[Zeek] BZAR Update - Config Options for Detection, Reporting, and Whitelisting
Fernandez, Mark I
mfernandez at mitre.org
Mon Feb 17 09:45:50 PST 2020
All,
New update to BZAR is available. As presented at ZeekWeek 2019, we improved the whitelisting capability to ignore activity based on IP address, IP subnet, or hostname, and we added configuration options to toggle on/off detection and reporting of each ATT&CK indicator. These new features allow for very granular control of the whitelists and toggle switches. As a result, we split some of the script files to make the code more manageable. See the CHANGES file for more information.
For the new version, use the Zeek package manager or download from the following URL:
* https://github.com/mitre-attack/bzar
Please let me know if you encounter any errors. BZAR still uses the .bro file extension for the scripts, so you may see some deprecation warnings, but it should run as expected. We'll make BZAR fully compliant with Zeek 3.0 soon.
Mark I. Fernandez
The MITRE Corporation
mfernandez at mitre.org