Packages

vnc-scanner

By initconf

Simple policy to detect VNC (RFB) scanners based on src->dst connection counts

wildcard-domain

By jbaggs

This script adds a new Intel::WILDCARD_DOMAIN type that matches on the base domain name, regardless of what subdomain may be prepended to it.

zeek_metainfo

By stevesmoot

Creates schemas in many forms for a local Zeek installation/configuration: JSON, markup text, Avro, and HTML so far.

zeek_scram

By esnet-security

Zeek script for interacting with the SCRAM client

zeek-af_packet-plugin

By zeek

This plugin provides native AF_Packet support for Zeek.

zeek-amadey-detector

By keithjjones

A Zeek-based Amadey malware detector.

zeek-asyncrat-detector

By corelight

An AsyncRAT malware detector.

zeek-bogon

By captainGeech42

Label bogon IPs in conn.log

zeek-community-id

By corelight

"Community ID" flow hash support in conn.log

zeek-conn-footprint

By awelzel

Regularly log footprints of long running connections.

zeek-cryptomining

By jsiwek

Detects Bitcoin, Litecoin, or other cryptocurrency mining traffic that uses getwork, getblocktemplate, or Stratum mining protocols over TCP or HTTP. This package used to be named "bro_bitcoin".

zeek-dag

By endace

Packet source plugin that provides native support for Endace DAG card and EndaceProbe Application Dock packet capture.

zeek-ebury

By esnet-security

This script attempts to detect the Ebury SSH backdoor based on the presence of base64 in the SSH client string.

zeek-elf

By corelight

This package provides some basic analysis for ELF files.

zeek-EternalSafety

By 0xl3x1

EternalSafety is a Zeek package for detecting potentially-dangerous SMBv1 protocol violations that encapsulate bugs exploited by the infamous Eternal* family of Windows exploits. It is capable of detecting EternalBlue, EternalSynergy/EternalRomance, EternalChampion, and the DoublePulsar backdoor. However, rather than identifying these exploits via simple signature-matching, *EternalSafety* instead implements a set of SMBv1 protocol invariants that encapsulate techniques used by each Eternal* exploit to trigger bugs in unpatched Windows systems. EternalSafety accurately and reliably identifies the EternalBlue, EternalSynergy and EternalRomance exploits, and the DoublePulsar backdoor implant. Due to limitations in Zeek's SMBv1 support, it has limited support for detecting EternalChampion via signature-matching. EternalSafety also identifies a range of other protocol violations, such as the use of unimplemented/unused SMBv1 commands, server-initiated changes in values that may only be set by an SMBv1 client, and incorrect interleaving of transaction types.

zeek-exfil-detect

By saiiman

This package offers the possibility of exfiltration detection through statistical analysis methods. For this purpose, all connections are added to a baseline, subdivided according to their source IP address and destination port. The baseline is then used to perform statistical anomaly detection. Anomalies in the baseline are considered data exfiltration. The severity of the anomaly is recorded using a score between 0 and 1.

Page 9 of 13, showing 20 record(s) out of 256 total