We're thinking of adding lower level C++ unit tests into Zeek to more
easily cover code that's otherwise hard to test since you have to
reach it indirectly via a script-layer test in the existing
baseline-oriented test suite.
Let us know if there's any input on choice of unit test framework or
features/requirements that are desirable. I started with my own
From what I can tell, trace-summary and zeekctl are the only things
that use pysubnettree. pytricia seems to have become the de-facto
module that's used for these structures in Python:
In fact, pytricia has a comparison section where it claims that it's
faster (albeit only slightly) than pysubnettree.
Does it still make sense to maintain pysubnettree? pytricia's
interface looks very similar. A quick glance at how we're using
pysubnettree makes me think that pytricia could just be a drop-in
replacement. Are there build/packaging considerations? It looks like
pytricia is LGPL licensed.
On the flip side, I don't see many recent updates on pytricia.
Although, it's straightforward enough, perhaps it doesn't need
Curious to hear thoughts.
Hi Team -
As part of our work on the Customer Fulfillment Technology Security team at Amazon.com we've developed a set of protocol parsers for industrial control systems devices that we use in our production Zeek deployment. At this stage we're approved to release several of them as open source and would like to understand both if the Zeek team would be interested in taking these as contributions to upstream and, if you are, how best to coordinate the process of merging the contributions in. The five plugins we're approved to share now are:
* Ethernet/IP & Common Industrial Protocol (one plugin)
* MS-TDS Tabular Data Stream Protocol (not strictly ICS but used by some SCADA historians)
If the team is interested in this upstream we can submit as pull requests on GitHub, for example as one pull request per plugin, or via another workflow. If they're not a fit for upstream we can pursue an independent release. I'm really excited to make this available to the community either way! The two main authors, my colleague Tri and myself, will be at ZeekWeek here in Seattle next month to discuss these and a few others we have coming down the pipe.
Let us know what works,
Control Systems Security
As many of you might know, we ship binary packages for Zeek using the
OpenSuse build service. With Zeek 3.0, we are also changing the
namespace and name of all Zeek packages on the OpenSuse build service.
The new namespace is “Security:Zeek”, and the packages are called
zeek and zeek-nightly.
Binary packages for Zeek 3.0.0 are now available. While the packages
should work fine they currently have seen a relatively minimal amount of
testing - and I am happy about any feedback.
Packages are currently available for CentOS 7; Debian 9 & 10; Fedora 29
& 30; Raspbian 9 & 10; SLE 12 SP4; SLE 15 & 15 SP1; openSUSE Leap 15.1;
openSUSE Tumbleweed; Ubuntu 14.04, 18.04, 18.10, 19.04. CentOS 8
packages will be added within the next few weeks; if you are missing any
other distribution let me know.
Instructions on how to add and install the packages are available at
The source files that are used to generate the packages are available at
Zeek nightly builds are also available again; instructions on how to add
the packages to different systems are available at
and the source files are available at
Nightly packages are currently still building - it might take up to a
few hours until they are available for all supported distributions.
Packages under the old namespace will no longer be updated and will be
completely removed in the near future.