├── .gitignore ├── LICENSE ├── README.adoc ├── __load__.zeek ├── frameworks ├── compliance │ └── detect-insecure-protos.zeek ├── files │ ├── extract2fsf.zeek │ ├── extraction │ │ ├── LICENSE │ │ ├── README.md │ │ ├── __load__.zeek │ │ ├── file-extensions.zeek │ │ ├── main.zeek │ │ └── plugins │ │ │ ├── __load__.zeek │ │ │ ├── extract-all-files.zeek │ │ │ ├── extract-archive.zeek │ │ │ ├── extract-common-exploit-types.zeek │ │ │ ├── extract-elf.zeek │ │ │ ├── extract-executable-types.zeek │ │ │ ├── extract-java.zeek │ │ │ ├── extract-macho.zeek │ │ │ ├── extract-ms-office.zeek │ │ │ ├── extract-pdf.zeek │ │ │ ├── extract-pe.zeek │ │ │ ├── extract-scripts.zeek │ │ │ ├── store-files-by-md5.zeek │ │ │ ├── store-files-by-sha1.zeek │ │ │ └── store-files-by-sha256.zeek │ ├── fsf-client │ │ ├── conf │ │ │ ├── __init__.py │ │ │ └── config.py │ │ └── fsf_client.py │ └── unified2-integration.zeek ├── intel │ ├── __load__.zeek │ ├── intel-1.dat │ └── intel.zeek ├── logging │ ├── disable-ascii.zeek │ └── extension.zeek └── notice │ └── scot-integration.zeek ├── misc ├── conn-add-geoip.zeek ├── conn-add-worker.zeek ├── hassh │ ├── LICENSE.txt │ ├── __load__.zeek │ └── hassh.zeek └── ja3 │ ├── __load__.zeek │ ├── intel_ja3.zeek │ ├── ja3.zeek │ └── ja3s.zeek ├── plugins ├── afpacket.zeek ├── community_id.zeek ├── kafka.zeek └── publish-community_id │ ├── README.md │ ├── __load__.zeek │ ├── connection.zeek │ ├── dce_rpc.zeek │ ├── dhcp.zeek │ ├── dnp3.zeek │ ├── dns.zeek │ ├── ftp.zeek │ ├── http.zeek │ ├── irc.zeek │ ├── krb.zeek │ ├── modbus.zeek │ ├── mysql.zeek │ ├── ntlm.zeek │ ├── ntp.zeek │ ├── radius.zeek │ ├── rdp.zeek │ ├── rfb.zeek │ ├── sip.zeek │ ├── smb.zeek │ ├── smtp.zeek │ ├── snmp.zeek │ ├── socks.zeek │ ├── ssh.zeek │ ├── ssl.zeek │ ├── syslog.zeek │ └── tunnel.zeek ├── protocols ├── dns │ └── known_domains.zeek ├── http │ ├── cookie-log.zeek │ └── http-body-url-extraction.zeek ├── pop3 │ ├── __load__.zeek │ └── main.zeek ├── smtp │ ├── extract_smtp_body.zeek │ └── smtp-url.zeek └── ssl │ ├── dod-ca-list.zeek │ ├── generate_zeek_dod_ca.sh │ ├── new-certs.zeek │ └── ssl-add-cert-hash.zeek ├── rock.zeek ├── skeleton.zeek └── utils └── json.zeek /.gitignore: -------------------------------------------------------------------------------- 1 | .state 2 | .DS_Store 3 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rocknsm/rock-scripts/HEAD/LICENSE -------------------------------------------------------------------------------- /README.adoc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rocknsm/rock-scripts/HEAD/README.adoc -------------------------------------------------------------------------------- /__load__.zeek: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rocknsm/rock-scripts/HEAD/__load__.zeek -------------------------------------------------------------------------------- /frameworks/compliance/detect-insecure-protos.zeek: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rocknsm/rock-scripts/HEAD/frameworks/compliance/detect-insecure-protos.zeek -------------------------------------------------------------------------------- /frameworks/files/extract2fsf.zeek: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rocknsm/rock-scripts/HEAD/frameworks/files/extract2fsf.zeek -------------------------------------------------------------------------------- /frameworks/files/extraction/LICENSE: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rocknsm/rock-scripts/HEAD/frameworks/files/extraction/LICENSE -------------------------------------------------------------------------------- /frameworks/files/extraction/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rocknsm/rock-scripts/HEAD/frameworks/files/extraction/README.md -------------------------------------------------------------------------------- /frameworks/files/extraction/__load__.zeek: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rocknsm/rock-scripts/HEAD/frameworks/files/extraction/__load__.zeek -------------------------------------------------------------------------------- /frameworks/files/extraction/file-extensions.zeek: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rocknsm/rock-scripts/HEAD/frameworks/files/extraction/file-extensions.zeek -------------------------------------------------------------------------------- /frameworks/files/extraction/main.zeek: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rocknsm/rock-scripts/HEAD/frameworks/files/extraction/main.zeek -------------------------------------------------------------------------------- /frameworks/files/extraction/plugins/__load__.zeek: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rocknsm/rock-scripts/HEAD/frameworks/files/extraction/plugins/__load__.zeek -------------------------------------------------------------------------------- /frameworks/files/extraction/plugins/extract-all-files.zeek: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rocknsm/rock-scripts/HEAD/frameworks/files/extraction/plugins/extract-all-files.zeek -------------------------------------------------------------------------------- /frameworks/files/extraction/plugins/extract-archive.zeek: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rocknsm/rock-scripts/HEAD/frameworks/files/extraction/plugins/extract-archive.zeek -------------------------------------------------------------------------------- /frameworks/files/extraction/plugins/extract-common-exploit-types.zeek: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rocknsm/rock-scripts/HEAD/frameworks/files/extraction/plugins/extract-common-exploit-types.zeek -------------------------------------------------------------------------------- /frameworks/files/extraction/plugins/extract-elf.zeek: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rocknsm/rock-scripts/HEAD/frameworks/files/extraction/plugins/extract-elf.zeek -------------------------------------------------------------------------------- /frameworks/files/extraction/plugins/extract-executable-types.zeek: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rocknsm/rock-scripts/HEAD/frameworks/files/extraction/plugins/extract-executable-types.zeek -------------------------------------------------------------------------------- /frameworks/files/extraction/plugins/extract-java.zeek: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rocknsm/rock-scripts/HEAD/frameworks/files/extraction/plugins/extract-java.zeek -------------------------------------------------------------------------------- /frameworks/files/extraction/plugins/extract-macho.zeek: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rocknsm/rock-scripts/HEAD/frameworks/files/extraction/plugins/extract-macho.zeek -------------------------------------------------------------------------------- /frameworks/files/extraction/plugins/extract-ms-office.zeek: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rocknsm/rock-scripts/HEAD/frameworks/files/extraction/plugins/extract-ms-office.zeek -------------------------------------------------------------------------------- /frameworks/files/extraction/plugins/extract-pdf.zeek: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rocknsm/rock-scripts/HEAD/frameworks/files/extraction/plugins/extract-pdf.zeek -------------------------------------------------------------------------------- /frameworks/files/extraction/plugins/extract-pe.zeek: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rocknsm/rock-scripts/HEAD/frameworks/files/extraction/plugins/extract-pe.zeek -------------------------------------------------------------------------------- /frameworks/files/extraction/plugins/extract-scripts.zeek: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rocknsm/rock-scripts/HEAD/frameworks/files/extraction/plugins/extract-scripts.zeek -------------------------------------------------------------------------------- /frameworks/files/extraction/plugins/store-files-by-md5.zeek: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rocknsm/rock-scripts/HEAD/frameworks/files/extraction/plugins/store-files-by-md5.zeek -------------------------------------------------------------------------------- /frameworks/files/extraction/plugins/store-files-by-sha1.zeek: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rocknsm/rock-scripts/HEAD/frameworks/files/extraction/plugins/store-files-by-sha1.zeek -------------------------------------------------------------------------------- /frameworks/files/extraction/plugins/store-files-by-sha256.zeek: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rocknsm/rock-scripts/HEAD/frameworks/files/extraction/plugins/store-files-by-sha256.zeek -------------------------------------------------------------------------------- /frameworks/files/fsf-client/conf/__init__.py: -------------------------------------------------------------------------------- 1 | __all__ = ['config'] 2 | -------------------------------------------------------------------------------- /frameworks/files/fsf-client/conf/config.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rocknsm/rock-scripts/HEAD/frameworks/files/fsf-client/conf/config.py -------------------------------------------------------------------------------- /frameworks/files/fsf-client/fsf_client.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rocknsm/rock-scripts/HEAD/frameworks/files/fsf-client/fsf_client.py -------------------------------------------------------------------------------- /frameworks/files/unified2-integration.zeek: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rocknsm/rock-scripts/HEAD/frameworks/files/unified2-integration.zeek -------------------------------------------------------------------------------- /frameworks/intel/__load__.zeek: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rocknsm/rock-scripts/HEAD/frameworks/intel/__load__.zeek -------------------------------------------------------------------------------- /frameworks/intel/intel-1.dat: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rocknsm/rock-scripts/HEAD/frameworks/intel/intel-1.dat -------------------------------------------------------------------------------- /frameworks/intel/intel.zeek: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rocknsm/rock-scripts/HEAD/frameworks/intel/intel.zeek -------------------------------------------------------------------------------- /frameworks/logging/disable-ascii.zeek: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rocknsm/rock-scripts/HEAD/frameworks/logging/disable-ascii.zeek -------------------------------------------------------------------------------- /frameworks/logging/extension.zeek: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rocknsm/rock-scripts/HEAD/frameworks/logging/extension.zeek -------------------------------------------------------------------------------- /frameworks/notice/scot-integration.zeek: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rocknsm/rock-scripts/HEAD/frameworks/notice/scot-integration.zeek -------------------------------------------------------------------------------- /misc/conn-add-geoip.zeek: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rocknsm/rock-scripts/HEAD/misc/conn-add-geoip.zeek -------------------------------------------------------------------------------- /misc/conn-add-worker.zeek: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rocknsm/rock-scripts/HEAD/misc/conn-add-worker.zeek -------------------------------------------------------------------------------- /misc/hassh/LICENSE.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rocknsm/rock-scripts/HEAD/misc/hassh/LICENSE.txt -------------------------------------------------------------------------------- /misc/hassh/__load__.zeek: -------------------------------------------------------------------------------- 1 | @load ./hassh 2 | -------------------------------------------------------------------------------- /misc/hassh/hassh.zeek: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rocknsm/rock-scripts/HEAD/misc/hassh/hassh.zeek -------------------------------------------------------------------------------- /misc/ja3/__load__.zeek: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rocknsm/rock-scripts/HEAD/misc/ja3/__load__.zeek -------------------------------------------------------------------------------- /misc/ja3/intel_ja3.zeek: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rocknsm/rock-scripts/HEAD/misc/ja3/intel_ja3.zeek -------------------------------------------------------------------------------- /misc/ja3/ja3.zeek: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rocknsm/rock-scripts/HEAD/misc/ja3/ja3.zeek -------------------------------------------------------------------------------- /misc/ja3/ja3s.zeek: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rocknsm/rock-scripts/HEAD/misc/ja3/ja3s.zeek -------------------------------------------------------------------------------- /plugins/afpacket.zeek: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rocknsm/rock-scripts/HEAD/plugins/afpacket.zeek -------------------------------------------------------------------------------- /plugins/community_id.zeek: -------------------------------------------------------------------------------- 1 | @load ./publish-community_id 2 | -------------------------------------------------------------------------------- /plugins/kafka.zeek: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rocknsm/rock-scripts/HEAD/plugins/kafka.zeek -------------------------------------------------------------------------------- /plugins/publish-community_id/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rocknsm/rock-scripts/HEAD/plugins/publish-community_id/README.md -------------------------------------------------------------------------------- /plugins/publish-community_id/__load__.zeek: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rocknsm/rock-scripts/HEAD/plugins/publish-community_id/__load__.zeek -------------------------------------------------------------------------------- /plugins/publish-community_id/connection.zeek: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rocknsm/rock-scripts/HEAD/plugins/publish-community_id/connection.zeek -------------------------------------------------------------------------------- /plugins/publish-community_id/dce_rpc.zeek: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rocknsm/rock-scripts/HEAD/plugins/publish-community_id/dce_rpc.zeek -------------------------------------------------------------------------------- /plugins/publish-community_id/dhcp.zeek: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rocknsm/rock-scripts/HEAD/plugins/publish-community_id/dhcp.zeek -------------------------------------------------------------------------------- /plugins/publish-community_id/dnp3.zeek: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rocknsm/rock-scripts/HEAD/plugins/publish-community_id/dnp3.zeek -------------------------------------------------------------------------------- /plugins/publish-community_id/dns.zeek: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rocknsm/rock-scripts/HEAD/plugins/publish-community_id/dns.zeek -------------------------------------------------------------------------------- /plugins/publish-community_id/ftp.zeek: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rocknsm/rock-scripts/HEAD/plugins/publish-community_id/ftp.zeek -------------------------------------------------------------------------------- /plugins/publish-community_id/http.zeek: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rocknsm/rock-scripts/HEAD/plugins/publish-community_id/http.zeek -------------------------------------------------------------------------------- /plugins/publish-community_id/irc.zeek: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rocknsm/rock-scripts/HEAD/plugins/publish-community_id/irc.zeek -------------------------------------------------------------------------------- /plugins/publish-community_id/krb.zeek: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rocknsm/rock-scripts/HEAD/plugins/publish-community_id/krb.zeek -------------------------------------------------------------------------------- /plugins/publish-community_id/modbus.zeek: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rocknsm/rock-scripts/HEAD/plugins/publish-community_id/modbus.zeek -------------------------------------------------------------------------------- /plugins/publish-community_id/mysql.zeek: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rocknsm/rock-scripts/HEAD/plugins/publish-community_id/mysql.zeek -------------------------------------------------------------------------------- /plugins/publish-community_id/ntlm.zeek: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rocknsm/rock-scripts/HEAD/plugins/publish-community_id/ntlm.zeek -------------------------------------------------------------------------------- /plugins/publish-community_id/ntp.zeek: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rocknsm/rock-scripts/HEAD/plugins/publish-community_id/ntp.zeek -------------------------------------------------------------------------------- /plugins/publish-community_id/radius.zeek: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rocknsm/rock-scripts/HEAD/plugins/publish-community_id/radius.zeek -------------------------------------------------------------------------------- /plugins/publish-community_id/rdp.zeek: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rocknsm/rock-scripts/HEAD/plugins/publish-community_id/rdp.zeek -------------------------------------------------------------------------------- /plugins/publish-community_id/rfb.zeek: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rocknsm/rock-scripts/HEAD/plugins/publish-community_id/rfb.zeek -------------------------------------------------------------------------------- /plugins/publish-community_id/sip.zeek: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rocknsm/rock-scripts/HEAD/plugins/publish-community_id/sip.zeek -------------------------------------------------------------------------------- /plugins/publish-community_id/smb.zeek: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rocknsm/rock-scripts/HEAD/plugins/publish-community_id/smb.zeek -------------------------------------------------------------------------------- /plugins/publish-community_id/smtp.zeek: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rocknsm/rock-scripts/HEAD/plugins/publish-community_id/smtp.zeek -------------------------------------------------------------------------------- /plugins/publish-community_id/snmp.zeek: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rocknsm/rock-scripts/HEAD/plugins/publish-community_id/snmp.zeek -------------------------------------------------------------------------------- /plugins/publish-community_id/socks.zeek: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rocknsm/rock-scripts/HEAD/plugins/publish-community_id/socks.zeek -------------------------------------------------------------------------------- /plugins/publish-community_id/ssh.zeek: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rocknsm/rock-scripts/HEAD/plugins/publish-community_id/ssh.zeek -------------------------------------------------------------------------------- /plugins/publish-community_id/ssl.zeek: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rocknsm/rock-scripts/HEAD/plugins/publish-community_id/ssl.zeek -------------------------------------------------------------------------------- /plugins/publish-community_id/syslog.zeek: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rocknsm/rock-scripts/HEAD/plugins/publish-community_id/syslog.zeek -------------------------------------------------------------------------------- /plugins/publish-community_id/tunnel.zeek: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rocknsm/rock-scripts/HEAD/plugins/publish-community_id/tunnel.zeek -------------------------------------------------------------------------------- /protocols/dns/known_domains.zeek: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rocknsm/rock-scripts/HEAD/protocols/dns/known_domains.zeek -------------------------------------------------------------------------------- /protocols/http/cookie-log.zeek: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rocknsm/rock-scripts/HEAD/protocols/http/cookie-log.zeek -------------------------------------------------------------------------------- /protocols/http/http-body-url-extraction.zeek: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rocknsm/rock-scripts/HEAD/protocols/http/http-body-url-extraction.zeek -------------------------------------------------------------------------------- /protocols/pop3/__load__.zeek: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rocknsm/rock-scripts/HEAD/protocols/pop3/__load__.zeek -------------------------------------------------------------------------------- /protocols/pop3/main.zeek: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rocknsm/rock-scripts/HEAD/protocols/pop3/main.zeek -------------------------------------------------------------------------------- /protocols/smtp/extract_smtp_body.zeek: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rocknsm/rock-scripts/HEAD/protocols/smtp/extract_smtp_body.zeek -------------------------------------------------------------------------------- /protocols/smtp/smtp-url.zeek: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rocknsm/rock-scripts/HEAD/protocols/smtp/smtp-url.zeek -------------------------------------------------------------------------------- /protocols/ssl/dod-ca-list.zeek: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rocknsm/rock-scripts/HEAD/protocols/ssl/dod-ca-list.zeek -------------------------------------------------------------------------------- /protocols/ssl/generate_zeek_dod_ca.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rocknsm/rock-scripts/HEAD/protocols/ssl/generate_zeek_dod_ca.sh -------------------------------------------------------------------------------- /protocols/ssl/new-certs.zeek: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rocknsm/rock-scripts/HEAD/protocols/ssl/new-certs.zeek -------------------------------------------------------------------------------- /protocols/ssl/ssl-add-cert-hash.zeek: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rocknsm/rock-scripts/HEAD/protocols/ssl/ssl-add-cert-hash.zeek -------------------------------------------------------------------------------- /rock.zeek: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rocknsm/rock-scripts/HEAD/rock.zeek -------------------------------------------------------------------------------- /skeleton.zeek: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rocknsm/rock-scripts/HEAD/skeleton.zeek -------------------------------------------------------------------------------- /utils/json.zeek: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rocknsm/rock-scripts/HEAD/utils/json.zeek --------------------------------------------------------------------------------