A powerful, easily deployable network traffic analysis tool suite

Zeek Intelligence Framework

To quote Zeek’s Intelligence Framework documentation, “The goals of Zeek’s Intelligence Framework are to consume intelligence data, make it available for matching, and provide infrastructure to improve performance and memory utilization. Data in the Intelligence Framework is an atomic piece of intelligence such as an IP address or an e-mail address. This atomic data will be packed with metadata such as a freeform source field, a freeform descriptive field, and a URL which might lead to more information about the specific item.” Zeek intelligence indicator types include IP addresses, URLs, file names, hashes, email addresses, and more.

Hedgehog Linux doesn’t come bundled with intelligence files from any particular feed, but they can easily be included in your local instance. On startup, the subdirectories under /opt/sensor/sensor_ctl/zeek/intel that contain their own __load__.zeek file will be @load-ed as-is, while subdirectories containing “loose” intelligence files will be loaded automatically with a redef Intel::read_files directive.

Note that Hedgehog Linux does not manage updates for these intelligence files. You should use the update mechanism suggested by your feeds’ maintainers to keep them up to date. Adding and deleting intelligence files under this directory will take effect upon restarting Zeek.
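Because a malformed “loose” file is only noticed when Zeek restarts, it helps to check a feed before dropping it under /opt/sensor/sensor_ctl/zeek/intel. The following is an added example, not part of Hedgehog Linux or Malcolm: it validates a file against the Intelligence Framework’s tab-separated format (a #fields header naming at least indicator, indicator_type and meta.source, one tab-separated row per indicator, known Intel:: types, and parseable addresses, subnets and hashes). The sample feed is constructed with documentation addresses and placeholder values.

```python
import ipaddress
import re

# Indicator types defined by Zeek's Intel::Type enum.
INDICATOR_TYPES = {
    "Intel::ADDR", "Intel::SUBNET", "Intel::URL", "Intel::SOFTWARE",
    "Intel::EMAIL", "Intel::DOMAIN", "Intel::USER_NAME", "Intel::CERT_HASH",
    "Intel::PUBKEY_HASH", "Intel::FILE_HASH", "Intel::FILE_NAME",
}
REQUIRED = ("indicator", "indicator_type", "meta.source")
# MD5, SHA-1 or SHA-256 hex digest.
HEX_HASH = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")

def validate_intel_file(text):
    """Return a list of (line_no, problem) for an intel file; empty means OK."""
    problems, header = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        if raw.startswith("#fields"):
            header = raw.split("\t")[1:]
            for f in REQUIRED:
                if f not in header:
                    problems.append((no, f"required column '{f}' missing from #fields"))
            continue
        if raw.startswith("#"):          # comment line
            continue
        if header is None:
            problems.append((no, "data row before #fields header")); continue
        cols = raw.split("\t")           # columns MUST be tab-separated, not spaces
        if len(cols) != len(header):
            problems.append((no, f"expected {len(header)} tab-separated columns, got {len(cols)}")); continue
        row = dict(zip(header, cols))
        kind, ind = row["indicator_type"], row["indicator"]
        if kind not in INDICATOR_TYPES:
            problems.append((no, f"unknown indicator_type {kind}")); continue
        try:
            if kind == "Intel::ADDR":
                ipaddress.ip_address(ind)
            elif kind == "Intel::SUBNET":
                ipaddress.ip_network(ind, strict=False)
        except ValueError:
            problems.append((no, f"{kind} indicator '{ind}' does not parse"))
        if kind == "Intel::FILE_HASH" and not HEX_HASH.match(ind.lower()):
            problems.append((no, f"FILE_HASH '{ind}' is not an MD5/SHA-1/SHA-256 hex digest"))
    if header is None:
        problems.append((0, "no #fields header found"))
    return problems

# Constructed sample feed: documentation addresses and placeholder values, not real indicators.
SAMPLE = "\n".join([
    "#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc\tmeta.url",
    "192.0.2.10\tIntel::ADDR\texample-feed\tconstructed test entry\t-",
    "bad.example\tIntel::DOMAIN\texample-feed\tconstructed test entry\t-",
    "192.0.2.999\tIntel::ADDR\texample-feed\tmalformed on purpose\t-",
    "whatever\tIntel::BOGUS\texample-feed\t-\t-",
    "deadbeef\tIntel::FILE_HASH\texample-feed\ttoo short on purpose\t-",
])
```

Running validate_intel_file on SAMPLE flags the last three rows (bad address, unknown type, short hash) and nothing else; a row written with spaces instead of tabs is reported as a column-count mismatch.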

See Zeek Intelligence Framework in the main Malcolm documentation for more information.