# zeek.env.example - environment variables for Zeek and the Zeek-extracted-file
# scanning pipeline (presumably copied to zeek.env before use). Every value is a
# plain string with no quoting or escaping; boolean-style settings use
# true/false; a blank value means "unset" unless a comment below says otherwise.
#
# ----- Site definition and threat-intel feeds -----
#
# Specifies a comma-separated list of the networks that Zeek considers "local",
# for Site::local_nets and networks.cfg. e.g., 1.2.3.0/24,5.6.7.0/24.
# Note that by default, Zeek considers IANA-registered private address space
# such as 10/8 and 192.168/16 site-local.
# Getting this right matters for detection: Site::local_nets is what separates
# inbound from outbound traffic, so a missing range shows up as external.
ZEEK_LOCAL_NETS=
# Specifies the value for Zeek's Intel::item_expiration timeout (-1min to disable)
# -1min, the value here, disables expiration entirely; set a Zeek interval
# (e.g. 30min) if stale indicators should age out on their own.
ZEEK_INTEL_ITEM_EXPIRATION=-1min
# When querying a TAXII or MISP feed, only process threat indicators that have
# been created or modified since the time represented by this value;
# it may be either a fixed date/time (01/01/2021) or relative interval (30 days ago)
# Blank presumably applies no date filter - confirm against the feed-query code.
ZEEK_INTEL_FEED_SINCE=
# Specifies a cron expression indicating the refresh interval for generating the
# Zeek Intelligence Framework files ('' disables automatic refresh)
# Blank, the value here, means no scheduled refresh: the Intel files are only
# regenerated by whatever non-scheduled path exists (startup or a manual run -
# confirm which).
ZEEK_INTEL_REFRESH_CRON_EXPRESSION=
# Number of threads to use for querying feeds for generating Zeek Intelligence Framework files
ZEEK_INTEL_REFRESH_THREADS=2
#
# ----- File extraction -----
#
# Determines the file extraction behavior for file transfers detected by Zeek
# none, the value here, presumably extracts nothing, which leaves every
# EXTRACTED_FILE_* setting below inert until it is changed; consult local.zeek
# for the accepted values.
ZEEK_EXTRACTOR_MODE=none
# Whether or not to use polling vs. native inotify API to watch for files
# true = poll, false (the value here) = inotify; the *_ASSUME_CLOSED_SEC value
# below is only consulted when polling.
EXTRACTED_FILE_WATCHER_POLLING=false
# When polling, seconds of inactivity to assume a file is closed and ready for processing
EXTRACTED_FILE_WATCHER_POLLING_ASSUME_CLOSED_SEC=10
# Whether or not files extant in ./zeek-logs/extract_files/ will be ignored on startup
# false, the value here, means files left over from a previous run are picked
# up again on startup rather than skipped.
EXTRACTED_FILE_IGNORE_EXISTING=false
# Determines the behavior for preservation of Zeek-extracted files
# Presumably selects which scanned files are kept on disk; the "/quarantined"
# and "/preserved" subdirectories mentioned for the HTTP server below look like
# where kept files land. See local.zeek for the accepted values.
EXTRACTED_FILE_PRESERVATION=quarantined
# The minimum size (in bytes) for files to be extracted by Zeek
EXTRACTED_FILE_MIN_BYTES=64
# The maximum size (in bytes) for files to be extracted by Zeek
# 134217728 = 128 MiB. Larger transfers are never written to disk, which also
# bounds the disk space any single transfer can consume.
EXTRACTED_FILE_MAX_BYTES=134217728
#
# ----- Scanning of extracted files -----
#
# Rate limiting for VirusTotal, ClamAV, YARA and capa with Zeek-extracted files
# VTOT_REQUESTS_PER_MINUTE is a per-minute rate (4 matches VirusTotal's public
# API limit); the *_MAX_REQUESTS values are presumably concurrency caps on the
# local scanners rather than per-minute rates - confirm in the pipeline code.
# VirusTotal lookups send information about extracted files to an external
# service; decide whether that is acceptable for the traffic being captured.
VTOT_REQUESTS_PER_MINUTE=4
CLAMD_MAX_REQUESTS=8
YARA_MAX_REQUESTS=8
CAPA_MAX_REQUESTS=4
# Whether or not YARA will scan Zeek-extracted files
# With YARA, capa and ClamAV all false (the values here) extracted files are
# written to disk but no local scanner runs on them.
EXTRACTED_FILE_ENABLE_YARA=false
# Whether or not the default YARA ruleset will be ignored and only custom rules used
EXTRACTED_FILE_YARA_CUSTOM_ONLY=false
# Whether or not capa will scan Zeek-extracted executables
EXTRACTED_FILE_ENABLE_CAPA=false
# Whether or not capa will be extra verbose
EXTRACTED_FILE_CAPA_VERBOSE=false
# Whether or not ClamAV will scan Zeek-extracted executables
EXTRACTED_FILE_ENABLE_CLAMAV=false
# Whether or not to regularly update rule definitions for file scanning engines
# Enabling this presumably requires outbound network access from the scanning
# host. Signatures only stay useful if refreshed, so on an isolated deployment
# plan an alternate update path rather than leaving the bundled rules to age.
EXTRACTED_FILE_UPDATE_RULES=false
# Verbosity flag for extracted file pipeline debugging (e.g., -v, -vv, -vvv, etc.)
EXTRACTED_FILE_PIPELINE_VERBOSITY=
#
# ----- HTTP access to extracted files -----
#
# Whether or not to serve the directory containing Zeek-extracted files over HTTP at ./extracted-files/
# What gets served is the raw content of file transfers seen on the wire, which
# can include malware and sensitive documents; leave this false unless that
# endpoint is access-controlled and the exposure is intended.
EXTRACTED_FILE_HTTP_SERVER_ENABLE=false
# Whether or not Zeek-extracted files served over HTTP will be archived in a Zip file
# Zip packaging changes how a download is delivered (presumably so a browser
# does not render or execute the raw file); it does not change who may fetch it.
EXTRACTED_FILE_HTTP_SERVER_ZIP=false
# HTTP server will look in subdirectories for requested filename (e.g., in "/quarantined" and "/preserved")
EXTRACTED_FILE_HTTP_SERVER_RECURSIVE=true
#
# ----- Zeek feature toggles -----
#
# Environment variables for tweaking Zeek at runtime (see local.zeek)
# Set to any non-blank value to disable the corresponding feature
# These are DISABLE flags: blank keeps the feature enabled, true turns it off.
# As written, hashing every file, logging captured passwords, validating SSL
# certificates and tracking all assets are all enabled. Password logging
# presumably writes plaintext credentials seen on the wire into Zeek's logs and
# anywhere those logs are shipped - treat leaving it on as a data-handling
# decision, not just a tuning knob.
ZEEK_DISABLE_HASH_ALL_FILES=
ZEEK_DISABLE_LOG_PASSWORDS=
ZEEK_DISABLE_SSL_VALIDATE_CERTS=
ZEEK_DISABLE_TRACK_ALL_ASSETS=
# Spicy-based protocol analyzers. DHCP, DNS, HTTP and QUIC are disabled here,
# presumably because Zeek's built-in analyzers already cover those protocols
# (confirm in local.zeek); the rest are enabled.
ZEEK_DISABLE_SPICY_DHCP=true
ZEEK_DISABLE_SPICY_DNS=true
ZEEK_DISABLE_SPICY_HTTP=true
ZEEK_DISABLE_SPICY_IPSEC=
ZEEK_DISABLE_SPICY_LDAP=
ZEEK_DISABLE_SPICY_OPENVPN=
ZEEK_DISABLE_SPICY_QUIC=true
ZEEK_DISABLE_SPICY_STUN=
ZEEK_DISABLE_SPICY_TAILSCALE=
ZEEK_DISABLE_SPICY_TFTP=
ZEEK_DISABLE_SPICY_WIREGUARD=
# ICS/OT protocol analyzers. All enabled here; ZEEK_DISABLE_ICS_ALL presumably
# switches every ICS analyzer off at once regardless of the per-protocol flags
# (confirm in local.zeek).
ZEEK_DISABLE_ICS_ALL=
ZEEK_DISABLE_ICS_BACNET=
ZEEK_DISABLE_ICS_BSAP=
ZEEK_DISABLE_ICS_DNP3=
ZEEK_DISABLE_ICS_ENIP=
ZEEK_DISABLE_ICS_ETHERCAT=
ZEEK_DISABLE_ICS_GENISYS=
ZEEK_DISABLE_ICS_OPCUA_BINARY=
ZEEK_DISABLE_ICS_MODBUS=
ZEEK_DISABLE_ICS_PROFINET=
ZEEK_DISABLE_ICS_S7COMM=
ZEEK_DISABLE_ICS_SYNCHROPHASOR=
# Per-analyzer overrides. These are NOT disable flags, so the non-blank-disables
# rule above does not apply: *_PORTS presumably lists the ports the analyzer is
# attached to, blank meaning its built-in defaults; ZEEK_SYNCHROPHASOR_DETAILED
# presumably toggles more detailed synchrophasor logging. Confirm the accepted
# formats in local.zeek.
ZEEK_SYNCHROPHASOR_PORTS=
ZEEK_SYNCHROPHASOR_DETAILED=
ZEEK_GENISYS_PORTS=
ZEEK_ENIP_PORTS=
# Heuristic ("best guess") ICS protocol identification is disabled here;
# enabling it presumably tags more traffic as ICS at the cost of false positives.
ZEEK_DISABLE_BEST_GUESS_ICS=true