dovehawk.io

DoveHawk Zeek Project

The DoveHawk Project provides threat hunting automation capabilities using Zeek Network Security Monitor, MISP Malware Information Sharing Platform, and your own threat intelligence.


DoveHawk Zeek-MISP

The DoveHawk Module handles downloading and importing MISP indicators into Zeek (Bro) every 4 hours and reports back MISP sightings for any hits. Hunt malware and adversaries on your network with your own threat intelligence leveraging the community power of MISP.

Transparent cluster support is included: indicators are downloaded from MISP once on the cluster manager, which automatically distributes them to all workers.

Github

Latest Release v1.01

DoveHawk Passive DNS

Capture pDNS data with Zeek to a central database to run historical checks for malware domains and also to quality check new indicators against normal activity. This module aggregates DNS queries from all hosts over a 16 minute period to anonymize activity.

Github

DoveHawk Anonymized Outbound Flow

Capture partial netflow data with Zeek to a central database to run historical checks for malware activity and also to quality check new indicators against normal activity. This module sums outbound flow from all hosts over a 10 minute period to anonymize activity. All sessions from all hosts are combined into a single count of outgoing traffic bytes per destination IP. Inbound traffic is not counted.

Github

DoveHawk AWS Lambda Connector

Serverless Python Lambda function, exposed through an API Gateway endpoint, to import passive DNS and anonymized netflow data into an RDS database.

Github

Info

Zeek - The open source network security monitor.

Zeek Package Manager - Zeek Packages to add on functionality.

Zeek Cluster and Recommended Hardware

MISP Project - MISP is the open source threat intelligence platform.

MISP Sightings - Sightings are feedback on threat intelligence activity seen.

Contact

@tylabs Tyler McLellan