Provides mechanisms for managing and using institutional knowledge about a monitored environment to make informed observations of normal and abnormal network activity.
Adds additional fields to the conn.log for the data obtained via Zeek's GeoLocation feature (https://docs.zeek.org/en/current/frameworks/geoip.html).
Protocol analyzer that detects, dissects, fingerprints, and logs GQUIC traffic
HASSH is used to identify specific Client and Server SSH implementations. The fingerprints can be stored, searched and shared in the form of an MD5 fingerprint. This package logs components to ssh.log
A Zeek script using Input Framework to get icann_tld, icann_domain, icann_host_subdomain, and is_trusted_domain from a DNS query. The field icann_host_subdomain contains the remaining query nodes after the domain is removed. The is_trusted_domain is populated from a separate Input Framework set.
BACnet plugin for parsing and logging of the BACnet (building automation and control) protocol - CISA ICSNPP
BSAP over IP plugin for parsing and logging of the BSAP protocol - CISA ICSNPP
BSAP for Serial->Ethernet plugin for parsing and logging of the BSAP protocol - CISA ICSNPP
Ethernet/IP and CIP plugin for parsing and logging of the Ethernet/IP and CIP protocols - CISA ICSNPP