├── CVE-2019-11479 ├── CVE-2019-11479.rules └── CVE-2019-11479.zeek ├── LICENSE ├── README.md └── Zeek-official-packages ├── 0xxon └── bro-pkg.index ├── README.rst ├── activecm └── bro-pkg.index ├── aggregate.meta ├── anthonykasza └── bro-pkg.index ├── apache └── bro-pkg.index ├── bricata └── bro-pkg.index ├── bro └── bro-pkg.index ├── corelight └── bro-pkg.index ├── dopheide └── bro-pkg.index ├── dovehawk └── bro-pkg.index ├── endace └── bro-pkg.index ├── esnet └── bro-pkg.index ├── fatemabw └── bro-pkg.index ├── hhzzk └── bro-pkg.index ├── hosom └── bro-pkg.index ├── initconf └── bro-pkg.index ├── irtimmer └── bro-pkg.index ├── j-gras └── bro-pkg.index ├── jbaggs └── bro-pkg.index ├── jmellander └── bro-pkg.index ├── joesecurity └── bro-pkg.index ├── jonzeolla └── bro-pkg.index ├── jsiwek └── bro-pkg.index ├── jswaro └── bro-pkg.index ├── klehigh └── bro-pkg.index ├── mitrecnd └── bro-pkg.index ├── ncsa └── bro-pkg.index ├── ntop └── bro-pkg.index ├── pgaulon └── bro-pkg.index ├── reservoirlabs └── bro-pkg.index ├── salesforce └── bro-pkg.index ├── scebro └── bro-pkg.index ├── sethhall └── bro-pkg.index ├── srozb └── bro-pkg.index ├── tenzir └── bro-pkg.index ├── theflakes └── bro-pkg.index └── vitalyrepin └── bro-pkg.index /CVE-2019-11479/CVE-2019-11479.rules: -------------------------------------------------------------------------------- 1 | alert tcp $EXTERNAL_NET any -> $HOME_NET any (flow:stateless; flags:S,12; tcp.mss:<500; sid:1100001; rev:1;) 2 | -------------------------------------------------------------------------------- /CVE-2019-11479/CVE-2019-11479.zeek: -------------------------------------------------------------------------------- 1 | # Version 1.0 (July 2019) 2 | # 3 | # Authors: Zer0d0y@天御攻防实验室 (Zer0d0y@tianyulab.com) 4 | # 5 | # Copyright (c) 2019, 天御攻防实验室. 6 | # All rights reserved. 7 | # Licensed under the MIT license. 8 | # 9 | # 支持Zeek Version > v2.5.x 10 | # 11 | # 致谢:Matt Trostel 12 | 13 | redef record Conn::Info += { 14 | mss: count &optional &log; 15 | sack_ok: bool &optional &log; 16 | }; 17 | 18 | redef record connection += { 19 | mss: count &optional &log; 20 | sack_ok: bool &optional &log; 21 | }; 22 | 23 | event connection_SYN_packet(c: connection, pkt: SYN_packet) { 24 | c$mss = pkt$MSS; 25 | c$sack_ok = pkt$SACK_OK; 26 | } 27 | 28 | event connection_state_remove(c: connection) { 29 | if ( c ?$ mss ) 30 | c$conn$mss = c$mss; 31 | 32 | if (c ?$ sack_ok ) 33 | c$conn$sack_ok = c$sack_ok; 34 | } 35 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2019 天御[攻防]实验室 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Threat Detection Rules (威胁检测规则集),Zeek(Bro) 脚本/包和Suricata/Snort规则 2 | 3 | ## Suricata/Snort SID range 4 | 5 | `` 6 | We use SID 110,0000-119,9999 for our rules. 7 | `` 8 | 9 | ## License 10 | 11 | `` 12 | See LICENSE file 13 | `` 14 | -------------------------------------------------------------------------------- /Zeek-official-packages/0xxon/bro-pkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/0xxon/zeek-sumstats-counttable 2 | https://github.com/0xxon/zeek-postgresql 3 | https://github.com/0xxon/zeek-plugin-roca 4 | -------------------------------------------------------------------------------- /Zeek-official-packages/README.rst: -------------------------------------------------------------------------------- 1 | .. _zeek/packages repository: https://github.com/zeek/packages 2 | .. _Zeek Package Manager: https://github.com/zeek/package-manager 3 | .. _Zeek package: https://docs.zeek.org/projects/package-manager/en/stable/package.html 4 | .. _package index file: https://docs.zeek.org/projects/package-manager/en/stable/source.html#package-index-files 5 | 6 | Zeek Package Source 7 | =================== 8 | 9 | This is the default package source for the `Zeek Package Manager`_. 10 | 11 | Package Submission Process 12 | -------------------------- 13 | 14 | Use the following process to submit packages (please only submit your 15 | own work/packages): 16 | 17 | #. Create a `Zeek package`_. Make sure to set the ``tags`` 18 | and ``description`` metadata fields to help people discover 19 | your package. 20 | #. Host your package's git repository at a public location. 21 | E.g. put it on GitHub. 22 | #. Fork this `zeek/packages repository`_ on GitHub. 23 | #. Create a directory within your fork that with a name that uniquely 24 | identifies you. E.g. if you're hosting packages on GitHub, name 25 | the directory the same as your GitHub username. If you're hosting 26 | it somewhere else, you could use a domain name or organization name 27 | for the directory. 28 | #. Put a `package index file`_ within the directory you just made. 29 | #. Commit/push the changes you made to your fork. 30 | #. Submit a *pull request*. 31 | -------------------------------------------------------------------------------- /Zeek-official-packages/activecm/bro-pkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/activecm/bro-mongodb.git 2 | https://github.com/activecm/bro-rita.git 3 | -------------------------------------------------------------------------------- /Zeek-official-packages/aggregate.meta: -------------------------------------------------------------------------------- 1 | [0xxon/zeek-sumstats-counttable] 2 | description = Two-dimensional buckets for sumstats (count occurences per $str). 3 | tags = sumstats, summary statistics 4 | test_command = cd tests && btest -d 5 | url = https://github.com/0xxon/zeek-sumstats-counttable 6 | version = 0.0.3 7 | 8 | [0xxon/zeek-postgresql] 9 | build_command = ( ./configure --bro-dist=%(bro_dist)s --with-postgresql-inc=`pg_config --includedir` --with-postgresql-server-inc=`pg_config --includedir-server` --with-postgresql-lib=`pg_config --libdir` && make ) 10 | description = A PostgreSQL reader and writer for Bro. 11 | plugin_dir = build 12 | tags = bro plugin, PostgreSQL, reader, writer, input 13 | test_command = cd tests && btest -d 14 | version = 0.0.6 15 | url = https://github.com/0xxon/zeek-postgresql 16 | 17 | [0xxon/zeek-plugin-roca] 18 | build_command = ( ./configure --bro-dist=%(bro_dist)s && make ) 19 | description = Identify certificates potentially affected by CVE-2017-15361 20 | plugin_dir = build/Johanna_ROCA.tgz 21 | tags = certificates, CVE-2017-15361 22 | test_command = cd tests && btest -d 23 | url = https://github.com/0xxon/zeek-plugin-roca 24 | version = 0.0.1 25 | 26 | [activecm/bro-mongodb.git] 27 | build_command = (./configure --bro-dist=%(bro_dist)s && make) 28 | description = Bro IDS/ MongoDB connector. 29 | tags = bro plugin, MongoDB, writer, security, conn, logging, rita 30 | version = master 31 | url = https://github.com/activecm/bro-mongodb.git 32 | 33 | [activecm/bro-rita.git] 34 | build_command = (./configure --bro-dist=%(bro_dist)s && make) 35 | description = RITA, Bro IDS connector. 36 | tags = bro plugin, MongoDB, writer, security, conn, logging, rita 37 | version = master 38 | url = https://github.com/activecm/bro-rita.git 39 | 40 | [anthonykasza/indicator-rules] 41 | depemds = 42 | bro >= 2.6 43 | description = An extension to the Intel Framework. This package faciliates the creation of rules which Zeek can monitor for. 44 | script_dir = scripts 45 | tags = intel, signature, indicators, pure-script 46 | version = master 47 | url = https://github.com/anthonykasza/indicator-rules 48 | 49 | [apache/metron-bro-plugin-kafka] 50 | build_command = ./configure --bro-dist=%(bro_dist)s --with-librdkafka=%(LIBRDKAFKA_ROOT)s && make 51 | config_files = scripts/init.bro 52 | depends = 53 | bro >=2.5.0 54 | bro-pkg >=1.2 55 | description = A Bro log writer plugin that sends logging output to Kafka. 56 | external_depends = 57 | librdkafka ~0.9.4 58 | plugin_dir = build 59 | script_dir = build/scripts/Apache/Kafka 60 | tags = log writer, bro plugin, kafka 61 | test_command = ( cd tests && btest -d ) 62 | user_vars = 63 | LIBRDKAFKA_ROOT [/usr/local/lib] "Path to librdkafka installation tree" 64 | version = 0.2 65 | url = https://github.com/apache/metron-bro-plugin-kafka 66 | 67 | [bricata/flow_labels] 68 | description = Provides mechanisms for managing and using institutional knowledge about a monitored environment to make informed observations of normal and abnormal network activity. 69 | tags = input, labels 70 | url = https://github.com/bricata/flow_labels 71 | version = master 72 | 73 | [bro/bro-netmap] 74 | build_command = ( ./configure --bro-dist=%(bro_dist)s && make ) 75 | description = Packet source plugin that provides native Netmap support. 76 | plugin_dir = build 77 | tags = packet source, plugin, netmap 78 | test_command = ( cd tests && btest -d ) 79 | url = https://github.com/bro/bro-netmap 80 | version = master 81 | 82 | [corelight/bro-long-connections] 83 | description = Find and log long-lived connections into a "conn_long" log. 84 | script_dir = scripts 85 | tags = conn 86 | version = master 87 | url = https://github.com/corelight/bro-long-connections 88 | 89 | [corelight/bro-xor-exe-plugin] 90 | build_command = ( ./configure --bro-dist=%(bro_dist)s && make ) 91 | description = A plugin to find Windows executables that have been XOR encoded. 92 | plugin_dir = build 93 | tags = plugin, pe, executable, malware 94 | test_command = ( cd tests && btest -d ) 95 | url = https://github.com/corelight/bro-xor-exe-plugin 96 | version = master 97 | 98 | [corelight/bro-hardware] 99 | description = Scripts for cases where hardware device identifiers are discovered. 100 | script_dir = scripts 101 | tags = hardware 102 | version = master 103 | url = https://github.com/corelight/bro-hardware 104 | 105 | [corelight/bro-drwatson] 106 | depends = 107 | https://github.com/corelight/bro-hardware * 108 | description = Discover and log information discovered in Microsoft DrWatson messages. 109 | script_dir = scripts 110 | tags = drwatson, http, windows 111 | test_command = ( cd tests && btest -d ) 112 | url = https://github.com/corelight/bro-drwatson 113 | version = master 114 | 115 | [corelight/bro-shellshock] 116 | description = Discover successful ShellShock attacks. 117 | script_dir = scripts 118 | tags = shellshock, detect, scripts 119 | test_command = ( cd tests && btest -d ) 120 | url = https://github.com/corelight/bro-shellshock 121 | version = master 122 | 123 | [corelight/conn-burst] 124 | description = Identify bursty connections (large and fast) 125 | script_dir = scripts 126 | tags = conn, burst 127 | url = https://github.com/corelight/conn-burst 128 | version = master 129 | 130 | [corelight/log-add-http-post-bodies] 131 | description = Add a POST body excerpt into the HTTP log 132 | script_dir = scripts 133 | tags = http log extend 134 | version = master 135 | url = https://github.com/corelight/log-add-http-post-bodies 136 | 137 | [corelight/log-add-vlan-everywhere] 138 | description = Add VLAN to all Bro logs. 139 | script_dir = scripts 140 | tags = log extend vlan 141 | version = master 142 | url = https://github.com/corelight/log-add-vlan-everywhere 143 | 144 | [corelight/top-dns] 145 | depends = 146 | bro/sethhall/domain-tld * 147 | description = Log the top DNS queries being requested. 148 | script_dir = scripts 149 | tags = dns, sumstats, log, measurement, top 150 | url = https://github.com/corelight/top-dns 151 | version = master 152 | 153 | [corelight/bro-community-id] 154 | build_command = ./configure --bro-dist=%(bro_dist)s && make 155 | description = "Community ID" flow hash support in conn.log 156 | script_dir = scripts/Corelight/CommunityID 157 | tags = bro plugin, conn, logging, community id, flow hashing, flow id, sha1, corelight 158 | test_command = cd tests && btest -d community-id 159 | url = https://github.com/corelight/bro-community-id 160 | version = 1.0 161 | 162 | [corelight/json-streaming-logs] 163 | description = JSON streaming logs 164 | script_dir = scripts 165 | tags = logs, json, streaming, stream, filebeat, splunk_forwarder, logstash 166 | url = https://github.com/corelight/json-streaming-logs 167 | version = master 168 | 169 | [corelight/http-stalling-detector] 170 | description = Detect HTTP stalling attacks like slowloris. 171 | script_dir = scripts 172 | tags = http, DoS, attack, notice 173 | url = https://github.com/corelight/http-stalling-detector 174 | version = master 175 | 176 | [corelight/bro-quic] 177 | build_command = test -e %(bro_dist)s/bro-path-dev.in && ( ./configure --bro-dist=%(bro_dist)s && make ) || ( ./configure && make ) 178 | description = Detects the Google QUIC (GQUIC) protocol and adds "gquic" 179 | to conn.log's "service" field. 180 | plugin_dir = build/Corelight_GQUIC.tgz 181 | script_dir = build/scripts/Corelight/GQUIC 182 | tags = plugin, analyzer, gquic, quic 183 | url = https://github.com/corelight/bro-quic 184 | version = v0.2 185 | 186 | [dopheide/bro_notice_correlation] 187 | description = Adds support for multi-notice correlation. For more information, see http://blog.samoehlert.com/correlating-bro-notices or the talk from BroCon 2016. 188 | script_dir = scripts 189 | tags = notices, notice, correlation 190 | version = master 191 | url = https://github.com/dopheide/bro_notice_correlation 192 | 193 | [dopheide/venom] 194 | description = Attempts to detect an attacker calling to the VENOM Linux Rootkit https://security.web.cern.ch/security/venom.shtml 195 | script_dir = scripts 196 | tags = Venom, venom, VENOM, rootkit 197 | version = master 198 | url = https://github.com/dopheide/venom 199 | 200 | [dopheide/bro-quic] 201 | build_command = ( ./configure --bro-dist=%(bro_dist)s && make ) 202 | description = Attempt to identify QUIC protocol 203 | plugin_dir = build/Bro_QUIC.tgz 204 | tags = plugin, analyzer, quic 205 | url = https://github.com/dopheide-esnet/bro-quic 206 | version = 0.1 207 | 208 | [dovehawk/dovehawk] 209 | description = MISP+Bro. Dovehawk is a Bro Module to import MISP indicators to the Intel Framework automatically and report sightings directly back to MISP as they happen. 210 | script_dir = . 211 | tags = intel, MISP, sightings, signatures 212 | version = master 213 | url = https://github.com/tylabs/dovehawk 214 | 215 | [endace/bro-dag] 216 | build_command = ( ./configure --bro-dist=%(bro_dist)s && make ) 217 | description = Packet source plugin that provides native support for Endace DAG capture cards. 218 | plugin_dir = build 219 | tags = packet source, plugin, broctl plugin, dag, endace 220 | test_command = ( cd tests && btest -d ) 221 | url = https://github.com/endace/bro-dag 222 | version = v0.3.0 223 | 224 | [esnet/zeek_perfsonar_owamp] 225 | build_command = ( ./configure --bro-dist=%(bro_dist)s && make ) 226 | plugin_dir = build/PerfSONAR_OWAMP.tgz 227 | tags = plugin, analyzer, owamp, perfsonar 228 | test_command = cd tests && btest 229 | url = https://github.com/esnet/zeek_perfsonar_owamp 230 | version = master 231 | 232 | [fatemabw/bro-inventory-scripts] 233 | description = Find different type of OSes and AV software in your network traffic. 234 | script_dir = scripts 235 | tags = OS detection, Anti-Virus 236 | version = master 237 | url = https://github.com/fatemabw/bro-inventory-scripts 238 | 239 | [hhzzk/dns-tunnels] 240 | description = Detect DNS Tunnels attack. 241 | script_dir = scripts 242 | tags = DNS, DNS Tunnels, DNS Tunneling 243 | version = master 244 | url = https://github.com/hhzzk/dns-tunnels 245 | 246 | [hosom/file-extraction] 247 | config_files = scripts/config.bro 248 | depends = 249 | bro >=2.5.0 250 | description = Extract files from network traffic with Bro. 251 | script_dir = scripts 252 | tags = files, file extraction, file analysis 253 | version = master 254 | url = https://github.com/hosom/file-extraction 255 | 256 | [hosom/log-filters] 257 | config_files = scripts/config.bro 258 | depends = 259 | bro >=2.5.0 260 | description = Implement common log filters. 261 | script_dir = scripts 262 | tags = logging, log framework 263 | version = master 264 | url = https://github.com/hosom/log-filters 265 | 266 | [hosom/bro-napatech] 267 | build_command = (./configure --bro-dist=%(bro_dist)s && make) 268 | depends = 269 | bro-pkg >=1.2 270 | bro >=2.5.0 271 | description = Packet source plugin that provides native support for NTAPI 272 | plugin_dir = build/Bro_Napatech.tgz 273 | tags = packet source, plugin, napatech, ntapi 274 | url = https://github.com/hosom/bro-napatech 275 | version = 0.1.0 276 | 277 | [hosom/bro-oui] 278 | depends = 279 | bro >=2.5.5 280 | description = Add OUI lookup to Bro. 281 | script_dir = scripts 282 | tags = oui, mac, dhcp 283 | version = 1.0.3 284 | url = https://github.com/hosom/bro-oui 285 | 286 | [hosom/bro-ja3] 287 | depends = 288 | bro >=2.6.0 289 | description = Generate and log ja3 ssl fingerprints 290 | script_dir = scripts 291 | tags = ja3, ssl, intel 292 | test_command = cd tests && btest -d btests 293 | version = 1.0.4 294 | url = https://github.com/hosom/bro-ja3 295 | 296 | [hosom/dummy-connections] 297 | depends = 298 | bro >=2.6.0 299 | description = Create dummy connection records. 300 | script_dir = scripts 301 | tags = connection 302 | version = 1.0.0 303 | url = https://github.com/hosom/dummy-connections 304 | 305 | [initconf/scan-NG] 306 | description = scan detection in 2.x world. Forward porting of bro-1.5.3 scan.bro accompanied with new heuristics and quicker detections 307 | script_dir = scripts 308 | tags = scan detection 309 | version = master 310 | url = https://github.com/initconf/scan-NG 311 | 312 | [initconf/CVE-2017-5638_struts] 313 | description = package to detect CVE-2017-5638 struts attack 314 | script_dir = scripts 315 | tags = CVE-2017-5638, struts 316 | version = master 317 | url = https://github.com/initconf/CVE-2017-5638_struts 318 | 319 | [initconf/phish-analysis] 320 | description = Suite of smtp related policies includes extracting and logging URLs from emails and various smtp anomaly detection heuristics to help flag phishing emails 321 | script_dir = scripts 322 | tags = smtp, phish, urls, emails 323 | test_command = ( cd tests && btest -d ) 324 | version = master 325 | url = https://github.com/initconf/phish-analysis 326 | 327 | [initconf/smtp-url-analysis] 328 | description = Suite of smtp related policies includes extracting and logging URLs from emails and various smtp anomaly detection heuristics to help flag phishing emails 329 | script_dir = scripts 330 | tags = smtp, phish, urls, emails 331 | test_command = ( cd tests && btest -d ) 332 | version = master 333 | url = https://github.com/initconf/smtp-url-analysis 334 | 335 | [initconf/blacklist] 336 | description = package to manage blacklisted IP address ysing bro 337 | script_dir = scripts 338 | tags = blacklist 339 | version = master 340 | url = https://github.com/initconf/blacklist 341 | 342 | [initconf/vnc-scanner] 343 | description = Simple policy to detect VNC (RFB) scanners based on src->dst connection counts 344 | script_dir = scripts 345 | tags = rfb, vnc, osx high sierra 346 | test_command = ( cd tests && btest -d ) 347 | version = master 348 | url = https://github.com/initconf/vnc-scanner 349 | 350 | [initconf/ftp-bruteforce] 351 | description = ftp-bruteforce 352 | script_dir = scripts 353 | tags = ftp, bruteforce, scan 354 | test_command = ( cd tests && btest -d ) 355 | version = master 356 | url = https://github.com/initconf/ftp-bruteforce 357 | 358 | [initconf/detect-kaspersky] 359 | description = kaspersky 360 | script_dir = scripts 361 | tags = kaspersky antivirus 362 | test_command = ( cd tests && btest -d ) 363 | version = master 364 | url = https://github.com/initconf/detect-kaspersky 365 | 366 | [irtimmer/bro-xdp_packet-plugin] 367 | build_command = ./configure --bro-dist=%(bro_dist)s && make 368 | depends = 369 | bro-pkg >=1.2 370 | bro >=2.5.0 371 | description = This plugin provides native AF_XDP support for Bro. 372 | plugin_dir = build/itimmer_af_xdp.tgz 373 | tags = bro plugin, packet source, af_xdp 374 | test_command = cd tests && btest -d 375 | url = https://github.com/irtimmer/bro-xdp_packet-plugin 376 | version = master 377 | 378 | [j-gras/intel-extensions] 379 | description = Extensions for Bro's intelligence framework. 380 | script_dir = scripts 381 | tags = intel, expiration, removal, preserve files 382 | url = https://github.com/J-Gras/intel-extensions 383 | version = v0.3.0 384 | 385 | [j-gras/add-json] 386 | description = Additional JSON-logging for Bro. 387 | script_dir = scripts 388 | tags = log, logging, JSON 389 | url = https://github.com/J-Gras/add-json 390 | version = 1.1.0 391 | 392 | [j-gras/add-node-names] 393 | depends = 394 | bro >=2.5 395 | description = Adds cluster node name to logs. 396 | script_dir = scripts 397 | tags = log, logging, conn, add node name, add worker 398 | url = https://github.com/J-Gras/add-node-names 399 | version = master 400 | 401 | [j-gras/intel-seen-more] 402 | description = Additional seen-triggers for Bro's intelligence framework. 403 | script_dir = scripts 404 | suggests = 405 | bro/sethhall/domain-tld * 406 | tags = intel, seen 407 | url = https://github.com/J-Gras/intel-seen-more 408 | version = 0.3.0 409 | 410 | [j-gras/bro-af_packet-plugin] 411 | build_command = ./configure && make 412 | depends = 413 | bro-pkg >=1.2 414 | bro >=2.5.0 415 | description = This plugin provides native AF_Packet support for Bro. 416 | plugin_dir = build/Bro_AF_Packet.tgz 417 | tags = bro plugin, broctl plugin, packet source, af_packet 418 | test_command = cd tests && btest -d 419 | url = https://github.com/J-Gras/bro-af_packet-plugin 420 | version = 1.4.0 421 | 422 | [j-gras/bro-lognorm] 423 | build_command = ./configure --bro-dist=%(bro_dist)s && make 424 | depends = 425 | bro >=2.5.0 426 | description = This plugin provides liblognorm integration for Bro. 427 | plugin_dir = build 428 | tags = bro plugin, liblognorm, syslog 429 | test_command = cd tests && btest -d 430 | url = https://github.com/J-Gras/bro-lognorm 431 | version = 0.3.0 432 | 433 | [j-gras/bro-fuzzy-hashing] 434 | build_command = ./configure --bro-dist=%(bro_dist)s && make 435 | depends = 436 | bro >=2.5.0 437 | description = This plugin provides fuzzy hashing for Bro. 438 | plugin_dir = build/JGras_FuzzyHashing.tgz 439 | tags = bro plugin 440 | test_command = cd tests && btest -d 441 | url = https://github.com/J-Gras/bro-fuzzy-hashing 442 | version = 0.3.0 443 | 444 | [jbaggs/anomalous-dns] 445 | depends = https://github.com/sethhall/domain-tld * 446 | description = A module for tracking and correlating abnormal DNS behavior. Detection of tunneling and C&C through connection duration and volume, request and answer size, DNS request type, and unique queries per domain. 447 | tags = bro scripting, dns, domain, notices 448 | version = master 449 | url = https://github.com/jbaggs/anomalous-dns 450 | 451 | [jmellander/BinaryHeap] 452 | description = Binary Heap Implementation 453 | script_dir = scripts 454 | tags = zeek, zeek.org, BinaryHeap 455 | url = https://github.com/jmellander/BinaryHeap 456 | version = master 457 | 458 | [joesecurity/Joe-Sandbox-Bro] 459 | description = JoeSandbox-Bro extracts files from your internet connection 460 | and analyzes them automatically on Joe Sandbox. Combined with Joe Sandbox's 461 | reporting and alerting features you can build a powerful IDS. 462 | script_dir = scripts 463 | tags = file analysis, sandbox, malware, virus 464 | url = https://github.com/joesecurity/Joe-Sandbox-Bro 465 | version = master 466 | 467 | [jonzeolla/scan-sampling] 468 | description = Modified version of scan.bro to add destination IP sampling. 469 | script_dir = scripts 470 | tags = sumstats 471 | url = https://github.com/JonZeolla/scan-sampling 472 | version = 0.1.0 473 | 474 | [jsiwek/bro-test-package] 475 | aliases = zeek-test-package bro-test-package 476 | build_command = cd plugin && ./configure && make 477 | description = An example Zeek package for testing purposes. 478 | plugin_dir = plugin/build 479 | script_dir = plugin/scripts/Demo/Rot13 480 | tags = example, test, bro plugin, broctl plugin, rot13, cipher 481 | test_command = cd testing && btest -d tests 482 | url = https://github.com/jsiwek/bro-test-package 483 | version = 1.0.6 484 | 485 | [jsiwek/bro_bitcoin] 486 | description = Detects Bitcoin, Litecoin, or other cryptocurrency 487 | mining traffic that uses getwork, getblocktemplate, or Stratum mining 488 | protocols over TCP or HTTP. 489 | tags = signatures, bitcoin, mining, cryptocurrency 490 | url = https://github.com/jsiwek/bro_bitcoin 491 | version = master 492 | 493 | [jswaro/tcprs] 494 | build_command = ( ./configure --bro-dist=%(bro_dist)s && make ) 495 | description = TCP Retransmission and State Analyzer plugin for Bro. 496 | plugin_dir = build 497 | script_dir = scripts 498 | tags = bro plugin, TCP, retransmission, connection state, conn, input reader, protocol analyzer 499 | test_command = cd tests btest -d tcprs 500 | url = https://github.com/jswaro/tcprs 501 | version = 0.2.1 502 | 503 | [klehigh/find_smbv1] 504 | depends = 505 | bro >=2.5.0 506 | description = find SMBv1 activity 507 | script_dir = scripts 508 | tags = smb, logging 509 | url = https://github.com/klehigh/find_smbv1 510 | version = 1.0.0 511 | 512 | [mitrecnd/bro-http2] 513 | build_command = ./configure --bro-dist=%(bro_dist)s && make 514 | depends = 515 | bro >=2.5.0 516 | description = A HTTP2 protocol analyzer for the Bro IDS. 517 | external_depends = 518 | libnghttp2>=1.11.0 519 | libbrotlidec>=1.0.0 520 | script_dir = scripts 521 | tags = bro plugin, protocol analyzer, http2, intel 522 | test_command = make test 523 | url = https://github.com/MITRECND/bro-http2 524 | version = 0.4.1 525 | 526 | [ncsa/bro-interface-setup] 527 | description = A broctl plugin that helps you setup capture interfaces 528 | plugin_dir = . 529 | tags = bro plugin, interface, mtu 530 | url = https://github.com/ncsa/bro-interface-setup 531 | version = master 532 | 533 | [ncsa/bro-doctor] 534 | description = A broctl plugin that helps you troubleshoot common problems 535 | For cluster-related checks, the package "add-node-names" is recommended. 536 | plugin_dir = . 537 | suggests = 538 | bro/j-gras/add-node-names * 539 | tags = broctl plugin, troubleshoot 540 | url = https://github.com/ncsa/bro-doctor 541 | version = 1.21.4 542 | 543 | [ncsa/bro-is-darknet] 544 | description = This plugin adds a Site::is_darknet function. 545 | This is useful for scripts that track scan attempts or other probes. 546 | It can handle purely dark address space as well as honeynet space. 547 | script_dir = scripts 548 | tags = bro plugin, site, darknet 549 | test_command = (cd testing && btest -d) 550 | url = https://github.com/ncsa/bro-is-darknet 551 | version = 0.5 552 | 553 | [ncsa/bro-simple-scan] 554 | depends = 555 | bro >=2.5.1 556 | bro/ncsa/bro-is-darknet >=0.3 557 | description = Simple, high performance tcp scan detection 558 | script_dir = scripts 559 | tags = bro plugin, scan detection 560 | test_command = (cd testing && btest -d) 561 | url = https://github.com/ncsa/bro-simple-scan 562 | version = 1.1 563 | 564 | [ncsa/bro-zeromq-writer] 565 | build_command = ./configure --bro-dist=%(bro_dist)s --with-zmq=%(ZEROMQ_PREFIX)s && make 566 | description = ZeroMQ log writer. 567 | external_depends = 568 | zeromq >=3.2.0 569 | script_dir = scripts/NCSA/ZeroMQWriter 570 | tags = bro plugin, log writer, zeromq, zmq, 0mq, json 571 | test_command = make test 572 | user_vars = 573 | ZEROMQ_PREFIX [/usr/local] "ZeroMQ install prefix" 574 | url = https://github.com/ncsa/bro-zeromq-writer 575 | version = master 576 | 577 | [ntop/bro-pf_ring] 578 | build_command = ( ./configure --bro-dist=%(bro_dist)s && make ) 579 | description = Packet source plugin that provides native PF_RING support. 580 | plugin_dir = build 581 | script_dir = scripts 582 | tags = packet source, plugin, pf_ring 583 | test_command = ( cd tests && btest -d ) 584 | url = https://github.com/ntop/bro-pf_ring 585 | version = master 586 | 587 | [pgaulon/bro-notice-slack] 588 | description = Bro Notices through Slack webhook 589 | tags = bro plugin, notices, slack webhook 590 | url = https://github.com/pgaulon/bro-notice-slack 591 | version = 1.0.0 592 | 593 | [reservoirlabs/fix-ascii] 594 | build_command = ./configure --bro-dist=%(bro_dist)s && make 595 | description = ASCII FIX analyzer package 596 | script_dir = scripts/RLABS/FIX/ 597 | tags = bro plugin, bro analyzer, ASCII FIX protocol analyzer 598 | url = https://github.com/reservoirlabs/fix-ascii 599 | version = master 600 | 601 | [reservoirlabs/fix-binary] 602 | build_command = ./configure --bro-dist=%(bro_dist)s && make 603 | description = binary FIX analyzer package 604 | script_dir = scripts/RLABS/FIX_SBE 605 | tags = bro plugin, bro analyzer, binary FIX protocol analyzer 606 | url = https://github.com/reservoirlabs/fix-binary 607 | version = master 608 | 609 | [salesforce/ja3] 610 | description = JA3 creates 32 character SSL client fingerprints and logs them as a field in ssl.log. These fingerprints can easily be shared as threat intelligence or used as correlation items for enhanced alerting and analysis. This package also adds JA3 to the Bro Intel Framework. 611 | https://github.com/salesforce/ja3 612 | script_dir = bro 613 | tags = intel, ssl, logging 614 | version = master 615 | url = https://github.com/salesforce/ja3 616 | 617 | [salesforce/hassh] 618 | description = HASSH is used to identify specific Client and Server SSH implementations. The fingerprints can be stored, searched and shared in the form of an MD5 fingerprint. This package logs components to ssh.log 619 | script_dir = bro 620 | tags = bro plugin, ssh, fingerprint, logging 621 | version = master 622 | url = https://github.com/salesforce/hassh 623 | 624 | [salesforce/bro-sysmon] 625 | description = Zeek-Sysmon contains a python script that will read in a file, parse JSON Windows Event Logs, generate Zeek events, and forward them to Zeek. Default Zeek-Sysmon scripts log output to files. 626 | script_dir = bro 627 | tags = broker, Windows, Event Logs, Sysmon, logging 628 | version = master 629 | url = https://github.com/salesforce/bro-sysmon 630 | 631 | [scebro/ldap-analyzer] 632 | build_command = ./configure --bro-dist=%(bro_dist)s && make 633 | description = LDAP write operations analyzer for Bro. 634 | plugin_dir = build 635 | scripts_dir = scripts 636 | tags = bro plugin, ldap analyzer, ldap 637 | test_command = cd tests && btest -d 638 | version = master 639 | url = https://github.com/SoftwareConsultingEmporium/ldap-analyzer 640 | 641 | [sethhall/credit-card-exposure] 642 | description = Detect credit card numbers in HTTP and SMTP with Bro. 643 | script_dir = scripts 644 | tags = credit cards, dlp, http, smtp, files 645 | test_command = ( cd tests && btest -d ) 646 | version = master 647 | url = https://github.com/sethhall/credit-card-exposure 648 | 649 | [sethhall/ssn-exposure] 650 | description = Detect US Social Security numbers in HTTP and SMTP with Bro. 651 | script_dir = scripts 652 | tags = ssn, social security number, dlp, files 653 | version = master 654 | url = https://github.com/sethhall/ssn-exposure 655 | 656 | [sethhall/domain-tld] 657 | description = A library for getting the "effective tld" of a domain name. 658 | script_dir = scripts 659 | tags = library, domain 660 | version = master 661 | url = https://github.com/sethhall/domain-tld 662 | 663 | [sethhall/bro-myricom] 664 | build_command = ( ./configure --bro-dist=%(bro_dist)s && make ) 665 | depends = 666 | bro-pkg >=1.2 667 | description = Packet source plugin that provides native Myricom SNF v3+v4 support. 668 | plugin_dir = build/Bro_Myricom.tgz 669 | script_dir = scripts.not_used 670 | tags = packet source, plugin, myricom 671 | test_command = ( cd tests && btest -d ) 672 | url = https://github.com/sethhall/bro-myricom 673 | version = 1.0.4 674 | 675 | [sethhall/unknown-mime-type-discovery] 676 | description = A Bro package for finding new file signatures. 677 | script_dir = scripts 678 | tags = files, signature 679 | url = https://github.com/sethhall/unknown-mime-type-discovery 680 | version = master 681 | 682 | [srozb/dns_axfr] 683 | description = Find and notice DNS zone transfer attempts. 684 | script_dir = scripts 685 | tags = dns recon 686 | version = master 687 | url = https://github.com/srozb/dns_axfr 688 | 689 | [srozb/http_csp] 690 | description = HTTP Content-Security-Policy report parser 691 | script_dir = scripts 692 | tags = CSP intel 693 | url = https://github.com/srozb/http_csp 694 | version = 1.0.0 695 | 696 | [theflakes/bro-large_uploads] 697 | description = Raise notices on outgoing files over X bytes in size. 698 | Also raise notices for multiple large outgoing Tx's in Y time frame. 699 | tags = notices, uploads, conns 700 | url = https://github.com/theflakes/bro-large_uploads 701 | version = master 702 | 703 | [vitalyrepin/uap-bro] 704 | build_command = ./configure --bro-dist=%(bro_dist)s && make 705 | config_files = build/scripts/init.bro 706 | depends = 707 | bro >=2.5.0 708 | bro-pkg >=1.2 709 | description = User Agent Parser - Bro implementation based on uap-core 710 | external_depends = 711 | libyaml-cpp-dev ~0.5.2 712 | libboost-regex-dev ~1.58.0 713 | plugin_dir = build 714 | script_dir = build/scripts/VR/UAP 715 | tags = bro plugin, uap, user_agent 716 | test_command = ( cd tests && btest -d ) 717 | version = master 718 | url = https://github.com/vitalyrepin/uap-bro 719 | 720 | -------------------------------------------------------------------------------- /Zeek-official-packages/anthonykasza/bro-pkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/anthonykasza/indicator-rules 2 | -------------------------------------------------------------------------------- /Zeek-official-packages/apache/bro-pkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/apache/metron-bro-plugin-kafka 2 | -------------------------------------------------------------------------------- /Zeek-official-packages/bricata/bro-pkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/bricata/flow_labels 2 | -------------------------------------------------------------------------------- /Zeek-official-packages/bro/bro-pkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/bro/bro-netmap 2 | -------------------------------------------------------------------------------- /Zeek-official-packages/corelight/bro-pkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/corelight/bro-long-connections 2 | https://github.com/corelight/bro-xor-exe-plugin 3 | https://github.com/corelight/bro-hardware 4 | https://github.com/corelight/bro-drwatson 5 | https://github.com/corelight/bro-shellshock 6 | https://github.com/corelight/conn-burst 7 | https://github.com/corelight/log-add-http-post-bodies 8 | https://github.com/corelight/log-add-vlan-everywhere 9 | https://github.com/corelight/top-dns 10 | https://github.com/corelight/bro-community-id 11 | https://github.com/corelight/json-streaming-logs 12 | https://github.com/corelight/http-stalling-detector 13 | https://github.com/corelight/bro-quic 14 | -------------------------------------------------------------------------------- /Zeek-official-packages/dopheide/bro-pkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/dopheide/bro_notice_correlation 2 | https://github.com/dopheide/venom 3 | https://github.com/dopheide-esnet/bro-quic 4 | -------------------------------------------------------------------------------- /Zeek-official-packages/dovehawk/bro-pkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/tylabs/dovehawk 2 | -------------------------------------------------------------------------------- /Zeek-official-packages/endace/bro-pkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/endace/bro-dag 2 | -------------------------------------------------------------------------------- /Zeek-official-packages/esnet/bro-pkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/esnet/zeek_perfsonar_owamp 2 | -------------------------------------------------------------------------------- /Zeek-official-packages/fatemabw/bro-pkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/fatemabw/bro-inventory-scripts 2 | -------------------------------------------------------------------------------- /Zeek-official-packages/hhzzk/bro-pkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/hhzzk/dns-tunnels 2 | -------------------------------------------------------------------------------- /Zeek-official-packages/hosom/bro-pkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/hosom/file-extraction 2 | https://github.com/hosom/log-filters 3 | https://github.com/hosom/bro-napatech 4 | https://github.com/hosom/bro-oui 5 | https://github.com/hosom/bro-ja3 6 | https://github.com/hosom/dummy-connections 7 | -------------------------------------------------------------------------------- /Zeek-official-packages/initconf/bro-pkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/initconf/scan-NG 2 | https://github.com/initconf/CVE-2017-5638_struts 3 | https://github.com/initconf/phish-analysis 4 | https://github.com/initconf/smtp-url-analysis 5 | https://github.com/initconf/blacklist 6 | https://github.com/initconf/vnc-scanner 7 | https://github.com/initconf/ftp-bruteforce 8 | https://github.com/initconf/detect-kaspersky 9 | -------------------------------------------------------------------------------- /Zeek-official-packages/irtimmer/bro-pkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/irtimmer/bro-xdp_packet-plugin 2 | -------------------------------------------------------------------------------- /Zeek-official-packages/j-gras/bro-pkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/J-Gras/add-json 2 | https://github.com/J-Gras/add-node-names 3 | https://github.com/J-Gras/add-interfaces 4 | https://github.com/J-Gras/intel-extensions 5 | https://github.com/J-Gras/intel-seen-more 6 | https://github.com/J-Gras/intel-expire 7 | https://github.com/J-Gras/bro-af_packet-plugin 8 | https://github.com/J-Gras/bro-lognorm 9 | https://github.com/J-Gras/bro-fuzzy-hashing 10 | -------------------------------------------------------------------------------- /Zeek-official-packages/jbaggs/bro-pkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/jbaggs/anomalous-dns 2 | -------------------------------------------------------------------------------- /Zeek-official-packages/jmellander/bro-pkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/jmellander/BinaryHeap 2 | -------------------------------------------------------------------------------- /Zeek-official-packages/joesecurity/bro-pkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/joesecurity/Joe-Sandbox-Bro 2 | -------------------------------------------------------------------------------- /Zeek-official-packages/jonzeolla/bro-pkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/JonZeolla/scan-sampling 2 | -------------------------------------------------------------------------------- /Zeek-official-packages/jsiwek/bro-pkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/jsiwek/bro-test-package 2 | https://github.com/jsiwek/bro_bitcoin 3 | -------------------------------------------------------------------------------- /Zeek-official-packages/jswaro/bro-pkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/jswaro/tcprs 2 | -------------------------------------------------------------------------------- /Zeek-official-packages/klehigh/bro-pkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/klehigh/find_smbv1 2 | -------------------------------------------------------------------------------- /Zeek-official-packages/mitrecnd/bro-pkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/MITRECND/bro-http2 2 | -------------------------------------------------------------------------------- /Zeek-official-packages/ncsa/bro-pkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/ncsa/bro-interface-setup 2 | https://github.com/ncsa/bro-doctor 3 | https://github.com/ncsa/bro-is-darknet 4 | https://github.com/ncsa/bro-simple-scan 5 | https://github.com/ncsa/bro-zeromq-writer 6 | -------------------------------------------------------------------------------- /Zeek-official-packages/ntop/bro-pkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/ntop/bro-pf_ring -------------------------------------------------------------------------------- /Zeek-official-packages/pgaulon/bro-pkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/pgaulon/bro-notice-slack 2 | -------------------------------------------------------------------------------- /Zeek-official-packages/reservoirlabs/bro-pkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/reservoirlabs/fix-ascii 2 | https://github.com/reservoirlabs/fix-binary 3 | -------------------------------------------------------------------------------- /Zeek-official-packages/salesforce/bro-pkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/salesforce/ja3 2 | https://github.com/salesforce/hassh 3 | https://github.com/salesforce/bro-sysmon 4 | -------------------------------------------------------------------------------- /Zeek-official-packages/scebro/bro-pkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/SoftwareConsultingEmporium/ldap-analyzer 2 | -------------------------------------------------------------------------------- /Zeek-official-packages/sethhall/bro-pkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/sethhall/credit-card-exposure 2 | https://github.com/sethhall/ssn-exposure 3 | https://github.com/sethhall/domain-tld 4 | https://github.com/sethhall/bro-myricom 5 | https://github.com/sethhall/unknown-mime-type-discovery 6 | -------------------------------------------------------------------------------- /Zeek-official-packages/srozb/bro-pkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/srozb/dns_axfr 2 | https://github.com/srozb/http_csp 3 | -------------------------------------------------------------------------------- /Zeek-official-packages/tenzir/bro-pkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/tenzir/zeek-vast 2 | -------------------------------------------------------------------------------- /Zeek-official-packages/theflakes/bro-pkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/theflakes/bro-large_uploads 2 | -------------------------------------------------------------------------------- /Zeek-official-packages/vitalyrepin/bro-pkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/vitalyrepin/uap-bro 2 | --------------------------------------------------------------------------------