zeek/scripts/base/frameworks/notice
Arne Welzel 3ac877e20d scripts/smb2-main: Reset script-level state upon smb2_discarded_messages_state()
This is similar to what the external corelight/zeek-smb-clear-state script
does, but leverages the smb2_discarded_messages_state() event instead of
regularly checking on the state of SMB connections.

The pcap was created using the dperson/samba container image and mounting
a share with Linux's CIFS filesystem, then copying the content of a
directory with 100 files. The test uses a BPF filter to imitate mostly
"half-duplex" traffic.
2023-05-03 11:22:01 +02:00
actions Spelling fixes: scripts 2022-11-02 17:36:39 -04:00
__load__.zeek GH-379: move catch-and-release and unified2 scripts to policy/ 2019-06-05 13:33:45 -07:00
main.zeek frameworks/notice: Handle fa_file with no or more than a single connection better 2022-12-06 11:17:30 +01:00
README More bro-to-zeek renaming in scripts and other files 2019-05-16 02:36:41 -05:00
weird.zeek scripts/smb2-main: Reset script-level state upon smb2_discarded_messages_state() 2023-05-03 11:22:01 +02:00

The notice framework enables Zeek to "notice" things which are odd or
potentially bad, leaving it to the local configuration to define which
of them are actionable.  This decoupling of detection and reporting allows
Zeek to be customized to the different needs that sites have.
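The decoupling described above is easiest to see with both halves side by side: a detector script that only raises a notice, and the site-local configuration that decides what to do with it. The following is an added example, not code from the Zeek distribution. The `Example` module, the `Outbound_Suspicious_Port` notice type, the choice of 4444/tcp as an "interesting" port and the `soc@example.com` address are all assumptions made for the illustration; the framework calls (`NOTICE`, `Notice::policy`, `Notice::ACTION_*`, `Notice::mail_dest`, `Site::is_local_addr`) are the real ones.

```zeek
##! Added example, not part of Zeek: a detector that raises a notice and the
##! site-local policy that turns that notice into an action.

@load base/frameworks/notice
@load base/utils/site

module Example;

export {
    redef enum Notice::Type += {
        ## Hypothetical notice type for this example: a local host connected
        ## to one of the destination ports listed in suspicious_ports.
        Outbound_Suspicious_Port,
    };

    ## Example indicator. 4444/tcp is an assumption for this illustration,
    ## not a port the notice framework treats specially.
    const suspicious_ports: set[port] = { 4444/tcp } &redef;
}

event connection_established(c: connection)
    {
    if ( c$id$resp_p !in suspicious_ports )
        return;

    # Only care about local -> non-local connections (Site::local_nets).
    if ( ! Site::is_local_addr(c$id$orig_h) || Site::is_local_addr(c$id$resp_h) )
        return;

    # Detection half: the detector raises the notice and says nothing about
    # whether it should page anyone. That decision belongs to Notice::policy.
    NOTICE([$note=Outbound_Suspicious_Port,
            $msg=fmt("%s connected to %s on %s",
                     c$id$orig_h, c$id$resp_h, c$id$resp_p),
            $conn=c,
            # Suppress repeats for the same source/destination pair for an hour.
            $identifier=cat(c$id$orig_h, c$id$resp_h),
            $suppress_for=1hr]);
    }

# Reporting half: what a site would put in its local.zeek. Every notice is
# written to notice.log regardless; the policy hook adds (or removes)
# further actions per notice, so the detector above never has to change.
hook Notice::policy(n: Notice::Info)
    {
    if ( n$note == Example::Outbound_Suspicious_Port )
        {
        add n$actions[Notice::ACTION_ALARM];   # also goes to notice_alarm.log
        add n$actions[Notice::ACTION_EMAIL];   # mailed to Notice::mail_dest
        }
    }

# Assumption: the site's SOC mailbox. Without a mail_dest, ACTION_EMAIL is a no-op.
redef Notice::mail_dest = "soc@example.com";
```

For the common cases a site does not even need a hook: `redef Notice::emailed_types += { Example::Outbound_Suspicious_Port };` (or `Notice::alarmed_types`, `Notice::ignored_types`) routes a whole notice type, while the `Notice::policy` hook is the place for per-notice decisions such as looking at `n$conn`, `n$src` or `n$msg` before choosing an action.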