zeek/scripts/policy/frameworks/intel/seen/pubkey-hashes.zeek at e5367ba820b95dba7acc018d4d865b1c2f91163d - Mirror/zeek - git.uphillsecurity.com: We code.

Mirror/zeek

mirror of https://github.com/zeek/zeek.git synced 2025-10-05 16:18:19 +00:00

Arne Welzel 4027c70e2b Merge branch 'topic/mohan/intel-event-groups' of https://github.com/Mohan-Dhawan/zeek

* 'topic/mohan/intel-event-groups' of https://github.com/Mohan-Dhawan/zeek:
  coalesce smtp handlers for ADDR
  Add fine-grained groups for Intel events

(cherry picked from commit d5e1dc27c6)

2025-05-16 11:57:00 +02:00

12 lines

323 B

Text

Raw Blame History

 @load base/frameworks/intel
 @load base/protocols/ssh
 @load ./where-locations
 event ssh_server_host_key(c: connection, hash: string) &group="Intel::PUBKEY_HASH"
 	{
 	local seen = Intel::Seen($indicator=hash,
 				 $indicator_type=Intel::PUBKEY_HASH,
 				 $conn=c,
 				 $where=SSH::IN_SERVER_HOST_KEY);
 	Intel::seen(seen);
 	}