Change doc/ subdir into a git submodule

The docs now live at https://github.com/zeek/zeek-docs
Jon Siwek 2019-01-17 14:09:29 -06:00
parent 0d685efbf5
commit 2ff746fea7
693 changed files with 26 additions and 105609 deletions


@ -1,116 +0,0 @@
:tocdepth: 3
base/utils/active-http.bro
==========================
.. bro:namespace:: ActiveHTTP
A module for performing active HTTP requests and
getting the reply at runtime.
:Namespace: ActiveHTTP
:Imports: :doc:`base/utils/exec.bro </scripts/base/utils/exec.bro>`
Summary
~~~~~~~
Runtime Options
###############
=============================================================================== =================================================
:bro:id:`ActiveHTTP::default_max_time`: :bro:type:`interval` :bro:attr:`&redef` The default timeout for HTTP requests.
:bro:id:`ActiveHTTP::default_method`: :bro:type:`string` :bro:attr:`&redef` The default HTTP method/verb to use for requests.
=============================================================================== =================================================
Types
#####
==================================================== =
:bro:type:`ActiveHTTP::Request`: :bro:type:`record`
:bro:type:`ActiveHTTP::Response`: :bro:type:`record`
==================================================== =
Functions
#########
=================================================== ========================================
:bro:id:`ActiveHTTP::request`: :bro:type:`function` Perform an HTTP request according to the
:bro:type:`ActiveHTTP::Request` record.
=================================================== ========================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. bro:id:: ActiveHTTP::default_max_time
:Type: :bro:type:`interval`
:Attributes: :bro:attr:`&redef`
:Default: ``1.0 min``
The default timeout for HTTP requests.
.. bro:id:: ActiveHTTP::default_method
:Type: :bro:type:`string`
:Attributes: :bro:attr:`&redef`
:Default: ``"GET"``
The default HTTP method/verb to use for requests.
Types
#####
.. bro:type:: ActiveHTTP::Request
:Type: :bro:type:`record`
url: :bro:type:`string`
The URL being requested.
method: :bro:type:`string` :bro:attr:`&default` = :bro:see:`ActiveHTTP::default_method` :bro:attr:`&optional`
The HTTP method/verb to use for the request.
client_data: :bro:type:`string` :bro:attr:`&optional`
Data to send to the server in the client body. Keep in
mind that you will probably need to set the *method* field
to "POST" or "PUT".
max_time: :bro:type:`interval` :bro:attr:`&default` = :bro:see:`ActiveHTTP::default_max_time` :bro:attr:`&optional`
Timeout for the request.
addl_curl_args: :bro:type:`string` :bro:attr:`&optional`
Additional curl command line arguments. Be very careful
with this option since shell injection could take place
if careful handling of untrusted data is not applied.
.. bro:type:: ActiveHTTP::Response
:Type: :bro:type:`record`
code: :bro:type:`count`
Numeric response code from the server.
msg: :bro:type:`string`
String response message from the server.
body: :bro:type:`string` :bro:attr:`&optional`
Full body of the response.
headers: :bro:type:`table` [:bro:type:`string`] of :bro:type:`string` :bro:attr:`&optional`
All headers returned by the server.
Functions
#########
.. bro:id:: ActiveHTTP::request
:Type: :bro:type:`function` (req: :bro:type:`ActiveHTTP::Request`) : :bro:type:`ActiveHTTP::Response`
Perform an HTTP request according to the
:bro:type:`ActiveHTTP::Request` record. This is an asynchronous
function and must be called within a "when" statement.
:req: A record instance representing all options for an HTTP request.
:returns: A record with the full response message.
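
Review bot: the addl_curl_args description in ActiveHTTP::Request warns about shell injection but never names the sanitizer, whereas the cmd field of Exec::Command in base/utils/exec.bro points at str_shell_escape. The commit message says this text is moving to zeek-docs rather than being dropped, so I'd add the same :bro:see: reference to the copy there. The doc is also silent on whether url and client_data are escaped by the module or must be escaped by the caller; one sentence on each field would settle that.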


@ -1,190 +0,0 @@
:tocdepth: 3
base/utils/addrs.bro
====================
Functions for parsing and manipulating IP and MAC addresses.
Summary
~~~~~~~
Constants
#########
============================================================ =
:bro:id:`ip_addr_regex`: :bro:type:`pattern`
:bro:id:`ipv4_addr_regex`: :bro:type:`pattern`
:bro:id:`ipv6_8hex_regex`: :bro:type:`pattern`
:bro:id:`ipv6_addr_regex`: :bro:type:`pattern`
:bro:id:`ipv6_compressed_hex4dec_regex`: :bro:type:`pattern`
:bro:id:`ipv6_compressed_hex_regex`: :bro:type:`pattern`
:bro:id:`ipv6_hex4dec_regex`: :bro:type:`pattern`
============================================================ =
Functions
#########
========================================================================= =========================================================================
:bro:id:`addr_to_uri`: :bro:type:`function` Returns the string representation of an IP address suitable for inclusion
in a URI.
:bro:id:`extract_ip_addresses`: :bro:type:`function` Extracts all IP (v4 or v6) address strings from a given string.
:bro:id:`find_ip_addresses`: :bro:type:`function` :bro:attr:`&deprecated` Extracts all IP (v4 or v6) address strings from a given string.
:bro:id:`has_valid_octets`: :bro:type:`function` Checks if all elements of a string array are a valid octet value.
:bro:id:`is_valid_ip`: :bro:type:`function` Checks if a string appears to be a valid IPv4 or IPv6 address.
:bro:id:`normalize_mac`: :bro:type:`function` Given a string, extracts the hex digits and returns a MAC address in
the format: 00:a0:32:d7:81:8f.
========================================================================= =========================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Constants
#########
.. bro:id:: ip_addr_regex
:Type: :bro:type:`pattern`
:Default:
::
/^?((^?((^?((^?((^?([[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3})$?)|(^?(([0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4})$?))$?)|(^?((([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4})*)?)::(([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4})*)?))$?))$?)|(^?((([0-9A-Fa-f]{1,4}:){6,6})([0-9]+)\.([0-9]+)\.([0-9]+)\.([0-9]+))$?))$?)|(^?((([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4})*)?)::(([0-9A-Fa-f]{1,4}:)*)([0-9]+)\.([0-9]+)\.([0-9]+)\.([0-9]+))$?))$?/
.. bro:id:: ipv4_addr_regex
:Type: :bro:type:`pattern`
:Default:
::
/^?([[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3})$?/
.. bro:id:: ipv6_8hex_regex
:Type: :bro:type:`pattern`
:Default:
::
/^?(([0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4})$?/
.. bro:id:: ipv6_addr_regex
:Type: :bro:type:`pattern`
:Default:
::
/^?((^?((^?((^?(([0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4})$?)|(^?((([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4})*)?)::(([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4})*)?))$?))$?)|(^?((([0-9A-Fa-f]{1,4}:){6,6})([0-9]+)\.([0-9]+)\.([0-9]+)\.([0-9]+))$?))$?)|(^?((([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4})*)?)::(([0-9A-Fa-f]{1,4}:)*)([0-9]+)\.([0-9]+)\.([0-9]+)\.([0-9]+))$?))$?/
.. bro:id:: ipv6_compressed_hex4dec_regex
:Type: :bro:type:`pattern`
:Default:
::
/^?((([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4})*)?)::(([0-9A-Fa-f]{1,4}:)*)([0-9]+)\.([0-9]+)\.([0-9]+)\.([0-9]+))$?/
.. bro:id:: ipv6_compressed_hex_regex
:Type: :bro:type:`pattern`
:Default:
::
/^?((([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4})*)?)::(([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4})*)?))$?/
.. bro:id:: ipv6_hex4dec_regex
:Type: :bro:type:`pattern`
:Default:
::
/^?((([0-9A-Fa-f]{1,4}:){6,6})([0-9]+)\.([0-9]+)\.([0-9]+)\.([0-9]+))$?/
Functions
#########
.. bro:id:: addr_to_uri
:Type: :bro:type:`function` (a: :bro:type:`addr`) : :bro:type:`string`
Returns the string representation of an IP address suitable for inclusion
in a URI. For IPv4, this does no special formatting, but for IPv6, the
address is included in square brackets.
:a: the address to make suitable for URI inclusion.
:returns: the string representation of the address suitable for URI inclusion.
.. bro:id:: extract_ip_addresses
:Type: :bro:type:`function` (input: :bro:type:`string`) : :bro:type:`string_vec`
Extracts all IP (v4 or v6) address strings from a given string.
:input: a string that may contain an IP address anywhere within it.
:returns: an array containing all valid IP address strings found in *input*.
.. bro:id:: find_ip_addresses
:Type: :bro:type:`function` (input: :bro:type:`string`) : :bro:type:`string_array`
:Attributes: :bro:attr:`&deprecated`
Extracts all IP (v4 or v6) address strings from a given string.
:input: a string that may contain an IP address anywhere within it.
:returns: an array containing all valid IP address strings found in *input*.
.. bro:id:: has_valid_octets
:Type: :bro:type:`function` (octets: :bro:type:`string_vec`) : :bro:type:`bool`
Checks if all elements of a string array are a valid octet value.
:octets: an array of strings to check for valid octet values.
:returns: T if every element is between 0 and 255, inclusive, else F.
.. bro:id:: is_valid_ip
:Type: :bro:type:`function` (ip_str: :bro:type:`string`) : :bro:type:`bool`
Checks if a string appears to be a valid IPv4 or IPv6 address.
:ip_str: the string to check for valid IP formatting.
:returns: T if the string is a valid IPv4 or IPv6 address format.
.. bro:id:: normalize_mac
:Type: :bro:type:`function` (a: :bro:type:`string`) : :bro:type:`string`
Given a string, extracts the hex digits and returns a MAC address in
the format: 00:a0:32:d7:81:8f. If the string doesn't contain 12 or 16 hex
digits, an empty string is returned.
:a: the string to normalize.
:returns: a normalized MAC address, or an empty string in the case of an error.
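
Review bot: the seven pattern constants (ip_addr_regex through ipv6_hex4dec_regex) have an empty description column in the Summary table and no text under their Detailed Interface entries. That matters for ipv4_addr_regex in particular: each group is "[[:digit:]]{1,3}", so it matches strings such as 999.999.999.999. A line stating that a regex hit still needs has_valid_octets or is_valid_ip would keep callers from treating a match as a validated address. Separately, find_ip_addresses is marked &deprecated without naming extract_ip_addresses as its replacement.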


@ -1,54 +0,0 @@
:tocdepth: 3
base/utils/conn-ids.bro
=======================
.. bro:namespace:: GLOBAL
Simple functions for generating ASCII strings from connection IDs.
:Namespace: GLOBAL
Summary
~~~~~~~
Functions
#########
================================================== ====================================================================
:bro:id:`directed_id_string`: :bro:type:`function` Calls :bro:id:`id_string` or :bro:id:`reverse_id_string` if the
second argument is T or F, respectively.
:bro:id:`id_string`: :bro:type:`function` Takes a conn_id record and returns a string representation with the
general data flow appearing to be from the connection originator
on the left to the responder on the right.
:bro:id:`reverse_id_string`: :bro:type:`function` Takes a conn_id record and returns a string representation with the
general data flow appearing to be from the connection responder
on the right to the originator on the left.
================================================== ====================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. bro:id:: directed_id_string
:Type: :bro:type:`function` (id: :bro:type:`conn_id`, is_orig: :bro:type:`bool`) : :bro:type:`string`
Calls :bro:id:`id_string` or :bro:id:`reverse_id_string` if the
second argument is T or F, respectively.
.. bro:id:: id_string
:Type: :bro:type:`function` (id: :bro:type:`conn_id`) : :bro:type:`string`
Takes a conn_id record and returns a string representation with the
general data flow appearing to be from the connection originator
on the left to the responder on the right.
.. bro:id:: reverse_id_string
:Type: :bro:type:`function` (id: :bro:type:`conn_id`) : :bro:type:`string`
Takes a conn_id record and returns a string representation with the
general data flow appearing to be from the connection responder
on the right to the originator on the left.


@ -1,62 +0,0 @@
:tocdepth: 3
base/utils/dir.bro
==================
.. bro:namespace:: Dir
:Namespace: Dir
:Imports: :doc:`base/frameworks/reporter </scripts/base/frameworks/reporter/index>`, :doc:`base/utils/exec.bro </scripts/base/utils/exec.bro>`, :doc:`base/utils/paths.bro </scripts/base/utils/paths.bro>`
Summary
~~~~~~~
Runtime Options
###############
======================================================================== =====================================================================
:bro:id:`Dir::polling_interval`: :bro:type:`interval` :bro:attr:`&redef` The default interval this module checks for files in directories when
using the :bro:see:`Dir::monitor` function.
======================================================================== =====================================================================
Functions
#########
============================================ ==============================================================
:bro:id:`Dir::monitor`: :bro:type:`function` Register a directory to monitor with a callback that is called
every time a previously unseen file is seen.
============================================ ==============================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. bro:id:: Dir::polling_interval
:Type: :bro:type:`interval`
:Attributes: :bro:attr:`&redef`
:Default: ``30.0 secs``
The default interval this module checks for files in directories when
using the :bro:see:`Dir::monitor` function.
Functions
#########
.. bro:id:: Dir::monitor
:Type: :bro:type:`function` (dir: :bro:type:`string`, callback: :bro:type:`function` (fname: :bro:type:`string`) : :bro:type:`void`, poll_interval: :bro:type:`interval` :bro:attr:`&default` = :bro:see:`Dir::polling_interval` :bro:attr:`&optional`) : :bro:type:`void`
Register a directory to monitor with a callback that is called
every time a previously unseen file is seen. If a file is deleted
and seen to be gone, then the file is available for being seen again
in the future.
:dir: The directory to monitor for files.
:callback: Callback that gets executed with each file name
that is found. Filenames are provided with the full path.
:poll_interval: An interval at which to check for new files.


@ -1,109 +0,0 @@
:tocdepth: 3
base/utils/directions-and-hosts.bro
===================================
:Imports: :doc:`base/utils/site.bro </scripts/base/utils/site.bro>`
Summary
~~~~~~~
Types
#####
======================================= =
:bro:type:`Direction`: :bro:type:`enum`
:bro:type:`Host`: :bro:type:`enum`
======================================= =
Functions
#########
==================================================== ======================================================================
:bro:id:`addr_matches_host`: :bro:type:`function` Checks whether a given host (IP address) matches a given host type.
:bro:id:`id_matches_direction`: :bro:type:`function` Checks whether a given connection is of a given direction with respect
to the locally-monitored network.
==================================================== ======================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Types
#####
.. bro:type:: Direction
:Type: :bro:type:`enum`
.. bro:enum:: INBOUND Direction
The connection originator is not within the locally-monitored
network, but the other endpoint is.
.. bro:enum:: OUTBOUND Direction
The connection originator is within the locally-monitored network,
but the other endpoint is not.
.. bro:enum:: BIDIRECTIONAL Direction
Only one endpoint is within the locally-monitored network, meaning
the connection is either outbound or inbound.
.. bro:enum:: NO_DIRECTION Direction
This value doesn't match any connection.
.. bro:type:: Host
:Type: :bro:type:`enum`
.. bro:enum:: LOCAL_HOSTS Host
A host within the locally-monitored network.
.. bro:enum:: REMOTE_HOSTS Host
A host not within the locally-monitored network.
.. bro:enum:: ALL_HOSTS Host
Any host.
.. bro:enum:: NO_HOSTS Host
This value doesn't match any host.
Functions
#########
.. bro:id:: addr_matches_host
:Type: :bro:type:`function` (ip: :bro:type:`addr`, h: :bro:type:`Host`) : :bro:type:`bool`
Checks whether a given host (IP address) matches a given host type.
:ip: address of a host.
:h: a host type.
:returns: T if the given host matches the given type, else F.
.. bro:id:: id_matches_direction
:Type: :bro:type:`function` (id: :bro:type:`conn_id`, d: :bro:type:`Direction`) : :bro:type:`bool`
Checks whether a given connection is of a given direction with respect
to the locally-monitored network.
:id: a connection record containing the originator/responder hosts.
:d: a direction with respect to the locally-monitored network.
:returns: T if the two connection endpoints match the given direction, else F.


@ -1,78 +0,0 @@
:tocdepth: 3
base/utils/email.bro
====================
Summary
~~~~~~~
Functions
#########
========================================================== ===========================================================================
:bro:id:`extract_email_addrs_set`: :bro:type:`function` Extract mail addresses out of address specifications conforming to RFC5322.
:bro:id:`extract_email_addrs_vec`: :bro:type:`function` Extract mail addresses out of address specifications conforming to RFC5322.
:bro:id:`extract_first_email_addr`: :bro:type:`function` Extract the first email address from a string.
:bro:id:`split_mime_email_addresses`: :bro:type:`function` Split email addresses from MIME headers.
========================================================== ===========================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. bro:id:: extract_email_addrs_set
:Type: :bro:type:`function` (str: :bro:type:`string`) : :bro:type:`set` [:bro:type:`string`]
Extract mail addresses out of address specifications conforming to RFC5322.
:str: A string potentially containing email addresses.
:returns: A set of extracted email addresses. An empty set is returned
if no email addresses are discovered.
.. bro:id:: extract_email_addrs_vec
:Type: :bro:type:`function` (str: :bro:type:`string`) : :bro:type:`string_vec`
Extract mail addresses out of address specifications conforming to RFC5322.
:str: A string potentially containing email addresses.
:returns: A vector of extracted email addresses. An empty vector is returned
if no email addresses are discovered.
.. bro:id:: extract_first_email_addr
:Type: :bro:type:`function` (str: :bro:type:`string`) : :bro:type:`string`
Extract the first email address from a string.
:str: A string potentially containing email addresses.
:returns: An email address or empty string if none found.
.. bro:id:: split_mime_email_addresses
:Type: :bro:type:`function` (line: :bro:type:`string`) : :bro:type:`set` [:bro:type:`string`]
Split email addresses from MIME headers. The email addresses will
include the display name and email address as it was given by the mail
mail client. Note that this currently does not account for MIME group
addresses and won't handle them correctly. The group name will show up
as part of an email address.
:str: The argument from a MIME header.
:returns: A set of addresses or empty string if none found.
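
Review bot: in split_mime_email_addresses the parameter is documented as ":str:" but the signature names it "line", and ":returns:" says "A set of addresses or empty string if none found" although the return type is set [string], so the empty case should read "an empty set". The description also has a doubled word ("by the mail mail client"). These are worth correcting in the copy that now lives in zeek-docs.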


@ -1,91 +0,0 @@
:tocdepth: 3
base/utils/exec.bro
===================
.. bro:namespace:: Exec
A module for executing external command line programs.
:Namespace: Exec
:Imports: :doc:`base/frameworks/input </scripts/base/frameworks/input/index>`
Summary
~~~~~~~
Types
#####
============================================= =
:bro:type:`Exec::Command`: :bro:type:`record`
:bro:type:`Exec::Result`: :bro:type:`record`
============================================= =
Functions
#########
========================================= ======================================================
:bro:id:`Exec::run`: :bro:type:`function` Function for running command line programs and getting
output.
========================================= ======================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Types
#####
.. bro:type:: Exec::Command
:Type: :bro:type:`record`
cmd: :bro:type:`string`
The command line to execute. Use care to avoid injection
attacks (i.e., if the command uses untrusted/variable data,
sanitize it with :bro:see:`str_shell_escape`).
stdin: :bro:type:`string` :bro:attr:`&default` = ``""`` :bro:attr:`&optional`
Provide standard input to the program as a string.
read_files: :bro:type:`set` [:bro:type:`string`] :bro:attr:`&optional`
If additional files are required to be read in as part of the
output of the command they can be defined here.
uid: :bro:type:`string` :bro:attr:`&default` = ``rFj3eGxkRR5`` :bro:attr:`&optional`
The unique id for tracking executors.
.. bro:type:: Exec::Result
:Type: :bro:type:`record`
exit_code: :bro:type:`count` :bro:attr:`&default` = ``0`` :bro:attr:`&optional`
Exit code from the program.
signal_exit: :bro:type:`bool` :bro:attr:`&default` = ``F`` :bro:attr:`&optional`
True if the command was terminated with a signal.
stdout: :bro:type:`vector` of :bro:type:`string` :bro:attr:`&optional`
Each line of standard output.
stderr: :bro:type:`vector` of :bro:type:`string` :bro:attr:`&optional`
Each line of standard error.
files: :bro:type:`table` [:bro:type:`string`] of :bro:type:`string_vec` :bro:attr:`&optional`
If additional files were requested to be read in
the content of the files will be available here.
Functions
#########
.. bro:id:: Exec::run
:Type: :bro:type:`function` (cmd: :bro:type:`Exec::Command`) : :bro:type:`Exec::Result`
Function for running command line programs and getting
output. This is an asynchronous function which is meant
to be run with the `when` statement.
:cmd: The command to run. Use care to avoid injection attacks!
:returns: A record representing the full results from the
external program execution.
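
Review bot: the uid field of Exec::Command is documented with a concrete default, "rFj3eGxkRR5", under the description "The unique id for tracking executors". A fixed literal in the reference reads as if every command shares that id. If the default is generated per record, the doc should say so instead of printing one sample value, and the sample should not change between documentation builds.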


@ -1,39 +0,0 @@
:tocdepth: 3
base/utils/files.bro
====================
:Imports: :doc:`base/utils/addrs.bro </scripts/base/utils/addrs.bro>`
Summary
~~~~~~~
Functions
#########
========================================================================= ======================================================================
:bro:id:`extract_filename_from_content_disposition`: :bro:type:`function` For CONTENT-DISPOSITION headers, this function can be used to extract
the filename.
:bro:id:`generate_extraction_filename`: :bro:type:`function` This function can be used to generate a consistent filename for when
contents of a file, stream, or connection are being extracted to disk.
========================================================================= ======================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. bro:id:: extract_filename_from_content_disposition
:Type: :bro:type:`function` (data: :bro:type:`string`) : :bro:type:`string`
For CONTENT-DISPOSITION headers, this function can be used to extract
the filename.
.. bro:id:: generate_extraction_filename
:Type: :bro:type:`function` (prefix: :bro:type:`string`, c: :bro:type:`connection`, suffix: :bro:type:`string`) : :bro:type:`string`
This function can be used to generate a consistent filename for when
contents of a file, stream, or connection are being extracted to disk.
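
Review bot: neither function in base/utils/files.bro documents its parameters or return value. For generate_extraction_filename the prefix, c and suffix arguments are undescribed. For extract_filename_from_content_disposition the doc should state whether the returned name is used as received from the header or has path separators removed, since the value comes off the wire and the neighbouring function is about names for content extracted to disk.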


@ -1,42 +0,0 @@
:tocdepth: 3
base/utils/geoip-distance.bro
=============================
Functions to calculate distance between two locations, based on GeoIP data.
Summary
~~~~~~~
Functions
#########
===================================================== ==========================================================================
:bro:id:`haversine_distance_ip`: :bro:type:`function` Returns the distance between two IP addresses using the haversine formula,
based on GeoIP database locations.
===================================================== ==========================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. bro:id:: haversine_distance_ip
:Type: :bro:type:`function` (a1: :bro:type:`addr`, a2: :bro:type:`addr`) : :bro:type:`double`
Returns the distance between two IP addresses using the haversine formula,
based on GeoIP database locations. Requires Bro to be built with GeoIP.
:a1: First IP address.
:a2: Second IP address.
:returns: The distance between *a1* and *a2* in miles, or -1.0 if GeoIP data
is not available for either of the IP addresses.
.. bro:see:: haversine_distance lookup_location


@ -1,92 +0,0 @@
:tocdepth: 3
base/utils/hash_hrw.bro
=======================
.. bro:namespace:: HashHRW
An implementation of highest random weight (HRW) hashing, also called
rendezvous hashing. See
`<https://en.wikipedia.org/wiki/Rendezvous_hashing>`_.
:Namespace: HashHRW
Summary
~~~~~~~
Types
#####
================================================= ===================================================================
:bro:type:`HashHRW::Pool`: :bro:type:`record` A collection of sites to distribute keys across.
:bro:type:`HashHRW::Site`: :bro:type:`record` A site/node is a unique location to which you want a subset of keys
to be distributed.
:bro:type:`HashHRW::SiteTable`: :bro:type:`table` A table of sites, indexed by their id.
================================================= ===================================================================
Functions
#########
================================================= ========================================
:bro:id:`HashHRW::add_site`: :bro:type:`function` Add a site to a pool.
:bro:id:`HashHRW::get_site`: :bro:type:`function` Returns: the site to which the key maps.
:bro:id:`HashHRW::rem_site`: :bro:type:`function` Remove a site from a pool.
================================================= ========================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Types
#####
.. bro:type:: HashHRW::Pool
:Type: :bro:type:`record`
sites: :bro:type:`HashHRW::SiteTable` :bro:attr:`&default` = ``{ }`` :bro:attr:`&optional`
A collection of sites to distribute keys across.
.. bro:type:: HashHRW::Site
:Type: :bro:type:`record`
id: :bro:type:`count`
A unique identifier for the site, should not exceed what
can be contained in a 32-bit integer.
user_data: :bro:type:`any` :bro:attr:`&optional`
Other data to associate with the site.
A site/node is a unique location to which you want a subset of keys
to be distributed.
.. bro:type:: HashHRW::SiteTable
:Type: :bro:type:`table` [:bro:type:`count`] of :bro:type:`HashHRW::Site`
A table of sites, indexed by their id.
Functions
#########
.. bro:id:: HashHRW::add_site
:Type: :bro:type:`function` (pool: :bro:type:`HashHRW::Pool`, site: :bro:type:`HashHRW::Site`) : :bro:type:`bool`
Add a site to a pool.
:returns: F is the site is already in the pool, else T.
.. bro:id:: HashHRW::get_site
:Type: :bro:type:`function` (pool: :bro:type:`HashHRW::Pool`, key: :bro:type:`any`) : :bro:type:`HashHRW::Site`
:returns: the site to which the key maps.
.. bro:id:: HashHRW::rem_site
:Type: :bro:type:`function` (pool: :bro:type:`HashHRW::Pool`, site: :bro:type:`HashHRW::Site`) : :bro:type:`bool`
Remove a site from a pool.
:returns: F if the site is not in the pool, else T.
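
Review bot: HashHRW::add_site has ":returns: F is the site is already in the pool", which should read "F if", matching rem_site. HashHRW::get_site has no description of its own, so the Summary table falls back to "Returns: the site to which the key maps." as its description, and nothing says what is returned when the pool has no sites.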


@ -1,39 +0,0 @@
:tocdepth: 3
base/utils/json.bro
===================
Functions to assist with generating JSON data from Bro data scructures.
:Imports: :doc:`base/utils/strings.bro </scripts/base/utils/strings.bro>`
Summary
~~~~~~~
Functions
#########
======================================= ============================================================
:bro:id:`to_json`: :bro:type:`function` A function to convert arbitrary Bro data into a JSON string.
======================================= ============================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. bro:id:: to_json
:Type: :bro:type:`function` (v: :bro:type:`any`, only_loggable: :bro:type:`bool` :bro:attr:`&default` = ``F`` :bro:attr:`&optional`, field_escape_pattern: :bro:type:`pattern` :bro:attr:`&default` = ``/^?(^_)$?/`` :bro:attr:`&optional`) : :bro:type:`string`
A function to convert arbitrary Bro data into a JSON string.
:v: The value to convert to JSON. Typically a record.
:only_loggable: If the v value is a record this will only cause
fields with the &log attribute to be included in the JSON.
:returns: a JSON formatted string.
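
Review bot: to_json takes a field_escape_pattern argument (default /^?(^_)$?/) that has no entry in the parameter list; only v and only_loggable are described. Please document what the pattern is matched against and what happens to field names that match. The module description also has a typo: "scructures" should be "structures".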


@ -1,37 +0,0 @@
:tocdepth: 3
base/utils/numbers.bro
======================
Summary
~~~~~~~
Functions
#########
============================================= =================================
:bro:id:`extract_count`: :bro:type:`function` Extract an integer from a string.
============================================= =================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. bro:id:: extract_count
:Type: :bro:type:`function` (s: :bro:type:`string`, get_first: :bro:type:`bool` :bro:attr:`&default` = ``T`` :bro:attr:`&optional`) : :bro:type:`count`
Extract an integer from a string.
:s: The string to search for a number.
:get_first: Provide `F` if you would like the last number found.
:returns: The request integer from the given string or 0 if
no integer was found.
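
Review bot: extract_count returns 0 when no integer was found, which a caller cannot tell apart from a string that actually contains the number 0. The ":returns:" text should call that ambiguity out so scripts that parse lengths or counts from protocol fields check for digits first. "The request integer" should read "The requested integer".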


@ -1,96 +0,0 @@
:tocdepth: 3
base/utils/paths.bro
====================
Functions to parse and manipulate UNIX style paths and directories.
Summary
~~~~~~~
Constants
#########
================================================ =
:bro:id:`absolute_path_pat`: :bro:type:`pattern`
================================================ =
Functions
#########
===================================================== ======================================================================
:bro:id:`build_path`: :bro:type:`function` Constructs a path to a file given a directory and a file name.
:bro:id:`build_path_compressed`: :bro:type:`function` Returns a compressed path to a file given a directory and file name.
:bro:id:`compress_path`: :bro:type:`function` Compresses a given path by removing '..'s and the parent directory it
references and also removing dual '/'s and extraneous '/./'s.
:bro:id:`extract_path`: :bro:type:`function` Given an arbitrary string, extracts a single, absolute path (directory
with filename).
===================================================== ======================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Constants
#########
.. bro:id:: absolute_path_pat
:Type: :bro:type:`pattern`
:Default:
::
/^?((\/|[A-Za-z]:[\\\/]).*)$?/
Functions
#########
.. bro:id:: build_path
:Type: :bro:type:`function` (dir: :bro:type:`string`, file_name: :bro:type:`string`) : :bro:type:`string`
Constructs a path to a file given a directory and a file name.
:dir: the directory in which the file lives.
:file_name: the name of the file.
:returns: the concatenation of the directory path and file name, or just
the file name if it's already an absolute path.
.. bro:id:: build_path_compressed
:Type: :bro:type:`function` (dir: :bro:type:`string`, file_name: :bro:type:`string`) : :bro:type:`string`
Returns a compressed path to a file given a directory and file name.
See :bro:id:`build_path` and :bro:id:`compress_path`.
.. bro:id:: compress_path
:Type: :bro:type:`function` (dir: :bro:type:`string`) : :bro:type:`string`
Compresses a given path by removing '..'s and the parent directory it
references and also removing dual '/'s and extraneous '/./'s.
:dir: a path string, either relative or absolute.
:returns: a compressed version of the input path.
.. bro:id:: extract_path
:Type: :bro:type:`function` (input: :bro:type:`string`) : :bro:type:`string`
Given an arbitrary string, extracts a single, absolute path (directory
with filename).
.. todo:: Make this work on Window's style directories.
:input: a string that may contain an absolute path.
:returns: the first absolute path found in input string, else an empty string.
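
Review bot: absolute_path_pat accepts drive-letter prefixes ("[A-Za-z]:[\\\/]"), but the todo under extract_path says Windows-style directories are not handled yet, so the two entries disagree on what counts as an absolute path; the module description should say which functions are UNIX-only. The compress_path entry also does not say what happens when a ".." would climb above the start of the path, which is the case a caller most needs spelled out. "Window's style" should be "Windows-style".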


@ -1,89 +0,0 @@
:tocdepth: 3
base/utils/patterns.bro
=======================
.. bro:namespace:: GLOBAL
Functions for creating and working with patterns.
:Namespace: GLOBAL
Summary
~~~~~~~
Types
#####
================================================== =
:bro:type:`PatternMatchResult`: :bro:type:`record`
================================================== =
Functions
#########
============================================= =========================================================================
:bro:id:`match_pattern`: :bro:type:`function` Matches the given pattern against the given string, returning
a :bro:type:`PatternMatchResult` record.
:bro:id:`set_to_regex`: :bro:type:`function` Given a pattern as a string with two tildes (~~) contained in it, it will
return a pattern with string set's elements OR'd together where the
double-tilde was given (this function only works at or before init time).
============================================= =========================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Types
#####
.. bro:type:: PatternMatchResult
:Type: :bro:type:`record`
matched: :bro:type:`bool`
T if a match was found, F otherwise.
str: :bro:type:`string`
Portion of string that first matched.
off: :bro:type:`count`
1-based offset where match starts.
Functions
#########
.. bro:id:: match_pattern
:Type: :bro:type:`function` (s: :bro:type:`string`, p: :bro:type:`pattern`) : :bro:type:`PatternMatchResult`
Matches the given pattern against the given string, returning
a :bro:type:`PatternMatchResult` record.
For example: ``match_pattern("foobar", /o*[a-k]/)`` returns
``[matched=T, str=f, off=1]``, because the *first* match is for
zero o's followed by an [a-k], but ``match_pattern("foobar", /o+[a-k]/)``
returns ``[matched=T, str=oob, off=2]``.
:s: a string to match against.
:p: a pattern to match.
:returns: a record indicating the match status.
.. bro:id:: set_to_regex
:Type: :bro:type:`function` (ss: :bro:type:`set` [:bro:type:`string`], pat: :bro:type:`string`) : :bro:type:`pattern`
Given a pattern as a string with two tildes (~~) contained in it, it will
return a pattern with string set's elements OR'd together where the
double-tilde was given (this function only works at or before init time).
:ss: a set of strings to OR together.
:pat: the pattern containing a "~~" in it. If a literal backslash is
included, it needs to be escaped with another backslash due to Bro's
string parsing reducing it to a single backslash upon rendering.
:returns: the input pattern with "~~" replaced by OR'd elements of input set.
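Review bot: The set_to_regex entry documents backslash escaping for `pat` but never says whether the elements of `ss` are inserted as literal strings or as regular-expression text, which matters to any caller that fills the set from external data. State how metacharacters in the elements are treated, and say what happens when the function is called after init time instead of only noting that it "only works at or before init time". PatternMatchResult also has an empty description cell in the Types summary table.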


@ -1,164 +0,0 @@
:tocdepth: 3
base/utils/queue.bro
====================
.. bro:namespace:: Queue
A FIFO queue.
:Namespace: Queue
Summary
~~~~~~~
Types
#####
=============================================== ==========================================
:bro:type:`Queue::Queue`: :bro:type:`record` The internal data structure for the queue.
:bro:type:`Queue::Settings`: :bro:type:`record` Settings for initializing the queue.
=============================================== ==========================================
Redefinitions
#############
============================================ =
:bro:type:`Queue::Queue`: :bro:type:`record`
============================================ =
Functions
#########
================================================= ==============================================================
:bro:id:`Queue::get`: :bro:type:`function` Get a value from the end of a queue.
:bro:id:`Queue::get_vector`: :bro:type:`function` Get the contents of the queue as a vector.
:bro:id:`Queue::init`: :bro:type:`function` Initialize a queue record structure.
:bro:id:`Queue::len`: :bro:type:`function` Get the number of items in a queue.
:bro:id:`Queue::merge`: :bro:type:`function` Merge two queues together.
:bro:id:`Queue::peek`: :bro:type:`function` Peek at the value at the end of the queue without removing it.
:bro:id:`Queue::put`: :bro:type:`function` Put a value onto the beginning of a queue.
================================================= ==============================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Types
#####
.. bro:type:: Queue::Queue
:Type: :bro:type:`record`
initialized: :bro:type:`bool` :bro:attr:`&default` = ``F`` :bro:attr:`&optional`
vals: :bro:type:`table` [:bro:type:`count`] of :bro:type:`any` :bro:attr:`&optional`
settings: :bro:type:`Queue::Settings` :bro:attr:`&optional`
top: :bro:type:`count` :bro:attr:`&default` = ``0`` :bro:attr:`&optional`
bottom: :bro:type:`count` :bro:attr:`&default` = ``0`` :bro:attr:`&optional`
size: :bro:type:`count` :bro:attr:`&default` = ``0`` :bro:attr:`&optional`
The internal data structure for the queue.
.. bro:type:: Queue::Settings
:Type: :bro:type:`record`
max_len: :bro:type:`count` :bro:attr:`&optional`
If a maximum length is set for the queue
it will maintain itself at that
maximum length automatically.
Settings for initializing the queue.
Functions
#########
.. bro:id:: Queue::get
:Type: :bro:type:`function` (q: :bro:type:`Queue::Queue`) : :bro:type:`any`
Get a value from the end of a queue.
:q: The queue to get the value from.
:returns: The value gotten from the queue.
.. bro:id:: Queue::get_vector
:Type: :bro:type:`function` (q: :bro:type:`Queue::Queue`, ret: :bro:type:`vector` of :bro:type:`any`) : :bro:type:`void`
Get the contents of the queue as a vector.
:q: The queue.
:ret: A vector containing the current contents of the queue
as the type of ret.
.. bro:id:: Queue::init
:Type: :bro:type:`function` (s: :bro:type:`Queue::Settings` :bro:attr:`&default` = ``[]`` :bro:attr:`&optional`) : :bro:type:`Queue::Queue`
Initialize a queue record structure.
:s: A record which configures the queue.
:returns: An opaque queue record.
.. bro:id:: Queue::len
:Type: :bro:type:`function` (q: :bro:type:`Queue::Queue`) : :bro:type:`count`
Get the number of items in a queue.
:q: The queue.
:returns: The length of the queue.
.. bro:id:: Queue::merge
:Type: :bro:type:`function` (q1: :bro:type:`Queue::Queue`, q2: :bro:type:`Queue::Queue`) : :bro:type:`Queue::Queue`
Merge two queues together. If any settings are applied
to the queues, the settings from *q1* are used for the new
merged queue.
:q1: The first queue. Settings are taken from here.
:q2: The second queue.
:returns: A new queue from merging the other two together.
.. bro:id:: Queue::peek
:Type: :bro:type:`function` (q: :bro:type:`Queue::Queue`) : :bro:type:`any`
Peek at the value at the end of the queue without removing it.
:q: The queue to get the value from.
:returns: The value at the end of the queue.
.. bro:id:: Queue::put
:Type: :bro:type:`function` (q: :bro:type:`Queue::Queue`, val: :bro:type:`any`) : :bro:type:`void`
Put a value onto the beginning of a queue.
:q: The queue to put the value into.
:val: The value to insert into the queue.
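Review bot: Queue::Settings max_len says the queue "will maintain itself at that maximum length automatically" without saying which element is discarded when a Queue::put exceeds the limit, and Queue::get and Queue::peek do not say what they return for an empty queue. Both behaviours should be spelled out, since a bounded queue that silently drops entries changes what a script sees. Queue::init also promises "An opaque queue record" while the Types section lists every internal field (vals, top, bottom, size); mark those fields as internal, and give the Redefinitions row for Queue::Queue a description.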


@ -1,188 +0,0 @@
:tocdepth: 3
base/utils/site.bro
===================
.. bro:namespace:: Site
Definitions describing a site - which networks and DNS zones are "local"
and "neighbors", and servers running particular services.
:Namespace: Site
:Imports: :doc:`base/utils/patterns.bro </scripts/base/utils/patterns.bro>`
Summary
~~~~~~~
Runtime Options
###############
========================================================================= ======================================================================
:bro:id:`Site::local_admins`: :bro:type:`table` :bro:attr:`&redef` If local network administrators are known and they have responsibility
for defined address space, then a mapping can be defined here between
networks for which they have responsibility and a set of email
addresses.
:bro:id:`Site::local_nets`: :bro:type:`set` :bro:attr:`&redef` Networks that are considered "local".
:bro:id:`Site::local_zones`: :bro:type:`set` :bro:attr:`&redef` DNS zones that are considered "local".
:bro:id:`Site::neighbor_nets`: :bro:type:`set` :bro:attr:`&redef` Networks that are considered "neighbors".
:bro:id:`Site::neighbor_zones`: :bro:type:`set` :bro:attr:`&redef` DNS zones that are considered "neighbors".
:bro:id:`Site::private_address_space`: :bro:type:`set` :bro:attr:`&redef` Address space that is considered private and unrouted.
========================================================================= ======================================================================
State Variables
###############
=================================================== =====================================================================
:bro:id:`Site::local_nets_table`: :bro:type:`table` This is used for retrieving the subnet when using multiple entries in
:bro:id:`Site::local_nets`.
=================================================== =====================================================================
Functions
#########
====================================================== =================================================================
:bro:id:`Site::get_emails`: :bro:type:`function` Function that returns a comma-separated list of email addresses
that are considered administrators for the IP address provided as
an argument.
:bro:id:`Site::is_local_addr`: :bro:type:`function` Function that returns true if an address corresponds to one of
the local networks, false if not.
:bro:id:`Site::is_local_name`: :bro:type:`function` Function that returns true if a host name is within a local
DNS zone.
:bro:id:`Site::is_neighbor_addr`: :bro:type:`function` Function that returns true if an address corresponds to one of
the neighbor networks, false if not.
:bro:id:`Site::is_neighbor_name`: :bro:type:`function` Function that returns true if a host name is within a neighbor
DNS zone.
:bro:id:`Site::is_private_addr`: :bro:type:`function` Function that returns true if an address corresponds to one of
the private/unrouted networks, false if not.
====================================================== =================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. bro:id:: Site::local_admins
:Type: :bro:type:`table` [:bro:type:`subnet`] of :bro:type:`set` [:bro:type:`string`]
:Attributes: :bro:attr:`&redef`
:Default: ``{}``
If local network administrators are known and they have responsibility
for defined address space, then a mapping can be defined here between
networks for which they have responsibility and a set of email
addresses.
.. bro:id:: Site::local_nets
:Type: :bro:type:`set` [:bro:type:`subnet`]
:Attributes: :bro:attr:`&redef`
:Default: ``{}``
Networks that are considered "local". Note that BroControl sets
this automatically.
.. bro:id:: Site::local_zones
:Type: :bro:type:`set` [:bro:type:`string`]
:Attributes: :bro:attr:`&redef`
:Default: ``{}``
DNS zones that are considered "local".
.. bro:id:: Site::neighbor_nets
:Type: :bro:type:`set` [:bro:type:`subnet`]
:Attributes: :bro:attr:`&redef`
:Default: ``{}``
Networks that are considered "neighbors".
.. bro:id:: Site::neighbor_zones
:Type: :bro:type:`set` [:bro:type:`string`]
:Attributes: :bro:attr:`&redef`
:Default: ``{}``
DNS zones that are considered "neighbors".
.. bro:id:: Site::private_address_space
:Type: :bro:type:`set` [:bro:type:`subnet`]
:Attributes: :bro:attr:`&redef`
:Default:
::
{
192.168.0.0/16,
127.0.0.0/8,
::1/128,
172.16.0.0/12,
10.0.0.0/8,
fe80::/10,
100.64.0.0/10
}
Address space that is considered private and unrouted.
By default it has RFC defined non-routable IPv4 address space.
State Variables
###############
.. bro:id:: Site::local_nets_table
:Type: :bro:type:`table` [:bro:type:`subnet`] of :bro:type:`subnet`
:Default: ``{}``
This is used for retrieving the subnet when using multiple entries in
:bro:id:`Site::local_nets`. It's populated automatically from there.
A membership query can be done with an
:bro:type:`addr` and the table will yield the subnet it was found
within.
Functions
#########
.. bro:id:: Site::get_emails
:Type: :bro:type:`function` (a: :bro:type:`addr`) : :bro:type:`string`
Function that returns a comma-separated list of email addresses
that are considered administrators for the IP address provided as
an argument.
The function inspects :bro:id:`Site::local_admins`.
.. bro:id:: Site::is_local_addr
:Type: :bro:type:`function` (a: :bro:type:`addr`) : :bro:type:`bool`
Function that returns true if an address corresponds to one of
the local networks, false if not.
The function inspects :bro:id:`Site::local_nets`.
.. bro:id:: Site::is_local_name
:Type: :bro:type:`function` (name: :bro:type:`string`) : :bro:type:`bool`
Function that returns true if a host name is within a local
DNS zone.
The function inspects :bro:id:`Site::local_zones`.
.. bro:id:: Site::is_neighbor_addr
:Type: :bro:type:`function` (a: :bro:type:`addr`) : :bro:type:`bool`
Function that returns true if an address corresponds to one of
the neighbor networks, false if not.
The function inspects :bro:id:`Site::neighbor_nets`.
.. bro:id:: Site::is_neighbor_name
:Type: :bro:type:`function` (name: :bro:type:`string`) : :bro:type:`bool`
Function that returns true if a host name is within a neighbor
DNS zone.
The function inspects :bro:id:`Site::neighbor_zones`.
.. bro:id:: Site::is_private_addr
:Type: :bro:type:`function` (a: :bro:type:`addr`) : :bro:type:`bool`
Function that returns true if an address corresponds to one of
the private/unrouted networks, false if not.
The function inspects :bro:id:`Site::private_address_space`.
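Review bot: The Site::private_address_space description ("By default it has RFC defined non-routable IPv4 address space") does not match the default printed directly above it, which also contains the IPv6 entries ::1/128 and fe80::/10 alongside loopback and 100.64.0.0/10. Reword it to cover both address families and to name the ranges, and state whether leaving out IPv6 unique local addresses (fc00::/7) is intended, because Site::is_private_addr returns false for anything outside this set.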


@ -1,82 +0,0 @@
:tocdepth: 3
base/utils/strings.bro
======================
Functions to assist with small string analysis and manipulation that can
be implemented as Bro functions and don't need to be implemented as built-in
functions.
Summary
~~~~~~~
Functions
#########
================================================ =============================================================================
:bro:id:`cut_tail`: :bro:type:`function` Cut a number of characters from the end of the given string.
:bro:id:`is_string_binary`: :bro:type:`function` Returns true if the given string is at least 25% composed of 8-bit
characters.
:bro:id:`join_string_set`: :bro:type:`function` Join a set of strings together, with elements delimited by a constant string.
:bro:id:`string_escape`: :bro:type:`function` Given a string, returns an escaped version.
================================================ =============================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. bro:id:: cut_tail
:Type: :bro:type:`function` (s: :bro:type:`string`, tail_len: :bro:type:`count`) : :bro:type:`string`
Cut a number of characters from the end of the given string.
:s: a string to trim.
:tail_len: the number of characters to remove from the end of the string.
:returns: the given string with *tail_len* characters removed from the end.
.. bro:id:: is_string_binary
:Type: :bro:type:`function` (s: :bro:type:`string`) : :bro:type:`bool`
Returns true if the given string is at least 25% composed of 8-bit
characters.
.. bro:id:: join_string_set
:Type: :bro:type:`function` (ss: :bro:type:`set` [:bro:type:`string`], j: :bro:type:`string`) : :bro:type:`string`
Join a set of strings together, with elements delimited by a constant string.
:ss: a set of strings to join.
:j: the string used to join set elements.
:returns: a string composed of all elements of the set, delimited by the
joining string.
.. bro:id:: string_escape
:Type: :bro:type:`function` (s: :bro:type:`string`, chars: :bro:type:`string`) : :bro:type:`string`
Given a string, returns an escaped version.
:s: a string to escape.
:chars: a string containing all the characters that need to be escaped.
:returns: a string with all occurrences of any character in *chars* escaped
using ``\``, and any literal ``\`` characters likewise escaped.
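Review bot: is_string_binary is the only function in this file without :s: and :returns: fields, and "at least 25% composed of 8-bit characters" never defines an 8-bit character (presumably a byte with the high bit set, but the entry should say so) or the result for an empty string. Add the two fields and the definition so that scripts using it to classify payloads know exactly what the threshold measures.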


@ -1,107 +0,0 @@
:tocdepth: 3
base/utils/thresholds.bro
=========================
.. bro:namespace:: GLOBAL
Functions for using multiple thresholds with a counting tracker. For
example, you may want to generate a notice when something happens 10 times
and again when it happens 100 times but nothing in between. You can use
the :bro:id:`check_threshold` function to define your threshold points
and the :bro:type:`TrackCount` variable where you are keeping track of your
counter.
:Namespace: GLOBAL
Summary
~~~~~~~
Redefinable Options
###################
========================================================================== ==========================================================
:bro:id:`default_notice_thresholds`: :bro:type:`vector` :bro:attr:`&redef` The thresholds you would like to use as defaults with the
:bro:id:`default_check_threshold` function.
========================================================================== ==========================================================
Types
#####
========================================== =
:bro:type:`TrackCount`: :bro:type:`record`
========================================== =
Functions
#########
======================================================= ====================================================================
:bro:id:`check_threshold`: :bro:type:`function` This will check if a :bro:type:`TrackCount` variable has crossed any
thresholds in a given set.
:bro:id:`default_check_threshold`: :bro:type:`function` This will use the :bro:id:`default_notice_thresholds` variable to
check a :bro:type:`TrackCount` variable to see if it has crossed
another threshold.
:bro:id:`new_track_count`: :bro:type:`function`
======================================================= ====================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Redefinable Options
###################
.. bro:id:: default_notice_thresholds
:Type: :bro:type:`vector` of :bro:type:`count`
:Attributes: :bro:attr:`&redef`
:Default:
::
[30, 100, 1000, 10000, 100000, 1000000, 10000000]
The thresholds you would like to use as defaults with the
:bro:id:`default_check_threshold` function.
Types
#####
.. bro:type:: TrackCount
:Type: :bro:type:`record`
n: :bro:type:`count` :bro:attr:`&default` = ``0`` :bro:attr:`&optional`
The counter for the number of times something has happened.
index: :bro:type:`count` :bro:attr:`&default` = ``0`` :bro:attr:`&optional`
The index of the vector where the counter currently is. This
is used to track which threshold is currently being watched
for.
Functions
#########
.. bro:id:: check_threshold
:Type: :bro:type:`function` (v: :bro:type:`vector` of :bro:type:`count`, tracker: :bro:type:`TrackCount`) : :bro:type:`bool`
This will check if a :bro:type:`TrackCount` variable has crossed any
thresholds in a given set.
:v: a vector holding counts that represent thresholds.
:tracker: the record being used to track event counter and currently
monitored threshold value.
:returns: T if a threshold has been crossed, else F.
.. bro:id:: default_check_threshold
:Type: :bro:type:`function` (tracker: :bro:type:`TrackCount`) : :bro:type:`bool`
This will use the :bro:id:`default_notice_thresholds` variable to
check a :bro:type:`TrackCount` variable to see if it has crossed
another threshold.
.. bro:id:: new_track_count
:Type: :bro:type:`function` () : :bro:type:`TrackCount`
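Review bot: new_track_count has no description in either the summary table or its detailed entry, and check_threshold describes `v` as "thresholds in a given set" although its type is a vector of count. Because TrackCount's index field records "which threshold is currently being watched for", the entry should say whether `v` has to be in ascending order, and default_check_threshold should carry :tracker: and :returns: fields as check_threshold does.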


@ -1,29 +0,0 @@
:tocdepth: 3
base/utils/time.bro
===================
Summary
~~~~~~~
Functions
#########
===================================================== ========================================================================
:bro:id:`duration_to_mins_secs`: :bro:type:`function` Given an interval, returns a string representing the minutes and seconds
in the interval (for example, "3m34s").
===================================================== ========================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. bro:id:: duration_to_mins_secs
:Type: :bro:type:`function` (dur: :bro:type:`interval`) : :bro:type:`string`
Given an interval, returns a string representing the minutes and seconds
in the interval (for example, "3m34s").
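Review bot: This page has no module description under its title, and duration_to_mins_secs lacks :dur: and :returns: fields. Add them, and say how intervals of an hour or more are rendered, since the only example given is "3m34s".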


@ -1,103 +0,0 @@
:tocdepth: 3
base/utils/urls.bro
===================
Functions for URL handling.
Summary
~~~~~~~
Redefinable Options
###################
=========================================================== ======================================================
:bro:id:`url_regex`: :bro:type:`pattern` :bro:attr:`&redef` A regular expression for matching and extracting URLs.
=========================================================== ======================================================
Types
#####
=================================== ============================================
:bro:type:`URI`: :bro:type:`record` A URI, as parsed by :bro:id:`decompose_uri`.
=================================== ============================================
Functions
#########
============================================================ ==================================================
:bro:id:`decompose_uri`: :bro:type:`function`
:bro:id:`find_all_urls`: :bro:type:`function` Extracts URLs discovered in arbitrary text.
:bro:id:`find_all_urls_without_scheme`: :bro:type:`function` Extracts URLs discovered in arbitrary text without
the URL scheme included.
============================================================ ==================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Redefinable Options
###################
.. bro:id:: url_regex
:Type: :bro:type:`pattern`
:Attributes: :bro:attr:`&redef`
:Default:
::
/^?(^([a-zA-Z\-]{3,5})(:\/\/[^\/?#"'\r\n><]*)([^?#"'\r\n><]*)([^[:blank:]\r\n"'><]*|\??[^"'\r\n><]*))$?/
A regular expression for matching and extracting URLs.
Types
#####
.. bro:type:: URI
:Type: :bro:type:`record`
scheme: :bro:type:`string` :bro:attr:`&optional`
The URL's scheme..
netlocation: :bro:type:`string`
The location, which could be a domain name or an IP address. Left empty if not
specified.
portnum: :bro:type:`count` :bro:attr:`&optional`
Port number, if included in URI.
path: :bro:type:`string`
Full including the file name. Will be '/' if there's not path given.
file_name: :bro:type:`string` :bro:attr:`&optional`
Full file name, including extension, if there is a file name.
file_base: :bro:type:`string` :bro:attr:`&optional`
The base filename, without extension, if there is a file name.
file_ext: :bro:type:`string` :bro:attr:`&optional`
The filename's extension, if there is a file name.
params: :bro:type:`table` [:bro:type:`string`] of :bro:type:`string` :bro:attr:`&optional`
A table of all query parameters, mapping their keys to values, if there's a
query.
A URI, as parsed by :bro:id:`decompose_uri`.
Functions
#########
.. bro:id:: decompose_uri
:Type: :bro:type:`function` (uri: :bro:type:`string`) : :bro:type:`URI`
.. bro:id:: find_all_urls
:Type: :bro:type:`function` (s: :bro:type:`string`) : :bro:type:`string_set`
Extracts URLs discovered in arbitrary text.
.. bro:id:: find_all_urls_without_scheme
:Type: :bro:type:`function` (s: :bro:type:`string`) : :bro:type:`string_set`
Extracts URLs discovered in arbitrary text without
the URL scheme included.
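Review bot: The url_regex default limits the scheme group to `[a-zA-Z\-]{3,5}`, so a scheme shorter than three or longer than five characters, or one containing a digit, cannot match as a whole, and neither the url_regex entry nor find_all_urls mentions this. Document the limit where find_all_urls is described, since anyone using it to pull URLs out of traffic needs to know what it will miss or truncate. In the same hunk, decompose_uri has no description at all, and the URI record text has slips to fix on regeneration: "The URL's scheme.." and "Full including the file name. Will be '/' if there's not path given."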