From 5608a42fd927aa89274f1eb2e324b05a6da23a69 Mon Sep 17 00:00:00 2001 From: tylabs Date: Fri, 20 Mar 2020 15:05:00 -0400 Subject: [PATCH] updated for zeek 3.1.1 --- CLUSTER.md | 20 +-- INSTALL.md | 54 +++---- LICENSE | 2 +- README.md | 22 +-- __load__.bro | 3 - __load__.zeek | 3 + config.bro => config.zeek | 8 +- scripts/{dovehawk.bro => dovehawk.zeek} | 145 +++++++----------- ...vehawk_expire.bro => dovehawk_expire.zeek} | 4 +- signatures/signatures.sig | 1 + bro-pkg.meta => zkg.meta | 2 +- 11 files changed, 122 insertions(+), 142 deletions(-) delete mode 100644 __load__.bro create mode 100644 __load__.zeek rename config.bro => config.zeek (70%) rename scripts/{dovehawk.bro => dovehawk.zeek} (80%) rename scripts/{dovehawk_expire.bro => dovehawk_expire.zeek} (98%) rename bro-pkg.meta => zkg.meta (94%) diff --git a/CLUSTER.md b/CLUSTER.md index b62e570..5d8fa8d 100644 --- a/CLUSTER.md +++ b/CLUSTER.md @@ -19,7 +19,7 @@ Zeek requires the same OS type, dependent libraries and Zeek version across the ### On manager: -bro-manager# ssh-keygen +zeek-manager# ssh-keygen Generating public/private rsa key pair. Enter file in which to save the key (/root/.ssh/id_rsa): [ Press Enter ] Enter passphrase (empty for no passphrase): [ Press Enter ] @@ -51,9 +51,9 @@ See INSTALL.md ## Setup your cluster: -Note: to use a single standalone server and still use broctl, leave this file unchanged. +Note: to use a single standalone server and still use zeekctl, leave this file unchanged. -Edit /usr/local/bro/etc/node.cfg:: +Edit /usr/local/zeek/etc/node.cfg:: [manager] type=manager host=10.100.1.69 
@@ -92,29 +92,29 @@ interface=eth0 ## All: Deploy and Run Dovehawk on workers: -/usr/local/bro/bin/broctl deploy +/usr/local/zeek/bin/zeekctl deploy Check status: -/usr/local/bro/bin/broctl status +/usr/local/zeek/bin/zeekctl status Stop: -/usr/local/bro/bin/broctl stop +/usr/local/zeek/bin/zeekctl stop Restart / read latest signatures: -/usr/local/bro/bin/broctl restart +/usr/local/zeek/bin/zeekctl restart ## All: Logs viewing: -/usr/local/bro/logs or /usr/local/bro/spool +/usr/local/zeek/logs or /usr/local/zeek/spool ## All: Cron To keep everything running and also force the reimport of content signatures: -*/5 * * * * /usr/local/bro/bin/broctl cron -1 22 * * * /usr/local/bro/bin/broctl deploy > /dev/null 2>&1 +*/5 * * * * /usr/local/zeek/bin/zeekctl cron +1 22 * * * /usr/local/zeek/bin/zeekctl deploy > /dev/null 2>&1 diff --git a/INSTALL.md b/INSTALL.md index 8a86584..bc4bee4 100644 --- a/INSTALL.md +++ b/INSTALL.md @@ -7,7 +7,7 @@ Adversary Threat Hunting with Zeek (formerly Bro IDS) and MISP. MISP: Version 2.5 includes the Zeek datamodel required to handle content signatures. -Zeek NSM: tested with version version >2.5.3. +Zeek NSM: tested with version version >= 3.1.1. Curl: command line tool for accessing web content, tested with curl 7.54.0. 
@@ -16,68 +16,68 @@ Curl: command line tool for accessing web content, tested with curl 7.54.0. Download latest release from GitHub -Edit config.bro and add your MISP API key, your MISP_URL and optional Slack Web Hook URL. +Edit config.zeek and add your MISP API key, your MISP_URL and optional Slack Web Hook URL. -Locally launch Zeek: bro -i en0 path_to_dovehawk +Locally launch Zeek: zeek -i en0 path_to_dovehawk -## Quick Start - Install package using bro package manager. +## Quick Start - Install package using zeek package manager. -bro-pkg install https://github.com/tylabs/dovehawk +zpkg install https://github.com/tylabs/dovehawk -Run package to get local directory: bro -i en0 dovehawk +Run package to get local directory: zeek -i en0 dovehawk -Edit config.bro and add your MISP API key, your MISP_URL and optional Slack Web Hook URL. +Edit config.zeek and add your MISP API key, your MISP_URL and optional Slack Web Hook URL. -Run: bro -i en0 dovehawk +Run: zeek -i en0 dovehawk ## Detailed Install -Install bro: brew install bro / yum install bro +Install zeek: brew install zeek / yum install zeek -Install bro-pkg: sudo pip install bro-pkg +Install zkg (Zeek package manager): sudo pip install zkg -Setup bro-pkg: bro-pkg autoconfig +Setup zkg: zkg autoconfig -bro-pkg install https://github.com/tylabs/dovehawk +zkg install https://github.com/tylabs/dovehawk -check the install: bro -i en0 dovehawk +check the install: zeek -i en0 dovehawk -edit misp_config.bro to include your MISP API key, MISP URL and optional Slack Web Hook. +edit config.zeek to include your MISP API key, MISP URL and optional Slack Web Hook. 
-edit broctl local config: /usr/local/share/bro/site/local.bro: +edit zeekctl local config: /usr/local/share/zeek/site/local.zeek: -add: @load [FULL PATH]/dovehawk #ie /usr/local/Cellar/bro/2.5.4/share/bro/site/dovehawk/ +add: @load [FULL PATH]/dovehawk #ie /usr/local/Cellar/zeek/3.1.1/share/zeek/site/dovehawk/ check eth interface setting: /usr/local/etc/node.cfg -run: broctl deploy +run: zeekctl deploy -cronjob add: */5 * * * * /usr/local/bin/broctl cron +cronjob add: */5 * * * * /usr/local/bin/zeekctl cron -restart bro: /usr/local/bin/broctl restart +restart zeek: /usr/local/bin/zeekctl restart -cronjob to restart bro to reimport signatures: 1 */4 * * * /usr/local/bin/broctl restart +cronjob to restart zeek to reimport signatures: 1 */4 * * * /usr/local/bin/zeekctl restart ## Monitoring and context -The bro module outputs hits to the console, logs to file, and could send metadata to another web hook. +The zeek module outputs hits to the console, logs to file, and could send metadata to another web hook. ## Usage -If running bro directly, reference the dovehawk folder: +If running zeek directly, reference the dovehawk folder: -sudo bro -i en1 [FULL PATH]/dovehawk +sudo zeek -i en1 [FULL PATH]/dovehawk -If running using the broctl interface, edit the local.bro configuration file in /usr/local/bro/share/bro/site and, at the bottom, add the line: +If running using the zeekctl interface, edit the local.zeek configuration file in /usr/local/zeek/share/zeek/site and, at the bottom, add the line: @load [FULL PATH]/dovehawk -then run the broctl deploy sequence to have the scripts installed. +then run the zeekctl deploy sequence to have the scripts installed. ## Zeek Tips @@ -89,7 +89,7 @@ When running locally (ie running Zeek on the same system you are generating traf Add "Log::default_writer=Log::WRITER_NONE" to the command. -bro -i en0 dovehawk Log::default_writer=Log::WRITER_NONE +zeek -i en0 dovehawk Log::default_writer=Log::WRITER_NONE ## Zeek Health and Clusters 
@@ -99,7 +99,7 @@ Depending on the bandwidth - the NETSTATS info will show if dropped packets are ## Maintenance -For long term monitoring, if not disabling logs as above, use broctl to launch, rotate logs, and restart after crashes. +For long term monitoring, if not disabling logs as above, use zeekctl to launch, rotate logs, and restart after crashes. diff --git a/LICENSE b/LICENSE index 6a34742..a40a638 100644 --- a/LICENSE +++ b/LICENSE @@ -1,6 +1,6 @@ MIT License -Copyright 2018, 2019 Cancyber Inc., Michael Kortekaas @mrkortek, Tyler McLellan @tylabs +Copyright 2018, 2019 Cancyber Inc., Michael Kortekaas @mrkortek, Copyright 2020 Tyler McLellan @tylabs Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal diff --git a/README.md b/README.md index 5f4c119..84692a4 100644 --- a/README.md +++ b/README.md 
@@ -6,7 +6,7 @@ Threat Hunting with Zeek (Bro) and MISP This module uses Zeek's built-in Intelligence Framework to load and monitor signatures from MISP automatically. Indicators are downloaded from MISP every 4 hours and hits, called sightings, are reported back to MISP immediately. The module also includes a customized version of Jan Grashoefer's expiration code to remove indicators after they are deleted from MISP. -Indicators are downloaded and read into memory. Content signatures in signatures.sig are MISP Network Activity->zeek items downloaded from MISP. The event text should start with "MISP:" (see Sample Content Signature section for an example). Zeek must be restarted to ingest the content signatures. To do this automatically we recommend restarting Zeek using broctl and a restart cron described in included file [INSTALL.md](INSTALL.md) +Indicators are downloaded and read into memory. Content signatures in signatures.sig are MISP Network Activity->zeek items downloaded from MISP. The event text should start with "MISP:" (see Sample Content Signature section for an example). Zeek must be restarted to ingest the content signatures. To do this automatically we recommend restarting Zeek using zeekctl and a restart cron described in included file [INSTALL.md](INSTALL.md) Optional Slack.com web hook reporting. 
@@ -42,14 +42,14 @@ Optional Slack.com web hook reporting. ## Sample Content Signature -```bro +```zeek signature eicar_test_content { ip-proto == tcp payload /.*X5O\!P%@AP\[4\\PZX54\(P\^\)7CC\)7\}\$EICAR\-STANDARD\-ANTIVIRUS\-TEST\-FILE\!\$H\+H\*/ event "MISP: eicar test file in TCP plain text" } ``` -*Note: Zeek's default setting is to buffer the [first 1024 bytes of a TCP connection](https://www.bro.org/sphinx-git/frameworks/signatures.html) so signature's should be written with that in mind.* +*Note: Zeek's default setting is to buffer the [first 1024 bytes of a TCP connection](https://www.zeek.org/sphinx-git/frameworks/signatures.html) so signature's should be written with that in mind.* ## Indicator Expiration @@ -57,50 +57,50 @@ Indicators are downloaded automatically every 4 hours and are assigned an expiry If an indicator is hit after expiration but before the cleanup, it will trigger a hit/sighting, but the indicator is then deleted immediately so no further hits will occur. -Intervals are set in config.bro. +Intervals are set in config.zeek. ### Setting for expired indicator cleanup (should be less then signature_refresh_period) -```bro +```zeek redef Intel::item_expiration = 4.5 hr ``` ### Setting for MISP download interval -```bro +```zeek global signature_refresh_period = 4hr &redef; ``` ### Setting for indicator expiration: (should be slightly more than signature_refresh_period) -```bro +```zeek redef Intel::item_expiration = 4.5 hr; ``` ### Maximum number of hits for an individual item per refresh period -```bro +```zeek global MAX_HITS: int = 100; ``` ### Maximum number of DNS hits for an individual item per refresh period -```bro +```zeek global MAX_DNS_HITS: int = 2; ``` ### Maximum number of inbound IP hits for an individual item per refresh period -```bro +```zeek global MAX_SCAN_HITS: int = 2; ``` ### Ignore hits in SSL certificate when domains don't match the sni host -```bro +```zeek global IGNORE_SNI_MISMATCH: bool = T; ``` 
diff --git a/__load__.bro b/__load__.bro deleted file mode 100644 index dd265bc..0000000 --- a/__load__.bro +++ /dev/null @@ -1,3 +0,0 @@ -@load ./scripts/dovehawk_expire.bro -@load ./scripts/dovehawk.bro - diff --git a/__load__.zeek b/__load__.zeek new file mode 100644 index 0000000..c13f146 --- /dev/null +++ b/__load__.zeek @@ -0,0 +1,3 @@ +@load ./scripts/dovehawk_expire +@load ./scripts/dovehawk + diff --git a/config.bro b/config.zeek similarity index 70% rename from config.bro rename to config.zeek index 9498b54..3330c2c 100644 --- a/config.bro +++ b/config.zeek @@ -5,8 +5,10 @@ redef Intel::item_expiration = 4.5 hr; export { global APIKEY = "===your misp key from Event Actions->Automation==="; - global MISP_URL = "https://yourmispsite.com/"; #attributes/bro/download/all + global MISP_URL = "https://yourmispsite.com/"; #script will append attributes/text/download/zeek global SLACK_URL = ""; #optional web hook for Slack + global SIG_PREFIX = "MISP:"; #prefix for our signatures to hook alerts + # Maximum number of hits per indicator item before suppressing remote alerts global MAX_HITS: int = 100; @@ -18,6 +20,10 @@ export { #ignore hits in SSL certificate when domains don't match the sni host global IGNORE_SNI_MISMATCH: bool = T; + #skip signature download if recent + global SKIP_SIGNATURE_DOWNLOAD: bool = T; + + global signature_refresh_period = 4hr &redef; diff --git a/scripts/dovehawk.bro b/scripts/dovehawk.zeek similarity index 80% rename from scripts/dovehawk.bro rename to scripts/dovehawk.zeek index eb8d533..26fb6f5 100644 --- a/scripts/dovehawk.bro +++ b/scripts/dovehawk.zeek 
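Review bot: The new comment on `MISP_URL` says the script appends `attributes/text/download/zeek`, yet the load_all_misp hunk later in this same patch still requests `attributes/bro/download/all`, so the comment describes at most one of the download paths and will mislead whoever edits the URL. A comment that does not pin a single path stays accurate, e.g. `#base URL only; the scripts append the MISP attribute download paths (see load_sigs_misp / load_all_misp)`. The comment on `SKIP_SIGNATURE_DOWNLOAD` should also state which value enables the behaviour and what "recent" means, since the only definition is the `-mmin +60` check in load_sigs_misp: `#T: skip the signature download when signatures.sig was modified within the last 60 minutes (see load_sigs_misp)`. The `export { … }` block holding these globals opens before the second hunk and its closing brace lies outside both hunks.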
@@ -1,4 +1,4 @@ -##! Dovehawk Zeek Module V 1.01.003 2019 12 17 @tylabs dovehawk.io +##! Dovehawk Zeek Module V 1.02.001 2020 03 20 @tylabs dovehawk.io # This module downloads Zeek Intelligence Framework items and Signature Framework Zeek items from MISP. # Sightings are reported back to MISP and optionally to a Slack webhook. # This script could be easily modified to send hits to a central database / web dashboard or to add in indicators from other sources. @@ -6,8 +6,8 @@ module dovehawk; -@load ../config.bro -@load ./dovehawk_expire.bro +@load ../config +@load ./dovehawk_expire @load-sigs ../signatures/signatures.sig @@ -15,10 +15,11 @@ module dovehawk; @load base/frameworks/intel @load frameworks/intel/do_notice @load base/utils/directions-and-hosts +@load base/misc/version export { - global DH_VERSION = "1.01.003"; + global DH_VERSION = "1.02.001"; #removed randomness added to internal + double_to_interval(rand(1200)) global load_signatures: function(); @@ -31,15 +32,15 @@ export { # Modelled on the original function from ActiveHTTP but they stripped out the newlines and joined # everything together. Need to keep the original string vector to process individual lines. -# Original Source: https://github.com/bro/bro/blob/master/scripts/base/utils/active-http.bro +# Original Source: https://github.com/zeek/zeek/blob/master/scripts/base/utils/active-http.zeek function request2curl(r: ActiveHTTP::Request, bodyfile: string, headersfile: string): string { local cmd = fmt("curl --header \"Authorization: %s\" -s -g -o \"%s\" -D \"%s\" -X \"%s\"", - str_shell_escape(dovehawk::APIKEY), - str_shell_escape(bodyfile), - str_shell_escape(headersfile), - str_shell_escape(r$method)); + safe_shell_quote(dovehawk::APIKEY), + safe_shell_quote(bodyfile), + safe_shell_quote(headersfile), + safe_shell_quote(r$method)); cmd = fmt("%s -m %.0f", cmd, r$max_time); 
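Review bot: The `safe_shell_quote(...)` results in request2curl are still embedded in literal `\"%s\"` placeholders, but unlike the deprecated `str_shell_escape`, `safe_shell_quote` already returns its argument wrapped in double quotes per its documentation (the bare `touch %s` in the next hunk already passes the quoted result as-is). The command line therefore carries `""value""`-style tokens: the shell concatenates the empty quoted pairs away and the value itself ends up unquoted, so whitespace or glob characters in APIKEY, the file names or `r$url` are no longer protected. Dropping the surrounding `\"` around each quoted result — `-o %s -D %s -X %s`, `fmt("%s %s", cmd, safe_shell_quote(r$url))`, and quoting the whole header as `safe_shell_quote("Authorization: " + dovehawk::APIKEY)` — makes the quoting consistent. The same pattern recurs with `r$url` in the following hunk and with the `Authorization` header built in register_hit's hunk further down. request2curl continues past the end of this hunk.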
@@ -50,9 +51,9 @@ function request2curl(r: ActiveHTTP::Request, bodyfile: string, headersfile: str if ( r?$addl_curl_args ) cmd = fmt("%s %s", cmd, r$addl_curl_args); - cmd = fmt("%s \"%s\"", cmd, str_shell_escape(r$url)); + cmd = fmt("%s \"%s\"", cmd, safe_shell_quote(r$url)); # Make sure file will exist even if curl did not write one. - cmd = fmt("%s && touch %s", cmd, str_shell_escape(bodyfile)); + cmd = fmt("%s && touch %s", cmd, safe_shell_quote(bodyfile)); return cmd; } 
@@ -88,54 +89,56 @@ function load_sigs_misp() { ]; local fname = "signatures.sig"; - local check = "find " + @DIR + "/../signatures/" + fname + " -mmin +60 | egrep ."; - when ( local r = Exec::run([$cmd=check]) ) - { - if (r$exit_code != 0) { - print "INFO: file is recent not updating: " + fname; - return; - } - - - print "Downloading Signatures..."; - when ( local lines = strings_request(request) ) { - if (|lines| >= 0 ) { - print "Updating File " + fname; - # Directory variable appends period for some reason - # but guard that it may not exist in future. - local tmp_fname = @DIR + "/../signatures/." + fname; - local final_fname = @DIR + "/../signatures/" + fname; - local f = open(tmp_fname); - local cnt = 0; - enable_raw_output(f); - print f,"# Dovehawk.io Content Signatures - Sig events should have \"MISP:\" prefix\n\n"; - - for (line in lines) { - # don't write lines with double ## at start - if (|lines[line]| >= 1 && lines[line][0] != "#" && lines[line][1] != "#") { - print f,gsub(lines[line], /\x0d/, "") + "\n"; #remove extra newlines Zeek doesn't like - if (sub_bytes(lines[line], 0, 10) == "signature ") - cnt += 1; + if (!dovehawk::SKIP_SIGNATURE_DOWNLOAD) { + local check = "find " + @DIR + "/../signatures/" + fname + " -mmin +60 | egrep ."; + when (local r = Exec::run([$cmd=check]) ) + { + if (r$exit_code != 0) { + print "INFO: file is recent not updating: " + fname; + return; + } + } + } + + + print "Downloading Signatures..."; + when ( local lines = strings_request(request) ) { + if (|lines| >= 0 ) { + print "Updating File " + fname; + # Directory variable appends period for some reason + # but guard that it may not exist in future. + local tmp_fname = @DIR + "/../signatures/." 
+ fname; + local final_fname = @DIR + "/../signatures/" + fname; + local f = open(tmp_fname); + local cnt = 0; + enable_raw_output(f); + print f,"# Dovehawk.io Content Signatures - Sig events should have SIG_PREFIX prefix\n\n"; + + for (line in lines) { + # don't write lines with double ## at start + if (|lines[line]| >= 1 && lines[line][0] != "#" && lines[line][1] != "#") { + print f,gsub(lines[line], /\x0d/, "") + "\n"; #remove extra newlines Zeek doesn't like + if (sub_bytes(lines[line], 0, 10) == "signature ") + cnt += 1; } } - close(f); + close(f); - if (unlink(final_fname)) { - if (rename(tmp_fname,final_fname)) { - print " Finished Updating File: " + fname; - } else { - print "ERROR: Could not rename tmp file for signature update: " + tmp_fname; - } + if (unlink(final_fname)) { + if (rename(tmp_fname,final_fname)) { + print " Finished Updating File: " + fname; } else { - print "WARNING: Could not unlink file for signature update: " + final_fname; + print "ERROR: Could not rename tmp file for signature update: " + tmp_fname; } - print fmt(" Signatures file contains: %d signatures", |cnt|); - } else { - print "WARNING: Signature update download failed"; + print "WARNING: Could not unlink file for signature update: " + final_fname; } + print fmt(" Signatures file contains: %d signatures", |cnt|); + } else { + print "WARNING: Signature update download failed"; } + } } @@ -148,7 +151,7 @@ function load_sigs_misp() { # Special option to load all the hash strings combined as a single file function load_all_misp() { local request: ActiveHTTP::Request = [ - $url = MISP_URL + "attributes/bro/download/all" + $url = MISP_URL + "attributes/bro/download/all" #this will probably change to zeek eventually ]; print "Downloading Indicators..."; 
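Review bot: The freshness check no longer guards the download: on the new side the `when (local r = Exec::run([$cmd=check]))` block wraps only the check, while the `print "Downloading Signatures..."` and the `strings_request` `when` that follow it sit at function level, so they run as soon as load_sigs_misp is called — Zeek's `when` does not block, and the inner `return` only ends that `when` body after the download has already been issued. The flag test also reads inverted relative to its comment in config.zeek (`#skip signature download if recent`, default `T`): with `!dovehawk::SKIP_SIGNATURE_DOWNLOAD` the default skips the check rather than the download. Moving the download back inside the check's `when` body, reachable from the skip branch as well, restores the original short-circuit; lifting the download body into a helper is one way, sketched below. Separately, the new file header `print f,"# ... should have SIG_PREFIX prefix\n\n"` writes the literal word SIG_PREFIX rather than its value — `"# Dovehawk.io Content Signatures - Sig events should have " + dovehawk::SIG_PREFIX + " prefix\n\n"`. load_sigs_misp begins before this hunk.
```zeek
# Download body of load_sigs_misp, lifted out so both branches below can reach it.
function download_sigs_misp(request: ActiveHTTP::Request, fname: string) {
	print "Downloading Signatures...";
	when ( local lines = strings_request(request) ) {
		# … unchanged: write tmp file, rename over signatures.sig, count signatures …
	}
}

function load_sigs_misp() {
	# … unchanged: request record and fname …
	if (dovehawk::SKIP_SIGNATURE_DOWNLOAD) {
		local check = "find " + @DIR + "/../signatures/" + fname + " -mmin +60 | egrep .";
		when ( local r = Exec::run([$cmd=check]) ) {
			if (r$exit_code != 0) {
				print "INFO: file is recent not updating: " + fname;
				return;
			}
			download_sigs_misp(request, fname);
		}
	} else {
		download_sigs_misp(request, fname);
	}
	# … unchanged: end of load_sigs_misp …
```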
@@ -267,7 +270,7 @@ function register_hit(hitvalue: string, desc: string) { $url=url_string, $method="POST", $client_data=post_data, - $addl_curl_args = fmt("--header \"Authorization: %s\" --header \"Content-Type: application/json\" --header \"Accept: application/json\"", str_shell_escape(dovehawk::APIKEY)) + $addl_curl_args = fmt("--header \"Authorization: %s\" --header \"Content-Type: application/json\" --header \"Accept: application/json\"", safe_shell_quote(dovehawk::APIKEY)) ]; when ( local resp = ActiveHTTP::request(request) ) { @@ -348,18 +351,6 @@ function startup_intel() { event do_reload_signatures() { -@if( /^2\./ in bro_version() ) - if (bro_is_terminating()) { - - print "Zeek Terminating - Cancelling Scheduled Signature Downloads"; - } else { - - load_signatures(); - - schedule signature_refresh_period { do_reload_signatures() }; - - } -@else if (zeek_is_terminating()) { print "Zeek Terminating - Cancelling Scheduled Signature Downloads"; } else { @@ -368,9 +359,6 @@ event do_reload_signatures() { schedule signature_refresh_period { do_reload_signatures() }; } - -@endif - } 
@@ -382,13 +370,13 @@ function load_signatures() { local ns = get_net_stats(); print fmt("NETSTATS: pkts_dropped=%d pkts_recvd=%d pkts_link=%d bytes_recvd=%d", ns$pkts_dropped, ns$pkts_recvd, ns$pkts_link, ns$bytes_recvd); - slack_hit("", fmt("%s: Dovehawk: Zeek %s Downloading Signatures %s [%s]. pkts_dropped=%d pkts_recvd=%d pkts_link=%d bytes_recvd=%d", gethostname(), bro_version(), strftime("%Y/%m/%d %H:%M:%S", network_time()), DH_VERSION, ns$pkts_dropped, ns$pkts_recvd, ns$pkts_link, ns$bytes_recvd)); + slack_hit("", fmt("%s: Dovehawk: Zeek %s Downloading Signatures %s [%s]. pkts_dropped=%d pkts_recvd=%d pkts_link=%d bytes_recvd=%d", gethostname(), Version::number, strftime("%Y/%m/%d %H:%M:%S", network_time()), DH_VERSION, ns$pkts_dropped, ns$pkts_recvd, ns$pkts_link, ns$bytes_recvd)); print fmt("Local Directory: %s", @DIR); print fmt("MISP Server: %s", MISP_URL); if (MISP_URL == "https://yourmispsite.com/" || MISP_URL == "") { - print "Please edit misp_config.bro to include your MISP API key and URL"; + print "Please edit config.zeek to include your MISP API key and URL"; exit(1); } @@ -398,7 +386,7 @@ function load_signatures() { # Download Zeek content signatures MISP->Network Activity->Zeek items load_sigs_misp(); - # Force output into stdout.log when using broctl + # Force output into stdout.log when using zeekctl flush_all(); } @@ -409,7 +397,7 @@ event signature_match(state: signature_state, msg: string, data: string) local sig_id = state$sig_id; # Ensure this is a MISP signature - if (strstr(msg,"MISP:") == 0) { + if (strstr(msg, dovehawk::SIG_PREFIX) == 0) { return; } 
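Review bot: In signature_match, `strstr(msg, dovehawk::SIG_PREFIX) == 0` still accepts the prefix anywhere in the event text, and now that the prefix is configurable an empty `SIG_PREFIX` would presumably match every event text; the README in this patch states the event text should start with the prefix. If strstr's return is the 1-based position its documentation describes, `if (dovehawk::SIG_PREFIX == "" || strstr(msg, dovehawk::SIG_PREFIX) != 1) return;` anchors the check at the start and rejects the degenerate configuration. signature_match's body continues outside this hunk.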
@@ -580,20 +568,6 @@ event signature_match(state: signature_state, msg: string, data: string) } -# version 3 will deprecate some of the bro_ functions -@if( /^2\./ in bro_version() ) -event bro_init() -{ - #run signature downloads on the manager only. indicators are automatically shared to workers - if ( Cluster::is_enabled() && Cluster::local_node_type() == Cluster::MANAGER ) { - startup_intel(); - event do_reload_signatures(); - } else if ( !Cluster::is_enabled() ) { - startup_intel(); - schedule signature_refresh_period {do_reload_signatures()}; - } -} -@else event zeek_init() { #run signature downloads on the manager only. indicators are automatically shared to workers @@ -605,7 +579,6 @@ event zeek_init() schedule signature_refresh_period {do_reload_signatures()}; } } -@endif event file_new(f: fa_file) diff --git a/scripts/dovehawk_expire.bro b/scripts/dovehawk_expire.zeek similarity index 98% rename from scripts/dovehawk_expire.bro rename to scripts/dovehawk_expire.zeek index 5e1ac05..43b74e8 100644 --- a/scripts/dovehawk_expire.bro +++ b/scripts/dovehawk_expire.zeek @@ -1,4 +1,4 @@ -##! Dovehawk Zeek Module - Intel Framework Extension V 1.01.002 2019 08 02 @tylabs +##! Dovehawk Zeek Module - Intel Framework Extension V 1.02.001 2020 03 20 @tylabs # dovehawk.io # ##! This script adds per item expiration for MISP intel items. This @@ -33,7 +33,7 @@ export { } -@load ./dovehawk.bro +@load ./dovehawk hook extend_match(info: Info, s: Seen, items: set[Item]) diff --git a/signatures/signatures.sig b/signatures/signatures.sig index bc3e5ec..c0670ee 100644 --- a/signatures/signatures.sig +++ b/signatures/signatures.sig @@ -17,6 +17,7 @@ signature cancyber-gh0st { payload /^Gh0st/ tcp-state originator event "MISP: Gh0stRat header in tcp" +} # Plugx Variants signature cancyber-plugx_http { diff --git a/bro-pkg.meta b/zkg.meta similarity index 94% rename from bro-pkg.meta rename to zkg.meta index 3490d53..b3567f2 100644 --- a/bro-pkg.meta +++ b/zkg.meta 
@@ -2,4 +2,4 @@ script_dir = . description = MISP+Zeek. Dovehawk is a Zeek Module to import MISP indicators to the Intel Framework and Signature Framework automatically. Reports sightings directly back to MISP as they happen. Supports Zeek Clusters. tags = intel, MISP, sightings, signatures, threat intelligence, threat intel, cyber -version = 1.01.001 \ No newline at end of file +version = 1.02.001 \ No newline at end of file