##! Zeek local site policy. Customize as appropriate.
##!
##! See https://github.com/zeek/zeekctl
##! https://docs.zeek.org/en/stable/script-reference/scripts.html
##! https://github.com/zeek/zeek/blob/master/scripts/site/local.zeek

# Feature toggles. Each one is read from the environment once, when this
# script is loaded. The test is "is the variable set to a non-empty string?":
# any non-empty value (including "0" or "false") counts as set and turns the
# feature OFF; an unset or empty variable leaves the feature enabled.

## Skip frameworks/files/hash-all-files.
global disable_hash_all_files = getenv("ZEEK_DISABLE_HASH_ALL_FILES") != "";
## Skip the capture-password redefs near the end of this file.
global disable_log_passwords = getenv("ZEEK_DISABLE_LOG_PASSWORDS") != "";
## Skip protocols/ssl/validate-certs.
global disable_ssl_validate_certs = getenv("ZEEK_DISABLE_SSL_VALIDATE_CERTS") != "";
## Skip tuning/track-all-assets.
global disable_track_all_assets = getenv("ZEEK_DISABLE_TRACK_ALL_ASSETS") != "";
## Skip the local ./guess.zeek script.
global disable_best_guess_ics = getenv("ZEEK_DISABLE_BEST_GUESS_ICS") != "";

# Per-protocol switches for the Spicy-based analyzers; acted on in zeek_init().
global disable_spicy_dhcp = getenv("ZEEK_DISABLE_SPICY_DHCP") != "";
global disable_spicy_dns = getenv("ZEEK_DISABLE_SPICY_DNS") != "";
global disable_spicy_http = getenv("ZEEK_DISABLE_SPICY_HTTP") != "";
global disable_spicy_ldap = getenv("ZEEK_DISABLE_SPICY_LDAP") != "";
global disable_spicy_ipsec = getenv("ZEEK_DISABLE_SPICY_IPSEC") != "";
global disable_spicy_openvpn = getenv("ZEEK_DISABLE_SPICY_OPENVPN") != "";
global disable_spicy_tftp = getenv("ZEEK_DISABLE_SPICY_TFTP") != "";
global disable_spicy_wireguard = getenv("ZEEK_DISABLE_SPICY_WIREGUARD") != "";

# Keep Broker's listener on loopback so the management port is not reachable
# from other hosts unless this is deliberately changed.
redef Broker::default_listen_address = "127.0.0.1";

# Accept packets with bad checksums. Typical for captures taken with NIC
# checksum offload enabled (the kernel never fills them in); the trade-off is
# that genuinely corrupted packets are analyzed rather than dropped.
redef ignore_checksums = T;

# Load order matters for some of these scripts; keep additions in place.
@load tuning/defaults
@load misc/scan
@load frameworks/software/vulnerable
@load frameworks/software/version-changes
@load frameworks/software/windows-version-detection
@load-sigs frameworks/signatures/detect-windows-shells
@load protocols/conn/known-hosts
@load protocols/conn/known-services
@load protocols/dhcp/software
@load protocols/dns/detect-external-names
@load protocols/ftp/detect
@load protocols/ftp/detect-bruteforcing.zeek
@load protocols/ftp/software
@load protocols/http/detect-sqli
@load protocols/http/detect-webapps
@load protocols/http/software
@load protocols/http/software-browser-plugins
@load protocols/mysql/software
@load protocols/ssl/weak-keys
@load protocols/smb/log-cmds
@load protocols/smtp/software
@load protocols/ssh/detect-bruteforcing
@load protocols/ssh/geo-data
@load protocols/ssh/interesting-hostnames
@load protocols/ssh/software
@load protocols/ssl/known-certs
@load protocols/ssl/log-hostcerts-only

@if ( !disable_ssl_validate_certs )
@load protocols/ssl/validate-certs
@endif

@if ( !disable_track_all_assets )
@load tuning/track-all-assets.zeek
@endif

@if ( !disable_hash_all_files )
@load frameworks/files/hash-all-files
@endif

@load policy/protocols/conn/vlan-logging
@load policy/protocols/conn/mac-logging
@load policy/protocols/modbus/known-masters-slaves
@load policy/protocols/mqtt

# Site-local scripts shipped alongside this file.
@load ./login.zeek

@if ( !disable_best_guess_ics )
@load ./guess.zeek
@endif

# Installed Zeek packages (zkg). The SNIFFPASS redefs at the bottom of this
# file depend on this having been loaded first.
@load packages

## Disable every Spicy analyzer in ``tags``. The individual disable calls do
## not depend on one another, so the order of the vector is irrelevant.
function disable_spicy_analyzers(tags: vector of Analyzer::Tag)
	{
	for ( i in tags )
		Spicy::disable_protocol_analyzer(tags[i]);
	}

# Runs after the default zeek_init handlers (negative priority) so the
# analyzers have been registered before we try to disable them.
event zeek_init() &priority=-5
	{
	if ( disable_spicy_dhcp )
		disable_spicy_analyzers(vector(Analyzer::ANALYZER_SPICY_DHCP));

	if ( disable_spicy_dns )
		disable_spicy_analyzers(vector(Analyzer::ANALYZER_SPICY_DNS));

	if ( disable_spicy_http )
		disable_spicy_analyzers(vector(Analyzer::ANALYZER_SPICY_HTTP));

	if ( disable_spicy_ipsec )
		disable_spicy_analyzers(vector(Analyzer::ANALYZER_SPICY_IPSEC_TCP,
		                               Analyzer::ANALYZER_SPICY_IPSEC_UDP,
		                               Analyzer::ANALYZER_SPICY_IPSEC_IKE_UDP));

	if ( disable_spicy_ldap )
		disable_spicy_analyzers(vector(Analyzer::ANALYZER_SPICY_LDAP_TCP));

	if ( disable_spicy_openvpn )
		disable_spicy_analyzers(vector(Analyzer::ANALYZER_SPICY_OPENVPN_TCP,
		                               Analyzer::ANALYZER_SPICY_OPENVPN_TCP_HMAC_MD5,
		                               Analyzer::ANALYZER_SPICY_OPENVPN_TCP_HMAC_SHA1,
		                               Analyzer::ANALYZER_SPICY_OPENVPN_TCP_HMAC_SHA256,
		                               Analyzer::ANALYZER_SPICY_OPENVPN_TCP_HMAC_SHA512,
		                               Analyzer::ANALYZER_SPICY_OPENVPN_UDP,
		                               Analyzer::ANALYZER_SPICY_OPENVPN_UDP_HMAC_MD5,
		                               Analyzer::ANALYZER_SPICY_OPENVPN_UDP_HMAC_SHA1,
		                               Analyzer::ANALYZER_SPICY_OPENVPN_UDP_HMAC_SHA256,
		                               Analyzer::ANALYZER_SPICY_OPENVPN_UDP_HMAC_SHA512));

	if ( disable_spicy_tftp )
		disable_spicy_analyzers(vector(Analyzer::ANALYZER_SPICY_TFTP));

	if ( disable_spicy_wireguard )
		disable_spicy_analyzers(vector(Analyzer::ANALYZER_SPICY_WIREGUARD));
	}

# Unless ZEEK_DISABLE_LOG_PASSWORDS is set, cleartext credentials seen on the
# wire (HTTP, FTP, SOCKS, and the sniffpass package) are written verbatim into
# the corresponding logs. Access to the log directory should be scoped with
# that in mind.
@if ( !disable_log_passwords )
redef HTTP::default_capture_password = T;
redef FTP::default_capture_password = T;
redef SOCKS::default_capture_password = T;
redef SNIFFPASS::log_password_plaintext = T;
@endif

# Record sniffed passwords in their own log only; do not also raise notices.
redef SNIFFPASS::notice_log_enable = F;