-
Notifications
You must be signed in to change notification settings - Fork 339
/
Copy pathzeek.env.example
106 lines (106 loc) · 4.68 KB
/
zeek.env.example
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
# Specifies a comma-separated list of the networks that Zeek considers "local",
# for Site::local_nets and networks.cfg. e.g., 1.2.3.0/24,5.6.7.0/24.
# Note that by default, Zeek considers IANA-registered private address space
# such as 10/8 and 192.168/16 site-local.
ZEEK_LOCAL_NETS=
# Set to true to indicate that Zeek should output logs in JSON format
ZEEK_JSON=
# Specifies the value for Zeek's Intel::item_expiration timeout (-1min to disable)
ZEEK_INTEL_ITEM_EXPIRATION=-1min
# When querying a threat intelligence feed, only process threat indicators that have
# been created or modified since the time represented by this value;
# it may be either a fixed date/time (01/01/2021) or relative interval (30 days ago)
ZEEK_INTEL_FEED_SINCE=
# Whether or not to require SSL certificate verification when querying an intelligence feed
ZEEK_INTEL_FEED_SSL_CERTIFICATE_VERIFICATION=false
# Number of threads to use for querying feeds for generating Zeek Intelligence Framework files
ZEEK_INTEL_REFRESH_THREADS=2
# Determines the file extraction behavior for file transfers detected by Zeek
ZEEK_EXTRACTOR_MODE=none
# Whether or not to use polling vs. native inotify API to watch for files
EXTRACTED_FILE_WATCHER_POLLING=false
# When polling, seconds of inactivity to assume a file is closed and ready for processing
EXTRACTED_FILE_WATCHER_POLLING_ASSUME_CLOSED_SEC=10
# Whether or not files extant in ./zeek-logs/extract_files/ will be ignored on startup
EXTRACTED_FILE_IGNORE_EXISTING=false
# Determines the behavior for preservation of Zeek-extracted files
EXTRACTED_FILE_PRESERVATION=quarantined
# The minimum size (in bytes) for files to be extracted by Zeek
EXTRACTED_FILE_MIN_BYTES=64
# The maximum size (in bytes) for files to be extracted by Zeek
EXTRACTED_FILE_MAX_BYTES=134217728
# Prune ./zeek-logs/extract_files/ when it exceeds this size...
EXTRACTED_FILE_PRUNE_THRESHOLD_MAX_SIZE=1TB
# ... or when the *total* disk usage exceeds this percentage
EXTRACTED_FILE_PRUNE_THRESHOLD_TOTAL_DISK_USAGE_PERCENT=0
# Interval in seconds for checking whether to prune ./zeek-logs/extract_files/
EXTRACTED_FILE_PRUNE_INTERVAL_SECONDS=300
# Rate limiting for VirusTotal, ClamAV, YARA and capa with Zeek-extracted files
VTOT_REQUESTS_PER_MINUTE=4
CLAMD_MAX_REQUESTS=8
YARA_MAX_REQUESTS=8
CAPA_MAX_REQUESTS=4
# Whether or not YARA will scan Zeek-extracted files
EXTRACTED_FILE_ENABLE_YARA=false
# Whether or not the default YARA ruleset will be ignored and only custom rules used
EXTRACTED_FILE_YARA_CUSTOM_ONLY=false
# Whether or not capa will scan Zeek-extracted executables
EXTRACTED_FILE_ENABLE_CAPA=false
# Whether or not capa will be extra verbose
EXTRACTED_FILE_CAPA_VERBOSE=false
# Whether or not ClamAV will scan Zeek-extracted executables
EXTRACTED_FILE_ENABLE_CLAMAV=false
# Whether or not to regularly update rule definitions for file scanning engines
EXTRACTED_FILE_UPDATE_RULES=false
# Verbosity flag for extracted file pipeline debugging (e.g., -v, -vv, -vvv, etc.)
EXTRACTED_FILE_PIPELINE_VERBOSITY=
# Whether or not to serve the directory containing Zeek-extracted over HTTP at ./extracted-files/
EXTRACTED_FILE_HTTP_SERVER_ENABLE=false
# Whether or not Zeek-extracted files served over HTTP will be archived in a Zip file
EXTRACTED_FILE_HTTP_SERVER_ZIP=false
# Whether or not to use libmagic to show MIME types for Zeek-extracted files served
EXTRACTED_FILE_HTTP_SERVER_MAGIC=false
# HTTP server will look in subdirectories for requested filename (e.g., in "/quarantined" and "/preserved")
EXTRACTED_FILE_HTTP_SERVER_RECURSIVE=true
# Adjust how often the JA4SSH hash is calculated
ZEEK_JA4SSH_PACKET_COUNT=200
# Environment variables for tweaking Zeek at runtime (see local.zeek)
# Set to true to disable the corresponding feature
ZEEK_DISABLE_HASH_ALL_FILES=
ZEEK_DISABLE_LOG_PASSWORDS=
ZEEK_DISABLE_SSL_VALIDATE_CERTS=
ZEEK_DISABLE_TRACK_ALL_ASSETS=
ZEEK_DISABLE_DETECT_ROUTERS=true
ZEEK_DISABLE_SPICY_IPSEC=
ZEEK_DISABLE_SPICY_LDAP=
ZEEK_DISABLE_SPICY_OPENVPN=
ZEEK_DISABLE_SPICY_QUIC=true
ZEEK_DISABLE_SPICY_STUN=
ZEEK_DISABLE_SPICY_TAILSCALE=
ZEEK_DISABLE_SPICY_TFTP=
ZEEK_DISABLE_SPICY_WIREGUARD=
ZEEK_DISABLE_ICS_ALL=
ZEEK_DISABLE_ICS_BACNET=
ZEEK_DISABLE_ICS_BSAP=
ZEEK_DISABLE_ICS_DNP3=
ZEEK_DISABLE_ICS_ENIP=
ZEEK_DISABLE_ICS_ETHERCAT=
ZEEK_DISABLE_ICS_GENISYS=true
ZEEK_DISABLE_ICS_GE_SRTP=true
ZEEK_DISABLE_ICS_HART_IP=
ZEEK_DISABLE_ICS_OMRON_FINS=
ZEEK_DISABLE_ICS_OPCUA_BINARY=
ZEEK_DISABLE_ICS_MODBUS=
ZEEK_DISABLE_ICS_PROFINET=
ZEEK_DISABLE_ICS_PROFINET_IO_CM=
ZEEK_DISABLE_ICS_S7COMM=
ZEEK_DISABLE_ICS_SYNCHROPHASOR=
ZEEK_SYNCHROPHASOR_PORTS=
ZEEK_SYNCHROPHASOR_DETAILED=
ZEEK_OMRON_FINS_DETAILED=true
ZEEK_GENISYS_PORTS=
ZEEK_ENIP_PORTS=
ZEEK_DISABLE_BEST_GUESS_ICS=true
ZEEK_KAFKA_ENABLED=
ZEEK_KAFKA_BROKERS=kafka.local:9091
ZEEK_KAFKA_TOPIC=zeek