Packages

variation_coefficient

By thibaultbl

Implements the coefficient of variation (standard deviation / average), a sort of relative standard deviation.

venom

By dopheide

Attempts to detect an attacker calling to the VENOM Linux Rootkit https://security.web.cern.ch/security/venom.shtml

vnc-scanner

By initconf

Simple policy to detect VNC (RFB) scanners based on src->dst connection counts

wildcard-domain

By jbaggs

This script adds a new Intel::WILDCARD_DOMAIN type that matches on the base domain name, regardless of what subdomain may be prepended to it.

zeek_metainfo

By stevesmoot

Create schemas in many forms for local Zeek installation/configuration. JSON, markup text, Avro, html so far.

zeek_scram

By esnet-security

Zeek script for interacting with the SCRAM client

zeek-af_packet-plugin

By zeek

This plugin provides native AF_Packet support for Zeek.

zeek-agenttesla-detector

By corelight

An AgentTesla malware C2 detector.

zeek-amadey-detector

By keithjjones

A Zeek-based Amadey malware detector.

zeek-asyncrat-detector

By corelight

An AsyncRAT malware detector.

zeek-bogon

By captainGeech42

Label bogon IPs in conn.log

zeek-community-id

By corelight

"Community ID" flow hash support in conn.log

zeek-conn-footprint

By awelzel

Regularly log footprints of long running connections.

zeek-cryptomining

By jsiwek

Detects Bitcoin, Litecoin, or other cryptocurrency mining traffic that uses getwork, getblocktemplate, or Stratum mining protocols over TCP or HTTP. This package used to be named "bro_bitcoin".

zeek-dag

By endace

Packet source plugin that provides native support for Endace DAG card and EndaceProbe Application Dock packet capture.

zeek-ebury

By esnet-security

This script attempts to detect the Ebury SSH backdoor based on the presence of base64 in the SSH client string.

Page 9 of 14, showing 20 record(s) out of 262 total