mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 06:38:20 +00:00
f389fb42c3
- Removed the note from local-manager.bro about setting the notice policy there. The notice framework changed and this isn't necessary anymore.
70 lines
2.6 KiB
Text
70 lines
2.6 KiB
Text
##! Local site policy. Customize as appropriate.
|
|
##!
|
|
##! This file will not be overwritten when upgrading or reinstalling!
|
|
|
|
# This script logs which scripts were loaded during each run.
|
|
@load misc/loaded-scripts
|
|
|
|
# Apply the default tuning scripts for common tuning settings.
|
|
@load tuning/defaults
|
|
|
|
# Generate notices when vulnerable versions of software are discovered.
|
|
# The default is to only monitor software found in the address space defined
|
|
# as "local". Refer to the software framework's documentation for more
|
|
# information.
|
|
@load frameworks/software/vulnerable
|
|
|
|
# Example vulnerable software. This needs to be updated and maintained over
|
|
# time as new vulnerabilities are discovered.
|
|
redef Software::vulnerable_versions += {
|
|
["Flash"] = [$major=10,$minor=2,$minor2=153,$addl="1"],
|
|
["Java"] = [$major=1,$minor=6,$minor2=0,$addl="22"],
|
|
};
|
|
|
|
# Detect software changing (e.g. attacker installing hacked SSHD).
|
|
@load frameworks/software/version-changes
|
|
|
|
# This adds signatures to detect cleartext forward and reverse windows shells.
|
|
redef signature_files += "frameworks/signatures/detect-windows-shells.sig";
|
|
|
|
# Uncomment the following line to begin receiving (by default hourly) emails
|
|
# containing all of your notices.
|
|
# redef Notice::policy += { [$action = Notice::ACTION_ALARM, $priority = 0] };
|
|
|
|
# Load all of the scripts that detect software in various protocols.
|
|
@load protocols/ftp/software
|
|
@load protocols/smtp/software
|
|
@load protocols/ssh/software
|
|
@load protocols/http/software
|
|
# The detect-webapps script could possibly cause performance trouble when
|
|
# running on live traffic. Enable it cautiously.
|
|
#@load protocols/http/detect-webapps
|
|
|
|
# This script detects DNS results pointing toward your Site::local_nets
|
|
# where the name is not part of your local DNS zone and is being hosted
|
|
# externally. Requires that the Site::local_zones variable is defined.
|
|
@load protocols/dns/detect-external-names
|
|
|
|
# Script to detect various activity in FTP sessions.
|
|
@load protocols/ftp/detect
|
|
|
|
# Scripts that do asset tracking.
|
|
@load protocols/conn/known-hosts
|
|
@load protocols/conn/known-services
|
|
@load protocols/ssl/known-certs
|
|
|
|
# This script enables SSL/TLS certificate validation.
|
|
@load protocols/ssl/validate-certs
|
|
|
|
# If you have libGeoIP support built in, do some geographic detections and
|
|
# logging for SSH traffic.
|
|
@load protocols/ssh/geo-data
|
|
# Detect hosts doing SSH bruteforce attacks.
|
|
@load protocols/ssh/detect-bruteforcing
|
|
# Detect logins using "interesting" hostnames.
|
|
@load protocols/ssh/interesting-hostnames
|
|
|
|
# Detect MD5 sums in Team Cymru's Malware Hash Registry.
|
|
@load protocols/http/detect-MHR
|
|
# Detect SQL injection attacks.
|
|
@load protocols/http/detect-sqli
|