Dovehawk is a Zeek module that automatically imports MISP indicators and reports Sightings
Added config options to ignore certificate warnings for self-signed MISP instances, and a cluster name to use as the MISP Source ID when adding sightings.
Several updates to support Zeek v3.1.1 and higher. Removed older references to Bro functions.
The next release will not be backward compatible with Zeek 3.0 and lower. See Release 1.02.001 for Zeek 3.1 and higher.
This version includes additional metadata from indicator and content signature hits to help evaluate the activity remotely. It also limits repeated low-value indicator hits such as DNS requests and inbound scans.
This version adds support for the built-in transparent cluster mode of the Intelligence Framework, so that in a cluster a single manager downloads the indicators rather than every worker.
Additional metadata is now included for hits: HTTP, DNS, SSL and SMTP metadata is collected when a hit occurs.
New features:
Updated to support the Bro Package Manager (https://packages.bro.org), and added support for the new MISP Network Activity->bro datatype for Bro signatures in addition to indicators. Prefix a content signature's event message with MISP: to include its hits in sightings reports.
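As an added illustration of the MISP: prefix convention (not code from the Dovehawk project), the following Zeek signature file uses a constructed signature name and a constructed HTTP path; only the event message prefix is what the sightings reporting keys on. Load it with the -s flag or an @load-sigs line in a Zeek script.

```zeek
# Constructed example: an HTTP request to a hypothetical path that an
# analyst wants counted as a MISP sighting when Dovehawk is loaded.
signature misp-example-http-path {
    ip-proto == tcp
    dst-port == 80
    # Match on the HTTP request line (constructed path, not a real indicator).
    http-request /.*\/example-constructed-path\/check\.php/
    # The "MISP: " prefix is what marks this content hit for sightings reporting;
    # signatures whose event message lacks the prefix still log to signatures.log
    # but are not reported back to MISP.
    event "MISP: example constructed path requested"
}
```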
The first version of the Dovehawk Bro module, with support for downloading indicators from MISP and reporting sightings back to MISP, plus some additional metadata printed to the console.