Zeek Package Manager
 

zeek-mercury-npf

https://github.com/corelight/zeek-mercury-npf
0
0
0
0
Last Push 10/23/25, 8:53 AM

Mercury NPF for Zeek

This Zeek plugin implements the Network Protocol Fingerprinting (NPF) format as specified in the Mercury project.

Overview

The plugin inspects the following protocols and generates the NPF for them:

  • TCP
  • TLS and DTLS
  • QUIC
  • HTTP
  • SSH
  • OpenVPN (requires installation of https://github.com/corelight/zeek-spicy-openvpn)
  • STUN (requires installation of https://github.com/corelight/zeek-spicy-stun)

Installation

This plugin is distributed as a Zeek package. You can install it using the Zeek package manager zkg after cloning the repository using

zkg install .

Configuration

The plugin provides configuration options to control the version of the fingerprints generated for some protocols.

QUIC

You can choose between two QUIC fingerprint versions:

  • Mercury::QUIC::MERCURY_QUIC (default)
  • Mercury::QUIC::MERCURY_QUIC_1

To change the version, add the following to your local.zeek:

redef Mercury::QUIC::fingerprint_version = Mercury::QUIC::MERCURY_QUIC_1

TLS/DTLS

You can choose between three TLS/DTLS fingerprint versions:

  • Mercury::TLS::MERCURY_TLS (default)
  • Mercury::TLS::MERCURY_TLS_1
  • Mercury::TLS::MERCURY_TLS_2

To change the version, add the following to your local.zeek:

redef Mercury::TLS::fingerprint_version = Mercury::TLS::MERCURY_TLS_2;

Package Version :

Description :

TODO: A more detailed description of Mercury.
It can span multiple lines, with this indentation.

Script Dir :

scripts

Build Command :

./configure && cmake --build build

Test Command :

cd testing && btest -c btest.cfg

Depends :

zeek >=4.0.0

Package Checks :

License:
Info:
Found license 'COPYING'
Readme:
Info:
Found readme 'README'
Build Command:
Bad Extension:
Expensive Events:
Unsafe Functions:
Charset: