Packages

CVE-2022-3602

By corelight

CVE-2022-3602 exploit detection

detect-kaspersky

By initconf

kaspersky

detect-ransomware-filenames

By corelight

Watch SMB transactions for files whose filename matches patterns known to be used by ransomware

dns_axfr

By srozb

Find and notice DNS zone transfer attempts.

dns-tunnels

By hhzzk

Detect DNS tunneling attacks.

domain-tld

By sethhall

A library for getting the "effective tld" of a domain name.

dovehawk

By dovehawk

MISP+Zeek. Dovehawk is a Zeek Module to import MISP indicators to the Intel Framework and Signature Framework automatically. Reports sightings directly back to MISP as they happen. Supports Zeek Clusters.

dovehawk_dns

By dovehawk

Dovehawk.io Passive DNS Capture Module.

dovehawk_flow

By dovehawk

Dovehawk Anonymized Outbound Flow Tracking

dportmatch

By mvlnetdev

Zeek package to add a destination port to the meta fields in Zeek. It creates a notice when both the intel item and the destination port match. This adds a feature that can be used to reduce false positives.

dummy-connections

By hosom

Create dummy connection records.

emojifier

By emojifier

Set your logs on fire with Emojifier!

ExtendIntel

By corelight

A Zeek package to extend logging for Intel

file-extraction

By hosom

Extract files from network traffic with Zeek.

find_smbv1

By klehigh

Find SMBv1 activity.

flow_labels

By bricata

Provides mechanisms for managing and using institutional knowledge about a monitored environment to make informed observations of normal and abnormal network activity.

ftp-bruteforce

By initconf

ftp-bruteforce

gait

By sandialabs

Adds fields to conn and ssl logs useful for fingerprinting and timing analysis.

geoip-conn

By brimsec

Adds additional fields to the conn.log for the data obtained via Zeek's GeoLocation feature (https://docs.zeek.org/en/current/frameworks/geoip.html).

Page 4 of 13, showing 20 record(s) out of 253 total