Change doc/ subdir into a git submodule

The docs now live at https://github.com/zeek/zeek-docs
Jon Siwek 2019-01-17 14:09:29 -06:00
parent 0d685efbf5
commit 2ff746fea7
693 changed files with 26 additions and 105609 deletions


@ -1,42 +0,0 @@
:tocdepth: 3
policy/protocols/smtp/blocklists.bro
====================================
.. bro:namespace:: SMTP
Watch for various SPAM blocklist URLs in SMTP error messages.
:Namespace: SMTP
:Imports: :doc:`base/frameworks/notice </scripts/base/frameworks/notice/index>`, :doc:`base/protocols/smtp </scripts/base/protocols/smtp/index>`
Summary
~~~~~~~
Runtime Options
###############
================================================================================ =
:bro:id:`SMTP::blocklist_error_messages`: :bro:type:`pattern` :bro:attr:`&redef`
================================================================================ =
Redefinitions
#############
========================================== =
:bro:type:`Notice::Type`: :bro:type:`enum`
========================================== =
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. bro:id:: SMTP::blocklist_error_messages
:Type: :bro:type:`pattern`
:Attributes: :bro:attr:`&redef`
:Default:
::
/^?((^?((^?((^?((^?((^?((^?((^?((^?((^?((^?((^?((^?((^?((^?(spamhaus\.org\/)$?)|(^?(sophos\.com\/security\/)$?))$?)|(^?(spamcop\.net\/bl)$?))$?)|(^?(cbl\.abuseat\.org\/)$?))$?)|(^?(sorbs\.net\/)$?))$?)|(^?(bsn\.borderware\.com\/)$?))$?)|(^?(mail-abuse\.com\/)$?))$?)|(^?(b\.barracudacentral\.com\/)$?))$?)|(^?(psbl\.surriel\.com\/)$?))$?)|(^?(antispam\.imp\.ch\/)$?))$?)|(^?(dyndns\.com\/.*spam)$?))$?)|(^?(rbl\.knology\.net\/)$?))$?)|(^?(intercept\.datapacket\.net\/)$?))$?)|(^?(uceprotect\.net\/)$?))$?)|(^?(hostkarma\.junkemailfilter\.com\/)$?))$?/
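Review bot: `SMTP::blocklist_error_messages` and the `Notice::Type` redefinition both have an empty description column on this page, and the `:Default:` is given only as the fully expanded pattern with nested `^?(...)$?` groups, so a reader cannot easily see which blocklist URLs are matched or what the notice means. If this page is carried over to zeek-docs, I would suggest adding descriptions for both identifiers in the script's doc comments and mentioning that the pattern is `&redef`, so the list can be adjusted per site.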


@ -1,49 +0,0 @@
:tocdepth: 3
policy/protocols/smtp/detect-suspicious-orig.bro
================================================
.. bro:namespace:: SMTP
:Namespace: SMTP
:Imports: :doc:`base/frameworks/notice/main.bro </scripts/base/frameworks/notice/main.bro>`, :doc:`base/protocols/smtp/main.bro </scripts/base/protocols/smtp/main.bro>`
Summary
~~~~~~~
Runtime Options
###############
==================================================================================== ===================================================================
:bro:id:`SMTP::suspicious_origination_countries`: :bro:type:`set` :bro:attr:`&redef` Places where it's suspicious for mail to originate from represented
as all-capital, two character country codes (e.g., US).
:bro:id:`SMTP::suspicious_origination_networks`: :bro:type:`set` :bro:attr:`&redef`
==================================================================================== ===================================================================
Redefinitions
#############
========================================== =
:bro:type:`Notice::Type`: :bro:type:`enum`
========================================== =
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. bro:id:: SMTP::suspicious_origination_countries
:Type: :bro:type:`set` [:bro:type:`string`]
:Attributes: :bro:attr:`&redef`
:Default: ``{}``
Places where it's suspicious for mail to originate from represented
as all-capital, two character country codes (e.g., US). It requires
Bro to be built with GeoIP support.
.. bro:id:: SMTP::suspicious_origination_networks
:Type: :bro:type:`set` [:bro:type:`subnet`]
:Attributes: :bro:attr:`&redef`
:Default: ``{}``
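Review bot: `SMTP::suspicious_origination_networks` has no description in either the summary table or its detailed entry, and the page has no script-level summary at all. The GeoIP build requirement for `SMTP::suspicious_origination_countries` also appears only in the detailed entry, not in the summary row. Suggest documenting what the networks set is compared against and, since both sets default to `{}`, stating what that means for the script out of the box.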


@ -1,43 +0,0 @@
:tocdepth: 3
policy/protocols/smtp/entities-excerpt.bro
==========================================
.. bro:namespace:: SMTP
This script is for optionally adding a body excerpt to the SMTP
entities log.
:Namespace: SMTP
:Imports: :doc:`base/protocols/smtp/entities.bro </scripts/base/protocols/smtp/entities.bro>`
Summary
~~~~~~~
Runtime Options
###############
================================================================================ ===================================================================
:bro:id:`SMTP::default_entity_excerpt_len`: :bro:type:`count` :bro:attr:`&redef` This is the default value for how much of the entity body should be
included for all MIME entities.
================================================================================ ===================================================================
Redefinitions
#############
============================================ =
:bro:type:`SMTP::Entity`: :bro:type:`record`
============================================ =
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. bro:id:: SMTP::default_entity_excerpt_len
:Type: :bro:type:`count`
:Attributes: :bro:attr:`&redef`
:Default: ``0``
This is the default value for how much of the entity body should be
included for all MIME entities. The lesser of this value and
:bro:see:`default_file_bof_buffer_size` will be used.
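Review bot: `SMTP::default_entity_excerpt_len` is typed `count` with default `0`, but the text never gives the unit or says what `0` means. Suggest stating the unit and, if that is the behaviour, that the default leaves the excerpt off. Since the script copies message body content into the SMTP entities log, a sentence on the privacy and log-volume effect of raising the value would fit next to the `default_file_bof_buffer_size` cap.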


@ -1,71 +0,0 @@
:tocdepth: 3
policy/protocols/smtp/software.bro
==================================
.. bro:namespace:: SMTP
This script feeds software detected through email into the software
framework. Mail clients and webmail interfaces are the only thing
currently detected.
TODO:
* Find some heuristic to determine if email was sent through
a MS Exchange webmail interface as opposed to a desktop client.
:Namespace: SMTP
:Imports: :doc:`base/frameworks/software/main.bro </scripts/base/frameworks/software/main.bro>`, :doc:`base/protocols/smtp/main.bro </scripts/base/protocols/smtp/main.bro>`
Summary
~~~~~~~
Runtime Options
###############
==================================================================================== ===================================================================
:bro:id:`SMTP::detect_clients_in_messages_from`: :bro:type:`Host` :bro:attr:`&redef` Assuming that local mail servers are more trustworthy with the
headers they insert into message envelopes, this default makes Bro
not attempt to detect software in inbound message bodies.
:bro:id:`SMTP::webmail_user_agents`: :bro:type:`pattern` :bro:attr:`&redef` A regular expression to match USER-AGENT-like headers to find if a
message was sent with a webmail interface.
==================================================================================== ===================================================================
Redefinitions
#############
============================================ =
:bro:type:`SMTP::Info`: :bro:type:`record`
:bro:type:`Software::Type`: :bro:type:`enum`
============================================ =
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. bro:id:: SMTP::detect_clients_in_messages_from
:Type: :bro:type:`Host`
:Attributes: :bro:attr:`&redef`
:Default: ``LOCAL_HOSTS``
Assuming that local mail servers are more trustworthy with the
headers they insert into message envelopes, this default makes Bro
not attempt to detect software in inbound message bodies. If mail
coming in from external addresses gives incorrect data in
the Received headers, it could populate your SOFTWARE logging stream
with incorrect data. If you would like to detect mail clients for
incoming messages (network traffic originating from a non-local
address), set this variable to EXTERNAL_HOSTS or ALL_HOSTS.
.. bro:id:: SMTP::webmail_user_agents
:Type: :bro:type:`pattern`
:Attributes: :bro:attr:`&redef`
:Default:
::
/^?((^?((^?((^?((^?((^?(^iPlanet Messenger)$?)|(^?(^Sun Java\(tm\) System Messenger Express)$?))$?)|(^?(\(IMP\))$?))$?)|(^?(^SquirrelMail)$?))$?)|(^?(^NeoMail)$?))$?)|(^?(ZimbraWebClient)$?))$?/
A regular expression to match USER-AGENT-like headers to find if a
message was sent with a webmail interface.
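Review bot: the description of `SMTP::detect_clients_in_messages_from` uses three different terms for the source of the data: "headers they insert into message envelopes", "inbound message bodies" and "the Received headers", while `SMTP::webmail_user_agents` refers to USER-AGENT-like headers. Suggest settling on the accurate one, so it is clear which sender-controlled fields can reach the SOFTWARE logging stream once the option is set to `EXTERNAL_HOSTS` or `ALL_HOSTS`. The `TODO:` item in the script summary would also be better tracked as an issue than carried in published documentation.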