dfir

Zeek's default base scripts currently disable analyzers, for protocols which support encryption, after the protocol's handshake and once a connection begins using encryption. Module namespaces which do this include SSL, SSH, and RDP. These namespaces each export a boolean option named disable_analyzer_after_detection which controls some logic that wraps a call to the [disable_analyzer](htt

It would be convenient if deploy_timesketch.sh also started the containers at the end of the run.

I was wondering the benefit of using Modular File Management vs Single Config File Management? Why do you consider it easier to use multiple files and then compile? Trying to figure out what the best case is for my use case. Thanks. #

Right now a lot of the logging from the tasks does not get propagated back to the user, so we should make sure that all of the tasks are adding logs and errors to the results so that at minimum the data gets put into the worker-log.txt. Ideally we would store this info in datastore so that the clients could query it later (this part is in #115).