Zeek Package Index¶
Zeek has the following script packages (e.g. collections of related scripts in
a common directory). If the package directory contains a
script, it supports being loaded in mass as a whole directory for convenience.
Packages/scripts in the
base/ directory are all loaded by default, while
policy/ provide functionality and customization options that are
more appropriate for users to decide whether they’d like to load it or not.
The logging framework provides a flexible key-value based logging interface.
Support for postprocessors in the logging framework.
The Broker communication framework facilitates connecting to remote Zeek instances to share state and transfer events.
The input framework provides a way to read previously stored data either as an event stream or into a Zeek table.
The cluster framework provides for establishing and controlling a cluster of Zeek instances.
The control framework provides the foundation for providing “commands” that can be taken remotely at runtime to modify a running Zeek instance or collect information from the running instance.
The configuration framework provides a way to change the Zeek configuration in “option” values at run-time.
The analyzer framework allows to dynamically enable or disable Zeek’s protocol analyzers, as well as to manage the well-known ports which automatically activate a particular analyzer for new connections.
The file analysis framework provides an interface for driving the analysis of files, possibly independent of any network protocol over which they’re transported.
This framework is intended to create an output and filtering path for internally generated messages/warnings/errors.
The notice framework enables Zeek to “notice” things which are odd or potentially bad, leaving it to the local configuration to define which of them are actionable. This decoupling of detection and reporting allows Zeek to be customized to the different needs that sites have.
The signature framework provides for doing low-level pattern matching. While signatures are not Zeek’s preferred detection tool, they sometimes come in handy and are closer to what many people are familiar with from using other NIDS.
The packet filter framework supports how Zeek sets its BPF capture filter.
The software framework provides infrastructure for maintaining a table of software versions seen on the network. The version parsing itself is carried out by external protocol-specific scripts that feed into this framework.
The intelligence framework provides a way to store and query intelligence data (such as IP addresses or strings). Metadata can also be associated with the intelligence.
The summary statistics framework provides a way to summarize large streams of data into simple reduced measurements.
Plugins for the summary statistics framework.
The tunnels framework handles the tracking/logging of tunnels (e.g. Teredo, AYIYA, or IP-in-IP such as 6to4 where “IP” is either IPv4 or IPv6).
The OpenFlow framework exposes the data structures and functions necessary to interface to OpenFlow capable hardware.
Plugins for the OpenFlow framework.
The NetControl framework provides a way for Zeek to interact with networking hard- and software, e.g. for dropping and shunting IP addresses/connections, etc.
Plugins for the NetControl framework.
Support for connection (TCP, UDP, or ICMP) analysis.
Support for DCE/RPC (Distributed Computing Environment/Remote Procedure Calls) protocol analysis.
Support for Dynamic Host Configuration Protocol (DHCP) analysis.
Support for Distributed Network Protocol (DNP3) analysis.
Support for Domain Name System (DNS) protocol analysis.
Support for File Transfer Protocol (FTP) analysis.
Support for Secure Sockets Layer (SSL)/Transport Layer Security(TLS) protocol analysis.
Support for X509 certificates with the file analysis framework. Also supports parsing OCSP requests and responses.
Support for file hashes with the file analysis framework.
Support for Hypertext Transfer Protocol (HTTP) analysis.
Support for the Internet Message Access Protocol (IMAP).
Note that currently the IMAP analyzer only supports analyzing IMAP sessions until they do or do not switch to TLS using StartTLS. Hence, we do not get mails from IMAP sessions, only X509 certificates.
Support for Internet Relay Chat (IRC) protocol analysis.
Support for Kerberos protocol analysis.
Support for Modbus protocol analysis.
Support for MQTT protocol analysis.
Support for MySQL protocol analysis.
Support for NT LAN Manager (NTLM) protocol analysis.
Support for POP3 (Post Office Protocol) protocol analysis.
Support for RADIUS protocol analysis.
Support for Remote Desktop Protocol (RDP) analysis.
Support for Remote FrameBuffer analysis. This includes all VNC servers.
Support for Session Initiation Protocol (SIP) analysis.
Support for Simple Network Management Protocol (SNMP) analysis.
Support for SMB protocol analysis.
Support for Simple Mail Transfer Protocol (SMTP) analysis.
Support for Socket Secure (SOCKS) protocol analysis.
Support for SSH protocol analysis.
Support for Syslog protocol analysis.
Provides DPD signatures for tunneling protocols that otherwise wouldn’t be detected at all.
Support for the Extensible Messaging and Presence Protocol (XMPP).
Note that currently the XMPP analyzer only supports analyzing XMPP sessions until they do or do not switch to TLS using StartTLS. Hence, we do not get actual chat information from XMPP sessions, only X509 certificates.
Support for Portable Executable (PE) file analysis.
Support for extracting files with the file analysis framework.
This package is loaded during the process which automatically generates reference documentation for all Zeek scripts (i.e. “Zeekygen”). Its only purpose is to provide an easy way to load all known Zeek scripts plus any extra scripts needed or used by the documentation process.
Scripts that send data to the intelligence framework.
The scripts in this module are for deeper integration with the Collective Intelligence Framework (CIF) since Zeek’s Intel framework doesn’t natively behave the same as CIF nor does it store and maintain the same data in all cases.
Detect hosts that are running traceroute.
Miscellaneous tuning parameters.
Sets various defaults, and prints warning messages to stdout under certain conditions.