adding additional zeek categories to sort out false positive matching

Tim Shelton
2022-05-10 03:39:16 +00:00
parent c64197233d
commit ad727e11e9
+301
@@ -235,6 +235,307 @@ logsources:
conditions:
vendor_name: "Zeek"
vendor_type: "IDS"
zeek-category-firewall:
category: firewall
rewrite:
product: zeek
service: conn
zeek-category-dns:
category: dns
rewrite:
product: zeek
service: dns
zeek-category-proxy:
category: proxy
rewrite:
product: zeek
service: http
zeek-rdp:
product: zeek
service: rdp
conditions:
hawk_source: "rdp.log"
zeek-conn:
product: zeek
service: conn
conditions:
hawk_source: "conn.log"
zeek-conn_long:
product: zeek
service: conn_long
conditions:
hawk_source: "conn_long.log"
zeek-dce_rpc:
product: zeek
service: dce_rpc
conditions:
hawk_source: "dce_rpc.log"
zeek-dns:
product: zeek
service: dns
conditions:
hawk_source: "dns.log"
zeek-dnp3:
product: zeek
service: dnp3
conditions:
hawk_source: "dnp3.log"
zeek-dpd:
product: zeek
service: dpd
conditions:
hawk_source: "dpd.log"
zeek-files:
product: zeek
service: files
conditions:
hawk_source: "files.log"
zeek-ftp:
product: zeek
service: ftp
conditions:
hawk_source: "ftp.log"
zeek-gquic:
product: zeek
service: gquic
conditions:
hawk_source: "gquic.log"
zeek-http:
product: zeek
service: http
conditions:
hawk_source: "http.log"
zeek-http2:
product: zeek
service: http2
conditions:
hawk_source: "http2.log"
zeek-intel:
product: zeek
service: intel
conditions:
hawk_source: "intel.log"
zeek-irc:
product: zeek
service: irc
conditions:
hawk_source: "irc.log"
zeek-kerberos:
product: zeek
service: kerberos
conditions:
hawk_source: "kerberos.log"
zeek-known_certs:
product: zeek
service: known_certs
conditions:
hawk_source: "known_certs.log"
zeek-known_hosts:
product: zeek
service: known_hosts
conditions:
hawk_source: "known_hosts.log"
zeek-known_modbus:
product: zeek
service: known_modbus
conditions:
hawk_source: "known_modbus.log"
zeek-known_services:
product: zeek
service: known_services
conditions:
hawk_source: "known_services.log"
zeek-modbus:
product: zeek
service: modbus
conditions:
hawk_source: "modbus.log"
zeek-modbus_register_change:
product: zeek
service: modbus_register_change
conditions:
hawk_source: "modbus_register_change.log"
zeek-mqtt_connect:
product: zeek
service: mqtt_connect
conditions:
hawk_source: "mqtt_connect.log"
zeek-mqtt_publish:
product: zeek
service: mqtt_publish
conditions:
hawk_source: "mqtt_publish.log"
zeek-mqtt_subscribe:
product: zeek
service: mqtt_subscribe
conditions:
hawk_source: "mqtt_subscribe.log"
zeek-mysql:
product: zeek
service: mysql
conditions:
hawk_source: "mysql.log"
zeek-notice:
product: zeek
service: notice
conditions:
hawk_source: "notice.log"
zeek-ntlm:
product: zeek
service: ntlm
conditions:
hawk_source: "ntlm.log"
zeek-ntp:
product: zeek
service: ntp
conditions:
hawk_source: "ntp.log"
zeek-ocsp:
product: zeek
service: ntp
conditions:
hawk_source: "ocsp.log"
zeek-pe:
product: zeek
service: pe
conditions:
hawk_source: "pe.log"
zeek-pop3:
product: zeek
service: pop3
conditions:
hawk_source: "pop3.log"
zeek-radius:
product: zeek
service: radius
conditions:
hawk_source: "radius.log"
zeek-rdp:
product: zeek
service: rdp
conditions:
hawk_source: "rdp.log"
zeek-rfb:
product: zeek
service: rfb
conditions:
hawk_source: "rfb.log"
zeek-sip:
product: zeek
service: sip
conditions:
hawk_source: "sip.log"
zeek-smb_files:
product: zeek
service: smb_files
conditions:
hawk_source: "smb_files.log"
zeek-smb_mapping:
product: zeek
service: smb_mapping
conditions:
hawk_source: "smb_mapping.log"
zeek-smtp:
product: zeek
service: smtp
conditions:
hawk_source: "smtp.log"
zeek-smtp_links:
product: zeek
service: smtp_links
conditions:
hawk_source: "smtp_links.log"
zeek-snmp:
product: zeek
service: snmp
conditions:
hawk_source: "snmp.log"
zeek-socks:
product: zeek
service: socks
conditions:
hawk_source: "socks.log"
zeek-software:
product: zeek
service: software
conditions:
hawk_source: "software.log"
zeek-ssh:
product: zeek
service: ssh
conditions:
hawk_source: "ssh.log"
zeek-ssl:
product: zeek
service: ssl
conditions:
hawk_source: "tls.log"
zeek-tls: # In case people call it TLS even though orig log is called ssl, but dataset is tls so may cause confusion so cover that
product: zeek
service: tls
conditions:
hawk_source: "tls.log"
zeek-syslog:
product: zeek
service: syslog
conditions:
hawk_source: "syslog.log"
zeek-tunnel:
product: zeek
service: tunnel
conditions:
hawk_source: "tunnel.log"
zeek-traceroute:
product: zeek
service: traceroute
conditions:
hawk_source: "traceroute.log"
zeek-weird:
product: zeek
service: weird
conditions:
hawk_source: "weird.log"
zeek-x509:
product: zeek
service: x509
conditions:
hawk_source: "x509.log"
zeek-ip_search:
product: zeek
service: network
conditions:
hawk_source:
- "conn.log"
- "conn_long.log"
- "dce_rpc.log"
- "dhcp.log"
- "dnp3.log"
- "dns.log"
- "ftp.log"
- "gquic.log"
- "http.log"
- "irc.log"
- "kerberos.log"
- "modbus.log"
- "mqtt_connect.log"
- "mqtt_publish.log"
- "mqtt_subscribe.log"
- "mysql.log"
- "ntlm.log"
- "ntp.log"
- "radius.log"
- "rfb.log"
- "sip.log"
- "smb_files.log"
- "smb_mapping.log"
- "smtp.log"
- "smtp_links.log"
- "snmp.log"
- "socks.log"
- "ssh.log"
- "tls.log" #SSL
- "tunnel.log"
- "weird.log"
azure-signin:
product: azure
service: signinlogs
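Review bot: The `zeek-ocsp` entry (the one conditioned on `hawk_source: "ocsp.log"`) rewrites to `service: ntp`, which looks like a copy-paste from the `zeek-ntp` entry directly above it and would route OCSP events into NTP rules; it should read `service: ocsp`. The key `zeek-rdp` is defined twice in this hunk with identical bodies; YAML mappings do not permit duplicate keys, and most loaders silently keep the last occurrence while stricter ones reject the whole file, so one of the two should be dropped. The `zeek-ip_search` list also names `dhcp.log`, for which no per-source entry exists in the hunk, so it is worth confirming whether a `zeek-dhcp` entry was intended. The enclosing `logsources:` mapping starts before this hunk.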