├── .github └── workflows │ ├── aggregator.yml │ └── pre-commit.yml ├── .pre-commit-config.yaml ├── 0xl3x1 └── zkg.index ├── 0xxon └── zkg.index ├── AmazingPP └── zkg.index ├── README.rst ├── activecm └── zkg.index ├── aggregate.meta ├── amarokinc └── zkg.index ├── amzn └── zkg.index ├── anthonykasza └── zkg.index ├── apache └── zkg.index ├── awelzel └── zkg.index ├── bricata └── zkg.index ├── brimsec └── zkg.index ├── captainGeech42 └── zkg.index ├── chrisanag1985 └── zkg.index ├── cisagov └── zkg.index ├── corelight └── zkg.index ├── cyberUniBO └── zkg.index ├── cybera └── zkg.index ├── dopheide └── zkg.index ├── dovehawk └── zkg.index ├── dw2102 └── zkg.index ├── elcabezzonn └── zkg.index ├── emnahum └── zkg.index ├── emojifier └── zkg.index ├── endace └── zkg.index ├── esnet-security └── zkg.index ├── esnet └── zkg.index ├── evantypanski └── zkg.index ├── fatemabw └── zkg.index ├── fdekeers └── zkg.index ├── foxio └── zkg.index ├── hhzzk └── zkg.index ├── hosom └── zkg.index ├── initconf └── zkg.index ├── irtimmer └── zkg.index ├── j-gras └── zkg.index ├── jbaggs └── zkg.index ├── jmellander └── zkg.index ├── joesecurity └── zkg.index ├── jonzeolla └── zkg.index ├── jsiwek └── zkg.index ├── jswaro └── zkg.index ├── justinazoff └── zkg.index ├── keithjjones └── zkg.index ├── klehigh └── zkg.index ├── mbispham └── zkg.index ├── micrictor └── zkg.index ├── mitre-attack └── zkg.index ├── mitre └── zkg.index ├── mitrecnd └── zkg.index ├── mvlnetdev └── zkg.index ├── ncsa └── zkg.index ├── nskelsey └── zkg.index ├── ntop └── zkg.index ├── nttcom └── zkg.index ├── pgaulon └── zkg.index ├── precurse └── zkg.index ├── qintel └── zkg.index ├── reshadp └── zkg.index ├── rvictory └── zkg.index ├── saiiman └── zkg.index ├── salesforce └── zkg.index ├── sandialabs └── zkg.index ├── seisollc └── zkg.index ├── sethhall └── zkg.index ├── sfinlon └── zkg.index ├── shodan └── zkg.index ├── sithari └── zkg.index ├── srozb └── zkg.index ├── stevesmoot └── zkg.index ├── 
stratosphereips └── zkg.index ├── tenzir └── zkg.index ├── theflakes └── zkg.index ├── theparanoids └── zkg.index ├── thibaultbl └── zkg.index ├── ukncsc └── zkg.index ├── vitalyrepin └── zkg.index ├── zeek-packages └── zkg.index └── zeek └── zkg.index /.github/workflows/aggregator.yml: -------------------------------------------------------------------------------- 1 | name: Aggregate package source 2 | 3 | on: 4 | push: 5 | branches: 6 | - master 7 | schedule: 8 | - cron: '0 */3 * * *' 9 | 10 | jobs: 11 | aggregate-metadata: 12 | if: github.repository == 'zeek/packages' 13 | runs-on: ubuntu-latest 14 | env: 15 | ZKG_DEFAULT_SOURCE: https://zeek-bot:${{ secrets.ZEEK_BOT_TOKEN }}@github.com/${{ github.repository }} 16 | steps: 17 | - name: zkg refresh 18 | run: | 19 | git config --global user.name zeek-bot 20 | git config --global user.email info@zeek.org 21 | pip3 install zkg && zkg -vvv refresh --aggregate --fail-on-aggregate-problems --push 22 | -------------------------------------------------------------------------------- /.github/workflows/pre-commit.yml: -------------------------------------------------------------------------------- 1 | name: pre-commit 2 | 3 | on: 4 | pull_request: 5 | push: 6 | branches: [master] 7 | 8 | jobs: 9 | pre-commit: 10 | runs-on: ubuntu-22.04 11 | steps: 12 | - uses: actions/checkout@v4 13 | - uses: actions/setup-python@v5 14 | - uses: pre-commit/action@v3.0.1 15 | -------------------------------------------------------------------------------- /.pre-commit-config.yaml: -------------------------------------------------------------------------------- 1 | # See https://pre-commit.com for more information 2 | # See https://pre-commit.com/hooks.html for more hooks 3 | repos: 4 | - repo: https://github.com/pre-commit/pre-commit-hooks 5 | rev: v4.4.0 6 | hooks: 7 | - id: trailing-whitespace 8 | - id: end-of-file-fixer 9 | - id: file-contents-sorter 10 | files: 'zkg.index' 11 | args: 12 | - "--ignore-case" 13 | 14 | exclude: 
aggregate.meta 15 | -------------------------------------------------------------------------------- /0xl3x1/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/0xl3x1/zeek-EternalSafety 2 | -------------------------------------------------------------------------------- /0xxon/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/0xxon/cve-2020-0601 2 | https://github.com/0xxon/cve-2020-0601-plugin 3 | https://github.com/0xxon/cve-2020-13777 4 | https://github.com/0xxon/zeek-network-statistics 5 | https://github.com/0xxon/zeek-os-package-tracking 6 | https://github.com/0xxon/zeek-plugin-roca 7 | https://github.com/0xxon/zeek-postgresql 8 | https://github.com/0xxon/zeek-sumstats-counttable 9 | https://github.com/0xxon/zeek-tls-log-alternative 10 | -------------------------------------------------------------------------------- /AmazingPP/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/AmazingPP/zeek-capwap 2 | -------------------------------------------------------------------------------- /README.rst: -------------------------------------------------------------------------------- 1 | .. _zeek/packages repository: https://github.com/zeek/packages 2 | .. _Zeek Package Manager: https://github.com/zeek/package-manager 3 | .. _Zeek package: https://docs.zeek.org/projects/package-manager/en/stable/package.html 4 | .. _package index file: https://docs.zeek.org/projects/package-manager/en/stable/source.html#package-index-files 5 | .. _pre-commit: https://pre-commit.com/ 6 | 7 | Zeek Package Source 8 | =================== 9 | 10 | This is the default package source for the `Zeek Package Manager`_. 11 | 12 | Package Submission Process 13 | -------------------------- 14 | 15 | Use the following process to submit packages (please only submit your 16 | own work/packages): 17 | 18 | #. 
Create a `Zeek package`_. Make sure to set the ``tags`` 19 | and ``description`` metadata fields to help people discover 20 | your package. Also make sure you put the license information 21 | for your package in a COPYING or LICENSE file. 22 | #. Host your package's git repository at a public location. 23 | E.g. put it on GitHub. 24 | #. Fork this `zeek/packages repository`_ on GitHub. 25 | #. Create a directory within your fork with a name that uniquely 26 | identifies you. E.g. if you're hosting packages on GitHub, name 27 | the directory the same as your GitHub username. If you're hosting 28 | it somewhere else, you could use a domain name or organization name 29 | for the directory. 30 | #. Put a `package index file`_ within the directory you just made. 31 | #. Commit/push the changes you made to your fork. 32 | #. Optional: Use `pre-commit`_ to verify your changes by running ``pre-commit run -a``. 33 | #. Submit a *pull request*. 34 | -------------------------------------------------------------------------------- /activecm/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/activecm/bro-mongodb.git 2 | https://github.com/activecm/bro-rita.git 3 | https://github.com/activecm/zeek-open-connections 4 | -------------------------------------------------------------------------------- /aggregate.meta: -------------------------------------------------------------------------------- 1 | [0xl3x1/zeek-EternalSafety] 2 | description = EternalSafety is a Zeek package for detecting potentially-dangerous SMBv1 protocol violations that encapsulate bugs exploited by the infamous Eternal* family of Windows exploits. It is capable of detecting EternalBlue, EternalSynergy/EternalRomance, EternalChampion, and the DoublePulsar backdoor. 
However, rather than identifying these exploits via simple signature-matching, *EternalSafety* instead implements a set of SMBv1 protocol invariants that encapsulate techniques used by each Eternal* exploit to trigger bugs in unpatched Windows systems. EternalSafety accurately and reliably identifies the EternalBlue, EternalSynergy and EternalRomance exploits, and the DoublePulsar backdoor implant. Due to limitations in Zeek's SMBv1 support, it has limited support for detecting EternalChampion via signature-matching. EternalSafety also identifies a range of other protocol violations, such as the use of unimplemented/unused SMBv1 commands, server-initiated changes in values that may only be set by an SMBv1 client, and incorrect interleaving of transaction types. 3 | script_dir = scripts 4 | tags = SMB, Windows, attack, notice, Eternal, SMBv1, EternalBlue 5 | test_command = cd tests && make test 6 | version = master 7 | url = https://github.com/0xl3x1/zeek-EternalSafety 8 | 9 | [0xxon/cve-2020-0601] 10 | depends = 11 | zkg >=2.0 12 | zeek >=4.0.0 13 | description = "Test script for CVE-2020-0601. Please read Readme." 14 | script_dir = scripts 15 | test_command = cd testing && btest -d 16 | url = https://github.com/0xxon/cve-2020-0601 17 | version = v0.4 18 | 19 | [0xxon/cve-2020-0601-plugin] 20 | build_command = ( ./configure && make ) 21 | description = "Test script for CVE-2020-0601. Binary package, requires OpenSSL 1.1.x" 22 | script_dir = scripts 23 | test_command = cd testing && btest -d 24 | url = https://github.com/0xxon/cve-2020-0601-plugin 25 | version = master 26 | 27 | [0xxon/cve-2020-13777] 28 | depends = 29 | zkg >=2.0 30 | zeek >=4.0.0 31 | description = "Test script for CVE-2020-13777. Please read Readme." 
32 | script_dir = scripts 33 | test_command = cd testing && btest -d 34 | url = https://github.com/0xxon/cve-2020-13777 35 | version = main 36 | 37 | [0xxon/zeek-network-statistics] 38 | description = Perform regular network measurements and report results. 39 | script_dir = scripts 40 | tags = topk, sumstats 41 | test_command = cd tests && make 42 | version = main 43 | url = https://github.com/0xxon/zeek-network-statistics 44 | 45 | [0xxon/zeek-os-package-tracking] 46 | url = https://github.com/0xxon/zeek-os-package-tracking 47 | version = main 48 | 49 | [0xxon/zeek-plugin-roca] 50 | build_command = ( ./configure --bro-dist=%(bro_dist)s && make ) 51 | description = Identify certificates potentially affected by CVE-2017-15361 52 | plugin_dir = build/Johanna_ROCA.tgz 53 | tags = certificates, CVE-2017-15361 54 | test_command = cd tests && btest -d 55 | url = https://github.com/0xxon/zeek-plugin-roca 56 | version = 0.0.1 57 | 58 | [0xxon/zeek-postgresql] 59 | build_command = ( ./configure --with-postgresql-inc=`pg_config --includedir` --with-postgresql-server-inc=`pg_config --includedir-server` --with-postgresql-lib=`pg_config --libdir` && make ) 60 | description = A PostgreSQL reader and writer for Zeek. 61 | plugin_dir = build 62 | tags = zeek plugin, PostgreSQL, reader, writer, input 63 | test_command = cd tests && btest -d 64 | version = 0.0.8 65 | url = https://github.com/0xxon/zeek-postgresql 66 | 67 | [0xxon/zeek-sumstats-counttable] 68 | description = Two-dimensional buckets for sumstats (count occurences per $str). 69 | tags = sumstats, summary statistics 70 | test_command = cd tests && btest -d 71 | url = https://github.com/0xxon/zeek-sumstats-counttable 72 | version = 0.0.4 73 | 74 | [0xxon/zeek-tls-log-alternative] 75 | description = "This package generates a file called tls.log. The difference from ssl.log is that it is much more focused on logging all kinds of protocol features. 
This can be interesting for academic purposes - or if one is just interested in more information about specific features used in local TLS traffic." 76 | script_dir = scripts 77 | tags = TLS, SSL, X509, Certificates, PKI 78 | test_command = cd tests && make 79 | version = main 80 | url = https://github.com/0xxon/zeek-tls-log-alternative 81 | 82 | [AmazingPP/zeek-capwap] 83 | build_command = ./configure && cd build && make 84 | depends = 85 | zkg >=2.0 86 | zeek >=4.2.0 87 | script_dir = plugin/scripts 88 | summary = A Zeek CAPWAP packet analyzer 89 | tags = capwap, zeek, packet analyzer 90 | test_command = cd testing && btest -c btest.cfg -D 91 | url = https://github.com/AmazingPP/zeek-capwap 92 | version = v0.1.0 93 | 94 | [activecm/bro-mongodb.git] 95 | build_command = (./configure --bro-dist=%(bro_dist)s && make) 96 | description = Bro IDS/ MongoDB connector. 97 | tags = bro plugin, MongoDB, writer, security, conn, logging, rita 98 | version = master 99 | url = https://github.com/activecm/bro-mongodb.git 100 | 101 | [activecm/bro-rita.git] 102 | build_command = (./configure --bro-dist=%(bro_dist)s && make) 103 | description = RITA, Bro IDS connector. 104 | tags = bro plugin, MongoDB, writer, security, conn, logging, rita 105 | version = master 106 | url = https://github.com/activecm/bro-rita.git 107 | 108 | [activecm/zeek-open-connections] 109 | aliases = zeek-open-connections bro-open-connections 110 | depends = zkg >=2.0.7 111 | description = Find and log open, long-lived connections into "open_conn", "open_ssl", and "open_http" logs. 
112 | script_dir = scripts 113 | tags = conn 114 | version = v1.2.1 115 | url = https://github.com/activecm/zeek-open-connections 116 | 117 | [amarokinc/bad-asn] 118 | credits = Michael Portera @mportatoes, Hudson Carr 119 | description = Adds ASN reputation data of external IP addresses to notice.log if the ASN crosses a predetermined threshold as defined by circl.lu 120 | script_dir = zeek 121 | tags = asn, geoip, conn, remote 122 | version = master 123 | url = https://github.com/amarokinc/bad-asn 124 | 125 | [amarokinc/remote_asn_geoip_conn] 126 | credits = Michael Portera @mportatoes 127 | description = Adds ASN and GeoIP data directly to conn.log for the REMOTE connection. The script checks the orig and resp host fields to determine which one is not defined as part of the local IP ranges and subsequently performs a lookup on the MaxMind ASN and GeoIP databases. 128 | script_dir = zeek 129 | tags = asn, geoip, conn, remote 130 | version = master 131 | url = https://github.com/amarokinc/remote_asn_geoip_conn 132 | 133 | [amzn/zeek-plugin-bacnet] 134 | build_command = ./configure && make 135 | depends = 136 | zkg >=2.0 137 | zeek >=3.0.0 138 | description = Plugin that enables parsing of the BACnet standard building controls protocol 139 | script_dir = scripts/BACnet 140 | tags = zeek plugin, protocol analyzer, log writer, ics, bacnet 141 | url = https://github.com/amzn/zeek-plugin-bacnet 142 | version = 1.0.0 143 | 144 | [amzn/zeek-plugin-enip] 145 | build_command = ./configure && make 146 | depends = 147 | zkg >=2.0 148 | zeek >=3.0.0 149 | description = Plugin that enables parsing of the Ethernet/IP and Common Industrial Protocol standards 150 | script_dir = scripts/ENIP 151 | tags = zeek plugin, protocol analyzer, log writer, ics, enip, cip 152 | url = https://github.com/amzn/zeek-plugin-enip 153 | version = 1.1.0 154 | 155 | [amzn/zeek-plugin-profinet] 156 | build_command = ./configure && make 157 | depends = 158 | zkg >=2.0 159 | zeek >=3.0.0 160 | 
description = Plugin that enables parsing of the Profinet protocol 161 | script_dir = scripts/PROFINET 162 | tags = zeek plugin, protocol analyzer, log writer, ics, profinet 163 | url = https://github.com/amzn/zeek-plugin-profinet 164 | version = 1.1.0 165 | 166 | [amzn/zeek-plugin-s7comm] 167 | build_command = ./configure && make 168 | depends = 169 | zkg >=2.0 170 | zeek >=3.0.0 171 | description = Plugin that enables parsing of the S7 protocol 172 | script_dir = scripts/S7comm 173 | tags = zeek plugin, protocol analyzer, log writer, ics, s7 174 | url = https://github.com/amzn/zeek-plugin-s7comm 175 | version = 1.0.0 176 | 177 | [amzn/zeek-plugin-tds] 178 | build_command = ./configure && make 179 | depends = 180 | zkg >=2.0 181 | zeek >=3.0.0 182 | description = Plugin that enables parsing of the Tabular Data Stream (TDS) protocol 183 | script_dir = scripts/TDS 184 | tags = zeek plugin, protocol analyzer, log writer, tds 185 | url = https://github.com/amzn/zeek-plugin-tds 186 | version = 1.1.0 187 | 188 | [anthonykasza/common-encodings] 189 | description = A Zeek package which provides common encodings and operations. 190 | script_dir = scripts 191 | tags = rc4, base64, bitshift, encoding, xor 192 | version = 1.0.1 193 | url = https://github.com/anthonykasza/common-encodings 194 | 195 | [anthonykasza/indicator-rules] 196 | depemds = 197 | bro >= 2.6 198 | description = An extension to the Intel Framework. This package faciliates the creation of rules which Zeek can monitor for. 199 | script_dir = scripts 200 | tags = intel, signature, indicators, pure-script 201 | version = master 202 | url = https://github.com/anthonykasza/indicator-rules 203 | 204 | [anthonykasza/ja4] 205 | config_files = scripts/config.zeek 206 | depends = 207 | zeek >=5.0.0 208 | description = An implementation of the JA4 standard in a Zeek package. 
209 | script_dir = scripts 210 | tags = ja4, tls, ssl, fingerprint, clienthello, handshake, encryption 211 | test_command = cd testing && btest -c btest.cfg 212 | version = main 213 | url = https://github.com/anthonykasza/ja4 214 | 215 | [anthonykasza/ssl-extensions] 216 | depends = 217 | zeek >=6.1.0 218 | description = A proof-of-concept demonstrating scriptland parsing and event routing for all SSL extensions 219 | script_dir = scripts 220 | tags = tls, ssl, experimental 221 | test_command = cd testing && btest -c btest.cfg 222 | version = main 223 | url = https://github.com/anthonykasza/ssl-extensions 224 | 225 | [apache/metron-bro-plugin-kafka] 226 | build_command = ./configure --bro-dist=%(bro_dist)s --with-librdkafka=%(LIBRDKAFKA_ROOT)s && make 227 | depends = 228 | bro >=2.5.0 229 | bro-pkg >=1.2 230 | description = A Bro log writer plugin that sends logging output to Kafka. 231 | external_depends = 232 | librdkafka ~0.11.5 233 | plugin_dir = build 234 | script_dir = build/scripts/Apache/Kafka 235 | tags = log writer, bro plugin, kafka 236 | test_command = ( cd tests && btest -d ) 237 | user_vars = 238 | LIBRDKAFKA_ROOT [/usr/local/lib] "Path to librdkafka installation tree" 239 | version = 0.3 240 | url = https://github.com/apache/metron-bro-plugin-kafka 241 | 242 | [awelzel/zeek-conn-footprint] 243 | description = Regularly log footprints of long running connections. 244 | script_dir = ./scripts 245 | tags = debugging, footprint, connection, memory 246 | url = https://github.com/awelzel/zeek-conn-footprint 247 | version = v0.2.1 248 | 249 | [awelzel/zeekjs-misp] 250 | depends = 251 | zeekjs >=0.9.0 252 | script_dir = ./scripts 253 | url = https://github.com/awelzel/zeekjs-misp 254 | version = main 255 | 256 | [bricata/flow_labels] 257 | description = Provides mechanisms for managing and using institutional knowledge about a monitored environment to make informed observations of normal and abnormal network activity. 
258 | tags = input, labels 259 | url = https://github.com/bricata/flow_labels 260 | version = master 261 | 262 | [brimsec/geoip-conn] 263 | description = Adds additional fields to the conn.log for the data obtained via Zeek's GeoLocation feature (https://docs.zeek.org/en/current/frameworks/geoip.html). 264 | script_dir = zeek 265 | tags = conn, geolocation, logging 266 | version = main 267 | url = https://github.com/brimsec/geoip-conn 268 | 269 | [captainGeech42/zeek-bogon] 270 | author = Zander Work (@captainGeech42) 271 | description = Label bogon IPs in conn.log 272 | script_dir = scripts/ 273 | tags = bogon, conn 274 | test_command = (cd tests && btest -d) 275 | url = https://github.com/captainGeech42/zeek-bogon 276 | version = v1.0.1 277 | 278 | [captainGeech42/zeek-intel-path] 279 | author = Zander Work (@captainGeech42) 280 | description = Extend Intel framework to alert on URL paths 281 | script_dir = scripts/ 282 | tags = http, intel, path, url-path, uri 283 | test_command = (cd tests && btest -d) 284 | url = https://github.com/captainGeech42/zeek-intel-path 285 | version = main 286 | 287 | [chrisanag1985/suppress-ssl-notices] 288 | credits = Christos Anagnostopoulos 289 | description = A Module that tries to minimize the noise from the SSL::Invalid_Server_Cert notices. 290 | script_dir = scripts 291 | tags = notices, ssl 292 | version = v0.1.1 293 | url = https://github.com/chrisanag1985/suppress-ssl-notices 294 | 295 | [cisagov/ACID] 296 | credits = Jake Steele , Jack Cyprus , Otis Alexander 297 | depends = 298 | zeek >=4.0.0 299 | http://github.com/cisagov/icsnpp-bacnet * 300 | http://github.com/cisagov/icsnpp-enip * 301 | http://github.com/cisagov/icsnpp-s7comm * 302 | description = ATT&CK-based Control-system Indicator Detection (ACID) is a collection of Zeek scripts designed to detect 303 | ATT&CK for ICS behaviors on OT protocols. These events are reported through the Zeek Notice framework. 
304 | script_dir = scripts 305 | summary = ACID is a collection of OT protocol indicator scripts focused on ATT&CK for ICS behaviors. 306 | tags = ics, OT, attack, ATT&CK, mitre, cisa, OT protocol, detection, notices, input, logging, CIP, S7comm, bacnet, icsnpp 307 | url = https://github.com/cisagov/ACID 308 | version = main 309 | 310 | [cisagov/icsnpp-bacnet] 311 | build_command = ./configure && make 312 | build_dir = build/ICSNPP_Bacnet.tgz 313 | credits = Stephen Kleinheider 314 | depends = 315 | zkg >=2.0 316 | zeek >=4.0.0 317 | description = BACnet plugin for parsing and logging of the BACnet (building automation and control) protocol - CISA ICSNPP 318 | script_dir = build/scripts/icsnpp/bacnet 319 | tags = bacnet, BACnet, ics, ICS, CISA, INL, ICSNPP, icsnpp, zeek plugin, log writer, protocol analyzer 320 | test_command = cd tests && btest -c btest.cfg 321 | url = https://github.com/cisagov/icsnpp-bacnet 322 | version = main 323 | 324 | [cisagov/icsnpp-bsap] 325 | build_command = ./configure && make 326 | build_dir = build/ICSNPP_Bsap.tgz 327 | credits = Devin Vollmer 328 | depends = 329 | zkg >=2.0 330 | zeek >=4.0.0 331 | description = BSAP over IP plugin for parsing and logging of the BSAP protocol - CISA ICSNPP 332 | script_dir = build/scripts/icsnpp/bsap 333 | tags = bsap, BSAP, ics, ICS, CISA, INL, ICSNPP, icsnpp, zeek plugin, log writer, protocol analyzer 334 | test_command = cd tests && btest -c btest.cfg 335 | url = https://github.com/cisagov/icsnpp-bsap 336 | version = main 337 | 338 | [cisagov/icsnpp-dnp3] 339 | credits = Stephen Kleinheider 340 | depends = 341 | zkg >=2.0 342 | zeek >=3.0.0 343 | description = DNP3 script for detailed logging of the DNP3 protocol - CISA ICSNPP 344 | script_dir = scripts 345 | tags = dnp3, DNP3, ics, ICS, CISA, INL, ICSNPP, icsnpp, zeek scripting, log writer, protocol analyzer 346 | test_command = cd tests && btest -c btest.cfg 347 | url = https://github.com/cisagov/icsnpp-dnp3 348 | version = main 349 | 350 | 
[cisagov/icsnpp-enip] 351 | build_command = ./configure && make 352 | build_dir = build/ICSNPP_Enip.tgz 353 | credits = Stephen Kleinheider 354 | depends = 355 | zkg >=2.0 356 | zeek >=4.0.0 357 | description = Ethernet/IP and CIP plugin for parsing and logging of the Ethernet/IP and CIP protocols - CISA ICSNPP 358 | script_dir = build/scripts/icsnpp/enip 359 | tags = enip, ENIP, cip, CIP, ics, ICS, CISA, INL, ICSNPP, icsnpp, zeek plugin, log writer, protocol analyzer 360 | test_command = cd tests && btest -c btest.cfg 361 | url = https://github.com/cisagov/icsnpp-enip 362 | version = main 363 | 364 | [cisagov/icsnpp-ethercat] 365 | build_command = ./configure && make 366 | build_dir = build/ICSNPP_Ethercat.tgz 367 | credits = Devin Vollmer 368 | depends = 369 | zkg >=2.0 370 | zeek >=4.0.0 371 | description = Ethercat plugin for parsing and logging of the Ethercat protocol - CISA ICSNPP 372 | script_dir = build/scripts/icsnpp/ethercat 373 | tags = ecat, ECAT, ethercat, Ethercat, ics, ICS, CISA, INL, ICSNPP, icsnpp, zeek plugin, log writer, packet analyzer 374 | test_command = cd tests && btest -c btest.cfg 375 | url = https://github.com/cisagov/icsnpp-ethercat 376 | version = main 377 | 378 | [cisagov/icsnpp-ge-srtp] 379 | build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build . 380 | depends = 381 | zeek >=6.0.0 382 | description = GE-SRTP is a proprietary protocol used for communication between a GE PLC and a GE HMI. 383 | The GE-SRTP protocol parser is based off of the research paper that can be accessed at https://digitalcommons.newhaven.edu/electricalcomputerengineering-facpubs/70/ 384 | Like Modbus, the GE-SRTP protocol can read both discrete and analog inputs. 385 | script_dir = scripts 386 | summary = GE_-SRTP is a proprietary protocol used for communication between a GE PLC and a GE HMI. 
387 | test_command = cd testing && btest -c btest.cfg 388 | url = https://github.com/cisagov/icsnpp-ge-srtp 389 | version = develop 390 | 391 | [cisagov/icsnpp-genisys] 392 | build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build . 393 | credits = Seth Grover 394 | description = Genisys is a protocol defined by Union Switch & Signal for communicating with 395 | SCADA field devices, commonly used in the railway industry. 396 | It is similar in purpose to Modbus. Genisys was designed for use over serial 397 | connections, but is commonly transported over TCP as well. 398 | The protocol enables one client to communicate with one or more server devices 399 | over the same connection. The servers are identified by a one-octet server address. 400 | "Genisys" is a trademark of Union Switch & Signal. 401 | plugin_dir = build/spicy-modules 402 | script_dir = analyzer 403 | summary = Genisys is a protocol defined by Union Switch & Signal for communicating with SCADA field devices, commonly used in the railway industry. 404 | tags = genisys, railway, SCADA, ICS, CISA, INL, ICSNPP, icsnpp, zeek plugin, log writer, protocol analyzer 405 | test_command = cd tests && PATH=$(zkg config plugin_dir)/packages/spicy-plugin/bin:$PATH btest -d -j $(nproc) 406 | url = https://github.com/cisagov/icsnpp-genisys 407 | version = main 408 | 409 | [cisagov/icsnpp-hart-ip] 410 | build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build . 411 | depends = 412 | zeek >=6.1.0 413 | description = HART-IP is the IP extension of the Highway Addressable Remote Transducer (HART) protocol. 414 | The HART protocol is a hybrid analog+digital industrial automation open protocol. 415 | It is currently maintained by the FieldComm Group (https://www.fieldcommgroup.org/). 
416 | script_dir = scripts 417 | summary = HART-IP is the IP extension of the Highway Addressable Remote Transducer (HART) protocol. 418 | test_command = cd testing && btest -c btest.cfg 419 | url = https://github.com/cisagov/icsnpp-hart-ip 420 | version = main 421 | 422 | [cisagov/icsnpp-modbus] 423 | credits = Brett Rasmussen & Stephen Kleinheider 424 | depends = 425 | zkg >=2.10 426 | zeek >=4.2.0 427 | description = Modbus script for detailed logging of the Modbus protocol - CISA ICSNPP 428 | script_dir = scripts 429 | tags = modbus, Modbus, ics, ICS, CISA, INL, ICSNPP, icsnpp, zeek scripting, log writer, protocol analyzer 430 | test_command = cd tests && btest -c btest.cfg 431 | url = https://github.com/cisagov/icsnpp-modbus 432 | version = main 433 | 434 | [cisagov/icsnpp-omron-fins] 435 | build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build . 436 | depends = 437 | zeek >=6.1.0 438 | description = ICSNPP-Omron-FINS is a Spicy based Zeek plugin for 439 | parsing and logging fields within the Omron FINS protocol. 
440 | script_dir = scripts 441 | summary = ICSNPP-Omron-FINS (Factory Interface Network) over UDP 442 | test_command = cd testing && btest -c btest.cfg 443 | url = https://github.com/cisagov/icsnpp-omron-fins 444 | version = main 445 | 446 | [cisagov/icsnpp-opcua-binary] 447 | build_command = ./configure && make 448 | build_dir = build/ICSNPP_OPCUA_Binary.tgz 449 | credits = Kent Kvarfordt 450 | depends = 451 | zkg >=2.0 452 | zeek >=5.2.0 453 | description = OPC Unified Architecture Binary plugin for parsing and logging of the OPC UA Binary protocol - CISA ICSNPP 454 | script_dir = build/scripts/icsnpp/opcua-binary 455 | tags = opcua, opcua_binary, opc, ICS, CISA, INL, ICSNPP, icsnpp, zeek plugin, log writer, protocol analyzer 456 | test_command = cd tests && btest -c btest.cfg 457 | url = https://github.com/cisagov/icsnpp-opcua-binary 458 | version = main 459 | 460 | [cisagov/icsnpp-profinet-io-cm] 461 | build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake -DCMAKE_BUILD_TYPE=Debug .. && cmake --build . 
462 | credits = Taegan Williams 463 | depends = 464 | zeek >=6.0.3 465 | description = Profinet I/O Context Manager uses traditional Ethernet hardware and software to define a network that 466 | structures the task of exchanging data, alarms and diagnostics with programmable controllers 467 | and other automation controllers 468 | plugin_dir = build/spicy-modules 469 | script_dir = analyzer 470 | summary = Profinet I/O Context Manager (as defined in Profinet Fieldbus Specification IEC 61158-6-10:2019) 471 | tags = profinet, profinet io cm, pn_io, power, SCADA, ICS, CISA, INL, ICSNPP, icsnpp, zeek plugin, log writer, protocol analyzer 472 | test_command = cd testing && btest -c btest.cfg 473 | url = https://github.com/cisagov/icsnpp-profinet-io-cm 474 | version = main 475 | 476 | [cisagov/icsnpp-roc-plus] 477 | build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build . 478 | depends = 479 | zeek >=6.1.0 480 | description = ICSNPP-ROC-Plus is a Spicy based Zeek plugin for 481 | parsing and logging fields within the ROC Plus protocol. 
482 | script_dir = scripts 483 | summary = ICSNPP-ROC-Plus over UDP 484 | test_command = cd testing && btest -c btest.cfg 485 | url = https://github.com/cisagov/icsnpp-roc-plus 486 | version = main 487 | 488 | [cisagov/icsnpp-s7comm] 489 | build_command = ./configure && make 490 | build_dir = build/ICSNPP_S7comm.tgz 491 | credits = Stephen Kleinheider 492 | depends = 493 | zkg >=2.0 494 | zeek >=4.0.0 495 | description = S7Comm & S7Comm Plus plugin for parsing and logging of the S7Comm, S7Comm Plus and COTP protocols - CISA ICSNPP 496 | script_dir = build/scripts/icsnpp/s7comm 497 | tags = s7comm, s7comm-plus, s7plus, S7comm, S7Comm, S7CommPlus, Siemens, siemens, s7, S7, cotp, COTP, iso_cotp, ISO_COTP, ics, ICS, CISA, INL, ICSNPP, icsnpp, zeek plugin, log writer, protocol analyzer 498 | test_command = cd tests && btest -c btest.cfg 499 | url = https://github.com/cisagov/icsnpp-s7comm 500 | version = main 501 | 502 | [cisagov/icsnpp-synchrophasor] 503 | build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build . 504 | credits = Seth Grover 505 | depends = 506 | zeek >=6.0.0 507 | description = Synchrophasor (as defined in C37.118.2-2011 IEEE Standard for Synchrophasor 508 | Data Transfer for Power Systems) defines a simple and direct method of data 509 | transmission and accretion within a phasor measurement system. 
510 | plugin_dir = build/spicy-modules 511 | script_dir = analyzer 512 | summary = Synchrophasor Data Transfer for Power Systems is a communication protocol for real-time communication between phasor measurement units (PMU), phasor data concentrators (PDC), and other applications 513 | tags = synchrophasor, power, SCADA, ICS, CISA, INL, ICSNPP, icsnpp, zeek plugin, log writer, protocol analyzer 514 | test_command = cd tests && PATH=$(zkg config plugin_dir)/packages/spicy-plugin/bin:$PATH btest -d -j $(nproc) 515 | url = https://github.com/cisagov/icsnpp-synchrophasor 516 | version = main 517 | 518 | [corelight/boa-detector] 519 | depends = 520 | zeek >=4.0.0 521 | description = A vulnerable Boa web server detector. 522 | script_dir = scripts 523 | summary = A vulnerable Boa web server detector. 524 | test_command = cd testing && btest -c btest.cfg 525 | url = https://github.com/corelight/boa-detector 526 | version = v0.1.0 527 | 528 | [corelight/bro-drwatson] 529 | depends = 530 | https://github.com/corelight/bro-hardware * 531 | description = Discover and log information discovered in Microsoft DrWatson messages. 532 | script_dir = scripts 533 | tags = drwatson, http, windows 534 | test_command = ( cd tests && btest -d ) 535 | url = https://github.com/corelight/bro-drwatson 536 | version = master 537 | 538 | [corelight/bro-hardware] 539 | description = Scripts for cases where hardware device identifiers are discovered. 540 | script_dir = scripts 541 | tags = hardware 542 | version = master 543 | url = https://github.com/corelight/bro-hardware 544 | 545 | [corelight/bro-shellshock] 546 | description = Discover successful ShellShock attacks. 
547 | script_dir = scripts 548 | tags = shellshock, detect, scripts 549 | test_command = ( cd tests && btest -d ) 550 | url = https://github.com/corelight/bro-shellshock 551 | version = master 552 | 553 | [corelight/callstranger-detector] 554 | description = Detects CallStranger (CVE) exploitation attempts 555 | script_dir = scripts 556 | tags = CallStranger, UPnP 557 | version = master 558 | url = https://github.com/corelight/callstranger-detector 559 | 560 | [corelight/conn-burst] 561 | description = Identify bursty connections (large and fast) 562 | script_dir = scripts 563 | tags = conn, burst 564 | url = https://github.com/corelight/conn-burst 565 | version = master 566 | 567 | [corelight/CVE-2020-16898] 568 | description = A network detection package for CVE-2020-16898 (Windows TCP/IP Remote Code Execution Vulnerability) AKA BadNeighbor 569 | script_dir = scripts 570 | tags = CVE-2020-16898, BadNeighbor 571 | version = master 572 | url = https://github.com/corelight/CVE-2020-16898 573 | 574 | [corelight/CVE-2020-5902-F5BigIP] 575 | description = A network detection package for CVE-2020-5902, a CVSS 10.0 vulnerability affecting F5 Networks, Inc BIG-IP devices. 576 | script_dir = scripts 577 | tags = BIGIP, F5, firewall, RCE, CVE10.0, CVE10, CorelightResponse 578 | version = master 579 | url = https://github.com/corelight/CVE-2020-5902-F5BigIP 580 | 581 | [corelight/CVE-2021-38647] 582 | aliases = omigod 583 | description = A Zeek package which detects CVE-2021-38647 (AKA OMIGOD) exploit attempts 584 | script_dir = scripts 585 | tags = HTTP, OMI, WMI, Windows, CVE, CVE-2021-38647, exploit, RCE, RapidResponse 586 | test_command = cd testing && btest -c btest.cfg 587 | version = v0.1.2 588 | url = https://github.com/corelight/CVE-2021-38647 589 | 590 | [corelight/CVE-2021-42292] 591 | depends = 592 | zeek >=3.0.0 593 | description = A package to detect CVE-2021-42292, a Microsoft Excel privilege exploit. 
594 | script_dir = scripts 595 | summary = A package to detect CVE-2021-42292, a Microsoft Excel privilege exploit. 596 | test_command = cd testing && btest -c btest.cfg 597 | url = https://github.com/corelight/CVE-2021-42292 598 | version = v0.1.0 599 | 600 | [corelight/cve-2021-44228] 601 | description = A Zeek package which raises notices for RCE in Log4J (CVE-2021-44228). 602 | script_dir = scripts 603 | summary = A Zeek package which raises notices for RCE in Log4J (CVE-2021-44228). 604 | tags = HTTP, Apache, CVE, CVE-2021-44228, encoding, rapidresponse, Java, logging 605 | version = v0.7.0 606 | url = https://github.com/corelight/cve-2021-44228 607 | 608 | [corelight/cve-2022-21907] 609 | depends = 610 | zeek >=3.0.0 611 | description = A package to detect CVE-2022-21907 612 | script_dir = scripts 613 | summary = A package to detect CVE-2022-21907 614 | url = https://github.com/corelight/cve-2022-21907 615 | version = v0.1.3 616 | 617 | [corelight/cve-2022-22954] 618 | depends = 619 | zeek >=4.0.0 620 | description = Detect CVE-2022-22954 exploitation attempts and successful exploits. 621 | Also logs the data that was returned to the attacker. 622 | script_dir = scripts 623 | summary = Detect CVE-2022-22954 attempts and exploits. 624 | test_command = cd testing && btest -c btest.cfg 625 | url = https://github.com/corelight/cve-2022-22954 626 | version = v0.2.0 627 | 628 | [corelight/CVE-2022-23270-PPTP] 629 | depends = 630 | zeek >=4.0.0 631 | description = A package to detect CVE-2022-23270. 632 | script_dir = scripts 633 | summary = A package to detect CVE-2022-23270. 634 | test_command = cd testing && btest -c btest.cfg 635 | url = https://github.com/corelight/CVE-2022-23270-PPTP 636 | version = master 637 | 638 | [corelight/CVE-2022-24491] 639 | depends = 640 | zeek >=4.0.0 641 | description = A CVE-2022-24491 detector. 642 | script_dir = scripts 643 | summary = A CVE-2022-24491 detector. 
644 | test_command = cd testing && btest -c btest.cfg 645 | url = https://github.com/corelight/CVE-2022-24491 646 | version = v0.1.3 647 | 648 | [corelight/CVE-2022-24497] 649 | depends = 650 | zeek >=4.0.0 651 | description = A CVE-2022-24497 detector. 652 | script_dir = scripts 653 | summary = A CVE-2022-24497 detector. 654 | test_command = cd testing && btest -c btest.cfg 655 | url = https://github.com/corelight/CVE-2022-24497 656 | version = v0.1.1 657 | 658 | [corelight/cve-2022-26809] 659 | depends = 660 | zeek >=4.0.0 661 | description = CVE-2022-26809 is a DCE/RPC remote code execution vulnerability. 662 | This package detects both exploitation attempts and successful exploits. 663 | script_dir = scripts 664 | summary = Detects attempts and exploits of CVE-2022-26809 665 | test_command = cd testing && btest -c btest.cfg 666 | url = https://github.com/corelight/cve-2022-26809 667 | version = v0.1.0 668 | 669 | [corelight/CVE-2022-26937] 670 | depends = 671 | zeek >=4.0.0 672 | description = A Zeek package to detect CVE-2022-26937, a Windows NFS vulnerability. 673 | script_dir = scripts 674 | summary = A Zeek package to detect CVE-2022-26937, a Windows NFS vulnerability. 
675 | test_command = make test 676 | url = https://github.com/corelight/CVE-2022-26937 677 | version = master 678 | 679 | [corelight/CVE-2022-3602] 680 | description = CVE-2022-3602 exploit detection 681 | script_dir = scripts 682 | summary = Detection for CVE-2022-3602 - OpenSSL RCE/DoS, affecting v3.0.0 - v3.0.6 683 | test_command = cd testing && btest -c btest.cfg 684 | url = https://github.com/corelight/CVE-2022-3602 685 | version = v0.1.0 686 | 687 | [corelight/detect-ransomware-filenames] 688 | description = Watch SMB transactions for files whose filename matches patterns known to be used by ransomware 689 | script_dir = scripts 690 | url = https://github.com/corelight/detect-ransomware-filenames 691 | version = master 692 | 693 | [corelight/ExtendIntel] 694 | description = v3.0 - A Zeek package to extend logging for Intel 695 | script_dir = scripts 696 | tags = intel 697 | version = v3.0.0 698 | url = https://github.com/corelight/ExtendIntel 699 | 700 | [corelight/got_zoom] 701 | depends = 702 | bro >=2.5.5 703 | ja3 * 704 | description = Detect Zoom traffic 705 | script_dir = scripts 706 | tags = TLS, SSL, JA3, Video conferencing, Video, Videoconferencing, Remote working, Zoom 707 | version = master 708 | url = https://github.com/corelight/got_zoom 709 | 710 | [corelight/hassh] 711 | depends = 712 | zeek >=4.0.0 713 | description = HASSH is used to identify specific client and server SSH implementations. The fingerprints can be stored, searched and shared in the form of an MD5 hash. This package logs the HASSH components to ssh.log 714 | script_dir = scripts 715 | summary = SSH client and server fingerprints. 716 | tags = bro plugin, ssh, fingerprint, logging 717 | test_command = cd testing && btest -c btest.cfg 718 | version = v1.0.1 719 | url = https://github.com/corelight/hassh 720 | 721 | [corelight/http-stalling-detector] 722 | description = Detect HTTP stalling attacks like Slowloris. 
723 | script_dir = scripts 724 | tags = http, DoS, attack, notice 725 | url = https://github.com/corelight/http-stalling-detector 726 | version = master 727 | 728 | [corelight/icannTLD] 729 | description = v28.0.0 - A Zeek script using Input Framework to get icann_tld, icann_domain, icann_host_subdomain, and is_trusted_domain from a DNS query. The field icann_host_subdomain contains the remaining query nodes after the domain is removed. The is_trusted_domain is populated from a separate Input Framework set. 730 | script_dir = scripts 731 | tags = domain, dns, tld, input 732 | version = v28.0.0 733 | url = https://github.com/corelight/icannTLD 734 | 735 | [corelight/json-streaming-logs] 736 | description = JSON streaming logs 737 | script_dir = scripts 738 | tags = logs, json, streaming, stream, filebeat, splunk_forwarder, logstash 739 | test_command = cd testing && btest -d -c btest.cfg 740 | url = https://github.com/corelight/json-streaming-logs 741 | version = v3.1.0 742 | 743 | [corelight/log-add-http-post-bodies] 744 | description = Add a POST body excerpt into the HTTP log 745 | script_dir = scripts 746 | tags = http log extend 747 | version = master 748 | url = https://github.com/corelight/log-add-http-post-bodies 749 | 750 | [corelight/log-add-vlan-everywhere] 751 | description = Add VLAN to all logs. 752 | script_dir = scripts 753 | tags = log extend vlan 754 | url = https://github.com/corelight/log-add-vlan-everywhere 755 | version = v1.0.3 756 | 757 | [corelight/my_stats] 758 | description = This package dumps stats for troubleshooting. 
759 | script_dir = scripts 760 | tags = stats 761 | url = https://github.com/corelight/my_stats 762 | version = v0.0.3 763 | 764 | [corelight/pingback] 765 | description = A Zeek package which detects ICMP ping tunnels created by the Pingback tool 766 | script_dir = scripts 767 | tags = C2, ICMP, RAT, Windows, Malware 768 | version = v0.1.2 769 | url = https://github.com/corelight/pingback 770 | 771 | [corelight/top-dns] 772 | depends = 773 | zeek/sethhall/domain-tld * 774 | description = Log the top DNS queries being requested. 775 | script_dir = scripts 776 | tags = dns, sumstats, log, measurement, top 777 | url = https://github.com/corelight/top-dns 778 | version = master 779 | 780 | [corelight/zeek-agenttesla-detector] 781 | depends = 782 | zeek >=4.0.0 783 | description = An AgentTesla malware C2 detector. 784 | script_dir = scripts 785 | summary = An AgentTesla malware C2 detector. 786 | test_command = cd testing && btest -c btest.cfg 787 | url = https://github.com/corelight/zeek-agenttesla-detector 788 | version = v0.1.1 789 | 790 | [corelight/zeek-asyncrat-detector] 791 | depends = 792 | zeek >=4.0.0 793 | description = An AsyncRAT malware detector. 794 | script_dir = scripts 795 | summary = An AsyncRAT malware detector. 
796 | test_command = cd testing && btest -c btest.cfg 797 | url = https://github.com/corelight/zeek-asyncrat-detector 798 | version = v0.1.2 799 | 800 | [corelight/zeek-community-id] 801 | build_command = ./configure && cd build && make 802 | depends = 803 | zeek >=3.2.0 804 | description = "Community ID" flow hash support in conn.log 805 | script_dir = scripts/Corelight/CommunityID 806 | tags = zeek plugin, conn, logging, community id, flow hashing, flow id, sha1, corelight 807 | test_command = cd tests && btest -c btest.cfg -d communityid 808 | url = https://github.com/corelight/zeek-community-id 809 | version = 3.2.3 810 | 811 | [corelight/zeek-elf] 812 | build_command = ./configure --enable-debug && make 813 | description = This package provides some basic analysis for ELF files. 814 | script_dir = scripts/Zeek/ELF 815 | tags = intel, files, elf 816 | test_command = cd tests && btest 817 | url = https://github.com/corelight/zeek-elf 818 | version = v0.1.4 819 | 820 | [corelight/zeek-globload] 821 | build_command = ./configure && cd build && make 822 | description = This plugin adds support for shell-style glob 823 | patterns when loading Zeek scripts. For example, saying 824 | "@load startup.d/*.zeek" will load any Zeek scripts 825 | with a .zeek suffix from the startup.d folder. 826 | summary = Support file globbing in @load directives 827 | test_command = cd testing && btest -c btest.cfg 828 | url = https://github.com/corelight/zeek-globload 829 | version = 1.0.0 830 | 831 | [corelight/zeek-gozi-detector] 832 | depends = 833 | zeek >=4.0.0 834 | description = A Zeek based Gozi malware detector. 835 | script_dir = scripts 836 | summary = A Zeek based Gozi malware detector. 
837 | test_command = cd testing && btest -c btest.cfg 838 | url = https://github.com/corelight/zeek-gozi-detector 839 | version = v0.1.10 840 | 841 | [corelight/zeek-jpeg] 842 | build_command = ./configure --enable-debug && make 843 | description = This package provides some basic analysis for JPEG files. 844 | script_dir = scripts/Zeek/JPEG 845 | tags = intel, files, jpeg, jpg 846 | test_command = cd tests && btest 847 | url = https://github.com/corelight/zeek-jpeg 848 | version = v0.1.3 849 | 850 | [corelight/zeek-long-connections] 851 | aliases = zeek-long-connections bro-long-connections 852 | depends = zkg >=2.0.7 853 | description = Find and log long-lived connections into a "conn_long" log. 854 | script_dir = scripts 855 | tags = conn 856 | test_command = cd testing && btest -c btest.cfg 857 | version = v1.3.1 858 | url = https://github.com/corelight/zeek-long-connections 859 | 860 | [corelight/zeek-macho] 861 | build_command = ./configure --enable-debug --zeek-dist=%(zeek_dist)s && make 862 | description = This package provides some basic analysis for Mach-O files. 863 | script_dir = scripts/Zeek/MACHO 864 | tags = intel, files, mach-o, macho 865 | test_command = cd tests && btest 866 | url = https://github.com/corelight/zeek-macho 867 | version = v0.1.1 868 | 869 | [corelight/zeek-nats-log-writer] 870 | build_command = ./configure && cmake --build build 871 | description = NATS.io log writer support 872 | summary = NATS.io log writer support 873 | test_command = cd testing && btest -c btest.cfg 874 | url = https://github.com/corelight/zeek-nats-log-writer 875 | version = v0.1.0 876 | 877 | [corelight/zeek-netsupport-detector] 878 | depends = 879 | zeek >=4.0.0 880 | description = A Zeek-based NetSupport detector. NetSupport is often abused by attackers in malware. 881 | script_dir = scripts 882 | summary = A Zeek-based NetSupport detector. NetSupport is often abused by attackers in malware. 
883 | test_command = cd testing && btest -c btest.cfg 884 | url = https://github.com/corelight/zeek-netsupport-detector 885 | version = v0.1.1 886 | 887 | [corelight/zeek-notice-telegram] 888 | description = Package that extends the Notice Framework to include 889 | `ACTION_TELEGRAM` for sending messages on notices over Telegram. 890 | script_dir = scripts 891 | summary = Send Notices over Telegram 892 | url = https://github.com/corelight/zeek-notice-telegram 893 | version = master 894 | 895 | [corelight/zeek-quasarrat-detector] 896 | depends = 897 | zeek >=4.0.0 898 | description = A QuasarRAT malware detector. 899 | script_dir = scripts 900 | summary = A QuasarRAT malware detector. 901 | test_command = cd testing && btest -c btest.cfg 902 | url = https://github.com/corelight/zeek-quasarrat-detector 903 | version = v0.1.1 904 | 905 | [corelight/zeek-quic] 906 | aliases = zeek-quic bro-quic 907 | build_command = ./configure && make 908 | depends = 909 | zeek >=4.0.0 910 | description = Detects the Google QUIC (GQUIC) protocol and adds "gquic" 911 | to conn.log's "service" field. 912 | plugin_dir = build/Corelight_GQUIC.tgz 913 | script_dir = build/scripts/Corelight/GQUIC 914 | tags = plugin, analyzer, gquic, quic 915 | url = https://github.com/corelight/zeek-quic 916 | version = v0.7.0 917 | 918 | [corelight/zeek-spicy-facefish] 919 | build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build . 920 | description = A Facefish rootkit detector, based on Spicy. 921 | plugin_dir = build/spicy-modules 922 | script_dir = analyzer 923 | summary = A Facefish rootkit detector, based on Spicy. 
924 | test_command = cd tests && PATH=$(zkg config plugin_dir)/packages/spicy-plugin/bin:$PATH btest -d -j $(nproc) 925 | url = https://github.com/corelight/zeek-spicy-facefish 926 | version = v0.1.1 927 | 928 | [corelight/zeek-spicy-ipsec] 929 | build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build . 930 | description = An IPSec Zeek protocol analyzer based on Spicy. 931 | plugin_dir = build/spicy-modules 932 | script_dir = analyzer 933 | summary = An IPSec Zeek protocol analyzer based on Spicy. 934 | test_command = cd tests && PATH=$(zkg config plugin_dir)/packages/spicy-plugin/bin:$PATH btest -d -j $(nproc) 935 | url = https://github.com/corelight/zeek-spicy-ipsec 936 | version = v0.2.23 937 | 938 | [corelight/zeek-spicy-openvpn] 939 | build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build . 940 | description = A Zeek OpenVPN protocol analyzer, based on Spicy. 941 | plugin_dir = build/spicy-modules 942 | script_dir = analyzer 943 | summary = A Zeek OpenVPN protocol analyzer, based on Spicy. 944 | test_command = cd tests && PATH=$(zkg config plugin_dir)/packages/spicy-plugin/bin:$PATH btest -d -j $(nproc) 945 | url = https://github.com/corelight/zeek-spicy-openvpn 946 | version = v0.1.10 947 | 948 | [corelight/zeek-spicy-ospf] 949 | build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build . 950 | description = A Zeek OSPF packet analyzer, based on Spicy. 951 | plugin_dir = build/spicy-modules 952 | script_dir = analyzer 953 | summary = A Zeek OSPF packet analyzer, based on Spicy. 
954 | test_command = cd tests && PATH=$(zkg config plugin_dir)/packages/spicy-plugin/bin:$PATH btest -d -j $(nproc) 955 | url = https://github.com/corelight/zeek-spicy-ospf 956 | version = v0.1.5 957 | 958 | [corelight/zeek-spicy-stun] 959 | build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build . 960 | description = A Zeek STUN protocol analyzer based on Spicy. 961 | plugin_dir = build/spicy-modules 962 | script_dir = analyzer 963 | summary = A Zeek STUN protocol analyzer based on Spicy. 964 | test_command = cd tests && PATH=$(zkg config plugin_dir)/packages/spicy-plugin/bin:$PATH btest -d -j $(nproc) 965 | url = https://github.com/corelight/zeek-spicy-stun 966 | version = v0.2.11 967 | 968 | [corelight/zeek-spicy-wireguard] 969 | build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build . 970 | description = A Wireguard VPN protocol analyzer, based on Spicy. 971 | plugin_dir = build/spicy-modules 972 | script_dir = analyzer 973 | summary = A Wireguard VPN protocol analyzer, based on Spicy. 974 | test_command = cd tests && PATH=$(zkg config plugin_dir)/packages/spicy-plugin/bin:$PATH btest -d -j $(nproc) 975 | url = https://github.com/corelight/zeek-spicy-wireguard 976 | version = v0.1.5 977 | 978 | [corelight/zeek-strrat-detector] 979 | build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build . 980 | depends = 981 | zeek >=4.0.0 982 | description = A Zeek based STRRAT malware detector. 983 | script_dir = scripts 984 | summary = A Zeek based STRRAT malware detector. 
985 | test_command = cd testing && btest -c btest.cfg 986 | url = https://github.com/corelight/zeek-strrat-detector 987 | version = v0.1.0 988 | 989 | [corelight/zeek-xor-exe-plugin] 990 | build_command = ./configure && make 991 | description = A plugin to find Windows executables that have been XOR encoded. 992 | plugin_dir = build 993 | script_dir = scripts/Corelight/PE_XOR 994 | tags = plugin, pe, executable, malware 995 | test_command = cd tests && btest -d 996 | url = https://github.com/corelight/zeek-xor-exe-plugin 997 | version = 4.1 998 | 999 | [corelight/zeekjs] 1000 | build_command = ./configure --with-nodejs=%(nodejs_root_dir)s && cd build && make 1001 | depends = 1002 | zeek >=4.2.0 1003 | description = Experimental JavaScript support for Zeek. 1004 | external_depends = 1005 | libnode-dev 1006 | nodejs-devel 1007 | name = ZeekJS 1008 | plugin_dir = build 1009 | tags = javascript, js, plugin 1010 | test_command = cd tests && btest -d -c btest.cfg -g smoke 1011 | user_vars = 1012 | nodejs_root_dir [] "Root directory of Node.js installation (leave blank for defaults)" 1013 | url = https://github.com/corelight/zeekjs 1014 | version = v0.17.1 1015 | 1016 | [corelight/zeekjs-notice-telegram] 1017 | depends = zeekjs * 1018 | description = Package that extends the Notice Framework to include 1019 | `ACTION_TELEGRAM` for sending messages on notices over Telegram using ZeekJS. 1020 | script_dir = scripts 1021 | summary = Send Notices over Telegram (ZeekJS edition) 1022 | test_command = cd testing && btest -c btest.cfg 1023 | url = https://github.com/corelight/zeekjs-notice-telegram 1024 | version = master 1025 | 1026 | [corelight/zerologon] 1027 | corelight_name = Zerologon 1028 | description = Detects Zerologon (CVE-2020-1472) attempts and exploits. 1029 | script_dir = scripts 1030 | summary = Detects Zerologon (CVE-2020-1472) attempts and exploits. 
1031 | test_command = cd testing && btest -c btest.cfg 1032 | url = https://github.com/corelight/zerologon 1033 | version = master 1034 | 1035 | [corelight/ztest] 1036 | credits = Ryan Victory 1037 | description = A Zeek Unit Testing Framework 1038 | script_dir = scripts 1039 | tags = library, unit-testing, testing 1040 | test_command = make -C tests 1041 | url = https://github.com/corelight/ztest 1042 | version = master 1043 | 1044 | [cyberUniBO/Zeek-Pcap-Features-Extractor] 1045 | description = Zeek package that extracts features from pcap files 1046 | tags = zeek plugin, pcap files, features extraction, feature extractor 1047 | version = main 1048 | url = https://github.com/MichelangeloFlorio/Zeek-Pcap-Features-Extractor 1049 | 1050 | [cybera/zeek-sniffpass] 1051 | description = Sniffpass will alert on cleartext passwords discovered in HTTP POST requests 1052 | script_dir = scripts 1053 | tags = password, logging 1054 | version = master 1055 | url = https://github.com/cybera/zeek-sniffpass 1056 | 1057 | [dopheide/bro-quic] 1058 | build_command = ( ./configure --bro-dist=%(bro_dist)s && make ) 1059 | description = Attempts to identify the QUIC protocol 1060 | plugin_dir = build/Bro_QUIC.tgz 1061 | tags = plugin, analyzer, quic 1062 | url = https://github.com/dopheide-esnet/bro-quic 1063 | version = 0.1 1064 | 1065 | [dopheide/zeek-jetdirect] 1066 | credits = dopheide@es.net, soehlert@es.net, jsdorn1@gmail.com 1067 | depends = 1068 | zeek >=2.0.0 1069 | description = Detect exploit attempts against HP JetDirect printers 1070 | script_dir = ./scripts 1071 | tags = jetdirect, printer, cve-2017-2741 1072 | test_command = cd tests && make 1073 | url = https://github.com/dopheide-esnet/zeek-jetdirect 1074 | version = 0.4 1075 | 1076 | [dopheide/zeek-known-hosts-with-dns] 1077 | description = This script expands the base known-hosts policy to include reverse DNS queries and syncs it across all workers. 
1078 | script_dir = scripts 1079 | tags = known-hosts, known_hosts, dns 1080 | test_command = cd tests && btest -d known_tests 1081 | version = v1.2.4 1082 | url = https://github.com/dopheide-esnet/zeek-known-hosts-with-dns 1083 | 1084 | [dopheide/zeek-known-outbound] 1085 | depends = 1086 | zeek >=3.0.0 1087 | description = This script provides the ability to monitor and raise notices for outbound connections to a list of watched countries. It also adds orig and resp country codes to conn.log. It depends on having libmaxmind configured for GeoIP lookups. 1088 | script_dir = scripts 1089 | tags = notice, known, services, outbound 1090 | test_command = cd tests && btest -d outbound-tests 1091 | version = master 1092 | url = https://github.com/dopheide-esnet/zeek-known-outbound 1093 | 1094 | [dopheide/zeek-notice-config] 1095 | depends = 1096 | zeek >=3.0.0-rc1 1097 | description = This script enables easy customization of how notice actions are handled. It's built to work with eZeekConfigurator, but that isn't required. 1098 | script_dir = scripts 1099 | tags = notice, configuration, ezeekonfigurator, ezk 1100 | test_command = cd tests && btest -d notice_tests 1101 | version = master 1102 | url = https://github.com/dopheide-esnet/zeek-notice-config 1103 | 1104 | [dopheide/zeek-ntp-monlist] 1105 | depends = 1106 | zeek >=3.0.0-rc1 1107 | description = This script replaces the old ntp-monlist script so that it works with Zeek 3.0.0+ 1108 | script_dir = scripts 1109 | tags = ntp, NTP, monlist, ddos 1110 | test_command = cd tests && btest -d ntp_tests 1111 | version = v1.0.2 1112 | url = https://github.com/dopheide-esnet/zeek-ntp-monlist 1113 | 1114 | [dopheide/zeek-ssh-interesting-hostnames-with-known] 1115 | depends = zeek/dopheide/zeek-known-hosts-with-dns * 1116 | description = This script replaces the default ssh/interesting-hostnames and reduces the number of asynchronous when() calls made by Zeek. 
1117 | script_dir = scripts 1118 | tags = dns, ssh, interesting-hostnames 1119 | test_command = cd tests && btest -d ssh_tests 1120 | version = v1.2.1 1121 | url = https://github.com/dopheide-esnet/zeek-ssh-interesting-hostnames-with-known 1122 | 1123 | [dopheide/bro_notice_correlation] 1124 | description = Adds support for multi-notice correlation. For more information, see http://blog.samoehlert.com/correlating-bro-notices or the talk from BroCon 2016. 1125 | script_dir = scripts 1126 | tags = notices, notice, correlation 1127 | version = master 1128 | url = https://github.com/dopheide/bro_notice_correlation 1129 | 1130 | [dopheide/venom] 1131 | description = Attempts to detect an attacker calling to the VENOM Linux Rootkit https://security.web.cern.ch/security/venom.shtml 1132 | script_dir = scripts 1133 | tags = Venom, venom, VENOM, rootkit 1134 | version = master 1135 | url = https://github.com/dopheide/venom 1136 | 1137 | [dovehawk/dovehawk] 1138 | description = MISP+Zeek. Dovehawk is a Zeek Module to import MISP indicators to the Intel Framework and Signature Framework automatically. Reports sightings directly back to MISP as they happen. Supports Zeek Clusters. 1139 | script_dir = . 1140 | tags = intel, MISP, sightings, signatures, threat intelligence, threat intel, cyber 1141 | version = 1.02.002 1142 | url = https://github.com/tylabs/dovehawk 1143 | 1144 | [dovehawk/dovehawk_dns] 1145 | description = Dovehawk.io Passive DNS Capture Module. 1146 | script_dir = . 1147 | tags = dns, pdns, log, passive, dovehawk 1148 | url = https://github.com/tylabs/dovehawk_dns 1149 | version = master 1150 | 1151 | [dovehawk/dovehawk_flow] 1152 | description = Dovehawk Anonymized Outbound Flow Tracking 1153 | script_dir = ./scripts/ 1154 | tags = netflow, connections, log, remote, dovehwak 1155 | url = https://github.com/tylabs/dovehawk_flow 1156 | version = 1.0.0 1157 | 1158 | [dw2102/S7Comm-Analyzer] 1159 | build_command = ./configure && make 1160 | credits = D. 
Wullen 1161 | description = Protocol parser for the Siemens S7Comm and S7CommPlus protocols. 1162 | Both parsers are based on the ISO-over-TCP protocol. Not all functions are covered 1163 | by this analyzer, so it may not capture all of the packets. 1164 | script_dir = scripts/ 1165 | tags = s7comm, zeek plugin, s7commplus, siemens, zeek, protocol analyzer 1166 | version = master 1167 | url = https://github.com/dw2102/S7Comm-Analyzer 1168 | 1169 | [elcabezzonn/http-header-count] 1170 | description = A script that counts the client HTTP headers. 1171 | script_dir = scripts 1172 | tags = http 1173 | version = main 1174 | url = https://github.com/elcabezzonn/http-header-count 1175 | 1176 | [elcabezzonn/smb2-remote-file-copy] 1177 | description = A script that identifies remote file copies over SMB2 1178 | script_dir = scripts 1179 | tags = smb2 1180 | version = master 1181 | url = https://github.com/elcabezzonn/smb2-remote-file-copy 1182 | 1183 | [emnahum/zeek-pcapovertcp-plugin] 1184 | build_command = ./configure && make 1185 | credits = Erich Nahum 1186 | depends = 1187 | zkg >=2.0 1188 | zeek >=4.0.0 1189 | description = Provides PCAP over TCP support for Zeek. 1190 | plugin_dir = build/Zeek_PcapOverTcp.tgz 1191 | script_dir = scripts 1192 | summary = Provides PCAP over TCP support for Zeek. 1193 | tags = zeek plugin, zeekctl plugin, packet source, pcapovertcp, pcap 1194 | url = https://github.com/emnahum/zeek-pcapovertcp-plugin 1195 | version = v1.0.12 1196 | 1197 | [emojifier/emojifier] 1198 | credits = Jan Grashoefer , 1199 | Matthias Grundmann , 1200 | Florian Jacob 1201 | description = Set your logs on fire with Emojifier! 
1202 | script_dir = scripts 1203 | tags = emoji, fire, emojifier 1204 | test_command = cd testing && btest -d 1205 | url = https://github.com/emojifier/emojifier 1206 | version = master 1207 | 1208 | [endace/zeek-dag] 1209 | aliases = zeek-dag bro-dag 1210 | build_command = ( ./configure && make ) 1211 | depends = zeek >=2.6.0 1212 | description = Packet source plugin that provides native support for Endace DAG card and EndaceProbe Application Dock packet capture. 1213 | plugin_dir = build/Endace_DAG.tgz 1214 | tags = packet source, zeek plugin, plugin, broctl plugin, zeekctl plugin, dag, endace 1215 | test_command = ( cd tests && btest -d ) 1216 | url = https://github.com/endace/zeek-dag 1217 | version = v0.6 1218 | 1219 | [esnet-security/cve-2020-16898] 1220 | credits = Vlad Grigorescu 1221 | depends = 1222 | zeek >=2.6.0 1223 | description = Detects CVE-2020-16898: "Bad Neighbor" 1224 | script_dir = ./scripts 1225 | tags = cve, cve-2020-16898, badneighbor 1226 | test_command = cd tests && make 1227 | url = https://github.com/esnet-security/cve-2020-16898 1228 | version = v0.1 1229 | 1230 | [esnet-security/logfilter] 1231 | credits = Vlad Grigorescu 1232 | description = Enables plugins to write fine-grained policy for log filtering, modification, and path customization. 1233 | script_dir = ./scripts 1234 | tags = logs, filters, ESnet 1235 | test_command = cd tests && make 1236 | url = https://github.com/esnet-security/logfilter 1237 | version = 1.0 1238 | 1239 | [esnet-security/zeek-ebury] 1240 | description = This script attempts to detect the Ebury ssh backdoor based on having base64 in the ssh client string. 
1241 | script_dir = scripts 1242 | tags = ssh, ebury 1243 | version = main 1244 | url = https://github.com/esnet-security/zeek-ebury 1245 | 1246 | [esnet-security/Zeek-Known-Services-With-OrigFlag] 1247 | description = This script expands the base known-services policy to include is_local_orig flag to indicate if the service was discovered from non-local nets (is_local_orig =F) or from local nets (is_local_orig=T). 1248 | script_dir = scripts 1249 | tags = known-services, known_services 1250 | test_command = cd tests && btest -d known_tests 1251 | version = main 1252 | url = https://github.com/esnet-security/Zeek-Known-Services-With-OrigFlag 1253 | 1254 | [esnet-security/zeek-outbound-known-services-with-origflag] 1255 | description = This script expands the base known-services policy to include is_local_orig flag to indicate if an outbound service was discovered from non-local nets (is_local_orig =F) or from local nets (is_local_orig=T). 1256 | script_dir = scripts 1257 | tags = known-services, known_services 1258 | test_command = cd tests && btest -d known_tests 1259 | version = main 1260 | url = https://github.com/esnet-security/zeek-outbound-known-services-with-origflag 1261 | 1262 | [esnet-security/zeek_scram] 1263 | description = Zeek script for interacting with the SCRAM client 1264 | script_dir = scripts 1265 | tags = scram, bhr 1266 | test_command = cd tests && btest -d scram_tests 1267 | version = master 1268 | url = https://github.com/esnet-security/zeek_scram 1269 | 1270 | [esnet/zeek-exporter] 1271 | build_command = ./configure && make 1272 | config_files = scripts/conf.dat 1273 | credits = Vlad Grigorescu 1274 | depends = 1275 | zeek >=3.0.0 1276 | description = Prometheus exporter for Zeek performance data 1277 | external_depends = 1278 | cmake >=3.5 1279 | libcurl-devel * 1280 | plugin_dir = ./build/ESnet_Zeek_Exporter.tgz 1281 | tags = zeek plugin, performance, perf, stats, prometheus 1282 | test_command = cd tests && btest -d 1283 | url = 
https://github.com/esnet/zeek-exporter 1284 | version = v0.7.0 1285 | 1286 | [esnet/zeek_perfsonar_owamp] 1287 | build_command = ( ./configure --zeek-dist=%(zeek_dist)s && make ) 1288 | plugin_dir = build/PerfSONAR_OWAMP.tgz 1289 | tags = plugin, analyzer, owamp, perfsonar 1290 | test_command = cd tests && btest 1291 | url = https://github.com/esnet/zeek_perfsonar_owamp 1292 | version = master 1293 | 1294 | [evantypanski/spicy-redis] 1295 | build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build . 1296 | depends = 1297 | zeek >=4.0.0 1298 | description = Spicy-based analyzer for Redis 1299 | script_dir = scripts 1300 | summary = Spicy-based analyzer for Redis 1301 | test_command = cd testing && btest -c btest.cfg 1302 | url = https://github.com/evantypanski/spicy-redis 1303 | version = main 1304 | 1305 | [fatemabw/bro-inventory-scripts] 1306 | description = Find different type of OSes and AV software in your network traffic. 1307 | script_dir = scripts 1308 | tags = OS detection, Anti-Virus 1309 | version = master 1310 | url = https://github.com/fatemabw/bro-inventory-scripts 1311 | 1312 | [fatemabw/kyd] 1313 | description = KYD creates DHCP client hashes and logs the fingerprints and associated device information in a separate log file 'dhcpfp.log. The Unknown fingerprints can easily be queried to the Fingerbanks API using the 'dhcp-unknown.py' script provided in this package, resulting dhcp-db-extend output file can be appended to the local dhcp-db.bro, and also can be shared with the community using dhcp-db-FBQ file generated by the python script. 
1314 | https://github.com/fatemabw/kyd 1315 | script_dir = zeek 1316 | tags = dhcp, dhcpfp 1317 | version = master 1318 | url = https://github.com/fatemabw/kyd 1319 | 1320 | [fdekeers/igmp] 1321 | build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build . 1322 | credits = François De Keersmaeker 1323 | depends = 1324 | zeek >=4.0.0 1325 | description = A Spicy-based packet analyzer for the IGMP protocol. 1326 | Supports IGMPv1, v2 and v3. 1327 | script_dir = scripts 1328 | summary = IGMP packet analyzer in Spicy 1329 | tags = igmp, zeek, spicy, packet analyzer, ids 1330 | test_command = cd testing && btest -c btest.cfg 1331 | url = https://github.com/zeek-plugins/igmp 1332 | version = main 1333 | 1334 | [fdekeers/mdns] 1335 | credits = François De Keersmaeker 1336 | description = Multicast DNS (mDNS) package for Zeek 1337 | script_dir = ./scripts 1338 | tags = IDS, Zeek, mDNS 1339 | test_command = cd tests && make 1340 | url = https://github.com/zeek-plugins/mdns 1341 | version = main 1342 | 1343 | [foxio/ja4] 1344 | credits = John Althouse 1345 | depends = zeek >=5.0.0 1346 | description = Official Zeek package for JA4+ network fingerprinting. 1347 | script_dir = zeek 1348 | tags = ja4, fingerprint, fingerprinting, ja4s, ja4h, ja4x, ja4ssh, ja4l, ja4t, ja4+, ja4plus, ja3 1349 | version = v0.18.5 1350 | url = https://github.com/FoxIO-LLC/ja4 1351 | 1352 | [hhzzk/dns-tunnels] 1353 | description = Detect DNS Tunnels attack. 
1354 | script_dir = scripts 1355 | tags = DNS, DNS Tunnels, DNS Tunneling 1356 | version = master 1357 | url = https://github.com/hhzzk/dns-tunnels 1358 | 1359 | [hosom/bro-ja3] 1360 | depends = 1361 | bro >=2.6.0 1362 | description = Generate and log ja3 ssl fingerprints 1363 | script_dir = scripts 1364 | tags = ja3, ssl, intel 1365 | test_command = cd tests && btest -d btests 1366 | version = 1.0.4 1367 | url = https://github.com/hosom/bro-ja3 1368 | 1369 | [hosom/bro-napatech] 1370 | build_command = (./configure --bro-dist=%(bro_dist)s && make) 1371 | depends = 1372 | bro-pkg >=1.2 1373 | bro >=2.5.0 1374 | description = Packet source plugin that provides native support for NTAPI 1375 | plugin_dir = build/Bro_Napatech.tgz 1376 | tags = packet source, plugin, napatech, ntapi 1377 | url = https://github.com/hosom/bro-napatech 1378 | version = 0.1.0 1379 | 1380 | [hosom/bro-oui] 1381 | depends = 1382 | bro >=2.5.5 1383 | description = Add OUI lookup to Bro. 1384 | script_dir = scripts 1385 | tags = oui, mac, dhcp 1386 | version = 1.0.3 1387 | url = https://github.com/hosom/bro-oui 1388 | 1389 | [hosom/dummy-connections] 1390 | depends = 1391 | bro >=2.6.0 1392 | description = Create dummy connection records. 1393 | script_dir = scripts 1394 | tags = connection 1395 | version = 1.0.0 1396 | url = https://github.com/hosom/dummy-connections 1397 | 1398 | [hosom/file-extraction] 1399 | config_files = scripts/config.zeek 1400 | depends = 1401 | zeek >=3.0.0 1402 | description = Extract files from network traffic with Zeek. 1403 | script_dir = scripts 1404 | tags = files, file extraction, file analysis 1405 | version = 2.0.3 1406 | url = https://github.com/hosom/file-extraction 1407 | 1408 | [hosom/log-filters] 1409 | config_files = scripts/config.zeek 1410 | depends = 1411 | zeek >=3.0.0 1412 | description = Implement common log filters. 
1413 | script_dir = scripts 1414 | tags = logging, log framework 1415 | version = main 1416 | url = https://github.com/hosom/log-filters 1417 | 1418 | [initconf/2024-09-cups-linux-rce] 1419 | description = 1420 | script_dir = scripts 1421 | tags = 1422 | test_command = ( cd tests && btest -d ) 1423 | version = main 1424 | url = https://github.com/initconf/2024-09-cups-linux-rce 1425 | 1426 | [initconf/Apple-RDP-net-assistant-DoS.git] 1427 | description = udp-3283-DoS 1428 | script_dir = scripts 1429 | tags = net_listerner, Apple RDP, udp DoS 1430 | test_command = ( cd tests && btest -d ) 1431 | version = master 1432 | url = https://github.com/initconf/Apple-RDP-net-assistant-DoS.git 1433 | 1434 | [initconf/blacklist] 1435 | description = package to manage blacklisted IP addresses using bro 1436 | script_dir = scripts 1437 | tags = blacklist 1438 | version = master 1439 | url = https://github.com/initconf/blacklist 1440 | 1441 | [initconf/CVE-2017-5638_struts] 1442 | description = package to detect CVE-2017-5638 struts attack 1443 | script_dir = scripts 1444 | tags = CVE-2017-5638, struts 1445 | version = master 1446 | url = https://github.com/initconf/CVE-2017-5638_struts 1447 | 1448 | [initconf/CVE-2020-16898-Bad-Neighbor.git] 1449 | description = CVE-2020-16898: Bad Neighbor 1450 | script_dir = scripts 1451 | tags = 1452 | test_command = ( cd tests && btest -d ) 1453 | version = master 1454 | url = https://github.com/initconf/CVE-2020-16898-Bad-Neighbor.git 1455 | 1456 | [initconf/detect-kaspersky] 1457 | description = kaspersky 1458 | script_dir = scripts 1459 | tags = kaspersky antivirus 1460 | test_command = ( cd tests && btest -d ) 1461 | version = v3 1462 | url = https://github.com/initconf/detect-kaspersky 1463 | 1464 | [initconf/dns-heuristics] 1465 | description = 1466 | script_dir = scripts 1467 | tags = 1468 | test_command = ( cd tests && btest -d ) 1469 | version = main 1470 | url = https://github.com/initconf/dns-heuristics 1471 | 1472 | 
[initconf/ftp-bruteforce] 1473 | description = ftp-bruteforce 1474 | script_dir = scripts 1475 | tags = ftp, bruteforce, scan 1476 | test_command = ( cd tests && btest -d ) 1477 | version = v2.0-zeek-3.x.x 1478 | url = https://github.com/initconf/ftp-bruteforce 1479 | 1480 | [initconf/icmp-scans.git] 1481 | description = icmp-scans 1482 | script_dir = scripts 1483 | tags = ftp, bruteforce, scan 1484 | test_command = ( cd tests && btest -d ) 1485 | version = master 1486 | url = https://github.com/initconf/icmp-scans.git 1487 | 1488 | [initconf/LetsEncrypt] 1489 | description = LetsEncrypt 1490 | script_dir = scripts 1491 | tags = 1492 | test_command = ( cd tests && btest -d ) 1493 | version = master 1494 | url = https://github.com/initconf/LetsEncrypt 1495 | 1496 | [initconf/log4j.git] 1497 | description = zeek package to identify log4j exploit attempts for CVE-2021-44228 1498 | script_dir = scripts 1499 | tags = 1500 | test_command = ( cd tests && btest -d ) 1501 | version = main 1502 | url = https://github.com/initconf/log4j.git 1503 | 1504 | [initconf/phish-analysis] 1505 | description = Suite of smtp related policies includes extracting and logging URLs from emails and various smtp anomaly detection heuristics to help flag phishing emails 1506 | script_dir = scripts 1507 | tags = smtp, phish, urls, emails 1508 | test_command = ( cd tests && btest -d ) 1509 | version = master 1510 | url = https://github.com/initconf/phish-analysis 1511 | 1512 | [initconf/RDP-bruteforce] 1513 | description = rdp-bruteforce 1514 | script_dir = scripts 1515 | tags = rdp, bruteforce, scan 1516 | test_command = ( cd tests && btest -d ) 1517 | version = master 1518 | url = https://github.com/initconf/RDP-bruteforce 1519 | 1520 | [initconf/scan-NG] 1521 | description = scan detection in 2.x world. 
Forward porting of bro-1.5.3 scan.bro accompanied with new heuristics and quicker detections 1522 | script_dir = scripts 1523 | tags = scan detection 1524 | version = v3.0 1525 | url = https://github.com/initconf/scan-NG 1526 | 1527 | [initconf/sip-attacks.git] 1528 | description = sip-attacks 1529 | script_dir = scripts 1530 | tags = sip, voip 1531 | test_command = ( cd tests && btest -d ) 1532 | version = master 1533 | url = https://github.com/initconf/sip-attacks.git 1534 | 1535 | [initconf/smtp-url-analysis] 1536 | description = Suite of smtp related policies includes extracting and logging URLs from emails and various smtp anomaly detection heuristics to help flag phishing emails 1537 | script_dir = scripts 1538 | tags = smtp, phish, urls, emails 1539 | test_command = ( cd tests && btest -d ) 1540 | version = master 1541 | url = https://github.com/initconf/smtp-url-analysis 1542 | 1543 | [initconf/vnc-scanner] 1544 | description = Simple policy to detect VNC (RFB) scanners based on src->dst connection counts 1545 | script_dir = scripts 1546 | tags = rfb, vnc, osx high sierra 1547 | test_command = ( cd tests && btest -d ) 1548 | version = master 1549 | url = https://github.com/initconf/vnc-scanner 1550 | 1551 | [initconf/ws-discovery-dos] 1552 | description = udp-scan 1553 | script_dir = scripts 1554 | tags = ws-discovery, scan, dos, toshiba, copiers, scanners 1555 | test_command = ( cd tests && btest -d ) 1556 | version = v2.0 1557 | url = https://github.com/initconf/ws-discovery-dos 1558 | 1559 | [irtimmer/bro-xdp_packet-plugin] 1560 | build_command = ./configure --bro-dist=%(bro_dist)s && make 1561 | depends = 1562 | bro-pkg >=1.2 1563 | bro >=2.5.0 1564 | description = This plugin provides native AF_XDP support for Bro. 
1565 | plugin_dir = build/itimmer_af_xdp.tgz 1566 | tags = bro plugin, packet source, af_xdp 1567 | test_command = cd tests && btest -d 1568 | url = https://github.com/irtimmer/bro-xdp_packet-plugin 1569 | version = master 1570 | 1571 | [j-gras/add-interfaces] 1572 | depends = 1573 | zeek >=3.0 1574 | description = Adds cluster node's interface to logs. 1575 | script_dir = scripts 1576 | tags = log, logging, conn, add interface, add worker 1577 | url = https://github.com/J-Gras/add-interfaces 1578 | version = 2.0.0 1579 | 1580 | [j-gras/add-json] 1581 | depends = 1582 | zeek >=4.1 1583 | description = Additional JSON-logging for Zeek. 1584 | script_dir = scripts 1585 | tags = log, logging, JSON 1586 | test_command = cd tests && btest -d 1587 | url = https://github.com/J-Gras/add-json 1588 | version = 3.0.0 1589 | 1590 | [j-gras/add-node-names] 1591 | depends = 1592 | zeek >=2.5 1593 | description = Adds cluster node name to logs. 1594 | script_dir = scripts 1595 | tags = log, logging, conn, add node name, add worker 1596 | url = https://github.com/J-Gras/add-node-names 1597 | version = 2.0.0 1598 | 1599 | [j-gras/bro-af_packet-plugin] 1600 | build_command = ./configure && make 1601 | depends = 1602 | zkg >=2.0 1603 | zeek >=4.0.0 1604 | description = This plugin provides native AF_Packet support for Zeek. 1605 | plugin_dir = build/Zeek_AF_Packet.tgz 1606 | script_dir = scripts/af_packet 1607 | tags = zeek plugin, zeekctl plugin, packet source, af_packet 1608 | test_command = cd tests && btest -d 1609 | url = https://github.com/J-Gras/bro-af_packet-plugin 1610 | version = 4.0.0 1611 | 1612 | [j-gras/bro-fuzzy-hashing] 1613 | build_command = ./configure --bro-dist=%(bro_dist)s && make 1614 | depends = 1615 | bro >=2.5.0 1616 | description = This plugin provides fuzzy hashing for Bro. 
1617 | plugin_dir = build/JGras_FuzzyHashing.tgz 1618 | tags = bro plugin 1619 | test_command = cd tests && btest -d 1620 | url = https://github.com/J-Gras/bro-fuzzy-hashing 1621 | version = 0.3.0 1622 | 1623 | [j-gras/bro-lognorm] 1624 | build_command = ./configure && make 1625 | depends = 1626 | zkg >=2.0 1627 | zeek >=4.0.0 1628 | description = This plugin provides liblognorm integration for Zeek. 1629 | plugin_dir = build/Zeek_Lognorm.tgz 1630 | script_dir = scripts/lognorm 1631 | tags = zeek plugin, liblognorm, syslog 1632 | test_command = cd tests && btest -d 1633 | url = https://github.com/J-Gras/bro-lognorm 1634 | version = 1.0.0 1635 | 1636 | [j-gras/intel-expire] 1637 | credits = Jan Grashoefer 1638 | depends = 1639 | zeek >=3.0 1640 | description = Per item expiration for Zeek's intelligence framework. 1641 | script_dir = scripts 1642 | tags = intel, expiration 1643 | test_command = cd testing && btest -d 1644 | url = https://github.com/J-Gras/intel-expire 1645 | version = v1.0.0 1646 | 1647 | [j-gras/intel-extensions] 1648 | credits = Jan Grashoefer 1649 | depends = 1650 | zeek >=3.0 1651 | description = Extensions for Zeek's intelligence framework. 1652 | executables = utils/intel-mgr.py 1653 | script_dir = scripts 1654 | tags = intel, remote control, preserve files 1655 | test_command = cd testing && btest -d 1656 | url = https://github.com/J-Gras/intel-extensions 1657 | version = v0.5.0 1658 | 1659 | [j-gras/intel-limiter] 1660 | credits = Jan Grashoefer 1661 | depends = 1662 | zeek >=3.0 1663 | description = Limiter for Zeek's intelligence framework. 1664 | script_dir = scripts 1665 | tags = intel, limits, threshold 1666 | test_command = cd testing && btest -d 1667 | url = https://github.com/J-Gras/intel-limiter 1668 | version = 1.0.0 1669 | 1670 | [j-gras/intel-seen-more] 1671 | depends = 1672 | zeek >=3.2 1673 | description = Additional seen-triggers for Zeek's intelligence framework. 
1674 | script_dir = scripts 1675 | suggests = 1676 | sethhall/domain-tld * 1677 | tags = intel, seen 1678 | url = https://github.com/J-Gras/intel-seen-more 1679 | version = 0.4.0 1680 | 1681 | [jbaggs/anomalous-dns] 1682 | config_files = domain-whitelist.zeek, fast_flux-whitelist.zeek, recursive-whitelist.zeek, scripts/__load__.zeek, scripts/domain-whitelist.zeek, scripts/fast_flux-whitelist.zeek, scripts/recursive-whitelist.zeek 1683 | depends = 1684 | zeek >=5.0.8 1685 | https://github.com/sethhall/domain-tld >=1.2.2 1686 | description = A module for tracking and correlating abnormal DNS behavior. Detection of tunneling and C&C through connection duration and volume, request and answer size, DNS request type, and unique queries per domain. Statistical classification of fast flux networks based on A records and ASNs. 1687 | script_dir = scripts 1688 | tags = zeek scripting, dns, domain, notices 1689 | url = https://github.com/jbaggs/anomalous-dns 1690 | version = 2.0.3 1691 | 1692 | [jbaggs/wildcard-domain] 1693 | depends = 1694 | zeek >=3.0.0 1695 | description = This script adds a new Intel::WILDCARD_DOMAIN type that matches on the base domain name, regardless of what subdomain may be prepended to it. 1696 | script_dir = scripts 1697 | tags = zeek scripting, intel 1698 | url = https://github.com/jbaggs/wildcard-domain 1699 | version = 1.1.0 1700 | 1701 | [jmellander/BinaryHeap] 1702 | description = Binary Heap Implementation 1703 | script_dir = scripts 1704 | tags = zeek, zeek.org, BinaryHeap 1705 | url = https://github.com/jmellander/BinaryHeap 1706 | version = master 1707 | 1708 | [joesecurity/Joe-Sandbox-Bro] 1709 | description = JoeSandbox-Bro extracts files from your internet connection 1710 | and analyzes them automatically on Joe Sandbox. Combined with Joe Sandbox's 1711 | reporting and alerting features you can build a powerful IDS. 
1712 | script_dir = scripts 1713 | tags = file analysis, sandbox, malware, virus 1714 | url = https://github.com/joesecurity/Joe-Sandbox-Bro 1715 | version = master 1716 | 1717 | [jonzeolla/scan-sampling] 1718 | description = Modified version of scan.bro to add destination IP sampling. 1719 | script_dir = scripts 1720 | tags = sumstats 1721 | url = https://github.com/JonZeolla/scan-sampling 1722 | version = 0.1.0 1723 | 1724 | [jsiwek/zeek-cryptomining] 1725 | aliases = zeek-cryptomining bro_bitcoin 1726 | depends = zkg >=2.0.7 1727 | description = Detects Bitcoin, Litecoin, or other cryptocurrency 1728 | mining traffic that uses getwork, getblocktemplate, or Stratum mining 1729 | protocols over TCP or HTTP. This package used to be named "bro_bitcoin". 1730 | tags = signatures, bitcoin, mining, cryptocurrency, cryptomining, cryptocoin 1731 | test_command = cd testing && btest -d tests 1732 | url = https://github.com/jsiwek/zeek-cryptomining 1733 | version = master 1734 | 1735 | [jsiwek/zeek-print-log-info] 1736 | depends = zeek >=3.0.0 1737 | description = Gathers and prints field descriptions for all Zeek logs. 1738 | The default output format is CSV files. 1739 | tags = log, logs, logging, introspection, csv 1740 | url = https://github.com/jsiwek/zeek-print-log-info 1741 | version = master 1742 | 1743 | [jswaro/tcprs] 1744 | build_command = ( ./configure --bro-dist=%(bro_dist)s && make ) 1745 | description = TCP Retransmission and State Analyzer plugin for Bro. 
1746 | plugin_dir = build 1747 | script_dir = scripts 1748 | tags = bro plugin, TCP, retransmission, connection state, conn, input reader, protocol analyzer 1749 | test_command = cd tests btest -d tcprs 1750 | url = https://github.com/jswaro/tcprs 1751 | version = 0.2.1 1752 | 1753 | [justinazoff/zeek-jemalloc-profiling] 1754 | description = A broctl plugin that enables jemalloc profiling 1755 | plugin_dir = plugin 1756 | tags = broctl, jemalloc, profiling 1757 | url = https://github.com/JustinAzoff/zeek-jemalloc-profiling 1758 | version = master 1759 | 1760 | [keithjjones/zeek-amadey-detector] 1761 | depends = 1762 | zeek >=4.0.0 1763 | description = A Zeek based Amadey malware detector. 1764 | script_dir = scripts 1765 | summary = A Zeek based Amadey malware detector. 1766 | test_command = cd testing && btest -c btest.cfg 1767 | url = https://github.com/keithjjones/zeek-amadey-detector 1768 | version = v0.1.13 1769 | 1770 | [keithjjones/zeek-njrat-detector] 1771 | build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build . 1772 | depends = 1773 | zeek >=4.0.0 1774 | description = A Zeek based njRAT detector. 1775 | script_dir = analyzer 1776 | summary = A Zeek based njRAT detector. 
1777 | test_command = cd testing && btest -c btest.cfg 1778 | url = https://github.com/keithjjones/zeek-njrat-detector 1779 | version = v0.1.15 1780 | 1781 | [klehigh/find_smbv1] 1782 | credits = Mark Overholser converted to support newer Zeek 1783 | depends = 1784 | zeek >=2.5.0 1785 | description = find SMBv1 activity 1786 | script_dir = scripts 1787 | tags = smb, logging 1788 | url = https://github.com/klehigh/find_smbv1 1789 | version = 1.0.2 1790 | 1791 | [mbispham/zeekjs-redis] 1792 | build_command = ./configure && cd build && make 1793 | depends = 1794 | zeek >=4.2.0 1795 | description = A zkg package that uses ZeekJS to overwrite 1796 | the Logging Framework to output Zeek logs to Redis. 1797 | Each log id type is associated with a unique key. 1798 | For example, conn.log should be stored in the key 1799 | zeek_conn_logs. 1800 | script_dir = scripts 1801 | summary = Zeek Logs to Redis (ZeekJS Version) 1802 | tags = redis, logging, intel, javascript, js, plugin 1803 | url = https://github.com/mbispham/zeekjs-redis 1804 | version = main 1805 | 1806 | [micrictor/smbfp] 1807 | credits = Michael Torres 1808 | description = A package to create a fingerprint of SMB clients 1809 | script_dir = scripts 1810 | tags = smb, fingerprint 1811 | url = https://github.com/micrictor/smbfp 1812 | version = master 1813 | 1814 | [micrictor/spl-spt] 1815 | credits = Michael Torres 1816 | description = A package that creates a log for sequences of packet lengths and times, 1817 | allowing for new analytics based on these data features. 1818 | script_dir = scripts 1819 | tags = ssl, tls, spt, spl 1820 | url = https://github.com/micrictor/spl-spt 1821 | version = master 1822 | 1823 | [mitre-attack/bzar] 1824 | description = BZAR - Bro/Zeek ATT&CK-based Analytics and Reporting. 
1825 | script_dir = scripts 1826 | tags = bzar, att&ck, attack, analytics, cyber analytics repository, car, smb, rpc, dce-rpc 1827 | url = https://github.com/mitre-attack/bzar 1828 | version = master 1829 | 1830 | [mitre/icap] 1831 | build_command = ./configure --bro-dist=%(bro_dist)s && make 1832 | depends = 1833 | bro >=2.5.0 1834 | description = Internet Content Adaptation Protocol (ICAP) Analyzer for Bro and Zeek. 1835 | script_dir = scripts 1836 | tags = bro plugin, zeek plugin, protocol analyzer, internet content adaptation protocol, icap, https plain text 1837 | url = https://github.com/mitre/icap 1838 | version = master 1839 | 1840 | [mitrecnd/bro-http2] 1841 | build_command = ./configure && make 1842 | depends = 1843 | zeek >=3.0.0 1844 | description = A HTTP2 protocol analyzer for the Zeek NSM. 1845 | external_depends = 1846 | libnghttp2>=1.11.0 1847 | libbrotlidec>=1.0.0 1848 | script_dir = scripts 1849 | tags = zeek plugin, protocol analyzer, http2, intel 1850 | test_command = make test 1851 | url = https://github.com/MITRECND/bro-http2 1852 | version = 0.6.1 1853 | 1854 | [mvlnetdev/dportmatch] 1855 | credits = M. van Leeuwen 1856 | depends = 1857 | zeek >=2.6.3 1858 | description = Zeek package to add a destination port to the meta fields in Zeek. It creates a notice when both the intel and the destination port matches. This adds a feature that can be used to reduce false positives. 1859 | script_dir = scripts 1860 | tags = Zeek package, dport, port, intel, dport match 1861 | url = https://github.com/mvlnetdev/dportmatch 1862 | version = main 1863 | 1864 | [ncsa/bro-doctor] 1865 | depends = 1866 | j-gras/add-node-names * 1867 | description = A broctl plugin that helps you troubleshoot common problems 1868 | For cluster-related checks, the package "add-node-names" is recommended. 1869 | plugin_dir = . 
1870 | tags = broctl plugin, troubleshoot 1871 | url = https://github.com/ncsa/bro-doctor 1872 | version = 2.0.4 1873 | 1874 | [ncsa/bro-interface-setup] 1875 | description = A broctl plugin that helps you setup capture interfaces 1876 | plugin_dir = . 1877 | tags = bro plugin, interface, mtu 1878 | url = https://github.com/ncsa/bro-interface-setup 1879 | version = master 1880 | 1881 | [ncsa/bro-is-darknet] 1882 | description = This plugin adds a Site::is_darknet function. 1883 | This is useful for scripts that track scan attempts or other probes. 1884 | It can handle purely dark address space as well as honeynet space. 1885 | script_dir = scripts 1886 | tags = bro plugin, site, darknet 1887 | test_command = (cd testing && btest -d) 1888 | url = https://github.com/ncsa/bro-is-darknet 1889 | version = 2.1 1890 | 1891 | [ncsa/bro-simple-scan] 1892 | depends = 1893 | zeek >=3.0.0 1894 | ncsa/bro-is-darknet >=2.0 1895 | description = Simple, high performance tcp scan detection 1896 | script_dir = scripts 1897 | tags = bro plugin, scan detection 1898 | test_command = (cd testing && btest -d) 1899 | url = https://github.com/ncsa/bro-simple-scan 1900 | version = 4.0 1901 | 1902 | [ncsa/bro-zeromq-writer] 1903 | build_command = ./configure --with-zmq=%(ZEROMQ_PREFIX)s && make 1904 | description = ZeroMQ log writer. 
1905 | external_depends = 1906 | zeromq >=3.2.0 1907 | script_dir = scripts/NCSA/ZeroMQWriter 1908 | tags = zeek plugin, log writer, zeromq, zmq, 0mq, json 1909 | test_command = make test 1910 | user_vars = 1911 | ZEROMQ_PREFIX [/usr/local] "ZeroMQ install prefix" 1912 | url = https://github.com/ncsa/bro-zeromq-writer 1913 | version = master 1914 | 1915 | [nskelsey/aaalm] 1916 | description = Tag and group devices based on a LAN's structure 1917 | script_dir = scripts 1918 | tags = topology, mapping, visualization, traceroute 1919 | version = master 1920 | url = https://github.com/nskelsey/aaalm 1921 | 1922 | [ntop/bro-pf_ring] 1923 | build_command = ( ./configure --bro-dist=%(bro_dist)s && make ) 1924 | description = Packet source plugin that provides native PF_RING support. 1925 | plugin_dir = build 1926 | script_dir = scripts 1927 | tags = packet source, plugin, pf_ring 1928 | test_command = ( cd tests && btest -d ) 1929 | url = https://github.com/ntop/bro-pf_ring 1930 | version = master 1931 | 1932 | [nttcom/zeek-parser-Bacnet] 1933 | depends = 1934 | zeek >=4.0.0 1935 | description = TODO: A more detailed description of icsnpp-bacnet. 1936 | It can span multiple lines, with this indentation. 1937 | script_dir = scripts 1938 | summary = TODO: A summary of icsnpp-bacnet in one line 1939 | test_command = cd testing && btest -c btest.cfg 1940 | url = https://github.com/nttcom/zeek-parser-Bacnet 1941 | version = main 1942 | 1943 | [nttcom/zeek-parser-CCLinkFieldBasic] 1944 | build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build . 1945 | depends = 1946 | zeek >=4.0.0 1947 | description = TODO: A more detailed description of spicy_cc_link_basic. 1948 | It can span multiple lines, with this indentation. 
1949 | script_dir = scripts 1950 | summary = TODO: A summary of spicy_cc_link_basic in one line 1951 | test_command = cd testing && btest -c btest.cfg 1952 | url = https://github.com/nttcom/zeek-parser-CCLinkFieldBasic 1953 | version = main 1954 | 1955 | [nttcom/zeek-parser-CCLinkIENoIP] 1956 | build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build . 1957 | depends = 1958 | zeek >=4.0.0 1959 | description = TODO: A more detailed description of zeek-parser-CCLinkIENoIP. 1960 | It can span multiple lines, with this indentation. 1961 | script_dir = scripts 1962 | summary = TODO: A summary of zeek-parser-CCLinkIENoIP in one line 1963 | test_command = cd testing && btest -c btest.cfg 1964 | url = https://github.com/nttcom/zeek-parser-CCLinkIENoIP 1965 | version = main 1966 | 1967 | [nttcom/zeek-parser-CCLinkTSNPTP] 1968 | build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build . 1969 | depends = 1970 | zeek >=4.0.0 1971 | description = TODO: A more detailed description of zeek-parser-CCLinkTSNPTP. 1972 | It can span multiple lines, with this indentation. 1973 | script_dir = scripts 1974 | summary = TODO: A summary of zeek-parser-CCLinkTSNPTP in one line 1975 | test_command = cd testing && btest -c btest.cfg 1976 | url = https://github.com/nttcom/zeek-parser-CCLinkTSNPTP 1977 | version = main 1978 | 1979 | [nttcom/zeek-parser-CCLinkTSNSLMP] 1980 | build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build . 1981 | depends = 1982 | zeek >=4.0.0 1983 | description = TODO: A more detailed description of zeek-parser-CCLinkTSNSLMP. 1984 | It can span multiple lines, with this indentation. 
1985 | script_dir = scripts 1986 | summary = TODO: A summary of zeek-parser-CCLinkTSNSLMP in one line 1987 | test_command = cd testing && btest -c btest.cfg 1988 | url = https://github.com/nttcom/zeek-parser-CCLinkTSNSLMP 1989 | version = main 1990 | 1991 | [nttcom/zeek-parser-CIFS-COM] 1992 | build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build . 1993 | depends = 1994 | zeek >=4.0.0 1995 | description = TODO: A more detailed description of test. 1996 | It can span multiple lines, with this indentation. 1997 | script_dir = scripts 1998 | summary = TODO: A summary of test in one line 1999 | test_command = cd testing && btest -c btest.cfg 2000 | url = https://github.com/nttcom/zeek-parser-CIFS-COM 2001 | version = main 2002 | 2003 | [nttcom/zeek-parser-CIFS-NBNS-COM] 2004 | build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build . 2005 | depends = 2006 | zeek >=4.0.0 2007 | description = TODO: A more detailed description of zeek-parser-NBNS. 2008 | It can span multiple lines, with this indentation. 2009 | script_dir = scripts 2010 | summary = TODO: A summary of zeek-parser-NBNS in one line 2011 | test_command = cd testing && btest -c btest.cfg 2012 | url = https://github.com/nttcom/zeek-parser-CIFS-NBNS-COM 2013 | version = main 2014 | 2015 | [nttcom/zeek-parser-DHCPv4-COM] 2016 | build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build . 2017 | depends = 2018 | zeek >=4.0.0 2019 | description = TODO: A more detailed description of zeek-parser-DHCPv4-COM. 2020 | It can span multiple lines, with this indentation. 
2021 | script_dir = scripts 2022 | summary = TODO: A summary of zeek-parser-DHCPv4-COM in one line 2023 | test_command = cd testing && btest -c btest.cfg 2024 | url = https://github.com/nttcom/zeek-parser-DHCPv4-COM 2025 | version = main 2026 | 2027 | [nttcom/zeek-parser-DHCPv6-COM] 2028 | build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build . 2029 | depends = 2030 | zeek >=4.0.0 2031 | description = TODO: A more detailed description of zeek-parser-DHCPV6. 2032 | It can span multiple lines, with this indentation. 2033 | script_dir = scripts 2034 | summary = TODO: A summary of zeek-parser-DHCPV6 in one line 2035 | test_command = cd testing && btest -c btest.cfg 2036 | url = https://github.com/nttcom/zeek-parser-DHCPv6-COM 2037 | version = main 2038 | 2039 | [nttcom/zeek-parser-OmronFINS] 2040 | build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build . 2041 | depends = 2042 | zeek >=4.0.0 2043 | description = TODO: A more detailed description of zeek-parser-OmronFINS. 2044 | It can span multiple lines, with this indentation. 2045 | script_dir = scripts 2046 | summary = TODO: A summary of zeek-parser-OmronFINS in one line 2047 | test_command = cd testing && btest -c btest.cfg 2048 | url = https://github.com/nttcom/zeek-parser-OmronFINS 2049 | version = main 2050 | 2051 | [nttcom/zeek-parser-SSDP-COM] 2052 | build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build . 2053 | depends = 2054 | zeek >=4.0.0 2055 | description = TODO: A more detailed description of zeek-parser-SSDP. 2056 | It can span multiple lines, with this indentation. 
2057 | script_dir = scripts 2058 | summary = TODO: A summary of zeek-parser-SSDP in one line 2059 | test_command = cd testing && btest -c btest.cfg 2060 | url = https://github.com/nttcom/zeek-parser-SSDP-COM 2061 | version = main 2062 | 2063 | [pgaulon/zeek-notice-slack] 2064 | aliases = zeek-notice-slack bro-notice-slack 2065 | description = Zeek Notices through Slack webhook 2066 | tags = zeek plugin, notices, slack webhook 2067 | url = https://github.com/pgaulon/zeek-notice-slack 2068 | version = 1.0.2 2069 | 2070 | [pgaulon/zeekjs-notice-slack] 2071 | depends = zeekjs * 2072 | description = Package extending the Notice Framework to send Notices via Slack webhooks. 2073 | summary = Zeek Notices via Slack webhooks 2074 | tags = zeekjs, zeek plugin, notices, slack, webhook 2075 | url = https://github.com/pgaulon/zeekjs-notice-slack 2076 | version = v0.0.5 2077 | 2078 | [precurse/zeek-httpattacks] 2079 | description = Checks for HTTP anomalies typically used for attacking. 2080 | script_dir = scripts 2081 | tags = http, detection 2082 | version = master 2083 | url = https://github.com/precurse/zeek-httpattacks 2084 | 2085 | [qintel/qsentry-zeek] 2086 | aliases = qsentry-zeek qsentry qintel 2087 | credits = Qintel Integrations 2088 | description = Adds Qintel QSentry metadata to intel logs. 2089 | script_dir = qsentry 2090 | tags = log, logging, intel, qintel, qsentry, intelligenece, threat intelligence, ti 2091 | url = https://github.com/qintel/qsentry-zeek 2092 | version = 1.0.0 2093 | 2094 | [reshadp/zeek-log-add-mac-addresses] 2095 | description = Add MAC address to all logs. 
2096 | script_dir = scripts 2097 | tags = log extend mac 2098 | url = https://github.com/reshadp/zeek-log-add-mac-addresses 2099 | version = main 2100 | 2101 | [rvictory/zeek-new-domains] 2102 | credits = Ryan Victory 2103 | depends = 2104 | sethhall/domain-tld * 2105 | description = Monitors for new domains being queried for and raises a notice for them 2106 | script_dir = scripts 2107 | tags = DNS 2108 | version = master 2109 | url = https://github.com/rvictory/zeek-new-domains 2110 | 2111 | [saiiman/zeek-exfil-detect] 2112 | build_command = ./configure && cd build && make 2113 | depends = 2114 | zeek >=5.1.0 2115 | description = This package offers the possibility of exfiltration detection through statistical analysis methods. 2116 | For this purpose, all connections are added to a baseline, subdivided according to their source 2117 | ip address and destination port. The baseline is then used to perform statistical anomaly detection. 2118 | Anomalies in the baseline are considered as data exfiltrations. 2119 | The severity of the anomaly is recorded using a score between 0 and 1. 2120 | script_dir = scripts 2121 | suggests = 2122 | https://github.com/salesforce/ja3 branch=master 2123 | summary = This package offers the possibility of exfiltration detection through statistical analysis methods. 2124 | tags = conn, exfil, exfiltration, TA0010 2125 | test_command = cd testing && btest -c btest.cfg 2126 | url = https://github.com/SECUINFRA/zeek-exfil-detect 2127 | version = main 2128 | 2129 | [salesforce/bro-sysmon] 2130 | description = Zeek-Sysmon contains a python script that will read in a file, parse JSON Windows Event Logs, generate Zeek events, and forward them to Zeek. Default Zeek-Sysmon scripts log output to files. 
2131 | script_dir = bro 2132 | tags = broker, Windows, Event Logs, Sysmon, logging 2133 | version = master 2134 | url = https://github.com/salesforce/bro-sysmon 2135 | 2136 | [salesforce/GQUIC_Protocol_Analyzer] 2137 | build_command = ./configure && make 2138 | depends = 2139 | zkg >=2.0 2140 | zeek >=4.0.0 2141 | description = Protocol analyzer that detects, dissects, fingerprints, and logs GQUIC traffic 2142 | script_dir = scripts/Salesforce/GQUIC 2143 | url = https://github.com/salesforce/GQUIC_Protocol_Analyzer 2144 | version = master 2145 | 2146 | [salesforce/ja3] 2147 | description = JA3 creates 32 character SSL client fingerprints and logs them as a field in ssl.log. These fingerprints can easily be shared as threat intelligence or used as correlation items for enhanced alerting and analysis. This package also adds JA3 to the Zeek Intel Framework. 2148 | https://github.com/salesforce/ja3 2149 | script_dir = zeek 2150 | tags = intel, ssl, logging 2151 | version = master 2152 | url = https://github.com/salesforce/ja3 2153 | 2154 | [sandialabs/gait] 2155 | description = Adds fields to conn and ssl logs useful for fingeprinting and timing analysis 2156 | script_dir = zeek 2157 | tags = conn, tcp, ssl, fingerprinting 2158 | version = main 2159 | url = https://github.com/sandialabs/gait 2160 | 2161 | [seisollc/zeek-kafka] 2162 | build_command = ./configure --with-librdkafka=%(LIBRDKAFKA_ROOT)s && make 2163 | depends = 2164 | zeek >=4.0.0 2165 | zkg >=2.0 2166 | description = A Zeek log writer plugin that publishes to Kafka. 
2167 | external_depends = 2168 | librdkafka ~1.4.2 2169 | plugin_dir = build 2170 | script_dir = build/scripts/Seiso/Kafka 2171 | tags = log writer, zeek plugin, kafka 2172 | test_command = cd tests && btest -d 2173 | user_vars = 2174 | LIBRDKAFKA_ROOT [/usr/local] "Path to librdkafka installation tree root" 2175 | version = v1.2.0 2176 | url = https://github.com/seisollc/zeek-kafka 2177 | 2178 | [sethhall/bro-myricom] 2179 | build_command = ( ./configure --bro-dist=%(bro_dist)s && make ) 2180 | depends = 2181 | bro-pkg >=1.2 2182 | description = Packet source plugin that provides native Myricom SNF v3+v4 support. 2183 | plugin_dir = build/Bro_Myricom.tgz 2184 | script_dir = scripts.not_used 2185 | tags = packet source, plugin, myricom 2186 | test_command = ( cd tests && btest -d ) 2187 | url = https://github.com/sethhall/bro-myricom 2188 | version = 1.0.4 2189 | 2190 | [sethhall/credit-card-exposure] 2191 | description = Detect credit card numbers in HTTP and SMTP with Bro. 2192 | script_dir = scripts 2193 | tags = credit cards, dlp, http, smtp, files 2194 | test_command = ( cd tests && btest -d ) 2195 | version = 2.0.0 2196 | url = https://github.com/sethhall/credit-card-exposure 2197 | 2198 | [sethhall/domain-tld] 2199 | description = A library for getting the "effective tld" of a domain name. 2200 | script_dir = scripts 2201 | tags = library, domain 2202 | url = https://github.com/sethhall/domain-tld 2203 | version = v1.2.2 2204 | 2205 | [sethhall/ssn-exposure] 2206 | description = Detect US Social Security numbers in HTTP and SMTP with Bro. 2207 | script_dir = scripts 2208 | tags = ssn, social security number, dlp, files 2209 | version = 1.0.1 2210 | url = https://github.com/sethhall/ssn-exposure 2211 | 2212 | [sethhall/unknown-mime-type-discovery] 2213 | description = Help Zeek by finding unidentified file types. 
2214 | script_dir = scripts 2215 | tags = files, signature 2216 | url = https://github.com/sethhall/unknown-mime-type-discovery 2217 | version = v1.0.0 2218 | 2219 | [sethhall/zeek-log-all-http-headers] 2220 | aliases = zeek-log-all-http-headers 2221 | depends = zkg >=2.0.7 2222 | description = Add all HTTP headers and values to the HTTP log. 2223 | script_dir = scripts 2224 | tags = http 2225 | version = v1.0.0 2226 | url = https://github.com/sethhall/zeek-log-all-http-headers 2227 | 2228 | [sfinlon/cif-zeek] 2229 | aliases = cif-zeek cif 2230 | credits = Scott Finlon 2231 | description = Adds Collective Intelligence Framework (CIF) metadata to intel logs. 2232 | script_dir = scripts 2233 | tags = log, logging, intel, intelligenece, threat intelligence, ti, CIF 2234 | url = https://github.com/sfinlon/cif-zeek 2235 | version = 1.0.1 2236 | 2237 | [shodan/shodan-zeek] 2238 | build_command = ./configure && make 2239 | description = Get IP address information from the Shodan InternetDB. 2240 | script_dir = scripts 2241 | tags = zeek plugin, zeek scripting 2242 | url = https://gitlab.com/shodan-public/shodan-zeek/ 2243 | version = master 2244 | 2245 | [sithari/icmp-exfil-detection] 2246 | credits = Rakesh Passa 2247 | depends = 2248 | zeek >=3.2.0 2249 | description = Detects exfiltration of data over ICMP and writes to notice.log with the details of the exfil like duration, exfil size, source/dest ip, etc. 2250 | script_dir = scripts 2251 | tags = ICMP, exfil, exfiltration, protocol misuse 2252 | version = main 2253 | url = https://github.com/sithari/icmp-exfil-detection 2254 | 2255 | [srozb/dns_axfr] 2256 | description = Find and notice DNS zone transfer attempts. 
2257 | script_dir = scripts 2258 | tags = dns recon 2259 | version = master 2260 | url = https://github.com/srozb/dns_axfr 2261 | 2262 | [srozb/http_csp] 2263 | description = HTTP Content-Security-Policy report parser 2264 | script_dir = scripts 2265 | tags = CSP intel 2266 | url = https://github.com/srozb/http_csp 2267 | version = 1.0.1 2268 | 2269 | [stevesmoot/zeek_metainfo] 2270 | description = Create schemas in many forms for local Zeek installation/configuration. JSON, markup text, Avro, html so far. 2271 | script_dir = scripts 2272 | tags = schema, docs, json, avro 2273 | test_command = (cd testing && btest -d) 2274 | url = https://github.com/corelight/zeek_metainfo 2275 | version = main 2276 | 2277 | [stevesmoot/appid] 2278 | build_command = make all 2279 | credits = Steve Smoot 2280 | depends = 2281 | zeek/sethhall/domain-tld * 2282 | description = Leverage nDPI and other info to make informed guess at the application for a connection. 2283 | script_dir = . 2284 | tags = nDPI application 2285 | url = https://github.com/stevesmoot/appid 2286 | version = master 2287 | 2288 | [stevesmoot/localcountry] 2289 | depends = 2290 | zeek >=4.0.0 2291 | description = TODO: A more detailed description of LocalCountry. 2292 | It can span multiple lines, with this indentation. 
2293 | script_dir = scripts 2294 | summary = TODO: A summary of LocalCountry in one line 2295 | test_command = cd testing && btest -c btest.cfg 2296 | url = https://github.com/stevesmoot/localcountry 2297 | version = main 2298 | 2299 | [stratosphereips/zeek-package-ARP] 2300 | description = Zeek Package that supports adding arp.log to zeek log files 2301 | tags = zeek plugin, arp, features extraction 2302 | version = 1.0.0 2303 | url = https://github.com/stratosphereips/zeek-package-ARP 2304 | 2305 | [stratosphereips/zeek-package-detect-DoH] 2306 | description = Detect DoH servers by adding a is_DoH field in ssl.log and add timeout to them so that the DoH connection won't take too long 2307 | tags = zeek plugin, DoH, features extraction, ssl, DNS 2308 | version = 1.0.0 2309 | url = https://github.com/stratosphereips/zeek-package-detect-DoH 2310 | 2311 | [stratosphereips/zeek-package-IRC] 2312 | description = Zeek Package that extracts features of IRC communication 2313 | tags = zeek plugin, irc, features extraction 2314 | version = v1.6 2315 | url = https://github.com/stratosphereips/zeek-package-IRC 2316 | 2317 | [stratosphereips/zeek-package-log-gateway-IP] 2318 | description = This script gets the gateway IP information taken from the dhcp logs, and adds a notice.log entry if the gateway address is identified 2319 | tags = zeek plugin, Gateway IP, features extraction, notice 2320 | version = 1.0.0 2321 | url = https://github.com/stratosphereips/zeek-package-log-gateway-IP 2322 | 2323 | [tenzir/zeek-mac-ages] 2324 | script_dir = scripts/tenzir/mac-ages 2325 | tags = conn, mac 2326 | url = https://github.com/tenzir/zeek-mac-ages 2327 | version = master 2328 | 2329 | [tenzir/zeek-tenzir] 2330 | aliases = tenzir 2331 | depends = 2332 | zeek >=4.0.0 2333 | description = This package is the official Zeek integration for Tenzir. 
2334 | script_dir = scripts 2335 | summary = The official Tenzir integration for Zeek 2336 | tags = tenzir, pipelines, logs, log shipping, postprocessor, rotation 2337 | url = https://github.com/tenzir/zeek-tenzir 2338 | version = master 2339 | 2340 | [theflakes/bro-large_uploads] 2341 | credits = Brian Kellogg 2342 | description = Raise notices on outgoing files over X bytes in size. 2343 | Also raise notices for multiple large outgoing Tx's in Y time frame. 2344 | tags = notices, uploads, conn 2345 | url = https://github.com/theflakes/bro-large_uploads 2346 | version = master 2347 | 2348 | [theparanoids/rdfp] 2349 | credits = Jeff Atkinson , 2350 | Copyright Verizon Media Group 2020 2351 | description = The script will create a new log which will log the details which build the fingerprint and some additional information. The fingerprint is created by concatenating extracted fields from different data packets. https://github.com/yahoo/rdfp 2352 | script_dir = scripts 2353 | url = https://github.com/theparanoids/rdfp 2354 | version = master 2355 | 2356 | [thibaultbl/variation_coefficient] 2357 | alias = coefficient_variation variation_coefficient 2358 | credits = T. BLANC 2359 | description = Implementing coefficient of variation (standard deviation / average), sort of relative standard deviation. 
2360 | script_dir = scripts 2361 | tags = statistics, stats, sumstats, standard_deviation, variance 2362 | url = https://github.com/thibaultbl/variation_coefficient 2363 | version = main 2364 | 2365 | [ukncsc/zeek-plugin-ikev2] 2366 | build_command = ( ./configure --bro-dist=%(bro_dist)s && make ) 2367 | depends = 2368 | zeek >=3.0.0 2369 | description = Plugin that enables parsing of the IKEv2 protocol 2370 | script_dir = scripts 2371 | tags = zeek plugin, protocol analyzer, log writer, vpn, ike, ikev2 2372 | test_command = ( cd tests && btest -d ) 2373 | url = https://github.com/ukncsc/zeek-plugin-ikev2 2374 | version = v0.1 2375 | 2376 | [vitalyrepin/uap-bro] 2377 | build_command = ./configure --bro-dist=%(bro_dist)s && make 2378 | config_files = build/scripts/init.bro 2379 | depends = 2380 | bro >=2.5.0 2381 | bro-pkg >=1.2 2382 | description = User Agent Parser - Bro implementation based on uap-core 2383 | external_depends = 2384 | libyaml-cpp-dev ~0.5.2 2385 | libboost-regex-dev ~1.58.0 2386 | plugin_dir = build 2387 | script_dir = build/scripts/VR/UAP 2388 | tags = bro plugin, uap, user_agent 2389 | test_command = ( cd tests && btest -d ) 2390 | version = master 2391 | url = https://github.com/vitalyrepin/uap-bro 2392 | 2393 | [zeek-packages/zeek-agent-v2] 2394 | build_command = git describe --always --long | sed 's/-[^-]*$//' >scripts/version.dat || true 2395 | depends = 2396 | zeek >=4.0.0 2397 | description = 2398 | script_dir = scripts 2399 | summary = Framework collecting Zeek Agent information from endpoints 2400 | test_command = make test 2401 | version = v2.3.0-dev 2402 | url = https://github.com/zeek-packages/zeek-agent-v2 2403 | 2404 | [zeek/hello-world] 2405 | depends = 2406 | zeek >=4.0.0 2407 | description = A test package to verify that your Zeek installation 2408 | can install packages successfully. 2409 | script_dir = scripts 2410 | summary = Hello World! 
2411 | test_command = cd testing && btest -c btest.cfg 2412 | url = https://github.com/zeek/hello-world 2413 | version = v1.0.0 2414 | 2415 | [zeek/logschema] 2416 | depends = 2417 | zeek >=5.2.0 2418 | description = This package generates schemas for Zeek's logs. 2419 | For every log your Zeek installation produces, the schema describes each log 2420 | field including name, type, docstring, and more. The package supports JSON Schema, 2421 | CSV, a Zeek log to capture schema information, and a custom JSON representation. 2422 | It understands Zeek's log customization in detail. The schema export code is 2423 | extensible, allowing you to produce your own schemas. 2424 | script_dir = scripts 2425 | summary = Log data schema generation 2426 | test_command = cd testing && ./btest.sh 2427 | url = https://github.com/zeek/logschema 2428 | version = main 2429 | 2430 | [zeek/osquery-framework] 2431 | depends = 2432 | zeek >=3.0.0-rc1 2433 | description = Osquery script framework for communicating with osquery endpoints 2434 | script_dir = osquery-framework 2435 | tags = osquery 2436 | version = v0.4 2437 | url = https://github.com/zeek/osquery-framework 2438 | 2439 | [zeek/spicy-analyzers] 2440 | depends = http://github.com/zeek/spicy-dhcp >=0.0.1 2441 | http://github.com/zeek/spicy-dns >=0.0.2 2442 | http://github.com/zeek/spicy-http >=0.0.1 2443 | http://github.com/zeek/spicy-pe >=0.0.3 2444 | http://github.com/zeek/spicy-png >=0.0.2 2445 | http://github.com/zeek/spicy-tftp >=0.0.1 2446 | http://github.com/zeek/spicy-zip >=0.0.1 2447 | description = Meta package for a number of Spicy-based analyzers. 2448 | summary = Meta package for a number of Spicy-based analyzers 2449 | url = https://github.com/zeek/spicy-analyzers 2450 | version = v0.2.33 2451 | 2452 | [zeek/spicy-dhcp] 2453 | build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build . 
2454 | description = Spicy-based analyzer for the DHCP protocol. 2455 | plugin_dir = build/spicy-modules 2456 | script_dir = analyzer 2457 | summary = Spicy-based analyzer for the DHCP protocol 2458 | test_command = cd tests && PATH=$(zkg config plugin_dir)/packages/spicy-plugin/bin:$PATH btest -d -j $(nproc) 2459 | url = https://github.com/zeek/spicy-dhcp 2460 | version = v0.0.11 2461 | 2462 | [zeek/spicy-dns] 2463 | build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build . 2464 | description = Spicy-based analyzer for the DNS protocol. 2465 | plugin_dir = build/spicy-modules 2466 | script_dir = analyzer 2467 | summary = Spicy-based analyzer for the DNS protocol 2468 | test_command = cd tests && PATH=$(zkg config plugin_dir)/packages/spicy-plugin/bin:$PATH btest -d -j $(nproc) 2469 | url = https://github.com/zeek/spicy-dns 2470 | version = v0.0.10 2471 | 2472 | [zeek/spicy-http] 2473 | build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build . 2474 | description = Spicy-based analyzer for the HTTP protocol. 2475 | plugin_dir = build/spicy-modules 2476 | script_dir = analyzer 2477 | summary = Spicy-based analyzer for the HTTP protocol 2478 | test_command = cd tests && PATH=$(zkg config plugin_dir)/packages/spicy-plugin/bin:$PATH btest -d -j $(nproc) 2479 | url = https://github.com/zeek/spicy-http 2480 | version = v0.0.10 2481 | 2482 | [zeek/spicy-ldap] 2483 | build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build . 
2484 | description = An LDAP analyzer based on Spicy 2485 | plugin_dir = build/spicy-modules 2486 | script_dir = analyzer 2487 | summary = LDAP analyzer 2488 | test_command = cd tests && PATH=$(zkg config plugin_dir)/packages/spicy-plugin/bin:$PATH btest -d -j $(nproc) 2489 | url = https://github.com/zeek/spicy-ldap 2490 | version = v0.0.16 2491 | 2492 | [zeek/spicy-pe] 2493 | build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build . 2494 | description = Spicy-based analyzer for the Portable Executable (PE) image format 2495 | plugin_dir = build/spicy-modules 2496 | script_dir = analyzer 2497 | summary = Spicy-based analyzer for the Portable Executable (PE) image format 2498 | test_command = cd tests && PATH=$(zkg config plugin_dir)/packages/spicy-plugin/bin:$PATH btest -d -j $(nproc) 2499 | url = https://github.com/zeek/spicy-pe 2500 | version = v0.0.13 2501 | 2502 | [zeek/spicy-plugin] 2503 | build_command = unset -v CXX CXXFLAGS LD LDFLAGS && mkdir -p build && cd build && cmake .. && make -j "${SPICY_ZKG_PROCESSES:-4}" 2504 | depends = zeek >=5.0.0 2505 | executables = build/bin/spicyz 2506 | plugin_dir = build 2507 | script_dir = scripts/Zeek/Spicy 2508 | test_command = unset -v CXX CXXFLAGS LD LDFLAGS && cd tests && btest -d -j "${SPICY_ZKG_PROCESSES:-4}" 2509 | url = https://github.com/zeek/spicy-plugin 2510 | version = v1.5.3 2511 | 2512 | [zeek/spicy-png] 2513 | build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build . 2514 | description = Spicy-based analyzer for the PNG file format. 
2515 | plugin_dir = build/spicy-modules 2516 | script_dir = analyzer 2517 | summary = Spicy-based analyzer for the PNG file format 2518 | test_command = cd tests && PATH=$(zkg config plugin_dir)/packages/spicy-plugin/bin:$PATH btest -d -j $(nproc) 2519 | url = https://github.com/zeek/spicy-png 2520 | version = v0.0.7 2521 | 2522 | [zeek/spicy-tftp] 2523 | build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build . 2524 | depends = 2525 | zeek >=4.0.0 2526 | description = Spicy-based analyzer for the TFTP protocol. 2527 | script_dir = scripts 2528 | summary = Spicy-based analyzer for the TFTP protocol 2529 | test_command = cd testing && btest -c btest.cfg 2530 | url = https://github.com/zeek/spicy-tftp 2531 | version = v0.0.5 2532 | 2533 | [zeek/spicy-zip] 2534 | build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build . 2535 | description = Spicy-based analyzer for the ZIP file format. 2536 | plugin_dir = build/spicy-modules 2537 | script_dir = analyzer 2538 | summary = Spicy-based analyzer for the ZIP file format 2539 | test_command = cd tests && PATH=$(zkg config plugin_dir)/packages/spicy-plugin/bin:$PATH btest -d -j $(nproc) 2540 | url = https://github.com/zeek/spicy-zip 2541 | version = v0.0.7 2542 | 2543 | [zeek/zeek-af_packet-plugin] 2544 | build_command = ./configure && make 2545 | depends = 2546 | zkg >=2.0 2547 | zeek >=4.0.0 2548 | description = This plugin provides native AF_Packet support for Zeek. 
2549 | plugin_dir = build/Zeek_AF_Packet.tgz 2550 | script_dir = scripts/af_packet 2551 | tags = zeek plugin, zeekctl plugin, packet source, af_packet 2552 | test_command = cd tests && btest -d 2553 | url = https://github.com/zeek/zeek-af_packet-plugin 2554 | version = 4.0.0 2555 | 2556 | [zeek/zeek-cluster-backend-nats] 2557 | build_command = ./configure && cmake --build build 2558 | description = 2559 | summary = NATS.io based cluster backend 2560 | test_command = cd testing && btest -c btest.cfg 2561 | url = https://github.com/zeek/zeek-cluster-backend-nats 2562 | version = v0.0.3 2563 | 2564 | [zeek/zeek-more-hashes] 2565 | build_command = ./configure && cd build && make 2566 | description = Additional hashing functions for Zeek, started with MurmurHash3. 2567 | name = MoreHashes 2568 | plugin_dir = build 2569 | script_dir = ./scripts/Zeek/MoreHashes 2570 | tags = mmh3 2571 | test_command = cd tests && btest -d -c btest.cfg 2572 | url = https://github.com/zeek/zeek-more-hashes 2573 | version = v0.3.0 2574 | 2575 | [zeek/zeek-netmap] 2576 | build_command = ./configure --with-netmap=%(netmap_root_dir)s && cd build && make 2577 | depends = 2578 | zeek >=3.1.0 2579 | description = Packet source plugin that provides native Netmap support. 
2580 | plugin_dir = build 2581 | tags = packet source, plugin, netmap 2582 | test_command = cd tests && btest -d -c btest.cfg 2583 | user_vars = 2584 | netmap_root_dir [] "Root directory of Netmap installation" 2585 | url = https://github.com/zeek/zeek-netmap 2586 | version = v2.0.1 2587 | 2588 | [zeek/zeek-perf-support] 2589 | build_command = ./configure && cmake --build build 2590 | description = 2591 | summary = perf support 2592 | test_command = cd testing && btest -c btest.cfg 2593 | url = https://github.com/zeek/zeek-perf-support 2594 | version = v0.6.0 2595 | 2596 | -------------------------------------------------------------------------------- /amarokinc/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/amarokinc/bad-asn 2 | https://github.com/amarokinc/remote_asn_geoip_conn 3 | -------------------------------------------------------------------------------- /amzn/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/amzn/zeek-plugin-bacnet 2 | https://github.com/amzn/zeek-plugin-enip 3 | https://github.com/amzn/zeek-plugin-profinet 4 | https://github.com/amzn/zeek-plugin-s7comm 5 | https://github.com/amzn/zeek-plugin-tds 6 | -------------------------------------------------------------------------------- /anthonykasza/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/anthonykasza/common-encodings 2 | https://github.com/anthonykasza/indicator-rules 3 | https://github.com/anthonykasza/ja4 4 | https://github.com/anthonykasza/ssl-extensions 5 | -------------------------------------------------------------------------------- /apache/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/apache/metron-bro-plugin-kafka 2 | -------------------------------------------------------------------------------- 
/awelzel/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/awelzel/zeek-conn-footprint 2 | https://github.com/awelzel/zeekjs-misp 3 | -------------------------------------------------------------------------------- /bricata/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/bricata/flow_labels 2 | -------------------------------------------------------------------------------- /brimsec/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/brimsec/geoip-conn 2 | -------------------------------------------------------------------------------- /captainGeech42/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/captainGeech42/zeek-bogon 2 | https://github.com/captainGeech42/zeek-intel-path 3 | -------------------------------------------------------------------------------- /chrisanag1985/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/chrisanag1985/suppress-ssl-notices 2 | -------------------------------------------------------------------------------- /cisagov/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/cisagov/ACID 2 | https://github.com/cisagov/icsnpp-bacnet 3 | https://github.com/cisagov/icsnpp-bsap 4 | https://github.com/cisagov/icsnpp-dnp3 5 | https://github.com/cisagov/icsnpp-enip 6 | https://github.com/cisagov/icsnpp-ethercat 7 | https://github.com/cisagov/icsnpp-ge-srtp 8 | https://github.com/cisagov/icsnpp-genisys 9 | https://github.com/cisagov/icsnpp-hart-ip 10 | https://github.com/cisagov/icsnpp-modbus 11 | https://github.com/cisagov/icsnpp-omron-fins 12 | https://github.com/cisagov/icsnpp-opcua-binary 13 | https://github.com/cisagov/icsnpp-profinet-io-cm 14 | 
https://github.com/cisagov/icsnpp-roc-plus 15 | https://github.com/cisagov/icsnpp-s7comm 16 | https://github.com/cisagov/icsnpp-synchrophasor 17 | -------------------------------------------------------------------------------- /corelight/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/corelight/boa-detector 2 | https://github.com/corelight/bro-drwatson 3 | https://github.com/corelight/bro-hardware 4 | https://github.com/corelight/bro-shellshock 5 | https://github.com/corelight/callstranger-detector 6 | https://github.com/corelight/conn-burst 7 | https://github.com/corelight/CVE-2020-16898 8 | https://github.com/corelight/CVE-2020-5902-F5BigIP 9 | https://github.com/corelight/CVE-2021-38647 10 | https://github.com/corelight/CVE-2021-42292 11 | https://github.com/corelight/cve-2021-44228 12 | https://github.com/corelight/cve-2022-21907 13 | https://github.com/corelight/cve-2022-22954 14 | https://github.com/corelight/CVE-2022-23270-PPTP 15 | https://github.com/corelight/CVE-2022-24491 16 | https://github.com/corelight/CVE-2022-24497 17 | https://github.com/corelight/cve-2022-26809 18 | https://github.com/corelight/CVE-2022-26937 19 | https://github.com/corelight/CVE-2022-3602 20 | https://github.com/corelight/detect-ransomware-filenames 21 | https://github.com/corelight/ExtendIntel 22 | https://github.com/corelight/got_zoom 23 | https://github.com/corelight/hassh 24 | https://github.com/corelight/http-stalling-detector 25 | https://github.com/corelight/icannTLD 26 | https://github.com/corelight/json-streaming-logs 27 | https://github.com/corelight/log-add-http-post-bodies 28 | https://github.com/corelight/log-add-vlan-everywhere 29 | https://github.com/corelight/my_stats 30 | https://github.com/corelight/pingback 31 | https://github.com/corelight/top-dns 32 | https://github.com/corelight/zeek-agenttesla-detector 33 | https://github.com/corelight/zeek-asyncrat-detector 34 | 
https://github.com/corelight/zeek-community-id 35 | https://github.com/corelight/zeek-elf 36 | https://github.com/corelight/zeek-globload 37 | https://github.com/corelight/zeek-gozi-detector 38 | https://github.com/corelight/zeek-jpeg 39 | https://github.com/corelight/zeek-long-connections 40 | https://github.com/corelight/zeek-macho 41 | https://github.com/corelight/zeek-nats-log-writer 42 | https://github.com/corelight/zeek-netsupport-detector 43 | https://github.com/corelight/zeek-notice-telegram 44 | https://github.com/corelight/zeek-quasarrat-detector 45 | https://github.com/corelight/zeek-quic 46 | https://github.com/corelight/zeek-spicy-facefish 47 | https://github.com/corelight/zeek-spicy-ipsec 48 | https://github.com/corelight/zeek-spicy-openvpn 49 | https://github.com/corelight/zeek-spicy-ospf 50 | https://github.com/corelight/zeek-spicy-stun 51 | https://github.com/corelight/zeek-spicy-wireguard 52 | https://github.com/corelight/zeek-strrat-detector 53 | https://github.com/corelight/zeek-xor-exe-plugin 54 | https://github.com/corelight/zeekjs 55 | https://github.com/corelight/zeekjs-notice-telegram 56 | https://github.com/corelight/zerologon 57 | https://github.com/corelight/ztest 58 | -------------------------------------------------------------------------------- /cyberUniBO/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/MichelangeloFlorio/Zeek-Pcap-Features-Extractor 2 | -------------------------------------------------------------------------------- /cybera/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/cybera/zeek-sniffpass 2 | -------------------------------------------------------------------------------- /dopheide/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/dopheide-esnet/bro-quic 2 | https://github.com/dopheide-esnet/zeek-jetdirect 3 | 
https://github.com/dopheide-esnet/zeek-known-hosts-with-dns 4 | https://github.com/dopheide-esnet/zeek-known-outbound 5 | https://github.com/dopheide-esnet/zeek-notice-config 6 | https://github.com/dopheide-esnet/zeek-ntp-monlist 7 | https://github.com/dopheide-esnet/zeek-ssh-interesting-hostnames-with-known 8 | https://github.com/dopheide/bro_notice_correlation 9 | https://github.com/dopheide/venom 10 | -------------------------------------------------------------------------------- /dovehawk/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/tylabs/dovehawk 2 | https://github.com/tylabs/dovehawk_dns 3 | https://github.com/tylabs/dovehawk_flow 4 | -------------------------------------------------------------------------------- /dw2102/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/dw2102/S7Comm-Analyzer 2 | -------------------------------------------------------------------------------- /elcabezzonn/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/elcabezzonn/http-header-count 2 | https://github.com/elcabezzonn/smb2-remote-file-copy 3 | -------------------------------------------------------------------------------- /emnahum/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/emnahum/zeek-pcapovertcp-plugin 2 | -------------------------------------------------------------------------------- /emojifier/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/emojifier/emojifier 2 | -------------------------------------------------------------------------------- /endace/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/endace/zeek-dag 2 | 
-------------------------------------------------------------------------------- /esnet-security/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/esnet-security/cve-2020-16898 2 | https://github.com/esnet-security/logfilter 3 | https://github.com/esnet-security/zeek-ebury 4 | https://github.com/esnet-security/Zeek-Known-Services-With-OrigFlag 5 | https://github.com/esnet-security/zeek-outbound-known-services-with-origflag 6 | https://github.com/esnet-security/zeek_scram 7 | -------------------------------------------------------------------------------- /esnet/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/esnet/zeek-exporter 2 | https://github.com/esnet/zeek_perfsonar_owamp 3 | -------------------------------------------------------------------------------- /evantypanski/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/evantypanski/spicy-redis 2 | -------------------------------------------------------------------------------- /fatemabw/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/fatemabw/bro-inventory-scripts 2 | https://github.com/fatemabw/kyd 3 | -------------------------------------------------------------------------------- /fdekeers/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/zeek-plugins/igmp 2 | https://github.com/zeek-plugins/mdns 3 | -------------------------------------------------------------------------------- /foxio/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/FoxIO-LLC/ja4 2 | -------------------------------------------------------------------------------- /hhzzk/zkg.index: 
-------------------------------------------------------------------------------- 1 | https://github.com/hhzzk/dns-tunnels 2 | -------------------------------------------------------------------------------- /hosom/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/hosom/bro-ja3 2 | https://github.com/hosom/bro-napatech 3 | https://github.com/hosom/bro-oui 4 | https://github.com/hosom/dummy-connections 5 | https://github.com/hosom/file-extraction 6 | https://github.com/hosom/log-filters 7 | -------------------------------------------------------------------------------- /initconf/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/initconf/2024-09-cups-linux-rce 2 | https://github.com/initconf/Apple-RDP-net-assistant-DoS.git 3 | https://github.com/initconf/blacklist 4 | https://github.com/initconf/CVE-2017-5638_struts 5 | https://github.com/initconf/CVE-2020-16898-Bad-Neighbor.git 6 | https://github.com/initconf/detect-kaspersky 7 | https://github.com/initconf/dns-heuristics 8 | https://github.com/initconf/ftp-bruteforce 9 | https://github.com/initconf/icmp-scans.git 10 | https://github.com/initconf/LetsEncrypt 11 | https://github.com/initconf/log4j.git 12 | https://github.com/initconf/phish-analysis 13 | https://github.com/initconf/RDP-bruteforce 14 | https://github.com/initconf/scan-NG 15 | https://github.com/initconf/sip-attacks.git 16 | https://github.com/initconf/smtp-url-analysis 17 | https://github.com/initconf/vnc-scanner 18 | https://github.com/initconf/ws-discovery-dos 19 | -------------------------------------------------------------------------------- /irtimmer/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/irtimmer/bro-xdp_packet-plugin 2 | -------------------------------------------------------------------------------- /j-gras/zkg.index: 
-------------------------------------------------------------------------------- 1 | https://github.com/J-Gras/add-interfaces 2 | https://github.com/J-Gras/add-json 3 | https://github.com/J-Gras/add-node-names 4 | https://github.com/J-Gras/bro-af_packet-plugin 5 | https://github.com/J-Gras/bro-fuzzy-hashing 6 | https://github.com/J-Gras/bro-lognorm 7 | https://github.com/J-Gras/intel-expire 8 | https://github.com/J-Gras/intel-extensions 9 | https://github.com/J-Gras/intel-limiter 10 | https://github.com/J-Gras/intel-seen-more 11 | -------------------------------------------------------------------------------- /jbaggs/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/jbaggs/anomalous-dns 2 | https://github.com/jbaggs/wildcard-domain 3 | -------------------------------------------------------------------------------- /jmellander/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/jmellander/BinaryHeap 2 | -------------------------------------------------------------------------------- /joesecurity/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/joesecurity/Joe-Sandbox-Bro 2 | -------------------------------------------------------------------------------- /jonzeolla/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/JonZeolla/scan-sampling 2 | -------------------------------------------------------------------------------- /jsiwek/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/jsiwek/zeek-cryptomining 2 | https://github.com/jsiwek/zeek-print-log-info 3 | -------------------------------------------------------------------------------- /jswaro/zkg.index: -------------------------------------------------------------------------------- 1 | 
https://github.com/jswaro/tcprs 2 | -------------------------------------------------------------------------------- /justinazoff/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/JustinAzoff/zeek-jemalloc-profiling 2 | -------------------------------------------------------------------------------- /keithjjones/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/keithjjones/zeek-amadey-detector 2 | https://github.com/keithjjones/zeek-njrat-detector 3 | -------------------------------------------------------------------------------- /klehigh/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/klehigh/find_smbv1 2 | -------------------------------------------------------------------------------- /mbispham/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/mbispham/zeekjs-redis 2 | -------------------------------------------------------------------------------- /micrictor/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/micrictor/smbfp 2 | https://github.com/micrictor/spl-spt 3 | -------------------------------------------------------------------------------- /mitre-attack/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/mitre-attack/bzar 2 | -------------------------------------------------------------------------------- /mitre/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/mitre/icap 2 | -------------------------------------------------------------------------------- /mitrecnd/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/MITRECND/bro-http2 2 | 
-------------------------------------------------------------------------------- /mvlnetdev/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/mvlnetdev/dportmatch 2 | -------------------------------------------------------------------------------- /ncsa/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/ncsa/bro-doctor 2 | https://github.com/ncsa/bro-interface-setup 3 | https://github.com/ncsa/bro-is-darknet 4 | https://github.com/ncsa/bro-simple-scan 5 | https://github.com/ncsa/bro-zeromq-writer 6 | -------------------------------------------------------------------------------- /nskelsey/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/nskelsey/aaalm 2 | -------------------------------------------------------------------------------- /ntop/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/ntop/bro-pf_ring 2 | -------------------------------------------------------------------------------- /nttcom/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/nttcom/zeek-parser-Bacnet 2 | https://github.com/nttcom/zeek-parser-CCLinkFieldBasic 3 | https://github.com/nttcom/zeek-parser-CCLinkIENoIP 4 | https://github.com/nttcom/zeek-parser-CCLinkTSNPTP 5 | https://github.com/nttcom/zeek-parser-CCLinkTSNSLMP 6 | https://github.com/nttcom/zeek-parser-CIFS-COM 7 | https://github.com/nttcom/zeek-parser-CIFS-NBNS-COM 8 | https://github.com/nttcom/zeek-parser-DHCPv4-COM 9 | https://github.com/nttcom/zeek-parser-DHCPv6-COM 10 | https://github.com/nttcom/zeek-parser-OmronFINS 11 | https://github.com/nttcom/zeek-parser-SSDP-COM 12 | -------------------------------------------------------------------------------- /pgaulon/zkg.index: 
-------------------------------------------------------------------------------- 1 | https://github.com/pgaulon/zeek-notice-slack 2 | https://github.com/pgaulon/zeekjs-notice-slack 3 | -------------------------------------------------------------------------------- /precurse/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/precurse/zeek-httpattacks 2 | -------------------------------------------------------------------------------- /qintel/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/qintel/qsentry-zeek 2 | -------------------------------------------------------------------------------- /reshadp/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/reshadp/zeek-log-add-mac-addresses 2 | -------------------------------------------------------------------------------- /rvictory/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/rvictory/zeek-new-domains 2 | -------------------------------------------------------------------------------- /saiiman/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/SECUINFRA/zeek-exfil-detect 2 | -------------------------------------------------------------------------------- /salesforce/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/salesforce/bro-sysmon 2 | https://github.com/salesforce/GQUIC_Protocol_Analyzer 3 | https://github.com/salesforce/ja3 4 | -------------------------------------------------------------------------------- /sandialabs/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/sandialabs/gait 2 | 
-------------------------------------------------------------------------------- /seisollc/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/seisollc/zeek-kafka 2 | -------------------------------------------------------------------------------- /sethhall/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/sethhall/bro-myricom 2 | https://github.com/sethhall/credit-card-exposure 3 | https://github.com/sethhall/domain-tld 4 | https://github.com/sethhall/ssn-exposure 5 | https://github.com/sethhall/unknown-mime-type-discovery 6 | https://github.com/sethhall/zeek-log-all-http-headers 7 | -------------------------------------------------------------------------------- /sfinlon/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/sfinlon/cif-zeek 2 | -------------------------------------------------------------------------------- /shodan/zkg.index: -------------------------------------------------------------------------------- 1 | https://gitlab.com/shodan-public/shodan-zeek/ 2 | -------------------------------------------------------------------------------- /sithari/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/sithari/icmp-exfil-detection 2 | -------------------------------------------------------------------------------- /srozb/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/srozb/dns_axfr 2 | https://github.com/srozb/http_csp 3 | -------------------------------------------------------------------------------- /stevesmoot/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/corelight/zeek_metainfo 2 | https://github.com/stevesmoot/appid 3 | https://github.com/stevesmoot/localcountry 4 
| -------------------------------------------------------------------------------- /stratosphereips/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/stratosphereips/zeek-package-ARP 2 | https://github.com/stratosphereips/zeek-package-detect-DoH 3 | https://github.com/stratosphereips/zeek-package-IRC 4 | https://github.com/stratosphereips/zeek-package-log-gateway-IP 5 | -------------------------------------------------------------------------------- /tenzir/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/tenzir/zeek-mac-ages 2 | https://github.com/tenzir/zeek-tenzir 3 | -------------------------------------------------------------------------------- /theflakes/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/theflakes/bro-large_uploads 2 | -------------------------------------------------------------------------------- /theparanoids/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/theparanoids/rdfp 2 | -------------------------------------------------------------------------------- /thibaultbl/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/thibaultbl/variation_coefficient 2 | -------------------------------------------------------------------------------- /ukncsc/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/ukncsc/zeek-plugin-ikev2 2 | -------------------------------------------------------------------------------- /vitalyrepin/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/vitalyrepin/uap-bro 2 | -------------------------------------------------------------------------------- /zeek-packages/zkg.index: 
-------------------------------------------------------------------------------- 1 | https://github.com/zeek-packages/zeek-agent-v2 2 | -------------------------------------------------------------------------------- /zeek/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/zeek/hello-world 2 | https://github.com/zeek/logschema 3 | https://github.com/zeek/osquery-framework 4 | https://github.com/zeek/spicy-analyzers 5 | https://github.com/zeek/spicy-dhcp 6 | https://github.com/zeek/spicy-dns 7 | https://github.com/zeek/spicy-http 8 | https://github.com/zeek/spicy-ldap 9 | https://github.com/zeek/spicy-pe 10 | https://github.com/zeek/spicy-plugin 11 | https://github.com/zeek/spicy-png 12 | https://github.com/zeek/spicy-tftp 13 | https://github.com/zeek/spicy-zip 14 | https://github.com/zeek/zeek-af_packet-plugin 15 | https://github.com/zeek/zeek-cluster-backend-nats 16 | https://github.com/zeek/zeek-more-hashes 17 | https://github.com/zeek/zeek-netmap 18 | https://github.com/zeek/zeek-perf-support 19 | --------------------------------------------------------------------------------