Packages

bro-inventory-scripts

By fatemabw

Find different types of OSes and AV software in your network traffic.

bro-ja3

By hosom

Generate and log JA3 SSL fingerprints.

bro-sysmon

By salesforce

Zeek-Sysmon contains a python script that will read in a file, parse JSON Windows Event Logs, generate Zeek events, and forward them to Zeek. Default Zeek-Sysmon scripts log output to files.

gait

By sandialabs

Adds fields to conn and ssl logs useful for fingerprinting and timing analysis.

GQUIC_Protocol_Analyzer

By salesforce

Protocol analyzer that detects, dissects, fingerprints, and logs GQUIC traffic.

hassh

By corelight

HASSH is used to identify specific client and server SSH implementations. The fingerprints can be stored, searched and shared in the form of an MD5 fingerprint. This package logs the components to ssh.log.

ja3

By salesforce

JA3 creates 32 character SSL client fingerprints and logs them as a field in ssl.log. These fingerprints can easily be shared as threat intelligence or used as correlation items for enhanced alerting and analysis. This package also adds JA3 to the Zeek Intel Framework. https://github.com/salesforce/ja3

ja4

By foxio

Official Zeek package for JA4+ network fingerprinting.

ja4

By anthonykasza

An implementation of the JA4 standard in a Zeek package.

kyd

By fatemabw

KYD creates DHCP client hashes and logs the fingerprints and associated device information in a separate log file, 'dhcpfp.log'. Unknown fingerprints can easily be queried against the Fingerbank API using the 'dhcp-unknown.py' script provided in this package; the resulting dhcp-db-extend output file can be appended to the local dhcp-db.bro, and can also be shared with the community using the dhcp-db-FBQ file generated by the python script. https://github.com/fatemabw/kyd

rdfp

By theparanoids

The script creates a new log that records the details used to build the fingerprint, along with some additional information. The fingerprint is created by concatenating fields extracted from different data packets. https://github.com/yahoo/rdfp

smbfp

By micrictor

A package to create a fingerprint of SMB clients.

zeek-asyncrat-detector

By corelight

An AsyncRAT malware detector.

zeek-exfil-detect

By saiiman

This package offers exfiltration detection through statistical analysis methods. For this purpose, all connections are added to a baseline, subdivided by their source IP address and destination port. The baseline is then used to perform statistical anomaly detection, and anomalies in the baseline are treated as data exfiltration. The severity of the anomaly is recorded as a score between 0 and 1.

zeek-parser-DHCPv6-COM

By nttcom

TODO: A more detailed description of zeek-parser-DHCPV6. It can span multiple lines, with this indentation.

zeek-spicy-stun

By corelight

A Zeek STUN protocol analyzer based on Spicy.
