Remove broxygen Sphinx integration

The broxygen-generated files now live in the git repo, have tests
that check that they are up-to-date, and a script to re-generate
them on-demand.
Jon Siwek 2018-12-17 16:25:41 -06:00
parent 9e5e9d04b7
commit 7e9d48f532
549 changed files with 89909 additions and 100 deletions

@ -0,0 +1,949 @@
File Analyzers
==============
.. contents::
:depth: 2
.. bro:type:: Files::Tag
:Type: :bro:type:`enum`
.. bro:enum:: Files::ANALYZER_DATA_EVENT Files::Tag
.. bro:enum:: Files::ANALYZER_ENTROPY Files::Tag
.. bro:enum:: Files::ANALYZER_EXTRACT Files::Tag
.. bro:enum:: Files::ANALYZER_MD5 Files::Tag
.. bro:enum:: Files::ANALYZER_SHA1 Files::Tag
.. bro:enum:: Files::ANALYZER_SHA256 Files::Tag
.. bro:enum:: Files::ANALYZER_PE Files::Tag
.. bro:enum:: Files::ANALYZER_UNIFIED2 Files::Tag
.. bro:enum:: Files::ANALYZER_OCSP_REPLY Files::Tag
.. bro:enum:: Files::ANALYZER_OCSP_REQUEST Files::Tag
.. bro:enum:: Files::ANALYZER_X509 Files::Tag
Bro::FileDataEvent
------------------
Delivers file content
Components
++++++++++
:bro:enum:`Files::ANALYZER_DATA_EVENT`
Bro::FileEntropy
----------------
Entropy test file content
Components
++++++++++
:bro:enum:`Files::ANALYZER_ENTROPY`
Events
++++++
.. bro:id:: file_entropy
:Type: :bro:type:`event` (f: :bro:type:`fa_file`, ent: :bro:type:`entropy_test_result`)
This event is generated each time file analysis performs
entropy testing on a file.
:f: The file.
:ent: The results of the entropy testing.
Bro::FileExtract
----------------
Extract file content
Components
++++++++++
:bro:enum:`Files::ANALYZER_EXTRACT`
Events
++++++
.. bro:id:: file_extraction_limit
:Type: :bro:type:`event` (f: :bro:type:`fa_file`, args: :bro:type:`Files::AnalyzerArgs`, limit: :bro:type:`count`, len: :bro:type:`count`)
This event is generated when a file extraction analyzer is about
to exceed the maximum permitted file size allowed by the
*extract_limit* field of :bro:see:`Files::AnalyzerArgs`.
The analyzer is automatically removed from file *f*.
:f: The file.
:args: Arguments that identify a particular file extraction analyzer.
This is only provided to be able to pass along to
:bro:see:`FileExtract::set_limit`.
:limit: The limit, in bytes, the extracted file is about to breach.
:len: The length of the file chunk about to be written.
.. bro:see:: Files::add_analyzer Files::ANALYZER_EXTRACT
Functions
+++++++++
.. bro:id:: FileExtract::__set_limit
:Type: :bro:type:`function` (file_id: :bro:type:`string`, args: :bro:type:`any`, n: :bro:type:`count`) : :bro:type:`bool`
:bro:see:`FileExtract::set_limit`.
Bro::FileHash
-------------
Hash file content
Components
++++++++++
:bro:enum:`Files::ANALYZER_MD5`
:bro:enum:`Files::ANALYZER_SHA1`
:bro:enum:`Files::ANALYZER_SHA256`
Events
++++++
.. bro:id:: file_hash
:Type: :bro:type:`event` (f: :bro:type:`fa_file`, kind: :bro:type:`string`, hash: :bro:type:`string`)
This event is generated each time file analysis generates a digest of the
file contents.
:f: The file.
:kind: The type of digest algorithm.
:hash: The result of the hashing.
.. bro:see:: Files::add_analyzer Files::ANALYZER_MD5
Files::ANALYZER_SHA1 Files::ANALYZER_SHA256
Bro::PE
-------
Portable Executable analyzer
Components
++++++++++
:bro:enum:`Files::ANALYZER_PE`
Events
++++++
.. bro:id:: pe_dos_header
:Type: :bro:type:`event` (f: :bro:type:`fa_file`, h: :bro:type:`PE::DOSHeader`)
A :abbr:`PE (Portable Executable)` file DOS header was parsed.
This is the top-level header and contains information like the
size of the file, initial value of registers, etc.
:f: The file.
:h: The parsed DOS header information.
.. bro:see:: pe_dos_code pe_file_header pe_optional_header pe_section_header
.. bro:id:: pe_dos_code
:Type: :bro:type:`event` (f: :bro:type:`fa_file`, code: :bro:type:`string`)
A :abbr:`PE (Portable Executable)` file DOS stub was parsed.
The stub is a valid application that runs under MS-DOS, by default
to inform the user that the program can't be run in DOS mode.
:f: The file.
:code: The DOS stub
.. bro:see:: pe_dos_header pe_file_header pe_optional_header pe_section_header
.. bro:id:: pe_file_header
:Type: :bro:type:`event` (f: :bro:type:`fa_file`, h: :bro:type:`PE::FileHeader`)
A :abbr:`PE (Portable Executable)` file file header was parsed.
This header contains information like the target machine,
the timestamp when the file was created, the number of sections, and
pointers to other parts of the file.
:f: The file.
:h: The parsed file header information.
.. bro:see:: pe_dos_header pe_dos_code pe_optional_header pe_section_header
.. bro:id:: pe_optional_header
:Type: :bro:type:`event` (f: :bro:type:`fa_file`, h: :bro:type:`PE::OptionalHeader`)
A :abbr:`PE (Portable Executable)` file optional header was parsed.
This header is required for executable files, but not for object files.
It contains information like OS requirements to execute the file, the
original entry point address, and information needed to load the file
into memory.
:f: The file.
:h: The parsed optional header information.
.. bro:see:: pe_dos_header pe_dos_code pe_file_header pe_section_header
.. bro:id:: pe_section_header
:Type: :bro:type:`event` (f: :bro:type:`fa_file`, h: :bro:type:`PE::SectionHeader`)
A :abbr:`PE (Portable Executable)` file section header was parsed.
This header contains information like the section name, size, address,
and characteristics.
:f: The file.
:h: The parsed section header information.
.. bro:see:: pe_dos_header pe_dos_code pe_file_header pe_optional_header
Bro::Unified2
-------------
Analyze Unified2 alert files.
Components
++++++++++
:bro:enum:`Files::ANALYZER_UNIFIED2`
Types
+++++
.. bro:type:: Unified2::IDSEvent
:Type: :bro:type:`record`
sensor_id: :bro:type:`count`
event_id: :bro:type:`count`
ts: :bro:type:`time`
signature_id: :bro:type:`count`
generator_id: :bro:type:`count`
signature_revision: :bro:type:`count`
classification_id: :bro:type:`count`
priority_id: :bro:type:`count`
src_ip: :bro:type:`addr`
dst_ip: :bro:type:`addr`
src_p: :bro:type:`port`
dst_p: :bro:type:`port`
impact_flag: :bro:type:`count`
impact: :bro:type:`count`
blocked: :bro:type:`count`
mpls_label: :bro:type:`count` :bro:attr:`&optional`
Not available in "legacy" IDS events.
vlan_id: :bro:type:`count` :bro:attr:`&optional`
Not available in "legacy" IDS events.
packet_action: :bro:type:`count` :bro:attr:`&optional`
Only available in "legacy" IDS events.
.. bro:type:: Unified2::Packet
:Type: :bro:type:`record`
sensor_id: :bro:type:`count`
event_id: :bro:type:`count`
event_second: :bro:type:`count`
packet_ts: :bro:type:`time`
link_type: :bro:type:`count`
data: :bro:type:`string`
Events
++++++
.. bro:id:: unified2_event
:Type: :bro:type:`event` (f: :bro:type:`fa_file`, ev: :bro:type:`Unified2::IDSEvent`)
Abstract all of the various Unified2 event formats into
a single event.
:f: The file.
:ev: TODO.
.. bro:id:: unified2_packet
:Type: :bro:type:`event` (f: :bro:type:`fa_file`, pkt: :bro:type:`Unified2::Packet`)
The Unified2 packet format event.
:f: The file.
:pkt: TODO.
Bro::X509
---------
X509 and OCSP analyzer
Components
++++++++++
:bro:enum:`Files::ANALYZER_OCSP_REPLY`
:bro:enum:`Files::ANALYZER_OCSP_REQUEST`
:bro:enum:`Files::ANALYZER_X509`
Types
+++++
.. bro:type:: X509::Certificate
:Type: :bro:type:`record`
version: :bro:type:`count` :bro:attr:`&log`
Version number.
serial: :bro:type:`string` :bro:attr:`&log`
Serial number.
subject: :bro:type:`string` :bro:attr:`&log`
Subject.
issuer: :bro:type:`string` :bro:attr:`&log`
Issuer.
cn: :bro:type:`string` :bro:attr:`&optional`
Last (most specific) common name.
not_valid_before: :bro:type:`time` :bro:attr:`&log`
Timestamp before when certificate is not valid.
not_valid_after: :bro:type:`time` :bro:attr:`&log`
Timestamp after when certificate is not valid.
key_alg: :bro:type:`string` :bro:attr:`&log`
Name of the key algorithm
sig_alg: :bro:type:`string` :bro:attr:`&log`
Name of the signature algorithm
key_type: :bro:type:`string` :bro:attr:`&optional` :bro:attr:`&log`
Key type, if key parseable by openssl (either rsa, dsa or ec)
key_length: :bro:type:`count` :bro:attr:`&optional` :bro:attr:`&log`
Key length in bits
exponent: :bro:type:`string` :bro:attr:`&optional` :bro:attr:`&log`
Exponent, if RSA-certificate
curve: :bro:type:`string` :bro:attr:`&optional` :bro:attr:`&log`
Curve, if EC-certificate
.. bro:type:: X509::Extension
:Type: :bro:type:`record`
name: :bro:type:`string`
Long name of extension. oid if name not known
short_name: :bro:type:`string` :bro:attr:`&optional`
Short name of extension if known
oid: :bro:type:`string`
Oid of extension
critical: :bro:type:`bool`
True if extension is critical
value: :bro:type:`string`
Extension content parsed to string for known extensions. Raw data otherwise.
.. bro:type:: X509::BasicConstraints
:Type: :bro:type:`record`
ca: :bro:type:`bool` :bro:attr:`&log`
CA flag set?
path_len: :bro:type:`count` :bro:attr:`&optional` :bro:attr:`&log`
Maximum path length
:Attributes: :bro:attr:`&log`
.. bro:type:: X509::SubjectAlternativeName
:Type: :bro:type:`record`
dns: :bro:type:`string_vec` :bro:attr:`&optional` :bro:attr:`&log`
List of DNS entries in SAN
uri: :bro:type:`string_vec` :bro:attr:`&optional` :bro:attr:`&log`
List of URI entries in SAN
email: :bro:type:`string_vec` :bro:attr:`&optional` :bro:attr:`&log`
List of email entries in SAN
ip: :bro:type:`addr_vec` :bro:attr:`&optional` :bro:attr:`&log`
List of IP entries in SAN
other_fields: :bro:type:`bool`
True if the certificate contained other, not recognized or parsed name fields
.. bro:type:: X509::Result
:Type: :bro:type:`record`
result: :bro:type:`int`
OpenSSL result code
result_string: :bro:type:`string`
Result as string
chain_certs: :bro:type:`vector` of :bro:type:`opaque` of x509 :bro:attr:`&optional`
References to the final certificate chain, if verification successful. End-host certificate is first.
Result of an X509 certificate chain verification
Events
++++++
.. bro:id:: x509_certificate
:Type: :bro:type:`event` (f: :bro:type:`fa_file`, cert_ref: :bro:type:`opaque` of x509, cert: :bro:type:`X509::Certificate`)
Generated for encountered X509 certificates, e.g., in the clear SSL/TLS
connection handshake.
See `Wikipedia <http://en.wikipedia.org/wiki/X.509>`__ for more information
about the X.509 format.
:f: The file.
:cert_ref: An opaque pointer to the underlying OpenSSL data structure of the
certificate.
:cert: The parsed certificate information.
.. bro:see:: x509_extension x509_ext_basic_constraints
x509_ext_subject_alternative_name x509_parse x509_verify
x509_get_certificate_string x509_ocsp_ext_signed_certificate_timestamp
.. bro:id:: x509_extension
:Type: :bro:type:`event` (f: :bro:type:`fa_file`, ext: :bro:type:`X509::Extension`)
Generated for X509 extensions seen in a certificate.
See `Wikipedia <http://en.wikipedia.org/wiki/X.509>`__ for more information
about the X.509 format.
:f: The file.
:ext: The parsed extension.
.. bro:see:: x509_certificate x509_ext_basic_constraints
x509_ext_subject_alternative_name x509_parse x509_verify
x509_get_certificate_string x509_ocsp_ext_signed_certificate_timestamp
.. bro:id:: x509_ext_basic_constraints
:Type: :bro:type:`event` (f: :bro:type:`fa_file`, ext: :bro:type:`X509::BasicConstraints`)
Generated for the X509 basic constraints extension seen in a certificate.
This extension can be used to identify the subject of a certificate as a CA.
:f: The file.
:ext: The parsed basic constraints extension.
.. bro:see:: x509_certificate x509_extension
x509_ext_subject_alternative_name x509_parse x509_verify
x509_get_certificate_string x509_ocsp_ext_signed_certificate_timestamp
.. bro:id:: x509_ext_subject_alternative_name
:Type: :bro:type:`event` (f: :bro:type:`fa_file`, ext: :bro:type:`X509::SubjectAlternativeName`)
Generated for the X509 subject alternative name extension seen in a certificate.
This extension can be used to allow additional entities to be bound to the
subject of the certificate. Usually it is used to specify one or multiple DNS
names for which a certificate is valid.
:f: The file.
:ext: The parsed subject alternative name extension.
.. bro:see:: x509_certificate x509_extension x509_ext_basic_constraints
x509_parse x509_verify x509_ocsp_ext_signed_certificate_timestamp
x509_get_certificate_string
.. bro:id:: x509_ocsp_ext_signed_certificate_timestamp
:Type: :bro:type:`event` (f: :bro:type:`fa_file`, version: :bro:type:`count`, logid: :bro:type:`string`, timestamp: :bro:type:`count`, hash_algorithm: :bro:type:`count`, signature_algorithm: :bro:type:`count`, signature: :bro:type:`string`)
Generated for the signed_certificate_timestamp X509 extension as defined in
:rfc:`6962`. The extension is used to transmit signed proofs that are
used for Certificate Transparency. Raised when the extension is encountered
in an X.509 certificate or in an OCSP reply.
:f: The file.
:version: the version of the protocol to which the SCT conforms. Always
should be 0 (representing version 1)
:logid: 32 bit key id
:timestamp: the NTP Time when the entry was logged measured since
the epoch, ignoring leap seconds, in milliseconds.
:signature_and_hashalgorithm: signature and hash algorithm used for the
digitally_signed struct
:signature: signature part of the digitally_signed struct
.. bro:see:: ssl_extension_signed_certificate_timestamp x509_extension x509_ext_basic_constraints
x509_parse x509_verify x509_ext_subject_alternative_name
x509_get_certificate_string ssl_extension_signed_certificate_timestamp
sct_verify ocsp_request ocsp_request_certificate ocsp_response_status
ocsp_response_bytes ocsp_response_certificate
x509_ocsp_ext_signed_certificate_timestamp
.. bro:id:: ocsp_request
:Type: :bro:type:`event` (f: :bro:type:`fa_file`, version: :bro:type:`count`)
Event that is raised when encountering an OCSP request, e.g. in an HTTP
connection. See :rfc:`6960` for more details.
This event is raised exactly once for each OCSP Request.
:f: The file.
:req: version: the version of the OCSP request. Typically 0 (Version 1).
.. bro:see:: ocsp_request_certificate ocsp_response_status
ocsp_response_bytes ocsp_response_certificate ocsp_extension
x509_ocsp_ext_signed_certificate_timestamp
.. bro:id:: ocsp_request_certificate
:Type: :bro:type:`event` (f: :bro:type:`fa_file`, hashAlgorithm: :bro:type:`string`, issuerNameHash: :bro:type:`string`, issuerKeyHash: :bro:type:`string`, serialNumber: :bro:type:`string`)
Event that is raised when encountering an OCSP request for a certificate,
e.g. in an HTTP connection. See :rfc:`6960` for more details.
Note that a single OCSP request can contain requests for several certificates.
Thus this event can fire several times for one OCSP request, each time
requesting information for a different (or in theory even the same) certificate.
:f: The file.
:hashAlgorithm: The hash algorithm used for the issuerKeyHash.
:issuerKeyHash: Hash of the issuers public key.
:serialNumber: Serial number of the certificate for which the status is requested.
.. bro:see:: ocsp_request ocsp_response_status
ocsp_response_bytes ocsp_response_certificate ocsp_extension
x509_ocsp_ext_signed_certificate_timestamp
.. bro:id:: ocsp_response_status
:Type: :bro:type:`event` (f: :bro:type:`fa_file`, status: :bro:type:`string`)
This event is raised when encountering an OCSP reply, e.g. in an HTTP
connection or a TLS extension. See :rfc:`6960` for more details.
This event is raised exactly once for each OCSP reply.
:f: The file.
:status: The status of the OCSP response (e.g. succesful, malformedRequest, tryLater).
.. bro:see:: ocsp_request ocsp_request_certificate
ocsp_response_bytes ocsp_response_certificate ocsp_extension
x509_ocsp_ext_signed_certificate_timestamp
.. bro:id:: ocsp_response_bytes
:Type: :bro:type:`event` (f: :bro:type:`fa_file`, resp_ref: :bro:type:`opaque` of ocsp_resp, status: :bro:type:`string`, version: :bro:type:`count`, responderId: :bro:type:`string`, producedAt: :bro:type:`time`, signatureAlgorithm: :bro:type:`string`, certs: :bro:type:`x509_opaque_vector`)
This event is raised when encountering an OCSP response that contains response information.
An OCSP reply can be encountered, for example, in an HTTP connection or
a TLS extension. See :rfc:`6960` for more details on OCSP.
:f: The file.
:req_ref: An opaque pointer to the underlying OpenSSL data structure of the
OCSP response.
:status: The status of the OCSP response (e.g. succesful, malformedRequest, tryLater).
:version: Version of the OCSP response (typically - for version 1).
:responderId: The id of the OCSP responder; either a public key hash or a distinguished name.
:producedAt: Time at which the reply was produced.
:signatureAlgorithm: Algorithm used for the OCSP signature.
:certs: Optional list of certificates that are sent with the OCSP response; these typically
are needed to perform validation of the reply.
.. bro:see:: ocsp_request ocsp_request_certificate ocsp_response_status
ocsp_response_certificate ocsp_extension
x509_ocsp_ext_signed_certificate_timestamp
.. bro:id:: ocsp_response_certificate
:Type: :bro:type:`event` (f: :bro:type:`fa_file`, hashAlgorithm: :bro:type:`string`, issuerNameHash: :bro:type:`string`, issuerKeyHash: :bro:type:`string`, serialNumber: :bro:type:`string`, certStatus: :bro:type:`string`, revokeTime: :bro:type:`time`, revokeReason: :bro:type:`string`, thisUpdate: :bro:type:`time`, nextUpdate: :bro:type:`time`)
This event is raised for each SingleResponse contained in an OCSP response.
See :rfc:`6960` for more details on OCSP.
:f: The file.
:hashAlgorithm: The hash algorithm used for issuerNameHash and issuerKeyHash.
:issuerNameHash: Hash of the issuer's distinguished name.
:issuerKeyHash: Hash of the issuer's public key.
:serialNumber: Serial number of the affected certificate.
:certStatus: Status of the certificate.
:revokeTime: Time the certificate was revoked, 0 if not revoked.
:revokeTeason: Reason certificate was revoked; empty string if not revoked or not specified.
:thisUpdate: Time this response was generated.
:nextUpdate: Time next response will be ready; 0 if not supploed.
.. bro:see:: ocsp_request ocsp_request_certificate ocsp_response_status
ocsp_response_bytes ocsp_extension
x509_ocsp_ext_signed_certificate_timestamp
.. bro:id:: ocsp_extension
:Type: :bro:type:`event` (f: :bro:type:`fa_file`, ext: :bro:type:`X509::Extension`, global_resp: :bro:type:`bool`)
This event is raised when an OCSP extension is encountered in an OCSP response.
See :rfc:`6960` for more details on OCSP.
:f: The file.
:ext: The parsed extension (same format as X.509 extensions).
:global_resp: T if extension encountered in the global response (in ResponseData),
F when encountered in a SingleResponse.
.. bro:see:: ocsp_request ocsp_request_certificate ocsp_response_status
ocsp_response_bytes ocsp_response_certificate
x509_ocsp_ext_signed_certificate_timestamp
Functions
+++++++++
.. bro:id:: x509_parse
:Type: :bro:type:`function` (cert: :bro:type:`opaque` of x509) : :bro:type:`X509::Certificate`
Parses a certificate into an X509::Certificate structure.
:cert: The X509 certificate opaque handle.
:returns: A X509::Certificate structure.
.. bro:see:: x509_certificate x509_extension x509_ext_basic_constraints
x509_ext_subject_alternative_name x509_verify
x509_get_certificate_string
.. bro:id:: x509_get_certificate_string
:Type: :bro:type:`function` (cert: :bro:type:`opaque` of x509, pem: :bro:type:`bool` :bro:attr:`&default` = ``F`` :bro:attr:`&optional`) : :bro:type:`string`
Returns the string form of a certificate.
:cert: The X509 certificate opaque handle.
:pem: A boolean that specifies if the certificate is returned
in pem-form (true), or as the raw ASN1 encoded binary
(false).
:returns: X509 certificate as a string.
.. bro:see:: x509_certificate x509_extension x509_ext_basic_constraints
x509_ext_subject_alternative_name x509_parse x509_verify
.. bro:id:: x509_ocsp_verify
:Type: :bro:type:`function` (certs: :bro:type:`x509_opaque_vector`, ocsp_reply: :bro:type:`string`, root_certs: :bro:type:`table_string_of_string`, verify_time: :bro:type:`time` :bro:attr:`&default` = ``0.0`` :bro:attr:`&optional`) : :bro:type:`X509::Result`
Verifies an OCSP reply.
:certs: Specifies the certificate chain to use. Server certificate first.
:ocsp_reply: the ocsp reply to validate.
:root_certs: A list of root certificates to validate the certificate chain.
:verify_time: Time for the validity check of the certificates.
:returns: A record of type X509::Result containing the result code of the
verify operation.
.. bro:see:: x509_certificate x509_extension x509_ext_basic_constraints
x509_ext_subject_alternative_name x509_parse
x509_get_certificate_string x509_verify
.. bro:id:: x509_verify
:Type: :bro:type:`function` (certs: :bro:type:`x509_opaque_vector`, root_certs: :bro:type:`table_string_of_string`, verify_time: :bro:type:`time` :bro:attr:`&default` = ``0.0`` :bro:attr:`&optional`) : :bro:type:`X509::Result`
Verifies a certificate.
:certs: Specifies a certificate chain that is being used to validate
the given certificate against the root store given in *root_certs*.
The host certificate has to be at index 0.
:root_certs: A list of root certificates to validate the certificate chain.
:verify_time: Time for the validity check of the certificates.
:returns: A record of type X509::Result containing the result code of the
verify operation. In case of success also returns the full
certificate chain.
.. bro:see:: x509_certificate x509_extension x509_ext_basic_constraints
x509_ext_subject_alternative_name x509_parse
x509_get_certificate_string x509_ocsp_verify sct_verify
.. bro:id:: sct_verify
:Type: :bro:type:`function` (cert: :bro:type:`opaque` of x509, logid: :bro:type:`string`, log_key: :bro:type:`string`, signature: :bro:type:`string`, timestamp: :bro:type:`count`, hash_algorithm: :bro:type:`count`, issuer_key_hash: :bro:type:`string` :bro:attr:`&default` = ``""`` :bro:attr:`&optional`) : :bro:type:`bool`
Verifies a Signed Certificate Timestamp as used for Certificate Transparency.
See RFC6962 for more details.
:cert: Certificate against which the SCT should be validated.
:logid: Log id of the SCT.
:log_key: Public key of the Log that issued the SCT proof.
:timestamp: Timestamp at which the proof was generated.
:hash_algorithm: Hash algorithm that was used for the SCT proof.
:issuer_key_hash: The SHA-256 hash of the certificate issuer's public key.
This only has to be provided if the SCT was encountered in an X.509
certificate extension; in that case, it is necessary for validation.
:returns: T if the validation could be performed succesfully, F otherwhise.
.. bro:see:: ssl_extension_signed_certificate_timestamp
x509_ocsp_ext_signed_certificate_timestamp
x509_verify
.. bro:id:: x509_subject_name_hash
:Type: :bro:type:`function` (cert: :bro:type:`opaque` of x509, hash_alg: :bro:type:`count`) : :bro:type:`string`
Get the hash of the subject's distinguished name.
:cert: The X509 certificate opaque handle.
:hash_alg: the hash algorithm to use, according to the IANA mapping at
:https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-18
:returns: The hash as a string.
.. bro:see:: x509_issuer_name_hash x509_spki_hash
x509_verify sct_verify
.. bro:id:: x509_issuer_name_hash
:Type: :bro:type:`function` (cert: :bro:type:`opaque` of x509, hash_alg: :bro:type:`count`) : :bro:type:`string`
Get the hash of the issuer's distinguished name.
:cert: The X509 certificate opaque handle.
:hash_alg: the hash algorithm to use, according to the IANA mapping at
:https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-18
:returns: The hash as a string.
.. bro:see:: x509_subject_name_hash x509_spki_hash
x509_verify sct_verify
.. bro:id:: x509_spki_hash
:Type: :bro:type:`function` (cert: :bro:type:`opaque` of x509, hash_alg: :bro:type:`count`) : :bro:type:`string`
Get the hash of the Subject Public Key Information of the certificate.
:cert: The X509 certificate opaque handle.
:hash_alg: the hash algorithm to use, according to the IANA mapping at
:https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-18
:returns: The hash as a string.
.. bro:see:: x509_subject_name_hash x509_issuer_name_hash
x509_verify sct_verify
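
Review bot: Several parameter descriptions under Bro::X509 do not match the signatures they document. ocsp_response_bytes describes ":req_ref:" while the signature names resp_ref, ocsp_request has ":req: version:" for a parameter called version, ocsp_response_certificate has ":revokeTeason:" for revokeReason, and x509_ocsp_ext_signed_certificate_timestamp documents one ":signature_and_hashalgorithm:" field where the signature takes hash_algorithm and signature_algorithm separately. issuerNameHash in ocsp_request_certificate and signature in sct_verify have no description at all, the ":version:" text in ocsp_response_bytes reads "typically - for version 1" with the value missing, and ":ev:" and ":pkt:" in the Unified2 events are still "TODO.". Now that these generated files are committed and tested for freshness, suggest correcting the entries at the source they are generated from and regenerating, so that handlers written against the OCSP and SCT events use the right argument names. Smaller points in the same section: the ":https://www.iana.org/..." continuation line under ":hash_alg:" in the three *_hash functions starts with a stray colon, and "succesful", "succesfully", "supploed" and "otherwhise" are misspelled.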

@ -0,0 +1,309 @@
:doc:`base/frameworks/logging </scripts/base/frameworks/logging/index>`
The logging framework provides a flexible key-value based logging interface.
:doc:`base/frameworks/logging/postprocessors </scripts/base/frameworks/logging/postprocessors/index>`
Support for postprocessors in the logging framework.
:doc:`base/frameworks/broker </scripts/base/frameworks/broker/index>`
The Broker communication framework facilitates connecting to remote Bro
instances to share state and transfer events.
:doc:`base/frameworks/input </scripts/base/frameworks/input/index>`
The input framework provides a way to read previously stored data either as
an event stream or into a Bro table.
:doc:`base/frameworks/analyzer </scripts/base/frameworks/analyzer/index>`
The analyzer framework allows to dynamically enable or disable Bro's
protocol analyzers, as well as to manage the well-known ports which
automatically activate a particular analyzer for new connections.
:doc:`base/frameworks/files </scripts/base/frameworks/files/index>`
The file analysis framework provides an interface for driving the analysis
of files, possibly independent of any network protocol over which they're
transported.
:doc:`base/frameworks/files/magic </scripts/base/frameworks/files/magic/index>`
:doc:`base/bif </scripts/base/bif/index>`
:doc:`base/bif/plugins </scripts/base/bif/plugins/index>`
:doc:`base/frameworks/reporter </scripts/base/frameworks/reporter/index>`
This framework is intended to create an output and filtering path for
internally generated messages/warnings/errors.
:doc:`base/frameworks/notice </scripts/base/frameworks/notice/index>`
The notice framework enables Bro to "notice" things which are odd or
potentially bad, leaving it to the local configuration to define which
of them are actionable. This decoupling of detection and reporting allows
Bro to be customized to the different needs that sites have.
:doc:`base/frameworks/cluster </scripts/base/frameworks/cluster/index>`
The cluster framework provides for establishing and controlling a cluster
of Bro instances.
:doc:`base/frameworks/control </scripts/base/frameworks/control/index>`
The control framework provides the foundation for providing "commands"
that can be taken remotely at runtime to modify a running Bro instance
or collect information from the running instance.
:doc:`base/frameworks/netcontrol </scripts/base/frameworks/netcontrol/index>`
The NetControl framework provides a way for Bro to interact with networking
hard- and software, e.g. for dropping and shunting IP addresses/connections,
etc.
:doc:`base/frameworks/netcontrol/plugins </scripts/base/frameworks/netcontrol/plugins/index>`
Plugins for the NetControl framework.
:doc:`base/frameworks/openflow </scripts/base/frameworks/openflow/index>`
The OpenFlow framework exposes the data structures and functions
necessary to interface to OpenFlow capable hardware.
:doc:`base/frameworks/openflow/plugins </scripts/base/frameworks/openflow/plugins/index>`
Plugins for the OpenFlow framework.
:doc:`base/frameworks/dpd </scripts/base/frameworks/dpd/index>`
The DPD (dynamic protocol detection) activates port-independent protocol
detection and selectively disables analyzers if protocol violations occur.
:doc:`base/frameworks/signatures </scripts/base/frameworks/signatures/index>`
The signature framework provides for doing low-level pattern matching. While
signatures are not Bro's preferred detection tool, they sometimes come in
handy and are closer to what many people are familiar with from using
other NIDS.
:doc:`base/frameworks/packet-filter </scripts/base/frameworks/packet-filter/index>`
The packet filter framework supports how Bro sets its BPF capture filter.
:doc:`base/frameworks/software </scripts/base/frameworks/software/index>`
The software framework provides infrastructure for maintaining a table
of software versions seen on the network. The version parsing itself
is carried out by external protocol-specific scripts that feed into
this framework.
:doc:`base/frameworks/intel </scripts/base/frameworks/intel/index>`
The intelligence framework provides a way to store and query intelligence
data (such as IP addresses or strings). Metadata can also be associated
with the intelligence.
:doc:`base/frameworks/config </scripts/base/frameworks/config/index>`
The configuration framework provides a way to change the Bro configuration
in "option" values at run-time.
:doc:`base/frameworks/sumstats </scripts/base/frameworks/sumstats/index>`
The summary statistics framework provides a way to summarize large streams
of data into simple reduced measurements.
:doc:`base/frameworks/sumstats/plugins </scripts/base/frameworks/sumstats/plugins/index>`
Plugins for the summary statistics framework.
:doc:`base/frameworks/tunnels </scripts/base/frameworks/tunnels/index>`
The tunnels framework handles the tracking/logging of tunnels (e.g. Teredo,
AYIYA, or IP-in-IP such as 6to4 where "IP" is either IPv4 or IPv6).
:doc:`base/protocols/conn </scripts/base/protocols/conn/index>`
Support for connection (TCP, UDP, or ICMP) analysis.
:doc:`base/protocols/dce-rpc </scripts/base/protocols/dce-rpc/index>`
Support for DCE/RPC (Distributed Computing Environment/Remote Procedure
Calls) protocol analysis.
:doc:`base/protocols/dhcp </scripts/base/protocols/dhcp/index>`
Support for Dynamic Host Configuration Protocol (DHCP) analysis.
:doc:`base/protocols/dnp3 </scripts/base/protocols/dnp3/index>`
Support for Distributed Network Protocol (DNP3) analysis.
:doc:`base/protocols/dns </scripts/base/protocols/dns/index>`
Support for Domain Name System (DNS) protocol analysis.
:doc:`base/protocols/ftp </scripts/base/protocols/ftp/index>`
Support for File Transfer Protocol (FTP) analysis.
:doc:`base/protocols/ssl </scripts/base/protocols/ssl/index>`
Support for Secure Sockets Layer (SSL)/Transport Layer Security(TLS) protocol analysis.
:doc:`base/files/x509 </scripts/base/files/x509/index>`
Support for X509 certificates with the file analysis framework.
Also supports parsing OCSP requests and responses.
:doc:`base/files/hash </scripts/base/files/hash/index>`
Support for file hashes with the file analysis framework.
:doc:`base/protocols/http </scripts/base/protocols/http/index>`
Support for Hypertext Transfer Protocol (HTTP) analysis.
:doc:`base/protocols/imap </scripts/base/protocols/imap/index>`
Support for the Internet Message Access Protocol (IMAP).
Note that currently the IMAP analyzer only supports analyzing IMAP sessions
until they do or do not switch to TLS using StartTLS. Hence, we do not get
mails from IMAP sessions, only X509 certificates.
:doc:`base/protocols/irc </scripts/base/protocols/irc/index>`
Support for Internet Relay Chat (IRC) protocol analysis.
:doc:`base/protocols/krb </scripts/base/protocols/krb/index>`
Support for Kerberos protocol analysis.
:doc:`base/protocols/modbus </scripts/base/protocols/modbus/index>`
Support for Modbus protocol analysis.
:doc:`base/protocols/mysql </scripts/base/protocols/mysql/index>`
Support for MySQL protocol analysis.
:doc:`base/protocols/ntlm </scripts/base/protocols/ntlm/index>`
Support for NT LAN Manager (NTLM) protocol analysis.
:doc:`base/protocols/pop3 </scripts/base/protocols/pop3/index>`
Support for POP3 (Post Office Protocol) protocol analysis.
:doc:`base/protocols/radius </scripts/base/protocols/radius/index>`
Support for RADIUS protocol analysis.
:doc:`base/protocols/rdp </scripts/base/protocols/rdp/index>`
Support for Remote Desktop Protocol (RDP) analysis.
:doc:`base/protocols/rfb </scripts/base/protocols/rfb/index>`
Support for Remote FrameBuffer analysis. This includes all VNC servers.
:doc:`base/protocols/sip </scripts/base/protocols/sip/index>`
Support for Session Initiation Protocol (SIP) analysis.
:doc:`base/protocols/snmp </scripts/base/protocols/snmp/index>`
Support for Simple Network Management Protocol (SNMP) analysis.
:doc:`base/protocols/smb </scripts/base/protocols/smb/index>`
Support for SMB protocol analysis.
:doc:`base/protocols/smtp </scripts/base/protocols/smtp/index>`
Support for Simple Mail Transfer Protocol (SMTP) analysis.
:doc:`base/protocols/socks </scripts/base/protocols/socks/index>`
Support for Socket Secure (SOCKS) protocol analysis.
:doc:`base/protocols/ssh </scripts/base/protocols/ssh/index>`
Support for SSH protocol analysis.
:doc:`base/protocols/syslog </scripts/base/protocols/syslog/index>`
Support for Syslog protocol analysis.
:doc:`base/protocols/tunnels </scripts/base/protocols/tunnels/index>`
Provides DPD signatures for tunneling protocols that otherwise
wouldn't be detected at all.
:doc:`base/protocols/xmpp </scripts/base/protocols/xmpp/index>`
Support for the Extensible Messaging and Presence Protocol (XMPP).
Note that currently the XMPP analyzer only supports analyzing XMPP sessions
until they do or do not switch to TLS using StartTLS. Hence, we do not get
actual chat information from XMPP sessions, only X509 certificates.
:doc:`base/files/pe </scripts/base/files/pe/index>`
Support for Portable Executable (PE) file analysis.
:doc:`base/files/extract </scripts/base/files/extract/index>`
Support for extracting files with the file analysis framework.
:doc:`base/files/unified2 </scripts/base/files/unified2/index>`
Support for Unified2 files in the file analysis framework.
:doc:`broxygen </scripts/broxygen/index>`
This package is loaded during the process which automatically generates
reference documentation for all Bro scripts (i.e. "Broxygen"). Its only
purpose is to provide an easy way to load all known Bro scripts plus any
extra scripts needed or used by the documentation process.
:doc:`policy/frameworks/intel/seen </scripts/policy/frameworks/intel/seen/index>`
Scripts that send data to the intelligence framework.
:doc:`policy/frameworks/notice </scripts/policy/frameworks/notice/index>`
:doc:`policy/integration/barnyard2 </scripts/policy/integration/barnyard2/index>`
Integration with Barnyard2.
:doc:`policy/integration/collective-intel </scripts/policy/integration/collective-intel/index>`
The scripts in this module are for deeper integration with the
Collective Intelligence Framework (CIF) since Bro's Intel framework
doesn't natively behave the same as CIF nor does it store and maintain
the same data in all cases.
:doc:`policy/misc/detect-traceroute </scripts/policy/misc/detect-traceroute/index>`
Detect hosts that are running traceroute.
:doc:`policy/tuning </scripts/policy/tuning/index>`
Miscellaneous tuning parameters.
:doc:`policy/tuning/defaults </scripts/policy/tuning/defaults/index>`
Sets various defaults, and prints warning messages to stdout under
certain conditions.
:doc:`policy/protocols/smb </scripts/policy/protocols/smb/index>`
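Review bot: the entries for `policy/frameworks/notice` and `policy/protocols/smb` have no description line, while every other package entry visible in this list has one. Because this index is now a generated file checked into the repo, the gap will persist until it is fixed at the source the generator reads. Suggest adding a short package description for both there and re-running the regeneration script, rather than editing this file by hand, so the up-to-date test keeps passing.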

File diff suppressed because it is too large

@ -0,0 +1,470 @@
.. toctree::
:maxdepth: 1
base/init-bare.bro </scripts/base/init-bare.bro>
base/bif/const.bif.bro </scripts/base/bif/const.bif.bro>
base/bif/types.bif.bro </scripts/base/bif/types.bif.bro>
base/bif/bro.bif.bro </scripts/base/bif/bro.bif.bro>
base/bif/stats.bif.bro </scripts/base/bif/stats.bif.bro>
base/bif/reporter.bif.bro </scripts/base/bif/reporter.bif.bro>
base/bif/strings.bif.bro </scripts/base/bif/strings.bif.bro>
base/bif/option.bif.bro </scripts/base/bif/option.bif.bro>
base/bif/plugins/Bro_SNMP.types.bif.bro </scripts/base/bif/plugins/Bro_SNMP.types.bif.bro>
base/bif/plugins/Bro_KRB.types.bif.bro </scripts/base/bif/plugins/Bro_KRB.types.bif.bro>
base/bif/event.bif.bro </scripts/base/bif/event.bif.bro>
base/init-frameworks-and-bifs.bro </scripts/base/init-frameworks-and-bifs.bro>
base/frameworks/logging/__load__.bro </scripts/base/frameworks/logging/__load__.bro>
base/frameworks/logging/main.bro </scripts/base/frameworks/logging/main.bro>
base/bif/logging.bif.bro </scripts/base/bif/logging.bif.bro>
base/frameworks/logging/postprocessors/__load__.bro </scripts/base/frameworks/logging/postprocessors/__load__.bro>
base/frameworks/logging/postprocessors/scp.bro </scripts/base/frameworks/logging/postprocessors/scp.bro>
base/frameworks/logging/postprocessors/sftp.bro </scripts/base/frameworks/logging/postprocessors/sftp.bro>
base/frameworks/logging/writers/ascii.bro </scripts/base/frameworks/logging/writers/ascii.bro>
base/frameworks/logging/writers/sqlite.bro </scripts/base/frameworks/logging/writers/sqlite.bro>
base/frameworks/logging/writers/none.bro </scripts/base/frameworks/logging/writers/none.bro>
base/frameworks/broker/__load__.bro </scripts/base/frameworks/broker/__load__.bro>
base/frameworks/broker/main.bro </scripts/base/frameworks/broker/main.bro>
base/bif/comm.bif.bro </scripts/base/bif/comm.bif.bro>
base/bif/messaging.bif.bro </scripts/base/bif/messaging.bif.bro>
base/frameworks/broker/store.bro </scripts/base/frameworks/broker/store.bro>
base/bif/data.bif.bro </scripts/base/bif/data.bif.bro>
base/bif/store.bif.bro </scripts/base/bif/store.bif.bro>
base/frameworks/broker/log.bro </scripts/base/frameworks/broker/log.bro>
base/frameworks/input/__load__.bro </scripts/base/frameworks/input/__load__.bro>
base/frameworks/input/main.bro </scripts/base/frameworks/input/main.bro>
base/bif/input.bif.bro </scripts/base/bif/input.bif.bro>
base/frameworks/input/readers/ascii.bro </scripts/base/frameworks/input/readers/ascii.bro>
base/frameworks/input/readers/raw.bro </scripts/base/frameworks/input/readers/raw.bro>
base/frameworks/input/readers/benchmark.bro </scripts/base/frameworks/input/readers/benchmark.bro>
base/frameworks/input/readers/binary.bro </scripts/base/frameworks/input/readers/binary.bro>
base/frameworks/input/readers/config.bro </scripts/base/frameworks/input/readers/config.bro>
base/frameworks/input/readers/sqlite.bro </scripts/base/frameworks/input/readers/sqlite.bro>
base/frameworks/analyzer/__load__.bro </scripts/base/frameworks/analyzer/__load__.bro>
base/frameworks/analyzer/main.bro </scripts/base/frameworks/analyzer/main.bro>
base/frameworks/packet-filter/utils.bro </scripts/base/frameworks/packet-filter/utils.bro>
base/bif/analyzer.bif.bro </scripts/base/bif/analyzer.bif.bro>
base/frameworks/files/__load__.bro </scripts/base/frameworks/files/__load__.bro>
base/frameworks/files/main.bro </scripts/base/frameworks/files/main.bro>
base/bif/file_analysis.bif.bro </scripts/base/bif/file_analysis.bif.bro>
base/utils/site.bro </scripts/base/utils/site.bro>
base/utils/patterns.bro </scripts/base/utils/patterns.bro>
base/frameworks/files/magic/__load__.bro </scripts/base/frameworks/files/magic/__load__.bro>
base/bif/__load__.bro </scripts/base/bif/__load__.bro>
base/bif/broxygen.bif.bro </scripts/base/bif/broxygen.bif.bro>
base/bif/pcap.bif.bro </scripts/base/bif/pcap.bif.bro>
base/bif/bloom-filter.bif.bro </scripts/base/bif/bloom-filter.bif.bro>
base/bif/cardinality-counter.bif.bro </scripts/base/bif/cardinality-counter.bif.bro>
base/bif/top-k.bif.bro </scripts/base/bif/top-k.bif.bro>
base/bif/plugins/__load__.bro </scripts/base/bif/plugins/__load__.bro>
base/bif/plugins/Bro_ARP.events.bif.bro </scripts/base/bif/plugins/Bro_ARP.events.bif.bro>
base/bif/plugins/Bro_BackDoor.events.bif.bro </scripts/base/bif/plugins/Bro_BackDoor.events.bif.bro>
base/bif/plugins/Bro_BitTorrent.events.bif.bro </scripts/base/bif/plugins/Bro_BitTorrent.events.bif.bro>
base/bif/plugins/Bro_ConnSize.events.bif.bro </scripts/base/bif/plugins/Bro_ConnSize.events.bif.bro>
base/bif/plugins/Bro_ConnSize.functions.bif.bro </scripts/base/bif/plugins/Bro_ConnSize.functions.bif.bro>
base/bif/plugins/Bro_DCE_RPC.consts.bif.bro </scripts/base/bif/plugins/Bro_DCE_RPC.consts.bif.bro>
base/bif/plugins/Bro_DCE_RPC.types.bif.bro </scripts/base/bif/plugins/Bro_DCE_RPC.types.bif.bro>
base/bif/plugins/Bro_DCE_RPC.events.bif.bro </scripts/base/bif/plugins/Bro_DCE_RPC.events.bif.bro>
base/bif/plugins/Bro_DHCP.events.bif.bro </scripts/base/bif/plugins/Bro_DHCP.events.bif.bro>
base/bif/plugins/Bro_DHCP.types.bif.bro </scripts/base/bif/plugins/Bro_DHCP.types.bif.bro>
base/bif/plugins/Bro_DNP3.events.bif.bro </scripts/base/bif/plugins/Bro_DNP3.events.bif.bro>
base/bif/plugins/Bro_DNS.events.bif.bro </scripts/base/bif/plugins/Bro_DNS.events.bif.bro>
base/bif/plugins/Bro_File.events.bif.bro </scripts/base/bif/plugins/Bro_File.events.bif.bro>
base/bif/plugins/Bro_Finger.events.bif.bro </scripts/base/bif/plugins/Bro_Finger.events.bif.bro>
base/bif/plugins/Bro_FTP.events.bif.bro </scripts/base/bif/plugins/Bro_FTP.events.bif.bro>
base/bif/plugins/Bro_FTP.functions.bif.bro </scripts/base/bif/plugins/Bro_FTP.functions.bif.bro>
base/bif/plugins/Bro_Gnutella.events.bif.bro </scripts/base/bif/plugins/Bro_Gnutella.events.bif.bro>
base/bif/plugins/Bro_GSSAPI.events.bif.bro </scripts/base/bif/plugins/Bro_GSSAPI.events.bif.bro>
base/bif/plugins/Bro_GTPv1.events.bif.bro </scripts/base/bif/plugins/Bro_GTPv1.events.bif.bro>
base/bif/plugins/Bro_HTTP.events.bif.bro </scripts/base/bif/plugins/Bro_HTTP.events.bif.bro>
base/bif/plugins/Bro_HTTP.functions.bif.bro </scripts/base/bif/plugins/Bro_HTTP.functions.bif.bro>
base/bif/plugins/Bro_ICMP.events.bif.bro </scripts/base/bif/plugins/Bro_ICMP.events.bif.bro>
base/bif/plugins/Bro_Ident.events.bif.bro </scripts/base/bif/plugins/Bro_Ident.events.bif.bro>
base/bif/plugins/Bro_IMAP.events.bif.bro </scripts/base/bif/plugins/Bro_IMAP.events.bif.bro>
base/bif/plugins/Bro_InterConn.events.bif.bro </scripts/base/bif/plugins/Bro_InterConn.events.bif.bro>
base/bif/plugins/Bro_IRC.events.bif.bro </scripts/base/bif/plugins/Bro_IRC.events.bif.bro>
base/bif/plugins/Bro_KRB.events.bif.bro </scripts/base/bif/plugins/Bro_KRB.events.bif.bro>
base/bif/plugins/Bro_Login.events.bif.bro </scripts/base/bif/plugins/Bro_Login.events.bif.bro>
base/bif/plugins/Bro_Login.functions.bif.bro </scripts/base/bif/plugins/Bro_Login.functions.bif.bro>
base/bif/plugins/Bro_MIME.events.bif.bro </scripts/base/bif/plugins/Bro_MIME.events.bif.bro>
base/bif/plugins/Bro_Modbus.events.bif.bro </scripts/base/bif/plugins/Bro_Modbus.events.bif.bro>
base/bif/plugins/Bro_MySQL.events.bif.bro </scripts/base/bif/plugins/Bro_MySQL.events.bif.bro>
base/bif/plugins/Bro_NCP.events.bif.bro </scripts/base/bif/plugins/Bro_NCP.events.bif.bro>
base/bif/plugins/Bro_NCP.consts.bif.bro </scripts/base/bif/plugins/Bro_NCP.consts.bif.bro>
base/bif/plugins/Bro_NetBIOS.events.bif.bro </scripts/base/bif/plugins/Bro_NetBIOS.events.bif.bro>
base/bif/plugins/Bro_NetBIOS.functions.bif.bro </scripts/base/bif/plugins/Bro_NetBIOS.functions.bif.bro>
base/bif/plugins/Bro_NTLM.types.bif.bro </scripts/base/bif/plugins/Bro_NTLM.types.bif.bro>
base/bif/plugins/Bro_NTLM.events.bif.bro </scripts/base/bif/plugins/Bro_NTLM.events.bif.bro>
base/bif/plugins/Bro_NTP.events.bif.bro </scripts/base/bif/plugins/Bro_NTP.events.bif.bro>
base/bif/plugins/Bro_POP3.events.bif.bro </scripts/base/bif/plugins/Bro_POP3.events.bif.bro>
base/bif/plugins/Bro_RADIUS.events.bif.bro </scripts/base/bif/plugins/Bro_RADIUS.events.bif.bro>
base/bif/plugins/Bro_RDP.events.bif.bro </scripts/base/bif/plugins/Bro_RDP.events.bif.bro>
base/bif/plugins/Bro_RDP.types.bif.bro </scripts/base/bif/plugins/Bro_RDP.types.bif.bro>
base/bif/plugins/Bro_RFB.events.bif.bro </scripts/base/bif/plugins/Bro_RFB.events.bif.bro>
base/bif/plugins/Bro_RPC.events.bif.bro </scripts/base/bif/plugins/Bro_RPC.events.bif.bro>
base/bif/plugins/Bro_SIP.events.bif.bro </scripts/base/bif/plugins/Bro_SIP.events.bif.bro>
base/bif/plugins/Bro_SNMP.events.bif.bro </scripts/base/bif/plugins/Bro_SNMP.events.bif.bro>
base/bif/plugins/Bro_SMB.smb1_com_check_directory.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb1_com_check_directory.bif.bro>
base/bif/plugins/Bro_SMB.smb1_com_close.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb1_com_close.bif.bro>
base/bif/plugins/Bro_SMB.smb1_com_create_directory.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb1_com_create_directory.bif.bro>
base/bif/plugins/Bro_SMB.smb1_com_echo.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb1_com_echo.bif.bro>
base/bif/plugins/Bro_SMB.smb1_com_logoff_andx.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb1_com_logoff_andx.bif.bro>
base/bif/plugins/Bro_SMB.smb1_com_negotiate.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb1_com_negotiate.bif.bro>
base/bif/plugins/Bro_SMB.smb1_com_nt_create_andx.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb1_com_nt_create_andx.bif.bro>
base/bif/plugins/Bro_SMB.smb1_com_nt_cancel.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb1_com_nt_cancel.bif.bro>
base/bif/plugins/Bro_SMB.smb1_com_query_information.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb1_com_query_information.bif.bro>
base/bif/plugins/Bro_SMB.smb1_com_read_andx.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb1_com_read_andx.bif.bro>
base/bif/plugins/Bro_SMB.smb1_com_session_setup_andx.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb1_com_session_setup_andx.bif.bro>
base/bif/plugins/Bro_SMB.smb1_com_transaction.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction.bif.bro>
base/bif/plugins/Bro_SMB.smb1_com_transaction_secondary.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction_secondary.bif.bro>
base/bif/plugins/Bro_SMB.smb1_com_transaction2.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction2.bif.bro>
base/bif/plugins/Bro_SMB.smb1_com_transaction2_secondary.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction2_secondary.bif.bro>
base/bif/plugins/Bro_SMB.smb1_com_tree_connect_andx.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb1_com_tree_connect_andx.bif.bro>
base/bif/plugins/Bro_SMB.smb1_com_tree_disconnect.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb1_com_tree_disconnect.bif.bro>
base/bif/plugins/Bro_SMB.smb1_com_write_andx.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb1_com_write_andx.bif.bro>
base/bif/plugins/Bro_SMB.smb1_events.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb1_events.bif.bro>
base/bif/plugins/Bro_SMB.smb2_com_close.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb2_com_close.bif.bro>
base/bif/plugins/Bro_SMB.smb2_com_create.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb2_com_create.bif.bro>
base/bif/plugins/Bro_SMB.smb2_com_negotiate.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb2_com_negotiate.bif.bro>
base/bif/plugins/Bro_SMB.smb2_com_read.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb2_com_read.bif.bro>
base/bif/plugins/Bro_SMB.smb2_com_session_setup.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb2_com_session_setup.bif.bro>
base/bif/plugins/Bro_SMB.smb2_com_set_info.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb2_com_set_info.bif.bro>
base/bif/plugins/Bro_SMB.smb2_com_tree_connect.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb2_com_tree_connect.bif.bro>
base/bif/plugins/Bro_SMB.smb2_com_tree_disconnect.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb2_com_tree_disconnect.bif.bro>
base/bif/plugins/Bro_SMB.smb2_com_write.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb2_com_write.bif.bro>
base/bif/plugins/Bro_SMB.smb2_events.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb2_events.bif.bro>
base/bif/plugins/Bro_SMB.events.bif.bro </scripts/base/bif/plugins/Bro_SMB.events.bif.bro>
base/bif/plugins/Bro_SMB.consts.bif.bro </scripts/base/bif/plugins/Bro_SMB.consts.bif.bro>
base/bif/plugins/Bro_SMB.types.bif.bro </scripts/base/bif/plugins/Bro_SMB.types.bif.bro>
base/bif/plugins/Bro_SMTP.events.bif.bro </scripts/base/bif/plugins/Bro_SMTP.events.bif.bro>
base/bif/plugins/Bro_SMTP.functions.bif.bro </scripts/base/bif/plugins/Bro_SMTP.functions.bif.bro>
base/bif/plugins/Bro_SOCKS.events.bif.bro </scripts/base/bif/plugins/Bro_SOCKS.events.bif.bro>
base/bif/plugins/Bro_SSH.types.bif.bro </scripts/base/bif/plugins/Bro_SSH.types.bif.bro>
base/bif/plugins/Bro_SSH.events.bif.bro </scripts/base/bif/plugins/Bro_SSH.events.bif.bro>
base/bif/plugins/Bro_SSL.types.bif.bro </scripts/base/bif/plugins/Bro_SSL.types.bif.bro>
base/bif/plugins/Bro_SSL.events.bif.bro </scripts/base/bif/plugins/Bro_SSL.events.bif.bro>
base/bif/plugins/Bro_SSL.functions.bif.bro </scripts/base/bif/plugins/Bro_SSL.functions.bif.bro>
base/bif/plugins/Bro_SteppingStone.events.bif.bro </scripts/base/bif/plugins/Bro_SteppingStone.events.bif.bro>
base/bif/plugins/Bro_Syslog.events.bif.bro </scripts/base/bif/plugins/Bro_Syslog.events.bif.bro>
base/bif/plugins/Bro_TCP.events.bif.bro </scripts/base/bif/plugins/Bro_TCP.events.bif.bro>
base/bif/plugins/Bro_TCP.functions.bif.bro </scripts/base/bif/plugins/Bro_TCP.functions.bif.bro>
base/bif/plugins/Bro_Teredo.events.bif.bro </scripts/base/bif/plugins/Bro_Teredo.events.bif.bro>
base/bif/plugins/Bro_UDP.events.bif.bro </scripts/base/bif/plugins/Bro_UDP.events.bif.bro>
base/bif/plugins/Bro_XMPP.events.bif.bro </scripts/base/bif/plugins/Bro_XMPP.events.bif.bro>
base/bif/plugins/Bro_FileEntropy.events.bif.bro </scripts/base/bif/plugins/Bro_FileEntropy.events.bif.bro>
base/bif/plugins/Bro_FileExtract.events.bif.bro </scripts/base/bif/plugins/Bro_FileExtract.events.bif.bro>
base/bif/plugins/Bro_FileExtract.functions.bif.bro </scripts/base/bif/plugins/Bro_FileExtract.functions.bif.bro>
base/bif/plugins/Bro_FileHash.events.bif.bro </scripts/base/bif/plugins/Bro_FileHash.events.bif.bro>
base/bif/plugins/Bro_PE.events.bif.bro </scripts/base/bif/plugins/Bro_PE.events.bif.bro>
base/bif/plugins/Bro_Unified2.events.bif.bro </scripts/base/bif/plugins/Bro_Unified2.events.bif.bro>
base/bif/plugins/Bro_Unified2.types.bif.bro </scripts/base/bif/plugins/Bro_Unified2.types.bif.bro>
base/bif/plugins/Bro_X509.events.bif.bro </scripts/base/bif/plugins/Bro_X509.events.bif.bro>
base/bif/plugins/Bro_X509.types.bif.bro </scripts/base/bif/plugins/Bro_X509.types.bif.bro>
base/bif/plugins/Bro_X509.functions.bif.bro </scripts/base/bif/plugins/Bro_X509.functions.bif.bro>
base/bif/plugins/Bro_X509.ocsp_events.bif.bro </scripts/base/bif/plugins/Bro_X509.ocsp_events.bif.bro>
base/bif/plugins/Bro_AsciiReader.ascii.bif.bro </scripts/base/bif/plugins/Bro_AsciiReader.ascii.bif.bro>
base/bif/plugins/Bro_BenchmarkReader.benchmark.bif.bro </scripts/base/bif/plugins/Bro_BenchmarkReader.benchmark.bif.bro>
base/bif/plugins/Bro_BinaryReader.binary.bif.bro </scripts/base/bif/plugins/Bro_BinaryReader.binary.bif.bro>
base/bif/plugins/Bro_ConfigReader.config.bif.bro </scripts/base/bif/plugins/Bro_ConfigReader.config.bif.bro>
base/bif/plugins/Bro_RawReader.raw.bif.bro </scripts/base/bif/plugins/Bro_RawReader.raw.bif.bro>
base/bif/plugins/Bro_SQLiteReader.sqlite.bif.bro </scripts/base/bif/plugins/Bro_SQLiteReader.sqlite.bif.bro>
base/bif/plugins/Bro_AsciiWriter.ascii.bif.bro </scripts/base/bif/plugins/Bro_AsciiWriter.ascii.bif.bro>
base/bif/plugins/Bro_NoneWriter.none.bif.bro </scripts/base/bif/plugins/Bro_NoneWriter.none.bif.bro>
base/bif/plugins/Bro_SQLiteWriter.sqlite.bif.bro </scripts/base/bif/plugins/Bro_SQLiteWriter.sqlite.bif.bro>
base/init-default.bro </scripts/base/init-default.bro>
base/utils/active-http.bro </scripts/base/utils/active-http.bro>
base/utils/exec.bro </scripts/base/utils/exec.bro>
base/utils/addrs.bro </scripts/base/utils/addrs.bro>
base/utils/conn-ids.bro </scripts/base/utils/conn-ids.bro>
base/utils/dir.bro </scripts/base/utils/dir.bro>
base/frameworks/reporter/__load__.bro </scripts/base/frameworks/reporter/__load__.bro>
base/frameworks/reporter/main.bro </scripts/base/frameworks/reporter/main.bro>
base/utils/paths.bro </scripts/base/utils/paths.bro>
base/utils/directions-and-hosts.bro </scripts/base/utils/directions-and-hosts.bro>
base/utils/email.bro </scripts/base/utils/email.bro>
base/utils/files.bro </scripts/base/utils/files.bro>
base/utils/geoip-distance.bro </scripts/base/utils/geoip-distance.bro>
base/utils/hash_hrw.bro </scripts/base/utils/hash_hrw.bro>
base/utils/numbers.bro </scripts/base/utils/numbers.bro>
base/utils/queue.bro </scripts/base/utils/queue.bro>
base/utils/strings.bro </scripts/base/utils/strings.bro>
base/utils/thresholds.bro </scripts/base/utils/thresholds.bro>
base/utils/time.bro </scripts/base/utils/time.bro>
base/utils/urls.bro </scripts/base/utils/urls.bro>
base/frameworks/notice/__load__.bro </scripts/base/frameworks/notice/__load__.bro>
base/frameworks/notice/main.bro </scripts/base/frameworks/notice/main.bro>
base/frameworks/cluster/__load__.bro </scripts/base/frameworks/cluster/__load__.bro>
base/frameworks/cluster/main.bro </scripts/base/frameworks/cluster/main.bro>
base/frameworks/control/__load__.bro </scripts/base/frameworks/control/__load__.bro>
base/frameworks/control/main.bro </scripts/base/frameworks/control/main.bro>
base/frameworks/cluster/pools.bro </scripts/base/frameworks/cluster/pools.bro>
base/frameworks/notice/weird.bro </scripts/base/frameworks/notice/weird.bro>
base/frameworks/notice/actions/drop.bro </scripts/base/frameworks/notice/actions/drop.bro>
base/frameworks/netcontrol/__load__.bro </scripts/base/frameworks/netcontrol/__load__.bro>
base/frameworks/netcontrol/types.bro </scripts/base/frameworks/netcontrol/types.bro>
base/frameworks/netcontrol/main.bro </scripts/base/frameworks/netcontrol/main.bro>
base/frameworks/netcontrol/plugin.bro </scripts/base/frameworks/netcontrol/plugin.bro>
base/frameworks/netcontrol/plugins/__load__.bro </scripts/base/frameworks/netcontrol/plugins/__load__.bro>
base/frameworks/netcontrol/plugins/debug.bro </scripts/base/frameworks/netcontrol/plugins/debug.bro>
base/frameworks/netcontrol/plugins/openflow.bro </scripts/base/frameworks/netcontrol/plugins/openflow.bro>
base/frameworks/openflow/__load__.bro </scripts/base/frameworks/openflow/__load__.bro>
base/frameworks/openflow/consts.bro </scripts/base/frameworks/openflow/consts.bro>
base/frameworks/openflow/types.bro </scripts/base/frameworks/openflow/types.bro>
base/frameworks/openflow/main.bro </scripts/base/frameworks/openflow/main.bro>
base/frameworks/openflow/plugins/__load__.bro </scripts/base/frameworks/openflow/plugins/__load__.bro>
base/frameworks/openflow/plugins/ryu.bro </scripts/base/frameworks/openflow/plugins/ryu.bro>
base/utils/json.bro </scripts/base/utils/json.bro>
base/frameworks/openflow/plugins/log.bro </scripts/base/frameworks/openflow/plugins/log.bro>
base/frameworks/openflow/plugins/broker.bro </scripts/base/frameworks/openflow/plugins/broker.bro>
base/frameworks/openflow/non-cluster.bro </scripts/base/frameworks/openflow/non-cluster.bro>
base/frameworks/netcontrol/plugins/packetfilter.bro </scripts/base/frameworks/netcontrol/plugins/packetfilter.bro>
base/frameworks/netcontrol/plugins/broker.bro </scripts/base/frameworks/netcontrol/plugins/broker.bro>
base/frameworks/netcontrol/plugins/acld.bro </scripts/base/frameworks/netcontrol/plugins/acld.bro>
base/frameworks/netcontrol/drop.bro </scripts/base/frameworks/netcontrol/drop.bro>
base/frameworks/netcontrol/shunt.bro </scripts/base/frameworks/netcontrol/shunt.bro>
base/frameworks/netcontrol/catch-and-release.bro </scripts/base/frameworks/netcontrol/catch-and-release.bro>
base/frameworks/netcontrol/non-cluster.bro </scripts/base/frameworks/netcontrol/non-cluster.bro>
base/frameworks/notice/actions/email_admin.bro </scripts/base/frameworks/notice/actions/email_admin.bro>
base/frameworks/notice/actions/page.bro </scripts/base/frameworks/notice/actions/page.bro>
base/frameworks/notice/actions/add-geodata.bro </scripts/base/frameworks/notice/actions/add-geodata.bro>
base/frameworks/notice/actions/pp-alarms.bro </scripts/base/frameworks/notice/actions/pp-alarms.bro>
base/frameworks/dpd/__load__.bro </scripts/base/frameworks/dpd/__load__.bro>
base/frameworks/dpd/main.bro </scripts/base/frameworks/dpd/main.bro>
base/frameworks/signatures/__load__.bro </scripts/base/frameworks/signatures/__load__.bro>
base/frameworks/signatures/main.bro </scripts/base/frameworks/signatures/main.bro>
base/frameworks/packet-filter/__load__.bro </scripts/base/frameworks/packet-filter/__load__.bro>
base/frameworks/packet-filter/main.bro </scripts/base/frameworks/packet-filter/main.bro>
base/frameworks/packet-filter/netstats.bro </scripts/base/frameworks/packet-filter/netstats.bro>
base/frameworks/software/__load__.bro </scripts/base/frameworks/software/__load__.bro>
base/frameworks/software/main.bro </scripts/base/frameworks/software/main.bro>
base/frameworks/intel/__load__.bro </scripts/base/frameworks/intel/__load__.bro>
base/frameworks/intel/main.bro </scripts/base/frameworks/intel/main.bro>
base/frameworks/intel/files.bro </scripts/base/frameworks/intel/files.bro>
base/frameworks/intel/input.bro </scripts/base/frameworks/intel/input.bro>
base/frameworks/config/__load__.bro </scripts/base/frameworks/config/__load__.bro>
base/frameworks/config/main.bro </scripts/base/frameworks/config/main.bro>
base/frameworks/config/input.bro </scripts/base/frameworks/config/input.bro>
base/frameworks/config/weird.bro </scripts/base/frameworks/config/weird.bro>
base/frameworks/sumstats/__load__.bro </scripts/base/frameworks/sumstats/__load__.bro>
base/frameworks/sumstats/main.bro </scripts/base/frameworks/sumstats/main.bro>
base/frameworks/sumstats/plugins/__load__.bro </scripts/base/frameworks/sumstats/plugins/__load__.bro>
base/frameworks/sumstats/plugins/average.bro </scripts/base/frameworks/sumstats/plugins/average.bro>
base/frameworks/sumstats/plugins/hll_unique.bro </scripts/base/frameworks/sumstats/plugins/hll_unique.bro>
base/frameworks/sumstats/plugins/last.bro </scripts/base/frameworks/sumstats/plugins/last.bro>
base/frameworks/sumstats/plugins/max.bro </scripts/base/frameworks/sumstats/plugins/max.bro>
base/frameworks/sumstats/plugins/min.bro </scripts/base/frameworks/sumstats/plugins/min.bro>
base/frameworks/sumstats/plugins/sample.bro </scripts/base/frameworks/sumstats/plugins/sample.bro>
base/frameworks/sumstats/plugins/std-dev.bro </scripts/base/frameworks/sumstats/plugins/std-dev.bro>
base/frameworks/sumstats/plugins/variance.bro </scripts/base/frameworks/sumstats/plugins/variance.bro>
base/frameworks/sumstats/plugins/sum.bro </scripts/base/frameworks/sumstats/plugins/sum.bro>
base/frameworks/sumstats/plugins/topk.bro </scripts/base/frameworks/sumstats/plugins/topk.bro>
base/frameworks/sumstats/plugins/unique.bro </scripts/base/frameworks/sumstats/plugins/unique.bro>
base/frameworks/sumstats/non-cluster.bro </scripts/base/frameworks/sumstats/non-cluster.bro>
base/frameworks/tunnels/__load__.bro </scripts/base/frameworks/tunnels/__load__.bro>
base/frameworks/tunnels/main.bro </scripts/base/frameworks/tunnels/main.bro>
base/protocols/conn/__load__.bro </scripts/base/protocols/conn/__load__.bro>
base/protocols/conn/main.bro </scripts/base/protocols/conn/main.bro>
base/protocols/conn/contents.bro </scripts/base/protocols/conn/contents.bro>
base/protocols/conn/inactivity.bro </scripts/base/protocols/conn/inactivity.bro>
base/protocols/conn/polling.bro </scripts/base/protocols/conn/polling.bro>
base/protocols/conn/thresholds.bro </scripts/base/protocols/conn/thresholds.bro>
base/protocols/dce-rpc/__load__.bro </scripts/base/protocols/dce-rpc/__load__.bro>
base/protocols/dce-rpc/consts.bro </scripts/base/protocols/dce-rpc/consts.bro>
base/protocols/dce-rpc/main.bro </scripts/base/protocols/dce-rpc/main.bro>
base/protocols/dhcp/__load__.bro </scripts/base/protocols/dhcp/__load__.bro>
base/protocols/dhcp/consts.bro </scripts/base/protocols/dhcp/consts.bro>
base/protocols/dhcp/main.bro </scripts/base/protocols/dhcp/main.bro>
base/protocols/dnp3/__load__.bro </scripts/base/protocols/dnp3/__load__.bro>
base/protocols/dnp3/main.bro </scripts/base/protocols/dnp3/main.bro>
base/protocols/dnp3/consts.bro </scripts/base/protocols/dnp3/consts.bro>
base/protocols/dns/__load__.bro </scripts/base/protocols/dns/__load__.bro>
base/protocols/dns/consts.bro </scripts/base/protocols/dns/consts.bro>
base/protocols/dns/main.bro </scripts/base/protocols/dns/main.bro>
base/protocols/ftp/__load__.bro </scripts/base/protocols/ftp/__load__.bro>
base/protocols/ftp/utils-commands.bro </scripts/base/protocols/ftp/utils-commands.bro>
base/protocols/ftp/info.bro </scripts/base/protocols/ftp/info.bro>
base/protocols/ftp/main.bro </scripts/base/protocols/ftp/main.bro>
base/protocols/ftp/utils.bro </scripts/base/protocols/ftp/utils.bro>
base/protocols/ftp/files.bro </scripts/base/protocols/ftp/files.bro>
base/protocols/ftp/gridftp.bro </scripts/base/protocols/ftp/gridftp.bro>
base/protocols/ssl/__load__.bro </scripts/base/protocols/ssl/__load__.bro>
base/protocols/ssl/consts.bro </scripts/base/protocols/ssl/consts.bro>
base/protocols/ssl/main.bro </scripts/base/protocols/ssl/main.bro>
base/protocols/ssl/mozilla-ca-list.bro </scripts/base/protocols/ssl/mozilla-ca-list.bro>
base/protocols/ssl/ct-list.bro </scripts/base/protocols/ssl/ct-list.bro>
base/protocols/ssl/files.bro </scripts/base/protocols/ssl/files.bro>
base/files/x509/__load__.bro </scripts/base/files/x509/__load__.bro>
base/files/x509/main.bro </scripts/base/files/x509/main.bro>
base/files/hash/__load__.bro </scripts/base/files/hash/__load__.bro>
base/files/hash/main.bro </scripts/base/files/hash/main.bro>
base/protocols/http/__load__.bro </scripts/base/protocols/http/__load__.bro>
base/protocols/http/main.bro </scripts/base/protocols/http/main.bro>
base/protocols/http/entities.bro </scripts/base/protocols/http/entities.bro>
base/protocols/http/utils.bro </scripts/base/protocols/http/utils.bro>
base/protocols/http/files.bro </scripts/base/protocols/http/files.bro>
base/protocols/imap/__load__.bro </scripts/base/protocols/imap/__load__.bro>
base/protocols/imap/main.bro </scripts/base/protocols/imap/main.bro>
base/protocols/irc/__load__.bro </scripts/base/protocols/irc/__load__.bro>
base/protocols/irc/main.bro </scripts/base/protocols/irc/main.bro>
base/protocols/irc/dcc-send.bro </scripts/base/protocols/irc/dcc-send.bro>
base/protocols/irc/files.bro </scripts/base/protocols/irc/files.bro>
base/protocols/krb/__load__.bro </scripts/base/protocols/krb/__load__.bro>
base/protocols/krb/main.bro </scripts/base/protocols/krb/main.bro>
base/protocols/krb/consts.bro </scripts/base/protocols/krb/consts.bro>
base/protocols/krb/files.bro </scripts/base/protocols/krb/files.bro>
base/protocols/modbus/__load__.bro </scripts/base/protocols/modbus/__load__.bro>
base/protocols/modbus/consts.bro </scripts/base/protocols/modbus/consts.bro>
base/protocols/modbus/main.bro </scripts/base/protocols/modbus/main.bro>
base/protocols/mysql/__load__.bro </scripts/base/protocols/mysql/__load__.bro>
base/protocols/mysql/main.bro </scripts/base/protocols/mysql/main.bro>
base/protocols/mysql/consts.bro </scripts/base/protocols/mysql/consts.bro>
base/protocols/ntlm/__load__.bro </scripts/base/protocols/ntlm/__load__.bro>
base/protocols/ntlm/main.bro </scripts/base/protocols/ntlm/main.bro>
base/protocols/pop3/__load__.bro </scripts/base/protocols/pop3/__load__.bro>
base/protocols/radius/__load__.bro </scripts/base/protocols/radius/__load__.bro>
base/protocols/radius/main.bro </scripts/base/protocols/radius/main.bro>
base/protocols/radius/consts.bro </scripts/base/protocols/radius/consts.bro>
base/protocols/rdp/__load__.bro </scripts/base/protocols/rdp/__load__.bro>
base/protocols/rdp/consts.bro </scripts/base/protocols/rdp/consts.bro>
base/protocols/rdp/main.bro </scripts/base/protocols/rdp/main.bro>
base/protocols/rfb/__load__.bro </scripts/base/protocols/rfb/__load__.bro>
base/protocols/rfb/main.bro </scripts/base/protocols/rfb/main.bro>
base/protocols/sip/__load__.bro </scripts/base/protocols/sip/__load__.bro>
base/protocols/sip/main.bro </scripts/base/protocols/sip/main.bro>
base/protocols/snmp/__load__.bro </scripts/base/protocols/snmp/__load__.bro>
base/protocols/snmp/main.bro </scripts/base/protocols/snmp/main.bro>
base/protocols/smb/__load__.bro </scripts/base/protocols/smb/__load__.bro>
base/protocols/smb/consts.bro </scripts/base/protocols/smb/consts.bro>
base/protocols/smb/const-dos-error.bro </scripts/base/protocols/smb/const-dos-error.bro>
base/protocols/smb/const-nt-status.bro </scripts/base/protocols/smb/const-nt-status.bro>
base/protocols/smb/main.bro </scripts/base/protocols/smb/main.bro>
base/protocols/smb/smb1-main.bro </scripts/base/protocols/smb/smb1-main.bro>
base/protocols/smb/smb2-main.bro </scripts/base/protocols/smb/smb2-main.bro>
base/protocols/smb/files.bro </scripts/base/protocols/smb/files.bro>
base/protocols/smtp/__load__.bro </scripts/base/protocols/smtp/__load__.bro>
base/protocols/smtp/main.bro </scripts/base/protocols/smtp/main.bro>
base/protocols/smtp/entities.bro </scripts/base/protocols/smtp/entities.bro>
base/protocols/smtp/files.bro </scripts/base/protocols/smtp/files.bro>
base/protocols/socks/__load__.bro </scripts/base/protocols/socks/__load__.bro>
base/protocols/socks/consts.bro </scripts/base/protocols/socks/consts.bro>
base/protocols/socks/main.bro </scripts/base/protocols/socks/main.bro>
base/protocols/ssh/__load__.bro </scripts/base/protocols/ssh/__load__.bro>
base/protocols/ssh/main.bro </scripts/base/protocols/ssh/main.bro>
base/protocols/syslog/__load__.bro </scripts/base/protocols/syslog/__load__.bro>
base/protocols/syslog/consts.bro </scripts/base/protocols/syslog/consts.bro>
base/protocols/syslog/main.bro </scripts/base/protocols/syslog/main.bro>
base/protocols/tunnels/__load__.bro </scripts/base/protocols/tunnels/__load__.bro>
base/protocols/xmpp/__load__.bro </scripts/base/protocols/xmpp/__load__.bro>
base/protocols/xmpp/main.bro </scripts/base/protocols/xmpp/main.bro>
base/files/pe/__load__.bro </scripts/base/files/pe/__load__.bro>
base/files/pe/consts.bro </scripts/base/files/pe/consts.bro>
base/files/pe/main.bro </scripts/base/files/pe/main.bro>
base/files/extract/__load__.bro </scripts/base/files/extract/__load__.bro>
base/files/extract/main.bro </scripts/base/files/extract/main.bro>
base/files/unified2/__load__.bro </scripts/base/files/unified2/__load__.bro>
base/files/unified2/main.bro </scripts/base/files/unified2/main.bro>
base/misc/find-checksum-offloading.bro </scripts/base/misc/find-checksum-offloading.bro>
base/misc/find-filtered-trace.bro </scripts/base/misc/find-filtered-trace.bro>
base/misc/version.bro </scripts/base/misc/version.bro>
broxygen/__load__.bro </scripts/broxygen/__load__.bro>
test-all-policy.bro </scripts/test-all-policy.bro>
policy/frameworks/dpd/detect-protocols.bro </scripts/policy/frameworks/dpd/detect-protocols.bro>
policy/frameworks/dpd/packet-segment-logging.bro </scripts/policy/frameworks/dpd/packet-segment-logging.bro>
policy/frameworks/intel/do_notice.bro </scripts/policy/frameworks/intel/do_notice.bro>
policy/frameworks/intel/do_expire.bro </scripts/policy/frameworks/intel/do_expire.bro>
policy/frameworks/intel/whitelist.bro </scripts/policy/frameworks/intel/whitelist.bro>
policy/frameworks/intel/seen/__load__.bro </scripts/policy/frameworks/intel/seen/__load__.bro>
policy/frameworks/intel/seen/conn-established.bro </scripts/policy/frameworks/intel/seen/conn-established.bro>
policy/frameworks/intel/seen/where-locations.bro </scripts/policy/frameworks/intel/seen/where-locations.bro>
policy/frameworks/intel/seen/dns.bro </scripts/policy/frameworks/intel/seen/dns.bro>
policy/frameworks/intel/seen/file-hashes.bro </scripts/policy/frameworks/intel/seen/file-hashes.bro>
policy/frameworks/intel/seen/file-names.bro </scripts/policy/frameworks/intel/seen/file-names.bro>
policy/frameworks/intel/seen/http-headers.bro </scripts/policy/frameworks/intel/seen/http-headers.bro>
policy/frameworks/intel/seen/http-url.bro </scripts/policy/frameworks/intel/seen/http-url.bro>
policy/frameworks/intel/seen/pubkey-hashes.bro </scripts/policy/frameworks/intel/seen/pubkey-hashes.bro>
policy/frameworks/intel/seen/ssl.bro </scripts/policy/frameworks/intel/seen/ssl.bro>
policy/frameworks/intel/seen/smtp.bro </scripts/policy/frameworks/intel/seen/smtp.bro>
policy/frameworks/intel/seen/smtp-url-extraction.bro </scripts/policy/frameworks/intel/seen/smtp-url-extraction.bro>
policy/frameworks/intel/seen/x509.bro </scripts/policy/frameworks/intel/seen/x509.bro>
policy/frameworks/files/detect-MHR.bro </scripts/policy/frameworks/files/detect-MHR.bro>
policy/frameworks/files/hash-all-files.bro </scripts/policy/frameworks/files/hash-all-files.bro>
policy/frameworks/files/entropy-test-all-files.bro </scripts/policy/frameworks/files/entropy-test-all-files.bro>
policy/frameworks/notice/__load__.bro </scripts/policy/frameworks/notice/__load__.bro>
policy/frameworks/notice/extend-email/hostnames.bro </scripts/policy/frameworks/notice/extend-email/hostnames.bro>
policy/files/x509/log-ocsp.bro </scripts/policy/files/x509/log-ocsp.bro>
policy/frameworks/packet-filter/shunt.bro </scripts/policy/frameworks/packet-filter/shunt.bro>
policy/frameworks/software/version-changes.bro </scripts/policy/frameworks/software/version-changes.bro>
policy/frameworks/software/vulnerable.bro </scripts/policy/frameworks/software/vulnerable.bro>
policy/frameworks/software/windows-version-detection.bro </scripts/policy/frameworks/software/windows-version-detection.bro>
policy/integration/barnyard2/__load__.bro </scripts/policy/integration/barnyard2/__load__.bro>
policy/integration/barnyard2/types.bro </scripts/policy/integration/barnyard2/types.bro>
policy/integration/barnyard2/main.bro </scripts/policy/integration/barnyard2/main.bro>
policy/integration/collective-intel/__load__.bro </scripts/policy/integration/collective-intel/__load__.bro>
policy/integration/collective-intel/main.bro </scripts/policy/integration/collective-intel/main.bro>
policy/misc/capture-loss.bro </scripts/policy/misc/capture-loss.bro>
policy/misc/detect-traceroute/__load__.bro </scripts/policy/misc/detect-traceroute/__load__.bro>
policy/misc/detect-traceroute/main.bro </scripts/policy/misc/detect-traceroute/main.bro>
policy/misc/load-balancing.bro </scripts/policy/misc/load-balancing.bro>
policy/misc/loaded-scripts.bro </scripts/policy/misc/loaded-scripts.bro>
policy/misc/profiling.bro </scripts/policy/misc/profiling.bro>
policy/misc/scan.bro </scripts/policy/misc/scan.bro>
policy/misc/stats.bro </scripts/policy/misc/stats.bro>
policy/misc/weird-stats.bro </scripts/policy/misc/weird-stats.bro>
policy/misc/trim-trace-file.bro </scripts/policy/misc/trim-trace-file.bro>
policy/protocols/conn/known-hosts.bro </scripts/policy/protocols/conn/known-hosts.bro>
policy/protocols/conn/known-services.bro </scripts/policy/protocols/conn/known-services.bro>
policy/protocols/conn/mac-logging.bro </scripts/policy/protocols/conn/mac-logging.bro>
policy/protocols/conn/vlan-logging.bro </scripts/policy/protocols/conn/vlan-logging.bro>
policy/protocols/conn/weirds.bro </scripts/policy/protocols/conn/weirds.bro>
policy/protocols/dhcp/msg-orig.bro </scripts/policy/protocols/dhcp/msg-orig.bro>
policy/protocols/dhcp/software.bro </scripts/policy/protocols/dhcp/software.bro>
policy/protocols/dhcp/sub-opts.bro </scripts/policy/protocols/dhcp/sub-opts.bro>
policy/protocols/dns/auth-addl.bro </scripts/policy/protocols/dns/auth-addl.bro>
policy/protocols/dns/detect-external-names.bro </scripts/policy/protocols/dns/detect-external-names.bro>
policy/protocols/ftp/detect-bruteforcing.bro </scripts/policy/protocols/ftp/detect-bruteforcing.bro>
policy/protocols/ftp/detect.bro </scripts/policy/protocols/ftp/detect.bro>
policy/protocols/ftp/software.bro </scripts/policy/protocols/ftp/software.bro>
policy/protocols/http/detect-sqli.bro </scripts/policy/protocols/http/detect-sqli.bro>
policy/protocols/http/detect-webapps.bro </scripts/policy/protocols/http/detect-webapps.bro>
policy/protocols/http/header-names.bro </scripts/policy/protocols/http/header-names.bro>
policy/protocols/http/software-browser-plugins.bro </scripts/policy/protocols/http/software-browser-plugins.bro>
policy/protocols/http/software.bro </scripts/policy/protocols/http/software.bro>
policy/protocols/http/var-extraction-cookies.bro </scripts/policy/protocols/http/var-extraction-cookies.bro>
policy/protocols/http/var-extraction-uri.bro </scripts/policy/protocols/http/var-extraction-uri.bro>
policy/protocols/krb/ticket-logging.bro </scripts/policy/protocols/krb/ticket-logging.bro>
policy/protocols/modbus/known-masters-slaves.bro </scripts/policy/protocols/modbus/known-masters-slaves.bro>
policy/protocols/modbus/track-memmap.bro </scripts/policy/protocols/modbus/track-memmap.bro>
policy/protocols/mysql/software.bro </scripts/policy/protocols/mysql/software.bro>
policy/protocols/rdp/indicate_ssl.bro </scripts/policy/protocols/rdp/indicate_ssl.bro>
policy/protocols/smb/log-cmds.bro </scripts/policy/protocols/smb/log-cmds.bro>
policy/protocols/smtp/blocklists.bro </scripts/policy/protocols/smtp/blocklists.bro>
policy/protocols/smtp/detect-suspicious-orig.bro </scripts/policy/protocols/smtp/detect-suspicious-orig.bro>
policy/protocols/smtp/entities-excerpt.bro </scripts/policy/protocols/smtp/entities-excerpt.bro>
policy/protocols/smtp/software.bro </scripts/policy/protocols/smtp/software.bro>
policy/protocols/ssh/detect-bruteforcing.bro </scripts/policy/protocols/ssh/detect-bruteforcing.bro>
policy/protocols/ssh/geo-data.bro </scripts/policy/protocols/ssh/geo-data.bro>
policy/protocols/ssh/interesting-hostnames.bro </scripts/policy/protocols/ssh/interesting-hostnames.bro>
policy/protocols/ssh/software.bro </scripts/policy/protocols/ssh/software.bro>
policy/protocols/ssl/expiring-certs.bro </scripts/policy/protocols/ssl/expiring-certs.bro>
policy/protocols/ssl/extract-certs-pem.bro </scripts/policy/protocols/ssl/extract-certs-pem.bro>
policy/protocols/ssl/heartbleed.bro </scripts/policy/protocols/ssl/heartbleed.bro>
policy/protocols/ssl/known-certs.bro </scripts/policy/protocols/ssl/known-certs.bro>
policy/protocols/ssl/log-hostcerts-only.bro </scripts/policy/protocols/ssl/log-hostcerts-only.bro>
policy/protocols/ssl/validate-certs.bro </scripts/policy/protocols/ssl/validate-certs.bro>
policy/protocols/ssl/validate-ocsp.bro </scripts/policy/protocols/ssl/validate-ocsp.bro>
policy/protocols/ssl/validate-sct.bro </scripts/policy/protocols/ssl/validate-sct.bro>
policy/protocols/ssl/weak-keys.bro </scripts/policy/protocols/ssl/weak-keys.bro>
policy/tuning/__load__.bro </scripts/policy/tuning/__load__.bro>
policy/tuning/defaults/__load__.bro </scripts/policy/tuning/defaults/__load__.bro>
policy/tuning/defaults/packet-fragments.bro </scripts/policy/tuning/defaults/packet-fragments.bro>
policy/tuning/defaults/warnings.bro </scripts/policy/tuning/defaults/warnings.bro>
policy/tuning/defaults/extracted_file_limits.bro </scripts/policy/tuning/defaults/extracted_file_limits.bro>
policy/tuning/json-logs.bro </scripts/policy/tuning/json-logs.bro>
policy/tuning/track-all-assets.bro </scripts/policy/tuning/track-all-assets.bro>
policy/protocols/ssl/notary.bro </scripts/policy/protocols/ssl/notary.bro>
policy/frameworks/control/controllee.bro </scripts/policy/frameworks/control/controllee.bro>
policy/frameworks/control/controller.bro </scripts/policy/frameworks/control/controller.bro>
policy/frameworks/files/extract-all-files.bro </scripts/policy/frameworks/files/extract-all-files.bro>
policy/misc/dump-events.bro </scripts/policy/misc/dump-events.bro>
policy/protocols/dhcp/deprecated_events.bro </scripts/policy/protocols/dhcp/deprecated_events.bro>
policy/protocols/smb/__load__.bro </scripts/policy/protocols/smb/__load__.bro>
broxygen/example.bro </scripts/broxygen/example.bro>
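
Review bot: The entries in this generated list are not sorted and appear to follow script load order: `base/protocols/mysql/main.bro` precedes `base/protocols/mysql/consts.bro`, the `snmp` entries precede `smb`, and `policy/protocols/ssl/notary.bro` sits after the `policy/tuning/` entries. Since the commit message says tests check that the generated files are up to date, any change to load order will reorder the committed file and fail that test for reasons unrelated to documentation. Consider sorting the entries in the generator so diffs stay minimal. The list also publishes `test-all-policy.bro` and `broxygen/example.bro`, which look like test and example scripts; confirm they are meant to appear in the user-facing index.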

View file

@ -1 +1 @@
.. broxygen:file_analyzer:: *
.. include:: autogenerated-file-analyzer-index.rst
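
Review bot: On the added `.. include:: autogenerated-file-analyzer-index.rst` line, the included file carries the `.rst` source suffix and is resolved next to this wrapper, so Sphinx will also build it as a standalone document unless it is listed in `exclude_patterns` in `conf.py`. That yields a "document isn't included in any toctree" warning and can register each `.. bro:type::` and `.. bro:id::` description twice, which makes cross-reference targets ambiguous. Either exclude the `autogenerated-*.rst` files from the build or give them a non-source suffix; the same applies to the other include wrappers changed in this commit.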

View file

@ -11,4 +11,4 @@ Packages/scripts in the ``base/`` directory are all loaded by default, while
ones in ``policy/`` provide functionality and customization options that are
more appropriate for users to decide whether they'd like to load it or not.
.. broxygen:package_index:: *
.. include:: autogenerated-package-index.rst
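
Review bot: Nothing near the new `.. include:: autogenerated-package-index.rst` line tells an editor that the included file is generated, so someone correcting the index is likely to edit the output and lose the change at the next regeneration. Add a reST comment above the include that names the script used to regenerate it, and have the generator write a "do not edit" comment at the top of its output.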

View file

@ -1 +1 @@
.. broxygen:proto_analyzer:: *
.. include:: autogenerated-protocol-analyzer-index.rst
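
Review bot: After this change the file is a single `.. include::` line, so the whole page depends on `autogenerated-protocol-analyzer-index.rst` being present and readable. By default docutils reports a failed include as a system message in the output and the build carries on, which would leave the protocol analyzer reference page without content. Run the documentation build with warnings treated as errors (`sphinx-build -W`) in the same check that verifies the generated files, so a missing or renamed file fails the build instead.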

View file

@ -2,4 +2,4 @@
Bro Script Index
================
.. broxygen:script_index:: *
.. include:: autogenerated-script-index.rst