security/zeek: Update to 7.0.0
https://github.com/zeek/zeek/releases/tag/v7.0.0
This is the latest major-version Long-Term Support (LTS) release of Zeek.
- The Telemetry framework has had a major rework, and includes a number of breaking changes. The biggest change is a move towards a Prometheus-first model.
- All of the metrics-related script-level options, type, and methods have been moved to the Telemetry framework.
- The following options have been removed:
  Broker::metrics_export_interval
  Broker::metrics_export_topic
  Broker::metrics_import_topics
  Broker::metrics_export_prefixes
- The unit field has been removed from the telemetry log.
- All of the BROKER_METRICS_* environment variables have been removed.
- The instruments that previously supported count in scripts and int64_t in C++ were removed in favor of only providing double versions.
- The is_sum argument has been removed from the constructors/creation methods for all of the instruments.
- Zeekctl now sets FileExtract::prefix to spool/extract_files/<node> to avoid deletion of extracted files when stopping worker nodes.
- Support delete on tables, sets and vectors to clear their contents.
- A new helper function can_load() backed by a new bif find_in_zeekpath() was added to determine if a non-relative @load directive might work.
- Zeek packagers can now include a "local" addition into Zeek's version string.
- SMB2 packets containing multiple PDUs now correctly parse all of the headers, instead of just the first one and ignoring the rest.
- The new built-in function lookup_connection_analyzer_id() retrieves the numeric identifier of an analyzer associated with a connection.
- The from_json() function now supports ingesting JSON representations of tables as produced by the to_json() function.
- The analyzer.log now optionally supports logging of disabled analyzers through the new option Analyzer::logging::include_disabling.
- The ftp.log fuid field is now cleared after handling a command with a fuid associated with it.
- The type_name field populated by global_ids() now aligns with the value returned by type_name() for each identifier. E.g., Site::local_nets has a type_name of set[subnet] rather than table.
- The ISO 9660 file signature has been moved into the policy directory.
- The val_footprint() BiF now factors in the size of strings when reporting footprints, roughly equating a string's size with the number of elements comparable to that length.
- The tuning/defaults policy has been deprecated and will be removed in v7.1.
- If a Spicy protocol analyzer feeds data into file analysis, it now needs to call Zeek's Files::register_protocol() and provide a callback for computing file handles.
- The Supervisor's API now returns NodeConfig records with a cluster table whose ClusterEndpoints have a port value of 0/unknown, rather than 0/tcp, to indicate that the node in question has no listening port.
- The --disable-archiver configure flag no longer does anything and will be removed in 7.1. zeek-archiver has moved into the zeek-aux repository.
Reported by: Tim Wojtulewicz
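Added example, not part of the port commit or of Zeek's own release notes: a small Zeek script exercising two of the 7.0 script-level changes listed above, the JSON round-trip of a table through to_json()/from_json() and the new whole-container delete. It assumes the from_json() signature and the from_json_result record (fields v and valid) as documented for Zeek 6.x, and the type alias CountTable is introduced here only to have a type value to hand to from_json().

```zeek
# Added example (not from the port or the Zeek project): exercises two
# Zeek 7.0 script-level changes, from_json() on tables and delete on a
# whole container. Run with: zeek demo.zeek
module Demo;

# Type alias introduced for this example so the table type can be passed
# to from_json() as a value.
type CountTable: table[string] of count;

global counts: CountTable = table();

event zeek_init()
	{
	counts["alpha"] = 1;
	counts["beta"] = 2;

	# to_json() emits the table as a JSON object; since 7.0 from_json()
	# can read that representation back into a table.
	local j = to_json(counts);
	print fmt("serialized: %s", j);

	# Assumption: from_json() returns a from_json_result record with a
	# 'valid' flag and the decoded value in 'v' (type any), which is cast
	# back to the table type with 'as'.
	local r = from_json(j, CountTable);
	if ( ! r$valid )
		{
		print "from_json() rejected the table JSON";
		return;
		}

	local back = r$v as CountTable;
	print fmt("round-trip size: %d, alpha=%d, beta=%d",
	          |back|, back["alpha"], back["beta"]);

	# New in 7.0: delete on the container itself clears all entries,
	# instead of requiring delete counts[key] per element.
	delete counts;
	print fmt("after delete: %d entries remain", |counts|);
	}
```

The script prints the serialized JSON object, confirms that the decoded table carries the same two entries, and then shows the table empty after the single delete statement; on a pre-7.0 Zeek the from_json() call fails and the bare delete is a parse error, which is a quick way to confirm which semantics a given installation has.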