Seven years after the formation of the last significant branch
Zeek is a traffic analysis platform primarily focused on, but not limited to, monitoring security-related events. It provides modules for analyzing and parsing various application-layer network protocols, tracking connection state and building a detailed log (archive) of network activity. A domain-specific scripting language is offered for writing monitoring and anomaly-detection scripts tailored to a particular infrastructure. The system is optimized for use in high-bandwidth networks, and an API is provided for integration with third-party information systems and real-time data exchange.
- The parser for the NTP protocol has been completely rewritten and a new parser for MQTT has been added. The analyzers for DNS, RDP, SMB and TLS have been extended: for DNS, SPF records are parsed, and for DNSSEC the RRSIG, DNSKEY, DS, NSEC and NSEC3 records are parsed and corresponding events are generated. The SMB parser gained support for the SMB 3.x protocol, and the TLS parser gained support for TLS 1.3;
- Implemented decapsulation of streams transmitted inside VXLAN tunnels;
- Added support for the NFLOG link type;
- Added the ability to save extracted data to the log in UTF-8 encoding;
- The scripting language gained closures for anonymous functions, a key-value table iteration operator ("for ( key, value in t )"), Python-style vector slicing operations ("v[2:4]"), and a new paraglob structure for fast matching of string masks (glob patterns) against large data sets;
- All references to the name "bro" in file paths, settings, packages, scripts, namespaces, and functions have been changed to "zeek" (old names are supported for backwards compatibility). The bro-pkg package manager has been renamed to zkg.
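The three scripting-language additions listed above (closures, key-value table iteration and vector slicing) in one short Zeek script. This is an added example written for this page, not code from the Zeek project or the news item; the threshold value, the table contents and the `above()` helper are constructed for illustration, and the closure is assumed to capture the enclosing `threshold` local by value, which is all this example relies on.

```zeek
# Returns an anonymous function that remembers `threshold` from the
# enclosing scope (a closure), usable as a reusable predicate.
function above(threshold: count): function(x: count): bool
    {
    return function(x: count): bool { return x > threshold; };
    }

event zeek_init()
    {
    # Constructed sample data: number of DNS answers seen per query name.
    local answers_per_name: table[string] of count = table(
        ["example.com"] = 2,
        ["cdn.example.net"] = 11,
        ["tracker.example.org"] = 7
    );

    # New key-value iteration: both the index and the value in one loop,
    # instead of looking the value up again inside the body.
    local suspicious = above(5);
    for ( name, n in answers_per_name )
        {
        if ( suspicious(n) )
            print fmt("%s returned %d answers (above threshold)", name, n);
        }

    # New vector slicing: take elements 1 and 2 (end index is exclusive).
    local sizes: vector of count = vector(10, 20, 30, 40, 50);
    print sizes[1:3];   # prints [20, 30]
    }
```

Run it with `zeek -b` followed by the script path; with the bare (`-b`) mode no traffic is needed, since everything happens in `zeek_init`.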
Source: opennet.ru