mirror of
https://github.com/zeek/zeek.git
synced 2025-10-03 15:18:20 +00:00
290 lines
10 KiB
Text
290 lines
10 KiB
Text
# @TEST-EXEC: bro local-`cat $DIST/VERSION | sed 's/\([0-9].[0-9]\).*/\1/g'`.bro
|
|
|
|
# This tests the compatibility of the past release's site/local.bro
|
|
# script with the current version of Bro. If the test fails because
|
|
# it doesn't find the right file, that means everything stayed
|
|
# compatibile between releases, so just add a TEST-START-FILE with
|
|
# the contents the latest Bro version's site/local.bro script.
|
|
# If the test fails while loading the old local.bro, it usually
|
|
# indicates a note will need to be made in NEWS explaining to users
|
|
# how to migrate to the new version and this test's TEST-START-FILE
|
|
# should be updated with the latest contents of site/local.bro.
|
|
|
|
@TEST-START-FILE local-2.5.bro
|
|
##! Local site policy. Customize as appropriate.
|
|
##!
|
|
##! This file will not be overwritten when upgrading or reinstalling!
|
|
|
|
# This script logs which scripts were loaded during each run.
|
|
@load misc/loaded-scripts
|
|
|
|
# Apply the default tuning scripts for common tuning settings.
|
|
@load tuning/defaults
|
|
|
|
# Estimate and log capture loss.
|
|
@load misc/capture-loss
|
|
|
|
# Enable logging of memory, packet and lag statistics.
|
|
@load misc/stats
|
|
|
|
# Load the scan detection script.
|
|
@load misc/scan
|
|
|
|
# Detect traceroute being run on the network. This could possibly cause
|
|
# performance trouble when there are a lot of traceroutes on your network.
|
|
# Enable cautiously.
|
|
#@load misc/detect-traceroute
|
|
|
|
# Generate notices when vulnerable versions of software are discovered.
|
|
# The default is to only monitor software found in the address space defined
|
|
# as "local". Refer to the software framework's documentation for more
|
|
# information.
|
|
@load frameworks/software/vulnerable
|
|
|
|
# Detect software changing (e.g. attacker installing hacked SSHD).
|
|
@load frameworks/software/version-changes
|
|
|
|
# This adds signatures to detect cleartext forward and reverse windows shells.
|
|
@load-sigs frameworks/signatures/detect-windows-shells
|
|
|
|
# Load all of the scripts that detect software in various protocols.
|
|
@load protocols/ftp/software
|
|
@load protocols/smtp/software
|
|
@load protocols/ssh/software
|
|
@load protocols/http/software
|
|
# The detect-webapps script could possibly cause performance trouble when
|
|
# running on live traffic. Enable it cautiously.
|
|
#@load protocols/http/detect-webapps
|
|
|
|
# This script detects DNS results pointing toward your Site::local_nets
|
|
# where the name is not part of your local DNS zone and is being hosted
|
|
# externally. Requires that the Site::local_zones variable is defined.
|
|
@load protocols/dns/detect-external-names
|
|
|
|
# Script to detect various activity in FTP sessions.
|
|
@load protocols/ftp/detect
|
|
|
|
# Scripts that do asset tracking.
|
|
@load protocols/conn/known-hosts
|
|
@load protocols/conn/known-services
|
|
@load protocols/ssl/known-certs
|
|
|
|
# This script enables SSL/TLS certificate validation.
|
|
@load protocols/ssl/validate-certs
|
|
|
|
# This script prevents the logging of SSL CA certificates in x509.log
|
|
@load protocols/ssl/log-hostcerts-only
|
|
|
|
# Uncomment the following line to check each SSL certificate hash against the ICSI
|
|
# certificate notary service; see http://notary.icsi.berkeley.edu .
|
|
# @load protocols/ssl/notary
|
|
|
|
# If you have libGeoIP support built in, do some geographic detections and
|
|
# logging for SSH traffic.
|
|
@load protocols/ssh/geo-data
|
|
# Detect hosts doing SSH bruteforce attacks.
|
|
@load protocols/ssh/detect-bruteforcing
|
|
# Detect logins using "interesting" hostnames.
|
|
@load protocols/ssh/interesting-hostnames
|
|
|
|
# Detect SQL injection attacks.
|
|
@load protocols/http/detect-sqli
|
|
|
|
#### Network File Handling ####
|
|
|
|
# Enable MD5 and SHA1 hashing for all files.
|
|
@load frameworks/files/hash-all-files
|
|
|
|
# Detect SHA1 sums in Team Cymru's Malware Hash Registry.
|
|
@load frameworks/files/detect-MHR
|
|
|
|
# Uncomment the following line to enable detection of the heartbleed attack. Enabling
|
|
# this might impact performance a bit.
|
|
# @load policy/protocols/ssl/heartbleed
|
|
|
|
# Uncomment the following line to enable logging of connection VLANs. Enabling
|
|
# this adds two VLAN fields to the conn.log file.
|
|
# @load policy/protocols/conn/vlan-logging
|
|
|
|
# Uncomment the following line to enable logging of link-layer addresses. Enabling
|
|
# this adds the link-layer address for each connection endpoint to the conn.log file.
|
|
# @load policy/protocols/conn/mac-logging
|
|
|
|
# Uncomment the following line to enable the SMB analyzer. The analyzer
|
|
# is currently considered a preview and therefore not loaded by default.
|
|
# @load policy/protocols/smb
|
|
@TEST-END-FILE
|
|
|
|
@TEST-START-FILE local-2.4.bro
|
|
##! Local site policy. Customize as appropriate.
|
|
##!
|
|
##! This file will not be overwritten when upgrading or reinstalling!
|
|
|
|
# This script logs which scripts were loaded during each run.
|
|
@load misc/loaded-scripts
|
|
|
|
# Apply the default tuning scripts for common tuning settings.
|
|
@load tuning/defaults
|
|
|
|
# Load the scan detection script.
|
|
@load misc/scan
|
|
|
|
# Detect traceroute being run on the network.
|
|
@load misc/detect-traceroute
|
|
|
|
# Generate notices when vulnerable versions of software are discovered.
|
|
# The default is to only monitor software found in the address space defined
|
|
# as "local". Refer to the software framework's documentation for more
|
|
# information.
|
|
@load frameworks/software/vulnerable
|
|
|
|
# Detect software changing (e.g. attacker installing hacked SSHD).
|
|
@load frameworks/software/version-changes
|
|
|
|
# This adds signatures to detect cleartext forward and reverse windows shells.
|
|
@load-sigs frameworks/signatures/detect-windows-shells
|
|
|
|
# Load all of the scripts that detect software in various protocols.
|
|
@load protocols/ftp/software
|
|
@load protocols/smtp/software
|
|
@load protocols/ssh/software
|
|
@load protocols/http/software
|
|
# The detect-webapps script could possibly cause performance trouble when
|
|
# running on live traffic. Enable it cautiously.
|
|
#@load protocols/http/detect-webapps
|
|
|
|
# This script detects DNS results pointing toward your Site::local_nets
|
|
# where the name is not part of your local DNS zone and is being hosted
|
|
# externally. Requires that the Site::local_zones variable is defined.
|
|
@load protocols/dns/detect-external-names
|
|
|
|
# Script to detect various activity in FTP sessions.
|
|
@load protocols/ftp/detect
|
|
|
|
# Scripts that do asset tracking.
|
|
@load protocols/conn/known-hosts
|
|
@load protocols/conn/known-services
|
|
@load protocols/ssl/known-certs
|
|
|
|
# This script enables SSL/TLS certificate validation.
|
|
@load protocols/ssl/validate-certs
|
|
|
|
# This script prevents the logging of SSL CA certificates in x509.log
|
|
@load protocols/ssl/log-hostcerts-only
|
|
|
|
# Uncomment the following line to check each SSL certificate hash against the ICSI
|
|
# certificate notary service; see http://notary.icsi.berkeley.edu .
|
|
# @load protocols/ssl/notary
|
|
|
|
# If you have libGeoIP support built in, do some geographic detections and
|
|
# logging for SSH traffic.
|
|
@load protocols/ssh/geo-data
|
|
# Detect hosts doing SSH bruteforce attacks.
|
|
@load protocols/ssh/detect-bruteforcing
|
|
# Detect logins using "interesting" hostnames.
|
|
@load protocols/ssh/interesting-hostnames
|
|
|
|
# Detect SQL injection attacks.
|
|
@load protocols/http/detect-sqli
|
|
|
|
#### Network File Handling ####
|
|
|
|
# Enable MD5 and SHA1 hashing for all files.
|
|
@load frameworks/files/hash-all-files
|
|
|
|
# Detect SHA1 sums in Team Cymru's Malware Hash Registry.
|
|
@load frameworks/files/detect-MHR
|
|
|
|
# Uncomment the following line to enable detection of the heartbleed attack. Enabling
|
|
# this might impact performance a bit.
|
|
# @load policy/protocols/ssl/heartbleed
|
|
@TEST-END-FILE
|
|
|
|
@TEST-START-FILE local-2.3.bro
|
|
##! Local site policy. Customize as appropriate.
|
|
##!
|
|
##! This file will not be overwritten when upgrading or reinstalling!
|
|
|
|
# This script logs which scripts were loaded during each run.
|
|
@load misc/loaded-scripts
|
|
|
|
# Apply the default tuning scripts for common tuning settings.
|
|
@load tuning/defaults
|
|
|
|
# Load the scan detection script.
|
|
@load misc/scan
|
|
|
|
# Log some information about web applications being used by users
|
|
# on your network.
|
|
@load misc/app-stats
|
|
|
|
# Detect traceroute being run on the network.
|
|
@load misc/detect-traceroute
|
|
|
|
# Generate notices when vulnerable versions of software are discovered.
|
|
# The default is to only monitor software found in the address space defined
|
|
# as "local". Refer to the software framework's documentation for more
|
|
# information.
|
|
@load frameworks/software/vulnerable
|
|
|
|
# Detect software changing (e.g. attacker installing hacked SSHD).
|
|
@load frameworks/software/version-changes
|
|
|
|
# This adds signatures to detect cleartext forward and reverse windows shells.
|
|
@load-sigs frameworks/signatures/detect-windows-shells
|
|
|
|
# Load all of the scripts that detect software in various protocols.
|
|
@load protocols/ftp/software
|
|
@load protocols/smtp/software
|
|
@load protocols/ssh/software
|
|
@load protocols/http/software
|
|
# The detect-webapps script could possibly cause performance trouble when
|
|
# running on live traffic. Enable it cautiously.
|
|
#@load protocols/http/detect-webapps
|
|
|
|
# This script detects DNS results pointing toward your Site::local_nets
|
|
# where the name is not part of your local DNS zone and is being hosted
|
|
# externally. Requires that the Site::local_zones variable is defined.
|
|
@load protocols/dns/detect-external-names
|
|
|
|
# Script to detect various activity in FTP sessions.
|
|
@load protocols/ftp/detect
|
|
|
|
# Scripts that do asset tracking.
|
|
@load protocols/conn/known-hosts
|
|
@load protocols/conn/known-services
|
|
@load protocols/ssl/known-certs
|
|
|
|
# This script enables SSL/TLS certificate validation.
|
|
@load protocols/ssl/validate-certs
|
|
|
|
# This script prevents the logging of SSL CA certificates in x509.log
|
|
@load protocols/ssl/log-hostcerts-only
|
|
|
|
# Uncomment the following line to check each SSL certificate hash against the ICSI
|
|
# certificate notary service; see http://notary.icsi.berkeley.edu .
|
|
# @load protocols/ssl/notary
|
|
|
|
# If you have libGeoIP support built in, do some geographic detections and
|
|
# logging for SSH traffic.
|
|
@load protocols/ssh/geo-data
|
|
# Detect hosts doing SSH bruteforce attacks.
|
|
@load protocols/ssh/detect-bruteforcing
|
|
# Detect logins using "interesting" hostnames.
|
|
@load protocols/ssh/interesting-hostnames
|
|
|
|
# Detect SQL injection attacks.
|
|
@load protocols/http/detect-sqli
|
|
|
|
#### Network File Handling ####
|
|
|
|
# Enable MD5 and SHA1 hashing for all files.
|
|
@load frameworks/files/hash-all-files
|
|
|
|
# Detect SHA1 sums in Team Cymru's Malware Hash Registry.
|
|
@load frameworks/files/detect-MHR
|
|
|
|
# Uncomment the following line to enable detection of the heartbleed attack. Enabling
|
|
# this might impact performance a bit.
|
|
# @load policy/protocols/ssl/heartbleed
|
|
@TEST-END-FILE
|