Note: Our current website is at www.zeek.org. This website is unmaintained and contains outdated information.

Development Projects

Contents

Larger Projects
Small/Medium Projects
Finished Projects
Legacy Projects

Here we collect a list of development projects and ideas for future Zeek versions. Some are already in the works, some are scheduled to start shortly, and others are just ideas at this point. For those projects with more extensive descriptions, please keep in mind that usually these represent initial proposals for the targeted functionality, and won’t necessarily match what the end result will look like eventually. This list contains work items of all sizes, let us know if you are interested in helping out with any of them.

Larger Projects

Broctld: A proposed design for broctld.
Language extensions for Broker: A proposal for Zeek language extensions to faciliate a nicer Broker framework API.
BinPAC++/Spicy (prototype exists): A next-generation parser generator for protocols, replacing the current BinPAC.
Deep Cluster (in progress): Building hierarchies of clusters, all controlled by BroControl.
Zeek Script Compiler (prototype exists): This will leverage HILTI, which is currently in development.
A Zeek Performance Benchmark (prototype exists, but on hold): Estimating Zeek’s performance is difficult because it depends on so many factors. We could develop a standardized benchmark that allows comparisons across sites and hardware platforms.
Metasploit Detector: A set of Zeek scripts to reliably identify Metasploit-based attacks.
Bloom-filter that supports globbing: Can we develop a bloom-filter-based data structure that supports globbing for lookups?
osquery Integration (in progress): Leverage osquery as host sensors for Zeek.
Distributed file reassembly via Broker: Extend Broker to do remote file extraction, similar to how it does remote logging, but feeding it into the file reassembler at the remote end.

Small/Medium Projects

Broker Extensions

As we’re collecting initial experiences with Broker, some items for the wishlist have come up that would be nice to add.
Improving DPD confirmation/rejection semantics

The semantics for ProtocolViolation() and ProtocolConfirmation() need fine-tuning.
Code Pretty Printer

Zeek’s source code has evolved over many years, and is now using a number of slightly different layout styles. We need a pretty printer that unifies layout automatically, both for C++ code and the Zeek script code.
Sandboxing Zeek

BroControl could setup/maintain an OS-level sandbox/jail for the running Zeek process.
Regression testing tasks:
- Add a btest-diff
- Parallelize communication tests
- Improve coverage
Readers/writers
- "Raw" writer
- ES writer improvements
www.zeek.org could use some layout/CSS cleanup.
Scripting language tasks:
- Add a list type
- Add UTF8 strings, replace current string type with type for raw bytes.
- All issues tagged with Area: Scripting
Protocol analyzers:
- Bring POP3 back. (#672).
- Bring ARP back.
Intelligence interfaces to external source.
Develop and maintain database of vulnerable software for monitoring.
Drop root privileges after opening interfaces, w/ integration into broctl.
paraglob: Evaluate/improve.
Investigate optimizing management of memory shared between main and child threads.
Mechanism to feed external data directly into protocol and file analyzers. One application is fuzzing.

Finished Projects

These projects are finished but we keep the information here for reference. Please note that since these are often initial design thoughts, specifics probably don’t match with what ended up being implemented in Zeek.

Bro Package Manager: A CPAN/PyPi/easy_install kind of tool for Zeek scripts making it easy to provide and use externally maintained Zeek scripts, Zeek plugins and BroControl plugins.
Packet Acquisition and Control Framework (now called NetControl): The task here is designing and implementing an abstracted interface for packet acquisition and control that integrates a number of recent developments in that space into an abstracted interface for Zeek to use.
New logging interface: A complete redesign of how Zeek does logging.
A BroControl plugin API: Making BroControl extensible with custom functionality.
Generating documentation for scripts with Sphinx: A doxygen for Zeek scripts.
New data input interface: An API for importing external data into Zeek.
Testing Strategy: A summary of how we plan to do comprehensive regression testing.
Binary logging: Switching Zeek output to a high-performance binary format.
File Analyzer: Enabling Zeek to look into files, efficiently and flexibly.
Probabilistic Counting: Probabilistic data structures for estimating cardinality and frequency with low memory footprints.
Plugin infrastructure.: We want to turn analyzers/readers/writers into plugins that can be maintained separately, and then loaded into Zeek at runtime.
A new Communication and Data Distribution Framework/Library: Zeek’s current communication framework is quite powerful in some ways, but limited in others; and it comes with a lot of internal complexity. This summarizes a proposal for a new system that would either augment or replace the current framework.