GH-234: rename Broxygen to Zeexygen along with roles/directives

* All "Broxygen" usages have been replaced in
  code, documentation, filenames, etc.

* Sphinx roles/directives like ":bro:see" are now ":zeek:see"

* The "--broxygen" command-line option is now "--zeexygen"
Jon Siwek 2019-04-22 19:42:52 -07:00
parent 5ba46eaa71
commit aebcb1415d
254 changed files with 2675 additions and 2656 deletions

11
CHANGES

@ -1,4 +1,15 @@
2.6-243 | 2019-04-22 19:42:52 -0700
* GH-234: rename Broxygen to Zeexygen along with roles/directives (Jon Siwek, Corelight)
* All "Broxygen" usages have been replaced in
code, documentation, filenames, etc.
* Sphinx roles/directives like ":bro:see" are now ":zeek:see"
* The "--broxygen" command-line option is now "--zeexygen"
2.6-242 | 2019-04-22 22:43:09 +0200
* update SSL consts from TLS 1.3 (Johanna Amann)

8
NEWS

@ -175,6 +175,14 @@ Changed Functionality
the end of a connection (in a FIN or RST) are considered unreliable
and aren't counted as true gaps.
- The Broxygen component, which is used to generate our Doxygen-like
scripting API documentation has been renamed to Zeexygen. This likely has
no breaking or visible changes for most users, except in the case one
used it to generate their own documentation via the ``--broxygen`` flag,
which is now named ``--zeexygen``. Besides that, the various documentation
in scripts has also been updated to replace Sphinx cross-referencing roles
and directives like ":bro:see:" with ":zeek:zee:".
Removed Functionality
---------------------
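Review bot: The last sentence of the new Zeexygen entry gives the replacement role as ":zeek:zee:", which looks like a typo for ":zeek:see:"; the commit message and the CHANGES entry both say ":bro:see" becomes ":zeek:see". Anyone updating their own script documentation from this entry would end up with a role name that, as far as this page shows, does not exist. I would change the line to `and directives like ":bro:see:" with ":zeek:see:".`. It may also be worth one clause here noting that the `BRO_DISABLE_BROXYGEN` environment variable keeps its old name, since the man page change in this commit leaves it as is.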


@ -1 +1 @@
2.6-242
2.6-243

2
doc

@ -1 +1 @@
Subproject commit 38f6edaf273401eef51cf754010f144be6398066
Subproject commit dc37959938b9a70a642e7be48693d5c5fd3d5e80


@ -99,7 +99,7 @@ Record process status in file
\fB\-W\fR,\ \-\-watchdog
activate watchdog timer
.TP
\fB\-X\fR,\ \-\-broxygen <cfgfile>
\fB\-X\fR,\ \-\-zeexygen <cfgfile>
generate documentation based on config file
.TP
\fB\-\-pseudo\-realtime[=\fR<speedup>]
@ -150,7 +150,7 @@ ASCII log file extension
Output file for script execution statistics
.TP
.B BRO_DISABLE_BROXYGEN
Disable Broxygen documentation support
Disable Zeexygen (Broxygen) documentation support
.SH AUTHOR
.B bro
was written by The Bro Project <info@bro.org>.


@ -29,12 +29,12 @@ export {
## to know where to write the file to. If not specified, then
## a filename in the format "extract-<source>-<id>" is
## automatically assigned (using the *source* and *id*
## fields of :bro:see:`fa_file`).
## fields of :zeek:see:`fa_file`).
extract_filename: string &optional;
## The maximum allowed file size in bytes of *extract_filename*.
## Once reached, a :bro:see:`file_extraction_limit` event is
## Once reached, a :zeek:see:`file_extraction_limit` event is
## raised and the analyzer will be removed unless
## :bro:see:`FileExtract::set_limit` is called to increase the
## :zeek:see:`FileExtract::set_limit` is called to increase the
## limit. A value of zero means "no limit".
extract_limit: count &default=default_limit;
};


@ -5,7 +5,7 @@
##! particular analyzer for new connections.
##!
##! Protocol analyzers are identified by unique tags of type
##! :bro:type:`Analyzer::Tag`, such as :bro:enum:`Analyzer::ANALYZER_HTTP`.
##! :zeek:type:`Analyzer::Tag`, such as :zeek:enum:`Analyzer::ANALYZER_HTTP`.
##! These tags are defined internally by
##! the analyzers themselves, and documented in their analyzer-specific
##! description along with the events that they generate.
@ -17,7 +17,7 @@ module Analyzer;
export {
## If true, all available analyzers are initially disabled at startup.
## One can then selectively enable them with
## :bro:id:`Analyzer::enable_analyzer`.
## :zeek:id:`Analyzer::enable_analyzer`.
global disable_all = F &redef;
## Enables an analyzer. Once enabled, the analyzer may be used for analysis
@ -109,7 +109,7 @@ export {
## Automatically creates a BPF filter for the specified protocol based
## on the data supplied for the protocol through the
## :bro:see:`Analyzer::register_for_ports` function.
## :zeek:see:`Analyzer::register_for_ports` function.
##
## tag: The analyzer tag.
##


@ -10,19 +10,19 @@ export {
## Default interval to retry listening on a port if it's currently in
## use already. Use of the BRO_DEFAULT_LISTEN_RETRY environment variable
## (set as a number of seconds) will override this option and also
## any values given to :bro:see:`Broker::listen`.
## any values given to :zeek:see:`Broker::listen`.
const default_listen_retry = 30sec &redef;
## Default address on which to listen.
##
## .. bro:see:: Broker::listen
## .. zeek:see:: Broker::listen
const default_listen_address = getenv("BRO_DEFAULT_LISTEN_ADDRESS") &redef;
## Default interval to retry connecting to a peer if it cannot be made to
## work initially, or if it ever becomes disconnected. Use of the
## BRO_DEFAULT_CONNECT_RETRY environment variable (set as number of
## seconds) will override this option and also any values given to
## :bro:see:`Broker::peer`.
## :zeek:see:`Broker::peer`.
const default_connect_retry = 30sec &redef;
## If true, do not use SSL for network connections. By default, SSL will
@ -47,7 +47,7 @@ export {
const ssl_certificate = "" &redef;
## Passphrase to decrypt the private key specified by
## :bro:see:`Broker::ssl_keyfile`. If set, Bro will require valid
## :zeek:see:`Broker::ssl_keyfile`. If set, Bro will require valid
## certificates for all peers.
const ssl_passphrase = "" &redef;
@ -96,7 +96,7 @@ export {
## Forward all received messages to subscribing peers.
const forward_messages = F &redef;
## Whether calling :bro:see:`Broker::peer` will register the Broker
## Whether calling :zeek:see:`Broker::peer` will register the Broker
## system as an I/O source that will block the process from shutting
## down. For example, set this to false when you are reading pcaps,
## but also want to initaiate a Broker peering and still shutdown after
@ -107,7 +107,7 @@ export {
## id is appended when writing to a particular stream.
const default_log_topic_prefix = "bro/logs/" &redef;
## The default implementation for :bro:see:`Broker::log_topic`.
## The default implementation for :zeek:see:`Broker::log_topic`.
function default_log_topic(id: Log::ID, path: string): string
{
return default_log_topic_prefix + cat(id);
@ -116,7 +116,7 @@ export {
## A function that will be called for each log entry to determine what
## broker topic string will be used for sending it to peers. The
## default implementation will return a value based on
## :bro:see:`Broker::default_log_topic_prefix`.
## :zeek:see:`Broker::default_log_topic_prefix`.
##
## id: the ID associated with the log stream entry that will be sent.
##
@ -232,7 +232,7 @@ export {
##
## Returns: the bound port or 0/? on failure.
##
## .. bro:see:: Broker::status
## .. zeek:see:: Broker::status
global listen: function(a: string &default = default_listen_address,
p: port &default = default_port,
retry: interval &default = default_listen_retry): port;
@ -252,7 +252,7 @@ export {
## it's a new peer. The actual connection may not be established
## until a later point in time.
##
## .. bro:see:: Broker::status
## .. zeek:see:: Broker::status
global peer: function(a: string, p: port &default=default_port,
retry: interval &default=default_connect_retry): bool;
@ -262,12 +262,12 @@ export {
## just means that we won't exchange any further information with it
## unless peering resumes later.
##
## a: the address used in previous successful call to :bro:see:`Broker::peer`.
## a: the address used in previous successful call to :zeek:see:`Broker::peer`.
##
## p: the port used in previous successful call to :bro:see:`Broker::peer`.
## p: the port used in previous successful call to :zeek:see:`Broker::peer`.
##
## Returns: true if the arguments match a previously successful call to
## :bro:see:`Broker::peer`.
## :zeek:see:`Broker::peer`.
##
## TODO: We do not have a function yet to terminate a connection.
global unpeer: function(a: string, p: port): bool;
@ -298,7 +298,7 @@ export {
## Register interest in all peer event messages that use a certain topic
## prefix. Note that subscriptions may not be altered immediately after
## calling (except during :bro:see:`zeek_init`).
## calling (except during :zeek:see:`zeek_init`).
##
## topic_prefix: a prefix to match against remote message topics.
## e.g. an empty prefix matches everything and "a" matches
@ -309,10 +309,10 @@ export {
## Unregister interest in all peer event messages that use a topic prefix.
## Note that subscriptions may not be altered immediately after calling
## (except during :bro:see:`zeek_init`).
## (except during :zeek:see:`zeek_init`).
##
## topic_prefix: a prefix previously supplied to a successful call to
## :bro:see:`Broker::subscribe` or :bro:see:`Broker::forward`.
## :zeek:see:`Broker::subscribe` or :zeek:see:`Broker::forward`.
##
## Returns: true if interest in the topic prefix is no longer advertised.
global unsubscribe: function(topic_prefix: string): bool;
@ -320,8 +320,8 @@ export {
## Register a topic prefix subscription for events that should only be
## forwarded to any subscribing peers and not raise any event handlers
## on the receiving/forwarding node. i.e. it's the same as
## :bro:see:`Broker::subscribe` except matching events are not raised
## on the receiver, just forwarded. Use :bro:see:`Broker::unsubscribe`
## :zeek:see:`Broker::subscribe` except matching events are not raised
## on the receiver, just forwarded. Use :zeek:see:`Broker::unsubscribe`
## with the same argument to undo this operation.
##
## topic_prefix: a prefix to match against remote message topics.
@ -346,9 +346,9 @@ export {
## Stop automatically sending an event to peers upon local dispatch.
##
## topic: a topic originally given to :bro:see:`Broker::auto_publish`.
## topic: a topic originally given to :zeek:see:`Broker::auto_publish`.
##
## ev: an event originally given to :bro:see:`Broker::auto_publish`.
## ev: an event originally given to :zeek:see:`Broker::auto_publish`.
##
## Returns: true if automatic events will not occur for the topic/event
## pair.


@ -353,7 +353,7 @@ export {
##
## Returns: a set with the keys. If you expect the keys to be of
## non-uniform type, consider using
## :bro:see:`Broker::set_iterator` to iterate over the result.
## :zeek:see:`Broker::set_iterator` to iterate over the result.
global keys: function(h: opaque of Broker::Store): QueryResult;
## Deletes all of a store's content, it will be empty afterwards.


@ -17,7 +17,7 @@ redef Broker::log_topic = Cluster::rr_log_topic;
# If this script isn't found anywhere, the cluster bombs out.
# Loading the cluster framework requires that a script by this name exists
# somewhere in the BROPATH. The only thing in the file should be the
# cluster definition in the :bro:id:`Cluster::nodes` variable.
# cluster definition in the :zeek:id:`Cluster::nodes` variable.
@load cluster-layout
@if ( Cluster::node in Cluster::nodes )


@ -1,8 +1,8 @@
##! A framework for establishing and controlling a cluster of Bro instances.
##! In order to use the cluster framework, a script named
##! ``cluster-layout.zeek`` must exist somewhere in Bro's script search path
##! which has a cluster definition of the :bro:id:`Cluster::nodes` variable.
##! The ``CLUSTER_NODE`` environment variable or :bro:id:`Cluster::node`
##! which has a cluster definition of the :zeek:id:`Cluster::nodes` variable.
##! The ``CLUSTER_NODE`` environment variable or :zeek:id:`Cluster::node`
##! must also be sent and the cluster framework loaded as a package like
##! ``@load base/frameworks/cluster``.
@ -44,23 +44,23 @@ export {
const nodeid_topic_prefix = "bro/cluster/nodeid/" &redef;
## Name of the node on which master data stores will be created if no other
## has already been specified by the user in :bro:see:`Cluster::stores`.
## has already been specified by the user in :zeek:see:`Cluster::stores`.
## An empty value means "use whatever name corresponds to the manager
## node".
const default_master_node = "" &redef;
## The type of data store backend that will be used for all data stores if
## no other has already been specified by the user in :bro:see:`Cluster::stores`.
## no other has already been specified by the user in :zeek:see:`Cluster::stores`.
const default_backend = Broker::MEMORY &redef;
## The type of persistent data store backend that will be used for all data
## stores if no other has already been specified by the user in
## :bro:see:`Cluster::stores`. This will be used when script authors call
## :bro:see:`Cluster::create_store` with the *persistent* argument set true.
## :zeek:see:`Cluster::stores`. This will be used when script authors call
## :zeek:see:`Cluster::create_store` with the *persistent* argument set true.
const default_persistent_backend = Broker::SQLITE &redef;
## Setting a default dir will, for persistent backends that have not
## been given an explicit file path via :bro:see:`Cluster::stores`,
## been given an explicit file path via :zeek:see:`Cluster::stores`,
## automatically create a path within this dir that is based on the name of
## the data store.
const default_store_dir = "" &redef;
@ -81,21 +81,21 @@ export {
## Parameters used for configuring the backend.
options: Broker::BackendOptions &default=Broker::BackendOptions();
## A resync/reconnect interval to pass through to
## :bro:see:`Broker::create_clone`.
## :zeek:see:`Broker::create_clone`.
clone_resync_interval: interval &default=Broker::default_clone_resync_interval;
## A staleness duration to pass through to
## :bro:see:`Broker::create_clone`.
## :zeek:see:`Broker::create_clone`.
clone_stale_interval: interval &default=Broker::default_clone_stale_interval;
## A mutation buffer interval to pass through to
## :bro:see:`Broker::create_clone`.
## :zeek:see:`Broker::create_clone`.
clone_mutation_buffer_interval: interval &default=Broker::default_clone_mutation_buffer_interval;
};
## A table of cluster-enabled data stores that have been created, indexed
## by their name. This table will be populated automatically by
## :bro:see:`Cluster::create_store`, but if you need to customize
## :zeek:see:`Cluster::create_store`, but if you need to customize
## the options related to a particular data store, you may redef this
## table. Calls to :bro:see:`Cluster::create_store` will first check
## table. Calls to :zeek:see:`Cluster::create_store` will first check
## the table for an entry of the same name and, if found, will use the
## predefined options there when setting up the store.
global stores: table[string] of StoreInfo &default=StoreInfo() &redef;
@ -174,15 +174,15 @@ export {
## This function can be called at any time to determine if the cluster
## framework is being enabled for this run.
##
## Returns: True if :bro:id:`Cluster::node` has been set.
## Returns: True if :zeek:id:`Cluster::node` has been set.
global is_enabled: function(): bool;
## This function can be called at any time to determine what type of
## cluster node the current Bro instance is going to be acting as.
## If :bro:id:`Cluster::is_enabled` returns false, then
## :bro:enum:`Cluster::NONE` is returned.
## If :zeek:id:`Cluster::is_enabled` returns false, then
## :zeek:enum:`Cluster::NONE` is returned.
##
## Returns: The :bro:type:`Cluster::NodeType` the calling node acts as.
## Returns: The :zeek:type:`Cluster::NodeType` the calling node acts as.
global local_node_type: function(): NodeType;
## This gives the value for the number of workers currently connected to,
@ -241,8 +241,8 @@ export {
## Retrieve the topic associated with a specific node in the cluster.
##
## id: the id of the cluster node (from :bro:see:`Broker::EndpointInfo`
## or :bro:see:`Broker::node_id`.
## id: the id of the cluster node (from :zeek:see:`Broker::EndpointInfo`
## or :zeek:see:`Broker::node_id`.
##
## Returns: a topic string that may used to send a message exclusively to
## a given cluster node.


@ -58,17 +58,17 @@ export {
alive_count: count &default = 0;
};
## The specification for :bro:see:`Cluster::proxy_pool`.
## The specification for :zeek:see:`Cluster::proxy_pool`.
global proxy_pool_spec: PoolSpec =
PoolSpec($topic = "bro/cluster/pool/proxy",
$node_type = Cluster::PROXY) &redef;
## The specification for :bro:see:`Cluster::worker_pool`.
## The specification for :zeek:see:`Cluster::worker_pool`.
global worker_pool_spec: PoolSpec =
PoolSpec($topic = "bro/cluster/pool/worker",
$node_type = Cluster::WORKER) &redef;
## The specification for :bro:see:`Cluster::logger_pool`.
## The specification for :zeek:see:`Cluster::logger_pool`.
global logger_pool_spec: PoolSpec =
PoolSpec($topic = "bro/cluster/pool/logger",
$node_type = Cluster::LOGGER) &redef;
@ -120,10 +120,10 @@ export {
global rr_topic: function(pool: Pool, key: string &default=""): string;
## Distributes log message topics among logger nodes via round-robin.
## This will be automatically assigned to :bro:see:`Broker::log_topic`
## if :bro:see:`Cluster::enable_round_robin_logging` is enabled.
## This will be automatically assigned to :zeek:see:`Broker::log_topic`
## if :zeek:see:`Cluster::enable_round_robin_logging` is enabled.
## If no logger nodes are active, then this will return the value
## of :bro:see:`Broker::default_log_topic`.
## of :zeek:see:`Broker::default_log_topic`.
global rr_log_topic: function(id: Log::ID, path: string): string;
}
@ -136,7 +136,7 @@ export {
## Returns: F if a node of the same name already exists in the pool, else T.
global init_pool_node: function(pool: Pool, name: string): bool;
## Mark a pool node as alive/online/available. :bro:see:`Cluster::hrw_topic`
## Mark a pool node as alive/online/available. :zeek:see:`Cluster::hrw_topic`
## will distribute keys to nodes marked as alive.
##
## pool: the pool to which the node belongs.
@ -146,7 +146,7 @@ global init_pool_node: function(pool: Pool, name: string): bool;
## Returns: F if the node does not exist in the pool, else T.
global mark_pool_node_alive: function(pool: Pool, name: string): bool;
## Mark a pool node as dead/offline/unavailable. :bro:see:`Cluster::hrw_topic`
## Mark a pool node as dead/offline/unavailable. :zeek:see:`Cluster::hrw_topic`
## will not distribute keys to nodes marked as dead.
##
## pool: the pool to which the node belongs.


@ -1,5 +1,5 @@
##! This script establishes communication among all nodes in a cluster
##! as defined by :bro:id:`Cluster::nodes`.
##! as defined by :zeek:id:`Cluster::nodes`.
@load ./main
@load ./pools


@ -24,14 +24,14 @@ export {
location: string &optional &log;
};
## Event that can be handled to access the :bro:type:`Config::Info`
## Event that can be handled to access the :zeek:type:`Config::Info`
## record as it is sent on to the logging framework.
global log_config: event(rec: Info);
## This function is the config framework layer around the lower-level
## :bro:see:`Option::set` call. Config::set_value will set the configuration
## :zeek:see:`Option::set` call. Config::set_value will set the configuration
## value for all nodes in the cluster, no matter where it was called. Note
## that :bro:see:`Option::set` does not distribute configuration changes
## that :zeek:see:`Option::set` does not distribute configuration changes
## to other nodes.
##
## ID: The ID of the option to update.


@ -8,7 +8,7 @@ export {
## The topic prefix used for exchanging control messages via Broker.
const topic_prefix = "bro/control";
## Whether the controllee should call :bro:see:`Broker::listen`.
## Whether the controllee should call :zeek:see:`Broker::listen`.
## In a cluster, this isn't needed since the setup process calls it.
const controllee_listen = T &redef;
@ -18,7 +18,7 @@ export {
## The port of the host that will be controlled.
const host_port = 0/tcp &redef;
## If :bro:id:`Control::host` is a non-global IPv6 address and
## If :zeek:id:`Control::host` is a non-global IPv6 address and
## requires a specific :rfc:`4007` ``zone_id``, it can be set here.
const zone_id = "" &redef;
@ -45,7 +45,7 @@ export {
## Event for requesting the value of an ID (a variable).
global id_value_request: event(id: string);
## Event for returning the value of an ID after an
## :bro:id:`Control::id_value_request` event.
## :zeek:id:`Control::id_value_request` event.
global id_value_response: event(id: string, val: string);
## Requests the current communication status.
@ -62,7 +62,7 @@ export {
## updated.
global configuration_update_request: event();
## This event is a wrapper and alias for the
## :bro:id:`Control::configuration_update_request` event.
## :zeek:id:`Control::configuration_update_request` event.
## This event is also a primary hooking point for the control framework.
global configuration_update: event();
## Message in response to a configuration update request.


@ -18,19 +18,19 @@ export {
type AnalyzerArgs: record {
## An event which will be generated for all new file contents,
## chunk-wise. Used when *tag* (in the
## :bro:see:`Files::add_analyzer` function) is
## :bro:see:`Files::ANALYZER_DATA_EVENT`.
## :zeek:see:`Files::add_analyzer` function) is
## :zeek:see:`Files::ANALYZER_DATA_EVENT`.
chunk_event: event(f: fa_file, data: string, off: count) &optional;
## An event which will be generated for all new file contents,
## stream-wise. Used when *tag* is
## :bro:see:`Files::ANALYZER_DATA_EVENT`.
## :zeek:see:`Files::ANALYZER_DATA_EVENT`.
stream_event: event(f: fa_file, data: string) &optional;
} &redef;
## Contains all metadata related to the analysis of a given file.
## For the most part, fields here are derived from ones of the same name
## in :bro:see:`fa_file`.
## in :zeek:see:`fa_file`.
type Info: record {
## The time when the file was first seen.
ts: time &log;
@ -66,7 +66,7 @@ export {
analyzers: set[string] &default=string_set() &log;
## A mime type provided by the strongest file magic signature
## match against the *bof_buffer* field of :bro:see:`fa_file`,
## match against the *bof_buffer* field of :zeek:see:`fa_file`,
## or in the cases where no buffering of the beginning of file
## occurs, an initial guess of the mime type based on the first
## data seen.
@ -82,7 +82,7 @@ export {
## If the source of this file is a network connection, this field
## indicates if the data originated from the local network or not as
## determined by the configured :bro:see:`Site::local_nets`.
## determined by the configured :zeek:see:`Site::local_nets`.
local_orig: bool &log &optional;
## If the source of this file is a network connection, this field
@ -118,8 +118,8 @@ export {
const disable: table[Files::Tag] of bool = table() &redef;
## The salt concatenated to unique file handle strings generated by
## :bro:see:`get_file_handle` before hashing them in to a file id
## (the *id* field of :bro:see:`fa_file`).
## :zeek:see:`get_file_handle` before hashing them in to a file id
## (the *id* field of :zeek:see:`fa_file`).
## Provided to help mitigate the possibility of manipulating parts of
## network connections that factor in to the file handle in order to
## generate two handles that would hash to the same file id.
@ -142,11 +142,11 @@ export {
## Returns: T if the file uid is known.
global file_exists: function(fuid: string): bool;
## Lookup an :bro:see:`fa_file` record with the file id.
## Lookup an :zeek:see:`fa_file` record with the file id.
##
## fuid: the file id.
##
## Returns: the associated :bro:see:`fa_file` record.
## Returns: the associated :zeek:see:`fa_file` record.
global lookup_file: function(fuid: string): fa_file;
## Allows the file reassembler to be used if it's necessary because the
@ -169,10 +169,10 @@ export {
## max: Maximum allowed size of the reassembly buffer.
global set_reassembly_buffer_size: function(f: fa_file, max: count);
## Sets the *timeout_interval* field of :bro:see:`fa_file`, which is
## Sets the *timeout_interval* field of :zeek:see:`fa_file`, which is
## used to determine the length of inactivity that is allowed for a file
## before internal state related to it is cleaned up. When used within
## a :bro:see:`file_timeout` handler, the analysis will delay timing out
## a :zeek:see:`file_timeout` handler, the analysis will delay timing out
## again for the period specified by *t*.
##
## f: the file.
@ -255,7 +255,7 @@ export {
##
## tag: Tag for the protocol analyzer having a callback being registered.
##
## reg: A :bro:see:`Files::ProtoRegistration` record.
## reg: A :zeek:see:`Files::ProtoRegistration` record.
##
## Returns: true if the protocol being registered was not previously registered.
global register_protocol: function(tag: Analyzer::Tag, reg: ProtoRegistration): bool;


@ -193,7 +193,7 @@ export {
## Descriptive name that uniquely identifies the input source.
## Can be used to remove a stream at a later time.
## This will also be used for the unique *source* field of
## :bro:see:`fa_file`. Most of the time, the best choice for this
## :zeek:see:`fa_file`. Most of the time, the best choice for this
## field will be the same value as the *source* field.
name: string;


@ -35,7 +35,7 @@ export {
## Set of intelligence data types.
type TypeSet: set[Type];
## Data about an :bro:type:`Intel::Item`.
## Data about an :zeek:type:`Intel::Item`.
type MetaData: record {
## An arbitrary string value representing the data source. This
## value is used as unique key to identify a metadata record in
@ -75,7 +75,7 @@ export {
## The type of data that the indicator represents.
indicator_type: Type &log &optional;
## If the indicator type was :bro:enum:`Intel::ADDR`, then this
## If the indicator type was :zeek:enum:`Intel::ADDR`, then this
## field will be present.
host: addr &optional;
@ -155,7 +155,7 @@ export {
global extend_match: hook(info: Info, s: Seen, items: set[Item]);
## The expiration timeout for intelligence items. Once an item expires, the
## :bro:id:`Intel::item_expired` hook is called. Reinsertion of an item
## :zeek:id:`Intel::item_expired` hook is called. Reinsertion of an item
## resets the timeout. A negative value disables expiration of intelligence
## items.
const item_expiration = -1 min &redef;


@ -176,7 +176,7 @@ export {
## easy to flood the disk by returning a new string for each
## connection. Upon adding a filter to a stream, if neither
## ``path`` nor ``path_func`` is explicitly set by them, then
## :bro:see:`Log::default_path_func` is used.
## :zeek:see:`Log::default_path_func` is used.
##
## id: The ID associated with the log stream.
##
@ -191,7 +191,7 @@ export {
##
## Returns: The path to be used for the filter, which will be
## subject to the same automatic correction rules as
## the *path* field of :bro:type:`Log::Filter` in the
## the *path* field of :zeek:type:`Log::Filter` in the
## case of conflicts with other filters trying to use
## the same writer/path pair.
path_func: function(id: ID, path: string, rec: any): string &optional;
@ -232,7 +232,7 @@ export {
interv: interval &default=default_rotation_interval;
## Callback function to trigger for rotated files. If not set, the
## default comes out of :bro:id:`Log::default_rotation_postprocessors`.
## default comes out of :zeek:id:`Log::default_rotation_postprocessors`.
postprocessor: function(info: RotationInfo) : bool &optional;
## A key/value table that will be passed on to the writer.
@ -253,7 +253,7 @@ export {
## Returns: True if a new logging stream was successfully created and
## a default filter added to it.
##
## .. bro:see:: Log::add_default_filter Log::remove_default_filter
## .. zeek:see:: Log::add_default_filter Log::remove_default_filter
global create_stream: function(id: ID, stream: Stream) : bool;
## Removes a logging stream completely, stopping all the threads.
@ -262,7 +262,7 @@ export {
##
## Returns: True if the stream was successfully removed.
##
## .. bro:see:: Log::create_stream
## .. zeek:see:: Log::create_stream
global remove_stream: function(id: ID) : bool;
## Enables a previously disabled logging stream. Disabled streams
@ -273,7 +273,7 @@ export {
##
## Returns: True if the stream is re-enabled or was not previously disabled.
##
## .. bro:see:: Log::disable_stream
## .. zeek:see:: Log::disable_stream
global enable_stream: function(id: ID) : bool;
## Disables a currently enabled logging stream. Disabled streams
@ -284,7 +284,7 @@ export {
##
## Returns: True if the stream is now disabled or was already disabled.
##
## .. bro:see:: Log::enable_stream
## .. zeek:see:: Log::enable_stream
global disable_stream: function(id: ID) : bool;
## Adds a custom filter to an existing logging stream. If a filter
@ -299,7 +299,7 @@ export {
## the filter was not added or the *filter* argument was not
## the correct type.
##
## .. bro:see:: Log::remove_filter Log::add_default_filter
## .. zeek:see:: Log::remove_filter Log::add_default_filter
## Log::remove_default_filter Log::get_filter Log::get_filter_names
global add_filter: function(id: ID, filter: Filter) : bool;
@ -309,12 +309,12 @@ export {
## remove a filter.
##
## name: A string to match against the ``name`` field of a
## :bro:type:`Log::Filter` for identification purposes.
## :zeek:type:`Log::Filter` for identification purposes.
##
## Returns: True if the logging stream's filter was removed or
## if no filter associated with *name* was found.
##
## .. bro:see:: Log::remove_filter Log::add_default_filter
## .. zeek:see:: Log::remove_filter Log::add_default_filter
## Log::remove_default_filter Log::get_filter Log::get_filter_names
global remove_filter: function(id: ID, name: string) : bool;
@ -326,7 +326,7 @@ export {
##
## Returns: The set of filter names associated with the stream.
##
## ..bro:see:: Log::remove_filter Log::add_default_filter
## ..zeek:see:: Log::remove_filter Log::add_default_filter
## Log::remove_default_filter Log::get_filter
global get_filter_names: function(id: ID) : set[string];
@ -336,13 +336,13 @@ export {
## obtain one of its filters.
##
## name: A string to match against the ``name`` field of a
## :bro:type:`Log::Filter` for identification purposes.
## :zeek:type:`Log::Filter` for identification purposes.
##
## Returns: A filter attached to the logging stream *id* matching
## *name* or, if no matches are found returns the
## :bro:id:`Log::no_filter` sentinel value.
## :zeek:id:`Log::no_filter` sentinel value.
##
## .. bro:see:: Log::add_filter Log::remove_filter Log::add_default_filter
## .. zeek:see:: Log::add_filter Log::remove_filter Log::add_default_filter
## Log::remove_default_filter Log::get_filter_names
global get_filter: function(id: ID, name: string) : Filter;
@ -360,7 +360,7 @@ export {
## to handle, or one of the stream's filters has an invalid
## ``path_func``.
##
## .. bro:see:: Log::enable_stream Log::disable_stream
## .. zeek:see:: Log::enable_stream Log::disable_stream
global write: function(id: ID, columns: any) : bool;
## Sets the buffering status for all the writers of a given logging stream.
@ -375,7 +375,7 @@ export {
## Returns: True if buffering status was set, false if the logging stream
## does not exist.
##
## .. bro:see:: Log::flush
## .. zeek:see:: Log::flush
global set_buf: function(id: ID, buffered: bool): bool;
## Flushes any currently buffered output for all the writers of a given
@ -388,50 +388,50 @@ export {
## buffered data or if the logging stream is disabled,
## false if the logging stream does not exist.
##
## .. bro:see:: Log::set_buf Log::enable_stream Log::disable_stream
## .. zeek:see:: Log::set_buf Log::enable_stream Log::disable_stream
global flush: function(id: ID): bool;
## Adds a default :bro:type:`Log::Filter` record with ``name`` field
## Adds a default :zeek:type:`Log::Filter` record with ``name`` field
## set as "default" to a given logging stream.
##
## id: The ID associated with a logging stream for which to add a default
## filter.
##
## Returns: The status of a call to :bro:id:`Log::add_filter` using a
## default :bro:type:`Log::Filter` argument with ``name`` field
## Returns: The status of a call to :zeek:id:`Log::add_filter` using a
## default :zeek:type:`Log::Filter` argument with ``name`` field
## set to "default".
##
## .. bro:see:: Log::add_filter Log::remove_filter
## .. zeek:see:: Log::add_filter Log::remove_filter
## Log::remove_default_filter
global add_default_filter: function(id: ID) : bool;
## Removes the :bro:type:`Log::Filter` with ``name`` field equal to
## Removes the :zeek:type:`Log::Filter` with ``name`` field equal to
## "default".
##
## id: The ID associated with a logging stream from which to remove the
## default filter.
##
## Returns: The status of a call to :bro:id:`Log::remove_filter` using
## Returns: The status of a call to :zeek:id:`Log::remove_filter` using
## "default" as the argument.
##
## .. bro:see:: Log::add_filter Log::remove_filter Log::add_default_filter
## .. zeek:see:: Log::add_filter Log::remove_filter Log::add_default_filter
global remove_default_filter: function(id: ID) : bool;
## Runs a command given by :bro:id:`Log::default_rotation_postprocessor_cmd`
## Runs a command given by :zeek:id:`Log::default_rotation_postprocessor_cmd`
## on a rotated file. Meant to be called from postprocessor functions
## that are added to :bro:id:`Log::default_rotation_postprocessors`.
## that are added to :zeek:id:`Log::default_rotation_postprocessors`.
##
## info: A record holding meta-information about the log being rotated.
##
## npath: The new path of the file (after already being rotated/processed
## by writer-specific postprocessor as defined in
## :bro:id:`Log::default_rotation_postprocessors`).
## :zeek:id:`Log::default_rotation_postprocessors`).
##
## Returns: True when :bro:id:`Log::default_rotation_postprocessor_cmd`
## Returns: True when :zeek:id:`Log::default_rotation_postprocessor_cmd`
## is empty or the system command given by it has been invoked
## to postprocess a rotated log file.
##
## .. bro:see:: Log::default_rotation_date_format
## .. zeek:see:: Log::default_rotation_date_format
## Log::default_rotation_postprocessor_cmd
## Log::default_rotation_postprocessors
global run_rotation_postprocessor_cmd: function(info: RotationInfo, npath: string) : bool;


@ -2,22 +2,22 @@
##! to a logging filter in order to automatically SCP (secure copy)
##! a log stream (or a subset of it) to a remote host at configurable
##! rotation time intervals. Generally, to use this functionality
##! you must handle the :bro:id:`zeek_init` event and do the following
##! you must handle the :zeek:id:`zeek_init` event and do the following
##! in your handler:
##!
##! 1) Create a new :bro:type:`Log::Filter` record that defines a name/path,
##! 1) Create a new :zeek:type:`Log::Filter` record that defines a name/path,
##! rotation interval, and set the ``postprocessor`` to
##! :bro:id:`Log::scp_postprocessor`.
##! 2) Add the filter to a logging stream using :bro:id:`Log::add_filter`.
##! 3) Add a table entry to :bro:id:`Log::scp_destinations` for the filter's
##! writer/path pair which defines a set of :bro:type:`Log::SCPDestination`
##! :zeek:id:`Log::scp_postprocessor`.
##! 2) Add the filter to a logging stream using :zeek:id:`Log::add_filter`.
##! 3) Add a table entry to :zeek:id:`Log::scp_destinations` for the filter's
##! writer/path pair which defines a set of :zeek:type:`Log::SCPDestination`
##! records.
module Log;
export {
## Secure-copies the rotated log to all the remote hosts
## defined in :bro:id:`Log::scp_destinations` and then deletes
## defined in :zeek:id:`Log::scp_destinations` and then deletes
## the local copy of the rotated log. It's not active when
## reading from trace files.
##
@ -42,7 +42,7 @@ export {
};
## A table indexed by a particular log writer and filter path, that yields
## a set of remote destinations. The :bro:id:`Log::scp_postprocessor`
## a set of remote destinations. The :zeek:id:`Log::scp_postprocessor`
## function queries this table upon log rotation and performs a secure
## copy of the rotated log to each destination in the set. This
## table can be modified at run-time.
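Review bot: The export comment in `@ -2,22` says the postprocessor copies the rotated log to every host in `Log::scp_destinations` "and then deletes the local copy", but the visible text never says what happens to the local file when a copy fails. For a log-shipping path that matters, because a failed transfer followed by deletion loses the log. I would add a line such as `## NOTE: state whether the local copy is kept when a transfer to any destination fails.` and resolve it against the implementation, which is outside this hunk. The SFTP section that follows uses the same wording for `Log::sftp_destinations` and needs the same sentence.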


@ -2,22 +2,22 @@
##! to a logging filter in order to automatically SFTP
##! a log stream (or a subset of it) to a remote host at configurable
##! rotation time intervals. Generally, to use this functionality
##! you must handle the :bro:id:`zeek_init` event and do the following
##! you must handle the :zeek:id:`zeek_init` event and do the following
##! in your handler:
##!
##! 1) Create a new :bro:type:`Log::Filter` record that defines a name/path,
##! 1) Create a new :zeek:type:`Log::Filter` record that defines a name/path,
##! rotation interval, and set the ``postprocessor`` to
##! :bro:id:`Log::sftp_postprocessor`.
##! 2) Add the filter to a logging stream using :bro:id:`Log::add_filter`.
##! 3) Add a table entry to :bro:id:`Log::sftp_destinations` for the filter's
##! writer/path pair which defines a set of :bro:type:`Log::SFTPDestination`
##! :zeek:id:`Log::sftp_postprocessor`.
##! 2) Add the filter to a logging stream using :zeek:id:`Log::add_filter`.
##! 3) Add a table entry to :zeek:id:`Log::sftp_destinations` for the filter's
##! writer/path pair which defines a set of :zeek:type:`Log::SFTPDestination`
##! records.
module Log;
export {
## Securely transfers the rotated log to all the remote hosts
## defined in :bro:id:`Log::sftp_destinations` and then deletes
## defined in :zeek:id:`Log::sftp_destinations` and then deletes
## the local copy of the rotated log. It's not active when
## reading from trace files.
##
@ -44,7 +44,7 @@ export {
};
## A table indexed by a particular log writer and filter path, that yields
## a set of remote destinations. The :bro:id:`Log::sftp_postprocessor`
## a set of remote destinations. The :zeek:id:`Log::sftp_postprocessor`
## function queries this table upon log rotation and performs a secure
## transfer of the rotated log to each destination in the set. This
## table can be modified at run-time.


@ -80,7 +80,7 @@ export {
## again.
##
## In cluster mode, this function works on workers as well as the manager. On managers,
## the returned :bro:see:`NetControl::BlockInfo` record will not contain the block ID,
## the returned :zeek:see:`NetControl::BlockInfo` record will not contain the block ID,
## which will be assigned on the manager.
##
## a: The address to be dropped.
@ -89,7 +89,7 @@ export {
##
## location: An optional string describing where the drop was triggered.
##
## Returns: The :bro:see:`NetControl::BlockInfo` record containing information about
## Returns: The :zeek:see:`NetControl::BlockInfo` record containing information about
## the inserted block.
global drop_address_catch_release: function(a: addr, location: string &default="") : BlockInfo;
@ -114,7 +114,7 @@ export {
## a: The address that was seen and should be re-dropped if it is being watched.
global catch_release_seen: function(a: addr);
## Get the :bro:see:`NetControl::BlockInfo` record for an address currently blocked by catch and release.
## Get the :zeek:see:`NetControl::BlockInfo` record for an address currently blocked by catch and release.
## If the address is unknown to catch and release, the watch_until time will be set to 0.
##
## In cluster mode, this function works on the manager and workers. On workers, the data will
@ -123,7 +123,7 @@ export {
##
## a: The address to get information about.
##
## Returns: The :bro:see:`NetControl::BlockInfo` record containing information about
## Returns: The :zeek:see:`NetControl::BlockInfo` record containing information about
## the inserted block.
global get_catch_release_info: function(a: addr) : BlockInfo;
@ -132,7 +132,7 @@ export {
##
## a: The address that is no longer being managed.
##
## bi: The :bro:see:`NetControl::BlockInfo` record containing information about the block.
## bi: The :zeek:see:`NetControl::BlockInfo` record containing information about the block.
global catch_release_forgotten: event(a: addr, bi: BlockInfo);
## If true, catch_release_seen is called on the connection originator in new_connection,
@ -148,7 +148,7 @@ export {
## effect.
const catch_release_intervals: vector of interval = vector(10min, 1hr, 24hrs, 7days) &redef;
## Event that can be handled to access the :bro:type:`NetControl::CatchReleaseInfo`
## Event that can be handled to access the :zeek:type:`NetControl::CatchReleaseInfo`
## record as it is sent on to the logging framework.
global log_netcontrol_catch_release: event(rec: CatchReleaseInfo);
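Review bot: In `@ -80,7` the comment for `drop_address_catch_release` contradicts itself: it says "On managers" the returned record will not contain the block ID, "which will be assigned on the manager". It reads as if the first word should be "workers". Since the line is being rewritten anyway, I would change the sentence to start `On workers,`, after checking the implementation, which is not part of this section. The `Returns:` text for `get_catch_release_info` in `@ -123,7` also still says "the inserted block", although that function is documented as a lookup.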


@ -50,7 +50,7 @@ export {
## r: The rule to be added.
global NetControl::drop_rule_policy: hook(r: Rule);
## Event that can be handled to access the :bro:type:`NetControl::ShuntInfo`
## Event that can be handled to access the :zeek:type:`NetControl::ShuntInfo`
## record as it is sent on to the logging framework.
global log_netcontrol_drop: event(rec: DropInfo);
}
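Review bot: The comment above `log_netcontrol_drop` names `NetControl::ShuntInfo`, but the event is declared as `event(rec: DropInfo)`, so the renamed cross-reference still points at the wrong record. The target of the `:zeek:type:` role should be `NetControl::DropInfo`. The sentence looks copied from the shunt script, where the same wording matches `log_netcontrol_shunt`.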


@ -98,7 +98,7 @@ export {
## Returns: Vector of inserted rules on success, empty list on failure.
global quarantine_host: function(infected: addr, dns: addr, quarantine: addr, t: interval, location: string &default="") : vector of string;
## Flushes all state by calling :bro:see:`NetControl::remove_rule` on all currently active rules.
## Flushes all state by calling :zeek:see:`NetControl::remove_rule` on all currently active rules.
global clear: function();
# ###
@ -122,7 +122,7 @@ export {
## Removes a rule.
##
## id: The rule to remove, specified as the ID returned by :bro:see:`NetControl::add_rule`.
## id: The rule to remove, specified as the ID returned by :zeek:see:`NetControl::add_rule`.
##
## reason: Optional string argument giving information on why the rule was removed.
##
@ -138,7 +138,7 @@ export {
## the rule has been added; if it is not removed from them by a separate mechanism,
## it will stay installed and not be removed later.
##
## id: The rule to delete, specified as the ID returned by :bro:see:`NetControl::add_rule`.
## id: The rule to delete, specified as the ID returned by :zeek:see:`NetControl::add_rule`.
##
## reason: Optional string argument giving information on why the rule was deleted.
##
@ -321,7 +321,7 @@ export {
plugin: string &log &optional;
};
## Event that can be handled to access the :bro:type:`NetControl::Info`
## Event that can be handled to access the :zeek:type:`NetControl::Info`
## record as it is sent on to the logging framework.
global log_netcontrol: event(rec: Info);
}


@ -9,7 +9,7 @@ module NetControl;
@load base/frameworks/broker
export {
## This record specifies the configuration that is passed to :bro:see:`NetControl::create_broker`.
## This record specifies the configuration that is passed to :zeek:see:`NetControl::create_broker`.
type BrokerConfig: record {
## The broker topic to send events to.
topic: string &optional;


@ -7,7 +7,7 @@
module NetControl;
export {
## This record specifies the configuration that is passed to :bro:see:`NetControl::create_openflow`.
## This record specifies the configuration that is passed to :zeek:see:`NetControl::create_openflow`.
type OfConfig: record {
monitor: bool &default=T; ##< Accept rules that target the monitor path.
forward: bool &default=T; ##< Accept rules that target the forward path.


@ -31,7 +31,7 @@ export {
location: string &log &optional;
};
## Event that can be handled to access the :bro:type:`NetControl::ShuntInfo`
## Event that can be handled to access the :zeek:type:`NetControl::ShuntInfo`
## record as it is sent on to the logging framework.
global log_netcontrol_shunt: event(rec: ShuntInfo);
}


@ -1,6 +1,6 @@
##! This file defines the types that are used by the NetControl framework.
##!
##! The most important type defined in this file is :bro:see:`NetControl::Rule`,
##! The most important type defined in this file is :zeek:see:`NetControl::Rule`,
##! which is used to describe all rules that can be expressed by the NetControl framework.
module NetControl;
@ -10,11 +10,11 @@ export {
option default_priority: int = +0;
## The default priority that is used when using the high-level functions to
## push whitelist entries to the backends (:bro:see:`NetControl::whitelist_address` and
## :bro:see:`NetControl::whitelist_subnet`).
## push whitelist entries to the backends (:zeek:see:`NetControl::whitelist_address` and
## :zeek:see:`NetControl::whitelist_subnet`).
##
## Note that this priority is not automatically used when manually creating rules
## that have a :bro:see:`NetControl::RuleType` of :bro:enum:`NetControl::WHITELIST`.
## that have a :zeek:see:`NetControl::RuleType` of :zeek:enum:`NetControl::WHITELIST`.
const whitelist_priority: int = +5 &redef;
## Type defining the entity that a rule applies to.
@ -25,7 +25,7 @@ export {
MAC, ##< Activity involving a MAC address.
};
## Flow is used in :bro:type:`NetControl::Entity` together with :bro:enum:`NetControl::FLOW` to specify
## Flow is used in :zeek:type:`NetControl::Entity` together with :zeek:enum:`NetControl::FLOW` to specify
## a uni-directional flow that a rule applies to.
##
## If optional fields are not set, they are interpreted as wildcarded.
@ -41,10 +41,10 @@ export {
## Type defining the entity a rule is operating on.
type Entity: record {
ty: EntityType; ##< Type of entity.
conn: conn_id &optional; ##< Used with :bro:enum:`NetControl::CONNECTION`.
flow: Flow &optional; ##< Used with :bro:enum:`NetControl::FLOW`.
ip: subnet &optional; ##< Used with :bro:enum:`NetControl::ADDRESS` to specifiy a CIDR subnet.
mac: string &optional; ##< Used with :bro:enum:`NetControl::MAC`.
conn: conn_id &optional; ##< Used with :zeek:enum:`NetControl::CONNECTION`.
flow: Flow &optional; ##< Used with :zeek:enum:`NetControl::FLOW`.
ip: subnet &optional; ##< Used with :zeek:enum:`NetControl::ADDRESS` to specifiy a CIDR subnet.
mac: string &optional; ##< Used with :zeek:enum:`NetControl::MAC`.
};
## Type defining the target of a rule.
@ -59,7 +59,7 @@ export {
};
## Type of rules that the framework supports. Each type lists the extra
## :bro:type:`NetControl::Rule` fields it uses, if any.
## :zeek:type:`NetControl::Rule` fields it uses, if any.
##
## Plugins may extend this type to define their own.
type RuleType: enum {
@ -108,8 +108,8 @@ export {
priority: int &default=default_priority; ##< Priority if multiple rules match an entity (larger value is higher priority).
location: string &optional; ##< Optional string describing where/what installed the rule.
out_port: count &optional; ##< Argument for :bro:enum:`NetControl::REDIRECT` rules.
mod: FlowMod &optional; ##< Argument for :bro:enum:`NetControl::MODIFY` rules.
out_port: count &optional; ##< Argument for :zeek:enum:`NetControl::REDIRECT` rules.
mod: FlowMod &optional; ##< Argument for :zeek:enum:`NetControl::MODIFY` rules.
id: string &default=""; ##< Internally determined unique ID for this rule. Will be set when added.
cid: count &default=0; ##< Internally determined unique numeric ID for this rule. Set when added.
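Review bot: The `ip` field comment of the `Entity` record in `@ -41,10` still carries the typo "specifiy" on the new side. The line is rewritten by this commit, so the word can be corrected to `specify` in the same change. Nothing else in the comment needs to move.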


@ -13,7 +13,7 @@ module Notice;
export {
redef enum Action += {
## Indicates that the notice should have geodata added for the
## "remote" host. :bro:id:`Site::local_nets` must be defined
## "remote" host. :zeek:id:`Site::local_nets` must be defined
## in order for this to work.
ACTION_ADD_GEODATA
};


@ -8,7 +8,7 @@ module Notice;
export {
redef enum Action += {
## Drops the address via :bro:see:`NetControl::drop_address_catch_release`.
## Drops the address via :zeek:see:`NetControl::drop_address_catch_release`.
ACTION_DROP
};


@ -1,6 +1,6 @@
##! Adds a new notice action type which can be used to email notices
##! to the administrators of a particular address space as set by
##! :bro:id:`Site::local_admins` if the notice contains a source
##! :zeek:id:`Site::local_admins` if the notice contains a source
##! or destination address that lies within their space.
@load ../main
@ -12,7 +12,7 @@ export {
redef enum Action += {
## Indicate that the generated email should be addressed to the
## appropriate email addresses as found by the
## :bro:id:`Site::get_emails` function based on the relevant
## :zeek:id:`Site::get_emails` function based on the relevant
## address or addresses indicated in the notice.
ACTION_EMAIL_ADMIN
};


@ -7,12 +7,12 @@ module Notice;
export {
redef enum Action += {
## Indicates that the notice should be sent to the pager email
## address configured in the :bro:id:`Notice::mail_page_dest`
## address configured in the :zeek:id:`Notice::mail_page_dest`
## variable.
ACTION_PAGE
};
## Email address to send notices with the :bro:enum:`Notice::ACTION_PAGE`
## Email address to send notices with the :zeek:enum:`Notice::ACTION_PAGE`
## action.
option mail_page_dest = "";
}


@ -12,7 +12,7 @@ export {
const pretty_print_alarms = T &redef;
## Address to send the pretty-printed reports to. Default if not set is
## :bro:id:`Notice::mail_dest`.
## :zeek:id:`Notice::mail_dest`.
##
## Note that this is overridden by the BroControl MailAlarmsTo option.
const mail_dest_pretty_printed = "" &redef;


@ -18,7 +18,7 @@ export {
## Scripts creating new notices need to redef this enum to add their
## own specific notice types which would then get used when they call
## the :bro:id:`NOTICE` function. The convention is to give a general
## the :zeek:id:`NOTICE` function. The convention is to give a general
## category along with the specific notice separating words with
## underscores and using leading capitals on each word except for
## abbreviations which are kept in all capitals. For example,
@ -37,12 +37,12 @@ export {
## logging stream.
ACTION_LOG,
## Indicates that the notice should be sent to the email
## address(es) configured in the :bro:id:`Notice::mail_dest`
## address(es) configured in the :zeek:id:`Notice::mail_dest`
## variable.
ACTION_EMAIL,
## Indicates that the notice should be alarmed. A readable
## ASCII version of the alarm log is emailed in bulk to the
## address(es) configured in :bro:id:`Notice::mail_dest`.
## address(es) configured in :zeek:id:`Notice::mail_dest`.
ACTION_ALARM,
};
@ -50,7 +50,7 @@ export {
type ActionSet: set[Notice::Action];
## The notice framework is able to do automatic notice suppression by
## utilizing the *identifier* field in :bro:type:`Notice::Info` records.
## utilizing the *identifier* field in :zeek:type:`Notice::Info` records.
## Set this to "0secs" to completely disable automated notice
## suppression.
option default_suppression_interval = 1hrs;
@ -103,18 +103,18 @@ export {
## *conn*, *iconn* or *p* is specified.
proto: transport_proto &log &optional;
## The :bro:type:`Notice::Type` of the notice.
## The :zeek:type:`Notice::Type` of the notice.
note: Type &log;
## The human readable message for the notice.
msg: string &log &optional;
## The human readable sub-message.
sub: string &log &optional;
## Source address, if we don't have a :bro:type:`conn_id`.
## Source address, if we don't have a :zeek:type:`conn_id`.
src: addr &log &optional;
## Destination address.
dst: addr &log &optional;
## Associated port, if we don't have a :bro:type:`conn_id`.
## Associated port, if we don't have a :zeek:type:`conn_id`.
p: port &log &optional;
## Associated count, or perhaps a status code.
n: count &log &optional;
@ -131,14 +131,14 @@ export {
## By adding chunks of text into this element, other scripts
## can expand on notices that are being emailed. The normal
## way to add text is to extend the vector by handling the
## :bro:id:`Notice::notice` event and modifying the notice in
## :zeek:id:`Notice::notice` event and modifying the notice in
## place.
email_body_sections: vector of string &optional;
## Adding a string "token" to this set will cause the notice
## framework's built-in emailing functionality to delay sending
## the email until either the token has been removed or the
## email has been delayed for :bro:id:`Notice::max_email_delay`.
## email has been delayed for :zeek:id:`Notice::max_email_delay`.
email_delay_tokens: set[string] &optional;
## This field is to be provided when a notice is generated for
@ -192,8 +192,8 @@ export {
## Note that this is overridden by the BroControl SendMail option.
option sendmail = "/usr/sbin/sendmail";
## Email address to send notices with the
## :bro:enum:`Notice::ACTION_EMAIL` action or to send bulk alarm logs
## on rotation with :bro:enum:`Notice::ACTION_ALARM`.
## :zeek:enum:`Notice::ACTION_EMAIL` action or to send bulk alarm logs
## on rotation with :zeek:enum:`Notice::ACTION_ALARM`.
##
## Note that this is overridden by the BroControl MailTo option.
const mail_dest = "" &redef;
@ -212,18 +212,18 @@ export {
## The maximum amount of time a plugin can delay email from being sent.
const max_email_delay = 15secs &redef;
## Contains a portion of :bro:see:`fa_file` that's also contained in
## :bro:see:`Notice::Info`.
## Contains a portion of :zeek:see:`fa_file` that's also contained in
## :zeek:see:`Notice::Info`.
type FileInfo: record {
fuid: string; ##< File UID.
desc: string; ##< File description from e.g.
##< :bro:see:`Files::describe`.
##< :zeek:see:`Files::describe`.
mime: string &optional; ##< Strongest mime type match for file.
cid: conn_id &optional; ##< Connection tuple over which file is sent.
cuid: string &optional; ##< Connection UID over which file is sent.
};
## Creates a record containing a subset of a full :bro:see:`fa_file` record.
## Creates a record containing a subset of a full :zeek:see:`fa_file` record.
##
## f: record containing metadata about a file.
##
@ -245,7 +245,7 @@ export {
global populate_file_info2: function(fi: Notice::FileInfo, n: Notice::Info);
## A log postprocessing function that implements emailing the contents
## of a log upon rotation to any configured :bro:id:`Notice::mail_dest`.
## of a log upon rotation to any configured :zeek:id:`Notice::mail_dest`.
## The rotated log is removed upon being sent.
##
## info: A record containing the rotated log file information.
@ -254,9 +254,9 @@ export {
global log_mailing_postprocessor: function(info: Log::RotationInfo): bool;
## This is the event that is called as the entry point to the
## notice framework by the global :bro:id:`NOTICE` function. By the
## notice framework by the global :zeek:id:`NOTICE` function. By the
## time this event is generated, default values have already been
## filled out in the :bro:type:`Notice::Info` record and the notice
## filled out in the :zeek:type:`Notice::Info` record and the notice
## policy has also been applied.
##
## n: The record containing notice data.
@ -268,7 +268,7 @@ export {
##
## suppress_for: length of time that this notice should be suppressed.
##
## note: The :bro:type:`Notice::Type` of the notice.
## note: The :zeek:type:`Notice::Type` of the notice.
##
## identifier: The identifier string of the notice that should be suppressed.
global begin_suppression: event(ts: time, suppress_for: interval, note: Type, identifier: string);
@ -286,8 +286,8 @@ export {
global suppressed: event(n: Notice::Info);
## Call this function to send a notice in an email. It is already used
## by default with the built in :bro:enum:`Notice::ACTION_EMAIL` and
## :bro:enum:`Notice::ACTION_PAGE` actions.
## by default with the built in :zeek:enum:`Notice::ACTION_EMAIL` and
## :zeek:enum:`Notice::ACTION_PAGE` actions.
##
## n: The record of notice data to email.
##
@ -308,13 +308,13 @@ export {
## appended.
global email_headers: function(subject_desc: string, dest: string): string;
## This event can be handled to access the :bro:type:`Notice::Info`
## This event can be handled to access the :zeek:type:`Notice::Info`
## record as it is sent on to the logging framework.
##
## rec: The record containing notice data before it is logged.
global log_notice: event(rec: Info);
## This is an internal wrapper for the global :bro:id:`NOTICE`
## This is an internal wrapper for the global :zeek:id:`NOTICE`
## function; disregard.
##
## n: The record of notice data.
@ -598,7 +598,7 @@ function populate_file_info2(fi: Notice::FileInfo, n: Notice::Info)
# This is run synchronously as a function before all of the other
# notice related functions and events. It also modifies the
# :bro:type:`Notice::Info` record in place.
# :zeek:type:`Notice::Info` record in place.
function apply_policy(n: Notice::Info)
{
# Fill in some defaults.
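Review bot: The comment on `sendmail` in `@ -192,8` does not say that the value is a program path, nor who may change it. It is declared with `option`, so it can be changed at run time, while the neighbouring `mail_dest` is `const ... &redef`. If this string is the program the framework executes to deliver mail (the name and default path suggest so, but the call site is not in this section), the comment should say it, for example `## Path of the program executed to send mail; anything able to set this option chooses what is run.` The start of that doc comment is above the hunk, so this may already be partly covered there.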


@ -41,7 +41,7 @@ export {
flow_mod: ofp_flow_mod &log;
};
## Event that can be handled to access the :bro:type:`OpenFlow::Info`
## Event that can be handled to access the :zeek:type:`OpenFlow::Info`
## record as it is sent on to the logging framework.
global log_openflow: event(rec: Info);
}


@ -2,7 +2,7 @@
##! Bro sets a capture filter that allows all traffic. If a filter
##! is set on the command line, that filter takes precedence over the default
##! open filter and all filters defined in Bro scripts with the
##! :bro:id:`capture_filters` and :bro:id:`restrict_filters` variables.
##! :zeek:id:`capture_filters` and :zeek:id:`restrict_filters` variables.
@load base/frameworks/notice
@load base/frameworks/analyzer
@ -48,7 +48,7 @@ export {
};
## The BPF filter that is used by default to define what traffic should
## be captured. Filters defined in :bro:id:`restrict_filters` will
## be captured. Filters defined in :zeek:id:`restrict_filters` will
## still be applied to reduce the captured traffic.
const default_capture_filter = "ip or not ip" &redef;
@ -64,7 +64,7 @@ export {
## The maximum amount of time that you'd like to allow for BPF filters to compile.
## If this time is exceeded, compensation measures may be taken by the framework
## to reduce the filter size. This threshold being crossed also results
## in the :bro:see:`PacketFilter::Too_Long_To_Compile_Filter` notice.
## in the :zeek:see:`PacketFilter::Too_Long_To_Compile_Filter` notice.
const max_filter_compile_time = 100msec &redef;
## Install a BPF filter to exclude some traffic. The filter should


@ -1,7 +1,7 @@
module PacketFilter;
export {
## Takes a :bro:type:`port` and returns a BPF expression which will
## Takes a :zeek:type:`port` and returns a BPF expression which will
## match the port.
##
## p: The port.


@ -2,9 +2,9 @@
##! internal messages/warnings/errors. It should typically be loaded to
##! log such messages to a file in a standard way. For the options to
##! toggle whether messages are additionally written to STDERR, see
##! :bro:see:`Reporter::info_to_stderr`,
##! :bro:see:`Reporter::warnings_to_stderr`, and
##! :bro:see:`Reporter::errors_to_stderr`.
##! :zeek:see:`Reporter::info_to_stderr`,
##! :zeek:see:`Reporter::warnings_to_stderr`, and
##! :zeek:see:`Reporter::errors_to_stderr`.
##!
##! Note that this framework deals with the handling of internally generated
##! reporter messages, for the interface


@ -13,22 +13,22 @@ export {
Sensitive_Signature,
## Host has triggered many signatures on the same host. The
## number of signatures is defined by the
## :bro:id:`Signatures::vert_scan_thresholds` variable.
## :zeek:id:`Signatures::vert_scan_thresholds` variable.
Multiple_Signatures,
## Host has triggered the same signature on multiple hosts as
## defined by the :bro:id:`Signatures::horiz_scan_thresholds`
## defined by the :zeek:id:`Signatures::horiz_scan_thresholds`
## variable.
Multiple_Sig_Responders,
## The same signature has triggered multiple times for a host.
## The number of times the signature has been triggered is
## defined by the :bro:id:`Signatures::count_thresholds`
## defined by the :zeek:id:`Signatures::count_thresholds`
## variable. To generate this notice, the
## :bro:enum:`Signatures::SIG_COUNT_PER_RESP` action must be
## :zeek:enum:`Signatures::SIG_COUNT_PER_RESP` action must be
## set for the signature.
Count_Signature,
## Summarize the number of times a host triggered a signature.
## The interval between summaries is defined by the
## :bro:id:`Signatures::summary_interval` variable.
## :zeek:id:`Signatures::summary_interval` variable.
Signature_Summary,
};
@ -48,7 +48,7 @@ export {
SIG_QUIET,
## Generate a notice.
SIG_LOG,
## The same as :bro:enum:`Signatures::SIG_LOG`, but ignore for
## The same as :zeek:enum:`Signatures::SIG_LOG`, but ignore for
## aggregate/scan processing.
SIG_FILE_BUT_NO_SCAN,
## Generate a notice and set it to be alarmed upon.
@ -58,8 +58,8 @@ export {
## Alarm once and then never again.
SIG_ALARM_ONCE,
## Count signatures per responder host and alarm with the
## :bro:enum:`Signatures::Count_Signature` notice if a threshold
## defined by :bro:id:`Signatures::count_thresholds` is reached.
## :zeek:enum:`Signatures::Count_Signature` notice if a threshold
## defined by :zeek:id:`Signatures::count_thresholds` is reached.
SIG_COUNT_PER_RESP,
## Don't alarm, but generate per-orig summary.
SIG_SUMMARY,
@ -114,11 +114,11 @@ export {
## different signature matches has reached one of the thresholds.
const vert_scan_thresholds = { 5, 10, 50, 100, 500, 1000 } &redef;
## Generate a notice if a :bro:enum:`Signatures::SIG_COUNT_PER_RESP`
## Generate a notice if a :zeek:enum:`Signatures::SIG_COUNT_PER_RESP`
## signature is triggered as often as given by one of these thresholds.
const count_thresholds = { 5, 10, 50, 100, 500, 1000, 10000, 1000000, } &redef;
## The interval between when :bro:enum:`Signatures::Signature_Summary`
## The interval between when :zeek:enum:`Signatures::Signature_Summary`
## notices are generated.
option summary_interval = 1 day;


@ -2,7 +2,7 @@
##! parsing but doesn't actually do any detection on it's own. It relies on
##! other protocol specific scripts to parse out software from the protocols
##! that they analyze. The entry point for providing new software detections
##! to this framework is through the :bro:id:`Software::found` function.
##! to this framework is through the :zeek:id:`Software::found` function.
@load base/utils/directions-and-hosts
@load base/utils/numbers
@ -16,7 +16,7 @@ export {
## Scripts detecting new types of software need to redef this enum to add
## their own specific software types which would then be used when they
## create :bro:type:`Software::Info` records.
## create :zeek:type:`Software::Info` records.
type Type: enum {
## A placeholder type for when the type of software is not known.
UNKNOWN,
@ -45,7 +45,7 @@ export {
## The port on which the software is running. Only sensible for
## server software.
host_p: port &log &optional;
## The type of software detected (e.g. :bro:enum:`HTTP::SERVER`).
## The type of software detected (e.g. :zeek:enum:`HTTP::SERVER`).
software_type: Type &log &default=UNKNOWN;
## Name of the software (e.g. Apache).
name: string &log &optional;
@ -96,9 +96,9 @@ export {
["Flash Player"] = "Flash",
} &default=function(a: string): string { return a; };
## Type to represent a collection of :bro:type:`Software::Info` records.
## Type to represent a collection of :zeek:type:`Software::Info` records.
## It's indexed with the name of a piece of software such as "Firefox"
## and it yields a :bro:type:`Software::Info` record with more
## and it yields a :zeek:type:`Software::Info` record with more
## information about the software.
type SoftwareSet: table[string] of Info;
@ -108,7 +108,7 @@ export {
## uniformly distributed among proxy nodes.
global tracked: table[addr] of SoftwareSet &create_expire=1day;
## This event can be handled to access the :bro:type:`Software::Info`
## This event can be handled to access the :zeek:type:`Software::Info`
## record as it is sent on to the logging framework.
global log_software: event(rec: Info);
@ -117,7 +117,7 @@ export {
global version_change: event(old: Info, new: Info);
## This event is raised when software is about to be registered for
## tracking in :bro:see:`Software::tracked`.
## tracking in :zeek:see:`Software::tracked`.
global register: event(info: Info);
}


@ -35,12 +35,12 @@ export {
global cluster_get_result: event(uid: string, ss_name: string, key: Key, cleanup: bool);
## This event is sent by nodes in response to a
## :bro:id:`SumStats::cluster_get_result` event.
## :zeek:id:`SumStats::cluster_get_result` event.
global cluster_send_result: event(uid: string, ss_name: string, key: Key, result: Result, cleanup: bool);
## This is sent by workers to indicate that they crossed the percent
## of the current threshold by the percentage defined globally in
## :bro:id:`SumStats::cluster_request_global_view_percent`.
## :zeek:id:`SumStats::cluster_request_global_view_percent`.
global cluster_key_intermediate_response: event(ss_name: string, key: SumStats::Key);
## This event is scheduled internally on workers to send result chunks.


@ -105,7 +105,7 @@ export {
reducers: set[Reducer];
## A function that will be called once for each observation in order
## to calculate a value from the :bro:see:`SumStats::Result` structure
## to calculate a value from the :zeek:see:`SumStats::Result` structure
## which will be used for thresholding.
## This function is required if a *threshold* value or
## a *threshold_series* is given.
@ -157,7 +157,7 @@ export {
## Dynamically request a sumstat key. This function should be
## used sparingly and not as a replacement for the callbacks
## from the :bro:see:`SumStats::SumStat` record. The function is only
## from the :zeek:see:`SumStats::SumStat` record. The function is only
## available for use within "when" statements as an asynchronous
## function.
##
@ -168,7 +168,7 @@ export {
## Returns: The result for the requested sumstat key.
global request_key: function(ss_name: string, key: Key): Result;
## Helper function to represent a :bro:type:`SumStats::Key` value as
## Helper function to represent a :zeek:type:`SumStats::Key` value as
## a simple string.
##
## key: The metric key that is to be converted into a string.


@ -19,7 +19,7 @@ export {
redef record ResultVal += {
## This is the queue where elements are maintained.
## Don't access this value directly, instead use the
## :bro:see:`SumStats::get_last` function to get a vector of
## :zeek:see:`SumStats::get_last` function to get a vector of
## the current element values.
last_elements: Queue::Queue &optional;
};


@ -3,7 +3,7 @@
##!
##! For any connection that occurs over a tunnel, information about its
##! encapsulating tunnels is also found in the *tunnel* field of
##! :bro:type:`connection`.
##! :zeek:type:`connection`.
module Tunnel;
@ -18,7 +18,7 @@ export {
## A tunnel connection has closed.
CLOSE,
## No new connections over a tunnel happened in the amount of
## time indicated by :bro:see:`Tunnel::expiration_interval`.
## time indicated by :zeek:see:`Tunnel::expiration_interval`.
EXPIRE,
};
@ -27,7 +27,7 @@ export {
## Time at which some tunnel activity occurred.
ts: time &log;
## The unique identifier for the tunnel, which may correspond
## to a :bro:type:`connection`'s *uid* field for non-IP-in-IP tunnels.
## to a :zeek:type:`connection`'s *uid* field for non-IP-in-IP tunnels.
## This is optional because there could be numerous connections
## for payload proxies like SOCKS but we should treat it as a
## single tunnel.
@ -42,29 +42,29 @@ export {
};
## Logs all tunnels in an encapsulation chain with action
## :bro:see:`Tunnel::DISCOVER` that aren't already in the
## :bro:id:`Tunnel::active` table and adds them if not.
## :zeek:see:`Tunnel::DISCOVER` that aren't already in the
## :zeek:id:`Tunnel::active` table and adds them if not.
global register_all: function(ecv: EncapsulatingConnVector);
## Logs a single tunnel "connection" with action
## :bro:see:`Tunnel::DISCOVER` if it's not already in the
## :bro:id:`Tunnel::active` table and adds it if not.
## :zeek:see:`Tunnel::DISCOVER` if it's not already in the
## :zeek:id:`Tunnel::active` table and adds it if not.
global register: function(ec: EncapsulatingConn);
## Logs a single tunnel "connection" with action
## :bro:see:`Tunnel::EXPIRE` and removes it from the
## :bro:id:`Tunnel::active` table.
## :zeek:see:`Tunnel::EXPIRE` and removes it from the
## :zeek:id:`Tunnel::active` table.
##
## t: A table of tunnels.
##
## idx: The index of the tunnel table corresponding to the tunnel to expire.
##
## Returns: 0secs, which when this function is used as an
## :bro:attr:`&expire_func`, indicates to remove the element at
## :zeek:attr:`&expire_func`, indicates to remove the element at
## *idx* immediately.
global expire: function(t: table[conn_id] of Info, idx: conn_id): interval;
## Removes a single tunnel from the :bro:id:`Tunnel::active` table
## Removes a single tunnel from the :zeek:id:`Tunnel::active` table
## and logs the closing/expiration of the tunnel.
##
## tunnel: The tunnel which has closed or expired.
@ -78,7 +78,7 @@ export {
## Currently active tunnels. That is, tunnels for which new,
## encapsulated connections have been seen in the interval indicated by
## :bro:see:`Tunnel::expiration_interval`.
## :zeek:see:`Tunnel::expiration_interval`.
global active: table[conn_id] of Info = table() &read_expire=expiration_interval &expire_func=expire;
}

File diff suppressed because it is too large Load diff


@ -1,7 +1,7 @@
##! Discovers trace files that contain TCP traffic consisting only of
##! control packets (e.g. it's been filtered to contain only SYN/FIN/RST
##! packets and no content). On finding such a trace, a warning is
##! emitted that suggests toggling the :bro:see:`detect_filtered_trace`
##! emitted that suggests toggling the :zeek:see:`detect_filtered_trace`
##! option may be desired if the user does not want Bro to report
##! missing TCP segments.


@ -2,7 +2,7 @@
##! responders data or both. By default nothing is extracted, and in order
##! to actually extract data the ``c$extract_orig`` and/or the
##! ``c$extract_resp`` variable must be set to ``T``. One way to achieve this
##! would be to handle the :bro:id:`connection_established` event elsewhere
##! would be to handle the :zeek:id:`connection_established` event elsewhere
##! and set the ``extract_orig`` and ``extract_resp`` options there.
##! However, there may be trouble with the timing due to event queue delay.
##!


@ -78,13 +78,13 @@ export {
## If the connection is originated locally, this value will be T.
## If it was originated remotely it will be F. In the case that
## the :bro:id:`Site::local_nets` variable is undefined, this
## the :zeek:id:`Site::local_nets` variable is undefined, this
## field will be left empty at all times.
local_orig: bool &log &optional;
## If the connection is responded to locally, this value will be T.
## If it was responded to remotely it will be F. In the case that
## the :bro:id:`Site::local_nets` variable is undefined, this
## the :zeek:id:`Site::local_nets` variable is undefined, this
## field will be left empty at all times.
local_resp: bool &log &optional;
@ -128,18 +128,18 @@ export {
## (at least) 10 times; the third instance, 100 times; etc.
history: string &log &optional;
## Number of packets that the originator sent.
## Only set if :bro:id:`use_conn_size_analyzer` = T.
## Only set if :zeek:id:`use_conn_size_analyzer` = T.
orig_pkts: count &log &optional;
## Number of IP level bytes that the originator sent (as seen on
## the wire, taken from the IP total_length header field).
## Only set if :bro:id:`use_conn_size_analyzer` = T.
## Only set if :zeek:id:`use_conn_size_analyzer` = T.
orig_ip_bytes: count &log &optional;
## Number of packets that the responder sent.
## Only set if :bro:id:`use_conn_size_analyzer` = T.
## Only set if :zeek:id:`use_conn_size_analyzer` = T.
resp_pkts: count &log &optional;
## Number of IP level bytes that the responder sent (as seen on
## the wire, taken from the IP total_length header field).
## Only set if :bro:id:`use_conn_size_analyzer` = T.
## Only set if :zeek:id:`use_conn_size_analyzer` = T.
resp_ip_bytes: count &log &optional;
## If this connection was over a tunnel, indicate the
## *uid* values for any encapsulating parent connections
@ -147,7 +147,7 @@ export {
tunnel_parents: set[string] &log &optional;
};
## Event that can be handled to access the :bro:type:`Conn::Info`
## Event that can be handled to access the :zeek:type:`Conn::Info`
## record as it is sent on to the logging framework.
global log_conn: event(rec: Info);
}


@ -89,13 +89,13 @@ export {
## This event is used internally to distribute data around clusters
## since DHCP doesn't follow the normal "connection" model used by
## most protocols. It can also be handled to extend the DHCP log.
## bro:see::`DHCP::log_info`.
## :zeek:see:`DHCP::log_info`.
global DHCP::aggregate_msgs: event(ts: time, id: conn_id, uid: string, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options);
## This is a global variable that is only to be used in the
## :bro::see::`DHCP::aggregate_msgs` event. It can be used to avoid
## :zeek:see:`DHCP::aggregate_msgs` event. It can be used to avoid
## looking up the info record for a transaction ID in every event handler
## for :bro:see::`DHCP::aggregate_msgs`.
## for :zeek:see:`DHCP::aggregate_msgs`.
global DHCP::log_info: Info;
## Event that can be handled to access the DHCP


@ -80,7 +80,7 @@ export {
saw_reply: bool &default=F;
};
## An event that can be handled to access the :bro:type:`DNS::Info`
## An event that can be handled to access the :zeek:type:`DNS::Info`
## record as it is sent to the logging framework.
global log_dns: event(rec: Info);
@ -109,7 +109,7 @@ export {
## is_query: Indicator for if this is being called for a query or a response.
global set_session: hook(c: connection, msg: dns_msg, is_query: bool);
## Yields a queue of :bro:see:`DNS::Info` objects for a given
## Yields a queue of :zeek:see:`DNS::Info` objects for a given
## DNS message query/transaction ID.
type PendingMessages: table[count] of Queue::Queue;
@ -126,7 +126,7 @@ export {
option max_pending_query_ids = 50;
## A record type which tracks the status of DNS queries for a given
## :bro:type:`connection`.
## :zeek:type:`connection`.
type State: record {
## A single query that hasn't been matched with a response yet.
## Note this is maintained separate from the *pending_queries*


@ -6,7 +6,7 @@
##! indicating the GSI mechanism for GSSAPI was used. This analysis
##! is all supported internally, this script simply adds the "gridftp"
##! label to the *service* field of the control channel's
##! :bro:type:`connection` record.
##! :zeek:type:`connection` record.
##!
##! GridFTP data channels are identified by a heuristic that relies on
##! the fact that default settings for GridFTP clients typically
@ -33,7 +33,7 @@ export {
option size_threshold = 1073741824;
## Time during which we check whether a connection's size exceeds the
## :bro:see:`GridFTP::size_threshold`.
## :zeek:see:`GridFTP::size_threshold`.
option max_time = 2 min;
## Whether to skip further processing of the GridFTP data channel once
@ -46,8 +46,8 @@ export {
global data_channel_detected: event(c: connection);
## The initial criteria used to determine whether to start polling
## the connection for the :bro:see:`GridFTP::size_threshold` to have
## been exceeded. This is called in a :bro:see:`ssl_established` event
## the connection for the :zeek:see:`GridFTP::size_threshold` to have
## been exceeded. This is called in a :zeek:see:`ssl_established` event
## handler and by default looks for both a client and server certificate
## and for a NULL bulk cipher. One way in which this function could be
## redefined is to make it also consider client/server certificate
@ -56,7 +56,7 @@ export {
## c: The connection which may possibly be a GridFTP data channel.
##
## Returns: true if the connection should be further polled for an
## exceeded :bro:see:`GridFTP::size_threshold`, else false.
## exceeded :zeek:see:`GridFTP::size_threshold`, else false.
const data_channel_initial_criteria: function(c: connection): bool &redef;
}


@ -36,7 +36,7 @@ export {
## Parse FTP reply codes into the three constituent single digit values.
global parse_ftp_reply_code: function(code: count): ReplyCode;
## Event that can be handled to access the :bro:type:`FTP::Info`
## Event that can be handled to access the :zeek:type:`FTP::Info`
## record as it is sent on to the logging framework.
global log_ftp: event(rec: Info);
}


@ -7,16 +7,16 @@
module FTP;
export {
## Creates a URL from an :bro:type:`FTP::Info` record.
## Creates a URL from an :zeek:type:`FTP::Info` record.
##
## rec: An :bro:type:`FTP::Info` record.
## rec: An :zeek:type:`FTP::Info` record.
##
## Returns: A URL, not prefixed by ``"ftp://"``.
global build_url: function(rec: Info): string;
## Creates a URL from an :bro:type:`FTP::Info` record.
## Creates a URL from an :zeek:type:`FTP::Info` record.
##
## rec: An :bro:type:`FTP::Info` record.
## rec: An :zeek:type:`FTP::Info` record.
##
## Returns: A URL prefixed with ``"ftp://"``.
global build_url_ftp: function(rec: Info): string;


@ -14,44 +14,44 @@ export {
};
## Maximum number of originator files to log.
## :bro:see:`HTTP::max_files_policy` even is called once this
## :zeek:see:`HTTP::max_files_policy` even is called once this
## limit is reached to determine if it's enforced.
option max_files_orig = 15;
## Maximum number of responder files to log.
## :bro:see:`HTTP::max_files_policy` even is called once this
## :zeek:see:`HTTP::max_files_policy` even is called once this
## limit is reached to determine if it's enforced.
option max_files_resp = 15;
## Called when reaching the max number of files across a given HTTP
## connection according to :bro:see:`HTTP::max_files_orig`
## or :bro:see:`HTTP::max_files_resp`. Break from the hook
## connection according to :zeek:see:`HTTP::max_files_orig`
## or :zeek:see:`HTTP::max_files_resp`. Break from the hook
## early to signal that the file limit should not be applied.
global max_files_policy: hook(f: fa_file, is_orig: bool);
redef record Info += {
## An ordered vector of file unique IDs.
## Limited to :bro:see:`HTTP::max_files_orig` entries.
## Limited to :zeek:see:`HTTP::max_files_orig` entries.
orig_fuids: vector of string &log &optional;
## An ordered vector of filenames from the client.
## Limited to :bro:see:`HTTP::max_files_orig` entries.
## Limited to :zeek:see:`HTTP::max_files_orig` entries.
orig_filenames: vector of string &log &optional;
## An ordered vector of mime types.
## Limited to :bro:see:`HTTP::max_files_orig` entries.
## Limited to :zeek:see:`HTTP::max_files_orig` entries.
orig_mime_types: vector of string &log &optional;
## An ordered vector of file unique IDs.
## Limited to :bro:see:`HTTP::max_files_resp` entries.
## Limited to :zeek:see:`HTTP::max_files_resp` entries.
resp_fuids: vector of string &log &optional;
## An ordered vector of filenames from the server.
## Limited to :bro:see:`HTTP::max_files_resp` entries.
## Limited to :zeek:see:`HTTP::max_files_resp` entries.
resp_filenames: vector of string &log &optional;
## An ordered vector of mime types.
## Limited to :bro:see:`HTTP::max_files_resp` entries.
## Limited to :zeek:see:`HTTP::max_files_resp` entries.
resp_mime_types: vector of string &log &optional;
## The current entity.
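Review bot: The doc comments for `max_files_orig` and `max_files_resp` still read "even is called once this limit is reached", which is a typo carried over unchanged onto the new `:zeek:see:` lines. Since `HTTP::max_files_policy` is declared as a hook later in this same section, "hook" is the more accurate word than "event"; I would reword both comments to say that the ``:zeek:see:`HTTP::max_files_policy` hook is called once this limit is reached``. These two options cap how many file IDs, filenames and MIME types are logged per direction, so the comment should make it clear that a hook handler can lift the cap.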


@ -17,18 +17,18 @@ export {
## Returns: A vector of strings containing the keys.
global extract_keys: function(data: string, kv_splitter: pattern): string_vec;
## Creates a URL from an :bro:type:`HTTP::Info` record. This should
## Creates a URL from an :zeek:type:`HTTP::Info` record. This should
## handle edge cases such as proxied requests appropriately.
##
## rec: An :bro:type:`HTTP::Info` record.
## rec: An :zeek:type:`HTTP::Info` record.
##
## Returns: A URL, not prefixed by ``"http://"``.
global build_url: function(rec: Info): string;
## Creates a URL from an :bro:type:`HTTP::Info` record. This should
## Creates a URL from an :zeek:type:`HTTP::Info` record. This should
## handle edge cases such as proxied requests appropriately.
##
## rec: An :bro:type:`HTTP::Info` record.
## rec: An :zeek:type:`HTTP::Info` record.
##
## Returns: A URL prefixed with ``"http://"``.
global build_url_http: function(rec: Info): string;


@ -75,7 +75,7 @@ export {
## c: The connection over which the :abbr:`SSH (Secure Shell)`
## connection took place.
##
## .. bro:see:: ssh_server_version ssh_client_version
## .. zeek:see:: ssh_server_version ssh_client_version
## ssh_auth_successful ssh_auth_result ssh_auth_attempted
## ssh_capabilities ssh2_server_host_key ssh1_server_host_key
## ssh_server_host_key ssh_encrypted_packet ssh2_dh_server_params
@ -98,7 +98,7 @@ export {
## auth_attempts: The number of authentication attempts that were
## observed.
##
## .. bro:see:: ssh_server_version ssh_client_version
## .. zeek:see:: ssh_server_version ssh_client_version
## ssh_auth_successful ssh_auth_failed ssh_auth_attempted
## ssh_capabilities ssh2_server_host_key ssh1_server_host_key
## ssh_server_host_key ssh_encrypted_packet ssh2_dh_server_params
@ -106,10 +106,10 @@ export {
global ssh_auth_result: event(c: connection, result: bool, auth_attempts: count);
## Event that can be handled when the analyzer sees an SSH server host
## key. This abstracts :bro:id:`ssh1_server_host_key` and
## :bro:id:`ssh2_server_host_key`.
## key. This abstracts :zeek:id:`ssh1_server_host_key` and
## :zeek:id:`ssh2_server_host_key`.
##
## .. bro:see:: ssh_server_version ssh_client_version
## .. zeek:see:: ssh_server_version ssh_client_version
## ssh_auth_successful ssh_auth_failed ssh_auth_result
## ssh_auth_attempted ssh_capabilities ssh2_server_host_key
## ssh1_server_host_key ssh_encrypted_packet ssh2_dh_server_params


@ -46,7 +46,7 @@ export {
};
## Perform an HTTP request according to the
## :bro:type:`ActiveHTTP::Request` record. This is an asynchronous
## :zeek:type:`ActiveHTTP::Request` record. This is an asynchronous
## function and must be called within a "when" statement.
##
## req: A record instance representing all options for an HTTP request.


@ -13,7 +13,7 @@ export {
## on the right to the originator on the left.
global reverse_id_string: function(id: conn_id): string;
## Calls :bro:id:`id_string` or :bro:id:`reverse_id_string` if the
## Calls :zeek:id:`id_string` or :zeek:id:`reverse_id_string` if the
## second argument is T or F, respectively.
global directed_id_string: function(id: conn_id, is_orig: bool): string;
}


@ -6,7 +6,7 @@ module Dir;
export {
## The default interval this module checks for files in directories when
## using the :bro:see:`Dir::monitor` function.
## using the :zeek:see:`Dir::monitor` function.
option polling_interval = 30sec;
## Register a directory to monitor with a callback that is called


@ -8,7 +8,7 @@ export {
type Command: record {
## The command line to execute. Use care to avoid injection
## attacks (i.e., if the command uses untrusted/variable data,
## sanitize it with :bro:see:`safe_shell_quote`).
## sanitize it with :zeek:see:`safe_shell_quote`).
cmd: string;
## Provide standard input to the program as a string.
stdin: string &default="";
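Review bot: The comment on `cmd` says to sanitize untrusted data with `safe_shell_quote` but not what exactly to quote, and quoting the assembled command line instead of each untrusted value is an easy mistake to make. I would add a line such as `## Quote each untrusted value individually before concatenating it into the command line.` The `stdin` field just below is presumably the safer channel for untrusted payload data, since it is not part of the command line; if that holds for the implementation, the comment could say so. The `Command` record continues outside the hunk.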


@ -10,7 +10,7 @@
## Returns: The distance between *a1* and *a2* in miles, or -1.0 if GeoIP data
## is not available for either of the IP addresses.
##
## .. bro:see:: haversine_distance lookup_location
## .. zeek:see:: haversine_distance lookup_location
function haversine_distance_ip(a1: addr, a2: addr): double
{
local loc1 = lookup_location(a1);


@ -75,7 +75,7 @@ function build_path(dir: string, file_name: string): string
}
## Returns a compressed path to a file given a directory and file name.
## See :bro:id:`build_path` and :bro:id:`compress_path`.
## See :zeek:id:`build_path` and :zeek:id:`compress_path`.
function build_path_compressed(dir: string, file_name: string): string
{
return compress_path(build_path(dir, file_name));


@ -37,7 +37,7 @@ type PatternMatchResult: record {
};
## Matches the given pattern against the given string, returning
## a :bro:type:`PatternMatchResult` record.
## a :zeek:type:`PatternMatchResult` record.
## For example: ``match_pattern("foobar", /o*[a-k]/)`` returns
## ``[matched=T, str=f, off=1]``, because the *first* match is for
## zero o's followed by an [a-k], but ``match_pattern("foobar", /o+[a-k]/)``


@ -22,9 +22,9 @@ export {
option local_nets: set[subnet] = {};
## This is used for retrieving the subnet when using multiple entries in
## :bro:id:`Site::local_nets`. It's populated automatically from there.
## :zeek:id:`Site::local_nets`. It's populated automatically from there.
## A membership query can be done with an
## :bro:type:`addr` and the table will yield the subnet it was found
## :zeek:type:`addr` and the table will yield the subnet it was found
## within.
global local_nets_table: table[subnet] of subnet = {};
@ -45,33 +45,33 @@ export {
## Function that returns true if an address corresponds to one of
## the local networks, false if not.
## The function inspects :bro:id:`Site::local_nets`.
## The function inspects :zeek:id:`Site::local_nets`.
global is_local_addr: function(a: addr): bool;
## Function that returns true if an address corresponds to one of
## the neighbor networks, false if not.
## The function inspects :bro:id:`Site::neighbor_nets`.
## The function inspects :zeek:id:`Site::neighbor_nets`.
global is_neighbor_addr: function(a: addr): bool;
## Function that returns true if an address corresponds to one of
## the private/unrouted networks, false if not.
## The function inspects :bro:id:`Site::private_address_space`.
## The function inspects :zeek:id:`Site::private_address_space`.
global is_private_addr: function(a: addr): bool;
## Function that returns true if a host name is within a local
## DNS zone.
## The function inspects :bro:id:`Site::local_zones`.
## The function inspects :zeek:id:`Site::local_zones`.
global is_local_name: function(name: string): bool;
## Function that returns true if a host name is within a neighbor
## DNS zone.
## The function inspects :bro:id:`Site::neighbor_zones`.
## The function inspects :zeek:id:`Site::neighbor_zones`.
global is_neighbor_name: function(name: string): bool;
## Function that returns a comma-separated list of email addresses
## that are considered administrators for the IP address provided as
## an argument.
## The function inspects :bro:id:`Site::local_admins`.
## The function inspects :zeek:id:`Site::local_admins`.
global get_emails: function(a: addr): string;
}


@ -1,8 +1,8 @@
##! Functions for using multiple thresholds with a counting tracker. For
##! example, you may want to generate a notice when something happens 10 times
##! and again when it happens 100 times but nothing in between. You can use
##! the :bro:id:`check_threshold` function to define your threshold points
##! and the :bro:type:`TrackCount` variable where you are keeping track of your
##! the :zeek:id:`check_threshold` function to define your threshold points
##! and the :zeek:type:`TrackCount` variable where you are keeping track of your
##! counter.
module GLOBAL;
@ -18,12 +18,12 @@ export {
};
## The thresholds you would like to use as defaults with the
## :bro:id:`default_check_threshold` function.
## :zeek:id:`default_check_threshold` function.
const default_notice_thresholds: vector of count = {
30, 100, 1000, 10000, 100000, 1000000, 10000000,
} &redef;
## This will check if a :bro:type:`TrackCount` variable has crossed any
## This will check if a :zeek:type:`TrackCount` variable has crossed any
## thresholds in a given set.
##
## v: a vector holding counts that represent thresholds.
@ -34,8 +34,8 @@ export {
## Returns: T if a threshold has been crossed, else F.
global check_threshold: function(v: vector of count, tracker: TrackCount): bool;
## This will use the :bro:id:`default_notice_thresholds` variable to
## check a :bro:type:`TrackCount` variable to see if it has crossed
## This will use the :zeek:id:`default_notice_thresholds` variable to
## check a :zeek:type:`TrackCount` variable to see if it has crossed
## another threshold.
global default_check_threshold: function(tracker: TrackCount): bool;
}


@ -3,7 +3,7 @@
## A regular expression for matching and extracting URLs.
const url_regex = /^([a-zA-Z\-]{3,5})(:\/\/[^\/?#"'\r\n><]*)([^?#"'\r\n><]*)([^[:blank:]\r\n"'><]*|\??[^"'\r\n><]*)/ &redef;
## A URI, as parsed by :bro:id:`decompose_uri`.
## A URI, as parsed by :zeek:id:`decompose_uri`.
type URI: record {
## The URL's scheme..
scheme: string &optional;


@ -1,4 +0,0 @@
This package is loaded during the process which automatically generates
reference documentation for all Bro scripts (i.e. "Broxygen"). Its only
purpose is to provide an easy way to load all known Bro scripts plus any
extra scripts needed or used by the documentation process.


@ -1,6 +1,6 @@
##! This script enables logging of packet segment data when a protocol
##! parsing violation is encountered. The amount of data from the
##! packet logged is set by the :bro:see:`DPD::packet_segment_size` variable.
##! packet logged is set by the :zeek:see:`DPD::packet_segment_size` variable.
##! A caveat to logging packet data is that in some cases, the packet may
##! not be the packet that actually caused the protocol violation.


@ -1,6 +1,6 @@
##! Loading this script extends the :bro:enum:`Notice::ACTION_EMAIL` action
##! Loading this script extends the :zeek:enum:`Notice::ACTION_EMAIL` action
##! by appending to the email the hostnames associated with
##! :bro:type:`Notice::Info`'s *src* and *dst* fields as determined by a
##! :zeek:type:`Notice::Info`'s *src* and *dst* fields as determined by a
##! DNS lookup.
@load base/frameworks/notice/main


@ -23,7 +23,7 @@ export {
## update done by the `PacketFilter` framework.
global unshunt_host_pair: function(id: conn_id): bool;
## Performs the same function as the :bro:id:`PacketFilter::unshunt_host_pair`
## Performs the same function as the :zeek:id:`PacketFilter::unshunt_host_pair`
## function, but it forces an immediate filter update.
global force_unshunt_host_pair: function(id: conn_id): bool;
@ -34,7 +34,7 @@ export {
global current_shunted_host_pairs: function(): set[conn_id];
redef enum Notice::Type += {
## Indicative that :bro:id:`PacketFilter::max_bpf_shunts`
## Indicative that :zeek:id:`PacketFilter::max_bpf_shunts`
## connections are already being shunted with BPF filters and
## no more are allowed.
No_More_Conn_Shunts_Available,


@ -12,7 +12,7 @@ export {
## For certain software, a version changing may matter. In that
## case, this notice will be generated. Software that matters
## if the version changes can be configured with the
## :bro:id:`Software::interesting_version_changes` variable.
## :zeek:id:`Software::interesting_version_changes` variable.
Software_Version_Change,
};


@ -18,8 +18,8 @@ export {
alert: AlertData &log;
};
## This can convert a Barnyard :bro:type:`Barnyard2::PacketID` value to
## a :bro:type:`conn_id` value in the case that you might need to index
## This can convert a Barnyard :zeek:type:`Barnyard2::PacketID` value to
## a :zeek:type:`conn_id` value in the case that you might need to index
## into an existing data structure elsewhere within Bro.
global pid2cid: function(p: PacketID): conn_id;
}


@ -41,7 +41,7 @@ export {
option watch_interval = 15mins;
## The percentage of missed data that is considered "too much"
## when the :bro:enum:`CaptureLoss::Too_Much_Loss` notice should be
## when the :zeek:enum:`CaptureLoss::Too_Much_Loss` notice should be
## generated. The value is expressed as a double between 0 and 1 with 1
## being 100%.
option too_much_loss: double = 0.1;


@ -34,7 +34,7 @@ export {
const icmp_time_exceeded_threshold: double = 3 &redef;
## Interval at which to watch for the
## :bro:id:`Traceroute::icmp_time_exceeded_threshold` variable to be
## :zeek:id:`Traceroute::icmp_time_exceeded_threshold` variable to be
## crossed. At the end of each interval the counter is reset.
const icmp_time_exceeded_interval = 3min &redef;


@ -9,7 +9,7 @@ redef profiling_file = open_log_file("prof");
redef profiling_interval = 15 secs;
## Set the expensive profiling interval (multiple of
## :bro:id:`profiling_interval`).
## :zeek:id:`profiling_interval`).
redef expensive_profiling_multiple = 20;
event zeek_init()


@ -15,17 +15,17 @@ export {
redef enum Notice::Type += {
## Address scans detect that a host appears to be scanning some
## number of destinations on a single port. This notice is
## generated when more than :bro:id:`Scan::addr_scan_threshold`
## generated when more than :zeek:id:`Scan::addr_scan_threshold`
## unique hosts are seen over the previous
## :bro:id:`Scan::addr_scan_interval` time range.
## :zeek:id:`Scan::addr_scan_interval` time range.
Address_Scan,
## Port scans detect that an attacking host appears to be
## scanning a single victim host on several ports. This notice
## is generated when an attacking host attempts to connect to
## :bro:id:`Scan::port_scan_threshold`
## :zeek:id:`Scan::port_scan_threshold`
## unique ports on a single host over the previous
## :bro:id:`Scan::port_scan_interval` time range.
## :zeek:id:`Scan::port_scan_interval` time range.
Port_Scan,
};


@ -11,7 +11,7 @@ export {
## tracefile rotation is required with the caveat that the script
## doesn't currently attempt to get back on schedule automatically and
## the next trim likely won't happen on the
## :bro:id:`TrimTraceFile::trim_interval`.
## :zeek:id:`TrimTraceFile::trim_interval`.
global go: event(first_trim: bool);
}


@ -28,22 +28,22 @@ export {
const use_host_store = T &redef;
## The hosts whose existence should be logged and tracked.
## See :bro:type:`Host` for possible choices.
## See :zeek:type:`Host` for possible choices.
option host_tracking = LOCAL_HOSTS;
## Holds the set of all known hosts. Keys in the store are addresses
## and their associated value will always be the "true" boolean.
global host_store: Cluster::StoreInfo;
## The Broker topic name to use for :bro:see:`Known::host_store`.
## The Broker topic name to use for :zeek:see:`Known::host_store`.
const host_store_name = "bro/known/hosts" &redef;
## The expiry interval of new entries in :bro:see:`Known::host_store`.
## The expiry interval of new entries in :zeek:see:`Known::host_store`.
## This also changes the interval at which hosts get logged.
const host_store_expiry = 1day &redef;
## The timeout interval to use for operations against
## :bro:see:`Known::host_store`.
## :zeek:see:`Known::host_store`.
option host_store_timeout = 15sec;
## The set of all known addresses to store for preventing duplicate
@ -56,7 +56,7 @@ export {
## proxy nodes.
global hosts: set[addr] &create_expire=1day &redef;
## An event that can be handled to access the :bro:type:`Known::HostsInfo`
## An event that can be handled to access the :zeek:type:`Known::HostsInfo`
## record as it is sent on to the logging framework.
global log_known_hosts: event(rec: HostsInfo);
}


@ -34,7 +34,7 @@ export {
const use_service_store = T &redef;
## The hosts whose services should be tracked and logged.
## See :bro:type:`Host` for possible choices.
## See :zeek:type:`Host` for possible choices.
option service_tracking = LOCAL_HOSTS;
type AddrPortPair: record {
@ -43,19 +43,19 @@ export {
};
## Holds the set of all known services. Keys in the store are
## :bro:type:`Known::AddrPortPair` and their associated value is
## :zeek:type:`Known::AddrPortPair` and their associated value is
## always the boolean value of "true".
global service_store: Cluster::StoreInfo;
## The Broker topic name to use for :bro:see:`Known::service_store`.
## The Broker topic name to use for :zeek:see:`Known::service_store`.
const service_store_name = "bro/known/services" &redef;
## The expiry interval of new entries in :bro:see:`Known::service_store`.
## The expiry interval of new entries in :zeek:see:`Known::service_store`.
## This also changes the interval at which services get logged.
const service_store_expiry = 1day &redef;
## The timeout interval to use for operations against
## :bro:see:`Known::service_store`.
## :zeek:see:`Known::service_store`.
option service_store_timeout = 15sec;
## Tracks the set of daily-detected services for preventing the logging
@ -68,7 +68,7 @@ export {
## This set is automatically populated and shouldn't be directly modified.
global services: set[addr, port] &create_expire=1day;
## Event that can be handled to access the :bro:type:`Known::ServicesInfo`
## Event that can be handled to access the :zeek:type:`Known::ServicesInfo`
## record as it is sent on to the logging framework.
global log_known_services: event(rec: ServicesInfo);
}


@ -11,9 +11,9 @@
## .. note:: This type is included to support the deprecated events dhcp_ack,
## dhcp_decline, dhcp_discover, dhcp_inform, dhcp_nak, dhcp_offer,
## dhcp_release and dhcp_request and is thus similarly deprecated
## itself. Use :bro:see:`dhcp_message` instead.
## itself. Use :zeek:see:`dhcp_message` instead.
##
## .. bro:see:: dhcp_message dhcp_ack dhcp_decline dhcp_discover
## .. zeek:see:: dhcp_message dhcp_ack dhcp_decline dhcp_discover
## dhcp_inform dhcp_nak dhcp_offer dhcp_release dhcp_request
type dhcp_msg: record {
op: count; ##< Message OP code. 1 = BOOTREQUEST, 2 = BOOTREPLY
@ -28,9 +28,9 @@ type dhcp_msg: record {
##
## .. note:: This type is included to support the deprecated events dhcp_ack
## and dhcp_offer and is thus similarly deprecated
## itself. Use :bro:see:`dhcp_message` instead.
## itself. Use :zeek:see:`dhcp_message` instead.
##
## .. bro:see:: dhcp_message dhcp_ack dhcp_offer
## .. zeek:see:: dhcp_message dhcp_ack dhcp_offer
type dhcp_router_list: table[count] of addr;
## Generated for DHCP messages of type *DHCPDISCOVER* (client broadcast to locate
@ -44,7 +44,7 @@ type dhcp_router_list: table[count] of addr;
##
## host_name: The value of the host name option, if specified by the client.
##
## .. bro:see:: dhcp_message dhcp_discover dhcp_offer dhcp_request
## .. zeek:see:: dhcp_message dhcp_discover dhcp_offer dhcp_request
## dhcp_decline dhcp_ack dhcp_nak dhcp_release dhcp_inform
##
## .. note:: This event has been deprecated, and will be removed in the next version.
@ -74,7 +74,7 @@ global dhcp_discover: event(c: connection, msg: dhcp_msg, req_addr: addr, host_n
## host_name: Optional host name value. May differ from the host name requested
## from the client.
##
## .. bro:see:: dhcp_message dhcp_discover dhcp_request dhcp_decline
## .. zeek:see:: dhcp_message dhcp_discover dhcp_request dhcp_decline
## dhcp_ack dhcp_nak dhcp_release dhcp_inform
##
## .. note:: This event has been deprecated, and will be removed in the next version.
@ -101,7 +101,7 @@ global dhcp_offer: event(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_
##
## host_name: The value of the host name option, if specified by the client.
##
## .. bro:see:: dhcp_message dhcp_discover dhcp_offer dhcp_decline
## .. zeek:see:: dhcp_message dhcp_discover dhcp_offer dhcp_decline
## dhcp_ack dhcp_nak dhcp_release dhcp_inform
##
## .. note:: This event has been deprecated, and will be removed in the next version.
@ -122,7 +122,7 @@ global dhcp_request: event(c: connection, msg: dhcp_msg, req_addr: addr, serv_ad
##
## host_name: Optional host name value.
##
## .. bro:see:: dhcp_message dhcp_discover dhcp_offer dhcp_request
## .. zeek:see:: dhcp_message dhcp_discover dhcp_offer dhcp_request
## dhcp_ack dhcp_nak dhcp_release dhcp_inform
##
## .. note:: This event has been deprecated, and will be removed in the next version.
@ -152,7 +152,7 @@ global dhcp_decline: event(c: connection, msg: dhcp_msg, host_name: string) &dep
## host_name: Optional host name value. May differ from the host name requested
## from the client.
##
## .. bro:see:: dhcp_message dhcp_discover dhcp_offer dhcp_request
## .. zeek:see:: dhcp_message dhcp_discover dhcp_offer dhcp_request
## dhcp_decline dhcp_nak dhcp_release dhcp_inform
##
## .. note:: This event has been deprecated, and will be removed in the next version.
@ -170,7 +170,7 @@ global dhcp_ack: event(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_ro
##
## host_name: Optional host name value.
##
## .. bro:see:: dhcp_message dhcp_discover dhcp_offer dhcp_request
## .. zeek:see:: dhcp_message dhcp_discover dhcp_offer dhcp_request
## dhcp_decline dhcp_ack dhcp_release dhcp_inform
##
## .. note:: This event has been deprecated, and will be removed in the next version.
@ -191,7 +191,7 @@ global dhcp_nak: event(c: connection, msg: dhcp_msg, host_name: string) &depreca
##
## host_name: The value of the host name option, if specified by the client.
##
## .. bro:see:: dhcp_message dhcp_discover dhcp_offer dhcp_request
## .. zeek:see:: dhcp_message dhcp_discover dhcp_offer dhcp_request
## dhcp_decline dhcp_ack dhcp_nak dhcp_inform
##
## .. note:: This event has been deprecated, and will be removed in the next version.
@ -209,7 +209,7 @@ global dhcp_release: event(c: connection, msg: dhcp_msg, host_name: string) &dep
##
## host_name: The value of the host name option, if specified by the client.
##
## .. bro:see:: dhcp_message dhcp_discover dhcp_offer dhcp_request
## .. zeek:see:: dhcp_message dhcp_discover dhcp_offer dhcp_request
## dhcp_decline dhcp_ack dhcp_nak dhcp_release
##
## .. note:: This event has been deprecated, and will be removed in the next version.


@ -1,6 +1,6 @@
##! This script detects names which are not within zones considered to be
##! local but resolving to addresses considered local.
##! The :bro:id:`Site::local_zones` variable **must** be set appropriately for
##! The :zeek:id:`Site::local_zones` variable **must** be set appropriately for
##! this detection.
@load base/frameworks/notice
@ -11,7 +11,7 @@ module DNS;
export {
redef enum Notice::Type += {
## Raised when a non-local name is found to be pointing at a
## local host. The :bro:id:`Site::local_zones` variable
## local host. The :zeek:id:`Site::local_zones` variable
## **must** be set appropriately for this detection.
External_Name,
};


@ -35,7 +35,7 @@ export {
const sqli_requests_threshold: double = 50.0 &redef;
## Interval at which to watch for the
## :bro:id:`HTTP::sqli_requests_threshold` variable to be crossed.
## :zeek:id:`HTTP::sqli_requests_threshold` variable to be crossed.
## At the end of each interval the counter is reset.
const sqli_requests_interval = 5min &redef;


@ -13,7 +13,7 @@ export {
## This is the default value for how much of the entity body should be
## included for all MIME entities. The lesser of this value and
## :bro:see:`default_file_bof_buffer_size` will be used.
## :zeek:see:`default_file_bof_buffer_size` will be used.
option default_entity_excerpt_len = 0;
}


@ -11,7 +11,7 @@ module SSH;
export {
redef enum Notice::Type += {
## Indicates that a host has been identified as crossing the
## :bro:id:`SSH::password_guesses_limit` threshold with
## :zeek:id:`SSH::password_guesses_limit` threshold with
## failed logins.
Password_Guessing,
## Indicates that a host previously identified as a "password


@ -8,7 +8,7 @@ module SSH;
export {
redef enum Notice::Type += {
## If an SSH login is seen to or from a "watched" country based
## on the :bro:id:`SSH::watched_countries` variable then this
## on the :zeek:id:`SSH::watched_countries` variable then this
## notice will be generated.
Watched_Country_Login,
};


@ -12,7 +12,7 @@ export {
redef enum Notice::Type += {
## Generated if a login originates or responds with a host where
## the reverse hostname lookup resolves to a name matched by the
## :bro:id:`SSH::interesting_hostnames` regular expression.
## :zeek:id:`SSH::interesting_hostnames` regular expression.
Interesting_Hostname_Login,
};


@ -15,7 +15,7 @@ export {
## and the certificate is now invalid.
Certificate_Expired,
## Indicates that a certificate is going to expire within
## :bro:id:`SSL::notify_when_cert_expiring_in`.
## :zeek:id:`SSL::notify_when_cert_expiring_in`.
Certificate_Expires_Soon,
## Indicates that a certificate's NotValidBefore date is future
## dated.
@ -30,7 +30,7 @@ export {
option notify_certs_expiration = LOCAL_HOSTS;
## The time before a certificate is going to expire that you would like
## to start receiving :bro:enum:`SSL::Certificate_Expires_Soon` notices.
## to start receiving :zeek:enum:`SSL::Certificate_Expires_Soon` notices.
option notify_when_cert_expiring_in = 30days;
}


@ -43,19 +43,19 @@ export {
};
## Holds the set of all known certificates. Keys in the store are of
## type :bro:type:`Known::AddrCertHashPair` and their associated value is
## type :zeek:type:`Known::AddrCertHashPair` and their associated value is
## always the boolean value of "true".
global cert_store: Cluster::StoreInfo;
## The Broker topic name to use for :bro:see:`Known::cert_store`.
## The Broker topic name to use for :zeek:see:`Known::cert_store`.
const cert_store_name = "bro/known/certs" &redef;
## The expiry interval of new entries in :bro:see:`Known::cert_store`.
## The expiry interval of new entries in :zeek:see:`Known::cert_store`.
## This also changes the interval at which certs get logged.
option cert_store_expiry = 1day;
## The timeout interval to use for operations against
## :bro:see:`Known::cert_store`.
## :zeek:see:`Known::cert_store`.
option cert_store_timeout = 15sec;
## The set of all known certificates to store for preventing duplicate

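--- /dev/null
+++ b/scripts/zeexygen/README
@@ -0,0 +1,4 @@
+This package is loaded during the process which automatically generates
+reference documentation for all Zeek scripts (i.e. "Zeexygen"). Its only
+purpose is to provide an easy way to load all known Zeek scripts plus any
+extra scripts needed or used by the documentation process.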


@ -1,4 +1,4 @@
##! This is an example script that demonstrates Broxygen-style
##! This is an example script that demonstrates Zeexygen-style
##! documentation. It generally will make most sense when viewing
##! the script's raw source code and comparing to the HTML-rendered
##! version.
@ -11,14 +11,14 @@
##! .. tip:: You can embed directives and roles within ``##``-stylized comments.
##!
##! There's also a custom role to reference any identifier node in
##! the Bro Sphinx domain that's good for "see alsos", e.g.
##! the Zeek Sphinx domain that's good for "see alsos", e.g.
##!
##! See also: :bro:see:`BroxygenExample::a_var`,
##! :bro:see:`BroxygenExample::ONE`, :bro:see:`SSH::Info`
##! See also: :zeek:see:`ZeexygenExample::a_var`,
##! :zeek:see:`ZeexygenExample::ONE`, :zeek:see:`SSH::Info`
##!
##! And a custom directive does the equivalent references:
##!
##! .. bro:see:: BroxygenExample::a_var BroxygenExample::ONE SSH::Info
##! .. zeek:see:: ZeexygenExample::a_var ZeexygenExample::ONE SSH::Info
# Comments that use a single pound sign (#) are not significant to
# a script's auto-generated documentation, but ones that use a
@ -30,7 +30,7 @@
# variable declarations to associate with the last-declared identifier.
#
# Generally, the auto-doc comments (##) are associated with the
# next declaration/identifier found in the script, but Broxygen
# next declaration/identifier found in the script, but Zeexygen
# will track/render identifiers regardless of whether they have any
# of these special comments associated with them.
#
@ -49,19 +49,19 @@
# "module" statements are self-documenting, don't use any ``##`` style
# comments with them.
module BroxygenExample;
module ZeexygenExample;
# Redefinitions of "Notice::Type" are self-documenting, but
# more information can be supplied in two different ways.
redef enum Notice::Type += {
## Any number of this type of comment
## will document "Broxygen_One".
Broxygen_One,
Broxygen_Two, ##< Any number of this type of comment
##< will document "BROXYGEN_TWO".
Broxygen_Three,
## will document "Zeexygen_One".
Zeexygen_One,
Zeexygen_Two, ##< Any number of this type of comment
##< will document "ZEEXYGEN_TWO".
Zeexygen_Three,
## Omitting comments is fine, and so is mixing ``##`` and ``##<``, but
Broxygen_Four, ##< it's probably best to use only one style consistently.
Zeexygen_Four, ##< it's probably best to use only one style consistently.
};
# All redefs are automatically tracked. Comments of the "##" form can be use
@ -110,7 +110,7 @@ export {
type ComplexRecord: record {
field1: count; ##< Counts something.
field2: bool; ##< Toggles something.
field3: SimpleRecord; ##< Broxygen automatically tracks types
field3: SimpleRecord; ##< Zeexygen automatically tracks types
##< and cross-references are automatically
##< inserted in to generated docs.
msg: string &default="blah"; ##< Attributes are self-documenting.
@ -163,9 +163,9 @@ export {
## Summarize "an_event" here.
## Give more details about "an_event" here.
##
## BroxygenExample::a_function should not be confused as a parameter
## ZeexygenExample::a_function should not be confused as a parameter
## in the generated docs, but it also doesn't generate a cross-reference
## link. Use the see role instead: :bro:see:`BroxygenExample::a_function`.
## link. Use the see role instead: :zeek:see:`ZeexygenExample::a_function`.
##
## name: Describe the argument here.
global an_event: event(name: string);
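Review bot: The trailing comment on `Zeexygen_Two` says it documents "ZEEXYGEN_TWO", which does not match the identifier's spelling; the mismatch was carried over unchanged from the old "BROXYGEN_TWO" text. Because this script exists to show readers how `##<` comments attach to the identifier they follow, the comment should name it exactly: `##< will document "Zeexygen_Two".` The leading-comment form two lines above it already uses the exact spelling ("Zeexygen_One"), so this also makes the two examples consistent.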


@ -51,7 +51,7 @@ void Attr::Describe(ODesc* d) const
void Attr::DescribeReST(ODesc* d) const
{
d->Add(":bro:attr:`");
d->Add(":zeek:attr:`");
AddTag(d);
d->Add("`");
@ -64,14 +64,14 @@ void Attr::DescribeReST(ODesc* d) const
if ( expr->Tag() == EXPR_NAME )
{
d->Add(":bro:see:`");
d->Add(":zeek:see:`");
expr->Describe(d);
d->Add("`");
}
else if ( expr->Type()->Tag() == TYPE_FUNC )
{
d->Add(":bro:type:`");
d->Add(":zeek:type:`");
d->Add(expr->Type()->AsFuncType()->FlavorString());
d->Add("`");
}
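Review bot: The Sphinx domain prefix is spelled out as a string literal at every call site: `":zeek:attr:`"`, `":zeek:see:`"` and `":zeek:type:`"` here, and again in the ID and the various type `DescribeReST` methods in the sections that follow, which is why this rename touches so many lines. A single shared constant for the domain name, for example `static const char* const rest_domain = "zeek";` (name constructed for illustration), plus a small helper that builds the `:<domain>:<role>:` prefix would make the emitted reST consistent by construction. The generated output only resolves if the Sphinx extension in the `doc` submodule registers the same `zeek` roles, so it is worth confirming that the submodule bump in this commit does that. `Attr::DescribeReST` starts and ends outside the hunks shown.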


@ -143,7 +143,7 @@ set(bro_PLUGIN_LIBS CACHE INTERNAL "plugin libraries" FORCE)
add_subdirectory(analyzer)
add_subdirectory(broker)
add_subdirectory(broxygen)
add_subdirectory(zeexygen)
add_subdirectory(file_analysis)
add_subdirectory(input)
add_subdirectory(iosource)


@ -18,7 +18,7 @@ DebugLogger::Stream DebugLogger::streams[NUM_DBGS] = {
{ "dpd", 0, false }, { "tm", 0, false },
{ "logging", 0, false }, {"input", 0, false },
{ "threading", 0, false }, { "file_analysis", 0, false },
{ "plugins", 0, false }, { "broxygen", 0, false },
{ "plugins", 0, false }, { "zeexygen", 0, false },
{ "pktio", 0, false }, { "broker", 0, false },
{ "scripts", 0, false}
};
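Review bot: The string in `{ "zeexygen", 0, false }` is a runtime name, not only an internal identifier, and the NEWS entry for this commit mentions only the `--broxygen` flag. Presumably this is the name matched against the `-B` debug-stream argument (the lookup is not visible here); if so, existing invocations that select the `broxygen` stream will stop matching it after this change. I would add a sentence to NEWS such as `The "broxygen" debug stream is likewise now named "zeexygen".` The entry keeps its position in `streams[]`, which looks like it must stay aligned with the `DebugStream` enum order, so the rename itself is safe.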


@ -30,7 +30,7 @@ enum DebugStream {
DBG_THREADING, // Threading system
DBG_FILE_ANALYSIS, // File analysis
DBG_PLUGINS, // Plugin system
DBG_BROXYGEN, // Broxygen
DBG_ZEEXYGEN, // Zeexygen
DBG_PKTIO, // Packet sources and dumpers.
DBG_BROKER, // Broker communication
DBG_SCRIPTS, // Script initialization


@ -14,7 +14,7 @@
#include "PersistenceSerializer.h"
#include "Scope.h"
#include "Traverse.h"
#include "broxygen/Manager.h"
#include "zeexygen/Manager.h"
ID::ID(const char* arg_name, IDScope arg_scope, bool arg_is_export)
{
@ -651,9 +651,9 @@ void ID::DescribeExtended(ODesc* d) const
void ID::DescribeReSTShort(ODesc* d) const
{
if ( is_type )
d->Add(":bro:type:`");
d->Add(":zeek:type:`");
else
d->Add(":bro:id:`");
d->Add(":zeek:id:`");
d->Add(name);
d->Add("`");
@ -661,7 +661,7 @@ void ID::DescribeReSTShort(ODesc* d) const
if ( type )
{
d->Add(": ");
d->Add(":bro:type:`");
d->Add(":zeek:type:`");
if ( ! is_type && ! type->GetName().empty() )
d->Add(type->GetName().c_str());
@ -682,7 +682,7 @@ void ID::DescribeReSTShort(ODesc* d) const
if ( is_type )
d->Add(type_name(t));
else
d->Add(broxygen_mgr->GetEnumTypeName(Name()).c_str());
d->Add(zeexygen_mgr->GetEnumTypeName(Name()).c_str());
break;
default:
@ -706,18 +706,18 @@ void ID::DescribeReST(ODesc* d, bool roles_only) const
if ( roles_only )
{
if ( is_type )
d->Add(":bro:type:`");
d->Add(":zeek:type:`");
else
d->Add(":bro:id:`");
d->Add(":zeek:id:`");
d->Add(name);
d->Add("`");
}
else
{
if ( is_type )
d->Add(".. bro:type:: ");
d->Add(".. zeek:type:: ");
else
d->Add(".. bro:id:: ");
d->Add(".. zeek:id:: ");
d->Add(name);
}
@ -730,7 +730,7 @@ void ID::DescribeReST(ODesc* d, bool roles_only) const
if ( ! is_type && ! type->GetName().empty() )
{
d->Add(":bro:type:`");
d->Add(":zeek:type:`");
d->Add(type->GetName());
d->Add("`");
}


@ -8,8 +8,8 @@
#include "Scope.h"
#include "Serializer.h"
#include "Reporter.h"
#include "broxygen/Manager.h"
#include "broxygen/utils.h"
#include "zeexygen/Manager.h"
#include "zeexygen/utils.h"
#include <string>
#include <list>
@ -190,7 +190,7 @@ void BroType::Describe(ODesc* d) const
void BroType::DescribeReST(ODesc* d, bool roles_only) const
{
d->Add(fmt(":bro:type:`%s`", type_name(Tag())));
d->Add(fmt(":zeek:type:`%s`", type_name(Tag())));
}
void BroType::SetError()
@ -478,7 +478,7 @@ void IndexType::Describe(ODesc* d) const
void IndexType::DescribeReST(ODesc* d, bool roles_only) const
{
d->Add(":bro:type:`");
d->Add(":zeek:type:`");
if ( IsSet() )
d->Add("set");
@ -497,7 +497,7 @@ void IndexType::DescribeReST(ODesc* d, bool roles_only) const
if ( ! t->GetName().empty() )
{
d->Add(":bro:type:`");
d->Add(":zeek:type:`");
d->Add(t->GetName());
d->Add("`");
}
@ -513,7 +513,7 @@ void IndexType::DescribeReST(ODesc* d, bool roles_only) const
if ( ! yield_type->GetName().empty() )
{
d->Add(":bro:type:`");
d->Add(":zeek:type:`");
d->Add(yield_type->GetName());
d->Add("`");
}
@ -800,7 +800,7 @@ void FuncType::Describe(ODesc* d) const
void FuncType::DescribeReST(ODesc* d, bool roles_only) const
{
d->Add(":bro:type:`");
d->Add(":zeek:type:`");
d->Add(FlavorString());
d->Add("`");
d->Add(" (");
@ -813,7 +813,7 @@ void FuncType::DescribeReST(ODesc* d, bool roles_only) const
if ( ! yield->GetName().empty() )
{
d->Add(":bro:type:`");
d->Add(":zeek:type:`");
d->Add(yield->GetName());
d->Add("`");
}
@ -957,7 +957,7 @@ void TypeDecl::DescribeReST(ODesc* d, bool roles_only) const
if ( ! type->GetName().empty() )
{
d->Add(":bro:type:`");
d->Add(":zeek:type:`");
d->Add(type->GetName());
d->Add("`");
}
@ -1073,7 +1073,7 @@ void RecordType::Describe(ODesc* d) const
void RecordType::DescribeReST(ODesc* d, bool roles_only) const
{
d->PushType(this);
d->Add(":bro:type:`record`");
d->Add(":zeek:type:`record`");
if ( num_fields == 0 )
return;
@ -1197,8 +1197,8 @@ void RecordType::DescribeFieldsReST(ODesc* d, bool func_args) const
if ( func_args )
continue;
using broxygen::IdentifierInfo;
IdentifierInfo* doc = broxygen_mgr->GetIdentifierInfo(GetName());
using zeexygen::IdentifierInfo;
IdentifierInfo* doc = zeexygen_mgr->GetIdentifierInfo(GetName());
if ( ! doc )
{
@ -1217,7 +1217,7 @@ void RecordType::DescribeFieldsReST(ODesc* d, bool func_args) const
field_from_script != type_from_script )
{
d->PushIndent();
d->Add(broxygen::redef_indication(field_from_script).c_str());
d->Add(zeexygen::redef_indication(field_from_script).c_str());
d->PopIndent();
}
@ -1237,7 +1237,7 @@ void RecordType::DescribeFieldsReST(ODesc* d, bool func_args) const
{
string s = cmnts[i];
if ( broxygen::prettify_params(s) )
if ( zeexygen::prettify_params(s) )
d->NL();
d->Add(s.c_str());
@ -1405,7 +1405,7 @@ void OpaqueType::Describe(ODesc* d) const
void OpaqueType::DescribeReST(ODesc* d, bool roles_only) const
{
d->Add(fmt(":bro:type:`%s` of %s", type_name(Tag()), name.c_str()));
d->Add(fmt(":zeek:type:`%s` of %s", type_name(Tag()), name.c_str()));
}
IMPLEMENT_SERIAL(OpaqueType, SER_OPAQUE_TYPE);
@ -1505,7 +1505,7 @@ void EnumType::CheckAndAddName(const string& module_name, const char* name,
if ( deprecated )
id->MakeDeprecated();
broxygen_mgr->Identifier(id);
zeexygen_mgr->Identifier(id);
}
else
{
@ -1597,7 +1597,7 @@ EnumVal* EnumType::GetVal(bro_int_t i)
void EnumType::DescribeReST(ODesc* d, bool roles_only) const
{
d->Add(":bro:type:`enum`");
d->Add(":zeek:type:`enum`");
// Create temporary, reverse name map so that enums can be documented
// in ascending order of their actual integral value instead of by name.
@ -1614,12 +1614,12 @@ void EnumType::DescribeReST(ODesc* d, bool roles_only) const
d->PushIndent();
if ( roles_only )
d->Add(fmt(":bro:enum:`%s`", it->second.c_str()));
d->Add(fmt(":zeek:enum:`%s`", it->second.c_str()));
else
d->Add(fmt(".. bro:enum:: %s %s", it->second.c_str(), GetName().c_str()));
d->Add(fmt(".. zeek:enum:: %s %s", it->second.c_str(), GetName().c_str()));
using broxygen::IdentifierInfo;
IdentifierInfo* doc = broxygen_mgr->GetIdentifierInfo(it->second);
using zeexygen::IdentifierInfo;
IdentifierInfo* doc = zeexygen_mgr->GetIdentifierInfo(it->second);
if ( ! doc )
{
@ -1634,7 +1634,7 @@ void EnumType::DescribeReST(ODesc* d, bool roles_only) const
if ( doc->GetDeclaringScript() )
enum_from_script = doc->GetDeclaringScript()->Name();
IdentifierInfo* type_doc = broxygen_mgr->GetIdentifierInfo(GetName());
IdentifierInfo* type_doc = zeexygen_mgr->GetIdentifierInfo(GetName());
if ( type_doc && type_doc->GetDeclaringScript() )
type_from_script = type_doc->GetDeclaringScript()->Name();
@ -1644,7 +1644,7 @@ void EnumType::DescribeReST(ODesc* d, bool roles_only) const
{
d->NL();
d->PushIndent();
d->Add(broxygen::redef_indication(enum_from_script).c_str());
d->Add(zeexygen::redef_indication(enum_from_script).c_str());
d->PopIndent();
}
@ -1818,12 +1818,12 @@ void VectorType::Describe(ODesc* d) const
void VectorType::DescribeReST(ODesc* d, bool roles_only) const
{
d->Add(fmt(":bro:type:`%s` of ", type_name(Tag())));
d->Add(fmt(":zeek:type:`%s` of ", type_name(Tag())));
if ( yield_type->GetName().empty() )
yield_type->DescribeReST(d, roles_only);
else
d->Add(fmt(":bro:type:`%s`", yield_type->GetName().c_str()));
d->Add(fmt(":zeek:type:`%s`", yield_type->GetName().c_str()));
}
BroType* base_type_no_ref(TypeTag tag)


@ -15,7 +15,7 @@
##
## THA: The target hardware address.
##
## .. bro:see:: arp_reply bad_arp
## .. zeek:see:: arp_reply bad_arp
event arp_request%(mac_src: string, mac_dst: string, SPA: addr, SHA: string,
TPA: addr, THA: string%);
@ -36,7 +36,7 @@ event arp_request%(mac_src: string, mac_dst: string, SPA: addr, SHA: string,
##
## THA: The target hardware address.
##
## .. bro:see:: arp_request bad_arp
## .. zeek:see:: arp_request bad_arp
event arp_reply%(mac_src: string, mac_dst: string, SPA: addr, SHA: string,
TPA: addr, THA: string%);
@ -54,7 +54,7 @@ event arp_reply%(mac_src: string, mac_dst: string, SPA: addr, SHA: string,
##
## explanation: A short description of why the ARP packet is considered "bad".
##
## .. bro:see:: arp_reply arp_request
## .. zeek:see:: arp_reply arp_request
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet


@ -3,7 +3,7 @@
## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
## more information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## bittorrent_peer_have bittorrent_peer_interested bittorrent_peer_keep_alive
## bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port
## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
@ -16,7 +16,7 @@ event bittorrent_peer_handshake%(c: connection, is_orig: bool,
## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
## more information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
## bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port
## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
@ -28,7 +28,7 @@ event bittorrent_peer_keep_alive%(c: connection, is_orig: bool%);
## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
## more information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel
## .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel
## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
@ -40,7 +40,7 @@ event bittorrent_peer_choke%(c: connection, is_orig: bool%);
## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
## more information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
## bittorrent_peer_port bittorrent_peer_request
@ -52,7 +52,7 @@ event bittorrent_peer_unchoke%(c: connection, is_orig: bool%);
## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
## more information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_keep_alive
## bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port
## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
@ -64,7 +64,7 @@ event bittorrent_peer_interested%(c: connection, is_orig: bool%);
## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
## more information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
## bittorrent_peer_keep_alive bittorrent_peer_piece bittorrent_peer_port
## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
@ -76,7 +76,7 @@ event bittorrent_peer_not_interested%(c: connection, is_orig: bool%);
## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
## more information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## bittorrent_peer_handshake bittorrent_peer_interested bittorrent_peer_keep_alive
## bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port
## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
@ -88,7 +88,7 @@ event bittorrent_peer_have%(c: connection, is_orig: bool, piece_index: count%);
## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
## more information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_cancel bittorrent_peer_choke bittorrent_peer_handshake
## .. zeek:see:: bittorrent_peer_cancel bittorrent_peer_choke bittorrent_peer_handshake
## bittorrent_peer_have bittorrent_peer_interested bittorrent_peer_keep_alive
## bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port
## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
@ -100,7 +100,7 @@ event bittorrent_peer_bitfield%(c: connection, is_orig: bool, bitfield: string%)
## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
## more information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
## bittorrent_peer_port bittorrent_peer_unchoke bittorrent_peer_unknown
@ -113,7 +113,7 @@ event bittorrent_peer_request%(c: connection, is_orig: bool, index: count,
## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
## more information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_port
## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
@ -126,7 +126,7 @@ event bittorrent_peer_piece%(c: connection, is_orig: bool, index: count,
## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
## more information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_choke
## .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_choke
## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
@ -139,7 +139,7 @@ event bittorrent_peer_cancel%(c: connection, is_orig: bool, index: count,
## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
## more information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
@ -151,7 +151,7 @@ event bittorrent_peer_port%(c: connection, is_orig: bool, listen_port: port%);
## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
## more information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
@ -164,7 +164,7 @@ event bittorrent_peer_unknown%(c: connection, is_orig: bool, message_id: count,
## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
## more information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
@ -176,7 +176,7 @@ event bittorrent_peer_weird%(c: connection, is_orig: bool, msg: string%);
## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
## more information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
@ -189,7 +189,7 @@ event bt_tracker_request%(c: connection, uri: string,
## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
## more information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
@ -204,7 +204,7 @@ event bt_tracker_response%(c: connection, status: count,
## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
## more information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
@ -217,7 +217,7 @@ event bt_tracker_response_not_ok%(c: connection, status: count,
## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
## more information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke


@ -8,7 +8,7 @@
##
## is_orig: true if the threshold was crossed by the originator of the connection
##
## .. bro:see:: set_current_conn_packets_threshold set_current_conn_bytes_threshold conn_packets_threshold_crossed
## .. zeek:see:: set_current_conn_packets_threshold set_current_conn_bytes_threshold conn_packets_threshold_crossed
## get_current_conn_bytes_threshold get_current_conn_packets_threshold
event conn_bytes_threshold_crossed%(c: connection, threshold: count, is_orig: bool%);
@ -22,6 +22,6 @@ event conn_bytes_threshold_crossed%(c: connection, threshold: count, is_orig: bo
##
## is_orig: true if the threshold was crossed by the originator of the connection
##
## .. bro:see:: set_current_conn_packets_threshold set_current_conn_bytes_threshold conn_bytes_threshold_crossed
## .. zeek:see:: set_current_conn_packets_threshold set_current_conn_bytes_threshold conn_bytes_threshold_crossed
## get_current_conn_bytes_threshold get_current_conn_packets_threshold
event conn_packets_threshold_crossed%(c: connection, threshold: count, is_orig: bool%);
