zeek:
  enabled: True
  config:
    node:
      lb_procs: 0
      pins_enabled: False
      pins: []
      buffer: 128*1024*1024
    zeekctl:
      MailTo: root@localhost
      MailConnectionSummary: 1
      MinDiskSpace: 5
      MailHostUpDown: 1
      LogRotationInterval: 3600
      LogExpireInterval: 0
      StatsLogEnable: 1
      StatsLogExpireInterval: 0
      StatusCmdShowAll: 0
      CrashExpireInterval: 0
      SitePolicyScripts: local.zeek
      LogDir: /nsm/zeek/logs
      SpoolDir: /nsm/zeek/spool
      CfgDir: /opt/zeek/etc
      CompressLogs: 1
      ZeekPort: 27760
    local:
      load:
        - misc/loaded-scripts
        - tuning/defaults
        - misc/capture-loss
        - misc/stats
        - frameworks/software/vulnerable
        - frameworks/software/version-changes
        - protocols/ftp/software
        - protocols/smtp/software
        - protocols/ssh/software
        - protocols/http/software
        - protocols/dns/detect-external-names
        - protocols/ftp/detect
        - protocols/conn/known-hosts
        - protocols/conn/known-services
        - protocols/conn/vlan-logging
        - protocols/ssl/known-certs
        - protocols/ssl/validate-certs
        - protocols/ssl/log-hostcerts-only
        - protocols/ssh/geo-data
        - protocols/ssh/detect-bruteforcing
        - protocols/ssh/interesting-hostnames
        - protocols/http/detect-sqli
        - frameworks/files/hash-all-files
        - frameworks/files/detect-MHR
        - policy/frameworks/notice/extend-email/hostnames
        - ja3
        - hassh
        - intel
        - cve-2020-0601
        - securityonion/bpfconf
        - securityonion/communityid
        - securityonion/file-extraction
        - oui-logging
        - icsnpp-modbus
        - icsnpp-dnp3
        - icsnpp-bacnet
        - icsnpp-ethercat
        - icsnpp-enip
        - icsnpp-opcua-binary
        - icsnpp-bsap
        - icsnpp-s7comm
        - zeek-plugin-tds
        - zeek-plugin-profinet
        - zeek-spicy-wireguard
        - zeek-spicy-stun
      load-sigs:
        - frameworks/signatures/detect-windows-shells
      redef:
        - LogAscii::use_json = T;
        - CaptureLoss::watch_interval = 5 mins;
    networks:
      HOME_NET: 192.168.0.0/16,10.0.0.0/8,172.16.0.0/12
  file_extraction:
    - application/x-dosexec: exe
    - application/pdf: pdf
    - application/msword: doc
    - application/vnd.ms-powerpoint: doc
    - application/rtf: doc
    - application/vnd.ms-word.document.macroenabled.12: doc
    - application/vnd.ms-word.template.macroenabled.12: doc
    - application/vnd.ms-powerpoint.template.macroenabled.12: doc
    - application/vnd.ms-excel: doc
    - application/vnd.ms-excel.addin.macroenabled.12: doc
    - application/vnd.ms-excel.sheet.binary.macroenabled.12: doc
    - application/vnd.ms-excel.template.macroenabled.12: doc
    - application/vnd.ms-excel.sheet.macroenabled.12: doc
    - application/vnd.openxmlformats-officedocument.presentationml.presentation: doc
    - application/vnd.openxmlformats-officedocument.presentationml.slide: doc
    - application/vnd.openxmlformats-officedocument.presentationml.slideshow: doc
    - application/vnd.openxmlformats-officedocument.presentationml.template: doc
    - application/vnd.openxmlformats-officedocument.spreadsheetml.sheet: doc
    - application/vnd.openxmlformats-officedocument.spreadsheetml.template: doc
    - application/vnd.openxmlformats-officedocument.wordprocessingml.document: doc
    - application/vnd.openxmlformats-officedocument.wordprocessingml.template: doc
    - application/vnd.ms-powerpoint.addin.macroenabled.12: doc
    - application/vnd.ms-powerpoint.slide.macroenabled.12: doc
    - application/vnd.ms-powerpoint.presentation.macroenabled.12: doc
    - application/vnd.ms-powerpoint.slideshow.macroenabled.12: doc
    - application/vnd.openxmlformats-officedocument: doc