Packages

GQUIC_Protocol_Analyzer

By salesforce

Protocol analyzer that detects, dissects, fingerprints, and logs GQUIC traffic

http-stalling-detector

By corelight

Detect HTTP stalling attacks like slowloris.

icannTLD

By corelight

A Zeek script that uses the Input Framework to derive icann_tld, icann_domain, icann_host_subdomain, and is_trusted_domain from a DNS query. The field icann_host_subdomain contains the remaining query labels after the domain is removed; is_trusted_domain is populated from a separate Input Framework set.
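The split the package performs depends on public-suffix rules, not on counting labels: "example.co.uk" is a registrable domain while "co.uk" is not. The following is an added example, not the icannTLD package's own code, that applies a constructed subset of Public Suffix List rules (plain, wildcard "*.ck" and exception "!www.ck" rules) and a constructed trusted-domain set to produce the four fields named above; the real package loads both through the Zeek Input Framework.

```python
"""Split a DNS query name into public suffix, registrable domain and host part.
Added example; not the icannTLD package's code."""

# Constructed subset of public-suffix rules in Public Suffix List syntax.
# The package loads its rules via the Input Framework; this list is only for the demo.
PSL_RULES = ["com", "net", "org", "uk", "co.uk", "ac.uk", "*.ck", "!www.ck"]

# Constructed trusted-domain set (the package fills it from a separate Input Framework set).
TRUSTED_DOMAINS = {"example.com", "example.co.uk"}


def _matches(rule_labels, name_labels):
    """A rule matches when it is no longer than the name and every label agrees
    from the right, with '*' matching any single label."""
    if len(rule_labels) > len(name_labels):
        return False
    tail = name_labels[-len(rule_labels):]
    return all(r == "*" or r == n for r, n in zip(rule_labels, tail))


def split_query(query, rules=PSL_RULES, trusted=TRUSTED_DOMAINS):
    """Return the icannTLD-style fields for one DNS query name."""
    labels = query.rstrip(".").lower().split(".")
    best = None          # longest matching normal/wildcard rule
    exception = None     # matching exception rule, which wins outright
    for rule in rules:
        rule_labels = rule.lstrip("!").split(".")
        if not _matches(rule_labels, labels):
            continue
        if rule.startswith("!"):
            exception = rule_labels
        elif best is None or len(rule_labels) > len(best):
            best = rule_labels

    if exception is not None:
        suffix_len = len(exception) - 1   # exception: suffix is the rule minus its first label
    elif best is not None:
        suffix_len = len(best)
    else:
        suffix_len = 1                    # PSL default rule "*": unknown TLD is a single label

    if suffix_len >= len(labels):
        # The name is itself a public suffix (e.g. "co.uk") or a bare label: nothing registrable.
        return {"icann_tld": ".".join(labels), "icann_domain": None,
                "icann_host_subdomain": None, "is_trusted_domain": False}

    tld = ".".join(labels[-suffix_len:])
    domain = ".".join(labels[-(suffix_len + 1):])
    subdomain = ".".join(labels[:-(suffix_len + 1)]) or None
    return {"icann_tld": tld, "icann_domain": domain,
            "icann_host_subdomain": subdomain, "is_trusted_domain": domain in trusted}


if __name__ == "__main__":
    # Constructed sample queries, including a look-alike that a label count would mis-classify.
    for q in ["mail.corp.example.co.uk", "www.example.com.", "foo.bar.ck", "www.ck",
              "evil.example.co.uk.attacker.net", "co.uk"]:
        print(q, split_query(q))
```

The look-alike query "evil.example.co.uk.attacker.net" is the case worth keeping in mind when is_trusted_domain drives alerting: the trusted name appears as a subdomain only, the registrable domain is attacker.net, and the flag stays false.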

ja3

By salesforce

JA3 creates 32-character (MD5) SSL/TLS client fingerprints and logs them as a field in ssl.log. These fingerprints can easily be shared as threat intelligence or used as correlation items for enhanced alerting and analysis. This package also adds JA3 to the Zeek Intel Framework. https://github.com/salesforce/ja3
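The fingerprint is the MD5 of a string built from five ClientHello fields (version, cipher suites, extension types, supported groups, EC point formats), each list joined with "-" and the fields with ",", after GREASE values are dropped. The following is an added example, not code from the ja3 package, that parses a constructed ClientHello record and computes that string and hash; the builder, the sample cipher and extension values, and the hostname in the SNI extension are assumptions made for the demo.

```python
"""JA3 client fingerprint from a TLS ClientHello. Added example; not the ja3 package's code."""
import hashlib
import struct

# GREASE values (RFC 8701): 0x0a0a, 0x1a1a, ..., 0xfafa. JA3 drops them from the cipher,
# extension and group lists so a client's randomised GREASE does not change its hash.
GREASE = {0x0A0A + 0x1010 * i for i in range(16)}


def build_client_hello(version, ciphers, extensions):
    """Assemble a TLS record carrying a ClientHello (constructed test input).
    extensions is a list of (type, raw_data) pairs in wire order."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"       # version, random, empty session id
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                                           # one compression method: null
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def ja3_from_client_hello(record):
    """Return (ja3_string, ja3_md5) for a TLS record holding a ClientHello."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]

    pos = 0
    version = struct.unpack("!H", hello[pos:pos + 2])[0]          # JA3 uses the handshake version
    pos += 2
    pos += 32                                                     # client random
    pos += 1 + hello[pos]                                         # session id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    ciphers = [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + hello[pos]                                         # compression methods

    exts, groups, formats = [], [], []
    if pos + 2 <= len(hello):                                     # extensions block is optional
        ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            data = hello[pos:pos + elen]
            pos += elen
            exts.append(etype)
            if etype == 10:                                       # supported_groups
                n = struct.unpack("!H", data[:2])[0]
                groups = [struct.unpack("!H", data[i:i + 2])[0] for i in range(2, 2 + n, 2)]
            elif etype == 11:                                     # ec_point_formats
                formats = list(data[1:1 + data[0]])

    def join(values):
        return "-".join(str(v) for v in values if v not in GREASE)

    ja3 = ",".join([str(version), join(ciphers), join(exts), join(groups), join(formats)])
    return ja3, hashlib.md5(ja3.encode()).hexdigest()


def sample_client_hello():
    """Constructed ClientHello with GREASE in the cipher, extension and group lists."""
    groups = [0x1A1A, 0x001D, 0x0017, 0x0018]                    # GREASE, x25519, secp256r1, secp384r1
    supported_groups = struct.pack("!H", 2 * len(groups)) + b"".join(struct.pack("!H", g) for g in groups)
    ec_point_formats = b"\x01\x00"                                # one format: uncompressed
    server_name = b"\x00\x0e\x00\x00\x0b" + b"example.com"        # assumed hostname; not part of JA3
    sig_algs = b"\x00\x04\x04\x03\x08\x04"
    ciphers = [0x2A2A, 0x1301, 0x1302, 0xC02B, 0xC02F]           # GREASE first, then real suites
    extensions = [(0x0A0A, b""), (0, server_name), (10, supported_groups),
                  (11, ec_point_formats), (13, sig_algs)]
    return build_client_hello(0x0303, ciphers, extensions)


if __name__ == "__main__":
    print(ja3_from_client_hello(sample_client_hello()))
```

Because the hash covers list order as well as content, two clients offering the same suites in a different order get different fingerprints; that is what makes JA3 useful for matching a specific TLS stack and why the GREASE filter matters, since Chrome-style clients randomise those values per connection.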

json-streaming-logs

By corelight

JSON streaming logs

log-add-http-post-bodies

By corelight

Add a POST body excerpt into the HTTP log

log-add-vlan-everywhere

By corelight

Add VLAN to all logs.

my_stats

By corelight

This package dumps stats for troubleshooting.

osquery-framework

By zeek

Osquery script framework for communicating with osquery endpoints

pingback

By corelight

A Zeek package which detects ICMP ping tunnels created by the Pingback tool

spl-spt

By micrictor

A package that creates a log for sequences of packet lengths and times, allowing for new analytics based on these data features.

top-dns

By corelight

Log the top DNS queries being requested.

zeek-community-id

By corelight

"Community ID" flow hash support in conn.log

zeek-elf

By corelight

This package provides some basic analysis for ELF files.

zeek-globload

By corelight

This plugin adds support for shell-style glob patterns when loading Zeek scripts. For example, saying "@load startup.d/*.zeek" will load any Zeek scripts with a .zeek suffix from the startup.d folder.

zeek-jpeg

By corelight

This package provides some basic analysis for JPEG files.

zeek-long-connections

By corelight

Find and log long-lived connections into a "conn_long" log.

zeek-macho

By corelight

This package provides some basic analysis for Mach-O files.

zeek-notice-telegram

By corelight

Package that extends the Notice Framework to include `ACTION_TELEGRAM` for sending messages on notices over Telegram.

Page 2 of 3, showing 20 record(s) out of 52 total