Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-11 11:08:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Remove broxygen Sphinx integration

Browse source 
The broxygen-generated files now live in the git repo, have tests
that check that they are up-to-date, and a script to re-generate
them on-demand.
This commit is contained in:
Jon Siwek 2018-12-17 16:25:41 -06:00
parent 9e5e9d04b7
commit 7e9d48f532
549 changed files with 89909 additions and 100 deletions
Download patch file Download diff file Expand all files Collapse all files

57
doc/scripts/policy/protocols/ssl/expiring-certs.bro.rst Normal file
View file

@ -0,0 +1,57 @@
:tocdepth: 3
policy/protocols/ssl/expiring-certs.bro
=======================================
.. bro:namespace:: SSL
Generate notices when X.509 certificates over SSL/TLS are expired or
going to expire soon based on the date and time values stored within the
certificate.
:Namespace: SSL
:Imports: :doc:`base/files/x509 </scripts/base/files/x509/index>`, :doc:`base/frameworks/notice </scripts/base/frameworks/notice/index>`, :doc:`base/protocols/ssl </scripts/base/protocols/ssl/index>`, :doc:`base/utils/directions-and-hosts.bro </scripts/base/utils/directions-and-hosts.bro>`
Summary
~~~~~~~
Runtime Options
###############
==================================================================================== =====================================================================
:bro:id:`SSL::notify_certs_expiration`: :bro:type:`Host` :bro:attr:`&redef` The category of hosts you would like to be notified about which have
certificates that are going to be expiring soon.
:bro:id:`SSL::notify_when_cert_expiring_in`: :bro:type:`interval` :bro:attr:`&redef` The time before a certificate is going to expire that you would like
to start receiving :bro:enum:`SSL::Certificate_Expires_Soon` notices.
==================================================================================== =====================================================================
Redefinitions
#############
========================================== =
:bro:type:`Notice::Type`: :bro:type:`enum`
========================================== =
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. bro:id:: SSL::notify_certs_expiration
:Type: :bro:type:`Host`
:Attributes: :bro:attr:`&redef`
:Default: ``LOCAL_HOSTS``
The category of hosts you would like to be notified about which have
certificates that are going to be expiring soon. By default, these
notices will be suppressed by the notice framework for 1 day after
a particular certificate has had a notice generated.
Choices are: LOCAL_HOSTS, REMOTE_HOSTS, ALL_HOSTS, NO_HOSTS
.. bro:id:: SSL::notify_when_cert_expiring_in
:Type: :bro:type:`interval`
:Attributes: :bro:attr:`&redef`
:Default: ``30.0 days``
The time before a certificate is going to expire that you would like
to start receiving :bro:enum:`SSL::Certificate_Expires_Soon` notices.

45
doc/scripts/policy/protocols/ssl/extract-certs-pem.bro.rst Normal file
View file

@ -0,0 +1,45 @@
:tocdepth: 3
policy/protocols/ssl/extract-certs-pem.bro
==========================================
.. bro:namespace:: SSL
This script is used to extract host certificates seen on the wire to disk
after being converted to PEM files. The certificates will be stored in
a single file, one for local certificates and one for remote certificates.
.. note::
- It doesn't work well on a cluster because each worker will write its
own certificate files and no duplicate checking is done across the
cluster so each node would log each certificate.
:Namespace: SSL
:Imports: :doc:`base/files/x509 </scripts/base/files/x509/index>`, :doc:`base/protocols/ssl </scripts/base/protocols/ssl/index>`, :doc:`base/utils/directions-and-hosts.bro </scripts/base/utils/directions-and-hosts.bro>`
Summary
~~~~~~~
Runtime Options
###############
===================================================================== =========================================================
:bro:id:`SSL::extract_certs_pem`: :bro:type:`Host` :bro:attr:`&redef` Control if host certificates offered by the defined hosts
will be written to the PEM certificates file.
===================================================================== =========================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. bro:id:: SSL::extract_certs_pem
:Type: :bro:type:`Host`
:Attributes: :bro:attr:`&redef`
:Default: ``LOCAL_HOSTS``
Control if host certificates offered by the defined hosts
will be written to the PEM certificates file.
Choices are: LOCAL_HOSTS, REMOTE_HOSTS, ALL_HOSTS, NO_HOSTS.

25
doc/scripts/policy/protocols/ssl/heartbleed.bro.rst Normal file
View file

@ -0,0 +1,25 @@
:tocdepth: 3
policy/protocols/ssl/heartbleed.bro
===================================
.. bro:namespace:: Heartbleed
Detect the TLS heartbleed attack. See http://heartbleed.com for more.
:Namespace: Heartbleed
:Imports: :doc:`base/frameworks/notice </scripts/base/frameworks/notice/index>`, :doc:`base/protocols/ssl </scripts/base/protocols/ssl/index>`
Summary
~~~~~~~
Redefinitions
#############
==================================================================================== =
:bro:type:`Notice::Type`: :bro:type:`enum`
:bro:type:`SSL::Info`: :bro:type:`record`
:bro:id:`SSL::disable_analyzer_after_detection`: :bro:type:`bool` :bro:attr:`&redef`
==================================================================================== =
Detailed Interface
~~~~~~~~~~~~~~~~~~

195
doc/scripts/policy/protocols/ssl/known-certs.bro.rst Normal file
View file

@ -0,0 +1,195 @@
:tocdepth: 3
policy/protocols/ssl/known-certs.bro
====================================
.. bro:namespace:: Known
Log information about certificates while attempting to avoid duplicate
logging.
:Namespace: Known
:Imports: :doc:`base/files/x509 </scripts/base/files/x509/index>`, :doc:`base/frameworks/cluster </scripts/base/frameworks/cluster/index>`, :doc:`base/protocols/ssl </scripts/base/protocols/ssl/index>`, :doc:`base/utils/directions-and-hosts.bro </scripts/base/utils/directions-and-hosts.bro>`
Summary
~~~~~~~
Runtime Options
###############
============================================================================ ===================================================================
:bro:id:`Known::cert_store_expiry`: :bro:type:`interval` :bro:attr:`&redef` The expiry interval of new entries in :bro:see:`Known::cert_store`.
:bro:id:`Known::cert_store_timeout`: :bro:type:`interval` :bro:attr:`&redef` The timeout interval to use for operations against
:bro:see:`Known::cert_store`.
:bro:id:`Known::cert_tracking`: :bro:type:`Host` :bro:attr:`&redef` The certificates whose existence should be logged and tracked.
============================================================================ ===================================================================
Redefinable Options
###################
======================================================================= ==============================================================
:bro:id:`Known::cert_store_name`: :bro:type:`string` :bro:attr:`&redef` The Broker topic name to use for :bro:see:`Known::cert_store`.
:bro:id:`Known::use_cert_store`: :bro:type:`bool` :bro:attr:`&redef` Toggles between different implementations of this script.
======================================================================= ==============================================================
State Variables
###############
=================================================================================================== ====================================================================
:bro:id:`Known::cert_store`: :bro:type:`Cluster::StoreInfo` Holds the set of all known certificates.
:bro:id:`Known::certs`: :bro:type:`set` :bro:attr:`&create_expire` = ``1.0 day`` :bro:attr:`&redef` The set of all known certificates to store for preventing duplicate
logging.
=================================================================================================== ====================================================================
Types
#####
======================================================= =
:bro:type:`Known::AddrCertHashPair`: :bro:type:`record`
:bro:type:`Known::CertsInfo`: :bro:type:`record`
======================================================= =
Redefinitions
#############
===================================== =
:bro:type:`Log::ID`: :bro:type:`enum`
===================================== =
Events
######
=================================================== =====================================================================
:bro:id:`Known::log_known_certs`: :bro:type:`event` Event that can be handled to access the loggable record as it is sent
on to the logging framework.
=================================================== =====================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. bro:id:: Known::cert_store_expiry
:Type: :bro:type:`interval`
:Attributes: :bro:attr:`&redef`
:Default: ``1.0 day``
The expiry interval of new entries in :bro:see:`Known::cert_store`.
This also changes the interval at which certs get logged.
.. bro:id:: Known::cert_store_timeout
:Type: :bro:type:`interval`
:Attributes: :bro:attr:`&redef`
:Default: ``15.0 secs``
The timeout interval to use for operations against
:bro:see:`Known::cert_store`.
.. bro:id:: Known::cert_tracking
:Type: :bro:type:`Host`
:Attributes: :bro:attr:`&redef`
:Default: ``ALL_HOSTS``
The certificates whose existence should be logged and tracked.
Choices are: LOCAL_HOSTS, REMOTE_HOSTS, ALL_HOSTS, NO_HOSTS.
Redefinable Options
###################
.. bro:id:: Known::cert_store_name
:Type: :bro:type:`string`
:Attributes: :bro:attr:`&redef`
:Default: ``"bro/known/certs"``
The Broker topic name to use for :bro:see:`Known::cert_store`.
.. bro:id:: Known::use_cert_store
:Type: :bro:type:`bool`
:Attributes: :bro:attr:`&redef`
:Default: ``T``
Toggles between different implementations of this script.
When true, use a Broker data store, else use a regular Bro set
with keys uniformly distributed over proxy nodes in cluster
operation.
State Variables
###############
.. bro:id:: Known::cert_store
:Type: :bro:type:`Cluster::StoreInfo`
:Default:
::
{
name=<uninitialized>
store=<uninitialized>
master_node=""
master=F
backend=Broker::MEMORY
options=[sqlite=[path=""], rocksdb=[path=""]]
clone_resync_interval=10.0 secs
clone_stale_interval=5.0 mins
clone_mutation_buffer_interval=2.0 mins
}
Holds the set of all known certificates. Keys in the store are of
type :bro:type:`Known::AddrCertHashPair` and their associated value is
always the boolean value of "true".
.. bro:id:: Known::certs
:Type: :bro:type:`set` [:bro:type:`addr`, :bro:type:`string`]
:Attributes: :bro:attr:`&create_expire` = ``1.0 day`` :bro:attr:`&redef`
:Default: ``{}``
The set of all known certificates to store for preventing duplicate
logging. It can also be used from other scripts to
inspect if a certificate has been seen in use. The string value
in the set is for storing the DER formatted certificate' SHA1 hash.
In cluster operation, this set is uniformly distributed across
proxy nodes.
Types
#####
.. bro:type:: Known::AddrCertHashPair
:Type: :bro:type:`record`
host: :bro:type:`addr`
hash: :bro:type:`string`
.. bro:type:: Known::CertsInfo
:Type: :bro:type:`record`
ts: :bro:type:`time` :bro:attr:`&log`
The timestamp when the certificate was detected.
host: :bro:type:`addr` :bro:attr:`&log`
The address that offered the certificate.
port_num: :bro:type:`port` :bro:attr:`&log` :bro:attr:`&optional`
If the certificate was handed out by a server, this is the
port that the server was listening on.
subject: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Certificate subject.
issuer_subject: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Certificate issuer subject.
serial: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Serial number for the certificate.
Events
######
.. bro:id:: Known::log_known_certs
:Type: :bro:type:`event` (rec: :bro:type:`Known::CertsInfo`)
Event that can be handled to access the loggable record as it is sent
on to the logging framework.

25
doc/scripts/policy/protocols/ssl/log-hostcerts-only.bro.rst Normal file
View file

@ -0,0 +1,25 @@
:tocdepth: 3
policy/protocols/ssl/log-hostcerts-only.bro
===========================================
.. bro:namespace:: X509
When this script is loaded, only the host certificates (client and server)
will be logged to x509.log. Logging of all other certificates will be suppressed.
:Namespace: X509
:Imports: :doc:`base/files/x509 </scripts/base/files/x509/index>`, :doc:`base/protocols/ssl </scripts/base/protocols/ssl/index>`
Summary
~~~~~~~
Redefinitions
#############
========================================================== =
:bro:type:`X509::Info`: :bro:type:`record`
:bro:type:`fa_file`: :bro:type:`record` :bro:attr:`&redef`
========================================================== =
Detailed Interface
~~~~~~~~~~~~~~~~~~

60
doc/scripts/policy/protocols/ssl/notary.bro.rst Normal file
View file

@ -0,0 +1,60 @@
:tocdepth: 3
policy/protocols/ssl/notary.bro
===============================
.. bro:namespace:: CertNotary
:Namespace: CertNotary
:Imports: :doc:`base/protocols/ssl </scripts/base/protocols/ssl/index>`
Summary
~~~~~~~
Runtime Options
###############
=================================================================== ===========================
:bro:id:`CertNotary::domain`: :bro:type:`string` :bro:attr:`&redef` The notary domain to query.
=================================================================== ===========================
Types
#####
==================================================== ============================================
:bro:type:`CertNotary::Response`: :bro:type:`record` A response from the ICSI certificate notary.
==================================================== ============================================
Redefinitions
#############
========================================= =
:bro:type:`SSL::Info`: :bro:type:`record`
========================================= =
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. bro:id:: CertNotary::domain
:Type: :bro:type:`string`
:Attributes: :bro:attr:`&redef`
:Default: ``"notary.icsi.berkeley.edu"``
The notary domain to query.
Types
#####
.. bro:type:: CertNotary::Response
:Type: :bro:type:`record`
first_seen: :bro:type:`count` :bro:attr:`&log` :bro:attr:`&optional`
last_seen: :bro:type:`count` :bro:attr:`&log` :bro:attr:`&optional`
times_seen: :bro:type:`count` :bro:attr:`&log` :bro:attr:`&optional`
valid: :bro:type:`bool` :bro:attr:`&log` :bro:attr:`&optional`
A response from the ICSI certificate notary.

99
doc/scripts/policy/protocols/ssl/validate-certs.bro.rst Normal file
View file

@ -0,0 +1,99 @@
:tocdepth: 3
policy/protocols/ssl/validate-certs.bro
=======================================
.. bro:namespace:: SSL
Perform full certificate chain validation for SSL certificates.
:Namespace: SSL
:Imports: :doc:`base/frameworks/cluster </scripts/base/frameworks/cluster/index>`, :doc:`base/frameworks/notice </scripts/base/frameworks/notice/index>`, :doc:`base/protocols/ssl </scripts/base/protocols/ssl/index>`
Summary
~~~~~~~
State Variables
###############
===================================================================================================================== ==================================================================
:bro:id:`SSL::recently_validated_certs`: :bro:type:`table` :bro:attr:`&read_expire` = ``5.0 mins`` :bro:attr:`&redef` Result values for recently validated chains along with the
validation status are kept in this table to avoid constant
validation every time the same certificate chain is seen.
:bro:id:`SSL::ssl_cache_intermediate_ca`: :bro:type:`bool` :bro:attr:`&redef` Use intermediate CA certificate caching when trying to validate
certificates.
:bro:id:`SSL::ssl_store_valid_chain`: :bro:type:`bool` :bro:attr:`&redef` Store the valid chain in c$ssl$valid_chain if validation succeeds.
===================================================================================================================== ==================================================================
Redefinitions
#############
========================================== =
:bro:type:`Notice::Type`: :bro:type:`enum`
:bro:type:`SSL::Info`: :bro:type:`record`
========================================== =
Events
######
================================================== ===============================================================
:bro:id:`SSL::intermediate_add`: :bro:type:`event` Event from a manager to workers when encountering a new, valid
intermediate.
:bro:id:`SSL::new_intermediate`: :bro:type:`event` Event from workers to the manager when a new intermediate chain
is to be added.
================================================== ===============================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
State Variables
###############
.. bro:id:: SSL::recently_validated_certs
:Type: :bro:type:`table` [:bro:type:`string`] of :bro:type:`X509::Result`
:Attributes: :bro:attr:`&read_expire` = ``5.0 mins`` :bro:attr:`&redef`
:Default: ``{}``
Result values for recently validated chains along with the
validation status are kept in this table to avoid constant
validation every time the same certificate chain is seen.
.. bro:id:: SSL::ssl_cache_intermediate_ca
:Type: :bro:type:`bool`
:Attributes: :bro:attr:`&redef`
:Default: ``T``
Use intermediate CA certificate caching when trying to validate
certificates. When this is enabled, Bro keeps track of all valid
intermediate CA certificates that it has seen in the past. When
encountering a host certificate that cannot be validated because
of missing intermediate CA certificate, the cached list is used
to try to validate the cert. This is similar to how Firefox is
doing certificate validation.
Disabling this will usually greatly increase the number of validation warnings
that you encounter. Only disable if you want to find misconfigured servers.
.. bro:id:: SSL::ssl_store_valid_chain
:Type: :bro:type:`bool`
:Attributes: :bro:attr:`&redef`
:Default: ``T``
Store the valid chain in c$ssl$valid_chain if validation succeeds.
This has a potentially high memory impact, depending on the local environment
and is thus disabled by default.
Events
######
.. bro:id:: SSL::intermediate_add
:Type: :bro:type:`event` (key: :bro:type:`string`, value: :bro:type:`vector` of :bro:type:`opaque` of x509)
Event from a manager to workers when encountering a new, valid
intermediate.
.. bro:id:: SSL::new_intermediate
:Type: :bro:type:`event` (key: :bro:type:`string`, value: :bro:type:`vector` of :bro:type:`opaque` of x509)
Event from workers to the manager when a new intermediate chain
is to be added.

24
doc/scripts/policy/protocols/ssl/validate-ocsp.bro.rst Normal file
View file

@ -0,0 +1,24 @@
:tocdepth: 3
policy/protocols/ssl/validate-ocsp.bro
======================================
.. bro:namespace:: SSL
Perform validation of stapled OCSP responses.
:Namespace: SSL
:Imports: :doc:`base/frameworks/notice </scripts/base/frameworks/notice/index>`, :doc:`base/protocols/ssl </scripts/base/protocols/ssl/index>`
Summary
~~~~~~~
Redefinitions
#############
========================================== =
:bro:type:`Notice::Type`: :bro:type:`enum`
:bro:type:`SSL::Info`: :bro:type:`record`
========================================== =
Detailed Interface
~~~~~~~~~~~~~~~~~~

90
doc/scripts/policy/protocols/ssl/validate-sct.bro.rst Normal file
View file

@ -0,0 +1,90 @@
:tocdepth: 3
policy/protocols/ssl/validate-sct.bro
=====================================
.. bro:namespace:: SSL
Perform validation of Signed Certificate Timestamps, as used
for Certificate Transparency. See RFC6962 for more details.
:Namespace: SSL
:Imports: :doc:`base/protocols/ssl </scripts/base/protocols/ssl/index>`, :doc:`policy/protocols/ssl/validate-certs.bro </scripts/policy/protocols/ssl/validate-certs.bro>`
Summary
~~~~~~~
Types
#####
============================================ ================================================================
:bro:type:`SSL::SctInfo`: :bro:type:`record` This record is used to store information about the SCTs that are
encountered in a SSL connection.
:bro:type:`SSL::SctSource`: :bro:type:`enum` List of the different sources for Signed Certificate Timestamp
============================================ ================================================================
Redefinitions
#############
========================================================================= =
:bro:type:`SSL::Info`: :bro:type:`record`
:bro:id:`SSL::ssl_store_valid_chain`: :bro:type:`bool` :bro:attr:`&redef`
========================================================================= =
Detailed Interface
~~~~~~~~~~~~~~~~~~
Types
#####
.. bro:type:: SSL::SctInfo
:Type: :bro:type:`record`
version: :bro:type:`count`
The version of the encountered SCT (should always be 0 for v1).
logid: :bro:type:`string`
The ID of the log issuing this SCT.
timestamp: :bro:type:`count`
The timestamp at which this SCT was issued measured since the
epoch (January 1, 1970, 00:00), ignoring leap seconds, in
milliseconds. Not converted to a Bro timestamp because we need
the exact value for validation.
sig_alg: :bro:type:`count`
The signature algorithm used for this sct.
hash_alg: :bro:type:`count`
The hash algorithm used for this sct.
signature: :bro:type:`string`
The signature of this SCT.
source: :bro:type:`SSL::SctSource`
Source of this SCT.
valid: :bro:type:`bool` :bro:attr:`&optional`
Validation result of this SCT.
This record is used to store information about the SCTs that are
encountered in a SSL connection.
.. bro:type:: SSL::SctSource
:Type: :bro:type:`enum`
.. bro:enum:: SSL::SCT_X509_EXT SSL::SctSource
Signed Certificate Timestamp was encountered in the extension of
an X.509 certificate.
.. bro:enum:: SSL::SCT_TLS_EXT SSL::SctSource
Signed Certificate Timestamp was encountered in an TLS session
extension.
.. bro:enum:: SSL::SCT_OCSP_EXT SSL::SctSource
Signed Certificate Timestamp was encountered in the extension of
an stapled OCSP reply.
List of the different sources for Signed Certificate Timestamp

94
doc/scripts/policy/protocols/ssl/weak-keys.bro.rst Normal file
View file

@ -0,0 +1,94 @@
:tocdepth: 3
policy/protocols/ssl/weak-keys.bro
==================================
.. bro:namespace:: SSL
Generate notices when SSL/TLS connections use certificates, DH parameters,
or cipher suites that are deemed to be insecure.
:Namespace: SSL
:Imports: :doc:`base/frameworks/notice </scripts/base/frameworks/notice/index>`, :doc:`base/protocols/ssl </scripts/base/protocols/ssl/index>`, :doc:`base/utils/directions-and-hosts.bro </scripts/base/utils/directions-and-hosts.bro>`
Summary
~~~~~~~
Runtime Options
###############
======================================================================================== ==============================================================================
:bro:id:`SSL::notify_dh_length_shorter_cert_length`: :bro:type:`bool` :bro:attr:`&redef` Warn if the DH key length is smaller than the certificate key length.
:bro:id:`SSL::notify_minimal_key_length`: :bro:type:`count` :bro:attr:`&redef` The minimal key length in bits that is considered to be safe.
:bro:id:`SSL::notify_weak_keys`: :bro:type:`Host` :bro:attr:`&redef` The category of hosts you would like to be notified about which are using weak
keys/ciphers/protocol_versions.
:bro:id:`SSL::tls_minimum_version`: :bro:type:`count` :bro:attr:`&redef` Warn if a server negotiates a SSL session with a protocol version smaller than
the specified version.
:bro:id:`SSL::unsafe_ciphers_regex`: :bro:type:`pattern` :bro:attr:`&redef` Warn if a server negotiates an unsafe cipher suite.
======================================================================================== ==============================================================================
Redefinitions
#############
========================================== =
:bro:type:`Notice::Type`: :bro:type:`enum`
========================================== =
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. bro:id:: SSL::notify_dh_length_shorter_cert_length
:Type: :bro:type:`bool`
:Attributes: :bro:attr:`&redef`
:Default: ``T``
Warn if the DH key length is smaller than the certificate key length. This is
potentially unsafe because it gives a wrong impression of safety due to the
certificate key length. However, it is very common and cannot be avoided in some
settings (e.g. with old jave clients).
.. bro:id:: SSL::notify_minimal_key_length
:Type: :bro:type:`count`
:Attributes: :bro:attr:`&redef`
:Default: ``2048``
The minimal key length in bits that is considered to be safe. Any shorter
(non-EC) key lengths will trigger a notice.
.. bro:id:: SSL::notify_weak_keys
:Type: :bro:type:`Host`
:Attributes: :bro:attr:`&redef`
:Default: ``LOCAL_HOSTS``
The category of hosts you would like to be notified about which are using weak
keys/ciphers/protocol_versions. By default, these notices will be suppressed
by the notice framework for 1 day after a particular host has had a notice
generated. Choices are: LOCAL_HOSTS, REMOTE_HOSTS, ALL_HOSTS, NO_HOSTS
.. bro:id:: SSL::tls_minimum_version
:Type: :bro:type:`count`
:Attributes: :bro:attr:`&redef`
:Default: ``769``
Warn if a server negotiates a SSL session with a protocol version smaller than
the specified version. By default, the minimal version is TLSv10 because SSLv2
and v3 have serious security issued.
See https://tools.ietf.org/html/draft-thomson-sslv3-diediedie-00
To disable, set to SSLv20
.. bro:id:: SSL::unsafe_ciphers_regex
:Type: :bro:type:`pattern`
:Attributes: :bro:attr:`&redef`
:Default:
::
/^?((_EXPORT_)|(_RC4_))$?/
Warn if a server negotiates an unsafe cipher suite. By default, we only warn when
encountering old export cipher suites, or RC4 (see RFC7465).