| Port details |
- zeek System for detecting network intruders in real-time
- 4.0.4 security
 =1       4.0.4Version of this port present on the latest quarterly branch. - Maintainer: leres@FreeBSD.org
- Port Added: 2019-11-17 01:03:14
- Last Update: 2021-10-16 09:51:39
- Commit Hash: 4460cf7
- People watching this port, also watch:: json-c, rubywarden, sysinfo, miller
- License: BSD3CLAUSE
- Description:
- Zeek (formerly known as Bro) is an open-source, Unix-based Network
Intrusion Detection System (NIDS) that passively monitors network
traffic and looks for suspicious activity. Zeek detects intrusions
by first parsing network traffic to extract its application-level
semantics and then executing event-oriented analyzers that compare
the activity with patterns deemed troublesome. Its analysis includes
detection of specific attacks (including those defined by signatures,
but also those defined in terms of events) and unusual activities
(e.g., certain hosts connecting to certain services, or patterns
of failed connection attempts).
Zeek is documented in the USENIX 1998 Security Conference proceedings
(as Bro).
WWW: https://www.zeek.org/
- SVNWeb : git : Homepage
- pkg-plist: as obtained via:
make generate-plist - Dependency lines:
-
- For LIB depends:
- Zeek-Netmap.freebsd-amd64.so:security/zeek
- libbinpac.so:security/zeek
- To install the port: cd /usr/ports/security/zeek/ && make install clean
- To add the package, run one of these commands:
- pkg install security/zeek
- pkg install zeek
- PKGNAME: zeek
- Flavors: there is no flavor information for this port.
- distinfo:
- TIMESTAMP = 1632345196
SHA256 (zeek-4.0.4.tar.gz) = d9991de344fa8ed8c92d130837309655dc9e22c4f5e53c141dce6deee5c0505c
SIZE (zeek-4.0.4.tar.gz) = 30981125
- Packages (timestamps in pop-ups are UTC):
- Dependencies
- NOTE: FreshPorts displays only information on required and default dependencies. Optional dependencies are not covered.
- Build dependencies:
-
- swig : devel/swig
- ipsumdump : net/ipsumdump
- bash : shells/bash
- py38-sqlite3>0 : databases/py-sqlite3@py38
- swig : devel/swig
- bison : devel/bison
- cmake : devel/cmake
- ninja : devel/ninja
- python3.8 : lang/python38
- perl5>=5.32.r0<5.33 : lang/perl5.32
- Runtime dependencies:
-
- ipsumdump : net/ipsumdump
- cf : sysutils/lbl-cf
- hf : sysutils/lbl-hf
- bash : shells/bash
- py38-sqlite3>0 : databases/py-sqlite3@py38
- py38-zkg>=2.7.1 : security/py-zkg@py38
- python3.8 : lang/python38
- perl5>=5.32.r0<5.33 : lang/perl5.32
- Library dependencies:
-
- libmaxminddb.so : net/libmaxminddb
- libintl.so : devel/gettext-runtime
- There are no ports dependent upon this port
- Configuration Options:
- ===> The following configuration options are available for zeek-4.0.4:
BROKER=on: Enable the Broker communication library
GEOIP2=on: Build with GeoIP2 (MaxMindDB) support
IPSUMDUMP=on: Enables traffic summaries
LBL_CF=on: Unix time to formated time/date filter support
LBL_HF=on: Address to hostname filter support
NETMAP=on: Native Netmap Packet IOSource for Zeek
PERFTOOLS=off: Use Perftools to improve memory & CPU usage
ZEEKCTL=on: ZeekControl support (implies BROKER and IPSUMDUMP)
ZKG=on: Zeek package manager support
====> Options available for the single BUILD_TYPE: you have to select exactly one of them
DEBUG=off: Optimizations off, debug symbols/flags on
MINSIZEREL=off: Optimizations on, debug symbols/flags off
RELEASE=on: Optimizations on, debug symbols/flags off
RELWITHDEBINFO=off: Optimizations/debug symbols on, debug flags off
===> Use 'make config' to modify these settings
- Options name:
- security_zeek
- USES:
- bison cmake compiler:c++11-lang cpe gettext-runtime ninja perl5 python shebangfix ssl
- pkg-message:
- If installing:
- The rc.d script now honors the zeek_user rc.d variable. To run as
a user other than root (the default) you need to make a few changes.
For example to run as the user zeek, add this to /etc/rc.conf:
zeek_enable="YES"
zeek_user="zeek"
Add this to /etc/devfs.conf:
own bpf root:bpf
perm bpf 0660
And add zeek to the bpf group:
bpf:*:81:zeek
and restart the devfs service:
service devfs restart
or reboot.
If the interface defined in node.cfg is configured for NIC checksum
offloading (the default when this feature is supported by the
hardware) you will want to set ignore_checksums in site/local.zeek:
redef ignore_checksums = T;
- If removing:
- During deinstall of this package, the cfg files for zeekctl are not
deleted if you have edited them. Instead the software will create
a .sample file and the edited files will remain in place when you
upgrade. If you want to delete them, you have to remove the
/usr/local/etc directory manually.
You may also need to manually remove /usr/local/spool/state.db
- Master Sites:
|
| Commit History - (may be incomplete: see SVNWeb link above for full details) |
| Date | By | Description |
|---|
16 Oct 2021 09:51:39
  4.0.4
|
olgeni |
*: fix tab vs. space issues, and comments according to the guide. |
30 Sep 2021 21:23:30
4.0.4
|
rene |
cleanup: drop support for EOL FreeBSD 11.X
Search criteria used:
- 11.4
- OSREL*
- OSVER*
- *_FreeBSD_11
Input from:
- adridg: devel/qca-legacy
- jbeich: _WITH_DPRINTF, _WITH_GETLINE, GNU bfd workarounds
- sunpoet: security/p5-*OpenSSL*
Reviewed by: doceng, kde, multimedia, perl, python, ruby, rust
Differential Revision: https://reviews.freebsd.org/D32008
Test Plan: make index |
22 Sep 2021 22:15:09
4.0.4
|
leres |
security/zeek: Update to 4.0.4
https://github.com/zeek/zeek/releases/tag/v4.0.4
This release fixes two vulnerabilities:
- Paths from log stream make it into system() unchecked, potentially
leading to commands being run on the system unintentionally.
This requires either bad scripting or a malicious package to be
installed, and is considered low severity.
- Fix potential unbounded state growth in the PIA analyzer when
receiving a connection with either a large number of zero-length
packets, or one which continues ack-ing unseen segments. It is
possible to run Zeek out of memory in these instances and cause(Only the first 15 lines of the commit message are shown above  ) |
02 Sep 2021 09:03:25
4.0.3_1 
|
decke |
security/zeek: Add CPE information
Approved by: portmgr (blanket) |
19 Jul 2021 17:08:37
4.0.3_1
|
leres |
security/zeek: Add @sample for local.zeek
This github issue:
https://github.com/zeek/zeekctl/issues/35
complained about the lack of a local.zeek file on a fresh install;
adding @sample for local.zeek solves this.
Reported by: shadonet |
15 Jul 2021 10:37:24
4.0.3
|
pkubaj |
security/zeek: fix build on powerpc64*
In file included from
/wrkdirs/usr/ports/security/zeek/work/zeek-4.0.3/auxil/highwayhash/highwayhash/arch_specific.cc:27:
/usr/include/sys/sysctl.h:1185:25: error: unknown type name 'u_int'
int sysctl(const int *, u_int, void *, size_t *, const void *, size_t); |
12 Jul 2021 01:57:05
4.0.3
|
leres |
security/zeek: Unbreak build under 14.0-CURRENT
According to the cpuset(2) man page, sys/param.h must be included
before sys/cpuset.h. This was fixed in zeek (in the highwayhash
submodule) in May of 2020 and undone in August of 2020. Add a patch
that matches the pull request I just created with upstream:
https://github.com/zeek/highwayhash/pull/1
Thanks to @pluknet for diagnosing the build failure.
Reported by: pkg-fallout |
06 Jul 2021 21:31:18
4.0.3
|
leres |
security/zeek: Update to 4.0.3
https://github.com/zeek/zeek/releases/tag/v4.0.3
This release fixes the following bugs:
- Zeek now accepts unset fields in the input data only when the
corresponding record field is &optional.
- The version field in ssh.log is now optional and will not be set
if we cannot determine the version that was negotiated by the
client and server.
- Zeekctl could crash at startup on certain compilers and platforms
due to a memory corruption issue in the Broker python bindings.(Only the first 15 lines of the commit message are shown above ) |
24 Jun 2021 02:05:45
4.0.2_1
|
leres |
security/zeek: Add a ZKG option to pull in py-zkg |
03 Jun 2021 00:14:47
4.0.2
|
leres |
security/zeek: Update to 4.0.2
https://github.com/zeek/zeek/releases/tag/v4.0.2
This release fixes several potential DoS vulnerabilities:
- Fix potential Undefined Behavior in decode_netbios_name() and
decode_netbios_name_type() BIFs. The latter has a possibility
of a remote heap-buffer-overread, making this a potential DoS
vulnerability.
- Add some extra length checking when parsing mobile ipv6 packets.
Due to the possibility of reading invalid headers from remote
sources, this is a potential DoS vulnerability.
(Only the first 15 lines of the commit message are shown above ) |
12 May 2021 23:47:01
4.0.1
|
leres |
security/zeek: Unbreak build when PREFIX is not /usr/local |
11 May 2021 04:42:39
4.0.1
|
leres |
security/zeek: Unbreak package when CMAKE_BUILD_TYPE is not Release |
11 May 2021 02:09:19
4.0.1
|
leres |
security/zeek: Add fine grained DEBUG options
Allow the user to pick from DEBUG, MINSIZEREL, RELEASE, and
RELWITHDEBINFO options instead of just DEBUG. Don't STRIP with DEBUG
or RELWITHDEBINFO. Make some minor whitespace changes suggested by
portfmt. |
27 Apr 2021 17:35:28
4.0.1
|
pkubaj |
security/zeek: fix build on powerpc64le
Fix typo in systlbyname(). |
21 Apr 2021 21:11:05
4.0.1
|
leres |
security/zeek: Update to 4.0.1 to fix null-pointer dereference and potential DOS
https://github.com/zeek/zeek/releases/tag/v4.0.1
This release fixes the following vulnerability:
- Fix null-pointer dereference when encountering an invalid enum
name in a config/input file that tries to read it into a set[enum].
For those that have such an input feed whose contents may come
from external/remote sources, this is a potential DoS vulnerability.
Other fixes:
- Fix mime type detection bug in IRC/FTP file_transferred event
for file data containing null-bytes(Only the first 15 lines of the commit message are shown above ) |
14 Apr 2021 05:13:29
4.0.0
|
leres |
security/zeek: Unbreak armv7 build and fix testport issue
Add a patch from upstream to fix building on armv7 (used by pfsense):
https://github.com/zeek/zeek/issues/1496
Thanks to @garga for the pointer.
Fix a testport "left over" file @adridg reported. When zeek is run
as part of package installation, it copies some config files to
spool/installed-scripts-do-not-touch/site and local.zeek.sample
hitches a ride and needs to be removed on uninstall. But it is not
really a @sample candidate.
While we're here fix some minor portlint (env -> ${SETENV}) and
clean up some commented out directives.
Reported by: garga adridg |
06 Apr 2021 14:31:13
4.0.0
|
mat |
all: Remove all other $FreeBSD keywords. |
06 Apr 2021 14:31:07
4.0.0
|
mat |
Remove # $FreeBSD$ from Makefiles. |
23 Mar 2021 18:43:26
  4.0.0
|
pkubaj |
security/zeek: fix build on powerpc64 elfv2
-mpowerp8-vector is now necessary due to use of highwayhash.
Fix typo on sysctlbyname.
Also correct typo in BROKEN entries. |
20 Mar 2021 01:16:38
4.0.0
|
leres |
security/zeek: Update to 4.0.0
This is the next Long-Term Support (LTS) major version:
https://github.com/zeek/zeek/releases/tag/v4.0.0
https://zeek.org/2020/12/15/zeek-4-0-release-candidate/
Support for the previous LTS (3.0.x) will end in about two months.
Reported by: Jon Siwek |
23 Feb 2021 01:54:20
3.0.13
|
leres |
security/zeek: Update to 3.0.13
https://github.com/zeek/zeek/releases/tag/v3.0.13
This release fixes the following vulnerability:
- Fix ASCII Input reader's treatment of input files containing
null-bytes. An input file containing null-bytes could lead to a
buffer-over-read, crash Zeek, and be exploited to cause Denial
of Service.
And fixes the following bugs:
- MIME sub-entities overwrote top-level header values cause
misleading SMTP log
- Fix incorrect major_subsys_version field in pe_optional_header
event
Reported by: Jon Siwek |
22 Dec 2020 17:02:54
3.0.12_2
|
pkubaj |
security/zeek: enable on powerpc64 head |
17 Dec 2020 22:01:31
3.0.12_2
|
leres |
security/zeek: Install cmake files
Unstream requested that share/zeek/cmake/* be installed as the files
are used to build zeek plugins.
While here update some pkg-plist @preunexec entries (*.bro -> *.zeek).
Reported by: Robin Sommer, Benjamin Bannier |
16 Dec 2020 01:05:01
3.0.12_1
|
leres |
security/zeek: Improve the pkg upgrade experience
Don't remove %%PREFIX%%/spool/state.db otherwise when zeek is
upgraded zeekctl doesn't detect the running instance and "restart"
fails.
Split uninstall related info in pkg-message.in to a new remove
section (and fix some typos). |
15 Dec 2020 22:17:29
3.0.12
|
leres |
security/zeek: Update to 3.0.12
https://github.com/zeek/zeek/releases/tag/v3.0.12
This release fixes the following bugs:
- Incorrect ICMP Neighbor Discovery Option length calculation
- Fix SMB2 response status parsing
- Fix excessive connection_status_update events for ICMP connections
Reported by: Jon Siwek |
19 Nov 2020 00:34:21
3.0.11_2
|
leres |
security/zeek: Remove deprecated security/broccoli option
Upstream confirms that support for the broccoli protocol will be
removed in a future version of zeek. And given that security/broccoli
requires python2 which will be deprecated at the end of December,
lets remove broccoli support from zeek now. |
06 Nov 2020 18:38:46
3.0.11_1
|
leres |
security/zeek: Fix build on armv7 and allow running as non-root user
Apply Renato Botelho's fix for the ARCH used in PLIST_SUB (with
some changes). Essentially use uname -m instead of trying to fix
up the ARCH defined by bsd.port.mk (uname -p).
While we're here:
- Convert networks.cfg, node.cfg, and zeekctl.cfg to use @sample
- Use @sample to avoid clobbering site.zeek (oops).
- Remove unnecessary subshell for the post-build-NETMAP-on target.
- Silence the annoying "use ZeekControl.plugin instead of (Only the first 15 lines of the commit message are shown above ) |
07 Oct 2020 21:29:54
3.0.11
|
leres |
security/zeek: Update to 3.0.11 to fix memory leaks and potential DOS:
https://github.com/zeek/zeek/releases/tag/v3.0.11
- A memory leak in multipart MIME code has potential for remote
exploitation and cause for Denial of Service via resource
exhaustion.
Other fixes:
- Fix incorrect RSTOS0 conn_state determinations
Reported by: Jon Siwek
MFH: 2020Q4
Security: 769a4f60-9056-4c27-89a1-1758a59a21f8 |
10 Sep 2020 00:15:49
3.0.10
|
leres |
security/zeek: Update to 3.0.10 to fix memory leaks and potential DOS:
https://github.com/zeek/zeek/releases/tag/v3.0.10
- Fix memory leak caused by re-entering AYIYA parsing
- Fix memory leak caused by re-entering GTPv1 parsing
Other fixes:
- Fix Input Framework 'change' events for 'set' destinations
- Fix reported body-length of HTTP messages w/ sub-entities
Reported by: Jon Siwek
MFH: 2020Q3
Security: 2c92fdd3-896c-4a5a-a0d8-52acee69182d |
28 Jul 2020 01:09:39
3.0.8
|
leres |
security/zeek: Update to 3.0.8 and address various vulnerabilities:
https://github.com/zeek/zeek/releases/tag/v3.0.8
- Fix potential DNS analyzer stack overflow
- Fix potential NetbiosSSN analyzer stack overflow
Other fixes:
- Fix DHCP Client ID Option misformat for Hardware Type 0
- Fix/allow copying/cloning of opaque of Broker::Store
- Fix ConnPolling memory over-use(Only the first 15 lines of the commit message are shown above ) |
05 Jul 2020 09:44:25
3.0.7
|
mikael |
security/zeek: fix packaging on aarch64
pkg-static: Unable to access file
/wrkdirs/usr/ports/security/zeek/work/stage/usr/local/lib/zeek/plugins/Bro_Netmap/lib/Bro-Netmap.freebsd-aarch64.so:No
such file or directory
Approved by: portmgr (tier-2 blanket) |
17 Jun 2020 18:17:45
3.0.7
|
sunpoet |
Move devel/swig30 to devel/swig and update to 4.0.1
- Do not silence installation message
- Update dependent ports:
- Fix build with swig 4.0.1
- Update *_DEPENDS
- Remove BINARY_ALIAS
Changes: http://www.swig.org/news.php
PR: 246613
Exp-run by: antoine |
10 Jun 2020 19:15:07
3.0.7
|
leres |
security/zeek: Update to 3.0.7 and address various vulnerabilities:
https://raw.githubusercontent.com/zeek/zeek/v3.0.7/NEWS
- Fix potential stack overflow in NVT analyzer
- Fix NVT analyzer memory leak from multiple telnet authn name options
- Fix multiple content-transfer-encoding headers causing a memory leak
- Fix potential leak of Analyzers added to tree during Analyzer::Done
- Prevent IP fragment reassembly on packets without minimal IP header
Other fixes:(Only the first 15 lines of the commit message are shown above ) |
08 May 2020 20:51:23
3.0.6_1
|
leres |
security/zeek: Fix build with PERFTOOLS which needed BUILD_DEPENDS.
While we're here sort options related.
Reported by: James Welcher |
06 May 2020 23:37:35
3.0.6
|
leres |
security/zeek: Update to 3.0.6 and address multiple vulnerabilites:
https://raw.githubusercontent.com/zeek/zeek/v3.0.6/NEWS
- Fix buffer over-read in Ident analyzer
- Fix SSL scripting error leading to uninitialized field access
and memory leak
- Fix POP3 analyzer global buffer over-read
- Fix potential stack overflows due to use of Variable-Length-Arrays
Other changes since 3.0.5 include:
(Only the first 15 lines of the commit message are shown above ) |
15 Apr 2020 00:01:37
3.0.5
|
leres |
security/zeek: Update to 3.0.5
Chase latest version number that contains a simple fix not relevant
to supported versions of FreeBSD (hence no MFH).
https://raw.githubusercontent.com/zeek/zeek/3ad19762770c567edc3498b3c1f9f216f46970b0/NEWS
- Same as 3.0.4 but fixes compilation on various platforms with
older compilers, for example GCC 4.8.x. |
14 Apr 2020 20:55:15
3.0.4
|
leres |
security/zeek: Update to 3.0.4 and address a remote crash vulnerability:
https://github.com/zeek/zeek/blob/e059d4ec2e689b3c8942f4aa08b272f24ed3f612/NEWS
- Fix stack overflow in POP3 analyzer. An attacker can crash Zeek
remotely via crafted packet sequence.
Other fixes:
- Fix use-after-free in Zeek lambda functions with uninitialized
locals
- Fix buffer overflow due to tables/records created at parse-time
not rebuilt on record redef
(Only the first 15 lines of the commit message are shown above ) |
14 Apr 2020 18:10:15
3.0.3_1
|
leres |
security/zeek: Fix typo in the rc.d script
(From the PR) "bro_stop" should say "zeek_stop" instead.
PR: 245612
Reported by: bugs@codejammer.se
MFH: 2020Q2 |
18 Mar 2020 00:34:19
3.0.3
|
leres |
security/zeek: Limit portscout to even long term support release versions
https://github.com/zeek/zeek/releases
Zeek 3.0.x is the Long-Term Support release, receiving bug fixes
until at least October 2020 while Zeek 3.1.x is the current
feature release, receiving bug fixes until approximately July
2020 when the 3.2.x release series begins.
Approved by: matthew (mentor, implicit) |
15 Mar 2020 22:44:26
3.0.3
|
leres |
security/bro: Update to 3.0.3 and address a number of potential
denial of service issues:
https://github.com/zeek/zeek/releases/tag/v3.0.2
https://github.com/zeek/zeek/releases/tag/v3.0.3
- Potential Denial of Service due to memory leak in DNS TSIG message
parsing.
- Potential Denial of Service due to memory leak (or assertion
when compiling with assertions enabled) when receiving a second
SSH KEX message after a first.
- Potential Denial of Service due to buffer read overflow and/or
memory leaks in Kerberos analyzer. The buffer read overflow (Only the first 15 lines of the commit message are shown above ) |
11 Dec 2019 21:43:22
3.0.1
|
leres |
security/bro: Update to 3.0.1. As announced by Jon Siwek:
This is a bug-fix release that most notably addresses a JSON
logging performance regression in 3.0.0, but also fixes other
minor bugs. A list which details the changes can be found here:
https://github.com/zeek/zeek/releases/tag/v3.0.1
Approved by: ler (mentor, implicit) |
17 Nov 2019 01:03:04
3.0.0
|
leres |
security/zeek: This adds security/zeek, the new version of security/bro.
This is being done as svn copy instead of rename so that users of
security/bro can have some time to migrate. It also allows for
possible security updates to the old bro port which upstream has
indicated is possible for at least a few months.
Reviewed by: ler (mentor)
Approved by: ler (mentor)
Differential Revision: https://reviews.freebsd.org/D22376 |
As an Amazon Associate I earn from qualifying purchases.