zeek
Zeek is a powerful network analysis framework that is much different from the typical IDS you may know.
I'm not entirely sure about this one, but it fixes the problem reported in #163. The problem was that we're passing just an unscoped event name into the `EventExpr` constructor, so...
We currently have coverage for raw packets, pop3, and dns (in a fashion). It would be good to expand our coverage to other major protocols. I'm currently thinking at least...
This is a script-only change that unrolls File::Info records into multiple files.log entries if the same file was seen over different connections by a single worker. Consequently, the File::Info record gets...
Recently saw some malicious traffic with invalid TFO (TCP Fast Open) cookie length - 2 bytes. This traffic was picked up by a suri alert for "TCP options invalid length"....
Fixes #2272
Concretely, the proxies in the scenario below take ~16 seconds to start and it seems the workers are giving up after `10 * ZEEK_DEFAULT_CONNECT_RETRY` connect attempts. This reproduces with Zeek 5.0.0, but...
### WARNING: This is very much a draft. This is being put up now so others can experiment, comment, etc. See the list of known issues at the end that...
Recently in June 2022, [RFC9114](https://www.rfc-editor.org/rfc/rfc9114.html) was passed. This means that the next version of HTTP, HTTP/3, will use QUIC (RFC8999-9002) as its underlying transport protocol. QUIC is currently used by...
I have attached [zeek-dpdcrash.tar.gz](https://github.com/zeek/zeek/files/8119913/zeek-dpdcrash.tar.gz) that contains a zkg package directory (based off of [bbannier/package-template-spicy](https://github.com/bbannier/package-template-spicy)). The core of the issue seems to be: ``` signature dpd_crash_message { ip-proto == tcp payload...
Doing more with Broker stores. The script below inserts 1000 entries into a Broker-backed table (sqlite) and sets Broker::scheduler_policy to "stealing". The very first run populating the database takes ~0.5 seconds...