zeek: enabled: False config: node: lb_procs: 0 pins_enabled: False pins: [] buffer: 128*1024*1024 zeekctl: MailTo: root@localhost MailConnectionSummary: 0 MinDiskSpace: 5 MailHostUpDown: 0 LogRotationInterval: 3600 LogExpireInterval: 0 StatsLogEnable: 1 StatsLogExpireInterval: 0 StatusCmdShowAll: 0 CrashExpireInterval: 0 SitePolicyScripts: local.zeek LogDir: /nsm/zeek/logs SpoolDir: /nsm/zeek/spool CfgDir: /opt/zeek/etc CompressLogs: 1 ZeekPort: 27760 local: load: - misc/loaded-scripts - tuning/defaults - misc/capture-loss - frameworks/software/vulnerable - frameworks/software/version-changes - protocols/ftp/software - protocols/smtp/software - protocols/ssh/software - protocols/http/software - protocols/dns/detect-external-names - protocols/ftp/detect - protocols/conn/known-hosts - protocols/conn/known-services - protocols/conn/vlan-logging - protocols/ssl/known-certs - protocols/ssl/validate-certs - protocols/ssl/log-hostcerts-only - protocols/ssh/geo-data - protocols/ssh/detect-bruteforcing - protocols/ssh/interesting-hostnames - protocols/http/detect-sqli - frameworks/files/hash-all-files - frameworks/files/detect-MHR - policy/frameworks/notice/extend-email/hostnames - policy/frameworks/notice/community-id - policy/protocols/conn/community-id-logging - ja3 - hassh - intel - cve-2020-0601 - securityonion/bpfconf - securityonion/file-extraction - oui-logging - icsnpp-modbus - icsnpp-dnp3 - icsnpp-bacnet - icsnpp-ethercat - icsnpp-enip - icsnpp-opcua-binary - icsnpp-bsap - icsnpp-s7comm - zeek-plugin-tds - zeek-plugin-profinet - zeek-spicy-wireguard - zeek-spicy-stun load-sigs: - frameworks/signatures/detect-windows-shells redef: - LogAscii::use_json = T; - CaptureLoss::watch_interval = 5 mins; networks: HOME_NET: - 192.168.0.0/16 - 10.0.0.0/8 - 172.16.0.0/12 file_extraction: - application/x-dosexec: exe - application/pdf: pdf - application/msword: doc - application/vnd.ms-powerpoint: doc - application/rtf: doc - application/vnd.ms-word.document.macroenabled.12: doc - application/vnd.ms-word.template.macroenabled.12: doc - application/vnd.ms-powerpoint.template.macroenabled.12: doc - application/vnd.ms-excel: doc - application/vnd.ms-excel.addin.macroenabled.12: doc - application/vnd.ms-excel.sheet.binary.macroenabled.12: doc - application/vnd.ms-excel.template.macroenabled.12: doc - application/vnd.ms-excel.sheet.macroenabled.12: doc - application/vnd.openxmlformats-officedocument.presentationml.presentation: doc - application/vnd.openxmlformats-officedocument.presentationml.slide: doc - application/vnd.openxmlformats-officedocument.presentationml.slideshow: doc - application/vnd.openxmlformats-officedocument.presentationml.template: doc - application/vnd.openxmlformats-officedocument.spreadsheetml.sheet: doc - application/vnd.openxmlformats-officedocument.spreadsheetml.template: doc - application/vnd.openxmlformats-officedocument.wordprocessingml.document: doc - application/vnd.openxmlformats-officedocument.wordprocessingml.template: doc - application/vnd.ms-powerpoint.addin.macroenabled.12: doc - application/vnd.ms-powerpoint.slide.macroenabled.12: doc - application/vnd.ms-powerpoint.presentation.macroenabled.12: doc - application/vnd.ms-powerpoint.slideshow.macroenabled.12: doc - application/vnd.openxmlformats-officedocument: doc logging: excluded: - broker - capture_loss - ecat_arp_info - known_hosts - known_services - loaded_scripts - ntp - packet_filter - reporter - stats - stderr - stdout