Zeek Package Manager
 

intel-seen-more

https://github.com/J-Gras/intel-seen-more
2
5
1
0
Last Push 2/24/22, 3:42 PM

Intel Seen More

This package provides additional seen scripts for Zeek's intelligence framework. It implements the following functionalities:

  • udp: Sees originator and responder of UDP connections. Note: The script uses the potentially expensive event new_connection.

  • icmp-ping: Sees originator and responder of ICMP echo requests and replies. Note: The script uses potentially expensive events.

  • effective_dns: Introduces the Intel::EFFECTIVE_DOMAIN indicator type for effective domains. For example "wikipedia.org" will match "www.wikipedia.org" and other subdomains. Note: The scripts require the DomainTLD package.

  • conn-tcp: Introduces the Intel::CONN_TCP indicator type supporting <IP>:<Port> indicators for established TCP connections.

Installation

The scripts are available as package for the Zeek Package Manager and can be installed using the following command:

zkg install intel-seen-more

Usage

By default no script is loaded! To load all scripts add the following to your local.zeek:

@load packages
@load packages/intel-seen-more/seen

Seen scripts can also be loaded selectively:

@load packages
@load packages/intel-seen-more/seen/udp
@load packages/intel-seen-more/seen/effective-dns

Package Version :

Description :

Additional seen-triggers for Zeek's intelligence framework.

Script Dir :

scripts

Depends :

zeek >=3.2

Suggests :

sethhall/domain-tld *

Tags :

intel, seen

Package Checks :

License:
Info:
Found license 'LICENSE'
Readme:
Info:
Found readme 'README.md'
Build Command:
Bad Extension:
Expensive Events:
Unsafe Functions:
Charset:

Description :

Additional seen-triggers for Bro's intelligence framework.

Script Dir :

scripts

Suggests :

bro/sethhall/domain-tld *

Tags :

intel, seen

Package Checks :

License:
Info:
Found license 'LICENSE'
Readme:
Info:
Found readme 'README.md'
Build Command:
Bad Extension:
Expensive Events:
Warnings:
intel-seen-more/scripts/seen/udp.bro:4 expensive event new_connection
Unsafe Functions:
Charset:

Description :

Additional seen-triggers for Bro's intelligence framework.

Script Dir :

scripts

Suggests :

bro/sethhall/domain-tld *

Tags :

intel, seen

Package Checks :

License:
Info:
Found license 'LICENSE'
Readme:
Info:
Found readme 'README.md'
Build Command:
Bad Extension:
Expensive Events:
Warnings:
intel-seen-more/scripts/seen/udp.bro:4 expensive event new_connection
Unsafe Functions:
Charset:

Description :

Additional seen-triggers for Bro's intelligence framework.

Script Dir :

scripts

Suggests :

bro/sethhall/domain-tld *

Tags :

intel, seen

Package Checks :

License:
Info:
Found license 'LICENSE'
Readme:
Info:
Found readme 'README.md'
Build Command:
Bad Extension:
Expensive Events:
Warnings:
intel-seen-more/scripts/seen/udp.bro:4 expensive event new_connection
Unsafe Functions:
Charset:

Description :

Additional seen-triggers for Bro's intelligence framework.

Script Dir :

scripts

Suggests :

bro/sethhall/domain-tld *

Tags :

intel, seen

Package Checks :

License:
Info:
Found license 'LICENSE'
Readme:
Info:
Found readme 'README.md'
Build Command:
Bad Extension:
Expensive Events:
Warnings:
intel-seen-more/scripts/seen/udp.bro:4 expensive event new_connection
Unsafe Functions:
Charset:

Description :

Additional seen-triggers for Bro's intelligence framework.

Script Dir :

scripts

Suggests :

sethhall/domain-tld *

Tags :

intel, seen

Package Checks :

License:
Info:
Found license 'LICENSE'
Readme:
Info:
Found readme 'README.md'
Build Command:
Bad Extension:
Expensive Events:
Warnings:
intel-seen-more/scripts/seen/udp.bro:4 expensive event new_connection
Unsafe Functions:
Charset: