From 39d5f72a6243f0438b988b59793e4f03fa483915 Mon Sep 17 00:00:00 2001
From: Seth Grover
Date: Tue, 19 Nov 2024 16:08:36 -0700
Subject: [PATCH] added some other corelight packages for detecting various CVEs

---
 Dockerfiles/zeek.Dockerfile | 2 +-
 docs/components.md | 21 ++-------------------
 shared/bin/zeek_install_plugins.sh | 14 +++++++++++++-
 3 files changed, 16 insertions(+), 21 deletions(-)

diff --git a/Dockerfiles/zeek.Dockerfile b/Dockerfiles/zeek.Dockerfile
index d3253806c..6bad6c7c2 100644
--- a/Dockerfiles/zeek.Dockerfile
+++ b/Dockerfiles/zeek.Dockerfile
@@ -183,7 +183,7 @@ RUN groupadd --gid ${DEFAULT_GID} ${PUSER} && \
 # sanity checks to make sure the plugins installed and copied over correctly
 # these ENVs should match the third party scripts/plugins installed by zeek_install_plugins.sh
 ENV ZEEK_THIRD_PARTY_PLUGINS_GREP "(Zeek::Spicy|ANALYZER_SPICY_OSPF|ANALYZER_SPICY_OPENVPN_UDP\b|ANALYZER_SPICY_IPSEC_UDP\b|ANALYZER_SPICY_TFTP|ANALYZER_SPICY_WIREGUARD|ANALYZER_SPICY_HART_IP_UDP|ANALYZER_SPICY_HART_IP_TCP|ANALYZER_SYNCHROPHASOR_TCP|ANALYZER_GENISYS_TCP|ANALYZER_SPICY_GE_SRTP|ANALYZER_SPICY_PROFINET_IO_CM|ANALYZER_S7COMM_TCP|Corelight::PE_XOR|ICSNPP::BACnet|ICSNPP::BSAP|ICSNPP::ENIP|ICSNPP::ETHERCAT|ICSNPP::OPCUA_Binary|Salesforce::GQUIC|Zeek::PROFINET|Zeek::TDS|Seiso::Kafka)"
-ENV ZEEK_THIRD_PARTY_SCRIPTS_GREP "(bro-is-darknet/main|bro-simple-scan/scan|bzar/main|callstranger-detector/callstranger|cve-2020-0601/cve-2020-0601|cve-2020-13777/cve-2020-13777|CVE-2020-16898/CVE-2020-16898|CVE-2021-38647/omigod|CVE-2021-31166/detect|CVE-2021-41773/CVE_2021_41773|CVE-2021-42292/main|cve-2021-44228/CVE_2021_44228|cve-2022-22954/main|cve-2022-26809/main|CVE-2022-3602/__load__|hassh/hassh|http-more-files-names/main|ja4/main|pingback/detect|ripple20/ripple20|SIGRed/CVE-2020-1350|zeek-EternalSafety/main|zeek-httpattacks/main|zeek-sniffpass/__load__|zerologon/main)\.(zeek|bro)"
+ENV ZEEK_THIRD_PARTY_SCRIPTS_GREP "(bro-is-darknet/main|bro-simple-scan/scan|bzar/main|callstranger-detector/callstranger|cve-2020-0601/cve-2020-0601|cve-2020-13777/cve-2020-13777|CVE-2020-16898/CVE-2020-16898|CVE-2021-1675/main|CVE-2021-31166/detect|CVE-2021-38647/omigod|CVE-2021-41773/CVE_2021_41773|CVE-2021-42292/main|cve-2021-44228/CVE_2021_44228|cve-2022-21907/main|cve-2022-22954/main|CVE-2022-23270-PPTP/main|CVE-2022-24491/main|CVE-2022-24497/main|cve-2022-26809/main|CVE-2022-26937/main|CVE-2022-30216/main|CVE-2022-3602/__load__|hassh/hassh|http-more-files-names/main|ja4/main|pingback/detect|ripple20/ripple20|SIGRed/CVE-2020-1350|zeek-agenttesla-detector/main|zeek-asyncrat-detector/main|zeek-EternalSafety/main|zeek-httpattacks/main|zeek-netsupport-detector/main|zeek-quasarrat-detector/main|zeek-sniffpass/__load__|zeek-strrat-detector/main|zerologon/main)\.(zeek|bro)"
 
 RUN mkdir -p /tmp/logs && \
 cd /tmp/logs && \
diff --git a/docs/components.md b/docs/components.md
index aa297a20b..1127c9382 100644
--- a/docs/components.md
+++ b/docs/components.md
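Review bot: The new `ZEEK_THIRD_PARTY_SCRIPTS_GREP` alternation must be kept in lockstep with `ZKG_GITHUB_URLS` in zeek_install_plugins.sh by hand, and nothing in the build checks that every active URL has a matching `<package>/<script>` entry here — the eleven new entries do line up with the eleven uncommented additions in that script (zeek-long-connections is commented out there and correctly absent here), but a package added to one list and forgotten in the other leaves a detector silently missing from the image instead of failing this sanity check. The old regex already lacked `zeek-quasarrat-detector/main` even though that package was in the URL list before this commit, which is exactly that kind of drift, and this change happens to repair it. The match is also case-sensitive, so `cve-2022-21907` versus `CVE-2022-23270-PPTP` has to reproduce the installed package directory names exactly (presumably the cloned repository names — confirm at build time, since this grep is the only evidence that the CVE detection scripts are actually present). I would extend the existing comment with `# one <package-dir>/<script-basename> entry per active URL in ZKG_GITHUB_URLS; case must match the installed directory name`. The `RUN mkdir -p /tmp/logs` command that closes the hunk continues outside it.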
@@ -29,29 +29,12 @@ Malcolm leverages the following excellent open source tools, among others.
 * [Florian Roth](https://github.com/Neo23x0)'s [Signature-Base](https://github.com/Neo23x0/signature-base) Yara ruleset
 * [Bart Blaze](https://github.com/bartblaze)'s [Yara ruleset](https://github.com/bartblaze/Yara-rules)
 * [ReversingLabs'](https://github.com/reversinglabs) [Yara ruleset](https://github.com/reversinglabs/reversinglabs-yara-rules)
-* These Zeek plugins:
+* These [Zeek packages]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/shared/bin/zeek_install_plugins.sh):
 * some of Amazon.com, Inc.'s [ICS protocol](https://github.com/amzn?q=zeek) analyzers
 * Andrew Klaus's [Sniffpass](https://github.com/cybera/zeek-sniffpass) plugin for detecting cleartext passwords in HTTP POST requests
 * Andrew Klaus's [zeek-httpattacks](https://github.com/precurse/zeek-httpattacks) plugin for detecting noncompliant HTTP requests
 * ICS protocol analyzers for Zeek published by [DHS CISA](https://github.com/cisagov/ICSNPP) and [Idaho National Lab](https://github.com/idaholab/ICSNPP)
- * Corelight's ["bad neighbor" (CVE-2020-16898)](https://github.com/corelight/CVE-2020-16898) plugin
- * Corelight's ["Log4Shell" (CVE-2021-44228)](https://github.com/corelight/cve-2021-44228) plugin
- * Corelight's ["OMIGOD" (CVE-2021-38647)](https://github.com/corelight/CVE-2021-38647) plugin
- * Corelight's [Apache HTTP server 2.4.49-2.4.50 path traversal/RCE vulnerability (CVE-2021-41773)](https://github.com/corelight/CVE-2021-41773) plugin
- * Corelight's [bro-xor-exe](https://github.com/corelight/bro-xor-exe-plugin) plugin
- * Corelight's [callstranger-detector](https://github.com/corelight/callstranger-detector) plugin
- * Corelight's [DCE/RPC remote code execution vulnerability (CVE-2022-26809)](https://github.com/corelight/cve-2022-26809) plugin
- * Corelight's [HASSH](https://github.com/corelight/hassh) SSH fingerprinting plugin
- * Corelight's [HTTP More Filenames](https://github.com/corelight/http-more-files-names) plugin
- * Corelight's [HTTP protocol stack vulnerability (CVE-2021-31166)](https://github.com/corelight/CVE-2021-31166) plugin
- * Corelight's [OpenSSL RCE buffer overrun vulnerability (CVE-2022-3602)](https://github.com/corelight/CVE-2022-3602) plugin
- * Corelight's [pingback](https://github.com/corelight/pingback) plugin
- * Corelight's [ripple20](https://github.com/corelight/ripple20) plugin
- * Corelight's [QuasarRAT](https://github.com/corelight/zeek-quasarrat-detector) plugin
- * Corelight's [SIGred](https://github.com/corelight/SIGred) plugin
- * Corelight's [VMware Workspace ONE Access and Identity Manager RCE vulnerability (CVE-2022-22954)](https://github.com/corelight/cve-2022-22954) plugin
- * Corelight's [Zerologon](https://github.com/corelight/zerologon) plugin
- * Corelight's [Microsoft Excel privilege escalation detection (CVE-2021-42292)](https://github.com/corelight/CVE-2021-42292) plugin
+ * Many packages developed by [Corelight, Inc.](https://github.com/corelight)
 * FoxIO's [JA4+](https://blog.foxio.io/ja4%2B-network-fingerprinting) network fingerprinting plugin
 * J-Gras' [Zeek::AF_Packet](https://github.com/J-Gras/zeek-af_packet-plugin) plugin
 * Johanna Amann's [CVE-2020-0601](https://github.com/0xxon/cve-2020-0601) ECC certificate validation plugin and [CVE-2020-13777](https://github.com/0xxon/cve-2020-13777) GnuTLS unencrypted session ticket detection plugin
diff --git a/shared/bin/zeek_install_plugins.sh b/shared/bin/zeek_install_plugins.sh
index dee07380a..1f8ec0edb 100755
--- a/shared/bin/zeek_install_plugins.sh
+++ b/shared/bin/zeek_install_plugins.sh
@@ -105,34 +105,46 @@ ZKG_GITHUB_URLS=(
 "https://github.com/cisagov/icsnpp-synchrophasor"
 "https://github.com/corelight/callstranger-detector"
 "https://github.com/corelight/CVE-2020-16898"
+ "https://github.com/corelight/CVE-2021-1675"
 "https://github.com/corelight/CVE-2021-31166"
 "https://github.com/corelight/CVE-2021-38647"
 "https://github.com/corelight/CVE-2021-41773"
 "https://github.com/corelight/CVE-2021-42292"
 "https://github.com/corelight/cve-2021-44228"
+ "https://github.com/corelight/cve-2022-21907"
 "https://github.com/corelight/cve-2022-22954"
+ "https://github.com/corelight/CVE-2022-23270-PPTP"
+ "https://github.com/corelight/CVE-2022-24491"
+ "https://github.com/corelight/CVE-2022-24497"
 "https://github.com/corelight/cve-2022-26809"
+ "https://github.com/corelight/CVE-2022-26937"
+ "https://github.com/corelight/CVE-2022-30216"
 "https://github.com/corelight/CVE-2022-3602"
 "https://github.com/corelight/hassh"
 "https://github.com/corelight/http-more-files-names"
 "https://github.com/corelight/pingback"
 "https://github.com/corelight/ripple20"
 "https://github.com/corelight/SIGRed"
+ "https://github.com/corelight/zeek-agenttesla-detector"
+ "https://github.com/corelight/zeek-asyncrat-detector"
+ # "https://github.com/corelight/zeek-long-connections"
+ "https://github.com/corelight/zeek-netsupport-detector"
 "https://github.com/corelight/zeek-quasarrat-detector"
 "https://github.com/corelight/zeek-spicy-ipsec"
 "https://github.com/corelight/zeek-spicy-openvpn"
 "https://github.com/corelight/zeek-spicy-ospf"
 "https://github.com/corelight/zeek-spicy-stun"
 "https://github.com/corelight/zeek-spicy-wireguard"
+ "https://github.com/corelight/zeek-strrat-detector"
 "https://github.com/corelight/zeek-xor-exe-plugin|master"
 "https://github.com/corelight/zerologon"
 "https://github.com/cybera/zeek-sniffpass"
 "https://github.com/FoxIO-LLC/ja4|main"
 "https://github.com/mmguero-dev/bzar"
+ "https://github.com/mmguero-dev/GQUIC_Protocol_Analyzer"
 "https://github.com/ncsa/bro-is-darknet"
 "https://github.com/ncsa/bro-simple-scan"
 "https://github.com/precurse/zeek-httpattacks"
- "https://github.com/mmguero-dev/GQUIC_Protocol_Analyzer"
 "https://github.com/SeisoLLC/zeek-kafka"
 "https://github.com/zeek/spicy-tftp|main"
 "https://github.com/zeek/spicy-zip|main"
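Review bot: The new corelight entries are added as bare repository URLs with no ref, while `zeek-xor-exe-plugin|master`, `ja4|main` and the `zeek/spicy-*|main` lines show the list supports a `|<ref>` suffix; if that suffix accepts a tag or commit as well as a branch (the parsing is outside this hunk), pinning the new detectors would make image builds reproducible and mean that an upstream force-push or a compromised default branch cannot silently change which detection logic Zeek runs against captured traffic. The commented-out `# "https://github.com/corelight/zeek-long-connections"` also carries no reason, so the next maintainer cannot tell whether it was excluded for breakage, log volume, or something else; I would annotate it, e.g. `# "https://github.com/corelight/zeek-long-connections"  # disabled: <reason>`. Every active addition here has a matching entry in the `ZEEK_THIRD_PARTY_SCRIPTS_GREP` sanity check in the Dockerfile hunk, which is the right discipline and worth keeping for any future entry. The `ZKG_GITHUB_URLS=(` array opens in the hunk header and closes after the hunk's last line.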