Packages

bro-community-id

By corelight

"Community ID" flow hash support in conn.log

bro-drwatson

By corelight

Discover and log information found in Microsoft DrWatson messages.

bro-hardware

By corelight

Scripts for cases where hardware device identifiers are discovered.

bro-long-connections

By corelight

Find and log long-lived connections into a "conn_long" log.

bro-quic

By corelight

Detects the Google QUIC (GQUIC) protocol and adds "gquic" to conn.log's "service" field.

bro-shellshock

By corelight

Discover successful ShellShock attacks.

bro-xor-exe-plugin

By corelight

A plugin to find Windows executables that have been XOR encoded.

conn-burst

By corelight

Identify bursty connections (large and fast).

GQUIC_Protocol_Analyzer

By salesforce

Protocol analyzer that detects, dissects, fingerprints, and logs GQUIC traffic

http-stalling-detector

By corelight

Detect HTTP stalling attacks like slowloris.

ja3

By salesforce

JA3 creates 32 character SSL client fingerprints and logs them as a field in ssl.log. These fingerprints can easily be shared as threat intelligence or used as correlation items for enhanced alerting and analysis. This package also adds JA3 to the Bro Intel Framework. https://github.com/salesforce/ja3

json-streaming-logs

By corelight

JSON streaming logs

log-add-http-post-bodies

By corelight

Add a POST body excerpt into the HTTP log

log-add-vlan-everywhere

By corelight

Add VLAN to all Bro logs.

osquery-framework

By zeek

Osquery script framework for communicating with osquery endpoints

top-dns

By corelight

Log the top DNS queries being requested.
