Packages

tcprs

By jswaro

TCP Retransmission and State Analyzer plugin for Bro.

top-dns

By corelight

Log the top DNS queries being requested.

uap-bro

By vitalyrepin

User Agent Parser - Bro implementation based on uap-core

vnc-scanner

By initconf

Simple policy to detect VNC (RFB) scanners based on src->dst connection counts

zeek_metainfo

By stevesmoot

Create schemas in many forms for local Zeek installation/configuration. JSON, markup text, Avro, html so far.

zeek-af_packet-plugin

By zeek

This plugin provides native AF_Packet support for Zeek.

zeek-community-id

By corelight

"Community ID" flow hash support in conn.log

zeek-cryptomining

By jsiwek

Detects Bitcoin, Litecoin, or other cryptocurrency mining traffic that uses getwork, getblocktemplate, or Stratum mining protocols over TCP or HTTP. This package used to be named "bro_bitcoin".

zeek-dag

By endace

Packet source plugin that provides native support for Endace DAG card and EndaceProbe Application Dock packet capture.

zeek-EternalSafety

By 0xl3x1

EternalSafety is a Zeek package for detecting potentially-dangerous SMBv1 protocol violations that encapsulate bugs exploited by the infamous Eternal* family of Windows exploits. It is capable of detecting EternalBlue, EternalSynergy/EternalRomance, EternalChampion, and the DoublePulsar backdoor. However, rather than identifying these exploits via simple signature-matching, *EternalSafety* instead implements a set of SMBv1 protocol invariants that encapsulate techniques used by each Eternal* exploit to trigger bugs in unpatched Windows systems. EternalSafety accurately and reliably identifies the EternalBlue, EternalSynergy and EternalRomance exploits, and the DoublePulsar backdoor implant. Due to limitations in Zeek's SMBv1 support, it has limited support for detecting EternalChampion via signature-matching. EternalSafety also identifies a range of other protocol violations, such as the use of unimplemented/unused SMBv1 commands, server-initiated changes in values that may only be set by an SMBv1 client, and incorrect interleaving of transaction types.

zeek-gozi-detector

By corelight

A Zeek based Gozi malware detector.

zeek-jemalloc-profiling

By justinazoff

A broctl plugin that enables jemalloc profiling

zeek-jetdirect

By dopheide

Detect exploit attempt of HP JetDirect printers

zeek-kafka

By seisollc

A Zeek log writer plugin that publishes to Kafka.

zeek-known-hosts-with-dns

By dopheide

This script expands the base known-hosts policy to include reverse DNS queries and syncs it across all workers.

zeek-known-outbound

By dopheide

This script provides the ability to monitor and throw notices for outbound connections to a list of watched countries. It also adds orig and resp country codes to conn.log. It depends on having libmaxmind configured for GeoIP lookups.

zeek-new-domains

By rvictory

Monitors for new domains being queried for and raises a notice for them

zeek-notice-slack

By pgaulon

Zeek Notices through Slack webhook

zeek-ntp-monlist

By dopheide

This script just replaces the old ntp-monlist script to work with Zeek 3.0.0+

zeek-package-ARP

By stratosphereips

Zeek Package that supports adding arp.log to zeek log files

Page 5 of 6, showing 20 record(s) out of 118 total