Packages

smbfp

By micrictor

A package to create a fingerprint of SMB clients

smtp-url-analysis

By initconf

Suite of smtp related policies includes extracting and logging URLs from emails and various smtp anomaly detection heuristics to help flag phishing emails

spicy-runtime

By zeek

Provides the Spicy runtime environment

spicy-tftp

By zeek

A Spicy-based TFTP analyzer

spl-spt

By micrictor

A package that creates a log for sequences of packet lengths and times, allowing for new analytics based on these data features.

ssn-exposure

By sethhall

Detect US Social Security numbers in HTTP and SMTP.

tcprs

By jswaro

TCP Retransmission and State Analyzer plugin for Bro.

top-dns

By corelight

Log the top DNS queries being requested.

uap-bro

By vitalyrepin

User Agent Parser - Bro implementation based on uap-core

unknown-mime-type-discovery

By sethhall

Help Zeek by finding unidentified file types.

venom

By dopheide

Attempts to detect an attacker calling to the VENOM Linux Rootkit https://security.web.cern.ch/security/venom.shtml

vnc-scanner

By initconf

Simple policy to detect VNC (RFB) scanners based on src->dst connection counts

zeek-af_packet-plugin

By j-gras

This plugin provides native AF_Packet support for Zeek.

zeek-bogon

By captainGeech42

Label bogon IPs in conn.log

zeek-community-id

By corelight

"Community ID" flow hash support in conn.log

zeek-cryptomining

By jsiwek

Detects Bitcoin, Litecoin, or other cryptocurrency mining traffic that uses getwork, getblocktemplate, or Stratum mining protocols over TCP or HTTP. This package used to be named "bro_bitcoin".

zeek-elf

By corelight

This package provides some basic analysis for ELF files.

zeek-EternalSafety

By lexibrent

EternalSafety is a Zeek/Bro package for detecting potentially-dangerous SMBv1 protocol violations that encapsulate bugs exploited by the infamous Eternal* family of Windows exploits. It is capable of detecting EternalBlue, EternalSynergy/EternalRomance, EternalChampion, and the DoublePulsar backdoor. However, rather than identifying these exploits via simple signature-matching, *EternalSafety* instead implements a set of SMBv1 protocol invariants that encapsulate techniques used by each Eternal* exploit to trigger bugs in unpatched Windows systems. EternalSafety accurately and reliably identifies the EternalBlue, EternalSynergy and EternalRomance exploits, and the DoublePulsar backdoor implant. Due to limitations in Zeek's SMBv1 support, it has limited support for detecting EternalChampion via signature-matching. EternalSafety also identifies a range of other protocol violations, such as the use of unimplemented/unused SMBv1 commands, server-initiated changes in values that may only be set by an SMBv1 client, and incorrect interleaving of transaction types.

Page 6 of 8, showing 20 record(s) out of 154 total