Change doc/ subdir into a git submodule

The docs now live at https://github.com/zeek/zeek-docs
Jon Siwek 2019-01-17 14:09:29 -06:00
parent 0d685efbf5
commit 2ff746fea7
693 changed files with 26 additions and 105609 deletions

@ -1,98 +0,0 @@
:tocdepth: 3
policy/protocols/http/detect-sqli.bro
=====================================
.. bro:namespace:: HTTP
SQL injection attack detection in HTTP.
:Namespace: HTTP
:Imports: :doc:`base/frameworks/notice </scripts/base/frameworks/notice/index>`, :doc:`base/frameworks/sumstats </scripts/base/frameworks/sumstats/index>`, :doc:`base/protocols/http </scripts/base/protocols/http/index>`
Summary
~~~~~~~
Redefinable Options
###################
=============================================================================== ================================================================
:bro:id:`HTTP::collect_SQLi_samples`: :bro:type:`count` :bro:attr:`&redef` Collecting samples will add extra data to notice emails
by collecting some sample SQL injection url paths.
:bro:id:`HTTP::match_sql_injection_uri`: :bro:type:`pattern` :bro:attr:`&redef` Regular expression is used to match URI based SQL injections.
:bro:id:`HTTP::sqli_requests_interval`: :bro:type:`interval` :bro:attr:`&redef` Interval at which to watch for the
:bro:id:`HTTP::sqli_requests_threshold` variable to be crossed.
:bro:id:`HTTP::sqli_requests_threshold`: :bro:type:`double` :bro:attr:`&redef` Defines the threshold that determines if an SQL injection attack
is ongoing based on the number of requests that appear to be SQL
injection attacks.
=============================================================================== ================================================================
Redefinitions
#############
========================================== =
:bro:type:`HTTP::Tags`: :bro:type:`enum`
:bro:type:`Notice::Type`: :bro:type:`enum`
========================================== =
Hooks
#####
============================================= =======================================================================
:bro:id:`HTTP::sqli_policy`: :bro:type:`hook` A hook that can be used to prevent specific requests from being counted
as an injection attempt.
============================================= =======================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Redefinable Options
###################
.. bro:id:: HTTP::collect_SQLi_samples
:Type: :bro:type:`count`
:Attributes: :bro:attr:`&redef`
:Default: ``5``
Collecting samples will add extra data to notice emails
by collecting some sample SQL injection url paths. Disable
sample collection by setting this value to 0.
.. bro:id:: HTTP::match_sql_injection_uri
:Type: :bro:type:`pattern`
:Attributes: :bro:attr:`&redef`
:Default:
::
/^?((^?((^?((^?((^?((^?([\?&][^[:blank:]\x00-\x37\|]+?=[\-[:alnum:]%]+([[:blank:]\x00-\x37]|\/\*.*?\*\/)*['"]?([[:blank:]\x00-\x37]|\/\*.*?\*\/|\)?;)+.*?([hH][aA][vV][iI][nN][gG]|[uU][nN][iI][oO][nN]|[eE][xX][eE][cC]|[sS][eE][lL][eE][cC][tT]|[dD][eE][lL][eE][tT][eE]|[dD][rR][oO][pP]|[dD][eE][cC][lL][aA][rR][eE]|[cC][rR][eE][aA][tT][eE]|[iI][nN][sS][eE][rR][tT])([[:blank:]\x00-\x37]|\/\*.*?\*\/)+)$?)|(^?([\?&][^[:blank:]\x00-\x37\|]+?=[\-0-9%]+([[:blank:]\x00-\x37]|\/\*.*?\*\/)*['"]?([[:blank:]\x00-\x37]|\/\*.*?\*\/|\)?;)+([xX]?[oO][rR]|[nN]?[aA][nN][dD])([[:blank:]\x00-\x37]|\/\*.*?\*\/)+['"]?(([^a-zA-Z&]+)?=|[eE][xX][iI][sS][tT][sS]))$?))$?)|(^?([\?&][^[:blank:]\x00-\x37]+?=[\-0-9%]*([[:blank:]\x00-\x37]|\/\*.*?\*\/)*['"]([[:blank:]\x00-\x37]|\/\*.*?\*\/)*(-|=|\+|\|\|)([[:blank:]\x00-\x37]|\/\*.*?\*\/)*([0-9]|\(?[cC][oO][nN][vV][eE][rR][tT]|[cC][aA][sS][tT]))$?))$?)|(^?([\?&][^[:blank:]\x00-\x37\|]+?=([[:blank:]\x00-\x37]|\/\*.*?\*\/)*['"]([[:blank:]\x00-\x37]|\/\*.*?\*\/|;)*([xX]?[oO][rR]|[nN]?[aA][nN][dD]|[hH][aA][vV][iI][nN][gG]|[uU][nN][iI][oO][nN]|[eE][xX][eE][cC]|[sS][eE][lL][eE][cC][tT]|[dD][eE][lL][eE][tT][eE]|[dD][rR][oO][pP]|[dD][eE][cC][lL][aA][rR][eE]|[cC][rR][eE][aA][tT][eE]|[rR][eE][gG][eE][xX][pP]|[iI][nN][sS][eE][rR][tT])([[:blank:]\x00-\x37]|\/\*.*?\*\/|[\[(])+[a-zA-Z&]{2,})$?))$?)|(^?([\?&][^[:blank:]\x00-\x37]+?=[^\.]*?([cC][hH][aA][rR]|[aA][sS][cC][iI][iI]|[sS][uU][bB][sS][tT][rR][iI][nN][gG]|[tT][rR][uU][nN][cC][aA][tT][eE]|[vV][eE][rR][sS][iI][oO][nN]|[lL][eE][nN][gG][tT][hH])\()$?))$?)|(^?(\/\*![[:digit:]]{5}.*?\*\/)$?))$?/
Regular expression is used to match URI based SQL injections.
.. bro:id:: HTTP::sqli_requests_interval
:Type: :bro:type:`interval`
:Attributes: :bro:attr:`&redef`
:Default: ``5.0 mins``
Interval at which to watch for the
:bro:id:`HTTP::sqli_requests_threshold` variable to be crossed.
At the end of each interval the counter is reset.
.. bro:id:: HTTP::sqli_requests_threshold
:Type: :bro:type:`double`
:Attributes: :bro:attr:`&redef`
:Default: ``50.0``
Defines the threshold that determines if an SQL injection attack
is ongoing based on the number of requests that appear to be SQL
injection attacks.
Hooks
#####
.. bro:id:: HTTP::sqli_policy
:Type: :bro:type:`hook` (c: :bro:type:`connection`, method: :bro:type:`string`, unescaped_URI: :bro:type:`string`) : :bro:type:`bool`
A hook that can be used to prevent specific requests from being counted
as an injection attempt. Use a 'break' statement to exit the hook
early and ignore the request.
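Review bot: in the removed `:Default:` of `HTTP::match_sql_injection_uri`, the class `[[:blank:]\x00-\x37]` is a hexadecimal range, so besides control characters it also matches the digits `0` through `7` (0x30 to 0x37). This page is generated output, so deleting it here is fine, but if the range was meant to cover control characters only, the pattern in the script should be corrected so that the copy rendered in zeek-docs does not carry the same default forward.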

@ -1,25 +0,0 @@
:tocdepth: 3
policy/protocols/http/detect-webapps.bro
========================================
.. bro:namespace:: HTTP
Detect and log web applications through the software framework.
:Namespace: HTTP
:Imports: :doc:`base/frameworks/signatures </scripts/base/frameworks/signatures/index>`, :doc:`base/frameworks/software </scripts/base/frameworks/software/index>`, :doc:`base/protocols/http </scripts/base/protocols/http/index>`
Summary
~~~~~~~
Redefinitions
#############
========================================================================= =
:bro:id:`Signatures::ignored_ids`: :bro:type:`pattern` :bro:attr:`&redef`
:bro:type:`Software::Info`: :bro:type:`record`
:bro:type:`Software::Type`: :bro:type:`enum`
========================================================================= =
Detailed Interface
~~~~~~~~~~~~~~~~~~
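Review bot: the Redefinitions table in this removed page lists `Signatures::ignored_ids`, `Software::Info` and `Software::Type` with an empty description column, and nothing follows the `Detailed Interface` heading, so the page never says which pattern, fields or enum values the script adds. Worth raising against zeek-docs now that the pages live there: either emit the redefined members or drop the empty section.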

@ -1,50 +0,0 @@
:tocdepth: 3
policy/protocols/http/header-names.bro
======================================
.. bro:namespace:: HTTP
Extract and include the header names used for each request in the HTTP
logging stream. The headers in the logging stream will be stored in the
same order which they were seen on the wire.
:Namespace: HTTP
:Imports: :doc:`base/protocols/http/main.bro </scripts/base/protocols/http/main.bro>`
Summary
~~~~~~~
Runtime Options
###############
============================================================================ =====================================================================
:bro:id:`HTTP::log_client_header_names`: :bro:type:`bool` :bro:attr:`&redef` A boolean value to determine if client header names are to be logged.
:bro:id:`HTTP::log_server_header_names`: :bro:type:`bool` :bro:attr:`&redef` A boolean value to determine if server header names are to be logged.
============================================================================ =====================================================================
Redefinitions
#############
========================================== =
:bro:type:`HTTP::Info`: :bro:type:`record`
========================================== =
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. bro:id:: HTTP::log_client_header_names
:Type: :bro:type:`bool`
:Attributes: :bro:attr:`&redef`
:Default: ``T``
A boolean value to determine if client header names are to be logged.
.. bro:id:: HTTP::log_server_header_names
:Type: :bro:type:`bool`
:Attributes: :bro:attr:`&redef`
:Default: ``F``
A boolean value to determine if server header names are to be logged.

@ -1,25 +0,0 @@
:tocdepth: 3
policy/protocols/http/software-browser-plugins.bro
==================================================
.. bro:namespace:: HTTP
Detect browser plugins as they leak through requests to Omniture
advertising servers.
:Namespace: HTTP
:Imports: :doc:`base/frameworks/software </scripts/base/frameworks/software/index>`, :doc:`base/protocols/http </scripts/base/protocols/http/index>`
Summary
~~~~~~~
Redefinitions
#############
============================================ =
:bro:type:`HTTP::Info`: :bro:type:`record`
:bro:type:`Software::Type`: :bro:type:`enum`
============================================ =
Detailed Interface
~~~~~~~~~~~~~~~~~~

@ -1,43 +0,0 @@
:tocdepth: 3
policy/protocols/http/software.bro
==================================
.. bro:namespace:: HTTP
Software identification and extraction for HTTP traffic.
:Namespace: HTTP
:Imports: :doc:`base/frameworks/software </scripts/base/frameworks/software/index>`
Summary
~~~~~~~
Runtime Options
###############
=========================================================================== ===============================================================
:bro:id:`HTTP::ignored_user_agents`: :bro:type:`pattern` :bro:attr:`&redef` The pattern of HTTP User-Agents which you would like to ignore.
=========================================================================== ===============================================================
Redefinitions
#############
============================================ =
:bro:type:`Software::Type`: :bro:type:`enum`
============================================ =
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. bro:id:: HTTP::ignored_user_agents
:Type: :bro:type:`pattern`
:Attributes: :bro:attr:`&redef`
:Default:
::
/^?(NO_DEFAULT)$?/
The pattern of HTTP User-Agents which you would like to ignore.
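Review bot: the removed entry for `HTTP::ignored_user_agents` renders its default as `/^?(NO_DEFAULT)$?/`, which only matches the literal string NO_DEFAULT, and the one-line description does not say whether this is a placeholder meant to be redefined. A sentence to that effect in the script comment would carry over to the zeek-docs copy.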

@ -1,23 +0,0 @@
:tocdepth: 3
policy/protocols/http/var-extraction-cookies.bro
================================================
.. bro:namespace:: HTTP
Extracts and logs variable names from cookies sent by clients.
:Namespace: HTTP
:Imports: :doc:`base/protocols/http/main.bro </scripts/base/protocols/http/main.bro>`, :doc:`base/protocols/http/utils.bro </scripts/base/protocols/http/utils.bro>`
Summary
~~~~~~~
Redefinitions
#############
========================================== =
:bro:type:`HTTP::Info`: :bro:type:`record`
========================================== =
Detailed Interface
~~~~~~~~~~~~~~~~~~

@ -1,24 +0,0 @@
:tocdepth: 3
policy/protocols/http/var-extraction-uri.bro
============================================
.. bro:namespace:: HTTP
Extracts and logs variables from the requested URI in the default HTTP
logging stream.
:Namespace: HTTP
:Imports: :doc:`base/protocols/http </scripts/base/protocols/http/index>`
Summary
~~~~~~~
Redefinitions
#############
========================================== =
:bro:type:`HTTP::Info`: :bro:type:`record`
========================================== =
Detailed Interface
~~~~~~~~~~~~~~~~~~