├── foxio └── zkg.index ├── jswaro └── zkg.index ├── mitre └── zkg.index ├── endace └── zkg.index ├── hhzzk └── zkg.index ├── nskelsey └── zkg.index ├── ntop └── zkg.index ├── sfinlon └── zkg.index ├── bricata └── zkg.index ├── brimsec └── zkg.index ├── cybera └── zkg.index ├── dw2102 └── zkg.index ├── emojifier └── zkg.index ├── klehigh └── zkg.index ├── mbispham └── zkg.index ├── mitre-attack └── zkg.index ├── mitrecnd └── zkg.index ├── mvlnetdev └── zkg.index ├── qintel └── zkg.index ├── sandialabs └── zkg.index ├── seisollc └── zkg.index ├── theparanoids └── zkg.index ├── 0xl3x1 └── zkg.index ├── AmazingPP └── zkg.index ├── jmellander └── zkg.index ├── jonzeolla └── zkg.index ├── precurse └── zkg.index ├── rvictory └── zkg.index ├── saiiman └── zkg.index ├── shodan └── zkg.index ├── ukncsc └── zkg.index ├── vitalyrepin └── zkg.index ├── apache └── zkg.index ├── emnahum └── zkg.index ├── irtimmer └── zkg.index ├── joesecurity └── zkg.index ├── sithari └── zkg.index ├── theflakes └── zkg.index ├── reshadp └── zkg.index ├── thibaultbl └── zkg.index ├── zeek-packages └── zkg.index ├── chrisanag1985 └── zkg.index ├── justinazoff └── zkg.index ├── cyberUniBO └── zkg.index ├── srozb └── zkg.index ├── fdekeers └── zkg.index ├── micrictor └── zkg.index ├── tenzir └── zkg.index ├── esnet └── zkg.index ├── fatemabw └── zkg.index ├── jbaggs └── zkg.index ├── amarokinc └── zkg.index ├── jsiwek └── zkg.index ├── pgaulon └── zkg.index ├── captainGeech42 └── zkg.index ├── elcabezzonn └── zkg.index ├── keithjjones └── zkg.index ├── dovehawk └── zkg.index ├── stevesmoot └── zkg.index ├── evantypanski └── zkg.index ├── salesforce └── zkg.index ├── activecm └── zkg.index ├── awelzel └── zkg.index ├── anthonykasza └── zkg.index ├── ncsa └── zkg.index ├── amzn └── zkg.index ├── hosom └── zkg.index ├── stratosphereips └── zkg.index ├── sethhall └── zkg.index ├── .github └── workflows │ ├── pre-commit.yml │ ├── aggregator.yml │ └── test-aggregation.yml ├── esnet-security └── zkg.index 
├── .pre-commit-config.yaml ├── j-gras └── zkg.index ├── 0xxon └── zkg.index ├── dopheide └── zkg.index ├── nttcom └── zkg.index ├── zeek └── zkg.index ├── cisagov └── zkg.index ├── initconf └── zkg.index ├── README.rst ├── corelight └── zkg.index └── aggregate.meta /foxio/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/FoxIO-LLC/ja4 2 | -------------------------------------------------------------------------------- /jswaro/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/jswaro/tcprs 2 | -------------------------------------------------------------------------------- /mitre/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/mitre/icap 2 | -------------------------------------------------------------------------------- /endace/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/endace/zeek-dag 2 | -------------------------------------------------------------------------------- /hhzzk/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/hhzzk/dns-tunnels 2 | -------------------------------------------------------------------------------- /nskelsey/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/nskelsey/aaalm 2 | -------------------------------------------------------------------------------- /ntop/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/ntop/bro-pf_ring 2 | -------------------------------------------------------------------------------- /sfinlon/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/sfinlon/cif-zeek 2 | 
-------------------------------------------------------------------------------- /bricata/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/bricata/flow_labels 2 | -------------------------------------------------------------------------------- /brimsec/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/brimsec/geoip-conn 2 | -------------------------------------------------------------------------------- /cybera/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/cybera/zeek-sniffpass 2 | -------------------------------------------------------------------------------- /dw2102/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/dw2102/S7Comm-Analyzer 2 | -------------------------------------------------------------------------------- /emojifier/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/emojifier/emojifier 2 | -------------------------------------------------------------------------------- /klehigh/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/klehigh/find_smbv1 2 | -------------------------------------------------------------------------------- /mbispham/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/mbispham/zeekjs-redis 2 | -------------------------------------------------------------------------------- /mitre-attack/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/mitre-attack/bzar 2 | -------------------------------------------------------------------------------- /mitrecnd/zkg.index: 
-------------------------------------------------------------------------------- 1 | https://github.com/MITRECND/bro-http2 2 | -------------------------------------------------------------------------------- /mvlnetdev/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/mvlnetdev/dportmatch 2 | -------------------------------------------------------------------------------- /qintel/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/qintel/qsentry-zeek 2 | -------------------------------------------------------------------------------- /sandialabs/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/sandialabs/gait 2 | -------------------------------------------------------------------------------- /seisollc/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/seisollc/zeek-kafka 2 | -------------------------------------------------------------------------------- /theparanoids/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/theparanoids/rdfp 2 | -------------------------------------------------------------------------------- /0xl3x1/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/0xl3x1/zeek-EternalSafety 2 | -------------------------------------------------------------------------------- /AmazingPP/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/AmazingPP/zeek-capwap 2 | -------------------------------------------------------------------------------- /jmellander/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/jmellander/BinaryHeap 2 | 
-------------------------------------------------------------------------------- /jonzeolla/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/JonZeolla/scan-sampling 2 | -------------------------------------------------------------------------------- /precurse/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/precurse/zeek-httpattacks 2 | -------------------------------------------------------------------------------- /rvictory/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/rvictory/zeek-new-domains 2 | -------------------------------------------------------------------------------- /saiiman/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/SECUINFRA/zeek-exfil-detect 2 | -------------------------------------------------------------------------------- /shodan/zkg.index: -------------------------------------------------------------------------------- 1 | https://gitlab.com/shodan-public/shodan-zeek/ 2 | -------------------------------------------------------------------------------- /ukncsc/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/ukncsc/zeek-plugin-ikev2 2 | -------------------------------------------------------------------------------- /vitalyrepin/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/vitalyrepin/uap-bro 2 | -------------------------------------------------------------------------------- /apache/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/apache/metron-bro-plugin-kafka 2 | -------------------------------------------------------------------------------- /emnahum/zkg.index: 
-------------------------------------------------------------------------------- 1 | https://github.com/emnahum/zeek-pcapovertcp-plugin 2 | -------------------------------------------------------------------------------- /irtimmer/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/irtimmer/bro-xdp_packet-plugin 2 | -------------------------------------------------------------------------------- /joesecurity/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/joesecurity/Joe-Sandbox-Bro 2 | -------------------------------------------------------------------------------- /sithari/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/sithari/icmp-exfil-detection 2 | -------------------------------------------------------------------------------- /theflakes/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/theflakes/bro-large_uploads 2 | -------------------------------------------------------------------------------- /reshadp/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/reshadp/zeek-log-add-mac-addresses 2 | -------------------------------------------------------------------------------- /thibaultbl/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/thibaultbl/variation_coefficient 2 | -------------------------------------------------------------------------------- /zeek-packages/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/zeek-packages/zeek-agent-v2 2 | -------------------------------------------------------------------------------- /chrisanag1985/zkg.index: 
-------------------------------------------------------------------------------- 1 | https://github.com/chrisanag1985/suppress-ssl-notices 2 | -------------------------------------------------------------------------------- /justinazoff/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/JustinAzoff/zeek-jemalloc-profiling 2 | -------------------------------------------------------------------------------- /cyberUniBO/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/MichelangeloFlorio/Zeek-Pcap-Features-Extractor 2 | -------------------------------------------------------------------------------- /srozb/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/srozb/dns_axfr 2 | https://github.com/srozb/http_csp 3 | -------------------------------------------------------------------------------- /fdekeers/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/zeek-plugins/igmp 2 | https://github.com/zeek-plugins/mdns 3 | -------------------------------------------------------------------------------- /micrictor/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/micrictor/smbfp 2 | https://github.com/micrictor/spl-spt 3 | -------------------------------------------------------------------------------- /tenzir/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/tenzir/zeek-mac-ages 2 | https://github.com/tenzir/zeek-tenzir 3 | -------------------------------------------------------------------------------- /esnet/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/esnet/zeek-exporter 2 | https://github.com/esnet/zeek_perfsonar_owamp 3 | 
-------------------------------------------------------------------------------- /fatemabw/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/fatemabw/bro-inventory-scripts 2 | https://github.com/fatemabw/kyd 3 | -------------------------------------------------------------------------------- /jbaggs/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/jbaggs/anomalous-dns 2 | https://github.com/jbaggs/wildcard-domain 3 | -------------------------------------------------------------------------------- /amarokinc/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/amarokinc/bad-asn 2 | https://github.com/amarokinc/remote_asn_geoip_conn 3 | -------------------------------------------------------------------------------- /jsiwek/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/jsiwek/zeek-cryptomining 2 | https://github.com/jsiwek/zeek-print-log-info 3 | -------------------------------------------------------------------------------- /pgaulon/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/pgaulon/zeek-notice-slack 2 | https://github.com/pgaulon/zeekjs-notice-slack 3 | -------------------------------------------------------------------------------- /captainGeech42/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/captainGeech42/zeek-bogon 2 | https://github.com/captainGeech42/zeek-intel-path 3 | -------------------------------------------------------------------------------- /elcabezzonn/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/elcabezzonn/http-header-count 2 | https://github.com/elcabezzonn/smb2-remote-file-copy 3 
| -------------------------------------------------------------------------------- /keithjjones/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/keithjjones/zeek-amadey-detector 2 | https://github.com/keithjjones/zeek-njrat-detector 3 | -------------------------------------------------------------------------------- /dovehawk/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/tylabs/dovehawk 2 | https://github.com/tylabs/dovehawk_dns 3 | https://github.com/tylabs/dovehawk_flow 4 | -------------------------------------------------------------------------------- /stevesmoot/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/corelight/zeek_metainfo 2 | https://github.com/stevesmoot/appid 3 | https://github.com/stevesmoot/localcountry 4 | -------------------------------------------------------------------------------- /evantypanski/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/evantypanski/spicy-nats 2 | https://github.com/evantypanski/spicy-redis 3 | https://github.com/evantypanski/xdp-zeek 4 | -------------------------------------------------------------------------------- /salesforce/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/salesforce/bro-sysmon 2 | https://github.com/salesforce/GQUIC_Protocol_Analyzer 3 | https://github.com/salesforce/ja3 4 | -------------------------------------------------------------------------------- /activecm/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/activecm/bro-mongodb.git 2 | https://github.com/activecm/bro-rita.git 3 | https://github.com/activecm/zeek-open-connections 4 | 
-------------------------------------------------------------------------------- /awelzel/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/awelzel/zeek-conn-footprint 2 | https://github.com/awelzel/zeekctl-systemd 3 | https://github.com/awelzel/zeekjs-misp 4 | https://github.com/awelzel/zeekjs-udp-logging 5 | -------------------------------------------------------------------------------- /anthonykasza/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/anthonykasza/common-encodings 2 | https://github.com/anthonykasza/indicator-rules 3 | https://github.com/anthonykasza/ja4 4 | https://github.com/anthonykasza/ssl-extensions 5 | -------------------------------------------------------------------------------- /ncsa/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/ncsa/bro-doctor 2 | https://github.com/ncsa/bro-interface-setup 3 | https://github.com/ncsa/bro-is-darknet 4 | https://github.com/ncsa/bro-simple-scan 5 | https://github.com/ncsa/bro-zeromq-writer 6 | -------------------------------------------------------------------------------- /amzn/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/amzn/zeek-plugin-bacnet 2 | https://github.com/amzn/zeek-plugin-enip 3 | https://github.com/amzn/zeek-plugin-profinet 4 | https://github.com/amzn/zeek-plugin-s7comm 5 | https://github.com/amzn/zeek-plugin-tds 6 | -------------------------------------------------------------------------------- /hosom/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/hosom/bro-ja3 2 | https://github.com/hosom/bro-napatech 3 | https://github.com/hosom/bro-oui 4 | https://github.com/hosom/dummy-connections 5 | https://github.com/hosom/file-extraction 6 | 
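https://github.com/hosom/log-filters
--------------------------------------------------------------------------------
/stratosphereips/zkg.index:
--------------------------------------------------------------------------------
https://github.com/stratosphereips/zeek-package-ARP
https://github.com/stratosphereips/zeek-package-detect-DoH
https://github.com/stratosphereips/zeek-package-IRC
https://github.com/stratosphereips/zeek-package-log-gateway-IP
--------------------------------------------------------------------------------
/sethhall/zkg.index:
--------------------------------------------------------------------------------
https://github.com/sethhall/bro-myricom
https://github.com/sethhall/credit-card-exposure
https://github.com/sethhall/domain-tld
https://github.com/sethhall/ssn-exposure
https://github.com/sethhall/unknown-mime-type-discovery
https://github.com/sethhall/zeek-log-all-http-headers
--------------------------------------------------------------------------------
/.github/workflows/pre-commit.yml:
--------------------------------------------------------------------------------
name: pre-commit

on:
  pull_request:
  push:
    branches: [master]

# Least privilege: the job only reads the checkout and runs the hooks; nothing
# here writes to the repository, so GITHUB_TOKEN gets read access only.
permissions:
  contents: read

jobs:
  pre-commit:
    runs-on: ubuntu-22.04
    steps:
      # NOTE(review): these are mutable tag refs. Pinning each action to a full
      # commit SHA (`uses: owner/action@<sha> # vX`) protects against a moved tag.
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
      - uses: pre-commit/action@v3.0.1
--------------------------------------------------------------------------------
/esnet-security/zkg.index:
--------------------------------------------------------------------------------
https://github.com/esnet-security/cve-2020-16898
https://github.com/esnet-security/logfilter
https://github.com/esnet-security/zeek-ebury
https://github.com/esnet-security/Zeek-Known-Services-With-OrigFlag
https://github.com/esnet-security/zeek-outbound-known-services-with-origflag
https://github.com/esnet-security/zeek_scram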
-------------------------------------------------------------------------------- /.pre-commit-config.yaml: -------------------------------------------------------------------------------- 1 | # See https://pre-commit.com for more information 2 | # See https://pre-commit.com/hooks.html for more hooks 3 | repos: 4 | - repo: https://github.com/pre-commit/pre-commit-hooks 5 | rev: v5.0.0 6 | hooks: 7 | - id: trailing-whitespace 8 | - id: end-of-file-fixer 9 | - id: file-contents-sorter 10 | files: 'zkg.index' 11 | args: 12 | - "--ignore-case" 13 | 14 | exclude: aggregate.meta 15 | -------------------------------------------------------------------------------- /j-gras/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/J-Gras/add-interfaces 2 | https://github.com/J-Gras/add-json 3 | https://github.com/J-Gras/add-node-names 4 | https://github.com/J-Gras/bro-af_packet-plugin 5 | https://github.com/J-Gras/bro-fuzzy-hashing 6 | https://github.com/J-Gras/bro-lognorm 7 | https://github.com/J-Gras/intel-expire 8 | https://github.com/J-Gras/intel-extensions 9 | https://github.com/J-Gras/intel-limiter 10 | https://github.com/J-Gras/intel-seen-more 11 | -------------------------------------------------------------------------------- /0xxon/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/0xxon/cve-2020-0601 2 | https://github.com/0xxon/cve-2020-0601-plugin 3 | https://github.com/0xxon/cve-2020-13777 4 | https://github.com/0xxon/zeek-network-statistics 5 | https://github.com/0xxon/zeek-os-package-tracking 6 | https://github.com/0xxon/zeek-plugin-roca 7 | https://github.com/0xxon/zeek-postgresql 8 | https://github.com/0xxon/zeek-sshprebannermessage 9 | https://github.com/0xxon/zeek-sumstats-counttable 10 | https://github.com/0xxon/zeek-tls-log-alternative 11 | -------------------------------------------------------------------------------- 
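/dopheide/zkg.index:
--------------------------------------------------------------------------------
https://github.com/dopheide-esnet/bro-quic
https://github.com/dopheide-esnet/zeek-jetdirect
https://github.com/dopheide-esnet/zeek-known-hosts-with-dns
https://github.com/dopheide-esnet/zeek-known-outbound
https://github.com/dopheide-esnet/zeek-notice-config
https://github.com/dopheide-esnet/zeek-ntp-monlist
https://github.com/dopheide-esnet/zeek-ssh-interesting-hostnames-with-known
https://github.com/dopheide/bro_notice_correlation
https://github.com/dopheide/venom
--------------------------------------------------------------------------------
/nttcom/zkg.index:
--------------------------------------------------------------------------------
https://github.com/nttcom/zeek-parser-Bacnet
https://github.com/nttcom/zeek-parser-CCLinkFieldBasic
https://github.com/nttcom/zeek-parser-CCLinkIENoIP
https://github.com/nttcom/zeek-parser-CCLinkTSNPTP
https://github.com/nttcom/zeek-parser-CCLinkTSNSLMP
https://github.com/nttcom/zeek-parser-CIFS-COM
https://github.com/nttcom/zeek-parser-CIFS-NBNS-COM
https://github.com/nttcom/zeek-parser-DHCPv4-COM
https://github.com/nttcom/zeek-parser-DHCPv6-COM
https://github.com/nttcom/zeek-parser-OmronFINS
https://github.com/nttcom/zeek-parser-SSDP-COM
--------------------------------------------------------------------------------
/.github/workflows/aggregator.yml:
--------------------------------------------------------------------------------
name: Aggregate package source

on:
  push:
    branches:
      - master
  # Re-aggregate every three hours so metadata changes in the listed package
  # repositories are picked up without a commit to this repository.
  schedule:
    - cron: '0 */3 * * *'

# Least privilege: this job never uses GITHUB_TOKEN (there is no checkout step,
# and the push authenticates with the bot token in ZKG_DEFAULT_SOURCE), so the
# workflow token gets no permissions at all.
permissions: {}

jobs:
  aggregate-metadata:
    # Forks do not have ZEEK_BOT_TOKEN; this guard keeps the job from running
    # (and failing on an empty credential) anywhere but the upstream repository.
    if: github.repository == 'zeek/packages'
    runs-on: ubuntu-latest
    env:
      # The bot PAT is embedded in the remote URL, so it ends up in the clone's
      # git config on the runner and can appear in verbose git/zkg output.
      # Actions masks the registered secret value in logs, but keep this a
      # fine-grained token limited to this repository with contents:write only,
      # and rotate it if a run's logs are ever shared.
      ZKG_DEFAULT_SOURCE: https://zeek-bot:${{ secrets.ZEEK_BOT_TOKEN }}@github.com/${{ github.repository }}
    steps:
      - name: zkg refresh
        run: |
          git config --global user.name zeek-bot
          git config --global user.email info@zeek.org
          # NOTE(review): zkg is installed unpinned from PyPI on every run, so a
          # compromised or broken release would execute here with push access.
          # Pin it (`zkg==<version>`, ideally with `--require-hashes`) and bump
          # deliberately.
          # --aggregate fetches metadata from every repository listed in the
          # zkg.index files; --push commits the regenerated aggregate.meta back.
          pip3 install zkg && zkg -vvv refresh --aggregate --fail-on-aggregate-problems --push
--------------------------------------------------------------------------------
/zeek/zkg.index:
--------------------------------------------------------------------------------
https://github.com/zeek/hello-world
https://github.com/zeek/logschema
https://github.com/zeek/osquery-framework
https://github.com/zeek/spicy-analyzers
https://github.com/zeek/spicy-dhcp
https://github.com/zeek/spicy-dns
https://github.com/zeek/spicy-http
https://github.com/zeek/spicy-ldap
https://github.com/zeek/spicy-pe
https://github.com/zeek/spicy-plugin
https://github.com/zeek/spicy-png
https://github.com/zeek/spicy-tftp
https://github.com/zeek/spicy-zip
https://github.com/zeek/zeek-af_packet-plugin
https://github.com/zeek/zeek-cluster-backend-nats
https://github.com/zeek/zeek-more-hashes
https://github.com/zeek/zeek-netmap
https://github.com/zeek/zeek-perf-support
--------------------------------------------------------------------------------
/cisagov/zkg.index:
--------------------------------------------------------------------------------
https://github.com/cisagov/ACID
https://github.com/cisagov/icsnpp-bacnet
https://github.com/cisagov/icsnpp-bsap
https://github.com/cisagov/icsnpp-c1222
https://github.com/cisagov/icsnpp-dnp3
https://github.com/cisagov/icsnpp-enip
https://github.com/cisagov/icsnpp-ethercat
https://github.com/cisagov/icsnpp-ge-srtp
https://github.com/cisagov/icsnpp-genisys
https://github.com/cisagov/icsnpp-hart-ip
https://github.com/cisagov/icsnpp-modbus
https://github.com/cisagov/icsnpp-omron-fins
https://github.com/cisagov/icsnpp-opcua-binary
https://github.com/cisagov/icsnpp-profinet-io-cm
https://github.com/cisagov/icsnpp-roc-plus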
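https://github.com/cisagov/icsnpp-s7comm
https://github.com/cisagov/icsnpp-synchrophasor
--------------------------------------------------------------------------------
/.github/workflows/test-aggregation.yml:
--------------------------------------------------------------------------------
name: Test aggregation for PRs

# Deliberately `pull_request`, not `pull_request_target`: this job checks out
# PR content (including from forks) and the aggregation step fetches every
# repository URL the PR's zkg.index files list, i.e. attacker-chosen input.
# Under `pull_request` a fork PR runs with a read-only GITHUB_TOKEN and no
# repository secrets; do not switch the trigger to gain write access without
# re-evaluating that.
on:
  pull_request

# Least privilege: the checkout only needs to read the repository.
permissions:
  contents: read

jobs:
  aggregate-metadata:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): mutable tag ref; pin to a full commit SHA
      # (`actions/checkout@<sha> # v5`) to guard against a moved tag.
      - uses: actions/checkout@v5
      - name: Switch to valid git branch
        run: |
          # This forces git to recognize that we're on a branch when it tries to pull the
          # local directory as the source.
          git switch -c gh-action-${GITHUB_RUN_ID}
      - name: Install zkg
        run: |
          # NOTE(review): unpinned install from PyPI; pin `zkg==<version>` so PR
          # checks are reproducible and unaffected by a bad or malicious release.
          pip3 install zkg
      - name: zkg refresh
        env:
          # Override the default source used by 'zkg refresh' to point at the
          # checkout for the PR.
          ZKG_DEFAULT_SOURCE: "."
        run: |
          # --fail-on-aggregate-problems makes aggregation problems (e.g. a
          # listed repository that cannot be fetched) fail the check instead
          # of only being logged.
          zkg -vvv refresh --aggregate --fail-on-aggregate-problems
--------------------------------------------------------------------------------
/initconf/zkg.index:
--------------------------------------------------------------------------------
https://github.com/initconf/2024-09-cups-linux-rce
https://github.com/initconf/Apple-RDP-net-assistant-DoS.git
https://github.com/initconf/blacklist
https://github.com/initconf/CVE-2017-5638_struts
https://github.com/initconf/CVE-2020-16898-Bad-Neighbor.git
https://github.com/initconf/detect-kaspersky
https://github.com/initconf/dns-heuristics
https://github.com/initconf/ftp-bruteforce
https://github.com/initconf/icmp-scans.git
https://github.com/initconf/LetsEncrypt
https://github.com/initconf/log4j.git
https://github.com/initconf/phish-analysis
https://github.com/initconf/RDP-bruteforce
https://github.com/initconf/scan-NG
https://github.com/initconf/sip-attacks.git
https://github.com/initconf/smtp-url-analysis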
https://github.com/initconf/vnc-scanner 18 | https://github.com/initconf/ws-discovery-dos 19 | -------------------------------------------------------------------------------- /README.rst: -------------------------------------------------------------------------------- 1 | .. _zeek/packages repository: https://github.com/zeek/packages 2 | .. _Zeek Package Manager: https://github.com/zeek/package-manager 3 | .. _Zeek package: https://docs.zeek.org/projects/package-manager/en/stable/package.html 4 | .. _package index file: https://docs.zeek.org/projects/package-manager/en/stable/source.html#package-index-files 5 | .. _pre-commit: https://pre-commit.com/ 6 | 7 | Zeek Package Source 8 | =================== 9 | 10 | This is the default package source for the `Zeek Package Manager`_. 11 | 12 | Package Submission Process 13 | -------------------------- 14 | 15 | Use the following process to submit packages (please only submit your 16 | own work/packages): 17 | 18 | #. Create a `Zeek package`_. Make sure to set the ``tags`` 19 | and ``description`` metadata fields to help people discover 20 | your package. Also make sure you put the license information 21 | for your package in a COPYING or LICENSE file. 22 | #. Host your package's git repository at a public location. 23 | E.g. put it on GitHub. 24 | #. Fork this `zeek/packages repository`_ on GitHub. 25 | #. Create a directory within your fork with a name that uniquely 26 | identifies you. E.g. if you're hosting packages on GitHub, name 27 | the directory the same as your GitHub username. If you're hosting 28 | it somewhere else, you could use a domain name or organization name 29 | for the directory. 30 | #. Put a `package index file`_ within the directory you just made. 31 | #. Commit/push the changes you made to your fork. 32 | #. Optional: Use `pre-commit`_ to verify your changes by running ``pre-commit run -a``. 33 | #. Submit a *pull request*. 
34 | -------------------------------------------------------------------------------- /corelight/zkg.index: -------------------------------------------------------------------------------- 1 | https://github.com/corelight/boa-detector 2 | https://github.com/corelight/bro-drwatson 3 | https://github.com/corelight/bro-hardware 4 | https://github.com/corelight/bro-shellshock 5 | https://github.com/corelight/callstranger-detector 6 | https://github.com/corelight/conn-burst 7 | https://github.com/corelight/CVE-2020-16898 8 | https://github.com/corelight/CVE-2020-5902-F5BigIP 9 | https://github.com/corelight/CVE-2021-38647 10 | https://github.com/corelight/CVE-2021-42292 11 | https://github.com/corelight/cve-2021-44228 12 | https://github.com/corelight/cve-2022-21907 13 | https://github.com/corelight/cve-2022-22954 14 | https://github.com/corelight/CVE-2022-23270-PPTP 15 | https://github.com/corelight/CVE-2022-24491 16 | https://github.com/corelight/CVE-2022-24497 17 | https://github.com/corelight/cve-2022-26809 18 | https://github.com/corelight/CVE-2022-26937 19 | https://github.com/corelight/CVE-2022-3602 20 | https://github.com/corelight/detect-ransomware-filenames 21 | https://github.com/corelight/ExtendIntel 22 | https://github.com/corelight/got_zoom 23 | https://github.com/corelight/hassh 24 | https://github.com/corelight/http-stalling-detector 25 | https://github.com/corelight/icannTLD 26 | https://github.com/corelight/json-streaming-logs 27 | https://github.com/corelight/log-add-http-post-bodies 28 | https://github.com/corelight/log-add-vlan-everywhere 29 | https://github.com/corelight/my_stats 30 | https://github.com/corelight/pingback 31 | https://github.com/corelight/top-dns 32 | https://github.com/corelight/zeek-agenttesla-detector 33 | https://github.com/corelight/zeek-asyncrat-detector 34 | https://github.com/corelight/zeek-community-id 35 | https://github.com/corelight/zeek-elf 36 | https://github.com/corelight/zeek-globload 37 | 
https://github.com/corelight/zeek-gozi-detector 38 | https://github.com/corelight/zeek-jpeg 39 | https://github.com/corelight/zeek-long-connections 40 | https://github.com/corelight/zeek-macho 41 | https://github.com/corelight/zeek-mercury-npf 42 | https://github.com/corelight/zeek-nats-log-writer 43 | https://github.com/corelight/zeek-netsupport-detector 44 | https://github.com/corelight/zeek-notice-telegram 45 | https://github.com/corelight/zeek-quasarrat-detector 46 | https://github.com/corelight/zeek-quic 47 | https://github.com/corelight/zeek-spicy-facefish 48 | https://github.com/corelight/zeek-spicy-ipsec 49 | https://github.com/corelight/zeek-spicy-openvpn 50 | https://github.com/corelight/zeek-spicy-ospf 51 | https://github.com/corelight/zeek-spicy-stun 52 | https://github.com/corelight/zeek-spicy-wireguard 53 | https://github.com/corelight/zeek-strrat-detector 54 | https://github.com/corelight/zeek-xor-exe-plugin 55 | https://github.com/corelight/zeekjs 56 | https://github.com/corelight/zeekjs-notice-telegram 57 | https://github.com/corelight/zerologon 58 | https://github.com/corelight/ztest 59 | -------------------------------------------------------------------------------- /aggregate.meta: -------------------------------------------------------------------------------- 1 | [0xl3x1/zeek-EternalSafety] 2 | description = EternalSafety is a Zeek package for detecting potentially-dangerous SMBv1 protocol violations that encapsulate bugs exploited by the infamous Eternal* family of Windows exploits. It is capable of detecting EternalBlue, EternalSynergy/EternalRomance, EternalChampion, and the DoublePulsar backdoor. However, rather than identifying these exploits via simple signature-matching, *EternalSafety* instead implements a set of SMBv1 protocol invariants that encapsulate techniques used by each Eternal* exploit to trigger bugs in unpatched Windows systems. 
EternalSafety accurately and reliably identifies the EternalBlue, EternalSynergy and EternalRomance exploits, and the DoublePulsar backdoor implant. Due to limitations in Zeek's SMBv1 support, it has limited support for detecting EternalChampion via signature-matching. EternalSafety also identifies a range of other protocol violations, such as the use of unimplemented/unused SMBv1 commands, server-initiated changes in values that may only be set by an SMBv1 client, and incorrect interleaving of transaction types. 3 | script_dir = scripts 4 | tags = SMB, Windows, attack, notice, Eternal, SMBv1, EternalBlue 5 | test_command = cd tests && make test 6 | version = master 7 | url = https://github.com/0xl3x1/zeek-EternalSafety 8 | 9 | [0xxon/cve-2020-0601] 10 | depends = 11 | zkg >=2.0 12 | zeek >=4.0.0 13 | description = "Test script for CVE-2020-0601. Please read Readme." 14 | script_dir = scripts 15 | test_command = cd testing && btest -d 16 | url = https://github.com/0xxon/cve-2020-0601 17 | version = v0.4 18 | 19 | [0xxon/cve-2020-0601-plugin] 20 | build_command = ( ./configure && make ) 21 | description = "Test script for CVE-2020-0601. Binary package, requires OpenSSL 1.1.x" 22 | script_dir = scripts 23 | test_command = cd testing && btest -d 24 | url = https://github.com/0xxon/cve-2020-0601-plugin 25 | version = master 26 | 27 | [0xxon/cve-2020-13777] 28 | depends = 29 | zkg >=2.0 30 | zeek >=4.0.0 31 | description = "Test script for CVE-2020-13777. Please read Readme." 32 | script_dir = scripts 33 | test_command = cd testing && btest -d 34 | url = https://github.com/0xxon/cve-2020-13777 35 | version = main 36 | 37 | [0xxon/zeek-network-statistics] 38 | description = Perform regular network measurements and report results. 
39 | script_dir = scripts 40 | tags = topk, sumstats 41 | test_command = cd tests && make 42 | version = main 43 | url = https://github.com/0xxon/zeek-network-statistics 44 | 45 | [0xxon/zeek-os-package-tracking] 46 | url = https://github.com/0xxon/zeek-os-package-tracking 47 | version = main 48 | 49 | [0xxon/zeek-plugin-roca] 50 | build_command = ( ./configure --bro-dist=%(bro_dist)s && make ) 51 | description = Identify certificates potentially affected by CVE-2017-15361 52 | plugin_dir = build/Johanna_ROCA.tgz 53 | tags = certificates, CVE-2017-15361 54 | test_command = cd tests && btest -d 55 | url = https://github.com/0xxon/zeek-plugin-roca 56 | version = 0.0.1 57 | 58 | [0xxon/zeek-postgresql] 59 | build_command = ( ./configure --with-postgresql-inc=`pg_config --includedir` --with-postgresql-server-inc=`pg_config --includedir-server` --with-postgresql-lib=`pg_config --libdir` && make ) 60 | description = A PostgreSQL reader and writer for Zeek. 61 | plugin_dir = build 62 | tags = zeek plugin, PostgreSQL, reader, writer, input 63 | test_command = cd tests && btest -d 64 | version = 0.0.8 65 | url = https://github.com/0xxon/zeek-postgresql 66 | 67 | [0xxon/zeek-sshprebannermessage] 68 | depends = 69 | zeek >=4.0.0 70 | script_dir = scripts 71 | summary = Log SSH pre banner messages 72 | test_command = cd testing && btest -c btest.cfg 73 | url = https://github.com/0xxon/zeek-sshprebannermessage 74 | version = main 75 | 76 | [0xxon/zeek-sumstats-counttable] 77 | description = Two-dimensional buckets for sumstats (count occurences per $str). 78 | tags = sumstats, summary statistics 79 | test_command = cd tests && btest -d 80 | url = https://github.com/0xxon/zeek-sumstats-counttable 81 | version = 0.0.4 82 | 83 | [0xxon/zeek-tls-log-alternative] 84 | description = "This package generates a file called tls.log. The difference from ssl.log is that it is much more focused on logging all kinds of protocol features. 
This can be interesting for academic purposes - or if one is just interested in more information about specific features used in local TLS traffic." 85 | script_dir = scripts 86 | tags = TLS, SSL, X509, Certificates, PKI 87 | test_command = cd tests && make 88 | version = main 89 | url = https://github.com/0xxon/zeek-tls-log-alternative 90 | 91 | [AmazingPP/zeek-capwap] 92 | build_command = ./configure && cd build && make 93 | depends = 94 | zkg >=2.0 95 | zeek >=4.2.0 96 | script_dir = plugin/scripts 97 | summary = A Zeek CAPWAP packet analyzer 98 | tags = capwap, zeek, packet analyzer 99 | test_command = cd testing && btest -c btest.cfg -D 100 | url = https://github.com/AmazingPP/zeek-capwap 101 | version = v0.1.0 102 | 103 | [activecm/bro-mongodb.git] 104 | build_command = (./configure --bro-dist=%(bro_dist)s && make) 105 | description = Bro IDS/ MongoDB connector. 106 | tags = bro plugin, MongoDB, writer, security, conn, logging, rita 107 | version = master 108 | url = https://github.com/activecm/bro-mongodb.git 109 | 110 | [activecm/bro-rita.git] 111 | build_command = (./configure --bro-dist=%(bro_dist)s && make) 112 | description = RITA, Bro IDS connector. 113 | tags = bro plugin, MongoDB, writer, security, conn, logging, rita 114 | version = master 115 | url = https://github.com/activecm/bro-rita.git 116 | 117 | [activecm/zeek-open-connections] 118 | aliases = zeek-open-connections bro-open-connections 119 | depends = zkg >=2.0.7 120 | description = Find and log open, long-lived connections into "open_conn", "open_ssl", and "open_http" logs. 
121 | script_dir = scripts 122 | tags = conn 123 | version = v1.2.1 124 | url = https://github.com/activecm/zeek-open-connections 125 | 126 | [amarokinc/bad-asn] 127 | credits = Michael Portera @mportatoes, Hudson Carr 128 | description = Adds ASN reputation data of external IP addresses to notice.log if the ASN crosses a predetermined threshold as defined by circl.lu 129 | script_dir = zeek 130 | tags = asn, geoip, conn, remote 131 | version = master 132 | url = https://github.com/amarokinc/bad-asn 133 | 134 | [amarokinc/remote_asn_geoip_conn] 135 | credits = Michael Portera @mportatoes 136 | description = Adds ASN and GeoIP data directly to conn.log for the REMOTE connection. The script checks the orig and resp host fields to determine which one is not defined as part of the local IP ranges and subsequently performs a lookup on the MaxMind ASN and GeoIP databases. 137 | script_dir = zeek 138 | tags = asn, geoip, conn, remote 139 | version = master 140 | url = https://github.com/amarokinc/remote_asn_geoip_conn 141 | 142 | [amzn/zeek-plugin-bacnet] 143 | build_command = ./configure && make 144 | depends = 145 | zkg >=2.0 146 | zeek >=3.0.0 147 | description = Plugin that enables parsing of the BACnet standard building controls protocol 148 | script_dir = scripts/BACnet 149 | tags = zeek plugin, protocol analyzer, log writer, ics, bacnet 150 | url = https://github.com/amzn/zeek-plugin-bacnet 151 | version = 1.0.0 152 | 153 | [amzn/zeek-plugin-enip] 154 | build_command = ./configure && make 155 | depends = 156 | zkg >=2.0 157 | zeek >=3.0.0 158 | description = Plugin that enables parsing of the Ethernet/IP and Common Industrial Protocol standards 159 | script_dir = scripts/ENIP 160 | tags = zeek plugin, protocol analyzer, log writer, ics, enip, cip 161 | url = https://github.com/amzn/zeek-plugin-enip 162 | version = 1.1.0 163 | 164 | [amzn/zeek-plugin-profinet] 165 | build_command = ./configure && make 166 | depends = 167 | zkg >=2.0 168 | zeek >=3.0.0 169 | 
description = Plugin that enables parsing of the Profinet protocol 170 | script_dir = scripts/PROFINET 171 | tags = zeek plugin, protocol analyzer, log writer, ics, profinet 172 | url = https://github.com/amzn/zeek-plugin-profinet 173 | version = 1.1.0 174 | 175 | [amzn/zeek-plugin-s7comm] 176 | build_command = ./configure && make 177 | depends = 178 | zkg >=2.0 179 | zeek >=3.0.0 180 | description = Plugin that enables parsing of the S7 protocol 181 | script_dir = scripts/S7comm 182 | tags = zeek plugin, protocol analyzer, log writer, ics, s7 183 | url = https://github.com/amzn/zeek-plugin-s7comm 184 | version = 1.0.0 185 | 186 | [amzn/zeek-plugin-tds] 187 | build_command = ./configure && make 188 | depends = 189 | zkg >=2.0 190 | zeek >=3.0.0 191 | description = Plugin that enables parsing of the Tabular Data Stream (TDS) protocol 192 | script_dir = scripts/TDS 193 | tags = zeek plugin, protocol analyzer, log writer, tds 194 | url = https://github.com/amzn/zeek-plugin-tds 195 | version = 1.1.0 196 | 197 | [anthonykasza/common-encodings] 198 | description = A Zeek package which provides common encodings and operations. 199 | script_dir = scripts 200 | tags = rc4, base64, bitshift, encoding, xor 201 | version = 1.0.1 202 | url = https://github.com/anthonykasza/common-encodings 203 | 204 | [anthonykasza/indicator-rules] 205 | depemds = 206 | bro >= 2.6 207 | description = An extension to the Intel Framework. This package faciliates the creation of rules which Zeek can monitor for. 208 | script_dir = scripts 209 | tags = intel, signature, indicators, pure-script 210 | version = master 211 | url = https://github.com/anthonykasza/indicator-rules 212 | 213 | [anthonykasza/ja4] 214 | config_files = scripts/config.zeek 215 | depends = 216 | zeek >=5.0.0 217 | description = An implementation of the JA4 standard in a Zeek package. 
218 | script_dir = scripts 219 | tags = ja4, tls, ssl, fingerprint, clienthello, handshake, encryption 220 | test_command = cd testing && btest -c btest.cfg 221 | version = main 222 | url = https://github.com/anthonykasza/ja4 223 | 224 | [anthonykasza/ssl-extensions] 225 | depends = 226 | zeek >=6.1.0 227 | description = A proof-of-concept demonstrating scriptland parsing and event routing for all SSL extensions 228 | script_dir = scripts 229 | tags = tls, ssl, experimental 230 | test_command = cd testing && btest -c btest.cfg 231 | version = main 232 | url = https://github.com/anthonykasza/ssl-extensions 233 | 234 | [apache/metron-bro-plugin-kafka] 235 | build_command = ./configure --bro-dist=%(bro_dist)s --with-librdkafka=%(LIBRDKAFKA_ROOT)s && make 236 | depends = 237 | bro >=2.5.0 238 | bro-pkg >=1.2 239 | description = A Bro log writer plugin that sends logging output to Kafka. 240 | external_depends = 241 | librdkafka ~0.11.5 242 | plugin_dir = build 243 | script_dir = build/scripts/Apache/Kafka 244 | tags = log writer, bro plugin, kafka 245 | test_command = ( cd tests && btest -d ) 246 | user_vars = 247 | LIBRDKAFKA_ROOT [/usr/local/lib] "Path to librdkafka installation tree" 248 | version = 0.3 249 | url = https://github.com/apache/metron-bro-plugin-kafka 250 | 251 | [awelzel/zeek-conn-footprint] 252 | description = Regularly log footprints of long running connections. 
253 | script_dir = ./scripts 254 | tags = debugging, footprint, connection, memory 255 | url = https://github.com/awelzel/zeek-conn-footprint 256 | version = v0.2.1 257 | 258 | [awelzel/zeekctl-systemd] 259 | description = A Zeekctl plugin that hooks install and start to run Zeek using systemd 260 | plugin_dir = plugin 261 | tags = zeekctl, systemd, supervisor 262 | url = https://github.com/awelzel/zeekctl-systemd 263 | version = v0.1.0 264 | 265 | [awelzel/zeekjs-misp] 266 | depends = 267 | zeekjs >=0.9.0 268 | script_dir = ./scripts 269 | url = https://github.com/awelzel/zeekjs-misp 270 | version = main 271 | 272 | [awelzel/zeekjs-udp-logging] 273 | description = JavaScript based logging via UDP 274 | script_dir = ./scripts 275 | url = https://github.com/awelzel/zeekjs-udp-logging 276 | version = main 277 | 278 | [bricata/flow_labels] 279 | description = Provides mechanisms for managing and using institutional knowledge about a monitored environment to make informed observations of normal and abnormal network activity. 280 | tags = input, labels 281 | url = https://github.com/bricata/flow_labels 282 | version = master 283 | 284 | [brimsec/geoip-conn] 285 | description = Adds additional fields to the conn.log for the data obtained via Zeek's GeoLocation feature (https://docs.zeek.org/en/current/frameworks/geoip.html). 
286 | script_dir = zeek 287 | tags = conn, geolocation, logging 288 | version = main 289 | url = https://github.com/brimsec/geoip-conn 290 | 291 | [captainGeech42/zeek-bogon] 292 | author = Zander Work (@captainGeech42) 293 | description = Label bogon IPs in conn.log 294 | script_dir = scripts/ 295 | tags = bogon, conn 296 | test_command = (cd tests && btest -d) 297 | url = https://github.com/captainGeech42/zeek-bogon 298 | version = v1.0.1 299 | 300 | [captainGeech42/zeek-intel-path] 301 | author = Zander Work (@captainGeech42) 302 | description = Extend Intel framework to alert on URL paths 303 | script_dir = scripts/ 304 | tags = http, intel, path, url-path, uri 305 | test_command = (cd tests && btest -d) 306 | url = https://github.com/captainGeech42/zeek-intel-path 307 | version = main 308 | 309 | [chrisanag1985/suppress-ssl-notices] 310 | credits = Christos Anagnostopoulos 311 | description = A Module that tries to minimize the noise from the SSL::Invalid_Server_Cert notices. 312 | script_dir = scripts 313 | tags = notices, ssl 314 | version = v0.1.1 315 | url = https://github.com/chrisanag1985/suppress-ssl-notices 316 | 317 | [cisagov/ACID] 318 | credits = Jake Steele , Jack Cyprus , Otis Alexander 319 | depends = 320 | zeek >=4.0.0 321 | http://github.com/cisagov/icsnpp-bacnet * 322 | http://github.com/cisagov/icsnpp-enip * 323 | http://github.com/cisagov/icsnpp-s7comm * 324 | description = ATT&CK-based Control-system Indicator Detection (ACID) is a collection of Zeek scripts designed to detect 325 | ATT&CK for ICS behaviors on OT protocols. These events are reported through the Zeek Notice framework. 326 | script_dir = scripts 327 | summary = ACID is a collection of OT protocol indicator scripts focused on ATT&CK for ICS behaviors. 
328 | tags = ics, OT, attack, ATT&CK, mitre, cisa, OT protocol, detection, notices, input, logging, CIP, S7comm, bacnet, icsnpp 329 | url = https://github.com/cisagov/ACID 330 | version = main 331 | 332 | [cisagov/icsnpp-bacnet] 333 | build_command = ./configure && make 334 | build_dir = build/ICSNPP_Bacnet.tgz 335 | credits = Stephen Kleinheider 336 | depends = 337 | zkg >=2.0 338 | zeek >=4.0.0 339 | description = BACnet plugin for parsing and logging of the BACnet (building automation and control) protocol - CISA ICSNPP 340 | script_dir = build/scripts/icsnpp/bacnet 341 | tags = bacnet, BACnet, ics, ICS, CISA, INL, ICSNPP, icsnpp, zeek plugin, log writer, protocol analyzer 342 | test_command = cd testing && btest -c btest.cfg 343 | url = https://github.com/cisagov/icsnpp-bacnet 344 | version = main 345 | 346 | [cisagov/icsnpp-bsap] 347 | build_command = ./configure && make 348 | build_dir = build/ICSNPP_Bsap.tgz 349 | credits = Devin Vollmer 350 | depends = 351 | zkg >=2.0 352 | zeek >=4.0.0 353 | description = BSAP over IP plugin for parsing and logging of the BSAP protocol - CISA ICSNPP 354 | script_dir = build/scripts/icsnpp/bsap 355 | tags = bsap, BSAP, ics, ICS, CISA, INL, ICSNPP, icsnpp, zeek plugin, log writer, protocol analyzer 356 | test_command = cd testing && btest -c btest.cfg 357 | url = https://github.com/cisagov/icsnpp-bsap 358 | version = main 359 | 360 | [cisagov/icsnpp-c1222] 361 | build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build . 362 | depends = 363 | zeek >=4.0.0 364 | description = ANSI C12.22/IEEE Std 1703 describe a protocol for transporting ANSI C12.19 table data over networks, 365 | for the purpose of interoperability among communications modules and meters. 366 | script_dir = scripts 367 | summary = ANSI C12.22 is the American National Standard for Protocol Specification for Interfacing to Data Communication Networks. 
368 | test_command = cd testing && btest -c btest.cfg 369 | url = https://github.com/cisagov/icsnpp-c1222 370 | version = main 371 | 372 | [cisagov/icsnpp-dnp3] 373 | credits = Stephen Kleinheider 374 | depends = 375 | zkg >=2.0 376 | zeek >=3.0.0 377 | description = DNP3 script for detailed logging of the DNP3 protocol - CISA ICSNPP 378 | script_dir = scripts 379 | tags = dnp3, DNP3, ics, ICS, CISA, INL, ICSNPP, icsnpp, zeek scripting, log writer, protocol analyzer 380 | test_command = cd testing && btest -c btest.cfg 381 | url = https://github.com/cisagov/icsnpp-dnp3 382 | version = main 383 | 384 | [cisagov/icsnpp-enip] 385 | build_command = ./configure && make 386 | build_dir = build/ICSNPP_Enip.tgz 387 | credits = Stephen Kleinheider 388 | depends = 389 | zkg >=2.0 390 | zeek >=4.0.0 391 | description = Ethernet/IP and CIP plugin for parsing and logging of the Ethernet/IP and CIP protocols - CISA ICSNPP 392 | script_dir = build/scripts/icsnpp/enip 393 | tags = enip, ENIP, cip, CIP, ics, ICS, CISA, INL, ICSNPP, icsnpp, zeek plugin, log writer, protocol analyzer 394 | test_command = cd testing && btest -c btest.cfg 395 | url = https://github.com/cisagov/icsnpp-enip 396 | version = main 397 | 398 | [cisagov/icsnpp-ethercat] 399 | build_command = ./configure && make 400 | build_dir = build/ICSNPP_Ethercat.tgz 401 | credits = Devin Vollmer 402 | depends = 403 | zkg >=2.0 404 | zeek >=4.0.0 405 | description = Ethercat plugin for parsing and logging of the Ethercat protocol - CISA ICSNPP 406 | script_dir = build/scripts/icsnpp/ethercat 407 | tags = ecat, ECAT, ethercat, Ethercat, ics, ICS, CISA, INL, ICSNPP, icsnpp, zeek plugin, log writer, packet analyzer 408 | test_command = cd testing && btest -c btest.cfg 409 | url = https://github.com/cisagov/icsnpp-ethercat 410 | version = main 411 | 412 | [cisagov/icsnpp-ge-srtp] 413 | build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. 
&& cmake --build . 414 | depends = 415 | zeek >=6.0.0 416 | description = GE-SRTP is a proprietary protocol used for communication between a GE PLC and a GE HMI. 417 | The GE-SRTP protocol parser is based off of the research paper that can be accessed at https://digitalcommons.newhaven.edu/electricalcomputerengineering-facpubs/70/ 418 | Like Modbus, the GE-SRTP protocol can read both discrete and analog inputs. 419 | script_dir = scripts 420 | summary = GE_-SRTP is a proprietary protocol used for communication between a GE PLC and a GE HMI. 421 | test_command = cd testing && btest -c btest.cfg 422 | url = https://github.com/cisagov/icsnpp-ge-srtp 423 | version = main 424 | 425 | [cisagov/icsnpp-genisys] 426 | build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build . 427 | credits = Seth Grover , Jason Rush =6.1.0 447 | description = HART-IP is the IP extension of the Highway Addressable Remote Transducer (HART) protocol. 448 | The HART protocol is a hybrid analog+digital industrial automation open protocol. 449 | It is currently maintained by the FieldComm Group (https://www.fieldcommgroup.org/). 450 | script_dir = scripts 451 | summary = HART-IP is the IP extension of the Highway Addressable Remote Transducer (HART) protocol. 
452 | test_command = cd testing && btest -c btest.cfg 453 | url = https://github.com/cisagov/icsnpp-hart-ip 454 | version = main 455 | 456 | [cisagov/icsnpp-modbus] 457 | credits = Brett Rasmussen & Stephen Kleinheider 458 | depends = 459 | zkg >=2.10 460 | zeek >=4.2.0 461 | description = Modbus script for detailed logging of the Modbus protocol - CISA ICSNPP 462 | script_dir = scripts 463 | tags = modbus, Modbus, ics, ICS, CISA, INL, ICSNPP, icsnpp, zeek scripting, log writer, protocol analyzer 464 | test_command = cd tests && btest -c btest.cfg 465 | url = https://github.com/cisagov/icsnpp-modbus 466 | version = v2.0.0 467 | 468 | [cisagov/icsnpp-omron-fins] 469 | build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build . 470 | depends = 471 | zeek >=6.1.0 472 | description = ICSNPP-Omron-FINS is a Spicy based Zeek plugin for 473 | parsing and logging fields within the Omron FINS protocol. 
474 | script_dir = scripts 475 | summary = ICSNPP-Omron-FINS (Factory Interface Network) over UDP 476 | test_command = cd testing && btest -c btest.cfg 477 | url = https://github.com/cisagov/icsnpp-omron-fins 478 | version = main 479 | 480 | [cisagov/icsnpp-opcua-binary] 481 | build_command = ./configure && make 482 | build_dir = build/ICSNPP_OPCUA_Binary.tgz 483 | credits = Kent Kvarfordt 484 | depends = 485 | zkg >=2.0 486 | zeek >=5.2.0 487 | description = OPC Unified Architecture Binary plugin for parsing and logging of the OPC UA Binary protocol - CISA ICSNPP 488 | script_dir = build/scripts/icsnpp/opcua-binary 489 | tags = opcua, opcua_binary, opc, ICS, CISA, INL, ICSNPP, icsnpp, zeek plugin, log writer, protocol analyzer 490 | test_command = cd tests && btest -c btest.cfg 491 | url = https://github.com/cisagov/icsnpp-opcua-binary 492 | version = v2.0.0 493 | 494 | [cisagov/icsnpp-profinet-io-cm] 495 | build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake -DCMAKE_BUILD_TYPE=Debug .. && cmake --build . 
496 | credits = Taegan Williams 497 | depends = 498 | zeek >=6.0.3 499 | description = Profinet I/O Context Manager uses traditional Ethernet hardware and software to define a network that 500 | structures the task of exchanging data, alarms and diagnostics with programmable controllers 501 | and other automation controllers 502 | plugin_dir = build/spicy-modules 503 | script_dir = analyzer 504 | summary = Profinet I/O Context Manager (as defined in Profinet Fieldbus Specification IEC 61158-6-10:2019) 505 | tags = profinet, profinet io cm, pn_io, power, SCADA, ICS, CISA, INL, ICSNPP, icsnpp, zeek plugin, log writer, protocol analyzer 506 | test_command = cd testing && btest -c btest.cfg 507 | url = https://github.com/cisagov/icsnpp-profinet-io-cm 508 | version = main 509 | 510 | [cisagov/icsnpp-roc-plus] 511 | build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build . 512 | credits = Jason Rush 513 | depends = 514 | zeek >=6.1.0 515 | description = ICSNPP-ROC-Plus is a Spicy based Zeek plugin for 516 | parsing and logging fields within the ROC Plus protocol. 
517 | script_dir = scripts 518 | summary = ICSNPP-ROC-Plus over UDP 519 | tags = ROC-PLUS, ROCPLUS, ROC, ROC+, roc-plus, rocplus, roc, roc+, ics, ICS, CISA, INL, ICSNPP, icsnpp, zeek plugin, log writer, protocol analyzer 520 | test_command = cd testing && btest -c btest.cfg 521 | url = https://github.com/cisagov/icsnpp-roc-plus 522 | version = main 523 | 524 | [cisagov/icsnpp-s7comm] 525 | build_command = ./configure && make 526 | build_dir = build/ICSNPP_S7comm.tgz 527 | credits = Stephen Kleinheider 528 | depends = 529 | zkg >=2.0 530 | zeek >=4.0.0 531 | description = S7Comm & S7Comm Plus plugin for parsing and logging of the S7Comm, S7Comm Plus and COTP protocols - CISA ICSNPP 532 | script_dir = build/scripts/icsnpp/s7comm 533 | tags = s7comm, s7comm-plus, s7plus, S7comm, S7Comm, S7CommPlus, Siemens, siemens, s7, S7, cotp, COTP, iso_cotp, ISO_COTP, ics, ICS, CISA, INL, ICSNPP, icsnpp, zeek plugin, log writer, protocol analyzer 534 | test_command = cd testing && btest -c btest.cfg 535 | url = https://github.com/cisagov/icsnpp-s7comm 536 | version = main 537 | 538 | [cisagov/icsnpp-synchrophasor] 539 | build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build . 540 | credits = Seth Grover 541 | depends = 542 | zeek >=6.0.0 543 | description = Synchrophasor (as defined in C37.118.2-2011 IEEE Standard for Synchrophasor 544 | Data Transfer for Power Systems) defines a simple and direct method of data 545 | transmission and accretion within a phasor measurement system. 
546 | plugin_dir = build/spicy-modules 547 | script_dir = analyzer 548 | summary = Synchrophasor Data Transfer for Power Systems is a communication protocol for real-time communication between phasor measurement units (PMU), phasor data concentrators (PDC), and other applications 549 | tags = synchrophasor, power, SCADA, ICS, CISA, INL, ICSNPP, icsnpp, zeek plugin, log writer, protocol analyzer 550 | test_command = cd testing && PATH=$(zkg config plugin_dir)/packages/spicy-plugin/bin:$PATH btest -d -j $(nproc) 551 | url = https://github.com/cisagov/icsnpp-synchrophasor 552 | version = main 553 | 554 | [corelight/boa-detector] 555 | depends = 556 | zeek >=4.0.0 557 | description = A vulnerable Boa web server detector. 558 | script_dir = scripts 559 | summary = A vulnerable Boa web server detector. 560 | test_command = cd testing && btest -c btest.cfg 561 | url = https://github.com/corelight/boa-detector 562 | version = v0.1.0 563 | 564 | [corelight/bro-drwatson] 565 | depends = 566 | https://github.com/corelight/bro-hardware * 567 | description = Discover and log information discovered in Microsoft DrWatson messages. 568 | script_dir = scripts 569 | tags = drwatson, http, windows 570 | test_command = ( cd tests && btest -d ) 571 | url = https://github.com/corelight/bro-drwatson 572 | version = master 573 | 574 | [corelight/bro-hardware] 575 | description = Scripts for cases where hardware device identifiers are discovered. 576 | script_dir = scripts 577 | tags = hardware 578 | version = master 579 | url = https://github.com/corelight/bro-hardware 580 | 581 | [corelight/bro-shellshock] 582 | description = Discover successful ShellShock attacks. 
583 | script_dir = scripts 584 | tags = shellshock, detect, scripts 585 | test_command = ( cd tests && btest -d ) 586 | url = https://github.com/corelight/bro-shellshock 587 | version = master 588 | 589 | [corelight/callstranger-detector] 590 | description = Detects CallStranger (CVE) Exploitation Attempts 591 | script_dir = scripts 592 | tags = CallStranger, UPnP 593 | version = master 594 | url = https://github.com/corelight/callstranger-detector 595 | 596 | [corelight/conn-burst] 597 | description = Identify bursty connections (large and fast) 598 | script_dir = scripts 599 | tags = conn, burst 600 | url = https://github.com/corelight/conn-burst 601 | version = master 602 | 603 | [corelight/CVE-2020-16898] 604 | description = A network detection package for CVE-2020-16898 (Windows TCP/IP Remote Code Execution Vulnerability) AKA BadNeighbor 605 | script_dir = scripts 606 | tags = CVE-2020-16898, BadNeighbor 607 | version = master 608 | url = https://github.com/corelight/CVE-2020-16898 609 | 610 | [corelight/CVE-2020-5902-F5BigIP] 611 | description = A network detection package for CVE-2020-5902, a CVE10.0 vulnerability affecting F5 Networks, Inc BIG-IP devices. 612 | script_dir = scripts 613 | tags = BIGIP, F5, firewall, RCE, CVE10.0, CVE10, CorelightResponse 614 | version = master 615 | url = https://github.com/corelight/CVE-2020-5902-F5BigIP 616 | 617 | [corelight/CVE-2021-38647] 618 | aliases = omigod 619 | description = A Zeek package which detects CVE-2021-38647 (AKA OMIGOD) exploit attempts 620 | script_dir = scripts 621 | tags = HTTP, OMI, WMI, Windows, CVE, CVE-2021-38647, exploit, RCE, RapidResponse 622 | test_command = cd testing && btest -c btest.cfg 623 | version = v0.1.2 624 | url = https://github.com/corelight/CVE-2021-38647 625 | 626 | [corelight/CVE-2021-42292] 627 | depends = 628 | zeek >=3.0.0 629 | description = A package to detect CVE-2021-42292, a Microsoft Excel priviledge exploit. 
630 | script_dir = scripts 631 | summary = A package to detect CVE-2021-42292, a Microsoft Excel priviledge exploit. 632 | test_command = cd testing && btest -c btest.cfg 633 | url = https://github.com/corelight/CVE-2021-42292 634 | version = v0.1.0 635 | 636 | [corelight/cve-2021-44228] 637 | description = A Zeek package which raises notices for RCE in Log4J (CVE-2021-44228). 638 | script_dir = scripts 639 | summary = A Zeek package which raises notices for RCE in Log4J (CVE-2021-44228). 640 | tags = HTTP, Apache, CVE, CVE-2021-44228, encoding, rapidresponse, Java, logging 641 | version = v0.7.0 642 | url = https://github.com/corelight/cve-2021-44228 643 | 644 | [corelight/cve-2022-21907] 645 | depends = 646 | zeek >=3.0.0 647 | description = A package to detect CVE-2022-21907 648 | script_dir = scripts 649 | summary = A package to detect CVE-2022-21907 650 | url = https://github.com/corelight/cve-2022-21907 651 | version = v0.1.3 652 | 653 | [corelight/cve-2022-22954] 654 | depends = 655 | zeek >=4.0.0 656 | description = Detect CVE-2022-22954 attempts and exploits. 657 | Also logs what data was returned to the attacker. 658 | script_dir = scripts 659 | summary = Detect CVE-2022-22954 attempts and exploits. 660 | test_command = cd testing && btest -c btest.cfg 661 | url = https://github.com/corelight/cve-2022-22954 662 | version = v0.2.0 663 | 664 | [corelight/CVE-2022-23270-PPTP] 665 | depends = 666 | zeek >=4.0.0 667 | description = A package to detect CVE-2022-23270. 668 | script_dir = scripts 669 | summary = A package to detect CVE-2022-23270. 670 | test_command = cd testing && btest -c btest.cfg 671 | url = https://github.com/corelight/CVE-2022-23270-PPTP 672 | version = master 673 | 674 | [corelight/CVE-2022-24491] 675 | depends = 676 | zeek >=4.0.0 677 | description = A CVE-2022-24491 detector. 678 | script_dir = scripts 679 | summary = A CVE-2022-24491 detector. 
680 | test_command = cd testing && btest -c btest.cfg 681 | url = https://github.com/corelight/CVE-2022-24491 682 | version = v0.1.3 683 | 684 | [corelight/CVE-2022-24497] 685 | depends = 686 | zeek >=4.0.0 687 | description = A CVE-2022-24497 detector. 688 | script_dir = scripts 689 | summary = A CVE-2022-24497 detector. 690 | test_command = cd testing && btest -c btest.cfg 691 | url = https://github.com/corelight/CVE-2022-24497 692 | version = v0.1.1 693 | 694 | [corelight/cve-2022-26809] 695 | depends = 696 | zeek >=4.0.0 697 | description = CVE-2022-26809 is a DCE/RPC RCE exploit. 698 | This package detects both attempts and successful exploits. 699 | script_dir = scripts 700 | summary = Detects attempts and exploits of CVE-2022-26809 701 | test_command = cd testing && btest -c btest.cfg 702 | url = https://github.com/corelight/cve-2022-26809 703 | version = v0.1.0 704 | 705 | [corelight/CVE-2022-26937] 706 | depends = 707 | zeek >=4.0.0 708 | description = A Zeek package to detect CVE-2022-26937, a Windows NFS vulnerabilty. 709 | script_dir = scripts 710 | summary = A Zeek package to detect CVE-2022-26937, a Windows NFS vulnerabilty. 
711 | test_command = make test 712 | url = https://github.com/corelight/CVE-2022-26937 713 | version = master 714 | 715 | [corelight/CVE-2022-3602] 716 | description = CVE-2022-3602 exploit Detection 717 | script_dir = scripts 718 | summary = Detection for CVE-2022-3602 - OpenSSL RCE/DOC v3.0.0 - v3.0.6 719 | test_command = cd testing && btest -c btest.cfg 720 | url = https://github.com/corelight/CVE-2022-3602 721 | version = v0.1.0 722 | 723 | [corelight/detect-ransomware-filenames] 724 | description = Watch SMB transactions for files whose filename matches patterns known to be used by ransomware 725 | script_dir = scripts 726 | url = https://github.com/corelight/detect-ransomware-filenames 727 | version = master 728 | 729 | [corelight/ExtendIntel] 730 | description = v3.0 - A Zeek package to extend logging for Intel 731 | script_dir = scripts 732 | tags = intel 733 | version = v3.0.0 734 | url = https://github.com/corelight/ExtendIntel 735 | 736 | [corelight/got_zoom] 737 | depends = 738 | bro >=2.5.5 739 | ja3 * 740 | description = Detect Zoom traffic 741 | script_dir = scripts 742 | tags = TLS, SSL, JA3, Video conferencing, Video, Videoconferencing, Remote working, Zoom 743 | version = master 744 | url = https://github.com/corelight/got_zoom 745 | 746 | [corelight/hassh] 747 | depends = 748 | zeek >=4.0.0 749 | description = HASSH is used to identify specific Client and Server SSH implementations. The fingerprints can be stored, searched and shared in the form of an MD5 fingerprint. This package logs components to ssh.log 750 | script_dir = scripts 751 | summary = SSH client and server fingerprints. 752 | tags = bro plugin, ssh, fingerprint, logging 753 | test_command = cd testing && btest -c btest.cfg 754 | version = v1.0.1 755 | url = https://github.com/corelight/hassh 756 | 757 | [corelight/http-stalling-detector] 758 | description = Detect HTTP stalling attacks like slowloris. 
759 | script_dir = scripts 760 | tags = http, DoS, attack, notice 761 | url = https://github.com/corelight/http-stalling-detector 762 | version = master 763 | 764 | [corelight/icannTLD] 765 | description = v28.0.0 - A Zeek script using Input Framework to get icann_tld, icann_domain, icann_host_subdomain, and is_trusted_domain from a DNS query. The field icann_host_subdomain contains the remaining query nodes after the domain is removed. The is_trusted_domain is populated from a separate Input Framework set. 766 | script_dir = scripts 767 | tags = domain, dns, tld, input 768 | version = v28.0.0 769 | url = https://github.com/corelight/icannTLD 770 | 771 | [corelight/json-streaming-logs] 772 | description = JSON streaming logs 773 | script_dir = scripts 774 | tags = logs, json, streaming, stream, filebeat, splunk_forwarder, logstash 775 | test_command = cd testing && btest -d -c btest.cfg 776 | url = https://github.com/corelight/json-streaming-logs 777 | version = v3.2.0 778 | 779 | [corelight/log-add-http-post-bodies] 780 | description = Add a POST body excerpt into the HTTP log. 781 | script_dir = scripts 782 | tags = http log extend 783 | version = master 784 | url = https://github.com/corelight/log-add-http-post-bodies 785 | 786 | [corelight/log-add-vlan-everywhere] 787 | description = Add VLAN to all logs. 788 | script_dir = scripts 789 | tags = log extend vlan 790 | url = https://github.com/corelight/log-add-vlan-everywhere 791 | version = v1.0.3 792 | 793 | [corelight/my_stats] 794 | description = This package dumps stats for troubleshooting. 
795 | script_dir = scripts 796 | tags = stats 797 | url = https://github.com/corelight/my_stats 798 | version = v0.0.3 799 | 800 | [corelight/pingback] 801 | description = A Zeek package which detects ICMP ping tunnels created by the Pingback tool 802 | script_dir = scripts 803 | tags = C2, ICMP, RAT, Windows, Malware 804 | version = v0.1.3 805 | url = https://github.com/corelight/pingback 806 | 807 | [corelight/top-dns] 808 | depends = 809 | zeek/sethhall/domain-tld * 810 | description = Log the top DNS queries being requested. 811 | script_dir = scripts 812 | tags = dns, sumstats, log, measurement, top 813 | url = https://github.com/corelight/top-dns 814 | version = master 815 | 816 | [corelight/zeek-agenttesla-detector] 817 | depends = 818 | zeek >=4.0.0 819 | description = An AgentTesla malware C2 detector. 820 | script_dir = scripts 821 | summary = An AgentTesla malware C2 detector. 822 | test_command = cd testing && btest -c btest.cfg 823 | url = https://github.com/corelight/zeek-agenttesla-detector 824 | version = v0.1.1 825 | 826 | [corelight/zeek-asyncrat-detector] 827 | depends = 828 | zeek >=4.0.0 829 | description = An AsyncRAT malware detector. 830 | script_dir = scripts 831 | summary = An AsyncRAT malware detector. 
832 | test_command = cd testing && btest -c btest.cfg 833 | url = https://github.com/corelight/zeek-asyncrat-detector 834 | version = v0.1.3 835 | 836 | [corelight/zeek-community-id] 837 | build_command = ./configure && cd build && make 838 | depends = 839 | zeek >=3.2.0 840 | description = "Community ID" flow hash support in conn.log 841 | script_dir = scripts/Corelight/CommunityID 842 | tags = zeek plugin, conn, logging, community id, flow hashing, flow id, sha1, corelight 843 | test_command = cd tests && btest -c btest.cfg -d communityid 844 | url = https://github.com/corelight/zeek-community-id 845 | version = 3.2.3 846 | 847 | [corelight/zeek-elf] 848 | build_command = ./configure --enable-debug && make 849 | description = This package provides some basic analysis for ELF files. 850 | script_dir = scripts/Zeek/ELF 851 | tags = intel, files, elf 852 | test_command = cd tests && btest 853 | url = https://github.com/corelight/zeek-elf 854 | version = v0.1.4 855 | 856 | [corelight/zeek-globload] 857 | build_command = ./configure && cd build && make 858 | description = This plugin adds support for shell-style glob 859 | patterns when loading Zeek scripts. For example, saying 860 | "@load startup.d/*.zeek" will load any Zeek scripts 861 | with a .zeek suffix from the startup.d folder. 862 | summary = Support file globbing in @load directives 863 | test_command = cd testing && btest -c btest.cfg 864 | url = https://github.com/corelight/zeek-globload 865 | version = 1.0.0 866 | 867 | [corelight/zeek-gozi-detector] 868 | depends = 869 | zeek >=4.0.0 870 | description = A Zeek based Gozi malware detector. 871 | script_dir = scripts 872 | summary = A Zeek based Gozi malware detector. 
873 | test_command = cd testing && btest -c btest.cfg 874 | url = https://github.com/corelight/zeek-gozi-detector 875 | version = v0.1.11 876 | 877 | [corelight/zeek-jpeg] 878 | build_command = ./configure --enable-debug && make 879 | description = This package provides some basic analysis for JPEG files. 880 | script_dir = scripts/Zeek/JPEG 881 | tags = intel, files, jpeg, jpg 882 | test_command = cd tests && btest 883 | url = https://github.com/corelight/zeek-jpeg 884 | version = v0.1.3 885 | 886 | [corelight/zeek-long-connections] 887 | aliases = zeek-long-connections bro-long-connections 888 | depends = zkg >=2.0.7 889 | description = Find and log long-lived connections into a "conn_long" log. 890 | script_dir = scripts 891 | tags = conn 892 | test_command = cd testing && btest -c btest.cfg 893 | version = v1.3.2 894 | url = https://github.com/corelight/zeek-long-connections 895 | 896 | [corelight/zeek-macho] 897 | build_command = ./configure --enable-debug --zeek-dist=%(zeek_dist)s && make 898 | description = This package provides some basic analysis for Mach-o files. 899 | script_dir = scripts/Zeek/MACHO 900 | tags = intel, files, mach-o, macho 901 | test_command = cd tests && btest 902 | url = https://github.com/corelight/zeek-macho 903 | version = v0.1.1 904 | 905 | [corelight/zeek-mercury-npf] 906 | build_command = ./configure && cmake --build build 907 | depends = 908 | zeek >=4.0.0 909 | description = TODO: A more detailed description of Mercury. 910 | It can span multiple lines, with this indentation. 
911 | script_dir = scripts 912 | summary = TODO: A summary of Mercury in one line 913 | test_command = cd testing && btest -c btest.cfg 914 | url = https://github.com/corelight/zeek-mercury-npf 915 | version = main 916 | 917 | [corelight/zeek-nats-log-writer] 918 | build_command = ./configure && cmake --build build 919 | description = NATS.io log writer support 920 | summary = NATS.io log writer support 921 | test_command = cd testing && btest -c btest.cfg 922 | url = https://github.com/corelight/zeek-nats-log-writer 923 | version = v0.1.0 924 | 925 | [corelight/zeek-netsupport-detector] 926 | depends = 927 | zeek >=4.0.0 928 | description = A Zeek-based NetSupport detector. NetSupport is often abused by attackers in malware. 929 | script_dir = scripts 930 | summary = A Zeek-based NetSupport detector. NetSupport is often abused by attackers in malware. 931 | test_command = cd testing && btest -c btest.cfg 932 | url = https://github.com/corelight/zeek-netsupport-detector 933 | version = v0.1.2 934 | 935 | [corelight/zeek-notice-telegram] 936 | description = Package that extends the Notice Framework to include 937 | `ACTION_TELEGRAM` for sending messages on notices over Telegram. 938 | script_dir = scripts 939 | summary = Send Notices over Telegram 940 | url = https://github.com/corelight/zeek-notice-telegram 941 | version = master 942 | 943 | [corelight/zeek-quasarrat-detector] 944 | depends = 945 | zeek >=4.0.0 946 | description = A QuasarRAT malware detector. 947 | script_dir = scripts 948 | summary = A QuasarRAT malware detector. 949 | test_command = cd testing && btest -c btest.cfg 950 | url = https://github.com/corelight/zeek-quasarrat-detector 951 | version = v0.1.3 952 | 953 | [corelight/zeek-quic] 954 | aliases = zeek-quic bro-quic 955 | build_command = ./configure && make 956 | depends = 957 | zeek >=4.0.0 958 | description = Detects the Google QUIC (GQUIC) protocol and adds "gquic" 959 | to conn.log's "service" field. 
960 | plugin_dir = build/Corelight_GQUIC.tgz 961 | script_dir = build/scripts/Corelight/GQUIC 962 | tags = plugin, analyzer, gquic, quic 963 | url = https://github.com/corelight/zeek-quic 964 | version = v0.7.0 965 | 966 | [corelight/zeek-spicy-facefish] 967 | build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build . 968 | description = A Facefish rootkit detector, based on Spicy. 969 | plugin_dir = build/spicy-modules 970 | script_dir = analyzer 971 | summary = A Facefish rootkit detector, based on Spicy. 972 | test_command = cd tests && PATH=$(zkg config plugin_dir)/packages/spicy-plugin/bin:$PATH btest -d -j $(nproc) 973 | url = https://github.com/corelight/zeek-spicy-facefish 974 | version = v0.1.1 975 | 976 | [corelight/zeek-spicy-ipsec] 977 | build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build . 978 | description = An IPSec Zeek protocol analyzer based on Spicy. 979 | plugin_dir = build/spicy-modules 980 | script_dir = analyzer 981 | summary = An IPSec Zeek protocol analyzer based on Spicy. 982 | test_command = cd tests && PATH=$(zkg config plugin_dir)/packages/spicy-plugin/bin:$PATH btest -d -j $(nproc) 983 | url = https://github.com/corelight/zeek-spicy-ipsec 984 | version = v0.2.24 985 | 986 | [corelight/zeek-spicy-openvpn] 987 | build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build . 988 | description = A Zeek OpenVPN protocol analyzer, based on Spicy. 989 | plugin_dir = build/spicy-modules 990 | script_dir = analyzer 991 | summary = A Zeek OpenVPN protocol analyzer, based on Spicy. 
992 | test_command = cd tests && PATH=$(zkg config plugin_dir)/packages/spicy-plugin/bin:$PATH btest -d -j $(nproc) 993 | url = https://github.com/corelight/zeek-spicy-openvpn 994 | version = v0.1.11 995 | 996 | [corelight/zeek-spicy-ospf] 997 | build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build . 998 | description = A Zeek OSPF packet analyzer, based on Spicy. 999 | plugin_dir = build/spicy-modules 1000 | script_dir = analyzer 1001 | summary = A Zeek OSPF packet analyzer, based on Spicy. 1002 | test_command = cd tests && PATH=$(zkg config plugin_dir)/packages/spicy-plugin/bin:$PATH btest -d -j $(nproc) 1003 | url = https://github.com/corelight/zeek-spicy-ospf 1004 | version = v0.1.6 1005 | 1006 | [corelight/zeek-spicy-stun] 1007 | build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build . 1008 | description = A Zeek STUN protocol analyzer based on Spicy. 1009 | plugin_dir = build/spicy-modules 1010 | script_dir = analyzer 1011 | summary = A Zeek STUN protocol analyzer based on Spicy. 1012 | test_command = cd tests && PATH=$(zkg config plugin_dir)/packages/spicy-plugin/bin:$PATH btest -d -j $(nproc) 1013 | url = https://github.com/corelight/zeek-spicy-stun 1014 | version = v0.2.13 1015 | 1016 | [corelight/zeek-spicy-wireguard] 1017 | build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build . 1018 | description = A Wireguard VPN protocol analyzer, based on Spicy. 
1019 | plugin_dir = build/spicy-modules 1020 | script_dir = analyzer 1021 | test_command = cd testing && PATH=$(zkg config plugin_dir)/packages/spicy-plugin/bin:$PATH btest -d -j $(nproc) 1022 | url = https://github.com/corelight/zeek-spicy-wireguard 1023 | version = v0.1.8 1024 | 1025 | [corelight/zeek-strrat-detector] 1026 | build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build . 1027 | depends = 1028 | zeek >=4.0.0 1029 | description = A Zeek based STRRAT malware detector. 1030 | script_dir = scripts 1031 | summary = A Zeek based STRRAT malware detector. 1032 | test_command = cd testing && btest -c btest.cfg 1033 | url = https://github.com/corelight/zeek-strrat-detector 1034 | version = v0.1.2 1035 | 1036 | [corelight/zeek-xor-exe-plugin] 1037 | build_command = ./configure && make 1038 | description = A plugin to find Windows executables that have been XOR encoded. 1039 | plugin_dir = build 1040 | script_dir = scripts/Corelight/PE_XOR 1041 | tags = plugin, pe, executable, malware 1042 | test_command = cd tests && btest -d 1043 | url = https://github.com/corelight/zeek-xor-exe-plugin 1044 | version = 4.1 1045 | 1046 | [corelight/zeekjs] 1047 | build_command = ./configure --with-nodejs=%(nodejs_root_dir)s && cd build && make 1048 | depends = 1049 | zeek >=4.2.0 1050 | description = Experimental JavaScript support for Zeek. 
1051 | external_depends = 1052 | libnode-dev 1053 | nodejs-devel 1054 | name = ZeekJS 1055 | plugin_dir = build 1056 | tags = javascript, js, plugin 1057 | test_command = cd tests && btest -d -c btest.cfg -g smoke 1058 | user_vars = 1059 | nodejs_root_dir [] "Root directory of Node.js installation (leave blank for defaults)" 1060 | url = https://github.com/corelight/zeekjs 1061 | version = v0.22.0 1062 | 1063 | [corelight/zeekjs-notice-telegram] 1064 | depends = zeekjs * 1065 | description = Package that extends the Notice Framework to include 1066 | `ACTION_TELEGRAM` for sending messages on notices over Telegram using ZeekJS. 1067 | script_dir = scripts 1068 | summary = Send Notices over Telegram (ZeekJS edition) 1069 | test_command = cd testing && btest -c btest.cfg 1070 | url = https://github.com/corelight/zeekjs-notice-telegram 1071 | version = master 1072 | 1073 | [corelight/zerologon] 1074 | corelight_name = Zerologon 1075 | description = Detects Zerologon (CVE-2020-1472) attempts and exploits. 1076 | script_dir = scripts 1077 | summary = Detects Zerologon (CVE-2020-1472) attempts and exploits. 
1078 | test_command = cd testing && btest -c btest.cfg 1079 | url = https://github.com/corelight/zerologon 1080 | version = master 1081 | 1082 | [corelight/ztest] 1083 | credits = Ryan Victory 1084 | description = A Zeek Unit Testing Framework 1085 | script_dir = scripts 1086 | tags = library, unit-testing, testing 1087 | test_command = make -C tests 1088 | url = https://github.com/corelight/ztest 1089 | version = master 1090 | 1091 | [cyberUniBO/Zeek-Pcap-Features-Extractor] 1092 | description = Zeek Package that extracts features from pcap files 1093 | tags = zeek plugin, pcap files, features extraction, feature extractor 1094 | version = main 1095 | url = https://github.com/MichelangeloFlorio/Zeek-Pcap-Features-Extractor 1096 | 1097 | [cybera/zeek-sniffpass] 1098 | description = Sniffpass will alert on cleartext passwords discovered in HTTP POST requests 1099 | script_dir = scripts 1100 | tags = password, logging 1101 | version = master 1102 | url = https://github.com/cybera/zeek-sniffpass 1103 | 1104 | [dopheide/bro-quic] 1105 | build_command = ( ./configure --bro-dist=%(bro_dist)s && make ) 1106 | description = Attempt to identify QUIC protocol 1107 | plugin_dir = build/Bro_QUIC.tgz 1108 | tags = plugin, analyzer, quic 1109 | url = https://github.com/dopheide-esnet/bro-quic 1110 | version = 0.1 1111 | 1112 | [dopheide/zeek-jetdirect] 1113 | credits = dopheide@es.net, soehlert@es.net, jsdorn1@gmail.com 1114 | depends = 1115 | zeek >=2.0.0 1116 | description = Detect exploit attempt of HP JetDirect printers 1117 | script_dir = ./scripts 1118 | tags = jetdirect, printer, cve-2017-2741 1119 | test_command = cd tests && make 1120 | url = https://github.com/dopheide-esnet/zeek-jetdirect 1121 | version = 0.4 1122 | 1123 | [dopheide/zeek-known-hosts-with-dns] 1124 | description = This script expands the base known-hosts policy to include reverse DNS queries and syncs it across all workers. 
1125 | script_dir = scripts 1126 | tags = known-hosts, known_hosts, dns 1127 | test_command = cd tests && btest -d known_tests 1128 | version = v1.2.4 1129 | url = https://github.com/dopheide-esnet/zeek-known-hosts-with-dns 1130 | 1131 | [dopheide/zeek-known-outbound] 1132 | depends = 1133 | zeek >=3.0.0 1134 | description = This script provides the ability to monitor and throw notices for outbound connections to a list of watched countries. It also adds orig and resp country codes to conn.log. It depends on having libmaxmind configured for GeoIP lookups. 1135 | script_dir = scripts 1136 | tags = notice, known, services, outbound 1137 | test_command = cd tests && btest -d outbound-tests 1138 | version = master 1139 | url = https://github.com/dopheide-esnet/zeek-known-outbound 1140 | 1141 | [dopheide/zeek-notice-config] 1142 | depends = 1143 | zeek >=3.0.0-rc1 1144 | description = This script enables easy customization of how notice actions are handled. It's built to work with eZeekConfigurator, but that isn't required. 1145 | script_dir = scripts 1146 | tags = notice, configuration, ezeekonfigurator, ezk 1147 | test_command = cd tests && btest -d notice_tests 1148 | version = master 1149 | url = https://github.com/dopheide-esnet/zeek-notice-config 1150 | 1151 | [dopheide/zeek-ntp-monlist] 1152 | depends = 1153 | zeek >=3.0.0-rc1 1154 | description = This script just replaces the old ntp-monlist script to work with Zeek 3.0.0+ 1155 | script_dir = scripts 1156 | tags = ntp, NTP, monlist, ddos 1157 | test_command = cd tests && btest -d ntp_tests 1158 | version = v1.0.2 1159 | url = https://github.com/dopheide-esnet/zeek-ntp-monlist 1160 | 1161 | [dopheide/zeek-ssh-interesting-hostnames-with-known] 1162 | depends = zeek/dopheide/zeek-known-hosts-with-dns * 1163 | description = This script replaces the default ssh/interesting-hostnames and reduces the number of asynchronous when() calls made by Zeek. 
1164 | script_dir = scripts 1165 | tags = dns, ssh, interesting-hostnames 1166 | test_command = cd tests && btest -d ssh_tests 1167 | version = v1.2.1 1168 | url = https://github.com/dopheide-esnet/zeek-ssh-interesting-hostnames-with-known 1169 | 1170 | [dopheide/bro_notice_correlation] 1171 | description = Adds support for multi-notice correlation. For more information, see http://blog.samoehlert.com/correlating-bro-notices or the talk from BroCon 2016. 1172 | script_dir = scripts 1173 | tags = notices, notice, correlation 1174 | version = master 1175 | url = https://github.com/dopheide/bro_notice_correlation 1176 | 1177 | [dopheide/venom] 1178 | description = Attempts to detect an attacker calling to the VENOM Linux Rootkit https://security.web.cern.ch/security/venom.shtml 1179 | script_dir = scripts 1180 | tags = Venom, venom, VENOM, rootkit 1181 | version = master 1182 | url = https://github.com/dopheide/venom 1183 | 1184 | [dovehawk/dovehawk] 1185 | description = MISP+Zeek. Dovehawk is a Zeek Module to import MISP indicators to the Intel Framework and Signature Framework automatically. Reports sightings directly back to MISP as they happen. Supports Zeek Clusters. 1186 | script_dir = . 1187 | tags = intel, MISP, sightings, signatures, threat intelligence, threat intel, cyber 1188 | version = 1.02.002 1189 | url = https://github.com/tylabs/dovehawk 1190 | 1191 | [dovehawk/dovehawk_dns] 1192 | description = Dovehawk.io Passive DNS Capture Module. 1193 | script_dir = . 1194 | tags = dns, pdns, log, passive, dovehawk 1195 | url = https://github.com/tylabs/dovehawk_dns 1196 | version = master 1197 | 1198 | [dovehawk/dovehawk_flow] 1199 | description = Dovehawk Anonymized Outbound Flow Tracking 1200 | script_dir = ./scripts/ 1201 | tags = netflow, connections, log, remote, dovehwak 1202 | url = https://github.com/tylabs/dovehawk_flow 1203 | version = 1.0.0 1204 | 1205 | [dw2102/S7Comm-Analyzer] 1206 | build_command = ./configure && make 1207 | credits = D. 
Wullen 1208 | description = Protocol parser for the Siemens S7Comm and S7CommPlus protocols. 1209 | Both parsers are based on the Iso-Over-TCP protocol. Not all functions are covered 1210 | in this analyzer, so it may not capture all of the packets. 1211 | script_dir = scripts/ 1212 | tags = s7comm, zeek plugin, s7commplus, siemens, zeek, protocol analyzer 1213 | version = master 1214 | url = https://github.com/dw2102/S7Comm-Analyzer 1215 | 1216 | [elcabezzonn/http-header-count] 1217 | description = a script that counts the client http headers. 1218 | script_dir = scripts 1219 | tags = http 1220 | version = main 1221 | url = https://github.com/elcabezzonn/http-header-count 1222 | 1223 | [elcabezzonn/smb2-remote-file-copy] 1224 | description = a script that identifies remote file copies over smb2 1225 | script_dir = scripts 1226 | tags = smb2 1227 | version = master 1228 | url = https://github.com/elcabezzonn/smb2-remote-file-copy 1229 | 1230 | [emnahum/zeek-pcapovertcp-plugin] 1231 | build_command = ./configure && make 1232 | credits = Erich Nahum 1233 | depends = 1234 | zkg >=2.0 1235 | zeek >=4.0.0 1236 | description = Provides PCAP over TCP support for Zeek. 1237 | plugin_dir = build/Zeek_PcapOverTcp.tgz 1238 | script_dir = scripts 1239 | summary = Provides PCAP over TCP support for Zeek. 1240 | tags = zeek plugin, zeekctl plugin, packet source, pcapovertcp, pcap 1241 | url = https://github.com/emnahum/zeek-pcapovertcp-plugin 1242 | version = v1.0.12 1243 | 1244 | [emojifier/emojifier] 1245 | credits = Jan Grashoefer , 1246 | Matthias Grundmann , 1247 | Florian Jacob 1248 | description = Set your logs on fire with Emojifier! 
1249 | script_dir = scripts 1250 | tags = emoji, fire, emojifier 1251 | test_command = cd testing && btest -d 1252 | url = https://github.com/emojifier/emojifier 1253 | version = master 1254 | 1255 | [endace/zeek-dag] 1256 | aliases = zeek-dag bro-dag 1257 | build_command = ( ./configure && make ) 1258 | depends = zeek >=2.6.0 1259 | description = Packet source plugin that provides native support for Endace DAG card and EndaceProbe Application Dock packet capture. 1260 | plugin_dir = build/Endace_DAG.tgz 1261 | tags = packet source, zeek plugin, plugin, broctl plugin, zeekctl plugin, dag, endace 1262 | test_command = ( cd tests && btest -d ) 1263 | url = https://github.com/endace/zeek-dag 1264 | version = v0.6 1265 | 1266 | [esnet-security/cve-2020-16898] 1267 | credits = Vlad Grigorescu 1268 | depends = 1269 | zeek >=2.6.0 1270 | description = Detects CVE-2020-16898: "Bad Neighbor" 1271 | script_dir = ./scripts 1272 | tags = cve, cve-2020-16898, badneighbor 1273 | test_command = cd tests && make 1274 | url = https://github.com/esnet-security/cve-2020-16898 1275 | version = v0.1 1276 | 1277 | [esnet-security/logfilter] 1278 | credits = Vlad Grigorescu 1279 | description = Enables plugins to write fine-grained policy for log filtering, modification, and path customization. 1280 | script_dir = ./scripts 1281 | tags = logs, filters, ESnet 1282 | test_command = cd tests && make 1283 | url = https://github.com/esnet-security/logfilter 1284 | version = 1.0 1285 | 1286 | [esnet-security/zeek-ebury] 1287 | description = This script attempts to detect the Ebury ssh backdoor based on having base64 in the ssh client string. 
1288 | script_dir = scripts 1289 | tags = ssh, ebury 1290 | version = main 1291 | url = https://github.com/esnet-security/zeek-ebury 1292 | 1293 | [esnet-security/Zeek-Known-Services-With-OrigFlag] 1294 | description = This script expands the base known-services policy to include is_local_orig flag to indicate if the service was discovered from non-local nets (is_local_orig =F) or from local nets (is_local_orig=T). 1295 | script_dir = scripts 1296 | tags = known-services, known_services 1297 | test_command = cd tests && btest -d known_tests 1298 | version = main 1299 | url = https://github.com/esnet-security/Zeek-Known-Services-With-OrigFlag 1300 | 1301 | [esnet-security/zeek-outbound-known-services-with-origflag] 1302 | description = This script expands the base known-services policy to include is_local_orig flag to indicate if an outbound service was discovered from non-local nets (is_local_orig =F) or from local nets (is_local_orig=T). 1303 | script_dir = scripts 1304 | tags = known-services, known_services 1305 | test_command = cd tests && btest -d known_tests 1306 | version = main 1307 | url = https://github.com/esnet-security/zeek-outbound-known-services-with-origflag 1308 | 1309 | [esnet-security/zeek_scram] 1310 | description = Zeek script for interacting with the SCRAM client 1311 | script_dir = scripts 1312 | tags = scram, bhr 1313 | test_command = cd tests && btest -d scram_tests 1314 | version = master 1315 | url = https://github.com/esnet-security/zeek_scram 1316 | 1317 | [esnet/zeek-exporter] 1318 | build_command = ./configure && make 1319 | config_files = scripts/conf.dat 1320 | credits = Vlad Grigorescu 1321 | depends = 1322 | zeek >=3.0.0 1323 | description = Prometheus exporter for Zeek performance data 1324 | external_depends = 1325 | cmake >=3.5 1326 | libcurl-devel * 1327 | plugin_dir = ./build/ESnet_Zeek_Exporter.tgz 1328 | tags = zeek plugin, performance, perf, stats, prometheus 1329 | test_command = cd tests && btest -d 1330 | url = 
https://github.com/esnet/zeek-exporter 1331 | version = v0.8.0 1332 | 1333 | [esnet/zeek_perfsonar_owamp] 1334 | build_command = ( ./configure --zeek-dist=%(zeek_dist)s && make ) 1335 | plugin_dir = build/PerfSONAR_OWAMP.tgz 1336 | tags = plugin, analyzer, owamp, perfsonar 1337 | test_command = cd tests && btest 1338 | url = https://github.com/esnet/zeek_perfsonar_owamp 1339 | version = master 1340 | 1341 | [evantypanski/spicy-nats] 1342 | build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build . 1343 | depends = 1344 | zeek >=4.0.0 1345 | description = A NATS protocol parser! 1346 | script_dir = scripts 1347 | summary = A NATS protocol parser 1348 | test_command = cd testing && btest -c btest.cfg 1349 | url = https://github.com/evantypanski/spicy-nats 1350 | version = main 1351 | 1352 | [evantypanski/spicy-redis] 1353 | build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build . 1354 | depends = 1355 | zeek >=4.0.0 1356 | description = Spicy-based analyzer for Redis 1357 | script_dir = scripts 1358 | summary = Spicy-based analyzer for Redis 1359 | test_command = cd testing && btest -c btest.cfg 1360 | url = https://github.com/evantypanski/spicy-redis 1361 | version = main 1362 | 1363 | [evantypanski/xdp-zeek] 1364 | build_command = ./configure && make 1365 | description = XDP traffic shunter 1366 | plugin_dir = build/XDP_Shunter.tgz 1367 | script_dir = scripts 1368 | test_command = cd tests && btest -c btest.cfg 1369 | url = https://github.com/evantypanski/xdp-zeek 1370 | version = main 1371 | 1372 | [fatemabw/bro-inventory-scripts] 1373 | description = Find different types of OSes and AV software in your network traffic. 
1374 | script_dir = scripts 1375 | tags = OS detection, Anti-Virus 1376 | version = master 1377 | url = https://github.com/fatemabw/bro-inventory-scripts 1378 | 1379 | [fatemabw/kyd] 1380 | description = KYD creates DHCP client hashes and logs the fingerprints and associated device information in a separate log file 'dhcpfp.log. The Unknown fingerprints can easily be queried to the Fingerbanks API using the 'dhcp-unknown.py' script provided in this package, resulting dhcp-db-extend output file can be appended to the local dhcp-db.bro, and also can be shared with the community using dhcp-db-FBQ file generated by the python script. 1381 | https://github.com/fatemabw/kyd 1382 | script_dir = zeek 1383 | tags = dhcp, dhcpfp 1384 | version = master 1385 | url = https://github.com/fatemabw/kyd 1386 | 1387 | [fdekeers/igmp] 1388 | build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build . 1389 | credits = François De Keersmaeker 1390 | depends = 1391 | zeek >=4.0.0 1392 | description = A Spicy-based packet analyzer for the IGMP protocol. 1393 | Supports IGMPv1, v2 and v3. 1394 | script_dir = scripts 1395 | summary = IGMP packet analyzer in Spicy 1396 | tags = igmp, zeek, spicy, packet analyzer, ids 1397 | test_command = cd testing && btest -c btest.cfg 1398 | url = https://github.com/zeek-plugins/igmp 1399 | version = main 1400 | 1401 | [fdekeers/mdns] 1402 | credits = François De Keersmaeker 1403 | description = Multicast DNS (mDNS) package for Zeek 1404 | script_dir = ./scripts 1405 | tags = IDS, Zeek, mDNS 1406 | test_command = cd tests && make 1407 | url = https://github.com/zeek-plugins/mdns 1408 | version = main 1409 | 1410 | [foxio/ja4] 1411 | credits = John Althouse 1412 | depends = zeek >=5.0.0 1413 | description = Official Zeek package for JA4+ network fingerprinting. 
1414 | script_dir = zeek 1415 | tags = ja4, fingerprint, fingerprinting, ja4s, ja4h, ja4x, ja4ssh, ja4l, ja4t, ja4+, ja4plus, ja3, ja4d, ja4d6 1416 | version = v0.18.8 1417 | url = https://github.com/FoxIO-LLC/ja4 1418 | 1419 | [hhzzk/dns-tunnels] 1420 | description = Detect DNS Tunnels attack. 1421 | script_dir = scripts 1422 | tags = DNS, DNS Tunnels, DNS Tunneling 1423 | version = master 1424 | url = https://github.com/hhzzk/dns-tunnels 1425 | 1426 | [hosom/bro-ja3] 1427 | depends = 1428 | bro >=2.6.0 1429 | description = Generate and log ja3 ssl fingerprints 1430 | script_dir = scripts 1431 | tags = ja3, ssl, intel 1432 | test_command = cd tests && btest -d btests 1433 | version = 1.0.4 1434 | url = https://github.com/hosom/bro-ja3 1435 | 1436 | [hosom/bro-napatech] 1437 | build_command = (./configure --bro-dist=%(bro_dist)s && make) 1438 | depends = 1439 | bro-pkg >=1.2 1440 | bro >=2.5.0 1441 | description = Packet source plugin that provides native support for NTAPI 1442 | plugin_dir = build/Bro_Napatech.tgz 1443 | tags = packet source, plugin, napatech, ntapi 1444 | url = https://github.com/hosom/bro-napatech 1445 | version = 0.1.0 1446 | 1447 | [hosom/bro-oui] 1448 | depends = 1449 | bro >=2.5.5 1450 | description = Add OUI lookup to Bro. 1451 | script_dir = scripts 1452 | tags = oui, mac, dhcp 1453 | version = 1.0.3 1454 | url = https://github.com/hosom/bro-oui 1455 | 1456 | [hosom/dummy-connections] 1457 | depends = 1458 | bro >=2.6.0 1459 | description = Create dummy connection records. 1460 | script_dir = scripts 1461 | tags = connection 1462 | version = 1.0.0 1463 | url = https://github.com/hosom/dummy-connections 1464 | 1465 | [hosom/file-extraction] 1466 | config_files = scripts/config.zeek 1467 | depends = 1468 | zeek >=3.0.0 1469 | description = Extract files from network traffic with Zeek. 
1470 | script_dir = scripts 1471 | tags = files, file extraction, file analysis 1472 | version = 2.0.3 1473 | url = https://github.com/hosom/file-extraction 1474 | 1475 | [hosom/log-filters] 1476 | config_files = scripts/config.zeek 1477 | depends = 1478 | zeek >=3.0.0 1479 | description = Implement common log filters. 1480 | script_dir = scripts 1481 | tags = logging, log framework 1482 | version = main 1483 | url = https://github.com/hosom/log-filters 1484 | 1485 | [initconf/2024-09-cups-linux-rce] 1486 | description = 1487 | script_dir = scripts 1488 | tags = 1489 | test_command = ( cd tests && btest -d ) 1490 | version = main 1491 | url = https://github.com/initconf/2024-09-cups-linux-rce 1492 | 1493 | [initconf/Apple-RDP-net-assistant-DoS.git] 1494 | description = udp-3283-DoS 1495 | script_dir = scripts 1496 | tags = net_listerner, Apple RDP, udp DoS 1497 | test_command = ( cd tests && btest -d ) 1498 | version = master 1499 | url = https://github.com/initconf/Apple-RDP-net-assistant-DoS.git 1500 | 1501 | [initconf/blacklist] 1502 | description = package to manage blacklisted IP addresses using bro 1503 | script_dir = scripts 1504 | tags = blacklist 1505 | version = master 1506 | url = https://github.com/initconf/blacklist 1507 | 1508 | [initconf/CVE-2017-5638_struts] 1509 | description = package to detect CVE-2017-5638 struts attack 1510 | script_dir = scripts 1511 | tags = CVE-2017-5638, struts 1512 | version = master 1513 | url = https://github.com/initconf/CVE-2017-5638_struts 1514 | 1515 | [initconf/CVE-2020-16898-Bad-Neighbor.git] 1516 | description = CVE-2020-16898: Bad Neighbor 1517 | script_dir = scripts 1518 | tags = 1519 | test_command = ( cd tests && btest -d ) 1520 | version = master 1521 | url = https://github.com/initconf/CVE-2020-16898-Bad-Neighbor.git 1522 | 1523 | [initconf/detect-kaspersky] 1524 | description = kaspersky 1525 | script_dir = scripts 1526 | tags = kaspersky antivirus 1527 | test_command = ( cd tests && btest -d ) 1528 | version 
= v3 1529 | url = https://github.com/initconf/detect-kaspersky 1530 | 1531 | [initconf/dns-heuristics] 1532 | description = 1533 | script_dir = scripts 1534 | tags = 1535 | test_command = ( cd tests && btest -d ) 1536 | version = main 1537 | url = https://github.com/initconf/dns-heuristics 1538 | 1539 | [initconf/ftp-bruteforce] 1540 | description = ftp-bruteforce 1541 | script_dir = scripts 1542 | tags = ftp, bruteforce, scan 1543 | test_command = ( cd tests && btest -d ) 1544 | version = v2.0-zeek-3.x.x 1545 | url = https://github.com/initconf/ftp-bruteforce 1546 | 1547 | [initconf/icmp-scans.git] 1548 | description = icmp-scans 1549 | script_dir = scripts 1550 | tags = ftp, bruteforce, scan 1551 | test_command = ( cd tests && btest -d ) 1552 | version = master 1553 | url = https://github.com/initconf/icmp-scans.git 1554 | 1555 | [initconf/LetsEncrypt] 1556 | description = LetsEncrypt 1557 | script_dir = scripts 1558 | tags = 1559 | test_command = ( cd tests && btest -d ) 1560 | version = master 1561 | url = https://github.com/initconf/LetsEncrypt 1562 | 1563 | [initconf/log4j.git] 1564 | description = zeek package to identify log4j exploit attempts for CVE-2021-44228 1565 | script_dir = scripts 1566 | tags = 1567 | test_command = ( cd tests && btest -d ) 1568 | version = main 1569 | url = https://github.com/initconf/log4j.git 1570 | 1571 | [initconf/phish-analysis] 1572 | description = Suite of smtp related policies includes extracting and logging URLs from emails and various smtp anomaly detection heuristics to help flag phishing emails 1573 | script_dir = scripts 1574 | tags = smtp, phish, urls, emails 1575 | test_command = ( cd tests && btest -d ) 1576 | version = master 1577 | url = https://github.com/initconf/phish-analysis 1578 | 1579 | [initconf/RDP-bruteforce] 1580 | description = rdp-bruteforce 1581 | script_dir = scripts 1582 | tags = rdp, bruteforce, scan 1583 | test_command = ( cd tests && btest -d ) 1584 | version = master 1585 | url = 
https://github.com/initconf/RDP-bruteforce 1586 | 1587 | [initconf/scan-NG] 1588 | description = scan detection in 2.x world. Forward porting of bro-1.5.3 scan.bro accompanied with new heuristics and quicker detections 1589 | script_dir = scripts 1590 | tags = scan detection 1591 | version = v3.0 1592 | url = https://github.com/initconf/scan-NG 1593 | 1594 | [initconf/sip-attacks.git] 1595 | description = sip-attacks 1596 | script_dir = scripts 1597 | tags = sip, voip 1598 | test_command = ( cd tests && btest -d ) 1599 | version = master 1600 | url = https://github.com/initconf/sip-attacks.git 1601 | 1602 | [initconf/smtp-url-analysis] 1603 | description = Suite of smtp related policies includes extracting and logging URLs from emails and various smtp anomaly detection heuristics to help flag phishing emails 1604 | script_dir = scripts 1605 | tags = smtp, phish, urls, emails 1606 | test_command = ( cd tests && btest -d ) 1607 | version = master 1608 | url = https://github.com/initconf/smtp-url-analysis 1609 | 1610 | [initconf/vnc-scanner] 1611 | description = Simple policy to detect VNC (RFB) scanners based on src->dst connection counts 1612 | script_dir = scripts 1613 | tags = rfb, vnc, osx high sierra 1614 | test_command = ( cd tests && btest -d ) 1615 | version = master 1616 | url = https://github.com/initconf/vnc-scanner 1617 | 1618 | [initconf/ws-discovery-dos] 1619 | description = udp-scan 1620 | script_dir = scripts 1621 | tags = ws-discovery, scan, dos, toshiba, copiers, scanners 1622 | test_command = ( cd tests && btest -d ) 1623 | version = v2.0 1624 | url = https://github.com/initconf/ws-discovery-dos 1625 | 1626 | [irtimmer/bro-xdp_packet-plugin] 1627 | build_command = ./configure --bro-dist=%(bro_dist)s && make 1628 | depends = 1629 | bro-pkg >=1.2 1630 | bro >=2.5.0 1631 | description = This plugin provides native AF_XDP support for Bro. 
1632 | plugin_dir = build/itimmer_af_xdp.tgz 1633 | tags = bro plugin, packet source, af_xdp 1634 | test_command = cd tests && btest -d 1635 | url = https://github.com/irtimmer/bro-xdp_packet-plugin 1636 | version = master 1637 | 1638 | [j-gras/add-interfaces] 1639 | depends = 1640 | zeek >=3.0 1641 | description = Adds cluster node's interface to logs. 1642 | script_dir = scripts 1643 | tags = log, logging, conn, add interface, add worker 1644 | url = https://github.com/J-Gras/add-interfaces 1645 | version = 2.0.0 1646 | 1647 | [j-gras/add-json] 1648 | depends = 1649 | zeek >=4.1 1650 | description = Additional JSON-logging for Zeek. 1651 | script_dir = scripts 1652 | tags = log, logging, JSON 1653 | test_command = cd tests && btest -d 1654 | url = https://github.com/J-Gras/add-json 1655 | version = 3.0.0 1656 | 1657 | [j-gras/add-node-names] 1658 | depends = 1659 | zeek >=2.5 1660 | description = Adds cluster node name to logs. 1661 | script_dir = scripts 1662 | tags = log, logging, conn, add node name, add worker 1663 | url = https://github.com/J-Gras/add-node-names 1664 | version = 2.0.0 1665 | 1666 | [j-gras/bro-af_packet-plugin] 1667 | build_command = ./configure && make 1668 | depends = 1669 | zkg >=2.0 1670 | zeek >=4.0.0 1671 | description = This plugin provides native AF_Packet support for Zeek. 1672 | plugin_dir = build/Zeek_AF_Packet.tgz 1673 | script_dir = scripts/af_packet 1674 | tags = zeek plugin, zeekctl plugin, packet source, af_packet 1675 | test_command = cd tests && btest -d 1676 | url = https://github.com/J-Gras/bro-af_packet-plugin 1677 | version = 4.0.0 1678 | 1679 | [j-gras/bro-fuzzy-hashing] 1680 | build_command = ./configure --bro-dist=%(bro_dist)s && make 1681 | depends = 1682 | bro >=2.5.0 1683 | description = This plugin provides fuzzy hashing for Bro. 
1684 | plugin_dir = build/JGras_FuzzyHashing.tgz 1685 | tags = bro plugin 1686 | test_command = cd tests && btest -d 1687 | url = https://github.com/J-Gras/bro-fuzzy-hashing 1688 | version = 0.3.0 1689 | 1690 | [j-gras/bro-lognorm] 1691 | build_command = ./configure && make 1692 | depends = 1693 | zkg >=2.0 1694 | zeek >=4.0.0 1695 | description = This plugin provides liblognorm integration for Zeek. 1696 | plugin_dir = build/Zeek_Lognorm.tgz 1697 | script_dir = scripts/lognorm 1698 | tags = zeek plugin, liblognorm, syslog 1699 | test_command = cd tests && btest -d 1700 | url = https://github.com/J-Gras/bro-lognorm 1701 | version = 1.0.0 1702 | 1703 | [j-gras/intel-expire] 1704 | credits = Jan Grashoefer 1705 | depends = 1706 | zeek >=3.0 1707 | description = Per item expiration for Zeek's intelligence framework. 1708 | script_dir = scripts 1709 | tags = intel, expiration 1710 | test_command = cd testing && btest -d 1711 | url = https://github.com/J-Gras/intel-expire 1712 | version = v1.0.0 1713 | 1714 | [j-gras/intel-extensions] 1715 | credits = Jan Grashoefer 1716 | depends = 1717 | zeek >=3.0 1718 | description = Extensions for Zeek's intelligence framework. 1719 | executables = utils/intel-mgr.py 1720 | script_dir = scripts 1721 | tags = intel, remote control, preserve files 1722 | test_command = cd testing && btest -d 1723 | url = https://github.com/J-Gras/intel-extensions 1724 | version = v0.5.0 1725 | 1726 | [j-gras/intel-limiter] 1727 | credits = Jan Grashoefer 1728 | depends = 1729 | zeek >=3.0 1730 | description = Limiter for Zeek's intelligence framework. 1731 | script_dir = scripts 1732 | tags = intel, limits, threshold 1733 | test_command = cd testing && btest -d 1734 | url = https://github.com/J-Gras/intel-limiter 1735 | version = 1.0.0 1736 | 1737 | [j-gras/intel-seen-more] 1738 | depends = 1739 | zeek >=3.2 1740 | description = Additional seen-triggers for Zeek's intelligence framework. 
1741 | script_dir = scripts 1742 | suggests = 1743 | sethhall/domain-tld * 1744 | tags = intel, seen 1745 | url = https://github.com/J-Gras/intel-seen-more 1746 | version = 0.4.0 1747 | 1748 | [jbaggs/anomalous-dns] 1749 | config_files = domain-whitelist.zeek, fast_flux-whitelist.zeek, recursive-whitelist.zeek, scripts/__load__.zeek, scripts/domain-whitelist.zeek, scripts/fast_flux-whitelist.zeek, scripts/recursive-whitelist.zeek 1750 | depends = 1751 | zeek >=5.0.8 1752 | https://github.com/sethhall/domain-tld >=1.2.2 1753 | description = A module for tracking and correlating abnormal DNS behavior. Detection of tunneling and C&C through connection duration and volume, request and answer size, DNS request type, and unique queries per domain. Statistical classification of fast flux networks based on A records and ASNs. 1754 | script_dir = scripts 1755 | tags = zeek scripting, dns, domain, notices 1756 | url = https://github.com/jbaggs/anomalous-dns 1757 | version = 2.0.3 1758 | 1759 | [jbaggs/wildcard-domain] 1760 | depends = 1761 | zeek >=3.0.0 1762 | description = This script adds a new Intel::WILDCARD_DOMAIN type that matches on the base domain name, regardless of what subdomain may be prepended to it. 1763 | script_dir = scripts 1764 | tags = zeek scripting, intel 1765 | url = https://github.com/jbaggs/wildcard-domain 1766 | version = 1.1.0 1767 | 1768 | [jmellander/BinaryHeap] 1769 | description = Binary Heap Implementation 1770 | script_dir = scripts 1771 | tags = zeek, zeek.org, BinaryHeap 1772 | url = https://github.com/jmellander/BinaryHeap 1773 | version = master 1774 | 1775 | [joesecurity/Joe-Sandbox-Bro] 1776 | description = JoeSandbox-Bro extracts files from your internet connection 1777 | and analyzes them automatically on Joe Sandbox. Combined with Joe Sandbox's 1778 | reporting and alerting features you can build a powerful IDS. 
1779 | script_dir = scripts 1780 | tags = file analysis, sandbox, malware, virus 1781 | url = https://github.com/joesecurity/Joe-Sandbox-Bro 1782 | version = master 1783 | 1784 | [jonzeolla/scan-sampling] 1785 | description = Modified version of scan.bro to add destination IP sampling. 1786 | script_dir = scripts 1787 | tags = sumstats 1788 | url = https://github.com/JonZeolla/scan-sampling 1789 | version = 0.1.0 1790 | 1791 | [jsiwek/zeek-cryptomining] 1792 | aliases = zeek-cryptomining bro_bitcoin 1793 | depends = zkg >=2.0.7 1794 | description = Detects Bitcoin, Litecoin, or other cryptocurrency 1795 | mining traffic that uses getwork, getblocktemplate, or Stratum mining 1796 | protocols over TCP or HTTP. This package used to be named "bro_bitcoin". 1797 | tags = signatures, bitcoin, mining, cryptocurrency, cryptomining, cryptocoin 1798 | test_command = cd testing && btest -d tests 1799 | url = https://github.com/jsiwek/zeek-cryptomining 1800 | version = master 1801 | 1802 | [jsiwek/zeek-print-log-info] 1803 | depends = zeek >=3.0.0 1804 | description = Gathers and prints field descriptions for all Zeek logs. 1805 | The default output format is CSV files. 1806 | tags = log, logs, logging, introspection, csv 1807 | url = https://github.com/jsiwek/zeek-print-log-info 1808 | version = master 1809 | 1810 | [jswaro/tcprs] 1811 | build_command = ( ./configure --bro-dist=%(bro_dist)s && make ) 1812 | description = TCP Retransmission and State Analyzer plugin for Bro. 
1813 | plugin_dir = build 1814 | script_dir = scripts 1815 | tags = bro plugin, TCP, retransmission, connection state, conn, input reader, protocol analyzer 1816 | test_command = cd tests btest -d tcprs 1817 | url = https://github.com/jswaro/tcprs 1818 | version = 0.2.1 1819 | 1820 | [justinazoff/zeek-jemalloc-profiling] 1821 | description = A broctl plugin that enables jemalloc profiling 1822 | plugin_dir = plugin 1823 | tags = broctl, jemalloc, profiling 1824 | url = https://github.com/JustinAzoff/zeek-jemalloc-profiling 1825 | version = master 1826 | 1827 | [keithjjones/zeek-amadey-detector] 1828 | depends = 1829 | zeek >=4.0.0 1830 | description = A Zeek based Amadey malware detector. 1831 | script_dir = scripts 1832 | summary = A Zeek based Amadey malware detector. 1833 | test_command = cd testing && btest -c btest.cfg 1834 | url = https://github.com/keithjjones/zeek-amadey-detector 1835 | version = v0.1.14 1836 | 1837 | [keithjjones/zeek-njrat-detector] 1838 | build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build . 1839 | depends = 1840 | zeek >=4.0.0 1841 | description = A Zeek based njRAT detector. 1842 | script_dir = analyzer 1843 | summary = A Zeek based njRAT detector. 
1844 | test_command = cd testing && btest -c btest.cfg 1845 | url = https://github.com/keithjjones/zeek-njrat-detector 1846 | version = v0.1.15 1847 | 1848 | [klehigh/find_smbv1] 1849 | credits = Mark Overholser converted to support newer Zeek 1850 | depends = 1851 | zeek >=2.5.0 1852 | description = find SMBv1 activity 1853 | script_dir = scripts 1854 | tags = smb, logging 1855 | url = https://github.com/klehigh/find_smbv1 1856 | version = 1.0.2 1857 | 1858 | [mbispham/zeekjs-redis] 1859 | build_command = ./configure && cd build && make 1860 | depends = 1861 | zeek >=4.2.0 1862 | description = A zkg package that uses ZeekJS to overwrite 1863 | the Logging Framework to output Zeek logs to Redis. 1864 | Each log id type is associated with a unique key. 1865 | For example, conn.log should be stored in the key 1866 | zeek_conn_logs. 1867 | script_dir = scripts 1868 | summary = Zeek Logs to Redis (ZeekJS Version) 1869 | tags = redis, logging, intel, javascript, js, plugin 1870 | url = https://github.com/mbispham/zeekjs-redis 1871 | version = main 1872 | 1873 | [micrictor/smbfp] 1874 | credits = Michael Torres 1875 | description = A package to create a fingerprint of SMB clients 1876 | script_dir = scripts 1877 | tags = smb, fingerprint 1878 | url = https://github.com/micrictor/smbfp 1879 | version = master 1880 | 1881 | [micrictor/spl-spt] 1882 | credits = Michael Torres 1883 | description = A package that creates a log for sequences of packet lengths and times, 1884 | allowing for new analytics based on these data features. 1885 | script_dir = scripts 1886 | tags = ssl, tls, spt, spl 1887 | url = https://github.com/micrictor/spl-spt 1888 | version = master 1889 | 1890 | [mitre-attack/bzar] 1891 | description = BZAR - Bro/Zeek ATT&CK-based Analytics and Reporting. 
1892 | script_dir = scripts 1893 | tags = bzar, att&ck, attack, analytics, cyber analytics repository, car, smb, rpc, dce-rpc 1894 | url = https://github.com/mitre-attack/bzar 1895 | version = master 1896 | 1897 | [mitre/icap] 1898 | build_command = ./configure --bro-dist=%(bro_dist)s && make 1899 | depends = 1900 | bro >=2.5.0 1901 | description = Internet Content Adaptation Protocol (ICAP) Analyzer for Bro and Zeek. 1902 | script_dir = scripts 1903 | tags = bro plugin, zeek plugin, protocol analyzer, internet content adaptation protocol, icap, https plain text 1904 | url = https://github.com/mitre/icap 1905 | version = master 1906 | 1907 | [mitrecnd/bro-http2] 1908 | build_command = ./configure && make 1909 | depends = 1910 | zeek >=3.0.0 1911 | description = A HTTP2 protocol analyzer for the Zeek NSM. 1912 | external_depends = 1913 | libnghttp2>=1.11.0 1914 | libbrotlidec>=1.0.0 1915 | script_dir = scripts 1916 | tags = zeek plugin, protocol analyzer, http2, intel 1917 | test_command = make test 1918 | url = https://github.com/MITRECND/bro-http2 1919 | version = 0.6.1 1920 | 1921 | [mvlnetdev/dportmatch] 1922 | credits = M. van Leeuwen 1923 | depends = 1924 | zeek >=2.6.3 1925 | description = Zeek package to add a destination port to the meta fields in Zeek. It creates a notice when both the intel and the destination port matches. This adds a feature that can be used to reduce false positives. 1926 | script_dir = scripts 1927 | tags = Zeek package, dport, port, intel, dport match 1928 | url = https://github.com/mvlnetdev/dportmatch 1929 | version = main 1930 | 1931 | [ncsa/bro-doctor] 1932 | depends = 1933 | j-gras/add-node-names * 1934 | description = A broctl plugin that helps you troubleshoot common problems 1935 | For cluster-related checks, the package "add-node-names" is recommended. 1936 | plugin_dir = . 
1937 | tags = broctl plugin, troubleshoot 1938 | url = https://github.com/ncsa/bro-doctor 1939 | version = 2.0.4 1940 | 1941 | [ncsa/bro-interface-setup] 1942 | description = A broctl plugin that helps you set up capture interfaces 1943 | plugin_dir = . 1944 | tags = bro plugin, interface, mtu 1945 | url = https://github.com/ncsa/bro-interface-setup 1946 | version = master 1947 | 1948 | [ncsa/bro-is-darknet] 1949 | description = This plugin adds a Site::is_darknet function. 1950 | This is useful for scripts that track scan attempts or other probes. 1951 | It can handle purely dark address space as well as honeynet space. 1952 | script_dir = scripts 1953 | tags = bro plugin, site, darknet 1954 | test_command = (cd testing && btest -d) 1955 | url = https://github.com/ncsa/bro-is-darknet 1956 | version = 2.2 1957 | 1958 | [ncsa/bro-simple-scan] 1959 | depends = 1960 | zeek >=3.0.0 1961 | ncsa/bro-is-darknet >=2.0 1962 | description = Simple, high performance tcp scan detection 1963 | script_dir = scripts 1964 | tags = bro plugin, scan detection 1965 | test_command = (cd testing && btest -d) 1966 | url = https://github.com/ncsa/bro-simple-scan 1967 | version = 4.0 1968 | 1969 | [ncsa/bro-zeromq-writer] 1970 | build_command = ./configure --with-zmq=%(ZEROMQ_PREFIX)s && make 1971 | description = ZeroMQ log writer. 
1972 | external_depends = 1973 | zeromq >=3.2.0 1974 | script_dir = scripts/NCSA/ZeroMQWriter 1975 | tags = zeek plugin, log writer, zeromq, zmq, 0mq, json 1976 | test_command = make test 1977 | user_vars = 1978 | ZEROMQ_PREFIX [/usr/local] "ZeroMQ install prefix" 1979 | url = https://github.com/ncsa/bro-zeromq-writer 1980 | version = master 1981 | 1982 | [nskelsey/aaalm] 1983 | description = Tag and group devices based on a LAN's structure 1984 | script_dir = scripts 1985 | tags = topology, mapping, visualization, traceroute 1986 | version = master 1987 | url = https://github.com/nskelsey/aaalm 1988 | 1989 | [ntop/bro-pf_ring] 1990 | build_command = ( ./configure --bro-dist=%(bro_dist)s && make ) 1991 | description = Packet source plugin that provides native PF_RING support. 1992 | plugin_dir = build 1993 | script_dir = scripts 1994 | tags = packet source, plugin, pf_ring 1995 | test_command = ( cd tests && btest -d ) 1996 | url = https://github.com/ntop/bro-pf_ring 1997 | version = master 1998 | 1999 | [nttcom/zeek-parser-Bacnet] 2000 | depends = 2001 | zeek >=4.0.0 2002 | description = TODO: A more detailed description of icsnpp-bacnet. 2003 | It can span multiple lines, with this indentation. 2004 | script_dir = scripts 2005 | summary = TODO: A summary of icsnpp-bacnet in one line 2006 | test_command = cd testing && btest -c btest.cfg 2007 | url = https://github.com/nttcom/zeek-parser-Bacnet 2008 | version = main 2009 | 2010 | [nttcom/zeek-parser-CCLinkFieldBasic] 2011 | build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build . 2012 | depends = 2013 | zeek >=4.0.0 2014 | description = TODO: A more detailed description of spicy_cc_link_basic. 2015 | It can span multiple lines, with this indentation. 
2016 | script_dir = scripts 2017 | summary = TODO: A summary of spicy_cc_link_basic in one line 2018 | test_command = cd testing && btest -c btest.cfg 2019 | url = https://github.com/nttcom/zeek-parser-CCLinkFieldBasic 2020 | version = main 2021 | 2022 | [nttcom/zeek-parser-CCLinkIENoIP] 2023 | build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build . 2024 | depends = 2025 | zeek >=4.0.0 2026 | description = TODO: A more detailed description of zeek-parser-CCLinkIENoIP. 2027 | It can span multiple lines, with this indentation. 2028 | script_dir = scripts 2029 | summary = TODO: A summary of zeek-parser-CCLinkIENoIP in one line 2030 | test_command = cd testing && btest -c btest.cfg 2031 | url = https://github.com/nttcom/zeek-parser-CCLinkIENoIP 2032 | version = main 2033 | 2034 | [nttcom/zeek-parser-CCLinkTSNPTP] 2035 | build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build . 2036 | depends = 2037 | zeek >=4.0.0 2038 | description = TODO: A more detailed description of zeek-parser-CCLinkTSNPTP. 2039 | It can span multiple lines, with this indentation. 2040 | script_dir = scripts 2041 | summary = TODO: A summary of zeek-parser-CCLinkTSNPTP in one line 2042 | test_command = cd testing && btest -c btest.cfg 2043 | url = https://github.com/nttcom/zeek-parser-CCLinkTSNPTP 2044 | version = main 2045 | 2046 | [nttcom/zeek-parser-CCLinkTSNSLMP] 2047 | build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build . 2048 | depends = 2049 | zeek >=4.0.0 2050 | description = TODO: A more detailed description of zeek-parser-CCLinkTSNSLMP. 2051 | It can span multiple lines, with this indentation. 
2052 | script_dir = scripts 2053 | summary = TODO: A summary of zeek-parser-CCLinkTSNSLMP in one line 2054 | test_command = cd testing && btest -c btest.cfg 2055 | url = https://github.com/nttcom/zeek-parser-CCLinkTSNSLMP 2056 | version = main 2057 | 2058 | [nttcom/zeek-parser-CIFS-COM] 2059 | build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build . 2060 | depends = 2061 | zeek >=4.0.0 2062 | description = TODO: A more detailed description of test. 2063 | It can span multiple lines, with this indentation. 2064 | script_dir = scripts 2065 | summary = TODO: A summary of test in one line 2066 | test_command = cd testing && btest -c btest.cfg 2067 | url = https://github.com/nttcom/zeek-parser-CIFS-COM 2068 | version = main 2069 | 2070 | [nttcom/zeek-parser-CIFS-NBNS-COM] 2071 | build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build . 2072 | depends = 2073 | zeek >=4.0.0 2074 | description = TODO: A more detailed description of zeek-parser-NBNS. 2075 | It can span multiple lines, with this indentation. 2076 | script_dir = scripts 2077 | summary = TODO: A summary of zeek-parser-NBNS in one line 2078 | test_command = cd testing && btest -c btest.cfg 2079 | url = https://github.com/nttcom/zeek-parser-CIFS-NBNS-COM 2080 | version = main 2081 | 2082 | [nttcom/zeek-parser-DHCPv4-COM] 2083 | build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build . 2084 | depends = 2085 | zeek >=4.0.0 2086 | description = TODO: A more detailed description of zeek-parser-DHCPv4-COM. 2087 | It can span multiple lines, with this indentation. 
2088 | script_dir = scripts 2089 | summary = TODO: A summary of zeek-parser-DHCPv4-COM in one line 2090 | test_command = cd testing && btest -c btest.cfg 2091 | url = https://github.com/nttcom/zeek-parser-DHCPv4-COM 2092 | version = main 2093 | 2094 | [nttcom/zeek-parser-DHCPv6-COM] 2095 | build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build . 2096 | depends = 2097 | zeek >=4.0.0 2098 | description = TODO: A more detailed description of zeek-parser-DHCPV6. 2099 | It can span multiple lines, with this indentation. 2100 | script_dir = scripts 2101 | summary = TODO: A summary of zeek-parser-DHCPV6 in one line 2102 | test_command = cd testing && btest -c btest.cfg 2103 | url = https://github.com/nttcom/zeek-parser-DHCPv6-COM 2104 | version = main 2105 | 2106 | [nttcom/zeek-parser-OmronFINS] 2107 | build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build . 2108 | depends = 2109 | zeek >=4.0.0 2110 | description = TODO: A more detailed description of zeek-parser-OmronFINS. 2111 | It can span multiple lines, with this indentation. 2112 | script_dir = scripts 2113 | summary = TODO: A summary of zeek-parser-OmronFINS in one line 2114 | test_command = cd testing && btest -c btest.cfg 2115 | url = https://github.com/nttcom/zeek-parser-OmronFINS 2116 | version = main 2117 | 2118 | [nttcom/zeek-parser-SSDP-COM] 2119 | build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build . 2120 | depends = 2121 | zeek >=4.0.0 2122 | description = TODO: A more detailed description of zeek-parser-SSDP. 2123 | It can span multiple lines, with this indentation. 
2124 | script_dir = scripts 2125 | summary = TODO: A summary of zeek-parser-SSDP in one line 2126 | test_command = cd testing && btest -c btest.cfg 2127 | url = https://github.com/nttcom/zeek-parser-SSDP-COM 2128 | version = main 2129 | 2130 | [pgaulon/zeek-notice-slack] 2131 | aliases = zeek-notice-slack bro-notice-slack 2132 | description = Zeek Notices through Slack webhook 2133 | tags = zeek plugin, notices, slack webhook 2134 | url = https://github.com/pgaulon/zeek-notice-slack 2135 | version = 1.0.2 2136 | 2137 | [pgaulon/zeekjs-notice-slack] 2138 | depends = zeekjs * 2139 | description = Package extending the Notice Framework to send Notices via Slack webhooks. 2140 | summary = Zeek Notices via Slack webhooks 2141 | tags = zeekjs, zeek plugin, notices, slack, webhook 2142 | url = https://github.com/pgaulon/zeekjs-notice-slack 2143 | version = v0.0.5 2144 | 2145 | [precurse/zeek-httpattacks] 2146 | description = Checks for HTTP anomalies typically used for attacking. 2147 | script_dir = scripts 2148 | tags = http, detection 2149 | version = master 2150 | url = https://github.com/precurse/zeek-httpattacks 2151 | 2152 | [qintel/qsentry-zeek] 2153 | aliases = qsentry-zeek qsentry qintel 2154 | credits = Qintel Integrations 2155 | description = Adds Qintel QSentry metadata to intel logs. 2156 | script_dir = qsentry 2157 | tags = log, logging, intel, qintel, qsentry, intelligenece, threat intelligence, ti 2158 | url = https://github.com/qintel/qsentry-zeek 2159 | version = 1.0.0 2160 | 2161 | [reshadp/zeek-log-add-mac-addresses] 2162 | description = Add MAC address to all logs. 
2163 | script_dir = scripts 2164 | tags = log extend mac 2165 | url = https://github.com/reshadp/zeek-log-add-mac-addresses 2166 | version = main 2167 | 2168 | [rvictory/zeek-new-domains] 2169 | credits = Ryan Victory 2170 | depends = 2171 | sethhall/domain-tld * 2172 | description = Monitors for new domains being queried for and raises a notice for them 2173 | script_dir = scripts 2174 | tags = DNS 2175 | version = master 2176 | url = https://github.com/rvictory/zeek-new-domains 2177 | 2178 | [saiiman/zeek-exfil-detect] 2179 | build_command = ./configure && cd build && make 2180 | depends = 2181 | zeek >=5.1.0 2182 | description = This package offers the possibility of exfiltration detection through statistical analysis methods. 2183 | For this purpose, all connections are added to a baseline, subdivided according to their source 2184 | ip address and destination port. The baseline is then used to perform statistical anomaly detection. 2185 | Anomalies in the baseline are considered as data exfiltrations. 2186 | The severity of the anomaly is recorded using a score between 0 and 1. 2187 | script_dir = scripts 2188 | suggests = 2189 | https://github.com/salesforce/ja3 branch=master 2190 | summary = This package offers the possibility of exfiltration detection through statistical analysis methods. 2191 | tags = conn, exfil, exfiltration, TA0010 2192 | test_command = cd testing && btest -c btest.cfg 2193 | url = https://github.com/SECUINFRA/zeek-exfil-detect 2194 | version = main 2195 | 2196 | [salesforce/bro-sysmon] 2197 | description = Zeek-Sysmon contains a python script that will read in a file, parse JSON Windows Event Logs, generate Zeek events, and forward them to Zeek. Default Zeek-Sysmon scripts log output to files. 
2198 | script_dir = bro 2199 | tags = broker, Windows, Event Logs, Sysmon, logging 2200 | version = master 2201 | url = https://github.com/salesforce/bro-sysmon 2202 | 2203 | [salesforce/GQUIC_Protocol_Analyzer] 2204 | build_command = ./configure && make 2205 | depends = 2206 | zkg >=2.0 2207 | zeek >=4.0.0 2208 | description = Protocol analyzer that detects, dissects, fingerprints, and logs GQUIC traffic 2209 | script_dir = scripts/Salesforce/GQUIC 2210 | url = https://github.com/salesforce/GQUIC_Protocol_Analyzer 2211 | version = master 2212 | 2213 | [salesforce/ja3] 2214 | description = JA3 creates 32 character SSL client fingerprints and logs them as a field in ssl.log. These fingerprints can easily be shared as threat intelligence or used as correlation items for enhanced alerting and analysis. This package also adds JA3 to the Zeek Intel Framework. 2215 | https://github.com/salesforce/ja3 2216 | script_dir = zeek 2217 | tags = intel, ssl, logging 2218 | version = master 2219 | url = https://github.com/salesforce/ja3 2220 | 2221 | [sandialabs/gait] 2222 | description = Adds fields to conn and ssl logs useful for fingerprinting and timing analysis 2223 | script_dir = zeek 2224 | tags = conn, tcp, ssl, fingerprinting 2225 | version = main 2226 | url = https://github.com/sandialabs/gait 2227 | 2228 | [seisollc/zeek-kafka] 2229 | build_command = ./configure --with-librdkafka=%(LIBRDKAFKA_ROOT)s && make 2230 | depends = 2231 | zeek >=4.0.0 2232 | zkg >=2.0 2233 | description = A Zeek log writer plugin that publishes to Kafka. 
2234 | external_depends = 2235 | librdkafka ~1.4.2 2236 | plugin_dir = build 2237 | script_dir = build/scripts/Seiso/Kafka 2238 | tags = log writer, zeek plugin, kafka 2239 | test_command = cd tests && btest -d 2240 | user_vars = 2241 | LIBRDKAFKA_ROOT [/usr/local] "Path to librdkafka installation tree root" 2242 | version = v1.2.0 2243 | url = https://github.com/seisollc/zeek-kafka 2244 | 2245 | [sethhall/bro-myricom] 2246 | build_command = ( ./configure --bro-dist=%(bro_dist)s && make ) 2247 | depends = 2248 | bro-pkg >=1.2 2249 | description = Packet source plugin that provides native Myricom SNF v3+v4 support. 2250 | plugin_dir = build/Bro_Myricom.tgz 2251 | script_dir = scripts.not_used 2252 | tags = packet source, plugin, myricom 2253 | test_command = ( cd tests && btest -d ) 2254 | url = https://github.com/sethhall/bro-myricom 2255 | version = 1.0.4 2256 | 2257 | [sethhall/credit-card-exposure] 2258 | description = Detect credit card numbers in HTTP and SMTP with Bro. 2259 | script_dir = scripts 2260 | tags = credit cards, dlp, http, smtp, files 2261 | test_command = ( cd tests && btest -d ) 2262 | version = 2.0.0 2263 | url = https://github.com/sethhall/credit-card-exposure 2264 | 2265 | [sethhall/domain-tld] 2266 | description = A library for getting the "effective tld" of a domain name. 2267 | script_dir = scripts 2268 | tags = library, domain 2269 | url = https://github.com/sethhall/domain-tld 2270 | version = v1.2.2 2271 | 2272 | [sethhall/ssn-exposure] 2273 | description = Detect US Social Security numbers in HTTP and SMTP with Bro. 2274 | script_dir = scripts 2275 | tags = ssn, social security number, dlp, files 2276 | version = 1.0.1 2277 | url = https://github.com/sethhall/ssn-exposure 2278 | 2279 | [sethhall/unknown-mime-type-discovery] 2280 | description = Help Zeek by finding unidentified file types. 
2281 | script_dir = scripts 2282 | tags = files, signature 2283 | url = https://github.com/sethhall/unknown-mime-type-discovery 2284 | version = v1.0.0 2285 | 2286 | [sethhall/zeek-log-all-http-headers] 2287 | aliases = zeek-log-all-http-headers 2288 | depends = zkg >=2.0.7 2289 | description = Add all HTTP headers and values to the HTTP log. 2290 | script_dir = scripts 2291 | tags = http 2292 | version = v1.0.0 2293 | url = https://github.com/sethhall/zeek-log-all-http-headers 2294 | 2295 | [sfinlon/cif-zeek] 2296 | aliases = cif-zeek cif 2297 | credits = Scott Finlon 2298 | description = Adds Collective Intelligence Framework (CIF) metadata to intel logs. 2299 | script_dir = scripts 2300 | tags = log, logging, intel, intelligenece, threat intelligence, ti, CIF 2301 | url = https://github.com/sfinlon/cif-zeek 2302 | version = 1.0.1 2303 | 2304 | [shodan/shodan-zeek] 2305 | build_command = ./configure && make 2306 | description = Get IP address information from the Shodan InternetDB. 2307 | script_dir = scripts 2308 | tags = zeek plugin, zeek scripting 2309 | url = https://gitlab.com/shodan-public/shodan-zeek/ 2310 | version = master 2311 | 2312 | [sithari/icmp-exfil-detection] 2313 | credits = Rakesh Passa 2314 | depends = 2315 | zeek >=3.2.0 2316 | description = Detects exfiltration of data over ICMP and writes to notice.log with the details of the exfil like duration, exfil size, source/dest ip, etc. 2317 | script_dir = scripts 2318 | tags = ICMP, exfil, exfiltration, protocol misuse 2319 | version = main 2320 | url = https://github.com/sithari/icmp-exfil-detection 2321 | 2322 | [srozb/dns_axfr] 2323 | description = Find and notice DNS zone transfer attempts. 
2324 | script_dir = scripts 2325 | tags = dns recon 2326 | version = master 2327 | url = https://github.com/srozb/dns_axfr 2328 | 2329 | [srozb/http_csp] 2330 | description = HTTP Content-Security-Policy report parser 2331 | script_dir = scripts 2332 | tags = CSP intel 2333 | url = https://github.com/srozb/http_csp 2334 | version = 1.0.1 2335 | 2336 | [stevesmoot/zeek_metainfo] 2337 | description = Create schemas in many forms for local Zeek installation/configuration. JSON, markup text, Avro, html so far. 2338 | script_dir = scripts 2339 | tags = schema, docs, json, avro 2340 | test_command = (cd testing && btest -d) 2341 | url = https://github.com/corelight/zeek_metainfo 2342 | version = main 2343 | 2344 | [stevesmoot/appid] 2345 | build_command = make all 2346 | credits = Steve Smoot 2347 | depends = 2348 | zeek/sethhall/domain-tld * 2349 | description = Leverage nDPI and other info to make informed guess at the application for a connection. 2350 | script_dir = . 2351 | tags = nDPI application 2352 | url = https://github.com/stevesmoot/appid 2353 | version = master 2354 | 2355 | [stevesmoot/localcountry] 2356 | depends = 2357 | zeek >=4.0.0 2358 | description = TODO: A more detailed description of LocalCountry. 2359 | It can span multiple lines, with this indentation. 
2360 | script_dir = scripts 2361 | summary = TODO: A summary of LocalCountry in one line 2362 | test_command = cd testing && btest -c btest.cfg 2363 | url = https://github.com/stevesmoot/localcountry 2364 | version = main 2365 | 2366 | [stratosphereips/zeek-package-ARP] 2367 | description = Zeek Package that supports adding arp.log to zeek log files 2368 | tags = zeek plugin, arp, features extraction 2369 | version = 1.0.0 2370 | url = https://github.com/stratosphereips/zeek-package-ARP 2371 | 2372 | [stratosphereips/zeek-package-detect-DoH] 2373 | description = Detect DoH servers by adding an is_DoH field in ssl.log, and add a timeout to those connections so that a DoH connection won't take too long 2374 | tags = zeek plugin, DoH, features extraction, ssl, DNS 2375 | version = 1.0.0 2376 | url = https://github.com/stratosphereips/zeek-package-detect-DoH 2377 | 2378 | [stratosphereips/zeek-package-IRC] 2379 | description = Zeek Package that extracts features of IRC communication 2380 | tags = zeek plugin, irc, features extraction 2381 | version = v1.6 2382 | url = https://github.com/stratosphereips/zeek-package-IRC 2383 | 2384 | [stratosphereips/zeek-package-log-gateway-IP] 2385 | description = This script gets the gateway IP information taken from the dhcp logs, and adds a notice.log entry if the gateway address is identified 2386 | tags = zeek plugin, Gateway IP, features extraction, notice 2387 | version = 1.0.0 2388 | url = https://github.com/stratosphereips/zeek-package-log-gateway-IP 2389 | 2390 | [tenzir/zeek-mac-ages] 2391 | script_dir = scripts/tenzir/mac-ages 2392 | tags = conn, mac 2393 | url = https://github.com/tenzir/zeek-mac-ages 2394 | version = master 2395 | 2396 | [tenzir/zeek-tenzir] 2397 | aliases = tenzir 2398 | depends = 2399 | zeek >=4.0.0 2400 | description = This package is the official Zeek integration for Tenzir.
2401 | script_dir = scripts 2402 | summary = The official Tenzir integration for Zeek 2403 | tags = tenzir, pipelines, logs, log shipping, postprocessor, rotation 2404 | url = https://github.com/tenzir/zeek-tenzir 2405 | version = master 2406 | 2407 | [theflakes/bro-large_uploads] 2408 | credits = Brian Kellogg 2409 | description = Raise notices on outgoing files over X bytes in size. 2410 | Also raise notices for multiple large outgoing Tx's in Y time frame. 2411 | tags = notices, uploads, conn 2412 | url = https://github.com/theflakes/bro-large_uploads 2413 | version = master 2414 | 2415 | [theparanoids/rdfp] 2416 | credits = Jeff Atkinson , 2417 | Copyright Verizon Media Group 2020 2418 | description = The script creates a new log that records the details used to build the fingerprint, along with some additional information. The fingerprint is created by concatenating fields extracted from different data packets. https://github.com/yahoo/rdfp 2419 | script_dir = scripts 2420 | url = https://github.com/theparanoids/rdfp 2421 | version = master 2422 | 2423 | [thibaultbl/variation_coefficient] 2424 | aliases = coefficient_variation variation_coefficient 2425 | credits = T. BLANC 2426 | description = Implements the coefficient of variation (standard deviation / average), a form of relative standard deviation.
2427 | script_dir = scripts 2428 | tags = statistics, stats, sumstats, standard_deviation, variance 2429 | url = https://github.com/thibaultbl/variation_coefficient 2430 | version = main 2431 | 2432 | [ukncsc/zeek-plugin-ikev2] 2433 | build_command = ( ./configure --bro-dist=%(bro_dist)s && make ) 2434 | depends = 2435 | zeek >=3.0.0 2436 | description = Plugin that enables parsing of the IKEv2 protocol 2437 | script_dir = scripts 2438 | tags = zeek plugin, protocol analyzer, log writer, vpn, ike, ikev2 2439 | test_command = ( cd tests && btest -d ) 2440 | url = https://github.com/ukncsc/zeek-plugin-ikev2 2441 | version = v0.1 2442 | 2443 | [vitalyrepin/uap-bro] 2444 | build_command = ./configure --bro-dist=%(bro_dist)s && make 2445 | config_files = build/scripts/init.bro 2446 | depends = 2447 | bro >=2.5.0 2448 | bro-pkg >=1.2 2449 | description = User Agent Parser - Bro implementation based on uap-core 2450 | external_depends = 2451 | libyaml-cpp-dev ~0.5.2 2452 | libboost-regex-dev ~1.58.0 2453 | plugin_dir = build 2454 | script_dir = build/scripts/VR/UAP 2455 | tags = bro plugin, uap, user_agent 2456 | test_command = ( cd tests && btest -d ) 2457 | version = master 2458 | url = https://github.com/vitalyrepin/uap-bro 2459 | 2460 | [zeek-packages/zeek-agent-v2] 2461 | build_command = git describe --always --long | sed 's/-[^-]*$//' >scripts/version.dat || true 2462 | depends = 2463 | zeek >=4.0.0 2464 | description = 2465 | script_dir = scripts 2466 | summary = Framework collecting Zeek Agent information from endpoints 2467 | test_command = make test 2468 | version = v2.3.0-dev 2469 | url = https://github.com/zeek-packages/zeek-agent-v2 2470 | 2471 | [zeek/hello-world] 2472 | depends = 2473 | zeek >=4.0.0 2474 | description = A test package to verify that your Zeek installation 2475 | can install packages successfully. 2476 | script_dir = scripts 2477 | summary = Hello World! 
2478 | test_command = cd testing && btest -c btest.cfg 2479 | url = https://github.com/zeek/hello-world 2480 | version = v1.0.0 2481 | 2482 | [zeek/logschema] 2483 | depends = 2484 | zeek >=5.2.0 2485 | description = This package generates schemas for Zeek's logs. 2486 | For every log your Zeek installation produces, the schema describes each log 2487 | field including name, type, docstring, and more. The package supports JSON Schema, 2488 | CSV, a Zeek log to capture schema information, and a custom JSON representation. 2489 | It understands Zeek's log customization in detail. The schema export code is 2490 | extensible, allowing you to produce your own schemas. 2491 | script_dir = scripts 2492 | summary = Log data schema generation 2493 | test_command = cd testing && ./btest.sh 2494 | url = https://github.com/zeek/logschema 2495 | version = v2.0.1 2496 | 2497 | [zeek/osquery-framework] 2498 | depends = 2499 | zeek >=3.0.0-rc1 2500 | description = Osquery script framework for communicating with osquery endpoints 2501 | script_dir = osquery-framework 2502 | tags = osquery 2503 | version = v0.4 2504 | url = https://github.com/zeek/osquery-framework 2505 | 2506 | [zeek/spicy-analyzers] 2507 | depends = http://github.com/zeek/spicy-dhcp >=0.0.1 2508 | http://github.com/zeek/spicy-dns >=0.0.2 2509 | http://github.com/zeek/spicy-http >=0.0.1 2510 | http://github.com/zeek/spicy-pe >=0.0.3 2511 | http://github.com/zeek/spicy-png >=0.0.2 2512 | http://github.com/zeek/spicy-tftp >=0.0.1 2513 | http://github.com/zeek/spicy-zip >=0.0.1 2514 | description = Meta package for a number of Spicy-based analyzers. 2515 | summary = Meta package for a number of Spicy-based analyzers 2516 | url = https://github.com/zeek/spicy-analyzers 2517 | version = v0.2.33 2518 | 2519 | [zeek/spicy-dhcp] 2520 | build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build . 
2521 | description = Spicy-based analyzer for the DHCP protocol. 2522 | plugin_dir = build/spicy-modules 2523 | script_dir = analyzer 2524 | summary = Spicy-based analyzer for the DHCP protocol 2525 | test_command = cd tests && PATH=$(zkg config plugin_dir)/packages/spicy-plugin/bin:$PATH btest -d -j $(nproc) 2526 | url = https://github.com/zeek/spicy-dhcp 2527 | version = v0.0.12 2528 | 2529 | [zeek/spicy-dns] 2530 | build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build . 2531 | description = Spicy-based analyzer for the DNS protocol. 2532 | plugin_dir = build/spicy-modules 2533 | script_dir = analyzer 2534 | summary = Spicy-based analyzer for the DNS protocol 2535 | test_command = cd tests && PATH=$(zkg config plugin_dir)/packages/spicy-plugin/bin:$PATH btest -d -j $(nproc) 2536 | url = https://github.com/zeek/spicy-dns 2537 | version = v0.0.12 2538 | 2539 | [zeek/spicy-http] 2540 | build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build . 2541 | description = Spicy-based analyzer for the HTTP protocol. 2542 | plugin_dir = build/spicy-modules 2543 | script_dir = analyzer 2544 | summary = Spicy-based analyzer for the HTTP protocol 2545 | test_command = cd tests && PATH=$(zkg config plugin_dir)/packages/spicy-plugin/bin:$PATH btest -d -j $(nproc) 2546 | url = https://github.com/zeek/spicy-http 2547 | version = v0.0.12 2548 | 2549 | [zeek/spicy-ldap] 2550 | build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build . 
2551 | description = An LDAP analyzer based on Spicy 2552 | plugin_dir = build/spicy-modules 2553 | script_dir = analyzer 2554 | summary = LDAP analyzer 2555 | test_command = cd tests && PATH=$(zkg config plugin_dir)/packages/spicy-plugin/bin:$PATH btest -d -j $(nproc) 2556 | url = https://github.com/zeek/spicy-ldap 2557 | version = v0.0.16 2558 | 2559 | [zeek/spicy-pe] 2560 | build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build . 2561 | description = Spicy-based analyzer for the Portable Executable (PE) image format 2562 | plugin_dir = build/spicy-modules 2563 | script_dir = analyzer 2564 | summary = Spicy-based analyzer for the Portable Executable (PE) image format 2565 | test_command = cd tests && PATH=$(zkg config plugin_dir)/packages/spicy-plugin/bin:$PATH btest -d -j $(nproc) 2566 | url = https://github.com/zeek/spicy-pe 2567 | version = v0.0.15 2568 | 2569 | [zeek/spicy-plugin] 2570 | build_command = unset -v CXX CXXFLAGS LD LDFLAGS && mkdir -p build && cd build && cmake .. && make -j "${SPICY_ZKG_PROCESSES:-4}" 2571 | depends = zeek >=5.0.0 2572 | executables = build/bin/spicyz 2573 | plugin_dir = build 2574 | script_dir = scripts/Zeek/Spicy 2575 | test_command = unset -v CXX CXXFLAGS LD LDFLAGS && cd tests && btest -d -j "${SPICY_ZKG_PROCESSES:-4}" 2576 | url = https://github.com/zeek/spicy-plugin 2577 | version = v1.5.3 2578 | 2579 | [zeek/spicy-png] 2580 | build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build . 2581 | description = Spicy-based analyzer for the PNG file format. 
2582 | plugin_dir = build/spicy-modules 2583 | script_dir = analyzer 2584 | summary = Spicy-based analyzer for the PNG file format 2585 | test_command = cd tests && PATH=$(zkg config plugin_dir)/packages/spicy-plugin/bin:$PATH btest -d -j $(nproc) 2586 | url = https://github.com/zeek/spicy-png 2587 | version = v0.0.8 2588 | 2589 | [zeek/spicy-tftp] 2590 | build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build . 2591 | depends = 2592 | zeek >=4.0.0 2593 | description = Spicy-based analyzer for the TFTP protocol. 2594 | script_dir = scripts 2595 | summary = Spicy-based analyzer for the TFTP protocol 2596 | test_command = cd testing && btest -c btest.cfg 2597 | url = https://github.com/zeek/spicy-tftp 2598 | version = v0.0.5 2599 | 2600 | [zeek/spicy-zip] 2601 | build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build . 2602 | description = Spicy-based analyzer for the ZIP file format. 2603 | plugin_dir = build/spicy-modules 2604 | script_dir = analyzer 2605 | summary = Spicy-based analyzer for the ZIP file format 2606 | test_command = cd tests && PATH=$(zkg config plugin_dir)/packages/spicy-plugin/bin:$PATH btest -d -j $(nproc) 2607 | url = https://github.com/zeek/spicy-zip 2608 | version = v0.0.8 2609 | 2610 | [zeek/zeek-af_packet-plugin] 2611 | build_command = ./configure && make 2612 | depends = 2613 | zkg >=2.0 2614 | zeek >=4.0.0 2615 | description = This plugin provides native AF_Packet support for Zeek. 
2616 | plugin_dir = build/Zeek_AF_Packet.tgz 2617 | script_dir = scripts/af_packet 2618 | tags = zeek plugin, zeekctl plugin, packet source, af_packet 2619 | test_command = cd tests && btest -d 2620 | url = https://github.com/zeek/zeek-af_packet-plugin 2621 | version = 4.0.0 2622 | 2623 | [zeek/zeek-cluster-backend-nats] 2624 | build_command = ./configure && cmake --build build 2625 | description = 2626 | summary = NATS.io based cluster backend 2627 | test_command = cd testing && btest -c btest.cfg 2628 | url = https://github.com/zeek/zeek-cluster-backend-nats 2629 | version = v0.0.3 2630 | 2631 | [zeek/zeek-more-hashes] 2632 | build_command = ./configure && cd build && make 2633 | description = Additional hashing functions for Zeek, started with MurmurHash3. 2634 | name = MoreHashes 2635 | plugin_dir = build 2636 | script_dir = ./scripts/Zeek/MoreHashes 2637 | tags = mmh3 2638 | test_command = cd tests && btest -d -c btest.cfg 2639 | url = https://github.com/zeek/zeek-more-hashes 2640 | version = v0.3.0 2641 | 2642 | [zeek/zeek-netmap] 2643 | build_command = ./configure --with-netmap=%(netmap_root_dir)s && cd build && make 2644 | depends = 2645 | zeek >=3.1.0 2646 | description = Packet source plugin that provides native Netmap support. 2647 | plugin_dir = build 2648 | tags = packet source, plugin, netmap 2649 | test_command = cd tests && btest -d -c btest.cfg 2650 | user_vars = 2651 | netmap_root_dir [] "Root directory of Netmap installation" 2652 | url = https://github.com/zeek/zeek-netmap 2653 | version = v2.0.1 2654 | 2655 | [zeek/zeek-perf-support] 2656 | build_command = ./configure && cmake --build build 2657 | description = 2658 | summary = perf support 2659 | test_command = cd testing && btest -c btest.cfg 2660 | url = https://github.com/zeek/zeek-perf-support 2661 | version = v0.9.1 2662 | 2663 | --------------------------------------------------------------------------------