v5.0.10

This release fixes the following security issues:

• File extraction limits were not correctly enforced for files containing large
  amounts of missing bytes. Crafting files with large amounts of missing bytes
  in them could cause Zeek to spend a long time processing data, allocate a lot
  of main memory, and write a lot of data to disk. Due to the possibility of
  receiving these packets from remote hosts, this is a DoS risk. The fix
  included makes Zeek correctly enforce file size limits. We also added a new
  option (default_limit_includes_missing) which allows to customize the behavior
  when encountering large amounts of missed bytes in file. This issue was
  discovered by Luca Cigarini.

• Sessions are sometimes not cleaned up completely within Zeek during shutdown,
  potentially causing a crash when using the -B dpd flag for debug logging. This
  is low priority because it only happens at shutdown and only when using that
  flag. The fix included is to reorder shutdown to cleanup all the sessions
  prior to tearing down the analyzers.

• A specially-crafted HTTP packet can cause Zeek’s filename extraction code to
  take a long time to process the data. Due to the possibility of receiving
  these packets from remote hosts, this is a DoS risk. The fix included adjusts
  the regular expression used in the extract_filename_from_content_disposition()
  script function to more-correctly match the data.

• A specially-crafted series of FTP packets made up of a CWD request followed by
  a large amount of ERPT requests may cause Zeek to spend a long time logging
  the commands. Due to the possibility of receiving these packets from remote
  hosts, this is a DoS risk. The fix included is to prevent logging of pending
  commands for FTP packets.

• A specially-crafted series of SMB packets containing DCE-RPC traffic may cause
  Zeek to use a large amount of memory and potentially crash. Due to the
  possibility of receiving these packets from remote hosts, this is a DoS
  risk. The fix included adds additional cleanup for DCE-RPC analyzers when
  closing SMB connections and limits on the number of DCE-RPC analyzers that can
  be created as part of an SMB connection.

This release fixes the following bugs:

• Fixed the DPD signature for the SOCKS analyzer to actually match the format
  for those packets.

• Timeouts in DNS resolution no longer cause uncontrolled memory growth.

• Fix check to skip DNS hostname lookups for notices that are not delivered via
  email in policy/frameworks/notice/extend-email/hostnames. Due to that
  policy script being loaded in the Zeek's default local.zeek, this
  previously caused unneeded DNS lookups for every generated notice instead of
  just those delivered via email.

v6.0.0

Breaking Changes

• Zeek now treats private address space (i.e., non-routable IP address ranges)
  as local by default, matching the intuition of many users that e.g. a
  192.168/16 IP address should show up as local in the logs. To do this, Zeek
  automatically adds Site::private_address_space to Site::local_nets at
  startup. Subsequent runtime updates to Site::private_address_space
  propagate to Site::local_nets, while updates to the latter don't affect
  the former.

  You're free to define Site::local_nets as before and do not need to update
  your configurations. If you added standard private address space to
  Site::local_nets in the past, you no longer need to do so. This also
  applies to zeekctl's networks.cfg file.

  The new global Boolean Site::private_address_space_is_local, true by
  default, controls the behavior. A redef to false brings back Zeek's prior
  behavior of considering private address space an unrelated concept, which will
  come in handy for example when working with tests that compare results against
  log baselines that have not yet been updated.

• Telemetry centralization and Prometheus exposition is not enabled by default
  anymore. Previously, the manager node would open port 9911/tcp by default and
  import all metrics from other nodes. For large clusters, the current implementation
  introduces significant processing overhead on the manager even if the Prometheus
  functionality is not used. While inconvenient, disable this functionality
  (assumed to be used by few as of now) by default to preserve resources.

  The script to enable centralization and the Prometheus endpoint is now
  located in the policy/ folder. Re-enable the old functionality with:

  @load frameworks/telemetry/prometheus

  You may experiment with increasing Broker::metrics_export_interval
  (default 1s) to reduce the extra overhead and communication at the expense
  of stale metrics.

• Custom source tarballs require a repo-info.json file.

  Note, should you be using official Zeek release tarballs only, or build
  Zeek solely from git checkouts, this does not affect you.

  However, if you're building your own Zeek source tarballs, it is now required
  that a repo-info.json file exists at the top-level. The dist target was
  extended to add this file and official Zeek release source tarballs will
  contain it going forward.

  The following command can be used to produce repo-info.json:

  python3 ./ci/collect-repo-info.py --only-git > ../path/to/tarballdir/repo-info.json

  This is required to support the new -V / --build-info option that
  provides information about git submodules and included plugins used during
  the build. The ci/collect-repo-info.py tool runs at ./configure time
  and either collects the required information from a git clone (when git is
  installed), or otherwise uses the content of a file named repo-info.json.

  If you see opportunities to extend repo-info.json with further information,
  please get in touch.

• Plugin authors should raise the minimum required CMake version to 3.15 to
  ensure compatibility with new CMake scaffolding included in this
  release. Older versions will trigger a warning at configuration time and,
  depending on the functionality included in the plugin, may trigger subsequent
  errors during configuration or build.

• Zeek container images are not pushed to the zeekurity organization anymore.
  Please switch to using the zeek/zeek image on DockerHub, or the images
  published to public.ecr.aws/zeek/zeek.

• The IRC_Data analyzer declaration has been moved to protocols/irc/IRC.h.

• The error message returned when using bro_init, bro_done, and
  bro_script_loaded events is now removed. removed. Usage of these events
  has returned that error during script parsing for a few years, and time has
  come to finally remove it.

New Functionality

• Zeek now features experimental JavaScript support:

  /* hello.js */
  zeek.on('zeek_init', () => {
  console.log('Hello, Zeek!');
  });

  $ zeek ./hello.js
  Hello, Zeek!

  When building Zeek on a system that features a recent (16.13+) version of the
  libnode package with development headers, Zeek automatically includes the
  externally-maintained ZeekJS plugin (https://github.com/corelight/zeekjs) as a
  builtin plugin. This allows Zeek to load and execute JavaScript code located
  in .js or .cjs files. When no such files are passed to Zeek, the
  JavaScript engine and Node.js environment aren't initialized and there is no
  runtime impact.

  The Linux distributions Fedora 37 & 38, Ubuntu 22.10, and the upcoming Debian
  12 release provide suitable packages. On other platforms, Node.js can be built
  from source with the --shared option.

  To disable this functionality, pass --disable-javascript to configure.

• Zeek now comes with Spicy support built in, meaning it can now
  leverage any analyzers written in Spicy out of the box. While the
  interface layer connecting Zeek and Spicy used to be implemented
  through an external Zeek plugin, that code has now moved into the
  Zeek code base itself. We also added infrastructure to Zeek that
  enables its built-in standard analyzers to use Spicy instead of
  Binpac. As initial (simple) examples, Zeek's Syslog and Finger
  analyzers are now implemented in Spicy. While their legacy versions
  remain available as fallbacks for now in case Spicy gets explicitly
  disabled at build time, their use is deprecated and their code won't
  be maintained any further. (Some of these Spicy updates were part of
  Zeek 5.2 already, but hadn't been included in its NEWS section.)

• Zeek events now hold network timestamps. For scheduled events, the timestamp
  represents the network time for which the event was scheduled for, otherwise
  it is the network time at event creation. A new bif current_event_time()
  allows to retrieve the current event's network timestamp within the script-layer.

  When Zeek sends events via Broker to other nodes in a cluster, an event's network
  timestamp is attached to the Broker messages. On a receiving Zeek node executing a
  handler for a remote event, current_event_time() returns the network time of
  the sending node at the time the event was created.

  The Broker level implementation allows to exchange arbitrary event metadata, but
  Zeek's script and C++ APIs currently only expose network timestamp functionality.

• A new bif from_json() can be used to parse JSON strings into records.

  type A: record { a: addr; };
  local p = from_json({"a": "192.168.0.1"}", A);
  if ( p$valid )
  print (p$v as A)

  Implicit conversion from JSON to Zeek types is implemented for bool, int, count,
  real, interval (number as seconds) and time (number as unix timestamp), port
  (strings in "80/tcp" notation), patterns, addr, subnet, enum, sets, vectors
  and records similar to the rules of the input framework. Optional or default
  record fields are allowed to be missing or null in the input.

• Zeek now provides native "Community ID" support with a new bif called
  community_id_v1(). Two policy scripts protocols/conn/community-id-logging
  and frameworks/notice/community-id extend the respective logs with a
  community_id field the same way as the external zeek-community-id plugin
  provides. A main difference to the external hash_conn() bif is that the
  community_id_v1() takes a conn_id record instead of a connection.

  Loading the new policy scripts and using the external zeek-community-id
  plugin at the same time is unsupported.

• ZeekControl is now multi-logger aware. When multiple logger nodes are configured
  in ZeekControl's node.cfg, by default the log archival logic adds a logger's name
  as suffix to the rotated file name:

  stats.11:18:57-11:19:00-logger-1.log.gz
  stats.11:18:57-11:19:00-logger-2.log.gz

  Previously, in a multi-logger setup, individual logger processes would overwrite
  each other's log files during rotation, causing data loss.

  For setups with a single logger, there's no change in behavior. The naming
  of the final logs can be customized by providing an alternative
  make-archive-name script and using the new ZEEK_ARG_LOG_SUFFIX
  environment variable.

• A supervisor controlled Zeek cluster is now multi-logger aware. This avoids
  loggers overwriting each other's log files within a single log-queue directory.
  By default, a logger's name is appended to the rotated logs by zeek-archiver.

• Introduce a new command-line option -V / --build-info. It produces
  verbose output in JSON format about the repository state and any included
  plugins.

• The X.509 certificate parser now exposes the signature type that is given inside
  the signed portion of the certificate.

• The SSL parser now parses the CertificateRequest handshake message. There is a new
  ssl_certificate_request event and a new parse_distinguished_name function.
  We also added the protocols/ssl/certificate-request-info policy script, that
  adds some additional information to ssl.log.

• Add logging metrics for streams (zeek-log-stream-writes) and writers
  (zeek-log-writer-writes-total).

• Add networking metrics via the telemetry framework. These are enabled
  when the misc/stats script is loaded.

  zeek-net-dropped-packets
  zeek-net-link-packets
  zeek-net-received-bytes
  zeek-net-packet-lag-seconds
  zeek-net-received-packets-total

  Except for lag, metrics originate from the get_net_stats() bif and are
  updated through the Telemetry::sync() hook every 15 seconds by default.

• The DNS analyzer now parses...

v5.2.2

This release fixes the following security issues:

• A specially-crafted series of FTP packets with a CMD command with a large path
  followed by a very large number of replies could cause Zeek to spend a long
  time processing the data. Due to the possibility of receiving these packets
  from remote hosts, this is a DoS risk. The fix included prevents Zeek from
  reusing the CMD command if it was already consumed by path-traversal logic.

• A specially-crafted with a truncated header can cause Zeek to overflow memory
  and potentially crash. Due to the possibility of receiving these packets from
  remote hosts, this is a DoS risk. This overflow requires implementing the
  raw_packet event handler which isn’t implemented by default, which makes the
  risk of this issue low. The fix included adds additional length checking
  during handling of raw_packet events.

• A specially-crafted series of SMTP packets can cause Zeek to generate a very
  large number of events and take a long time to process them. Zeek correctly
  disables the SMTP analyzer while processing these packets but continues to
  feed packets to it, generating more events. Due to the possibility of
  receiving these packets from remote hosts, this is a DoS risk. The fix
  included prevents an analyzer from calling another analyzer that has already
  been disabled for a connection.

• A specially-crafted series of POP3 packets containing MIME data can cause Zeek
  to spend a long time dealing with each individual file ID. Due to the
  possibility of receiving these packets from remote hosts, this is a DoS
  risk. The fix included attempts to reuse an existing file ID for a connection
  instead of recreating it each pass through the MIME analyzer.

This release fixes the following bugs:

• The config parser implements handling of commas at the end of input files in a
  safer way now, avoiding some crashes on Linux systems during parsing.

• The AF_Packet plugin wasn't properly masking the tp_vlan_tci values received
  from the kernel, and so could return invalid values for the VLAN ID reported
  to Zeek. The value is now correctly masked.

• The AF_Packet plugin now checks whether the interface is up during setup,
  ensuring that a more useful error message is reported.

v5.0.9

This release fixes the following security issues:

• A specially-crafted series of FTP packets with a CMD command with a large path
  followed by a very large number of replies could cause Zeek to spend a long
  time processing the data. Due to the possibility of receiving these packets
  from remote hosts, this is a DoS risk. The fix included prevents Zeek from
  reusing the CMD command if it was already consumed by path-traversal logic.

• A specially-crafted with a truncated header can cause Zeek to overflow memory
  and potentially crash. Due to the possibility of receiving these packets from
  remote hosts, this is a DoS risk. This overflow requires implementing the
  raw_packet event handler which isn’t implemented by default, which makes the
  risk of this issue low. The fix included adds additional length checking
  during handling of raw_packet events.

• A specially-crafted series of SMTP packets can cause Zeek to generate a very
  large number of events and take a long time to process them. Zeek correctly
  disables the SMTP analyzer while processing these packets but continues to
  feed packets to it, generating more events. Due to the possibility of
  receiving these packets from remote hosts, this is a DoS risk. The fix
  included prevents an analyzer from calling another analyzer that has already
  been disabled for a connection.

• A specially-crafted series of POP3 packets containing MIME data can cause Zeek
  to spend a long time dealing with each individual file ID. Due to the
  possibility of receiving these packets from remote hosts, this is a DoS
  risk. The fix included attempts to reuse an existing file ID for a connection
  instead of recreating it each pass through the MIME analyzer.

This release fixes the following bugs:

• This release includes a fixes to Zeek and updates to the Broker and Spicy
  submodules to support building against GCC 13.

v5.2.1

This release fixes the following security issues:

• A specially-crafted stream of FTP packets containing a command reply with many
  intermediate lines can cause Zeek to spend a large amount of time processing
  data. Due to the possibility of receiving these packets from remote hosts,
  this is a DoS risk. The fix included is to ignore intermediate lines of
  multiline replies, as they do not contain status data and can’t generally be
  matched to a corresponding command.

• A specially-crafted set of packets containing extremely large file offsets
  cause cause the reassembler code to allocate large amounts of memory. Due to
  the possibility of receiving these packets from remote hosts, this is a DoS
  risk. This was seen originally with the SMB analyzer, but could be reproduced
  with the HTTP analyzer as well. The fix included adds some additional length
  checking to avoid integer overflows in the calculations involving those
  offsets.

• The DNS manager does not correctly expire responses that don’t contain any
  data, such those containing NXDOMAIN or NODATA status codes. This can lead to
  Zeek allocating large amounts of memory for these responses and never
  deallocating them. This is a DoS risk as it is possible to cause Zeek to
  repeatedly make DNS lookups to hostnames that will always return these
  responses. The fix included removes the check for whether empty responses
  should be expired, instead always allowing them to expire once they have hit
  their TTL.

• A specially-crafted stream of RDP packets can cause Zeek to spend large
  amounts of time processing data. Due to the possibility of receiving these
  packets from remote hosts, this is a DoS risk. The fix included here is two
  parts. The first adds some additional length checking to the RDP analyzer for
  protocol validation. The second is to remove the use of the PIA analyzer when
  processing internal packets, instead sending all encrypted packet data
  directly to the SSL analyzer.

• A specially-crafted stream of SMTP packets can cause Zeek to spend large
  amounts of time processing data. Due to the possibility of receiving these
  packets from remote hosts, this is a DoS risk. The fix included adds some
  validation of the order that SMTP commands are received, ensuring that they
  are received in the proper order.

This release fixes the following bugs:

• Data stores used by the known-{hosts,certs,services} policies now default to
  using local stores instead of Broker stores. This change was made to avoid
  some performance issues with those stores on high-traffic networks.

• Zeekctl now assigns network ports to workers starting at port 27760. This
  fixes an issue where workers were starting up with ports within Linux's
  ephemeral port range, and were potentially failing to startup due the ports
  already being in use. This change may require changes in firewall/routing
  configurations between hosts in a Zeek cluster. This should not affect
  clusters running on FreeBSD, as that OS uses a different range for ephemeral
  ports.

• The languages reported for the keyboard_layout field in rdp.log were
  updated to match the current standardized set of languages. Unknown layout
  values now attempt to fallback to a "parent" layout if one is available.

• Replies to HTTP/0.9 requests are now handled in a separate fashion from
  HTTP/1.x in order to avoid analyzer violations.

• The VXLAN analyzer no longer reports analzyer violations if the tunneled
  packets were not able to be parsed.

• The VXLAN and Geneve report analyzer confirmations once their protocols have
  been fully parsed, but before attempting to forward to the tunneled packets to
  other analyzers. This should make the confirmation of these protocols more
  consistent.

• New wierds were added to the AYIYA, Geneve, and VXLAN analyzers
  (ayiya_empty_packet, geneve_empty_packet, and
  vxlan_empty_packet). These are reported when packets containing these
  protocols do not have any further data after the tunnel header.

• A new script-level option Pcap::non_fd_timeout was added to allow
  fine-tuning the amount of time to sleep on each IO loop when using a packet
  source that doesn't provide a file descriptor (e.g. Myricom). The option
  defaults to 20 microseconds. Tuning this option can greatly reduce the amount
  of CPU time used by Zeek on low-traffic networks, but may also increase the
  number of dropped packets if set to too high of a value.

v5.0.8

This release fixes the following security issues:

• A specially-crafted stream of FTP packets containing a command reply with many
  intermediate lines can cause Zeek to spend a large amount of time processing
  data. Due to the possibility of receiving these packets from remote hosts,
  this is a DoS risk. The fix included is to ignore intermediate lines of
  multiline replies, as they do not contain status data and can’t generally be
  matched to a corresponding command.

• A specially-crafted set of packets containing extremely large file offsets
  cause cause the reassembler code to allocate large amounts of memory. Due to
  the possibility of receiving these packets from remote hosts, this is a DoS
  risk. This was seen originally with the SMB analyzer, but could be reproduced
  with the HTTP analyzer as well. The fix included adds some additional length
  checking to avoid integer overflows in the calculations involving those
  offsets.

• The DNS manager does not correctly expire responses that don’t contain any
  data, such those containing NXDOMAIN or NODATA status codes. This can lead to
  Zeek allocating large amounts of memory for these responses and never
  deallocating them. This is a DoS risk as it is possible to cause Zeek to
  repeatedly make DNS lookups to hostnames that will always return these
  responses. The fix included removes the check for whether empty responses
  should be expired, instead always allowing them to expire once they have hit
  their TTL.

• A specially-crafted stream of RDP packets can cause Zeek to spend large
  amounts of time processing data. Due to the possibility of receiving these
  packets from remote hosts, this is a DoS risk. The fix included here is two
  parts. The first adds some additional length checking to the RDP analyzer for
  protocol validation. The second is to remove the use of the PIA analyzer when
  processing internal packets, instead sending all encrypted packet data
  directly to the SSL analyzer.

• A specially-crafted stream of SMTP packets can cause Zeek to spend large
  amounts of time processing data. Due to the possibility of receiving these
  packets from remote hosts, this is a DoS risk. The fix included adds some
  validation of the order that SMTP commands are received, ensuring that they
  are received in the proper order.

This release fixes the following bugs:

• Data stores used by the known-{hosts,certs,services} policies now default to
  using local stores instead of Broker stores. This change was made to avoid
  some performance issues with those stores on high-traffic networks.

• The VXLAN and Geneve report analyzer confirmations once their protocols have
  been fully parsed, but before attempting to forward to the tunneled packets to
  other analyzers. This should make the confirmation of these protocols more
  consistent.

• New wierds were added to the AYIYA, Geneve, and VXLAN analyzers
  (ayiya_empty_packet, geneve_empty_packet, and
  vxlan_empty_packet). These are reported when packets containing these
  protocols do not have any further data after the tunnel header.

• A new script-level option Pcap::non_fd_timeout was added to allow
  fine-tuning the amount of time to sleep on each IO loop when using a packet
  source that doesn't provide a file descriptor (e.g. Myricom). The option
  defaults to 20 microseconds. Tuning this option can greatly reduce the amount
  of CPU time used by Zeek on low-traffic networks, but may also increase the
  number of dropped packets if set to too high of a value.

• Avoid attempting to retrieve packets during every loop for a packet source,
  instead switching to a predictive approach that keeps track of whether or
  not that packet source has previously seen traffic. This improves performance
  somewhat, especially on traffic links and on certain packet sources that may
  block when traffic isn't available.

v5.2.0

Breaking Changes

• Zeekctl now assigns network ports to workers starting at port 27760. This
  fixes an issue where workers were starting up with ports within Linux's
  ephemeral port range, and were potentially failing to startup due the ports
  already being in use. This change may require changes in firewall/routing
  configurations between hosts in a Zeek cluster. This should not affect
  clusters running on FreeBSD, as that OS uses a different range for ephemeral
  ports.

• Zeekctl support for the AF_PACKET plugin specific options (af_packet_*) has
  been integrated into zeekctl directly. Upgrading to Zeek 5.2 with a builtin
  AF_PACKET packet source (default on Linux) requires an upgrade of zeekctl
  to the version bundled with Zeek to continue using these options.

• The blank identifier _ cannot be used in expressions and options anymore.
  Outside of obfuscation exercises, this should have little real-world impact.

• A new mysql_eof event has been introduced and the mysql_ok event
  is not raised in its place or artificially anymore. The base scripts were
  adapted accordingly. Users of mysql_ok() likely need to switch to
  mysql_eof().

• Zeek will now exit at startup if an external plugin (e.g. from a package) is
  discovered to have the same name as a built-in plugin. See below for the
  change regarding the AF_PACKET plugin now being built-in for an example of
  this potentially being triggered.

• DNS query type strings were updated to match the current standardized list of
  strings. This changes the string reported for a small subset of query types:

  30: Changed from "EID" to "NXT"
  31: Changed from "NIMLOC" to "EID"
  32: Changed from "NB" to "NIMLOC"

• The --with-caf option for the configure script was removed. Broker now
  requires specific versions of CAF per Zeek release, and passing an
  externally-built version of CAF often lead to build failures.

New Functionality

• Experimental support added for building and running Zeek on Microsoft Windows
  environments. This is considered experimental due to the fact that our
  standard testing setup (btest) doesn't run properly on Windows. This will be
  fixed in the future. In the meantime we have done some basic testing against
  builds done with Visual Studio 2019. Information on how to build on Windows is
  available in the Zeek documentation. Note also that Spicy is currently
  unsupported and will be fixed in the future.

  The feature as checked into the repository is not considered production-ready.
  There are many bugs to squash and features to improve, and we will be steadily
  fixing things over the next few months.

  The Zeek team wants to give a huge thank you to the team at Microsoft for all
  of their effort in completing this port.

• Zeek container images are now being published to zeek/zeek and zeek/zeek-dev
  rather than zeekurity/zeek and zeekurity/zeek-dev on Docker Hub (and continue
  to be published to public.ecr.aws) Further, container images for amd64 and
  arm64 platforms are now available. Main driver for the latter was to allow
  usage of the official container images on Apple's M1 systems.

• Zeekctl support for using af_packet as lb_method has been added.

• New analyzer_confirmation_info and analyzer_violation_info events with
  accompanying record types AnalyzerConfirmationInfo and
  AnalyzerViolationInfo have been added. These supersede
  analyzer_confirmation and analyzer_violation, which have been
  deprecated.

• Added helpers to determine protocol, packet or file analyzer based on
  AllAnalyzers::Tag values named is_protocol_analyzer(),
  is_packet_analyzer() and is_file_analyzer().

• File analyzers can now raise analyzer violations to the script-layer via the
  new AnalyzerViolation() method.

• Packet and file analyzers can now be disabled and enabled at runtime using the
  Analyzer::enable_analyzer() and Analyzer::disable_analyzer()
  wrappers. While initially for protocol analyzers only, these have been
  extended to work for packet and file analyzers. This now allows to leverage
  Analyzer::disabled_analyzers for these kinds of analyzers.

• The blank identifier _ can now be used to ignore loop variables of
  different types without type clash errors. This allows to do the following
  within the same scope:

  local vec = vector("a", "b", "c");
  for ( _, v in vec )
      print v;
  
  for ( i, _ in vec )
      print v;
  

  Iterating over only the values of a table can be done by ignoring the full
  index with a single blank identifier. Due to the internal structure of Zeek
  tables, this can result in a performance improvement.

  local tab = table(["a", 1, T] = "a1T", ["b", 2, F] = "b2f");
  for ( _, v in tab )
          print v;
  

  It's also possible ignore individual indices of different types with the blank
  identifier _ as follows:

  for ( [_, i, _], v in tab )
          print i, v;
  

  As noted under breaking changes, the blank identifier _ cannot be
  referenced in expression anymore.

• It is now possible to put trailing commas within table, vector, set and record
  construction. For example, the following code is now valid, which can make for
  more uniform style and smaller diffs.

  local vec = vector(
          "1",
          "2",
  );
  
  local tab: table[string] of count = [
          ["a"] = 1,
          ["b"] = 2,
  ];
  

  Function calls and record constructors can have a trailing comma after the
  last argument.

  Analyzer::schedule_analyzer(
          chan$orig_h,
          chan$resp_h,
          chan$resp_p,
          Analyzer::ANALYZER_FTP_DATA,
          5mins,
  );
  

• Re-introduce event groups. Allow the &group attribute on event and hook
  handlers for annotating them with one or more event groups. These groups can
  be disabled and enable during runtime. Disabling an event group implies
  disabling all event and hook handlers that are part of it.

  The main difference to a previous implementation in (very) old Zeek versions
  is its granularity: It is now possible to toggle individual event handlers
  (event handler bodies). The original implementation worked at the level of
  events, disabling or enabling all event handlers for a given event at once.
  Additionally, support for hooks was added as these are structurally similar to
  events.

  The BIFs disable_event_group() and enable_event_group() are
  re-instantiated and allow controlling event groups based on the group
  attribute.

  Additionally, event and hook handlers are implicitly placed into event module
  groups based on the module they are implemented in. All events implemented in
  a given module can be toggled with disable_module_events() and
  enable_module_events().

• Extend the Logging::Stream record with an event_groups field and
  toggle these during Log::disable_stream and Log::enable_stream
  invocations. This allows for explicit/manual opt-in performance optimizations
  by turning off event handlers at runtime that are only needed for log
  generation.

• On Linux, the AF_PACKET packet source plugin
  (https://github.com/zeek/zeek-af_packet-plugin) is included as a builtin
  plugin by default. To select this packet source, prefix the interface name
  with af_packet.

  zeek -i af_packet::eth0
  

• Usage of break and next statements is now validated. It was previously
  possible to place these outside of for, while or switch statements
  without any error indication.

• Add two BIFs get_identifier_declaring_script() and
  get_record_field_declaring_script() to query the declaring scripts for
  identifiers and record fields from Zeek scripts.

• Extend the SSH analyzer to produce new events (ssh2_ecc_init,
  ssh2_gh_gex_init, ssh2_gss_init, ssh2_rsa_secret``) to detect when SSH
  client and server roles are reversed.

• Analyzers found in the new Analyzer::requested_analyzers set will be
  enabled at zeek_init() time. The set can be populated via
  :zeek:see:redef. This change only has an effect in settings where
  Analyzer::disable_all is changed to T. By default, all analyzers
  continue to be enabled.

• A new analyzer.log was added to log all analyzer violations and optionally
  analyzer confirmations. This log can be useful during development of new
  analyzers as well as for collecting operational data in production
  environments.

• Expose configurability of for SQLite's synchronous and journal_mode PRAGMAs
  for SQLite backed Broker data stores. Setting these to synchronous=normal
  and journal_mode=wal can significantly improve throughput at the cost of
  some durability in the presence of power loss or OS crash. In the context
  of Zeek, this is likely more than acceptable.

  Additionally, add integrity_check and failure_mode options to support
  detecting and deleting corrupted SQLite database at store initialization.

• A new join_string_set BIF was added, replacing the existing script-level
  version from utils/strings.zeek.

• A new &ordered attribute for tables and sets was added. This attribute
  causes iteration over a table/set to return elements in the order of their
  insertion.

• A new -D argument was added to the configure script to allow passing
  parameters directly to the underlying CMake call.

• Added parsing for the challenge and response fields to the NTLM analyzer.

• A new FTP::max_command_length value was added to script-land, defaulting
  to 100. This value is used by the FTP analyzer to limit ...

v5.1.3

This release fixes the following security issues:

• Receiving DNS responses from async DNS requests (via the lookup_addr, etc BIF
  methods) with the TTL set to zero could cause the DNS manager to eventually
  stop being able to make new requests. This would lead to a memory leak that
  causes Zeek to crash. Due to the possibility of receiving these packets from
  remote hosts, this is a DoS risk. The fix included is to more carefully handle
  these types of responses to allow DNS resolution to continue.

• Specially-crafted FTP packets with excessively long usernames, passwords, or
  other fields could cause log writes to use large amounts of disk space. Due to
  the possibility of receiving these packets from remote hosts, this is a DoS
  risk. The fix included adds new script-level options for limiting the possible
  input length for these fields, reporting weirds when those limits are
  exceeded.

• The find_all and find_all_ordered BIF methods could take extremely large
  amounts of time to process incoming data depending on the size of the
  input. This has been encountered with packet input to multiple analyzers, but
  most notably the SMTP analyzer. Due to the possibility of receiving these
  packets from remote hosts, this is a DoS risk. The fix included adds a new
  argument to those BIF methods allowing callers to a set a maximum size for an
  input string to be processed. If the limit is exceeded, a weird is reported.

v5.0.7

This release fixes the following security issues:

• Receiving DNS responses from async DNS requests (via the lookup_addr, etc BIF
  methods) with the TTL set to zero could cause the DNS manager to eventually
  stop being able to make new requests. This would lead to a memory leak that
  causes Zeek to crash. Due to the possibility of receiving these packets from
  remote hosts, this is a DoS risk. The fix included is to more carefully handle
  these types of responses to allow DNS resolution to continue.

• Specially-crafted FTP packets with excessively long usernames, passwords, or
  other fields could cause log writes to use large amounts of disk space. Due to
  the possibility of receiving these packets from remote hosts, this is a DoS
  risk. The fix included adds new script-level options for limiting the possible
  input length for these fields, reporting weirds when those limits are
  exceeded.

• The find_all and find_all_ordered BIF methods could take extremely large
  amounts of time to process incoming data depending on the size of the
  input. This has been encountered with packet input to multiple analyzers, but
  most notably the SMTP analyzer. Due to the possibility of receiving these
  packets from remote hosts, this is a DoS risk. The fix included adds a new
  argument to those BIF methods allowing callers to a set a maximum size for an
  input string to be processed. If the limit is exceeded, a weird is reported.

This release fixes the following bugs:

• Various issues with signed/unsigned character discrepancies on arm64 builds
  are fixed. These caused problems in the HTTP and NetBIOS analyzers, as well
  as Base64 decoding.

• A performance degredation in debug builds involving hashing large keys for
  Dictionaries was fixed.

v5.1.2

This release fixes the following security issues:

• A missing field in the SMB FSControl script-land record could cause a heap
  buffer overflow when receiving packets containing those header types. Due to
  the possibility of receiving these packets from remote hosts, this is a DoS
  risk. The fix included is to add the missing field to the record type.

• Receiving a series of packets that start with HTTP/1.0 and then switch to
  HTTP/0.9 could cause Zeek to spend a large amount of time processing the
  packets. Due to the possiblity of receiving these packets from remote hosts,
  this is a DoS risk. The fix included is to ensure that the HTTP analyzer
  switches versions correctly.

• Receiving large numbers of FTP commands sequentially from the network with bad
  data in them could cause Zeek to spend a large amount of time processing the
  packets, and generate a large amount of events. Due to the possiblity of
  receiving these packets from remote hosts, this is a DoS risk. The fix
  included adds better validation for FTP command strings and request codes.

This release fixes the following bugs:

• Zeek could throw a scripting error when receiving SMB1 packets containing
  connect_andx_response messages prior to receiving an associated request. A
  new weird smb_tree_connect_andx_response_without_tree will now be raised
  in these cases and the packet will be ignored.

• A performance regression from 4.2 to 5.0 when reading pcap files related to
  Broker's internal clock was fixed.

• Notices created for files transferred over multiple connections will now be
  associated with one of the connections rather than none.

• A new file_over_new_connection event was added to the Intel framework, for
  use when receiving files over established connections (for example, HTTP).
  This ensures that the filename in the file info record is populated correctly.

• The error message returned when trying use invalid enums in scripts now
  correctly includes the script location.

• Analyzer confirmation events are no longer raised per-packet for tunnels. This
  greatly reduces the amount of events/log messages on networks containing a lot
  of tunnel traffic.

• The Teredo packet analyzer is now less greedy when matching packets. This
  should greatly reduce the amount of log messages from that analyzer, as well
  as reduce the number of analyzer violations reported by it.