Change doc/ subdir into a git submodule

The docs now live at https://github.com/zeek/zeek-docs
Jon Siwek 2019-01-17 14:09:29 -06:00
parent 0d685efbf5
commit 2ff746fea7
693 changed files with 26 additions and 105609 deletions

View file

@ -1,241 +0,0 @@
Attributes
==========
The Bro scripting language supports the following attributes.
+-----------------------------+-----------------------------------------------+
| Name | Description |
+=============================+===============================================+
| :bro:attr:`&redef` |Redefine a global constant or extend a type. |
+-----------------------------+-----------------------------------------------+
| :bro:attr:`&priority` |Specify priority for event handler or hook. |
+-----------------------------+-----------------------------------------------+
| :bro:attr:`&log` |Mark a record field as to be written to a log. |
+-----------------------------+-----------------------------------------------+
| :bro:attr:`&optional` |Allow a record field value to be missing. |
+-----------------------------+-----------------------------------------------+
| :bro:attr:`&default` |Specify a default value. |
+-----------------------------+-----------------------------------------------+
| :bro:attr:`&add_func` |Specify a function to call for each "redef +=".|
+-----------------------------+-----------------------------------------------+
| :bro:attr:`&delete_func` |Same as "&add_func", except for "redef -=". |
+-----------------------------+-----------------------------------------------+
| :bro:attr:`&expire_func` |Specify a function to call when container |
| |element expires. |
+-----------------------------+-----------------------------------------------+
| :bro:attr:`&read_expire` |Specify a read timeout interval. |
+-----------------------------+-----------------------------------------------+
| :bro:attr:`&write_expire` |Specify a write timeout interval. |
+-----------------------------+-----------------------------------------------+
| :bro:attr:`&create_expire` |Specify a creation timeout interval. |
+-----------------------------+-----------------------------------------------+
| :bro:attr:`&synchronized` |Synchronize a variable across nodes. |
+-----------------------------+-----------------------------------------------+
| :bro:attr:`&persistent` |Make a variable persistent (written to disk). |
+-----------------------------+-----------------------------------------------+
| :bro:attr:`&rotate_interval`|Rotate a file after specified interval. |
+-----------------------------+-----------------------------------------------+
| :bro:attr:`&rotate_size` |Rotate a file after specified file size. |
+-----------------------------+-----------------------------------------------+
| :bro:attr:`&encrypt` |Encrypt a file when writing to disk. |
+-----------------------------+-----------------------------------------------+
| :bro:attr:`&raw_output` |Open file in raw mode (chars. are not escaped).|
+-----------------------------+-----------------------------------------------+
| :bro:attr:`&mergeable` |Prefer set union for synchronized state. |
+-----------------------------+-----------------------------------------------+
| :bro:attr:`&error_handler` |Used internally for reporter framework events. |
+-----------------------------+-----------------------------------------------+
| :bro:attr:`&type_column` |Used by input framework for "port" type. |
+-----------------------------+-----------------------------------------------+
| :bro:attr:`&deprecated` |Marks an identifier as deprecated. |
+-----------------------------+-----------------------------------------------+
Here is a more detailed explanation of each attribute:
.. bro:attr:: &redef
Allows use of a :bro:keyword:`redef` to redefine initial values of
global variables (i.e., variables declared either :bro:keyword:`global`
or :bro:keyword:`const`). Example::
const clever = T &redef;
global cache_size = 256 &redef;
Note that a variable declared "global" can also have its value changed
with assignment statements (doesn't matter if it has the "&redef"
attribute or not).
.. bro:attr:: &priority
Specifies the execution priority (as a signed integer) of a hook or
event handler. Higher values are executed before lower ones. The
default value is 0. Example::
event bro_init() &priority=10
{
print "high priority";
}
.. bro:attr:: &log
Writes a :bro:type:`record` field to the associated log stream.
.. bro:attr:: &optional
Allows a record field value to be missing (i.e., neither initialized nor
ever assigned a value).
In this example, the record could be instantiated with either
"myrec($a=127.0.0.1)" or "myrec($a=127.0.0.1, $b=80/tcp)"::
type myrec: record { a: addr; b: port &optional; };
The ``?$`` operator can be used to check if a record field has a value or
not (it returns a ``bool`` value of ``T`` if the field has a value,
and ``F`` if not).
.. bro:attr:: &default
Specifies a default value for a record field, container element, or a
function/hook/event parameter.
In this example, the record could be instantiated with either
"myrec($a=5, $c=3.14)" or "myrec($a=5, $b=53/udp, $c=3.14)"::
type myrec: record { a: count; b: port &default=80/tcp; c: double; };
In this example, the table will return the string ``"foo"`` for any
attempted access to a non-existing index::
global mytable: table[count] of string &default="foo";
When used with function/hook/event parameters, all of the parameters
with the "&default" attribute must come after all other parameters.
For example, the following function could be called either as "myfunc(5)"
or as "myfunc(5, 53/udp)"::
function myfunc(a: count, b: port &default=80/tcp)
{
print a, b;
}
.. bro:attr:: &add_func
Can be applied to an identifier with &redef to specify a function to
be called any time a "redef <id> += ..." declaration is parsed. The
function takes two arguments of the same type as the identifier, the first
being the old value of the variable and the second being the new
value given after the "+=" operator in the "redef" declaration. The
return value of the function will be the actual new value of the
variable after the "redef" declaration is parsed.
.. bro:attr:: &delete_func
Same as :bro:attr:`&add_func`, except for :bro:keyword:`redef` declarations
that use the "-=" operator.
.. bro:attr:: &expire_func
Called right before a container element expires. The function's
first parameter is of the same type of the container and the second
parameter the same type of the container's index. The return
value is an :bro:type:`interval` indicating the amount of additional
time to wait before expiring the container element at the given
index (which will trigger another execution of this function).
.. bro:attr:: &read_expire
Specifies a read expiration timeout for container elements. That is,
the element expires after the given amount of time since the last
time it has been read. Note that a write also counts as a read.
.. bro:attr:: &write_expire
Specifies a write expiration timeout for container elements. That
is, the element expires after the given amount of time since the
last time it has been written.
.. bro:attr:: &create_expire
Specifies a creation expiration timeout for container elements. That
is, the element expires after the given amount of time since it has
been inserted into the container, regardless of any reads or writes.
.. bro:attr:: &synchronized
Synchronizes variable accesses across nodes. The value of a
``&synchronized`` variable is automatically propagated to all peers
when it changes.
.. bro:attr:: &persistent
Makes a variable persistent, i.e., its value is written to disk (per
default at shutdown time).
.. bro:attr:: &rotate_interval
Rotates a file after a specified interval.
Note: This attribute is deprecated and will be removed in a future release.
.. bro:attr:: &rotate_size
Rotates a file after it has reached a given size in bytes.
Note: This attribute is deprecated and will be removed in a future release.
.. bro:attr:: &encrypt
Encrypts files right before writing them to disk.
Note: This attribute is deprecated and will be removed in a future release.
.. bro:attr:: &raw_output
Opens a file in raw mode, i.e., non-ASCII characters are not
escaped.
.. bro:attr:: &mergeable
Prefers merging sets on assignment for synchronized state. This
attribute is used in conjunction with :bro:attr:`&synchronized`
container types: when the same container is updated at two peers
with different values, the propagation of the state causes a race
condition, where the last update succeeds. This can cause
inconsistencies and can be avoided by unifying the two sets, rather
than merely overwriting the old value.
.. bro:attr:: &error_handler
Internally set on the events that are associated with the reporter
framework: :bro:id:`reporter_info`, :bro:id:`reporter_warning`, and
:bro:id:`reporter_error`. It prevents any handlers of those events
from being able to generate reporter messages that go through any of
those events (i.e., it prevents an infinite event recursion). Instead,
such nested reporter messages are output to stderr.
.. bro:attr:: &type_column
Used by the input framework. It can be used on columns of type
:bro:type:`port` (such a column only contains the port number) and
specifies the name of an additional column in
the input file which specifies the protocol of the port (tcp/udp/icmp).
In the following example, the input file would contain four columns
named "ip", "srcp", "proto", and "msg"::
type Idx: record {
ip: addr;
};
type Val: record {
srcp: port &type_column = "proto";
msg: string;
};
.. bro:attr:: &deprecated
The associated identifier is marked as deprecated and will be
removed in a future version of Bro. Look in the NEWS file for more
instructions to migrate code that uses deprecated functionality.
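Review bot: Removing doc/attributes.rst leaves nothing in this tree that tells a reader where the attribute reference went; the commit message names https://github.com/zeek/zeek-docs, so the submodule added by this commit should be pinned to a revision that actually contains this page, and a one-line stub in doc/ (or the README) pointing at the submodule would save readers a search. Two details in the removed text deserve a fix at the new location rather than being carried over as-is: the `&rotate_interval`, `&rotate_size` and `&encrypt` entries are marked "deprecated and will be removed in a future release" in the detail section but not in the summary table at the top, and the `&expire_func` sentence "first parameter is of the same type of the container and the second parameter the same type of the container's index" should read "of the same type as the container ... as the container's index".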

View file

@ -1,946 +0,0 @@
File Analyzers
==============
.. bro:type:: Files::Tag
:Type: :bro:type:`enum`
.. bro:enum:: Files::ANALYZER_DATA_EVENT Files::Tag
.. bro:enum:: Files::ANALYZER_ENTROPY Files::Tag
.. bro:enum:: Files::ANALYZER_EXTRACT Files::Tag
.. bro:enum:: Files::ANALYZER_MD5 Files::Tag
.. bro:enum:: Files::ANALYZER_SHA1 Files::Tag
.. bro:enum:: Files::ANALYZER_SHA256 Files::Tag
.. bro:enum:: Files::ANALYZER_PE Files::Tag
.. bro:enum:: Files::ANALYZER_UNIFIED2 Files::Tag
.. bro:enum:: Files::ANALYZER_OCSP_REPLY Files::Tag
.. bro:enum:: Files::ANALYZER_OCSP_REQUEST Files::Tag
.. bro:enum:: Files::ANALYZER_X509 Files::Tag
Bro::FileDataEvent
------------------
Delivers file content
Components
++++++++++
:bro:enum:`Files::ANALYZER_DATA_EVENT`
Bro::FileEntropy
----------------
Entropy test file content
Components
++++++++++
:bro:enum:`Files::ANALYZER_ENTROPY`
Events
++++++
.. bro:id:: file_entropy
:Type: :bro:type:`event` (f: :bro:type:`fa_file`, ent: :bro:type:`entropy_test_result`)
This event is generated each time file analysis performs
entropy testing on a file.
:f: The file.
:ent: The results of the entropy testing.
Bro::FileExtract
----------------
Extract file content
Components
++++++++++
:bro:enum:`Files::ANALYZER_EXTRACT`
Events
++++++
.. bro:id:: file_extraction_limit
:Type: :bro:type:`event` (f: :bro:type:`fa_file`, args: :bro:type:`Files::AnalyzerArgs`, limit: :bro:type:`count`, len: :bro:type:`count`)
This event is generated when a file extraction analyzer is about
to exceed the maximum permitted file size allowed by the
*extract_limit* field of :bro:see:`Files::AnalyzerArgs`.
The analyzer is automatically removed from file *f*.
:f: The file.
:args: Arguments that identify a particular file extraction analyzer.
This is only provided to be able to pass along to
:bro:see:`FileExtract::set_limit`.
:limit: The limit, in bytes, the extracted file is about to breach.
:len: The length of the file chunk about to be written.
.. bro:see:: Files::add_analyzer Files::ANALYZER_EXTRACT
Functions
+++++++++
.. bro:id:: FileExtract::__set_limit
:Type: :bro:type:`function` (file_id: :bro:type:`string`, args: :bro:type:`any`, n: :bro:type:`count`) : :bro:type:`bool`
:bro:see:`FileExtract::set_limit`.
Bro::FileHash
-------------
Hash file content
Components
++++++++++
:bro:enum:`Files::ANALYZER_MD5`
:bro:enum:`Files::ANALYZER_SHA1`
:bro:enum:`Files::ANALYZER_SHA256`
Events
++++++
.. bro:id:: file_hash
:Type: :bro:type:`event` (f: :bro:type:`fa_file`, kind: :bro:type:`string`, hash: :bro:type:`string`)
This event is generated each time file analysis generates a digest of the
file contents.
:f: The file.
:kind: The type of digest algorithm.
:hash: The result of the hashing.
.. bro:see:: Files::add_analyzer Files::ANALYZER_MD5
Files::ANALYZER_SHA1 Files::ANALYZER_SHA256
Bro::PE
-------
Portable Executable analyzer
Components
++++++++++
:bro:enum:`Files::ANALYZER_PE`
Events
++++++
.. bro:id:: pe_dos_header
:Type: :bro:type:`event` (f: :bro:type:`fa_file`, h: :bro:type:`PE::DOSHeader`)
A :abbr:`PE (Portable Executable)` file DOS header was parsed.
This is the top-level header and contains information like the
size of the file, initial value of registers, etc.
:f: The file.
:h: The parsed DOS header information.
.. bro:see:: pe_dos_code pe_file_header pe_optional_header pe_section_header
.. bro:id:: pe_dos_code
:Type: :bro:type:`event` (f: :bro:type:`fa_file`, code: :bro:type:`string`)
A :abbr:`PE (Portable Executable)` file DOS stub was parsed.
The stub is a valid application that runs under MS-DOS, by default
to inform the user that the program can't be run in DOS mode.
:f: The file.
:code: The DOS stub
.. bro:see:: pe_dos_header pe_file_header pe_optional_header pe_section_header
.. bro:id:: pe_file_header
:Type: :bro:type:`event` (f: :bro:type:`fa_file`, h: :bro:type:`PE::FileHeader`)
A :abbr:`PE (Portable Executable)` file file header was parsed.
This header contains information like the target machine,
the timestamp when the file was created, the number of sections, and
pointers to other parts of the file.
:f: The file.
:h: The parsed file header information.
.. bro:see:: pe_dos_header pe_dos_code pe_optional_header pe_section_header
.. bro:id:: pe_optional_header
:Type: :bro:type:`event` (f: :bro:type:`fa_file`, h: :bro:type:`PE::OptionalHeader`)
A :abbr:`PE (Portable Executable)` file optional header was parsed.
This header is required for executable files, but not for object files.
It contains information like OS requirements to execute the file, the
original entry point address, and information needed to load the file
into memory.
:f: The file.
:h: The parsed optional header information.
.. bro:see:: pe_dos_header pe_dos_code pe_file_header pe_section_header
.. bro:id:: pe_section_header
:Type: :bro:type:`event` (f: :bro:type:`fa_file`, h: :bro:type:`PE::SectionHeader`)
A :abbr:`PE (Portable Executable)` file section header was parsed.
This header contains information like the section name, size, address,
and characteristics.
:f: The file.
:h: The parsed section header information.
.. bro:see:: pe_dos_header pe_dos_code pe_file_header pe_optional_header
Bro::Unified2
-------------
Analyze Unified2 alert files.
Components
++++++++++
:bro:enum:`Files::ANALYZER_UNIFIED2`
Types
+++++
.. bro:type:: Unified2::IDSEvent
:Type: :bro:type:`record`
sensor_id: :bro:type:`count`
event_id: :bro:type:`count`
ts: :bro:type:`time`
signature_id: :bro:type:`count`
generator_id: :bro:type:`count`
signature_revision: :bro:type:`count`
classification_id: :bro:type:`count`
priority_id: :bro:type:`count`
src_ip: :bro:type:`addr`
dst_ip: :bro:type:`addr`
src_p: :bro:type:`port`
dst_p: :bro:type:`port`
impact_flag: :bro:type:`count`
impact: :bro:type:`count`
blocked: :bro:type:`count`
mpls_label: :bro:type:`count` :bro:attr:`&optional`
Not available in "legacy" IDS events.
vlan_id: :bro:type:`count` :bro:attr:`&optional`
Not available in "legacy" IDS events.
packet_action: :bro:type:`count` :bro:attr:`&optional`
Only available in "legacy" IDS events.
.. bro:type:: Unified2::Packet
:Type: :bro:type:`record`
sensor_id: :bro:type:`count`
event_id: :bro:type:`count`
event_second: :bro:type:`count`
packet_ts: :bro:type:`time`
link_type: :bro:type:`count`
data: :bro:type:`string`
Events
++++++
.. bro:id:: unified2_event
:Type: :bro:type:`event` (f: :bro:type:`fa_file`, ev: :bro:type:`Unified2::IDSEvent`)
Abstract all of the various Unified2 event formats into
a single event.
:f: The file.
:ev: TODO.
.. bro:id:: unified2_packet
:Type: :bro:type:`event` (f: :bro:type:`fa_file`, pkt: :bro:type:`Unified2::Packet`)
The Unified2 packet format event.
:f: The file.
:pkt: TODO.
Bro::X509
---------
X509 and OCSP analyzer
Components
++++++++++
:bro:enum:`Files::ANALYZER_OCSP_REPLY`
:bro:enum:`Files::ANALYZER_OCSP_REQUEST`
:bro:enum:`Files::ANALYZER_X509`
Types
+++++
.. bro:type:: X509::Certificate
:Type: :bro:type:`record`
version: :bro:type:`count` :bro:attr:`&log`
Version number.
serial: :bro:type:`string` :bro:attr:`&log`
Serial number.
subject: :bro:type:`string` :bro:attr:`&log`
Subject.
issuer: :bro:type:`string` :bro:attr:`&log`
Issuer.
cn: :bro:type:`string` :bro:attr:`&optional`
Last (most specific) common name.
not_valid_before: :bro:type:`time` :bro:attr:`&log`
Timestamp before when certificate is not valid.
not_valid_after: :bro:type:`time` :bro:attr:`&log`
Timestamp after when certificate is not valid.
key_alg: :bro:type:`string` :bro:attr:`&log`
Name of the key algorithm
sig_alg: :bro:type:`string` :bro:attr:`&log`
Name of the signature algorithm
key_type: :bro:type:`string` :bro:attr:`&optional` :bro:attr:`&log`
Key type, if key parseable by openssl (either rsa, dsa or ec)
key_length: :bro:type:`count` :bro:attr:`&optional` :bro:attr:`&log`
Key length in bits
exponent: :bro:type:`string` :bro:attr:`&optional` :bro:attr:`&log`
Exponent, if RSA-certificate
curve: :bro:type:`string` :bro:attr:`&optional` :bro:attr:`&log`
Curve, if EC-certificate
.. bro:type:: X509::Extension
:Type: :bro:type:`record`
name: :bro:type:`string`
Long name of extension. oid if name not known
short_name: :bro:type:`string` :bro:attr:`&optional`
Short name of extension if known
oid: :bro:type:`string`
Oid of extension
critical: :bro:type:`bool`
True if extension is critical
value: :bro:type:`string`
Extension content parsed to string for known extensions. Raw data otherwise.
.. bro:type:: X509::BasicConstraints
:Type: :bro:type:`record`
ca: :bro:type:`bool` :bro:attr:`&log`
CA flag set?
path_len: :bro:type:`count` :bro:attr:`&optional` :bro:attr:`&log`
Maximum path length
:Attributes: :bro:attr:`&log`
.. bro:type:: X509::SubjectAlternativeName
:Type: :bro:type:`record`
dns: :bro:type:`string_vec` :bro:attr:`&optional` :bro:attr:`&log`
List of DNS entries in SAN
uri: :bro:type:`string_vec` :bro:attr:`&optional` :bro:attr:`&log`
List of URI entries in SAN
email: :bro:type:`string_vec` :bro:attr:`&optional` :bro:attr:`&log`
List of email entries in SAN
ip: :bro:type:`addr_vec` :bro:attr:`&optional` :bro:attr:`&log`
List of IP entries in SAN
other_fields: :bro:type:`bool`
True if the certificate contained other, not recognized or parsed name fields
.. bro:type:: X509::Result
:Type: :bro:type:`record`
result: :bro:type:`int`
OpenSSL result code
result_string: :bro:type:`string`
Result as string
chain_certs: :bro:type:`vector` of :bro:type:`opaque` of x509 :bro:attr:`&optional`
References to the final certificate chain, if verification successful. End-host certificate is first.
Result of an X509 certificate chain verification
Events
++++++
.. bro:id:: x509_certificate
:Type: :bro:type:`event` (f: :bro:type:`fa_file`, cert_ref: :bro:type:`opaque` of x509, cert: :bro:type:`X509::Certificate`)
Generated for encountered X509 certificates, e.g., in the clear SSL/TLS
connection handshake.
See `Wikipedia <http://en.wikipedia.org/wiki/X.509>`__ for more information
about the X.509 format.
:f: The file.
:cert_ref: An opaque pointer to the underlying OpenSSL data structure of the
certificate.
:cert: The parsed certificate information.
.. bro:see:: x509_extension x509_ext_basic_constraints
x509_ext_subject_alternative_name x509_parse x509_verify
x509_get_certificate_string x509_ocsp_ext_signed_certificate_timestamp
.. bro:id:: x509_extension
:Type: :bro:type:`event` (f: :bro:type:`fa_file`, ext: :bro:type:`X509::Extension`)
Generated for X509 extensions seen in a certificate.
See `Wikipedia <http://en.wikipedia.org/wiki/X.509>`__ for more information
about the X.509 format.
:f: The file.
:ext: The parsed extension.
.. bro:see:: x509_certificate x509_ext_basic_constraints
x509_ext_subject_alternative_name x509_parse x509_verify
x509_get_certificate_string x509_ocsp_ext_signed_certificate_timestamp
.. bro:id:: x509_ext_basic_constraints
:Type: :bro:type:`event` (f: :bro:type:`fa_file`, ext: :bro:type:`X509::BasicConstraints`)
Generated for the X509 basic constraints extension seen in a certificate.
This extension can be used to identify the subject of a certificate as a CA.
:f: The file.
:ext: The parsed basic constraints extension.
.. bro:see:: x509_certificate x509_extension
x509_ext_subject_alternative_name x509_parse x509_verify
x509_get_certificate_string x509_ocsp_ext_signed_certificate_timestamp
.. bro:id:: x509_ext_subject_alternative_name
:Type: :bro:type:`event` (f: :bro:type:`fa_file`, ext: :bro:type:`X509::SubjectAlternativeName`)
Generated for the X509 subject alternative name extension seen in a certificate.
This extension can be used to allow additional entities to be bound to the
subject of the certificate. Usually it is used to specify one or multiple DNS
names for which a certificate is valid.
:f: The file.
:ext: The parsed subject alternative name extension.
.. bro:see:: x509_certificate x509_extension x509_ext_basic_constraints
x509_parse x509_verify x509_ocsp_ext_signed_certificate_timestamp
x509_get_certificate_string
.. bro:id:: x509_ocsp_ext_signed_certificate_timestamp
:Type: :bro:type:`event` (f: :bro:type:`fa_file`, version: :bro:type:`count`, logid: :bro:type:`string`, timestamp: :bro:type:`count`, hash_algorithm: :bro:type:`count`, signature_algorithm: :bro:type:`count`, signature: :bro:type:`string`)
Generated for the signed_certificate_timestamp X509 extension as defined in
:rfc:`6962`. The extension is used to transmit signed proofs that are
used for Certificate Transparency. Raised when the extension is encountered
in an X.509 certificate or in an OCSP reply.
:f: The file.
:version: the version of the protocol to which the SCT conforms. Always
should be 0 (representing version 1)
:logid: 32 bit key id
:timestamp: the NTP Time when the entry was logged measured since
the epoch, ignoring leap seconds, in milliseconds.
:signature_and_hashalgorithm: signature and hash algorithm used for the
digitally_signed struct
:signature: signature part of the digitally_signed struct
.. bro:see:: ssl_extension_signed_certificate_timestamp x509_extension x509_ext_basic_constraints
x509_parse x509_verify x509_ext_subject_alternative_name
x509_get_certificate_string ssl_extension_signed_certificate_timestamp
sct_verify ocsp_request ocsp_request_certificate ocsp_response_status
ocsp_response_bytes ocsp_response_certificate
x509_ocsp_ext_signed_certificate_timestamp
.. bro:id:: ocsp_request
:Type: :bro:type:`event` (f: :bro:type:`fa_file`, version: :bro:type:`count`)
Event that is raised when encountering an OCSP request, e.g. in an HTTP
connection. See :rfc:`6960` for more details.
This event is raised exactly once for each OCSP Request.
:f: The file.
:req: version: the version of the OCSP request. Typically 0 (Version 1).
.. bro:see:: ocsp_request_certificate ocsp_response_status
ocsp_response_bytes ocsp_response_certificate ocsp_extension
x509_ocsp_ext_signed_certificate_timestamp
.. bro:id:: ocsp_request_certificate
:Type: :bro:type:`event` (f: :bro:type:`fa_file`, hashAlgorithm: :bro:type:`string`, issuerNameHash: :bro:type:`string`, issuerKeyHash: :bro:type:`string`, serialNumber: :bro:type:`string`)
Event that is raised when encountering an OCSP request for a certificate,
e.g. in an HTTP connection. See :rfc:`6960` for more details.
Note that a single OCSP request can contain requests for several certificates.
Thus this event can fire several times for one OCSP request, each time
requesting information for a different (or in theory even the same) certificate.
:f: The file.
:hashAlgorithm: The hash algorithm used for the issuerKeyHash.
:issuerKeyHash: Hash of the issuers public key.
:serialNumber: Serial number of the certificate for which the status is requested.
.. bro:see:: ocsp_request ocsp_response_status
ocsp_response_bytes ocsp_response_certificate ocsp_extension
x509_ocsp_ext_signed_certificate_timestamp
.. bro:id:: ocsp_response_status
:Type: :bro:type:`event` (f: :bro:type:`fa_file`, status: :bro:type:`string`)
This event is raised when encountering an OCSP reply, e.g. in an HTTP
connection or a TLS extension. See :rfc:`6960` for more details.
This event is raised exactly once for each OCSP reply.
:f: The file.
:status: The status of the OCSP response (e.g. succesful, malformedRequest, tryLater).
.. bro:see:: ocsp_request ocsp_request_certificate
ocsp_response_bytes ocsp_response_certificate ocsp_extension
x509_ocsp_ext_signed_certificate_timestamp
.. bro:id:: ocsp_response_bytes
:Type: :bro:type:`event` (f: :bro:type:`fa_file`, resp_ref: :bro:type:`opaque` of ocsp_resp, status: :bro:type:`string`, version: :bro:type:`count`, responderId: :bro:type:`string`, producedAt: :bro:type:`time`, signatureAlgorithm: :bro:type:`string`, certs: :bro:type:`x509_opaque_vector`)
This event is raised when encountering an OCSP response that contains response information.
An OCSP reply can be encountered, for example, in an HTTP connection or
a TLS extension. See :rfc:`6960` for more details on OCSP.
:f: The file.
:req_ref: An opaque pointer to the underlying OpenSSL data structure of the
OCSP response.
:status: The status of the OCSP response (e.g. succesful, malformedRequest, tryLater).
:version: Version of the OCSP response (typically - for version 1).
:responderId: The id of the OCSP responder; either a public key hash or a distinguished name.
:producedAt: Time at which the reply was produced.
:signatureAlgorithm: Algorithm used for the OCSP signature.
:certs: Optional list of certificates that are sent with the OCSP response; these typically
are needed to perform validation of the reply.
.. bro:see:: ocsp_request ocsp_request_certificate ocsp_response_status
ocsp_response_certificate ocsp_extension
x509_ocsp_ext_signed_certificate_timestamp
.. bro:id:: ocsp_response_certificate
:Type: :bro:type:`event` (f: :bro:type:`fa_file`, hashAlgorithm: :bro:type:`string`, issuerNameHash: :bro:type:`string`, issuerKeyHash: :bro:type:`string`, serialNumber: :bro:type:`string`, certStatus: :bro:type:`string`, revokeTime: :bro:type:`time`, revokeReason: :bro:type:`string`, thisUpdate: :bro:type:`time`, nextUpdate: :bro:type:`time`)
This event is raised for each SingleResponse contained in an OCSP response.
See :rfc:`6960` for more details on OCSP.
:f: The file.
:hashAlgorithm: The hash algorithm used for issuerNameHash and issuerKeyHash.
:issuerNameHash: Hash of the issuer's distinguished name.
:issuerKeyHash: Hash of the issuer's public key.
:serialNumber: Serial number of the affected certificate.
:certStatus: Status of the certificate.
:revokeTime: Time the certificate was revoked, 0 if not revoked.
:revokeTeason: Reason certificate was revoked; empty string if not revoked or not specified.
:thisUpdate: Time this response was generated.
:nextUpdate: Time next response will be ready; 0 if not supploed.
.. bro:see:: ocsp_request ocsp_request_certificate ocsp_response_status
ocsp_response_bytes ocsp_extension
x509_ocsp_ext_signed_certificate_timestamp
.. bro:id:: ocsp_extension
:Type: :bro:type:`event` (f: :bro:type:`fa_file`, ext: :bro:type:`X509::Extension`, global_resp: :bro:type:`bool`)
This event is raised when an OCSP extension is encountered in an OCSP response.
See :rfc:`6960` for more details on OCSP.
:f: The file.
:ext: The parsed extension (same format as X.509 extensions).
:global_resp: T if extension encountered in the global response (in ResponseData),
F when encountered in a SingleResponse.
.. bro:see:: ocsp_request ocsp_request_certificate ocsp_response_status
ocsp_response_bytes ocsp_response_certificate
x509_ocsp_ext_signed_certificate_timestamp
Functions
+++++++++
.. bro:id:: x509_parse
:Type: :bro:type:`function` (cert: :bro:type:`opaque` of x509) : :bro:type:`X509::Certificate`
Parses a certificate into an X509::Certificate structure.
:cert: The X509 certificate opaque handle.
:returns: A X509::Certificate structure.
.. bro:see:: x509_certificate x509_extension x509_ext_basic_constraints
x509_ext_subject_alternative_name x509_verify
x509_get_certificate_string
.. bro:id:: x509_get_certificate_string
:Type: :bro:type:`function` (cert: :bro:type:`opaque` of x509, pem: :bro:type:`bool` :bro:attr:`&default` = ``F`` :bro:attr:`&optional`) : :bro:type:`string`
Returns the string form of a certificate.
:cert: The X509 certificate opaque handle.
:pem: A boolean that specifies if the certificate is returned
in pem-form (true), or as the raw ASN1 encoded binary
(false).
:returns: X509 certificate as a string.
.. bro:see:: x509_certificate x509_extension x509_ext_basic_constraints
x509_ext_subject_alternative_name x509_parse x509_verify
.. bro:id:: x509_ocsp_verify
:Type: :bro:type:`function` (certs: :bro:type:`x509_opaque_vector`, ocsp_reply: :bro:type:`string`, root_certs: :bro:type:`table_string_of_string`, verify_time: :bro:type:`time` :bro:attr:`&default` = ``0.0`` :bro:attr:`&optional`) : :bro:type:`X509::Result`
Verifies an OCSP reply.
:certs: Specifies the certificate chain to use. Server certificate first.
:ocsp_reply: the ocsp reply to validate.
:root_certs: A list of root certificates to validate the certificate chain.
:verify_time: Time for the validity check of the certificates.
:returns: A record of type X509::Result containing the result code of the
verify operation.
.. bro:see:: x509_certificate x509_extension x509_ext_basic_constraints
x509_ext_subject_alternative_name x509_parse
x509_get_certificate_string x509_verify
.. bro:id:: x509_verify
:Type: :bro:type:`function` (certs: :bro:type:`x509_opaque_vector`, root_certs: :bro:type:`table_string_of_string`, verify_time: :bro:type:`time` :bro:attr:`&default` = ``0.0`` :bro:attr:`&optional`) : :bro:type:`X509::Result`
Verifies a certificate.
:certs: Specifies a certificate chain that is being used to validate
the given certificate against the root store given in *root_certs*.
The host certificate has to be at index 0.
:root_certs: A list of root certificates to validate the certificate chain.
:verify_time: Time for the validity check of the certificates.
:returns: A record of type X509::Result containing the result code of the
verify operation. In case of success also returns the full
certificate chain.
.. bro:see:: x509_certificate x509_extension x509_ext_basic_constraints
x509_ext_subject_alternative_name x509_parse
x509_get_certificate_string x509_ocsp_verify sct_verify
.. bro:id:: sct_verify
:Type: :bro:type:`function` (cert: :bro:type:`opaque` of x509, logid: :bro:type:`string`, log_key: :bro:type:`string`, signature: :bro:type:`string`, timestamp: :bro:type:`count`, hash_algorithm: :bro:type:`count`, issuer_key_hash: :bro:type:`string` :bro:attr:`&default` = ``""`` :bro:attr:`&optional`) : :bro:type:`bool`
Verifies a Signed Certificate Timestamp as used for Certificate Transparency.
See RFC6962 for more details.
:cert: Certificate against which the SCT should be validated.
:logid: Log id of the SCT.
:log_key: Public key of the Log that issued the SCT proof.
:timestamp: Timestamp at which the proof was generated.
:hash_algorithm: Hash algorithm that was used for the SCT proof.
:issuer_key_hash: The SHA-256 hash of the certificate issuer's public key.
This only has to be provided if the SCT was encountered in an X.509
certificate extension; in that case, it is necessary for validation.
:returns: T if the validation could be performed succesfully, F otherwhise.
.. bro:see:: ssl_extension_signed_certificate_timestamp
x509_ocsp_ext_signed_certificate_timestamp
x509_verify
.. bro:id:: x509_subject_name_hash
:Type: :bro:type:`function` (cert: :bro:type:`opaque` of x509, hash_alg: :bro:type:`count`) : :bro:type:`string`
Get the hash of the subject's distinguished name.
:cert: The X509 certificate opaque handle.
:hash_alg: the hash algorithm to use, according to the IANA mapping at
:https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-18
:returns: The hash as a string.
.. bro:see:: x509_issuer_name_hash x509_spki_hash
x509_verify sct_verify
.. bro:id:: x509_issuer_name_hash
:Type: :bro:type:`function` (cert: :bro:type:`opaque` of x509, hash_alg: :bro:type:`count`) : :bro:type:`string`
Get the hash of the issuer's distinguished name.
:cert: The X509 certificate opaque handle.
:hash_alg: the hash algorithm to use, according to the IANA mapping at
:https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-18
:returns: The hash as a string.
.. bro:see:: x509_subject_name_hash x509_spki_hash
x509_verify sct_verify
.. bro:id:: x509_spki_hash
:Type: :bro:type:`function` (cert: :bro:type:`opaque` of x509, hash_alg: :bro:type:`count`) : :bro:type:`string`
Get the hash of the Subject Public Key Information of the certificate.
:cert: The X509 certificate opaque handle.
:hash_alg: the hash algorithm to use, according to the IANA mapping at
:https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-18
:returns: The hash as a string.
.. bro:see:: x509_subject_name_hash x509_issuer_name_hash
x509_verify sct_verify


@ -1,309 +0,0 @@
:doc:`base/frameworks/logging </scripts/base/frameworks/logging/index>`
The logging framework provides a flexible key-value based logging interface.
:doc:`base/frameworks/logging/postprocessors </scripts/base/frameworks/logging/postprocessors/index>`
Support for postprocessors in the logging framework.
:doc:`base/frameworks/broker </scripts/base/frameworks/broker/index>`
The Broker communication framework facilitates connecting to remote Bro
instances to share state and transfer events.
:doc:`base/frameworks/input </scripts/base/frameworks/input/index>`
The input framework provides a way to read previously stored data either as
an event stream or into a Bro table.
:doc:`base/frameworks/analyzer </scripts/base/frameworks/analyzer/index>`
The analyzer framework allows to dynamically enable or disable Bro's
protocol analyzers, as well as to manage the well-known ports which
automatically activate a particular analyzer for new connections.
:doc:`base/frameworks/files </scripts/base/frameworks/files/index>`
The file analysis framework provides an interface for driving the analysis
of files, possibly independent of any network protocol over which they're
transported.
:doc:`base/frameworks/files/magic </scripts/base/frameworks/files/magic/index>`
:doc:`base/bif </scripts/base/bif/index>`
:doc:`base/bif/plugins </scripts/base/bif/plugins/index>`
:doc:`base/frameworks/reporter </scripts/base/frameworks/reporter/index>`
This framework is intended to create an output and filtering path for
internally generated messages/warnings/errors.
:doc:`base/frameworks/notice </scripts/base/frameworks/notice/index>`
The notice framework enables Bro to "notice" things which are odd or
potentially bad, leaving it to the local configuration to define which
of them are actionable. This decoupling of detection and reporting allows
Bro to be customized to the different needs that sites have.
:doc:`base/frameworks/cluster </scripts/base/frameworks/cluster/index>`
The cluster framework provides for establishing and controlling a cluster
of Bro instances.
:doc:`base/frameworks/control </scripts/base/frameworks/control/index>`
The control framework provides the foundation for providing "commands"
that can be taken remotely at runtime to modify a running Bro instance
or collect information from the running instance.
:doc:`base/frameworks/netcontrol </scripts/base/frameworks/netcontrol/index>`
The NetControl framework provides a way for Bro to interact with networking
hard- and software, e.g. for dropping and shunting IP addresses/connections,
etc.
:doc:`base/frameworks/netcontrol/plugins </scripts/base/frameworks/netcontrol/plugins/index>`
Plugins for the NetControl framework.
:doc:`base/frameworks/openflow </scripts/base/frameworks/openflow/index>`
The OpenFlow framework exposes the data structures and functions
necessary to interface to OpenFlow capable hardware.
:doc:`base/frameworks/openflow/plugins </scripts/base/frameworks/openflow/plugins/index>`
Plugins for the OpenFlow framework.
:doc:`base/frameworks/dpd </scripts/base/frameworks/dpd/index>`
The DPD (dynamic protocol detection) activates port-independent protocol
detection and selectively disables analyzers if protocol violations occur.
:doc:`base/frameworks/signatures </scripts/base/frameworks/signatures/index>`
The signature framework provides for doing low-level pattern matching. While
signatures are not Bro's preferred detection tool, they sometimes come in
handy and are closer to what many people are familiar with from using
other NIDS.
:doc:`base/frameworks/packet-filter </scripts/base/frameworks/packet-filter/index>`
The packet filter framework supports how Bro sets its BPF capture filter.
:doc:`base/frameworks/software </scripts/base/frameworks/software/index>`
The software framework provides infrastructure for maintaining a table
of software versions seen on the network. The version parsing itself
is carried out by external protocol-specific scripts that feed into
this framework.
:doc:`base/frameworks/intel </scripts/base/frameworks/intel/index>`
The intelligence framework provides a way to store and query intelligence
data (such as IP addresses or strings). Metadata can also be associated
with the intelligence.
:doc:`base/frameworks/config </scripts/base/frameworks/config/index>`
The configuration framework provides a way to change the Bro configuration
in "option" values at run-time.
:doc:`base/frameworks/sumstats </scripts/base/frameworks/sumstats/index>`
The summary statistics framework provides a way to summarize large streams
of data into simple reduced measurements.
:doc:`base/frameworks/sumstats/plugins </scripts/base/frameworks/sumstats/plugins/index>`
Plugins for the summary statistics framework.
:doc:`base/frameworks/tunnels </scripts/base/frameworks/tunnels/index>`
The tunnels framework handles the tracking/logging of tunnels (e.g. Teredo,
AYIYA, or IP-in-IP such as 6to4 where "IP" is either IPv4 or IPv6).
:doc:`base/protocols/conn </scripts/base/protocols/conn/index>`
Support for connection (TCP, UDP, or ICMP) analysis.
:doc:`base/protocols/dce-rpc </scripts/base/protocols/dce-rpc/index>`
Support for DCE/RPC (Distributed Computing Environment/Remote Procedure
Calls) protocol analysis.
:doc:`base/protocols/dhcp </scripts/base/protocols/dhcp/index>`
Support for Dynamic Host Configuration Protocol (DHCP) analysis.
:doc:`base/protocols/dnp3 </scripts/base/protocols/dnp3/index>`
Support for Distributed Network Protocol (DNP3) analysis.
:doc:`base/protocols/dns </scripts/base/protocols/dns/index>`
Support for Domain Name System (DNS) protocol analysis.
:doc:`base/protocols/ftp </scripts/base/protocols/ftp/index>`
Support for File Transfer Protocol (FTP) analysis.
:doc:`base/protocols/ssl </scripts/base/protocols/ssl/index>`
Support for Secure Sockets Layer (SSL)/Transport Layer Security(TLS) protocol analysis.
:doc:`base/files/x509 </scripts/base/files/x509/index>`
Support for X509 certificates with the file analysis framework.
Also supports parsing OCSP requests and responses.
:doc:`base/files/hash </scripts/base/files/hash/index>`
Support for file hashes with the file analysis framework.
:doc:`base/protocols/http </scripts/base/protocols/http/index>`
Support for Hypertext Transfer Protocol (HTTP) analysis.
:doc:`base/protocols/imap </scripts/base/protocols/imap/index>`
Support for the Internet Message Access Protocol (IMAP).
Note that currently the IMAP analyzer only supports analyzing IMAP sessions
until they do or do not switch to TLS using StartTLS. Hence, we do not get
mails from IMAP sessions, only X509 certificates.
:doc:`base/protocols/irc </scripts/base/protocols/irc/index>`
Support for Internet Relay Chat (IRC) protocol analysis.
:doc:`base/protocols/krb </scripts/base/protocols/krb/index>`
Support for Kerberos protocol analysis.
:doc:`base/protocols/modbus </scripts/base/protocols/modbus/index>`
Support for Modbus protocol analysis.
:doc:`base/protocols/mysql </scripts/base/protocols/mysql/index>`
Support for MySQL protocol analysis.
:doc:`base/protocols/ntlm </scripts/base/protocols/ntlm/index>`
Support for NT LAN Manager (NTLM) protocol analysis.
:doc:`base/protocols/pop3 </scripts/base/protocols/pop3/index>`
Support for POP3 (Post Office Protocol) protocol analysis.
:doc:`base/protocols/radius </scripts/base/protocols/radius/index>`
Support for RADIUS protocol analysis.
:doc:`base/protocols/rdp </scripts/base/protocols/rdp/index>`
Support for Remote Desktop Protocol (RDP) analysis.
:doc:`base/protocols/rfb </scripts/base/protocols/rfb/index>`
Support for Remote FrameBuffer analysis. This includes all VNC servers.
:doc:`base/protocols/sip </scripts/base/protocols/sip/index>`
Support for Session Initiation Protocol (SIP) analysis.
:doc:`base/protocols/snmp </scripts/base/protocols/snmp/index>`
Support for Simple Network Management Protocol (SNMP) analysis.
:doc:`base/protocols/smb </scripts/base/protocols/smb/index>`
Support for SMB protocol analysis.
:doc:`base/protocols/smtp </scripts/base/protocols/smtp/index>`
Support for Simple Mail Transfer Protocol (SMTP) analysis.
:doc:`base/protocols/socks </scripts/base/protocols/socks/index>`
Support for Socket Secure (SOCKS) protocol analysis.
:doc:`base/protocols/ssh </scripts/base/protocols/ssh/index>`
Support for SSH protocol analysis.
:doc:`base/protocols/syslog </scripts/base/protocols/syslog/index>`
Support for Syslog protocol analysis.
:doc:`base/protocols/tunnels </scripts/base/protocols/tunnels/index>`
Provides DPD signatures for tunneling protocols that otherwise
wouldn't be detected at all.
:doc:`base/protocols/xmpp </scripts/base/protocols/xmpp/index>`
Support for the Extensible Messaging and Presence Protocol (XMPP).
Note that currently the XMPP analyzer only supports analyzing XMPP sessions
until they do or do not switch to TLS using StartTLS. Hence, we do not get
actual chat information from XMPP sessions, only X509 certificates.
:doc:`base/files/pe </scripts/base/files/pe/index>`
Support for Portable Executable (PE) file analysis.
:doc:`base/files/extract </scripts/base/files/extract/index>`
Support for extracting files with the file analysis framework.
:doc:`base/files/unified2 </scripts/base/files/unified2/index>`
Support for Unified2 files in the file analysis framework.
:doc:`broxygen </scripts/broxygen/index>`
This package is loaded during the process which automatically generates
reference documentation for all Bro scripts (i.e. "Broxygen"). Its only
purpose is to provide an easy way to load all known Bro scripts plus any
extra scripts needed or used by the documentation process.
:doc:`policy/frameworks/intel/seen </scripts/policy/frameworks/intel/seen/index>`
Scripts that send data to the intelligence framework.
:doc:`policy/frameworks/notice </scripts/policy/frameworks/notice/index>`
:doc:`policy/integration/barnyard2 </scripts/policy/integration/barnyard2/index>`
Integration with Barnyard2.
:doc:`policy/integration/collective-intel </scripts/policy/integration/collective-intel/index>`
The scripts in this module are for deeper integration with the
Collective Intelligence Framework (CIF) since Bro's Intel framework
doesn't natively behave the same as CIF nor does it store and maintain
the same data in all cases.
:doc:`policy/misc/detect-traceroute </scripts/policy/misc/detect-traceroute/index>`
Detect hosts that are running traceroute.
:doc:`policy/tuning </scripts/policy/tuning/index>`
Miscellaneous tuning parameters.
:doc:`policy/tuning/defaults </scripts/policy/tuning/defaults/index>`
Sets various defaults, and prints warning messages to stdout under
certain conditions.
:doc:`policy/protocols/smb </scripts/policy/protocols/smb/index>`
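Review bot: several packages in the removed index have no description line (`base/frameworks/files/magic`, `base/bif`, `base/bif/plugins`, `policy/frameworks/notice`, `policy/protocols/smb`); the description comes from the README in each package's script directory, so add those before the docs are regenerated in the new repository, otherwise the gap simply moves into zeek-docs along with the rest of the generated index.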

File diff suppressed because it is too large


@ -1,470 +0,0 @@
.. toctree::
:maxdepth: 1
base/init-bare.bro </scripts/base/init-bare.bro>
base/bif/const.bif.bro </scripts/base/bif/const.bif.bro>
base/bif/types.bif.bro </scripts/base/bif/types.bif.bro>
base/bif/bro.bif.bro </scripts/base/bif/bro.bif.bro>
base/bif/stats.bif.bro </scripts/base/bif/stats.bif.bro>
base/bif/reporter.bif.bro </scripts/base/bif/reporter.bif.bro>
base/bif/strings.bif.bro </scripts/base/bif/strings.bif.bro>
base/bif/option.bif.bro </scripts/base/bif/option.bif.bro>
base/bif/plugins/Bro_SNMP.types.bif.bro </scripts/base/bif/plugins/Bro_SNMP.types.bif.bro>
base/bif/plugins/Bro_KRB.types.bif.bro </scripts/base/bif/plugins/Bro_KRB.types.bif.bro>
base/bif/event.bif.bro </scripts/base/bif/event.bif.bro>
base/init-frameworks-and-bifs.bro </scripts/base/init-frameworks-and-bifs.bro>
base/frameworks/logging/__load__.bro </scripts/base/frameworks/logging/__load__.bro>
base/frameworks/logging/main.bro </scripts/base/frameworks/logging/main.bro>
base/bif/logging.bif.bro </scripts/base/bif/logging.bif.bro>
base/frameworks/logging/postprocessors/__load__.bro </scripts/base/frameworks/logging/postprocessors/__load__.bro>
base/frameworks/logging/postprocessors/scp.bro </scripts/base/frameworks/logging/postprocessors/scp.bro>
base/frameworks/logging/postprocessors/sftp.bro </scripts/base/frameworks/logging/postprocessors/sftp.bro>
base/frameworks/logging/writers/ascii.bro </scripts/base/frameworks/logging/writers/ascii.bro>
base/frameworks/logging/writers/sqlite.bro </scripts/base/frameworks/logging/writers/sqlite.bro>
base/frameworks/logging/writers/none.bro </scripts/base/frameworks/logging/writers/none.bro>
base/frameworks/broker/__load__.bro </scripts/base/frameworks/broker/__load__.bro>
base/frameworks/broker/main.bro </scripts/base/frameworks/broker/main.bro>
base/bif/comm.bif.bro </scripts/base/bif/comm.bif.bro>
base/bif/messaging.bif.bro </scripts/base/bif/messaging.bif.bro>
base/frameworks/broker/store.bro </scripts/base/frameworks/broker/store.bro>
base/bif/data.bif.bro </scripts/base/bif/data.bif.bro>
base/bif/store.bif.bro </scripts/base/bif/store.bif.bro>
base/frameworks/broker/log.bro </scripts/base/frameworks/broker/log.bro>
base/frameworks/input/__load__.bro </scripts/base/frameworks/input/__load__.bro>
base/frameworks/input/main.bro </scripts/base/frameworks/input/main.bro>
base/bif/input.bif.bro </scripts/base/bif/input.bif.bro>
base/frameworks/input/readers/ascii.bro </scripts/base/frameworks/input/readers/ascii.bro>
base/frameworks/input/readers/raw.bro </scripts/base/frameworks/input/readers/raw.bro>
base/frameworks/input/readers/benchmark.bro </scripts/base/frameworks/input/readers/benchmark.bro>
base/frameworks/input/readers/binary.bro </scripts/base/frameworks/input/readers/binary.bro>
base/frameworks/input/readers/config.bro </scripts/base/frameworks/input/readers/config.bro>
base/frameworks/input/readers/sqlite.bro </scripts/base/frameworks/input/readers/sqlite.bro>
base/frameworks/analyzer/__load__.bro </scripts/base/frameworks/analyzer/__load__.bro>
base/frameworks/analyzer/main.bro </scripts/base/frameworks/analyzer/main.bro>
base/frameworks/packet-filter/utils.bro </scripts/base/frameworks/packet-filter/utils.bro>
base/bif/analyzer.bif.bro </scripts/base/bif/analyzer.bif.bro>
base/frameworks/files/__load__.bro </scripts/base/frameworks/files/__load__.bro>
base/frameworks/files/main.bro </scripts/base/frameworks/files/main.bro>
base/bif/file_analysis.bif.bro </scripts/base/bif/file_analysis.bif.bro>
base/utils/site.bro </scripts/base/utils/site.bro>
base/utils/patterns.bro </scripts/base/utils/patterns.bro>
base/frameworks/files/magic/__load__.bro </scripts/base/frameworks/files/magic/__load__.bro>
base/bif/__load__.bro </scripts/base/bif/__load__.bro>
base/bif/broxygen.bif.bro </scripts/base/bif/broxygen.bif.bro>
base/bif/pcap.bif.bro </scripts/base/bif/pcap.bif.bro>
base/bif/bloom-filter.bif.bro </scripts/base/bif/bloom-filter.bif.bro>
base/bif/cardinality-counter.bif.bro </scripts/base/bif/cardinality-counter.bif.bro>
base/bif/top-k.bif.bro </scripts/base/bif/top-k.bif.bro>
base/bif/plugins/__load__.bro </scripts/base/bif/plugins/__load__.bro>
base/bif/plugins/Bro_ARP.events.bif.bro </scripts/base/bif/plugins/Bro_ARP.events.bif.bro>
base/bif/plugins/Bro_BackDoor.events.bif.bro </scripts/base/bif/plugins/Bro_BackDoor.events.bif.bro>
base/bif/plugins/Bro_BitTorrent.events.bif.bro </scripts/base/bif/plugins/Bro_BitTorrent.events.bif.bro>
base/bif/plugins/Bro_ConnSize.events.bif.bro </scripts/base/bif/plugins/Bro_ConnSize.events.bif.bro>
base/bif/plugins/Bro_ConnSize.functions.bif.bro </scripts/base/bif/plugins/Bro_ConnSize.functions.bif.bro>
base/bif/plugins/Bro_DCE_RPC.consts.bif.bro </scripts/base/bif/plugins/Bro_DCE_RPC.consts.bif.bro>
base/bif/plugins/Bro_DCE_RPC.types.bif.bro </scripts/base/bif/plugins/Bro_DCE_RPC.types.bif.bro>
base/bif/plugins/Bro_DCE_RPC.events.bif.bro </scripts/base/bif/plugins/Bro_DCE_RPC.events.bif.bro>
base/bif/plugins/Bro_DHCP.events.bif.bro </scripts/base/bif/plugins/Bro_DHCP.events.bif.bro>
base/bif/plugins/Bro_DHCP.types.bif.bro </scripts/base/bif/plugins/Bro_DHCP.types.bif.bro>
base/bif/plugins/Bro_DNP3.events.bif.bro </scripts/base/bif/plugins/Bro_DNP3.events.bif.bro>
base/bif/plugins/Bro_DNS.events.bif.bro </scripts/base/bif/plugins/Bro_DNS.events.bif.bro>
base/bif/plugins/Bro_File.events.bif.bro </scripts/base/bif/plugins/Bro_File.events.bif.bro>
base/bif/plugins/Bro_Finger.events.bif.bro </scripts/base/bif/plugins/Bro_Finger.events.bif.bro>
base/bif/plugins/Bro_FTP.events.bif.bro </scripts/base/bif/plugins/Bro_FTP.events.bif.bro>
base/bif/plugins/Bro_FTP.functions.bif.bro </scripts/base/bif/plugins/Bro_FTP.functions.bif.bro>
base/bif/plugins/Bro_Gnutella.events.bif.bro </scripts/base/bif/plugins/Bro_Gnutella.events.bif.bro>
base/bif/plugins/Bro_GSSAPI.events.bif.bro </scripts/base/bif/plugins/Bro_GSSAPI.events.bif.bro>
base/bif/plugins/Bro_GTPv1.events.bif.bro </scripts/base/bif/plugins/Bro_GTPv1.events.bif.bro>
base/bif/plugins/Bro_HTTP.events.bif.bro </scripts/base/bif/plugins/Bro_HTTP.events.bif.bro>
base/bif/plugins/Bro_HTTP.functions.bif.bro </scripts/base/bif/plugins/Bro_HTTP.functions.bif.bro>
base/bif/plugins/Bro_ICMP.events.bif.bro </scripts/base/bif/plugins/Bro_ICMP.events.bif.bro>
base/bif/plugins/Bro_Ident.events.bif.bro </scripts/base/bif/plugins/Bro_Ident.events.bif.bro>
base/bif/plugins/Bro_IMAP.events.bif.bro </scripts/base/bif/plugins/Bro_IMAP.events.bif.bro>
base/bif/plugins/Bro_InterConn.events.bif.bro </scripts/base/bif/plugins/Bro_InterConn.events.bif.bro>
base/bif/plugins/Bro_IRC.events.bif.bro </scripts/base/bif/plugins/Bro_IRC.events.bif.bro>
base/bif/plugins/Bro_KRB.events.bif.bro </scripts/base/bif/plugins/Bro_KRB.events.bif.bro>
base/bif/plugins/Bro_Login.events.bif.bro </scripts/base/bif/plugins/Bro_Login.events.bif.bro>
base/bif/plugins/Bro_Login.functions.bif.bro </scripts/base/bif/plugins/Bro_Login.functions.bif.bro>
base/bif/plugins/Bro_MIME.events.bif.bro </scripts/base/bif/plugins/Bro_MIME.events.bif.bro>
base/bif/plugins/Bro_Modbus.events.bif.bro </scripts/base/bif/plugins/Bro_Modbus.events.bif.bro>
base/bif/plugins/Bro_MySQL.events.bif.bro </scripts/base/bif/plugins/Bro_MySQL.events.bif.bro>
base/bif/plugins/Bro_NCP.events.bif.bro </scripts/base/bif/plugins/Bro_NCP.events.bif.bro>
base/bif/plugins/Bro_NCP.consts.bif.bro </scripts/base/bif/plugins/Bro_NCP.consts.bif.bro>
base/bif/plugins/Bro_NetBIOS.events.bif.bro </scripts/base/bif/plugins/Bro_NetBIOS.events.bif.bro>
base/bif/plugins/Bro_NetBIOS.functions.bif.bro </scripts/base/bif/plugins/Bro_NetBIOS.functions.bif.bro>
base/bif/plugins/Bro_NTLM.types.bif.bro </scripts/base/bif/plugins/Bro_NTLM.types.bif.bro>
base/bif/plugins/Bro_NTLM.events.bif.bro </scripts/base/bif/plugins/Bro_NTLM.events.bif.bro>
base/bif/plugins/Bro_NTP.events.bif.bro </scripts/base/bif/plugins/Bro_NTP.events.bif.bro>
base/bif/plugins/Bro_POP3.events.bif.bro </scripts/base/bif/plugins/Bro_POP3.events.bif.bro>
base/bif/plugins/Bro_RADIUS.events.bif.bro </scripts/base/bif/plugins/Bro_RADIUS.events.bif.bro>
base/bif/plugins/Bro_RDP.events.bif.bro </scripts/base/bif/plugins/Bro_RDP.events.bif.bro>
base/bif/plugins/Bro_RDP.types.bif.bro </scripts/base/bif/plugins/Bro_RDP.types.bif.bro>
base/bif/plugins/Bro_RFB.events.bif.bro </scripts/base/bif/plugins/Bro_RFB.events.bif.bro>
base/bif/plugins/Bro_RPC.events.bif.bro </scripts/base/bif/plugins/Bro_RPC.events.bif.bro>
base/bif/plugins/Bro_SIP.events.bif.bro </scripts/base/bif/plugins/Bro_SIP.events.bif.bro>
base/bif/plugins/Bro_SNMP.events.bif.bro </scripts/base/bif/plugins/Bro_SNMP.events.bif.bro>
base/bif/plugins/Bro_SMB.smb1_com_check_directory.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb1_com_check_directory.bif.bro>
base/bif/plugins/Bro_SMB.smb1_com_close.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb1_com_close.bif.bro>
base/bif/plugins/Bro_SMB.smb1_com_create_directory.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb1_com_create_directory.bif.bro>
base/bif/plugins/Bro_SMB.smb1_com_echo.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb1_com_echo.bif.bro>
base/bif/plugins/Bro_SMB.smb1_com_logoff_andx.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb1_com_logoff_andx.bif.bro>
base/bif/plugins/Bro_SMB.smb1_com_negotiate.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb1_com_negotiate.bif.bro>
base/bif/plugins/Bro_SMB.smb1_com_nt_create_andx.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb1_com_nt_create_andx.bif.bro>
base/bif/plugins/Bro_SMB.smb1_com_nt_cancel.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb1_com_nt_cancel.bif.bro>
base/bif/plugins/Bro_SMB.smb1_com_query_information.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb1_com_query_information.bif.bro>
base/bif/plugins/Bro_SMB.smb1_com_read_andx.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb1_com_read_andx.bif.bro>
base/bif/plugins/Bro_SMB.smb1_com_session_setup_andx.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb1_com_session_setup_andx.bif.bro>
base/bif/plugins/Bro_SMB.smb1_com_transaction.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction.bif.bro>
base/bif/plugins/Bro_SMB.smb1_com_transaction_secondary.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction_secondary.bif.bro>
base/bif/plugins/Bro_SMB.smb1_com_transaction2.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction2.bif.bro>
base/bif/plugins/Bro_SMB.smb1_com_transaction2_secondary.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction2_secondary.bif.bro>
base/bif/plugins/Bro_SMB.smb1_com_tree_connect_andx.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb1_com_tree_connect_andx.bif.bro>
base/bif/plugins/Bro_SMB.smb1_com_tree_disconnect.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb1_com_tree_disconnect.bif.bro>
base/bif/plugins/Bro_SMB.smb1_com_write_andx.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb1_com_write_andx.bif.bro>
base/bif/plugins/Bro_SMB.smb1_events.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb1_events.bif.bro>
base/bif/plugins/Bro_SMB.smb2_com_close.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb2_com_close.bif.bro>
base/bif/plugins/Bro_SMB.smb2_com_create.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb2_com_create.bif.bro>
base/bif/plugins/Bro_SMB.smb2_com_negotiate.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb2_com_negotiate.bif.bro>
base/bif/plugins/Bro_SMB.smb2_com_read.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb2_com_read.bif.bro>
base/bif/plugins/Bro_SMB.smb2_com_session_setup.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb2_com_session_setup.bif.bro>
base/bif/plugins/Bro_SMB.smb2_com_set_info.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb2_com_set_info.bif.bro>
base/bif/plugins/Bro_SMB.smb2_com_tree_connect.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb2_com_tree_connect.bif.bro>
base/bif/plugins/Bro_SMB.smb2_com_tree_disconnect.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb2_com_tree_disconnect.bif.bro>
base/bif/plugins/Bro_SMB.smb2_com_write.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb2_com_write.bif.bro>
base/bif/plugins/Bro_SMB.smb2_events.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb2_events.bif.bro>
base/bif/plugins/Bro_SMB.events.bif.bro </scripts/base/bif/plugins/Bro_SMB.events.bif.bro>
base/bif/plugins/Bro_SMB.consts.bif.bro </scripts/base/bif/plugins/Bro_SMB.consts.bif.bro>
base/bif/plugins/Bro_SMB.types.bif.bro </scripts/base/bif/plugins/Bro_SMB.types.bif.bro>
base/bif/plugins/Bro_SMTP.events.bif.bro </scripts/base/bif/plugins/Bro_SMTP.events.bif.bro>
base/bif/plugins/Bro_SMTP.functions.bif.bro </scripts/base/bif/plugins/Bro_SMTP.functions.bif.bro>
base/bif/plugins/Bro_SOCKS.events.bif.bro </scripts/base/bif/plugins/Bro_SOCKS.events.bif.bro>
base/bif/plugins/Bro_SSH.types.bif.bro </scripts/base/bif/plugins/Bro_SSH.types.bif.bro>
base/bif/plugins/Bro_SSH.events.bif.bro </scripts/base/bif/plugins/Bro_SSH.events.bif.bro>
base/bif/plugins/Bro_SSL.types.bif.bro </scripts/base/bif/plugins/Bro_SSL.types.bif.bro>
base/bif/plugins/Bro_SSL.events.bif.bro </scripts/base/bif/plugins/Bro_SSL.events.bif.bro>
base/bif/plugins/Bro_SSL.functions.bif.bro </scripts/base/bif/plugins/Bro_SSL.functions.bif.bro>
base/bif/plugins/Bro_SteppingStone.events.bif.bro </scripts/base/bif/plugins/Bro_SteppingStone.events.bif.bro>
base/bif/plugins/Bro_Syslog.events.bif.bro </scripts/base/bif/plugins/Bro_Syslog.events.bif.bro>
base/bif/plugins/Bro_TCP.events.bif.bro </scripts/base/bif/plugins/Bro_TCP.events.bif.bro>
base/bif/plugins/Bro_TCP.functions.bif.bro </scripts/base/bif/plugins/Bro_TCP.functions.bif.bro>
base/bif/plugins/Bro_Teredo.events.bif.bro </scripts/base/bif/plugins/Bro_Teredo.events.bif.bro>
base/bif/plugins/Bro_UDP.events.bif.bro </scripts/base/bif/plugins/Bro_UDP.events.bif.bro>
base/bif/plugins/Bro_XMPP.events.bif.bro </scripts/base/bif/plugins/Bro_XMPP.events.bif.bro>
base/bif/plugins/Bro_FileEntropy.events.bif.bro </scripts/base/bif/plugins/Bro_FileEntropy.events.bif.bro>
base/bif/plugins/Bro_FileExtract.events.bif.bro </scripts/base/bif/plugins/Bro_FileExtract.events.bif.bro>
base/bif/plugins/Bro_FileExtract.functions.bif.bro </scripts/base/bif/plugins/Bro_FileExtract.functions.bif.bro>
base/bif/plugins/Bro_FileHash.events.bif.bro </scripts/base/bif/plugins/Bro_FileHash.events.bif.bro>
base/bif/plugins/Bro_PE.events.bif.bro </scripts/base/bif/plugins/Bro_PE.events.bif.bro>
base/bif/plugins/Bro_Unified2.events.bif.bro </scripts/base/bif/plugins/Bro_Unified2.events.bif.bro>
base/bif/plugins/Bro_Unified2.types.bif.bro </scripts/base/bif/plugins/Bro_Unified2.types.bif.bro>
base/bif/plugins/Bro_X509.events.bif.bro </scripts/base/bif/plugins/Bro_X509.events.bif.bro>
base/bif/plugins/Bro_X509.types.bif.bro </scripts/base/bif/plugins/Bro_X509.types.bif.bro>
base/bif/plugins/Bro_X509.functions.bif.bro </scripts/base/bif/plugins/Bro_X509.functions.bif.bro>
base/bif/plugins/Bro_X509.ocsp_events.bif.bro </scripts/base/bif/plugins/Bro_X509.ocsp_events.bif.bro>
base/bif/plugins/Bro_AsciiReader.ascii.bif.bro </scripts/base/bif/plugins/Bro_AsciiReader.ascii.bif.bro>
base/bif/plugins/Bro_BenchmarkReader.benchmark.bif.bro </scripts/base/bif/plugins/Bro_BenchmarkReader.benchmark.bif.bro>
base/bif/plugins/Bro_BinaryReader.binary.bif.bro </scripts/base/bif/plugins/Bro_BinaryReader.binary.bif.bro>
base/bif/plugins/Bro_ConfigReader.config.bif.bro </scripts/base/bif/plugins/Bro_ConfigReader.config.bif.bro>
base/bif/plugins/Bro_RawReader.raw.bif.bro </scripts/base/bif/plugins/Bro_RawReader.raw.bif.bro>
base/bif/plugins/Bro_SQLiteReader.sqlite.bif.bro </scripts/base/bif/plugins/Bro_SQLiteReader.sqlite.bif.bro>
base/bif/plugins/Bro_AsciiWriter.ascii.bif.bro </scripts/base/bif/plugins/Bro_AsciiWriter.ascii.bif.bro>
base/bif/plugins/Bro_NoneWriter.none.bif.bro </scripts/base/bif/plugins/Bro_NoneWriter.none.bif.bro>
base/bif/plugins/Bro_SQLiteWriter.sqlite.bif.bro </scripts/base/bif/plugins/Bro_SQLiteWriter.sqlite.bif.bro>
base/init-default.bro </scripts/base/init-default.bro>
base/utils/active-http.bro </scripts/base/utils/active-http.bro>
base/utils/exec.bro </scripts/base/utils/exec.bro>
base/utils/addrs.bro </scripts/base/utils/addrs.bro>
base/utils/conn-ids.bro </scripts/base/utils/conn-ids.bro>
base/utils/dir.bro </scripts/base/utils/dir.bro>
base/frameworks/reporter/__load__.bro </scripts/base/frameworks/reporter/__load__.bro>
base/frameworks/reporter/main.bro </scripts/base/frameworks/reporter/main.bro>
base/utils/paths.bro </scripts/base/utils/paths.bro>
base/utils/directions-and-hosts.bro </scripts/base/utils/directions-and-hosts.bro>
base/utils/email.bro </scripts/base/utils/email.bro>
base/utils/files.bro </scripts/base/utils/files.bro>
base/utils/geoip-distance.bro </scripts/base/utils/geoip-distance.bro>
base/utils/hash_hrw.bro </scripts/base/utils/hash_hrw.bro>
base/utils/numbers.bro </scripts/base/utils/numbers.bro>
base/utils/queue.bro </scripts/base/utils/queue.bro>
base/utils/strings.bro </scripts/base/utils/strings.bro>
base/utils/thresholds.bro </scripts/base/utils/thresholds.bro>
base/utils/time.bro </scripts/base/utils/time.bro>
base/utils/urls.bro </scripts/base/utils/urls.bro>
base/frameworks/notice/__load__.bro </scripts/base/frameworks/notice/__load__.bro>
base/frameworks/notice/main.bro </scripts/base/frameworks/notice/main.bro>
base/frameworks/cluster/__load__.bro </scripts/base/frameworks/cluster/__load__.bro>
base/frameworks/cluster/main.bro </scripts/base/frameworks/cluster/main.bro>
base/frameworks/control/__load__.bro </scripts/base/frameworks/control/__load__.bro>
base/frameworks/control/main.bro </scripts/base/frameworks/control/main.bro>
base/frameworks/cluster/pools.bro </scripts/base/frameworks/cluster/pools.bro>
base/frameworks/notice/weird.bro </scripts/base/frameworks/notice/weird.bro>
base/frameworks/notice/actions/drop.bro </scripts/base/frameworks/notice/actions/drop.bro>
base/frameworks/netcontrol/__load__.bro </scripts/base/frameworks/netcontrol/__load__.bro>
base/frameworks/netcontrol/types.bro </scripts/base/frameworks/netcontrol/types.bro>
base/frameworks/netcontrol/main.bro </scripts/base/frameworks/netcontrol/main.bro>
base/frameworks/netcontrol/plugin.bro </scripts/base/frameworks/netcontrol/plugin.bro>
base/frameworks/netcontrol/plugins/__load__.bro </scripts/base/frameworks/netcontrol/plugins/__load__.bro>
base/frameworks/netcontrol/plugins/debug.bro </scripts/base/frameworks/netcontrol/plugins/debug.bro>
base/frameworks/netcontrol/plugins/openflow.bro </scripts/base/frameworks/netcontrol/plugins/openflow.bro>
base/frameworks/openflow/__load__.bro </scripts/base/frameworks/openflow/__load__.bro>
base/frameworks/openflow/consts.bro </scripts/base/frameworks/openflow/consts.bro>
base/frameworks/openflow/types.bro </scripts/base/frameworks/openflow/types.bro>
base/frameworks/openflow/main.bro </scripts/base/frameworks/openflow/main.bro>
base/frameworks/openflow/plugins/__load__.bro </scripts/base/frameworks/openflow/plugins/__load__.bro>
base/frameworks/openflow/plugins/ryu.bro </scripts/base/frameworks/openflow/plugins/ryu.bro>
base/utils/json.bro </scripts/base/utils/json.bro>
base/frameworks/openflow/plugins/log.bro </scripts/base/frameworks/openflow/plugins/log.bro>
base/frameworks/openflow/plugins/broker.bro </scripts/base/frameworks/openflow/plugins/broker.bro>
base/frameworks/openflow/non-cluster.bro </scripts/base/frameworks/openflow/non-cluster.bro>
base/frameworks/netcontrol/plugins/packetfilter.bro </scripts/base/frameworks/netcontrol/plugins/packetfilter.bro>
base/frameworks/netcontrol/plugins/broker.bro </scripts/base/frameworks/netcontrol/plugins/broker.bro>
base/frameworks/netcontrol/plugins/acld.bro </scripts/base/frameworks/netcontrol/plugins/acld.bro>
base/frameworks/netcontrol/drop.bro </scripts/base/frameworks/netcontrol/drop.bro>
base/frameworks/netcontrol/shunt.bro </scripts/base/frameworks/netcontrol/shunt.bro>
base/frameworks/netcontrol/catch-and-release.bro </scripts/base/frameworks/netcontrol/catch-and-release.bro>
base/frameworks/netcontrol/non-cluster.bro </scripts/base/frameworks/netcontrol/non-cluster.bro>
base/frameworks/notice/actions/email_admin.bro </scripts/base/frameworks/notice/actions/email_admin.bro>
base/frameworks/notice/actions/page.bro </scripts/base/frameworks/notice/actions/page.bro>
base/frameworks/notice/actions/add-geodata.bro </scripts/base/frameworks/notice/actions/add-geodata.bro>
base/frameworks/notice/actions/pp-alarms.bro </scripts/base/frameworks/notice/actions/pp-alarms.bro>
base/frameworks/dpd/__load__.bro </scripts/base/frameworks/dpd/__load__.bro>
base/frameworks/dpd/main.bro </scripts/base/frameworks/dpd/main.bro>
base/frameworks/signatures/__load__.bro </scripts/base/frameworks/signatures/__load__.bro>
base/frameworks/signatures/main.bro </scripts/base/frameworks/signatures/main.bro>
base/frameworks/packet-filter/__load__.bro </scripts/base/frameworks/packet-filter/__load__.bro>
base/frameworks/packet-filter/main.bro </scripts/base/frameworks/packet-filter/main.bro>
base/frameworks/packet-filter/netstats.bro </scripts/base/frameworks/packet-filter/netstats.bro>
base/frameworks/software/__load__.bro </scripts/base/frameworks/software/__load__.bro>
base/frameworks/software/main.bro </scripts/base/frameworks/software/main.bro>
base/frameworks/intel/__load__.bro </scripts/base/frameworks/intel/__load__.bro>
base/frameworks/intel/main.bro </scripts/base/frameworks/intel/main.bro>
base/frameworks/intel/files.bro </scripts/base/frameworks/intel/files.bro>
base/frameworks/intel/input.bro </scripts/base/frameworks/intel/input.bro>
base/frameworks/config/__load__.bro </scripts/base/frameworks/config/__load__.bro>
base/frameworks/config/main.bro </scripts/base/frameworks/config/main.bro>
base/frameworks/config/input.bro </scripts/base/frameworks/config/input.bro>
base/frameworks/config/weird.bro </scripts/base/frameworks/config/weird.bro>
base/frameworks/sumstats/__load__.bro </scripts/base/frameworks/sumstats/__load__.bro>
base/frameworks/sumstats/main.bro </scripts/base/frameworks/sumstats/main.bro>
base/frameworks/sumstats/plugins/__load__.bro </scripts/base/frameworks/sumstats/plugins/__load__.bro>
base/frameworks/sumstats/plugins/average.bro </scripts/base/frameworks/sumstats/plugins/average.bro>
base/frameworks/sumstats/plugins/hll_unique.bro </scripts/base/frameworks/sumstats/plugins/hll_unique.bro>
base/frameworks/sumstats/plugins/last.bro </scripts/base/frameworks/sumstats/plugins/last.bro>
base/frameworks/sumstats/plugins/max.bro </scripts/base/frameworks/sumstats/plugins/max.bro>
base/frameworks/sumstats/plugins/min.bro </scripts/base/frameworks/sumstats/plugins/min.bro>
base/frameworks/sumstats/plugins/sample.bro </scripts/base/frameworks/sumstats/plugins/sample.bro>
base/frameworks/sumstats/plugins/std-dev.bro </scripts/base/frameworks/sumstats/plugins/std-dev.bro>
base/frameworks/sumstats/plugins/variance.bro </scripts/base/frameworks/sumstats/plugins/variance.bro>
base/frameworks/sumstats/plugins/sum.bro </scripts/base/frameworks/sumstats/plugins/sum.bro>
base/frameworks/sumstats/plugins/topk.bro </scripts/base/frameworks/sumstats/plugins/topk.bro>
base/frameworks/sumstats/plugins/unique.bro </scripts/base/frameworks/sumstats/plugins/unique.bro>
base/frameworks/sumstats/non-cluster.bro </scripts/base/frameworks/sumstats/non-cluster.bro>
base/frameworks/tunnels/__load__.bro </scripts/base/frameworks/tunnels/__load__.bro>
base/frameworks/tunnels/main.bro </scripts/base/frameworks/tunnels/main.bro>
base/protocols/conn/__load__.bro </scripts/base/protocols/conn/__load__.bro>
base/protocols/conn/main.bro </scripts/base/protocols/conn/main.bro>
base/protocols/conn/contents.bro </scripts/base/protocols/conn/contents.bro>
base/protocols/conn/inactivity.bro </scripts/base/protocols/conn/inactivity.bro>
base/protocols/conn/polling.bro </scripts/base/protocols/conn/polling.bro>
base/protocols/conn/thresholds.bro </scripts/base/protocols/conn/thresholds.bro>
base/protocols/dce-rpc/__load__.bro </scripts/base/protocols/dce-rpc/__load__.bro>
base/protocols/dce-rpc/consts.bro </scripts/base/protocols/dce-rpc/consts.bro>
base/protocols/dce-rpc/main.bro </scripts/base/protocols/dce-rpc/main.bro>
base/protocols/dhcp/__load__.bro </scripts/base/protocols/dhcp/__load__.bro>
base/protocols/dhcp/consts.bro </scripts/base/protocols/dhcp/consts.bro>
base/protocols/dhcp/main.bro </scripts/base/protocols/dhcp/main.bro>
base/protocols/dnp3/__load__.bro </scripts/base/protocols/dnp3/__load__.bro>
base/protocols/dnp3/main.bro </scripts/base/protocols/dnp3/main.bro>
base/protocols/dnp3/consts.bro </scripts/base/protocols/dnp3/consts.bro>
base/protocols/dns/__load__.bro </scripts/base/protocols/dns/__load__.bro>
base/protocols/dns/consts.bro </scripts/base/protocols/dns/consts.bro>
base/protocols/dns/main.bro </scripts/base/protocols/dns/main.bro>
base/protocols/ftp/__load__.bro </scripts/base/protocols/ftp/__load__.bro>
base/protocols/ftp/utils-commands.bro </scripts/base/protocols/ftp/utils-commands.bro>
base/protocols/ftp/info.bro </scripts/base/protocols/ftp/info.bro>
base/protocols/ftp/main.bro </scripts/base/protocols/ftp/main.bro>
base/protocols/ftp/utils.bro </scripts/base/protocols/ftp/utils.bro>
base/protocols/ftp/files.bro </scripts/base/protocols/ftp/files.bro>
base/protocols/ftp/gridftp.bro </scripts/base/protocols/ftp/gridftp.bro>
base/protocols/ssl/__load__.bro </scripts/base/protocols/ssl/__load__.bro>
base/protocols/ssl/consts.bro </scripts/base/protocols/ssl/consts.bro>
base/protocols/ssl/main.bro </scripts/base/protocols/ssl/main.bro>
base/protocols/ssl/mozilla-ca-list.bro </scripts/base/protocols/ssl/mozilla-ca-list.bro>
base/protocols/ssl/ct-list.bro </scripts/base/protocols/ssl/ct-list.bro>
base/protocols/ssl/files.bro </scripts/base/protocols/ssl/files.bro>
base/files/x509/__load__.bro </scripts/base/files/x509/__load__.bro>
base/files/x509/main.bro </scripts/base/files/x509/main.bro>
base/files/hash/__load__.bro </scripts/base/files/hash/__load__.bro>
base/files/hash/main.bro </scripts/base/files/hash/main.bro>
base/protocols/http/__load__.bro </scripts/base/protocols/http/__load__.bro>
base/protocols/http/main.bro </scripts/base/protocols/http/main.bro>
base/protocols/http/entities.bro </scripts/base/protocols/http/entities.bro>
base/protocols/http/utils.bro </scripts/base/protocols/http/utils.bro>
base/protocols/http/files.bro </scripts/base/protocols/http/files.bro>
base/protocols/imap/__load__.bro </scripts/base/protocols/imap/__load__.bro>
base/protocols/imap/main.bro </scripts/base/protocols/imap/main.bro>
base/protocols/irc/__load__.bro </scripts/base/protocols/irc/__load__.bro>
base/protocols/irc/main.bro </scripts/base/protocols/irc/main.bro>
base/protocols/irc/dcc-send.bro </scripts/base/protocols/irc/dcc-send.bro>
base/protocols/irc/files.bro </scripts/base/protocols/irc/files.bro>
base/protocols/krb/__load__.bro </scripts/base/protocols/krb/__load__.bro>
base/protocols/krb/main.bro </scripts/base/protocols/krb/main.bro>
base/protocols/krb/consts.bro </scripts/base/protocols/krb/consts.bro>
base/protocols/krb/files.bro </scripts/base/protocols/krb/files.bro>
base/protocols/modbus/__load__.bro </scripts/base/protocols/modbus/__load__.bro>
base/protocols/modbus/consts.bro </scripts/base/protocols/modbus/consts.bro>
base/protocols/modbus/main.bro </scripts/base/protocols/modbus/main.bro>
base/protocols/mysql/__load__.bro </scripts/base/protocols/mysql/__load__.bro>
base/protocols/mysql/main.bro </scripts/base/protocols/mysql/main.bro>
base/protocols/mysql/consts.bro </scripts/base/protocols/mysql/consts.bro>
base/protocols/ntlm/__load__.bro </scripts/base/protocols/ntlm/__load__.bro>
base/protocols/ntlm/main.bro </scripts/base/protocols/ntlm/main.bro>
base/protocols/pop3/__load__.bro </scripts/base/protocols/pop3/__load__.bro>
base/protocols/radius/__load__.bro </scripts/base/protocols/radius/__load__.bro>
base/protocols/radius/main.bro </scripts/base/protocols/radius/main.bro>
base/protocols/radius/consts.bro </scripts/base/protocols/radius/consts.bro>
base/protocols/rdp/__load__.bro </scripts/base/protocols/rdp/__load__.bro>
base/protocols/rdp/consts.bro </scripts/base/protocols/rdp/consts.bro>
base/protocols/rdp/main.bro </scripts/base/protocols/rdp/main.bro>
base/protocols/rfb/__load__.bro </scripts/base/protocols/rfb/__load__.bro>
base/protocols/rfb/main.bro </scripts/base/protocols/rfb/main.bro>
base/protocols/sip/__load__.bro </scripts/base/protocols/sip/__load__.bro>
base/protocols/sip/main.bro </scripts/base/protocols/sip/main.bro>
base/protocols/snmp/__load__.bro </scripts/base/protocols/snmp/__load__.bro>
base/protocols/snmp/main.bro </scripts/base/protocols/snmp/main.bro>
base/protocols/smb/__load__.bro </scripts/base/protocols/smb/__load__.bro>
base/protocols/smb/consts.bro </scripts/base/protocols/smb/consts.bro>
base/protocols/smb/const-dos-error.bro </scripts/base/protocols/smb/const-dos-error.bro>
base/protocols/smb/const-nt-status.bro </scripts/base/protocols/smb/const-nt-status.bro>
base/protocols/smb/main.bro </scripts/base/protocols/smb/main.bro>
base/protocols/smb/smb1-main.bro </scripts/base/protocols/smb/smb1-main.bro>
base/protocols/smb/smb2-main.bro </scripts/base/protocols/smb/smb2-main.bro>
base/protocols/smb/files.bro </scripts/base/protocols/smb/files.bro>
base/protocols/smtp/__load__.bro </scripts/base/protocols/smtp/__load__.bro>
base/protocols/smtp/main.bro </scripts/base/protocols/smtp/main.bro>
base/protocols/smtp/entities.bro </scripts/base/protocols/smtp/entities.bro>
base/protocols/smtp/files.bro </scripts/base/protocols/smtp/files.bro>
base/protocols/socks/__load__.bro </scripts/base/protocols/socks/__load__.bro>
base/protocols/socks/consts.bro </scripts/base/protocols/socks/consts.bro>
base/protocols/socks/main.bro </scripts/base/protocols/socks/main.bro>
base/protocols/ssh/__load__.bro </scripts/base/protocols/ssh/__load__.bro>
base/protocols/ssh/main.bro </scripts/base/protocols/ssh/main.bro>
base/protocols/syslog/__load__.bro </scripts/base/protocols/syslog/__load__.bro>
base/protocols/syslog/consts.bro </scripts/base/protocols/syslog/consts.bro>
base/protocols/syslog/main.bro </scripts/base/protocols/syslog/main.bro>
base/protocols/tunnels/__load__.bro </scripts/base/protocols/tunnels/__load__.bro>
base/protocols/xmpp/__load__.bro </scripts/base/protocols/xmpp/__load__.bro>
base/protocols/xmpp/main.bro </scripts/base/protocols/xmpp/main.bro>
base/files/pe/__load__.bro </scripts/base/files/pe/__load__.bro>
base/files/pe/consts.bro </scripts/base/files/pe/consts.bro>
base/files/pe/main.bro </scripts/base/files/pe/main.bro>
base/files/extract/__load__.bro </scripts/base/files/extract/__load__.bro>
base/files/extract/main.bro </scripts/base/files/extract/main.bro>
base/files/unified2/__load__.bro </scripts/base/files/unified2/__load__.bro>
base/files/unified2/main.bro </scripts/base/files/unified2/main.bro>
base/misc/find-checksum-offloading.bro </scripts/base/misc/find-checksum-offloading.bro>
base/misc/find-filtered-trace.bro </scripts/base/misc/find-filtered-trace.bro>
base/misc/version.bro </scripts/base/misc/version.bro>
broxygen/__load__.bro </scripts/broxygen/__load__.bro>
test-all-policy.bro </scripts/test-all-policy.bro>
policy/frameworks/dpd/detect-protocols.bro </scripts/policy/frameworks/dpd/detect-protocols.bro>
policy/frameworks/dpd/packet-segment-logging.bro </scripts/policy/frameworks/dpd/packet-segment-logging.bro>
policy/frameworks/intel/do_notice.bro </scripts/policy/frameworks/intel/do_notice.bro>
policy/frameworks/intel/do_expire.bro </scripts/policy/frameworks/intel/do_expire.bro>
policy/frameworks/intel/whitelist.bro </scripts/policy/frameworks/intel/whitelist.bro>
policy/frameworks/intel/seen/__load__.bro </scripts/policy/frameworks/intel/seen/__load__.bro>
policy/frameworks/intel/seen/conn-established.bro </scripts/policy/frameworks/intel/seen/conn-established.bro>
policy/frameworks/intel/seen/where-locations.bro </scripts/policy/frameworks/intel/seen/where-locations.bro>
policy/frameworks/intel/seen/dns.bro </scripts/policy/frameworks/intel/seen/dns.bro>
policy/frameworks/intel/seen/file-hashes.bro </scripts/policy/frameworks/intel/seen/file-hashes.bro>
policy/frameworks/intel/seen/file-names.bro </scripts/policy/frameworks/intel/seen/file-names.bro>
policy/frameworks/intel/seen/http-headers.bro </scripts/policy/frameworks/intel/seen/http-headers.bro>
policy/frameworks/intel/seen/http-url.bro </scripts/policy/frameworks/intel/seen/http-url.bro>
policy/frameworks/intel/seen/pubkey-hashes.bro </scripts/policy/frameworks/intel/seen/pubkey-hashes.bro>
policy/frameworks/intel/seen/ssl.bro </scripts/policy/frameworks/intel/seen/ssl.bro>
policy/frameworks/intel/seen/smtp.bro </scripts/policy/frameworks/intel/seen/smtp.bro>
policy/frameworks/intel/seen/smtp-url-extraction.bro </scripts/policy/frameworks/intel/seen/smtp-url-extraction.bro>
policy/frameworks/intel/seen/x509.bro </scripts/policy/frameworks/intel/seen/x509.bro>
policy/frameworks/files/detect-MHR.bro </scripts/policy/frameworks/files/detect-MHR.bro>
policy/frameworks/files/hash-all-files.bro </scripts/policy/frameworks/files/hash-all-files.bro>
policy/frameworks/files/entropy-test-all-files.bro </scripts/policy/frameworks/files/entropy-test-all-files.bro>
policy/frameworks/notice/__load__.bro </scripts/policy/frameworks/notice/__load__.bro>
policy/frameworks/notice/extend-email/hostnames.bro </scripts/policy/frameworks/notice/extend-email/hostnames.bro>
policy/files/x509/log-ocsp.bro </scripts/policy/files/x509/log-ocsp.bro>
policy/frameworks/packet-filter/shunt.bro </scripts/policy/frameworks/packet-filter/shunt.bro>
policy/frameworks/software/version-changes.bro </scripts/policy/frameworks/software/version-changes.bro>
policy/frameworks/software/vulnerable.bro </scripts/policy/frameworks/software/vulnerable.bro>
policy/frameworks/software/windows-version-detection.bro </scripts/policy/frameworks/software/windows-version-detection.bro>
policy/integration/barnyard2/__load__.bro </scripts/policy/integration/barnyard2/__load__.bro>
policy/integration/barnyard2/types.bro </scripts/policy/integration/barnyard2/types.bro>
policy/integration/barnyard2/main.bro </scripts/policy/integration/barnyard2/main.bro>
policy/integration/collective-intel/__load__.bro </scripts/policy/integration/collective-intel/__load__.bro>
policy/integration/collective-intel/main.bro </scripts/policy/integration/collective-intel/main.bro>
policy/misc/capture-loss.bro </scripts/policy/misc/capture-loss.bro>
policy/misc/detect-traceroute/__load__.bro </scripts/policy/misc/detect-traceroute/__load__.bro>
policy/misc/detect-traceroute/main.bro </scripts/policy/misc/detect-traceroute/main.bro>
policy/misc/load-balancing.bro </scripts/policy/misc/load-balancing.bro>
policy/misc/loaded-scripts.bro </scripts/policy/misc/loaded-scripts.bro>
policy/misc/profiling.bro </scripts/policy/misc/profiling.bro>
policy/misc/scan.bro </scripts/policy/misc/scan.bro>
policy/misc/stats.bro </scripts/policy/misc/stats.bro>
policy/misc/weird-stats.bro </scripts/policy/misc/weird-stats.bro>
policy/misc/trim-trace-file.bro </scripts/policy/misc/trim-trace-file.bro>
policy/protocols/conn/known-hosts.bro </scripts/policy/protocols/conn/known-hosts.bro>
policy/protocols/conn/known-services.bro </scripts/policy/protocols/conn/known-services.bro>
policy/protocols/conn/mac-logging.bro </scripts/policy/protocols/conn/mac-logging.bro>
policy/protocols/conn/vlan-logging.bro </scripts/policy/protocols/conn/vlan-logging.bro>
policy/protocols/conn/weirds.bro </scripts/policy/protocols/conn/weirds.bro>
policy/protocols/dhcp/msg-orig.bro </scripts/policy/protocols/dhcp/msg-orig.bro>
policy/protocols/dhcp/software.bro </scripts/policy/protocols/dhcp/software.bro>
policy/protocols/dhcp/sub-opts.bro </scripts/policy/protocols/dhcp/sub-opts.bro>
policy/protocols/dns/auth-addl.bro </scripts/policy/protocols/dns/auth-addl.bro>
policy/protocols/dns/detect-external-names.bro </scripts/policy/protocols/dns/detect-external-names.bro>
policy/protocols/ftp/detect-bruteforcing.bro </scripts/policy/protocols/ftp/detect-bruteforcing.bro>
policy/protocols/ftp/detect.bro </scripts/policy/protocols/ftp/detect.bro>
policy/protocols/ftp/software.bro </scripts/policy/protocols/ftp/software.bro>
policy/protocols/http/detect-sqli.bro </scripts/policy/protocols/http/detect-sqli.bro>
policy/protocols/http/detect-webapps.bro </scripts/policy/protocols/http/detect-webapps.bro>
policy/protocols/http/header-names.bro </scripts/policy/protocols/http/header-names.bro>
policy/protocols/http/software-browser-plugins.bro </scripts/policy/protocols/http/software-browser-plugins.bro>
policy/protocols/http/software.bro </scripts/policy/protocols/http/software.bro>
policy/protocols/http/var-extraction-cookies.bro </scripts/policy/protocols/http/var-extraction-cookies.bro>
policy/protocols/http/var-extraction-uri.bro </scripts/policy/protocols/http/var-extraction-uri.bro>
policy/protocols/krb/ticket-logging.bro </scripts/policy/protocols/krb/ticket-logging.bro>
policy/protocols/modbus/known-masters-slaves.bro </scripts/policy/protocols/modbus/known-masters-slaves.bro>
policy/protocols/modbus/track-memmap.bro </scripts/policy/protocols/modbus/track-memmap.bro>
policy/protocols/mysql/software.bro </scripts/policy/protocols/mysql/software.bro>
policy/protocols/rdp/indicate_ssl.bro </scripts/policy/protocols/rdp/indicate_ssl.bro>
policy/protocols/smb/log-cmds.bro </scripts/policy/protocols/smb/log-cmds.bro>
policy/protocols/smtp/blocklists.bro </scripts/policy/protocols/smtp/blocklists.bro>
policy/protocols/smtp/detect-suspicious-orig.bro </scripts/policy/protocols/smtp/detect-suspicious-orig.bro>
policy/protocols/smtp/entities-excerpt.bro </scripts/policy/protocols/smtp/entities-excerpt.bro>
policy/protocols/smtp/software.bro </scripts/policy/protocols/smtp/software.bro>
policy/protocols/ssh/detect-bruteforcing.bro </scripts/policy/protocols/ssh/detect-bruteforcing.bro>
policy/protocols/ssh/geo-data.bro </scripts/policy/protocols/ssh/geo-data.bro>
policy/protocols/ssh/interesting-hostnames.bro </scripts/policy/protocols/ssh/interesting-hostnames.bro>
policy/protocols/ssh/software.bro </scripts/policy/protocols/ssh/software.bro>
policy/protocols/ssl/expiring-certs.bro </scripts/policy/protocols/ssl/expiring-certs.bro>
policy/protocols/ssl/extract-certs-pem.bro </scripts/policy/protocols/ssl/extract-certs-pem.bro>
policy/protocols/ssl/heartbleed.bro </scripts/policy/protocols/ssl/heartbleed.bro>
policy/protocols/ssl/known-certs.bro </scripts/policy/protocols/ssl/known-certs.bro>
policy/protocols/ssl/log-hostcerts-only.bro </scripts/policy/protocols/ssl/log-hostcerts-only.bro>
policy/protocols/ssl/validate-certs.bro </scripts/policy/protocols/ssl/validate-certs.bro>
policy/protocols/ssl/validate-ocsp.bro </scripts/policy/protocols/ssl/validate-ocsp.bro>
policy/protocols/ssl/validate-sct.bro </scripts/policy/protocols/ssl/validate-sct.bro>
policy/protocols/ssl/weak-keys.bro </scripts/policy/protocols/ssl/weak-keys.bro>
policy/tuning/__load__.bro </scripts/policy/tuning/__load__.bro>
policy/tuning/defaults/__load__.bro </scripts/policy/tuning/defaults/__load__.bro>
policy/tuning/defaults/packet-fragments.bro </scripts/policy/tuning/defaults/packet-fragments.bro>
policy/tuning/defaults/warnings.bro </scripts/policy/tuning/defaults/warnings.bro>
policy/tuning/defaults/extracted_file_limits.bro </scripts/policy/tuning/defaults/extracted_file_limits.bro>
policy/tuning/json-logs.bro </scripts/policy/tuning/json-logs.bro>
policy/tuning/track-all-assets.bro </scripts/policy/tuning/track-all-assets.bro>
policy/protocols/ssl/notary.bro </scripts/policy/protocols/ssl/notary.bro>
policy/frameworks/control/controllee.bro </scripts/policy/frameworks/control/controllee.bro>
policy/frameworks/control/controller.bro </scripts/policy/frameworks/control/controller.bro>
policy/frameworks/files/extract-all-files.bro </scripts/policy/frameworks/files/extract-all-files.bro>
policy/misc/dump-events.bro </scripts/policy/misc/dump-events.bro>
policy/protocols/dhcp/deprecated_events.bro </scripts/policy/protocols/dhcp/deprecated_events.bro>
policy/protocols/smb/__load__.bro </scripts/policy/protocols/smb/__load__.bro>
broxygen/example.bro </scripts/broxygen/example.bro>


@ -1,200 +0,0 @@
Directives
==========
The Bro scripting language supports a number of directives that can
affect which scripts will be loaded or which lines in a script will be
executed. Directives are evaluated before script execution begins.
.. bro:keyword:: @DEBUG
TODO
.. bro:keyword:: @DIR
Expands to the directory pathname where the current script is located.
Example::
print "Directory:", @DIR;
.. bro:keyword:: @FILENAME
Expands to the filename of the current script.
Example::
print "File:", @FILENAME;
.. bro:keyword:: @deprecated
Marks the current script as deprecated. This can be placed anywhere in
the script, but a good convention is to put it as the first line.
You can also supply additional comments.
Example::
@deprecated "Use '@load foo' instead"
.. bro:keyword:: @load
Loads the specified Bro script, specified as the relative pathname
of the file (relative to one of the directories in Bro's file search path).
If the Bro script filename ends with ".bro", then you don't need to
specify the file extension. The filename cannot contain any whitespace.
In this example, Bro will try to load a script
"policy/misc/capture-loss.bro" by looking in each directory in the file
search path (the file search path can be changed by setting the BROPATH
environment variable)::
@load policy/misc/capture-loss
If you specify the name of a directory instead of a filename, then
Bro will try to load a file in that directory called "__load__.bro"
(presumably that file will contain additional "@load" directives).
In this example, Bro will try to load a file "tuning/defaults/__load__.bro"
by looking in each directory in the file search path::
@load tuning/defaults
The purpose of this directive is to ensure that all script dependencies
are satisfied, and to avoid having to list every needed Bro script
on the command-line. Bro keeps track of which scripts have been
loaded, so it is not an error to load a script more than once (once
a script has been loaded, any subsequent "@load" directives
for that script are ignored).
.. bro:keyword:: @load-plugin
Activate a dynamic plugin with the specified plugin name. The specified
plugin must be located in Bro's plugin search path. Example::
@load-plugin Demo::Rot13
By default, Bro will automatically activate all dynamic plugins found
in the plugin search path (the search path can be changed by setting
the environment variable BRO_PLUGIN_PATH to a colon-separated list of
directories). However, in bare mode ("bro -b"), dynamic plugins can be
activated only by using "@load-plugin", or by specifying the full
plugin name on the Bro command-line (e.g., "bro Demo::Rot13"), or by
setting the environment variable BRO_PLUGIN_ACTIVATE to a
comma-separated list of plugin names.
.. bro:keyword:: @load-sigs
This works similarly to "@load", except that in this case the filename
represents a signature file (not a Bro script). If the signature filename
ends with ".sig", then you don't need to specify the file extension
in the "@load-sigs" directive. The filename cannot contain any
whitespace.
In this example, Bro will try to load a signature file
"base/protocols/ssl/dpd.sig"::
@load-sigs base/protocols/ssl/dpd
The format for a signature file is explained in the documentation for the
`Signature Framework <../frameworks/signatures.html>`_.
.. bro:keyword:: @unload
This specifies a Bro script that we don't want to load (so a subsequent
attempt to load the specified script will be skipped). However,
if the specified script has already been loaded, then this directive
has no affect.
In the following example, if the "policy/misc/capture-loss.bro" script
has not been loaded yet, then Bro will not load it::
@unload policy/misc/capture-loss
.. bro:keyword:: @prefixes
Specifies a filename prefix to use when looking for script files
to load automatically. The prefix cannot contain any whitespace.
In the following example, the prefix "cluster" is used and all prefixes
that were previously specified are not used::
@prefixes = cluster
In the following example, the prefix "cluster-manager" is used in
addition to any previously-specified prefixes::
@prefixes += cluster-manager
The way this works is that after Bro parses all script files, then for each
loaded script Bro will take the absolute path of the script and then
it removes the portion of the directory path that is in Bro's file
search path. Then it replaces each "/" character with a period "."
and then prepends the prefix (specified in the "@prefixes" directive)
followed by a period. The resulting filename is searched for in each
directory in Bro's file search path. If a matching file is found, then
the file is automatically loaded.
For example, if a script called "local.bro" has been loaded, and a prefix
of "test" was specified, then Bro will look for a file named
"test.local.bro" in each directory of Bro's file search path.
An alternative way to specify prefixes is to use the "-p" Bro
command-line option.
.. bro:keyword:: @if
The specified expression must evaluate to type :bro:type:`bool`. If the
value is true, then the following script lines (up to the next "@else"
or "@endif") are available to be executed.
Example::
@if ( ver == 2 )
print "version 2 detected";
@endif
.. bro:keyword:: @ifdef
This works like "@if", except that the result is true if the specified
identifier is defined.
Example::
@ifdef ( pi )
print "pi is defined";
@endif
.. bro:keyword:: @ifndef
This works exactly like "@ifdef", except that the result is true if the
specified identifier is not defined.
Example::
@ifndef ( pi )
print "pi is not defined";
@endif
.. bro:keyword:: @else
This directive is optional after an "@if", "@ifdef", or
"@ifndef". If present, it provides an else clause.
Example::
@ifdef ( pi )
print "pi is defined";
@else
print "pi is not defined";
@endif
.. bro:keyword:: @endif
This directive is required to terminate each "@if", "@ifdef", or
"@ifndef".
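Review bot: two defects in this deleted text should be fixed in the zeek-docs copy rather than carried over verbatim, since the file is being relocated to the submodule, not retired. The `@DEBUG` entry still reads only `TODO`, and the `@unload` paragraph says the directive "has no affect" where "has no effect" is meant. A smaller point: the `@if` example tests `ver == 2` without saying where `ver` comes from; declaring it in the example (for instance a one-line `const ver = 2;` above the `@if`) would make the snippet self-contained.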


@ -1 +0,0 @@
.. include:: autogenerated-file-analyzer-index.rst


@ -1,21 +0,0 @@
================
Script Reference
================
.. toctree::
:maxdepth: 1
operators
types
attributes
statements
directives
log-files
notices
proto-analyzers
file-analyzers
packages
scripts
Broxygen Example Script </scripts/broxygen/example.bro>


@ -1,190 +0,0 @@
=========
Log Files
=========
Listed below are the log files generated by Bro, including a brief description
of the log file and links to descriptions of the fields for each log
type.
Network Protocols
-----------------
+----------------------------+---------------------------------------+---------------------------------+
| Log File | Description | Field Descriptions |
+============================+=======================================+=================================+
| conn.log | TCP/UDP/ICMP connections | :bro:type:`Conn::Info` |
+----------------------------+---------------------------------------+---------------------------------+
| dce_rpc.log | Distributed Computing Environment/RPC | :bro:type:`DCE_RPC::Info` |
+----------------------------+---------------------------------------+---------------------------------+
| dhcp.log | DHCP leases | :bro:type:`DHCP::Info` |
+----------------------------+---------------------------------------+---------------------------------+
| dnp3.log | DNP3 requests and replies | :bro:type:`DNP3::Info` |
+----------------------------+---------------------------------------+---------------------------------+
| dns.log | DNS activity | :bro:type:`DNS::Info` |
+----------------------------+---------------------------------------+---------------------------------+
| ftp.log | FTP activity | :bro:type:`FTP::Info` |
+----------------------------+---------------------------------------+---------------------------------+
| http.log | HTTP requests and replies | :bro:type:`HTTP::Info` |
+----------------------------+---------------------------------------+---------------------------------+
| irc.log | IRC commands and responses | :bro:type:`IRC::Info` |
+----------------------------+---------------------------------------+---------------------------------+
| kerberos.log | Kerberos | :bro:type:`KRB::Info` |
+----------------------------+---------------------------------------+---------------------------------+
| modbus.log | Modbus commands and responses | :bro:type:`Modbus::Info` |
+----------------------------+---------------------------------------+---------------------------------+
| modbus_register_change.log | Tracks changes to Modbus holding | :bro:type:`Modbus::MemmapInfo` |
| | registers | |
+----------------------------+---------------------------------------+---------------------------------+
| mysql.log | MySQL | :bro:type:`MySQL::Info` |
+----------------------------+---------------------------------------+---------------------------------+
| ntlm.log | NT LAN Manager (NTLM) | :bro:type:`NTLM::Info` |
+----------------------------+---------------------------------------+---------------------------------+
| radius.log | RADIUS authentication attempts | :bro:type:`RADIUS::Info` |
+----------------------------+---------------------------------------+---------------------------------+
| rdp.log | RDP | :bro:type:`RDP::Info` |
+----------------------------+---------------------------------------+---------------------------------+
| rfb.log | Remote Framebuffer (RFB) | :bro:type:`RFB::Info` |
+----------------------------+---------------------------------------+---------------------------------+
| sip.log | SIP | :bro:type:`SIP::Info` |
+----------------------------+---------------------------------------+---------------------------------+
| smb_cmd.log | SMB commands | :bro:type:`SMB::CmdInfo` |
+----------------------------+---------------------------------------+---------------------------------+
| smb_files.log | SMB files | :bro:type:`SMB::FileInfo` |
+----------------------------+---------------------------------------+---------------------------------+
| smb_mapping.log | SMB trees | :bro:type:`SMB::TreeInfo` |
+----------------------------+---------------------------------------+---------------------------------+
| smtp.log | SMTP transactions | :bro:type:`SMTP::Info` |
+----------------------------+---------------------------------------+---------------------------------+
| snmp.log | SNMP messages | :bro:type:`SNMP::Info` |
+----------------------------+---------------------------------------+---------------------------------+
| socks.log | SOCKS proxy requests | :bro:type:`SOCKS::Info` |
+----------------------------+---------------------------------------+---------------------------------+
| ssh.log | SSH connections | :bro:type:`SSH::Info` |
+----------------------------+---------------------------------------+---------------------------------+
| ssl.log | SSL/TLS handshake info | :bro:type:`SSL::Info` |
+----------------------------+---------------------------------------+---------------------------------+
| syslog.log | Syslog messages | :bro:type:`Syslog::Info` |
+----------------------------+---------------------------------------+---------------------------------+
| tunnel.log | Tunneling protocol events | :bro:type:`Tunnel::Info` |
+----------------------------+---------------------------------------+---------------------------------+
Files
-----
+----------------------------+---------------------------------------+---------------------------------+
| Log File | Description | Field Descriptions |
+============================+=======================================+=================================+
| files.log | File analysis results | :bro:type:`Files::Info` |
+----------------------------+---------------------------------------+---------------------------------+
| ocsp.log | Online Certificate Status Protocol | :bro:type:`OCSP::Info` |
| | (OCSP). Only created if policy script | |
| | is loaded. | |
+----------------------------+---------------------------------------+---------------------------------+
| pe.log | Portable Executable (PE) | :bro:type:`PE::Info` |
+----------------------------+---------------------------------------+---------------------------------+
| x509.log | X.509 certificate info | :bro:type:`X509::Info` |
+----------------------------+---------------------------------------+---------------------------------+
NetControl
----------
+------------------------------+---------------------------------------+------------------------------------------+
| Log File | Description | Field Descriptions |
+==============================+=======================================+==========================================+
| netcontrol.log | NetControl actions | :bro:type:`NetControl::Info` |
+------------------------------+---------------------------------------+------------------------------------------+
| netcontrol_drop.log | NetControl actions | :bro:type:`NetControl::DropInfo` |
+------------------------------+---------------------------------------+------------------------------------------+
| netcontrol_shunt.log | NetControl shunt actions | :bro:type:`NetControl::ShuntInfo` |
+------------------------------+---------------------------------------+------------------------------------------+
| netcontrol_catch_release.log | NetControl catch and release actions | :bro:type:`NetControl::CatchReleaseInfo` |
+------------------------------+---------------------------------------+------------------------------------------+
| openflow.log | OpenFlow debug log | :bro:type:`OpenFlow::Info` |
+------------------------------+---------------------------------------+------------------------------------------+
Detection
---------
+----------------------------+---------------------------------------+---------------------------------+
| Log File | Description | Field Descriptions |
+============================+=======================================+=================================+
| intel.log | Intelligence data matches | :bro:type:`Intel::Info` |
+----------------------------+---------------------------------------+---------------------------------+
| notice.log | Bro notices | :bro:type:`Notice::Info` |
+----------------------------+---------------------------------------+---------------------------------+
| notice_alarm.log | The alarm stream | :bro:type:`Notice::Info` |
+----------------------------+---------------------------------------+---------------------------------+
| signatures.log | Signature matches | :bro:type:`Signatures::Info` |
+----------------------------+---------------------------------------+---------------------------------+
| traceroute.log | Traceroute detection | :bro:type:`Traceroute::Info` |
+----------------------------+---------------------------------------+---------------------------------+
Network Observations
--------------------
+----------------------------+---------------------------------------+---------------------------------+
| Log File | Description | Field Descriptions |
+============================+=======================================+=================================+
| known_certs.log | SSL certificates | :bro:type:`Known::CertsInfo` |
+----------------------------+---------------------------------------+---------------------------------+
| known_hosts.log | Hosts that have completed TCP | :bro:type:`Known::HostsInfo` |
| | handshakes | |
+----------------------------+---------------------------------------+---------------------------------+
| known_modbus.log | Modbus masters and slaves | :bro:type:`Known::ModbusInfo` |
+----------------------------+---------------------------------------+---------------------------------+
| known_services.log | Services running on hosts | :bro:type:`Known::ServicesInfo` |
+----------------------------+---------------------------------------+---------------------------------+
| software.log | Software being used on the network | :bro:type:`Software::Info` |
+----------------------------+---------------------------------------+---------------------------------+
Miscellaneous
-------------
+----------------------------+---------------------------------------+---------------------------------+
| Log File | Description | Field Descriptions |
+============================+=======================================+=================================+
| barnyard2.log | Alerts received from Barnyard2 | :bro:type:`Barnyard2::Info` |
+----------------------------+---------------------------------------+---------------------------------+
| dpd.log | Dynamic protocol detection failures | :bro:type:`DPD::Info` |
+----------------------------+---------------------------------------+---------------------------------+
| unified2.log | Interprets Snort's unified output | :bro:type:`Unified2::Info` |
+----------------------------+---------------------------------------+---------------------------------+
| weird.log | Unexpected network-level activity | :bro:type:`Weird::Info` |
+----------------------------+---------------------------------------+---------------------------------+
| weird_stats.log | Statistics about unexpected activity | :bro:type:`WeirdStats::Info` |
+----------------------------+---------------------------------------+---------------------------------+
Bro Diagnostics
---------------
+----------------------------+---------------------------------------+---------------------------------+
| Log File | Description | Field Descriptions |
+============================+=======================================+=================================+
| broker.log | Peering status events between Bro or | :bro:type:`Broker::Info` |
| | Broker-enabled processes | |
+----------------------------+---------------------------------------+---------------------------------+
| capture_loss.log | Packet loss rate | :bro:type:`CaptureLoss::Info` |
+----------------------------+---------------------------------------+---------------------------------+
| cluster.log | Bro cluster messages | :bro:type:`Cluster::Info` |
+----------------------------+---------------------------------------+---------------------------------+
| config.log | Configuration option changes | :bro:type:`Config::Info` |
+----------------------------+---------------------------------------+---------------------------------+
| loaded_scripts.log | Shows all scripts loaded by Bro | :bro:type:`LoadedScripts::Info` |
+----------------------------+---------------------------------------+---------------------------------+
| packet_filter.log | List packet filters that were applied | :bro:type:`PacketFilter::Info` |
+----------------------------+---------------------------------------+---------------------------------+
| prof.log | Profiling statistics (to create this | N/A |
| | log, load policy/misc/profiling.bro) | |
+----------------------------+---------------------------------------+---------------------------------+
| reporter.log | Internal error/warning/info messages | :bro:type:`Reporter::Info` |
+----------------------------+---------------------------------------+---------------------------------+
| stats.log | Memory/event/packet/lag statistics | :bro:type:`Stats::Info` |
+----------------------------+---------------------------------------+---------------------------------+
| stderr.log | Captures standard error when Bro is | N/A |
| | started from BroControl | |
+----------------------------+---------------------------------------+---------------------------------+
| stdout.log | Captures standard output when Bro is | N/A |
| | started from BroControl | |
+----------------------------+---------------------------------------+---------------------------------+
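Review bot: the header `@ -1,241 +0,0 @@` records this as a whole-file removal with nothing added in its place, and the tables being dropped are the in-tree index that maps each log (`ssl.log`, `notice.log`, `weird.log` and the rest) to its `:bro:type:` record; if that reference now lives in another repository, this change should land together with the submodule gitlink and `.gitmodules` entry so a checkout of this revision still has a resolvable target for those cross-references. Worth checking at the new location as well: the rows whose field descriptions are `N/A` (`prof.log`, `stderr.log`, `stdout.log`) carry their only explanation in the table text itself (the `policy/misc/profiling.bro` load and the BroControl capture notes), so that text must survive the move verbatim.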

View file

@ -1,8 +0,0 @@
.. Not nice but I don't find a way to link to the notice index
.. directly from the upper level TOC tree.
Notices
=======
See the `Bro Notice Index <../bro-noticeindex.html>`_.
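Review bot: the link target `../bro-noticeindex.html` on the last line is a hard-coded relative HTML path, and the `.. Not nice but I don't find a way ...` comment above it says the page exists only as a workaround for the TOC tree; wherever this page is re-created, the notice index must sit at exactly the same relative path or the link goes dead silently. Prefer a Sphinx `:doc:` or `:ref:` role there so a missing notice index fails the build instead of rendering a broken link.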

View file

@ -1,304 +0,0 @@
Operators
=========
The Bro scripting language supports the following operators. Note that
each data type only supports a subset of these operators. For more
details, see the documentation about the `data types <types.html>`_.
Relational operators
--------------------
The relational operators evaluate to type :bro:type:`bool`.
In addition to numeric operands, the relational operators also work with
operands of type :bro:type:`interval`, :bro:type:`time`, :bro:type:`string`,
:bro:type:`port`, :bro:type:`addr`, and :bro:type:`set`.
+------------------------------+--------------+
| Name | Syntax |
+==============================+==============+
| Equality | *a* == *b* |
+------------------------------+--------------+
| Inequality | *a* != *b* |
+------------------------------+--------------+
| Less than | *a* < *b* |
+------------------------------+--------------+
| Less than or equal | *a* <= *b* |
+------------------------------+--------------+
| Greater than | *a* > *b* |
+------------------------------+--------------+
| Greater than or equal | *a* >= *b* |
+------------------------------+--------------+
Logical operators
-----------------
The logical operators require operands of type :bro:type:`bool`, and
evaluate to type :bro:type:`bool`.
+------------------------------+--------------+
| Name | Syntax |
+==============================+==============+
| Logical AND | *a* && *b* |
+------------------------------+--------------+
| Logical OR | *a* \|\| *b* |
+------------------------------+--------------+
| Logical NOT | ! *a* |
+------------------------------+--------------+
Arithmetic operators
--------------------
+------------------------------+-------------+-------------------------------+
| Name | Syntax | Notes |
+==============================+=============+===============================+
| Addition | *a* + *b* | For :bro:type:`string` |
| | | operands, this performs |
| | | string concatenation. |
+------------------------------+-------------+-------------------------------+
| Subtraction | *a* - *b* | |
+------------------------------+-------------+-------------------------------+
| Multiplication | *a* \* *b* | |
+------------------------------+-------------+-------------------------------+
| Division | *a* / *b* | For :bro:type:`int` or |
| | | :bro:type:`count` operands, |
| | | the fractional part of the |
| | | result is dropped. |
+------------------------------+-------------+-------------------------------+
| Modulo | *a* % *b* | Operand types cannot be |
| | | "double". |
+------------------------------+-------------+-------------------------------+
| Unary plus | \+ *a* | |
+------------------------------+-------------+-------------------------------+
| Unary minus | \- *a* | |
+------------------------------+-------------+-------------------------------+
| Pre-increment | ++ *a* | Operand type cannot be |
| | | "double". |
+------------------------------+-------------+-------------------------------+
| Pre-decrement | ``--`` *a* | Operand type cannot be |
| | | "double". |
+------------------------------+-------------+-------------------------------+
| Absolute value | \| *a* \| | If operand is |
| | | :bro:type:`string`, |
| | | :bro:type:`set`, |
| | | :bro:type:`table`, or |
| | | :bro:type:`vector`, this |
| | | evaluates to number |
| | | of elements. |
+------------------------------+-------------+-------------------------------+
Bitwise operators
-----------------
The bitwise operators work with operands of type :bro:type:`count` or
``vector of count``, but the bitwise complement operator works with ``count``
only.
+------------------------------+-------------+
| Name | Syntax |
+==============================+=============+
| Bitwise AND | *a* & *b* |
+------------------------------+-------------+
| Bitwise OR | *a* | *b* |
+------------------------------+-------------+
| Bitwise XOR | *a* ^ *b* |
+------------------------------+-------------+
| Bitwise complement | ~ *a* |
+------------------------------+-------------+
Set operators
-------------
+------------------------------+-------------+
| Name | Syntax |
+==============================+=============+
| Set intersection | *s1* & *s2* |
+------------------------------+-------------+
| Set union | *s1* | *s2* |
+------------------------------+-------------+
| Set difference | *s1* - *s2* |
+------------------------------+-------------+
Assignment operators
--------------------
The assignment operators evaluate to the result of the assignment.
The "+=" operator can also be used to append an element to the end of a
vector. For example, ``v += e`` is equivalent to ``v[|v|] = e``.
+------------------------------+-------------+
| Name | Syntax |
+==============================+=============+
| Assignment | *a* = *b* |
+------------------------------+-------------+
| Addition assignment | *a* += *b* |
+------------------------------+-------------+
| Subtraction assignment | *a* -= *b* |
+------------------------------+-------------+
Record field operators
----------------------
The record field operators take a :bro:type:`record` as the first operand,
and a field name as the second operand. For both operators, the specified
field name must be in the declaration of the record type.
+------------------------------+-------------+-------------------------------+
| Name | Syntax | Notes |
+==============================+=============+===============================+
| Field access | *a* $ *b* | |
+------------------------------+-------------+-------------------------------+
| Field value existence test | *a* ?$ *b* | Evaluates to type |
| | | :bro:type:`bool`. |
| | | True if the specified field |
| | | has been assigned a value, or |
| | | false if not. |
+------------------------------+-------------+-------------------------------+
Pattern operators
-----------------
In the table below, *p* is a pattern, and *s* is a string.
+------------------------------+-------------+-------------------------------+
| Name | Syntax | Notes |
+==============================+=============+===============================+
| Exact matching | *p* == *s* | Evaluates to a boolean, |
| | | indicating if the entire |
| | | string exactly matches the |
| | | pattern. |
+------------------------------+-------------+-------------------------------+
| Embedded matching | *p* in *s* | Evaluates to a boolean, |
| | | indicating if pattern is |
| | | found somewhere in the string.|
+------------------------------+-------------+-------------------------------+
| Conjunction | *p1* & *p2* | Evaluates to a pattern that |
| | | represents matching p1 |
| | | followed by p2. |
+------------------------------+-------------+-------------------------------+
| Disjunction | *p1* | *p2* | Evaluates to a pattern that |
| | | represents matching p1 or p2. |
+------------------------------+-------------+-------------------------------+
Type casting
------------
The "as" operator performs type casting and the "is" operator checks if a
type cast is supported or not. For both operators, the first operand is a
value and the second operand is the name of a Bro script type (either built-in
or user-defined).
+------------------------------+-------------+-------------------------------+
| Name | Syntax | Notes |
+==============================+=============+===============================+
| Type cast | *v* as *t* | Cast value "v" into type "t". |
| | | Evaluates to the value casted |
| | | to the specified type. |
| | | If this is not a supported |
| | | cast, then a runtime error is |
| | | triggered. |
+------------------------------+-------------+-------------------------------+
| Check if a cast is supported | *v* is *t* | Evaluates to boolean. If true,|
| | | then "v as t" would succeed. |
+------------------------------+-------------+-------------------------------+
Only the following kinds of type casts are supported currently:
- Broker values (i.e., :bro:see:`Broker::Data` values returned from
functions such as :bro:id:`Broker::data`) can be casted to their
corresponding Bro script types.
- A value of declared type "any" can be casted to its actual underlying type.
- All values can be casted to their declared types (i.e., this is a no-op).
The function in this example tries to cast a value to a string::
function example(a: any)
{
local s: string;
if ( a is string )
s = (a as string);
}
Other operators
---------------
+--------------------------------+-------------------+------------------------+
| Name | Syntax | Notes |
+================================+===================+========================+
| Membership test | *a* in *b* |Evaluates to type |
| | |:bro:type:`bool`. Works |
| | |with :bro:type:`string`,|
| | |:bro:type:`pattern`, |
| | |:bro:type:`subnet`, |
| | |:bro:type:`set`, |
| | |:bro:type:`table`, or |
| | |:bro:type:`vector` |
| | |operands. Do not |
| | |confuse this use of "in"|
| | |with that used in a |
| | |:bro:keyword:`for` |
| | |statement. |
+--------------------------------+-------------------+------------------------+
| Non-membership test | *a* !in *b* |This is the logical NOT |
| | |of the "in" operator. |
| | |For example: "a !in b" |
| | |is equivalent to |
| | |"!(a in b)". |
+--------------------------------+-------------------+------------------------+
| Table or vector element access | *a* [ *b* ] |This operator can also |
| | |be used with a |
| | |:bro:type:`set`, but |
| | |only with the |
| | |:bro:keyword:`add` or |
| | |:bro:keyword:`delete` |
| | |statement. |
+--------------------------------+-------------------+------------------------+
| Substring extraction | *a* [ *b* : *c* ] |See the |
| | |:bro:type:`string` type |
| | |for more details. |
+--------------------------------+-------------------+------------------------+
| Create a deep copy | copy ( *a* ) |This is relevant only |
| | |for data types that are |
| | |assigned by reference, |
| | |such as |
| | |:bro:type:`vector`, |
| | |:bro:type:`set`, |
| | |:bro:type:`table`, |
| | |and :bro:type:`record`. |
+--------------------------------+-------------------+------------------------+
| Module namespace access | *a* \:\: *b* |The first operand is the|
| | |module name, and the |
| | |second operand is an |
| | |identifier that refers |
| | |to a global variable, |
| | |enumeration constant, or|
| | |user-defined type that |
| | |was exported from the |
| | |module. |
+--------------------------------+-------------------+------------------------+
| Conditional | *a* ? *b* : *c* |The first operand must |
| | |evaluate to type |
| | |:bro:type:`bool`. |
| | |If true, then the |
| | |second expression is |
| | |evaluated and is the |
| | |result of the entire |
| | |expression. Otherwise, |
| | |the third expression is |
| | |evaluated and is the |
| | |result of the entire |
| | |expression. The types of|
| | |the second and third |
| | |operands must be |
| | |compatible. |
+--------------------------------+-------------------+------------------------+

View file

@ -1,14 +0,0 @@
.. _script-packages:
Bro Package Index
=================
Bro has the following script packages (e.g. collections of related scripts in
a common directory). If the package directory contains a ``__load__.bro``
script, it supports being loaded in mass as a whole directory for convenience.
Packages/scripts in the ``base/`` directory are all loaded by default, while
ones in ``policy/`` provide functionality and customization options that are
more appropriate for users to decide whether they'd like to load it or not.
.. include:: autogenerated-package-index.rst
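Review bot: the `.. include:: autogenerated-package-index.rst` directive here (and the same pattern for the protocol-analyzer and script indexes in the two hunks that follow) pulls in a file that is generated rather than checked in, and that generated file is not among the content removed; whatever build step produces the `autogenerated-*.rst` files from this repository's scripts needs to keep running and to write its output where the relocated documentation build can include it, so that target should be updated in the same series rather than left writing into the removed location.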

View file

@ -1 +0,0 @@
.. include:: autogenerated-protocol-analyzer-index.rst

View file

@ -1,5 +0,0 @@
================
Bro Script Index
================
.. include:: autogenerated-script-index.rst

View file

@ -1,723 +0,0 @@
Declarations and Statements
===========================
The Bro scripting language supports the following declarations and
statements.
Declarations
~~~~~~~~~~~~
+----------------------------+-----------------------------+
| Name | Description |
+============================+=============================+
| :bro:keyword:`module` | Change the current module |
+----------------------------+-----------------------------+
| :bro:keyword:`export` | Export identifiers from the |
| | current module |
+----------------------------+-----------------------------+
| :bro:keyword:`global` | Declare a global variable |
+----------------------------+-----------------------------+
| :bro:keyword:`const` | Declare a constant |
+----------------------------+-----------------------------+
| :bro:keyword:`option` | Declare a configuration |
| | option |
+----------------------------+-----------------------------+
| :bro:keyword:`type` | Declare a user-defined type |
+----------------------------+-----------------------------+
| :bro:keyword:`redef` | Redefine a global value or |
| | extend a user-defined type |
+----------------------------+-----------------------------+
| `function/event/hook`_ | Declare a function, event |
| | handler, or hook |
+----------------------------+-----------------------------+
Statements
~~~~~~~~~~
+----------------------------+------------------------+
| Name | Description |
+============================+========================+
| :bro:keyword:`local` | Declare a local |
| | variable |
+----------------------------+------------------------+
| :bro:keyword:`add`, | Add or delete |
| :bro:keyword:`delete` | elements |
+----------------------------+------------------------+
| :bro:keyword:`print` | Print to stdout or a |
| | file |
+----------------------------+------------------------+
| :bro:keyword:`for`, | Loop over each |
| :bro:keyword:`while`, | element in a container |
| :bro:keyword:`next`, | object (``for``), or |
| :bro:keyword:`break` | as long as a condition |
| | evaluates to true |
| | (``while``). |
+----------------------------+------------------------+
| :bro:keyword:`if` | Evaluate boolean |
| | expression and if true,|
| | execute a statement |
+----------------------------+------------------------+
| :bro:keyword:`switch`, | Evaluate expression |
| :bro:keyword:`break`, | and execute statement |
| :bro:keyword:`fallthrough` | with a matching value |
+----------------------------+------------------------+
| :bro:keyword:`when` | Asynchronous execution |
+----------------------------+------------------------+
| :bro:keyword:`event`, | Invoke or schedule |
| :bro:keyword:`schedule` | an event handler |
+----------------------------+------------------------+
| :bro:keyword:`return` | Return from function, |
| | hook, or event handler |
+----------------------------+------------------------+
Declarations
------------
Declarations cannot occur within a function, hook, or event handler.
Declarations must appear before any statements (except those statements
that are in a function, hook, or event handler) in the concatenation of
all loaded Bro scripts.
.. bro:keyword:: module
The "module" keyword is used to change the current module. This
affects the scope of any subsequently declared global identifiers.
Example::
module mymodule;
If a global identifier is declared after a "module" declaration,
then its scope ends at the end of the current Bro script or at the
next "module" declaration, whichever comes first. However, if a
global identifier is declared after a "module" declaration, but inside
an :bro:keyword:`export` block, then its scope ends at the end of the
last loaded Bro script, but it must be referenced using the namespace
operator (``::``) in other modules.
There can be any number of "module" declarations in a Bro script.
The same "module" declaration can appear in any number of different
Bro scripts.
.. bro:keyword:: export
An "export" block contains one or more declarations
(no statements are allowed in an "export" block) that the current
module is exporting. This enables these global identifiers to be visible
in other modules (but not prior to their declaration) via the namespace
operator (``::``). See the :bro:keyword:`module` keyword for a more
detailed explanation.
Example::
export {
redef enum Log::ID += { LOG };
type Info: record {
ts: time &log;
uid: string &log;
};
const conntime = 30sec &redef;
}
Note that the braces in an "export" block are always required
(they do not indicate a compound statement). Also, no semicolon is
needed to terminate an "export" block.
.. bro:keyword:: global
Variables declared with the "global" keyword will be global.
If a type is not specified, then an initializer is required so that
the type can be inferred. Likewise, if an initializer is not supplied,
then the type must be specified. In some cases, when the type cannot
be correctly inferred, the type must be specified even when an
initializer is present. Example::
global pi = 3.14;
global hosts: set[addr];
global ciphers: table[string] of string = table();
Variable declarations outside of any function, hook, or event handler are
required to use this keyword (unless they are declared with the
:bro:keyword:`const` keyword instead).
Definitions of functions, hooks, and event handlers are not allowed
to use the "global" keyword. However, function declarations (i.e., no
function body is provided) can use the "global" keyword.
The scope of a global variable begins where the declaration is located,
and extends through all remaining Bro scripts that are loaded (however,
see the :bro:keyword:`module` keyword for an explanation of how modules
change the visibility of global identifiers).
.. bro:keyword:: const
A variable declared with the "const" keyword will be constant.
Variables declared as constant are required to be initialized at the
time of declaration. Normally, the type is inferred from the initializer,
but the type can be explicitly specified. Example::
const pi = 3.14;
const ssh_port: port = 22/tcp;
The value of a constant cannot be changed. The only exception is if the
variable is a global constant and has the :bro:attr:`&redef`
attribute, but even then its value can be changed only with a
:bro:keyword:`redef`.
The scope of a constant is local if the declaration is in a
function, hook, or event handler, and global otherwise.
Note that the "const" keyword cannot be used with either the "local"
or "global" keywords (i.e., "const" replaces "local" and "global").
.. bro:keyword:: option
A variable declared with the "option" keyword is a configuration option.
Options are required to be initialized at the
time of declaration. Normally, the type is inferred from the initializer,
but the type can be explicitly specified. Example::
option hostname = "host-1";
option peers: set[addr] = {};
The initial value can be redefined with a :bro:keyword:`redef`.
The value of an option cannot be changed by an assignment statement, but
it can be changed by either the :bro:id:`Config::set_value` function or
by changing a config file specified in :bro:id:`Config::config_files`.
The scope of an option is global.
Note that an "option" declaration cannot also use the "local", "global",
or "const" keywords.
.. bro:keyword:: type
The "type" keyword is used to declare a user-defined type. The name
of this new type has global scope and can be used anywhere a built-in
type name can occur.
The "type" keyword is most commonly used when defining a
:bro:type:`record` or an :bro:type:`enum`, but is also useful when
dealing with more complex types.
Example::
type mytype: table[count] of table[addr, port] of string;
global myvar: mytype;
.. bro:keyword:: redef
There are several ways that "redef" can be used: to redefine the initial
value of a global variable or runtime option, to extend a record type or
enum type, or to specify a new event handler body that replaces all those
that were previously defined.
If you're using "redef" to redefine the initial value of a global variable
(defined using either :bro:keyword:`const` or :bro:keyword:`global`), then
the variable that you want to change must have the :bro:attr:`&redef`
attribute. You can use "redef" to redefine the initial value of a
runtime option (defined using :bro:keyword:`option`) even if it doesn't
have the :bro:attr:`&redef` attribute.
If the variable you're changing is a table, set, vector, or pattern, you can
use ``+=`` to add new elements, or you can use ``=`` to specify a new value
(all previous contents of the object are removed). If the variable you're
changing is a set or table, then you can use the ``-=`` operator to remove
the specified elements (nothing happens for specified elements that don't
exist). If the variable you are changing is not a table, set, or pattern,
then you must use the ``=`` operator.
Examples::
redef pi = 3.14;
redef set_of_ports += { 22/tcp, 53/udp };
If you're using "redef" to extend a record or enum, then you must
use the ``+=`` assignment operator.
For an enum, you can add more enumeration constants, and for a record
you can add more record fields (however, each record field in the "redef"
must have either the :bro:attr:`&optional` or :bro:attr:`&default`
attribute).
Examples::
redef enum color += { Blue, Red };
redef record MyRecord += { n2:int &optional; s2:string &optional; };
If you're using "redef" to specify a new event handler body that
replaces all those that were previously defined (i.e., any subsequently
defined event handler body will not be affected by this "redef"), then
the syntax is the same as a regular event handler definition except for
the presence of the "redef" keyword.
Example::
redef event myevent(s:string) { print "Redefined", s; }
.. _function/event/hook:
**function/event/hook**
For details on how to declare a :bro:type:`function`,
:bro:type:`event` handler, or :bro:type:`hook`,
see the documentation for those types.
Statements
----------
Statements (except those contained within a function, hook, or event
handler) can appear only after all global declarations in the concatenation
of all loaded Bro scripts.
Each statement in a Bro script must be terminated with a semicolon (with a
few exceptions noted below). An individual statement can span multiple
lines.
Here are the statements that the Bro scripting language supports.
.. bro:keyword:: add
The "add" statement is used to add an element to a :bro:type:`set`.
Nothing happens if the specified element already exists in the set.
Example::
local myset: set[string];
add myset["test"];
.. bro:keyword:: break
The "break" statement is used to break out of a :bro:keyword:`switch`,
:bro:keyword:`for`, or :bro:keyword:`while` statement.
.. bro:keyword:: delete
The "delete" statement is used to remove an element from a
:bro:type:`set` or :bro:type:`table`, or to remove a value from
a :bro:type:`record` field that has the :bro:attr:`&optional` attribute.
When attempting to remove an element from a set or table,
nothing happens if the specified index does not exist.
When attempting to remove a value from an "&optional" record field,
nothing happens if that field doesn't have a value.
Example::
local myset = set("this", "test");
local mytable = table(["key1"] = 80/tcp, ["key2"] = 53/udp);
local myrec = MyRecordType($a = 1, $b = 2);
delete myset["test"];
delete mytable["key1"];
# In this example, "b" must have the "&optional" attribute
delete myrec$b;
.. bro:keyword:: event
The "event" statement immediately queues invocation of an event handler.
Example::
event myevent("test", 5);
.. bro:keyword:: fallthrough
The "fallthrough" statement can be used as the last statement in a
"case" block to indicate that execution should continue into the
next "case" or "default" label.
For an example, see the :bro:keyword:`switch` statement.
.. bro:keyword:: for
A "for" loop iterates over each element in a string, set, vector, or
table and executes a statement for each iteration (note that the order
in which the loop iterates over the elements in a set or a table is
nondeterministic). No loop iterations occur if the string, set,
vector, or table is empty.
For each iteration of the loop, a loop variable will be assigned to an
element if the expression evaluates to a string or set, or an index if
the expression evaluates to a vector or table. Then the statement
is executed.
If the expression is a table or a set with more than one index, then the
loop variable must be specified as a comma-separated list of different
loop variables (one for each index), enclosed in brackets.
Note that the loop variable in a "for" statement is not allowed to be
a global variable, and it does not need to be declared prior to the "for"
statement. The type will be inferred from the elements of the
expression.
Currently, modifying a container's membership while iterating over it may
result in undefined behavior, so do not add or remove elements
inside the loop.
A :bro:keyword:`break` statement will immediately terminate the "for"
loop, and a :bro:keyword:`next` statement will skip to the next loop
iteration.
Example::
local myset = set(80/tcp, 81/tcp);
local mytable = table([10.0.0.1, 80/tcp]="s1", [10.0.0.2, 81/tcp]="s2");
for (p in myset)
print p;
for ([i,j] in mytable) {
if (mytable[i,j] == "done")
break;
if (mytable[i,j] == "skip")
next;
print i,j;
}
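The two-pass approach that the caveat about modifying a container during iteration calls for, as an added example that is not part of the original manual; the table name, the function name and the sample addresses and times are constructed for illustration:

```bro
# Added example (not from the original manual). "last_seen" and its contents
# are constructed sample data; the function name is hypothetical.
global last_seen: table[addr] of time;

# Remove every entry older than "cutoff" without changing the table while
# the "for" loop is still iterating over it.
function expire_older_than(cutoff: time)
    {
    # First pass: only read the table, collecting the indices to remove.
    local stale: set[addr];
    for ( a in last_seen )
        if ( last_seen[a] < cutoff )
            add stale[a];

    # Second pass: iterate over the separate set and modify the table.
    for ( a in stale )
        delete last_seen[a];
    }

event bro_init()
    {
    local now = current_time();
    last_seen[10.0.0.1] = now - 2 hr;
    last_seen[10.0.0.2] = now - 10 min;
    last_seen[10.0.0.3] = now;

    expire_older_than(now - 1 hr);
    print fmt("%d entries remain", |last_seen|);
    }
```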
.. bro:keyword:: if
Evaluates a given expression, which must yield a :bro:type:`bool` value.
If true, then a specified statement is executed. If false, then
the statement is not executed. Example::
if ( x == 2 ) print "x is 2";
However, if the expression evaluates to false and if an "else" is
provided, then the statement following the "else" is executed. Example::
if ( x == 2 )
print "x is 2";
else
print "x is not 2";
.. bro:keyword:: local
A variable declared with the "local" keyword is local to the function,
hook, or event handler in which it is declared. If a type
is not specified, then an initializer is required so that the type can
be inferred. Likewise, if an initializer is not supplied, then the
type must be specified.
Examples::
local x1 = 5.7;
local x2: double;
local x3: double = 5.7;
Variable declarations inside a function, hook, or event handler are
required to use this keyword (the only two exceptions are variables
declared with :bro:keyword:`const`, and variables implicitly declared in a
:bro:keyword:`for` statement).
The scope of a local variable starts at the location where it is declared
and persists to the end of the function, hook,
or event handler in which it is declared (this is true even if the
local variable was declared within a `compound statement`_ or is the loop
variable in a "for" statement).
.. bro:keyword:: next
The "next" statement can only appear within a :bro:keyword:`for` or
:bro:keyword:`while` loop. It causes execution to skip to the next
iteration.
.. bro:keyword:: print
The "print" statement takes a comma-separated list of one or more
expressions. Each expression in the list is evaluated and then converted
to a string. Then each string is printed, with each string separated by
a comma in the output.
Examples::
print 3.14;
print "Results", x, y;
By default, the "print" statement writes to the standard
output (stdout). However, if the first expression is of type
:bro:type:`file`, then "print" writes to that file.
If a string contains non-printable characters (i.e., byte values that are
not in the range 32 - 126), then the "print" statement converts each
non-printable character to an escape sequence before it is printed.
For more control over how the strings are formatted, see the :bro:id:`fmt`
function.
.. bro:keyword:: return
The "return" statement immediately exits the current function, hook, or
event handler. For a function, the specified expression (if any) is
evaluated and returned. A "return" statement in a hook or event handler
cannot return a value because event handlers and hooks do not have
return types.
Examples::
function my_func(): string
{
return "done";
}
event my_event(n: count)
{
if ( n == 0 ) return;
print n;
}
There is a special form of the "return" statement that is only allowed
in functions. Syntactically, it looks like a :bro:keyword:`when` statement
immediately preceded by the "return" keyword. This form of the "return"
statement is used to specify a function that delays its result (such a
function can only be called in the expression of a :bro:keyword:`when`
statement). The function returns at the time the "when"
statement's condition becomes true, and the function returns the value
that the "when" statement's body returns (or if the condition does
not become true within the specified timeout interval, then the function
returns the value that the "timeout" block returns).
Example::
global X: table[string] of count;
function a() : count
{
# This delays until condition becomes true.
return when ( "a" in X )
{
return X["a"];
}
timeout 30 sec
{
return 0;
}
}
event bro_init()
{
# Installs a trigger which fires if a() returns 42.
when ( a() == 42 )
print "expected result";
print "Waiting for a() to return...";
X["a"] = 42;
}
.. bro:keyword:: schedule
The "schedule" statement is used to raise a specified event with
specified parameters at a later time specified as an :bro:type:`interval`.
Example::
schedule 30sec { myevent(x, y, z) };
Note that the braces are always required (they do not indicate a
`compound statement`_).
Note that "schedule" is actually an expression that returns a value
of type "timer", but in practice the return value is not used.
.. bro:keyword:: switch
A "switch" statement evaluates a given expression and jumps to
the first "case" label which contains a matching value (the result of the
expression must be type-compatible with all of the values in all of the
"case" labels). If there is no matching value, then execution jumps to
the "default" label instead, and if there is no "default" label then
execution jumps out of the "switch" block.
Here is an example (assuming that "get_day_of_week" is a
function that returns a string)::
switch get_day_of_week()
{
case "Sa", "Su":
print "weekend";
fallthrough;
case "Mo", "Tu", "We", "Th", "Fr":
print "valid result";
break;
default:
print "invalid result";
break;
}
A "switch" block can have any number of "case" labels, and one
optional "default" label.
A "case" label can have a comma-separated list of
more than one value. A value in a "case" label can be an expression,
but it must be a constant expression (i.e., the expression can consist
only of constants).
Each "case" and the "default" block must
end with either a :bro:keyword:`break`, :bro:keyword:`fallthrough`, or
:bro:keyword:`return` statement (although "return" is allowed only
if the "switch" statement is inside a function, hook, or event handler).
Note that the braces in a "switch" statement are always required (these
do not indicate the presence of a `compound statement`_), and that no
semicolon is needed at the end of a "switch" statement.
There is an alternative form of the switch statement that supports
switching by type rather than value. This form of the switch statement
uses type-based versions of "case":
- "case type t: ...": Take the branch if the value of the switch expression
can be cast to type t (where "t" is the name of a Bro script type,
either built-in or user-defined).
- "case type t as x: ...": Same as above, but the cast value is
available through ID "x".
Multiple types can be listed per branch, separated by commas (the "type"
keyword must be repeated for each type in the list).
Example::
function example(v: any)
{
switch (v) {
case type count as c:
print "It's a count", c;
break;
case type bool, type addr:
print "It's a bool or address";
break;
}
}
Note that a single switch statement switches either by type or by value,
but not both.
Also note that the type-based switch statement will trigger a runtime
error if any cast in any "case" is an unsupported cast (see the
documentation of the type casting operator "as").
.. bro:keyword:: when
Evaluates a given expression, which must result in a value of type
:bro:type:`bool`. When the value of the expression becomes available
and if the result is true, then a specified statement is executed.
In the following example, if the expression evaluates to true, then
the "print" statement is executed::
when ( (local x = foo()) && x == 42 )
print x;
However, if a timeout is specified, and if the expression does not
evaluate to true within the specified timeout interval, then the
statement following the "timeout" keyword is executed::
when ( (local x = foo()) && x == 42 )
print x;
timeout 5sec {
print "timeout";
}
Note that when a timeout is specified the braces are
always required (these do not indicate a `compound statement`_).
The expression in a "when" statement can contain a declaration of a local
variable but only if the declaration is written in the form
"local *var* = *init*" (example: "local x = myfunction()"). This form
of a local declaration is actually an expression, the result of which
is always a boolean true value.
The expression in a "when" statement can contain an asynchronous function
call such as :bro:id:`lookup_hostname` (in fact, this is the only place
such a function can be called), but it can also contain an ordinary
function call. When an asynchronous function call is in the expression,
then Bro will continue processing statements in the script following
the "when" statement, and when the result of the function call is available
Bro will finish evaluating the expression in the "when" statement.
See the :bro:keyword:`return` statement for an explanation of how to
create an asynchronous function in a Bro script.
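The asynchronous case described above, as an added example that is not from the original manual; the hostname is a placeholder and :bro:id:`lookup_hostname` is the built-in resolver the text mentions:

```bro
# Added example (not from the original manual). The hostname is a placeholder.
event bro_init()
    {
    # "local addrs = ..." inside the condition is an expression that always
    # yields T, so the body runs as soon as the asynchronous lookup completes.
    when ( local addrs = lookup_hostname("www.example.com") )
        {
        for ( a in addrs )
            print fmt("resolved to %s", a);
        }
    timeout 10 sec
        {
        # Runs instead of the body if no answer arrives within 10 seconds.
        print "lookup did not complete within 10 seconds";
        }

    # Bro does not block on the lookup: this line prints before the body above.
    print "lookup scheduled";
    }
```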
.. bro:keyword:: while
A "while" loop iterates over a body statement as long as a given
condition remains true.
A :bro:keyword:`break` statement can be used at any time to immediately
terminate the "while" loop, and a :bro:keyword:`next` statement can be
used to skip to the next loop iteration.
Example::
local i = 0;
while ( i < 5 )
print ++i;
while ( some_cond() )
{
local finish_up = F;
if ( skip_ahead() )
next;
if ( finish_up )
break;
}
.. _compound statement:
**compound statement**
A compound statement is created by wrapping zero or more statements in
braces ``{ }``. Individual statements inside the braces need to be
terminated by a semicolon, but a semicolon is not needed at the end
(outside of the braces) of a compound statement.
A compound statement is required in order to execute more than one
statement in the body of a :bro:keyword:`for`, :bro:keyword:`while`,
:bro:keyword:`if`, or :bro:keyword:`when` statement.
Example::
if ( x == 2 ) {
print "x is 2";
++x;
}
Note that there are other places in the Bro scripting language that use
braces, but that do not indicate the presence of a compound
statement (these are noted in the documentation).
.. _null:
**null statement**
The null statement (executing it has no effect) consists of just a
semicolon. This might be useful during testing or debugging a Bro script
in places where a statement is required, but it is probably not useful
otherwise.
Example::
if ( x == 2 )
;

Types
=====
The Bro scripting language supports the following built-in types:
+-----------------------+--------------------+
| Name | Description |
+=======================+====================+
| :bro:type:`bool` | Boolean |
+-----------------------+--------------------+
| :bro:type:`count`, | Numeric types |
| :bro:type:`int`, | |
| :bro:type:`double` | |
+-----------------------+--------------------+
| :bro:type:`time`, | Time types |
| :bro:type:`interval` | |
+-----------------------+--------------------+
| :bro:type:`string` | String |
+-----------------------+--------------------+
| :bro:type:`pattern` | Regular expression |
+-----------------------+--------------------+
| :bro:type:`port`, | Network types |
| :bro:type:`addr`, | |
| :bro:type:`subnet` | |
+-----------------------+--------------------+
| :bro:type:`enum` | Enumeration |
| | (user-defined type)|
+-----------------------+--------------------+
| :bro:type:`table`, | Container types |
| :bro:type:`set`, | |
| :bro:type:`vector`, | |
| :bro:type:`record` | |
+-----------------------+--------------------+
| :bro:type:`function`, | Executable types |
| :bro:type:`event`, | |
| :bro:type:`hook` | |
+-----------------------+--------------------+
| :bro:type:`file` | File type (only |
| | for writing) |
+-----------------------+--------------------+
| :bro:type:`opaque` | Opaque type (for |
| | some built-in |
| | functions) |
+-----------------------+--------------------+
| :bro:type:`any` | Any type (for |
| | functions or |
| | containers) |
+-----------------------+--------------------+
Here is a more detailed description of each type:
.. bro:type:: bool
Reflects a value with one of two meanings: true or false. The two
"bool" constants are ``T`` and ``F``.
The "bool" type supports the following operators: equality/inequality
(``==``, ``!=``), logical and/or (``&&``, ``||``), logical
negation (``!``), and absolute value (where ``|T|`` is 1, and ``|F|`` is 0,
and in both cases the result type is :bro:type:`count`).
.. bro:type:: int
A numeric type representing a 64-bit signed integer. An "int" constant
is a string of digits preceded by a "+" or "-" sign, e.g.
``-42`` or ``+5`` (the "+" sign is optional but see note about type
inferencing below). An "int" constant can also be written in
hexadecimal notation (in which case "0x" must be between the sign and
the hex digits), e.g. ``-0xFF`` or ``+0xabc123``.
The "int" type supports the following operators: arithmetic
operators (``+``, ``-``, ``*``, ``/``, ``%``), comparison operators
(``==``, ``!=``, ``<``, ``<=``, ``>``, ``>=``), assignment operators
(``=``, ``+=``, ``-=``), pre-increment (``++``), pre-decrement
(``--``), unary plus and minus (``+``, ``-``), and absolute value
(e.g., ``|-3|`` is 3, but the result type is :bro:type:`count`).
When using type inferencing use care so that the
intended type is inferred, e.g. "local size_difference = 0" will
infer ":bro:type:`count`", while "local size_difference = +0"
will infer "int".
.. bro:type:: count
A numeric type representing a 64-bit unsigned integer. A "count"
constant is a string of digits, e.g. ``1234`` or ``0``. A "count"
can also be written in hexadecimal notation (in which case "0x" must
precede the hex digits), e.g. ``0xff`` or ``0xABC123``.
The "count" type supports the same operators as the ":bro:type:`int`"
type, but a unary plus or minus applied to a "count" results in an
"int".
In addition, "count" types support bitwise operations. You can use
``&``, ``|``, and ``^`` for bitwise ``and``, ``or``, and ``xor``. You
can also use ``~`` for bitwise (one's) complement.
.. bro:type:: double
A numeric type representing a double-precision floating-point
number. Floating-point constants are written as a string of digits
with an optional decimal point, optional scale-factor in scientific
notation, and optional "+" or "-" sign. Examples are ``-1234``,
``-1234e0``, ``3.14159``, and ``.003E-23``.
The "double" type supports the following operators: arithmetic
operators (``+``, ``-``, ``*``, ``/``), comparison operators
(``==``, ``!=``, ``<``, ``<=``, ``>``, ``>=``), assignment operators
(``=``, ``+=``, ``-=``), unary plus and minus (``+``, ``-``), and
absolute value (e.g., ``|-3.14|`` is 3.14).
When using type inferencing use care so that the
intended type is inferred, e.g. "local size_difference = 5" will
infer ":bro:type:`count`", while "local size_difference = 5.0"
will infer "double".
.. bro:type:: time
A temporal type representing an absolute time. There is currently
no way to specify a ``time`` constant, but one can use the
:bro:id:`double_to_time`, :bro:id:`current_time`, or :bro:id:`network_time`
built-in functions to assign a value to a ``time``-typed variable.
Time values support the comparison operators (``==``, ``!=``, ``<``,
``<=``, ``>``, ``>=``). A ``time`` value can be subtracted from
another ``time`` value to produce an :bro:type:`interval` value. An
``interval`` value can be added to, or subtracted from, a ``time`` value
to produce a ``time`` value. The absolute value of a ``time`` value is
a :bro:type:`double` with the same numeric value.
.. bro:type:: interval
A temporal type representing a relative time. An ``interval``
constant can be written as a numeric constant followed by a time
unit where the time unit is one of ``usec``, ``msec``, ``sec``, ``min``,
``hr``, or ``day`` which respectively represent microseconds, milliseconds,
seconds, minutes, hours, and days. Whitespace between the numeric
constant and time unit is optional. Appending the letter "s" to the
time unit in order to pluralize it is also optional (to no semantic
effect). Examples of ``interval`` constants are ``3.5 min`` and
``3.5mins``. An ``interval`` can also be negated, for example
``-12 hr`` represents "twelve hours in the past".
Intervals support addition and subtraction, the comparison operators
(``==``, ``!=``, ``<``, ``<=``, ``>``, ``>=``), the assignment
operators (``=``, ``+=``, ``-=``), and unary plus and minus (``+``, ``-``).
Intervals also support division (in which case the result is a
:bro:type:`double` value). An ``interval`` can be multiplied or divided
by an arithmetic type (``count``, ``int``, or ``double``) to produce
an ``interval`` value. The absolute value of an ``interval`` is a
``double`` value equal to the number of seconds in the ``interval``
(e.g., ``|-1 min|`` is 60.0).
.. bro:type:: string
A type used to hold bytes which represent text and also can hold
arbitrary binary data.
String constants are created by enclosing text within a pair of double
quotes ("). A string constant cannot span multiple lines in a Bro script.
The backslash character (\\) introduces escape sequences. Bro recognizes
the following escape sequences: ``\\``, ``\n``, ``\t``, ``\v``, ``\b``,
``\r``, ``\f``, ``\a``, ``\ooo`` (where each 'o' is an octal digit),
``\xhh`` (where each 'h' is a hexadecimal digit). If Bro does not
recognize an escape sequence, Bro will ignore the backslash
("\\g" becomes "g").
Strings support concatenation (``+``), and assignment (``=``, ``+=``).
Strings also support the comparison operators (``==``, ``!=``, ``<``,
``<=``, ``>``, ``>=``). The number of characters in a string can be
found by enclosing the string within pipe characters (e.g., ``|"abc"|``
is 3). Substring searching can be performed using the "in" or "!in"
operators (e.g., "bar" in "foobar" yields true).
The subscript operator can extract a substring of a string. To do this,
specify the starting index to extract (if the starting index is omitted,
then zero is assumed), followed by a colon and index
one past the last character to extract (if the last index is omitted,
then the extracted substring will go to the end of the original string).
However, if both the colon and last index are omitted, then a string of
length one is extracted. String indexing is zero-based, but an index
of -1 refers to the last character in the string, and -2 refers to the
second-to-last character, etc. Here are a few examples::
local orig = "0123456789";
local second_char = orig[1]; # "1"
local last_char = orig[-1]; # "9"
local first_two_chars = orig[:2]; # "01"
local last_two_chars = orig[8:]; # "89"
local no_first_and_last = orig[1:9]; # "12345678"
local no_first = orig[1:]; # "123456789"
local no_last = orig[:-1]; # "012345678"
local copy_orig = orig[:]; # "0123456789"
Note that the subscript operator cannot be used to modify a string (i.e.,
it cannot be on the left side of an assignment operator).
.. bro:type:: pattern
A type representing regular-expression patterns that can be used
for fast text-searching operations. Pattern constants are created
by enclosing text within forward slashes (``/``) and use the same syntax
as the patterns supported by the `flex lexical analyzer
<http://westes.github.io/flex/manual/Patterns.html>`_. The speed of
regular expression matching does not depend on the complexity or
size of the patterns. Patterns support two types of matching, exact
and embedded.
In exact matching the ``==`` equality relational operator is used
with one "pattern" operand and one ":bro:type:`string`"
operand (order of operands does not matter) to check whether the full
string exactly matches the pattern. In exact matching, the ``^``
beginning-of-line and ``$`` end-of-line anchors are redundant since
the pattern is implicitly anchored to the beginning and end of the
line to facilitate an exact match. For example::
/foo|bar/ == "foo"
yields true, while::
/foo|bar/ == "foobar"
yields false. The ``!=`` operator would yield the negation of ``==``.
In embedded matching the ``in`` operator is used with one
"pattern" operand (which must be on the left-hand side) and
one ":bro:type:`string`" operand, but tests whether the pattern
appears anywhere within the given string. For example::
/foo|bar/ in "foobar"
yields true, while::
/^oob/ in "foobar"
is false since "oob" does not appear at the start of "foobar". The
``!in`` operator would yield the negation of ``in``.
You can create a disjunction (either-or) of two patterns
using the ``|`` operator. For example::
/foo/ | /bar/ in "foobar"
yields true, like in the similar example above. You can also
create the conjunction (concatenation) of patterns using the ``&``
operator. For example::
/foo/ & /bar/ in "foobar"
will yield true because the pattern /(foo)(bar)/ appears in
the string "foobar".
When specifying a pattern, you can add a final ``i`` specifier to
mark it as case-insensitive. For example, ``/foo|bar/i`` will match
"foo", "Foo", "BaR", etc.
You can also introduce a case-insensitive sub-pattern by enclosing it
in ``(?i:<pattern>)``. So, for example, ``/foo|(?i:bar)/`` will
match "foo" and "BaR", but *not* "Foo".
For both ways of specifying case-insensitivity, characters enclosed
in double quotes maintain their case-sensitivity. So for example
/"foo"/i will not match "Foo", but it will match "foo".
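The kinds of matching above combined in one script so that the ordering of the checks shows which rule claims each input, as an added example that is not from the original manual; the function name and the sample strings are constructed:

```bro
# Added example (not from the original manual). The function name and the
# sample strings are constructed for illustration.
function match_kind(s: string): string
    {
    # Exact match: implicitly anchored at both ends, so only "foo" or "bar".
    if ( /foo|bar/ == s )
        return "exact";

    # Conjunction: "foo" immediately followed by "bar", anywhere in s.
    if ( /foo/ & /bar/ in s )
        return "foo followed by bar";

    # Embedded match: either word anywhere in s, case-sensitive.
    if ( /foo|bar/ in s )
        return "embedded";

    # Only the "bar" alternative ignores case here; "Foo" still fails.
    if ( /foo|(?i:bar)/ in s )
        return "embedded, case-insensitive bar";

    return "none";
    }

event bro_init()
    {
    # Constructed sample inputs.
    local samples = vector("foo", "foobar", "xbarx", "BaR", "Foo", "xyz");
    for ( i in samples )
        print fmt("%s -> %s", samples[i], match_kind(samples[i]));
    }
```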
.. bro:type:: port
A type representing transport-level port numbers (besides TCP and
UDP ports, there is a concept of an ICMP "port" where the source
port is the ICMP message type and the destination port the ICMP
message code). A ``port`` constant is written as an unsigned integer
followed by one of ``/tcp``, ``/udp``, ``/icmp``, or ``/unknown``.
Ports support the comparison operators (``==``, ``!=``, ``<``, ``<=``,
``>``, ``>=``). When comparing order across transport-level protocols,
``unknown`` < ``tcp`` < ``udp`` < ``icmp``, for example ``65535/tcp``
is smaller than ``0/udp``.
Note that you can obtain the transport-level protocol type of a ``port``
with the :bro:id:`get_port_transport_proto` built-in function, and
the numeric value of a ``port`` with the :bro:id:`port_to_count`
built-in function.
.. bro:type:: addr
A type representing an IP address.
IPv4 address constants are written in "dotted quad" format,
``A1.A2.A3.A4``, where Ai all lie between 0 and 255.
IPv6 address constants are written as colon-separated hexadecimal form
as described by :rfc:`2373` (including the mixed notation with embedded
IPv4 addresses as dotted-quads in the lower 32 bits), but additionally
encased in square brackets. Some examples: ``[2001:db8::1]``,
``[::ffff:192.168.1.100]``, or
``[aaaa:bbbb:cccc:dddd:eeee:ffff:1111:2222]``.
Note that IPv4-mapped IPv6 addresses (i.e., addresses with the first 80
bits zero, the next 16 bits one, and the remaining 32 bits are the IPv4
address) are treated internally as IPv4 addresses (for example,
``[::ffff:192.168.1.100]`` is equal to ``192.168.1.100``).
Addresses can be compared for equality (``==``, ``!=``),
and also for ordering (``<``, ``<=``, ``>``, ``>=``). The absolute value
of an address gives the size in bits (32 for IPv4, and 128 for IPv6).
Addresses can also be masked with ``/`` to produce a :bro:type:`subnet`:
.. sourcecode:: bro
local a: addr = 192.168.1.100;
local s: subnet = 192.168.0.0/16;
if ( a/16 == s )
print "true";
And checked for inclusion within a :bro:type:`subnet` using ``in``
or ``!in``:
.. sourcecode:: bro
local a: addr = 192.168.1.100;
local s: subnet = 192.168.0.0/16;
if ( a in s )
print "true";
You can check if a given ``addr`` is IPv4 or IPv6 using
the :bro:id:`is_v4_addr` and :bro:id:`is_v6_addr` built-in functions.
Note that hostname constants can also be used, but since a hostname can
correspond to multiple IP addresses, the type of such a variable is
"set[addr]". For example:
.. sourcecode:: bro
local a = www.google.com;
.. bro:type:: subnet
A type representing a block of IP addresses in CIDR notation. A
``subnet`` constant is written as an :bro:type:`addr` followed by a
slash (/) and then the network prefix size specified as a decimal
number. For example, ``192.168.0.0/16`` or ``[fe80::]/64``.
Subnets can be compared for equality (``==``, ``!=``). An
"addr" can be checked for inclusion in a subnet using
the ``in`` or ``!in`` operators.
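Masking and inclusion used together, as an added example that is not from the original manual; the subnet set, the addresses and the function name are constructed sample values:

```bro
# Added example (not from the original manual). The monitored subnets and
# the observed addresses are constructed sample values.
global monitored: set[subnet] = { 192.168.0.0/16, 10.0.0.0/8 };

# T if "a" lies inside at least one of the monitored subnets.
function is_monitored(a: addr): bool
    {
    for ( s in monitored )
        if ( a in s )
            return T;
    return F;
    }

event bro_init()
    {
    local seen = vector(192.168.1.100, 192.168.1.7, 192.168.2.1,
                        10.1.2.3, 203.0.113.9);
    local per_net: table[subnet] of count;

    for ( i in seen )
        {
        local a = seen[i];
        # a/24 is the subnet with a 24-bit prefix that contains "a".
        local net = a/24;
        if ( net !in per_net )
            per_net[net] = 0;
        per_net[net] += 1;

        if ( ! is_monitored(a) )
            print fmt("%s is outside every monitored subnet", a);
        }

    for ( n in per_net )
        print fmt("%s: %d addresses", n, per_net[n]);
    }
```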
.. bro:type:: enum
A type allowing the specification of a set of related values that
have no further structure. An example declaration:
.. sourcecode:: bro
type color: enum { Red, White, Blue, };
The last comma after ``Blue`` is optional. Both the type name ``color``
and the individual values (``Red``, etc.) have global scope.
Enumerations do not have associated values or ordering.
The only operations allowed on enumerations are equality comparisons
(``==``, ``!=``) and assignment (``=``).
.. bro:type:: table
An associative array that maps from one set of values to another. The
values being mapped are termed the *index* or *indices* and the
result of the mapping is called the *yield*. Indexing into tables
is very efficient, and internally it is just a single hash table
lookup.
The table declaration syntax is::
table [ type^+ ] of type
where *type^+* is one or more types, separated by commas. The
index type cannot be any of the following types: pattern, table, set,
vector, file, opaque, any.
Here is an example of declaring a table indexed by "count" values
and yielding "string" values:
.. sourcecode:: bro
global a: table[count] of string;
The yield type can also be more complex:
.. sourcecode:: bro
global a: table[count] of table[addr, port] of string;
which declares a table indexed by "count" and yielding
another "table" which is indexed by an "addr"
and "port" to yield a "string".
One way to initialize a table is by enclosing a set of initializers within
braces, for example:
.. sourcecode:: bro
global t: table[count] of string = {
[11] = "eleven",
[5] = "five",
};
A table constructor can also be used to create a table:
.. sourcecode:: bro
global t2 = table(
[192.168.0.2, 22/tcp] = "ssh",
[192.168.0.3, 80/tcp] = "http"
);
Table constructors can also be explicitly named by a type, which is
useful when a more complex index type could otherwise be
ambiguous:
.. sourcecode:: bro
type MyRec: record {
a: count &optional;
b: count;
};
type MyTable: table[MyRec] of string;
global t3 = MyTable([[$b=5]] = "b5", [[$b=7]] = "b7");
Accessing table elements is provided by enclosing index values within
square brackets (``[]``), for example:
.. sourcecode:: bro
print t[11];
And membership can be tested with ``in`` or ``!in``:
.. sourcecode:: bro
if ( 13 in t )
...
if ( [192.168.0.2, 22/tcp] in t2 )
...
Add or overwrite individual table elements by assignment:
.. sourcecode:: bro
t[13] = "thirteen";
Remove individual table elements with :bro:keyword:`delete`:
.. sourcecode:: bro
delete t[13];
Nothing happens if the element with index value ``13`` isn't present in
the table.
The number of elements in a table can be obtained by placing the table
identifier between vertical pipe characters:
.. sourcecode:: bro
|t|
See the :bro:keyword:`for` statement for info on how to iterate over
the elements in a table.
.. bro:type:: set
A set is like a :bro:type:`table`, but it is a collection of indices
that do not map to any yield value. They are declared with the
syntax::
set [ type^+ ]
where *type^+* is one or more types separated by commas. The
index type cannot be any of the following types: pattern, table, set,
vector, file, opaque, any.
Sets can be initialized by listing elements enclosed by curly braces:
.. sourcecode:: bro
global s: set[port] = { 21/tcp, 23/tcp, 80/tcp, 443/tcp };
global s2: set[port, string] = { [21/tcp, "ftp"], [23/tcp, "telnet"] };
A set constructor (equivalent to above example) can also be used to
create a set:
.. sourcecode:: bro
global s3 = set(21/tcp, 23/tcp, 80/tcp, 443/tcp);
Set constructors can also be explicitly named by a type, which is
useful when a more complex index type could otherwise be
ambiguous:
.. sourcecode:: bro
type MyRec: record {
a: count &optional;
b: count;
};
type MySet: set[MyRec];
global s4 = MySet([$b=1], [$b=2]);
Set membership is tested with ``in`` or ``!in``:
.. sourcecode:: bro
if ( 21/tcp in s )
...
if ( [21/tcp, "ftp"] !in s2 )
...
Elements are added with :bro:keyword:`add`:
.. sourcecode:: bro
add s[22/tcp];
Nothing happens if the element with value ``22/tcp`` was already present in
the set.
And removed with :bro:keyword:`delete`:
.. sourcecode:: bro
delete s[21/tcp];
Nothing happens if the element with value ``21/tcp`` isn't present in
the set.
The number of elements in a set can be obtained by placing the set
identifier between vertical pipe characters:
.. sourcecode:: bro
|s|
You can compute the union, intersection, or difference of two sets
using the ``|``, ``&``, and ``-`` operators.
You can compare sets for equality (they have exactly the same elements)
using ``==``. The ``<`` operator returns ``T`` if the lefthand operand
is a proper subset of the righthand operand. Similarly, ``<=``
returns ``T`` if the lefthand operand is a subset (not necessarily proper,
i.e., it may be equal to the righthand operand). The operators ``!=``,
``>`` and ``>=`` provide the expected complementary operations.
See the :bro:keyword:`for` statement for info on how to iterate over
the elements in a set.
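The set operators above applied to a constructed inventory of listening ports, as an added example that is not from the original manual; the set names, their contents and the function name are sample values:

```bro
# Added example (not from the original manual). The two sets are constructed
# sample data; the function name is hypothetical.
global expected: set[port] = { 22/tcp, 80/tcp, 443/tcp };
global observed: set[port] = { 22/tcp, 443/tcp, 8080/tcp, 3389/tcp };

function report_ports()
    {
    # Difference: ports observed that were never expected.
    local unexpected = observed - expected;
    # Difference the other way: expected ports that were not observed.
    local missing = expected - observed;
    # Intersection: ports that are both expected and observed.
    local common = expected & observed;

    print fmt("%d unexpected, %d missing, %d in common",
              |unexpected|, |missing|, |common|);

    for ( p in unexpected )
        print fmt("unexpected listener: %s", p);

    # "<=" is the subset test: T only if every observed port was expected.
    if ( observed <= expected )
        print "host exposes only expected ports";
    else
        print "host exposes ports outside the expected set";
    }

event bro_init()
    {
    report_ports();
    }
```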
.. bro:type:: vector
A vector is like a :bro:type:`table`, except its indices are non-negative
integers, starting from zero. A vector is declared like:
.. sourcecode:: bro
global v: vector of string;
And can be initialized with the vector constructor:
.. sourcecode:: bro
local v = vector("one", "two", "three");
Vector constructors can also be explicitly named by a type, which
is useful when a more complex yield type could otherwise be
ambiguous:
.. sourcecode:: bro
type MyRec: record {
a: count &optional;
b: count;
};
type MyVec: vector of MyRec;
global v2 = MyVec([$b=1], [$b=2], [$b=3]);
Accessing vector elements is provided by enclosing index values within
square brackets (``[]``), for example:
.. sourcecode:: bro
print v[2];
An element can be added to a vector by assigning the value (a value
that already exists at that index will be overwritten):
.. sourcecode:: bro
v[3] = "four";
The size of a vector (this is one greater than the highest index value, and
is normally equal to the number of elements in the vector) can be obtained
by placing the vector identifier between vertical pipe characters:
.. sourcecode:: bro
|v|
A particularly common operation on a vector is to append an element
to its end. You can do so using:
.. sourcecode:: bro
v += e;
where if e's type is ``X``, v's type is ``vector of X``. Note that
this expression is equivalent to:
.. sourcecode:: bro
v[|v|] = e;
The "in" operator can be used to check if a value has been assigned at a
specified index value in the vector. For example, if a vector has size 4,
then the expression ``3 in v`` would yield true and ``4 in v`` would yield
false.
Vectors of integral types (``int`` or ``count``) support the pre-increment
(``++``) and pre-decrement operators (``--``), which will increment or
decrement each element in the vector.
Vectors of arithmetic types (``int``, ``count``, or ``double``) can be
operands of the arithmetic operators (``+``, ``-``, ``*``, ``/``, ``%``),
but both operands must have the same number of elements (and the modulus
operator ``%`` cannot be used if either operand is a ``vector of double``).
The resulting vector contains the result of the operation applied to each
of the elements in the operand vectors.
Vectors of bool can be operands of the logical "and" (``&&``) and logical
"or" (``||``) operators (both operands must have same number of elements).
The resulting vector of bool is the logical "and" (or logical "or") of
each element of the operand vectors.
Vectors of type ``count`` can also be operands for the bitwise and/or/xor
operators, ``&``, ``|`` and ``^``.
See the :bro:keyword:`for` statement for info on how to iterate over
the elements in a vector.
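The vector operations above, as an added example that is not part of the original Bro documentation. It runs from the real ``bro_init`` event (so ``local`` declarations are allowed); the byte counts are constructed sample data.

```bro
# Added example, not from the original Bro documentation: the vector
# operations described above, run from the bro_init event so that
# "local" declarations are allowed.
event bro_init()
    {
    # Constructed sample data: bytes sent by the originator and the
    # responder of three connections, as parallel vectors of count.
    local orig_bytes = vector(100, 2500, 40);
    local resp_bytes = vector(900, 0, 60);

    # Element-wise arithmetic; both operands must have the same size.
    local total_bytes = orig_bytes + resp_bytes;

    # Append a fourth element; this is the same as writing
    # total_bytes[|total_bytes|] = 7;
    total_bytes += 7;

    # "in" tests whether an index has been assigned: with size 4,
    # index 3 is assigned and index 4 is not.
    print 3 in total_bytes, 4 in total_bytes;

    # Vectors of bool combine element-wise with && and ||; here a
    # connection is flagged only if it is both large and one-sided.
    local large = vector(T, T, F, F);
    local one_sided = vector(F, T, F, F);
    local flagged = large && one_sided;

    # In a for loop over a vector, the loop variable is the index.
    for ( i in total_bytes )
        print fmt("connection %d: %d bytes, flagged: %s",
                  i, total_bytes[i], flagged[i]);
    }
```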
.. bro:type:: record

A "record" is a collection of values. Each value has a field name
and a type. Values do not need to have the same type and the types
have no restrictions. Field names must follow the same syntax as
regular variable names (except that field names are allowed to be the
same as local or global variables). An example record type
definition:

.. sourcecode:: bro

   type MyRecordType: record {
       c: count;
       s: string &optional;
   };

Records can be initialized or assigned as a whole in three different ways.
When assigning a whole record value, all fields that are not
:bro:attr:`&optional` or have a :bro:attr:`&default` attribute must
be specified. First, there's a constructor syntax:

.. sourcecode:: bro

   local r: MyRecordType = record($c = 7);

And the constructor can be explicitly named by type, too, which
is arguably more readable:

.. sourcecode:: bro

   local r = MyRecordType($c = 42);

And the third way is like this:

.. sourcecode:: bro

   local r: MyRecordType = [$c = 13, $s = "thirteen"];

Access to a record field uses the dollar sign (``$``) operator, and
record fields can be assigned with this:

.. sourcecode:: bro

   local r: MyRecordType;
   r$c = 13;

To test if a field that is :bro:attr:`&optional` has been assigned a
value, use the ``?$`` operator (it returns a :bro:type:`bool` value of
``T`` if the field has been assigned a value, or ``F`` if not):

.. sourcecode:: bro

   if ( r ?$ s )
       ...
.. bro:type:: function

Function types in Bro are declared using::

   function( argument* ): type

where *argument* is a (possibly empty) comma-separated list of
arguments, and *type* is an optional return type. For example:

.. sourcecode:: bro

   global greeting: function(name: string): string;

Here ``greeting`` is an identifier with a certain function type.
The function body is not defined yet and ``greeting`` could even
have different function body values at different times. To define
a function including a body value, the syntax is like:

.. sourcecode:: bro

   function greeting(name: string): string
       {
       return "Hello, " + name;
       }

Note that in the definition above, it's not necessary for us to have
done the first (forward) declaration of ``greeting`` as a function
type, but when it is, the return type and argument list (including the
name of each argument) must match exactly.

Here is an example function that takes no parameters and does not
return a value:

.. sourcecode:: bro

   function my_func()
       {
       print "my_func";
       }

Function types don't need to have a name and can be assigned anonymously:

.. sourcecode:: bro

   greeting = function(name: string): string { return "Hi, " + name; };

And finally, the function can be called like:

.. sourcecode:: bro

   print greeting("Dave");

Function parameters may specify default values as long as they appear
last in the parameter list:

.. sourcecode:: bro

   global foo: function(s: string, t: string &default="abc", u: count &default=0);

If a function was previously declared with default parameters, the
default expressions can be omitted when implementing the function
body and they will still be used for function calls that lack those
arguments.

.. sourcecode:: bro

   function foo(s: string, t: string, u: count)
       {
       print s, t, u;
       }

And calls to the function may omit the defaults from the argument list:

.. sourcecode:: bro

   foo("test");
.. bro:type:: event

Event handlers are nearly identical in both syntax and semantics to
a :bro:type:`function`, with the two differences being that event
handlers have no return type since they never return a value, and
you cannot call an event handler.

Example:

.. sourcecode:: bro

   event my_event(r: bool, s: string)
       {
       print "my_event", r, s;
       }

Instead of directly calling an event handler from a script, event
handler bodies are executed when they are invoked by one of three
different methods:

- From the event engine

  When the event engine detects an event for which you have
  defined a corresponding event handler, it queues an event for
  that handler. The handler is invoked as soon as the event
  engine finishes processing the current packet and flushing the
  invocation of other event handlers that were queued first.

- With the ``event`` statement from a script

  Immediately queuing invocation of an event handler occurs like:

  .. sourcecode:: bro

     event password_exposed(user, password);

  This assumes that ``password_exposed`` was previously declared
  as an event handler type with compatible arguments.

- Via the :bro:keyword:`schedule` expression in a script

  This delays the invocation of event handlers until some time in
  the future. For example:

  .. sourcecode:: bro

     schedule 5 secs { password_exposed(user, password) };

Multiple event handler bodies can be defined for the same event handler
identifier and the body of each will be executed in turn. Ordering
of execution can be influenced with :bro:attr:`&priority`.
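The record, function and event sections above, combined in one added example that is not part of the original Bro documentation: a record with ``&optional`` and ``&default`` fields tested with ``?$``, a function with a ``&default`` parameter, and an event with two handlers ordered by ``&priority``, raised with the ``event`` statement and with ``schedule``. The ``Login`` type, ``describe`` function and ``login_seen`` event are hypothetical names; ``bro_init`` is the real start-up event and the login values are constructed.

```bro
# Added example, not from the original Bro documentation: a record with
# &optional and &default fields, a function with a default parameter,
# and an event with two prioritized handlers. Login, describe and
# login_seen are hypothetical names; the sample values are constructed.
type Login: record {
    user: string;
    src: addr;
    password: string &optional;   # only set when captured in cleartext
    attempts: count &default=1;
};

# Parameters with &default must come last in the parameter list.
function describe(l: Login, label: string &default="login"): string
    {
    # ?$ tests whether an &optional field has been assigned a value.
    local pw = ( l ?$ password ) ? "cleartext password captured"
                                 : "no password captured";
    return fmt("%s by %s from %s, attempt %d: %s",
               label, l$user, l$src, l$attempts, pw);
    }

# Forward declaration of the event type; the handler bodies follow.
global login_seen: event(l: Login);

event login_seen(l: Login) &priority=5
    {
    print describe(l);
    }

event login_seen(l: Login) &priority=-5
    {
    # Runs after the priority 5 handler; a cleartext credential is the
    # finding a detection script would report at this point.
    if ( l ?$ password )
        print fmt("ALERT: cleartext credential for %s", l$user);
    }

event bro_init()
    {
    # Constructed sample values; the second uses the [$field=...] form,
    # which needs the record type on the declaration.
    local l1 = Login($user="alice", $src=10.0.0.5);
    local l2: Login = [$user="bob", $src=192.168.1.9, $password="hunter2"];

    # The event statement queues the handlers; they cannot be called directly.
    event login_seen(l1);
    # schedule queues the event only after the interval has elapsed, so
    # the handlers run later, and only while Bro keeps running.
    schedule 5 secs { login_seen(l2) };
    print describe(l2, "ssh login");
    }
```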
.. bro:type:: hook

A hook is another flavor of function that shares characteristics of
both a :bro:type:`function` and an :bro:type:`event`. They are like
events in that many handler bodies can be defined for the same hook
identifier and the order of execution can be enforced with
:bro:attr:`&priority`. They are more like functions in the way they
are invoked/called, because, unlike events, their execution is
immediate and they do not get scheduled through an event queue.
Also, a unique feature of a hook is that a given hook handler body
can short-circuit the execution of remaining hook handlers simply by
exiting from the body as a result of a :bro:keyword:`break` statement (as
opposed to a :bro:keyword:`return` or just reaching the end of the body).

A hook type is declared like::

   hook( argument* )

where *argument* is a (possibly empty) comma-separated list of
arguments. For example:

.. sourcecode:: bro

   global myhook: hook(s: string);

Here ``myhook`` is the hook type identifier and no hook handler
bodies have been defined for it yet. To define some hook handler
bodies the syntax looks like:

.. sourcecode:: bro

   hook myhook(s: string) &priority=10
       {
       print "priority 10 myhook handler", s;
       s = "bye";
       }

   hook myhook(s: string)
       {
       print "break out of myhook handling", s;
       break;
       }

   hook myhook(s: string) &priority=-5
       {
       print "not going to happen", s;
       }

Note that the first (forward) declaration of ``myhook`` as a hook
type isn't strictly required. Argument types must match for all
hook handlers and any forward declaration of a given hook.

To invoke immediate execution of all hook handler bodies, they
are called similarly to a function, except preceded by the ``hook``
keyword:

.. sourcecode:: bro

   hook myhook("hi");

or

.. sourcecode:: bro

   if ( hook myhook("hi") )
       print "all handlers ran";

And the output would look like::

   priority 10 myhook handler, hi
   break out of myhook handling, bye

Note how the modification to arguments can be seen by remaining
hook handlers.

The return value of a hook call is an implicit :bro:type:`bool`
value with ``T`` meaning that all handlers for the hook were
executed and ``F`` meaning that only some of the handlers may have
executed due to one handler body exiting as a result of a ``break``
statement.
.. bro:type:: file

Bro supports writing to files, but not reading from them (to read from
files see the :doc:`/frameworks/input`). Files
can be opened using either the :bro:id:`open` or :bro:id:`open_for_append`
built-in functions, and closed using the :bro:id:`close` built-in
function. For example, declare, open, and write to a file and finally
close it like:

.. sourcecode:: bro

   local f = open("myfile");
   print f, "hello, world";
   close(f);

Writing to files like this for logging usually isn't recommended; for better
logging support see :doc:`/frameworks/logging`.
.. bro:type:: opaque

A data type whose actual representation/implementation is
intentionally hidden, but whose values may be passed to certain
built-in functions that can actually access the internal/hidden resources.
Opaque types are differentiated from each other by qualifying them
like "opaque of md5" or "opaque of sha1".

An example use of this type is the set of built-in functions which
perform hashing:

.. sourcecode:: bro

   local handle = md5_hash_init();
   md5_hash_update(handle, "test");
   md5_hash_update(handle, "testing");
   print md5_hash_finish(handle);

Here the opaque type is used to provide a handle to a particular
resource which is calculating an MD5 hash incrementally over
time, but the details of that resource aren't relevant; it's only
necessary to have a handle as a way of identifying it and
distinguishing it from other such resources.
.. bro:type:: any

Used to bypass strong typing. For example, a function can take an
argument of type ``any`` when it may be of different types.
The only operation allowed on a variable of type ``any`` is assignment.

Note that users aren't expected to use this type. It's provided mainly
for use by some built-in functions and scripts included with Bro.

.. bro:type:: void

An internal Bro type (i.e., "void" is not a reserved keyword in the Bro
scripting language) representing the absence of a return type for a
function.