Zeek

zeek.org

Zeek (formerly Bro) passively monitors network traffic and looks for suspicious activity.

Open Source

Zeek Source Code

Author

zeek

Description

Zeek is a powerful network analysis framework that is much different from the typical IDS you may know.

#bro #dfir #ndr #network-monitoring #nsm #pcap #security #zeek

Homepage

https://www.zeek.org

License

NOASSERTION

Created

06 Jul 12

Last Updated

09 Jun 26

Latest version

v9.0.0-dev

Primary Language

C++

Size

263,906 KB

Stars

7,701

Forks

1,362

Watchers

7,701

Recent Commits

  • Tim Wojtulewicz (08 Jun 26)

    Merge remote-tracking branch 'origin/topic/timw/circleci-general-fixups'

    * origin/topic/timw/circleci-general-fixups:
      Disable spicy.tcp-eod-behavior-on-destroy btest under asan
      Rework clone_repos command a little
      Rename default zeek builds workflow
      Avoid double builds from merges to master

  • Tim Wojtulewicz (08 Jun 26)

    Disable spicy.tcp-eod-behavior-on-destroy btest under asan

    This test takes a very long time to complete on CircleCI, and can lead to timeouts. Disable it for asan builds to resolve that.

  • Tim Wojtulewicz (02 Jun 26)

    Rework clone_repos command a little

    - Add parameter for including submodules, allowing callers to skip that step
    - Pass --recommend-shallow for potentially faster submodule updates
    - Pass -j when updating submodules to request them in parallel

  • Tim Wojtulewicz (02 Jun 26)

    Rename default zeek builds workflow

  • Tim Wojtulewicz (08 Jun 26)

    Avoid double builds from merges to master

  • Tim Wojtulewicz (08 Jun 26)

    Merge remote-tracking branch 'mamaorha/master'

    * mamaorha/master:
      code review changes
      [windows] fix telemetry test failures on Windows CI
      [windows] fix load-duplicates-links test: use COMSPEC for cmd.exe

  • Maor Hamami (08 Jun 26)

    code review changes

  • Evan Typanski (08 Jun 26)

    Merge remote-tracking branches 'dxbjavid/ipaddr-convertstring-shift-ub', 'dxbjavid/ftp-parse-port-shift-ub', 'dxbjavid/net-util-extract-uint32-shift-ub', 'dxbjavid/asn1-oid-subidentifier-shift-ub' and 'dxbjavid/rfb-empty-name-null-deref'

    * dxbjavid/ipaddr-convertstring-shift-ub:
      ipaddr: Fix remaining casts in bitshifts
      ipaddr: cast first octet to uint32_t in ConvertString
    * dxbjavid/ftp-parse-port-shift-ub:
      ftp: cast remaining parse_port byte shifts to uint32_t
      use uint32_t for ftp PORT address shift in parse_port
    * dxbjavid/net-util-extract-uint32-shift-ub:
      net_util: cast all shifted bytes to uint32_t in extract_uint32
      net_util: cast to uint32_t in extract_uint32 to avoid signed-shift overflow
    * dxbjavid/asn1-oid-subidentifier-shift-ub:
      asn1: add test for overlong oid subidentifier weird
      asn1: fix uint64 shift UB on overlong oid subidentifier
    * dxbjavid/rfb-empty-name-null-deref:
      rfb: use data() directly for server-params name pointer
      rfb: fix null deref in proc_handle_server_params on empty name

  • Evan Typanski (08 Jun 26)

    ipaddr: Fix remaining casts in bitshifts

  • Maor Hamami (07 Jun 26)

    [windows] fix telemetry test failures on Windows CI

    telemetry.sync: Sort grep output in fetch-metrics.sh to make metric line ordering deterministic across platforms. Update baselines (metrics2.txt, metrics3.txt) to match alphabetical sort order.

    telemetry.prometheus: Skip on Windows CI (is-windows-ci) - the cluster test has CI-specific networking issues where 3 of 4 node Prometheus HTTP endpoints are unreachable, consistent with other cluster tests already excluded on Windows CI. Also add retry logic, improved error handling, and exit_only_after_terminate for local Windows runs.

  • Maor Hamami (07 Jun 26)

    [windows] fix load-duplicates-links test: use COMSPEC for cmd.exe

    Use COMSPEC instead of bare cmd in the mklink command, since C:\Windows\System32 may not be on PATH in git bash/btest environments.

  • Christian Kreibich (05 Jun 26)

    Merge remote-tracking branch 'origin/topic/johanna/threshold-fix'

    * origin/topic/johanna/threshold-fix:
      Fix off-by-one error in base/utils/thresholds

  • zeek-bot (05 Jun 26)

    Docs: Regenerated via GitHub workflow [nomail] [skip ci]

  • Christian Kreibich (04 Jun 26)

    Merge branch 'dtls-handshake-shift-window' of github.com:/dxbjavid/zeek

    * 'dtls-handshake-shift-window' of github.com:/dxbjavid/zeek:
      Add dtls test that checks behavior on sequence number jumps
      dtls: bound handshake fragment sequence shift in proc_handshake

  • Johanna Amann (04 Jun 26)

    Merge remote-tracking branch 'origin/topic/johanna/geneve-ipv6'

    * origin/topic/johanna/geneve-ipv6:
      Geneve: fix parsing of encapsulated ipv6

  • Johanna Amann (04 Jun 26)

    Fix off-by-one error in base/utils/thresholds

    Base-utils-thresholds will try to read a non-existing entry from the thresholds vector, when crossing the last threshold. As far as I can tell this error has been present since the original SVN import. This problem was found using Claude Opus 4.7.

  • Johanna Amann (04 Jun 26)

    Merge remote-tracking branch 'origin/topic/johanna/management-node-port-bug'

    * origin/topic/johanna/management-node-port-bug:
      Management framework: fix regression in metrics-port collision avoidance

  • Arne Welzel (04 Jun 26)

    Merge remote-tracking branch 'origin/topic/awelzel/websocket-security-considerations'

    * origin/topic/awelzel/websocket-security-considerations:
      doc: Wrangle WebSocket docs a bit and add security considerations

  • Johanna Amann (04 Jun 26)

    Management framework: fix regression in metrics-port collision avoidance

    A bug was introduced in 0c0769b1b2, which added a statement before the opening braces of the for loop. This means that most of the ports were never recorded in instance_ports_set, which can lead to collisions. Found with the help of Claude Opus 4.7.

  • Johanna Amann (04 Jun 26)

    Geneve: fix parsing of encapsulated ipv6

    This fixes a type in the PacketAnalyzer::register_packet_analyzer call that prevented encapsulated ipv6 from being parsed. The majority of this commit was written by Claude Opus 4.7. The issue was found with the help of Claude Opus 4.7 while exploring logic errors in the Zeek codebase.

  • Johanna Amann (04 Jun 26)

    Merge remote-tracking branch 'origin/topic/johanna/ssl-event-docs'

    * origin/topic/johanna/ssl-event-docs:
      Update a couple of SSL/TLS event descriptions

  • Johanna Amann (04 Jun 26)

    Merge remote-tracking branch 'origin/topic/johanna/netcontrol-acld-typo'

    * origin/topic/johanna/netcontrol-acld-typo:
      Netcontrol acld - fix command

  • Arne Welzel (04 Jun 26)

    doc: Wrangle WebSocket docs a bit and add security considerations

    Suggested in #5521 by @0xxon and slightly related to #5518, but focus on the security considerations.

  • Johanna Amann (04 Jun 26)

    Netcontrol acld - fix command

    This fixes a typo in the conversion of a netcontrol rule to an acld.rule. This bug, in principle, would cause an invalid acld command to be sent, which would probably cause the rule to just not be executed. We never noticed that, because the people using netcontrol+acld don't use it for flow rules - so this code is not really exercised. This also makes this a rather low importance bugfix - but it still seems not nice to have it broken like this. Found with the help of Claude Opus 4.7. I fixed the typos myself.

  • Johanna Amann (04 Jun 26)

    Update a couple of SSL/TLS event descriptions

    We were referring a couple of drafts that have long been standardized. And did not link the RFCs in a couple of places where we probably should. Only documentation changes, no code changes.

  • zeek-bot (04 Jun 26)

    Docs: Regenerated via GitHub workflow [nomail] [skip ci]

  • Christian Kreibich (03 Jun 26)

    Merge branch 'topic/justin/software-framework-found-cache'

    * topic/justin/software-framework-found-cache:
      Update NEWS entry to reflect software framework updates
      Software framework: updates to tests to reflect caching changes
      Software framework: reflect changes in detect-webapps.zeek
      Software framework: additional proxy-side log suppression
      Software framework: make found_cache and parse_cache lifetimes configurable
      Update scripts/base/frameworks/software/main.zeek
      Optimize software found cluster communication

  • Christian Kreibich (03 Jun 26)

    Merge branch 'topic/neverlord/websocket'

    * topic/neverlord/websocket:
      Update scripts.base.frameworks.telemetry.internal-metrics baseline
      Bump auxil/broker to pull in removal of WebSocket codebase
      Remove obsolete Broker WebSocket server references

  • Christian Kreibich (18 May 26)

    Update NEWS entry to reflect software framework updates

  • Christian Kreibich (18 May 26)

    Software framework: updates to tests to reflect caching changes

    This updates the scripts.policy.frameworks.software.version-changes tests and pulls in software.log baseline refreshes in the external suites.

Zeek Security

7.2/10

Repo Security Summary

Updated 25 May 26

Fuzz tested

  • Security-Policy 9/10
  • Maintained 10/10
  • Code-Review 7/10
  • Dangerous-Workflow 10/10
  • CII-Best-Practices 0/10
  • Token-Permissions 0/10
  • Packaging N/A
  • License 9/10
  • Fuzzing 10/10
  • Branch-Protection N/A
  • Binary-Artifacts 10/10
  • Signed-Releases 8/10
  • SAST 8/10
  • Pinned-Dependencies 0/10

Zeek Website

Website

The Zeek Network Security Monitor

Zeek (formerly Bro) is the world’s leading platform for network security monitoring. Flexible, open source, and powered by defenders.

Redirects

Does not redirect

Security Checks

All 65 security checks passed

Server Details

  • IP Address 192.0.78.212
  • Location San Francisco, California, United States of America, NA
  • ISP Automattic Inc
  • ASN AS2635

Associated Countries

  • US
  • CA
  • FR

Safety Score

Website marked as safe

100%

Blacklist Check

zeek.org was found on 0 blacklists

  • AntiSocial Blacklist
  • Artists Against 419
  • Badbitcoin
  • Bambenek Consulting
  • CERT Polska
  • CoinBlockerLists
  • CRDF
  • CryptoScamDB
  • EtherAddressLookup
  • EtherScamDB
  • Fake Website Buster
  • MetaMask EthPhishing
  • NABP Not Recommended Sites
  • OpenPhish
  • PetScams
  • PhishFeed
  • PhishFort
  • Phishing.Database
  • PhishStats
  • PhishTank
  • Phishunt
  • RPiList Not Serious
  • Scam.Directory
  • SecureReload Phishing List
  • Spam404
  • StopGunScams
  • Suspicious Hosting IP
  • ThreatFox
  • ThreatLog
  • TweetFeed
  • URLhaus
  • ViriBack C2 Tracker

About the Data: Zeek

API

You can access Zeek's data programmatically via our API. Simply make a GET request to:

https://api.awesome-privacy.xyz/v1/services/zeek

The REST API is free, no-auth and CORS-enabled. To learn more, view the API Docs or read the API Usage Guide.
