December 5, 2022 by Tim Wojtulewicz
Editor's note: This post was originally published on the Zeek.org blog on Nov. 28, 2022. Reposted here in full with permission as a courtesy.
As we shared at ZeekWeek 2022 in October, we’re thrilled to announce emerging support for Zeek on Windows, thanks to an open-source contribution from Microsoft. The contribution is part of Microsoft’s integration of Zeek into its Defender for Endpoint security platform; it provides fully native build support for Windows platforms and opens up a range of future technical possibilities in this vast ecosystem. Make sure to check out Microsoft’s talks on the technical aspects of this integration as well as the detection capabilities this move enables.
In this blog post we’d like to recap the open-source work that’s unfolded since the beginning of our collaboration with Microsoft, summarize the current status, and outline next steps.
The first concrete conversations about Zeek running natively on Windows, and its potential for Defender, grew out of an emerging partnership between Corelight and Microsoft and took place early in the year. In mid-September the Zeek team, led by Tim Wojtulewicz, began to work closely with the Microsoft engineering team on actual code, and to map out a path to getting the contribution integrated into Zeek’s main line of development.
The first step on this path was to review an initial version of Microsoft’s contribution, based on their internally deployed Zeek build, to understand potential trouble spots, focus areas, and the extent to which changes would affect our source tree’s already complex submodule structure. To align the process with our regular GitHub-based workflows, this set of initial PRs and their review happened in private repositories that we forked from our public ones in the last week of September. This also gave our team an opportunity to set up local builds and deploy a Windows CI environment.
As a next step, the Microsoft team turned the needed submodule modifications into PRs (for bifcl, binpac, broker, cmake, gen-zam and paraglob) that we merged shortly thereafter.
The MIT-licensed libunistd provides a lot of the port’s underlying Windows/UNIX compatibility. In line with many of Zeek’s third-party dependencies, we added an internal fork of the library as an additional submodule to allow us to pin our build to specific commits, and we’re upstreaming any modifications we make to it. Many of the hiccups we identified at this stage were due to subtle discrepancies in this compatibility layer, such as one version adding a trailing slash while the other does not, or timestamps suddenly turning negative because of 32-bit/64-bit confusion. However, Zeek’s codebase has remained encouragingly free of platform-specific ifdefs and similar ugliness!
Finally, Microsoft’s main Zeek PR landed on October 31, consisted of 72 commits, and got merged 11 days later.
At this point we provide experimental support for the Windows platform, as follows:
However:
The Zeek 5.2 release, scheduled for early 2023, will be the first to feature Windows support. In the meantime, we encourage interested folks to check out the documentation, experiment, and share feedback in Slack and our Discourse forum.
The Zeek Project would like to thank the team at Microsoft and particularly Tomer Lev and Elad Solomon for this contribution, the late hours, and the fun and lively collaboration — it’s been a thrill and joy to work with you all.
By Tim Wojtulewicz
Tagged With: Zeek, open source, open source community, microsoft