BZAR Scipts Loaded?

[sjnhawk]

I've looked through the documentation regarding Zeek BZAR scripts, and I'm trying to figure out whether they are loaded. The documentation says that "Please note that the MITRE BZAR scripts are disabled by default." and that you can configure them through "Administration –> Configuration –> zeek" however, it doesn't provide additional information on how to configure them.

I think that I should be looking at "load-sigs" or "load" under the Zeek configuration, which currently has:

load-sigs:
frameworks/signatures/detect-windows-shells

load:
misc/loaded-scripts tuning/defaults misc/capture-loss frameworks/software/vulnerable frameworks/software/version-changes protocols/ftp/software protocols/smtp/software protocols/ssh/software protocols/http/software protocols/dns/detect-external-names protocols/ftp/detect protocols/conn/known-hosts protocols/conn/known-services protocols/conn/vlan-logging protocols/ssl/known-certs protocols/ssl/validate-certs protocols/ssl/log-hostcerts-only protocols/ssh/geo-data protocols/ssh/detect-bruteforcing protocols/ssh/interesting-hostnames protocols/http/detect-sqli frameworks/files/hash-all-files frameworks/files/detect-MHR policy/frameworks/notice/extend-email/hostnames ja3 hassh intel cve-2020-0601 securityonion/bpfconf securityonion/communityid securityonion/file-extraction oui-logging icsnpp-modbus icsnpp-dnp3 icsnpp-bacnet icsnpp-ethercat icsnpp-enip icsnpp-opcua-binary icsnpp-bsap icsnpp-s7comm zeek-plugin-tds zeek-plugin-profinet zeek-spicy-wireguard zeek-spicy-stun
Does one of these options include the BZAR scripts? I've looked at #11298 however, that doesn't really help identify how to load them.

Thanks!

[cm-ops]

If you placed the configuration as explained in the documentation you can grep bzar in /nsm/zeek/logs/current/loaded_scripts.log after you restart Zeek. The configuration is under Administration > configuration > zeek > config > local > load