Change doc/ subdir into a git submodule

The docs now live at https://github.com/zeek/zeek-docs
Jon Siwek 2019-01-17 14:09:29 -06:00
parent 0d685efbf5
commit 2ff746fea7
693 changed files with 26 additions and 105609 deletions

@ -1,176 +0,0 @@
:tocdepth: 3
policy/protocols/conn/known-hosts.bro
=====================================
.. bro:namespace:: Known
This script logs hosts that Bro determines have performed complete TCP
handshakes and logs the address once per day (by default). The log that
is output provides an easy way to determine a count of the IP addresses in
use on a network per day.
:Namespace: Known
:Imports: :doc:`base/frameworks/cluster </scripts/base/frameworks/cluster/index>`, :doc:`base/utils/directions-and-hosts.bro </scripts/base/utils/directions-and-hosts.bro>`
Summary
~~~~~~~
Runtime Options
###############
============================================================================ =======================================================
:bro:id:`Known::host_store_timeout`: :bro:type:`interval` :bro:attr:`&redef` The timeout interval to use for operations against
:bro:see:`Known::host_store`.
:bro:id:`Known::host_tracking`: :bro:type:`Host` :bro:attr:`&redef` The hosts whose existence should be logged and tracked.
============================================================================ =======================================================
Redefinable Options
###################
=========================================================================== ===================================================================
:bro:id:`Known::host_store_expiry`: :bro:type:`interval` :bro:attr:`&redef` The expiry interval of new entries in :bro:see:`Known::host_store`.
:bro:id:`Known::host_store_name`: :bro:type:`string` :bro:attr:`&redef` The Broker topic name to use for :bro:see:`Known::host_store`.
:bro:id:`Known::use_host_store`: :bro:type:`bool` :bro:attr:`&redef` Toggles between different implementations of this script.
=========================================================================== ===================================================================
State Variables
###############
=================================================================================================== =================================================================
:bro:id:`Known::host_store`: :bro:type:`Cluster::StoreInfo` Holds the set of all known hosts.
:bro:id:`Known::hosts`: :bro:type:`set` :bro:attr:`&create_expire` = ``1.0 day`` :bro:attr:`&redef` The set of all known addresses to store for preventing duplicate
logging of addresses.
=================================================================================================== =================================================================
Types
#####
================================================ ========================================================================
:bro:type:`Known::HostsInfo`: :bro:type:`record` The record type which contains the column fields of the known-hosts log.
================================================ ========================================================================
Redefinitions
#############
===================================== ==========================================
:bro:type:`Log::ID`: :bro:type:`enum` The known-hosts logging stream identifier.
===================================== ==========================================
Events
######
=================================================== =======================================================================
:bro:id:`Known::log_known_hosts`: :bro:type:`event` An event that can be handled to access the :bro:type:`Known::HostsInfo`
record as it is sent on to the logging framework.
=================================================== =======================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. bro:id:: Known::host_store_timeout
:Type: :bro:type:`interval`
:Attributes: :bro:attr:`&redef`
:Default: ``15.0 secs``
The timeout interval to use for operations against
:bro:see:`Known::host_store`.
.. bro:id:: Known::host_tracking
:Type: :bro:type:`Host`
:Attributes: :bro:attr:`&redef`
:Default: ``ALL_HOSTS``
The hosts whose existence should be logged and tracked.
See :bro:type:`Host` for possible choices.
Redefinable Options
###################
.. bro:id:: Known::host_store_expiry
:Type: :bro:type:`interval`
:Attributes: :bro:attr:`&redef`
:Default: ``1.0 day``
The expiry interval of new entries in :bro:see:`Known::host_store`.
This also changes the interval at which hosts get logged.
.. bro:id:: Known::host_store_name
:Type: :bro:type:`string`
:Attributes: :bro:attr:`&redef`
:Default: ``"bro/known/hosts"``
The Broker topic name to use for :bro:see:`Known::host_store`.
.. bro:id:: Known::use_host_store
:Type: :bro:type:`bool`
:Attributes: :bro:attr:`&redef`
:Default: ``T``
Toggles between different implementations of this script.
When true, use a Broker data store, else use a regular Bro set
with keys uniformly distributed over proxy nodes in cluster
operation.
State Variables
###############
.. bro:id:: Known::host_store
:Type: :bro:type:`Cluster::StoreInfo`
:Default:
::
{
name=<uninitialized>
store=<uninitialized>
master_node=""
master=F
backend=Broker::MEMORY
options=[sqlite=[path=""], rocksdb=[path=""]]
clone_resync_interval=10.0 secs
clone_stale_interval=5.0 mins
clone_mutation_buffer_interval=2.0 mins
}
Holds the set of all known hosts. Keys in the store are addresses
and their associated value will always be the "true" boolean.
.. bro:id:: Known::hosts
:Type: :bro:type:`set` [:bro:type:`addr`]
:Attributes: :bro:attr:`&create_expire` = ``1.0 day`` :bro:attr:`&redef`
:Default: ``{}``
The set of all known addresses to store for preventing duplicate
logging of addresses. It can also be used from other scripts to
inspect if an address has been seen in use.
Maintain the list of known hosts for 24 hours so that the existence
of each individual address is logged each day.
In cluster operation, this set is distributed uniformly across
proxy nodes.
Types
#####
.. bro:type:: Known::HostsInfo
:Type: :bro:type:`record`
ts: :bro:type:`time` :bro:attr:`&log`
The timestamp at which the host was detected.
host: :bro:type:`addr` :bro:attr:`&log`
The address that was detected originating or responding to a
TCP connection.
The record type which contains the column fields of the known-hosts log.
Events
######
.. bro:id:: Known::log_known_hosts
:Type: :bro:type:`event` (rec: :bro:type:`Known::HostsInfo`)
An event that can be handled to access the :bro:type:`Known::HostsInfo`
record as it is sent on to the logging framework.
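Review bot: `Known::hosts` is documented here as `&redef` and as something other scripts may inspect, but unlike `Known::services` in the sibling known-services page it carries no "automatically populated and shouldn't be directly modified" warning; a redef of a set that is sharded across proxy nodes and mirrored by a Broker data store invites inconsistent state between the two implementations that `Known::use_host_store` switches between. Since these pages are generated from the script's doc comments, the fix belongs in `policy/protocols/conn/known-hosts.bro` (add the same warning and decide whether `&redef` is intended) so that it carries over into zeek-docs rather than being lost with this generated output.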

@ -1,199 +0,0 @@
:tocdepth: 3
policy/protocols/conn/known-services.bro
========================================
.. bro:namespace:: Known
This script logs and tracks services. In the case of this script, a service
is defined as an IP address and port which has responded to and fully
completed a TCP handshake with another host. If a protocol is detected
during the session, the protocol will also be logged.
:Namespace: Known
:Imports: :doc:`base/frameworks/cluster </scripts/base/frameworks/cluster/index>`, :doc:`base/utils/directions-and-hosts.bro </scripts/base/utils/directions-and-hosts.bro>`
Summary
~~~~~~~
Runtime Options
###############
=============================================================================== ======================================================
:bro:id:`Known::service_store_timeout`: :bro:type:`interval` :bro:attr:`&redef` The timeout interval to use for operations against
:bro:see:`Known::service_store`.
:bro:id:`Known::service_tracking`: :bro:type:`Host` :bro:attr:`&redef` The hosts whose services should be tracked and logged.
=============================================================================== ======================================================
Redefinable Options
###################
============================================================================== ======================================================================
:bro:id:`Known::service_store_expiry`: :bro:type:`interval` :bro:attr:`&redef` The expiry interval of new entries in :bro:see:`Known::service_store`.
:bro:id:`Known::service_store_name`: :bro:type:`string` :bro:attr:`&redef` The Broker topic name to use for :bro:see:`Known::service_store`.
:bro:id:`Known::use_service_store`: :bro:type:`bool` :bro:attr:`&redef` Toggles between different implementations of this script.
============================================================================== ======================================================================
State Variables
###############
=================================================================================== ====================================================================
:bro:id:`Known::service_store`: :bro:type:`Cluster::StoreInfo` Holds the set of all known services.
:bro:id:`Known::services`: :bro:type:`set` :bro:attr:`&create_expire` = ``1.0 day`` Tracks the set of daily-detected services for preventing the logging
of duplicates, but can also be inspected by other scripts for
different purposes.
=================================================================================== ====================================================================
Types
#####
=================================================== ======================================================================
:bro:type:`Known::AddrPortPair`: :bro:type:`record`
:bro:type:`Known::ServicesInfo`: :bro:type:`record` The record type which contains the column fields of the known-services
log.
=================================================== ======================================================================
Redefinitions
#############
========================================== =============================================
:bro:type:`Log::ID`: :bro:type:`enum` The known-services logging stream identifier.
:bro:type:`connection`: :bro:type:`record`
========================================== =============================================
Events
######
====================================================== =======================================================================
:bro:id:`Known::log_known_services`: :bro:type:`event` Event that can be handled to access the :bro:type:`Known::ServicesInfo`
record as it is sent on to the logging framework.
====================================================== =======================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. bro:id:: Known::service_store_timeout
:Type: :bro:type:`interval`
:Attributes: :bro:attr:`&redef`
:Default: ``15.0 secs``
The timeout interval to use for operations against
:bro:see:`Known::service_store`.
.. bro:id:: Known::service_tracking
:Type: :bro:type:`Host`
:Attributes: :bro:attr:`&redef`
:Default: ``ALL_HOSTS``
The hosts whose services should be tracked and logged.
See :bro:type:`Host` for possible choices.
Redefinable Options
###################
.. bro:id:: Known::service_store_expiry
:Type: :bro:type:`interval`
:Attributes: :bro:attr:`&redef`
:Default: ``1.0 day``
The expiry interval of new entries in :bro:see:`Known::service_store`.
This also changes the interval at which services get logged.
.. bro:id:: Known::service_store_name
:Type: :bro:type:`string`
:Attributes: :bro:attr:`&redef`
:Default: ``"bro/known/services"``
The Broker topic name to use for :bro:see:`Known::service_store`.
.. bro:id:: Known::use_service_store
:Type: :bro:type:`bool`
:Attributes: :bro:attr:`&redef`
:Default: ``T``
Toggles between different implementations of this script.
When true, use a Broker data store, else use a regular Bro set
with keys uniformly distributed over proxy nodes in cluster
operation.
State Variables
###############
.. bro:id:: Known::service_store
:Type: :bro:type:`Cluster::StoreInfo`
:Default:
::
{
name=<uninitialized>
store=<uninitialized>
master_node=""
master=F
backend=Broker::MEMORY
options=[sqlite=[path=""], rocksdb=[path=""]]
clone_resync_interval=10.0 secs
clone_stale_interval=5.0 mins
clone_mutation_buffer_interval=2.0 mins
}
Holds the set of all known services. Keys in the store are
:bro:type:`Known::AddrPortPair` and their associated value is
always the boolean value of "true".
.. bro:id:: Known::services
:Type: :bro:type:`set` [:bro:type:`addr`, :bro:type:`port`]
:Attributes: :bro:attr:`&create_expire` = ``1.0 day``
:Default: ``{}``
Tracks the set of daily-detected services for preventing the logging
of duplicates, but can also be inspected by other scripts for
different purposes.
In cluster operation, this set is uniformly distributed across
proxy nodes.
This set is automatically populated and shouldn't be directly modified.
Types
#####
.. bro:type:: Known::AddrPortPair
:Type: :bro:type:`record`
host: :bro:type:`addr`
p: :bro:type:`port`
.. bro:type:: Known::ServicesInfo
:Type: :bro:type:`record`
ts: :bro:type:`time` :bro:attr:`&log`
The time at which the service was detected.
host: :bro:type:`addr` :bro:attr:`&log`
The host address on which the service is running.
port_num: :bro:type:`port` :bro:attr:`&log`
The port number on which the service is running.
port_proto: :bro:type:`transport_proto` :bro:attr:`&log`
The transport-layer protocol which the service uses.
service: :bro:type:`set` [:bro:type:`string`] :bro:attr:`&log`
A set of protocols that match the service's connection payloads.
The record type which contains the column fields of the known-services
log.
Events
######
.. bro:id:: Known::log_known_services
:Type: :bro:type:`event` (rec: :bro:type:`Known::ServicesInfo`)
Event that can be handled to access the :bro:type:`Known::ServicesInfo`
record as it is sent on to the logging framework.
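Review bot: the opening paragraph defines a service as an address and port that "fully completed a TCP handshake", yet `Known::ServicesInfo` logs `port_proto: transport_proto`, which only carries information if non-TCP services are tracked as well; one of the two statements is stale and the script's header comment should say which before the page is regenerated in zeek-docs. Separately, `Known::AddrPortPair` has no description for either field (`host`, `p`) in the Types table or in the detailed entry, and `Known::services` is keyed as `[addr, port]` while `Known::service_store` is keyed by that record; a one-line comment on each field would make the relationship between the set-based and store-based implementations clear to anyone reading the log consumers.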

@ -1,23 +0,0 @@
:tocdepth: 3
policy/protocols/conn/mac-logging.bro
=====================================
.. bro:namespace:: Conn
This script adds link-layer address (MAC) information to the connection logs
:Namespace: Conn
:Imports: :doc:`base/protocols/conn </scripts/base/protocols/conn/index>`
Summary
~~~~~~~
Redefinitions
#############
========================================== =
:bro:type:`Conn::Info`: :bro:type:`record`
========================================== =
Detailed Interface
~~~~~~~~~~~~~~~~~~
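Review bot: the Redefinitions table lists `Conn::Info` but names none of the fields this script adds, and the Detailed Interface section is empty, so the generated page never tells a reader which link-layer address columns to expect in conn.log; documenting the redef'd fields in the script itself is what makes them appear here after regeneration. The summary sentence is also missing its terminating period.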

@ -1,23 +0,0 @@
:tocdepth: 3
policy/protocols/conn/vlan-logging.bro
======================================
.. bro:namespace:: Conn
This script adds VLAN information to the connection log.
:Namespace: Conn
:Imports: :doc:`base/protocols/conn </scripts/base/protocols/conn/index>`
Summary
~~~~~~~
Redefinitions
#############
========================================== =
:bro:type:`Conn::Info`: :bro:type:`record`
========================================== =
Detailed Interface
~~~~~~~~~~~~~~~~~~

@ -1,27 +0,0 @@
:tocdepth: 3
policy/protocols/conn/weirds.bro
================================
.. bro:namespace:: Conn
This script handles core generated connection related "weird" events to
push weird information about connections into the weird framework.
For live operational deployments, this can frequently cause load issues
due to large numbers of these events and quite possibly shouldn't be
loaded.
:Namespace: Conn
:Imports: :doc:`base/frameworks/notice </scripts/base/frameworks/notice/index>`
Summary
~~~~~~~
Redefinitions
#############
========================================== =
:bro:type:`Notice::Type`: :bro:type:`enum`
========================================== =
Detailed Interface
~~~~~~~~~~~~~~~~~~
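Review bot: the description says the script pushes connection weirds "into the weird framework", but the only import shown is `base/frameworks/notice` and the only redefinition is `Notice::Type`, so what the script actually does is raise notices; the header comment should say "notice framework", and the `Notice::Type` entry should list the enum values it adds, which the Redefinitions table currently leaves blank. The load warning ("quite possibly shouldn't be loaded") is the most important operational statement on the page and deserves its stated reason, the large number of per-connection weird events, to be kept next to it so it survives regeneration in zeek-docs.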