Packages

flow_labels

By bricata

Provides mechanisms for managing and using institutional knowledge about a monitored environment to make informed observations of normal and abnormal network activity.

ftp-bruteforce

By initconf

ftp-bruteforce

geoip-conn

By brimsec

Adds additional fields to the conn.log for the data obtained via Zeek's GeoLocation feature (https://docs.zeek.org/en/current/frameworks/geoip.html).

got_zoom

By corelight

Detect Zoom traffic

GQUIC_Protocol_Analyzer

By salesforce

Protocol analyzer that detects, dissects, fingerprints, and logs GQUIC traffic

hassh

By salesforce

HASSH is used to identify specific Client and Server SSH implementations. The fingerprints can be stored, searched and shared in the form of an MD5 fingerprint. This package logs components to ssh.log

http_csp

By srozb

HTTP Content-Security-Policy report parser

http-stalling-detector

By corelight

Detect HTTP stalling attacks like slowloris.

icannTLD

By corelight

A Zeek script using Input Framework to get icann_tld, icann_domain, icann_host_subdomain, and is_trusted_domain from a DNS query. The field icann_host_subdomain contains the remaining query nodes after the domain is removed. The is_trusted_domain is populated from a separate Input Framework set.

icap

By mitre

Internet Content Adaptation Protocol (ICAP) Analyzer for Bro and Zeek.

indicator-rules

By anthonykasza

An extension to the Intel Framework. This package faciliates the creation of rules which Zeek can monitor for.

intel-expire

By j-gras

Per item expiration for Zeek's intelligence framework.

intel-extensions

By j-gras

Extensions for Bro's intelligence framework.

intel-limiter

By j-gras

Limiter for Zeek's intelligence framework.

intel-seen-more

By j-gras

Additional seen-triggers for Bro's intelligence framework.

IRC-Zeek-package

By stratosphereips

Zeek Package that extracts features of IRC communication

ja3

By salesforce

JA3 creates 32 character SSL client fingerprints and logs them as a field in ssl.log. These fingerprints can easily be shared as threat intelligence or used as correlation items for enhanced alerting and analysis. This package also adds JA3 to the Zeek Intel Framework. https://github.com/salesforce/ja3

Joe-Sandbox-Bro

By joesecurity

JoeSandbox-Bro extracts files from your internet connection and analyzes them automatically on Joe Sandbox. Combined with Joe Sandbox's reporting and alerting features you can build a powerful IDS.

json-streaming-logs

By corelight

JSON streaming logs

kyd

By fatemabw

KYD creates DHCP client hashes and logs the fingerprints and associated device information in a separate log file 'dhcpfp.log. The Unknown fingerprints can easily be queried to the Fingerbanks API using the 'dhcp-unknown.py' script provided in this package, resulting dhcp-db-extend output file can be appended to the local dhcp-db.bro, and also can be shared with the community using dhcp-db-FBQ file generated by the python script. https://github.com/fatemabw/kyd

Page 4 of 7, showing 20 record(s) out of 138 total