Packages

zeek-elf

By corelight

This package provides some basic analysis for ELF files.

zeek-EternalSafety

By 0xl3x1

EternalSafety is a Zeek package for detecting potentially dangerous SMBv1 protocol violations that encapsulate bugs exploited by the infamous Eternal* family of Windows exploits. It is capable of detecting EternalBlue, EternalSynergy/EternalRomance, EternalChampion, and the DoublePulsar backdoor. However, rather than identifying these exploits via simple signature matching, EternalSafety instead implements a set of SMBv1 protocol invariants that encapsulate the techniques each Eternal* exploit uses to trigger bugs in unpatched Windows systems. EternalSafety accurately and reliably identifies the EternalBlue, EternalSynergy and EternalRomance exploits, and the DoublePulsar backdoor implant. Due to limitations in Zeek's SMBv1 support, it has only limited, signature-based support for detecting EternalChampion. EternalSafety also identifies a range of other protocol violations, such as the use of unimplemented/unused SMBv1 commands, server-initiated changes to values that may only be set by an SMBv1 client, and incorrect interleaving of transaction types.

zeek-exfil-detect

By saiiman

This package offers exfiltration detection through statistical analysis. For this purpose, all connections are added to a baseline, subdivided by source IP address and destination port. The baseline is then used to perform statistical anomaly detection, and anomalies in the baseline are treated as possible data exfiltration. The severity of each anomaly is recorded as a score between 0 and 1.

zeek-exporter

By esnet

Prometheus exporter for Zeek performance data

zeek-globload

By corelight

This plugin adds support for shell-style glob patterns when loading Zeek scripts. For example, saying "@load startup.d/*.zeek" will load any Zeek scripts with a .zeek suffix from the startup.d folder.

zeek-gozi-detector

By corelight

A Zeek-based Gozi malware detector.

zeek-httpattacks

By precurse

Checks for HTTP anomalies typically seen in attacks.

zeek-intel-path

By captainGeech42

Extend Intel framework to alert on URL paths

zeek-jemalloc-profiling

By justinazoff

A broctl plugin that enables jemalloc profiling

zeek-jetdirect

By dopheide

Detect exploit attempts against HP JetDirect printers.

zeek-jpeg

By corelight

This package provides some basic analysis for JPEG files.

zeek-kafka

By seisollc

A Zeek log writer plugin that publishes to Kafka.

zeek-known-hosts-with-dns

By dopheide

This script expands the base known-hosts policy to include reverse DNS queries and syncs it across all workers.

zeek-known-outbound

By dopheide

This script provides the ability to monitor and throw notices for outbound connections to a list of watched countries. It also adds orig and resp country codes to conn.log. It depends on having libmaxmind configured for GeoIP lookups.

Zeek-Known-Services-With-OrigFlag

By esnet-security

This script expands the base known-services policy to include an is_local_orig flag indicating whether the service was discovered from non-local networks (is_local_orig=F) or from local networks (is_local_orig=T).

zeek-log-add-mac-addresses

By reshadp

Add MAC address to all logs.

zeek-log-all-http-headers

By sethhall

Add all HTTP headers and values to the HTTP log.

zeek-long-connections

By corelight

Find and log long-lived connections into a "conn_long" log.

zeek-macho

By corelight

This package provides some basic analysis for Mach-O files.
