
v0.10.0

@philrz philrz released this 29 May 23:51
7e879a0

Visit the Brim Download page to find the package for your OS platform.

  • Update zq to v0.14.0
  • Update Zeek to v3.2.0-dev-brim2, with the following platform specific changes:
    • Windows: importing pcaps is much faster than previous releases
    • macOS: importing pcaps no longer works on macOS versions prior to 10.14. (#819)
    • Linux: support importing pcapng formatted captures
  • Allow processing of pcaps with a custom Zeek version (#771, #732, #807, #783, wiki)
  • Format timestamps as ISO8601 by default, and add a Preferences option to change the format (#766)
  • Fix an issue where spaces were not deleted when quitting during pcap import (#780)
  • Migrate app state (such as Search History) upon upgrading rather than clearing it, starting with upgrades from v0.9.1 (#787, #793, #782, #821, #823)
  • Add a Preferences option to change the Data Directory location (#794)
  • Allow exporting of search results to a ZNG file (#802, #827)
  • Fix an issue where clicking the Choose buttons in the Preferences menu would hang the app (#816)
  • Add the ability to rename a Space via right-click (#806, #831)
  • Fix an issue where a JSON typing configuration could not be selected in Preferences (#818)
  • Fix an issue where old error messages were left behind after exiting Preferences (#829)
  • Windows releases are signed, but you may see a warning popup when you run the installer (unlike our Mac/Linux releases). See Microsoft Windows beta limitations for details.

Here's a narrative version of the important highlights:

We're excited to introduce the new Zeek version. We did a lot of work getting our first Windows port of Zeek finished for the initial Brim release a couple of months back, but it was a little rough around the edges because it was based on Cygwin. Because of that, it ran slowly and had to use some clunky pcap libraries. This new release uses MinGW instead of Cygwin, so it runs much faster and is also able to leverage modern libpcap. Our changes for Windows have also been submitted upstream to Zeek and are starting to be merged in small PRs, so we're hopeful that one day we'll be able to bundle "a GA version of Zeek that happens to run on Windows" rather than our own port. Please track and 👍 zeek/zeek#951 if you're interested in the ongoing Windows efforts.

The "custom Zeek version" (aka "bring your own Zeek") is some cool stuff as well. While we bundle a specific Zeek release with Brim for ease of use, we've heard from users who want to run their own customized Zeek versions and/or use Brim to create and debug Zeek scripts in their local Zeek dev environments. With this new support, you can go into the Preferences menu in Brim and point it at a simple "Zeek runner" script that runs your pcaps through the Zeek of your choosing, and you're off and running. See the Zeek Customization wiki article for details.
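As an added illustration of what such a runner script can look like (this is not Brim's bundled runner and not taken from the wiki article), here is a small POSIX shell runner. It assumes that Brim streams the pcap to the runner's stdin and expects the Zeek logs to appear in the current working directory, that the Zeek binary to use is named by an assumed `ZEEK_BIN` environment variable (defaulting to `zeek` on the PATH), and that the script is installed under the assumed file name `zeekrunner`. Before handing the capture to Zeek it checks the file's magic number, so that a non-capture file selected by mistake fails with a clear message instead of an obscure Zeek error:

```shell
#!/bin/sh
# Hypothetical Brim "Zeek runner" (added example, not Brim's own script).
# Assumed contract: pcap bytes arrive on stdin, Zeek logs are written to the
# current working directory. ZEEK_BIN is an assumed variable naming the Zeek
# binary to run; it defaults to whatever "zeek" is on the PATH.
set -eu

# Return 0 when the first four bytes of the file are a pcap or pcapng magic
# number, 1 otherwise. Covers little/big-endian pcap, nanosecond pcap, and
# the pcapng section-header block type.
pcap_magic_ok() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$magic" in
        d4c3b2a1|a1b2c3d4|4d3cb2a1|a1b23c4d|0a0d0d0a) return 0 ;;
        *) return 1 ;;
    esac
}

# Validate the capture file, then run it through Zeek with the standard
# "local" script set. -C ignores bad IP/TCP checksums, which are common in
# captures taken on hosts that use checksum offloading.
run_zeek() {
    capture="$1"
    if ! pcap_magic_ok "$capture"; then
        echo "zeekrunner: input is not a pcap/pcapng file" >&2
        return 1
    fi
    "${ZEEK_BIN:-zeek}" -C -r "$capture" local
}

# Act as the runner only when installed under the assumed name "zeekrunner";
# otherwise the file just defines the functions above.
if [ "${0##*/}" = "zeekrunner" ]; then
    tmp=$(mktemp)
    trap 'rm -f "$tmp"' EXIT
    cat > "$tmp"          # spool stdin so the magic check can inspect the file
    run_zeek "$tmp"
fi
```

Spooling stdin to a temporary file is what makes the magic check possible; if your captures are very large and disk space matters, drop the check and pass `-r -` to Zeek directly instead.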

The part about "migrating app state" should be a relief for anyone who was frustrated by having their Search History cleared out when they upgrade to new app versions. This only "kicks in" with users who are upgrading from Brim v0.9.1 (the prior GA release), so if you're running v0.8.0 or older today and upgrade straight to v0.10.0, you'll have to endure one more round of cleared state. But once you're on v0.9.1 or newer, you should have the state of your app (like Search History) preserved as you upgrade through v0.10.0 and other versions going forward.

The ISO8601 timestamps may be a small thing, but we know that not everyone in the world is a weirdo with date formats like 05/29 to say May 29th, so now we're defaulting to formats like 2020-05-29T20:02:32Z that everyone can enjoy. 😉 Just go into the Preferences menu if you want to customize it to suit your local taste.

Finally, the "export" option should make it easier for you to save and share your data. If you've executed a search that gives you a narrower set of Zeek events you'd like to bring outside the app, just click the Export button or choose File->Export from the menu. The ZNG file you save can be queried with zq or re-imported into another Space on your Brim or someone else's.