Change doc/ subdir into a git submodule

The docs now live at https://github.com/zeek/zeek-docs
Jon Siwek 2019-01-17 14:09:29 -06:00
parent 0d685efbf5
commit 2ff746fea7
693 changed files with 26 additions and 105609 deletions

@ -1,14 +0,0 @@
:tocdepth: 3
base/frameworks/notice/__load__.bro
===================================
:Imports: :doc:`base/frameworks/notice/actions/add-geodata.bro </scripts/base/frameworks/notice/actions/add-geodata.bro>`, :doc:`base/frameworks/notice/actions/drop.bro </scripts/base/frameworks/notice/actions/drop.bro>`, :doc:`base/frameworks/notice/actions/email_admin.bro </scripts/base/frameworks/notice/actions/email_admin.bro>`, :doc:`base/frameworks/notice/actions/page.bro </scripts/base/frameworks/notice/actions/page.bro>`, :doc:`base/frameworks/notice/actions/pp-alarms.bro </scripts/base/frameworks/notice/actions/pp-alarms.bro>`, :doc:`base/frameworks/notice/main.bro </scripts/base/frameworks/notice/main.bro>`, :doc:`base/frameworks/notice/weird.bro </scripts/base/frameworks/notice/weird.bro>`
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~
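Review bot: none of the visible hunks show the `.gitmodules` entry or the submodule pointer that the commit message ("Change doc/ subdir into a git submodule", docs at https://github.com/zeek/zeek-docs) implies, even though the summary counts 26 additions; removing this generated page is only safe if the submodule is pinned to a zeek-docs commit that still provides `base/frameworks/notice/__load__.bro` together with the `:doc:` targets it links to, such as `/scripts/base/frameworks/notice/main.bro`. This page also consists of empty Summary and Detailed Interface sections (headings only), which the generator on the zeek-docs side could suppress rather than emit.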

@ -1,45 +0,0 @@
:tocdepth: 3
base/frameworks/notice/actions/add-geodata.bro
==============================================
.. bro:namespace:: Notice
This script adds geographic location data to notices for the "remote"
host in a connection. It does make the assumption that one of the
addresses in a connection is "local" and one is "remote" which is
probably a safe assumption to make in most cases. If both addresses
are remote, it will use the $src address.
:Namespace: Notice
:Imports: :doc:`base/frameworks/notice </scripts/base/frameworks/notice/index>`, :doc:`base/frameworks/notice/main.bro </scripts/base/frameworks/notice/main.bro>`, :doc:`base/utils/site.bro </scripts/base/utils/site.bro>`
Summary
~~~~~~~
Runtime Options
###############
=========================================================================== ===============================================================
:bro:id:`Notice::lookup_location_types`: :bro:type:`set` :bro:attr:`&redef` Notice types which should have the "remote" location looked up.
=========================================================================== ===============================================================
Redefinitions
#############
============================================ =
:bro:type:`Notice::Action`: :bro:type:`enum`
:bro:type:`Notice::Info`: :bro:type:`record`
============================================ =
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. bro:id:: Notice::lookup_location_types
:Type: :bro:type:`set` [:bro:type:`Notice::Type`]
:Attributes: :bro:attr:`&redef`
:Default: ``{}``
Notice types which should have the "remote" location looked up.
If GeoIP support is not built in, this does nothing.

@ -1,25 +0,0 @@
:tocdepth: 3
base/frameworks/notice/actions/drop.bro
=======================================
.. bro:namespace:: Notice
This script extends the built in notice code to implement the IP address
dropping functionality.
:Namespace: Notice
:Imports: :doc:`base/frameworks/netcontrol </scripts/base/frameworks/netcontrol/index>`, :doc:`base/frameworks/notice/main.bro </scripts/base/frameworks/notice/main.bro>`
Summary
~~~~~~~
Redefinitions
#############
============================================ =
:bro:type:`Notice::Action`: :bro:type:`enum`
:bro:type:`Notice::Info`: :bro:type:`record`
============================================ =
Detailed Interface
~~~~~~~~~~~~~~~~~~

@ -1,26 +0,0 @@
:tocdepth: 3
base/frameworks/notice/actions/email_admin.bro
==============================================
.. bro:namespace:: Notice
Adds a new notice action type which can be used to email notices
to the administrators of a particular address space as set by
:bro:id:`Site::local_admins` if the notice contains a source
or destination address that lies within their space.
:Namespace: Notice
:Imports: :doc:`base/frameworks/notice/main.bro </scripts/base/frameworks/notice/main.bro>`, :doc:`base/utils/site.bro </scripts/base/utils/site.bro>`
Summary
~~~~~~~
Redefinitions
#############
============================================ =
:bro:type:`Notice::Action`: :bro:type:`enum`
============================================ =
Detailed Interface
~~~~~~~~~~~~~~~~~~

@ -1,41 +0,0 @@
:tocdepth: 3
base/frameworks/notice/actions/page.bro
=======================================
.. bro:namespace:: Notice
Allows configuration of a pager email address to which notices can be sent.
:Namespace: Notice
:Imports: :doc:`base/frameworks/notice/main.bro </scripts/base/frameworks/notice/main.bro>`
Summary
~~~~~~~
Runtime Options
###############
======================================================================= ======================================================================
:bro:id:`Notice::mail_page_dest`: :bro:type:`string` :bro:attr:`&redef` Email address to send notices with the :bro:enum:`Notice::ACTION_PAGE`
action.
======================================================================= ======================================================================
Redefinitions
#############
============================================ =
:bro:type:`Notice::Action`: :bro:type:`enum`
============================================ =
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. bro:id:: Notice::mail_page_dest
:Type: :bro:type:`string`
:Attributes: :bro:attr:`&redef`
:Default: ``""``
Email address to send notices with the :bro:enum:`Notice::ACTION_PAGE`
action.

@ -1,92 +0,0 @@
:tocdepth: 3
base/frameworks/notice/actions/pp-alarms.bro
============================================
.. bro:namespace:: Notice
Notice extension that mails out a pretty-printed version of alarm.log
in regular intervals, formatted for better human readability. If activated,
that replaces the default summary mail having the raw log output.
:Namespace: Notice
:Imports: :doc:`base/frameworks/cluster </scripts/base/frameworks/cluster/index>`, :doc:`base/frameworks/notice/main.bro </scripts/base/frameworks/notice/main.bro>`
Summary
~~~~~~~
Redefinable Options
###################
================================================================================= ==============================================
:bro:id:`Notice::mail_dest_pretty_printed`: :bro:type:`string` :bro:attr:`&redef` Address to send the pretty-printed reports to.
:bro:id:`Notice::pretty_print_alarms`: :bro:type:`bool` :bro:attr:`&redef` Activate pretty-printed alarm summaries.
================================================================================= ==============================================
State Variables
###############
============================================================================ ==================================================================
:bro:id:`Notice::flag_nets`: :bro:type:`set` :bro:attr:`&redef` If an address from one of these networks is reported, we mark
the entry with an additional quote symbol (i.e., ">").
:bro:id:`Notice::force_email_summaries`: :bro:type:`bool` :bro:attr:`&redef` Force generating mail file, even if reading from traces or no mail
destination is defined.
============================================================================ ==================================================================
Functions
#########
============================================================================= =====================================
:bro:id:`Notice::pretty_print_alarm`: :bro:type:`function` :bro:attr:`&redef` Function that renders a single alarm.
============================================================================= =====================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Redefinable Options
###################
.. bro:id:: Notice::mail_dest_pretty_printed
:Type: :bro:type:`string`
:Attributes: :bro:attr:`&redef`
:Default: ``""``
Address to send the pretty-printed reports to. Default if not set is
:bro:id:`Notice::mail_dest`.
Note that this is overridden by the BroControl MailAlarmsTo option.
.. bro:id:: Notice::pretty_print_alarms
:Type: :bro:type:`bool`
:Attributes: :bro:attr:`&redef`
:Default: ``T``
Activate pretty-printed alarm summaries.
State Variables
###############
.. bro:id:: Notice::flag_nets
:Type: :bro:type:`set` [:bro:type:`subnet`]
:Attributes: :bro:attr:`&redef`
:Default: ``{}``
If an address from one of these networks is reported, we mark
the entry with an additional quote symbol (i.e., ">"). Many MUAs
then highlight such lines differently.
.. bro:id:: Notice::force_email_summaries
:Type: :bro:type:`bool`
:Attributes: :bro:attr:`&redef`
:Default: ``F``
Force generating mail file, even if reading from traces or no mail
destination is defined. This is mainly for testing.
Functions
#########
.. bro:id:: Notice::pretty_print_alarm
:Type: :bro:type:`function` (out: :bro:type:`file`, n: :bro:type:`Notice::Info`) : :bro:type:`void`
:Attributes: :bro:attr:`&redef`
Function that renders a single alarm. Can be overridden.
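Review bot: the `Notice::mail_dest_pretty_printed` entry shows `:Default: ""` while its description says the effective default is `Notice::mail_dest` and that the BroControl MailAlarmsTo option overrides it; when this page is regenerated in zeek-docs, the precedence (MailAlarmsTo, then `mail_dest_pretty_printed`, then `mail_dest`) deserves one explicit sentence in the script's `##` comment, since it decides where alarm summaries are mailed.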

@ -1,62 +0,0 @@
:orphan:
Package: base/frameworks/notice
===============================
The notice framework enables Bro to "notice" things which are odd or
potentially bad, leaving it to the local configuration to define which
of them are actionable. This decoupling of detection and reporting allows
Bro to be customized to the different needs that sites have.
:doc:`/scripts/base/frameworks/notice/__load__.bro`
:doc:`/scripts/base/frameworks/notice/main.bro`
This is the notice framework which enables Bro to "notice" things which
are odd or potentially bad. Decisions of the meaning of various notices
need to be done per site because Bro does not ship with assumptions about
what is bad activity for sites. More extensive documentation about using
the notice framework can be found in :doc:`/frameworks/notice`.
:doc:`/scripts/base/frameworks/notice/weird.bro`
This script provides a default set of actions to take for "weird activity"
events generated from Bro's event engine. Weird activity is defined as
unusual or exceptional activity that can indicate malformed connections,
traffic that doesn't conform to a particular protocol, malfunctioning
or misconfigured hardware, or even an attacker attempting to avoid/confuse
a sensor. Without context, it's hard to judge whether a particular
category of weird activity is interesting, but this script provides
a starting point for the user.
:doc:`/scripts/base/frameworks/notice/actions/drop.bro`
This script extends the built in notice code to implement the IP address
dropping functionality.
:doc:`/scripts/base/frameworks/notice/actions/email_admin.bro`
Adds a new notice action type which can be used to email notices
to the administrators of a particular address space as set by
:bro:id:`Site::local_admins` if the notice contains a source
or destination address that lies within their space.
:doc:`/scripts/base/frameworks/notice/actions/page.bro`
Allows configuration of a pager email address to which notices can be sent.
:doc:`/scripts/base/frameworks/notice/actions/add-geodata.bro`
This script adds geographic location data to notices for the "remote"
host in a connection. It does make the assumption that one of the
addresses in a connection is "local" and one is "remote" which is
probably a safe assumption to make in most cases. If both addresses
are remote, it will use the $src address.
:doc:`/scripts/base/frameworks/notice/actions/pp-alarms.bro`
Notice extension that mails out a pretty-printed version of alarm.log
in regular intervals, formatted for better human readability. If activated,
that replaces the default summary mail having the raw log output.
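Review bot: the package description at the top and the `main.bro` entry repeat the same sentence about Bro "noticing" things which are odd or potentially bad, and the `__load__.bro` entry carries no description at all; in the regenerated index in zeek-docs, trim one of the duplicates and give `__load__.bro` a one-line summary. The `:doc:` link to `/frameworks/notice` must also resolve under the new repository's Sphinx root, since this `:orphan:` page is reached only through cross-references.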

File diff suppressed because it is too large.

@ -1,412 +0,0 @@
:tocdepth: 3
base/frameworks/notice/weird.bro
================================
.. bro:namespace:: Weird
This script provides a default set of actions to take for "weird activity"
events generated from Bro's event engine. Weird activity is defined as
unusual or exceptional activity that can indicate malformed connections,
traffic that doesn't conform to a particular protocol, malfunctioning
or misconfigured hardware, or even an attacker attempting to avoid/confuse
a sensor. Without context, it's hard to judge whether a particular
category of weird activity is interesting, but this script provides
a starting point for the user.
:Namespace: Weird
:Imports: :doc:`base/frameworks/notice/main.bro </scripts/base/frameworks/notice/main.bro>`, :doc:`base/utils/conn-ids.bro </scripts/base/utils/conn-ids.bro>`, :doc:`base/utils/site.bro </scripts/base/utils/site.bro>`
Summary
~~~~~~~
Runtime Options
###############
================================================================================ ==============================================================
:bro:id:`Weird::ignore_hosts`: :bro:type:`set` :bro:attr:`&redef` To completely ignore a specific weird for a host, add the host
and weird name into this set.
:bro:id:`Weird::weird_do_not_ignore_repeats`: :bro:type:`set` :bro:attr:`&redef` Don't ignore repeats for weirds in this set.
================================================================================ ==============================================================
Redefinable Options
###################
================================================================================================================================= ==============================================================
:bro:id:`Weird::actions`: :bro:type:`table` :bro:attr:`&default` = ``Weird::ACTION_LOG`` :bro:attr:`&optional` :bro:attr:`&redef` A table specifying default/recommended actions per weird type.
================================================================================================================================= ==============================================================
State Variables
###############
============================================================================================================ ====================================================================
:bro:id:`Weird::did_log`: :bro:type:`set` :bro:attr:`&create_expire` = ``1.0 day`` :bro:attr:`&redef` A state set which tracks unique weirds solely by name to reduce
duplicate logging.
:bro:id:`Weird::did_notice`: :bro:type:`set` :bro:attr:`&create_expire` = ``1.0 day`` :bro:attr:`&redef` A state set which tracks unique weirds solely by name to reduce
duplicate notices from being raised.
:bro:id:`Weird::weird_ignore`: :bro:type:`set` :bro:attr:`&create_expire` = ``10.0 mins`` :bro:attr:`&redef` This table is used to track identifier and name pairs that should be
temporarily ignored because the problem has already been reported.
============================================================================================================ ====================================================================
Types
#####
=========================================== =======================================================================
:bro:type:`Weird::Action`: :bro:type:`enum` Types of actions that may be taken when handling weird activity events.
:bro:type:`Weird::Info`: :bro:type:`record` The record which is used for representing and logging weirds.
=========================================== =======================================================================
Redefinitions
#############
========================================== ====================================
:bro:type:`Log::ID`: :bro:type:`enum` The weird logging stream identifier.
:bro:type:`Notice::Type`: :bro:type:`enum`
========================================== ====================================
Events
######
============================================= ==============================================================
:bro:id:`Weird::log_weird`: :bro:type:`event` Handlers of this event are invoked once per write to the weird
logging stream before the data is actually written.
============================================= ==============================================================
Functions
#########
============================================ =
:bro:id:`Weird::weird`: :bro:type:`function`
============================================ =
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. bro:id:: Weird::ignore_hosts
:Type: :bro:type:`set` [:bro:type:`addr`, :bro:type:`string`]
:Attributes: :bro:attr:`&redef`
:Default: ``{}``
To completely ignore a specific weird for a host, add the host
and weird name into this set.
.. bro:id:: Weird::weird_do_not_ignore_repeats
:Type: :bro:type:`set` [:bro:type:`string`]
:Attributes: :bro:attr:`&redef`
:Default:
::
{
"bad_ICMP_checksum",
"bad_TCP_checksum",
"bad_IP_checksum",
"bad_UDP_checksum"
}
Don't ignore repeats for weirds in this set. For example,
it's handy keeping track of clustered checksum errors.
Redefinable Options
###################
.. bro:id:: Weird::actions
:Type: :bro:type:`table` [:bro:type:`string`] of :bro:type:`Weird::Action`
:Attributes: :bro:attr:`&default` = ``Weird::ACTION_LOG`` :bro:attr:`&optional` :bro:attr:`&redef`
:Default:
::
{
["DNS_AAAA_neg_length"] = Weird::ACTION_LOG,
["partial_ftp_request"] = Weird::ACTION_LOG,
["repeated_SYN_reply_wo_ack"] = Weird::ACTION_LOG,
["bad_UDP_checksum"] = Weird::ACTION_LOG_PER_ORIG,
["line_terminated_with_single_LF"] = Weird::ACTION_LOG,
["truncated_IP"] = Weird::ACTION_LOG,
["DNS_truncated_len_lt_hdr_len"] = Weird::ACTION_LOG,
["excessive_data_without_further_acks"] = Weird::ACTION_LOG,
["pop3_malformed_auth_plain"] = Weird::ACTION_LOG,
["excess_netbios_hdr_len"] = Weird::ACTION_LOG,
["irc_invalid_whois_channel_line"] = Weird::ACTION_LOG,
["bad_RPC"] = Weird::ACTION_LOG_PER_ORIG,
["unknown_netbios_type"] = Weird::ACTION_LOG,
["HTTP_chunked_transfer_for_multipart_message"] = Weird::ACTION_LOG,
["RST_storm"] = Weird::ACTION_LOG,
["bad_IP_checksum"] = Weird::ACTION_LOG_PER_ORIG,
["excessively_small_fragment"] = Weird::ACTION_LOG_PER_ORIG,
["bad_rsh_prolog"] = Weird::ACTION_LOG,
["pop3_client_sending_server_commands"] = Weird::ACTION_LOG,
["unexpected_multiple_HTTP_requests"] = Weird::ACTION_LOG,
["irc_invalid_topic_reply"] = Weird::ACTION_LOG,
["irc_invalid_squery_message_format"] = Weird::ACTION_LOG,
["bad_SYN_ack"] = Weird::ACTION_LOG,
["contentline_size_exceeded"] = Weird::ACTION_LOG,
["above_hole_data_without_any_acks"] = Weird::ACTION_LOG,
["bad_HTTP_reply"] = Weird::ACTION_LOG,
["DNS_RR_length_mismatch"] = Weird::ACTION_LOG,
["SMB_parsing_error"] = Weird::ACTION_LOG,
["multiple_HTTP_request_elements"] = Weird::ACTION_LOG,
["FIN_after_reset"] = Weird::ACTION_IGNORE,
["SYN_after_partial"] = Weird::ACTION_NOTICE_PER_ORIG,
["baroque_SYN"] = Weird::ACTION_LOG,
["DNS_label_forward_compress_offset"] = Weird::ACTION_LOG_PER_ORIG,
["connection_originator_SYN_ack"] = Weird::ACTION_LOG_PER_ORIG,
["irc_invalid_dcc_message_format"] = Weird::ACTION_LOG,
["unmatched_HTTP_reply"] = Weird::ACTION_LOG,
["unpaired_RPC_response"] = Weird::ACTION_LOG,
["SYN_inside_connection"] = Weird::ACTION_LOG,
["irc_invalid_who_message_format"] = Weird::ACTION_LOG,
["irc_invalid_reply_number"] = Weird::ACTION_LOG,
["pop3_client_command_unknown"] = Weird::ACTION_LOG,
["bad_ICMP_checksum"] = Weird::ACTION_LOG_PER_ORIG,
["DNS_RR_unknown_type"] = Weird::ACTION_LOG,
["excessively_large_fragment"] = Weird::ACTION_LOG,
["DNS_label_len_gt_name_len"] = Weird::ACTION_LOG_PER_ORIG,
["DNS_label_len_gt_pkt"] = Weird::ACTION_LOG_PER_ORIG,
["partial_ident_request"] = Weird::ACTION_LOG,
["excess_RPC"] = Weird::ACTION_LOG_PER_ORIG,
["line_terminated_with_single_CR"] = Weird::ACTION_LOG,
["unknown_HTTP_method"] = Weird::ACTION_LOG,
["bad_ident_request"] = Weird::ACTION_LOG,
["crud_trailing_HTTP_request"] = Weird::ACTION_LOG,
["irc_invalid_whois_operator_line"] = Weird::ACTION_LOG,
["unexpected_server_HTTP_data"] = Weird::ACTION_LOG,
["irc_invalid_njoin_line"] = Weird::ACTION_LOG,
["irc_invalid_mode_message_format"] = Weird::ACTION_LOG,
["pop3_bad_base64_encoding"] = Weird::ACTION_LOG,
["responder_RPC_call"] = Weird::ACTION_LOG_PER_ORIG,
["fragment_size_inconsistency"] = Weird::ACTION_LOG_PER_ORIG,
["successful_RPC_reply_to_invalid_request"] = Weird::ACTION_NOTICE_PER_ORIG,
["irc_line_too_short"] = Weird::ACTION_LOG,
["irc_invalid_kick_message_format"] = Weird::ACTION_LOG,
["repeated_SYN_with_ack"] = Weird::ACTION_LOG,
["partial_finger_request"] = Weird::ACTION_LOG,
["irc_invalid_join_line"] = Weird::ACTION_LOG,
["premature_connection_reuse"] = Weird::ACTION_LOG,
["netbios_raw_session_msg"] = Weird::ACTION_LOG,
["incompletely_captured_fragment"] = Weird::ACTION_LOG,
["malformed_ssh_version"] = Weird::ACTION_LOG,
["netbios_client_session_reply"] = Weird::ACTION_LOG,
["bad_TCP_header_len"] = Weird::ACTION_LOG,
["unescaped_%_in_URI"] = Weird::ACTION_LOG,
["netbios_server_session_request"] = Weird::ACTION_LOG,
["irc_too_many_invalid"] = Weird::ACTION_LOG,
["irc_invalid_names_line"] = Weird::ACTION_LOG,
["RPC_rexmit_inconsistency"] = Weird::ACTION_LOG,
["smb_andx_command_failed_to_parse"] = Weird::ACTION_LOG,
["irc_invalid_invite_message_format"] = Weird::ACTION_LOG,
["spontaneous_FIN"] = Weird::ACTION_IGNORE,
["DNS_truncated_quest_too_short"] = Weird::ACTION_LOG,
["SSL_many_server_names"] = Weird::ACTION_LOG,
["FIN_storm"] = Weird::ACTION_NOTICE_PER_ORIG,
["data_before_established"] = Weird::ACTION_LOG,
["SYN_after_reset"] = Weird::ACTION_LOG,
["double_%_in_URI"] = Weird::ACTION_LOG,
["DNS_truncated_ans_too_short"] = Weird::ACTION_LOG,
["DNS_Conn_count_too_large"] = Weird::ACTION_LOG,
["data_after_reset"] = Weird::ACTION_LOG,
["RPC_underflow"] = Weird::ACTION_LOG,
["unexpected_client_HTTP_data"] = Weird::ACTION_LOG,
["originator_RPC_reply"] = Weird::ACTION_LOG_PER_ORIG,
["DNS_label_too_long"] = Weird::ACTION_LOG_PER_ORIG,
["SYN_with_data"] = Weird::ACTION_LOG_PER_ORIG,
["RST_with_data"] = Weird::ACTION_LOG,
["bad_HTTP_version"] = Weird::ACTION_LOG,
["pending_data_when_closed"] = Weird::ACTION_LOG,
["rlogin_text_after_rejected"] = Weird::ACTION_LOG,
["FIN_advanced_last_seq"] = Weird::ACTION_LOG,
["transaction_subcmd_missing"] = Weird::ACTION_LOG,
["fragment_protocol_inconsistency"] = Weird::ACTION_LOG,
["invalid_irc_global_users_reply"] = Weird::ACTION_LOG,
["ident_request_addendum"] = Weird::ACTION_LOG,
["window_recision"] = Weird::ACTION_LOG,
["spontaneous_RST"] = Weird::ACTION_IGNORE,
["truncated_header"] = Weird::ACTION_LOG,
["UDP_datagram_length_mismatch"] = Weird::ACTION_LOG_PER_ORIG,
["fragment_with_DF"] = Weird::ACTION_LOG,
["SYN_after_close"] = Weird::ACTION_LOG,
["SYN_seq_jump"] = Weird::ACTION_LOG,
["irc_invalid_notice_message_format"] = Weird::ACTION_LOG,
["irc_invalid_command"] = Weird::ACTION_LOG,
["DNS_NAME_too_long"] = Weird::ACTION_LOG,
["inflate_failed"] = Weird::ACTION_LOG,
["base64_illegal_encoding"] = Weird::ACTION_LOG,
["internally_truncated_header"] = Weird::ACTION_LOG,
["pop3_server_sending_client_commands"] = Weird::ACTION_LOG,
["irc_invalid_who_line"] = Weird::ACTION_LOG,
["irc_invalid_privmsg_message_format"] = Weird::ACTION_LOG,
["pop3_server_command_unknown"] = Weird::ACTION_LOG,
["fragment_overlap"] = Weird::ACTION_LOG_PER_ORIG,
["bad_rlogin_prolog"] = Weird::ACTION_LOG,
["bad_ident_port"] = Weird::ACTION_LOG,
["irc_invalid_line"] = Weird::ACTION_LOG,
["HTTP_overlapping_messages"] = Weird::ACTION_LOG,
["simultaneous_open"] = Weird::ACTION_LOG_PER_CONN,
["unsolicited_SYN_response"] = Weird::ACTION_IGNORE,
["DNS_RR_bad_length"] = Weird::ACTION_LOG,
["TCP_christmas"] = Weird::ACTION_LOG,
["inappropriate_FIN"] = Weird::ACTION_LOG,
["irc_invalid_oper_message_format"] = Weird::ACTION_LOG,
["no_smb_session_using_parsesambamsg"] = Weird::ACTION_LOG,
["illegal_%_at_end_of_URI"] = Weird::ACTION_LOG,
["active_connection_reuse"] = Weird::ACTION_LOG,
["bad_TCP_checksum"] = Weird::ACTION_LOG_PER_ORIG,
["fragment_inconsistency"] = Weird::ACTION_LOG_PER_ORIG,
["malformed_ssh_identification"] = Weird::ACTION_LOG,
["DNS_truncated_RR_rdlength_lt_len"] = Weird::ACTION_LOG,
["possible_split_routing"] = Weird::ACTION_LOG,
["irc_line_size_exceeded"] = Weird::ACTION_LOG,
["bad_RPC_program"] = Weird::ACTION_LOG,
["bad_ident_reply"] = Weird::ACTION_LOG,
["HTTP_bad_chunk_size"] = Weird::ACTION_LOG,
["unescaped_special_URI_char"] = Weird::ACTION_LOG,
["HTTP_version_mismatch"] = Weird::ACTION_LOG,
["irc_invalid_whois_message_format"] = Weird::ACTION_LOG,
["rsh_text_after_rejected"] = Weird::ACTION_LOG,
["partial_RPC"] = Weird::ACTION_LOG_PER_ORIG,
["truncated_ARP"] = Weird::ACTION_LOG,
["truncated_NTP"] = Weird::ACTION_LOG,
["irc_invalid_whois_user_line"] = Weird::ACTION_LOG,
["NUL_in_line"] = Weird::ACTION_LOG,
["deficit_netbios_hdr_len"] = Weird::ACTION_LOG
}
A table specifying default/recommended actions per weird type.
State Variables
###############
.. bro:id:: Weird::did_log
:Type: :bro:type:`set` [:bro:type:`string`, :bro:type:`string`]
:Attributes: :bro:attr:`&create_expire` = ``1.0 day`` :bro:attr:`&redef`
:Default: ``{}``
A state set which tracks unique weirds solely by name to reduce
duplicate logging. This is deliberately not synchronized because it
could cause overload during storms.
.. bro:id:: Weird::did_notice
:Type: :bro:type:`set` [:bro:type:`string`, :bro:type:`string`]
:Attributes: :bro:attr:`&create_expire` = ``1.0 day`` :bro:attr:`&redef`
:Default: ``{}``
A state set which tracks unique weirds solely by name to reduce
duplicate notices from being raised.
.. bro:id:: Weird::weird_ignore
:Type: :bro:type:`set` [:bro:type:`string`, :bro:type:`string`]
:Attributes: :bro:attr:`&create_expire` = ``10.0 mins`` :bro:attr:`&redef`
:Default: ``{}``
This table is used to track identifier and name pairs that should be
temporarily ignored because the problem has already been reported.
This helps reduce the volume of high volume weirds by only allowing
a unique weird every ``create_expire`` interval.
Types
#####
.. bro:type:: Weird::Action
:Type: :bro:type:`enum`
.. bro:enum:: Weird::ACTION_UNSPECIFIED Weird::Action
A dummy action indicating the user does not care what
internal decision is made regarding a given type of weird.
.. bro:enum:: Weird::ACTION_IGNORE Weird::Action
No action is to be taken.
.. bro:enum:: Weird::ACTION_LOG Weird::Action
Log the weird event every time it occurs.
.. bro:enum:: Weird::ACTION_LOG_ONCE Weird::Action
Log the weird event only once.
.. bro:enum:: Weird::ACTION_LOG_PER_CONN Weird::Action
Log the weird event once per connection.
.. bro:enum:: Weird::ACTION_LOG_PER_ORIG Weird::Action
Log the weird event once per originator host.
.. bro:enum:: Weird::ACTION_NOTICE Weird::Action
Always generate a notice associated with the weird event.
.. bro:enum:: Weird::ACTION_NOTICE_ONCE Weird::Action
Generate a notice associated with the weird event only once.
.. bro:enum:: Weird::ACTION_NOTICE_PER_CONN Weird::Action
Generate a notice for the weird event once per connection.
.. bro:enum:: Weird::ACTION_NOTICE_PER_ORIG Weird::Action
Generate a notice for the weird event once per originator host.
Types of actions that may be taken when handling weird activity events.
.. bro:type:: Weird::Info
:Type: :bro:type:`record`
ts: :bro:type:`time` :bro:attr:`&log`
The time when the weird occurred.
uid: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
If a connection is associated with this weird, this will be
the connection's unique ID.
id: :bro:type:`conn_id` :bro:attr:`&log` :bro:attr:`&optional`
conn_id for the optional connection.
conn: :bro:type:`connection` :bro:attr:`&optional`
A shorthand way of giving the uid and id to a weird.
name: :bro:type:`string` :bro:attr:`&log`
The name of the weird that occurred.
addl: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Additional information accompanying the weird if any.
notice: :bro:type:`bool` :bro:attr:`&log` :bro:attr:`&default` = ``F`` :bro:attr:`&optional`
Indicate if this weird was also turned into a notice.
peer: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional` :bro:attr:`&default` = :bro:see:`peer_description`
The peer that originated this weird. This is helpful in
cluster deployments if a particular cluster node is having
trouble to help identify which node is having trouble.
identifier: :bro:type:`string` :bro:attr:`&optional`
This field is to be provided when a weird is generated for
the purpose of deduplicating weirds. The identifier string
should be unique for a single instance of the weird. This field
is used to define when a weird is conceptually a duplicate of
a previous weird.
The record which is used for representing and logging weirds.
Events
######
.. bro:id:: Weird::log_weird
:Type: :bro:type:`event` (rec: :bro:type:`Weird::Info`)
Handlers of this event are invoked once per write to the weird
logging stream before the data is actually written.
:rec: The weird columns about to be logged to the weird stream.
Functions
#########
.. bro:id:: Weird::weird
:Type: :bro:type:`function` (w: :bro:type:`Weird::Info`) : :bro:type:`void`
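Review bot: `Weird::weird_ignore` is typed `set [string, string]` but its description opens with "This table is used", and the Summary table lists `Weird::weird` with an empty description column while every other entry has one; both come from the script's `##` comments and should be fixed there before the docs are regenerated in zeek-docs. Worth stating explicitly in the `Weird::actions` description, too, that the `&default = Weird::ACTION_LOG` attribute means a weird name absent from the literal table is logged rather than ignored, which a site tuning that table should know.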