-    $help_text="Maximum number of messages recently queued in Broker's send buffers",
-));
-
-## This counter tracks for each Broker peering the number of times its send
-## buffer has overflowed. For the "disconnect" policy this can at most be 1,
-## since Broker stops the peering at this time. For the "drop_oldest" and
-## "drop_newest" policies (see :zeek:see:`Broker:peer_overflow_policy`) the count
-## instead reflects the number of messages lost.
-global broker_peer_buffer_overflows_cf = Telemetry::register_counter_family(Telemetry::MetricOpts(
-    $prefix="zeek",
-    $name="broker-peer-buffer-overflows",
-    $unit="",
-    $label_names=vector("peer"),
-    $help_text="Number of overflows in Broker's send buffers",
-));
-
-
-# A helper to track overflow counts over past peerings as well as the current
-# one.  The peer_id field allows us to identify when the counter has reset: a
-# Broker ID different from the one on file means it's a new peering.
-type EpochData: record {
-	peer_id: string;
-	num_overflows: count &default=0;
-	num_past_overflows: count &default=0;
-};
-
-# This maps from a cluster node name to its EpochData.
-global peering_epoch_data: table[string] of EpochData;
-
-hook Telemetry::sync()
-	{
-	local peers = Broker::peering_stats();
-	local nn: NamedNode;
-	local labels: vector of string;
-	local ed: EpochData;
-
-	for ( peer_id, stats in peers )
-		{
-		# Translate the Broker IDs to Zeek-level node names. We skip
-		# telemetry for peers where this mapping fails, i.e. ones for
-		# connections to external systems.
-		nn = nodeid_to_node(peer_id);
-
-		if ( |nn$name| == 0 )
-			next;
-
-		labels = vector(nn$name);
-
-		Telemetry::gauge_family_set(broker_peer_buffer_messages_gf,
-		    labels, stats$num_queued);
-		Telemetry::gauge_family_set(broker_peer_buffer_recent_max_messages_gf,
-		    labels, stats$max_queued_recently);
-
-		if ( nn$name !in peering_epoch_data )
-			peering_epoch_data[nn$name] = EpochData($peer_id=peer_id);
-
-		ed = peering_epoch_data[nn$name];
-
-		if ( peer_id != ed$peer_id )
-			{
-			# A new peering. Ensure that we account for overflows in
-			# past ones. There is a risk here that we might have
-			# missed a peering altogether if we scrape infrequently,
-			# but re-peering should be a rare event.
-			ed$peer_id = peer_id;
-			ed$num_past_overflows += ed$num_overflows;
-			}
-
-		ed$num_overflows = stats$num_overflows;
-
-		Telemetry::counter_family_set(broker_peer_buffer_overflows_cf,
-		    labels, ed$num_past_overflows + ed$num_overflows);
-		}
-	}
--- a/scripts/base/frameworks/cluster/main.zeek
+++ b/scripts/base/frameworks/cluster/main.zeek
@ -75,19 +75,6 @@ export {
 	## :zeek:see:`Cluster::create_store` with the *persistent* argument set true.
 	const default_persistent_backend = Broker::SQLITE &redef;

-	## The default maximum queue size for WebSocket event dispatcher instances.
-	##
-	## If the maximum queue size is reached, events from external WebSocket
-	## clients will be stalled and processed once the queue has been drained.
-	##
-	## An internal metric named ``cluster_onloop_queue_stalls`` and
-	## labeled with a ``WebSocketEventDispatcher:<host>:<port>`` tag
-	## is incremented when the maximum queue size is reached.
-	const default_websocket_max_event_queue_size = 32 &redef;
-
-	## The default ping interval for WebSocket clients.
-	const default_websocket_ping_interval = 5 sec &redef;
-
 	## Setting a default dir will, for persistent backends that have not
 	## been given an explicit file path via :zeek:see:`Cluster::stores`,
 	## automatically create a path within this dir that is based on the name of
@ -265,7 +252,7 @@ export {
 	## Interval for retrying failed connections between cluster nodes.
 	## If set, the ZEEK_DEFAULT_CONNECT_RETRY (given in number of seconds)
 	## environment variable overrides this option.
-	const retry_interval = 1sec &redef;
+	const retry_interval = 1min &redef;

 	## When using broker-enabled cluster framework, nodes broadcast this event
 	## to exchange their user-defined name along with a string that uniquely
@ -340,84 +327,11 @@ export {
 		## The arguments for the event.
 		args: vector of any;
 	};
-
-	## The TLS options for a WebSocket server.
-	##
-	## If cert_file and key_file are set, TLS is enabled. If both
-	## are unset, TLS is disabled. Any other combination is an error.
-	type WebSocketTLSOptions: record {
-		## The cert file to use.
-		cert_file: string &optional;
-		## The key file to use.
-		key_file: string &optional;
-		## Expect peers to send client certificates.
-		enable_peer_verification: bool &default=F;
-		## The CA certificate or CA bundle used for peer verification.
-		## Empty will use the implementations's default when
-		## ``enable_peer_verification`` is T.
-		ca_file: string &default="";
-		## The ciphers to use. Empty will use the implementation's defaults.
-		ciphers: string &default="";
-	};
-
-	## WebSocket server options to pass to :zeek:see:`Cluster::listen_websocket`.
-	type WebSocketServerOptions: record {
-		## The address to listen on, cannot be used together with ``listen_host``.
-		listen_addr: addr &optional;
-		## The port the WebSocket server is supposed to listen on.
-		listen_port: port;
-		## The maximum event queue size for this server.
-		max_event_queue_size: count &default=default_websocket_max_event_queue_size;
-		## Ping interval to use. A WebSocket client not responding to
-		## the pings will be disconnected. Set to a negative value to
-		## disable pings. Subsecond intervals are currently not supported.
-		ping_interval: interval &default=default_websocket_ping_interval;
-		## The TLS options used for this WebSocket server. By default,
-		## TLS is disabled. See also :zeek:see:`Cluster::WebSocketTLSOptions`.
-		tls_options: WebSocketTLSOptions &default=WebSocketTLSOptions();
-	};
-
-	## Start listening on a WebSocket address.
-	##
-	## options: The server :zeek:see:`Cluster::WebSocketServerOptions` to use.
-	##
-	## Returns: T on success, else F.
-	global listen_websocket: function(options: WebSocketServerOptions): bool;
-
-	## Network information of an endpoint.
-	type NetworkInfo: record {
-		## The IP address or hostname where the endpoint listens.
-		address: string;
-		## The port where the endpoint is bound to.
-		bound_port: port;
-	};
-
-	## Information about a WebSocket endpoint.
-	type EndpointInfo: record {
-		id: string;
-		network: NetworkInfo;
-		## The value of the X-Application-Name HTTP header, if any.
-		application_name: string &optional;
-	};
-
-	## A hook invoked for every :zeek:see:`Cluster::subscribe` call.
-	##
-	## Breaking from this hook has no effect.
-	##
-	## topic: The topic string as given to :zeek:see:`Cluster::subscribe`.
-	global on_subscribe: hook(topic: string);
-
-	## A hook invoked for every :zeek:see:`Cluster::subscribe` call.
-	##
-	## Breaking from this hook has no effect.
-	##
-	## topic: The topic string as given to :zeek:see:`Cluster::subscribe`.
-	global on_unsubscribe: hook(topic: string);
 }

 # Needs declaration of Cluster::Event type.
@load base/bif/cluster.bif
-@load base/bif/plugins/Zeek_Cluster_WebSocket.events.bif.zeek
+

 # Track active nodes per type.
 global active_node_ids: table[NodeType] of set[string];
@ -504,7 +418,7 @@ function nodeid_to_node(id: string): NamedNode
 			return NamedNode($name=name, $node=n);
 		}

-	return NamedNode($name="", $node=Node($node_type=NONE, $ip=0.0.0.0));
+	return NamedNode($name="", $node=[$node_type=NONE, $ip=0.0.0.0]);
 	}

 event Cluster::hello(name: string, id: string) &priority=10
@ -584,7 +498,7 @@ event zeek_init() &priority=5
 		terminate();
 		}

-	Log::create_stream(Cluster::LOG, Log::Stream($columns=Info, $path="cluster", $policy=log_policy));
+	Log::create_stream(Cluster::LOG, [$columns=Info, $path="cluster", $policy=log_policy]);
 	}

 function create_store(name: string, persistent: bool &default=F): Cluster::StoreInfo
@ -666,12 +580,12 @@ function create_store(name: string, persistent: bool &default=F): Cluster::Store

 function log(msg: string)
 	{
-	Log::write(Cluster::LOG, Info($ts = network_time(), $node = node, $message = msg));
+	Log::write(Cluster::LOG, [$ts = network_time(), $node = node, $message = msg]);
 	}

 function init(): bool
 	{
-	return Cluster::Backend::__init(Cluster::node_id());
+	return Cluster::Backend::__init();
 	}

 function subscribe(topic: string): bool
@ -683,38 +597,3 @@ function unsubscribe(topic: string): bool
 	{
 	return Cluster::__unsubscribe(topic);
 	}
-
-function listen_websocket(options: WebSocketServerOptions): bool
-	{
-	return Cluster::__listen_websocket(options);
-	}
-
-function format_endpoint_info(ei: EndpointInfo): string
-	{
-	local s = fmt("'%s' (%s:%d)", ei$id, ei$network$address, ei$network$bound_port);
-	if ( ei?$application_name )
-		s += fmt(" application_name=%s", ei$application_name);
-	return s;
-	}
-
-event websocket_client_added(endpoint: EndpointInfo, subscriptions: string_vec)
-	{
-	local msg = fmt("WebSocket client %s subscribed to %s",
-	                format_endpoint_info(endpoint), subscriptions);
-	Cluster::log(msg);
-	}
-
-event websocket_client_lost(endpoint: EndpointInfo, code: count, reason: string)
-	{
-	local msg = fmt("WebSocket client %s gone with code %d%s",
-	                format_endpoint_info(endpoint), code,
-	                |reason| > 0 ? fmt(" and reason '%s'", reason) : "");
-	Cluster::log(msg);
-	}
-
-# If a backend reports an error, propagate it via a reporter error message.
-event Cluster::Backend::error(tag: string, message: string)
-	{
-	local msg = fmt("Cluster::Backend::error: %s (%s)", tag, message);
-	Reporter::error(msg);
-	}
--- a/scripts/base/frameworks/cluster/supervisor.zeek
+++ b/scripts/base/frameworks/cluster/supervisor.zeek
@ -42,7 +42,7 @@ function __init_cluster_nodes(): bool
 		if ( endp$role in rolemap )
 			typ = rolemap[endp$role];

-		cnode = Cluster::Node($node_type=typ, $ip=endp$host, $p=endp$p);
+		cnode = [$node_type=typ, $ip=endp$host, $p=endp$p];
 		if ( |manager_name| > 0 && cnode$node_type != Cluster::MANAGER )
 			cnode$manager = manager_name;
 		if ( endp?$metrics_port )
--- a/scripts/base/frameworks/cluster/telemetry.zeek
+++ b/scripts/base/frameworks/cluster/telemetry.zeek
@ -1,39 +0,0 @@
-## Module for cluster telemetry.
-module Cluster::Telemetry;
-
-export {
-	type Type: enum {
-		## Creates counter metrics for incoming and for outgoing
-		## events without labels.
-		INFO,
-		## Creates counter metrics for incoming and outgoing events
-		## labeled with handler and normalized topic names.
-		VERBOSE,
-		## Creates histogram metrics using the serialized message size
-		## for events, labeled by topic, handler and script location
-		## (outgoing only).
-		DEBUG,
-	};
-
-	## The telemetry types to enable for the core backend.
-	const core_metrics: set[Type] = {
-		INFO,
-	} &redef;
-
-	## The telemetry types to enable for WebSocket backends.
-	const websocket_metrics: set[Type] = {
-		INFO,
-	} &redef;
-
-	## Table used for normalizing topic names that contain random parts.
-	## Map to an empty string to skip recording a specific metric
-	## completely.
-	const topic_normalizations: table[pattern] of string = {
-		[/^zeek\/cluster\/nodeid\/.*/] = "zeek/cluster/nodeid/__normalized__",
-	} &ordered &redef;
-
-	## For the DEBUG metrics, the histogram buckets to use.
-	const message_size_bounds: vector of double = {
-		10.0, 50.0, 100.0, 500.0, 1000.0, 5000.0, 10000.0, 50000.0,
-	} &redef;
-}
--- a/scripts/base/frameworks/config/input.zeek
+++ b/scripts/base/frameworks/config/input.zeek
@ -40,14 +40,14 @@ event zeek_init() &priority=5
 		return;

 	for ( fi in config_files )
-		Input::add_table(Input::TableDescription($reader=Input::READER_CONFIG,
+		Input::add_table([$reader=Input::READER_CONFIG,
 			$mode=Input::REREAD,
 			$source=fi,
 			$name=cat("config-", fi),
 			$idx=ConfigItem,
 			$val=ConfigItem,
 			$want_record=F,
-			$destination=current_config));
+			$destination=current_config]);
 	}

 event InputConfig::new_value(name: string, source: string, id: string, value: any)
@ -67,11 +67,11 @@ function read_config(filename: string)

 	local iname = cat("config-oneshot-", filename);

-	Input::add_event(Input::EventDescription($reader=Input::READER_CONFIG,
+	Input::add_event([$reader=Input::READER_CONFIG,
 		$mode=Input::MANUAL,
 		$source=filename,
 		$name=iname,
 		$fields=EventFields,
-		$ev=config_line));
+		$ev=config_line]);
 	Input::remove(iname);
 	}
--- a/scripts/base/frameworks/config/main.zeek
+++ b/scripts/base/frameworks/config/main.zeek
@ -153,7 +153,7 @@ function config_option_changed(ID: string, new_value: any, location: string): an

 event zeek_init() &priority=10
 	{
-	Log::create_stream(LOG, Log::Stream($columns=Info, $ev=log_config, $path="config", $policy=log_policy));
+	Log::create_stream(LOG, [$columns=Info, $ev=log_config, $path="config", $policy=log_policy]);

 	# Limit logging to the manager - everyone else just feeds off it.
@if ( !Cluster::is_enabled() || Cluster::local_node_type() == Cluster::MANAGER )
--- a/scripts/base/frameworks/files/main.zeek
+++ b/scripts/base/frameworks/files/main.zeek
@ -341,7 +341,7 @@ global analyzer_add_callbacks: table[Files::Tag] of function(f: fa_file, args: A

 event zeek_init() &priority=5
 	{
-	Log::create_stream(Files::LOG, Log::Stream($columns=Info, $ev=log_files, $path="files", $policy=log_policy));
+	Log::create_stream(Files::LOG, [$columns=Info, $ev=log_files, $path="files", $policy=log_policy]);
 	}

 function set_info(f: fa_file)
--- a/scripts/base/frameworks/input/main.zeek
+++ b/scripts/base/frameworks/input/main.zeek
@ -24,10 +24,10 @@ export {
 		STREAM = 2
 	};

-	## The default input reader used. Defaults to :zeek:see:`Input::READER_ASCII`.
+	## The default input reader used. Defaults to `READER_ASCII`.
 	option default_reader = READER_ASCII;

-	## The default reader mode used. Defaults to :zeek:see:`Input::MANUAL`.
+	## The default reader mode used. Defaults to `MANUAL`.
 	option default_mode = MANUAL;

 	## Separator between fields.
@ -60,7 +60,7 @@ export {
 		# Common definitions for tables and events

 		## String that allows the reader to find the source of the data.
-		## For :zeek:see:`Input::READER_ASCII`, this is the filename.
+		## For `READER_ASCII`, this is the filename.
 		source: string;

 		## Reader to use for this stream.
@ -112,7 +112,7 @@ export {
 		##
 		## The event is raised like if it had been declared as follows:
 		## error_ev: function(desc: TableDescription, message: string, level: Reporter::Level) &optional;
-		## The actual declaration uses the :zeek:type:`any` type because of deficiencies of the Zeek type system.
+		## The actual declaration uses the ``any`` type because of deficiencies of the Zeek type system.
 		error_ev: any &optional;

 		## A key/value table that will be passed to the reader.
@ -126,7 +126,7 @@ export {
 		# Common definitions for tables and events

 		## String that allows the reader to find the source.
-		## For :zeek:see:`Input::READER_ASCII`, this is the filename.
+		## For `READER_ASCII`, this is the filename.
 		source: string;

 		## Reader to use for this stream.
@ -151,8 +151,8 @@ export {
 		want_record: bool &default=T;

 		## The event that is raised each time a new line is received from the
-		## reader. The event will receive an :zeek:see:`Input::EventDescription` record
-		## as the first argument, an :zeek:see:`Input::Event` enum as the second
+		## reader. The event will receive an Input::EventDescription record
+		## as the first argument, an Input::Event enum as the second
 		## argument, and the fields (as specified in *fields*) as the following
 		## arguments (this will either be a single record value containing
 		## all fields, or each field value as a separate argument).
@ -161,12 +161,12 @@ export {
 		## Error event that is raised when an information, warning or error
 		## is raised by the input stream. If the level is error, the stream will automatically
 		## be closed.
-		## The event receives the :zeek:see:`Input::EventDescription` as the first argument, the
-		## message as the second argument and the :zeek:see:`Reporter::Level` as the third argument.
+		## The event receives the Input::EventDescription as the first argument, the
+		## message as the second argument and the Reporter::Level as the third argument.
 		##
 		## The event is raised like it had been declared as follows:
 		## error_ev: function(desc: EventDescription, message: string, level: Reporter::Level) &optional;
-		## The actual declaration uses the :zeek:type:`any` type because of deficiencies of the Zeek type system.
+		## The actual declaration uses the ``any`` type because of deficiencies of the Zeek type system.
 		error_ev: any &optional;

 		## A key/value table that will be passed to the reader.
@ -179,7 +179,7 @@ export {
 	## file analysis framework.
 	type AnalysisDescription: record {
 		## String that allows the reader to find the source.
-		## For :zeek:see:`Input::READER_ASCII`, this is the filename.
+		## For `READER_ASCII`, this is the filename.
 		source: string;

 		## Reader to use for this stream.  Compatible readers must be
@ -205,14 +205,14 @@ export {

 	## Create a new table input stream from a given source.
 	##
-	## description: :zeek:see:`Input::TableDescription` record describing the source.
+	## description: `TableDescription` record describing the source.
 	##
 	## Returns: true on success.
 	global add_table: function(description: Input::TableDescription) : bool;

 	## Create a new event input stream from a given source.
 	##
-	## description: :zeek:see:`Input::EventDescription` record describing the source.
+	## description: `EventDescription` record describing the source.
 	##
 	## Returns: true on success.
 	global add_event: function(description: Input::EventDescription) : bool;
@ -278,3 +278,4 @@ function force_update(id: string) : bool
 	{
 	return __force_update(id);
 	}
+
--- a/scripts/base/frameworks/intel/cluster.zeek
+++ b/scripts/base/frameworks/intel/cluster.zeek
@ -105,30 +105,10 @@ event Intel::insert_indicator(item: Intel::Item) &priority=5
 	Intel::_insert(item, F);
 	}

-function invoke_indicator_hook(store: MinDataStore, h: hook(v: string, t: Intel::Type))
-	{
-	for ( a in store$host_data )
-		hook h(cat(a), Intel::ADDR);
-
-	for ( sn in store$subnet_data)
-		hook h(cat(sn), Intel::SUBNET);
-
-	for ( [indicator_value, indicator_type] in store$string_data )
-		hook h(indicator_value, indicator_type);
-	}
-
 # Handling of a complete MinDataStore snapshot
-#
-# Invoke the removed and inserted hooks using the old and new min data store
-# instances, respectively. The way this event is used, the original
-# min_data_store should essentially be empty.
 event new_min_data_store(store: MinDataStore)
 	{
-	invoke_indicator_hook(min_data_store, Intel::indicator_removed);
-
 	min_data_store = store;
-
-	invoke_indicator_hook(min_data_store, Intel::indicator_inserted);
 	}
@endif

--- a/scripts/base/frameworks/intel/input.zeek
+++ b/scripts/base/frameworks/intel/input.zeek
@ -68,13 +68,13 @@ event zeek_init() &priority=5
 			if ( |path_prefix| > 0 && sub_bytes(a_file, 0, 1) != "/" )
 				source = cat(rstrip(path_prefix, "/"), "/", a_file);

-			Input::add_event(Input::EventDescription($source=source,
-			                                         $reader=Input::READER_ASCII,
-			                                         $mode=Input::REREAD,
-			                                         $name=cat("intel-", a_file),
-			                                         $fields=Intel::Item,
-			                                         $ev=Intel::read_entry,
-			                                         $error_ev=Intel::read_error));
+			Input::add_event([$source=source,
+			                  $reader=Input::READER_ASCII,
+			                  $mode=Input::REREAD,
+			                  $name=cat("intel-", a_file),
+			                  $fields=Intel::Item,
+			                  $ev=Intel::read_entry,
+			                  $error_ev=Intel::read_error]);
 			}
 		}
 	}
--- a/scripts/base/frameworks/intel/main.zeek
+++ b/scripts/base/frameworks/intel/main.zeek
@ -207,35 +207,6 @@ export {
 	## item: The intel item that should be inserted.
 	global filter_item: hook(item: Intel::Item);

-	## This hook is invoked when a new indicator has been inserted into
-	## the min data store for the first time.
-	##
-	## Calls to :zeek:see:`Intel::seen` with a matching indicator value
-	## and type will result in matches.
-	##
-	## Subsequent inserts of the same indicator type and value do not
-	## invoke this hook. Breaking from this hook has no effect.
-	##
-	## indicator: The indicator value.
-	##
-	## indicator_type: The indicator type.
-	##
-	## .. zeek::see:: Intel::indicator_removed
-	global indicator_inserted: hook(indicator: string, indiator_type: Type);
-
-	## This hook is invoked when an indicator has been removed from
-	## the min data store.
-	##
-	## After this hooks runs, :zeek:see:`Intel::seen` for the indicator
-	## will not return any matches. Breaking from this hook has no effect.
-	##
-	## indicator: The indicator value.
-	##
-	## indicator_type: The indicator type.
-	##
-	## .. zeek::see:: Intel::indicator_inserted
-	global indicator_removed: hook(indicator: string, indiator_type: Type);
-
 	global log_intel: event(rec: Info);
 }

@ -280,7 +251,7 @@ global min_data_store: MinDataStore &redef;

 event zeek_init() &priority=5
 	{
-	Log::create_stream(LOG, Log::Stream($columns=Info, $ev=log_intel, $path="intel", $policy=log_policy));
+	Log::create_stream(LOG, [$columns=Info, $ev=log_intel, $path="intel", $policy=log_policy]);
 	}

 # Function that abstracts expiration of different types.
@ -289,7 +260,7 @@ function expire_item(indicator: string, indicator_type: Type, metas: set[MetaDat
 	if ( hook item_expired(indicator, indicator_type, metas) )
 		return item_expiration;
 	else
-		remove(Item($indicator=indicator, $indicator_type=indicator_type, $meta=MetaData($source="")), T);
+		remove([$indicator=indicator, $indicator_type=indicator_type, $meta=[$source=""]], T);
 	return 0 sec;
 	}

@ -536,44 +507,18 @@ function _insert(item: Item, first_dispatch: bool &default = T)
 	# All intelligence is case insensitive at the moment.
 	local lower_indicator = to_lower(item$indicator);

-	# Track if the indicator was inserted into the min_data_store.
-	# It's tempting to just use is_new above, but it seems that only works
-	# correctly on a worker if the manager never spuriously sends a
-	# Intel::insert_item(), so better to determine this locally based
-	# on the actual contents of the min_data_store.
-	local inserted = F;
-	local inserted_value = "";
-
 	# Insert indicator into MinDataStore (might exist already).
 	switch ( item$indicator_type )
 		{
 		case ADDR:
 			local host = to_addr(item$indicator);
-			if ( host !in min_data_store$host_data )
-				{
-				inserted = T;
-				inserted_value = cat(host);
-				}
-
 			add min_data_store$host_data[host];
 			break;
 		case SUBNET:
 			local net = to_subnet(item$indicator);
-			if ( net !in min_data_store$subnet_data )
-				{
-				inserted = T;
-				inserted_value = cat(net);
-				}
-
 			add min_data_store$subnet_data[net];
 			break;
 		default:
-			if ( [lower_indicator, item$indicator_type] !in min_data_store$string_data )
-				{
-				inserted = T;
-				inserted_value = lower_indicator;
-				}
-
 			add min_data_store$string_data[lower_indicator, item$indicator_type];
 			break;
 		}
@ -588,9 +533,6 @@ function _insert(item: Item, first_dispatch: bool &default = T)
 		# Announce a (possibly) new item if this is the first dispatch and
 		# we know it is new or have to assume that on a worker.
 		event Intel::new_item(item);
-
-	if ( inserted )
-		hook Intel::indicator_inserted(inserted_value, item$indicator_type);
 	}

 function insert(item: Item)
@ -690,43 +632,18 @@ function remove(item: Item, purge_indicator: bool)
 # Handling of indicator removal in minimal data stores.
 event remove_indicator(item: Item)
 	{
-	local removed = F;
-	local removed_value = "";
-
 	switch ( item$indicator_type )
 		{
 		case ADDR:
 			local host = to_addr(item$indicator);
-			if ( host in min_data_store$host_data )
-				{
-				removed = T;
-				removed_value = cat(host);
-				}
-
 			delete min_data_store$host_data[host];
 			break;
 		case SUBNET:
 			local net = to_subnet(item$indicator);
-			if ( net in min_data_store$subnet_data )
-				{
-				removed = T;
-				removed_value = cat(net);
-				}
-
 			delete min_data_store$subnet_data[net];
 			break;
 		default:
-			local indicator_value = to_lower(item$indicator);
-			if ( [indicator_value, item$indicator_type] in min_data_store$string_data )
-				{
-				removed = T;
-				removed_value = indicator_value;
-				}
-
-			delete min_data_store$string_data[indicator_value, item$indicator_type];
+			delete min_data_store$string_data[to_lower(item$indicator), item$indicator_type];
 			break;
 		}
-
-	if ( removed )
-		hook Intel::indicator_removed(removed_value, item$indicator_type);
 	}
--- a/scripts/base/frameworks/logging/main.zeek
+++ b/scripts/base/frameworks/logging/main.zeek
@ -198,12 +198,12 @@ export {

 	## Default separator for log field scopes when logs are unrolled and
 	## flattened.  This will be the string between field name components.
-	## For example, setting this to ``_`` will cause the typical field
-	## ``id.orig_h`` to turn into ``id_orig_h``.
+	## For example, setting this to "_" will cause the typical field
+	## "id.orig_h" to turn into "id_orig_h".
 	const default_scope_sep = "." &redef;

 	## A prefix for extension fields which can be optionally prefixed
-	## on all log lines by setting the ``ext_func`` field in the
+	## on all log lines by setting the `ext_func` field in the
 	## log filter.
 	const Log::default_ext_prefix: string = "_" &redef;

@ -422,30 +422,10 @@ export {
 		## .. :zeek:see:`Log::default_max_delay_queue_size`
 		## .. :zeek:see:`Log::set_max_delay_queue_size`
 		max_delay_queue_size: count &default=default_max_delay_queue_size;
-
-		## Maximum string size for field in a log record from this stream.
-		##
-		## .. :zeek:see:`Log::default_max_field_string_bytes`
-		max_field_string_bytes: count &default=Log::default_max_field_string_bytes;
-
-		## Maximum total string size in a log record from this stream.
-		##
-		## .. :zeek:see:`Log::default_max_total_string_bytes`
-		max_total_string_bytes: count &default=Log::default_max_total_string_bytes;
-
-		## Maximum container elements for field in a log record from this stream.
-		##
-		## .. :zeek:see:`Log::default_max_field_container_elements`
-		max_field_container_elements: count &default=Log::default_max_field_container_elements;
-
-		## Maximum total container elements in a log record from this stream.
-		##
-		## .. :zeek:see:`Log::default_max_total_container_elements`
-		max_total_container_elements: count &default=Log::default_max_total_container_elements;
 	};

 	## Sentinel value for indicating that a filter was not found when looked up.
-	const no_filter = Filter($name="<not found>");
+	const no_filter: Filter = [$name="<not found>"];

 	## Creates a new logging stream with the default filter.
 	##
@ -1017,7 +997,7 @@ function flush(id: ID): bool

 function add_default_filter(id: ID) : bool
 	{
-	return add_filter(id, Filter($name="default"));
+	return add_filter(id, [$name="default"]);
 	}

 function remove_default_filter(id: ID) : bool
@ -1028,7 +1008,7 @@ function remove_default_filter(id: ID) : bool
 event zeek_init() &priority=5
 	{
 	if ( print_to_log != REDIRECT_NONE )
-		Log::create_stream(PRINTLOG, Log::Stream($columns=PrintLogInfo, $ev=log_print, $path=print_log_path));
+		Log::create_stream(PRINTLOG, [$columns=PrintLogInfo, $ev=log_print, $path=print_log_path]);
 	}

 function empty_post_delay_cb(rec: any, id: ID): bool {
--- a/scripts/base/frameworks/logging/writers/ascii.zeek
+++ b/scripts/base/frameworks/logging/writers/ascii.zeek
@ -7,9 +7,9 @@
 ##! names is printed out as meta information, with no "# fields" prepended; no
 ##! other meta data gets included in that mode.  Example filter using this::
 ##!
-##!    local f = Log::Filter($name = "my-filter",
-##!                          $writer = Log::WRITER_ASCII,
-##!                          $config = table(["tsv"] = "T"));
+##!    local f: Log::Filter = [$name = "my-filter",
+##!                            $writer = Log::WRITER_ASCII,
+##!                            $config = table(["tsv"] = "T")];
 ##!

 module LogAscii;
--- a/scripts/base/frameworks/netcontrol/drop.zeek
+++ b/scripts/base/frameworks/netcontrol/drop.zeek
@ -59,13 +59,13 @@ export {

 event zeek_init() &priority=5
 	{
-	Log::create_stream(NetControl::DROP_LOG, Log::Stream($columns=DropInfo, $ev=log_netcontrol_drop, $path="netcontrol_drop", $policy=log_policy_drop));
+	Log::create_stream(NetControl::DROP_LOG, [$columns=DropInfo, $ev=log_netcontrol_drop, $path="netcontrol_drop", $policy=log_policy_drop]);
 	}

 function drop_connection(c: conn_id, t: interval, location: string &default="") : string
 	{
-	local e = Entity($ty=CONNECTION, $conn=c);
-	local r = Rule($ty=DROP, $target=FORWARD, $entity=e, $expire=t, $location=location);
+	local e: Entity = [$ty=CONNECTION, $conn=c];
+	local r: Rule = [$ty=DROP, $target=FORWARD, $entity=e, $expire=t, $location=location];

 	if ( ! hook NetControl::drop_rule_policy(r) )
 		return "";
@ -88,8 +88,8 @@ function drop_connection(c: conn_id, t: interval, location: string &default="")

 function drop_address(a: addr, t: interval, location: string &default="") : string
 	{
-	local e = Entity($ty=ADDRESS, $ip=addr_to_subnet(a));
-	local r = Rule($ty=DROP, $target=FORWARD, $entity=e, $expire=t, $location=location);
+	local e: Entity = [$ty=ADDRESS, $ip=addr_to_subnet(a)];
+	local r: Rule = [$ty=DROP, $target=FORWARD, $entity=e, $expire=t, $location=location];

 	if ( ! hook NetControl::drop_rule_policy(r) )
 		return "";
--- a/scripts/base/frameworks/netcontrol/main.zeek
+++ b/scripts/base/frameworks/netcontrol/main.zeek
@ -383,7 +383,7 @@ global rule_entities: table[Entity, RuleType] of Rule;

 event zeek_init() &priority=5
 	{
-	Log::create_stream(NetControl::LOG, Log::Stream($columns=Info, $ev=log_netcontrol, $path="netcontrol", $policy=log_policy));
+	Log::create_stream(NetControl::LOG, [$columns=Info, $ev=log_netcontrol, $path="netcontrol", $policy=log_policy]);
 	}

 function entity_to_info(info: Info, e: Entity)
@ -489,22 +489,22 @@ function rule_to_info(info: Info, r: Rule)

 function log_msg(msg: string, p: PluginState)
 	{
-	Log::write(LOG, Info($ts=network_time(), $category=MESSAGE, $msg=msg, $plugin=p$plugin$name(p)));
+	Log::write(LOG, [$ts=network_time(), $category=MESSAGE, $msg=msg, $plugin=p$plugin$name(p)]);
 	}

 function log_error(msg: string, p: PluginState)
 	{
-	Log::write(LOG, Info($ts=network_time(), $category=ERROR, $msg=msg, $plugin=p$plugin$name(p)));
+	Log::write(LOG, [$ts=network_time(), $category=ERROR, $msg=msg, $plugin=p$plugin$name(p)]);
 	}

 function log_msg_no_plugin(msg: string)
 	{
-	Log::write(LOG, Info($ts=network_time(), $category=MESSAGE, $msg=msg));
+	Log::write(LOG, [$ts=network_time(), $category=MESSAGE, $msg=msg]);
 	}

 function log_rule(r: Rule, cmd: string, state: InfoState, p: PluginState, msg: string &default="")
 	{
-	local info = Info($ts=network_time());
+	local info: Info = [$ts=network_time()];
 	info$category = RULE;
 	info$cmd = cmd;
 	info$state = state;
@ -519,14 +519,14 @@ function log_rule(r: Rule, cmd: string, state: InfoState, p: PluginState, msg: s

 function log_rule_error(r: Rule, msg: string, p: PluginState)
 	{
-	local info = Info($ts=network_time(), $category=ERROR, $msg=msg, $plugin=p$plugin$name(p));
+	local info: Info = [$ts=network_time(), $category=ERROR, $msg=msg, $plugin=p$plugin$name(p)];
 	rule_to_info(info, r);
 	Log::write(LOG, info);
 	}

 function log_rule_no_plugin(r: Rule, state: InfoState, msg: string)
 	{
-	local info  = Info($ts=network_time());
+	local info: Info  = [$ts=network_time()];
 	info$category = RULE;
 	info$state = state;
 	info$msg = msg;
@ -538,16 +538,16 @@ function log_rule_no_plugin(r: Rule, state: InfoState, msg: string)

 function whitelist_address(a: addr, t: interval, location: string &default="") : string
 	{
-	local e = Entity($ty=ADDRESS, $ip=addr_to_subnet(a));
-	local r = Rule($ty=WHITELIST, $priority=whitelist_priority, $target=FORWARD, $entity=e, $expire=t, $location=location);
+	local e: Entity = [$ty=ADDRESS, $ip=addr_to_subnet(a)];
+	local r: Rule = [$ty=WHITELIST, $priority=whitelist_priority, $target=FORWARD, $entity=e, $expire=t, $location=location];

 	return add_rule(r);
 	}

 function whitelist_subnet(s: subnet, t: interval, location: string &default="") : string
 	{
-	local e = Entity($ty=ADDRESS, $ip=s);
-	local r = Rule($ty=WHITELIST, $priority=whitelist_priority, $target=FORWARD, $entity=e, $expire=t, $location=location);
+	local e: Entity = [$ty=ADDRESS, $ip=s];
+	local r: Rule = [$ty=WHITELIST, $priority=whitelist_priority, $target=FORWARD, $entity=e, $expire=t, $location=location];

 	return add_rule(r);
 	}
@ -561,8 +561,8 @@ function redirect_flow(f: flow_id, out_port: count, t: interval, location: strin
 		$dst_h=addr_to_subnet(f$dst_h),
 		$dst_p=f$dst_p
 	);
-	local e = Entity($ty=FLOW, $flow=flow);
-	local r = Rule($ty=REDIRECT, $target=FORWARD, $entity=e, $expire=t, $location=location, $out_port=out_port);
+	local e: Entity = [$ty=FLOW, $flow=flow];
+	local r: Rule = [$ty=REDIRECT, $target=FORWARD, $entity=e, $expire=t, $location=location, $out_port=out_port];

 	return add_rule(r);
 	}
@ -570,19 +570,19 @@ function redirect_flow(f: flow_id, out_port: count, t: interval, location: strin
 function quarantine_host(infected: addr, dns: addr, quarantine: addr, t: interval, location: string &default="") : vector of string
 	{
 	local orules: vector of string = vector();
-	local edrop = Entity($ty=FLOW, $flow=Flow($src_h=addr_to_subnet(infected)));
-	local rdrop = Rule($ty=DROP, $target=FORWARD, $entity=edrop, $expire=t, $location=location);
+	local edrop: Entity = [$ty=FLOW, $flow=Flow($src_h=addr_to_subnet(infected))];
+	local rdrop: Rule = [$ty=DROP, $target=FORWARD, $entity=edrop, $expire=t, $location=location];
 	orules += add_rule(rdrop);

-	local todnse = Entity($ty=FLOW, $flow=Flow($src_h=addr_to_subnet(infected), $dst_h=addr_to_subnet(dns), $dst_p=53/udp));
+	local todnse: Entity = [$ty=FLOW, $flow=Flow($src_h=addr_to_subnet(infected), $dst_h=addr_to_subnet(dns), $dst_p=53/udp)];
 	local todnsr = Rule($ty=MODIFY, $target=FORWARD, $entity=todnse, $expire=t, $location=location, $mod=FlowMod($dst_h=quarantine), $priority=+5);
 	orules += add_rule(todnsr);

-	local fromdnse = Entity($ty=FLOW, $flow=Flow($src_h=addr_to_subnet(dns), $src_p=53/udp, $dst_h=addr_to_subnet(infected)));
+	local fromdnse: Entity = [$ty=FLOW, $flow=Flow($src_h=addr_to_subnet(dns), $src_p=53/udp, $dst_h=addr_to_subnet(infected))];
 	local fromdnsr = Rule($ty=MODIFY, $target=FORWARD, $entity=fromdnse, $expire=t, $location=location, $mod=FlowMod($src_h=dns), $priority=+5);
 	orules += add_rule(fromdnsr);

-	local wle = Entity($ty=FLOW, $flow=Flow($src_h=addr_to_subnet(infected), $dst_h=addr_to_subnet(quarantine), $dst_p=80/tcp));
+	local wle: Entity = [$ty=FLOW, $flow=Flow($src_h=addr_to_subnet(infected), $dst_h=addr_to_subnet(quarantine), $dst_p=80/tcp)];
 	local wlr = Rule($ty=WHITELIST, $target=FORWARD, $entity=wle, $expire=t, $location=location, $priority=+5);
 	orules += add_rule(wlr);

--- a/scripts/base/frameworks/netcontrol/plugins/acld.zeek
+++ b/scripts/base/frameworks/netcontrol/plugins/acld.zeek
@ -303,7 +303,7 @@ function create_acld(config: AcldConfig) : PluginState
 		add netcontrol_acld_topics[config$acld_topic];

 	local host = cat(config$acld_host);
-	local p = PluginState($acld_config=config, $plugin=acld_plugin, $acld_id=netcontrol_acld_current_id);
+	local p: PluginState = [$acld_config=config, $plugin=acld_plugin, $acld_id=netcontrol_acld_current_id];

 	if ( [config$acld_port, host] in netcontrol_acld_peers )
 		Reporter::warning(fmt("Peer %s:%s was added to NetControl acld plugin twice.", host, config$acld_port));
--- a/scripts/base/frameworks/netcontrol/plugins/debug.zeek
+++ b/scripts/base/frameworks/netcontrol/plugins/debug.zeek
@ -117,7 +117,7 @@ global debug_plugin = Plugin(

 function create_debug(do_something: bool, name: string) : PluginState
 	{
-	local p = PluginState($plugin=debug_plugin);
+	local p: PluginState = [$plugin=debug_plugin];

 	# FIXME: Why's the default not working?
 	p$config = table();
@ -132,7 +132,7 @@ function create_debug(do_something: bool, name: string) : PluginState

 function create_debug_error(name: string) : PluginState
 	{
-	local p = copy(PluginState($plugin=debug_plugin));
+	local p: PluginState = copy([$plugin=debug_plugin]);
 	p$config["name"] = name;
 	p$config["all"] = "1";
 	p$plugin$add_rule = debug_add_rule_error;
@ -141,7 +141,7 @@ function create_debug_error(name: string) : PluginState

 function create_debug_exists(name: string) : PluginState
 	{
-	local p = copy(PluginState($plugin=debug_plugin));
+	local p: PluginState = copy([$plugin=debug_plugin]);
 	p$config["name"] = name;
 	p$config["all"] = "1";
 	p$plugin$add_rule = debug_add_rule_exists;
--- a/scripts/base/frameworks/netcontrol/plugins/openflow.zeek
+++ b/scripts/base/frameworks/netcontrol/plugins/openflow.zeek
@ -447,7 +447,7 @@ global openflow_plugin = Plugin(

 function create_openflow(controller: OpenFlow::Controller, config: OfConfig &default=[]) : PluginState
 	{
-	local p = PluginState($plugin=openflow_plugin, $of_controller=controller, $of_config=config);
+	local p: PluginState = [$plugin=openflow_plugin, $of_controller=controller, $of_config=config];

 	return p;
 	}
--- a/Show more
+++ b/Show more
Author	SHA1	Message	Date
Tim Wojtulewicz	2836442a2c	Updating CHANGES and VERSION.	2025-01-07 11:45:10 -07:00
Tim Wojtulewicz	91571f3411	Merge remote-tracking branch 'origin/topic/christian/news-7-1-contribs' * origin/topic/christian/news-7-1-contribs: Add 7.1 contributors to NEWS file [skip ci] (cherry picked from commit `f1c054f8f3`)	2025-01-07 11:43:07 -07:00
Tim Wojtulewicz	560cdcc0ab	Update docs submodule [nomail]	2025-01-07 10:08:48 -07:00
Tim Wojtulewicz	addbc4ef31	Merge remote-tracking branch 'origin/topic/johanna/even-more-tls-const-updates' * origin/topic/johanna/even-more-tls-const-updates: More updates to the SSL consts from recent protocol additions (cherry picked from commit `2ce71a75a7`)	2025-01-07 10:07:31 -07:00
Tim Wojtulewicz	6f7cb325c6	Merge remote-tracking branch 'origin/topic/johanna/more-post-quantum-curves' * origin/topic/johanna/more-post-quantum-curves: Update ssl consts with more post-quantum curves (cherry picked from commit `7f4a620db6`)	2025-01-07 10:06:41 -07:00
Tim Wojtulewicz	6679de4dc2	Update doc submodule [nomail] [skip ci]	2025-01-06 16:31:55 -07:00
Tim Wojtulewicz	86663c071c	Merge remote-tracking branch 'origin/topic/bbannier/fix-zeek-see-uses' * origin/topic/bbannier/fix-zeek-see-uses: Fix incorrect uses of `zeek:see` (cherry picked from commit `6deae2d28d`)	2025-01-06 16:24:02 -07:00
Tim Wojtulewicz	0f3af67f6f	Update doc submodule [nomail] [skip ci]	2025-01-06 16:23:08 -07:00
Tim Wojtulewicz	cae903b35a	Merge remote-tracking branch 'origin/topic/bbannier/bump-spicy-7.1' into release/7.1 * origin/topic/bbannier/bump-spicy-7.1: Bump spicy-format pre-commit hook Bump auxil/spicy to latest release	2025-01-06 08:16:50 -07:00
Benjamin Bannier	3197fd74ef	Bump spicy-format pre-commit hook	2025-01-06 14:34:12 +01:00
Benjamin Bannier	a2419f30bd	Bump auxil/spicy to latest release	2025-01-06 14:14:12 +01:00
Tim Wojtulewicz	05f8d043a7	Merge remote-tracking branch 'origin/topic/awelzel/4084-vector-of-pattern-compare' * origin/topic/awelzel/4084-vector-of-pattern-compare: ZAM/relexpr-op NE for patterns Expr: Fix folding of pattern values to support == and != (cherry picked from commit `33eaa5ccda`)	2024-12-16 13:02:46 -07:00
Tim Wojtulewicz	4d6031cbb0	Updating CHANGES and VERSION.	2024-12-16 11:28:28 -07:00
Tim Wojtulewicz	993529fae4	Update docs submodule [nomail] [skip ci]	2024-12-16 11:01:50 -07:00
Tim Wojtulewicz	69f1ae2301	Merge remote-tracking branch 'security/topic/awelzel/217-quic-decrypt-crash' * security/topic/awelzel/217-quic-decrypt-crash: QUIC/decrypt_crypto: Actually check if decryption was successful QUIC/decrypt_crypto: Limit payload_length to 10k QUIC/decrypt_crypto: Fix decrypting into too small stack buffer (cherry picked from commit `f940f2d88f`)	2024-12-16 10:21:11 -07:00
				`@ -1 +0,0 @@`
				`Our code of conduct is published at https://zeek.org/community-code-of-conduct/`
				`@ -0,0 +1 @@`
				`Subproject commit 60f6fd2c8a8d274006dfdbedd75272789a59d84b`
				`@ -0,0 +1 @@`
				`Subproject commit 965ec030ab2f769a8a9af9fe2fa33de85ce946c0`
				`@ -1 +0,0 @@`
				`Subproject commit f339d2f73730f8fee4412f5e4938717866ecef48`
				`@ -0,0 +1 @@`
				`Subproject commit 72a76d774e4c7c605141fd6d11c33cc211209ed9`
				`@ -0,0 +1 @@`
				`Subproject commit 517bf6a5c8dc6afdee2b854d575dbdd15736afc5`
				`@ -0,0 +1 @@`
				`Subproject commit a3fe59b3f1ded5c3461995134b66c6db182fa56f`