CVE-2022-3602 exploit detection.
Watch SMB transactions for files whose filenames match patterns known to be used by ransomware.
Detect DNS tunneling attacks.
A library for getting the "effective tld" of a domain name.
MISP+Zeek. Dovehawk is a Zeek Module to import MISP indicators to the Intel Framework and Signature Framework automatically. Reports sightings directly back to MISP as they happen. Supports Zeek Clusters.
Dovehawk.io Passive DNS Capture Module.
Dovehawk Anonymized Outbound Flow Tracking
Zeek package to add a destination port to the meta fields in Zeek. It creates a notice when both the intel indicator and the destination port match. This adds a feature that can be used to reduce false positives.
Create dummy connection records.
Extract files from network traffic with Zeek.
Find SMBv1 activity.
Provides mechanisms for managing and using institutional knowledge about a monitored environment to make informed observations of normal and abnormal network activity.
Adds additional fields to the conn.log for the data obtained via Zeek's GeoLocation feature (https://docs.zeek.org/en/current/frameworks/geoip.html).
Protocol analyzer that detects, dissects, fingerprints, and logs GQUIC traffic.
HASSH is used to identify specific client and server SSH implementations. The fingerprints can be stored, searched, and shared in the form of an MD5 hash. This package logs the HASSH components to ssh.log.