Change doc/ subdir into a git submodule

The docs now live at https://github.com/zeek/zeek-docs
Jon Siwek 2019-01-17 14:09:29 -06:00
parent 0d685efbf5
commit 2ff746fea7
693 changed files with 26 additions and 105609 deletions

@ -1,24 +0,0 @@
:tocdepth: 3
policy/frameworks/control/controllee.bro
========================================
.. bro:namespace:: Control
The controllee portion of the control framework. Load this script if remote
runtime control of the Bro process is desired.
A controllee only needs to load the controllee script in addition
to the specific analysis scripts desired. It may also need a node
configured as a controller node in the communications nodes configuration::
bro <scripts> frameworks/control/controllee
:Namespace: Control
:Imports: :doc:`base/frameworks/broker </scripts/base/frameworks/broker/index>`, :doc:`base/frameworks/control </scripts/base/frameworks/control/index>`
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~
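Review bot: the 26 additions reported in the commit header are not in any of the visible hunks, which are all pure deletions of documentation pages (the `:tocdepth: 3`, `.. bro:namespace::`, `:Imports:` and `Summary`/`Detailed Interface` blocks look auto-generated); when `doc/` is replaced by a submodule as the message states, the additions should pin a specific zeek-docs revision rather than a moving branch so that a docs build stays reproducible and the material removed here remains reachable at that pinned revision. It would also help reviewers if the commit message said whether any hand-written pages were among the deleted files or whether everything here is regenerated on the zeek-docs side.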

@ -1,23 +0,0 @@
:tocdepth: 3
policy/frameworks/control/controller.bro
========================================
.. bro:namespace:: Control
This is a utility script that implements the controller interface for the
control framework. It's intended to be run to control a remote Bro
and then shutdown.
It's intended to be used from the command line like this::
bro <scripts> frameworks/control/controller Control::host=<host_addr> Control::host_port=<host_port> Control::cmd=<command> [Control::arg=<arg>]
:Namespace: Control
:Imports: :doc:`base/frameworks/broker </scripts/base/frameworks/broker/index>`, :doc:`base/frameworks/control </scripts/base/frameworks/control/index>`
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

@ -1,125 +0,0 @@
:tocdepth: 3
policy/frameworks/dpd/detect-protocols.bro
==========================================
.. bro:namespace:: ProtocolDetector
Finds connections with protocols on non-standard ports with DPD.
:Namespace: ProtocolDetector
:Imports: :doc:`base/frameworks/notice </scripts/base/frameworks/notice/index>`, :doc:`base/utils/conn-ids.bro </scripts/base/utils/conn-ids.bro>`, :doc:`base/utils/site.bro </scripts/base/utils/site.bro>`
Summary
~~~~~~~
Runtime Options
###############
===================================================================================== =
:bro:id:`ProtocolDetector::minimum_duration`: :bro:type:`interval` :bro:attr:`&redef`
:bro:id:`ProtocolDetector::minimum_volume`: :bro:type:`double` :bro:attr:`&redef`
:bro:id:`ProtocolDetector::suppress_servers`: :bro:type:`set` :bro:attr:`&redef`
:bro:id:`ProtocolDetector::valids`: :bro:type:`table` :bro:attr:`&redef`
===================================================================================== =
Constants
#########
================================================================ =
:bro:id:`ProtocolDetector::check_interval`: :bro:type:`interval`
================================================================ =
State Variables
###############
=============================================================================================== =
:bro:id:`ProtocolDetector::servers`: :bro:type:`table` :bro:attr:`&read_expire` = ``14.0 days``
=============================================================================================== =
Types
#####
=================================================== =
:bro:type:`ProtocolDetector::dir`: :bro:type:`enum`
=================================================== =
Redefinitions
#############
========================================== =
:bro:type:`Notice::Type`: :bro:type:`enum`
========================================== =
Functions
#########
================================================================ =
:bro:id:`ProtocolDetector::found_protocol`: :bro:type:`function`
================================================================ =
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. bro:id:: ProtocolDetector::minimum_duration
:Type: :bro:type:`interval`
:Attributes: :bro:attr:`&redef`
:Default: ``30.0 secs``
.. bro:id:: ProtocolDetector::minimum_volume
:Type: :bro:type:`double`
:Attributes: :bro:attr:`&redef`
:Default: ``4000.0``
.. bro:id:: ProtocolDetector::suppress_servers
:Type: :bro:type:`set` [:bro:type:`Analyzer::Tag`]
:Attributes: :bro:attr:`&redef`
:Default: ``{}``
.. bro:id:: ProtocolDetector::valids
:Type: :bro:type:`table` [:bro:type:`Analyzer::Tag`, :bro:type:`addr`, :bro:type:`port`] of :bro:type:`ProtocolDetector::dir`
:Attributes: :bro:attr:`&redef`
:Default: ``{}``
Constants
#########
.. bro:id:: ProtocolDetector::check_interval
:Type: :bro:type:`interval`
:Default: ``5.0 secs``
State Variables
###############
.. bro:id:: ProtocolDetector::servers
:Type: :bro:type:`table` [:bro:type:`addr`, :bro:type:`port`, :bro:type:`string`] of :bro:type:`set` [:bro:type:`string`]
:Attributes: :bro:attr:`&read_expire` = ``14.0 days``
:Default: ``{}``
Types
#####
.. bro:type:: ProtocolDetector::dir
:Type: :bro:type:`enum`
.. bro:enum:: ProtocolDetector::NONE ProtocolDetector::dir
.. bro:enum:: ProtocolDetector::INCOMING ProtocolDetector::dir
.. bro:enum:: ProtocolDetector::OUTGOING ProtocolDetector::dir
.. bro:enum:: ProtocolDetector::BOTH ProtocolDetector::dir
Functions
#########
.. bro:id:: ProtocolDetector::found_protocol
:Type: :bro:type:`function` (c: :bro:type:`connection`, atype: :bro:type:`Analyzer::Tag`, protocol: :bro:type:`string`) : :bro:type:`void`

@ -1,43 +0,0 @@
:tocdepth: 3
policy/frameworks/dpd/packet-segment-logging.bro
================================================
.. bro:namespace:: DPD
This script enables logging of packet segment data when a protocol
parsing violation is encountered. The amount of data from the
packet logged is set by the :bro:see:`DPD::packet_segment_size` variable.
A caveat to logging packet data is that in some cases, the packet may
not be the packet that actually caused the protocol violation.
:Namespace: DPD
:Imports: :doc:`base/frameworks/dpd </scripts/base/frameworks/dpd/index>`
Summary
~~~~~~~
Runtime Options
###############
====================================================================== =====================================================
:bro:id:`DPD::packet_segment_size`: :bro:type:`int` :bro:attr:`&redef` Size of the packet segment to display in the DPD log.
====================================================================== =====================================================
Redefinitions
#############
========================================= =
:bro:type:`DPD::Info`: :bro:type:`record`
========================================= =
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. bro:id:: DPD::packet_segment_size
:Type: :bro:type:`int`
:Attributes: :bro:attr:`&redef`
:Default: ``255``
Size of the packet segment to display in the DPD log.

@ -1,69 +0,0 @@
:tocdepth: 3
policy/frameworks/files/detect-MHR.bro
======================================
.. bro:namespace:: TeamCymruMalwareHashRegistry
Detect file downloads that have hash values matching files in Team
Cymru's Malware Hash Registry (http://www.team-cymru.org/Services/MHR/).
:Namespace: TeamCymruMalwareHashRegistry
:Imports: :doc:`base/frameworks/files </scripts/base/frameworks/files/index>`, :doc:`base/frameworks/notice </scripts/base/frameworks/notice/index>`, :doc:`policy/frameworks/files/hash-all-files.bro </scripts/policy/frameworks/files/hash-all-files.bro>`
Summary
~~~~~~~
Runtime Options
###############
================================================================================================ ====================================================================
:bro:id:`TeamCymruMalwareHashRegistry::match_file_types`: :bro:type:`pattern` :bro:attr:`&redef` File types to attempt matching against the Malware Hash Registry.
:bro:id:`TeamCymruMalwareHashRegistry::match_sub_url`: :bro:type:`string` :bro:attr:`&redef` The Match notice has a sub message with a URL where you can get more
information about the file.
:bro:id:`TeamCymruMalwareHashRegistry::notice_threshold`: :bro:type:`count` :bro:attr:`&redef` The malware hash registry runs each malware sample through several
A/V engines.
================================================================================================ ====================================================================
Redefinitions
#############
========================================== =
:bro:type:`Notice::Type`: :bro:type:`enum`
========================================== =
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. bro:id:: TeamCymruMalwareHashRegistry::match_file_types
:Type: :bro:type:`pattern`
:Attributes: :bro:attr:`&redef`
:Default:
::
/^?((^?((^?((^?((^?((^?((^?(application\/x-dosexec)$?)|(^?(application\/vnd.ms-cab-compressed)$?))$?)|(^?(application\/pdf)$?))$?)|(^?(application\/x-shockwave-flash)$?))$?)|(^?(application\/x-java-applet)$?))$?)|(^?(application\/jar)$?))$?)|(^?(video\/mp4)$?))$?/
File types to attempt matching against the Malware Hash Registry.
.. bro:id:: TeamCymruMalwareHashRegistry::match_sub_url
:Type: :bro:type:`string`
:Attributes: :bro:attr:`&redef`
:Default: ``"https://www.virustotal.com/en/search/?query=%s"``
The Match notice has a sub message with a URL where you can get more
information about the file. The %s will be replaced with the SHA-1
hash of the file.
.. bro:id:: TeamCymruMalwareHashRegistry::notice_threshold
:Type: :bro:type:`count`
:Attributes: :bro:attr:`&redef`
:Default: ``10``
The malware hash registry runs each malware sample through several
A/V engines. Team Cymru returns a percentage to indicate how
many A/V engines flagged the sample as malicious. This threshold
allows you to require a minimum detection rate.

@ -1,21 +0,0 @@
:tocdepth: 3
policy/frameworks/files/entropy-test-all-files.bro
==================================================
.. bro:namespace:: Files
:Namespace: Files
Summary
~~~~~~~
Redefinitions
#############
============================================================== =
:bro:type:`Files::Info`: :bro:type:`record` :bro:attr:`&redef`
============================================================== =
Detailed Interface
~~~~~~~~~~~~~~~~~~

@ -1,15 +0,0 @@
:tocdepth: 3
policy/frameworks/files/extract-all-files.bro
=============================================
Extract all files to disk.
:Imports: :doc:`base/files/extract </scripts/base/files/extract/index>`
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

@ -1,15 +0,0 @@
:tocdepth: 3
policy/frameworks/files/hash-all-files.bro
==========================================
Perform MD5 and SHA1 hashing on all files.
:Imports: :doc:`base/files/hash </scripts/base/files/hash/index>`
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

@ -1,23 +0,0 @@
:tocdepth: 3
policy/frameworks/intel/do_expire.bro
=====================================
.. bro:namespace:: Intel
This script enables expiration for intelligence items.
:Namespace: Intel
:Imports: :doc:`base/frameworks/intel </scripts/base/frameworks/intel/index>`
Summary
~~~~~~~
Redefinitions
#############
========================================================================= =
:bro:id:`Intel::item_expiration`: :bro:type:`interval` :bro:attr:`&redef`
========================================================================= =
Detailed Interface
~~~~~~~~~~~~~~~~~~

@ -1,24 +0,0 @@
:tocdepth: 3
policy/frameworks/intel/do_notice.bro
=====================================
.. bro:namespace:: Intel
This script enables notice generation for intelligence matches.
:Namespace: Intel
:Imports: :doc:`base/frameworks/intel </scripts/base/frameworks/intel/index>`, :doc:`base/frameworks/notice </scripts/base/frameworks/notice/index>`
Summary
~~~~~~~
Redefinitions
#############
=============================================== =
:bro:type:`Intel::MetaData`: :bro:type:`record`
:bro:type:`Notice::Type`: :bro:type:`enum`
=============================================== =
Detailed Interface
~~~~~~~~~~~~~~~~~~

@ -1,14 +0,0 @@
:tocdepth: 3
policy/frameworks/intel/seen/__load__.bro
=========================================
:Imports: :doc:`policy/frameworks/intel/seen/conn-established.bro </scripts/policy/frameworks/intel/seen/conn-established.bro>`, :doc:`policy/frameworks/intel/seen/dns.bro </scripts/policy/frameworks/intel/seen/dns.bro>`, :doc:`policy/frameworks/intel/seen/file-hashes.bro </scripts/policy/frameworks/intel/seen/file-hashes.bro>`, :doc:`policy/frameworks/intel/seen/file-names.bro </scripts/policy/frameworks/intel/seen/file-names.bro>`, :doc:`policy/frameworks/intel/seen/http-headers.bro </scripts/policy/frameworks/intel/seen/http-headers.bro>`, :doc:`policy/frameworks/intel/seen/http-url.bro </scripts/policy/frameworks/intel/seen/http-url.bro>`, :doc:`policy/frameworks/intel/seen/pubkey-hashes.bro </scripts/policy/frameworks/intel/seen/pubkey-hashes.bro>`, :doc:`policy/frameworks/intel/seen/smtp-url-extraction.bro </scripts/policy/frameworks/intel/seen/smtp-url-extraction.bro>`, :doc:`policy/frameworks/intel/seen/smtp.bro </scripts/policy/frameworks/intel/seen/smtp.bro>`, :doc:`policy/frameworks/intel/seen/ssl.bro </scripts/policy/frameworks/intel/seen/ssl.bro>`, :doc:`policy/frameworks/intel/seen/x509.bro </scripts/policy/frameworks/intel/seen/x509.bro>`
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

@ -1,14 +0,0 @@
:tocdepth: 3
policy/frameworks/intel/seen/conn-established.bro
=================================================
:Imports: :doc:`base/frameworks/intel </scripts/base/frameworks/intel/index>`, :doc:`policy/frameworks/intel/seen/where-locations.bro </scripts/policy/frameworks/intel/seen/where-locations.bro>`
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

@ -1,14 +0,0 @@
:tocdepth: 3
policy/frameworks/intel/seen/dns.bro
====================================
:Imports: :doc:`base/frameworks/intel </scripts/base/frameworks/intel/index>`, :doc:`policy/frameworks/intel/seen/where-locations.bro </scripts/policy/frameworks/intel/seen/where-locations.bro>`
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

@ -1,14 +0,0 @@
:tocdepth: 3
policy/frameworks/intel/seen/file-hashes.bro
============================================
:Imports: :doc:`base/frameworks/intel </scripts/base/frameworks/intel/index>`, :doc:`policy/frameworks/intel/seen/where-locations.bro </scripts/policy/frameworks/intel/seen/where-locations.bro>`
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

@ -1,14 +0,0 @@
:tocdepth: 3
policy/frameworks/intel/seen/file-names.bro
===========================================
:Imports: :doc:`base/frameworks/intel </scripts/base/frameworks/intel/index>`, :doc:`policy/frameworks/intel/seen/where-locations.bro </scripts/policy/frameworks/intel/seen/where-locations.bro>`
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

@ -1,14 +0,0 @@
:tocdepth: 3
policy/frameworks/intel/seen/http-headers.bro
=============================================
:Imports: :doc:`base/frameworks/intel </scripts/base/frameworks/intel/index>`, :doc:`base/utils/addrs.bro </scripts/base/utils/addrs.bro>`, :doc:`policy/frameworks/intel/seen/where-locations.bro </scripts/policy/frameworks/intel/seen/where-locations.bro>`
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

@ -1,14 +0,0 @@
:tocdepth: 3
policy/frameworks/intel/seen/http-url.bro
=========================================
:Imports: :doc:`base/frameworks/intel </scripts/base/frameworks/intel/index>`, :doc:`base/protocols/http/utils.bro </scripts/base/protocols/http/utils.bro>`, :doc:`policy/frameworks/intel/seen/where-locations.bro </scripts/policy/frameworks/intel/seen/where-locations.bro>`
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

@ -1,46 +0,0 @@
:orphan:
Package: policy/frameworks/intel/seen
=====================================
Scripts that send data to the intelligence framework.
:doc:`/scripts/policy/frameworks/intel/seen/__load__.bro`
:doc:`/scripts/policy/frameworks/intel/seen/conn-established.bro`
:doc:`/scripts/policy/frameworks/intel/seen/where-locations.bro`
:doc:`/scripts/policy/frameworks/intel/seen/dns.bro`
:doc:`/scripts/policy/frameworks/intel/seen/file-hashes.bro`
:doc:`/scripts/policy/frameworks/intel/seen/file-names.bro`
:doc:`/scripts/policy/frameworks/intel/seen/http-headers.bro`
:doc:`/scripts/policy/frameworks/intel/seen/http-url.bro`
:doc:`/scripts/policy/frameworks/intel/seen/pubkey-hashes.bro`
:doc:`/scripts/policy/frameworks/intel/seen/ssl.bro`
:doc:`/scripts/policy/frameworks/intel/seen/smtp.bro`
:doc:`/scripts/policy/frameworks/intel/seen/smtp-url-extraction.bro`
:doc:`/scripts/policy/frameworks/intel/seen/x509.bro`

@ -1,14 +0,0 @@
:tocdepth: 3
policy/frameworks/intel/seen/pubkey-hashes.bro
==============================================
:Imports: :doc:`base/frameworks/intel </scripts/base/frameworks/intel/index>`, :doc:`base/protocols/ssh </scripts/base/protocols/ssh/index>`, :doc:`policy/frameworks/intel/seen/where-locations.bro </scripts/policy/frameworks/intel/seen/where-locations.bro>`
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

@ -1,14 +0,0 @@
:tocdepth: 3
policy/frameworks/intel/seen/smtp-url-extraction.bro
====================================================
:Imports: :doc:`base/frameworks/intel </scripts/base/frameworks/intel/index>`, :doc:`base/protocols/smtp </scripts/base/protocols/smtp/index>`, :doc:`base/utils/urls.bro </scripts/base/utils/urls.bro>`, :doc:`policy/frameworks/intel/seen/where-locations.bro </scripts/policy/frameworks/intel/seen/where-locations.bro>`
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

@ -1,14 +0,0 @@
:tocdepth: 3
policy/frameworks/intel/seen/smtp.bro
=====================================
:Imports: :doc:`base/frameworks/intel </scripts/base/frameworks/intel/index>`, :doc:`base/protocols/smtp </scripts/base/protocols/smtp/index>`, :doc:`base/utils/email.bro </scripts/base/utils/email.bro>`, :doc:`policy/frameworks/intel/seen/where-locations.bro </scripts/policy/frameworks/intel/seen/where-locations.bro>`
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

@ -1,14 +0,0 @@
:tocdepth: 3
policy/frameworks/intel/seen/ssl.bro
====================================
:Imports: :doc:`base/frameworks/intel </scripts/base/frameworks/intel/index>`, :doc:`base/protocols/ssl </scripts/base/protocols/ssl/index>`, :doc:`policy/frameworks/intel/seen/where-locations.bro </scripts/policy/frameworks/intel/seen/where-locations.bro>`
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

@ -1,20 +0,0 @@
:tocdepth: 3
policy/frameworks/intel/seen/where-locations.bro
================================================
:Imports: :doc:`base/frameworks/intel </scripts/base/frameworks/intel/index>`
Summary
~~~~~~~
Redefinitions
#############
========================================== =
:bro:type:`Intel::Where`: :bro:type:`enum`
========================================== =
Detailed Interface
~~~~~~~~~~~~~~~~~~

@ -1,32 +0,0 @@
:tocdepth: 3
policy/frameworks/intel/seen/x509.bro
=====================================
.. bro:namespace:: Intel
:Namespace: Intel
:Imports: :doc:`base/files/x509 </scripts/base/files/x509/index>`, :doc:`base/frameworks/intel </scripts/base/frameworks/intel/index>`, :doc:`policy/frameworks/intel/seen/where-locations.bro </scripts/policy/frameworks/intel/seen/where-locations.bro>`
Summary
~~~~~~~
Runtime Options
###############
============================================================================================== =============================================================================
:bro:id:`Intel::enable_x509_ext_subject_alternative_name`: :bro:type:`bool` :bro:attr:`&redef` Enables the extraction of subject alternate names from the X509 SAN DNS field
============================================================================================== =============================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. bro:id:: Intel::enable_x509_ext_subject_alternative_name
:Type: :bro:type:`bool`
:Attributes: :bro:attr:`&redef`
:Default: ``T``
Enables the extraction of subject alternate names from the X509 SAN DNS field

@ -1,23 +0,0 @@
:tocdepth: 3
policy/frameworks/intel/whitelist.bro
=====================================
.. bro:namespace:: Intel
This script enables whitelisting for intelligence items.
:Namespace: Intel
:Imports: :doc:`base/frameworks/intel </scripts/base/frameworks/intel/index>`
Summary
~~~~~~~
Redefinitions
#############
=============================================== =
:bro:type:`Intel::MetaData`: :bro:type:`record`
=============================================== =
Detailed Interface
~~~~~~~~~~~~~~~~~~

@ -1,14 +0,0 @@
:tocdepth: 3
policy/frameworks/notice/__load__.bro
=====================================
:Imports: :doc:`policy/frameworks/notice/extend-email/hostnames.bro </scripts/policy/frameworks/notice/extend-email/hostnames.bro>`
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

@ -1,20 +0,0 @@
:tocdepth: 3
policy/frameworks/notice/extend-email/hostnames.bro
===================================================
.. bro:namespace:: Notice
Loading this script extends the :bro:enum:`Notice::ACTION_EMAIL` action
by appending to the email the hostnames associated with
:bro:type:`Notice::Info`'s *src* and *dst* fields as determined by a
DNS lookup.
:Namespace: Notice
:Imports: :doc:`base/frameworks/notice/main.bro </scripts/base/frameworks/notice/main.bro>`
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

@ -1,16 +0,0 @@
:orphan:
Package: policy/frameworks/notice
=================================
:doc:`/scripts/policy/frameworks/notice/__load__.bro`
:doc:`/scripts/policy/frameworks/notice/extend-email/hostnames.bro`
Loading this script extends the :bro:enum:`Notice::ACTION_EMAIL` action
by appending to the email the hostnames associated with
:bro:type:`Notice::Info`'s *src* and *dst* fields as determined by a
DNS lookup.

@ -1,99 +0,0 @@
:tocdepth: 3
policy/frameworks/packet-filter/shunt.bro
=========================================
.. bro:namespace:: PacketFilter
:Namespace: PacketFilter
:Imports: :doc:`base/frameworks/notice </scripts/base/frameworks/notice/index>`, :doc:`base/frameworks/packet-filter </scripts/base/frameworks/packet-filter/index>`
Summary
~~~~~~~
Redefinable Options
###################
============================================================================ ======================================================================
:bro:id:`PacketFilter::max_bpf_shunts`: :bro:type:`count` :bro:attr:`&redef` The maximum number of BPF based shunts that Bro is allowed to perform.
============================================================================ ======================================================================
Redefinitions
#############
========================================== =
:bro:type:`Notice::Type`: :bro:type:`enum`
========================================== =
Functions
#########
======================================================================== ===========================================================================
:bro:id:`PacketFilter::current_shunted_conns`: :bro:type:`function` Retrieve the currently shunted connections.
:bro:id:`PacketFilter::current_shunted_host_pairs`: :bro:type:`function` Retrieve the currently shunted host pairs.
:bro:id:`PacketFilter::force_unshunt_host_pair`: :bro:type:`function` Performs the same function as the :bro:id:`PacketFilter::unshunt_host_pair`
function, but it forces an immediate filter update.
:bro:id:`PacketFilter::shunt_conn`: :bro:type:`function` Call this function to use BPF to shunt a connection (to prevent the
data packets from reaching Bro).
:bro:id:`PacketFilter::shunt_host_pair`: :bro:type:`function` This function will use a BPF expression to shunt traffic between
the two hosts given in the `conn_id` so that the traffic is never
exposed to Bro's traffic processing.
:bro:id:`PacketFilter::unshunt_host_pair`: :bro:type:`function` Remove shunting for a host pair given as a `conn_id`.
======================================================================== ===========================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Redefinable Options
###################
.. bro:id:: PacketFilter::max_bpf_shunts
:Type: :bro:type:`count`
:Attributes: :bro:attr:`&redef`
:Default: ``100``
The maximum number of BPF based shunts that Bro is allowed to perform.
Functions
#########
.. bro:id:: PacketFilter::current_shunted_conns
:Type: :bro:type:`function` () : :bro:type:`set` [:bro:type:`conn_id`]
Retrieve the currently shunted connections.
.. bro:id:: PacketFilter::current_shunted_host_pairs
:Type: :bro:type:`function` () : :bro:type:`set` [:bro:type:`conn_id`]
Retrieve the currently shunted host pairs.
.. bro:id:: PacketFilter::force_unshunt_host_pair
:Type: :bro:type:`function` (id: :bro:type:`conn_id`) : :bro:type:`bool`
Performs the same function as the :bro:id:`PacketFilter::unshunt_host_pair`
function, but it forces an immediate filter update.
.. bro:id:: PacketFilter::shunt_conn
:Type: :bro:type:`function` (id: :bro:type:`conn_id`) : :bro:type:`bool`
Call this function to use BPF to shunt a connection (to prevent the
data packets from reaching Bro). For TCP connections, control
packets are still allowed through so that Bro can continue logging
the connection and it can stop shunting once the connection ends.
.. bro:id:: PacketFilter::shunt_host_pair
:Type: :bro:type:`function` (id: :bro:type:`conn_id`) : :bro:type:`bool`
This function will use a BPF expression to shunt traffic between
the two hosts given in the `conn_id` so that the traffic is never
exposed to Bro's traffic processing.
.. bro:id:: PacketFilter::unshunt_host_pair
:Type: :bro:type:`function` (id: :bro:type:`conn_id`) : :bro:type:`bool`
Remove shunting for a host pair given as a `conn_id`. The filter
is not immediately removed. It waits for the occasional filter
update done by the `PacketFilter` framework.

@ -1,45 +0,0 @@
:tocdepth: 3
policy/frameworks/software/version-changes.bro
==============================================
.. bro:namespace:: Software
Provides the possibility to define software names that are interesting to
watch for changes. A notice is generated if software versions change on a
host.
:Namespace: Software
:Imports: :doc:`base/frameworks/notice </scripts/base/frameworks/notice/index>`, :doc:`base/frameworks/software </scripts/base/frameworks/software/index>`
Summary
~~~~~~~
Runtime Options
###############
=================================================================================== ====================================================================
:bro:id:`Software::interesting_version_changes`: :bro:type:`set` :bro:attr:`&redef` Some software is more interesting when the version changes and this
is a set of all software that should raise a notice when a different
version is seen on a host.
=================================================================================== ====================================================================
Redefinitions
#############
========================================== =
:bro:type:`Notice::Type`: :bro:type:`enum`
========================================== =
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. bro:id:: Software::interesting_version_changes
:Type: :bro:type:`set` [:bro:type:`string`]
:Attributes: :bro:attr:`&redef`
:Default: ``{}``
Some software is more interesting when the version changes and this
is a set of all software that should raise a notice when a different
version is seen on a host.

@ -1,99 +0,0 @@
:tocdepth: 3
policy/frameworks/software/vulnerable.bro
=========================================
.. bro:namespace:: Software
Provides a variable to define vulnerable versions of software and if
a version of that software is as old or older than the defined version a
notice will be generated.
:Namespace: Software
:Imports: :doc:`base/frameworks/control </scripts/base/frameworks/control/index>`, :doc:`base/frameworks/notice </scripts/base/frameworks/notice/index>`, :doc:`base/frameworks/software </scripts/base/frameworks/software/index>`
Summary
~~~~~~~
Runtime Options
###############
================================================================================================ =============================================================
:bro:id:`Software::vulnerable_versions_update_endpoint`: :bro:type:`string` :bro:attr:`&redef` The DNS zone where runtime vulnerable software updates will
be loaded from.
:bro:id:`Software::vulnerable_versions_update_interval`: :bro:type:`interval` :bro:attr:`&redef` The interval at which vulnerable versions should grab updates
over DNS.
================================================================================================ =============================================================
Redefinable Options
###################
============================================================================= ===============================================================
:bro:id:`Software::vulnerable_versions`: :bro:type:`table` :bro:attr:`&redef` This is a table of software versions indexed by the name of the
software and a set of version ranges that are declared to be
vulnerable for that software.
============================================================================= ===============================================================
Types
#####
================================================================ =
:bro:type:`Software::VulnerableVersionRange`: :bro:type:`record`
================================================================ =
Redefinitions
#############
========================================== =
:bro:type:`Notice::Type`: :bro:type:`enum`
========================================== =
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. bro:id:: Software::vulnerable_versions_update_endpoint
:Type: :bro:type:`string`
:Attributes: :bro:attr:`&redef`
:Default: ``""``
The DNS zone where runtime vulnerable software updates will
be loaded from.
.. bro:id:: Software::vulnerable_versions_update_interval
:Type: :bro:type:`interval`
:Attributes: :bro:attr:`&redef`
:Default: ``1.0 hr``
The interval at which vulnerable versions should grab updates
over DNS.
Redefinable Options
###################
.. bro:id:: Software::vulnerable_versions
:Type: :bro:type:`table` [:bro:type:`string`] of :bro:type:`set` [:bro:type:`Software::VulnerableVersionRange`]
:Attributes: :bro:attr:`&redef`
:Default: ``{}``
This is a table of software versions indexed by the name of the
software and a set of version ranges that are declared to be
vulnerable for that software.
Types
#####
.. bro:type:: Software::VulnerableVersionRange
:Type: :bro:type:`record`
min: :bro:type:`Software::Version` :bro:attr:`&optional`
The minimal version of a vulnerable version range. This
field can be undefined if all previous versions of a piece
of software are vulnerable.
max: :bro:type:`Software::Version`
The maximum vulnerable version. This field is deliberately
not optional because a maximum vulnerable version must
always be defined. This assumption may become incorrect
if all future versions of some software are to be considered
vulnerable. :)

@ -1,89 +0,0 @@
:tocdepth: 3
policy/frameworks/software/windows-version-detection.bro
========================================================
.. bro:namespace:: OS
Windows systems access a Microsoft Certificate Revocation List (CRL) periodically. The
user agent for these requests reveals which version of Crypt32.dll installed on the system,
which can uniquely identify the version of Windows that's running.
This script will log the version of Windows that was identified to the Software framework.
:Namespace: OS
:Imports: :doc:`base/frameworks/software </scripts/base/frameworks/software/index>`, :doc:`base/protocols/http </scripts/base/protocols/http/index>`
Summary
~~~~~~~
Redefinable Options
###################
====================================================================== =
:bro:id:`OS::crypto_api_mapping`: :bro:type:`table` :bro:attr:`&redef`
====================================================================== =
Types
#####
========================================================== =
:bro:type:`Software::name_and_version`: :bro:type:`record`
========================================================== =
Redefinitions
#############
============================================ =
:bro:type:`Software::Type`: :bro:type:`enum`
============================================ =
Detailed Interface
~~~~~~~~~~~~~~~~~~
Redefinable Options
###################
.. bro:id:: OS::crypto_api_mapping
:Type: :bro:type:`table` [:bro:type:`string`] of :bro:type:`Software::name_and_version`
:Attributes: :bro:attr:`&redef`
:Default:
::
{
["Microsoft-CryptoAPI/5.131.3790.1830"] = [name="Windows", version=[major=5, minor=131, minor2=3790, minor3=1830, addl="XP x64 or Server 2003 SP1"]],
["Microsoft-CryptoAPI/5.131.2600.3205"] = [name="Windows", version=[major=5, minor=131, minor2=2600, minor3=3205, addl="XP SP3 Beta 2"]],
["Microsoft-CryptoAPI/6.1"] = [name="Windows", version=[major=6, minor=1, minor2=<uninitialized>, minor3=<uninitialized>, addl="7 or Server 2008 R2"]],
["Microsoft-CryptoAPI/5.131.2600.2180"] = [name="Windows", version=[major=5, minor=131, minor2=2600, minor3=2180, addl="XP SP2"]],
["Microsoft-CryptoAPI/5.131.2600.5508"] = [name="Windows", version=[major=5, minor=131, minor2=2600, minor3=5508, addl="XP SP3 RC2 Update 2"]],
["Microsoft-CryptoAPI/5.131.3790.0"] = [name="Windows", version=[major=5, minor=131, minor2=3790, minor3=0, addl="XP x64 or Server 2003 SP0"]],
["Microsoft-CryptoAPI/6.0"] = [name="Windows", version=[major=6, minor=0, minor2=<uninitialized>, minor3=<uninitialized>, addl="Vista or Server 2008"]],
["Microsoft-CryptoAPI/5.131.2195.6661"] = [name="Windows", version=[major=5, minor=131, minor2=2195, minor3=6661, addl="2000 SP4"]],
["Microsoft-CryptoAPI/5.131.3790.5235"] = [name="Windows", version=[major=5, minor=131, minor2=3790, minor3=5235, addl="XP x64 or Server 2003 with MS13-095"]],
["Microsoft-CryptoAPI/6.4"] = [name="Windows", version=[major=6, minor=4, minor2=<uninitialized>, minor3=<uninitialized>, addl="10 Technical Preview"]],
["Microsoft-CryptoAPI/6.2"] = [name="Windows", version=[major=6, minor=2, minor2=<uninitialized>, minor3=<uninitialized>, addl="8 or Server 2012"]],
["Microsoft-CryptoAPI/5.131.2600.1106"] = [name="Windows", version=[major=5, minor=131, minor2=2600, minor3=1106, addl="XP SP1"]],
["Microsoft-CryptoAPI/5.131.2600.3311"] = [name="Windows", version=[major=5, minor=131, minor2=2600, minor3=3311, addl="XP SP3 RC2 Update"]],
["Microsoft-CryptoAPI/10.0"] = [name="Windows", version=[major=10, minor=0, minor2=<uninitialized>, minor3=<uninitialized>, addl=<uninitialized>]],
["Microsoft-CryptoAPI/5.131.2600.3180"] = [name="Windows", version=[major=5, minor=131, minor2=2600, minor3=3180, addl="XP SP3 Beta 1"]],
["Microsoft-CryptoAPI/5.131.3790.3959"] = [name="Windows", version=[major=5, minor=131, minor2=3790, minor3=3959, addl="XP x64 or Server 2003 SP2"]],
["Microsoft-CryptoAPI/6.3"] = [name="Windows", version=[major=6, minor=3, minor2=<uninitialized>, minor3=<uninitialized>, addl="8.1 or Server 2012 R2"]],
["Microsoft-CryptoAPI/5.131.2195.6824"] = [name="Windows", version=[major=5, minor=131, minor2=2195, minor3=6824, addl="2000 with MS04-11"]],
["Microsoft-CryptoAPI/5.131.2195.6926"] = [name="Windows", version=[major=5, minor=131, minor2=2195, minor3=6926, addl="2000 with Hotfix 98830"]],
["Microsoft-CryptoAPI/5.131.2600.3282"] = [name="Windows", version=[major=5, minor=131, minor2=2600, minor3=3282, addl="XP SP3 RC1 Update"]],
["Microsoft-CryptoAPI/5.131.2600.3300"] = [name="Windows", version=[major=5, minor=131, minor2=2600, minor3=3300, addl="XP SP3 RC2"]],
["Microsoft-CryptoAPI/5.131.2600.3264"] = [name="Windows", version=[major=5, minor=131, minor2=2600, minor3=3264, addl="XP SP3 RC1"]],
["Microsoft-CryptoAPI/5.131.2600.5512"] = [name="Windows", version=[major=5, minor=131, minor2=2600, minor3=5512, addl="XP SP3"]],
["Microsoft-CryptoAPI/5.131.2600.0"] = [name="Windows", version=[major=5, minor=131, minor2=2600, minor3=0, addl="XP SP0"]],
["Microsoft-CryptoAPI/5.131.2600.3249"] = [name="Windows", version=[major=5, minor=131, minor2=2600, minor3=3249, addl="XP SP3 RC Beta"]]
}
Types
#####
.. bro:type:: Software::name_and_version
:Type: :bro:type:`record`
name: :bro:type:`string`
version: :bro:type:`Software::Version`
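Review bot: this hunk is a pure deletion (`@ -1,89 +0,0 @@`) of the generated reference page for policy/frameworks/software/windows-version-detection.bro, so before merging confirm that the replacement documentation location renders an equivalent page; in particular the `:Default:` block of `OS::crypto_api_mapping` is emitted from the script's runtime state rather than hand-written (note the `<uninitialized>` `minor2`/`minor3` fields for the `6.x`/`10.0` entries), and it is the only place operators can see which `Microsoft-CryptoAPI/<version>` user agents the script maps to which Windows release. A one-line pointer to the new location in the commit message, or a note in the remaining top-level README, would save readers who land on this deletion from having to hunt for the table.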