By j-gras

This plugin provides native AF_Packet support for Zeek.


By captainGeech42

Label bogon IPs in conn.log


By corelight

"Community ID" flow hash support in conn.log


By jsiwek

Detects Bitcoin, Litecoin, or other cryptocurrency mining traffic that uses getwork, getblocktemplate, or Stratum mining protocols over TCP or HTTP. This package used to be named "bro_bitcoin".


By corelight

This package provides some basic analysis for ELF files.


By lexibrent

EternalSafety is a Zeek/Bro package for detecting potentially-dangerous SMBv1 protocol violations that encapsulate bugs exploited by the infamous Eternal* family of Windows exploits. It is capable of detecting EternalBlue, EternalSynergy/EternalRomance, EternalChampion, and the DoublePulsar backdoor. However, rather than identifying these exploits via simple signature-matching, *EternalSafety* instead implements a set of SMBv1 protocol invariants that encapsulate techniques used by each Eternal* exploit to trigger bugs in unpatched Windows systems. EternalSafety accurately and reliably identifies the EternalBlue, EternalSynergy and EternalRomance exploits, and the DoublePulsar backdoor implant. Due to limitations in Zeek's SMBv1 support, it has limited support for detecting EternalChampion via signature-matching. EternalSafety also identifies a range of other protocol violations, such as the use of unimplemented/unused SMBv1 commands, server-initiated changes in values that may only be set by an SMBv1 client, and incorrect interleaving of transaction types.


By esnet

Prometheus exporter for Zeek performance data


By precurse

Checks for HTTP anomalies typically used for attacking.


By captainGeech42

Extend Intel framework to alert on URL paths


By justinazoff

A broctl plugin that enables jemalloc profiling


By corelight

This package provides some basic analysis for JPEG files.


By seisollc

A Bro log writer plugin that sends logging output to Kafka.


By dopheide

This script expands the base known-hosts policy to include reverse DNS queries and syncs it across all workers.


By dopheide

This script provides the ability to monitor and throw notices for outbound connections to a list of watched countries. It also adds orig and resp country codes to conn.log. It depends on having libmaxmind configured for GeoIP lookups.


By sethhall

Add all HTTP headers and values to the HTTP log.


By corelight

Find and log long-lived connections into a "conn_long" log.


By corelight

This package provides some basic analysis for Mach-o files.

Page 7 of 9, showing 20 record(s) out of 168 total