aggregate.meta

[0xl3x1/zeek-EternalSafety]
description = EternalSafety is a Zeek package for detecting potentially-dangerous SMBv1 protocol violations that encapsulate bugs exploited by the infamous Eternal* family of Windows exploits. It is capable of detecting EternalBlue, EternalSynergy/EternalRomance, EternalChampion, and the DoublePulsar backdoor. However, rather than identifying these exploits via simple signature-matching, *EternalSafety* instead implements a set of SMBv1 protocol invariants that encapsulate techniques used by each Eternal* exploit to trigger bugs in unpatched Windows systems. EternalSafety accurately and reliably identifies the EternalBlue, EternalSynergy and EternalRomance exploits, and the DoublePulsar backdoor implant. Due to limitations in Zeek's SMBv1 support, it has limited support for detecting EternalChampion via signature-matching. EternalSafety also identifies a range of other protocol violations, such as the use of unimplemented/unused SMBv1 commands, server-initiated changes in values that may only be set by an SMBv1 client, and incorrect interleaving of transaction types.
script_dir = scripts
tags = SMB, Windows, attack, notice, Eternal, SMBv1, EternalBlue
test_command = cd tests && make test
version = master
url = https://github.com/0xl3x1/zeek-EternalSafety

[0xxon/cve-2020-0601]
depends = 
	zkg >=2.0
	zeek >=4.0.0
description = "Test script for CVE-2020-0601. Please read Readme."
script_dir = scripts
test_command = cd testing && btest -d
url = https://github.com/0xxon/cve-2020-0601
version = v0.4

[0xxon/cve-2020-0601-plugin]
build_command = ( ./configure && make )
description = "Test script for CVE-2020-0601. Binary package, requires OpenSSL 1.1.x"
script_dir = scripts
test_command = cd testing && btest -d
url = https://github.com/0xxon/cve-2020-0601-plugin
version = master

[0xxon/cve-2020-13777]
depends = 
	zkg >=2.0
	zeek >=4.0.0
description = "Test script for CVE-2020-13777. Please read Readme."
script_dir = scripts
test_command = cd testing && btest -d
url = https://github.com/0xxon/cve-2020-13777
version = main

[0xxon/zeek-network-statistics]
description = Perform regular network measurements and report results.
script_dir = scripts
tags = topk, sumstats
test_command = cd tests && make
version = main
url = https://github.com/0xxon/zeek-network-statistics

[0xxon/zeek-os-package-tracking]
url = https://github.com/0xxon/zeek-os-package-tracking
version = main

[0xxon/zeek-plugin-roca]
build_command = ( ./configure --bro-dist=%(bro_dist)s && make )
description = Identify certificates potentially affected by CVE-2017-15361
plugin_dir = build/Johanna_ROCA.tgz
tags = certificates, CVE-2017-15361
test_command = cd tests && btest -d
url = https://github.com/0xxon/zeek-plugin-roca
version = 0.0.1

[0xxon/zeek-postgresql]
build_command = ( ./configure --with-postgresql-inc=`pg_config --includedir` --with-postgresql-server-inc=`pg_config --includedir-server` --with-postgresql-lib=`pg_config --libdir` && make )
description = A PostgreSQL reader and writer for Zeek.
plugin_dir = build
tags = zeek plugin, PostgreSQL, reader, writer, input
test_command = cd tests && btest -d
version = 0.0.8
url = https://github.com/0xxon/zeek-postgresql

[0xxon/zeek-sumstats-counttable]
description = Two-dimensional buckets for sumstats (count occurences per $str).
tags = sumstats, summary statistics
test_command = cd tests && btest -d
url = https://github.com/0xxon/zeek-sumstats-counttable
version = 0.0.4

[0xxon/zeek-tls-log-alternative]
description = "This package generates a file called tls.log. The difference from ssl.log is that it is much more focused on logging all kinds of protocol features. This can be interesting for academic purposes - or if one is just interested in more information about specific features used in local TLS traffic."
script_dir = scripts
tags = TLS, SSL, X509, Certificates, PKI
test_command = cd tests && make
version = main
url = https://github.com/0xxon/zeek-tls-log-alternative

[AmazingPP/zeek-capwap]
build_command = ./configure && cd build && make
depends = 
	zkg >=2.0
	zeek >=4.2.0
script_dir = plugin/scripts
summary = A Zeek CAPWAP packet analyzer
tags = capwap, zeek, packet analyzer
test_command = cd testing && btest -c btest.cfg -D
url = https://github.com/AmazingPP/zeek-capwap
version = v0.1.0

[activecm/bro-mongodb.git]
build_command = (./configure --bro-dist=%(bro_dist)s && make)
description = Bro IDS/ MongoDB connector.
tags = bro plugin, MongoDB, writer, security, conn, logging, rita
version = master
url = https://github.com/activecm/bro-mongodb.git

[activecm/bro-rita.git]
build_command = (./configure --bro-dist=%(bro_dist)s && make)
description = RITA, Bro IDS connector.
tags = bro plugin, MongoDB, writer, security, conn, logging, rita
version = master
url = https://github.com/activecm/bro-rita.git

[activecm/zeek-open-connections]
aliases = zeek-open-connections bro-open-connections
depends = zkg >=2.0.7
description = Find and log open, long-lived connections into "open_conn", "open_ssl", and "open_http" logs.
script_dir = scripts
tags = conn
version = v1.2.1
url = https://github.com/activecm/zeek-open-connections

[amarokinc/bad-asn]
credits = Michael Portera @mportatoes, Hudson Carr
description = Adds ASN reputation data of external IP addresses to notice.log if the ASN crosses a predetermined threshold as defined by circl.lu
script_dir = zeek
tags = asn, geoip, conn, remote
version = master
url = https://github.com/amarokinc/bad-asn

[amarokinc/remote_asn_geoip_conn]
credits = Michael Portera @mportatoes
description = Adds ASN and GeoIP data directly to conn.log for the REMOTE connection. The script checks the orig and resp host fields to determine which one is not defined as part of the local IP ranges and subsequently performs a lookup on the MaxMind ASN and GeoIP databases.
script_dir = zeek
tags = asn, geoip, conn, remote
version = master
url = https://github.com/amarokinc/remote_asn_geoip_conn

[amzn/zeek-plugin-bacnet]
build_command = ./configure && make
depends = 
	zkg >=2.0
	zeek >=3.0.0
description = Plugin that enables parsing of the BACnet standard building controls protocol
script_dir = scripts/BACnet
tags = zeek plugin, protocol analyzer, log writer, ics, bacnet
url = https://github.com/amzn/zeek-plugin-bacnet
version = 1.0.0

[amzn/zeek-plugin-enip]
build_command = ./configure && make
depends = 
	zkg >=2.0
	zeek >=3.0.0
description = Plugin that enables parsing of the Ethernet/IP and Common Industrial Protocol standards
script_dir = scripts/ENIP
tags = zeek plugin, protocol analyzer, log writer, ics, enip, cip
url = https://github.com/amzn/zeek-plugin-enip
version = 1.1.0

[amzn/zeek-plugin-profinet]
build_command = ./configure && make
depends = 
	zkg >=2.0
	zeek >=3.0.0
description = Plugin that enables parsing of the Profinet protocol
script_dir = scripts/PROFINET
tags = zeek plugin, protocol analyzer, log writer, ics, profinet
url = https://github.com/amzn/zeek-plugin-profinet
version = 1.1.0

[amzn/zeek-plugin-s7comm]
build_command = ./configure && make
depends = 
	zkg >=2.0
	zeek >=3.0.0
description = Plugin that enables parsing of the S7 protocol
script_dir = scripts/S7comm
tags = zeek plugin, protocol analyzer, log writer, ics, s7
url = https://github.com/amzn/zeek-plugin-s7comm
version = 1.0.0

[amzn/zeek-plugin-tds]
build_command = ./configure && make
depends = 
	zkg >=2.0
	zeek >=3.0.0
description = Plugin that enables parsing of the Tabular Data Stream (TDS) protocol
script_dir = scripts/TDS
tags = zeek plugin, protocol analyzer, log writer, tds
url = https://github.com/amzn/zeek-plugin-tds
version = 1.1.0

[anthonykasza/common-encodings]
description = A Zeek package which provides common encodings and operations.
script_dir = scripts
tags = rc4, base64, bitshift, encoding, xor
version = 1.0.1
url = https://github.com/anthonykasza/common-encodings

[anthonykasza/indicator-rules]
depemds = 
	bro >= 2.6
description = An extension to the Intel Framework. This package faciliates the creation of rules which Zeek can monitor for.
script_dir = scripts
tags = intel, signature, indicators, pure-script
version = master
url = https://github.com/anthonykasza/indicator-rules

[anthonykasza/ja4]
config_files = scripts/config.zeek
depends = 
	zeek >=5.0.0
description = An implementation of the JA4 standard in a Zeek package.
script_dir = scripts
tags = ja4, tls, ssl, fingerprint, clienthello, handshake, encryption
test_command = cd testing && btest -c btest.cfg
version = main
url = https://github.com/anthonykasza/ja4

[anthonykasza/ssl-extensions]
depends = 
	zeek >=6.1.0
description = A proof-of-concept demonstrating scriptland parsing and event routing for all SSL extensions
script_dir = scripts
tags = tls, ssl, experimental
test_command = cd testing && btest -c btest.cfg
version = main
url = https://github.com/anthonykasza/ssl-extensions

[apache/metron-bro-plugin-kafka]
build_command = ./configure --bro-dist=%(bro_dist)s --with-librdkafka=%(LIBRDKAFKA_ROOT)s && make
depends = 
	bro >=2.5.0
	bro-pkg >=1.2
description = A Bro log writer plugin that sends logging output to Kafka.
external_depends = 
	librdkafka ~0.11.5
plugin_dir = build
script_dir = build/scripts/Apache/Kafka
tags = log writer, bro plugin, kafka
test_command = ( cd tests && btest -d )
user_vars = 
	LIBRDKAFKA_ROOT [/usr/local/lib] "Path to librdkafka installation tree"
version = 0.3
url = https://github.com/apache/metron-bro-plugin-kafka

[awelzel/zeek-conn-footprint]
description = Regularly log footprints of long running connections.
script_dir = ./scripts
tags = debugging, footprint, connection, memory
url = https://github.com/awelzel/zeek-conn-footprint
version = v0.2.1

[awelzel/zeekjs-misp]
depends = 
	zeekjs >=0.9.0
script_dir = ./scripts
url = https://github.com/awelzel/zeekjs-misp
version = main

[bricata/flow_labels]
description = Provides mechanisms for managing and using institutional knowledge about a monitored environment to make informed observations of normal and abnormal network activity.
tags = input, labels
url = https://github.com/bricata/flow_labels
version = master

[brimsec/geoip-conn]
description = Adds additional fields to the conn.log for the data obtained via Zeek's GeoLocation feature (https://docs.zeek.org/en/current/frameworks/geoip.html).
script_dir = zeek
tags = conn, geolocation, logging
version = main
url = https://github.com/brimsec/geoip-conn

[captainGeech42/zeek-bogon]
author = Zander Work (@captainGeech42)
description = Label bogon IPs in conn.log
script_dir = scripts/
tags = bogon, conn
test_command = (cd tests && btest -d)
url = https://github.com/captainGeech42/zeek-bogon
version = v1.0.1

[captainGeech42/zeek-intel-path]
author = Zander Work (@captainGeech42)
description = Extend Intel framework to alert on URL paths
script_dir = scripts/
tags = http, intel, path, url-path, uri
test_command = (cd tests && btest -d)
url = https://github.com/captainGeech42/zeek-intel-path
version = main

[chrisanag1985/suppress-ssl-notices]
credits = Christos Anagnostopoulos
description = A Module that tries to minimize the noise from the SSL::Invalid_Server_Cert notices.
script_dir = scripts
tags = notices, ssl
version = v0.1.1
url = https://github.com/chrisanag1985/suppress-ssl-notices

[cisagov/ACID]
credits = Jake Steele <jsteele@mitre.org>, Jack Cyprus <jcyprus@mitre.org>, Otis Alexander <oalexander@mitre.org>
depends = 
	zeek >=4.0.0
	http://github.com/cisagov/icsnpp-bacnet *
	http://github.com/cisagov/icsnpp-enip *
	http://github.com/cisagov/icsnpp-s7comm *
description = ATT&CK-based Control-system Indicator Detection (ACID) is a collection of Zeek scripts designed to detect
	ATT&CK for ICS behaviors on OT protocols. These events are reported through the Zeek Notice framework.
script_dir = scripts
summary = ACID is a collection of OT protocol indicator scripts focused on ATT&CK for ICS behaviors.
tags = ics, OT, attack, ATT&CK, mitre, cisa, OT protocol, detection, notices, input, logging, CIP, S7comm, bacnet, icsnpp
url = https://github.com/cisagov/ACID
version = main

[cisagov/icsnpp-bacnet]
build_command = ./configure && make
build_dir = build/ICSNPP_Bacnet.tgz
credits = Stephen Kleinheider <stephen.kleinheider@inl.gov>
depends = 
	zkg >=2.0
	zeek >=4.0.0
description = BACnet plugin for parsing and logging of the BACnet (building automation and control) protocol - CISA ICSNPP
script_dir = build/scripts/icsnpp/bacnet
tags = bacnet, BACnet, ics, ICS, CISA, INL, ICSNPP, icsnpp, zeek plugin, log writer, protocol analyzer
test_command = cd tests && btest -c btest.cfg
url = https://github.com/cisagov/icsnpp-bacnet
version = main

[cisagov/icsnpp-bsap]
build_command = ./configure && make
build_dir = build/ICSNPP_Bsap.tgz
credits = Devin Vollmer <devin.vollmer@inl.gov>
depends = 
	zkg >=2.0
	zeek >=4.0.0
description = BSAP over IP plugin for parsing and logging of the BSAP protocol - CISA ICSNPP
script_dir = build/scripts/icsnpp/bsap
tags = bsap, BSAP, ics, ICS, CISA, INL, ICSNPP, icsnpp, zeek plugin, log writer, protocol analyzer
test_command = cd tests && btest -c btest.cfg
url = https://github.com/cisagov/icsnpp-bsap
version = main

[cisagov/icsnpp-dnp3]
credits = Stephen Kleinheider <stephen.kleinheider@inl.gov>
depends = 
	zkg >=2.0
	zeek >=3.0.0
description = DNP3 script for detailed logging of the DNP3 protocol - CISA ICSNPP
script_dir = scripts
tags = dnp3, DNP3, ics, ICS, CISA, INL, ICSNPP, icsnpp, zeek scripting, log writer, protocol analyzer
test_command = cd tests && btest -c btest.cfg
url = https://github.com/cisagov/icsnpp-dnp3
version = main

[cisagov/icsnpp-enip]
build_command = ./configure && make
build_dir = build/ICSNPP_Enip.tgz
credits = Stephen Kleinheider <stephen.kleinheider@inl.gov>
depends = 
	zkg >=2.0
	zeek >=4.0.0
description = Ethernet/IP and CIP plugin for parsing and logging of the Ethernet/IP and CIP protocols - CISA ICSNPP
script_dir = build/scripts/icsnpp/enip
tags = enip, ENIP, cip, CIP, ics, ICS, CISA, INL, ICSNPP, icsnpp, zeek plugin, log writer, protocol analyzer
test_command = cd tests && btest -c btest.cfg
url = https://github.com/cisagov/icsnpp-enip
version = main

[cisagov/icsnpp-ethercat]
build_command = ./configure && make
build_dir = build/ICSNPP_Ethercat.tgz
credits = Devin Vollmer <devin.vollmer@inl.gov>
depends = 
	zkg >=2.0
	zeek >=4.0.0
description = Ethercat plugin for parsing and logging of the Ethercat protocol - CISA ICSNPP
script_dir = build/scripts/icsnpp/ethercat
tags = ecat, ECAT, ethercat, Ethercat, ics, ICS, CISA, INL, ICSNPP, icsnpp, zeek plugin, log writer, packet analyzer
test_command = cd tests && btest -c btest.cfg
url = https://github.com/cisagov/icsnpp-ethercat
version = main

[cisagov/icsnpp-ge-srtp.git]
build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build .
depends = 
	zeek >=6.0.0
description = GE-SRTP is a proprietary protocol used for communication between a GE PLC and a GE HMI.
	The GE-SRTP protocol parser is based off of the research paper that can be accessed at https://digitalcommons.newhaven.edu/electricalcomputerengineering-facpubs/70/
	Like Modbus, the GE-SRTP protocol can read both discrete and analog inputs.
script_dir = scripts
summary = GE_-SRTP is a proprietary protocol used for communication between a GE PLC and a GE HMI.
test_command = cd testing && btest -c btest.cfg
url = https://github.com/cisagov/icsnpp-ge-srtp.git
version = develop

[cisagov/icsnpp-genisys]
build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build .
credits = Seth Grover <seth.grover@inl.gov>
description = Genisys is a protocol defined by Union Switch & Signal for communicating with
	SCADA field devices, commonly used in the railway industry.
	It is similar in purpose to Modbus. Genisys was designed for use over serial
	connections, but is commonly transported over TCP as well.
	The protocol enables one client to communicate with one or more server devices
	over the same connection.  The servers are identified by a one-octet server address.
	"Genisys" is a trademark of Union Switch & Signal.
plugin_dir = build/spicy-modules
script_dir = analyzer
summary = Genisys is a protocol defined by Union Switch & Signal for communicating with SCADA field devices, commonly used in the railway industry.
tags = genisys, railway, SCADA, ICS, CISA, INL, ICSNPP, icsnpp, zeek plugin, log writer, protocol analyzer
test_command = cd tests && PATH=$(zkg config plugin_dir)/packages/spicy-plugin/bin:$PATH btest -d -j $(nproc)
url = https://github.com/cisagov/icsnpp-genisys
version = main

[cisagov/icsnpp-modbus]
credits = Brett Rasmussen <brett.rasmussen@inl.gov> & Stephen Kleinheider <stephen.kleinheider@inl.gov>
depends = 
	zkg >=2.10
	zeek >=4.2.0
description = Modbus script for detailed logging of the Modbus protocol - CISA ICSNPP
script_dir = scripts
tags = modbus, Modbus, ics, ICS, CISA, INL, ICSNPP, icsnpp, zeek scripting, log writer, protocol analyzer
test_command = cd tests && btest -c btest.cfg
url = https://github.com/cisagov/icsnpp-modbus
version = main

[cisagov/icsnpp-opcua-binary]
build_command = ./configure && make
build_dir = build/ICSNPP_OPCUA_Binary.tgz
credits = Kent Kvarfordt <kent.kvarfordt@inl.gov>
depends = 
	zkg >=2.0
	zeek >=5.2.0
description = OPC Unified Architecture Binary plugin for parsing and logging of the OPC UA Binary protocol - CISA ICSNPP
script_dir = build/scripts/icsnpp/opcua-binary
tags = opcua, opcua_binary, opc, ICS, CISA, INL, ICSNPP, icsnpp, zeek plugin, log writer, protocol analyzer
test_command = cd tests && btest -c btest.cfg
url = https://github.com/cisagov/icsnpp-opcua-binary
version = main

[cisagov/icsnpp-profinet-io-cm]
build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake -DCMAKE_BUILD_TYPE=Debug .. && cmake --build .
credits = Taegan Williams <taegan.williams@inl.gov>
depends = 
	zeek >=6.0.3
description = Profinet I/O Context Manager uses traditional Ethernet hardware and software to define a network that
	structures the task of exchanging data, alarms and diagnostics with programmable controllers
	and other automation controllers
plugin_dir = build/spicy-modules
script_dir = analyzer
summary = Profinet I/O Context Manager (as defined in Profinet Fieldbus Specification IEC 61158-6-10:2019)
tags = profinet, profinet io cm, pn_io, power, SCADA, ICS, CISA, INL, ICSNPP, icsnpp, zeek plugin, log writer, protocol analyzer
test_command = cd testing && btest -c btest.cfg
url = https://github.com/cisagov/icsnpp-profinet-io-cm
version = main

[cisagov/icsnpp-s7comm]
build_command = ./configure && make
build_dir = build/ICSNPP_S7comm.tgz
credits = Stephen Kleinheider <stephen.kleinheider@inl.gov>
depends = 
	zkg >=2.0
	zeek >=4.0.0
description = S7Comm & S7Comm Plus plugin for parsing and logging of the S7Comm, S7Comm Plus and COTP protocols - CISA ICSNPP
script_dir = build/scripts/icsnpp/s7comm
tags = s7comm, s7comm-plus, s7plus, S7comm, S7Comm, S7CommPlus, Siemens, siemens, s7, S7, cotp, COTP, iso_cotp, ISO_COTP, ics, ICS, CISA, INL, ICSNPP, icsnpp, zeek plugin, log writer, protocol analyzer
test_command = cd tests && btest -c btest.cfg
url = https://github.com/cisagov/icsnpp-s7comm
version = main

[cisagov/icsnpp-synchrophasor]
build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build .
credits = Seth Grover <seth.grover@inl.gov>
depends = 
	zeek >=6.0.0
description = Synchrophasor (as defined in C37.118.2-2011 IEEE Standard for Synchrophasor
	Data Transfer for Power Systems) defines a simple and direct method of data
	transmission and accretion within a phasor measurement system.
plugin_dir = build/spicy-modules
script_dir = analyzer
summary = Synchrophasor Data Transfer for Power Systems is a communication protocol for real-time communication between phasor measurement units (PMU), phasor data concentrators (PDC), and other applications
tags = synchrophasor, power, SCADA, ICS, CISA, INL, ICSNPP, icsnpp, zeek plugin, log writer, protocol analyzer
test_command = cd tests && PATH=$(zkg config plugin_dir)/packages/spicy-plugin/bin:$PATH btest -d -j $(nproc)
url = https://github.com/cisagov/icsnpp-synchrophasor
version = main

[corelight/boa-detector]
depends = 
	zeek >=4.0.0
description = A vulnerable Boa web server detector.
script_dir = scripts
summary = A vulnerable Boa web server detector.
test_command = cd testing && btest -c btest.cfg
url = https://github.com/corelight/boa-detector
version = v0.1.0

[corelight/bro-drwatson]
depends = 
	https://github.com/corelight/bro-hardware *
description = Discover and log information discovered in Microsoft DrWatson messages.
script_dir = scripts
tags = drwatson, http, windows
test_command = ( cd tests && btest -d )
url = https://github.com/corelight/bro-drwatson
version = master

[corelight/bro-hardware]
description = Scripts for cases where hardware device identifiers are discovered.
script_dir = scripts
tags = hardware
version = master
url = https://github.com/corelight/bro-hardware

[corelight/bro-shellshock]
description = Discover successful ShellShock attacks.
script_dir = scripts
tags = shellshock, detect, scripts
test_command = ( cd tests && btest -d )
url = https://github.com/corelight/bro-shellshock
version = master

[corelight/callstranger-detector]
description = Detects CallStranger (CVE) Exploitation Attempts
script_dir = scripts
tags = CallStranger, UPnP
version = master
url = https://github.com/corelight/callstranger-detector

[corelight/conn-burst]
description = Identify bursty connections (large and fast)
script_dir = scripts
tags = conn, burst
url = https://github.com/corelight/conn-burst
version = master

[corelight/CVE-2020-16898]
description = A network detection package for CVE-2020-16898 (Windows TCP/IP Remote Code Execution Vulnerability) AKA BadNeighbor
script_dir = scripts
tags = CVE-2020-16898, BadNeighbor
version = master
url = https://github.com/corelight/CVE-2020-16898

[corelight/CVE-2020-5902-F5BigIP]
description = A network detection package for CVE-2020-5902, a CVE10.0 vulnerability affecting F5 Networks, Inc BIG-IP devices.
script_dir = scripts
tags = BIGIP, F5, firewall, RCE, CVE10.0, CVE10, CorelightResponse
version = master
url = https://github.com/corelight/CVE-2020-5902-F5BigIP

[corelight/CVE-2021-38647]
aliases = omigod
description = A Zeek package which detects CVE-2021-38647 (AKA OMIGOD) exploit attempts
script_dir = scripts
tags = HTTP, OMI, WMI, Windows, CVE, CVE-2021-38647, exploit, RCE, RapidResponse
test_command = cd testing && btest -c btest.cfg
version = v0.1.2
url = https://github.com/corelight/CVE-2021-38647

[corelight/CVE-2021-42292]
depends = 
	zeek >=3.0.0
description = A package to detect CVE-2021-42292, a Microsoft Excel priviledge exploit.
script_dir = scripts
summary = A package to detect CVE-2021-42292, a Microsoft Excel priviledge exploit.
test_command = cd testing && btest -c btest.cfg
url = https://github.com/corelight/CVE-2021-42292
version = v0.1.0

[corelight/cve-2021-44228]
description = A Zeek package which raises notices for RCE in Log4J (CVE-2021-44228).
script_dir = scripts
summary = A Zeek package which raises notices for RCE in Log4J (CVE-2021-44228).
tags = HTTP, Apache, CVE, CVE-2021-44228, encoding, rapidresponse, Java, logging
version = v0.7.0
url = https://github.com/corelight/cve-2021-44228

[corelight/cve-2022-21907]
depends = 
	zeek >=3.0.0
description = A package to detect CVE-2022-21907
script_dir = scripts
summary = A package to detect CVE-2022-21907
url = https://github.com/corelight/cve-2022-21907
version = v0.1.3

[corelight/cve-2022-22954]
depends = 
	zeek >=4.0.0
description = Detect CVE-2022-22954 attempts and exploits.
	Also logs what data was returned to the attacker.
script_dir = scripts
summary = Detect CVE-2022-22954 attempts and exploits.
test_command = cd testing && btest -c btest.cfg
url = https://github.com/corelight/cve-2022-22954
version = v0.2.0

[corelight/CVE-2022-23270-PPTP]
depends = 
	zeek >=4.0.0
description = A package to detect CVE-2022-23270.
script_dir = scripts
summary = A package to detect CVE-2022-23270.
test_command = cd testing && btest -c btest.cfg
url = https://github.com/corelight/CVE-2022-23270-PPTP
version = master

[corelight/CVE-2022-24491]
depends = 
	zeek >=4.0.0
description = A CVE-2022-24491 detector.
script_dir = scripts
summary = A CVE-2022-24491 detector.
test_command = cd testing && btest -c btest.cfg
url = https://github.com/corelight/CVE-2022-24491
version = v0.1.3

[corelight/CVE-2022-24497]
depends = 
	zeek >=4.0.0
description = A CVE-2022-24497 detector.
script_dir = scripts
summary = A CVE-2022-24497 detector.
test_command = cd testing && btest -c btest.cfg
url = https://github.com/corelight/CVE-2022-24497
version = v0.1.1

[corelight/cve-2022-26809]
depends = 
	zeek >=4.0.0
description = CVE-2022-26809 is a DCE/RPC RCE exploit.
	This package detects both attempts and successful exploits.
script_dir = scripts
summary = Detects attempts and exploits of CVE-2022-26809
test_command = cd testing && btest -c btest.cfg
url = https://github.com/corelight/cve-2022-26809
version = v0.1.0

[corelight/CVE-2022-26937]
depends = 
	zeek >=4.0.0
description = A Zeek package to detect CVE-2022-26937, a Windows NFS vulnerabilty.
script_dir = scripts
summary = A Zeek package to detect CVE-2022-26937, a Windows NFS vulnerabilty.
test_command = make test
url = https://github.com/corelight/CVE-2022-26937
version = master

[corelight/CVE-2022-3602]
description = CVE-2022-3602 exploit Detection
script_dir = scripts
summary = Detection for CVE-2022-3602 - OpenSSL RCE/DOC v3.0.0 - v3.0.6
test_command = cd testing && btest -c btest.cfg
url = https://github.com/corelight/CVE-2022-3602
version = v0.1.0

[corelight/detect-ransomware-filenames]
description = Watch SMB transactions for files whose filename matches patterns known to be used by ransomware
script_dir = scripts
url = https://github.com/corelight/detect-ransomware-filenames
version = master

[corelight/ExtendIntel]
description = v3.0 - A Zeek package to extend logging for Intel
script_dir = scripts
tags = intel
version = v3.0.0
url = https://github.com/corelight/ExtendIntel

[corelight/got_zoom]
depends = 
	bro >=2.5.5
	ja3 *
description = Detect Zoom traffic
script_dir = scripts
tags = TLS, SSL, JA3, Video conferencing, Video, Videoconferencing, Remote working, Zoom
version = master
url = https://github.com/corelight/got_zoom

[corelight/hassh]
depends = 
	zeek >=4.0.0
description = HASSH is used to identify specific Client and Server SSH implementations. The fingerprints can be stored, searched and shared in the form of an MD5 fingerprint. This package logs components to ssh.log
script_dir = scripts
summary = SSH client and server fingerprints.
tags = bro plugin, ssh, fingerprint, logging
test_command = cd testing && btest -c btest.cfg
version = v1.0.1
url = https://github.com/corelight/hassh

[corelight/http-stalling-detector]
description = Detect HTTP stalling attacks like slowloris.
script_dir = scripts
tags = http, DoS, attack, notice
url = https://github.com/corelight/http-stalling-detector
version = master

[corelight/icannTLD]
description = v28.0.0 - A Zeek script using Input Framework to get icann_tld, icann_domain, icann_host_subdomain, and is_trusted_domain from a DNS query.  The field icann_host_subdomain contains the remaining query nodes after the domain is removed.  The is_trusted_domain is populated from a separate Input Framework set.
script_dir = scripts
tags = domain, dns, tld, input
version = v28.0.0
url = https://github.com/corelight/icannTLD

[corelight/json-streaming-logs]
description = JSON streaming logs
script_dir = scripts
tags = logs, json, streaming, stream, filebeat, splunk_forwarder, logstash
test_command = cd testing && btest -d -c btest.cfg
url = https://github.com/corelight/json-streaming-logs
version = v3.1.0

[corelight/log-add-http-post-bodies]
description = Add a POST body excerpt into the HTTP log
script_dir = scripts
tags = http log extend
version = master
url = https://github.com/corelight/log-add-http-post-bodies

[corelight/log-add-vlan-everywhere]
description = Add VLAN to all logs.
script_dir = scripts
tags = log extend vlan
url = https://github.com/corelight/log-add-vlan-everywhere
version = v1.0.3

[corelight/my_stats]
description = This package dumps stats for troubleshooting.
script_dir = scripts
tags = stats
url = https://github.com/corelight/my_stats
version = v0.0.3

[corelight/pingback]
description = A Zeek package which detects ICMP ping tunnels created by the Pingback tool
script_dir = scripts
tags = C2, ICMP, RAT, Windows, Malware
version = v0.1.2
url = https://github.com/corelight/pingback

[corelight/top-dns]
depends = 
	zeek/sethhall/domain-tld *
description = Log the top DNS queries being requested.
script_dir = scripts
tags = dns, sumstats, log, measurement, top
url = https://github.com/corelight/top-dns
version = master

[corelight/zeek-agenttesla-detector]
depends = 
	zeek >=4.0.0
description = An AgentTesla malware C2 detector.
script_dir = scripts
summary = An AgentTesla malware C2 detector.
test_command = cd testing && btest -c btest.cfg
url = https://github.com/corelight/zeek-agenttesla-detector
version = v0.1.1

[corelight/zeek-asyncrat-detector]
depends = 
	zeek >=4.0.0
description = An AsyncRAT malware detector.
script_dir = scripts
summary = An AsyncRAT malware detector.
test_command = cd testing && btest -c btest.cfg
url = https://github.com/corelight/zeek-asyncrat-detector
version = v0.1.2

[corelight/zeek-community-id]
build_command = ./configure && cd build && make
depends = 
	zeek >=3.2.0
description = "Community ID" flow hash support in conn.log
script_dir = scripts/Corelight/CommunityID
tags = zeek plugin, conn, logging, community id, flow hashing, flow id, sha1, corelight
test_command = cd tests && btest -c btest.cfg -d communityid
url = https://github.com/corelight/zeek-community-id
version = 3.2.3

[corelight/zeek-elf]
build_command = ./configure --enable-debug && make
description = This package provides some basic analysis for ELF files.
script_dir = scripts/Zeek/ELF
tags = intel, files, elf
test_command = cd tests && btest
url = https://github.com/corelight/zeek-elf
version = v0.1.4

[corelight/zeek-globload]
build_command = ./configure && cd build && make
description = This plugin adds support for shell-style glob
	patterns when loading Zeek scripts. For example, saying
	"@load startup.d/*.zeek" will load any Zeek scripts
	with a .zeek suffix from the startup.d folder.
summary = Support file globbing in @load directives
test_command = cd testing && btest -c btest.cfg
url = https://github.com/corelight/zeek-globload
version = 1.0.0

[corelight/zeek-gozi-detector]
depends = 
	zeek >=4.0.0
description = A Zeek based Gozi malware detector.
script_dir = scripts
summary = A Zeek based Gozi malware detector.
test_command = cd testing && btest -c btest.cfg
url = https://github.com/corelight/zeek-gozi-detector
version = v0.1.10

[corelight/zeek-jpeg]
build_command = ./configure --enable-debug && make
description = This package provides some basic analysis for JPEG files.
script_dir = scripts/Zeek/JPEG
tags = intel, files, jpeg, jpg
test_command = cd tests && btest
url = https://github.com/corelight/zeek-jpeg
version = v0.1.3

[corelight/zeek-long-connections]
aliases = zeek-long-connections bro-long-connections
depends = zkg >=2.0.7
description = Find and log long-lived connections into a "conn_long" log.
script_dir = scripts
tags = conn
test_command = cd testing && btest -c btest.cfg
version = v1.3.1
url = https://github.com/corelight/zeek-long-connections

[corelight/zeek-macho]
build_command = ./configure --enable-debug --zeek-dist=%(zeek_dist)s && make
description = This package provides some basic analysis for Mach-o files.
script_dir = scripts/Zeek/MACHO
tags = intel, files, mach-o, macho
test_command = cd tests && btest
url = https://github.com/corelight/zeek-macho
version = v0.1.1

[corelight/zeek-nats-log-writer]
build_command = ./configure && cmake --build build
description = NATS.io log writer support
summary = NATS.io log writer support
test_command = cd testing && btest -c btest.cfg
url = https://github.com/corelight/zeek-nats-log-writer
version = v0.1.0

[corelight/zeek-netsupport-detector]
depends = 
	zeek >=4.0.0
description = A Zeek base NetSupport detector. NetSupport is often abused by attackers in malware.
script_dir = scripts
summary = A Zeek base NetSupport detector. NetSupport is often abused by attackers in malware.
test_command = cd testing && btest -c btest.cfg
url = https://github.com/corelight/zeek-netsupport-detector
version = v0.1.0

[corelight/zeek-notice-telegram]
description = Package that extends the Notice Framework to include
	`ACTION_TELEGRAM` for sending messages on notices over Telegram.
script_dir = scripts
summary = Send Notices over Telegram
url = https://github.com/corelight/zeek-notice-telegram
version = master

[corelight/zeek-quasarrat-detector]
depends = 
	zeek >=4.0.0
description = An QuasarRAT malware detector.
script_dir = scripts
summary = An QuasarRAT malware detector.
test_command = cd testing && btest -c btest.cfg
url = https://github.com/corelight/zeek-quasarrat-detector
version = main

[corelight/zeek-quic]
aliases = zeek-quic bro-quic
build_command = ./configure && make
depends = 
	zeek >=4.0.0
description = Detects the Google QUIC (GQUIC) protocol and adds "gquic"
	to conn.log's "service" field.
plugin_dir = build/Corelight_GQUIC.tgz
script_dir = build/scripts/Corelight/GQUIC
tags = plugin, analyzer, gquic, quic
url = https://github.com/corelight/zeek-quic
version = v0.7.0

[corelight/zeek-spicy-facefish]
build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build .
description = A Facefish rootkit detector, based on Spicy.
plugin_dir = build/spicy-modules
script_dir = analyzer
summary = A Facefish rootkit detector, based on Spicy.
test_command = cd tests && PATH=$(zkg config plugin_dir)/packages/spicy-plugin/bin:$PATH btest -d -j $(nproc)
url = https://github.com/corelight/zeek-spicy-facefish
version = v0.1.1

[corelight/zeek-spicy-ipsec]
build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build .
description = An IPSec Zeek protocol analyzer based on Spicy.
plugin_dir = build/spicy-modules
script_dir = analyzer
summary = An IPSec Zeek protocol analyzer based on Spicy.
test_command = cd tests && PATH=$(zkg config plugin_dir)/packages/spicy-plugin/bin:$PATH btest -d -j $(nproc)
url = https://github.com/corelight/zeek-spicy-ipsec
version = v0.2.22

[corelight/zeek-spicy-openvpn]
build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build .
description = A Zeek OpenVPN protocol analyzer, based on Spicy.
plugin_dir = build/spicy-modules
script_dir = analyzer
summary = A Zeek OpenVPN protocol analyzer, based on Spicy.
test_command = cd tests && PATH=$(zkg config plugin_dir)/packages/spicy-plugin/bin:$PATH btest -d -j $(nproc)
url = https://github.com/corelight/zeek-spicy-openvpn
version = v0.1.7

[corelight/zeek-spicy-ospf]
build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build .
description = A Zeek OSPF packet analyzer, based on Spicy.
plugin_dir = build/spicy-modules
script_dir = analyzer
summary = A Zeek OSPF packet analyzer, based on Spicy.
test_command = cd tests && PATH=$(zkg config plugin_dir)/packages/spicy-plugin/bin:$PATH btest -d -j $(nproc)
url = https://github.com/corelight/zeek-spicy-ospf
version = v0.1.5

[corelight/zeek-spicy-stun]
build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build .
description = A Zeek STUN protocol analyzer based on Spicy.
plugin_dir = build/spicy-modules
script_dir = analyzer
summary = A Zeek STUN protocol analyzer based on Spicy.
test_command = cd tests && PATH=$(zkg config plugin_dir)/packages/spicy-plugin/bin:$PATH btest -d -j $(nproc)
url = https://github.com/corelight/zeek-spicy-stun
version = v0.2.11

[corelight/zeek-spicy-wireguard]
build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build .
description = A Wireguard VPN protocol analyzer, based on Spicy.
plugin_dir = build/spicy-modules
script_dir = analyzer
summary = A Wireguard VPN protocol analyzer, based on Spicy.
test_command = cd tests && PATH=$(zkg config plugin_dir)/packages/spicy-plugin/bin:$PATH btest -d -j $(nproc)
url = https://github.com/corelight/zeek-spicy-wireguard
version = v0.1.4

[corelight/zeek-strrat-detector]
build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build .
depends = 
	zeek >=4.0.0
description = A Zeek based STRRAT malware detector.
script_dir = scripts
summary = A Zeek based STRRAT malware detector.
test_command = cd testing && btest -c btest.cfg
url = https://github.com/corelight/zeek-strrat-detector
version = v0.1.0

[corelight/zeek-xor-exe-plugin]
build_command = ./configure && make
description = A plugin to find Windows executables that have been XOR encoded.
plugin_dir = build
script_dir = scripts/Corelight/PE_XOR
tags = plugin, pe, executable, malware
test_command = cd tests && btest -d
url = https://github.com/corelight/zeek-xor-exe-plugin
version = 4.1

[corelight/zeekjs]
build_command = ./configure --with-nodejs=%(nodejs_root_dir)s && cd build && make
depends = 
	zeek >=4.2.0
description = Experimental JavaScript support for Zeek.
external_depends = 
	libnode-dev
	nodejs-devel
name = ZeekJS
plugin_dir = build
tags = javascript, js, plugin
test_command = cd tests && btest -d -c btest.cfg -g smoke
user_vars = 
	nodejs_root_dir [] "Root directory of Node.js installation (leave blank for defaults)"
url = https://github.com/corelight/zeekjs
version = v0.13.0

[corelight/zeekjs-notice-telegram]
depends = zeekjs *
description = Package that extends the Notice Framework to include
	`ACTION_TELEGRAM` for sending messages on notices over Telegram using ZeekJS.
script_dir = scripts
summary = Send Notices over Telegram (ZeekJS edition)
test_command = cd testing && btest -c btest.cfg
url = https://github.com/corelight/zeekjs-notice-telegram
version = master

[corelight/zerologon]
corelight_name = Zerologon
description = Detects Zerologon (CVE-2020-1472) attempts and exploits.
script_dir = scripts
summary = Detects Zerologon (CVE-2020-1472) attempts and exploits.
test_command = cd testing && btest -c btest.cfg
url = https://github.com/corelight/zerologon
version = master

[corelight/ztest]
credits = Ryan Victory <ryan.victory@corelight.com>
description = A Zeek Unit Testing Framework
script_dir = scripts
tags = library, unit-testing, testing
test_command = make -C tests
url = https://github.com/corelight/ztest
version = master

[cyberUniBO/Zeek-Pcap-Features-Extractor]
description = Zeek Package that extracts features from pcap files
tags = zeek plugin, pcap files, features extraction, feature extractor
version = main
url = https://github.com/MichelangeloFlorio/Zeek-Pcap-Features-Extractor

[cybera/zeek-sniffpass]
description = Sniffpass will alert on cleartext passwords discovered in HTTP POST requests
script_dir = scripts
tags = password, logging
version = master
url = https://github.com/cybera/zeek-sniffpass

[dopheide/bro-quic]
build_command = ( ./configure --bro-dist=%(bro_dist)s && make )
description = Attempt to identify QUIC protocol
plugin_dir = build/Bro_QUIC.tgz
tags = plugin, analyzer, quic
url = https://github.com/dopheide-esnet/bro-quic
version = 0.1

[dopheide/zeek-jetdirect]
credits = dopheide@es.net, soehlert@es.net, jsdorn1@gmail.com
depends = 
	zeek >=2.0.0
description = Detect exploit attempt of HP JetDirect printers
script_dir = ./scripts
tags = jetdirect, printer, cve-2017-2741
test_command = cd tests && make
url = https://github.com/dopheide-esnet/zeek-jetdirect
version = 0.4

[dopheide/zeek-known-hosts-with-dns]
description = This script expands the base known-hosts policy to include reverse DNS queries and syncs it across all workers.
script_dir = scripts
tags = known-hosts, known_hosts, dns
test_command = cd tests && btest -d known_tests
version = v1.2.4
url = https://github.com/dopheide-esnet/zeek-known-hosts-with-dns

[dopheide/zeek-known-outbound]
depends = 
	zeek >=3.0.0
description = This script provides the ability to monitor and throw notices for outbound connections to a list of watched countries. It also adds orig and resp country codes to conn.log. It depends on having libmaxmind configured for GeoIP lookups.
script_dir = scripts
tags = notice, known, services, outbound
test_command = cd tests && btest -d outbound-tests
version = master
url = https://github.com/dopheide-esnet/zeek-known-outbound

[dopheide/zeek-notice-config]
depends = 
	zeek >=3.0.0-rc1
description = This script enables easy customation of how notice actions are handled.  It's built to work with eZeekConfigurator, but that isn't required.
script_dir = scripts
tags = notice, configuration, ezeekonfigurator, ezk
test_command = cd tests && btest -d notice_tests
version = master
url = https://github.com/dopheide-esnet/zeek-notice-config

[dopheide/zeek-ntp-monlist]
depends = 
	zeek >=3.0.0-rc1
description = This script just replaces the old ntp-monlist script to work with Zeek 3.0.0+
script_dir = scripts
tags = ntp, NTP, monlist, ddos
test_command = cd tests && btest -d ntp_tests
version = v1.0.2
url = https://github.com/dopheide-esnet/zeek-ntp-monlist

[dopheide/zeek-ssh-interesting-hostnames-with-known]
depends = zeek/dopheide/zeek-known-hosts-with-dns *
description = This script replaces the default ssh/interesting-hostnames and reduces the number of asyncrhonous when() calls made by Zeek.
script_dir = scripts
tags = dns, ssh, interesting-hostnames
test_command = cd tests && btest -d ssh_tests
version = v1.2.1
url = https://github.com/dopheide-esnet/zeek-ssh-interesting-hostnames-with-known

[dopheide/bro_notice_correlation]
description = Adds support for multi-notice correlation. For more information, see http://blog.samoehlert.com/correlating-bro-notices or the talk from BroCon 2016.
script_dir = scripts
tags = notices, notice, correlation
version = master
url = https://github.com/dopheide/bro_notice_correlation

[dopheide/venom]
description = Attempts to detect an attacker calling to the VENOM Linux Rootkit https://security.web.cern.ch/security/venom.shtml
script_dir = scripts
tags = Venom, venom, VENOM, rootkit
version = master
url = https://github.com/dopheide/venom

[dovehawk/dovehawk]
description = MISP+Zeek. Dovehawk is a Zeek Module to import MISP indicators to the Intel Framework and Signature Framework automatically. Reports sightings directly back to MISP as they happen. Supports Zeek Clusters.
script_dir = .
tags = intel, MISP, sightings, signatures, threat intelligence, threat intel, cyber
version = 1.02.002
url = https://github.com/tylabs/dovehawk

[dovehawk/dovehawk_dns]
description = Dovehawk.io Passive DNS Capture Module.
script_dir = .
tags = dns, pdns, log, passive, dovehawk
url = https://github.com/tylabs/dovehawk_dns
version = master

[dovehawk/dovehawk_flow]
description = Dovehawk Anonymized Outbound Flow Tracking
script_dir = ./scripts/
tags = netflow, connections, log, remote, dovehwak
url = https://github.com/tylabs/dovehawk_flow
version = 1.0.0

[dw2102/S7Comm-Analyzer]
build_command = ./configure && make
credits = D. Wullen <d.wullen@gmx.de>
description = Protocol parser for the Siemens S7Comm and S7CommPlus protocol.
	Both parser are based on the Iso-Over-TCP protocol. Not all functions are covered
	in this analyzer, it may not capture all of the packets.
script_dir = scripts/
tags = s7comm, zeek plugin, s7commplus, siemens, zeek, protocol analyzer
version = master
url = https://github.com/dw2102/S7Comm-Analyzer

[elcabezzonn/http-header-count]
description = a script that counts the client http headers.
script_dir = scripts
tags = http
version = main
url = https://github.com/elcabezzonn/http-header-count

[elcabezzonn/smb2-remote-file-copy]
description = a script that identifies remote file copies over smb2
script_dir = scripts
tags = smb2
version = master
url = https://github.com/elcabezzonn/smb2-remote-file-copy

[emnahum/zeek-pcapovertcp-plugin]
build_command = ./configure && make
credits = Erich Nahum <github@nahum.org>
depends = 
	zkg >=2.0
	zeek >=4.0.0
description = Provides PCAP over TCP support for Zeek.
plugin_dir = build/Zeek_PcapOverTcp.tgz
script_dir = scripts
summary = Provides PCAP over TCP support for Zeek.
tags = zeek plugin, zeekctl plugin, packet source, pcapovertcp, pcap
url = https://github.com/emnahum/zeek-pcapovertcp-plugin
version = v1.0.12

[emojifier/emojifier]
credits = Jan Grashoefer <jan.grashoefer@gmail.com>,
	Matthias Grundmann <matthias.grundmann@kit.edu>,
	Florian Jacob <florian.jacob@kit.edu>
description = Set your logs on fire with Emojifier!
script_dir = scripts
tags = emoji, fire, emojifier
test_command = cd testing && btest -d
url = https://github.com/emojifier/emojifier
version = master

[endace/zeek-dag]
aliases = zeek-dag bro-dag
build_command = ( ./configure && make )
depends = zeek >=2.6.0
description = Packet source plugin that provides native support for Endace DAG card and EndaceProbe Application Dock packet capture.
plugin_dir = build/Endace_DAG.tgz
tags = packet source, zeek plugin, plugin, broctl plugin, zeekctl plugin, dag, endace
test_command = ( cd tests && btest -d )
url = https://github.com/endace/zeek-dag
version = v0.6

[esnet-security/cve-2020-16898]
credits = Vlad Grigorescu <vlad@es.net>
depends = 
	zeek >=2.6.0
description = Detects CVE-2020-16898: "Bad Neighbor"
script_dir = ./scripts
tags = cve, cve-2020-16898, badneighbor
test_command = cd tests && make
url = https://github.com/esnet-security/cve-2020-16898
version = v0.1

[esnet-security/logfilter]
credits = Vlad Grigorescu <vlad@es.net>
description = Enables plugins to write fine-grained policy for log filtering, modification, and path customization.
script_dir = ./scripts
tags = logs, filters, ESnet
test_command = cd tests && make
url = https://github.com/esnet-security/logfilter
version = 1.0

[esnet-security/zeek-ebury]
description = This script attempts to detect the Ebury ssh backdoor based on having base64 in the ssh client string.
script_dir = scripts
tags = ssh, ebury
version = main
url = https://github.com/esnet-security/zeek-ebury

[esnet-security/Zeek-Known-Services-With-OrigFlag]
description = This script expands the base known-services policy to include is_local_orig flag to indicate if the service was discovered from non-local nets (is_local_orig =F) or from local nets (is_local_orig=T).
script_dir = scripts
tags = known-services, known_services
test_command = cd tests && btest -d known_tests
version = main
url = https://github.com/esnet-security/Zeek-Known-Services-With-OrigFlag

[esnet-security/zeek-outbound-known-services-with-origflag]
description = This script expands the base known-services policy to include is_local_orig flag to indicate if an outbound service was discovered from non-local nets (is_local_orig =F) or from local nets (is_local_orig=T).
script_dir = scripts
tags = known-services, known_services
test_command = cd tests && btest -d known_tests
version = main
url = https://github.com/esnet-security/zeek-outbound-known-services-with-origflag

[esnet-security/zeek_scram]
description = Zeek script for interacting with the SCRAM client
script_dir = scripts
tags = scram, bhr
test_command = cd tests && btest -d scram_tests
version = master
url = https://github.com/esnet-security/zeek_scram

[esnet/zeek-exporter]
build_command = ./configure && make
config_files = scripts/conf.dat
credits = Vlad Grigorescu <vlad@es.net>
depends = 
	zeek >=3.0.0
description = Prometheus exporter for Zeek performance data
external_depends = 
	cmake >=3.5
	libcurl-devel *
plugin_dir = ./build/ESnet_Zeek_Exporter.tgz
tags = zeek plugin, performance, perf, stats, prometheus
test_command = cd tests && btest -d
url = https://github.com/esnet/zeek-exporter
version = v0.6.0

[esnet/zeek_perfsonar_owamp]
build_command = ( ./configure --zeek-dist=%(zeek_dist)s && make )
plugin_dir = build/PerfSONAR_OWAMP.tgz
tags = plugin, analyzer, owamp, perfsonar
test_command = cd tests && btest
url = https://github.com/esnet/zeek_perfsonar_owamp
version = master

[fatemabw/bro-inventory-scripts]
description = Find different type of OSes and AV software in your network traffic.
script_dir = scripts
tags = OS detection, Anti-Virus
version = master
url = https://github.com/fatemabw/bro-inventory-scripts

[fatemabw/kyd]
description = KYD creates DHCP client hashes and logs the fingerprints and associated device information in a separate log file 'dhcpfp.log. The Unknown fingerprints can easily be queried to the Fingerbanks API using the 'dhcp-unknown.py' script provided in this package, resulting dhcp-db-extend output file can be appended to the local dhcp-db.bro, and also can be shared with the community using dhcp-db-FBQ file generated by the python script.
	https://github.com/fatemabw/kyd
script_dir = zeek
tags = dhcp, dhcpfp
version = master
url = https://github.com/fatemabw/kyd

[fdekeers/igmp]
build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build .
credits = François De Keersmaeker <francois.dekeersmaeker@uclouvain.be>
depends = 
	zeek >=4.0.0
description = A Spicy-based packet analyzer for the IGMP protocol.
	Supports IGMPv1, v2 and v3.
script_dir = scripts
summary = IGMP packet analyzer in Spicy
tags = igmp, zeek, spicy, packet analyzer, ids
test_command = cd testing && btest -c btest.cfg
url = https://github.com/zeek-plugins/igmp
version = main

[fdekeers/mdns]
credits = François De Keersmaeker <francois.dekeersmaeker@uclouvain.be>
description = Multicast DNS (mDNS) package for Zeek
script_dir = ./scripts
tags = IDS, Zeek, mDNS
test_command = cd tests && make
url = https://github.com/zeek-plugins/mdns
version = main

[foxio/ja4]
credits = John Althouse
depends = zeek >=5.0.0
description = Official Zeek package for JA4+ network fingerprinting.
script_dir = zeek
tags = ja4, fingerprint, fingerprinting, ja4s, ja4h, ja4x, ja4ssh, ja4l, ja4t, ja4+, ja4plus, ja3
version = v0.18.4
url = https://github.com/FoxIO-LLC/ja4

[hhzzk/dns-tunnels]
description = Detect DNS Tunnels attack.
script_dir = scripts
tags = DNS, DNS Tunnels, DNS Tunneling
version = master
url = https://github.com/hhzzk/dns-tunnels

[hosom/bro-ja3]
depends = 
	bro >=2.6.0
description = Generate and log ja3 ssl fingerprints
script_dir = scripts
tags = ja3, ssl, intel
test_command = cd tests && btest -d btests
version = 1.0.4
url = https://github.com/hosom/bro-ja3

[hosom/bro-napatech]
build_command = (./configure --bro-dist=%(bro_dist)s && make)
depends = 
	bro-pkg >=1.2
	bro >=2.5.0
description = Packet source plugin that provides native support for NTAPI
plugin_dir = build/Bro_Napatech.tgz
tags = packet source, plugin, napatech, ntapi
url = https://github.com/hosom/bro-napatech
version = 0.1.0

[hosom/bro-oui]
depends = 
	bro >=2.5.5
description = Add OUI lookup to Bro.
script_dir = scripts
tags = oui, mac, dhcp
version = 1.0.3
url = https://github.com/hosom/bro-oui

[hosom/dummy-connections]
depends = 
	bro >=2.6.0
description = Create dummy connection records.
script_dir = scripts
tags = connection
version = 1.0.0
url = https://github.com/hosom/dummy-connections

[hosom/file-extraction]
config_files = scripts/config.zeek
depends = 
	zeek >=3.0.0
description = Extract files from network traffic with Zeek.
script_dir = scripts
tags = files, file extraction, file analysis
version = 2.0.3
url = https://github.com/hosom/file-extraction

[hosom/log-filters]
config_files = scripts/config.zeek
depends = 
	zeek >=3.0.0
description = Implement common log filters.
script_dir = scripts
tags = logging, log framework
version = main
url = https://github.com/hosom/log-filters

[initconf/2024-09-cups-linux-rce]
description = 
script_dir = scripts
tags = 
test_command = ( cd tests && btest -d )
version = main
url = https://github.com/initconf/2024-09-cups-linux-rce

[initconf/Apple-RDP-net-assistant-DoS.git]
description = udp-3283-DoS
script_dir = scripts
tags = net_listerner, Apple RDP, udp DoS
test_command = ( cd tests && btest -d )
version = master
url = https://github.com/initconf/Apple-RDP-net-assistant-DoS.git

[initconf/blacklist]
description = package to manage blacklisted IP address ysing bro
script_dir = scripts
tags = blacklist
version = master
url = https://github.com/initconf/blacklist

[initconf/CVE-2017-5638_struts]
description = package to detect CVE-2017-5638 struts attack
script_dir = scripts
tags = CVE-2017-5638, struts
version = master
url = https://github.com/initconf/CVE-2017-5638_struts

[initconf/CVE-2020-16898-Bad-Neighbor.git]
description = CVE-2020-16898: Bad Neighbor
script_dir = scripts
tags = 
test_command = ( cd tests && btest -d )
version = master
url = https://github.com/initconf/CVE-2020-16898-Bad-Neighbor.git

[initconf/detect-kaspersky]
description = kaspersky
script_dir = scripts
tags = kaspersky antivirus
test_command = ( cd tests && btest -d )
version = v3
url = https://github.com/initconf/detect-kaspersky

[initconf/dns-heuristics]
description = 
script_dir = scripts
tags = 
test_command = ( cd tests && btest -d )
version = main
url = https://github.com/initconf/dns-heuristics

[initconf/ftp-bruteforce]
description = ftp-bruteforce
script_dir = scripts
tags = ftp, bruteforce, scan
test_command = ( cd tests && btest -d )
version = v2.0-zeek-3.x.x
url = https://github.com/initconf/ftp-bruteforce

[initconf/icmp-scans.git]
description = icmp-scans
script_dir = scripts
tags = ftp, bruteforce, scan
test_command = ( cd tests && btest -d )
version = master
url = https://github.com/initconf/icmp-scans.git

[initconf/LetsEncrypt]
description = LetsEncrypt
script_dir = scripts
tags = 
test_command = ( cd tests && btest -d )
version = master
url = https://github.com/initconf/LetsEncrypt

[initconf/log4j.git]
description = zeek package to identify log4j exploit attempts for  CVE-2021-44228
script_dir = scripts
tags = 
test_command = ( cd tests && btest -d )
version = main
url = https://github.com/initconf/log4j.git

[initconf/phish-analysis]
description = Suite of smtp related policies includes extracting and logging URLs from emails and various smtp anomaly detection heuristics to help flag phishing emails
script_dir = scripts
tags = smtp, phish, urls, emails
test_command = ( cd tests && btest -d )
version = master
url = https://github.com/initconf/phish-analysis

[initconf/RDP-bruteforce]
description = rdp-bruteforce
script_dir = scripts
tags = rdp, bruteforce, scan
test_command = ( cd tests && btest -d )
version = master
url = https://github.com/initconf/RDP-bruteforce

[initconf/scan-NG]
description = scan detection in 2.x world. Forward porting of bro-1.5.3 scan.bro accompanied with new heuristics and quicker detections
script_dir = scripts
tags = scan detection
version = master
url = https://github.com/initconf/scan-NG

[initconf/sip-attacks.git]
description = sip-attacks
script_dir = scripts
tags = sip, voip
test_command = ( cd tests && btest -d )
version = master
url = https://github.com/initconf/sip-attacks.git

[initconf/smtp-url-analysis]
description = Suite of smtp related policies includes extracting and logging URLs from emails and various smtp anomaly detection heuristics to help flag phishing emails
script_dir = scripts
tags = smtp, phish, urls, emails
test_command = ( cd tests && btest -d )
version = master
url = https://github.com/initconf/smtp-url-analysis

[initconf/vnc-scanner]
description = Simple policy to detect VNC (RFB) scanners based on src->dst connection counts
script_dir = scripts
tags = rfb, vnc, osx high sierra
test_command = ( cd tests && btest -d )
version = master
url = https://github.com/initconf/vnc-scanner

[initconf/ws-discovery-dos]
description = udp-scan
script_dir = scripts
tags = ws-discovery, scan, dos, toshiba, copiers, scanners
test_command = ( cd tests && btest -d )
version = v2.0
url = https://github.com/initconf/ws-discovery-dos

[irtimmer/bro-xdp_packet-plugin]
build_command = ./configure --bro-dist=%(bro_dist)s && make
depends = 
	bro-pkg >=1.2
	bro >=2.5.0
description = This plugin provides native AF_XDP support for Bro.
plugin_dir = build/itimmer_af_xdp.tgz
tags = bro plugin, packet source, af_xdp
test_command = cd tests && btest -d
url = https://github.com/irtimmer/bro-xdp_packet-plugin
version = master

[j-gras/add-interfaces]
depends = 
	zeek >=3.0
description = Adds cluster node's interface to logs.
script_dir = scripts
tags = log, logging, conn, add interface, add worker
url = https://github.com/J-Gras/add-interfaces
version = 2.0.0

[j-gras/add-json]
depends = 
	zeek >=4.1
description = Additional JSON-logging for Zeek.
script_dir = scripts
tags = log, logging, JSON
test_command = cd tests && btest -d
url = https://github.com/J-Gras/add-json
version = 3.0.0

[j-gras/add-node-names]
depends = 
	zeek >=2.5
description = Adds cluster node name to logs.
script_dir = scripts
tags = log, logging, conn, add node name, add worker
url = https://github.com/J-Gras/add-node-names
version = 2.0.0

[j-gras/bro-af_packet-plugin]
build_command = ./configure && make
depends = 
	zkg >=2.0
	zeek >=4.0.0
description = This plugin provides native AF_Packet support for Zeek.
plugin_dir = build/Zeek_AF_Packet.tgz
script_dir = scripts/af_packet
tags = zeek plugin, zeekctl plugin, packet source, af_packet
test_command = cd tests && btest -d
url = https://github.com/J-Gras/bro-af_packet-plugin
version = 4.0.0

[j-gras/bro-fuzzy-hashing]
build_command = ./configure --bro-dist=%(bro_dist)s && make
depends = 
	bro >=2.5.0
description = This plugin provides fuzzy hashing for Bro.
plugin_dir = build/JGras_FuzzyHashing.tgz
tags = bro plugin
test_command = cd tests && btest -d
url = https://github.com/J-Gras/bro-fuzzy-hashing
version = 0.3.0

[j-gras/bro-lognorm]
build_command = ./configure && make
depends = 
	zkg >=2.0
	zeek >=4.0.0
description = This plugin provides liblognorm integration for Zeek.
plugin_dir = build/Zeek_Lognorm.tgz
script_dir = scripts/lognorm
tags = zeek plugin, liblognorm, syslog
test_command = cd tests && btest -d
url = https://github.com/J-Gras/bro-lognorm
version = 1.0.0

[j-gras/intel-expire]
credits = Jan Grashoefer <jan.grashoefer@gmail.com>
depends = 
	zeek >=3.0
description = Per item expiration for Zeek's intelligence framework.
script_dir = scripts
tags = intel, expiration
test_command = cd testing && btest -d
url = https://github.com/J-Gras/intel-expire
version = v1.0.0

[j-gras/intel-extensions]
credits = Jan Grashoefer <jan.grashoefer@gmail.com>
depends = 
	zeek >=3.0
description = Extensions for Zeek's intelligence framework.
executables = utils/intel-mgr.py
script_dir = scripts
tags = intel, remote control, preserve files
test_command = cd testing && btest -d
url = https://github.com/J-Gras/intel-extensions
version = v0.5.0

[j-gras/intel-limiter]
credits = Jan Grashoefer <jan.grashoefer@gmail.com>
depends = 
	zeek >=3.0
description = Limiter for Zeek's intelligence framework.
script_dir = scripts
tags = intel, limits, threshold
test_command = cd testing && btest -d
url = https://github.com/J-Gras/intel-limiter
version = 1.0.0

[j-gras/intel-seen-more]
depends = 
	zeek >=3.2
description = Additional seen-triggers for Zeek's intelligence framework.
script_dir = scripts
suggests = 
	sethhall/domain-tld *
tags = intel, seen
url = https://github.com/J-Gras/intel-seen-more
version = 0.4.0

[jbaggs/anomalous-dns]
config_files = domain-whitelist.zeek, fast_flux-whitelist.zeek, recursive-whitelist.zeek, scripts/__load__.zeek, scripts/domain-whitelist.zeek, scripts/fast_flux-whitelist.zeek, scripts/recursive-whitelist.zeek
depends = 
	zeek >=5.0.8
	https://github.com/sethhall/domain-tld >=1.2.2
description = A module for tracking and correlating abnormal DNS behavior. Detection of tunneling and C&C through connection duration and volume, request and answer size, DNS request type, and unique queries per domain. Statistical classification of fast flux networks based on A records and ASNs.
script_dir = scripts
tags = zeek scripting, dns, domain, notices
url = https://github.com/jbaggs/anomalous-dns
version = 2.0.3

[jbaggs/wildcard-domain]
depends = 
	zeek >=3.0.0
description = This script adds a new Intel::WILDCARD_DOMAIN type that matches on the base domain name, regardless of what subdomain may be prepended to it.
script_dir = scripts
tags = zeek scripting, intel
url = https://github.com/jbaggs/wildcard-domain
version = 1.1.0

[jmellander/BinaryHeap]
description = Binary Heap Implementation
script_dir = scripts
tags = zeek, zeek.org, BinaryHeap
url = https://github.com/jmellander/BinaryHeap
version = master

[joesecurity/Joe-Sandbox-Bro]
description = JoeSandbox-Bro extracts files from your internet connection
	and analyzes them automatically on Joe Sandbox. Combined with Joe Sandbox's
	reporting and alerting features you can build a powerful IDS.
script_dir = scripts
tags = file analysis, sandbox, malware, virus
url = https://github.com/joesecurity/Joe-Sandbox-Bro
version = master

[jonzeolla/scan-sampling]
description = Modified version of scan.bro to add destination IP sampling.
script_dir = scripts
tags = sumstats
url = https://github.com/JonZeolla/scan-sampling
version = 0.1.0

[jsiwek/zeek-cryptomining]
aliases = zeek-cryptomining bro_bitcoin
depends = zkg >=2.0.7
description = Detects Bitcoin, Litecoin, or other cryptocurrency
	mining traffic that uses getwork, getblocktemplate, or Stratum mining
	protocols over TCP or HTTP.  This package used to be named "bro_bitcoin".
tags = signatures, bitcoin, mining, cryptocurrency, cryptomining, cryptocoin
test_command = cd testing && btest -d tests
url = https://github.com/jsiwek/zeek-cryptomining
version = master

[jsiwek/zeek-print-log-info]
depends = zeek >=3.0.0
description = Gathers and prints field descriptions for all Zeek logs.
	The default output format is CSV files.
tags = log, logs, logging, introspection, csv
url = https://github.com/jsiwek/zeek-print-log-info
version = master

[jswaro/tcprs]
build_command = ( ./configure --bro-dist=%(bro_dist)s && make )
description = TCP Retransmission and State Analyzer plugin for Bro.
plugin_dir = build
script_dir = scripts
tags = bro plugin, TCP, retransmission, connection state, conn, input reader, protocol analyzer
test_command = cd tests btest -d tcprs
url = https://github.com/jswaro/tcprs
version = 0.2.1

[justinazoff/zeek-jemalloc-profiling]
description = A broctl plugin that enables jemalloc profiling
plugin_dir = plugin
tags = broctl, jemalloc, profiling
url = https://github.com/JustinAzoff/zeek-jemalloc-profiling
version = master

[keithjjones/zeek-amadey-detector]
depends = 
	zeek >=4.0.0
description = A Zeek based Amadey malware detector.
script_dir = scripts
summary = A Zeek based Amadey malware detector.
test_command = cd testing && btest -c btest.cfg
url = https://github.com/keithjjones/zeek-amadey-detector
version = v0.1.13

[keithjjones/zeek-njrat-detector]
build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build .
depends = 
	zeek >=4.0.0
description = A Zeek based njRAT detector.
script_dir = analyzer
summary = A Zeek based njRAT detector.
test_command = cd testing && btest -c btest.cfg
url = https://github.com/keithjjones/zeek-njrat-detector
version = v0.1.15

[klehigh/find_smbv1]
credits = Mark Overholser converted to support newer Zeek
depends = 
	zeek >=2.5.0
description = find SMBv1 activity
script_dir = scripts
tags = smb, logging
url = https://github.com/klehigh/find_smbv1
version = 1.0.2

[mbispham/zeekjs-redis]
build_command = ./configure && cd build && make
depends = 
	zeek >=4.2.0
description = A zkg package that uses ZeekJS to overwrite
	the Logging Framework to output Zeek logs to Redis.
	Each log id type is associated with a unique key.
	For example, conn.log should be stored in the key
	zeek_conn_logs.
script_dir = scripts
summary = Zeek Logs to Redis (ZeekJS Version)
tags = redis, logging, intel, javascript, js, plugin
url = https://github.com/mbispham/zeekjs-redis
version = main

[micrictor/smbfp]
credits = Michael Torres <mic.ric.tor@gmail.com>
description = A package to create a fingerprint of SMB clients
script_dir = scripts
tags = smb, fingerprint
url = https://github.com/micrictor/smbfp
version = master

[micrictor/spl-spt]
credits = Michael Torres <mic.ric.tor@gmail.com>
description = A package that creates a log for sequences of packet lengths and times,
	allowing for new analytics based on these data features.
script_dir = scripts
tags = ssl, tls, spt, spl
url = https://github.com/micrictor/spl-spt
version = master

[mitre-attack/bzar]
description = BZAR - Bro/Zeek ATT&CK-based Analytics and Reporting.
script_dir = scripts
tags = bzar, att&ck, attack, analytics, cyber analytics repository, car, smb, rpc, dce-rpc
url = https://github.com/mitre-attack/bzar
version = master

[mitre/icap]
build_command = ./configure --bro-dist=%(bro_dist)s && make
depends = 
	bro >=2.5.0
description = Internet Content Adaptation Protocol (ICAP) Analyzer for Bro and Zeek.
script_dir = scripts
tags = bro plugin, zeek plugin, protocol analyzer, internet content adaptation protocol, icap, https plain text
url = https://github.com/mitre/icap
version = master

[mitrecnd/bro-http2]
build_command = ./configure && make
depends = 
	zeek >=3.0.0
description = A HTTP2 protocol analyzer for the Zeek NSM.
external_depends = 
	libnghttp2>=1.11.0
	libbrotlidec>=1.0.0
script_dir = scripts
tags = zeek plugin, protocol analyzer, http2, intel
test_command = make test
url = https://github.com/MITRECND/bro-http2
version = 0.6.1

[mvlnetdev/dportmatch]
credits = M. van Leeuwen
depends = 
	zeek >=2.6.3
description = Zeek package to add a destination port to the meta fields in Zeek. It creates a notice when both the intel and the destination port matches. This adds a feature that can be used to reduce false positives.
script_dir = scripts
tags = Zeek package, dport, port, intel, dport match
url = https://github.com/mvlnetdev/dportmatch
version = main

[ncsa/bro-doctor]
depends = 
	j-gras/add-node-names *
description = A broctl plugin that helps you troubleshoot common problems
	For cluster-related checks, the package "add-node-names" is recommended.
plugin_dir = .
tags = broctl plugin, troubleshoot
url = https://github.com/ncsa/bro-doctor
version = 2.0.4

[ncsa/bro-interface-setup]
description = A broctl plugin that helps you setup capture interfaces
plugin_dir = .
tags = bro plugin, interface, mtu
url = https://github.com/ncsa/bro-interface-setup
version = master

[ncsa/bro-is-darknet]
description = This plugin adds a Site::is_darknet function.
	This is useful for scripts that track scan attempts or other probes.
	It can handle purely dark address space as well as honeynet space.
script_dir = scripts
tags = bro plugin, site, darknet
test_command = (cd testing && btest -d)
url = https://github.com/ncsa/bro-is-darknet
version = 2.1

[ncsa/bro-simple-scan]
depends = 
	zeek >=3.0.0
	ncsa/bro-is-darknet >=2.0
description = Simple, high performance tcp scan detection
script_dir = scripts
tags = bro plugin, scan detection
test_command = (cd testing && btest -d)
url = https://github.com/ncsa/bro-simple-scan
version = 4.0

[ncsa/bro-zeromq-writer]
build_command = ./configure --with-zmq=%(ZEROMQ_PREFIX)s && make
description = ZeroMQ log writer.
external_depends = 
	zeromq >=3.2.0
script_dir = scripts/NCSA/ZeroMQWriter
tags = zeek plugin, log writer, zeromq, zmq, 0mq, json
test_command = make test
user_vars = 
	ZEROMQ_PREFIX [/usr/local] "ZeroMQ install prefix"
url = https://github.com/ncsa/bro-zeromq-writer
version = master

[nskelsey/aaalm]
description = Tag and group devices based on a LAN's structure
script_dir = scripts
tags = topology, mapping, visualization, traceroute
version = master
url = https://github.com/nskelsey/aaalm

[ntop/bro-pf_ring]
build_command = ( ./configure --bro-dist=%(bro_dist)s && make )
description = Packet source plugin that provides native PF_RING support.
plugin_dir = build
script_dir = scripts
tags = packet source, plugin, pf_ring
test_command = ( cd tests && btest -d )
url = https://github.com/ntop/bro-pf_ring
version = master

[nttcom/zeek-parser-Bacnet]
depends = 
	zeek >=4.0.0
description = TODO: A more detailed description of icsnpp-bacnet.
	It can span multiple lines, with this indentation.
script_dir = scripts
summary = TODO: A summary of icsnpp-bacnet in one line
test_command = cd testing && btest -c btest.cfg
url = https://github.com/nttcom/zeek-parser-Bacnet
version = main

[nttcom/zeek-parser-CCLinkFieldBasic]
build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build .
depends = 
	zeek >=4.0.0
description = TODO: A more detailed description of spicy_cc_link_basic.
	It can span multiple lines, with this indentation.
script_dir = scripts
summary = TODO: A summary of spicy_cc_link_basic in one line
test_command = cd testing && btest -c btest.cfg
url = https://github.com/nttcom/zeek-parser-CCLinkFieldBasic
version = main

[nttcom/zeek-parser-CCLinkIENoIP]
build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build .
depends = 
	zeek >=4.0.0
description = TODO: A more detailed description of zeek-parser-CCLinkIENoIP.
	It can span multiple lines, with this indentation.
script_dir = scripts
summary = TODO: A summary of zeek-parser-CCLinkIENoIP in one line
test_command = cd testing && btest -c btest.cfg
url = https://github.com/nttcom/zeek-parser-CCLinkIENoIP
version = main

[nttcom/zeek-parser-CCLinkTSNPTP]
build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build .
depends = 
	zeek >=4.0.0
description = TODO: A more detailed description of zeek-parser-CCLinkTSNPTP.
	It can span multiple lines, with this indentation.
script_dir = scripts
summary = TODO: A summary of zeek-parser-CCLinkTSNPTP in one line
test_command = cd testing && btest -c btest.cfg
url = https://github.com/nttcom/zeek-parser-CCLinkTSNPTP
version = main

[nttcom/zeek-parser-CCLinkTSNSLMP]
build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build .
depends = 
	zeek >=4.0.0
description = TODO: A more detailed description of zeek-parser-CCLinkTSNSLMP.
	It can span multiple lines, with this indentation.
script_dir = scripts
summary = TODO: A summary of zeek-parser-CCLinkTSNSLMP in one line
test_command = cd testing && btest -c btest.cfg
url = https://github.com/nttcom/zeek-parser-CCLinkTSNSLMP
version = main

[nttcom/zeek-parser-CIFS-COM]
build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build .
depends = 
	zeek >=4.0.0
description = TODO: A more detailed description of test.
	It can span multiple lines, with this indentation.
script_dir = scripts
summary = TODO: A summary of test in one line
test_command = cd testing && btest -c btest.cfg
url = https://github.com/nttcom/zeek-parser-CIFS-COM
version = main

[nttcom/zeek-parser-CIFS-NBNS-COM]
build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build .
depends = 
	zeek >=4.0.0
description = TODO: A more detailed description of zeek-parser-NBNS.
	It can span multiple lines, with this indentation.
script_dir = scripts
summary = TODO: A summary of zeek-parser-NBNS in one line
test_command = cd testing && btest -c btest.cfg
url = https://github.com/nttcom/zeek-parser-CIFS-NBNS-COM
version = main

[nttcom/zeek-parser-DHCPv4-COM]
build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build .
depends = 
	zeek >=4.0.0
description = TODO: A more detailed description of zeek-parser-DHCPv4-COM.
	It can span multiple lines, with this indentation.
script_dir = scripts
summary = TODO: A summary of zeek-parser-DHCPv4-COM in one line
test_command = cd testing && btest -c btest.cfg
url = https://github.com/nttcom/zeek-parser-DHCPv4-COM
version = main

[nttcom/zeek-parser-DHCPv6-COM]
build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build .
depends = 
	zeek >=4.0.0
description = TODO: A more detailed description of zeek-parser-DHCPV6.
	It can span multiple lines, with this indentation.
script_dir = scripts
summary = TODO: A summary of zeek-parser-DHCPV6 in one line
test_command = cd testing && btest -c btest.cfg
url = https://github.com/nttcom/zeek-parser-DHCPv6-COM
version = main

[nttcom/zeek-parser-SSDP-COM]
build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build .
depends = 
	zeek >=4.0.0
description = TODO: A more detailed description of zeek-parser-SSDP.
	It can span multiple lines, with this indentation.
script_dir = scripts
summary = TODO: A summary of zeek-parser-SSDP in one line
test_command = cd testing && btest -c btest.cfg
url = https://github.com/nttcom/zeek-parser-SSDP-COM
version = main

[pgaulon/zeek-notice-slack]
aliases = zeek-notice-slack bro-notice-slack
description = Zeek Notices through Slack webhook
tags = zeek plugin, notices, slack webhook
url = https://github.com/pgaulon/zeek-notice-slack
version = 1.0.2

[pgaulon/zeekjs-notice-slack]
depends = zeekjs *
description = Package extending the Notice Framework to include to send Notices via Slack webhooks.
summary = Zeek Notices via Slack webhooks
tags = zeekjs, zeek plugin, notices, slack, webhook
url = https://github.com/pgaulon/zeekjs-notice-slack
version = v0.0.5

[precurse/zeek-httpattacks]
description = Checks for HTTP anomalies typically used for attacking.
script_dir = scripts
tags = http, detection
version = master
url = https://github.com/precurse/zeek-httpattacks

[qintel/qsentry-zeek]
aliases = qsentry-zeek qsentry qintel
credits = Qintel Integrations <integrations-support@qintel.com>
description = Adds Qintel QSentry metadata to intel logs.
script_dir = qsentry
tags = log, logging, intel, qintel, qsentry, intelligenece, threat intelligence, ti
url = https://github.com/qintel/qsentry-zeek
version = 1.0.0

[reshadp/zeek-log-add-mac-addresses]
description = Add MAC address to all logs.
script_dir = scripts
tags = log extend mac
url = https://github.com/reshadp/zeek-log-add-mac-addresses
version = main

[rvictory/zeek-new-domains]
credits = Ryan Victory
depends = 
	sethhall/domain-tld *
description = Monitors for new domains being queried for and raises a notice for them
script_dir = scripts
tags = DNS
version = master
url = https://github.com/rvictory/zeek-new-domains

[saiiman/zeek-exfil-detect]
build_command = ./configure && cd build && make
depends = 
	zeek >=5.1.0
description = This package offers the possibility of exfiltration detection through statistical analysis methods.
	For this purpose, all connections are added to a baseline, subdivided according to their source
	ip address and destination port. The baseline is then used to perform statistical anomaly detection.
	Anomalies in the baseline are considered as data exfiltrations.
	The severity of the anomaly is recorded using a score between 0 and 1.
script_dir = scripts
suggests = 
	https://github.com/salesforce/ja3 branch=master
summary = This package offers the possibility of exfiltration detection through statistical analysis methods.
tags = conn, exfil, exfiltration, TA0010
test_command = cd testing && btest -c btest.cfg
url = https://github.com/SECUINFRA/zeek-exfil-detect
version = main

[salesforce/bro-sysmon]
description = Zeek-Sysmon contains a python script that will read in a file, parse JSON Windows Event Logs, generate Zeek events, and forward them to Zeek.  Default Zeek-Sysmon scripts log output to files.
script_dir = bro
tags = broker, Windows, Event Logs, Sysmon, logging
version = master
url = https://github.com/salesforce/bro-sysmon

[salesforce/GQUIC_Protocol_Analyzer]
build_command = ./configure && make
depends = 
	zkg >=2.0
	zeek >=4.0.0
description = Protocol analyzer that detects, dissects, fingerprints, and logs GQUIC traffic
script_dir = scripts/Salesforce/GQUIC
url = https://github.com/salesforce/GQUIC_Protocol_Analyzer
version = master

[salesforce/ja3]
description = JA3 creates 32 character SSL client fingerprints and logs them as a field in ssl.log. These fingerprints can easily be shared as threat intelligence or used as correlation items for enhanced alerting and analysis. This package also adds JA3 to the Zeek Intel Framework.
	https://github.com/salesforce/ja3
script_dir = zeek
tags = intel, ssl, logging
version = master
url = https://github.com/salesforce/ja3

[sandialabs/gait]
description = Adds fields to conn and ssl logs useful for fingeprinting and timing analysis
script_dir = zeek
tags = conn, tcp, ssl, fingerprinting
version = main
url = https://github.com/sandialabs/gait

[seisollc/zeek-kafka]
build_command = ./configure --with-librdkafka=%(LIBRDKAFKA_ROOT)s && make
depends = 
	zeek >=4.0.0
	zkg >=2.0
description = A Zeek log writer plugin that publishes to Kafka.
external_depends = 
	librdkafka ~1.4.2
plugin_dir = build
script_dir = build/scripts/Seiso/Kafka
tags = log writer, zeek plugin, kafka
test_command = cd tests && btest -d
user_vars = 
	LIBRDKAFKA_ROOT [/usr/local] "Path to librdkafka installation tree root"
version = v1.2.0
url = https://github.com/seisollc/zeek-kafka

[sethhall/bro-myricom]
build_command = ( ./configure --bro-dist=%(bro_dist)s && make )
depends = 
	bro-pkg >=1.2
description = Packet source plugin that provides native Myricom SNF v3+v4 support.
plugin_dir = build/Bro_Myricom.tgz
script_dir = scripts.not_used
tags = packet source, plugin, myricom
test_command = ( cd tests && btest -d )
url = https://github.com/sethhall/bro-myricom
version = 1.0.4

[sethhall/credit-card-exposure]
description = Detect credit card numbers in HTTP and SMTP with Bro.
script_dir = scripts
tags = credit cards, dlp, http, smtp, files
test_command = ( cd tests && btest -d )
version = 2.0.0
url = https://github.com/sethhall/credit-card-exposure

[sethhall/domain-tld]
description = A library for getting the "effective tld" of a domain name.
script_dir = scripts
tags = library, domain
url = https://github.com/sethhall/domain-tld
version = v1.2.2

[sethhall/ssn-exposure]
description = Detect US Social Security numbers in HTTP and SMTP with Bro.
script_dir = scripts
tags = ssn, social security number, dlp, files
version = 1.0.1
url = https://github.com/sethhall/ssn-exposure

[sethhall/unknown-mime-type-discovery]
description = Help Zeek by finding unidentified file types.
script_dir = scripts
tags = files, signature
url = https://github.com/sethhall/unknown-mime-type-discovery
version = v1.0.0

[sethhall/zeek-log-all-http-headers]
aliases = zeek-log-all-http-headers
depends = zkg >=2.0.7
description = Add all HTTP headers and values to the HTTP log.
script_dir = scripts
tags = http
version = v1.0.0
url = https://github.com/sethhall/zeek-log-all-http-headers

[sfinlon/cif-zeek]
aliases = cif-zeek cif
credits = Scott Finlon <finlon@gmail.com>
description = Adds Collective Intelligence Framework (CIF) metadata to intel logs.
script_dir = scripts
tags = log, logging, intel, intelligenece, threat intelligence, ti, CIF
url = https://github.com/sfinlon/cif-zeek
version = 1.0.1

[shodan/shodan-zeek]
build_command = ./configure && make
description = Get IP address information from the Shodan InternetDB.
script_dir = scripts
tags = zeek plugin, zeek scripting
url = https://gitlab.com/shodan-public/shodan-zeek/
version = master

[sithari/icmp-exfil-detection]
credits = Rakesh Passa <rakesh4500@gmail.com>
depends = 
	zeek >=3.2.0
description = Detects exfiltration of data over ICMP and writes to notice.log with the details of the exfil like duration, exfil size, source/dest ip, etc.
script_dir = scripts
tags = ICMP, exfil, exfiltration, protocol misuse
version = main
url = https://github.com/sithari/icmp-exfil-detection

[srozb/dns_axfr]
description = Find and notice DNS zone transfer attempts.
script_dir = scripts
tags = dns recon
version = master
url = https://github.com/srozb/dns_axfr

[srozb/http_csp]
description = HTTP Content-Security-Policy report parser
script_dir = scripts
tags = CSP intel
url = https://github.com/srozb/http_csp
version = 1.0.1

[stevesmoot/zeek_metainfo]
description = Create schemas in many forms for local Zeek installation/configuration.  JSON, markup text, Avro, html so far.
script_dir = scripts
tags = schema, docs, json, avro
test_command = (cd testing && btest -d)
url = https://github.com/corelight/zeek_metainfo
version = main

[stevesmoot/appid]
build_command = make all
credits = Steve Smoot <smoot@corelight.com>
depends = 
	zeek/sethhall/domain-tld *
description = Leverage nDPI and other info to make informed guess at the application for a connection.
script_dir = .
tags = nDPI application
url = https://github.com/stevesmoot/appid
version = master

[stevesmoot/localcountry]
depends = 
	zeek >=4.0.0
description = TODO: A more detailed description of LocalCountry.
	It can span multiple lines, with this indentation.
script_dir = scripts
summary = TODO: A summary of LocalCountry in one line
test_command = cd testing && btest -c btest.cfg
url = https://github.com/stevesmoot/localcountry
version = main

[stratosphereips/zeek-package-ARP]
description = Zeek Package that supports adding arp.log to zeek log files
tags = zeek plugin, arp, features extraction
version = 1.0.0
url = https://github.com/stratosphereips/zeek-package-ARP

[stratosphereips/zeek-package-detect-DoH]
description = Detect DoH servers by adding a is_DoH field in ssl.log and add timeout to them so that the DoH connection won't take too long
tags = zeek plugin, DoH, features extraction, ssl, DNS
version = 1.0.0
url = https://github.com/stratosphereips/zeek-package-detect-DoH

[stratosphereips/zeek-package-IRC]
description = Zeek Package that extracts features of IRC communication
tags = zeek plugin, irc, features extraction
version = v1.6
url = https://github.com/stratosphereips/zeek-package-IRC

[stratosphereips/zeek-package-log-gateway-IP]
description = This script gets the gateway IP information taken from the dhcp logs, and adds a notice.log entry if the gateway address is identified
tags = zeek plugin, Gateway IP, features extraction, notice
version = 1.0.0
url = https://github.com/stratosphereips/zeek-package-log-gateway-IP

[tenzir/zeek-mac-ages]
script_dir = scripts/tenzir/mac-ages
tags = conn, mac
url = https://github.com/tenzir/zeek-mac-ages
version = master

[tenzir/zeek-tenzir]
aliases = tenzir
depends = 
	zeek >=4.0.0
description = This package is the official Zeek integration for Tenzir.
script_dir = scripts
summary = The official Tenzir integration for Zeek
tags = tenzir, pipelines, logs, log shipping, postprocessor, rotation
url = https://github.com/tenzir/zeek-tenzir
version = master

[theflakes/bro-large_uploads]
credits = Brian Kellogg
description = Raise notices on outgoing files over X bytes in size.
	Also raise notices for multiple large outgoing Tx's in Y time frame.
tags = notices, uploads, conn
url = https://github.com/theflakes/bro-large_uploads
version = master

[theparanoids/rdfp]
credits = Jeff Atkinson <neslog@gmail.com>,
	Copyright Verizon Media Group 2020
description = The script will create a new log which will log the details which build the fingerprint and some additional information. The fingerprint is created by concatenating extracted fields from different data packets.  https://github.com/yahoo/rdfp
script_dir = scripts
url = https://github.com/theparanoids/rdfp
version = master

[thibaultbl/variation_coefficient]
alias = coefficient_variation variation_coefficient
credits = T. BLANC
description = Implementing coefficient of variation (standard deviation / average), sort of relative standard deviation.
script_dir = scripts
tags = statistics, stats, sumstats, standard_deviation, variance
url = https://github.com/thibaultbl/variation_coefficient
version = main

[ukncsc/zeek-plugin-ikev2]
build_command = ( ./configure --bro-dist=%(bro_dist)s  && make )
depends = 
	zeek >=3.0.0
description = Plugin that enables parsing of the IKEv2 protocol
script_dir = scripts
tags = zeek plugin, protocol analyzer, log writer, vpn, ike, ikev2
test_command = ( cd tests && btest -d )
url = https://github.com/ukncsc/zeek-plugin-ikev2
version = v0.1

[vitalyrepin/uap-bro]
build_command = ./configure --bro-dist=%(bro_dist)s  && make
config_files = build/scripts/init.bro
depends = 
	bro >=2.5.0
	bro-pkg >=1.2
description = User Agent Parser - Bro implementation based on uap-core
external_depends = 
	libyaml-cpp-dev ~0.5.2
	libboost-regex-dev ~1.58.0
plugin_dir = build
script_dir = build/scripts/VR/UAP
tags = bro plugin, uap, user_agent
test_command = ( cd tests && btest -d )
version = master
url = https://github.com/vitalyrepin/uap-bro

[zeek-packages/zeek-agent-v2]
build_command = git describe --always --long | sed 's/-[^-]*$//' >scripts/version.dat || true
depends = 
	zeek >=4.0.0
description = 
script_dir = scripts
summary = Framework collecting Zeek Agent information from endpoints
test_command = make test
version = v2.3.0-dev
url = https://github.com/zeek-packages/zeek-agent-v2

[zeek/hello-world]
depends = 
	zeek >=4.0.0
description = A test package to verify that your Zeek installation
	can install packages successfully.
script_dir = scripts
summary = Hello World!
test_command = cd testing && btest -c btest.cfg
url = https://github.com/zeek/hello-world
version = v1.0.0

[zeek/osquery-framework]
depends = 
	zeek >=3.0.0-rc1
description = Osquery script framework for communicating with osquery endpoints
script_dir = osquery-framework
tags = osquery
version = v0.4
url = https://github.com/zeek/osquery-framework

[zeek/spicy-analyzers]
depends = http://github.com/zeek/spicy-dhcp >=0.0.1
	http://github.com/zeek/spicy-dns >=0.0.2
	http://github.com/zeek/spicy-http >=0.0.1
	http://github.com/zeek/spicy-pe >=0.0.3
	http://github.com/zeek/spicy-png >=0.0.2
	http://github.com/zeek/spicy-tftp >=0.0.1
	http://github.com/zeek/spicy-zip >=0.0.1
description = Meta package for a number of Spicy-based analyzers.
summary = Meta package for a number of Spicy-based analyzers
url = https://github.com/zeek/spicy-analyzers
version = v0.2.33

[zeek/spicy-dhcp]
build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build .
description = Spicy-based analyzer for the DHCP protocol.
plugin_dir = build/spicy-modules
script_dir = analyzer
summary = Spicy-based analyzer for the DHCP protocol
test_command = cd tests && PATH=$(zkg config plugin_dir)/packages/spicy-plugin/bin:$PATH btest -d -j $(nproc)
url = https://github.com/zeek/spicy-dhcp
version = v0.0.11

[zeek/spicy-dns]
build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build .
description = Spicy-based analyzer for the DNS protocol.
plugin_dir = build/spicy-modules
script_dir = analyzer
summary = Spicy-based analyzer for the DNS protocol
test_command = cd tests && PATH=$(zkg config plugin_dir)/packages/spicy-plugin/bin:$PATH btest -d -j $(nproc)
url = https://github.com/zeek/spicy-dns
version = v0.0.9

[zeek/spicy-http]
build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build .
description = Spicy-based analyzer for the HTTP protocol.
plugin_dir = build/spicy-modules
script_dir = analyzer
summary = Spicy-based analyzer for the HTTP protocol
test_command = cd tests && PATH=$(zkg config plugin_dir)/packages/spicy-plugin/bin:$PATH btest -d -j $(nproc)
url = https://github.com/zeek/spicy-http
version = v0.0.9

[zeek/spicy-ldap]
build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build .
description = An LDAP analyzer based on Spicy
plugin_dir = build/spicy-modules
script_dir = analyzer
summary = LDAP analyzer
test_command = cd tests && PATH=$(zkg config plugin_dir)/packages/spicy-plugin/bin:$PATH btest -d -j $(nproc)
url = https://github.com/zeek/spicy-ldap
version = v0.0.16

[zeek/spicy-pe]
build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build .
description = Spicy-based analyzer for the Portable Executable (PE) image format
plugin_dir = build/spicy-modules
script_dir = analyzer
summary = Spicy-based analyzer for the Portable Executable (PE) image format
test_command = cd tests && PATH=$(zkg config plugin_dir)/packages/spicy-plugin/bin:$PATH btest -d -j $(nproc)
url = https://github.com/zeek/spicy-pe
version = v0.0.12

[zeek/spicy-plugin]
build_command = unset -v CXX CXXFLAGS LD LDFLAGS && mkdir -p build && cd build && cmake .. && make -j "${SPICY_ZKG_PROCESSES:-4}"
depends = zeek >=5.0.0
executables = build/bin/spicyz
plugin_dir = build
script_dir = scripts/Zeek/Spicy
test_command = unset -v CXX CXXFLAGS LD LDFLAGS && cd tests && btest -d -j "${SPICY_ZKG_PROCESSES:-4}"
url = https://github.com/zeek/spicy-plugin
version = v1.5.3

[zeek/spicy-png]
build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build .
description = Spicy-based analyzer for the PNG file format.
plugin_dir = build/spicy-modules
script_dir = analyzer
summary = Spicy-based analyzer for the PNG file format
test_command = cd tests && PATH=$(zkg config plugin_dir)/packages/spicy-plugin/bin:$PATH btest -d -j $(nproc)
url = https://github.com/zeek/spicy-png
version = v0.0.6

[zeek/spicy-tftp]
build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build .
depends = 
	zeek >=4.0.0
description = Spicy-based analyzer for the TFTP protocol.
script_dir = scripts
summary = Spicy-based analyzer for the TFTP protocol
test_command = cd testing && btest -c btest.cfg
url = https://github.com/zeek/spicy-tftp
version = v0.0.5

[zeek/spicy-zip]
build_command = mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build .
description = Spicy-based analyzer for the ZIP file format.
plugin_dir = build/spicy-modules
script_dir = analyzer
summary = Spicy-based analyzer for the ZIP file format
test_command = cd tests && PATH=$(zkg config plugin_dir)/packages/spicy-plugin/bin:$PATH btest -d -j $(nproc)
url = https://github.com/zeek/spicy-zip
version = v0.0.7

[zeek/zeek-af_packet-plugin]
build_command = ./configure && make
depends = 
	zkg >=2.0
	zeek >=4.0.0
description = This plugin provides native AF_Packet support for Zeek.
plugin_dir = build/Zeek_AF_Packet.tgz
script_dir = scripts/af_packet
tags = zeek plugin, zeekctl plugin, packet source, af_packet
test_command = cd tests && btest -d
url = https://github.com/zeek/zeek-af_packet-plugin
version = 4.0.0

[zeek/zeek-more-hashes]
build_command = ./configure && cd build && make
description = Additional hashing functions for Zeek, started with MurmurHash3.
name = MoreHashes
plugin_dir = build
script_dir = ./scripts/Zeek/MoreHashes
tags = mmh3
test_command = cd tests && btest -d -c btest.cfg
url = https://github.com/zeek/zeek-more-hashes
version = v0.2.0

[zeek/zeek-netmap]
build_command = ./configure --with-netmap=%(netmap_root_dir)s && cd build && make
depends = 
	zeek >=3.1.0
description = Packet source plugin that provides native Netmap support.
plugin_dir = build
tags = packet source, plugin, netmap
test_command = cd tests && btest -d -c btest.cfg
user_vars = 
	netmap_root_dir [] "Root directory of Netmap installation"
url = https://github.com/zeek/zeek-netmap
version = v2.0.1

[zeek/zeek-perf-support]
build_command = ./configure && cmake --build build
description = 
summary = perf support
test_command = cd testing && btest -c btest.cfg
url = https://github.com/zeek/zeek-perf-support
version = v0.2.0