Bro Package Manager: Packages

dns_axfr

Find and notice DNS zone transfer attempts.

domain-tld

A library for getting the "effective tld" of a domain name.

dovehawk

MISP+Bro. Dovehawk is a Bro Module to import MISP indicators to the Intel Framework automatically and report sightings directly back to MISP as they happen.

dummy-connections

By hosom

Create dummy connection records.

file-extraction

By hosom

Extract files from network traffic with Bro.

fix-ascii

By reservoirlabs

ASCII FIX analyzer package

fix-binary

By reservoirlabs

binary FIX analyzer package

flow_labels

By bricata

Provides mechanisms for managing and using institutional knowledge about a monitored environment to make informed observations of normal and abnormal network activity.

HASSH is used to identify specific Client and Server SSH implementations. The fingerprints can be stored, searched and shared in the form of an MD5 fingerprint. This package logs components to ssh.log

http_csp

By srozb

HTTP Content-Security-Policy report parser

http-stalling-detector

By corelight

Detect HTTP stalling attacks like slowloris.

intel-extensions

By j-gras

Extensions for Bro's intelligence framework.

intel-seen-more

By j-gras

Additional seen-triggers for Bro's intelligence framework.

ja3

By salesforce

JA3 creates 32 character SSL client fingerprints and logs them as a field in ssl.log. These fingerprints can easily be shared as threat intelligence or used as correlation items for enhanced alerting and analysis. This package also adds JA3 to the Bro Intel Framework. https://github.com/salesforce/ja3

Packages

dns_axfr

dns-tunnels

domain-tld

dovehawk

dummy-connections

file-extraction

find_smbv1

fix-ascii

fix-binary

flow_labels

ftp-bruteforce

hassh

http_csp

http-stalling-detector

intel-extensions

intel-seen-more

ja3

Joe-Sandbox-Bro

json-streaming-logs

ldap-analyzer