BZAR Update - Config Options for Detection, Reporting, and Whitelisting


A new update to BZAR is available. As presented at ZeekWeek 2019, we improved the whitelisting capability to ignore activity based on IP address, IP subnet, or hostname, and we added configuration options to toggle on/off detection and reporting of each ATT&CK indicator. These new features allow for very granular control of the whitelists and toggle switches. As a result, we split some of the script files to make the code more manageable. See the CHANGES file for more information.

For the new version, use the Zeek package manager or download from the following URL:

Please let me know if you encounter any errors. BZAR still uses the .bro file extension for the scripts, so you may see some deprecation warnings, but it should run as expected. We’ll make BZAR fully compliant with Zeek 3.0 soon.

Mark I. Fernandez

The MITRE Corporation