Packages

tcprs

By jswaro

TCP Retransmission and State Analyzer plugin for Bro.

top-dns

By corelight

Log the top DNS queries being requested.

uap-bro

By vitalyrepin

User Agent Parser - Bro implementation based on uap-core

unknown-mime-type-discovery

By sethhall

A Bro package for finding new file signatures.

venom

By dopheide

Attempts to detect an attacker calling to the VENOM Linux Rootkit https://security.web.cern.ch/security/venom.shtml

vnc-scanner

By initconf

Simple policy to detect VNC (RFB) scanners based on src->dst connection counts

zeek-EternalSafety

By lexibrent

EternalSafety is a Zeek/Bro package for detecting potentially-dangerous SMBv1 protocol violations that encapsulate bugs exploited by the infamous Eternal* family of Windows exploits. It is capable of detecting EternalBlue, EternalSynergy/EternalRomance, EternalChampion, and the DoublePulsar backdoor. However, rather than identifying these exploits via simple signature-matching, *EternalSafety* instead implements a set of SMBv1 protocol invariants that encapsulate techniques used by each Eternal* exploit to trigger bugs in unpatched Windows systems. EternalSafety accurately and reliably identifies the EternalBlue, EternalSynergy and EternalRomance exploits, and the DoublePulsar backdoor implant. Due to limitations in Zeek's SMBv1 support, it has limited support for detecting EternalChampion via signature-matching. EternalSafety also identifies a range of other protocol violations, such as the use of unimplemented/unused SMBv1 commands, server-initiated changes in values that may only be set by an SMBv1 client, and incorrect interleaving of transaction types.

zeek-httpattacks

By precurse

Checks for HTTP anomalies typically used for attacking.

zeek-known-hosts-with-dns

By dopheide

This script expands the base known-hosts policy to include reverse DNS queries and syncs it across all workers.

zeek-notice-slack

By pgaulon

Bro Notices through Slack webhook

zeek-ntp-monlist

By dopheide

This script just replaces the old ntp-monlist script to work with Zeek 3.0.0+

zeek-plugin-roca

By 0xxon

Identify certificates potentially affected by CVE-2017-15361

zeek-postgresql

By 0xxon

A PostgreSQL reader and writer for Bro.

zeek-sniffpass

By cybera

Sniffpass will alert on cleartext passwords discovered in HTTP POST requests

zeek-ssh-interesting-hostnames-with-known

By dopheide

This script replaces the default ssh/interesting-hostnames and reduces the number of asynchronous when() calls made by Zeek.

zeek-sumstats-counttable

By 0xxon

Two-dimensional buckets for sumstats (count occurrences per $str).

zeek-vast

By tenzir

A package that enables Zeek to communicate with VAST
