# This file loads ALL policy scripts that are part of the Zeek distribution.
#
# This rarely makes sense, and is for testing only.
#
# Note that we have a unit test that makes sure that all policy files shipped are
# actually loaded here. If we have files that are part of the distribution yet
# can't be loaded here, these must still be listed here with their load command
# commented out.
# The base/ scripts are all loaded by default and not included here.
#
# The list is grouped by directory (frameworks/, files/, integration/, misc/,
# protocols/, tuning/). Entries that are commented out carry a short reason
# where one is known; the trailing redef at the bottom relies on running after
# every @load above it, so keep it last.
@load frameworks/analyzer/debug-logging.zeek
@load frameworks/analyzer/detect-protocols.zeek
@load frameworks/analyzer/packet-segment-logging.zeek
# @load frameworks/control/controllee.zeek
# @load frameworks/control/controller.zeek
@load frameworks/cluster/backend/broker/__load__.zeek
@load frameworks/cluster/backend/broker/backpressure.zeek
@load frameworks/cluster/backend/broker/main.zeek
@load frameworks/cluster/backend/broker/telemetry.zeek
# The ZeroMQ backend is only loaded when its enum value exists, i.e. when this
# build was configured with ZeroMQ support; otherwise the @load would fail.
@ifdef ( Cluster::CLUSTER_BACKEND_ZEROMQ )
@load frameworks/cluster/backend/zeromq/__load__.zeek
@load frameworks/cluster/backend/zeromq/connect.zeek
@load frameworks/cluster/backend/zeromq/main.zeek
@endif
@load frameworks/cluster/experimental.zeek
# Loaded via the above through test-all-policy-cluster.test
# when running as a manager, creates cluster.log entries
# even in non-cluster mode if loaded like the below.
# @load frameworks/cluster/nodes-experimental/manager.zeek
# @load frameworks/cluster/websocket/server.zeek
# Management framework: the per-role main.zeek scripts (agent, controller,
# node) stay disabled here; only their API/boot/config pieces are loaded.
@load frameworks/management/agent/__load__.zeek
@load frameworks/management/agent/api.zeek
@load frameworks/management/agent/boot.zeek
@load frameworks/management/agent/config.zeek
# @load frameworks/management/agent/main.zeek
@load frameworks/management/controller/__load__.zeek
@load frameworks/management/controller/api.zeek
@load frameworks/management/controller/boot.zeek
@load frameworks/management/controller/config.zeek
# @load frameworks/management/controller/main.zeek
@load frameworks/management/__load__.zeek
@load frameworks/management/config.zeek
@load frameworks/management/log.zeek
@load frameworks/management/persistence.zeek
# @load frameworks/management/node/__load__.zeek
@load frameworks/management/node/api.zeek
@load frameworks/management/node/config.zeek
# @load frameworks/management/node/main.zeek
@load frameworks/management/supervisor/__load__.zeek
@load frameworks/management/supervisor/api.zeek
@load frameworks/management/supervisor/config.zeek
@load frameworks/management/supervisor/main.zeek
@load frameworks/management/request.zeek
@load frameworks/management/types.zeek
@load frameworks/management/util.zeek
@load frameworks/intel/do_notice.zeek
@load frameworks/intel/do_expire.zeek
@load frameworks/intel/whitelist.zeek
@load frameworks/intel/removal.zeek
@load frameworks/intel/seen/__load__.zeek
@load frameworks/intel/seen/conn-established.zeek
@load frameworks/intel/seen/dns.zeek
@load frameworks/intel/seen/file-hashes.zeek
@load frameworks/intel/seen/file-names.zeek
@load frameworks/intel/seen/http-headers.zeek
@load frameworks/intel/seen/http-url.zeek
@load frameworks/intel/seen/manage-event-groups.zeek
@load frameworks/intel/seen/pubkey-hashes.zeek
@load frameworks/intel/seen/smb-filenames.zeek
@load frameworks/intel/seen/smtp-url-extraction.zeek
@load frameworks/intel/seen/smtp.zeek
@load frameworks/intel/seen/ssl.zeek
@load frameworks/intel/seen/where-locations.zeek
@load frameworks/intel/seen/x509.zeek
@load frameworks/netcontrol/catch-and-release.zeek
# NOTE(review): detect-MHR presumably issues external hash lookups, so a test
# run loading it may touch the network -- confirm before relying on this in
# an offline CI environment.
@load frameworks/files/detect-MHR.zeek
@load frameworks/files/entropy-test-all-files.zeek
# NOTE(review): extract-all-files is kept disabled; presumably because it
# writes every extracted file body to disk during the test run -- confirm.
#@load frameworks/files/extract-all-files.zeek
@load frameworks/files/hash-all-files.zeek
@load frameworks/notice/__load__.zeek
@load frameworks/notice/actions/drop.zeek
@load frameworks/notice/community-id.zeek
@load frameworks/notice/extend-email/hostnames.zeek
@load files/x509/disable-certificate-events-known-certs.zeek
@load frameworks/packet-filter/shunt.zeek
# @load frameworks/signatures/iso-9660.zeek
@load frameworks/software/version-changes.zeek
@load frameworks/software/vulnerable.zeek
# @load frameworks/spicy/record-spicy-batch.zeek
# @load frameworks/spicy/resource-usage.zeek
@load frameworks/software/windows-version-detection.zeek
@load frameworks/storage/backend/redis/__load__.zeek
@load frameworks/storage/backend/redis/main.zeek
@load frameworks/storage/backend/sqlite/__load__.zeek
@load frameworks/storage/backend/sqlite/main.zeek
@load frameworks/telemetry/log.zeek
@load integration/collective-intel/__load__.zeek
@load integration/collective-intel/main.zeek
@load misc/capture-loss.zeek
@load misc/detect-traceroute/__load__.zeek
@load misc/detect-traceroute/main.zeek
# NOTE(review): dump-events stays disabled; presumably its per-event output
# would swamp the test baseline -- confirm.
# @load misc/dump-events.zeek
@load misc/loaded-scripts.zeek
@load misc/profiling.zeek
@load misc/stats.zeek
@load misc/weird-stats.zeek
@load misc/trim-trace-file.zeek
@load misc/unknown-protocols.zeek
# @load misc/systemd-generator.zeek
@load protocols/conn/community-id-logging.zeek
@load protocols/conn/disable-unknown-ip-proto-support.zeek
@load protocols/conn/failed-service-logging.zeek
@load protocols/conn/ip-proto-name-logging.zeek
@load protocols/conn/known-hosts.zeek
@load protocols/conn/known-services.zeek
@load protocols/conn/mac-logging.zeek
@load protocols/conn/vlan-logging.zeek
@load protocols/conn/pppoe-session-id-logging.zeek
@load protocols/conn/weirds.zeek
#@load frameworks/conn_key/vlan_fivetuple.zeek
#@load protocols/conn/speculative-service.zeek
@load protocols/dhcp/msg-orig.zeek
@load protocols/dhcp/software.zeek
@load protocols/dhcp/sub-opts.zeek
@load protocols/dns/auth-addl.zeek
@load protocols/dns/detect-external-names.zeek
#@load protocols/dns/disable-opcode-log-fields.zeek
@load protocols/dns/log-original-query-case.zeek
@load protocols/ftp/detect-bruteforcing.zeek
@load protocols/ftp/detect.zeek
@load protocols/ftp/software.zeek
@load protocols/http/detect-sql-injection.zeek
@load protocols/http/detect-webapps.zeek
@load protocols/http/header-names.zeek
@load protocols/http/software-browser-plugins.zeek
@load protocols/http/software.zeek
@load protocols/http/var-extraction-cookies.zeek
@load protocols/http/var-extraction-uri.zeek
@load protocols/krb/ticket-logging.zeek
@load protocols/krb/md5-ticket-logging.zeek
@load protocols/modbus/known-masters-slaves.zeek
@load protocols/modbus/track-memmap.zeek
@load protocols/mysql/software.zeek
@load protocols/rdp/indicate_ssl.zeek
@load protocols/smb/log-cmds.zeek
@load protocols/smtp/blocklists.zeek
@load protocols/smtp/detect-suspicious-orig.zeek
@load protocols/smtp/entities-excerpt.zeek
@load protocols/smtp/software.zeek
@load protocols/ssh/detect-bruteforcing.zeek
@load protocols/ssh/geo-data.zeek
@load protocols/ssh/interesting-hostnames.zeek
@load protocols/ssh/md5-host-key-logging.zeek
@load protocols/ssh/software.zeek
@load protocols/ssl/certificate-request-info.zeek
@load protocols/ssl/decryption.zeek
@load protocols/ssl/expiring-certs.zeek
@load protocols/ssl/heartbleed.zeek
@load protocols/ssl/known-certs.zeek
@load protocols/ssl/log-certs-base64.zeek
@load protocols/ssl/ssl-log-ext.zeek
@load protocols/ssl/log-hostcerts-only.zeek
@load protocols/ssl/validate-certs.zeek
@load protocols/ssl/validate-ocsp.zeek
@load protocols/ssl/validate-sct.zeek
@load protocols/ssl/weak-keys.zeek
@load tuning/json-logs.zeek
@load tuning/track-all-assets.zeek
# Disable the cluster backend by switching to the none backend after loading
# all the scripts, in order to skip initialization of whichever cluster backend
# ended up being selected. Cluster backends may keep the IO loop alive once
# registered, because they register IO sources, and loading test-all-policy
# should not result in such behavior. This must stay after every @load above.
redef Cluster::backend = Cluster::CLUSTER_BACKEND_NONE;