Zeek 8.0: New features and improvements to the traffic analysis and intrusion detection system

Zeek: Open Source Network Security Tool

A few days ago the release of Zeek 8.0 was announced, the new version of the network traffic analysis and intrusion detection system formerly known as Bro. Widely used in security and advanced monitoring environments, it combines power, flexibility and scalability on high-bandwidth networks, and remains one of the most comprehensive tools for in-depth analysis of security-relevant protocols and events.

Its design allows detailed recording of network activity, with a focus on anomaly detection and the development of custom policies. For this it includes its own scripting language, which lets you define monitoring scenarios tailored to each organization's infrastructure.

Thanks to its modular architecture, Zeek can analyze a wide variety of application-layer protocols, evaluating not only basic network headers but also connection state and traffic behavior. This makes it a strategic resource for security management and digital forensics.

Zeek 8.0 Highlights

Version 8.0.0 arrives with technical improvements that extend its analysis capabilities. One of the most relevant is the ability to configure, through plugins, the tuple that identifies a network flow (the connection key), which avoids collisions by keeping otherwise identical flows apart in complex environments. Besides IP addresses, ports and protocol, the key can now take VLAN tags into account, or identifiers of encapsulated traffic such as VXLAN and Geneve.
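To see why keying a connection on more than the IP five-tuple matters, here is an added Python illustration. It is not Zeek code and does not use Zeek's APIs: it groups a handful of constructed packets first by the classic five-tuple and then by a five-tuple extended with 802.1Q VLAN tags, showing that two tenants reusing the same private addresses collide under the first key and stay separate under the second. The Packet class, its field names and the sample traffic are assumptions made for the example, and the endpoint ordering is a simplification of Zeek's originator/responder bookkeeping.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """One observed packet (hypothetical model for this example).

    `vlan` is the outer 802.1Q tag and `inner_vlan` the QinQ inner tag;
    None means the packet was untagged.
    """
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    vlan: Optional[int] = None
    inner_vlan: Optional[int] = None


def five_tuple(p: Packet) -> Tuple:
    """Classic IP five-tuple.

    Endpoints are sorted so that both directions of a conversation map to
    the same key. Zeek instead remembers which side spoke first as the
    originator; sorting is a simplification that is enough to show collisions.
    """
    a, b = (p.src, p.sport), (p.dst, p.dport)
    if a > b:
        a, b = b, a
    return (p.proto, a[0], a[1], b[0], b[1])


def vlan_five_tuple(p: Packet) -> Tuple:
    """Five-tuple extended with the outer and inner VLAN tags."""
    return five_tuple(p) + (p.vlan, p.inner_vlan)


def group_flows(packets: Iterable[Packet],
                key_fn: Callable[[Packet], Tuple]) -> Dict[Tuple, int]:
    """Count packets per connection under the given key function."""
    flows: Dict[Tuple, int] = defaultdict(int)
    for p in packets:
        flows[key_fn(p)] += 1
    return dict(flows)


def flow_count(packets: Iterable[Packet],
               key_fn: Callable[[Packet], Tuple]) -> int:
    """Number of distinct connections the key function produces."""
    return len(group_flows(packets, key_fn))


# Constructed sample traffic: two tenants on VLAN 10 and VLAN 20 both use
# 10.0.0.5 -> 10.0.0.1:443 with the same ephemeral port, which is exactly
# the situation a plain five-tuple cannot tell apart.
SAMPLE = [
    Packet("tcp", "10.0.0.5", 44123, "10.0.0.1", 443, vlan=10),   # tenant A, SYN
    Packet("tcp", "10.0.0.1", 443, "10.0.0.5", 44123, vlan=10),   # tenant A, reply
    Packet("tcp", "10.0.0.5", 44123, "10.0.0.1", 443, vlan=20),   # tenant B, same addresses
    Packet("tcp", "10.0.0.5", 50000, "10.0.0.1", 80, vlan=10),    # tenant A, another flow
    Packet("tcp", "192.168.1.2", 40000, "203.0.113.7", 443),      # untagged traffic
]


if __name__ == "__main__":
    for name, fn in (("5-tuple", five_tuple), ("VLAN 5-tuple", vlan_five_tuple)):
        flows = group_flows(SAMPLE, fn)
        print(f"{name}: {len(flows)} connections")
        for key, n in flows.items():
            print(f"  {key} -> {n} packet(s)")
```

Run stand-alone, the script reports three connections under the plain five-tuple (tenant A's HTTPS flow and tenant B's are merged into one) and four once the VLAN tags are part of the key. The same reasoning applies to encapsulation identifiers such as VXLAN VNIs: whatever disambiguates overlapping address space has to be in the key, or the analyzer will attribute one tenant's packets to another's connection.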

Another change is the introduction of a ZeroMQ-based cluster backend, which is now considered ready for production use. Although Broker remains the default backend, the stated direction is a complete migration to ZeroMQ, which aims to simplify message distribution between cluster nodes.

In the area of analyzers, Zeek adds support for further protocols such as Redis, which now has a dedicated transaction log, and improves SMTP handling, making it possible to extract email messages as .eml files for analysis. Support for FTP with AUTH TLS, detection of NAPTR records in DNS, and visibility of PPPoE session IDs have also been improved.

Last-minute changes and technical adjustments

The jump to Zeek 8.0.0 also involves significant structural changes. Starting with this release, building Zeek depends on the ZeroMQ library, which paves the way for the final transition to the new cluster backend. In addition, Zeek and its submodules now require a C++20-capable compiler (at minimum GCC 10, Clang 8, or Visual Studio 2022).

Another relevant modification is the replacement of the zeek::Span class with the standard std::span, which affects plugin developers who use the telemetry subsystem. The codebase has also been cleaned up extensively, removing unnecessary dependencies and tidying how includes are handled.

As for logs, the analyzer.log and dpd.log files have been unified, and the output format can now be changed through the logschema package, which allows JSON or CSV in addition to the traditional text logs. Timestamp handling has also been adjusted, which improves event consistency but may require changes to existing scripts.

Advanced telemetry and new cluster capabilities

Cluster management also receives a significant update. With the ZeroMQ backend and the WebSocket API, Zeekctl can communicate more efficiently with individual nodes, making it easier to run commands and monitor their performance.

Telemetry is also extended with configurable metrics that record the number of incoming and outgoing events, their size, and even which scripts generate them. This granularity makes it possible to balance node load and spot bottlenecks in real time.

The WebSocket API adds support for the X-Application-Name header, which makes it possible to attribute metrics to specific client applications and eases monitoring in distributed environments.

Finally, if you want to know more about this release, you can check the details at the following link.

How to install Zeek on Linux?

For those interested in installing Zeek on their system, prebuilt binaries are offered through the openSUSE Build Service; you only need to choose your distribution and it will provide the installation commands.

For example, for Ubuntu 25.04:

echo 'deb http://download.opensuse.org/repositories/security:/zeek/xUbuntu_25.04/ /' | sudo tee /etc/apt/sources.list.d/security:zeek.list
curl -fsSL https://download.opensuse.org/repositories/security:zeek/xUbuntu_25.04/Release.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/security_zeek.gpg > /dev/null
sudo apt update
sudo apt install zeek

Or, for Ubuntu 24.04:

echo 'deb http://download.opensuse.org/repositories/security:/zeek/xUbuntu_24.04/ /' | sudo tee /etc/apt/sources.list.d/security:zeek.list
curl -fsSL https://download.opensuse.org/repositories/security:zeek/xUbuntu_24.04/Release.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/security_zeek.gpg > /dev/null
sudo apt update
sudo apt install zeek

Arch Linux users only need an AUR helper such as yay installed and can type in a terminal:

yay -S zeek

If you want to compile the code yourself or learn more, you can consult the Zeek documentation at the following link.