Remove broxygen Sphinx integration

The broxygen-generated files now live in the git repo, have tests
that check that they are up-to-date, and a script to re-generate
them on-demand.
Jon Siwek 2018-12-17 16:25:41 -06:00
parent 9e5e9d04b7
commit 7e9d48f532
549 changed files with 89909 additions and 100 deletions

@ -0,0 +1,14 @@
:tocdepth: 3
base/protocols/conn/__load__.bro
================================
:Imports: :doc:`base/protocols/conn/contents.bro </scripts/base/protocols/conn/contents.bro>`, :doc:`base/protocols/conn/inactivity.bro </scripts/base/protocols/conn/inactivity.bro>`, :doc:`base/protocols/conn/main.bro </scripts/base/protocols/conn/main.bro>`, :doc:`base/protocols/conn/polling.bro </scripts/base/protocols/conn/polling.bro>`, :doc:`base/protocols/conn/thresholds.bro </scripts/base/protocols/conn/thresholds.bro>`
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~
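Review bot: the Summary and Detailed Interface headings at the end of this file are empty, with nothing rendered under them, because a `__load__.bro` script only has imports. Consider having the generator skip empty sections (or emit a single line saying the script only loads other scripts) so that the `__load__.bro` pages in this commit, including the dce-rpc and dhcp ones further down, do not render as bare headings.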

@ -0,0 +1,63 @@
:tocdepth: 3
base/protocols/conn/contents.bro
================================
.. bro:namespace:: Conn
This script can be used to extract either the originator's data or the
responders data or both. By default nothing is extracted, and in order
to actually extract data the ``c$extract_orig`` and/or the
``c$extract_resp`` variable must be set to ``T``. One way to achieve this
would be to handle the :bro:id:`connection_established` event elsewhere
and set the ``extract_orig`` and ``extract_resp`` options there.
However, there may be trouble with the timing due to event queue delay.
.. note::
This script does not work well in a cluster context unless it has a
remotely mounted disk to write the content files to.
:Namespace: Conn
:Imports: :doc:`base/utils/files.bro </scripts/base/utils/files.bro>`
Summary
~~~~~~~
Runtime Options
###############
======================================================================== ==================================================================
:bro:id:`Conn::default_extract`: :bro:type:`bool` :bro:attr:`&redef` If this variable is set to ``T``, then all contents of all
connections will be extracted.
:bro:id:`Conn::extraction_prefix`: :bro:type:`string` :bro:attr:`&redef` The prefix given to files containing extracted connections as they
are opened on disk.
======================================================================== ==================================================================
Redefinitions
#############
========================================== =
:bro:type:`connection`: :bro:type:`record`
========================================== =
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. bro:id:: Conn::default_extract
:Type: :bro:type:`bool`
:Attributes: :bro:attr:`&redef`
:Default: ``F``
If this variable is set to ``T``, then all contents of all
connections will be extracted.
.. bro:id:: Conn::extraction_prefix
:Type: :bro:type:`string`
:Attributes: :bro:attr:`&redef`
:Default: ``"contents"``
The prefix given to files containing extracted connections as they
are opened on disk.
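Review bot: the docstring carried over from the script has a typo at "responders data" (should be "responder's data"), and since these .rst files are now regenerated and test-checked, the fix belongs in the doc comment of `base/protocols/conn/contents.bro`, not here. The same paragraph calls `extract_orig` and `extract_resp` "options", but the Runtime Options section lists only `Conn::default_extract` and `Conn::extraction_prefix`; `c$extract_orig` and `c$extract_resp` are per-connection fields added by the `connection` redefinition, so calling them fields would avoid confusion. The cluster note is also the kind of operational caveat that is easy to miss at the top of the page; repeating it next to `Conn::default_extract` would help, since setting that to `T` is what causes content files to be written to disk for every connection.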

@ -0,0 +1,60 @@
:tocdepth: 3
base/protocols/conn/inactivity.bro
==================================
.. bro:namespace:: Conn
Adjust the inactivity timeouts for interactive services which could
very possibly have long delays between packets.
:Namespace: Conn
Summary
~~~~~~~
Runtime Options
###############
================================================================================== ==================================================================
:bro:id:`Conn::analyzer_inactivity_timeouts`: :bro:type:`table` :bro:attr:`&redef` Define inactivity timeouts by the service detected being used over
the connection.
:bro:id:`Conn::port_inactivity_timeouts`: :bro:type:`table` :bro:attr:`&redef` Define inactivity timeouts based on common protocol ports.
================================================================================== ==================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. bro:id:: Conn::analyzer_inactivity_timeouts
:Type: :bro:type:`table` [:bro:type:`Analyzer::Tag`] of :bro:type:`interval`
:Attributes: :bro:attr:`&redef`
:Default:
::
{
[Analyzer::ANALYZER_FTP] = 1.0 hr,
[Analyzer::ANALYZER_SSH] = 1.0 hr
}
Define inactivity timeouts by the service detected being used over
the connection.
.. bro:id:: Conn::port_inactivity_timeouts
:Type: :bro:type:`table` [:bro:type:`port`] of :bro:type:`interval`
:Attributes: :bro:attr:`&redef`
:Default:
::
{
[22/tcp] = 1.0 hr,
[513/tcp] = 1.0 hr,
[21/tcp] = 1.0 hr,
[23/tcp] = 1.0 hr
}
Define inactivity timeouts based on common protocol ports.
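Review bot: the `:Default:` block for `Conn::port_inactivity_timeouts` is emitted in table iteration order (`[22/tcp]`, `[513/tcp]`, `[21/tcp]`, `[23/tcp]` rather than ascending), so the committed text depends on the internal ordering of the table. Since the commit message says tests now check that these files are up to date, any change in iteration order (a different platform or Bro version) would fail that test without a real documentation change; sorting table keys in the generator before emitting defaults would make the output stable, and the same applies to the much larger DHCP tables later in this commit.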

@ -0,0 +1,51 @@
:orphan:
Package: base/protocols/conn
============================
Support for connection (TCP, UDP, or ICMP) analysis.
:doc:`/scripts/base/protocols/conn/__load__.bro`
:doc:`/scripts/base/protocols/conn/main.bro`
This script manages the tracking/logging of general information regarding
TCP, UDP, and ICMP traffic. For UDP and ICMP, "connections" are to
be interpreted using flow semantics (sequence of packets from a source
host/port to a destination host/port). Further, ICMP "ports" are to
be interpreted as the source port meaning the ICMP message type and
the destination port being the ICMP message code.
:doc:`/scripts/base/protocols/conn/contents.bro`
This script can be used to extract either the originator's data or the
responders data or both. By default nothing is extracted, and in order
to actually extract data the ``c$extract_orig`` and/or the
``c$extract_resp`` variable must be set to ``T``. One way to achieve this
would be to handle the :bro:id:`connection_established` event elsewhere
and set the ``extract_orig`` and ``extract_resp`` options there.
However, there may be trouble with the timing due to event queue delay.
.. note::
This script does not work well in a cluster context unless it has a
remotely mounted disk to write the content files to.
:doc:`/scripts/base/protocols/conn/inactivity.bro`
Adjust the inactivity timeouts for interactive services which could
very possibly have long delays between packets.
:doc:`/scripts/base/protocols/conn/polling.bro`
Implements a generic way to poll connections looking for certain features
(e.g. monitor bytes transferred). The specific feature of a connection
to look for, the polling interval, and the code to execute if the feature
is found are all controlled by user-defined callback functions.
:doc:`/scripts/base/protocols/conn/thresholds.bro`
Implements a generic API to throw events when a connection crosses a
fixed threshold of bytes or packets.

@ -0,0 +1,201 @@
:tocdepth: 3
base/protocols/conn/main.bro
============================
.. bro:namespace:: Conn
This script manages the tracking/logging of general information regarding
TCP, UDP, and ICMP traffic. For UDP and ICMP, "connections" are to
be interpreted using flow semantics (sequence of packets from a source
host/port to a destination host/port). Further, ICMP "ports" are to
be interpreted as the source port meaning the ICMP message type and
the destination port being the ICMP message code.
:Namespace: Conn
:Imports: :doc:`base/utils/site.bro </scripts/base/utils/site.bro>`
Summary
~~~~~~~
Types
#####
========================================== ===================================================================
:bro:type:`Conn::Info`: :bro:type:`record` The record type which contains column fields of the connection log.
========================================== ===================================================================
Redefinitions
#############
========================================== =========================================
:bro:type:`Log::ID`: :bro:type:`enum` The connection logging stream identifier.
:bro:type:`connection`: :bro:type:`record`
========================================== =========================================
Events
######
=========================================== ==============================================================
:bro:id:`Conn::log_conn`: :bro:type:`event` Event that can be handled to access the :bro:type:`Conn::Info`
record as it is sent on to the logging framework.
=========================================== ==============================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Types
#####
.. bro:type:: Conn::Info
:Type: :bro:type:`record`
ts: :bro:type:`time` :bro:attr:`&log`
This is the time of the first packet.
uid: :bro:type:`string` :bro:attr:`&log`
A unique identifier of the connection.
id: :bro:type:`conn_id` :bro:attr:`&log`
The connection's 4-tuple of endpoint addresses/ports.
proto: :bro:type:`transport_proto` :bro:attr:`&log`
The transport layer protocol of the connection.
service: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
An identification of an application protocol being sent over
the connection.
duration: :bro:type:`interval` :bro:attr:`&log` :bro:attr:`&optional`
How long the connection lasted. For 3-way or 4-way connection
tear-downs, this will not include the final ACK.
orig_bytes: :bro:type:`count` :bro:attr:`&log` :bro:attr:`&optional`
The number of payload bytes the originator sent. For TCP
this is taken from sequence numbers and might be inaccurate
(e.g., due to large connections).
resp_bytes: :bro:type:`count` :bro:attr:`&log` :bro:attr:`&optional`
The number of payload bytes the responder sent. See
*orig_bytes*.
conn_state: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
========== ===============================================
conn_state Meaning
========== ===============================================
S0 Connection attempt seen, no reply.
S1 Connection established, not terminated.
SF Normal establishment and termination. Note that this is the same symbol as for state S1. You can tell the two apart because for S1 there will not be any byte counts in the summary, while for SF there will be.
REJ Connection attempt rejected.
S2 Connection established and close attempt by originator seen (but no reply from responder).
S3 Connection established and close attempt by responder seen (but no reply from originator).
RSTO Connection established, originator aborted (sent a RST).
RSTR Responder sent a RST.
RSTOS0 Originator sent a SYN followed by a RST, we never saw a SYN-ACK from the responder.
RSTRH Responder sent a SYN ACK followed by a RST, we never saw a SYN from the (purported) originator.
SH Originator sent a SYN followed by a FIN, we never saw a SYN ACK from the responder (hence the connection was "half" open).
SHR Responder sent a SYN ACK followed by a FIN, we never saw a SYN from the originator.
OTH No SYN seen, just midstream traffic (a "partial connection" that was not later closed).
========== ===============================================
local_orig: :bro:type:`bool` :bro:attr:`&log` :bro:attr:`&optional`
If the connection is originated locally, this value will be T.
If it was originated remotely it will be F. In the case that
the :bro:id:`Site::local_nets` variable is undefined, this
field will be left empty at all times.
local_resp: :bro:type:`bool` :bro:attr:`&log` :bro:attr:`&optional`
If the connection is responded to locally, this value will be T.
If it was responded to remotely it will be F. In the case that
the :bro:id:`Site::local_nets` variable is undefined, this
field will be left empty at all times.
missed_bytes: :bro:type:`count` :bro:attr:`&log` :bro:attr:`&default` = ``0`` :bro:attr:`&optional`
Indicates the number of bytes missed in content gaps, which
is representative of packet loss. A value other than zero
will normally cause protocol analysis to fail but some
analysis may have been completed prior to the packet loss.
history: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Records the state history of connections as a string of
letters. The meaning of those letters is:
====== ====================================================
Letter Meaning
====== ====================================================
s a SYN w/o the ACK bit set
h a SYN+ACK ("handshake")
a a pure ACK
d packet with payload ("data")
f packet with FIN bit set
r packet with RST bit set
c packet with a bad checksum (applies to UDP too)
t packet with retransmitted payload
w packet with a zero window advertisement
i inconsistent packet (e.g. FIN+RST bits set)
q multi-flag packet (SYN+FIN or SYN+RST bits set)
^ connection direction was flipped by Bro's heuristic
====== ====================================================
If the event comes from the originator, the letter is in
upper-case; if it comes from the responder, it's in
lower-case. The 'a', 'd', 'i' and 'q' flags are
recorded a maximum of one time in either direction regardless
of how many are actually seen. 'f', 'h', 'r' and
's' can be recorded multiple times for either direction
if the associated sequence number differs from the
last-seen packet of the same flag type.
'c', 't' and 'w' are recorded in a logarithmic fashion:
the second instance represents that the event was seen
(at least) 10 times; the third instance, 100 times; etc.
orig_pkts: :bro:type:`count` :bro:attr:`&log` :bro:attr:`&optional`
Number of packets that the originator sent.
Only set if :bro:id:`use_conn_size_analyzer` = T.
orig_ip_bytes: :bro:type:`count` :bro:attr:`&log` :bro:attr:`&optional`
Number of IP level bytes that the originator sent (as seen on
the wire, taken from the IP total_length header field).
Only set if :bro:id:`use_conn_size_analyzer` = T.
resp_pkts: :bro:type:`count` :bro:attr:`&log` :bro:attr:`&optional`
Number of packets that the responder sent.
Only set if :bro:id:`use_conn_size_analyzer` = T.
resp_ip_bytes: :bro:type:`count` :bro:attr:`&log` :bro:attr:`&optional`
Number of IP level bytes that the responder sent (as seen on
the wire, taken from the IP total_length header field).
Only set if :bro:id:`use_conn_size_analyzer` = T.
tunnel_parents: :bro:type:`set` [:bro:type:`string`] :bro:attr:`&log` :bro:attr:`&optional`
If this connection was over a tunnel, indicate the
*uid* values for any encapsulating parent connections
used over the lifetime of this inner connection.
orig_l2_addr: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/conn/mac-logging.bro` is loaded)
Link-layer address of the originator, if available.
resp_l2_addr: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/conn/mac-logging.bro` is loaded)
Link-layer address of the responder, if available.
vlan: :bro:type:`int` :bro:attr:`&log` :bro:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/conn/vlan-logging.bro` is loaded)
The outer VLAN for this connection, if applicable.
inner_vlan: :bro:type:`int` :bro:attr:`&log` :bro:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/conn/vlan-logging.bro` is loaded)
The inner VLAN for this connection, if applicable.
The record type which contains column fields of the connection log.
Events
######
.. bro:id:: Conn::log_conn
:Type: :bro:type:`event` (rec: :bro:type:`Conn::Info`)
Event that can be handled to access the :bro:type:`Conn::Info`
record as it is sent on to the logging framework.
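Review bot: the `SF` row of the `conn_state` table says "this is the same symbol as for state S1", which contradicts the table itself (the symbols are `S1` and `SF`); the useful part of that remark is that the two are told apart by the presence of byte counts, so the sentence about the symbol should be dropped or reworded in the source docstring. `conn_state` is also the only `Conn::Info` field whose description goes straight into a table without a lead sentence. Worth surfacing more prominently: `local_orig` and `local_resp` stay empty unless `Site::local_nets` is defined, and a non-zero `missed_bytes` is the first thing to check when a connection's protocol analysis looks incomplete; both facts are buried in field docs that readers of `conn.log` rarely reach.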

@ -0,0 +1,51 @@
:tocdepth: 3
base/protocols/conn/polling.bro
===============================
.. bro:namespace:: ConnPolling
Implements a generic way to poll connections looking for certain features
(e.g. monitor bytes transferred). The specific feature of a connection
to look for, the polling interval, and the code to execute if the feature
is found are all controlled by user-defined callback functions.
:Namespace: ConnPolling
Summary
~~~~~~~
Functions
#########
================================================== =====================================
:bro:id:`ConnPolling::watch`: :bro:type:`function` Starts monitoring a given connection.
================================================== =====================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. bro:id:: ConnPolling::watch
:Type: :bro:type:`function` (c: :bro:type:`connection`, callback: :bro:type:`function` (c: :bro:type:`connection`, cnt: :bro:type:`count`) : :bro:type:`interval`, cnt: :bro:type:`count`, i: :bro:type:`interval`) : :bro:type:`void`
Starts monitoring a given connection.
:c: The connection to watch.
:callback: A callback function that takes as arguments the monitored
*connection*, and counter *cnt* that increments each time
the callback is called. It returns an interval indicating
how long in the future to schedule an event which will call
the callback. A negative return interval causes polling
to stop.
:cnt: The initial value of a counter which gets passed to *callback*.
:i: The initial interval at which to schedule the next callback.
May be ``0secs`` to poll right away.

@ -0,0 +1,172 @@
:tocdepth: 3
base/protocols/conn/thresholds.bro
==================================
.. bro:namespace:: ConnThreshold
Implements a generic API to throw events when a connection crosses a
fixed threshold of bytes or packets.
:Namespace: ConnThreshold
Summary
~~~~~~~
Types
#####
========================================================= =
:bro:type:`ConnThreshold::Thresholds`: :bro:type:`record`
========================================================= =
Redefinitions
#############
========================================== =
:bro:type:`connection`: :bro:type:`record`
========================================== =
Events
######
===================================================================== ============================================================
:bro:id:`ConnThreshold::bytes_threshold_crossed`: :bro:type:`event` Generated for a connection that crossed a set byte threshold
:bro:id:`ConnThreshold::packets_threshold_crossed`: :bro:type:`event` Generated for a connection that crossed a set byte threshold
===================================================================== ============================================================
Functions
#########
======================================================================= ===================================================================================================
:bro:id:`ConnThreshold::delete_bytes_threshold`: :bro:type:`function` Deletes a byte threshold for connection sizes.
:bro:id:`ConnThreshold::delete_packets_threshold`: :bro:type:`function` Deletes a packet threshold for connection sizes.
:bro:id:`ConnThreshold::set_bytes_threshold`: :bro:type:`function` Sets a byte threshold for connection sizes, adding it to potentially already existing thresholds.
:bro:id:`ConnThreshold::set_packets_threshold`: :bro:type:`function` Sets a packet threshold for connection sizes, adding it to potentially already existing thresholds.
======================================================================= ===================================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Types
#####
.. bro:type:: ConnThreshold::Thresholds
:Type: :bro:type:`record`
orig_byte: :bro:type:`set` [:bro:type:`count`] :bro:attr:`&default` = ``{ }`` :bro:attr:`&optional`
current originator byte thresholds we watch for
resp_byte: :bro:type:`set` [:bro:type:`count`] :bro:attr:`&default` = ``{ }`` :bro:attr:`&optional`
current responder byte thresholds we watch for
orig_packet: :bro:type:`set` [:bro:type:`count`] :bro:attr:`&default` = ``{ }`` :bro:attr:`&optional`
corrent originator packet thresholds we watch for
resp_packet: :bro:type:`set` [:bro:type:`count`] :bro:attr:`&default` = ``{ }`` :bro:attr:`&optional`
corrent responder packet thresholds we watch for
Events
######
.. bro:id:: ConnThreshold::bytes_threshold_crossed
:Type: :bro:type:`event` (c: :bro:type:`connection`, threshold: :bro:type:`count`, is_orig: :bro:type:`bool`)
Generated for a connection that crossed a set byte threshold
:c: the connection
:threshold: the threshold that was set
:is_orig: True if the threshold was crossed by the originator of the connection
.. bro:id:: ConnThreshold::packets_threshold_crossed
:Type: :bro:type:`event` (c: :bro:type:`connection`, threshold: :bro:type:`count`, is_orig: :bro:type:`bool`)
Generated for a connection that crossed a set byte threshold
:c: the connection
:threshold: the threshold that was set
:is_orig: True if the threshold was crossed by the originator of the connection
Functions
#########
.. bro:id:: ConnThreshold::delete_bytes_threshold
:Type: :bro:type:`function` (c: :bro:type:`connection`, threshold: :bro:type:`count`, is_orig: :bro:type:`bool`) : :bro:type:`bool`
Deletes a byte threshold for connection sizes.
:cid: The connection id.
:threshold: Threshold in bytes to remove.
:is_orig: If true, threshold is removed for packets from originator, otherwhise for packets from responder.
:returns: T on success, F on failure.
.. bro:id:: ConnThreshold::delete_packets_threshold
:Type: :bro:type:`function` (c: :bro:type:`connection`, threshold: :bro:type:`count`, is_orig: :bro:type:`bool`) : :bro:type:`bool`
Deletes a packet threshold for connection sizes.
:cid: The connection id.
:threshold: Threshold in packets.
:is_orig: If true, threshold is removed for packets from originator, otherwise for packets from responder.
:returns: T on success, F on failure.
.. bro:id:: ConnThreshold::set_bytes_threshold
:Type: :bro:type:`function` (c: :bro:type:`connection`, threshold: :bro:type:`count`, is_orig: :bro:type:`bool`) : :bro:type:`bool`
Sets a byte threshold for connection sizes, adding it to potentially already existing thresholds.
conn_bytes_threshold_crossed will be raised for each set threshold.
:cid: The connection id.
:threshold: Threshold in bytes.
:is_orig: If true, threshold is set for bytes from originator, otherwise for bytes from responder.
:returns: T on success, F on failure.
.. bro:id:: ConnThreshold::set_packets_threshold
:Type: :bro:type:`function` (c: :bro:type:`connection`, threshold: :bro:type:`count`, is_orig: :bro:type:`bool`) : :bro:type:`bool`
Sets a packet threshold for connection sizes, adding it to potentially already existing thresholds.
conn_packets_threshold_crossed will be raised for each set threshold.
:cid: The connection id.
:threshold: Threshold in packets.
:is_orig: If true, threshold is set for packets from originator, otherwise for packets from responder.
:returns: T on success, F on failure.
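Review bot: several copy-paste errors in the source docstrings surface here: `ConnThreshold::packets_threshold_crossed` is described as "Generated for a connection that crossed a set byte threshold" in both the Summary table and the Detailed Interface, `orig_packet` and `resp_packet` read "corrent" for "current", `delete_bytes_threshold` has "otherwhise", and all four functions document a `:cid: The connection id.` parameter although their signatures take `c: connection`. The `set_*` descriptions also say `conn_bytes_threshold_crossed` / `conn_packets_threshold_crossed` will be raised, while the events this namespace defines are `ConnThreshold::bytes_threshold_crossed` and `ConnThreshold::packets_threshold_crossed`; if the former are the underlying core events, the docstring should say so and point readers to the `ConnThreshold::` events they are expected to handle. Since the .rst is regenerated and test-checked, all of this needs fixing in `base/protocols/conn/thresholds.bro`.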

@ -0,0 +1,14 @@
:tocdepth: 3
base/protocols/dce-rpc/__load__.bro
===================================
:Imports: :doc:`base/protocols/dce-rpc/consts.bro </scripts/base/protocols/dce-rpc/consts.bro>`, :doc:`base/protocols/dce-rpc/main.bro </scripts/base/protocols/dce-rpc/main.bro>`
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

@ -0,0 +1,17 @@
:orphan:
Package: base/protocols/dce-rpc
===============================
Support for DCE/RPC (Distributed Computing Environment/Remote Procedure
Calls) protocol analysis.
:doc:`/scripts/base/protocols/dce-rpc/__load__.bro`
:doc:`/scripts/base/protocols/dce-rpc/consts.bro`
:doc:`/scripts/base/protocols/dce-rpc/main.bro`

@ -0,0 +1,123 @@
:tocdepth: 3
base/protocols/dce-rpc/main.bro
===============================
.. bro:namespace:: DCE_RPC
:Namespace: DCE_RPC
:Imports: :doc:`base/frameworks/dpd </scripts/base/frameworks/dpd/index>`, :doc:`base/protocols/dce-rpc/consts.bro </scripts/base/protocols/dce-rpc/consts.bro>`
Summary
~~~~~~~
Runtime Options
###############
=========================================================================== ===============================================================
:bro:id:`DCE_RPC::ignored_operations`: :bro:type:`table` :bro:attr:`&redef` These are DCE-RPC operations that are ignored, typically due to
the operations being noisy and low value on most networks.
=========================================================================== ===============================================================
Types
#####
===================================================== =
:bro:type:`DCE_RPC::BackingState`: :bro:type:`record`
:bro:type:`DCE_RPC::Info`: :bro:type:`record`
:bro:type:`DCE_RPC::State`: :bro:type:`record`
===================================================== =
Redefinitions
#############
==================================================================== =
:bro:id:`DPD::ignore_violations`: :bro:type:`set` :bro:attr:`&redef`
:bro:type:`Log::ID`: :bro:type:`enum`
:bro:type:`connection`: :bro:type:`record`
:bro:id:`likely_server_ports`: :bro:type:`set` :bro:attr:`&redef`
==================================================================== =
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. bro:id:: DCE_RPC::ignored_operations
:Type: :bro:type:`table` [:bro:type:`string`] of :bro:type:`set` [:bro:type:`string`]
:Attributes: :bro:attr:`&redef`
:Default:
::
{
["winreg"] = {
"BaseRegOpenKey",
"BaseRegEnumKey",
"OpenClassesRoot",
"BaseRegCloseKey",
"OpenLocalMachine",
"BaseRegQueryValue",
"BaseRegDeleteKeyEx",
"BaseRegGetVersion"
},
["spoolss"] = {
"RpcSplOpenPrinter",
"RpcClosePrinter"
},
["wkssvc"] = {
"NetrWkstaGetInfo"
}
}
These are DCE-RPC operations that are ignored, typically due to
the operations being noisy and low value on most networks.
Types
#####
.. bro:type:: DCE_RPC::BackingState
:Type: :bro:type:`record`
info: :bro:type:`DCE_RPC::Info`
state: :bro:type:`DCE_RPC::State`
.. bro:type:: DCE_RPC::Info
:Type: :bro:type:`record`
ts: :bro:type:`time` :bro:attr:`&log`
Timestamp for when the event happened.
uid: :bro:type:`string` :bro:attr:`&log`
Unique ID for the connection.
id: :bro:type:`conn_id` :bro:attr:`&log`
The connection's 4-tuple of endpoint addresses/ports.
rtt: :bro:type:`interval` :bro:attr:`&log` :bro:attr:`&optional`
Round trip time from the request to the response.
If either the request or response wasn't seen,
this will be null.
named_pipe: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Remote pipe name.
endpoint: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Endpoint name looked up from the uuid.
operation: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Operation seen in the call.
.. bro:type:: DCE_RPC::State
:Type: :bro:type:`record`
uuid: :bro:type:`string` :bro:attr:`&optional`
named_pipe: :bro:type:`string` :bro:attr:`&optional`
ctx_to_uuid: :bro:type:`table` [:bro:type:`count`] of :bro:type:`string` :bro:attr:`&optional`
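Review bot: `DCE_RPC::State` and `DCE_RPC::BackingState` have no field descriptions at all in the Detailed Interface (`uuid`, `named_pipe`, `ctx_to_uuid`, `info`, `state`), and `rtt` says it "will be null" when the request or response wasn't seen, although the field is `&optional` and what a log reader actually sees is an unset field (the ASCII writer renders it as `-`), not a null value. Under `DCE_RPC::ignored_operations` it would also help to say that the table is `&redef`, so operators who want the winreg calls (`BaseRegOpenKey` and the rest of that list) to appear in the log can override the default; as written the doc only explains why they are dropped.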

View file

@ -0,0 +1,14 @@
:tocdepth: 3
base/protocols/dhcp/__load__.bro
================================
:Imports: :doc:`base/protocols/dhcp/consts.bro </scripts/base/protocols/dhcp/consts.bro>`, :doc:`base/protocols/dhcp/main.bro </scripts/base/protocols/dhcp/main.bro>`
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

@ -0,0 +1,227 @@
:tocdepth: 3
base/protocols/dhcp/consts.bro
==============================
.. bro:namespace:: DHCP
Types, errors, and fields for analyzing DHCP data. A helper file
for DHCP analysis scripts.
:Namespace: DHCP
Summary
~~~~~~~
Constants
#########
================================================================================================================== ===================================
:bro:id:`DHCP::message_types`: :bro:type:`table` :bro:attr:`&default` = :bro:type:`function` :bro:attr:`&optional` Types of DHCP messages.
:bro:id:`DHCP::option_types`: :bro:type:`table` :bro:attr:`&default` = :bro:type:`function` :bro:attr:`&optional` Option types mapped to their names.
================================================================================================================== ===================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Constants
#########
.. bro:id:: DHCP::message_types
:Type: :bro:type:`table` [:bro:type:`count`] of :bro:type:`string`
:Attributes: :bro:attr:`&default` = :bro:type:`function` :bro:attr:`&optional`
:Default:
::
{
[2] = "OFFER",
[9] = "FORCERENEW",
[17] = "LEASEQUERYSTATUS",
[6] = "NAK",
[11] = "LEASEUNASSIGNED",
[14] = "BULKLEASEQUERY",
[4] = "DECLINE",
[1] = "DISCOVER",
[8] = "INFORM",
[7] = "RELEASE",
[15] = "LEASEQUERYDONE",
[5] = "ACK",
[10] = "LEASEQUERY",
[3] = "REQUEST",
[12] = "LEASEUNKNOWN",
[13] = "LEASEACTIVE",
[18] = "TLS",
[16] = "ACTIVELEASEQUERY"
}
Types of DHCP messages. See :rfc:`1533`, :rfc:`3203`,
:rfc:`4388`, :rfc:`6926`, and :rfc:`7724`.
.. bro:id:: DHCP::option_types
:Type: :bro:type:`table` [:bro:type:`int`] of :bro:type:`string`
:Attributes: :bro:attr:`&default` = :bro:type:`function` :bro:attr:`&optional`
:Default:
::
{
[124] = "V-I Vendor Class",
[7] = "Log Server",
[22] = "Max DG Assembly",
[211] = "Reboot Time",
[213] = "OPTION_V4_ACCESS_DOMAIN",
[51] = "Address Time",
[3] = "Router",
[75] = "StreetTalk-Server",
[156] = "dhcp-state",
[4] = "Time Server",
[48] = "X Window Font",
[26] = "MTU Interface",
[10] = "Impress Server",
[11] = "RLP Server",
[90] = "Authentication",
[125] = "V-I Vendor-Specific Information",
[212] = "OPTION_6RD",
[123] = "GeoConf Option",
[175] = "Etherboot (Tentatively Assigned - 2005-06-23)",
[45] = "NETBIOS Dist Srv",
[39] = "Keepalive Data",
[62] = "NetWare/IP Domain",
[132] = "IEEE 802.1Q VLAN ID",
[35] = "ARP Timeout",
[93] = "Client System",
[129] = "PXE - undefined (vendor specific)",
[34] = "Trailers",
[97] = "UUID/GUID",
[153] = "start-time-of-state",
[1] = "Subnet Mask",
[30] = "Mask Supplier",
[65] = "NIS-Server-Addr",
[42] = "NTP Servers",
[142] = "OPTION-IPv4_Address-ANDSF",
[76] = "STDA-Server",
[137] = "OPTION_V4_LOST",
[209] = "Configuration File",
[56] = "DHCP Message",
[46] = "NETBIOS Node Type",
[100] = "PCode",
[146] = "RDNSS Selection",
[220] = "Subnet Allocation Option",
[151] = "status-code",
[67] = "Bootfile-Name",
[81] = "Client FQDN",
[144] = "GeoLoc",
[70] = "POP3-Server",
[2] = "Time Offset",
[15] = "Domain Name",
[210] = "Path Prefix",
[119] = "Domain Search",
[83] = "iSNS",
[36] = "Ethernet",
[79] = "Service Scope",
[32] = "Router Request",
[23] = "Default IP TTL",
[221] = "Virtual Subnet Selection (VSS) Option",
[120] = "SIP Servers DHCP Option",
[40] = "NIS Domain",
[16] = "Swap Server",
[80] = "Rapid Commit",
[159] = "OPTION_V4_PORTPARAMS",
[94] = "Client NDI",
[8] = "Quotes Server",
[131] = "PXE - undefined (vendor specific)",
[78] = "Directory Agent",
[134] = "Diffserv Code Point (DSCP) for VoIP signalling and media streams",
[141] = "SIP UA Configuration Service Domains",
[69] = "SMTP-Server",
[59] = "Rebinding Time",
[154] = "query-start-time",
[55] = "Parameter List",
[155] = "query-end-time",
[77] = "User-Class",
[49] = "X Window Manager",
[50] = "Address Request",
[113] = "Netinfo Tag",
[9] = "LPR Server",
[0] = "Pad",
[66] = "Server-Name",
[138] = "OPTION_CAPWAP_AC_V4",
[139] = "OPTION-IPv4_Address-MoS",
[20] = "SrcRte On/Off",
[18] = "Extension File",
[37] = "Default TCP TTL",
[89] = "BCMCS Controller IPv4 address option",
[98] = "User-Auth",
[122] = "CCC",
[158] = "OPTION_V4_PCP_SERVER",
[255] = "End",
[63] = "NetWare/IP Option",
[53] = "DHCP Msg Type",
[128] = "PXE - undefined (vendor specific)",
[60] = "Class Id",
[136] = "OPTION_PANA_AGENT",
[72] = "WWW-Server",
[116] = "Auto-Config",
[130] = "PXE - undefined (vendor specific)",
[85] = "NDS Servers",
[73] = "Finger-Server",
[88] = "BCMCS Controller Domain Name list",
[208] = "PXELINUX Magic",
[19] = "Forward On/Off",
[112] = "Netinfo Address",
[54] = "DHCP Server Id",
[68] = "Home-Agent-Addrs",
[5] = "Name Server",
[114] = "URL",
[44] = "NETBIOS Name Srv",
[13] = "Boot File Size",
[47] = "NETBIOS Scope",
[58] = "Renewal Time",
[29] = "Mask Discovery",
[12] = "Hostname",
[17] = "Root Path",
[135] = "HTTP Proxy for phone-specific applications",
[61] = "Client Id",
[99] = "GEOCONF_CIVIC",
[25] = "MTU Plateau",
[121] = "Classless Static Route Option",
[71] = "NNTP-Server",
[117] = "Name Service Search",
[118] = "Subnet Selection Option",
[176] = "IP Telephone (Tentatively Assigned - 2005-06-23)",
[38] = "Keepalive Time",
[57] = "DHCP Max Msg Size",
[252] = "auto-proxy-config",
[52] = "Overload",
[150] = "TFTP server address",
[140] = "OPTION-IPv4_FQDN-MoS",
[43] = "Vendor Specific",
[41] = "NIS Servers",
[101] = "TCode",
[87] = "NDS Context",
[74] = "IRC-Server",
[6] = "Domain Server",
[177] = "PacketCable and CableHome (replaced by 122)",
[91] = "client-last-transaction-time option",
[82] = "Relay Agent Information",
[161] = "OPTION_MUD_URL_V4 (TEMPORARY - registered 2016-11-17)",
[64] = "NIS-Domain-Name",
[95] = "LDAP",
[133] = "IEEE 802.1D/p Layer 2 Priority",
[14] = "Merit Dump File",
[27] = "MTU Subnet",
[31] = "Router Discovery",
[24] = "MTU Timeout",
[152] = "base-time",
[160] = "DHCP Captive-Portal",
[145] = "FORCERENEW_NONCE_CAPABLE",
[28] = "Broadcast Address",
[33] = "Static Route",
[92] = "associated-ip option",
[21] = "Policy Filter",
[157] = "data-source",
[86] = "NDS Tree Name"
}
Option types mapped to their names.
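Review bot: the DHCP option-code table above is emitted in hash-iteration order rather than sorted by option code ([40], [16], [80], [159], [94], ...), which makes the generated page hard to scan and means the file will churn on regeneration whenever iteration order shifts; consider having the generator sort table defaults by key before rendering them, so the checked-in docs stay stable and reviewable.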


@ -0,0 +1,23 @@
:orphan:
Package: base/protocols/dhcp
============================
Support for Dynamic Host Configuration Protocol (DHCP) analysis.
:doc:`/scripts/base/protocols/dhcp/__load__.bro`
:doc:`/scripts/base/protocols/dhcp/consts.bro`
Types, errors, and fields for analyzing DHCP data. A helper file
for DHCP analysis scripts.
:doc:`/scripts/base/protocols/dhcp/main.bro`
Analyze DHCP traffic and provide a log that is organized around
the idea of a DHCP "conversation" defined by messages exchanged within
a relatively short period of time using the same transaction ID.
The log will have information from clients and servers to give a more
complete picture of what happened.


@ -0,0 +1,257 @@
:tocdepth: 3
base/protocols/dhcp/main.bro
============================
.. bro:namespace:: DHCP
Analyze DHCP traffic and provide a log that is organized around
the idea of a DHCP "conversation" defined by messages exchanged within
a relatively short period of time using the same transaction ID.
The log will have information from clients and servers to give a more
complete picture of what happened.
:Namespace: DHCP
:Imports: :doc:`base/frameworks/cluster </scripts/base/frameworks/cluster/index>`, :doc:`base/protocols/dhcp/consts.bro </scripts/base/protocols/dhcp/consts.bro>`
Summary
~~~~~~~
Runtime Options
###############
============================================================================ ===============================================================
:bro:id:`DHCP::max_txid_watch_time`: :bro:type:`interval` :bro:attr:`&redef` The maximum amount of time that a transation ID will be watched
for to try and tie messages together into a single DHCP
transaction narrative.
============================================================================ ===============================================================
State Variables
###############
================================================ ========================================================
:bro:id:`DHCP::log_info`: :bro:type:`DHCP::Info` This is a global variable that is only to be used in the
:bro::see::`DHCP::aggregate_msgs` event.
================================================ ========================================================
Types
#####
========================================== =================================================================
:bro:type:`DHCP::Info`: :bro:type:`record` The record type which contains the column fields of the DHCP log.
========================================== =================================================================
Redefinitions
#############
================================================================= =
:bro:type:`DHCP::Info`: :bro:type:`record`
:bro:type:`Log::ID`: :bro:type:`enum`
:bro:type:`connection`: :bro:type:`record`
:bro:id:`likely_server_ports`: :bro:type:`set` :bro:attr:`&redef`
================================================================= =
Events
######
================================================= ================================================================
:bro:id:`DHCP::aggregate_msgs`: :bro:type:`event` This event is used internally to distribute data around clusters
since DHCP doesn't follow the normal "connection" model used by
most protocols.
:bro:id:`DHCP::log_dhcp`: :bro:type:`event` Event that can be handled to access the DHCP
record as it is sent on to the logging framework.
================================================= ================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. bro:id:: DHCP::max_txid_watch_time
:Type: :bro:type:`interval`
:Attributes: :bro:attr:`&redef`
:Default: ``30.0 secs``
The maximum amount of time that a transation ID will be watched
for to try and tie messages together into a single DHCP
transaction narrative.
State Variables
###############
.. bro:id:: DHCP::log_info
:Type: :bro:type:`DHCP::Info`
:Default:
::
{
ts=<uninitialized>
uids={
}
client_addr=<uninitialized>
server_addr=<uninitialized>
client_port=<uninitialized>
server_port=<uninitialized>
mac=<uninitialized>
host_name=<uninitialized>
client_fqdn=<uninitialized>
domain=<uninitialized>
requested_addr=<uninitialized>
assigned_addr=<uninitialized>
lease_time=<uninitialized>
client_message=<uninitialized>
server_message=<uninitialized>
msg_types=[]
duration=0 secs
last_message_ts=<uninitialized>
msg_orig=<uninitialized>
client_software=<uninitialized>
server_software=<uninitialized>
circuit_id=<uninitialized>
agent_remote_id=<uninitialized>
subscriber_id=<uninitialized>
}
This is a global variable that is only to be used in the
:bro::see::`DHCP::aggregate_msgs` event. It can be used to avoid
looking up the info record for a transaction ID in every event handler
for :bro:see::`DHCP::aggregate_msgs`.
Types
#####
.. bro:type:: DHCP::Info
:Type: :bro:type:`record`
ts: :bro:type:`time` :bro:attr:`&log`
The earliest time at which a DHCP message over the
associated connection is observed.
uids: :bro:type:`set` [:bro:type:`string`] :bro:attr:`&log`
A series of unique identifiers of the connections over which
DHCP is occurring. This behavior with multiple connections is
unique to DHCP because of the way it uses broadcast packets
on local networks.
client_addr: :bro:type:`addr` :bro:attr:`&log` :bro:attr:`&optional`
IP address of the client. If a transaction
is only a client sending INFORM messages then
there is no lease information exchanged so this
is helpful to know who sent the messages.
Getting an address in this field does require
that the client sources at least one DHCP message
using a non-broadcast address.
server_addr: :bro:type:`addr` :bro:attr:`&log` :bro:attr:`&optional`
IP address of the server involved in actually
handing out the lease. There could be other
servers replying with OFFER messages which won't
be represented here. Getting an address in this
field also requires that the server handing out
the lease also sources packets from a non-broadcast
IP address.
client_port: :bro:type:`port` :bro:attr:`&optional`
Client port number seen at time of server handing out IP (expected
as 68/udp).
server_port: :bro:type:`port` :bro:attr:`&optional`
Server port number seen at time of server handing out IP (expected
as 67/udp).
mac: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Client's hardware address.
host_name: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Name given by client in Hostname option 12.
client_fqdn: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
FQDN given by client in Client FQDN option 81.
domain: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Domain given by the server in option 15.
requested_addr: :bro:type:`addr` :bro:attr:`&log` :bro:attr:`&optional`
IP address requested by the client.
assigned_addr: :bro:type:`addr` :bro:attr:`&log` :bro:attr:`&optional`
IP address assigned by the server.
lease_time: :bro:type:`interval` :bro:attr:`&log` :bro:attr:`&optional`
IP address lease interval.
client_message: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Message typically accompanied with a DHCP_DECLINE
so the client can tell the server why it rejected
an address.
server_message: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Message typically accompanied with a DHCP_NAK to let
the client know why it rejected the request.
msg_types: :bro:type:`vector` of :bro:type:`string` :bro:attr:`&log` :bro:attr:`&default` = ``[]`` :bro:attr:`&optional`
The DHCP message types seen by this DHCP transaction
duration: :bro:type:`interval` :bro:attr:`&log` :bro:attr:`&default` = ``0 secs`` :bro:attr:`&optional`
Duration of the DHCP "session" representing the
time from the first message to the last.
last_message_ts: :bro:type:`time` :bro:attr:`&optional`
msg_orig: :bro:type:`vector` of :bro:type:`addr` :bro:attr:`&log` :bro:attr:`&default` = ``[]`` :bro:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/dhcp/msg-orig.bro` is loaded)
The address that originated each message from the
`msg_types` field.
client_software: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/dhcp/software.bro` is loaded)
Software reported by the client in the `vendor_class` option.
server_software: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/dhcp/software.bro` is loaded)
Software reported by the server in the `vendor_class` option.
circuit_id: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/dhcp/sub-opts.bro` is loaded)
Added by DHCP relay agents which terminate switched or
permanent circuits. It encodes an agent-local identifier
of the circuit from which a DHCP client-to-server packet was
received. Typically it should represent a router or switch
interface number.
agent_remote_id: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/dhcp/sub-opts.bro` is loaded)
A globally unique identifier added by relay agents to identify
the remote host end of the circuit.
subscriber_id: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/dhcp/sub-opts.bro` is loaded)
The subscriber ID is a value independent of the physical
network configuration so that a customer's DHCP configuration
can be given to them correctly no matter where they are
physically connected.
The record type which contains the column fields of the DHCP log.
Events
######
.. bro:id:: DHCP::aggregate_msgs
:Type: :bro:type:`event` (ts: :bro:type:`time`, id: :bro:type:`conn_id`, uid: :bro:type:`string`, is_orig: :bro:type:`bool`, msg: :bro:type:`DHCP::Msg`, options: :bro:type:`DHCP::Options`)
This event is used internally to distribute data around clusters
since DHCP doesn't follow the normal "connection" model used by
most protocols. It can also be handled to extend the DHCP log.
:bro:see::`DHCP::log_info`.
.. bro:id:: DHCP::log_dhcp
:Type: :bro:type:`event` (rec: :bro:type:`DHCP::Info`)
Event that can be handled to access the DHCP
record as it is sent on to the logging framework.
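Review bot: several cross-references in this file are malformed and will not resolve in Sphinx: the `DHCP::log_info` summary and detailed entry use `:bro::see::`DHCP::aggregate_msgs`` (doubled colon after `bro`), and the `DHCP::log_info` and `DHCP::aggregate_msgs` entries use `:bro:see::`DHCP::aggregate_msgs`` and `:bro:see::`DHCP::log_info`` (doubled colon after `see`); the role is `:bro:see:`. In the same file, "transation ID" in the `DHCP::max_txid_watch_time` description (summary table and detailed entry) is a typo for "transaction ID". Since this page is generated, the fixes belong in the doc comments of `base/protocols/dhcp/main.bro`, with the page regenerated afterwards.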


@ -0,0 +1,14 @@
:tocdepth: 3
base/protocols/dnp3/__load__.bro
================================
:Imports: :doc:`base/protocols/dnp3/main.bro </scripts/base/protocols/dnp3/main.bro>`
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~


@ -0,0 +1,73 @@
:tocdepth: 3
base/protocols/dnp3/consts.bro
==============================
.. bro:namespace:: DNP3
:Namespace: DNP3
Summary
~~~~~~~
Redefinable Options
###################
====================================================================================================================================== =======================================
:bro:id:`DNP3::function_codes`: :bro:type:`table` :bro:attr:`&default` = :bro:type:`function` :bro:attr:`&optional` :bro:attr:`&redef` Standard defined Modbus function codes.
====================================================================================================================================== =======================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Redefinable Options
###################
.. bro:id:: DNP3::function_codes
:Type: :bro:type:`table` [:bro:type:`count`] of :bro:type:`string`
:Attributes: :bro:attr:`&default` = :bro:type:`function` :bro:attr:`&optional` :bro:attr:`&redef`
:Default:
::
{
[2] = "WRITE",
[9] = "FREEZE_CLEAR",
[17] = "START_APPL",
[27] = "DELETE_FILE",
[6] = "DIRECT_OPERATE_NR",
[11] = "FREEZE_AT_TIME",
[14] = "WARM_RESTART",
[4] = "OPERATE",
[22] = "ASSIGN_CLASS",
[24] = "RECORD_CURRENT_TIME",
[30] = "ABORT_FILE",
[1] = "READ",
[8] = "IMMED_FREEZE_NR",
[7] = "IMMED_FREEZE",
[15] = "INITIALIZE_DATA",
[131] = "AUTHENTICATE_RESP",
[23] = "DELAY_MEASURE",
[33] = "AUTHENTICATE_REQ_NR",
[29] = "AUTHENTICATE_FILE",
[130] = "UNSOLICITED_RESPONSE",
[5] = "DIRECT_OPERATE",
[25] = "OPEN_FILE",
[32] = "AUTHENTICATE_REQ",
[19] = "SAVE_CONFIG",
[28] = "GET_FILE_INFO",
[31] = "ACTIVATE_CONFIG",
[10] = "FREEZE_CLEAR_NR",
[129] = "RESPONSE",
[0] = "CONFIRM",
[3] = "SELECT",
[12] = "FREEZE_AT_TIME_NR",
[13] = "COLD_RESTART",
[18] = "STOP_APPL",
[21] = "DISABLE_UNSOLICITED",
[16] = "INITIALIZE_APPL",
[20] = "ENABLE_UNSOLICITED",
[26] = "CLOSE_FILE"
}
Standard defined Modbus function codes.
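Review bot: the docstring for `DNP3::function_codes` reads "Standard defined Modbus function codes." in both the summary table and the detailed entry, but the table lists DNP3 application-layer function codes (READ, WRITE, SELECT, OPERATE, COLD_RESTART, ...); the comment in `base/protocols/dnp3/consts.bro` should say DNP3, and the page regenerated, so readers of the DNP3 docs are not pointed at the wrong protocol.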


@ -0,0 +1,17 @@
:orphan:
Package: base/protocols/dnp3
============================
Support for Distributed Network Protocol (DNP3) analysis.
:doc:`/scripts/base/protocols/dnp3/__load__.bro`
:doc:`/scripts/base/protocols/dnp3/main.bro`
A very basic DNP3 analysis script that just logs requests and replies.
:doc:`/scripts/base/protocols/dnp3/consts.bro`


@ -0,0 +1,72 @@
:tocdepth: 3
base/protocols/dnp3/main.bro
============================
.. bro:namespace:: DNP3
A very basic DNP3 analysis script that just logs requests and replies.
:Namespace: DNP3
:Imports: :doc:`base/protocols/dnp3/consts.bro </scripts/base/protocols/dnp3/consts.bro>`
Summary
~~~~~~~
Types
#####
========================================== =
:bro:type:`DNP3::Info`: :bro:type:`record`
========================================== =
Redefinitions
#############
================================================================= =
:bro:type:`Log::ID`: :bro:type:`enum`
:bro:type:`connection`: :bro:type:`record`
:bro:id:`likely_server_ports`: :bro:type:`set` :bro:attr:`&redef`
================================================================= =
Events
######
=========================================== ====================================================================
:bro:id:`DNP3::log_dnp3`: :bro:type:`event` Event that can be handled to access the DNP3 record as it is sent on
to the logging framework.
=========================================== ====================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Types
#####
.. bro:type:: DNP3::Info
:Type: :bro:type:`record`
ts: :bro:type:`time` :bro:attr:`&log`
Time of the request.
uid: :bro:type:`string` :bro:attr:`&log`
Unique identifier for the connection.
id: :bro:type:`conn_id` :bro:attr:`&log`
Identifier for the connection.
fc_request: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
The name of the function message in the request.
fc_reply: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
The name of the function message in the reply.
iin: :bro:type:`count` :bro:attr:`&log` :bro:attr:`&optional`
The response's "internal indication number".
Events
######
.. bro:id:: DNP3::log_dnp3
:Type: :bro:type:`event` (rec: :bro:type:`DNP3::Info`)
Event that can be handled to access the DNP3 record as it is sent on
to the logging framework.


@ -0,0 +1,14 @@
:tocdepth: 3
base/protocols/dns/__load__.bro
===============================
:Imports: :doc:`base/protocols/dns/consts.bro </scripts/base/protocols/dns/consts.bro>`, :doc:`base/protocols/dns/main.bro </scripts/base/protocols/dns/main.bro>`
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~


@ -0,0 +1,264 @@
:tocdepth: 3
base/protocols/dns/consts.bro
=============================
.. bro:namespace:: DNS
Types, errors, and fields for analyzing DNS data. A helper file
for DNS analysis scripts.
:Namespace: DNS
Summary
~~~~~~~
Constants
#########
=============================================================================================================== ======================================================================
:bro:id:`DNS::ANY`: :bro:type:`count` A QTYPE value describing a request for all records.
:bro:id:`DNS::EDNS`: :bro:type:`count` An OPT RR TYPE value described by EDNS.
:bro:id:`DNS::PTR`: :bro:type:`count` RR TYPE value for a domain name pointer.
:bro:id:`DNS::algorithms`: :bro:type:`table` :bro:attr:`&default` = :bro:type:`function` :bro:attr:`&optional` Possible values of the algorithms used in DNSKEY, DS and RRSIG records
:bro:id:`DNS::base_errors`: :bro:type:`table` :bro:attr:`&default` = :bro:type:`function` :bro:attr:`&optional` Errors used for non-TSIG/EDNS types.
:bro:id:`DNS::classes`: :bro:type:`table` :bro:attr:`&default` = :bro:type:`function` :bro:attr:`&optional` Possible values of the CLASS field in resource records or QCLASS
field in query messages.
:bro:id:`DNS::digests`: :bro:type:`table` :bro:attr:`&default` = :bro:type:`function` :bro:attr:`&optional` Possible digest types used in DNSSEC.
:bro:id:`DNS::edns_zfield`: :bro:type:`table` :bro:attr:`&default` = ``"?"`` :bro:attr:`&optional` This deciphers EDNS Z field values.
:bro:id:`DNS::query_types`: :bro:type:`table` :bro:attr:`&default` = :bro:type:`function` :bro:attr:`&optional` Mapping of DNS query type codes to human readable string
representation.
=============================================================================================================== ======================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Constants
#########
.. bro:id:: DNS::ANY
:Type: :bro:type:`count`
:Default: ``255``
A QTYPE value describing a request for all records.
.. bro:id:: DNS::EDNS
:Type: :bro:type:`count`
:Default: ``41``
An OPT RR TYPE value described by EDNS.
.. bro:id:: DNS::PTR
:Type: :bro:type:`count`
:Default: ``12``
RR TYPE value for a domain name pointer.
.. bro:id:: DNS::algorithms
:Type: :bro:type:`table` [:bro:type:`count`] of :bro:type:`string`
:Attributes: :bro:attr:`&default` = :bro:type:`function` :bro:attr:`&optional`
:Default:
::
{
[2] = "Diffie_Hellman",
[6] = "DSA_NSEC3_SHA1",
[14] = "ECDSA_curveP384withSHA384",
[4] = "Elliptic_Curve",
[1] = "RSA_MD5",
[8] = "RSA_SHA256",
[7] = "RSA_SHA1_NSEC3_SHA1",
[15] = "Ed25519",
[252] = "Indirect",
[254] = "PrivateOID",
[255] = "reserved255",
[5] = "RSA_SHA1",
[10] = "RSA_SHA512",
[253] = "PrivateDNS",
[0] = "reserved0",
[3] = "DSA_SHA1",
[12] = "GOST_R_34_10_2001",
[13] = "ECDSA_curveP256withSHA256",
[16] = "Ed448"
}
Possible values of the algorithms used in DNSKEY, DS and RRSIG records
.. bro:id:: DNS::base_errors
:Type: :bro:type:`table` [:bro:type:`count`] of :bro:type:`string`
:Attributes: :bro:attr:`&default` = :bro:type:`function` :bro:attr:`&optional`
:Default:
::
{
[2] = "SERVFAIL",
[9] = "NOTAUTH",
[17] = "BADKEY",
[6] = "YXDOMAIN",
[11] = "unassigned-11",
[14] = "unassigned-14",
[4] = "NOTIMP",
[22] = "BADTRUNC",
[1] = "FORMERR",
[8] = "NXRRSet",
[3842] = "BADSIG",
[7] = "YXRRSET",
[15] = "unassigned-15",
[5] = "REFUSED",
[19] = "BADMODE",
[10] = "NOTZONE",
[0] = "NOERROR",
[3] = "NXDOMAIN",
[12] = "unassigned-12",
[13] = "unassigned-13",
[18] = "BADTIME",
[21] = "BADALG",
[16] = "BADVERS",
[20] = "BADNAME"
}
Errors used for non-TSIG/EDNS types.
.. bro:id:: DNS::classes
:Type: :bro:type:`table` [:bro:type:`count`] of :bro:type:`string`
:Attributes: :bro:attr:`&default` = :bro:type:`function` :bro:attr:`&optional`
:Default:
::
{
[2] = "C_CSNET",
[4] = "C_HESOD",
[1] = "C_INTERNET",
[254] = "C_NONE",
[255] = "C_ANY",
[3] = "C_CHAOS"
}
Possible values of the CLASS field in resource records or QCLASS
field in query messages.
.. bro:id:: DNS::digests
:Type: :bro:type:`table` [:bro:type:`count`] of :bro:type:`string`
:Attributes: :bro:attr:`&default` = :bro:type:`function` :bro:attr:`&optional`
:Default:
::
{
[2] = "SHA256",
[4] = "SHA384",
[1] = "SHA1",
[0] = "reserved0",
[3] = "GOST_R_34_11_94"
}
Possible digest types used in DNSSEC.
.. bro:id:: DNS::edns_zfield
:Type: :bro:type:`table` [:bro:type:`count`] of :bro:type:`string`
:Attributes: :bro:attr:`&default` = ``"?"`` :bro:attr:`&optional`
:Default:
::
{
[32768] = "DNS_SEC_OK",
[0] = "NOVALUE"
}
This deciphers EDNS Z field values.
.. bro:id:: DNS::query_types
:Type: :bro:type:`table` [:bro:type:`count`] of :bro:type:`string`
:Attributes: :bro:attr:`&default` = :bro:type:`function` :bro:attr:`&optional`
:Default:
::
{
[19] = "X25",
[10] = "NULL",
[3] = "MD",
[254] = "MAILA",
[43] = "DS",
[50] = "NSEC3",
[99] = "SPF",
[47] = "NSEC",
[251] = "IXFR",
[32768] = "TA",
[27] = "GPOS",
[6] = "SOA",
[20] = "ISDN",
[51] = "NSEC3PARAM",
[25] = "KEY",
[37] = "CERT",
[31] = "NIMLOC",
[28] = "AAAA",
[9] = "MR",
[32769] = "DLV",
[11] = "WKS",
[40] = "SINK",
[41] = "OPT",
[59] = "CDS",
[252] = "AXFR",
[46] = "RRSIG",
[5] = "CNAME",
[49] = "DHCID",
[103] = "UNSPEC",
[253] = "MAILB",
[45] = "IPSECKEY",
[8] = "MG",
[17] = "RP",
[48] = "DNSKEY",
[257] = "CAA",
[33] = "SRV",
[100] = "UINFO",
[24] = "SIG",
[23] = "NSAP-PTR",
[26] = "PX",
[101] = "UID",
[39] = "DNAME",
[16] = "TXT",
[34] = "ATMA",
[38] = "A6",
[18] = "AFSDB",
[35] = "NAPTR",
[42] = "APL",
[7] = "MB",
[15] = "MX",
[249] = "TKEY",
[36] = "KX",
[4] = "MF",
[44] = "SSHFP",
[52] = "TLSA",
[1] = "A",
[22] = "NSAP",
[250] = "TSIG",
[14] = "MINFO",
[102] = "GID",
[255] = "*",
[256] = "URI",
[21] = "RT",
[29] = "LOC",
[13] = "HINFO",
[30] = "EID",
[55] = "HIP",
[2] = "NS",
[32] = "NB",
[60] = "CDNSKEY",
[12] = "PTR",
[61] = "OPENPGPKEY"
}
Mapping of DNS query type codes to human readable string
representation.
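Review bot: in `DNS::classes`, `[4] = "C_HESOD"` misspells Hesiod (DNS class HS, value 4); if the string is corrected in `base/protocols/dns/consts.bro`, note that anything matching on the current spelling would need updating. Separately, the `DNS::algorithms` description "Possible values of the algorithms used in DNSKEY, DS and RRSIG records" is missing its terminating period in both the summary table and the detailed entry.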


@ -0,0 +1,20 @@
:orphan:
Package: base/protocols/dns
===========================
Support for Domain Name System (DNS) protocol analysis.
:doc:`/scripts/base/protocols/dns/__load__.bro`
:doc:`/scripts/base/protocols/dns/consts.bro`
Types, errors, and fields for analyzing DNS data. A helper file
for DNS analysis scripts.
:doc:`/scripts/base/protocols/dns/main.bro`
Base DNS analysis script which tracks and logs DNS queries along with
their responses.


@ -0,0 +1,268 @@
:tocdepth: 3
base/protocols/dns/main.bro
===========================
.. bro:namespace:: DNS
Base DNS analysis script which tracks and logs DNS queries along with
their responses.
:Namespace: DNS
:Imports: :doc:`base/protocols/dns/consts.bro </scripts/base/protocols/dns/consts.bro>`, :doc:`base/utils/queue.bro </scripts/base/utils/queue.bro>`
Summary
~~~~~~~
Runtime Options
###############
========================================================================== =======================================================================
:bro:id:`DNS::max_pending_msgs`: :bro:type:`count` :bro:attr:`&redef` Give up trying to match pending DNS queries or replies for a given
query/transaction ID once this number of unmatched queries or replies
is reached (this shouldn't happen unless either the DNS server/resolver
is broken, Bro is not seeing all the DNS traffic, or an AXFR query
response is ongoing).
:bro:id:`DNS::max_pending_query_ids`: :bro:type:`count` :bro:attr:`&redef` Give up trying to match pending DNS queries or replies across all
query/transaction IDs once there is at least one unmatched query or
reply across this number of different query IDs.
========================================================================== =======================================================================
Types
#####
=================================================== ================================================================
:bro:type:`DNS::Info`: :bro:type:`record` The record type which contains the column fields of the DNS log.
:bro:type:`DNS::PendingMessages`: :bro:type:`table` Yields a queue of :bro:see:`DNS::Info` objects for a given
DNS message query/transaction ID.
:bro:type:`DNS::State`: :bro:type:`record` A record type which tracks the status of DNS queries for a given
:bro:type:`connection`.
=================================================== ================================================================
Redefinitions
#############
================================================================= ==================================
:bro:type:`Log::ID`: :bro:type:`enum` The DNS logging stream identifier.
:bro:type:`connection`: :bro:type:`record`
:bro:id:`likely_server_ports`: :bro:type:`set` :bro:attr:`&redef`
================================================================= ==================================
Events
######
========================================= ================================================================
:bro:id:`DNS::log_dns`: :bro:type:`event` An event that can be handled to access the :bro:type:`DNS::Info`
record as it is sent to the logging framework.
========================================= ================================================================
Hooks
#####
============================================ =================================================================
:bro:id:`DNS::do_reply`: :bro:type:`hook` This is called by the specific dns_*_reply events with a "reply"
which may not represent the full data available from the resource
record, but it's generally considered a summarization of the
responses.
:bro:id:`DNS::set_session`: :bro:type:`hook` A hook that is called whenever a session is being set.
============================================ =================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. bro:id:: DNS::max_pending_msgs
:Type: :bro:type:`count`
:Attributes: :bro:attr:`&redef`
:Default: ``50``
Give up trying to match pending DNS queries or replies for a given
query/transaction ID once this number of unmatched queries or replies
is reached (this shouldn't happen unless either the DNS server/resolver
is broken, Bro is not seeing all the DNS traffic, or an AXFR query
response is ongoing).
.. bro:id:: DNS::max_pending_query_ids
:Type: :bro:type:`count`
:Attributes: :bro:attr:`&redef`
:Default: ``50``
Give up trying to match pending DNS queries or replies across all
query/transaction IDs once there is at least one unmatched query or
reply across this number of different query IDs.
Types
#####
.. bro:type:: DNS::Info
:Type: :bro:type:`record`
ts: :bro:type:`time` :bro:attr:`&log`
The earliest time at which a DNS protocol message over the
associated connection is observed.
uid: :bro:type:`string` :bro:attr:`&log`
A unique identifier of the connection over which DNS messages
are being transferred.
id: :bro:type:`conn_id` :bro:attr:`&log`
The connection's 4-tuple of endpoint addresses/ports.
proto: :bro:type:`transport_proto` :bro:attr:`&log`
The transport layer protocol of the connection.
trans_id: :bro:type:`count` :bro:attr:`&log` :bro:attr:`&optional`
A 16-bit identifier assigned by the program that generated
the DNS query. Also used in responses to match up replies to
outstanding queries.
rtt: :bro:type:`interval` :bro:attr:`&log` :bro:attr:`&optional`
Round trip time for the query and response. This indicates
the delay between when the request was seen until the
answer started.
query: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
The domain name that is the subject of the DNS query.
qclass: :bro:type:`count` :bro:attr:`&log` :bro:attr:`&optional`
The QCLASS value specifying the class of the query.
qclass_name: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
A descriptive name for the class of the query.
qtype: :bro:type:`count` :bro:attr:`&log` :bro:attr:`&optional`
A QTYPE value specifying the type of the query.
qtype_name: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
A descriptive name for the type of the query.
rcode: :bro:type:`count` :bro:attr:`&log` :bro:attr:`&optional`
The response code value in DNS response messages.
rcode_name: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
A descriptive name for the response code value.
AA: :bro:type:`bool` :bro:attr:`&log` :bro:attr:`&default` = ``F`` :bro:attr:`&optional`
The Authoritative Answer bit for response messages specifies
that the responding name server is an authority for the
domain name in the question section.
TC: :bro:type:`bool` :bro:attr:`&log` :bro:attr:`&default` = ``F`` :bro:attr:`&optional`
The Truncation bit specifies that the message was truncated.
RD: :bro:type:`bool` :bro:attr:`&log` :bro:attr:`&default` = ``F`` :bro:attr:`&optional`
The Recursion Desired bit in a request message indicates that
the client wants recursive service for this query.
RA: :bro:type:`bool` :bro:attr:`&log` :bro:attr:`&default` = ``F`` :bro:attr:`&optional`
The Recursion Available bit in a response message indicates
that the name server supports recursive queries.
Z: :bro:type:`count` :bro:attr:`&log` :bro:attr:`&default` = ``0`` :bro:attr:`&optional`
A reserved field that is usually zero in
queries and responses.
answers: :bro:type:`vector` of :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
The set of resource descriptions in the query answer.
TTLs: :bro:type:`vector` of :bro:type:`interval` :bro:attr:`&log` :bro:attr:`&optional`
The caching intervals of the associated RRs described by the
*answers* field.
rejected: :bro:type:`bool` :bro:attr:`&log` :bro:attr:`&default` = ``F`` :bro:attr:`&optional`
The DNS query was rejected by the server.
total_answers: :bro:type:`count` :bro:attr:`&optional`
The total number of resource records in a reply message's
answer section.
total_replies: :bro:type:`count` :bro:attr:`&optional`
The total number of resource records in a reply message's
answer, authority, and additional sections.
saw_query: :bro:type:`bool` :bro:attr:`&default` = ``F`` :bro:attr:`&optional`
Whether the full DNS query has been seen.
saw_reply: :bro:type:`bool` :bro:attr:`&default` = ``F`` :bro:attr:`&optional`
Whether the full DNS reply has been seen.
auth: :bro:type:`set` [:bro:type:`string`] :bro:attr:`&log` :bro:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/dns/auth-addl.bro` is loaded)
Authoritative responses for the query.
addl: :bro:type:`set` [:bro:type:`string`] :bro:attr:`&log` :bro:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/dns/auth-addl.bro` is loaded)
Additional responses for the query.
The record type which contains the column fields of the DNS log.
.. bro:type:: DNS::PendingMessages
:Type: :bro:type:`table` [:bro:type:`count`] of :bro:type:`Queue::Queue`
Yields a queue of :bro:see:`DNS::Info` objects for a given
DNS message query/transaction ID.
.. bro:type:: DNS::State
:Type: :bro:type:`record`
pending_queries: :bro:type:`DNS::PendingMessages`
Indexed by query id, returns Info record corresponding to
queries that haven't been matched with a response yet.
pending_replies: :bro:type:`DNS::PendingMessages`
Indexed by query id, returns Info record corresponding to
replies that haven't been matched with a query yet.
A record type which tracks the status of DNS queries for a given
:bro:type:`connection`.
Events
######
.. bro:id:: DNS::log_dns
:Type: :bro:type:`event` (rec: :bro:type:`DNS::Info`)
An event that can be handled to access the :bro:type:`DNS::Info`
record as it is sent to the logging framework.
Hooks
#####
.. bro:id:: DNS::do_reply
:Type: :bro:type:`hook` (c: :bro:type:`connection`, msg: :bro:type:`dns_msg`, ans: :bro:type:`dns_answer`, reply: :bro:type:`string`) : :bro:type:`bool`
This is called by the specific dns_*_reply events with a "reply"
which may not represent the full data available from the resource
record, but it's generally considered a summarization of the
responses.
:c: The connection record for which to fill in DNS reply data.
:msg: The DNS message header information for the response.
:ans: The general information of a RR response.
:reply: The specific response information according to RR type/class.
.. bro:id:: DNS::set_session
:Type: :bro:type:`hook` (c: :bro:type:`connection`, msg: :bro:type:`dns_msg`, is_query: :bro:type:`bool`) : :bro:type:`bool`
A hook that is called whenever a session is being set.
This can be used if additional initialization logic needs to happen
when creating a new session value.
:c: The connection involved in the new session.
:msg: The DNS message header information.
:is_query: Indicator for if this is being called for a query or a response.
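Review bot: the field descriptions of `DNS::State` contradict the declared type. Both `pending_queries` and `pending_replies` are typed `DNS::PendingMessages`, documented a few lines earlier as a `table [count] of Queue::Queue` that "Yields a queue of :bro:see:`DNS::Info` objects", yet each field says "Indexed by query id, returns Info record corresponding to ...". Since this file is generated and now checked for being up to date, fix the wording in the script's docstring (for example "returns the queue of Info records corresponding to queries that haven't been matched with a response yet") and regenerate rather than editing the output.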

@ -0,0 +1,14 @@
:tocdepth: 3
base/protocols/ftp/__load__.bro
===============================
:Imports: :doc:`base/protocols/ftp/files.bro </scripts/base/protocols/ftp/files.bro>`, :doc:`base/protocols/ftp/gridftp.bro </scripts/base/protocols/ftp/gridftp.bro>`, :doc:`base/protocols/ftp/info.bro </scripts/base/protocols/ftp/info.bro>`, :doc:`base/protocols/ftp/main.bro </scripts/base/protocols/ftp/main.bro>`, :doc:`base/protocols/ftp/utils-commands.bro </scripts/base/protocols/ftp/utils-commands.bro>`, :doc:`base/protocols/ftp/utils.bro </scripts/base/protocols/ftp/utils.bro>`
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~
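Review bot: both the `Summary` and `Detailed Interface` headings in this generated `__load__.bro` page are empty, since a loader script only carries `:Imports:`. Rather than committing headings with no body (the same shape recurs for every `__load__.bro` in this commit), consider having the generator omit sections that would render empty.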

@ -0,0 +1,44 @@
:tocdepth: 3
base/protocols/ftp/files.bro
============================
.. bro:namespace:: FTP
:Namespace: FTP
:Imports: :doc:`base/frameworks/files </scripts/base/frameworks/files/index>`, :doc:`base/protocols/ftp/info.bro </scripts/base/protocols/ftp/info.bro>`, :doc:`base/protocols/ftp/main.bro </scripts/base/protocols/ftp/main.bro>`, :doc:`base/protocols/ftp/utils.bro </scripts/base/protocols/ftp/utils.bro>`, :doc:`base/utils/conn-ids.bro </scripts/base/utils/conn-ids.bro>`
Summary
~~~~~~~
Redefinitions
#############
========================================================== =
:bro:type:`FTP::Info`: :bro:type:`record`
:bro:type:`fa_file`: :bro:type:`record` :bro:attr:`&redef`
========================================================== =
Functions
#########
==================================================== =====================================
:bro:id:`FTP::describe_file`: :bro:type:`function` Describe the file being transferred.
:bro:id:`FTP::get_file_handle`: :bro:type:`function` Default file handle provider for FTP.
==================================================== =====================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. bro:id:: FTP::describe_file
:Type: :bro:type:`function` (f: :bro:type:`fa_file`) : :bro:type:`string`
Describe the file being transferred.
.. bro:id:: FTP::get_file_handle
:Type: :bro:type:`function` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`) : :bro:type:`string`
Default file handle provider for FTP.

@ -0,0 +1,129 @@
:tocdepth: 3
base/protocols/ftp/gridftp.bro
==============================
.. bro:namespace:: GridFTP
A detection script for GridFTP data and control channels.
GridFTP control channels are identified by FTP control channels
that successfully negotiate the GSSAPI method of an AUTH request
and for which the exchange involved an encoded TLS/SSL handshake,
indicating the GSI mechanism for GSSAPI was used. This analysis
is all supported internally, this script simply adds the "gridftp"
label to the *service* field of the control channel's
:bro:type:`connection` record.
GridFTP data channels are identified by a heuristic that relies on
the fact that default settings for GridFTP clients typically
mutually authenticate the data channel with TLS/SSL and negotiate a
NULL bulk cipher (no encryption). Connections with those attributes
are marked as GridFTP if the data transfer within the first two minutes
is big enough to indicate a GripFTP data channel that would be
undesirable to analyze further (e.g. stop TCP reassembly). A side
effect is that true connection sizes are not logged, but at the benefit
of saving CPU cycles that would otherwise go to analyzing the large
(and likely benign) connections.
:Namespace: GridFTP
:Imports: :doc:`base/frameworks/notice </scripts/base/frameworks/notice/index>`, :doc:`base/protocols/conn </scripts/base/protocols/conn/index>`, :doc:`base/protocols/ftp/info.bro </scripts/base/protocols/ftp/info.bro>`, :doc:`base/protocols/ftp/main.bro </scripts/base/protocols/ftp/main.bro>`, :doc:`base/protocols/ssl </scripts/base/protocols/ssl/index>`
Summary
~~~~~~~
Runtime Options
###############
======================================================================= ===================================================================
:bro:id:`GridFTP::max_time`: :bro:type:`interval` :bro:attr:`&redef` Time during which we check whether a connection's size exceeds the
:bro:see:`GridFTP::size_threshold`.
:bro:id:`GridFTP::size_threshold`: :bro:type:`count` :bro:attr:`&redef` Number of bytes transferred before guessing a connection is a
GridFTP data channel.
:bro:id:`GridFTP::skip_data`: :bro:type:`bool` :bro:attr:`&redef` Whether to skip further processing of the GridFTP data channel once
detected, which may help performance.
======================================================================= ===================================================================
Redefinitions
#############
========================================= =
:bro:type:`FTP::Info`: :bro:type:`record`
========================================= =
Events
######
=========================================================== ===============================================
:bro:id:`GridFTP::data_channel_detected`: :bro:type:`event` Raised when a GridFTP data channel is detected.
=========================================================== ===============================================
Functions
#########
========================================================================================= =================================================================
:bro:id:`GridFTP::data_channel_initial_criteria`: :bro:type:`function` :bro:attr:`&redef` The initial criteria used to determine whether to start polling
the connection for the :bro:see:`GridFTP::size_threshold` to have
been exceeded.
========================================================================================= =================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. bro:id:: GridFTP::max_time
:Type: :bro:type:`interval`
:Attributes: :bro:attr:`&redef`
:Default: ``2.0 mins``
Time during which we check whether a connection's size exceeds the
:bro:see:`GridFTP::size_threshold`.
.. bro:id:: GridFTP::size_threshold
:Type: :bro:type:`count`
:Attributes: :bro:attr:`&redef`
:Default: ``1073741824``
Number of bytes transferred before guessing a connection is a
GridFTP data channel.
.. bro:id:: GridFTP::skip_data
:Type: :bro:type:`bool`
:Attributes: :bro:attr:`&redef`
:Default: ``T``
Whether to skip further processing of the GridFTP data channel once
detected, which may help performance.
Events
######
.. bro:id:: GridFTP::data_channel_detected
:Type: :bro:type:`event` (c: :bro:type:`connection`)
Raised when a GridFTP data channel is detected.
:c: The connection pertaining to the GridFTP data channel.
Functions
#########
.. bro:id:: GridFTP::data_channel_initial_criteria
:Type: :bro:type:`function` (c: :bro:type:`connection`) : :bro:type:`bool`
:Attributes: :bro:attr:`&redef`
The initial criteria used to determine whether to start polling
the connection for the :bro:see:`GridFTP::size_threshold` to have
been exceeded. This is called in a :bro:see:`ssl_established` event
handler and by default looks for both a client and server certificate
and for a NULL bulk cipher. One way in which this function could be
redefined is to make it also consider client/server certificate
issuer subjects.
:c: The connection which may possibly be a GridFTP data channel.
:returns: true if the connection should be further polled for an
exceeded :bro:see:`GridFTP::size_threshold`, else false.

@ -0,0 +1,54 @@
:orphan:
Package: base/protocols/ftp
===========================
Support for File Transfer Protocol (FTP) analysis.
:doc:`/scripts/base/protocols/ftp/__load__.bro`
:doc:`/scripts/base/protocols/ftp/utils-commands.bro`
:doc:`/scripts/base/protocols/ftp/info.bro`
Defines data structures for tracking and logging FTP sessions.
:doc:`/scripts/base/protocols/ftp/main.bro`
The logging this script does is primarily focused on logging FTP commands
along with metadata. For example, if files are transferred, the argument
will take on the full path that the client is at along with the requested
file name.
:doc:`/scripts/base/protocols/ftp/utils.bro`
Utilities specific for FTP processing.
:doc:`/scripts/base/protocols/ftp/files.bro`
:doc:`/scripts/base/protocols/ftp/gridftp.bro`
A detection script for GridFTP data and control channels.
GridFTP control channels are identified by FTP control channels
that successfully negotiate the GSSAPI method of an AUTH request
and for which the exchange involved an encoded TLS/SSL handshake,
indicating the GSI mechanism for GSSAPI was used. This analysis
is all supported internally, this script simply adds the "gridftp"
label to the *service* field of the control channel's
:bro:type:`connection` record.
GridFTP data channels are identified by a heuristic that relies on
the fact that default settings for GridFTP clients typically
mutually authenticate the data channel with TLS/SSL and negotiate a
NULL bulk cipher (no encryption). Connections with those attributes
are marked as GridFTP if the data transfer within the first two minutes
is big enough to indicate a GripFTP data channel that would be
undesirable to analyze further (e.g. stop TCP reassembly). A side
effect is that true connection sizes are not logged, but at the benefit
of saving CPU cycles that would otherwise go to analyzing the large
(and likely benign) connections.
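Review bot: the "GripFTP" typo reappears here because the package index copies the module docstring of gridftp.bro verbatim, so a single fix in that script corrects both pages. Separately, `__load__.bro`, `utils-commands.bro` and `files.bro` are listed without any description while the other entries have one; a module-level doc comment in each of those three scripts would fill the gaps in this index.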

@ -0,0 +1,132 @@
:tocdepth: 3
base/protocols/ftp/info.bro
===========================
.. bro:namespace:: FTP
Defines data structures for tracking and logging FTP sessions.
:Namespace: FTP
:Imports: :doc:`base/protocols/ftp/utils-commands.bro </scripts/base/protocols/ftp/utils-commands.bro>`
Summary
~~~~~~~
Runtime Options
###############
============================================================================ ==========================================================
:bro:id:`FTP::default_capture_password`: :bro:type:`bool` :bro:attr:`&redef` This setting changes if passwords used in FTP sessions are
captured or not.
============================================================================ ==========================================================
Types
#####
======================================================== ==============================================
:bro:type:`FTP::ExpectedDataChannel`: :bro:type:`record` The expected endpoints of an FTP data channel.
:bro:type:`FTP::Info`: :bro:type:`record`
======================================================== ==============================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. bro:id:: FTP::default_capture_password
:Type: :bro:type:`bool`
:Attributes: :bro:attr:`&redef`
:Default: ``F``
This setting changes if passwords used in FTP sessions are
captured or not.
Types
#####
.. bro:type:: FTP::ExpectedDataChannel
:Type: :bro:type:`record`
passive: :bro:type:`bool` :bro:attr:`&log`
Whether PASV mode is toggled for control channel.
orig_h: :bro:type:`addr` :bro:attr:`&log`
The host that will be initiating the data connection.
resp_h: :bro:type:`addr` :bro:attr:`&log`
The host that will be accepting the data connection.
resp_p: :bro:type:`port` :bro:attr:`&log`
The port at which the acceptor is listening for the data
connection.
The expected endpoints of an FTP data channel.
.. bro:type:: FTP::Info
:Type: :bro:type:`record`
ts: :bro:type:`time` :bro:attr:`&log`
Time when the command was sent.
uid: :bro:type:`string` :bro:attr:`&log`
Unique ID for the connection.
id: :bro:type:`conn_id` :bro:attr:`&log`
The connection's 4-tuple of endpoint addresses/ports.
user: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&default` = ``"<unknown>"`` :bro:attr:`&optional`
User name for the current FTP session.
password: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Password for the current FTP session if captured.
command: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Command given by the client.
arg: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Argument for the command if one is given.
mime_type: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Sniffed mime type of file.
file_size: :bro:type:`count` :bro:attr:`&log` :bro:attr:`&optional`
Size of the file if the command indicates a file transfer.
reply_code: :bro:type:`count` :bro:attr:`&log` :bro:attr:`&optional`
Reply code from the server in response to the command.
reply_msg: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Reply message from the server in response to the command.
data_channel: :bro:type:`FTP::ExpectedDataChannel` :bro:attr:`&log` :bro:attr:`&optional`
Expected FTP data channel.
cwd: :bro:type:`string` :bro:attr:`&default` = ``"."`` :bro:attr:`&optional`
Current working directory that this session is in. By making
the default value '.', we can indicate that unless something
more concrete is discovered that the existing but unknown
directory is ok to use.
cmdarg: :bro:type:`FTP::CmdArg` :bro:attr:`&optional`
Command that is currently waiting for a response.
pending_commands: :bro:type:`FTP::PendingCmds`
Queue for commands that have been sent but not yet responded
to are tracked here.
passive: :bro:type:`bool` :bro:attr:`&default` = ``F`` :bro:attr:`&optional`
Indicates if the session is in active or passive mode.
capture_password: :bro:type:`bool` :bro:attr:`&default` = :bro:see:`FTP::default_capture_password` :bro:attr:`&optional`
Determines if the password will be captured for this request.
fuid: :bro:type:`string` :bro:attr:`&optional` :bro:attr:`&log`
(present if :doc:`/scripts/base/protocols/ftp/files.bro` is loaded)
File unique ID.
last_auth_requested: :bro:type:`string` :bro:attr:`&optional`
(present if :doc:`/scripts/base/protocols/ftp/gridftp.bro` is loaded)
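Review bot: `last_auth_requested` is the only `FTP::Info` field without a description (the hunk ends immediately after its "(present if ... gridftp.bro is loaded)" line), and `FTP::Info` itself has an empty description cell in the Types summary table; both come from missing doc comments in the source (the `redef record FTP::Info` in gridftp.bro and the record declaration in info.bro). On the `password` field: it carries `&log`, so once `FTP::default_capture_password` (default ``F``) or a session's `capture_password` is set to ``T`` the cleartext password is written to the FTP log; the docstring "Password for the current FTP session if captured." should say that explicitly so operators understand what enabling the option exposes.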

@ -0,0 +1,128 @@
:tocdepth: 3
base/protocols/ftp/main.bro
===========================
.. bro:namespace:: FTP
The logging this script does is primarily focused on logging FTP commands
along with metadata. For example, if files are transferred, the argument
will take on the full path that the client is at along with the requested
file name.
:Namespace: FTP
:Imports: :doc:`base/protocols/ftp/info.bro </scripts/base/protocols/ftp/info.bro>`, :doc:`base/protocols/ftp/utils-commands.bro </scripts/base/protocols/ftp/utils-commands.bro>`, :doc:`base/protocols/ftp/utils.bro </scripts/base/protocols/ftp/utils.bro>`, :doc:`base/utils/addrs.bro </scripts/base/utils/addrs.bro>`, :doc:`base/utils/numbers.bro </scripts/base/utils/numbers.bro>`, :doc:`base/utils/paths.bro </scripts/base/utils/paths.bro>`
Summary
~~~~~~~
Runtime Options
###############
================================================================== ======================================================================
:bro:id:`FTP::guest_ids`: :bro:type:`set` :bro:attr:`&redef` User IDs that can be considered "anonymous".
:bro:id:`FTP::logged_commands`: :bro:type:`set` :bro:attr:`&redef` List of commands that should have their command/response pairs logged.
================================================================== ======================================================================
Types
#####
============================================== ===============================================
:bro:type:`FTP::ReplyCode`: :bro:type:`record` This record is to hold a parsed FTP reply code.
============================================== ===============================================
Redefinitions
#############
================================================================= ===========================================
:bro:type:`Log::ID`: :bro:type:`enum` The FTP protocol logging stream identifier.
:bro:type:`connection`: :bro:type:`record`
:bro:id:`likely_server_ports`: :bro:type:`set` :bro:attr:`&redef`
================================================================= ===========================================
Events
######
========================================= =============================================================
:bro:id:`FTP::log_ftp`: :bro:type:`event` Event that can be handled to access the :bro:type:`FTP::Info`
record as it is sent on to the logging framework.
========================================= =============================================================
Functions
#########
========================================================= =====================================================================
:bro:id:`FTP::parse_ftp_reply_code`: :bro:type:`function` Parse FTP reply codes into the three constituent single digit values.
========================================================= =====================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. bro:id:: FTP::guest_ids
:Type: :bro:type:`set` [:bro:type:`string`]
:Attributes: :bro:attr:`&redef`
:Default:
::
{
"ftpuser",
"ftp",
"guest",
"anonymous"
}
User IDs that can be considered "anonymous".
.. bro:id:: FTP::logged_commands
:Type: :bro:type:`set` [:bro:type:`string`]
:Attributes: :bro:attr:`&redef`
:Default:
::
{
"RETR",
"EPSV",
"EPRT",
"DELE",
"PORT",
"PASV",
"STOR",
"APPE",
"STOU",
"ACCT"
}
List of commands that should have their command/response pairs logged.
Types
#####
.. bro:type:: FTP::ReplyCode
:Type: :bro:type:`record`
x: :bro:type:`count`
y: :bro:type:`count`
z: :bro:type:`count`
This record is to hold a parsed FTP reply code. For example, for the
201 status code, the digits would be parsed as: x->2, y->0, z->1.
Events
######
.. bro:id:: FTP::log_ftp
:Type: :bro:type:`event` (rec: :bro:type:`FTP::Info`)
Event that can be handled to access the :bro:type:`FTP::Info`
record as it is sent on to the logging framework.
Functions
#########
.. bro:id:: FTP::parse_ftp_reply_code
:Type: :bro:type:`function` (code: :bro:type:`count`) : :bro:type:`FTP::ReplyCode`
Parse FTP reply codes into the three constituent single digit values.
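Review bot: `FTP::parse_ftp_reply_code` documents neither its `code` parameter nor its return value, whereas the functions in utils.bro in this same commit carry `:rec:` and `:returns:` entries; a `:code:`/`:returns:` pair that points at `FTP::ReplyCode` (x/y/z as in the "201" example above) would make the package consistent. In the Redefinitions table, `Log::ID` has a description ("The FTP protocol logging stream identifier.") but the `connection` and `likely_server_ports` rows are blank, so those redefs lack doc comments in the source.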

@ -0,0 +1,397 @@
:tocdepth: 3
base/protocols/ftp/utils-commands.bro
=====================================
.. bro:namespace:: FTP
:Namespace: FTP
Summary
~~~~~~~
Runtime Options
###############
================================================================= ===========================================================
:bro:id:`FTP::cmd_reply_code`: :bro:type:`set` :bro:attr:`&redef` Possible response codes for a wide variety of FTP commands.
================================================================= ===========================================================
Types
#####
=============================================== ====================================================================
:bro:type:`FTP::CmdArg`: :bro:type:`record`
:bro:type:`FTP::PendingCmds`: :bro:type:`table` Structure for tracking pending commands in the event that the client
sends a large number of commands before the server has a chance to
reply.
=============================================== ====================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. bro:id:: FTP::cmd_reply_code
:Type: :bro:type:`set` [:bro:type:`string`, :bro:type:`count`]
:Attributes: :bro:attr:`&redef`
:Default:
::
{
["STRU", 501] ,
["SITE", 501] ,
["LIST", 530] ,
["PASS", 230] ,
["<init>", 421] ,
["STOR", 500] ,
["PASS", 202] ,
["ACCT", 500] ,
["RETR", 125] ,
["PWD", 550] ,
["NLST", 550] ,
["HELP", 502] ,
["LIST", 451] ,
["CWD", 530] ,
["HELP", 211] ,
["STOU", 551] ,
["STOU", 452] ,
["SYST", 215] ,
["NLST", 530] ,
["RNFR", 350] ,
["STOU", 451] ,
["MLST", 150] ,
["EPRT", 522] ,
["ABOR", 500] ,
["REST", 502] ,
["TYPE", 200] ,
["RETR", 110] ,
["RNTO", 530] ,
["APPE", 250] ,
["RETR", 451] ,
["NLST", 226] ,
["NLST", 502] ,
["APPE", 552] ,
["HELP", 501] ,
["STOR", 250] ,
["STOU", 500] ,
["STOR", 451] ,
["STOU", 553] ,
["APPE", 150] ,
["MKD", 502] ,
["RETR", 226] ,
["PWD", 257] ,
["MLST", 226] ,
["STRU", 421] ,
["MLSD", 550] ,
["STRU", 200] ,
["MLST", 500] ,
["APPE", 451] ,
["STOR", 452] ,
["SMNT", 501] ,
["ACCT", 230] ,
["DELE", 500] ,
["SYST", 502] ,
["ALLO", 504] ,
["STAT", 530] ,
["APPE", 532] ,
["CDUP", 501] ,
["SMNT", 421] ,
["APPE", 226] ,
["REST", 530] ,
["LIST", 150] ,
["SYST", 500] ,
["SYST", 530] ,
["RNFR", 500] ,
["STAT", 500] ,
["STRU", 504] ,
["STOR", 532] ,
["REST", 200] ,
["MODE", 530] ,
["DELE", 450] ,
["CWD", 502] ,
["REIN", 220] ,
["RNTO", 553] ,
["STOU", 421] ,
["RETR", 501] ,
["LIST", 500] ,
["RNFR", 421] ,
["MODE", 421] ,
["FEAT", 502] ,
["MACB", 200] ,
["RETR", 550] ,
["MODE", 504] ,
["APPE", 425] ,
["ALLO", 202] ,
["OPTS", 501] ,
["STOU", 226] ,
["STAT", 421] ,
["REIN", 502] ,
["STRU", 530] ,
["MLSD", 501] ,
["CWD", 421] ,
["NOOP", 500] ,
["MLSD", 250] ,
["PASS", 530] ,
["RNTO", 532] ,
["ALLO", 421] ,
["USER", 331] ,
["MKD", 530] ,
["STAT", 212] ,
["REIN", 120] ,
["RNTO", 503] ,
["STAT", 450] ,
["APPE", 500] ,
["APPE", 530] ,
["SITE", 214] ,
["FEAT", 211] ,
["STOU", 450] ,
["STOR", 425] ,
["RMD", 502] ,
["ABOR", 502] ,
["STOU", 426] ,
["STAT", 501] ,
["STOR", 552] ,
["RMD", 501] ,
["STOU", 110] ,
["MLST", 250] ,
["RNTO", 502] ,
["STOR", 150] ,
["ALLO", 200] ,
["MDTM", 501] ,
["PWD", 502] ,
["RNTO", 501] ,
["RETR", 450] ,
["MDTM", 213] ,
["RNTO", 250] ,
["DELE", 550] ,
["MKD", 421] ,
["RNTO", 421] ,
["APPE", 452] ,
["PORT", 200] ,
["STOU", 501] ,
["RNFR", 502] ,
["NLST", 425] ,
["REIN", 421] ,
["STOU", 532] ,
["RETR", 425] ,
["STAT", 502] ,
["HELP", 214] ,
["ABOR", 421] ,
["MKD", 501] ,
["CDUP", 200] ,
["STAT", 211] ,
["ALLO", 530] ,
["APPE", 553] ,
["CDUP", 250] ,
["PASS", 421] ,
["<init>", 120] ,
["EPSV", 501] ,
["TYPE", 504] ,
["HELP", 500] ,
["STOU", 550] ,
["SIZE", 550] ,
["DELE", 502] ,
["RNFR", 501] ,
["STAT", 213] ,
["USER", 421] ,
["CDUP", 500] ,
["PASV", 530] ,
["LIST", 550] ,
["REIN", 500] ,
["NOOP", 421] ,
["EPSV", 229] ,
["<missing>", 0] ,
["SYST", 421] ,
["APPE", 426] ,
["ACCT", 421] ,
["RMD", 550] ,
["MLSD", 226] ,
["USER", 230] ,
["PASS", 500] ,
["NLST", 125] ,
["NLST", 450] ,
["RMD", 530] ,
["STOR", 553] ,
["ACCT", 503] ,
["STOU", 425] ,
["MODE", 200] ,
["RMD", 250] ,
["PORT", 530] ,
["APPE", 501] ,
["HELP", 421] ,
["LPRT", 501] ,
["STOU", 250] ,
["STOU", 150] ,
["RMD", 421] ,
["HELP", 200] ,
["CLNT", 500] ,
["LIST", 125] ,
["CWD", 501] ,
["RNFR", 550] ,
["MLST", 550] ,
["CDUP", 502] ,
["SITE", 530] ,
["RETR", 421] ,
["RNTO", 500] ,
["RETR", 250] ,
["SITE", 202] ,
["STOR", 530] ,
["SMNT", 502] ,
["TYPE", 500] ,
["LIST", 426] ,
["APPE", 125] ,
["MDTM", 500] ,
["<init>", 0] ,
["LIST", 250] ,
["DELE", 250] ,
["MKD", 257] ,
["PASS", 332] ,
["PWD", 500] ,
["LIST", 226] ,
["FEAT", 500] ,
["NLST", 500] ,
["NLST", 501] ,
["EPRT", 500] ,
["DELE", 530] ,
["LIST", 502] ,
["APPE", 421] ,
["USER", 332] ,
["EPRT", 501] ,
["PORT", 500] ,
["SMNT", 250] ,
["STOU", 552] ,
["APPE", 550] ,
["STRU", 500] ,
["MLSD", 150] ,
["OPTS", 200] ,
["MODE", 501] ,
["NLST", 250] ,
["SIZE", 501] ,
["ACCT", 202] ,
["MKD", 500] ,
["SITE", 200] ,
["QUIT", 500] ,
["STOR", 426] ,
["LIST", 421] ,
["RETR", 150] ,
["MODE", 502] ,
["RMD", 500] ,
["NLST", 421] ,
["<init>", 220] ,
["PORT", 421] ,
["CWD", 250] ,
["RNFR", 450] ,
["STOR", 125] ,
["CLNT", 200] ,
["PASS", 501] ,
["PASV", 421] ,
["REST", 501] ,
["RNFR", 530] ,
["SMNT", 500] ,
["SMNT", 530] ,
["SITE", 502] ,
["APPE", 502] ,
["REST", 421] ,
["USER", 530] ,
["STOR", 550] ,
["MLST", 501] ,
["STOR", 551] ,
["OPTS", 451] ,
["SYST", 501] ,
["LPRT", 521] ,
["PORT", 501] ,
["NOOP", 200] ,
["APPE", 450] ,
["DELE", 501] ,
["ABOR", 225] ,
["PASV", 500] ,
["NLST", 150] ,
["CDUP", 530] ,
["PWD", 421] ,
["TYPE", 421] ,
["ABOR", 501] ,
["RETR", 500] ,
["ACCT", 530] ,
["STOR", 501] ,
["STOR", 226] ,
["RETR", 426] ,
["QUIT", 221] ,
["CDUP", 550] ,
["STOR", 450] ,
["NLST", 451] ,
["SITE", 500] ,
["SIZE", 213] ,
["STOR", 421] ,
["MACB", 550] ,
["PASV", 501] ,
["CWD", 500] ,
["ALLO", 501] ,
["PASV", 502] ,
["CDUP", 421] ,
["DELE", 421] ,
["SIZE", 500] ,
["PASV", 227] ,
["PWD", 501] ,
["REST", 350] ,
["NLST", 426] ,
["STOU", 530] ,
["USER", 501] ,
["USER", 500] ,
["PASS", 503] ,
["REST", 500] ,
["MLSD", 500] ,
["MACB", 500] ,
["SMNT", 550] ,
["RETR", 530] ,
["STOU", 125] ,
["TYPE", 501] ,
["CWD", 550] ,
["MKD", 550] ,
["STOR", 110] ,
["SMNT", 202] ,
["MDTM", 550] ,
["ABOR", 226] ,
["EPRT", 200] ,
["MODE", 500] ,
["ACCT", 501] ,
["EPSV", 500] ,
["QUIT", 0] ,
["ALLO", 500] ,
["LIST", 501] ,
["TYPE", 530] ,
["APPE", 551] ,
["LIST", 425] ,
["LPRT", 500] ,
["LIST", 450]
}
Possible response codes for a wide variety of FTP commands.
Types
#####
.. bro:type:: FTP::CmdArg
:Type: :bro:type:`record`
ts: :bro:type:`time`
Time when the command was sent.
cmd: :bro:type:`string` :bro:attr:`&default` = ``"<unknown>"`` :bro:attr:`&optional`
Command.
arg: :bro:type:`string` :bro:attr:`&default` = ``""`` :bro:attr:`&optional`
Argument for the command if one was given.
seq: :bro:type:`count` :bro:attr:`&default` = ``0`` :bro:attr:`&optional`
Counter to track how many commands have been executed.
.. bro:type:: FTP::PendingCmds
:Type: :bro:type:`table` [:bro:type:`count`] of :bro:type:`FTP::CmdArg`
Structure for tracking pending commands in the event that the client
sends a large number of commands before the server has a chance to
reply.
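Review bot: the `:Default:` dump of `FTP::cmd_reply_code` lists its several hundred entries in what looks like set iteration order (``["STRU", 501] ,``, ``["SITE", 501] ,``, ``["LIST", 530] ,`` ...) rather than a sorted order. The commit message says these generated files are now checked against fresh output by a test, so any change in hash ordering would fail that test without any real documentation change; have the generator sort set and table defaults before emitting them. Also, `FTP::CmdArg` has an empty description cell in the Types summary table and no text under its `.. bro:type::` block, i.e. the record lacks a doc comment in utils-commands.bro.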

@ -0,0 +1,57 @@
:tocdepth: 3
base/protocols/ftp/utils.bro
============================
.. bro:namespace:: FTP
Utilities specific for FTP processing.
:Namespace: FTP
:Imports: :doc:`base/protocols/ftp/info.bro </scripts/base/protocols/ftp/info.bro>`, :doc:`base/utils/addrs.bro </scripts/base/utils/addrs.bro>`, :doc:`base/utils/paths.bro </scripts/base/utils/paths.bro>`
Summary
~~~~~~~
Functions
#########
================================================== ===========================================================
:bro:id:`FTP::build_url`: :bro:type:`function` Creates a URL from an :bro:type:`FTP::Info` record.
:bro:id:`FTP::build_url_ftp`: :bro:type:`function` Creates a URL from an :bro:type:`FTP::Info` record.
:bro:id:`FTP::describe`: :bro:type:`function` Create an extremely shortened representation of a log line.
================================================== ===========================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. bro:id:: FTP::build_url
:Type: :bro:type:`function` (rec: :bro:type:`FTP::Info`) : :bro:type:`string`
Creates a URL from an :bro:type:`FTP::Info` record.
:rec: An :bro:type:`FTP::Info` record.
:returns: A URL, not prefixed by ``"ftp://"``.
.. bro:id:: FTP::build_url_ftp
:Type: :bro:type:`function` (rec: :bro:type:`FTP::Info`) : :bro:type:`string`
Creates a URL from an :bro:type:`FTP::Info` record.
:rec: An :bro:type:`FTP::Info` record.
:returns: A URL prefixed with ``"ftp://"``.
.. bro:id:: FTP::describe
:Type: :bro:type:`function` (rec: :bro:type:`FTP::Info`) : :bro:type:`string`
Create an extremely shortened representation of a log line.
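Review bot: `FTP::build_url` and `FTP::build_url_ftp` have identical one-line summaries ("Creates a URL from an :bro:type:`FTP::Info` record."), so the Functions summary table cannot tell them apart; since the only difference is the ``"ftp://"`` prefix mentioned under `:returns:`, move that into the first sentence of each docstring. `FTP::describe` also lacks the `:rec:`/`:returns:` entries its two neighbours have.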

@ -0,0 +1,14 @@
:tocdepth: 3
base/protocols/http/__load__.bro
================================
:Imports: :doc:`base/protocols/http/entities.bro </scripts/base/protocols/http/entities.bro>`, :doc:`base/protocols/http/files.bro </scripts/base/protocols/http/files.bro>`, :doc:`base/protocols/http/main.bro </scripts/base/protocols/http/main.bro>`, :doc:`base/protocols/http/utils.bro </scripts/base/protocols/http/utils.bro>`
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

@ -0,0 +1,40 @@
:tocdepth: 3
base/protocols/http/entities.bro
================================
.. bro:namespace:: HTTP
Analysis and logging for MIME entities found in HTTP sessions.
:Namespace: HTTP
:Imports: :doc:`base/frameworks/files </scripts/base/frameworks/files/index>`, :doc:`base/protocols/http/main.bro </scripts/base/protocols/http/main.bro>`, :doc:`base/utils/files.bro </scripts/base/utils/files.bro>`, :doc:`base/utils/strings.bro </scripts/base/utils/strings.bro>`
Summary
~~~~~~~
Types
#####
============================================ =
:bro:type:`HTTP::Entity`: :bro:type:`record`
============================================ =
Redefinitions
#############
========================================================== =
:bro:type:`HTTP::Info`: :bro:type:`record`
:bro:type:`fa_file`: :bro:type:`record` :bro:attr:`&redef`
========================================================== =
Detailed Interface
~~~~~~~~~~~~~~~~~~
Types
#####
.. bro:type:: HTTP::Entity
:Type: :bro:type:`record`
filename: :bro:type:`string` :bro:attr:`&optional`
Filename for the entity if discovered from a header.
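Review bot: `HTTP::Entity` has an empty description cell in the Types summary table and no text under its `.. bro:type::` block, so the record needs a doc comment in entities.bro. For its `filename` field ("Filename for the entity if discovered from a header."), the docstring should state that the value is copied from a client- or server-supplied header and is therefore untrusted input, which matters for any script that uses it to name extracted files on disk.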

@ -0,0 +1,37 @@
:tocdepth: 3
base/protocols/http/files.bro
=============================
.. bro:namespace:: HTTP
:Namespace: HTTP
:Imports: :doc:`base/frameworks/files </scripts/base/frameworks/files/index>`, :doc:`base/protocols/http/entities.bro </scripts/base/protocols/http/entities.bro>`, :doc:`base/protocols/http/main.bro </scripts/base/protocols/http/main.bro>`, :doc:`base/protocols/http/utils.bro </scripts/base/protocols/http/utils.bro>`, :doc:`base/utils/conn-ids.bro </scripts/base/utils/conn-ids.bro>`
Summary
~~~~~~~
Functions
#########
===================================================== ======================================
:bro:id:`HTTP::describe_file`: :bro:type:`function` Default file describer for HTTP.
:bro:id:`HTTP::get_file_handle`: :bro:type:`function` Default file handle provider for HTTP.
===================================================== ======================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. bro:id:: HTTP::describe_file
:Type: :bro:type:`function` (f: :bro:type:`fa_file`) : :bro:type:`string`
Default file describer for HTTP.
.. bro:id:: HTTP::get_file_handle
:Type: :bro:type:`function` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`) : :bro:type:`string`
Default file handle provider for HTTP.

@ -0,0 +1,27 @@
:orphan:
Package: base/protocols/http
============================
Support for Hypertext Transfer Protocol (HTTP) analysis.
:doc:`/scripts/base/protocols/http/__load__.bro`
:doc:`/scripts/base/protocols/http/main.bro`
Implements base functionality for HTTP analysis. The logging model is
to log request/response pairs and all relevant metadata together in
a single record.
:doc:`/scripts/base/protocols/http/entities.bro`
Analysis and logging for MIME entities found in HTTP sessions.
:doc:`/scripts/base/protocols/http/utils.bro`
Utilities specific for HTTP processing.
:doc:`/scripts/base/protocols/http/files.bro`

@ -0,0 +1,342 @@
:tocdepth: 3
base/protocols/http/main.bro
============================
.. bro:namespace:: HTTP
Implements base functionality for HTTP analysis. The logging model is
to log request/response pairs and all relevant metadata together in
a single record.
:Namespace: HTTP
:Imports: :doc:`base/frameworks/tunnels </scripts/base/frameworks/tunnels/index>`, :doc:`base/utils/files.bro </scripts/base/utils/files.bro>`, :doc:`base/utils/numbers.bro </scripts/base/utils/numbers.bro>`
Summary
~~~~~~~
Runtime Options
###############
============================================================================= ====================================================================
:bro:id:`HTTP::default_capture_password`: :bro:type:`bool` :bro:attr:`&redef` This setting changes if passwords used in Basic-Auth are captured or
not.
:bro:id:`HTTP::http_methods`: :bro:type:`set` :bro:attr:`&redef` A list of HTTP methods.
:bro:id:`HTTP::proxy_headers`: :bro:type:`set` :bro:attr:`&redef` A list of HTTP headers typically used to indicate proxied requests.
============================================================================= ====================================================================
Types
#####
=========================================== ===================================================================
:bro:type:`HTTP::Info`: :bro:type:`record` The record type which contains the fields of the HTTP log.
:bro:type:`HTTP::State`: :bro:type:`record` Structure to maintain state for an HTTP connection with multiple
requests and responses.
:bro:type:`HTTP::Tags`: :bro:type:`enum` Indicate a type of attack or compromise in the record to be logged.
=========================================== ===================================================================
Redefinitions
#############
================================================================= =
:bro:type:`Log::ID`: :bro:type:`enum`
:bro:type:`connection`: :bro:type:`record`
:bro:id:`likely_server_ports`: :bro:type:`set` :bro:attr:`&redef`
================================================================= =
Events
######
=========================================== ====================================================================
:bro:id:`HTTP::log_http`: :bro:type:`event` Event that can be handled to access the HTTP record as it is sent on
to the logging framework.
=========================================== ====================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. bro:id:: HTTP::default_capture_password
:Type: :bro:type:`bool`
:Attributes: :bro:attr:`&redef`
:Default: ``F``
This setting changes if passwords used in Basic-Auth are captured or
not.
.. bro:id:: HTTP::http_methods
:Type: :bro:type:`set` [:bro:type:`string`]
:Attributes: :bro:attr:`&redef`
:Default:
::
{
"MKCOL",
"MOVE",
"LOCK",
"SUBSCRIBE",
"REPORT",
"PROPPATCH",
"UNLOCK",
"OPTIONS",
"CONNECT",
"DELETE",
"TRACE",
"SEARCH",
"HEAD",
"COPY",
"BMOVE",
"GET",
"PUT",
"POST",
"PROPFIND",
"POLL"
}
A list of HTTP methods. Other methods will generate a weird. Note
that the HTTP analyzer will only accept methods consisting solely
of letters ``[A-Za-z]``.
.. bro:id:: HTTP::proxy_headers
:Type: :bro:type:`set` [:bro:type:`string`]
:Attributes: :bro:attr:`&redef`
:Default:
::
{
"X-FORWARDED-FOR",
"CLIENT-IP",
"XROXY-CONNECTION",
"X-FORWARDED-FROM",
"FORWARDED",
"PROXY-CONNECTION",
"VIA"
}
A list of HTTP headers typically used to indicate proxied requests.
Types
#####
.. bro:type:: HTTP::Info
:Type: :bro:type:`record`
ts: :bro:type:`time` :bro:attr:`&log`
Timestamp for when the request happened.
uid: :bro:type:`string` :bro:attr:`&log`
Unique ID for the connection.
id: :bro:type:`conn_id` :bro:attr:`&log`
The connection's 4-tuple of endpoint addresses/ports.
trans_depth: :bro:type:`count` :bro:attr:`&log`
Represents the pipelined depth into the connection of this
request/response transaction.
method: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Verb used in the HTTP request (GET, POST, HEAD, etc.).
host: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Value of the HOST header.
uri: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
URI used in the request.
referrer: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Value of the "referer" header. The comment is deliberately
misspelled like the standard declares, but the name used here
is "referrer" spelled correctly.
version: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Value of the version portion of the request.
user_agent: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Value of the User-Agent header from the client.
request_body_len: :bro:type:`count` :bro:attr:`&log` :bro:attr:`&default` = ``0`` :bro:attr:`&optional`
Actual uncompressed content size of the data transferred from
the client.
response_body_len: :bro:type:`count` :bro:attr:`&log` :bro:attr:`&default` = ``0`` :bro:attr:`&optional`
Actual uncompressed content size of the data transferred from
the server.
status_code: :bro:type:`count` :bro:attr:`&log` :bro:attr:`&optional`
Status code returned by the server.
status_msg: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Status message returned by the server.
info_code: :bro:type:`count` :bro:attr:`&log` :bro:attr:`&optional`
Last seen 1xx informational reply code returned by the server.
info_msg: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Last seen 1xx informational reply message returned by the server.
tags: :bro:type:`set` [:bro:type:`HTTP::Tags`] :bro:attr:`&log`
A set of indicators of various attributes discovered and
related to a particular request/response pair.
username: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Username if basic-auth is performed for the request.
password: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Password if basic-auth is performed for the request.
capture_password: :bro:type:`bool` :bro:attr:`&default` = :bro:see:`HTTP::default_capture_password` :bro:attr:`&optional`
Determines if the password will be captured for this request.
proxied: :bro:type:`set` [:bro:type:`string`] :bro:attr:`&log` :bro:attr:`&optional`
All of the headers that may indicate if the request was proxied.
range_request: :bro:type:`bool` :bro:attr:`&default` = ``F`` :bro:attr:`&optional`
Indicates if this request can assume 206 partial content in
response.
orig_fuids: :bro:type:`vector` of :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
(present if :doc:`/scripts/base/protocols/http/entities.bro` is loaded)
An ordered vector of file unique IDs.
orig_filenames: :bro:type:`vector` of :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
(present if :doc:`/scripts/base/protocols/http/entities.bro` is loaded)
An ordered vector of filenames from the client.
orig_mime_types: :bro:type:`vector` of :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
(present if :doc:`/scripts/base/protocols/http/entities.bro` is loaded)
An ordered vector of mime types.
resp_fuids: :bro:type:`vector` of :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
(present if :doc:`/scripts/base/protocols/http/entities.bro` is loaded)
An ordered vector of file unique IDs.
resp_filenames: :bro:type:`vector` of :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
(present if :doc:`/scripts/base/protocols/http/entities.bro` is loaded)
An ordered vector of filenames from the server.
resp_mime_types: :bro:type:`vector` of :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
(present if :doc:`/scripts/base/protocols/http/entities.bro` is loaded)
An ordered vector of mime types.
current_entity: :bro:type:`HTTP::Entity` :bro:attr:`&optional`
(present if :doc:`/scripts/base/protocols/http/entities.bro` is loaded)
The current entity.
orig_mime_depth: :bro:type:`count` :bro:attr:`&default` = ``0`` :bro:attr:`&optional`
(present if :doc:`/scripts/base/protocols/http/entities.bro` is loaded)
Current number of MIME entities in the HTTP request message
body.
resp_mime_depth: :bro:type:`count` :bro:attr:`&default` = ``0`` :bro:attr:`&optional`
(present if :doc:`/scripts/base/protocols/http/entities.bro` is loaded)
Current number of MIME entities in the HTTP response message
body.
client_header_names: :bro:type:`vector` of :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/http/header-names.bro` is loaded)
The vector of HTTP header names sent by the client. No
header values are included here, just the header names.
server_header_names: :bro:type:`vector` of :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/http/header-names.bro` is loaded)
The vector of HTTP header names sent by the server. No
header values are included here, just the header names.
omniture: :bro:type:`bool` :bro:attr:`&default` = ``F`` :bro:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/http/software-browser-plugins.bro` is loaded)
Indicates if the server is an omniture advertising server.
flash_version: :bro:type:`string` :bro:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/http/software-browser-plugins.bro` is loaded)
The unparsed Flash version, if detected.
cookie_vars: :bro:type:`vector` of :bro:type:`string` :bro:attr:`&optional` :bro:attr:`&log`
(present if :doc:`/scripts/policy/protocols/http/var-extraction-cookies.bro` is loaded)
Variable names extracted from all cookies.
uri_vars: :bro:type:`vector` of :bro:type:`string` :bro:attr:`&optional` :bro:attr:`&log`
(present if :doc:`/scripts/policy/protocols/http/var-extraction-uri.bro` is loaded)
Variable names from the URI.
The record type which contains the fields of the HTTP log.
.. bro:type:: HTTP::State
:Type: :bro:type:`record`
pending: :bro:type:`table` [:bro:type:`count`] of :bro:type:`HTTP::Info`
Pending requests.
current_request: :bro:type:`count` :bro:attr:`&default` = ``0`` :bro:attr:`&optional`
Current request in the pending queue.
current_response: :bro:type:`count` :bro:attr:`&default` = ``0`` :bro:attr:`&optional`
Current response in the pending queue.
trans_depth: :bro:type:`count` :bro:attr:`&default` = ``0`` :bro:attr:`&optional`
Track the current deepest transaction.
This is meant to cope with missing requests
and responses.
Structure to maintain state for an HTTP connection with multiple
requests and responses.
.. bro:type:: HTTP::Tags
:Type: :bro:type:`enum`
.. bro:enum:: HTTP::EMPTY HTTP::Tags
Placeholder.
.. bro:enum:: HTTP::URI_SQLI HTTP::Tags
(present if :doc:`/scripts/policy/protocols/http/detect-sqli.bro` is loaded)
Indicator of a URI based SQL injection attack.
.. bro:enum:: HTTP::POST_SQLI HTTP::Tags
(present if :doc:`/scripts/policy/protocols/http/detect-sqli.bro` is loaded)
Indicator of client body based SQL injection attack. This is
typically the body content of a POST request. Not implemented
yet.
.. bro:enum:: HTTP::COOKIE_SQLI HTTP::Tags
(present if :doc:`/scripts/policy/protocols/http/detect-sqli.bro` is loaded)
Indicator of a cookie based SQL injection attack. Not
implemented yet.
Indicate a type of attack or compromise in the record to be logged.
Events
######
.. bro:id:: HTTP::log_http
:Type: :bro:type:`event` (rec: :bro:type:`HTTP::Info`)
Event that can be handled to access the HTTP record as it is sent on
to the logging framework.
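Review bot: the `:Default:` blocks for `HTTP::http_methods` and `HTTP::proxy_headers` list set members in an unsorted order ("MKCOL", "MOVE", "LOCK", ... and "X-FORWARDED-FOR", "CLIENT-IP", "XROXY-CONNECTION", ...), so a regeneration can reorder them without any semantic change and produce spurious diffs in a checked-in file; have the generator sort set and table members before rendering. Secondary: `HTTP::POST_SQLI` and `HTTP::COOKIE_SQLI` are published in the `HTTP::Tags` enum with the comment "Not implemented yet"; either keep that caveat prominent or hold the values back until something produces them, so nobody builds a detection that keys on a tag that never appears in http.log.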

@ -0,0 +1,78 @@
:tocdepth: 3
base/protocols/http/utils.bro
=============================
.. bro:namespace:: HTTP
Utilities specific for HTTP processing.
:Namespace: HTTP
:Imports: :doc:`base/protocols/http/main.bro </scripts/base/protocols/http/main.bro>`, :doc:`base/utils/addrs.bro </scripts/base/utils/addrs.bro>`
Summary
~~~~~~~
Functions
#########
==================================================== ====================================================================
:bro:id:`HTTP::build_url`: :bro:type:`function` Creates a URL from an :bro:type:`HTTP::Info` record.
:bro:id:`HTTP::build_url_http`: :bro:type:`function` Creates a URL from an :bro:type:`HTTP::Info` record.
:bro:id:`HTTP::describe`: :bro:type:`function` Create an extremely shortened representation of a log line.
:bro:id:`HTTP::extract_keys`: :bro:type:`function` Given a string containing a series of key-value pairs separated
by "=", this function can be used to parse out all of the key names.
==================================================== ====================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. bro:id:: HTTP::build_url
:Type: :bro:type:`function` (rec: :bro:type:`HTTP::Info`) : :bro:type:`string`
Creates a URL from an :bro:type:`HTTP::Info` record. This should
handle edge cases such as proxied requests appropriately.
:rec: An :bro:type:`HTTP::Info` record.
:returns: A URL, not prefixed by ``"http://"``.
.. bro:id:: HTTP::build_url_http
:Type: :bro:type:`function` (rec: :bro:type:`HTTP::Info`) : :bro:type:`string`
Creates a URL from an :bro:type:`HTTP::Info` record. This should
handle edge cases such as proxied requests appropriately.
:rec: An :bro:type:`HTTP::Info` record.
:returns: A URL prefixed with ``"http://"``.
.. bro:id:: HTTP::describe
:Type: :bro:type:`function` (rec: :bro:type:`HTTP::Info`) : :bro:type:`string`
Create an extremely shortened representation of a log line.
.. bro:id:: HTTP::extract_keys
:Type: :bro:type:`function` (data: :bro:type:`string`, kv_splitter: :bro:type:`pattern`) : :bro:type:`string_vec`
Given a string containing a series of key-value pairs separated
by "=", this function can be used to parse out all of the key names.
:data: The raw data, such as a URL or cookie value.
:kv_splitter: A regular expression representing the separator between
key-value pairs.
:returns: A vector of strings containing the keys.
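Review bot: `HTTP::describe` is the only function in this file without `:rec:` and `:returns:` entries; add the parameter and return documentation to its source comment so it matches `build_url`, `build_url_http` and `extract_keys`. Also, the `extract_keys` summary ("a series of key-value pairs separated by "=") reads as if "=" separates the pairs, while the signature shows `kv_splitter` doing that and "=" separating a key from its value; suggest "a series of key=value pairs, separated from each other by `kv_splitter`".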

@ -0,0 +1,14 @@
:tocdepth: 3
base/protocols/imap/__load__.bro
================================
:Imports: :doc:`base/protocols/imap/main.bro </scripts/base/protocols/imap/main.bro>`
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~
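Review bot: `Summary` and `Detailed Interface` are emitted as empty sections here (the file declares nothing beyond its `:Imports:` line); the generator could skip headings with no content, which would also shrink every other `__load__.bro` page in this commit. Not blocking, since the output is mechanical.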

@ -0,0 +1,17 @@
:orphan:
Package: base/protocols/imap
============================
Support for the Internet Message Access Protocol (IMAP).
Note that currently the IMAP analyzer only supports analyzing IMAP sessions
until they do or do not switch to TLS using StartTLS. Hence, we do not get
mails from IMAP sessions, only X509 certificates.
:doc:`/scripts/base/protocols/imap/__load__.bro`
:doc:`/scripts/base/protocols/imap/main.bro`
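Review bot: "until they do or do not switch to TLS using StartTLS" is hard to parse; suggest "only up to the point where the session either switches to TLS via STARTTLS or continues in plaintext", and keep the next sentence as the explicit statement of the gap (no mail content is recovered from IMAP, only the X509 certificates from the TLS handshake), since that is what an operator reading this package page needs to know.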

@ -0,0 +1,21 @@
:tocdepth: 3
base/protocols/imap/main.bro
============================
.. bro:namespace:: IMAP
:Namespace: IMAP
Summary
~~~~~~~
Redefinitions
#############
================================================================= =
:bro:id:`likely_server_ports`: :bro:type:`set` :bro:attr:`&redef`
================================================================= =
Detailed Interface
~~~~~~~~~~~~~~~~~~

@ -0,0 +1,14 @@
:tocdepth: 3
base/protocols/irc/__load__.bro
===============================
:Imports: :doc:`base/protocols/irc/dcc-send.bro </scripts/base/protocols/irc/dcc-send.bro>`, :doc:`base/protocols/irc/files.bro </scripts/base/protocols/irc/files.bro>`, :doc:`base/protocols/irc/main.bro </scripts/base/protocols/irc/main.bro>`
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

@ -0,0 +1,29 @@
:tocdepth: 3
base/protocols/irc/dcc-send.bro
===============================
.. bro:namespace:: IRC
File extraction and introspection for DCC transfers over IRC.
There is a major problem with this script in the cluster context because
we might see A send B a message that a DCC connection is to be expected,
but that connection will actually be between B and C which could be
analyzed on a different worker.
:Namespace: IRC
:Imports: :doc:`base/frameworks/cluster </scripts/base/frameworks/cluster/index>`, :doc:`base/protocols/irc/main.bro </scripts/base/protocols/irc/main.bro>`, :doc:`base/utils/files.bro </scripts/base/utils/files.bro>`
Summary
~~~~~~~
Redefinitions
#############
========================================= =
:bro:type:`IRC::Info`: :bro:type:`record`
========================================= =
Detailed Interface
~~~~~~~~~~~~~~~~~~
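Review bot: the module comment describes the cluster problem (the DCC announcement from A to B is seen on one worker, while the resulting connection between B and C may be analyzed on another) but leaves the consequence implicit; add a sentence spelling out whether the transfer is then missed entirely or only its file extraction, and whether the `base/frameworks/cluster` import listed under `:Imports:` mitigates this at all. Operators reading the dcc-send.bro page need to know that this gap is silent.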

@ -0,0 +1,37 @@
:tocdepth: 3
base/protocols/irc/files.bro
============================
.. bro:namespace:: IRC
:Namespace: IRC
:Imports: :doc:`base/frameworks/files </scripts/base/frameworks/files/index>`, :doc:`base/protocols/irc/dcc-send.bro </scripts/base/protocols/irc/dcc-send.bro>`, :doc:`base/utils/conn-ids.bro </scripts/base/utils/conn-ids.bro>`
Summary
~~~~~~~
Redefinitions
#############
========================================================== =
:bro:type:`IRC::Info`: :bro:type:`record`
:bro:type:`fa_file`: :bro:type:`record` :bro:attr:`&redef`
========================================================== =
Functions
#########
==================================================== =====================================
:bro:id:`IRC::get_file_handle`: :bro:type:`function` Default file handle provider for IRC.
==================================================== =====================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. bro:id:: IRC::get_file_handle
:Type: :bro:type:`function` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`) : :bro:type:`string`
Default file handle provider for IRC.

@ -0,0 +1,29 @@
:orphan:
Package: base/protocols/irc
===========================
Support for Internet Relay Chat (IRC) protocol analysis.
:doc:`/scripts/base/protocols/irc/__load__.bro`
:doc:`/scripts/base/protocols/irc/main.bro`
Implements the core IRC analysis support. The logging model is to log
IRC commands along with the associated response and some additional
metadata about the connection if it's available.
:doc:`/scripts/base/protocols/irc/dcc-send.bro`
File extraction and introspection for DCC transfers over IRC.
There is a major problem with this script in the cluster context because
we might see A send B a message that a DCC connection is to be expected,
but that connection will actually be between B and C which could be
analyzed on a different worker.
:doc:`/scripts/base/protocols/irc/files.bro`

@ -0,0 +1,99 @@
:tocdepth: 3
base/protocols/irc/main.bro
===========================
.. bro:namespace:: IRC
Implements the core IRC analysis support. The logging model is to log
IRC commands along with the associated response and some additional
metadata about the connection if it's available.
:Namespace: IRC
Summary
~~~~~~~
Types
#####
========================================= =
:bro:type:`IRC::Info`: :bro:type:`record`
========================================= =
Redefinitions
#############
================================================================= =
:bro:type:`Log::ID`: :bro:type:`enum`
:bro:type:`connection`: :bro:type:`record`
:bro:id:`likely_server_ports`: :bro:type:`set` :bro:attr:`&redef`
================================================================= =
Events
######
========================================= ====================================================================
:bro:id:`IRC::irc_log`: :bro:type:`event` Event that can be handled to access the IRC record as it is sent on
to the logging framework.
========================================= ====================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Types
#####
.. bro:type:: IRC::Info
:Type: :bro:type:`record`
ts: :bro:type:`time` :bro:attr:`&log`
Timestamp when the command was seen.
uid: :bro:type:`string` :bro:attr:`&log`
Unique ID for the connection.
id: :bro:type:`conn_id` :bro:attr:`&log`
The connection's 4-tuple of endpoint addresses/ports.
nick: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Nickname given for the connection.
user: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Username given for the connection.
command: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Command given by the client.
value: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Value for the command given by the client.
addl: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Any additional data for the command.
dcc_file_name: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
(present if :doc:`/scripts/base/protocols/irc/dcc-send.bro` is loaded)
DCC filename requested.
dcc_file_size: :bro:type:`count` :bro:attr:`&log` :bro:attr:`&optional`
(present if :doc:`/scripts/base/protocols/irc/dcc-send.bro` is loaded)
Size of the DCC transfer as indicated by the sender.
dcc_mime_type: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
(present if :doc:`/scripts/base/protocols/irc/dcc-send.bro` is loaded)
Sniffed mime type of the file.
fuid: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
(present if :doc:`/scripts/base/protocols/irc/files.bro` is loaded)
File unique ID.
Events
######
.. bro:id:: IRC::irc_log
:Type: :bro:type:`event` (rec: :bro:type:`IRC::Info`)
Event that can be handled to access the IRC record as it is sent on
to the logging framework.

@ -0,0 +1,14 @@
:tocdepth: 3
base/protocols/krb/__load__.bro
===============================
:Imports: :doc:`base/protocols/krb/files.bro </scripts/base/protocols/krb/files.bro>`, :doc:`base/protocols/krb/main.bro </scripts/base/protocols/krb/main.bro>`
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

@ -0,0 +1,134 @@
:tocdepth: 3
base/protocols/krb/consts.bro
=============================
.. bro:namespace:: KRB
:Namespace: KRB
Summary
~~~~~~~
Constants
#########
============================================= =
:bro:id:`KRB::cipher_name`: :bro:type:`table`
:bro:id:`KRB::error_msg`: :bro:type:`table`
============================================= =
Detailed Interface
~~~~~~~~~~~~~~~~~~
Constants
#########
.. bro:id:: KRB::cipher_name
:Type: :bro:type:`table` [:bro:type:`count`] of :bro:type:`string`
:Default:
::
{
[2] = "des-cbc-md4",
[9] = "dsaWithSHA1-CmsOID",
[17] = "aes128-cts-hmac-sha1-96",
[11] = "sha1WithRSAEncryption-CmsOID",
[14] = "rsaES-OAEP-ENV-OID",
[24] = "rc4-hmac-exp",
[1] = "des-cbc-crc",
[7] = "des3-cbc-sha1",
[15] = "des-ede3-cbc-Env-OID",
[23] = "rc4-hmac",
[5] = "des3-cbc-md5",
[25] = "camellia128-cts-cmac",
[10] = "md5WithRSAEncryption-CmsOID",
[65] = "subkey-keymaterial",
[3] = "des-cbc-md5",
[12] = "rc2CBC-EnvOID",
[13] = "rsaEncryption-EnvOID",
[18] = "aes256-cts-hmac-sha1-96",
[16] = "des3-cbc-sha1-kd",
[26] = "camellia256-cts-cmac"
}
.. bro:id:: KRB::error_msg
:Type: :bro:type:`table` [:bro:type:`count`] of :bro:type:`string`
:Default:
::
{
[19] = "KDC_ERR_SERVICE_REVOKED",
[10] = "KDC_ERR_CANNOT_POSTDATE",
[3] = "KDC_ERR_BAD_PVNO",
[50] = "KRB_AP_ERR_INAPP_CKSUM",
[69] = "KRB_AP_ERR_USER_TO_USER_REQUIRED",
[47] = "KRB_AP_ERR_BADDIRECTION",
[27] = "KDC_ERR_MUST_USE_USER2USER",
[67] = "KRB_AP_ERR_NO_TGT",
[70] = "KDC_ERR_CANT_VERIFY_CERTIFICATE",
[6] = "KDC_ERR_C_PRINCIPAL_UNKNOWN",
[66] = "KDC_ERR_CERTIFICATE_MISMATCH",
[20] = "KDC_ERR_TGT_REVOKED",
[51] = "KRB_AP_PATH_NOT_ACCEPTED",
[25] = "KDC_ERR_PREAUTH_REQUIRED",
[37] = "KRB_AP_ERR_SKEW",
[31] = "KRB_AP_ERR_BAD_INTEGRITY",
[63] = "KDC_ERROR_KDC_NOT_TRUSTED",
[28] = "KDC_ERR_PATH_NOT_ACCEPTED",
[68] = "KDC_ERR_WRONG_REALM",
[9] = "KDC_ERR_NULL_KEY",
[11] = "KDC_ERR_NEVER_VALID",
[40] = "KRB_AP_ERR_MSG_TYPE",
[41] = "KRB_AP_ERR_MODIFIED",
[46] = "KRB_AP_ERR_MUT_FAIL",
[5] = "KDC_ERR_S_OLD_MAST_KVNO",
[49] = "KRB_AP_ERR_BADSEQ",
[45] = "KRB_AP_ERR_NOKEY",
[8] = "KDC_ERR_PRINCIPAL_NOT_UNIQUE",
[17] = "KDC_ERR_TRTYPE_NOSUPP",
[48] = "KRB_AP_ERR_METHOD",
[33] = "KRB_AP_ERR_TKT_NYV",
[24] = "KDC_ERR_PREAUTH_FAILED",
[23] = "KDC_ERR_KEY_EXPIRED",
[26] = "KDC_ERR_SERVER_NOMATCH",
[0] = "KDC_ERR_NONE",
[39] = "KRB_AP_ERR_BADVERSION",
[16] = "KDC_ERR_PADATA_TYPE_NOSUPP",
[34] = "KRB_AP_ERR_REPEAT",
[38] = "KRB_AP_ERR_BADADDR",
[18] = "KDC_ERR_CLIENT_REVOKED",
[35] = "KRB_AP_ERR_NOT_US",
[42] = "KRB_AP_ERR_BADORDER",
[71] = "KDC_ERR_INVALID_CERTIFICATE",
[74] = "KDC_ERR_REVOCATION_STATUS_UNAVAILABLE",
[7] = "KDC_ERR_S_PRINCIPAL_UNKNOWN",
[15] = "KDC_ERR_SUMTYPE_NOSUPP",
[36] = "KRB_AP_ERR_BADMATCH",
[62] = "KDC_ERROR_CLIENT_NOT_TRUSTED",
[4] = "KDC_ERR_C_OLD_MAST_KVNO",
[44] = "KRB_AP_ERR_BADKEYVER",
[52] = "KRB_ERR_RESPONSE_TOO_BIG",
[1] = "KDC_ERR_NAME_EXP",
[64] = "KDC_ERROR_INVALID_SIG",
[22] = "KDC_ERR_SERVICE_NOTYET",
[72] = "KDC_ERR_REVOKED_CERTIFICATE",
[14] = "KDC_ERR_ETYPE_NOSUPP",
[73] = "KDC_ERR_REVOCATION_STATUS_UNKNOWN",
[76] = "KDC_ERR_KDC_NAME_MISMATCH",
[21] = "KDC_ERR_CLIENT_NOTYET",
[29] = "KDC_ERR_SVC_UNAVAILABLE",
[13] = "KDC_ERR_BADOPTION",
[75] = "KDC_ERR_CLIENT_NAME_MISMATCH",
[2] = "KDC_ERR_SERVICE_EXP",
[32] = "KRB_AP_ERR_TKT_EXPIRED",
[60] = "KRB_ERR_GENERIC",
[12] = "KDC_ERR_POLICY",
[61] = "KRB_ERR_FIELD_TOOLONG",
[65] = "KDC_ERR_KEY_TOO_WEAK"
}
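Review bot: `KRB::cipher_name` and `KRB::error_msg` have empty summary cells in the Constants table at the top of the file; add a doc comment for each naming what the numbers are (Kerberos encryption-type identifiers and Kerberos error codes respectively), so a reader sees at once that `[65] = "subkey-keymaterial"` in one table and `[65] = "KDC_ERR_KEY_TOO_WEAK"` in the other are different number spaces. The entries are also rendered in an unsorted order, which makes the checked-in file noisy to regenerate; sorting table keys in the generator would fix that for every table in this commit.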

@ -0,0 +1,43 @@
:tocdepth: 3
base/protocols/krb/files.bro
============================
.. bro:namespace:: KRB
:Namespace: KRB
:Imports: :doc:`base/files/x509 </scripts/base/files/x509/index>`, :doc:`base/frameworks/files </scripts/base/frameworks/files/index>`, :doc:`base/protocols/krb/main.bro </scripts/base/protocols/krb/main.bro>`, :doc:`base/utils/conn-ids.bro </scripts/base/utils/conn-ids.bro>`
Summary
~~~~~~~
Redefinitions
#############
========================================= =
:bro:type:`KRB::Info`: :bro:type:`record`
========================================= =
Functions
#########
==================================================== =====================================
:bro:id:`KRB::describe_file`: :bro:type:`function` Default file describer for KRB.
:bro:id:`KRB::get_file_handle`: :bro:type:`function` Default file handle provider for KRB.
==================================================== =====================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. bro:id:: KRB::describe_file
:Type: :bro:type:`function` (f: :bro:type:`fa_file`) : :bro:type:`string`
Default file describer for KRB.
.. bro:id:: KRB::get_file_handle
:Type: :bro:type:`function` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`) : :bro:type:`string`
Default file handle provider for KRB.

@ -0,0 +1,21 @@
:orphan:
Package: base/protocols/krb
===========================
Support for Kerberos protocol analysis.
:doc:`/scripts/base/protocols/krb/__load__.bro`
:doc:`/scripts/base/protocols/krb/main.bro`
Implements base functionality for KRB analysis. Generates the kerberos.log
file.
:doc:`/scripts/base/protocols/krb/consts.bro`
:doc:`/scripts/base/protocols/krb/files.bro`

@ -0,0 +1,164 @@
:tocdepth: 3
base/protocols/krb/main.bro
===========================
.. bro:namespace:: KRB
Implements base functionality for KRB analysis. Generates the kerberos.log
file.
:Namespace: KRB
:Imports: :doc:`base/protocols/krb/consts.bro </scripts/base/protocols/krb/consts.bro>`
Summary
~~~~~~~
Runtime Options
###############
================================================================= =======================================================
:bro:id:`KRB::ignored_errors`: :bro:type:`set` :bro:attr:`&redef` The server response error texts which are *not* logged.
================================================================= =======================================================
Types
#####
========================================= =
:bro:type:`KRB::Info`: :bro:type:`record`
========================================= =
Redefinitions
#############
================================================================= =
:bro:type:`Log::ID`: :bro:type:`enum`
:bro:type:`connection`: :bro:type:`record`
:bro:id:`likely_server_ports`: :bro:type:`set` :bro:attr:`&redef`
================================================================= =
Events
######
========================================= ===================================================================
:bro:id:`KRB::log_krb`: :bro:type:`event` Event that can be handled to access the KRB record as it is sent on
to the logging framework.
========================================= ===================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. bro:id:: KRB::ignored_errors
:Type: :bro:type:`set` [:bro:type:`string`]
:Attributes: :bro:attr:`&redef`
:Default:
::
{
"Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ",
"NEEDED_PREAUTH"
}
The server response error texts which are *not* logged.
Types
#####
.. bro:type:: KRB::Info
:Type: :bro:type:`record`
ts: :bro:type:`time` :bro:attr:`&log`
Timestamp for when the event happened.
uid: :bro:type:`string` :bro:attr:`&log`
Unique ID for the connection.
id: :bro:type:`conn_id` :bro:attr:`&log`
The connection's 4-tuple of endpoint addresses/ports.
request_type: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Request type - Authentication Service ("AS") or
Ticket Granting Service ("TGS")
client: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Client
service: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Service
success: :bro:type:`bool` :bro:attr:`&log` :bro:attr:`&optional`
Request result
error_code: :bro:type:`count` :bro:attr:`&optional`
Error code
error_msg: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Error message
from: :bro:type:`time` :bro:attr:`&log` :bro:attr:`&optional`
Ticket valid from
till: :bro:type:`time` :bro:attr:`&log` :bro:attr:`&optional`
Ticket valid till
cipher: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Ticket encryption type
forwardable: :bro:type:`bool` :bro:attr:`&log` :bro:attr:`&optional`
Forwardable ticket requested
renewable: :bro:type:`bool` :bro:attr:`&log` :bro:attr:`&optional`
Renewable ticket requested
logged: :bro:type:`bool` :bro:attr:`&default` = ``F`` :bro:attr:`&optional`
We've already logged this
client_cert: :bro:type:`Files::Info` :bro:attr:`&optional`
(present if :doc:`/scripts/base/protocols/krb/files.bro` is loaded)
Client certificate
client_cert_subject: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
(present if :doc:`/scripts/base/protocols/krb/files.bro` is loaded)
Subject of client certificate, if any
client_cert_fuid: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
(present if :doc:`/scripts/base/protocols/krb/files.bro` is loaded)
File unique ID of client cert, if any
server_cert: :bro:type:`Files::Info` :bro:attr:`&optional`
(present if :doc:`/scripts/base/protocols/krb/files.bro` is loaded)
Server certificate
server_cert_subject: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
(present if :doc:`/scripts/base/protocols/krb/files.bro` is loaded)
Subject of server certificate, if any
server_cert_fuid: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
(present if :doc:`/scripts/base/protocols/krb/files.bro` is loaded)
File unique ID of server cert, if any
auth_ticket: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/krb/ticket-logging.bro` is loaded)
Hash of ticket used to authorize request/transaction
new_ticket: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/krb/ticket-logging.bro` is loaded)
Hash of ticket returned by the KDC
Events
######
.. bro:id:: KRB::log_krb
:Type: :bro:type:`event` (rec: :bro:type:`KRB::Info`)
Event that can be handled to access the KRB record as it is sent on
to the logging framework.
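Review bot: `error_code` is `&optional` but not `&log`, while `error_msg` is logged, so kerberos.log carries only the textual error; and `KRB::ignored_errors` filters on message text ("NEEDED_PREAUTH", "Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ"), which depends on how a particular KDC phrases its e-text. Suggest adding `&log` to `error_code` and keying `ignored_errors` on the numeric code (25, `KDC_ERR_PREAUTH_REQUIRED`, per consts.bro in this commit), which is stable across implementations; detections built on Kerberos failures are easier to write and maintain against the number than against the string.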

@ -0,0 +1,14 @@
:tocdepth: 3
base/protocols/modbus/__load__.bro
==================================
:Imports: :doc:`base/protocols/modbus/consts.bro </scripts/base/protocols/modbus/consts.bro>`, :doc:`base/protocols/modbus/main.bro </scripts/base/protocols/modbus/main.bro>`
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

@ -0,0 +1,101 @@
:tocdepth: 3
base/protocols/modbus/consts.bro
================================
.. bro:namespace:: Modbus
:Namespace: Modbus
Summary
~~~~~~~
Redefinable Options
###################
========================================================================================================================================= =======================================
:bro:id:`Modbus::exception_codes`: :bro:type:`table` :bro:attr:`&default` = :bro:type:`function` :bro:attr:`&optional` :bro:attr:`&redef`
:bro:id:`Modbus::function_codes`: :bro:type:`table` :bro:attr:`&default` = :bro:type:`function` :bro:attr:`&optional` :bro:attr:`&redef` Standard defined Modbus function codes.
========================================================================================================================================= =======================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Redefinable Options
###################
.. bro:id:: Modbus::exception_codes
:Type: :bro:type:`table` [:bro:type:`count`] of :bro:type:`string`
:Attributes: :bro:attr:`&default` = :bro:type:`function` :bro:attr:`&optional` :bro:attr:`&redef`
:Default:
::
{
[2] = "ILLEGAL_DATA_ADDRESS",
[6] = "SLAVE_DEVICE_BUSY",
[11] = "GATEWAY_TARGET_DEVICE_FAILED_TO_RESPOND",
[4] = "SLAVE_DEVICE_FAILURE",
[1] = "ILLEGAL_FUNCTION",
[8] = "MEMORY_PARITY_ERROR",
[5] = "ACKNOWLEDGE",
[10] = "GATEWAY_PATH_UNAVAILABLE",
[3] = "ILLEGAL_DATA_VALUE"
}
.. bro:id:: Modbus::function_codes
:Type: :bro:type:`table` [:bro:type:`count`] of :bro:type:`string`
:Attributes: :bro:attr:`&default` = :bro:type:`function` :bro:attr:`&optional` :bro:attr:`&redef`
:Default:
::
{
[2] = "READ_DISCRETE_INPUTS",
[17] = "REPORT_SLAVE_ID",
[9] = "PROGRAM_484",
[126] = "PROGRAM_584_984_2",
[143] = "WRITE_MULTIPLE_COILS_EXCEPTION",
[152] = "READ_FIFO_QUEUE_EXCEPTION",
[6] = "WRITE_SINGLE_REGISTER",
[11] = "GET_COMM_EVENT_COUNTER",
[14] = "POLL_584_984",
[4] = "READ_INPUT_REGISTERS",
[22] = "MASK_WRITE_REGISTER",
[24] = "READ_FIFO_QUEUE",
[144] = "WRITE_MULTIPLE_REGISTERS_EXCEPTION",
[1] = "READ_COILS",
[8] = "DIAGNOSTICS",
[7] = "READ_EXCEPTION_STATUS",
[15] = "WRITE_MULTIPLE_COILS",
[131] = "READ_HOLDING_REGISTERS_EXCEPTION",
[23] = "READ_WRITE_MULTIPLE_REGISTERS",
[43] = "ENCAP_INTERFACE_TRANSPORT",
[127] = "REPORT_LOCAL_ADDRESS",
[133] = "WRITE_SINGLE_COIL_EXCEPTION",
[134] = "WRITE_SINGLE_REGISTER_EXCEPTION",
[130] = "READ_DISCRETE_INPUTS_EXCEPTION",
[149] = "WRITE_FILE_RECORD_EXCEPTION",
[5] = "WRITE_SINGLE_COIL",
[19] = "RESET_COMM_LINK_884_U84",
[125] = "FIRMWARE_REPLACEMENT",
[132] = "READ_INPUT_REGISTERS_EXCEPTION",
[10] = "POLL_484",
[129] = "READ_COILS_EXCEPTION",
[150] = "MASK_WRITE_REGISTER_EXCEPTION",
[3] = "READ_HOLDING_REGISTERS",
[12] = "GET_COMM_EVENT_LOG",
[21] = "WRITE_FILE_RECORD",
[13] = "PROGRAM_584_984",
[18] = "PROGRAM_884_U84",
[148] = "READ_FILE_RECORD_EXCEPTION",
[151] = "READ_WRITE_MULTIPLE_REGISTERS_EXCEPTION",
[16] = "WRITE_MULTIPLE_REGISTERS",
[20] = "READ_FILE_RECORD",
[40] = "PROGRAM_CONCEPT",
[135] = "READ_EXCEPTION_STATUS_EXCEPTION"
}
Standard defined Modbus function codes.
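Review bot: `Modbus::exception_codes` is rendered with an empty description in both the Summary row and the detailed entry, while `Modbus::function_codes` gets "Standard defined Modbus function codes."; since this page is generated, the fix is a `##` doc comment on the `exception_codes` declaration in base/protocols/modbus/consts.bro (for instance "Standard defined Modbus exception codes.") followed by a regeneration. One more thing to keep in mind now that a test checks these files are current: the `:Default:` listing prints table entries in hash-iteration order ([2], [6], [11], [4], ...), so a change in that iteration order would break the up-to-date test without any script change; sorting the keys in the generator would make the output stable.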

@ -0,0 +1,17 @@
:orphan:
Package: base/protocols/modbus
==============================
Support for Modbus protocol analysis.
:doc:`/scripts/base/protocols/modbus/__load__.bro`
:doc:`/scripts/base/protocols/modbus/consts.bro`
:doc:`/scripts/base/protocols/modbus/main.bro`
Base Modbus analysis script.

@ -0,0 +1,73 @@
:tocdepth: 3
base/protocols/modbus/main.bro
==============================
.. bro:namespace:: Modbus
Base Modbus analysis script.
:Namespace: Modbus
:Imports: :doc:`base/protocols/modbus/consts.bro </scripts/base/protocols/modbus/consts.bro>`
Summary
~~~~~~~
Types
#####
============================================ =
:bro:type:`Modbus::Info`: :bro:type:`record`
============================================ =
Redefinitions
#############
================================================================= =
:bro:type:`Log::ID`: :bro:type:`enum`
:bro:type:`connection`: :bro:type:`record`
:bro:id:`likely_server_ports`: :bro:type:`set` :bro:attr:`&redef`
================================================================= =
Events
######
=============================================== ===================================================================
:bro:id:`Modbus::log_modbus`: :bro:type:`event` Event that can be handled to access the Modbus record as it is sent
on to the logging framework.
=============================================== ===================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Types
#####
.. bro:type:: Modbus::Info
:Type: :bro:type:`record`
ts: :bro:type:`time` :bro:attr:`&log`
Time of the request.
uid: :bro:type:`string` :bro:attr:`&log`
Unique identifier for the connection.
id: :bro:type:`conn_id` :bro:attr:`&log`
Identifier for the connection.
func: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
The name of the function message that was sent.
exception: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
The exception if the response was a failure.
track_address: :bro:type:`count` :bro:attr:`&default` = ``0`` :bro:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/modbus/track-memmap.bro` is loaded)
Events
######
.. bro:id:: Modbus::log_modbus
:Type: :bro:type:`event` (rec: :bro:type:`Modbus::Info`)
Event that can be handled to access the Modbus record as it is sent
on to the logging framework.
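Review bot: the `track_address` field of `Modbus::Info` only states when it is present (policy/protocols/modbus/track-memmap.bro loaded), not what it holds; every other field in the record has a one-line meaning ("Time of the request.", "The exception if the response was a failure."), so the `##` comment on that field in track-memmap.bro should describe the value before this gets regenerated.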

@ -0,0 +1,14 @@
:tocdepth: 3
base/protocols/mysql/__load__.bro
=================================
:Imports: :doc:`base/protocols/mysql/main.bro </scripts/base/protocols/mysql/main.bro>`
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

@ -0,0 +1,67 @@
:tocdepth: 3
base/protocols/mysql/consts.bro
===============================
.. bro:namespace:: MySQL
:Namespace: MySQL
Summary
~~~~~~~
Constants
#########
============================================================================================================== =
:bro:id:`MySQL::commands`: :bro:type:`table` :bro:attr:`&default` = :bro:type:`function` :bro:attr:`&optional`
============================================================================================================== =
Detailed Interface
~~~~~~~~~~~~~~~~~~
Constants
#########
.. bro:id:: MySQL::commands
:Type: :bro:type:`table` [:bro:type:`count`] of :bro:type:`string`
:Attributes: :bro:attr:`&default` = :bro:type:`function` :bro:attr:`&optional`
:Default:
::
{
[2] = "init_db",
[9] = "statistics",
[17] = "change_user",
[27] = "set_option",
[6] = "drop_db",
[11] = "connect",
[14] = "ping",
[4] = "field_list",
[22] = "stmt_prepare",
[24] = "stmt_send_long_data",
[30] = "binlog_dump_gtid",
[1] = "quit",
[8] = "shutdown",
[7] = "refresh",
[15] = "time",
[23] = "stmt_execute",
[29] = "daemon",
[5] = "create_db",
[25] = "stmt_close",
[19] = "table_dump",
[28] = "stmt_fetch",
[31] = "reset_connection",
[10] = "process_info",
[0] = "sleep",
[3] = "query",
[12] = "process_kill",
[13] = "debug",
[18] = "binlog_dump",
[21] = "register_slave",
[16] = "delayed_insert",
[20] = "connect_out",
[26] = "stmt_reset"
}
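Review bot: `MySQL::commands` has no description anywhere on this page (empty column in the Summary table, no text in the detailed entry), so a reader sees only a bare number-to-name table; a short `##` comment on the declaration in base/protocols/mysql/consts.bro, saying that these are MySQL client command numbers mapped to names and feed the `cmd` field of mysql.log, would make the rendered entry self-explanatory.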

@ -0,0 +1,17 @@
:orphan:
Package: base/protocols/mysql
=============================
Support for MySQL protocol analysis.
:doc:`/scripts/base/protocols/mysql/__load__.bro`
:doc:`/scripts/base/protocols/mysql/main.bro`
Implements base functionality for MySQL analysis. Generates the mysql.log file.
:doc:`/scripts/base/protocols/mysql/consts.bro`

@ -0,0 +1,77 @@
:tocdepth: 3
base/protocols/mysql/main.bro
=============================
.. bro:namespace:: MySQL
Implements base functionality for MySQL analysis. Generates the mysql.log file.
:Namespace: MySQL
:Imports: :doc:`base/protocols/mysql/consts.bro </scripts/base/protocols/mysql/consts.bro>`
Summary
~~~~~~~
Types
#####
=========================================== =
:bro:type:`MySQL::Info`: :bro:type:`record`
=========================================== =
Redefinitions
#############
========================================== =
:bro:type:`Log::ID`: :bro:type:`enum`
:bro:type:`connection`: :bro:type:`record`
========================================== =
Events
######
============================================= =====================================================================
:bro:id:`MySQL::log_mysql`: :bro:type:`event` Event that can be handled to access the MySQL record as it is sent on
to the logging framework.
============================================= =====================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Types
#####
.. bro:type:: MySQL::Info
:Type: :bro:type:`record`
ts: :bro:type:`time` :bro:attr:`&log`
Timestamp for when the event happened.
uid: :bro:type:`string` :bro:attr:`&log`
Unique ID for the connection.
id: :bro:type:`conn_id` :bro:attr:`&log`
The connection's 4-tuple of endpoint addresses/ports.
cmd: :bro:type:`string` :bro:attr:`&log`
The command that was issued
arg: :bro:type:`string` :bro:attr:`&log`
The argument issued to the command
success: :bro:type:`bool` :bro:attr:`&log` :bro:attr:`&optional`
Did the server tell us that the command succeeded?
rows: :bro:type:`count` :bro:attr:`&log` :bro:attr:`&optional`
The number of affected rows, if any
response: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Server message, if any
Events
######
.. bro:id:: MySQL::log_mysql
:Type: :bro:type:`event` (rec: :bro:type:`MySQL::Info`)
Event that can be handled to access the MySQL record as it is sent on
to the logging framework.
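Review bot: style, in `MySQL::Info` the docs for `cmd`, `arg`, `rows` and `response` ("The command that was issued", "The argument issued to the command", "The number of affected rows, if any", "Server message, if any") are the only field descriptions in the record without a terminating period; fix the `##` comments in base/protocols/mysql/main.bro rather than this file so the regeneration test stays green.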

@ -0,0 +1,14 @@
:tocdepth: 3
base/protocols/ntlm/__load__.bro
================================
:Imports: :doc:`base/protocols/ntlm/main.bro </scripts/base/protocols/ntlm/main.bro>`
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

@ -0,0 +1,13 @@
:orphan:
Package: base/protocols/ntlm
============================
Support for NT LAN Manager (NTLM) protocol analysis.
:doc:`/scripts/base/protocols/ntlm/__load__.bro`
:doc:`/scripts/base/protocols/ntlm/main.bro`

@ -0,0 +1,71 @@
:tocdepth: 3
base/protocols/ntlm/main.bro
============================
.. bro:namespace:: NTLM
:Namespace: NTLM
:Imports: :doc:`base/frameworks/dpd </scripts/base/frameworks/dpd/index>`
Summary
~~~~~~~
Types
#####
========================================== =
:bro:type:`NTLM::Info`: :bro:type:`record`
========================================== =
Redefinitions
#############
==================================================================== =
:bro:id:`DPD::ignore_violations`: :bro:type:`set` :bro:attr:`&redef`
:bro:type:`Log::ID`: :bro:type:`enum`
:bro:type:`connection`: :bro:type:`record`
==================================================================== =
Detailed Interface
~~~~~~~~~~~~~~~~~~
Types
#####
.. bro:type:: NTLM::Info
:Type: :bro:type:`record`
ts: :bro:type:`time` :bro:attr:`&log`
Timestamp for when the event happened.
uid: :bro:type:`string` :bro:attr:`&log`
Unique ID for the connection.
id: :bro:type:`conn_id` :bro:attr:`&log`
The connection's 4-tuple of endpoint addresses/ports.
username: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Username given by the client.
hostname: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Hostname given by the client.
domainname: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Domainname given by the client.
server_nb_computer_name: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
NetBIOS name given by the server in a CHALLENGE.
server_dns_computer_name: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
DNS name given by the server in a CHALLENGE.
server_tree_name: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Tree name given by the server in a CHALLENGE.
success: :bro:type:`bool` :bro:attr:`&log` :bro:attr:`&optional`
Indicate whether or not the authentication was successful.
done: :bro:type:`bool` :bro:attr:`&default` = ``F`` :bro:attr:`&optional`
Internally used field to indicate if the login attempt
has already been logged.
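Review bot: base/protocols/ntlm/main.bro has no module-level description (the header shows only `:Namespace: NTLM` and the dpd import, unlike the other main.bro pages in this commit), and the `DPD::ignore_violations` redefinition listed under Redefinitions is the one item here that really needs a sentence of explanation, because adding an analyzer to that set keeps it attached to the connection after a protocol violation would otherwise have it removed; a `##!` summary comment at the top of the script stating why the NTLM analyzer needs that exemption would cover both. Also "Domainname given by the client." on the `domainname` field should read "Domain name".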

@ -0,0 +1,13 @@
:tocdepth: 3
base/protocols/pop3/__load__.bro
================================
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

@ -0,0 +1,10 @@
:orphan:
Package: base/protocols/pop3
============================
Support for POP3 (Post Office Protocol) protocol analysis.
:doc:`/scripts/base/protocols/pop3/__load__.bro`

@ -0,0 +1,14 @@
:tocdepth: 3
base/protocols/radius/__load__.bro
==================================
:Imports: :doc:`base/protocols/radius/main.bro </scripts/base/protocols/radius/main.bro>`
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

@ -0,0 +1,15 @@
:tocdepth: 3
base/protocols/radius/consts.bro
================================
.. bro:namespace:: RADIUS
:Namespace: RADIUS
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~
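Review bot: this page for base/protocols/radius/consts.bro is empty below the namespace line (nothing under Summary or Detailed Interface), yet the package index links to it; either the script exports no identifiers, in which case the link sends readers to a blank page, or its constants sit outside the `export` block and were skipped, in which case they should be exported (and given `##` comments) if other scripts are meant to use them. Worth checking which before this file is frozen in the repo.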

@ -0,0 +1,17 @@
:orphan:
Package: base/protocols/radius
==============================
Support for RADIUS protocol analysis.
:doc:`/scripts/base/protocols/radius/__load__.bro`
:doc:`/scripts/base/protocols/radius/main.bro`
Implements base functionality for RADIUS analysis. Generates the radius.log file.
:doc:`/scripts/base/protocols/radius/consts.bro`

@ -0,0 +1,98 @@
:tocdepth: 3
base/protocols/radius/main.bro
==============================
.. bro:namespace:: RADIUS
Implements base functionality for RADIUS analysis. Generates the radius.log file.
:Namespace: RADIUS
:Imports: :doc:`base/protocols/radius/consts.bro </scripts/base/protocols/radius/consts.bro>`, :doc:`base/utils/addrs.bro </scripts/base/utils/addrs.bro>`
Summary
~~~~~~~
Types
#####
============================================ =
:bro:type:`RADIUS::Info`: :bro:type:`record`
============================================ =
Redefinitions
#############
================================================================= =
:bro:type:`Log::ID`: :bro:type:`enum`
:bro:type:`connection`: :bro:type:`record`
:bro:id:`likely_server_ports`: :bro:type:`set` :bro:attr:`&redef`
================================================================= =
Events
######
=============================================== ======================================================================
:bro:id:`RADIUS::log_radius`: :bro:type:`event` Event that can be handled to access the RADIUS record as it is sent on
to the logging framework.
=============================================== ======================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Types
#####
.. bro:type:: RADIUS::Info
:Type: :bro:type:`record`
ts: :bro:type:`time` :bro:attr:`&log`
Timestamp for when the event happened.
uid: :bro:type:`string` :bro:attr:`&log`
Unique ID for the connection.
id: :bro:type:`conn_id` :bro:attr:`&log`
The connection's 4-tuple of endpoint addresses/ports.
username: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
The username, if present.
mac: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
MAC address, if present.
framed_addr: :bro:type:`addr` :bro:attr:`&log` :bro:attr:`&optional`
The address given to the network access server, if
present. This is only a hint from the RADIUS server
and the network access server is not required to honor
the address.
remote_ip: :bro:type:`addr` :bro:attr:`&log` :bro:attr:`&optional`
Remote IP address, if present. This is collected
from the Tunnel-Client-Endpoint attribute.
connect_info: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Connect info, if present.
reply_msg: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Reply message from the server challenge. This is
frequently shown to the user authenticating.
result: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Successful or failed authentication.
ttl: :bro:type:`interval` :bro:attr:`&log` :bro:attr:`&optional`
The duration between the first request and
either the "Access-Accept" message or an error.
If the field is empty, it means that either
the request or response was not seen.
logged: :bro:type:`bool` :bro:attr:`&default` = ``F`` :bro:attr:`&optional`
Whether this has already been logged and can be ignored.
Events
######
.. bro:id:: RADIUS::log_radius
:Type: :bro:type:`event` (rec: :bro:type:`RADIUS::Info`)
Event that can be handled to access the RADIUS record as it is sent on
to the logging framework.

@ -0,0 +1,14 @@
:tocdepth: 3
base/protocols/rdp/__load__.bro
===============================
:Imports: :doc:`base/protocols/rdp/consts.bro </scripts/base/protocols/rdp/consts.bro>`, :doc:`base/protocols/rdp/main.bro </scripts/base/protocols/rdp/main.bro>`
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

@ -0,0 +1,440 @@
:tocdepth: 3
base/protocols/rdp/consts.bro
=============================
.. bro:namespace:: RDP
:Namespace: RDP
Summary
~~~~~~~
Constants
#########
====================================================================================================================== =
:bro:id:`RDP::builds`: :bro:type:`table` :bro:attr:`&default` = :bro:type:`function` :bro:attr:`&optional`
:bro:id:`RDP::cert_types`: :bro:type:`table` :bro:attr:`&default` = :bro:type:`function` :bro:attr:`&optional`
:bro:id:`RDP::color_depths`: :bro:type:`table` :bro:attr:`&default` = :bro:type:`function` :bro:attr:`&optional`
:bro:id:`RDP::encryption_levels`: :bro:type:`table` :bro:attr:`&default` = :bro:type:`function` :bro:attr:`&optional`
:bro:id:`RDP::encryption_methods`: :bro:type:`table` :bro:attr:`&default` = :bro:type:`function` :bro:attr:`&optional`
:bro:id:`RDP::failure_codes`: :bro:type:`table` :bro:attr:`&default` = :bro:type:`function` :bro:attr:`&optional`
:bro:id:`RDP::high_color_depths`: :bro:type:`table` :bro:attr:`&default` = :bro:type:`function` :bro:attr:`&optional`
:bro:id:`RDP::languages`: :bro:type:`table` :bro:attr:`&default` = :bro:type:`function` :bro:attr:`&optional`
:bro:id:`RDP::results`: :bro:type:`table` :bro:attr:`&default` = :bro:type:`function` :bro:attr:`&optional`
:bro:id:`RDP::security_protocols`: :bro:type:`table` :bro:attr:`&default` = :bro:type:`function` :bro:attr:`&optional`
====================================================================================================================== =
Detailed Interface
~~~~~~~~~~~~~~~~~~
Constants
#########
.. bro:id:: RDP::builds
:Type: :bro:type:`table` [:bro:type:`count`] of :bro:type:`string`
:Attributes: :bro:attr:`&default` = :bro:type:`function` :bro:attr:`&optional`
:Default:
::
{
[6000] = "RDP 6.0",
[6001] = "RDP 6.1",
[7600] = "RDP 7.0",
[6002] = "RDP 6.2",
[25189] = "RDP 8.0 (Mac)",
[7601] = "RDP 7.1",
[9600] = "RDP 8.1",
[25282] = "RDP 8.0 (Mac)",
[2195] = "RDP 5.0",
[3790] = "RDP 5.2",
[419] = "RDP 4.0",
[2221] = "RDP 5.0",
[2600] = "RDP 5.1",
[9200] = "RDP 8.0"
}
.. bro:id:: RDP::cert_types
:Type: :bro:type:`table` [:bro:type:`count`] of :bro:type:`string`
:Attributes: :bro:attr:`&default` = :bro:type:`function` :bro:attr:`&optional`
:Default:
::
{
[2] = "X.509",
[1] = "RSA"
}
.. bro:id:: RDP::color_depths
:Type: :bro:type:`table` [:bro:type:`count`] of :bro:type:`string`
:Attributes: :bro:attr:`&default` = :bro:type:`function` :bro:attr:`&optional`
:Default:
::
{
[2] = "16bit",
[4] = "15bit",
[1] = "24bit",
[8] = "32bit"
}
.. bro:id:: RDP::encryption_levels
:Type: :bro:type:`table` [:bro:type:`count`] of :bro:type:`string`
:Attributes: :bro:attr:`&default` = :bro:type:`function` :bro:attr:`&optional`
:Default:
::
{
[2] = "Client compatible",
[4] = "FIPS",
[1] = "Low",
[0] = "None",
[3] = "High"
}
.. bro:id:: RDP::encryption_methods
:Type: :bro:type:`table` [:bro:type:`count`] of :bro:type:`string`
:Attributes: :bro:attr:`&default` = :bro:type:`function` :bro:attr:`&optional`
:Default:
::
{
[2] = "128bit",
[1] = "40bit",
[8] = "56bit",
[10] = "FIPS",
[0] = "None"
}
.. bro:id:: RDP::failure_codes
:Type: :bro:type:`table` [:bro:type:`count`] of :bro:type:`string`
:Attributes: :bro:attr:`&default` = :bro:type:`function` :bro:attr:`&optional`
:Default:
::
{
[2] = "SSL_NOT_ALLOWED_BY_SERVER",
[6] = "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
[4] = "INCONSISTENT_FLAGS",
[1] = "SSL_REQUIRED_BY_SERVER",
[5] = "HYBRID_REQUIRED_BY_SERVER",
[3] = "SSL_CERT_NOT_ON_SERVER"
}
.. bro:id:: RDP::high_color_depths
:Type: :bro:type:`table` [:bro:type:`count`] of :bro:type:`string`
:Attributes: :bro:attr:`&default` = :bro:type:`function` :bro:attr:`&optional`
:Default:
::
{
[4] = "4bit",
[24] = "24bit",
[8] = "8bit",
[15] = "15bit",
[16] = "16bit"
}
.. bro:id:: RDP::languages
:Type: :bro:type:`table` [:bro:type:`count`] of :bro:type:`string`
:Attributes: :bro:attr:`&default` = :bro:type:`function` :bro:attr:`&optional`
:Default:
::
{
[1129] = "Ibibio - Nigeria",
[1025] = "Arabic - Saudi Arabia",
[3073] = "Arabic - Egypt",
[1084] = "Scottish Gaelic",
[5121] = "Arabic - Algeria",
[17417] = "English - Malaysia",
[1069] = "Basque",
[1093] = "Bengali (India)",
[7177] = "English - South Africa",
[1159] = "Kinyarwanda",
[2092] = "Azeri (Cyrillic)",
[1119] = "Tamazight (Arabic)",
[12297] = "English - Zimbabwe",
[1121] = "Nepali",
[1083] = "Sami (Lappish)",
[1113] = "Sindhi - India",
[4122] = "Croatian (Bosnia/Herzegovina)",
[1153] = "Maori - New Zealand",
[21514] = "Spanish - United States",
[1026] = "Bulgarian",
[1041] = "Japanese",
[2155] = "Quecha - Ecuador",
[1070] = "Sorbian",
[1105] = "Tibetan - People's Republic of China",
[1116] = "Cherokee - United States",
[1046] = "Portuguese - Brazil",
[2073] = "Russian - Moldava",
[2080] = "Urdu - India",
[1146] = "Mapudungun",
[1060] = "Slovenian",
[14346] = "Spanish - Uruguay",
[1056] = "Urdu",
[1045] = "Polish",
[4106] = "Spanish - Guatemala",
[5146] = "Bosnian (Bosnia/Herzegovina)",
[1156] = "Alsatian",
[2070] = "Portuguese - Portugal",
[1051] = "Slovak",
[1111] = "Konkani",
[6153] = "English - Ireland",
[1101] = "Assamese",
[10241] = "Arabic - Syria",
[1095] = "Gujarati",
[1133] = "Bashkir",
[1107] = "Khmer",
[1088] = "Kyrgyz (Cyrillic)",
[1137] = "Kanuri - Nigeria",
[11273] = "English - Trinidad",
[4105] = "English - Canada",
[7169] = "Arabic - Tunisia",
[1100] = "Malayalam",
[1160] = "Wolof",
[3079] = "German - Austria",
[1029] = "Czech",
[1042] = "Korean",
[1062] = "Latvian",
[1034] = "Spanish - Spain (Traditional Sort)",
[1055] = "Turkish",
[1059] = "Belarusian",
[1164] = "Dari",
[13313] = "Arabic - Kuwait",
[6145] = "Arabic - Morocco",
[1142] = "Latin",
[11274] = "Spanish - Argentina",
[1110] = "Galician",
[1036] = "French - France",
[1053] = "Swedish",
[58380] = "French - North Africa",
[1104] = "Mongolian (Cyrillic)",
[2074] = "Serbian (Latin)",
[13322] = "Spanish - Chile",
[22538] = "Spanish - Latin America",
[1128] = "Hausa - Nigeria",
[1061] = "Estonian",
[7178] = "Spanish - Dominican Republic",
[2143] = "Tamazight (Latin)",
[16385] = "Arabic - Qatar",
[1067] = "Armenian - Armenia",
[1065] = "Farsi",
[2060] = "French - Belgium",
[1068] = "Azeri (Latin)",
[1091] = "Uzbek (Latin)",
[1066] = "Vietnamese",
[1132] = "Sepedi",
[6154] = "Spanish - Panama",
[1058] = "Ukrainian",
[13321] = "English - Philippines",
[2064] = "Italian - Switzerland",
[1141] = "Hawaiian - United States",
[1038] = "Hungarian",
[12298] = "Spanish - Ecuador",
[3179] = "Quecha - Peru\x09CB",
[10250] = "Spanish - Peru",
[1124] = "Filipino",
[1094] = "Punjabi",
[1115] = "Sinhalese - Sri Lanka",
[9226] = "Spanish - Colombia",
[1090] = "Turkmen",
[2057] = "English - United Kingdom",
[1122] = "French - West Indies",
[1117] = "Inuktitut",
[16393] = "English - India",
[4100] = "Chinese - Singapore",
[1043] = "Dutch - Netherlands",
[15361] = "Arabic - Bahrain",
[2052] = "Chinese - People's Republic of China",
[3081] = "English - Australia",
[2072] = "Romanian - Moldava",
[11276] = "French - Cameroon",
[14337] = "Arabic - U.A.E.",
[1052] = "Albanian - Albania",
[1063] = "Lithuanian",
[1086] = "Malay - Malaysia",
[1047] = "Rhaeto-Romanic",
[16394] = "Spanish - Bolivia",
[1028] = "Chinese - Taiwan",
[1035] = "Finnish",
[1037] = "Hebrew",
[1032] = "Greek",
[1031] = "German - Germany",
[2110] = "Malay - Brunei Darussalam",
[1150] = "Breton",
[1082] = "Maltese",
[2068] = "Norwegian (Nynorsk)",
[1138] = "Oromo",
[1145] = "Papiamentu",
[1099] = "Kannada",
[2145] = "Nepali - India",
[2137] = "Sindhi - Pakistan",
[18442] = "Spanish - Honduras",
[1054] = "Thai",
[1040] = "Italian - Italy",
[12289] = "Arabic - Lebanon",
[1123] = "Pashto",
[1074] = "Tswana",
[1073] = "Tsonga",
[1071] = "FYRO Macedonian",
[1080] = "Faroese",
[8204] = "French - Reunion",
[18441] = "English - Singapore",
[1092] = "Tatar",
[9225] = "English - Caribbean",
[11265] = "Arabic - Jordan",
[1143] = "Somali",
[1114] = "Syriac",
[1157] = "Yakut",
[1127] = "Fulfulde - Nigeria",
[2049] = "Arabic - Iraq",
[14345] = "English - Indonesia",
[2058] = "Spanish - Mexico",
[1279] = "HID (Human Interface Device)",
[1057] = "Indonesian",
[13324] = "French - Mali",
[1072] = "Sutu",
[1064] = "Tajik",
[1079] = "Georgian",
[1136] = "Igbo - Nigeria",
[1108] = "Lao",
[1154] = "Occitan",
[19466] = "Spanish - Nicaragua",
[2163] = "Tigrigna - Eritrea",
[9228] = "French - Democratic Rep. of Congo",
[3076] = "Chinese - Hong Kong SAR",
[1076] = "Xhosa",
[1144] = "Yi",
[1077] = "Zulu",
[14348] = "French - Morocco",
[1140] = "Guarani - Paraguay",
[1109] = "Burmese",
[1078] = "Afrikaans - South Africa",
[5132] = "French - Luxembourg",
[5129] = "English - New Zealand",
[2129] = "Tibetan - Bhutan",
[15369] = "English - Hong Kong SAR",
[17418] = "Spanish - El Salvador",
[1027] = "Catalan",
[2144] = "Kashmiri",
[1096] = "Oriya",
[1049] = "Russian",
[2077] = "Swedish - Finland",
[2055] = "German - Switzerland",
[9217] = "Arabic - Yemen",
[1112] = "Manipuri",
[2128] = "Mongolian (Mongolian)",
[2108] = "Irish",
[12300] = "French - Cote d'Ivoire",
[1087] = "Kazakh",
[1098] = "Telugu",
[4108] = "French - Switzerland",
[8202] = "Spanish - Venezuela",
[10249] = "English - Belize",
[1033] = "English - United States",
[1120] = "Kashmiri (Arabic)",
[2115] = "Uzbek (Cyrillic)",
[1135] = "Greenlandic",
[20490] = "Spanish - Puerto Rico",
[1085] = "Yiddish",
[1126] = "Edo",
[5127] = "German - Liechtenstein",
[1102] = "Marathi",
[1103] = "Sanskrit",
[2067] = "Dutch - Belgium",
[1048] = "Romanian",
[5130] = "Spanish - Costa Rica",
[8201] = "English - Jamaica",
[1158] = "K'iche",
[15370] = "Spanish - Paraguay",
[1050] = "Croatian",
[3084] = "French - Canada",
[8193] = "Arabic - Oman",
[1081] = "Hindi",
[1039] = "Icelandic",
[1148] = "Mohawk",
[1030] = "Danish",
[1044] = "Norwegian (Bokmal)",
[1139] = "Tigrigna - Ethiopia",
[15372] = "French - Haiti",
[3098] = "Serbian (Cyrillic)",
[1075] = "Venda",
[1118] = "Amharic - Ethiopia",
[4097] = "Arabic - Libya",
[1125] = "Divehi",
[1134] = "Luxembourgish",
[2118] = "Punjabi (Pakistan)",
[1089] = "Swahili",
[1097] = "Tamil",
[1131] = "Quecha - Bolivia",
[1106] = "Welsh",
[1155] = "Corsican",
[4103] = "German - Luxembourg",
[5124] = "Chinese - Macao SAR",
[3082] = "Spanish - Spain (Modern Sort)",
[10252] = "French - Senegal",
[1152] = "Uighur - China",
[6156] = "French - Monaco",
[7180] = "French - West Indies",
[1130] = "Yoruba",
[2117] = "Bengali (Bangladesh)"
}
.. bro:id:: RDP::results
:Type: :bro:type:`table` [:bro:type:`count`] of :bro:type:`string`
:Attributes: :bro:attr:`&default` = :bro:type:`function` :bro:attr:`&optional`
:Default:
::
{
[2] = "Resources not available",
[4] = "Locked conference",
[1] = "User rejected",
[0] = "Success",
[3] = "Rejected for symmetry breaking"
}
.. bro:id:: RDP::security_protocols
:Type: :bro:type:`table` [:bro:type:`count`] of :bro:type:`string`
:Attributes: :bro:attr:`&default` = :bro:type:`function` :bro:attr:`&optional`
:Default:
::
{
[2] = "HYBRID",
[1] = "SSL",
[8] = "HYBRID_EX",
[0] = "RDP"
}
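Review bot: `[3179] = "Quecha - Peru\x09CB"` in `RDP::languages` carries a literal tab and a stray "CB" suffix, and since this table feeds the `keyboard_layout` field, that junk will land verbatim in rdp.log; the entry in base/protocols/rdp/consts.bro should be just "Quechua - Peru". While in that table, "Quecha" (also at 2155 and 1131) is "Quechua" and "Moldava" (2073 and 2072) is "Moldova". Separately, worth confirming `[10] = "FIPS"` in `RDP::encryption_methods` against MS-RDPBCGR, where ENCRYPTION_METHOD_FIPS is 0x00000010 (decimal 16); the other tables on this page use decimal keys (`RDP::high_color_depths` has [15], [16], [24] for 0x0F, 0x10, 0x18), so a FIPS method value would currently fall through to the `&default` formatter rather than being logged as FIPS.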

@ -0,0 +1,17 @@
:orphan:
Package: base/protocols/rdp
===========================
Support for Remote Desktop Protocol (RDP) analysis.
:doc:`/scripts/base/protocols/rdp/__load__.bro`
:doc:`/scripts/base/protocols/rdp/consts.bro`
:doc:`/scripts/base/protocols/rdp/main.bro`
Implements base functionality for RDP analysis. Generates the rdp.log file.

@ -0,0 +1,159 @@
:tocdepth: 3
base/protocols/rdp/main.bro
===========================
.. bro:namespace:: RDP
Implements base functionality for RDP analysis. Generates the rdp.log file.
:Namespace: RDP
:Imports: :doc:`base/protocols/rdp/consts.bro </scripts/base/protocols/rdp/consts.bro>`
Summary
~~~~~~~
Runtime Options
###############
==================================================================================== ===================================================================
:bro:id:`RDP::disable_analyzer_after_detection`: :bro:type:`bool` :bro:attr:`&redef` If true, detach the RDP analyzer from the connection to prevent
continuing to process encrypted traffic.
:bro:id:`RDP::rdp_check_interval`: :bro:type:`interval` :bro:attr:`&redef` The amount of time to monitor an RDP session from when it is first
identified.
==================================================================================== ===================================================================
Types
#####
========================================= =
:bro:type:`RDP::Info`: :bro:type:`record`
========================================= =
Redefinitions
#############
================================================================= =
:bro:type:`Log::ID`: :bro:type:`enum`
:bro:type:`RDP::Info`: :bro:type:`record`
:bro:type:`connection`: :bro:type:`record`
:bro:id:`likely_server_ports`: :bro:type:`set` :bro:attr:`&redef`
================================================================= =
Events
######
========================================= ===================================================================
:bro:id:`RDP::log_rdp`: :bro:type:`event` Event that can be handled to access the rdp record as it is sent on
to the logging framework.
========================================= ===================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. bro:id:: RDP::disable_analyzer_after_detection
:Type: :bro:type:`bool`
:Attributes: :bro:attr:`&redef`
:Default: ``F``
If true, detach the RDP analyzer from the connection to prevent
continuing to process encrypted traffic.
.. bro:id:: RDP::rdp_check_interval
:Type: :bro:type:`interval`
:Attributes: :bro:attr:`&redef`
:Default: ``10.0 secs``
The amount of time to monitor an RDP session from when it is first
identified. When this interval is reached, the session is logged.
Types
#####
.. bro:type:: RDP::Info
:Type: :bro:type:`record`
ts: :bro:type:`time` :bro:attr:`&log`
Timestamp for when the event happened.
uid: :bro:type:`string` :bro:attr:`&log`
Unique ID for the connection.
id: :bro:type:`conn_id` :bro:attr:`&log`
The connection's 4-tuple of endpoint addresses/ports.
cookie: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Cookie value used by the client machine.
This is typically a username.
result: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Status result for the connection. It's a mix between
RDP negotation failure messages and GCC server create
response messages.
security_protocol: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Security protocol chosen by the server.
keyboard_layout: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Keyboard layout (language) of the client machine.
client_build: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
RDP client version used by the client machine.
client_name: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Name of the client machine.
client_dig_product_id: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Product ID of the client machine.
desktop_width: :bro:type:`count` :bro:attr:`&log` :bro:attr:`&optional`
Desktop width of the client machine.
desktop_height: :bro:type:`count` :bro:attr:`&log` :bro:attr:`&optional`
Desktop height of the client machine.
requested_color_depth: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
The color depth requested by the client in
the high_color_depth field.
cert_type: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
If the connection is being encrypted with native
RDP encryption, this is the type of cert
being used.
cert_count: :bro:type:`count` :bro:attr:`&log` :bro:attr:`&default` = ``0`` :bro:attr:`&optional`
The number of certs seen. X.509 can transfer an
entire certificate chain.
cert_permanent: :bro:type:`bool` :bro:attr:`&log` :bro:attr:`&optional`
Indicates if the provided certificate or certificate
chain is permanent or temporary.
encryption_level: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Encryption level of the connection.
encryption_method: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Encryption method of the connection.
analyzer_id: :bro:type:`count` :bro:attr:`&optional`
The analyzer ID used for the analyzer instance attached
to each connection. It is not used for logging since it's a
meaningless arbitrary number.
done: :bro:type:`bool` :bro:attr:`&default` = ``F`` :bro:attr:`&optional`
Track status of logging RDP connections.
ssl: :bro:type:`bool` :bro:attr:`&log` :bro:attr:`&default` = ``F`` :bro:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/rdp/indicate_ssl.bro` is loaded)
Flag the connection if it was seen over SSL.
Events
######
.. bro:id:: RDP::log_rdp
:Type: :bro:type:`event` (rec: :bro:type:`RDP::Info`)
Event that can be handled to access the rdp record as it is sent on
to the logging framework.
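Review bot: typo in the `result` field doc of `RDP::Info`, "RDP negotation failure messages" should be "negotiation"; correct the `##` comment in base/protocols/rdp/main.bro and regenerate rather than editing this file, or the up-to-date test will flag the drift.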

@ -0,0 +1,14 @@
:tocdepth: 3
base/protocols/rfb/__load__.bro
===============================
:Imports: :doc:`base/protocols/rfb/main.bro </scripts/base/protocols/rfb/main.bro>`
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

@ -0,0 +1,13 @@
:orphan:
Package: base/protocols/rfb
===========================
Support for Remote FrameBuffer analysis. This includes all VNC servers.
:doc:`/scripts/base/protocols/rfb/__load__.bro`
:doc:`/scripts/base/protocols/rfb/main.bro`

@ -0,0 +1,92 @@
:tocdepth: 3
base/protocols/rfb/main.bro
===========================
.. bro:namespace:: RFB
:Namespace: RFB
Summary
~~~~~~~
Types
#####
========================================= =========================================================
:bro:type:`RFB::Info`: :bro:type:`record` The record type which contains the fields of the RFB log.
========================================= =========================================================
Redefinitions
#############
========================================== =
:bro:type:`Log::ID`: :bro:type:`enum`
:bro:type:`connection`: :bro:type:`record`
========================================== =
Events
######
========================================= =
:bro:id:`RFB::log_rfb`: :bro:type:`event`
========================================= =
Detailed Interface
~~~~~~~~~~~~~~~~~~
Types
#####
.. bro:type:: RFB::Info
:Type: :bro:type:`record`
ts: :bro:type:`time` :bro:attr:`&log`
Timestamp for when the event happened.
uid: :bro:type:`string` :bro:attr:`&log`
Unique ID for the connection.
id: :bro:type:`conn_id` :bro:attr:`&log`
The connection's 4-tuple of endpoint addresses/ports.
client_major_version: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Major version of the client.
client_minor_version: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Minor version of the client.
server_major_version: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Major version of the server.
server_minor_version: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Minor version of the server.
authentication_method: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Identifier of authentication method used.
auth: :bro:type:`bool` :bro:attr:`&log` :bro:attr:`&optional`
Whether or not authentication was successful.
share_flag: :bro:type:`bool` :bro:attr:`&log` :bro:attr:`&optional`
Whether the client has an exclusive or a shared session.
desktop_name: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Name of the screen that is being shared.
width: :bro:type:`count` :bro:attr:`&log` :bro:attr:`&optional`
Width of the screen that is being shared.
height: :bro:type:`count` :bro:attr:`&log` :bro:attr:`&optional`
Height of the screen that is being shared.
done: :bro:type:`bool` :bro:attr:`&default` = ``F`` :bro:attr:`&optional`
Internally used value to determine if this connection
has already been logged.
The record type which contains the fields of the RFB log.
Events
######
.. bro:id:: RFB::log_rfb
:Type: :bro:type:`event` (rec: :bro:type:`RFB::Info`)
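Review bot: the `RFB::log_rfb` event at the end of this hunk has no description (`.. bro:id:: RFB::log_rfb` is followed only by its `:Type:` line), and the Events summary table row for it is likewise empty. The RDP and SIP counterparts in this commit carry "Event that can be handled to access the ... record as it is sent on to the logging framework."; an equivalent `##` doc comment above the event declaration in scripts/base/protocols/rfb/main.bro would fill both spots at the next regeneration, since this RST is generated output and should not be edited by hand.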

@ -0,0 +1,14 @@
:tocdepth: 3
base/protocols/sip/__load__.bro
===============================
:Imports: :doc:`base/protocols/sip/main.bro </scripts/base/protocols/sip/main.bro>`
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

@ -0,0 +1,16 @@
:orphan:
Package: base/protocols/sip
===========================
Support for Session Initiation Protocol (SIP) analysis.
:doc:`/scripts/base/protocols/sip/__load__.bro`
:doc:`/scripts/base/protocols/sip/main.bro`
Implements base functionality for SIP analysis. The logging model is
to log request/response pairs and all relevant metadata together in
a single record.

@ -0,0 +1,180 @@
:tocdepth: 3
base/protocols/sip/main.bro
===========================
.. bro:namespace:: SIP
Implements base functionality for SIP analysis. The logging model is
to log request/response pairs and all relevant metadata together in
a single record.
:Namespace: SIP
:Imports: :doc:`base/utils/files.bro </scripts/base/utils/files.bro>`, :doc:`base/utils/numbers.bro </scripts/base/utils/numbers.bro>`
Summary
~~~~~~~
Runtime Options
###############
============================================================== ======================
:bro:id:`SIP::sip_methods`: :bro:type:`set` :bro:attr:`&redef` A list of SIP methods.
============================================================== ======================
Types
#####
========================================== =========================================================
:bro:type:`SIP::Info`: :bro:type:`record` The record type which contains the fields of the SIP log.
:bro:type:`SIP::State`: :bro:type:`record`
========================================== =========================================================
Redefinitions
#############
================================================================= =
:bro:type:`Log::ID`: :bro:type:`enum`
:bro:type:`connection`: :bro:type:`record`
:bro:id:`likely_server_ports`: :bro:type:`set` :bro:attr:`&redef`
================================================================= =
Events
######
========================================= ===================================================================
:bro:id:`SIP::log_sip`: :bro:type:`event` Event that can be handled to access the SIP record as it is sent on
to the logging framework.
========================================= ===================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. bro:id:: SIP::sip_methods
:Type: :bro:type:`set` [:bro:type:`string`]
:Attributes: :bro:attr:`&redef`
:Default:
::
{
"NOTIFY",
"ACK",
"SUBSCRIBE",
"CANCEL",
"OPTIONS",
"REGISTER",
"INVITE",
"BYE"
}
A list of SIP methods. Other methods will generate a weird. Note
that the SIP analyzer will only accept methods consisting solely
of letters ``[A-Za-z]``.
Types
#####
.. bro:type:: SIP::Info
:Type: :bro:type:`record`
ts: :bro:type:`time` :bro:attr:`&log`
Timestamp for when the request happened.
uid: :bro:type:`string` :bro:attr:`&log`
Unique ID for the connection.
id: :bro:type:`conn_id` :bro:attr:`&log`
The connection's 4-tuple of endpoint addresses/ports.
trans_depth: :bro:type:`count` :bro:attr:`&log`
Represents the pipelined depth into the connection of this
request/response transaction.
method: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Verb used in the SIP request (INVITE, REGISTER etc.).
uri: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
URI used in the request.
date: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Contents of the Date: header from the client
request_from: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Contents of the request From: header
Note: The tag= value that's usually appended to the sender
is stripped off and not logged.
request_to: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Contents of the To: header
response_from: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Contents of the response From: header
Note: The ``tag=`` value that's usually appended to the sender
is stripped off and not logged.
response_to: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Contents of the response To: header
reply_to: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Contents of the Reply-To: header
call_id: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Contents of the Call-ID: header from the client
seq: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Contents of the CSeq: header from the client
subject: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Contents of the Subject: header from the client
request_path: :bro:type:`vector` of :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
The client message transmission path, as extracted from the headers.
response_path: :bro:type:`vector` of :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
The server message transmission path, as extracted from the headers.
user_agent: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Contents of the User-Agent: header from the client
status_code: :bro:type:`count` :bro:attr:`&log` :bro:attr:`&optional`
Status code returned by the server.
status_msg: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Status message returned by the server.
warning: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Contents of the Warning: header
request_body_len: :bro:type:`count` :bro:attr:`&log` :bro:attr:`&optional`
Contents of the Content-Length: header from the client
response_body_len: :bro:type:`count` :bro:attr:`&log` :bro:attr:`&optional`
Contents of the Content-Length: header from the server
content_type: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Contents of the Content-Type: header from the server
The record type which contains the fields of the SIP log.
.. bro:type:: SIP::State
:Type: :bro:type:`record`
pending: :bro:type:`table` [:bro:type:`count`] of :bro:type:`SIP::Info`
Pending requests.
current_request: :bro:type:`count` :bro:attr:`&default` = ``0`` :bro:attr:`&optional`
Current request in the pending queue.
current_response: :bro:type:`count` :bro:attr:`&default` = ``0`` :bro:attr:`&optional`
Current response in the pending queue.
Events
######
.. bro:id:: SIP::log_sip
:Type: :bro:type:`event` (rec: :bro:type:`SIP::Info`)
Event that can be handled to access the SIP record as it is sent on
to the logging framework.
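Review bot: the doc comments in the `SIP::Info` record are inconsistent in markup and punctuation: `request_from` renders its note as plain "The tag= value that's usually appended to the sender" while `response_from` renders the same note as "The ``tag=`` value", and most header descriptions ("Contents of the Date: header from the client", "Contents of the To: header") lack the terminating period that the surrounding fields have. `SIP::State` also has no record-level description (its Types summary row is empty). Because this file is generated, the fixes belong in the `##` comments of scripts/base/protocols/sip/main.bro rather than in this RST.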

@ -0,0 +1,14 @@
:tocdepth: 3
base/protocols/smb/__load__.bro
===============================
:Imports: :doc:`base/protocols/smb/const-dos-error.bro </scripts/base/protocols/smb/const-dos-error.bro>`, :doc:`base/protocols/smb/const-nt-status.bro </scripts/base/protocols/smb/const-nt-status.bro>`, :doc:`base/protocols/smb/consts.bro </scripts/base/protocols/smb/consts.bro>`, :doc:`base/protocols/smb/files.bro </scripts/base/protocols/smb/files.bro>`, :doc:`base/protocols/smb/main.bro </scripts/base/protocols/smb/main.bro>`, :doc:`base/protocols/smb/smb1-main.bro </scripts/base/protocols/smb/smb1-main.bro>`, :doc:`base/protocols/smb/smb2-main.bro </scripts/base/protocols/smb/smb2-main.bro>`
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

@ -0,0 +1,22 @@
:tocdepth: 3
base/protocols/smb/const-dos-error.bro
======================================
.. bro:namespace:: SMB
:Namespace: SMB
:Imports: :doc:`base/protocols/smb/consts.bro </scripts/base/protocols/smb/consts.bro>`
Summary
~~~~~~~
Redefinitions
#############
=============================================================================================================================== =
:bro:id:`SMB::statuses`: :bro:type:`table` :bro:attr:`&redef` :bro:attr:`&default` = :bro:type:`function` :bro:attr:`&optional`
=============================================================================================================================== =
Detailed Interface
~~~~~~~~~~~~~~~~~~

@ -0,0 +1,22 @@
:tocdepth: 3
base/protocols/smb/const-nt-status.bro
======================================
.. bro:namespace:: SMB
:Namespace: SMB
:Imports: :doc:`base/protocols/smb/consts.bro </scripts/base/protocols/smb/consts.bro>`
Summary
~~~~~~~
Redefinitions
#############
=============================================================================================================================== =
:bro:id:`SMB::statuses`: :bro:type:`table` :bro:attr:`&redef` :bro:attr:`&default` = :bro:type:`function` :bro:attr:`&optional`
=============================================================================================================================== =
Detailed Interface
~~~~~~~~~~~~~~~~~~

File diff suppressed because it is too large

@ -0,0 +1,37 @@
:tocdepth: 3
base/protocols/smb/files.bro
============================
.. bro:namespace:: SMB
:Namespace: SMB
:Imports: :doc:`base/frameworks/files </scripts/base/frameworks/files/index>`, :doc:`base/protocols/smb/main.bro </scripts/base/protocols/smb/main.bro>`
Summary
~~~~~~~
Functions
#########
==================================================== =====================================
:bro:id:`SMB::describe_file`: :bro:type:`function` Default file describer for SMB.
:bro:id:`SMB::get_file_handle`: :bro:type:`function` Default file handle provider for SMB.
==================================================== =====================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. bro:id:: SMB::describe_file
:Type: :bro:type:`function` (f: :bro:type:`fa_file`) : :bro:type:`string`
Default file describer for SMB.
.. bro:id:: SMB::get_file_handle
:Type: :bro:type:`function` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`) : :bro:type:`string`
Default file handle provider for SMB.

@ -0,0 +1,31 @@
:orphan:
Package: base/protocols/smb
===========================
Support for SMB protocol analysis.
:doc:`/scripts/base/protocols/smb/__load__.bro`
:doc:`/scripts/base/protocols/smb/consts.bro`
:doc:`/scripts/base/protocols/smb/const-dos-error.bro`
:doc:`/scripts/base/protocols/smb/const-nt-status.bro`
:doc:`/scripts/base/protocols/smb/main.bro`
:doc:`/scripts/base/protocols/smb/smb1-main.bro`
:doc:`/scripts/base/protocols/smb/smb2-main.bro`
:doc:`/scripts/base/protocols/smb/files.bro`

@ -0,0 +1,289 @@
:tocdepth: 3
base/protocols/smb/main.bro
===========================
.. bro:namespace:: SMB
:Namespace: SMB
:Imports: :doc:`base/protocols/smb/const-dos-error.bro </scripts/base/protocols/smb/const-dos-error.bro>`, :doc:`base/protocols/smb/const-nt-status.bro </scripts/base/protocols/smb/const-nt-status.bro>`, :doc:`base/protocols/smb/consts.bro </scripts/base/protocols/smb/consts.bro>`
Summary
~~~~~~~
Runtime Options
###############
====================================================================== ==================================
:bro:id:`SMB::logged_file_actions`: :bro:type:`set` :bro:attr:`&redef` The file actions which are logged.
====================================================================== ==================================
Types
#####
============================================= =======================================================
:bro:type:`SMB::Action`: :bro:type:`enum` Abstracted actions for SMB file actions.
:bro:type:`SMB::CmdInfo`: :bro:type:`record` This record is for the smb_cmd.log
:bro:type:`SMB::FileInfo`: :bro:type:`record` This record is for the smb_files.log
:bro:type:`SMB::State`: :bro:type:`record` This record stores the SMB state of in-flight commands,
the file and tree map of the connection.
:bro:type:`SMB::TreeInfo`: :bro:type:`record` This record is for the smb_mapping.log
============================================= =======================================================
Redefinitions
#############
================================================================= ============================================================
:bro:type:`Log::ID`: :bro:type:`enum`
:bro:type:`SMB::FileInfo`: :bro:type:`record`
:bro:type:`connection`: :bro:type:`record` Everything below here is used internally in the SMB scripts.
:bro:id:`likely_server_ports`: :bro:type:`set` :bro:attr:`&redef`
================================================================= ============================================================
Functions
#########
======================================================================== ====================================
:bro:id:`SMB::set_current_file`: :bro:type:`function` :bro:attr:`&redef` This is an internally used function.
:bro:id:`SMB::write_file_log`: :bro:type:`function` :bro:attr:`&redef` This is an internally used function.
======================================================================== ====================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. bro:id:: SMB::logged_file_actions
:Type: :bro:type:`set` [:bro:type:`SMB::Action`]
:Attributes: :bro:attr:`&redef`
:Default:
::
{
SMB::FILE_OPEN,
SMB::PRINT_CLOSE,
SMB::FILE_DELETE,
SMB::FILE_RENAME,
SMB::PRINT_OPEN
}
The file actions which are logged.
Types
#####
.. bro:type:: SMB::Action
:Type: :bro:type:`enum`
.. bro:enum:: SMB::FILE_READ SMB::Action
.. bro:enum:: SMB::FILE_WRITE SMB::Action
.. bro:enum:: SMB::FILE_OPEN SMB::Action
.. bro:enum:: SMB::FILE_CLOSE SMB::Action
.. bro:enum:: SMB::FILE_DELETE SMB::Action
.. bro:enum:: SMB::FILE_RENAME SMB::Action
.. bro:enum:: SMB::FILE_SET_ATTRIBUTE SMB::Action
.. bro:enum:: SMB::PIPE_READ SMB::Action
.. bro:enum:: SMB::PIPE_WRITE SMB::Action
.. bro:enum:: SMB::PIPE_OPEN SMB::Action
.. bro:enum:: SMB::PIPE_CLOSE SMB::Action
.. bro:enum:: SMB::PRINT_READ SMB::Action
.. bro:enum:: SMB::PRINT_WRITE SMB::Action
.. bro:enum:: SMB::PRINT_OPEN SMB::Action
.. bro:enum:: SMB::PRINT_CLOSE SMB::Action
Abstracted actions for SMB file actions.
.. bro:type:: SMB::CmdInfo
:Type: :bro:type:`record`
ts: :bro:type:`time` :bro:attr:`&log`
Timestamp of the command request.
uid: :bro:type:`string` :bro:attr:`&log`
Unique ID of the connection the request was sent over.
id: :bro:type:`conn_id` :bro:attr:`&log`
ID of the connection the request was sent over.
command: :bro:type:`string` :bro:attr:`&log`
The command sent by the client.
sub_command: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
The subcommand sent by the client, if present.
argument: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Command argument sent by the client, if any.
status: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Server reply to the client's command.
rtt: :bro:type:`interval` :bro:attr:`&log` :bro:attr:`&optional`
Round trip time from the request to the response.
version: :bro:type:`string` :bro:attr:`&log`
Version of SMB for the command.
username: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Authenticated username, if available.
tree: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
If this is related to a tree, this is the tree
that was used for the current command.
tree_service: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
The type of tree (disk share, printer share, named pipe, etc.).
referenced_file: :bro:type:`SMB::FileInfo` :bro:attr:`&log` :bro:attr:`&optional`
If the command referenced a file, store it here.
referenced_tree: :bro:type:`SMB::TreeInfo` :bro:attr:`&optional`
If the command referenced a tree, store it here.
smb1_offered_dialects: :bro:type:`string_vec` :bro:attr:`&optional`
(present if :doc:`/scripts/base/protocols/smb/smb1-main.bro` is loaded)
Dialects offered by the client.
smb2_offered_dialects: :bro:type:`index_vec` :bro:attr:`&optional`
(present if :doc:`/scripts/base/protocols/smb/smb2-main.bro` is loaded)
Dialects offered by the client.
This record is for the smb_cmd.log
.. bro:type:: SMB::FileInfo
:Type: :bro:type:`record`
ts: :bro:type:`time` :bro:attr:`&log`
Time when the file was first discovered.
uid: :bro:type:`string` :bro:attr:`&log`
Unique ID of the connection the file was sent over.
id: :bro:type:`conn_id` :bro:attr:`&log`
ID of the connection the file was sent over.
fuid: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Unique ID of the file.
action: :bro:type:`SMB::Action` :bro:attr:`&log` :bro:attr:`&optional`
Action this log record represents.
path: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Path pulled from the tree this file was transferred to or from.
name: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Filename if one was seen.
size: :bro:type:`count` :bro:attr:`&log` :bro:attr:`&default` = ``0`` :bro:attr:`&optional`
Total size of the file.
prev_name: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
If the rename action was seen, this will be
the file's previous name.
times: :bro:type:`SMB::MACTimes` :bro:attr:`&log` :bro:attr:`&optional`
Last time this file was modified.
fid: :bro:type:`count` :bro:attr:`&optional`
ID referencing this file.
uuid: :bro:type:`string` :bro:attr:`&optional`
UUID referencing this file if DCE/RPC.
This record is for the smb_files.log
.. bro:type:: SMB::State
:Type: :bro:type:`record`
current_cmd: :bro:type:`SMB::CmdInfo` :bro:attr:`&optional`
A reference to the current command.
current_file: :bro:type:`SMB::FileInfo` :bro:attr:`&optional`
A reference to the current file.
current_tree: :bro:type:`SMB::TreeInfo` :bro:attr:`&optional`
A reference to the current tree.
pending_cmds: :bro:type:`table` [:bro:type:`count`] of :bro:type:`SMB::CmdInfo` :bro:attr:`&optional`
Indexed on MID to map responses to requests.
fid_map: :bro:type:`table` [:bro:type:`count`] of :bro:type:`SMB::FileInfo` :bro:attr:`&optional`
File map to retrieve file information based on the file ID.
tid_map: :bro:type:`table` [:bro:type:`count`] of :bro:type:`SMB::TreeInfo` :bro:attr:`&optional`
Tree map to retrieve tree information based on the tree ID.
uid_map: :bro:type:`table` [:bro:type:`count`] of :bro:type:`string` :bro:attr:`&optional`
User map to retrieve user name based on the user ID.
pipe_map: :bro:type:`table` [:bro:type:`count`] of :bro:type:`string` :bro:attr:`&optional`
Pipe map to retrieve UUID based on the file ID of a pipe.
recent_files: :bro:type:`set` [:bro:type:`string`] :bro:attr:`&default` = ``{ }`` :bro:attr:`&optional` :bro:attr:`&read_expire` = ``3.0 mins``
A set of recent files to avoid logging the same
files over and over in the smb files log.
This only applies to files seen in a single connection.
This record stores the SMB state of in-flight commands,
the file and tree map of the connection.
.. bro:type:: SMB::TreeInfo
:Type: :bro:type:`record`
ts: :bro:type:`time` :bro:attr:`&log` :bro:attr:`&optional`
Time when the tree was mapped.
uid: :bro:type:`string` :bro:attr:`&log`
Unique ID of the connection the tree was mapped over.
id: :bro:type:`conn_id` :bro:attr:`&log`
ID of the connection the tree was mapped over.
path: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Name of the tree path.
service: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
The type of resource of the tree (disk share, printer share, named pipe, etc.).
native_file_system: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
File system of the tree.
share_type: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&default` = ``"DISK"`` :bro:attr:`&optional`
If this is SMB2, a share type will be included. For SMB1,
the type of share will be deduced and included as well.
This record is for the smb_mapping.log
Functions
#########
.. bro:id:: SMB::set_current_file
:Type: :bro:type:`function` (smb_state: :bro:type:`SMB::State`, file_id: :bro:type:`count`) : :bro:type:`void`
:Attributes: :bro:attr:`&redef`
This is an internally used function.
.. bro:id:: SMB::write_file_log
:Type: :bro:type:`function` (state: :bro:type:`SMB::State`) : :bro:type:`void`
:Attributes: :bro:attr:`&redef`
This is an internally used function.
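Review bot: the Redefinitions summary table in this hunk shows "Everything below here is used internally in the SMB scripts." as the description of the `connection` record redefinition. That reads like a section-marker comment that the generator attached to the next declaration because it was written as a `##` doc comment; demoting it to a plain `#` comment in scripts/base/protocols/smb/main.bro would keep it out of the generated table. Separately, `SMB::FileInfo.times` is typed `SMB::MACTimes` but described only as "Last time this file was modified.", so the comment understates the field (the type name points to a set of MAC timestamps rather than a single modification time); the description should match the type.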

@ -0,0 +1,22 @@
:tocdepth: 3
base/protocols/smb/smb1-main.bro
================================
.. bro:namespace:: SMB1
:Namespace: SMB1
:Imports: :doc:`base/protocols/smb/main.bro </scripts/base/protocols/smb/main.bro>`
Summary
~~~~~~~
Redefinitions
#############
============================================ =
:bro:type:`SMB::CmdInfo`: :bro:type:`record`
============================================ =
Detailed Interface
~~~~~~~~~~~~~~~~~~

@ -0,0 +1,22 @@
:tocdepth: 3
base/protocols/smb/smb2-main.bro
================================
.. bro:namespace:: SMB2
:Namespace: SMB2
:Imports: :doc:`base/protocols/smb/main.bro </scripts/base/protocols/smb/main.bro>`
Summary
~~~~~~~
Redefinitions
#############
============================================ =
:bro:type:`SMB::CmdInfo`: :bro:type:`record`
============================================ =
Detailed Interface
~~~~~~~~~~~~~~~~~~

@ -0,0 +1,14 @@
:tocdepth: 3
base/protocols/smtp/__load__.bro
================================
:Imports: :doc:`base/protocols/smtp/entities.bro </scripts/base/protocols/smtp/entities.bro>`, :doc:`base/protocols/smtp/files.bro </scripts/base/protocols/smtp/files.bro>`, :doc:`base/protocols/smtp/main.bro </scripts/base/protocols/smtp/main.bro>`
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

@ -0,0 +1,45 @@
:tocdepth: 3
base/protocols/smtp/entities.bro
================================
.. bro:namespace:: SMTP
Analysis and logging for MIME entities found in SMTP sessions.
:Namespace: SMTP
:Imports: :doc:`base/frameworks/files </scripts/base/frameworks/files/index>`, :doc:`base/protocols/smtp/main.bro </scripts/base/protocols/smtp/main.bro>`, :doc:`base/utils/files.bro </scripts/base/utils/files.bro>`, :doc:`base/utils/strings.bro </scripts/base/utils/strings.bro>`
Summary
~~~~~~~
Types
#####
============================================ =
:bro:type:`SMTP::Entity`: :bro:type:`record`
============================================ =
Redefinitions
#############
=========================================== =
:bro:type:`SMTP::Info`: :bro:type:`record`
:bro:type:`SMTP::State`: :bro:type:`record`
=========================================== =
Detailed Interface
~~~~~~~~~~~~~~~~~~
Types
#####
.. bro:type:: SMTP::Entity
:Type: :bro:type:`record`
filename: :bro:type:`string` :bro:attr:`&optional`
Filename for the entity if discovered from a header.
excerpt: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&default` = ``""`` :bro:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/smtp/entities-excerpt.bro` is loaded)
The entity body excerpt.
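Review bot: `SMTP::Entity` is declared without a record-level description: its Types summary row is empty and the detailed entry ends after the `excerpt` field with no description line, whereas the other record types in this commit (for example `SIP::Info` and `RFB::Info`) end with "The record type which contains the fields of the ... log." A `##` comment on the type in scripts/base/protocols/smtp/entities.bro would fill this in at the next regeneration.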

@ -0,0 +1,43 @@
:tocdepth: 3
base/protocols/smtp/files.bro
=============================
.. bro:namespace:: SMTP
:Namespace: SMTP
:Imports: :doc:`base/frameworks/files </scripts/base/frameworks/files/index>`, :doc:`base/protocols/smtp/entities.bro </scripts/base/protocols/smtp/entities.bro>`, :doc:`base/protocols/smtp/main.bro </scripts/base/protocols/smtp/main.bro>`, :doc:`base/utils/conn-ids.bro </scripts/base/utils/conn-ids.bro>`
Summary
~~~~~~~
Redefinitions
#############
========================================== =
:bro:type:`SMTP::Info`: :bro:type:`record`
========================================== =
Functions
#########
===================================================== ======================================
:bro:id:`SMTP::describe_file`: :bro:type:`function` Default file describer for SMTP.
:bro:id:`SMTP::get_file_handle`: :bro:type:`function` Default file handle provider for SMTP.
===================================================== ======================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. bro:id:: SMTP::describe_file
:Type: :bro:type:`function` (f: :bro:type:`fa_file`) : :bro:type:`string`
Default file describer for SMTP.
.. bro:id:: SMTP::get_file_handle
:Type: :bro:type:`function` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`) : :bro:type:`string`
Default file handle provider for SMTP.

@ -0,0 +1,20 @@
:orphan:
Package: base/protocols/smtp
============================
Support for Simple Mail Transfer Protocol (SMTP) analysis.
:doc:`/scripts/base/protocols/smtp/__load__.bro`
:doc:`/scripts/base/protocols/smtp/main.bro`
:doc:`/scripts/base/protocols/smtp/entities.bro`
Analysis and logging for MIME entities found in SMTP sessions.
:doc:`/scripts/base/protocols/smtp/files.bro`

@ -0,0 +1,196 @@
:tocdepth: 3
base/protocols/smtp/main.bro
============================
.. bro:namespace:: SMTP
:Namespace: SMTP
:Imports: :doc:`base/utils/addrs.bro </scripts/base/utils/addrs.bro>`, :doc:`base/utils/directions-and-hosts.bro </scripts/base/utils/directions-and-hosts.bro>`, :doc:`base/utils/email.bro </scripts/base/utils/email.bro>`
Summary
~~~~~~~
Runtime Options
###############
====================================================================== ===================================================
:bro:id:`SMTP::mail_path_capture`: :bro:type:`Host` :bro:attr:`&redef` Direction to capture the full "Received from" path.
====================================================================== ===================================================
Types
#####
=========================================== =
:bro:type:`SMTP::Info`: :bro:type:`record`
:bro:type:`SMTP::State`: :bro:type:`record`
=========================================== =
Redefinitions
#############
================================================================= =
:bro:type:`Log::ID`: :bro:type:`enum`
:bro:type:`connection`: :bro:type:`record`
:bro:id:`likely_server_ports`: :bro:type:`set` :bro:attr:`&redef`
================================================================= =
Events
######
=========================================== =
:bro:id:`SMTP::log_smtp`: :bro:type:`event`
=========================================== =
Functions
#########
============================================== ===========================================================
:bro:id:`SMTP::describe`: :bro:type:`function` Create an extremely shortened representation of a log line.
============================================== ===========================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. bro:id:: SMTP::mail_path_capture
:Type: :bro:type:`Host`
:Attributes: :bro:attr:`&redef`
:Default: ``ALL_HOSTS``
Direction to capture the full "Received from" path.
REMOTE_HOSTS - only capture the path until an internal host is found.
LOCAL_HOSTS - only capture the path until the external host is discovered.
ALL_HOSTS - always capture the entire path.
NO_HOSTS - never capture the path.
Types
#####
.. bro:type:: SMTP::Info
:Type: :bro:type:`record`
ts: :bro:type:`time` :bro:attr:`&log`
Time when the message was first seen.
uid: :bro:type:`string` :bro:attr:`&log`
Unique ID for the connection.
id: :bro:type:`conn_id` :bro:attr:`&log`
The connection's 4-tuple of endpoint addresses/ports.
trans_depth: :bro:type:`count` :bro:attr:`&log`
A count to represent the depth of this message transaction in
a single connection where multiple messages were transferred.
helo: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Contents of the Helo header.
mailfrom: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Email addresses found in the From header.
rcptto: :bro:type:`set` [:bro:type:`string`] :bro:attr:`&log` :bro:attr:`&optional`
Email addresses found in the Rcpt header.
date: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Contents of the Date header.
from: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Contents of the From header.
to: :bro:type:`set` [:bro:type:`string`] :bro:attr:`&log` :bro:attr:`&optional`
Contents of the To header.
cc: :bro:type:`set` [:bro:type:`string`] :bro:attr:`&log` :bro:attr:`&optional`
Contents of the CC header.
reply_to: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Contents of the ReplyTo header.
msg_id: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Contents of the MsgID header.
in_reply_to: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Contents of the In-Reply-To header.
subject: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Contents of the Subject header.
x_originating_ip: :bro:type:`addr` :bro:attr:`&log` :bro:attr:`&optional`
Contents of the X-Originating-IP header.
first_received: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Contents of the first Received header.
second_received: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Contents of the second Received header.
last_reply: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
The last message that the server sent to the client.
path: :bro:type:`vector` of :bro:type:`addr` :bro:attr:`&log` :bro:attr:`&optional`
The message transmission path, as extracted from the headers.
user_agent: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Value of the User-Agent header from the client.
tls: :bro:type:`bool` :bro:attr:`&log` :bro:attr:`&default` = ``F`` :bro:attr:`&optional`
Indicates that the connection has switched to using TLS.
process_received_from: :bro:type:`bool` :bro:attr:`&default` = ``T`` :bro:attr:`&optional`
Indicates if the "Received: from" headers should still be
processed.
has_client_activity: :bro:type:`bool` :bro:attr:`&default` = ``F`` :bro:attr:`&optional`
Indicates if client activity has been seen, but not yet logged.
entity: :bro:type:`SMTP::Entity` :bro:attr:`&optional`
(present if :doc:`/scripts/base/protocols/smtp/entities.bro` is loaded)
The current entity being seen.
fuids: :bro:type:`vector` of :bro:type:`string` :bro:attr:`&log` :bro:attr:`&default` = ``[]`` :bro:attr:`&optional`
(present if :doc:`/scripts/base/protocols/smtp/files.bro` is loaded)
An ordered vector of file unique IDs seen attached to
the message.
is_webmail: :bro:type:`bool` :bro:attr:`&log` :bro:attr:`&default` = ``F`` :bro:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/smtp/software.bro` is loaded)
Boolean indicator of if the message was sent through a
webmail interface.
.. bro:type:: SMTP::State
:Type: :bro:type:`record`
helo: :bro:type:`string` :bro:attr:`&optional`
messages_transferred: :bro:type:`count` :bro:attr:`&default` = ``0`` :bro:attr:`&optional`
Count the number of individual messages transmitted during
this SMTP session. Note, this is not the number of
recipients, but the number of message bodies transferred.
pending_messages: :bro:type:`set` [:bro:type:`SMTP::Info`] :bro:attr:`&optional`
mime_depth: :bro:type:`count` :bro:attr:`&default` = ``0`` :bro:attr:`&optional`
(present if :doc:`/scripts/base/protocols/smtp/entities.bro` is loaded)
Track the number of MIME encoded files transferred
during a session.
Events
######
.. bro:id:: SMTP::log_smtp
:Type: :bro:type:`event` (rec: :bro:type:`SMTP::Info`)
Functions
#########
.. bro:id:: SMTP::describe
:Type: :bro:type:`function` (rec: :bro:type:`SMTP::Info`) : :bro:type:`string`
Create an extremely shortened representation of a log line.
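Review bot: two header names in the SMTP::Info field docs do not match the real RFC 5322 header names: `reply_to` is described as "Contents of the ReplyTo header" and `msg_id` as "Contents of the MsgID header", while the headers are `Reply-To` and `Message-ID`; since this wording comes from the script's doc comments, correct it there rather than in the .rst. In `SMTP::State`, `helo` and `pending_messages` carry no doc string at all while every other field in the record does, which is why the generated table has blank rows for them. A caveat belongs on `path` ("The message transmission path, as extracted from the headers") and on `x_originating_ip`: Received headers are appended by each relay in turn, so only the hops added by servers you control can be trusted, and a sender can prepend arbitrary Received lines or an arbitrary X-Originating-IP value.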

@ -0,0 +1,14 @@
:tocdepth: 3
base/protocols/snmp/__load__.bro
================================
:Imports: :doc:`base/protocols/snmp/main.bro </scripts/base/protocols/snmp/main.bro>`
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

@ -0,0 +1,14 @@
:orphan:
Package: base/protocols/snmp
============================
Support for Simple Network Management Protocol (SNMP) analysis.
:doc:`/scripts/base/protocols/snmp/__load__.bro`
:doc:`/scripts/base/protocols/snmp/main.bro`
Enables analysis and logging of SNMP datagrams.

@ -0,0 +1,123 @@
:tocdepth: 3
base/protocols/snmp/main.bro
============================
.. bro:namespace:: SNMP
Enables analysis and logging of SNMP datagrams.
:Namespace: SNMP
Summary
~~~~~~~
Redefinable Options
###################
============================================================================================================================ ========================================================
:bro:id:`SNMP::version_map`: :bro:type:`table` :bro:attr:`&redef` :bro:attr:`&default` = ``"unknown"`` :bro:attr:`&optional` Maps an SNMP version integer to a human readable string.
============================================================================================================================ ========================================================
Types
#####
========================================== =====================================
:bro:type:`SNMP::Info`: :bro:type:`record` Information tracked per SNMP session.
========================================== =====================================
Redefinitions
#############
================================================================= =
:bro:type:`Log::ID`: :bro:type:`enum`
:bro:type:`connection`: :bro:type:`record`
:bro:id:`likely_server_ports`: :bro:type:`set` :bro:attr:`&redef`
================================================================= =
Events
######
=========================================== ====================================================================
:bro:id:`SNMP::log_snmp`: :bro:type:`event` Event that can be handled to access the SNMP record as it is sent on
to the logging framework.
=========================================== ====================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Redefinable Options
###################
.. bro:id:: SNMP::version_map
:Type: :bro:type:`table` [:bro:type:`count`] of :bro:type:`string`
:Attributes: :bro:attr:`&redef` :bro:attr:`&default` = ``"unknown"`` :bro:attr:`&optional`
:Default:
::
{
[1] = "2c",
[0] = "1",
[3] = "3"
}
Maps an SNMP version integer to a human readable string.
Types
#####
.. bro:type:: SNMP::Info
:Type: :bro:type:`record`
ts: :bro:type:`time` :bro:attr:`&log`
Timestamp of first packet belonging to the SNMP session.
uid: :bro:type:`string` :bro:attr:`&log`
The unique ID for the connection.
id: :bro:type:`conn_id` :bro:attr:`&log`
The connection's 5-tuple of addresses/ports (ports inherently
include transport protocol information)
duration: :bro:type:`interval` :bro:attr:`&log` :bro:attr:`&default` = ``0 secs`` :bro:attr:`&optional`
The amount of time between the first packet beloning to
the SNMP session and the latest one seen.
version: :bro:type:`string` :bro:attr:`&log`
The version of SNMP being used.
community: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
The community string of the first SNMP packet associated with
the session. This is used as part of SNMP's (v1 and v2c)
administrative/security framework. See :rfc:`1157` or :rfc:`1901`.
get_requests: :bro:type:`count` :bro:attr:`&log` :bro:attr:`&default` = ``0`` :bro:attr:`&optional`
The number of variable bindings in GetRequest/GetNextRequest PDUs
seen for the session.
get_bulk_requests: :bro:type:`count` :bro:attr:`&log` :bro:attr:`&default` = ``0`` :bro:attr:`&optional`
The number of variable bindings in GetBulkRequest PDUs seen for
the session.
get_responses: :bro:type:`count` :bro:attr:`&log` :bro:attr:`&default` = ``0`` :bro:attr:`&optional`
The number of variable bindings in GetResponse/Response PDUs seen
for the session.
set_requests: :bro:type:`count` :bro:attr:`&log` :bro:attr:`&default` = ``0`` :bro:attr:`&optional`
The number of variable bindings in SetRequest PDUs seen for
the session.
display_string: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
A system description of the SNMP responder endpoint.
up_since: :bro:type:`time` :bro:attr:`&log` :bro:attr:`&optional`
The time at which the SNMP responder endpoint claims it's been
up since.
Information tracked per SNMP session.
Events
######
.. bro:id:: SNMP::log_snmp
:Type: :bro:type:`event` (rec: :bro:type:`SNMP::Info`)
Event that can be handled to access the SNMP record as it is sent on
to the logging framework.
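Review bot: `community` is declared `&log` with no opt-out, so snmp.log records the SNMPv1/v2c community string of every session in clear text. That string is the only credential those protocol versions have (the docstring itself points at RFC 1157 and RFC 1901), so anyone who can read the log can also manage the devices; consider gating it behind a redefinable option the way the SOCKS script in this diff guards passwords, or at least spell out the exposure in the field's docstring. Minor: "beloning" in the `duration` docstring should be "belonging", and the `version_map` default lists only versions 0, 1 and 3, so it would help to say in its docstring that anything else (including 2) renders as "unknown".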

@ -0,0 +1,14 @@
:tocdepth: 3
base/protocols/socks/__load__.bro
=================================
:Imports: :doc:`base/protocols/socks/consts.bro </scripts/base/protocols/socks/consts.bro>`, :doc:`base/protocols/socks/main.bro </scripts/base/protocols/socks/main.bro>`
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

@ -0,0 +1,102 @@
:tocdepth: 3
base/protocols/socks/consts.bro
===============================
.. bro:namespace:: SOCKS
:Namespace: SOCKS
Summary
~~~~~~~
Constants
#########
=============================================================================================================================== =
:bro:id:`SOCKS::v4_status`: :bro:type:`table` :bro:attr:`&default` = :bro:type:`function` :bro:attr:`&optional`
:bro:id:`SOCKS::v5_authentication_methods`: :bro:type:`table` :bro:attr:`&default` = :bro:type:`function` :bro:attr:`&optional`
:bro:id:`SOCKS::v5_status`: :bro:type:`table` :bro:attr:`&default` = :bro:type:`function` :bro:attr:`&optional`
=============================================================================================================================== =
Types
#####
================================================ =
:bro:type:`SOCKS::RequestType`: :bro:type:`enum`
================================================ =
Detailed Interface
~~~~~~~~~~~~~~~~~~
Constants
#########
.. bro:id:: SOCKS::v4_status
:Type: :bro:type:`table` [:bro:type:`count`] of :bro:type:`string`
:Attributes: :bro:attr:`&default` = :bro:type:`function` :bro:attr:`&optional`
:Default:
::
{
[91] = "general SOCKS server failure",
[93] = "request failed because client's identd could not confirm the user ID string in the request",
[92] = "request failed because client is not running identd",
[90] = "succeeded"
}
.. bro:id:: SOCKS::v5_authentication_methods
:Type: :bro:type:`table` [:bro:type:`count`] of :bro:type:`string`
:Attributes: :bro:attr:`&default` = :bro:type:`function` :bro:attr:`&optional`
:Default:
::
{
[2] = "Username/Password",
[6] = "Secure Sockets Layer",
[1] = "GSSAPI",
[8] = "Multi-Authentication Framework",
[7] = "NDS Authentication",
[255] = "No Acceptable Methods",
[5] = "Challenge-Response Authentication Method",
[0] = "No Authentication Required",
[3] = "Challenge-Handshake Authentication Protocol"
}
.. bro:id:: SOCKS::v5_status
:Type: :bro:type:`table` [:bro:type:`count`] of :bro:type:`string`
:Attributes: :bro:attr:`&default` = :bro:type:`function` :bro:attr:`&optional`
:Default:
::
{
[2] = "connection not allowed by ruleset",
[6] = "TTL expired",
[4] = "Host unreachable",
[1] = "general SOCKS server failure",
[8] = "Address type not supported",
[7] = "Command not supported",
[5] = "Connection refused",
[0] = "succeeded",
[3] = "Network unreachable"
}
Types
#####
.. bro:type:: SOCKS::RequestType
:Type: :bro:type:`enum`
.. bro:enum:: SOCKS::CONNECTION SOCKS::RequestType
.. bro:enum:: SOCKS::PORT SOCKS::RequestType
.. bro:enum:: SOCKS::UDP_ASSOCIATE SOCKS::RequestType
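Review bot: none of `v4_status`, `v5_authentication_methods`, `v5_status` or the three `SOCKS::RequestType` enum values has a doc comment, which is why the right-hand column of both Summary tables is empty. The tables are also shown only as `&default = function`, with nothing on the page about what that function returns for a code that is not in the table, so a reader of socks.log cannot tell what an unmapped `status` value will look like; one sentence per constant would fix both problems. The `v5_status` mapping itself (0 through 8) matches the reply codes of RFC 1928 and the `v4_status` codes 90 through 93 match the SOCKS4 result codes.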

@ -0,0 +1,16 @@
:orphan:
Package: base/protocols/socks
=============================
Support for Socket Secure (SOCKS) protocol analysis.
:doc:`/scripts/base/protocols/socks/__load__.bro`
:doc:`/scripts/base/protocols/socks/consts.bro`
:doc:`/scripts/base/protocols/socks/main.bro`

@ -0,0 +1,108 @@
:tocdepth: 3
base/protocols/socks/main.bro
=============================
.. bro:namespace:: SOCKS
:Namespace: SOCKS
:Imports: :doc:`base/frameworks/tunnels </scripts/base/frameworks/tunnels/index>`, :doc:`base/protocols/socks/consts.bro </scripts/base/protocols/socks/consts.bro>`
Summary
~~~~~~~
Runtime Options
###############
============================================================================== ======================================
:bro:id:`SOCKS::default_capture_password`: :bro:type:`bool` :bro:attr:`&redef` Whether passwords are captured or not.
============================================================================== ======================================
Types
#####
=========================================== ===========================================================
:bro:type:`SOCKS::Info`: :bro:type:`record` The record type which contains the fields of the SOCKS log.
=========================================== ===========================================================
Redefinitions
#############
================================================================= =
:bro:type:`Log::ID`: :bro:type:`enum`
:bro:type:`connection`: :bro:type:`record`
:bro:id:`likely_server_ports`: :bro:type:`set` :bro:attr:`&redef`
================================================================= =
Events
######
============================================= =================================================
:bro:id:`SOCKS::log_socks`: :bro:type:`event` Event that can be handled to access the SOCKS
record as it is sent on to the logging framework.
============================================= =================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. bro:id:: SOCKS::default_capture_password
:Type: :bro:type:`bool`
:Attributes: :bro:attr:`&redef`
:Default: ``F``
Whether passwords are captured or not.
Types
#####
.. bro:type:: SOCKS::Info
:Type: :bro:type:`record`
ts: :bro:type:`time` :bro:attr:`&log`
Time when the proxy connection was first detected.
uid: :bro:type:`string` :bro:attr:`&log`
Unique ID for the tunnel - may correspond to connection uid
or be non-existent.
id: :bro:type:`conn_id` :bro:attr:`&log`
The connection's 4-tuple of endpoint addresses/ports.
version: :bro:type:`count` :bro:attr:`&log`
Protocol version of SOCKS.
user: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Username used to request a login to the proxy.
password: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Password used to request a login to the proxy.
status: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Server status for the attempt at using the proxy.
request: :bro:type:`SOCKS::Address` :bro:attr:`&log` :bro:attr:`&optional`
Client requested SOCKS address. Could be an address, a name
or both.
request_p: :bro:type:`port` :bro:attr:`&log` :bro:attr:`&optional`
Client requested port.
bound: :bro:type:`SOCKS::Address` :bro:attr:`&log` :bro:attr:`&optional`
Server bound address. Could be an address, a name or both.
bound_p: :bro:type:`port` :bro:attr:`&log` :bro:attr:`&optional`
Server bound port.
capture_password: :bro:type:`bool` :bro:attr:`&default` = :bro:see:`SOCKS::default_capture_password` :bro:attr:`&optional`
Determines if the password will be captured for this request.
The record type which contains the fields of the SOCKS log.
Events
######
.. bro:id:: SOCKS::log_socks
:Type: :bro:type:`event` (rec: :bro:type:`SOCKS::Info`)
Event that can be handled to access the SOCKS
record as it is sent on to the logging framework.
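Review bot: the `uid` docstring says the value "may correspond to connection uid or be non-existent", but the field is declared `string &log` with neither `&optional` nor a default, so it can never be absent from the record; either the comment or the declaration is wrong. `id` is described here as "The connection's 4-tuple of endpoint addresses/ports", while the SNMP script in the same diff documents the identical `conn_id` type as a 5-tuple; pick one wording. On the positive side, `password` is only filled in when `capture_password` is true and that defaults to `SOCKS::default_capture_password = F`, so proxy credentials are not logged unless an operator opts in; `user` has no such guard, which is probably intended but is worth stating in its docstring so nobody assumes the toggle covers both.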

@ -0,0 +1,14 @@
:tocdepth: 3
base/protocols/ssh/__load__.bro
===============================
:Imports: :doc:`base/protocols/ssh/main.bro </scripts/base/protocols/ssh/main.bro>`
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

@ -0,0 +1,14 @@
:orphan:
Package: base/protocols/ssh
===========================
Support for SSH protocol analysis.
:doc:`/scripts/base/protocols/ssh/__load__.bro`
:doc:`/scripts/base/protocols/ssh/main.bro`
Implements base functionality for SSH analysis. Generates the ssh.log file.
