Malcolm v1.7.0 development#74
Merged
* integrate MITRE ATT&CK BZAR into Malcolm's Zeek instance idaholab#67
* use the cidr plugin to assign internal_source, external_source, internal_destination, external_destination tags based on srcIp and dstIp Zeek logs

- Zeek 3.0
- New parsers/analyzers, complete list:
  - Amazon.com, Inc.'s ICS protocol analyzers
  - Corelight's bro-xor-exe plugin
  - Corelight's community ID flow hashing plugin
  - J-Gras' Bro::AF_Packet plugin
  - Lexi Brent's EternalSafety plugin
  - MITRE Cyber Analytics Repository's Bro/Zeek ATT&CK-Based Analytics (BZAR) script
  - Salesforce's gQUIC analyzer
  - Salesforce's HASSH SSH fingerprinting plugin
  - Salesforce's JA3 TLS fingerprinting plugin
  - SoftwareConsultingEmporium's Bro::LDAP analyzer
- Dashboards for all new protocols
- Documentation updates
-------------------------------------------
* zeek updates:
  - use Zeek 3.0
  - install Amazon Zeek ICS plugins (https://github.com/amzn?utf8=%E2%9C%93&q=zeek&type=&language=)
  - haven't yet looked at parsed fields list or built parsers/dashboards for new plugins, may be incomplete
* should have existing field tweaks done now, need to do new logs
* new logstash field definitions for the following:
  - bacnet
  - ethernet/ip
  - s7comm
  - known_certs
  - known_hosts
  - mqtt
  - ntp
  - profinet
  - tds
  testing still in progress
* hopefully fix issue with zeek not running with the override file
* zeek-updates development (#69)
* add WISE views for new zeek fields, using new format to define most of them https://molo.ch/wise#common-source-settings
* added links in comments for different log types
* working on new dashboards, not done yet
* more work on new dashboards
* more work on ICS stuff
* more work on new zeek log types
* updated navigation panel for new dashboards
* updated version for 1.7.0
* more work on new zeek log types
* more work on new zeek log types
* updated navigation panel for new dashboards
* sync sensor shared script with malcolm shared script
* fix dockerfile
* added patch for zeek pull #632 (zeek/zeek#632) Fix redef'ing a table with a new &default attribute
* update documentation
* documentation
* a few other plugins i've researched
* documentation
* fix building of plugin
* more work on new parsers (ldap)
* fix some stuff with the ldap parsing
* update dashboards

* working on a new method for doing the file carving stuff
* maybe working now
* fix supervisor options
* comments
* fix dockerfile
* put a sleep in the main loop so our CPUs don't melt
* fix annoying clipit history clear timeout in ISO

* initial code, unchanged from time immemorial
* initial code, unchanged from time immemorial
* first pass at integrating changes
* first pass at integrating changes
* update auth_setup for htadmin changes
* seems to be working now