Merge remote-tracking branch 'origin/rtd-test'

* origin/rtd-test:
  Disable RTD pdf format due to exceeded capacity
  Add RTD pdf format
  Add RTD yaml config file
  Remove some Bro usages in main TOC entries
  Remove "contents" Sphinx directive usages
  Add a `make livehtml` target
  Use sourcecode Sphinx directive more widely
  Use Sphinx RTD theme for user manual
  Replace some code-block Sphinx directives
  Remove unused Sphinx extensions
  Remove broxygen Sphinx integration
  Remove Sphinx btest integrations and tests
  Fix a Sphinx deprecation

These are all changes required to build documentation from a static
Sphinx tree (e.g. on Read the Docs).
Jon Siwek 2019-01-10 13:40:04 -06:00
commit b1b7027982
878 changed files with 91365 additions and 7892 deletions

4
.readthedocs.yml Normal file

@ -0,0 +1,4 @@
formats: []
python:
version: 3
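Review bot: `formats: []` on the first line disables every non-HTML output without recording why, so the next maintainer is likely to re-enable pdf and hit the same build-capacity limit the merge message mentions; a comment such as `# pdf/epub builds disabled: exceeded Read the Docs build capacity` above it would prevent that. The file also declares no top-level `version:` key for the config format itself, so Read the Docs will parse it under its legacy v1 schema; if the v2 schema is intended, `version: 2` belongs at the top.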

22
CHANGES

@ -1,7 +1,27 @@
2.6-61 | 2019-01-10 13:40:04 -0600
* Add RTD yaml config file (Jon Siwek, Corelight)
* Remove some Bro usages in main TOC entries (Jon Siwek, Corelight)
* Remove "contents" Sphinx directive usages (Jon Siwek, Corelight)
* Add a `make livehtml` target (Jon Siwek, Corelight)
* Use sourcecode Sphinx directive more widely (Jon Siwek, Corelight)
* Use Sphinx RTD theme for user manual (Jon Siwek, Corelight)
* Remove unused Sphinx extensions (Jon Siwek, Corelight)
* Remove broxygen Sphinx integration (Jon Siwek, Corelight)
* Remove Sphinx btest integrations and tests (Jon Siwek, Corelight)
2.6-46 | 2019-01-10 09:10:08 -0800
* improve performance of catch and release script (Juston Azonn, Corelight)
* improve performance of catch and release script (Justin Azoff, Corelight)
2.6-43 | 2019-01-07 09:50:43 -0800


@ -29,6 +29,10 @@ doc: configured
docclean: configured
$(MAKE) -C $(BUILD) $@
livehtml:
@mkdir -p build/doc/html
sphinx-autobuild --ignore "testing/*" --ignore "*.git/*" --ignore "*.lock" --ignore "*.pyc" --ignore "*.swp" --ignore "*.swpx" --ignore "*.swx" -b html ./doc ./build/doc/html
dist:
@test -e ../$(VERSION_FULL) && rm -ri ../$(VERSION_FULL) || true
@cp -R . ../$(VERSION_FULL)
@ -63,4 +67,4 @@ configured:
@test -d $(BUILD) || ( echo "Error: No build/ directory found. Did you run configure?" && exit 1 )
@test -e $(BUILD)/Makefile || ( echo "Error: No build/Makefile found. Did you run configure?" && exit 1 )
.PHONY : all install clean doc docclean dist distclean configured
.PHONY : all install clean doc docclean dist distclean configured livehtml
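Review bot: The new `livehtml` target hardcodes `build/doc/html` in both the `mkdir -p` and the sphinx-autobuild output argument, while the neighbouring `doc`/`docclean` targets and the `configured` check use `$(BUILD)` for the build directory, so the two drift apart as soon as BUILD is overridden; `@mkdir -p $(BUILD)/doc/html` and `... -b html ./doc $(BUILD)/doc/html` keep them in step. The target also does not check that `sphinx-autobuild` is installed, so a missing tool surfaces only as the shell's command-not-found error rather than a message like the ones `configured` prints. The BUILD variable is defined outside this hunk.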


@ -1 +1 @@
2.6-46
2.6-61


@ -1,82 +1,20 @@
set(SPHINX_INPUT_DIR ${CMAKE_CURRENT_BINARY_DIR}/sphinx_input)
set(SPHINX_OUTPUT_DIR ${CMAKE_CURRENT_BINARY_DIR}/sphinx_output)
set(BROXYGEN_SCRIPT_OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/broxygen_script_output)
set(BROXYGEN_CACHE_DIR ${CMAKE_CURRENT_BINARY_DIR}/broxygen_cache)
set(BROCCOLI_DOCS_SRC ${CMAKE_BINARY_DIR}/aux/broccoli/doc/html)
set(BROCCOLI_DOCS_DST ${CMAKE_BINARY_DIR}/html/broccoli-api)
set(html_output_dir ${CMAKE_CURRENT_BINARY_DIR}/html)
# Find out what BROPATH to use when executing bro.
execute_process(COMMAND ${CMAKE_BINARY_DIR}/bro-path-dev
OUTPUT_VARIABLE BROPATH
RESULT_VARIABLE retval
OUTPUT_STRIP_TRAILING_WHITESPACE)
if (NOT ${retval} EQUAL 0)
message(FATAL_ERROR "Problem setting BROPATH")
endif ()
# Configure the Sphinx config file (expand variables CMake might know about).
configure_file(${CMAKE_CURRENT_SOURCE_DIR}/conf.py.in
${CMAKE_CURRENT_BINARY_DIR}/conf.py
@ONLY)
configure_file(${CMAKE_CURRENT_SOURCE_DIR}/broxygen.conf.in
${CMAKE_CURRENT_BINARY_DIR}/broxygen.conf
@ONLY)
add_custom_target(sphinxdoc
# Copy the template documentation to build directory to use as input tree
# for Sphinx. This is needed because some parts are dynamically generated
# in to that tree by Bro/Broxygen.
COMMAND rsync -q -r --copy-links --times --delete
--filter='protect scripts/*'
${CMAKE_CURRENT_SOURCE_DIR}/ ${SPHINX_INPUT_DIR}
# Use Bro/Broxygen to dynamically generate reST for all Bro scripts.
COMMAND BROPATH=${BROPATH}
${CMAKE_BINARY_DIR}/src/bro
-X ${CMAKE_CURRENT_BINARY_DIR}/broxygen.conf
broxygen >/dev/null
# Rsync over the generated reST to the Sphinx source tree in the build dir.
COMMAND rsync -q -r --copy-links --times --delete --filter='protect *.bro'
${BROXYGEN_SCRIPT_OUTPUT}/ ${SPHINX_INPUT_DIR}/scripts
# Rsync over Bro scripts to the Sphinx source tree in the build dir.
# These are used by :download: references in the generated script docs.
COMMAND rsync -q -r --copy-links --times --delete
--filter='protect /base/bif/*' --filter='protect *.rst'
--filter='include */' --filter='include *.bro' --filter='exclude *'
${CMAKE_SOURCE_DIR}/scripts/ ${SPHINX_INPUT_DIR}/scripts
# Rsync over Bro scripts created by BIF compiler to the Sphinx source tree.
COMMAND rsync -q -r --copy-links --times --delete
--filter='protect *.rst' --filter='include */'
--filter='include *.bro' --filter='exclude *'
${CMAKE_BINARY_DIR}/scripts/base/bif/
${SPHINX_INPUT_DIR}/scripts/base/bif
# Use Sphinx to build HTML.
add_custom_target(zeek-doc-html
COMMAND sphinx-build
-b html
-c ${CMAKE_CURRENT_BINARY_DIR}
-d ${SPHINX_OUTPUT_DIR}/doctrees
${SPHINX_INPUT_DIR}
${SPHINX_OUTPUT_DIR}/html
-c ${CMAKE_CURRENT_SOURCE_DIR}
${CMAKE_CURRENT_SOURCE_DIR}
${html_output_dir}
# Create symlink to the html output directory for convenience.
COMMAND "${CMAKE_COMMAND}" -E create_symlink
${SPHINX_OUTPUT_DIR}/html
${html_output_dir}
${CMAKE_BINARY_DIR}/html
WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}
COMMENT "[Sphinx] Generate HTML documentation in ${CMAKE_BINARY_DIR}/html")
add_dependencies(sphinxdoc bro)
add_custom_target(sphinxdoc_clean
COMMAND "${CMAKE_COMMAND}" -E remove_directory ${SPHINX_INPUT_DIR}
COMMAND "${CMAKE_COMMAND}" -E remove_directory ${SPHINX_OUTPUT_DIR}
COMMAND "${CMAKE_COMMAND}" -E remove_directory ${BROXYGEN_SCRIPT_OUTPUT}
COMMAND "${CMAKE_COMMAND}" -E remove_directory ${BROXYGEN_CACHE_DIR}
VERBATIM)
COMMENT "[Sphinx] Generate Bro HTML documentation in ${html_output_dir}")
if (NOT TARGET doc)
add_custom_target(doc)
endif ()
add_custom_target(docclean)
add_dependencies(doc sphinxdoc)
add_dependencies(docclean sphinxdoc_clean)
add_dependencies(doc zeek-doc-html)
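Review bot: The new `zeek-doc-html` target invokes `sphinx-build` by bare name with no configure-time lookup, so a missing Sphinx is discovered only when `make doc` runs, and the target carries no `VERBATIM` even though the removed `sphinxdoc_clean` target did, leaving argument quoting generator-dependent. A `find_program` check before the target, `COMMAND ${SPHINX_EXECUTABLE}` inside it, and `VERBATIM` ahead of `COMMENT` address both, as sketched below. Separately, `add_custom_target(docclean)` appears to keep no dependency on the new side now that `sphinxdoc_clean` is gone, which would make `make docclean` a no-op that leaves `${html_output_dir}` behind; either add a `COMMAND ${CMAKE_COMMAND} -E remove_directory ${html_output_dir}` to it or note in a comment that cleanup is intentionally left to the caller.
```cmake
find_program(SPHINX_EXECUTABLE NAMES sphinx-build)
if(NOT SPHINX_EXECUTABLE)
  message(FATAL_ERROR "sphinx-build not found; it is required to build the documentation")
endif()

add_custom_target(zeek-doc-html
  COMMAND ${SPHINX_EXECUTABLE}
  # … unchanged: -b html, -c, source and output directory arguments …
  VERBATIM
  COMMENT "[Sphinx] Generate Bro HTML documentation in ${html_output_dir}")
```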


@ -2,13 +2,12 @@
Documentation
=============
This directory contains Bro documentation in reStructuredText format
This directory contains documentation in reStructuredText format
(see http://docutils.sourceforge.net/rst.html).
It is the root of a Sphinx source tree and can be modified to add more
common/general documentation, style sheets, JavaScript, etc. The Sphinx
config file is produced from ``conf.py.in``, and can be edited to change
various Sphinx options.
documentation, style sheets, JavaScript, etc. The Sphinx config file
is ``conf.py``.
There is also a custom Sphinx domain implemented in ``ext/bro.py``
which adds some reST directives and roles that aid in generating useful
@ -18,30 +17,12 @@ a similar fashion.
The ``make doc`` target in the top-level Makefile can be used to locally
render the reST files into HTML. That target depends on:
* Python interpreter >= 2.5
* `Sphinx <http://sphinx-doc.org/>`_ >= 1.0.1
* Doxygen (required only for building the Broccoli API doc)
After completion, HTML documentation is symlinked in ``build/html``.
There's also a ``make docclean`` target which deletes any files
created during the documentation build process.
Notes for Writing Documentation
-------------------------------
* If you want to refer to a document that's part of the
distribution, it currently needs to be copied or otherwise symlinked
somewhere in to this Sphinx source tree. Then, it can be referenced
in a toc tree or with the :doc: role. Use the :download: role to
refer to static files that will not undergo sphinx rendering.
* If you want to refer to a page on the Bro web site, use an HTTP URL.
Guidelines
----------
TODO.
* Python interpreter >= 2.7
* `Sphinx <http://sphinx-doc.org/>`_
* `Read the Docs Sphinx Theme <https://github.com/rtfd/sphinx_rtd_theme>`_
After the build completes, HTML documentation is symlinked in ``build/html``.
There's also a ``make livehtml`` target in the top-level Makefile that
is useful for editing the reST files and seeing changes rendered out live
to a separate HTML browser.

1
doc/_static/960.css vendored


522
doc/_static/basic.css vendored

@ -1,522 +0,0 @@
/*
* basic.css
* ~~~~~~~~~
*
* Sphinx stylesheet -- basic theme.
*
* :copyright: Copyright 2007-2011 by the Sphinx team, see AUTHORS.
* :license: BSD, see LICENSE for details.
*
*/
/* -- main layout ----------------------------------------------------------- */
div.clearer {
clear: both;
}
/* -- relbar ---------------------------------------------------------------- */
div.related {
width: 100%;
font-size: 90%;
}
div.related h3 {
display: none;
}
div.related ul {
margin: 0;
padding: 0 0 0 10px;
list-style: none;
}
div.related li {
display: inline;
}
div.related li.right {
float: right;
margin-right: 5px;
}
/* -- sidebar --------------------------------------------------------------- */
div.sphinxsidebarwrapper {
padding: 10px 5px 0 10px;
}
div.sphinxsidebar {
float: left;
width: 230px;
margin-left: -100%;
font-size: 90%;
}
div.sphinxsidebar ul {
list-style: none;
}
div.sphinxsidebar ul ul,
div.sphinxsidebar ul.want-points {
margin-left: 20px;
list-style: square;
}
div.sphinxsidebar ul ul {
margin-top: 0;
margin-bottom: 0;
}
div.sphinxsidebar form {
margin-top: 10px;
}
div.sphinxsidebar input {
border: 1px solid #98dbcc;
font-family: sans-serif;
font-size: 1em;
}
div.sphinxsidebar input[type="text"] {
width: 170px;
}
div.sphinxsidebar input[type="submit"] {
width: 30px;
}
img {
border: 0;
}
/* -- search page ----------------------------------------------------------- */
ul.search {
margin: 10px 0 0 20px;
padding: 0;
}
ul.search li {
padding: 5px 0 5px 20px;
background-image: url(file.png);
background-repeat: no-repeat;
background-position: 0 7px;
}
ul.search li a {
font-weight: bold;
}
ul.search li div.context {
color: #888;
margin: 2px 0 0 30px;
text-align: left;
}
ul.keywordmatches li.goodmatch a {
font-weight: bold;
}
/* -- index page ------------------------------------------------------------ */
table.contentstable {
width: 90%;
}
table.contentstable p.biglink {
line-height: 150%;
}
a.biglink {
font-size: 1.3em;
}
span.linkdescr {
font-style: italic;
padding-top: 5px;
font-size: 90%;
}
/* -- general index --------------------------------------------------------- */
table.indextable {
width: 100%;
}
table.indextable td {
text-align: left;
vertical-align: top;
}
table.indextable dl, table.indextable dd {
margin-top: 0;
margin-bottom: 0;
}
table.indextable tr.pcap {
height: 10px;
}
table.indextable tr.cap {
margin-top: 10px;
background-color: #f2f2f2;
}
img.toggler {
margin-right: 3px;
margin-top: 3px;
cursor: pointer;
}
div.modindex-jumpbox {
border-top: 1px solid #ddd;
border-bottom: 1px solid #ddd;
margin: 1em 0 1em 0;
padding: 0.4em;
}
div.genindex-jumpbox {
border-top: 1px solid #ddd;
border-bottom: 1px solid #ddd;
margin: 1em 0 1em 0;
padding: 0.4em;
}
/* -- general body styles --------------------------------------------------- */
a.headerlink {
visibility: hidden;
}
div.body p.caption {
text-align: inherit;
}
div.body td {
text-align: left;
}
.field-list ul {
padding-left: 1em;
}
.first {
margin-top: 0 !important;
}
p.rubric {
margin-top: 30px;
font-weight: bold;
}
img.align-left, .figure.align-left, object.align-left {
clear: left;
float: left;
margin-right: 1em;
}
img.align-right, .figure.align-right, object.align-right {
clear: right;
float: right;
margin-left: 1em;
}
img.align-center, .figure.align-center, object.align-center {
display: block;
margin-left: auto;
margin-right: auto;
}
.align-left {
text-align: left;
}
.align-center {
text-align: center;
}
.align-right {
text-align: right;
}
/* -- sidebars -------------------------------------------------------------- */
div.sidebar {
margin: 0 0 0.5em 1em;
border: 1px solid #ddb;
padding: 7px 7px 0 7px;
background-color: #ffe;
width: 40%;
float: right;
}
p.sidebar-title {
font-weight: bold;
}
/* -- topics ---------------------------------------------------------------- */
div.topic {
border: 1px solid #ccc;
padding: 7px 7px 0 7px;
margin: 10px 0 10px 0;
}
p.topic-title {
font-size: 1.1em;
font-weight: bold;
margin-top: 10px;
}
/* -- admonitions ----------------------------------------------------------- */
div.admonition {
margin-top: 10px;
margin-bottom: 10px;
padding: 7px;
}
div.admonition dt {
font-weight: bold;
}
div.admonition dl {
margin-bottom: 0;
}
p.admonition-title {
margin: 0px 10px 5px 0px;
font-weight: bold;
}
div.body p.centered {
text-align: center;
margin-top: 25px;
}
/* -- tables ---------------------------------------------------------------- */
table.field-list td, table.field-list th {
border: 0 !important;
}
table.footnote td, table.footnote th {
border: 0 !important;
}
th {
text-align: left;
padding-right: 5px;
}
table.citation {
border-left: solid 1px gray;
margin-left: 1px;
}
table.citation td {
border-bottom: none;
}
/* -- other body styles ----------------------------------------------------- */
ol.arabic {
list-style: decimal;
}
ol.loweralpha {
list-style: lower-alpha;
}
ol.upperalpha {
list-style: upper-alpha;
}
ol.lowerroman {
list-style: lower-roman;
}
ol.upperroman {
list-style: upper-roman;
}
dd p {
margin-top: 0px;
}
dd ul, dd table {
margin-bottom: 10px;
}
dd {
margin-top: 3px;
margin-bottom: 10px;
margin-left: 30px;
}
dt:target, .highlighted {
background-color: #fbe54e;
}
dl.glossary dt {
font-weight: bold;
font-size: 1.1em;
}
.field-list ul {
margin: 0;
padding-left: 1em;
}
.field-list p {
margin: 0;
}
.refcount {
color: #060;
}
.optional {
font-size: 1.3em;
}
.versionmodified {
font-style: italic;
}
.system-message {
background-color: #fda;
padding: 5px;
border: 3px solid red;
}
.footnote:target {
background-color: #ffa;
}
.line-block {
display: block;
margin-top: 1em;
margin-bottom: 1em;
}
.line-block .line-block {
margin-top: 0;
margin-bottom: 0;
margin-left: 1.5em;
}
.guilabel, .menuselection {
font-family: sans-serif;
}
.accelerator {
text-decoration: underline;
}
.classifier {
font-style: oblique;
}
abbr, acronym {
border-bottom: dotted 1px;
cursor: help;
}
/* -- code displays --------------------------------------------------------- */
pre {
overflow: auto;
overflow-y: hidden; /* fixes display issues on Chrome browsers */
}
td.linenos pre {
padding: 5px 0px;
border: 0;
background-color: transparent;
color: #aaa;
}
.highlight-guess {
overflow:auto;
}
.highlight-none {
overflow:auto;
}
table.highlighttable {
margin-left: 0.5em;
overflow:scroll;
}
table.highlighttable td {
padding: 0 0.5em 0 0.5em;
}
tt.descname {
background-color: transparent;
font-weight: bold;
# font-size: 1.2em;
}
tt.descclassname {
background-color: transparent;
}
tt.xref, a tt {
background-color: transparent;
# font-weight: bold;
}
h1 tt, h2 tt, h3 tt, h4 tt, h5 tt, h6 tt {
background-color: transparent;
}
.viewcode-link {
float: right;
}
.viewcode-back {
float: right;
font-family: sans-serif;
}
div.viewcode-block:target {
margin: -1px -10px;
padding: 0 10px;
}
/* -- math display ---------------------------------------------------------- */
img.math {
vertical-align: middle;
}
div.body div.math p {
text-align: center;
}
span.eqno {
float: right;
}
/* -- printout stylesheet --------------------------------------------------- */
@media print {
div.document,
div.documentwrapper,
div.bodywrapper {
margin: 0 !important;
width: 100%;
}
div.sphinxsidebar,
div.related,
div.footer,
#top-link {
display: none;
}
}


@ -1,160 +0,0 @@
a.toc-backref {
color: #333;
}
h1, h2, h3, h4, h5, h6,
h1 a, h2 a, h3 a, h4 a, h5 a, h6 a {
padding:0 0 0px 0;
}
ul {
padding-bottom: 0px;
}
h1 {
font-weight: bold;
font-size: 32px;
line-height:32px;
text-align: center;
padding-top: 3px;
margin-bottom: 30px;
font-family: Palatino,'Palatino Linotype',Georgia,serif;;
color: #000;
border-bottom: 0px;
}
th.field-name
{
white-space:nowrap;
}
h2 {
margin-top: 50px;
padding-bottom: 5px;
margin-bottom: 30px;
border-bottom: 1px solid;
border-color: #aaa;
font-style: normal;
}
div.section h3 {
font-style: normal;
}
h3 {
font-size: 20px;
margin-top: 40px;
margin-bottom: 0¡px;
font-weight: bold;
font-style: normal;
}
h3.widgettitle {
font-style: normal;
}
h4 {
font-size:18px;
font-style: normal;
margin-bottom: 0em;
margin-top: 40px;
font-style: italic;
}
h5 {
font-size:16px;
}
h6 {
font-size:15px;
}
.toc-backref {
color: #333;
}
.contents ul {
padding-bottom: 1em;
}
dl.namespace {
display: none;
}
dl dt {
font-weight: normal;
}
table.docutils tbody {
margin: 1em 1em 1em 1em;
}
table.docutils td {
padding: 5pt 5pt 5pt 5pt;
font-size: 14px;
border-left: 0;
border-right: 0;
}
dl pre {
font-size: 14px;
}
table.docutils th {
padding: 5pt 5pt 5pt 5pt;
font-size: 14px;
font-style: normal;
border-left: 0;
border-right: 0;
}
table.docutils tr:first-child td {
#border-top: 1px solid #aaa;
}
.download {
font-family:"Courier New", Courier, mono;
font-weight: normal;
}
dt:target, .highlighted {
background-color: #ccc;
}
p {
padding-bottom: 0px;
}
p.last {
margin-bottom: 0px;
}
dl {
padding: 1em 1em 1em 1em;
background: #fffff0;
border: 1px solid #aaa;
}
dl {
margin-bottom: 10px;
}
table.docutils {
background: #fffff0;
border-collapse: collapse;
border: 1px solid #ddd;
}
dl table.docutils {
border: 0;
}
table.docutils dl {
border: 1px dashed #666;
}



@ -1,483 +0,0 @@
/* Automatically generated. Do not edit. */
#bro-main, #bro-standalone-main {
padding: 0 0 0 0;
position:relative;
z-index:1;
}
#bro-main {
margin-bottom: 2em;
}
#bro-standalone-main {
margin-bottom: 0em;
padding-left: 50px;
padding-right: 50px;
}
#bro-outer {
color: #333;
background: #ffffff;
}
#bro-title {
font-weight: bold;
font-size: 32px;
line-height:32px;
text-align: center;
padding-top: 3px;
margin-bottom: 30px;
font-family: Palatino,'Palatino Linotype',Georgia,serif;;
color: #000;
}
.opening:first-letter {
font-size: 24px;
font-weight: bold;
letter-spacing: 0.05em;
}
.opening {
font-size: 17px;
}
.version {
text-align: right;
font-size: 12px;
color: #aaa;
line-height: 0;
height: 0;
}
.git-info-version {
position: relative;
height: 2em;
top: -1em;
color: #ccc;
float: left;
font-size: 12px;
}
.git-info-date {
position: relative;
height: 2em;
top: -1em;
color: #ccc;
float: right;
font-size: 12px;
}
body {
font-family:Arial, Helvetica, sans-serif;
font-size:15px;
line-height:22px;
color: #333;
margin: 0px;
}
h1, h2, h3, h4, h5, h6,
h1 a, h2 a, h3 a, h4 a, h5 a, h6 a {
padding:0 0 20px 0;
font-weight:bold;
text-decoration:none;
}
div.section h3, div.section h4, div.section h5, div.section h6 {
font-style: italic;
}
h1, h2 {
font-size:27px;
letter-spacing:-1px;
}
h3 {
margin-top: 1em;
font-size:18px;
}
h4 {
font-size:16px;
}
h5 {
font-size:15px;
}
h6 {
font-size:12px;
}
p {
padding:0 0 20px 0;
}
hr {
background:none;
height:1px;
line-height:1px;
border:0;
margin:0 0 20px 0;
}
ul, ol {
margin:0 20px 20px 0;
padding-left:40px;
}
ul.simple, ol.simple {
margin:0 0px 0px 0;
}
blockquote {
margin:0 0 0 40px;
}
strong, dfn {
font-weight:bold;
}
em, dfn {
font-style:italic;
}
sup, sub {
line-height:0;
}
pre, code {
white-space: pre;
overflow: auto;
margin-left: 0.25em;
margin-right: 0.25em;
word-wrap: normal;
}
pre, code, tt {
font-family:"Courier New", Courier, mono;
}
dl {
margin: 0 0 20px 0;
}
dl dt {
font-weight: bold;
}
li dl dt {
font-weight: normal;
}
dd {
margin:0 0 20px 20px;
}
small {
font-size:75%;
}
.small-text {
font-size:75%;
}
.align-center {
display: block;
margin-left: auto;
margin-right: auto;
}
a:link,
a:visited,
a:active
{
color: #2a85a7;
}
a:hover
{
color:#c24444;
}
h1, h2, h3, h4, h5, h6,
h1 a, h2 a, h3 a, h4 a, h5 a, h6 a
{
color: #333;
}
hr {
border-bottom:1px solid #ddd;
}
pre {
color: #333;
background: #FFFAE2;
padding: 7px 5px 3px 5px;
margin-bottom: 25px;
margin-top: 0px;
}
ul {
padding-bottom: 5px;
}
h1, h2 {
margin-top: 30px;
}
h1 {
margin-bottom: 50px;
margin-bottom: 20px;
padding-bottom: 5px;
border-bottom: 1px solid;
border-color: #aaa;
}
h2 {
font-size: 24px;
}
pre {
-moz-box-shadow:0 0 6px #ddd;
-webkit-box-shadow:0 0 6px #ddd;
box-shadow:0 0 6px #ddd;
}
a {
text-decoration:none;
}
p {
padding-bottom: 15px;
}
p, dd, li {
text-align: justify;
}
li {
margin-bottom: 5px;
}
#footer .widget_links ul a,
#footer .widget_links ol a
{
color: #ddd;
}
#footer .widget_links ul a:hover,
#footer .widget_links ol a:hover
{
color:#c24444;
}
#footer .widget li {
padding-bottom:10px;
}
#footer .widget_links li {
padding-bottom:1px;
}
#footer .widget li:last-child {
padding-bottom:0;
}
#footer .widgettitle {
color: #ddd;
}
.widget {
margin:0 0 40px 0;
}
.widget, .widgettitle {
font-size:12px;
line-height:18px;
}
.widgettitle {
font-weight:bold;
text-transform:uppercase;
padding:0 0 10px 0;
margin:0 0 20px 0;
line-height:100%;
}
.widget UL, .widget OL {
list-style-type:none;
margin:0;
padding:0;
}
.widget p {
padding:0;
}
.widget li {
padding-bottom:10px;
}
.widget a {
text-decoration:none;
}
#bro-main .widgettitle,
{
color: #333;
}
.widget img.left {
padding:5px 10px 10px 0;
}
.widget img.right {
padding:5px 0 10px 10px;
}
.ads .widgettitle {
margin-right:16px;
}
.widget {
margin-left: 1em;
}
.widgettitle {
color: #333;
}
.widgettitle {
border-bottom:1px solid #ddd;
}
.sidebar-toc ul li {
padding-bottom: 0px;
text-align: left;
list-style-type: square;
list-style-position: inside;
padding-left: 1em;
text-indent: -1em;
}
.sidebar-toc ul li li {
margin-left: 1em;
margin-bottom: 0px;
list-style-type: square;
}
.sidebar-toc ul li li a {
font-size: 8pt;
}
.contents {
padding: 10px;
background: #FFFAE2;
margin: 20px;
}
.topic-title {
font-size: 20px;
font-weight: bold;
padding: 0px 0px 5px 0px;
text-align: center;
padding-top: .5em;
}
.contents li {
margin-bottom: 0px;
list-style-type: square;
}
.contents ul ul li {
margin-left: 0px;
padding-left: 0px;
padding-top: 0em;
font-size: 90%;
list-style-type: square;
font-weight: normal;
}
.contents ul ul ul li {
list-style-type: none;
}
.contents ul ul ul ul li {
display:none;
}
.contents ul li {
padding-top: 1em;
list-style-type: none;
font-weight: bold;
}
.contents ul {
margin-left: 0px;
padding-left: 2em;
margin: 0px 0px 0px 0px;
}
.note, .warning, .error {
margin-left: 2em;
margin-right: 2em;
margin-top: 1.5em;
margin-bottom: 1.5em;
padding: 0.5em 1em 0.5em 1em;
overflow: auto;
border-left: solid 3px #aaa;
font-size: 15px;
color: #333;
}
.admonition p {
margin-left: 1em;
}
.admonition-title {
font-size: 16px;
font-weight: bold;
color: #000;
padding-bottom: 0em;
margin-bottom: .5em;
margin-top: 0em;
}
.btest-cmd .hll {
font-weight: bold;
background: #FFFAE2;
}
.btest-include .hll {
display: block;
text-align: center;
font-family: Palatino;
background: #FFFAE2;
}
.btest-include .hll * {
color: #aaa;
}
.linenodiv pre {
margin-left: 0px;
margin-right: 0px;
width: 1.5em;
text-align: right;
background: #000;
}
.btest-cmd .code pre, .btest-include .code pre {
margin-left: 0px;
}



@ -1,58 +0,0 @@
.hll { background-color: #ffffcc }
.c { color: #aaaaaa; font-style: italic } /* Comment */
.err { color: #F00000; background-color: #F0A0A0 } /* Error */
.k { color: #0000aa } /* Keyword */
.cm { color: #aaaaaa; font-style: italic } /* Comment.Multiline */
.cp { color: #4c8317 } /* Comment.Preproc */
.c1 { color: #aaaaaa; font-style: italic } /* Comment.Single */
.cs { color: #0000aa; font-style: italic } /* Comment.Special */
.gd { color: #aa0000 } /* Generic.Deleted */
.ge { font-style: italic } /* Generic.Emph */
.gr { color: #aa0000 } /* Generic.Error */
.gh { color: #000080; font-weight: bold } /* Generic.Heading */
.gi { color: #00aa00 } /* Generic.Inserted */
.go { color: #888888 } /* Generic.Output */
.gp { color: #555555 } /* Generic.Prompt */
.gs { font-weight: bold } /* Generic.Strong */
.gu { color: #800080; font-weight: bold } /* Generic.Subheading */
.gt { color: #aa0000 } /* Generic.Traceback */
.kc { color: #0000aa } /* Keyword.Constant */
.kd { color: #0000aa } /* Keyword.Declaration */
.kn { color: #0000aa } /* Keyword.Namespace */
.kp { color: #0000aa } /* Keyword.Pseudo */
.kr { color: #0000aa } /* Keyword.Reserved */
.kt { color: #00aaaa } /* Keyword.Type */
.m { color: #009999 } /* Literal.Number */
.s { color: #aa5500 } /* Literal.String */
.na { color: #1e90ff } /* Name.Attribute */
.nb { color: #00aaaa } /* Name.Builtin */
.nc { color: #00aa00; text-decoration: underline } /* Name.Class */
.no { color: #aa0000 } /* Name.Constant */
.nd { color: #888888 } /* Name.Decorator */
.ni { color: #800000; font-weight: bold } /* Name.Entity */
.nf { color: #00aa00 } /* Name.Function */
.nn { color: #00aaaa; text-decoration: underline } /* Name.Namespace */
.nt { color: #1e90ff; font-weight: bold } /* Name.Tag */
.nv { color: #aa0000 } /* Name.Variable */
.ow { color: #0000aa } /* Operator.Word */
.w { color: #bbbbbb } /* Text.Whitespace */
.mf { color: #009999 } /* Literal.Number.Float */
.mh { color: #009999 } /* Literal.Number.Hex */
.mi { color: #009999 } /* Literal.Number.Integer */
.mo { color: #009999 } /* Literal.Number.Oct */
.sb { color: #aa5500 } /* Literal.String.Backtick */
.sc { color: #aa5500 } /* Literal.String.Char */
.sd { color: #aa5500 } /* Literal.String.Doc */
.s2 { color: #aa5500 } /* Literal.String.Double */
.se { color: #aa5500 } /* Literal.String.Escape */
.sh { color: #aa5500 } /* Literal.String.Heredoc */
.si { color: #aa5500 } /* Literal.String.Interpol */
.sx { color: #aa5500 } /* Literal.String.Other */
.sr { color: #009999 } /* Literal.String.Regex */
.s1 { color: #aa5500 } /* Literal.String.Single */
.ss { color: #0000aa } /* Literal.String.Symbol */
.bp { color: #00aaaa } /* Name.Builtin.Pseudo */
.vc { color: #aa0000 } /* Name.Variable.Class */
.vg { color: #aa0000 } /* Name.Variable.Global */
.vi { color: #aa0000 } /* Name.Variable.Instance */
.il { color: #009999 } /* Literal.Number.Integer.Long */

15
doc/_templates/breadcrumbs.html vendored Normal file

@ -0,0 +1,15 @@
{% extends "!breadcrumbs.html" %}
{% block breadcrumbs_aside %}
<li class="wy-breadcrumbs-aside">
{% if pagename != "search" %}
{% if display_github %}
{% if github_version == "master" %}
<a href="https://{{ github_host|default("github.com") }}/{{ github_user }}/{{ github_repo }}/blob/{{ github_version }}{{ conf_py_path }}{{ pagename }}{{ suffix }}" class="fa fa-github"> {{ _('Edit on GitHub') }}</a>
{% endif %}
{% elif show_source and has_source and sourcename %}
<a href="{{ pathto('_sources/' + sourcename, true)|e }}" rel="nofollow"> {{ _('View page source') }}</a>
{% endif %}
{% endif %}
</li>
{% endblock %}


@ -1,113 +1,7 @@
{% extends "!layout.html" %}
{% block extrahead %}
<link rel="stylesheet" type="text/css" href="{{ pathto('_static/broxygen.css', 1) }}"></script>
<link rel="stylesheet" type="text/css" href="{{ pathto('_static/960.css', 1) }}"></script>
<link rel="stylesheet" type="text/css" href="{{ pathto('_static/pygments.css', 1) }}"></script>
<link rel="stylesheet" type="text/css" href="{{ pathto('_static/broxygen-extra.css', 1) }}"></script>
<script type="text/javascript" src="{{ pathto('_static/broxygen-extra.js', 1) }}"></script>
{% endblock %}
{% block header %}
<iframe src="https://www.bro.org/frames/header-no-logo.html" width="100%" height="100px" frameborder="0" marginheight="0" scrolling="no" marginwidth="0">
</iframe>
{% endblock %}
{% block relbar2 %}{% endblock %}
{% block relbar1 %}{% endblock %}
{% block content %}
<div id="bro-main" class="clearfix">
<div class="container_12">
<div class="grid_9">
<div>
{{ relbar() }}
</div>
<div class="body">
{% block body %}
{% endblock %}
</div>
</div>
<!-- Sidebar -->
<div class="grid_3 omega">
<div>
<img id="logo" src="{{pathto('_static/logo-bro.png', 1)}}" alt="Logo" />
</div>
<br />
<div class="widget sidebar-toc">
<h3 class="widgettitle">
Table of Contents
</h3>
<p>
<!-- <ul id="sidebar-toc"></ul> -->
<ul>{{toc}}</ul>
</p>
</div>
{% if next %}
<div class="widget">
<h3 class="widgettitle">
Next Page
</h3>
<p>
<a href="{{ next.link|e }}">{{ next.title }}</a>
</p>
</div>
{% if READTHEDOCS and current_version %}
{% if current_version == "latest" or current_version == "stable" %}
{% set current_version = current_version ~ " (" ~ version ~ ")" %}
{% endif %}
{% if prev %}
<div class="widget">
<h3 class="widgettitle">
Previous Page
</h3>
<p>
<a href="{{ prev.link|e }}">{{ prev.title }}</a>
</p>
</div>
{% endif %}
{%- if pagename != "search" %}
<div id="searchbox" style="display: none" class="widget">
<h3 class="widgettitle">{{ _('Search') }}</h3>
<form class="search" action="{{ pathto('search') }}" method="get">
<input type="text" name="q" />
<input type="submit" value="{{ _('Search') }}" />
<input type="hidden" name="check_keywords" value="yes" />
<input type="hidden" name="area" value="default" />
</form>
</div>
<script type="text/javascript">$('#searchbox').show(0);</script>
{%- endif %}
</div>
</div>
<div class="container_12">
<div class="grid_12 alpha omega">
<div class="center">
<small>
Copyright {{ copyright }}.
Last updated on {{ last_updated }}.
Created using <a href="http://sphinx.pocoo.org/">Sphinx</a> {{ sphinx_version }}.
</small>
</div>
</div>
</div>
</div>
{% endblock %}
{% block footer %}
<iframe src="https://www.bro.org/frames/footer.html" width="100%" height="420px" frameborder="0" marginheight="0" scrolling="no" marginwidth="0">
</iframe>
{% endblock %}
{% endif %}
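Review bot: The surviving `{% set current_version = current_version ~ " (" ~ version ~ ")" %}` rewrite sits at the top level of the child template with no explanation of what it is for or which part of the theme consumes it; a comment such as `{# Append the concrete release to the floating "latest"/"stable" labels the RTD theme shows #}` above the `{% if READTHEDOCS and current_version %}` line would make the intent clear. Whether a top-level `set` placed after `{% extends %}` is visible inside the parent template's blocks depends on Jinja scoping rules rather than anything visible here; presumably this was confirmed on a Read the Docs build, and saying so in that comment would save the next reader the same question.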


@ -1,9 +1,9 @@
.. _bro-ids:
=======
Bro IDS
=======
===
IDS
===
An Intrusion Detection System (IDS) allows you to detect suspicious
activities happening on your network as a result of a past or active
@ -24,8 +24,26 @@ rejected usernames and passwords occurring from a single address. We
start by defining a threshold for the number of attempts, a monitoring
interval (in minutes), and a new notice type.
.. btest-include:: ${BRO_SRC_ROOT}/scripts/policy/protocols/ftp/detect-bruteforcing.bro
:lines: 9-25
.. sourcecode:: bro
:caption: detect-bruteforcing.bro
module FTP;
export {
redef enum Notice::Type += {
## Indicates a host bruteforcing FTP logins by watching for too
## many rejected usernames or failed passwords.
Bruteforcing
};
## How many rejected usernames or passwords are required before being
## considered to be bruteforcing.
const bruteforce_threshold: double = 20 &redef;
## The time period in which the threshold needs to be crossed before
## being reset.
const bruteforce_measurement_interval = 15mins &redef;
}
Using the ftp_reply event, we check for error codes from the `500
series <http://en.wikipedia.org/wiki/List_of_FTP_server_return_codes>`_
@ -35,24 +53,130 @@ function to break down the reply code and check if the first digit is a
"5" or not. If true, we then use the :ref:`Summary Statistics Framework
<sumstats-framework>` to keep track of the number of failed attempts.
.. btest-include:: ${BRO_SRC_ROOT}/scripts/policy/protocols/ftp/detect-bruteforcing.bro
:lines: 52-60
.. sourcecode:: bro
:caption: detect-bruteforcing.bro
event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool)
{
local cmd = c$ftp$cmdarg$cmd;
if ( cmd == "USER" || cmd == "PASS" )
{
if ( FTP::parse_ftp_reply_code(code)$x == 5 )
SumStats::observe("ftp.failed_auth", [$host=c$id$orig_h], [$str=cat(c$id$resp_h)]);
}
}
Next, we use the SumStats framework to raise a notice of the attack when
the number of failed attempts exceeds the specified threshold during the
measuring interval.
.. btest-include:: ${BRO_SRC_ROOT}/scripts/policy/protocols/ftp/detect-bruteforcing.bro
:lines: 28-50
.. sourcecode:: bro
:caption: detect-bruteforcing.bro
event bro_init()
{
local r1: SumStats::Reducer = [$stream="ftp.failed_auth", $apply=set(SumStats::UNIQUE), $unique_max=double_to_count(bruteforce_threshold+2)];
SumStats::create([$name="ftp-detect-bruteforcing",
$epoch=bruteforce_measurement_interval,
$reducers=set(r1),
$threshold_val(key: SumStats::Key, result: SumStats::Result) =
{
return result["ftp.failed_auth"]$num+0.0;
},
$threshold=bruteforce_threshold,
$threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
{
local r = result["ftp.failed_auth"];
local dur = duration_to_mins_secs(r$end-r$begin);
local plural = r$unique>1 ? "s" : "";
local message = fmt("%s had %d failed logins on %d FTP server%s in %s", key$host, r$num, r$unique, plural, dur);
NOTICE([$note=FTP::Bruteforcing,
$src=key$host,
$msg=message,
$identifier=cat(key$host)]);
}]);
}
Below is the final code for our script.
.. btest-include:: ${BRO_SRC_ROOT}/scripts/policy/protocols/ftp/detect-bruteforcing.bro
.. sourcecode:: bro
:caption: detect-bruteforcing.bro
.. btest:: ftp-bruteforce
##! FTP brute-forcing detector, triggering when too many rejected usernames or
##! failed passwords have occurred from a single address.
@TEST-EXEC: btest-rst-cmd bro -r ${TRACES}/ftp/bruteforce.pcap protocols/ftp/detect-bruteforcing.bro
@TEST-EXEC: btest-rst-include notice.log
@load base/protocols/ftp
@load base/frameworks/sumstats
@load base/utils/time
module FTP;
export {
redef enum Notice::Type += {
## Indicates a host bruteforcing FTP logins by watching for too
## many rejected usernames or failed passwords.
Bruteforcing
};
## How many rejected usernames or passwords are required before being
## considered to be bruteforcing.
const bruteforce_threshold: double = 20 &redef;
## The time period in which the threshold needs to be crossed before
## being reset.
const bruteforce_measurement_interval = 15mins &redef;
}
event bro_init()
{
local r1: SumStats::Reducer = [$stream="ftp.failed_auth", $apply=set(SumStats::UNIQUE), $unique_max=double_to_count(bruteforce_threshold+2)];
SumStats::create([$name="ftp-detect-bruteforcing",
$epoch=bruteforce_measurement_interval,
$reducers=set(r1),
$threshold_val(key: SumStats::Key, result: SumStats::Result) =
{
return result["ftp.failed_auth"]$num+0.0;
},
$threshold=bruteforce_threshold,
$threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
{
local r = result["ftp.failed_auth"];
local dur = duration_to_mins_secs(r$end-r$begin);
local plural = r$unique>1 ? "s" : "";
local message = fmt("%s had %d failed logins on %d FTP server%s in %s", key$host, r$num, r$unique, plural, dur);
NOTICE([$note=FTP::Bruteforcing,
$src=key$host,
$msg=message,
$identifier=cat(key$host)]);
}]);
}
event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool)
{
local cmd = c$ftp$cmdarg$cmd;
if ( cmd == "USER" || cmd == "PASS" )
{
if ( FTP::parse_ftp_reply_code(code)$x == 5 )
SumStats::observe("ftp.failed_auth", [$host=c$id$orig_h], [$str=cat(c$id$resp_h)]);
}
}
.. sourcecode:: console
$ bro -r ftp/bruteforce.pcap protocols/ftp/detect-bruteforcing.bro
$ cat notice.log
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path notice
#open 2018-12-13-22-56-21
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval bool string string string double double
1389721084.522861 - - - - - - - - - FTP::Bruteforcing 192.168.56.1 had 20 failed logins on 1 FTP server in 0m37s - 192.168.56.1 - - - - Notice::ACTION_LOG 3600.000000 F - - - - -
#close 2018-12-13-22-56-21
As a final note, the :doc:`detect-bruteforcing.bro
</scripts/policy/protocols/ftp/detect-bruteforcing.bro>` script above is


@ -1 +0,0 @@
script * @BROXYGEN_SCRIPT_OUTPUT@/


@ -1,7 +1,7 @@
========================
Bro Cluster Architecture
========================
====================
Cluster Architecture
====================
Bro is not multithreaded, so once the limitations of a single processor core


@ -1,6 +1,6 @@
# -*- coding: utf-8 -*-
#
# Bro documentation build configuration file, created by sphinx-quickstart
# Zeek documentation build configuration file, created by sphinx-quickstart
#
# This file is execfile()d with the current directory set to its containing dir.
#
@ -17,28 +17,7 @@ extensions = []
# If extensions (or modules to document with autodoc) are in another directory,
# add these directories to sys.path here. If the directory is relative to the
# documentation root, use os.path.abspath to make it absolute, like shown here.
sys.path.insert(0, os.path.abspath('sphinx_input/ext'))
# ----- Begin of BTest configuration. -----
btest = os.path.abspath("@CMAKE_SOURCE_DIR@/aux/btest")
brocut = os.path.abspath("@CMAKE_SOURCE_DIR@/build/aux/bro-aux/bro-cut")
bro = os.path.abspath("@CMAKE_SOURCE_DIR@/build/src")
os.environ["PATH"] += (":%s:%s/sphinx:%s:%s" % (btest, btest, bro, brocut))
sys.path.append(os.path.join(btest, "sphinx"))
extensions += ["btest-sphinx"]
btest_base="@CMAKE_SOURCE_DIR@/testing/btest"
btest_tests="doc/sphinx"
# ----- End of BTest configuration. -----
# ----- Begin of Broxygen configuration. -----
extensions += ["broxygen"]
bro_binary = os.path.abspath("@CMAKE_SOURCE_DIR@/build/src/bro")
broxygen_cache="@BROXYGEN_CACHE_DIR@"
os.environ["BROPATH"] = "@BROPATH@"
# ----- End of Broxygen configuration. -----
sys.path.insert(0, os.path.abspath('ext'))
# -- General configuration -----------------------------------------------------
@ -47,13 +26,10 @@ os.environ["BROPATH"] = "@BROPATH@"
# Add any Sphinx extension module names here, as strings. They can be extensions
# coming with Sphinx (named 'sphinx.ext.*') or your custom ones.
extensions += ['bro', 'rst_directive', 'sphinx.ext.todo', 'adapt-toc']
os.environ["BRO_SRC_ROOT"] = "@CMAKE_SOURCE_DIR@"
os.environ["DOC_ROOT"] = "@CMAKE_SOURCE_DIR@/doc"
extensions += ['bro', 'sphinx.ext.todo']
# Add any paths that contain templates here, relative to this directory.
templates_path = ['sphinx_input/_templates', 'sphinx_input/_static']
templates_path = ['_templates']
# The suffix of source filenames.
source_suffix = '.rst'
@ -65,17 +41,19 @@ source_suffix = '.rst'
master_doc = 'index'
# General information about the project.
project = u'Bro'
copyright = u'2016, The Bro Project'
project = u'Zeek'
copyright = u'2018, The Zeek Project'
# The version info for the project you're documenting, acts as replacement for
# |version| and |release|, also used in various other places throughout the
# built documents.
#
# The short X.Y version.
version = '@VERSION_MAJ_MIN@'
with open('../VERSION', 'r') as f:
version = f.readline().strip()
# The full version, including alpha/beta/rc tags.
release = '@VERSION@'
release = version
# The language for content autogenerated by Sphinx. Refer to documentation
# for a list of supported languages.
@ -108,6 +86,8 @@ show_authors = True
# The name of the Pygments (syntax highlighting) style to use.
pygments_style = 'sphinx'
highlight_language = 'none'
# A list of ignored prefixes for module index sorting.
#modindex_common_prefix = []
@ -116,21 +96,30 @@ pygments_style = 'sphinx'
# The theme to use for HTML and HTML Help pages. See the documentation for
# a list of builtin themes.
html_theme = 'basic'
on_rtd = os.environ.get('READTHEDOCS', None) == 'True'
if not on_rtd:
# only import and set the theme if we're building docs locally
import sphinx_rtd_theme
html_theme = 'sphinx_rtd_theme'
html_theme_path = [sphinx_rtd_theme.get_html_theme_path()]
html_last_updated_fmt = '%B %d, %Y'
# Theme options are theme-specific and customize the look and feel of a theme
# further. For a list of options available for each theme, see the
# documentation.
html_theme_options = { }
html_theme_options = {
'collapse_navigation': False,
'display_version': True,
}
# Add any paths that contain custom themes here, relative to this directory.
#html_theme_path = []
# The name for this set of Sphinx documents. If None, it defaults to
# "<project> v<release> Documentation".
#html_title = None
html_title = u'Zeek User Manual v' + release
# A shorter title for the navigation bar. Default is the same as html_title.
#html_short_title = None
@ -147,7 +136,7 @@ html_theme_options = { }
# Add any paths that contain custom static files (such as style sheets) here,
# relative to this directory. They are copied after the builtin static files,
# so a file named "default.css" will overwrite the builtin "default.css".
html_static_path = ['sphinx_input/_static']
#html_static_path = ['_static']
# If not '', a 'Last updated on:' timestamp is inserted at every page bottom,
# using the given strftime format.
@ -158,9 +147,9 @@ html_static_path = ['sphinx_input/_static']
#html_use_smartypants = True
# Custom sidebar templates, maps document names to template names.
html_sidebars = {
'**': ['localtoc.html', 'sourcelink.html', 'searchbox.html'],
}
#html_sidebars = {
#'**': ['localtoc.html', 'sourcelink.html', 'searchbox.html'],
#}
# Additional templates that should be rendered to pages, maps page names to
# template names.
@ -193,7 +182,7 @@ html_sidebars = {
#html_file_suffix = None
# Output file base name for HTML help builder.
htmlhelp_basename = 'Broxygen'
htmlhelp_basename = 'zeek-docs'
# -- Options for LaTeX output --------------------------------------------------
@ -206,8 +195,8 @@ htmlhelp_basename = 'Broxygen'
# Grouping the document tree into LaTeX files. List of tuples
# (source start file, target name, title, author, documentclass [howto/manual]).
latex_documents = [
('index', 'Bro.tex', u'Bro Documentation',
u'The Bro Project', 'manual'),
('index', 'Zeek.tex', u'Zeek Documentation',
u'The Zeek Project', 'manual'),
]
# The name of an image file (relative to this directory) to place at the top of
@ -238,8 +227,8 @@ latex_documents = [
# One entry per manual page. List of tuples
# (source start file, name, description, authors, manual section).
man_pages = [
('index', 'bro', u'Bro Documentation',
[u'The Bro Project'], 1)
('index', 'bro', u'Zeek Documentation',
[u'The Zeek Project'], 1)
]
# -- Options for todo plugin --------------------------------------------
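Review bot: The version is read through a path relative to the process working directory, `with open('../VERSION', 'r') as f:`, which only works because Sphinx changes into the configuration directory before executing conf.py (as the header comment at the top of the file notes); anchoring the path to the file itself and pinning the encoding would make it robust to any other way of loading it: `with open(os.path.join(os.path.dirname(os.path.abspath(__file__)), '..', 'VERSION'), 'r') as f:`. The read also does nothing for an empty file, so an empty VERSION silently gives `release = ''` and an html_title of `Zeek User Manual v` instead of failing at configure time. Separately, the man_pages entry still registers under the name `'bro'` while the project name, LaTeX target and htmlhelp basename were all renamed to Zeek; if that is intentional because the installed binary is still called bro, a one-line comment saying so would keep a later cleanup from renaming it by mistake.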


@ -5,8 +5,6 @@
Cluster Configuration
=====================
.. contents::
A *Bro Cluster* is a set of systems jointly analyzing the traffic of
a network link in a coordinated fashion. You can operate such a setup from
a central manager system easily using BroControl because BroControl


@ -1,7 +1,7 @@
===================
Writing Bro Plugins
===================
===============
Writing Plugins
===============
Bro internally provides a plugin API that enables extending
the system dynamically, without modifying the core code base. That way


@ -1,29 +0,0 @@
import sys
import re
# Removes the first TOC level, which is just the page title.
def process_html_toc(app, pagename, templatename, context, doctree):
if not "toc" in context:
return
toc = context["toc"]
lines = toc.strip().split("\n")
lines = lines[2:-2]
toc = "\n".join(lines)
toc = "<ul>" + toc
context["toc"] = toc
# print >>sys.stderr, pagename
# print >>sys.stderr, context["toc"]
# print >>sys.stderr, "-----"
# print >>sys.stderr, toc
# print >>sys.stderr, "===="
def setup(app):
app.connect('html-page-context', process_html_toc)


@ -1,76 +0,0 @@
from pygments.lexer import RegexLexer, bygroups, include
from pygments.token import *
__all__ = ["BroLexer"]
class BroLexer(RegexLexer):
name = 'Bro'
aliases = ['bro']
filenames = ['*.bro']
_hex = r'[0-9a-fA-F_]+'
_float = r'((\d*\.?\d+)|(\d+\.?\d*))([eE][-+]?\d+)?'
_h = r'[A-Za-z0-9][-A-Za-z0-9]*'
tokens = {
'root': [
# Whitespace
('^@.*?\n', Comment.Preproc),
(r'#.*?\n', Comment.Single),
(r'\n', Text),
(r'\s+', Text),
(r'\\\n', Text),
# Keywords
(r'(add|alarm|break|case|const|continue|delete|do|else|enum|event'
r'|export|for|function|if|global|local|module|next'
r'|of|print|redef|return|schedule|when|while)\b', Keyword),
(r'(addr|any|bool|count|counter|double|file|int|interval|net'
r'|pattern|port|record|set|string|subnet|table|time|timer'
r'|vector)\b', Keyword.Type),
(r'(T|F)\b', Keyword.Constant),
(r'(&)((?:add|delete|expire)_func|attr|(create|read|write)_expire'
r'|default|raw_output|encrypt|group|log'
r'|mergeable|optional|persistent|priority|redef'
r'|rotate_(?:interval|size)|synchronized)\b', bygroups(Punctuation,
Keyword)),
(r'\s+module\b', Keyword.Namespace),
# Addresses, ports and networks
(r'\d+/(tcp|udp|icmp|unknown)\b', Number),
(r'(\d+\.){3}\d+', Number),
(r'(' + _hex + r'){7}' + _hex, Number),
(r'0x' + _hex + r'(' + _hex + r'|:)*::(' + _hex + r'|:)*', Number),
(r'((\d+|:)(' + _hex + r'|:)*)?::(' + _hex + r'|:)*', Number),
(r'(\d+\.\d+\.|(\d+\.){2}\d+)', Number),
# Hostnames
(_h + r'(\.' + _h + r')+', String),
# Numeric
(_float + r'\s+(day|hr|min|sec|msec|usec)s?\b', Literal.Date),
(r'0[xX]' + _hex, Number.Hex),
(_float, Number.Float),
(r'\d+', Number.Integer),
(r'/', String.Regex, 'regex'),
(r'"', String, 'string'),
# Operators
(r'[!%*/+-:<=>?~|]', Operator),
(r'([-+=&|]{2}|[+-=!><]=)', Operator),
(r'(in|match)\b', Operator.Word),
(r'[{}()\[\]$.,;]', Punctuation),
# Identfier
(r'([_a-zA-Z]\w*)(::)', bygroups(Name, Name.Namespace)),
(r'[a-zA-Z_][a-zA-Z_0-9]*', Name)
],
'string': [
(r'"', String, '#pop'),
(r'\\([\\abfnrtv"\']|x[a-fA-F0-9]{2,4}|[0-7]{1,3})', String.Escape),
(r'[^\\"\n]+', String),
(r'\\\n', String),
(r'\\', String)
],
'regex': [
(r'/', String.Regex, '#pop'),
(r'\\[\\nt/]', String.Regex), # String.Escape is too intense.
(r'[^\\/\n]+', String.Regex),
(r'\\\n', String.Regex),
(r'\\', String.Regex)
]
}


@ -1,317 +0,0 @@
"""
Broxygen domain for Sphinx.
Adds directives that allow Sphinx to invoke Bro in order to generate script
reference documentation on the fly. The directives are:
broxygen:package
- Shows links to all scripts contained within matching package(s).
broxygen:package_index
- An index with links to matching package document(s).
broxygen:script
- Reference for matching script(s) (i.e. everything declared by the script).
broxygen:script_summary
- Shows link to matching script(s) with it's summary-section comments.
broxygen:script_index
- An index with links to all matching scrips.
broxygen:proto_analyzer
- All protocol analyzers and their components (events/bifs, etc.)
broxygen:file_analyzer
- All file analyzers and their components (events/bifs, etc.)
"""
from sphinx.domains import Domain, ObjType
from sphinx.locale import l_
from docutils.parsers.rst.directives.misc import Include
App = None
def info(msg):
"""Use Sphinx builder to output a console message."""
global App
from sphinx.util.console import blue
App.builder.info(blue(msg))
def pattern_to_filename_component(pattern):
"""Replace certain characters in Broxygen config file target pattern.
Such that it can be used as part of a (sane) filename.
"""
return pattern.replace("/", ".").replace("*", "star")
def ensure_dir(path):
"""Should act like ``mkdir -p``."""
import os
import errno
try:
os.makedirs(path)
except OSError as e:
if e.errno != errno.EEXIST:
raise
def generate_config(env, type, pattern):
"""Create a Broxygen config file for a particular target.
It can be used by Bro to generate reST docs for that target.
"""
import os
import tempfile
from sphinx.errors import SphinxError
work_dir = env.config.broxygen_cache
if not work_dir:
raise SphinxError("broxygen_cache not set in sphinx config file")
ensure_dir(work_dir)
prefix = "{0}-{1}-".format(type, pattern_to_filename_component(pattern))
(fd, cfg) = tempfile.mkstemp(suffix=".cfg", prefix=prefix, dir=work_dir)
generated_file = "{0}.rst".format(cfg)
config = "{0}\t{1}\t{2}".format(type, pattern, generated_file)
f = os.fdopen(fd, "w")
f.write(config)
f.close()
return (cfg, generated_file)
def generate_target(env, type, pattern):
"""Create a Broxygen target and build it.
For a target which hasn't been referenced by any other script, this function
creates an associated config file then uses Bro w/ it to build the target
and stores the target information in the build environment.
If a script references a target that's already found in the build
environment the results of the previous built are re-used.
"""
app_data = env.domaindata["broxygen"]
if (type, pattern) in app_data["targets"]:
info("Broxygen has cached doc for target '{0} {1}'".format(
type, pattern))
return app_data["targets"]
(cfg, gend_file) = generate_config(env, type, pattern)
target = BroxygenTarget(type, pattern, cfg, gend_file)
app_data["targets"][(type, pattern)] = target
build_target(env, target)
info("Broxygen built target '{0} {1}'".format(type, pattern))
return target
def build_target(env, target):
"""Invoke a Bro process to build a Broxygen target."""
import os
import subprocess
path_to_bro = env.config.bro_binary
if not path_to_bro:
raise SphinxError("'bro' not set in sphinx config file (path to bro)")
bro_cmd = "{0} -X {1} broxygen".format(path_to_bro, target.config_file)
cwd = os.getcwd()
os.chdir(os.path.dirname(target.config_file))
try:
subprocess.check_output(bro_cmd, stderr=subprocess.STDOUT, shell=True)
except subprocess.CalledProcessError as e:
from sphinx.errors import SphinxError
raise SphinxError(
"Command '{0}' returned non-zero exit status {1}: {2}".format(
e.cmd, e.returncode, e.output))
finally:
os.chdir(cwd)
class BroxygenTarget(object):
"""Some portion of reST documentation that Bro knows how to generate.
A target is identified by its type and pattern. E.g. type "script" and
pattern "broxygen/example.bro".
"""
def __init__(self, type, pattern, config_file, generated_file):
self.type = type
self.pattern = pattern
self.config_file = config_file
self.generated_file = generated_file
self.used_in_docs = set()
class BroxygenDirective(Include):
"""Base class for Broxygen directives.
It can use Bro to generate reST documentation on the fly and embed it in
the document at the location of the directive just like the ``.. include::``
directive. The only argument is a pattern to identify to Bro which
pieces of documentation it needs to create.
"""
required_arguments = 1
has_content = False
target_type = None
def run(self):
env = self.state.document.settings.env
info("Broxygen running .. {0}:: {1} in {2}".format(
self.name, self.arguments[0], env.docname))
target = generate_target(env, self.target_type, self.arguments[0])
target.used_in_docs.add(env.docname)
self.arguments = [target.generated_file]
return super(BroxygenDirective, self).run()
class PackageDirective(BroxygenDirective):
target_type = "package"
class PackageIndexDirective(BroxygenDirective):
target_type = "package_index"
class ScriptDirective(BroxygenDirective):
target_type = "script"
class ScriptSummaryDirective(BroxygenDirective):
target_type = "script_summary"
class ScriptIndexDirective(BroxygenDirective):
target_type = "script_index"
class ProtoAnalyzerDirective(BroxygenDirective):
target_type = "proto_analyzer"
class FileAnalyzerDirective(BroxygenDirective):
target_type = "file_analyzer"
class IdentifierDirective(BroxygenDirective):
target_type = "identifier"
class BroxygenDomain(Domain):
name = "broxygen"
label = "Broxygen"
object_types = {
"package": ObjType(l_("package")),
"package_index": ObjType(l_("package_index")),
"script": ObjType(l_("script")),
"script_summary": ObjType(l_("script_summary")),
"script_index": ObjType(l_("script_index")),
"proto_analyzer": ObjType(l_("proto_analyzer")),
"file_analyzer": ObjType(l_("file_analyzer")),
"identifier": ObjType(l_("identifier")),
}
directives = {
"package": PackageDirective,
"package_index": PackageIndexDirective,
"script": ScriptDirective,
"script_summary": ScriptSummaryDirective,
"script_index": ScriptIndexDirective,
"proto_analyzer": ProtoAnalyzerDirective,
"file_analyzer": FileAnalyzerDirective,
"identifier": IdentifierDirective,
}
roles = {}
initial_data = {
"targets": {}
}
def clear_doc(self, docname):
"""Update Broxygen targets referenced in docname.
If it's the last place the target was referenced, remove it from
the build environment and delete any generated config/reST files
associated with it from the cache.
"""
import os
stale_targets = []
for (type, pattern), target in self.data["targets"].items():
if docname in target.used_in_docs:
target.used_in_docs.remove(docname)
if not target.used_in_docs:
stale_targets.append(target)
for target in stale_targets:
del self.data["targets"][(target.type, target.pattern)]
os.remove(target.config_file)
os.remove(target.generated_file)
def get_objects(self):
"""No Broxygen-generated content is itself linkable/searchable."""
return []
def env_get_outdated_hook(app, env, added, changed, removed):
"""Check whether to re-read any documents referencing Broxygen targets.
To do that we have to ask Bro to rebuild each target and compare the
before and after modification times of the generated reST output file.
If Bro changed it, then the document containing the Broxygen directive
needs to be re-read.
"""
import os
reread = set()
for target in app.env.domaindata["broxygen"]["targets"].values():
before_mtime = os.stat(target.generated_file)
build_target(env, target)
after_mtime = os.stat(target.generated_file)
if after_mtime > before_mtime:
info("Broxygen target '{0} {1}' outdated".format(
target.type, target.pattern))
for docname in target.used_in_docs:
if docname not in removed:
info(" in document: {0}".format(docname))
reread.add(docname)
return list(reread)
def setup(app):
global App
App = app
app.add_domain(BroxygenDomain)
app.add_config_value("bro_binary", None, "env")
app.add_config_value("broxygen_cache", None, "env")
app.connect("env-get-outdated", env_get_outdated_hook)


@ -1,183 +0,0 @@
def setup(app):
pass
# -*- coding: utf-8 -*-
"""
Modified version of the the Pygments reStructuredText directive. -Robin
This provides two new directives:
- .. code:: [<format>]
Highlights the following code block according to <format> if
given (e.g., "c", "python", etc.).
- .. console::
Highlits the following code block as a shell session.
For compatibility with the original version, "sourcecode" is
equivalent to "code".
Original comment:
The Pygments reStructuredText directive
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This fragment is a Docutils_ 0.5 directive that renders source code
(to HTML only, currently) via Pygments.
To use it, adjust the options below and copy the code into a module
that you import on initialization. The code then automatically
registers a ``sourcecode`` directive that you can use instead of
normal code blocks like this::
.. sourcecode:: python
My code goes here.
If you want to have different code styles, e.g. one with line numbers
and one without, add formatters with their names in the VARIANTS dict
below. You can invoke them instead of the DEFAULT one by using a
directive option::
.. sourcecode:: python
:linenos:
My code goes here.
Look at the `directive documentation`_ to get all the gory details.
.. _Docutils: http://docutils.sf.net/
.. _directive documentation:
http://docutils.sourceforge.net/docs/howto/rst-directives.html
:copyright: Copyright 2006-2010 by the Pygments team, see AUTHORS.
:license: BSD, see LICENSE for details.
"""
# Options
# ~~~~~~~
# Set to True if you want inline CSS styles instead of classes
INLINESTYLES = False
from pygments.formatters import HtmlFormatter
class MyHtmlFormatter(HtmlFormatter):
def format_unencoded(self, tokensource, outfile):
# A NOP currently.
new_tokens = []
for (i, piece) in tokensource:
new_tokens += [(i, piece)]
return super(MyHtmlFormatter, self).format_unencoded(new_tokens, outfile)
# The default formatter
DEFAULT = MyHtmlFormatter(noclasses=INLINESTYLES, cssclass="pygments")
# Add name -> formatter pairs for every variant you want to use
VARIANTS = {
# 'linenos': HtmlFormatter(noclasses=INLINESTYLES, linenos=True),
}
import textwrap
from docutils import nodes
from docutils.parsers.rst import directives, Directive
from pygments import highlight
from pygments.lexers import get_lexer_by_name, guess_lexer, TextLexer
from pygments.token import Text, Keyword, Error, Operator, Name
from pygments.filter import Filter
# Ugly hack to register the Bro lexer. I'm sure there's a better way to do it,
# but it's not obvious ...
from bro_lexer.bro import BroLexer
from pygments.lexers._mapping import LEXERS
LEXERS['BroLexer'] = ('bro_lexer.bro', BroLexer.name, BroLexer.aliases, BroLexer.filenames, ())
class Pygments(Directive):
""" Source code syntax hightlighting.
"""
#max_line_length = 68
max_line_length = 0
required_arguments = 0
optional_arguments = 1
final_argument_whitespace = True
option_spec = dict([(key, directives.flag) for key in VARIANTS])
has_content = True
def wrapped_content(self):
content = []
if Console.max_line_length:
for line in self.content:
content += textwrap.wrap(line, Console.max_line_length, subsequent_indent=" ")
else:
content = self.content
return u'\n'.join(content)
def run(self):
self.assert_has_content()
content = self.wrapped_content()
if len(self.arguments) > 0:
try:
lexer = get_lexer_by_name(self.arguments[0])
except (ValueError, IndexError):
# lexer not found, use default.
lexer = TextLexer()
else:
try:
lexer = guess_lexer(content)
except:
lexer = TextLexer()
# import sys
# print >>sys.stderr, self.arguments, lexer.__class__
# take an arbitrary option if more than one is given
formatter = self.options and VARIANTS[self.options.keys()[0]] or DEFAULT
parsed = highlight(content, lexer, formatter)
return [nodes.raw('', parsed, format='html')]
class MyFilter(Filter):
def filter(self, lexer, stream):
bol = True
for (ttype, value) in stream:
# Color the '>' prompt sign.
if bol and ttype is Text and value == ">":
ttype = Name.Variable.Class # This gives us a nice red.
# Discolor builtin, that can look funny.
if ttype is Name.Builtin:
ttype = Text
bol = value.endswith("\n")
yield (ttype, value)
class Console(Pygments):
required_arguments = 0
optional_arguments = 0
def run(self):
self.assert_has_content()
content = self.wrapped_content()
lexer = get_lexer_by_name("sh")
lexer.add_filter(MyFilter())
parsed = highlight(content, lexer, DEFAULT)
return [nodes.raw('', parsed, format='html')]
directives.register_directive('sourcecode', Pygments)
directives.register_directive('code', Pygments)
directives.register_directive('console', Console)


@ -29,8 +29,6 @@ Broker-Enabled Communication/Cluster Framework
also gives examples of Broker and the new cluster framework that
show off all the new features and capabilities.
.. contents::
Porting Guide
=============
@ -296,11 +294,17 @@ Connecting to Peers
Bro can accept incoming connections by calling :bro:see:`Broker::listen`.
.. btest-include:: ${DOC_ROOT}/frameworks/broker/connecting-listener.bro
.. literalinclude:: broker/connecting-listener.bro
:caption: connecting-listener.bro
:language: bro
:linenos:
Bro can initiate outgoing connections by calling :bro:see:`Broker::peer`.
.. btest-include:: ${DOC_ROOT}/frameworks/broker/connecting-connector.bro
.. literalinclude:: broker/connecting-connector.bro
:caption: connecting-connector.bro
:language: bro
:linenos:
In either case, connection status updates are monitored via the
:bro:see:`Broker::peer_added` and :bro:see:`Broker::peer_lost` events.
@ -317,7 +321,10 @@ more on how topics work and are chosen.
Use the :bro:see:`Broker::subscribe` function to subscribe to topics and
define any event handlers for events that peers will send.
.. btest-include:: ${DOC_ROOT}/frameworks/broker/events-listener.bro
.. literalinclude:: broker/events-listener.bro
:caption: events-listener.bro
:language: bro
:linenos:
There are two different ways to send events.
@ -333,7 +340,10 @@ whenever the event is called locally via the normal event invocation syntax.
When auto-publishing events, local event handlers for the event are called
in addition to sending the event to any subscribed peers.
.. btest-include:: ${DOC_ROOT}/frameworks/broker/events-connector.bro
.. literalinclude:: broker/events-connector.bro
:caption: events-connector.bro
:language: bro
:linenos:
Note that the subscription model is prefix-based, meaning that if you subscribe
to the "bro/events" topic prefix you would receive events that are published
@ -342,16 +352,25 @@ to topic names "bro/events/foo" and "bro/events/bar" but not "bro/misc".
Remote Logging
--------------
.. btest-include:: ${DOC_ROOT}/frameworks/broker/testlog.bro
.. literalinclude:: broker/testlog.bro
:caption: testlog.bro
:language: bro
:linenos:
To toggle remote logs, redef :bro:see:`Log::enable_remote_logging`.
Use the :bro:see:`Broker::subscribe` function to advertise interest
in logs written by peers. The topic names that Bro uses are determined by
:bro:see:`Broker::log_topic`.
.. btest-include:: ${DOC_ROOT}/frameworks/broker/logs-listener.bro
.. literalinclude:: broker/logs-listener.bro
:caption: logs-listener.bro
:language: bro
:linenos:
.. btest-include:: ${DOC_ROOT}/frameworks/broker/logs-connector.bro
.. literalinclude:: broker/logs-connector.bro
:caption: logs-connector.bro
:language: bro
:linenos:
Note that logging events are only raised locally on the node that performs
the :bro:see:`Log::write` and not automatically published to peers.
@ -379,9 +398,15 @@ use. E.g. In-memory versus SQLite for persistence.
Data stores also support expiration on a per-key basis using an amount of
time relative to the entry's last modification time.
.. btest-include:: ${DOC_ROOT}/frameworks/broker/stores-listener.bro
.. literalinclude:: broker/stores-listener.bro
:caption: stores-listener.bro
:language: bro
:linenos:
.. btest-include:: ${DOC_ROOT}/frameworks/broker/stores-connector.bro
.. literalinclude:: broker/stores-connector.bro
:caption: stores-connector.bro
:language: bro
:linenos:
Note that all data store queries must be made within Bro's asynchronous
``when`` statements and must specify a timeout block.
@ -403,7 +428,7 @@ should always use the fully-qualified event name.
For example, this will likely not work as expected:
.. code:: bro
.. sourcecode:: bro
module MyModule;
@ -427,7 +452,7 @@ will never be called and also not any remote handlers either, even if
:bro:see:`Broker::auto_publish` was used elsewhere for it. Instead, at
minimum you would need change the ``bro_init()`` handler:
.. code:: bro
.. sourcecode:: bro
event bro_init()
{
@ -438,7 +463,7 @@ minimum you would need change the ``bro_init()`` handler:
Though, an easy rule of thumb to remember would be to always use the
explicit module namespace scoping and you can't go wrong:
.. code:: bro
.. sourcecode:: bro
module MyModule;
@ -467,7 +492,7 @@ Manager Sending Events To Workers
This is fairly straightforward, we just need a topic name which we know
all workers are subscribed combined with the event we want to send them.
.. code:: bro
.. sourcecode:: bro
event manager_to_workers(s: string)
{
@ -510,7 +535,7 @@ This should look almost identical to the previous case of sending an event
from the manager to workers, except it simply changes the topic name to
one which the manager is subscribed.
.. code:: bro
.. sourcecode:: bro
event worker_to_manager(worker_name: string)
{
@ -531,7 +556,7 @@ topology, this type of communication is a bit different than what we
did before since we have to manually relay the event via some node that *is*
connected to all workers. The manager or a proxy satisfies that requirement:
.. code:: bro
.. sourcecode:: bro
event worker_to_workers(worker_name: string)
{
@ -570,7 +595,7 @@ we can make use of a `Highest Random Weight (HRW) hashing
<https://en.wikipedia.org/wiki/Rendezvous_hashing>`_ distribution strategy
to uniformly map an arbitrary key space across all available proxies.
.. code:: bro
.. sourcecode:: bro
event worker_to_proxies(worker_name: string)
{


@ -14,10 +14,6 @@ ability to specify input files to enable changing the value of options at
runtime, a couple of functions, and a log file "config.log"
which contains information about every change to option values.
.. contents::
Introduction
------------
@ -42,7 +38,7 @@ Declaring options
The "option" keyword allows variables to be declared as configuration options.
.. code:: bro
.. sourcecode:: bro
module TestModule;
@ -67,7 +63,7 @@ being that there is no need to specify the :bro:attr:`&redef` attribute in
the declaration of an option. For example, given the above option
declarations, here are some possible redefs:
.. code:: bro
.. sourcecode:: bro
redef TestModule::enable_feature = T;
redef TestModule::my_networks += { 10.1.0.0/16, 10.2.0.0/16 };
@ -90,7 +86,7 @@ only the manager node attempts to read the specified configuration files.
For example, simply add something like this to local.bro:
.. code:: bro
.. sourcecode:: bro
redef Config::config_files += { "/path/to/config.dat" };
@ -131,7 +127,7 @@ supported by the config input reader. In that case you would need to use
the Config::set_value function to change the value of such an option as
shown in the following example.
.. code:: bro
.. sourcecode:: bro
module TestModule;
@ -158,7 +154,7 @@ change handler for an option that has a data type of "addr" (for other
data types, the return type and 2nd parameter data type must be adjusted
accordingly):
.. code:: bro
.. sourcecode:: bro
module TestModule;


@ -21,8 +21,6 @@ File Analysis
provide analysis specifically for files that is analogous to the
analysis Bro provides for network connections.
.. contents::
File Lifecycle Events
=====================
@ -36,11 +34,23 @@ bytes have been transferred so far, and its MIME type.
Here's a simple example:
.. btest-include:: ${DOC_ROOT}/frameworks/file_analysis_01.bro
.. literalinclude:: file_analysis_01.bro
:caption:
:language: bro
:linenos:
.. btest:: file-analysis-01
.. sourcecode:: console
@TEST-EXEC: btest-rst-cmd bro -r ${TRACES}/http/get.trace ${DOC_ROOT}/frameworks/file_analysis_01.bro
$ bro -r http/get.trace file_analysis_01.bro
file_state_remove
FakNcS1Jfe01uljb3
CHhAvVGS1DHFjwGM9
[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]
HTTP
connection_state_remove
CHhAvVGS1DHFjwGM9
[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]
HTTP
This doesn't perform any interesting analysis yet, but does highlight
the similarity between analysis of connections and files. Connections
@ -71,16 +81,21 @@ explicit attachment decision.
Here's a simple example of how to use the MD5 file analyzer to
calculate the MD5 of plain text files:
.. btest-include:: ${DOC_ROOT}/frameworks/file_analysis_02.bro
.. literalinclude:: file_analysis_02.bro
:caption:
:language: bro
:linenos:
.. btest:: file-analysis-02
.. sourcecode:: console
@TEST-EXEC: btest-rst-cmd bro -r ${TRACES}/http/get.trace ${DOC_ROOT}/frameworks/file_analysis_02.bro
$ bro -r http/get.trace file_analysis_02.bro
new file, FakNcS1Jfe01uljb3
file_hash, FakNcS1Jfe01uljb3, md5, 397168fd09991a0e712254df7bc639ac
Some file analyzers might have tunable parameters that need to be
specified in the call to :bro:see:`Files::add_analyzer`:
.. code:: bro
.. sourcecode:: bro
event file_new(f: fa_file)
{
@ -109,19 +124,24 @@ in the same way it analyzes files that it sees coming over traffic from
a network interface it's monitoring. It only requires a call to
:bro:see:`Input::add_analysis`:
.. btest-include:: ${DOC_ROOT}/frameworks/file_analysis_03.bro
.. literalinclude:: file_analysis_03.bro
:caption:
:language: bro
:linenos:
Note that the "source" field of :bro:see:`fa_file` corresponds to the
"name" field of :bro:see:`Input::AnalysisDescription` since that is what
the input framework uses to uniquely identify an input stream.
The output of the above script may be (assuming a file called "myfile"
exists):
Example output of the above script may be:
.. btest:: file-analysis-03
.. sourcecode:: console
@TEST-EXEC: echo "Hello world" > myfile
@TEST-EXEC: btest-rst-cmd bro ${DOC_ROOT}/frameworks/file_analysis_03.bro
$ echo "Hello world" > myfile
$ bro file_analysis_03.bro
new file, FZedLu4Ajcvge02jA8
file_hash, FZedLu4Ajcvge02jA8, md5, f0ef7081e1539ac00ef5b761b4fb01b3
file_state_remove
Nothing that special, but it at least verifies the MD5 file analyzer
saw all the bytes of the input file and calculated the checksum


@ -17,8 +17,6 @@ GeoLocation
software, and then install the GeoLite2 city database before building
Bro.
.. contents::
Install libmaxminddb
--------------------
@ -26,19 +24,19 @@ Before building Bro, you need to install libmaxminddb.
* RPM/RedHat-based Linux:
.. console::
.. sourcecode:: console
sudo yum install libmaxminddb-devel
* DEB/Debian-based Linux:
.. console::
.. sourcecode:: console
sudo apt-get install libmaxminddb-dev
* FreeBSD:
.. console::
.. sourcecode:: console
sudo pkg install libmaxminddb
@ -58,7 +56,7 @@ and regions in addition to countries.
`Download <http://geolite.maxmind.com/download/geoip/database/GeoLite2-City.tar.gz>`__
the GeoLite2 city binary database:
.. console::
.. sourcecode:: console
wget http://geolite.maxmind.com/download/geoip/database/GeoLite2-City.tar.gz
tar zxf GeoLite2-City.tar.gz
@ -69,7 +67,7 @@ and will vary depending on which platform and package you are using. For
FreeBSD, use ``/usr/local/share/GeoIP``. For Linux, use ``/usr/share/GeoIP``
or ``/var/lib/GeoIP`` (choose whichever one already exists).
.. console::
.. sourcecode:: console
mv <extracted subdir>/GeoLite2-City.mmdb <path_to_database_dir>/GeoLite2-City.mmdb
@ -81,7 +79,7 @@ everything is setup correctly. After installing libmaxminddb and the GeoIP
city database, and building Bro, you can quickly check if the GeoIP
functionality works by running a command like this:
.. console::
.. sourcecode:: console
bro -e "print lookup_location(8.8.8.8);"
@ -113,7 +111,7 @@ Usage
There is a built-in function that provides the GeoIP functionality:
.. code:: bro
.. sourcecode:: bro
function lookup_location(a:addr): geo_location
@ -130,7 +128,7 @@ Example
To show every ftp connection from hosts in Ohio, this is now very easy:
.. code:: bro
.. sourcecode:: bro
event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool)
{


@ -15,8 +15,6 @@ Input Framework
worthwhile to take a look at the unit tests in
``testing/btest/scripts/base/frameworks/input/``.
.. contents::
Reading Data into Tables
========================
@ -53,7 +51,7 @@ the table content.
The two records are defined as:
.. code:: bro
.. sourcecode:: bro
type Idx: record {
ip: addr;
@ -72,7 +70,7 @@ columns does not matter, because each column is identified by name.
The log file is read into the table with a simple call of the
:bro:id:`Input::add_table` function:
.. code:: bro
.. sourcecode:: bro
global blacklist: table[addr] of Val = table();
@ -109,7 +107,7 @@ Once the input framework finishes reading from a data source, it fires
the :bro:id:`Input::end_of_data` event. Once this event has been received all
data from the input file is available in the table.
.. code:: bro
.. sourcecode:: bro
event Input::end_of_data(name: string, source: string) {
# now all data is in the table
@ -121,7 +119,7 @@ just might not contain all lines from the input file before the event has
fired. After the table has been populated it can be used like any other Bro
table and blacklist entries can easily be tested:
.. code:: bro
.. sourcecode:: bro
if ( 192.168.18.12 in blacklist )
# take action
@ -143,7 +141,7 @@ elements from the file will be updated. After the update is finished the
In our example the call would look like:
.. code:: bro
.. sourcecode:: bro
Input::force_update("blacklist");
@ -155,7 +153,7 @@ of the :bro:id:`Input::add_table` call. Valid values are ``Input::MANUAL``
setting the value of the ``mode`` option in the previous example
would look like this:
.. code:: bro
.. sourcecode:: bro
Input::add_table([$source="blacklist.file", $name="blacklist",
$idx=Idx, $val=Val, $destination=blacklist,
@ -189,7 +187,7 @@ item is added to, removed from, or changed in a table.
The event definition looks like this (note that you can change the name of
this event in your own Bro script):
.. code:: bro
.. sourcecode:: bro
event entry(description: Input::TableDescription, tpe: Input::Event,
left: Idx, right: Val) {
@ -199,7 +197,7 @@ this event in your own Bro script):
The event must be specified in ``$ev`` in the ``add_table`` call:
.. code:: bro
.. sourcecode:: bro
Input::add_table([$source="blacklist.file", $name="blacklist",
$idx=Idx, $val=Val, $destination=blacklist,
@ -244,7 +242,7 @@ The following example filter will reject adding entries to the table when
they were generated over a month ago. It will accept all changes and all
removals of values that are already present in the table.
.. code:: bro
.. sourcecode:: bro
Input::add_table([$source="blacklist.file", $name="blacklist",
$idx=Idx, $val=Val, $destination=blacklist,
@ -307,7 +305,7 @@ discussed in much detail. To read the blacklist of the previous example
into an event stream, the :bro:id:`Input::add_event` function is used.
For example:
.. code:: bro
.. sourcecode:: bro
type Val: record {
ip: addr;


@ -14,8 +14,6 @@ Logging To and Reading From SQLite Databases
they can, for example, be used to make data that changes regularly available
to Bro on a continuing basis.
.. contents::
Warning
=======
@ -38,12 +36,10 @@ You have to define a filter which specifies SQLite as the writer.
The following example code adds SQLite as a filter for the connection log:
.. btest-include:: ${DOC_ROOT}/frameworks/sqlite-conn-filter.bro
.. btest:: sqlite-conn-filter-check
# Make sure this parses correctly at least.
@TEST-EXEC: bro ${DOC_ROOT}/frameworks/sqlite-conn-filter.bro
.. literalinclude:: sqlite-conn-filter.bro
:caption:
:language: bro
:linenos:
Bro will create the database file ``/var/db/conn.sqlite``, if it does not
already exist. It will also create a table with the name ``conn`` (if it
@ -71,7 +67,7 @@ same fields that are present in the ASCII log files::
Note that the ASCII ``conn.log`` will still be created. To prevent this file
from being created, you can remove the default filter:
.. code:: bro
.. sourcecode:: bro
Log::remove_filter(Conn::LOG, "default");
@ -115,12 +111,10 @@ The SQLite commands to create the schema are as follows::
After creating a file called ``hosts.sqlite`` with this content, we can
read the resulting table into Bro:
.. btest-include:: ${DOC_ROOT}/frameworks/sqlite-read-table.bro
.. btest:: sqlite-read-table-check
# Make sure this parses correctly at least.
@TEST-EXEC: bro ${DOC_ROOT}/frameworks/sqlite-read-table.bro
.. literalinclude:: sqlite-read-table.bro
:caption:
:language: bro
:linenos:
Afterwards, that table can be used to check logins into hosts against
the available userlist.
@ -164,12 +158,10 @@ of files that are transmitted over the network. For each hash, a SQL-query
is run against SQLite. If the query returns with a result, we had a hit
against our malware-database and output the matching hash.
.. btest-include:: ${DOC_ROOT}/frameworks/sqlite-read-events.bro
.. btest:: sqlite-read-events-check
# Make sure this parses correctly at least.
@TEST-EXEC: bro ${DOC_ROOT}/frameworks/sqlite-read-events.bro
.. literalinclude:: sqlite-read-events.bro
:caption:
:language: bro
:linenos:
If you run this script against the trace in
``testing/btest/Traces/ftp/ipv4.trace``, you will get one hit.


@ -12,8 +12,6 @@ Logging Framework
logged. This document describes how logging can be customized and
extended.
.. contents::
Terminology
===========
@ -65,7 +63,7 @@ done:
In the following example, we create a new module "Foo" which creates
a new log stream.
.. code:: bro
.. sourcecode:: bro
module Foo;
@ -115,7 +113,7 @@ In this example, the :bro:id:`connection_established` event provides our data,
and we also store a copy of the data being logged into the
:bro:type:`connection` record:
.. code:: bro
.. sourcecode:: bro
event connection_established(c: connection)
{
@ -158,7 +156,7 @@ Let's say we want to add a boolean field ``is_private`` to
:bro:type:`Conn::Info` that indicates whether the originator IP address
is part of the :rfc:`1918` space:
.. code:: bro
.. sourcecode:: bro
# Add a field to the connection log record.
redef record Conn::Info += {
@ -184,7 +182,7 @@ In this example, since a connection's summary is generated at
the time its state is removed from memory, we can add another handler
at that time that sets our field correctly:
.. code:: bro
.. sourcecode:: bro
event connection_state_remove(c: connection)
{
@ -217,7 +215,7 @@ being logged. For these cases, a stream can specify an event that will
be generated every time a log record is written to it. To do this, we
need to modify the example module shown above to look something like this:
.. code:: bro
.. sourcecode:: bro
module Foo;
@ -248,7 +246,7 @@ connection log stream raises the event :bro:id:`Conn::log_conn`. You
could use that for example for flagging when a connection to a
specific destination exceeds a certain duration:
.. code:: bro
.. sourcecode:: bro
redef enum Notice::Type += {
## Indicates that a connection remained established longer
@ -275,7 +273,7 @@ Disable a Stream
One way to "turn off" a log is to completely disable the stream. For
example, the following example will prevent the conn.log from being written:
.. code:: bro
.. sourcecode:: bro
event bro_init()
{
@ -310,7 +308,7 @@ The easiest way to change a log filename is to simply replace the
default log filter with a new filter that specifies a value for the "path"
field. In this example, "conn.log" will be changed to "myconn.log":
.. code:: bro
.. sourcecode:: bro
event bro_init()
{
@ -335,7 +333,7 @@ if you want to restrict the set of fields being logged to the new file.
In this example, a new filter is added to the Conn::LOG stream that writes
two fields to a new log file:
.. code:: bro
.. sourcecode:: bro
event bro_init()
{
@ -366,7 +364,7 @@ corresponding ``exclude`` filter attribute that you can use instead of
If you want to make this the only log file for the stream, you can
remove the default filter:
.. code:: bro
.. sourcecode:: bro
event bro_init()
{
@ -383,7 +381,7 @@ allows, e.g., to record local and remote connections into separate
files. To do this, you define a function that returns the desired path,
and use the "path_func" filter attribute:
.. code:: bro
.. sourcecode:: bro
# Note: if using BroControl then you don't need to redef local_nets.
redef Site::local_nets = { 192.168.0.0/16 };
@ -415,7 +413,7 @@ only with the :bro:enum:`Conn::LOG` stream as the record type is hardcoded
into its argument list. However, Bro allows to do a more generic
variant:
.. code:: bro
.. sourcecode:: bro
function myfunc(id: Log::ID, path: string,
rec: record { id: conn_id; } ) : string
@ -434,7 +432,7 @@ We have seen how to customize the columns being logged, but
you can also control which records are written out by providing a
predicate that will be called for each log record:
.. code:: bro
.. sourcecode:: bro
function http_only(rec: Conn::Info) : bool
{
@ -464,7 +462,7 @@ Or specifically for certain :bro:type:`Log::Filter` instances by setting
their ``interv`` field. Here's an example of changing just the
:bro:enum:`Conn::LOG` stream's default filter rotation.
.. code:: bro
.. sourcecode:: bro
event bro_init()
{
@ -503,7 +501,7 @@ Some writer options are global (i.e., they affect all log filters using
that log writer). For example, to change the output format of all ASCII
logs to JSON format:
.. code:: bro
.. sourcecode:: bro
redef LogAscii::use_json = T;
@ -511,7 +509,7 @@ Some writer options are filter-specific (i.e., they affect only the filters
that explicitly specify the option). For example, to change the output
format of the ``conn.log`` only:
.. code:: bro
.. sourcecode:: bro
event bro_init()
{


@ -17,8 +17,6 @@ NetControl Framework
it can be used in practice, it might be worthwhile to take a look at
the unit tests.
.. contents::
NetControl Architecture
=======================
@ -65,7 +63,7 @@ Backends should be initialized in the :bro:see:`NetControl::init` event, calling
the :bro:see:`NetControl::activate` function after the plugin instance has been
initialized. The debug plugin can be initialized as follows:
.. code:: bro
.. sourcecode:: bro
event NetControl::init()
{
@ -133,17 +131,37 @@ start sending the rules to the added backend(s). To give a very simple example,
the following script will simply block the traffic of all connections that it
sees being established:
.. btest-include:: ${DOC_ROOT}/frameworks/netcontrol-1-drop-with-debug.bro
.. literalinclude:: netcontrol-1-drop-with-debug.bro
:caption:
:language: bro
:linenos:
Running this script on a file containing one connection will cause the debug
plugin to print one line to the standard output, which contains information
about the rule that was added. It will also cause creation of `netcontrol.log`,
which contains information about all actions that are taken by NetControl:
.. btest:: netcontrol-1-drop-with-debug.bro
.. sourcecode:: console
@TEST-EXEC: btest-rst-cmd bro -C -r ${TRACES}/tls/ecdhe.pcap ${DOC_ROOT}/frameworks/netcontrol-1-drop-with-debug.bro
@TEST-EXEC: btest-rst-cmd cat netcontrol.log
$ bro -C -r tls/ecdhe.pcap netcontrol-1-drop-with-debug.bro
netcontrol debug (Debug-All): init
netcontrol debug (Debug-All): add_rule: [ty=NetControl::DROP, target=NetControl::FORWARD, entity=[ty=NetControl::CONNECTION, conn=[orig_h=192.168.18.50, orig_p=56981/tcp, resp_h=74.125.239.97, resp_p=443/tcp], flow=<uninitialized>, ip=<uninitialized>, mac=<uninitialized>], expire=20.0 secs, priority=0, location=, out_port=<uninitialized>, mod=<uninitialized>, id=2, cid=2, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _no_expire_plugins={\x0a\x0a}, _added=F]
$ cat netcontrol.log
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path netcontrol
#open 2018-12-14-18-50-53
#fields ts rule_id category cmd state action target entity_type entity mod msg priority expire location plugin
#types time string enum string enum string enum string string string string int interval string string
0.000000 - NetControl::MESSAGE - - - - - - - activating plugin with priority 0 - - - Debug-All
0.000000 - NetControl::MESSAGE - - - - - - - activation finished - - - Debug-All
0.000000 - NetControl::MESSAGE - - - - - - - plugin initialization done - - - -
1398529018.678276 2 NetControl::RULE ADD NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::CONNECTION 192.168.18.50/56981<->74.125.239.97/443 - - 0 20.000000 - Debug-All
1398529018.678276 2 NetControl::RULE ADD NetControl::SUCCEEDED NetControl::DROP NetControl::FORWARD NetControl::CONNECTION 192.168.18.50/56981<->74.125.239.97/443 - - 0 20.000000 - Debug-All
#close 2018-12-14-18-50-53
In our case, `netcontrol.log` contains several :bro:see:`NetControl::MESSAGE`
entries, which show that the debug plugin has been initialized and added.
@ -159,39 +177,99 @@ additional log called `netcontrol_drop.log`. This log file is much more succinct
only contains information that is specific to drops that are enacted by
NetControl:
.. btest:: netcontrol-1-drop-with-debug.bro
.. sourcecode:: console
@TEST-EXEC: btest-rst-cmd cat netcontrol_drop.log
$ cat netcontrol_drop.log
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path netcontrol_drop
#open 2018-12-14-18-50-53
#fields ts rule_id orig_h orig_p resp_h resp_p expire location
#types time string addr port addr port interval string
1398529018.678276 2 192.168.18.50 56981 74.125.239.97 443 20.000000 -
#close 2018-12-14-18-50-53
While this example of blocking all connections is usually not very useful, the
high-level API gives an easy way to take action, for example when a host is
identified doing some harmful activity. To give a more realistic example, the
following code automatically blocks a recognized SSH guesser:
.. btest-include:: ${DOC_ROOT}/frameworks/netcontrol-2-ssh-guesser.bro
.. literalinclude:: netcontrol-2-ssh-guesser.bro
:caption:
:language: bro
:linenos:
.. btest:: netcontrol-2-ssh-guesser.bro
.. sourcecode:: console
@TEST-EXEC: btest-rst-cmd bro -C -r ${TRACES}/ssh/sshguess.pcap ${DOC_ROOT}/frameworks/netcontrol-2-ssh-guesser.bro
@TEST-EXEC: btest-rst-cmd cat netcontrol.log
$ bro -C -r ssh/sshguess.pcap netcontrol-2-ssh-guesser.bro
netcontrol debug (Debug-All): init
netcontrol debug (Debug-All): add_rule: [ty=NetControl::DROP, target=NetControl::FORWARD, entity=[ty=NetControl::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=192.168.56.1/32, mac=<uninitialized>], expire=1.0 hr, priority=0, location=, out_port=<uninitialized>, mod=<uninitialized>, id=2, cid=2, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _no_expire_plugins={\x0a\x0a}, _added=F]
$ cat netcontrol.log
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path netcontrol
#open 2018-12-14-18-50-54
#fields ts rule_id category cmd state action target entity_type entity mod msg priority expire location plugin
#types time string enum string enum string enum string string string string int interval string string
0.000000 - NetControl::MESSAGE - - - - - - - activating plugin with priority 0 - - - Debug-All
0.000000 - NetControl::MESSAGE - - - - - - - activation finished - - - Debug-All
0.000000 - NetControl::MESSAGE - - - - - - - plugin initialization done - - - -
1427726759.303199 2 NetControl::RULE ADD NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 192.168.56.1/32 - - 0 3600.000000 - Debug-All
1427726759.303199 2 NetControl::RULE ADD NetControl::SUCCEEDED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 192.168.56.1/32 - - 0 3600.000000 - Debug-All
#close 2018-12-14-18-50-54
Note that in this case, instead of calling NetControl directly, we also can use
the :bro:see:`Notice::ACTION_DROP` action of the notice framework:
.. btest-include:: ${DOC_ROOT}/frameworks/netcontrol-3-ssh-guesser.bro
.. literalinclude:: netcontrol-3-ssh-guesser.bro
:caption:
:language: bro
:linenos:
.. btest:: netcontrol-3-ssh-guesser.bro
.. sourcecode:: console
@TEST-EXEC: btest-rst-cmd bro -C -r ${TRACES}/ssh/sshguess.pcap ${DOC_ROOT}/frameworks/netcontrol-3-ssh-guesser.bro
@TEST-EXEC: btest-rst-cmd cat netcontrol.log
$ bro -C -r ssh/sshguess.pcap netcontrol-3-ssh-guesser.bro
netcontrol debug (Debug-All): init
netcontrol debug (Debug-All): add_rule: [ty=NetControl::DROP, target=NetControl::FORWARD, entity=[ty=NetControl::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=192.168.56.1/32, mac=<uninitialized>], expire=10.0 mins, priority=0, location=ACTION_DROP: T, out_port=<uninitialized>, mod=<uninitialized>, id=2, cid=2, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _no_expire_plugins={\x0a\x0a}, _added=F]
$ cat netcontrol.log
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path netcontrol
#open 2018-12-14-18-50-55
#fields ts rule_id category cmd state action target entity_type entity mod msg priority expire location plugin
#types time string enum string enum string enum string string string string int interval string string
0.000000 - NetControl::MESSAGE - - - - - - - activating plugin with priority 0 - - - Debug-All
0.000000 - NetControl::MESSAGE - - - - - - - activation finished - - - Debug-All
0.000000 - NetControl::MESSAGE - - - - - - - plugin initialization done - - - -
1427726759.303199 2 NetControl::RULE ADD NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 192.168.56.1/32 - - 0 600.000000 ACTION_DROP: T Debug-All
1427726759.303199 2 NetControl::RULE ADD NetControl::SUCCEEDED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 192.168.56.1/32 - - 0 600.000000 ACTION_DROP: T Debug-All
#close 2018-12-14-18-50-55
Using the :bro:see:`Notice::ACTION_DROP` action of the notice framework also
will cause the `dropped` column in `notice.log` to be set to true each time that
the NetControl framework enacts a block:
.. btest:: netcontrol-3-ssh-guesser.bro
.. sourcecode:: console
@TEST-EXEC: btest-rst-cmd cat notice.log
$ cat notice.log
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path notice
#open 2018-12-14-18-50-55
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval bool string string string double double
1427726759.303199 - - - - - - - - - SSH::Password_Guessing 192.168.56.1 appears to be guessing SSH passwords (seen in 10 connections). Sampled servers: 192.168.56.103, 192.168.56.103, 192.168.56.103, 192.168.56.103, 192.168.56.103 192.168.56.1 - - - - Notice::ACTION_DROP,Notice::ACTION_LOG 3600.000000 F - - - - -
#close 2018-12-14-18-50-55
Rule API
--------
@ -241,12 +319,32 @@ that the NetControl function has additional functionality, e.g. for logging.
Once again, we are going to test our function with a simple example that simply
drops all connections on the network:
.. btest-include:: ${DOC_ROOT}/frameworks/netcontrol-4-drop.bro
.. literalinclude:: netcontrol-4-drop.bro
:caption:
:language: bro
:linenos:
.. btest:: netcontrol-4-drop.bro
.. sourcecode:: console
@TEST-EXEC: btest-rst-cmd bro -C -r ${TRACES}/tls/ecdhe.pcap ${DOC_ROOT}/frameworks/netcontrol-4-drop.bro
@TEST-EXEC: btest-rst-cmd cat netcontrol.log
$ bro -C -r tls/ecdhe.pcap netcontrol-4-drop.bro
netcontrol debug (Debug-All): init
netcontrol debug (Debug-All): add_rule: [ty=NetControl::DROP, target=NetControl::FORWARD, entity=[ty=NetControl::CONNECTION, conn=[orig_h=192.168.18.50, orig_p=56981/tcp, resp_h=74.125.239.97, resp_p=443/tcp], flow=<uninitialized>, ip=<uninitialized>, mac=<uninitialized>], expire=20.0 secs, priority=0, location=<uninitialized>, out_port=<uninitialized>, mod=<uninitialized>, id=2, cid=2, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _no_expire_plugins={\x0a\x0a}, _added=F]
$ cat netcontrol.log
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path netcontrol
#open 2018-12-14-18-50-55
#fields ts rule_id category cmd state action target entity_type entity mod msg priority expire location plugin
#types time string enum string enum string enum string string string string int interval string string
0.000000 - NetControl::MESSAGE - - - - - - - activating plugin with priority 0 - - - Debug-All
0.000000 - NetControl::MESSAGE - - - - - - - activation finished - - - Debug-All
0.000000 - NetControl::MESSAGE - - - - - - - plugin initialization done - - - -
1398529018.678276 2 NetControl::RULE ADD NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::CONNECTION 192.168.18.50/56981<->74.125.239.97/443 - - 0 20.000000 - Debug-All
1398529018.678276 2 NetControl::RULE ADD NetControl::SUCCEEDED NetControl::DROP NetControl::FORWARD NetControl::CONNECTION 192.168.18.50/56981<->74.125.239.97/443 - - 0 20.000000 - Debug-All
#close 2018-12-14-18-50-55
The last example shows that :bro:see:`NetControl::add_rule` returns a string
identifier that is unique for each rule (uniqueness is not preserved across
@ -281,11 +379,16 @@ discarded before further processing.
Here is a simple example which tells Bro to discard all rules for connections
originating from the 192.168.* network:
.. btest-include:: ${DOC_ROOT}/frameworks/netcontrol-5-hook.bro
.. literalinclude:: netcontrol-5-hook.bro
:caption:
:language: bro
:linenos:
.. btest:: netcontrol-5-hook.bro
.. sourcecode:: console
@TEST-EXEC: btest-rst-cmd bro -C -r ${TRACES}/tls/ecdhe.pcap ${DOC_ROOT}/frameworks/netcontrol-5-hook.bro
$ bro -C -r tls/ecdhe.pcap netcontrol-5-hook.bro
netcontrol debug (Debug-All): init
Ignored connection from, 192.168.18.50
NetControl Events
*****************
@ -355,11 +458,18 @@ Here is a simple example, which uses a trace that contains two connections from
the same IP address. After the first connection, the script recognizes that the
address is already blocked in the second connection.
.. btest-include:: ${DOC_ROOT}/frameworks/netcontrol-6-find.bro
.. literalinclude:: netcontrol-6-find.bro
:caption:
:language: bro
:linenos:
.. btest:: netcontrol-6-find.bro
.. sourcecode:: console
@TEST-EXEC: btest-rst-cmd bro -C -r ${TRACES}/tls/google-duplicate.trace ${DOC_ROOT}/frameworks/netcontrol-6-find.bro
$ bro -C -r tls/google-duplicate.trace netcontrol-6-find.bro
netcontrol debug (Debug-All): init
netcontrol debug (Debug-All): add_rule: [ty=NetControl::DROP, target=NetControl::FORWARD, entity=[ty=NetControl::CONNECTION, conn=[orig_h=192.168.4.149, orig_p=60623/tcp, resp_h=74.125.239.129, resp_p=443/tcp], flow=<uninitialized>, ip=<uninitialized>, mac=<uninitialized>], expire=20.0 secs, priority=0, location=, out_port=<uninitialized>, mod=<uninitialized>, id=2, cid=2, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _no_expire_plugins={\x0a\x0a}, _added=F]
Rule added
Rule already exists
Notice that the functions return vectors because it is possible that several
rules exist simultaneously that affect one IP; either there could be
@ -402,11 +512,16 @@ release is contained in the file
Using catch and release in your scripts is easy; just use
:bro:see:`NetControl::drop_address_catch_release` like in this example:
.. btest-include:: ${DOC_ROOT}/frameworks/netcontrol-7-catch-release.bro
.. literalinclude:: netcontrol-7-catch-release.bro
:caption:
:language: bro
:linenos:
.. btest:: netcontrol-7-catch-release.bro
.. sourcecode:: console
@TEST-EXEC: btest-rst-cmd bro -C -r ${TRACES}/tls/ecdhe.pcap ${DOC_ROOT}/frameworks/netcontrol-7-catch-release.bro
$ bro -C -r tls/ecdhe.pcap netcontrol-7-catch-release.bro
netcontrol debug (Debug-All): init
netcontrol debug (Debug-All): add_rule: [ty=NetControl::DROP, target=NetControl::FORWARD, entity=[ty=NetControl::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=192.168.18.50/32, mac=<uninitialized>], expire=10.0 mins, priority=0, location=, out_port=<uninitialized>, mod=<uninitialized>, id=2, cid=2, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _no_expire_plugins={\x0a\x0a}, _added=F]
Note that you do not have to provide the block time for catch and release;
instead, catch and release uses the time intervals specified in
@ -418,9 +533,20 @@ first 10 minutes, it is blocked for 1 hour and then monitored for 24 hours, etc.
Catch and release adds its own new logfile in addition to the already existing
ones (netcontrol_catch_release.log):
.. btest:: netcontrol-7-catch-release.bro
.. sourcecode:: console
@TEST-EXEC: btest-rst-cmd cat netcontrol_catch_release.log
$ cat netcontrol_catch_release.log
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path netcontrol_catch_release
#open 2018-12-14-18-50-58
#fields ts rule_id ip action block_interval watch_interval blocked_until watched_until num_blocked location message
#types time string addr enum interval interval time time count string string
1398529018.678276 2 192.168.18.50 NetControl::DROP 600.000000 3600.000000 1398529618.678276 1398532618.678276 1 - -
1398529018.678276 2 192.168.18.50 NetControl::DROPPED 600.000000 3600.000000 1398529618.678276 1398532618.678276 1 - -
#close 2018-12-14-18-50-58
In addition to the blocking function, catch and release comes with the
:bro:see:`NetControl::get_catch_release_info` function to
@ -531,27 +657,65 @@ the 192.168.17.0/24 network; all other rules will be passed on to the debug
plugin. We manually block a few addresses in the
:bro:see:`NetControl::init_done` event to verify the correct functionality.
.. btest-include:: ${DOC_ROOT}/frameworks/netcontrol-8-multiple.bro
.. literalinclude:: netcontrol-8-multiple.bro
:caption:
:language: bro
:linenos:
.. btest:: netcontrol-8-multiple.bro
.. sourcecode:: console
@TEST-EXEC: btest-rst-cmd bro ${DOC_ROOT}/frameworks/netcontrol-8-multiple.bro
$ bro netcontrol-8-multiple.bro
netcontrol debug (Debug-All): init
netcontrol debug (Debug-All): add_rule: [ty=NetControl::DROP, target=NetControl::FORWARD, entity=[ty=NetControl::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=192.168.17.2/32, mac=<uninitialized>], expire=1.0 min, priority=0, location=, out_port=<uninitialized>, mod=<uninitialized>, id=3, cid=3, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _no_expire_plugins={\x0a\x0a}, _added=F]
As you can see, only the single block affecting the 192.168.17.0/24 network is
output to the command line. The other two lines are handled by the OpenFlow
plugin. We can verify this by looking at netcontrol.log. The plugin column shows
which plugin handled a rule and reveals that two rules were handled by OpenFlow:
.. btest:: netcontrol-8-multiple.bro
.. sourcecode:: console
@TEST-EXEC: btest-rst-cmd cat netcontrol.log
$ cat netcontrol.log
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path netcontrol
#open 2018-12-14-18-50-58
#fields ts rule_id category cmd state action target entity_type entity mod msg priority expire location plugin
#types time string enum string enum string enum string string string string int interval string string
1544813458.913148 - NetControl::MESSAGE - - - - - - - activating plugin with priority 0 - - - Debug-All
1544813458.913148 - NetControl::MESSAGE - - - - - - - activation finished - - - Debug-All
1544813458.913148 - NetControl::MESSAGE - - - - - - - activating plugin with priority 10 - - - Openflow-Log-42
1544813458.913148 - NetControl::MESSAGE - - - - - - - activation finished - - - Openflow-Log-42
1544813458.913148 - NetControl::MESSAGE - - - - - - - plugin initialization done - - - -
1544813458.913148 2 NetControl::RULE ADD NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 10.0.0.1/32 - - 0 60.000000 - Openflow-Log-42
1544813458.913148 3 NetControl::RULE ADD NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 192.168.17.2/32 - - 0 60.000000 - Debug-All
1544813458.913148 4 NetControl::RULE ADD NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 192.168.18.2/32 - - 0 60.000000 - Openflow-Log-42
1544813458.913148 3 NetControl::RULE ADD NetControl::SUCCEEDED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 192.168.17.2/32 - - 0 60.000000 - Debug-All
1544813458.913148 2 NetControl::RULE ADD NetControl::SUCCEEDED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 10.0.0.1/32 - - 0 60.000000 - Openflow-Log-42
1544813458.913148 4 NetControl::RULE ADD NetControl::SUCCEEDED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 192.168.18.2/32 - - 0 60.000000 - Openflow-Log-42
#close 2018-12-14-18-50-58
Furthermore, openflow.log also shows the two added rules, converted to OpenFlow
flow mods:
.. btest:: netcontrol-8-multiple.bro
.. sourcecode:: console
@TEST-EXEC: btest-rst-cmd cat openflow.log
$ cat openflow.log
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path openflow
#open 2018-12-14-18-50-58
#fields ts dpid match.in_port match.dl_src match.dl_dst match.dl_vlan match.dl_vlan_pcp match.dl_type match.nw_tos match.nw_proto match.nw_src match.nw_dst match.tp_src match.tp_dst flow_mod.cookie flow_mod.table_id flow_mod.command flow_mod.idle_timeout flow_mod.hard_timeout flow_mod.priority flow_mod.out_port flow_mod.out_group flow_mod.flags flow_mod.actions.out_ports flow_mod.actions.vlan_vid flow_mod.actions.vlan_pcp flow_mod.actions.vlan_strip flow_mod.actions.dl_src flow_mod.actions.dl_dst flow_mod.actions.nw_tos flow_mod.actions.nw_src flow_mod.actions.nw_dst flow_mod.actions.tp_src flow_mod.actions.tp_dst
#types time count count string string count count count count count subnet subnet count count count count enum count count count count count count vector[count] count count bool string string count addr addr count count
1544813458.913148 42 - - - - - 2048 - - 10.0.0.1/32 - - - 4398046511108 - OpenFlow::OFPFC_ADD 0 60 0 - - 1 (empty) - - F - - - - - - -
1544813458.913148 42 - - - - - 2048 - - - 10.0.0.1/32 - - 4398046511109 - OpenFlow::OFPFC_ADD 0 60 0 - - 1 (empty) - - F - - - - - - -
1544813458.913148 42 - - - - - 2048 - - 192.168.18.2/32 - - - 4398046511112 - OpenFlow::OFPFC_ADD 0 60 0 - - 1 (empty) - - F - - - - - - -
1544813458.913148 42 - - - - - 2048 - - - 192.168.18.2/32 - - 4398046511113 - OpenFlow::OFPFC_ADD 0 60 0 - - 1 (empty) - - F - - - - - - -
#close 2018-12-14-18-50-58
.. note::
@ -613,16 +777,29 @@ raise the :bro:see:`NetControl::rule_added` and
:bro:see:`NetControl::rule_removed` events in your plugin to let NetControl know
when a rule was added and removed successfully.
.. btest-include:: ${DOC_ROOT}/frameworks/netcontrol-9-skeleton.bro
.. literalinclude:: netcontrol-9-skeleton.bro
:caption:
:language: bro
:linenos:
This example is already fully functional and we can use it with a script similar
to our very first example:
.. btest-include:: ${DOC_ROOT}/frameworks/netcontrol-10-use-skeleton.bro
.. literalinclude:: netcontrol-10-use-skeleton.bro
:caption:
:language: bro
:linenos:
.. btest:: netcontrol-9-skeleton.bro
.. sourcecode:: console
@TEST-EXEC: btest-rst-cmd bro -C -r ${TRACES}/tls/ecdhe.pcap ${DOC_ROOT}/frameworks/netcontrol-9-skeleton.bro ${DOC_ROOT}/frameworks/netcontrol-10-use-skeleton.bro
$ bro -C -r tls/ecdhe.pcap netcontrol-10-use-skeleton.bro
add, [ty=NetControl::DROP, target=NetControl::FORWARD, entity=[ty=NetControl::CONNECTION, conn=[orig_h=192.168.18.50, orig_p=56981/tcp, resp_h=74.125.239.97, resp_p=443/tcp], flow=<uninitialized>, ip=<uninitialized>, mac=<uninitialized>], expire=20.0 secs, priority=0, location=, out_port=<uninitialized>, mod=<uninitialized>, id=2, cid=2, _plugin_ids={
}, _active_plugin_ids={
}, _no_expire_plugins={
}, _added=F]
If you want to write your own plugins, it will be worthwhile to look at the
plugins that ship with the NetControl framework to see how they define the

@ -14,8 +14,6 @@ Notice Framework
alarm emails. This page gives an introduction into writing such a notice
policy.
.. contents::
Overview
--------
@ -91,12 +89,25 @@ Here's a simple example which tells Bro to send an email for all notices of
type :bro:see:`SSH::Password_Guessing` if the guesser attempted to log in to
the server at 192.168.56.103:
.. btest-include:: ${DOC_ROOT}/frameworks/notice_ssh_guesser.bro
.. literalinclude:: notice_ssh_guesser.bro
:caption:
:language: bro
:linenos:
.. btest:: notice_ssh_guesser.bro
.. sourcecode:: console
@TEST-EXEC: btest-rst-cmd bro -C -r ${TRACES}/ssh/sshguess.pcap ${DOC_ROOT}/frameworks/notice_ssh_guesser.bro
@TEST-EXEC: btest-rst-cmd cat notice.log
$ bro -C -r ssh/sshguess.pcap notice_ssh_guesser.bro
$ cat notice.log
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path notice
#open 2018-12-13-22-56-35
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval bool string string string double double
1427726759.303199 - - - - - - - - - SSH::Password_Guessing 192.168.56.1 appears to be guessing SSH passwords (seen in 10 connections). Sampled servers: 192.168.56.103, 192.168.56.103, 192.168.56.103, 192.168.56.103, 192.168.56.103 192.168.56.1 - - - - Notice::ACTION_EMAIL,Notice::ACTION_LOG 3600.000000 F - - - - -
#close 2018-12-13-22-56-35
.. note::
@ -108,7 +119,7 @@ Hooks can also have priorities applied to order their execution like events
with a default priority of 0. Greater values are executed first. Setting
a hook body to run before default hook bodies might look like this:
.. code:: bro
.. sourcecode:: bro
hook Notice::policy(n: Notice::Info) &priority=5
{
@ -178,7 +189,7 @@ SSH analysis scripts sees enough failed logins to a given host, it
raises a notice of the type :bro:see:`SSH::Password_Guessing`. The code
in the base SSH analysis script which raises the notice looks like this:
.. code:: bro
.. sourcecode:: bro
NOTICE([$note=Password_Guessing,
$msg=fmt("%s appears to be guessing SSH passwords (seen in %d connections).", key$host, r$num),
@ -289,7 +300,7 @@ for session negotiations where the certificate or certificate chain did
not validate successfully against the available certificate authority
certificates.
.. code:: bro
.. sourcecode:: bro
NOTICE([$note=SSL::Invalid_Server_Cert,
$msg=fmt("SSL certificate validation failed with (%s)", c$ssl$validation_status),
@ -335,7 +346,7 @@ There is a field in the :bro:see:`Notice::Info` record named
sent. An example of including some information from an HTTP request is
included below.
.. code:: bro
.. sourcecode:: bro
hook Notice::policy(n: Notice::Info)
{

@ -14,15 +14,10 @@ Signature Framework
other NIDS. This page gives a brief overview on Bro's signatures
and covers some of their technical subtleties.
.. contents::
:depth: 2
Basics
======
Let's look at an example signature first:
.. code:: bro-sig
Let's look at an example signature first::
signature my-first-sig {
ip-proto == tcp
@ -36,7 +31,7 @@ This signature asks Bro to match the regular expression ``.*root`` on
all TCP connections going to port 80. When the signature triggers, Bro
will raise an event :bro:id:`signature_match` of the form:
.. code:: bro
.. sourcecode:: bro
event signature_match(state: signature_state, msg: string, data: string)
@ -117,9 +112,7 @@ evaluates to true, the whole header condition matches (exception: with
``!=``, the header condition only matches if all values differ).
In addition to these pre-defined header keywords, a general header
condition can be defined either as
.. code:: bro-sig
condition can be defined either as::
header <proto>[<offset>:<size>] [& <integer>] <cmp> <value-list>
@ -141,9 +134,7 @@ are not allowed in the value-list, though you can still inspect any 1,
2, or 4 byte section of an IPv6 header using this keyword.
Putting it all together, this is an example condition that is
equivalent to ``dst-ip == 1.2.3.4/16, 5.6.7.8/24``:
.. code:: bro-sig
equivalent to ``dst-ip == 1.2.3.4/16, 5.6.7.8/24``::
header ip[16:4] == 1.2.3.4/16, 5.6.7.8/24
@ -162,9 +153,7 @@ Second, it may be prefixed with an analyzer-specific label, in which
case the expression is matched against the data as extracted by the
corresponding analyzer.
A ``payload`` condition has the form:
.. code:: bro-sig
A ``payload`` condition has the form::
payload /<regular expression>/
@ -272,7 +261,7 @@ two actions defined:
Raises a :bro:id:`signature_match` event. The event handler has the
following type:
.. code:: bro
.. sourcecode:: bro
event signature_match(state: signature_state, msg: string, data: string)

@ -17,8 +17,6 @@ Summary Statistics
data sets and making them measurable in practice on large clustered and
non-clustered Bro deployments.
.. contents::
Overview
========
@ -73,15 +71,18 @@ Sumstats provides a simple way of approaching the problem of trying to count
the number of connections over a given time interval. Here is a script with
inline documentation that does this with the Sumstats framework:
.. btest-include:: ${DOC_ROOT}/frameworks/sumstats-countconns.bro
.. literalinclude:: sumstats-countconns.bro
:caption:
:language: bro
:linenos:
When run on a sample PCAP file from the Bro test suite, the following output
is created:
.. btest:: sumstats-countconns
@TEST-EXEC: btest-rst-cmd bro -r ${TRACES}/workshop_2011_browse.trace ${DOC_ROOT}/frameworks/sumstats-countconns.bro
.. sourcecode:: console
$ bro -r workshop_2011_browse.trace sumstats-countconns.bro
Number of connections established: 6
Toy scan detection
------------------
@ -92,14 +93,18 @@ demonstrate how thresholding works in Sumstats and is not meant to be a
real-world functional example, that is left to the
:doc:`/scripts/policy/misc/scan.bro` script that is included with Bro.
.. btest-include:: ${DOC_ROOT}/frameworks/sumstats-toy-scan.bro
.. literalinclude:: sumstats-toy-scan.bro
:caption:
:language: bro
:linenos:
Let's see if there are any hosts that crossed the threshold in a PCAP file
containing a host running nmap:
.. btest:: sumstats-toy-scan
.. sourcecode:: console
@TEST-EXEC: btest-rst-cmd bro -r ${TRACES}/nmap-vsn.trace ${DOC_ROOT}/frameworks/sumstats-toy-scan.bro
$ bro -r nmap-vsn.trace sumstats-toy-scan.bro
192.168.1.71 attempted 5 or more connections
It seems the host running nmap was detected!

@ -1,9 +1,9 @@
.. _http-monitor:
================================
Monitoring HTTP Traffic with Bro
================================
=======================
Monitoring HTTP Traffic
=======================
Bro can be used to log the entire HTTP traffic from your network to the
http.log file. This file can then be used for analysis and auditing
@ -84,31 +84,43 @@ use this to identify a proxy server.
We can write a basic script in Bro to handle the http_reply event and
detect a reply for a ``GET http://`` request.
.. btest-include:: ${DOC_ROOT}/httpmonitor/http_proxy_01.bro
.. literalinclude:: http_proxy_01.bro
:caption:
:language: bro
:linenos:
.. btest:: http_proxy_01
.. sourcecode:: console
@TEST-EXEC: btest-rst-cmd bro -r ${TRACES}/http/proxy.pcap ${DOC_ROOT}/httpmonitor/http_proxy_01.bro
$ bro -r http/proxy.pcap http_proxy_01.bro
A local server is acting as an open proxy: 192.168.56.101
Basically, the script is checking for a "200 OK" status code on a reply
for a request that includes "http:" (case insensitive). In reality, the
HTTP protocol defines several success status codes other than 200, so we
will extend our basic script to also consider the additional codes.
.. btest-include:: ${DOC_ROOT}/httpmonitor/http_proxy_02.bro
.. literalinclude:: http_proxy_02.bro
:caption:
:language: bro
:linenos:
.. btest:: http_proxy_02
.. sourcecode:: console
@TEST-EXEC: btest-rst-cmd bro -r ${TRACES}/http/proxy.pcap ${DOC_ROOT}/httpmonitor/http_proxy_02.bro
$ bro -r http/proxy.pcap http_proxy_02.bro
A local server is acting as an open proxy: 192.168.56.101
Next, we will make sure that the responding proxy is part of our local
network.
.. btest-include:: ${DOC_ROOT}/httpmonitor/http_proxy_03.bro
.. literalinclude:: http_proxy_03.bro
:caption:
:language: bro
:linenos:
.. btest:: http_proxy_03
.. sourcecode:: console
@TEST-EXEC: btest-rst-cmd bro -r ${TRACES}/http/proxy.pcap ${DOC_ROOT}/httpmonitor/http_proxy_03.bro
$ bro -r http/proxy.pcap http_proxy_03.bro
A local server is acting as an open proxy: 192.168.56.101
.. note::
@ -123,12 +135,25 @@ we will tag the traffic accordingly and define a new ``Open_Proxy``
notification has been fired, we will further suppress it for one day.
Below is the complete script.
.. btest-include:: ${DOC_ROOT}/httpmonitor/http_proxy_04.bro
.. literalinclude:: http_proxy_04.bro
:caption:
:language: bro
:linenos:
.. btest:: http_proxy_04
.. sourcecode:: console
@TEST-EXEC: btest-rst-cmd bro -r ${TRACES}/http/proxy.pcap ${DOC_ROOT}/httpmonitor/http_proxy_04.bro
@TEST-EXEC: btest-rst-include notice.log
$ bro -r http/proxy.pcap http_proxy_04.bro
$ cat notice.log
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path notice
#open 2018-12-13-22-56-39
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval bool string string string double double
1389654450.449603 CHhAvVGS1DHFjwGM9 192.168.56.1 52679 192.168.56.101 80 - - - tcp HTTP::Open_Proxy A local server is acting as an open proxy: 192.168.56.101 - 192.168.56.1 192.168.56.101 80 - - Notice::ACTION_LOG 86400.000000 F - - - - -
#close 2018-12-13-22-56-40
Note that this script only logs the presence of the proxy to
``notice.log``, but if an additional email is desired (and email
@ -148,11 +173,20 @@ instruct Bro to create a copy of all files of certain types that it sees
using the :ref:`File Analysis Framework <file-analysis-framework>`
(introduced with Bro 2.2):
.. btest-include:: ${DOC_ROOT}/httpmonitor/file_extraction.bro
.. literalinclude:: file_extraction.bro
:caption:
:language: bro
:linenos:
.. btest:: file_extraction
.. sourcecode:: console
@TEST-EXEC: btest-rst-cmd -n 5 bro -r ${TRACES}/http/bro.org.pcap ${DOC_ROOT}/httpmonitor/file_extraction.bro
$ bro -r bro.org.pcap file_extraction.bro
Extracting file HTTP-FiIpIB2hRQSDBOSJRg.html
Extracting file HTTP-FMG4bMmVV64eOsCb.txt
Extracting file HTTP-FnaT2a3UDd093opCB9.txt
Extracting file HTTP-FfQGqj4Fhh3pH7nVQj.txt
Extracting file HTTP-FsvATF146kf1Emc21j.txt
[...]
Here, the ``mime_to_ext`` table serves two purposes. It defines which
mime types to extract and also the file suffix of the extracted files.

@ -1,9 +1,7 @@
.. Bro documentation master file
==========
Bro Manual
==========
===========
Zeek Manual
===========
Introduction Section
====================
@ -21,8 +19,8 @@ Introduction Section
.. _using-bro:
Using Bro Section
=================
Using Zeek/Bro Section
======================
.. toctree::
:maxdepth: 2

@ -3,8 +3,6 @@
Detailed Version History
========================
.. contents::
---
Bro
---

@ -1,11 +1,9 @@
.. _crosstool-NG: https://crosstool-ng.github.io/
.. _CMake toolchain: https://cmake.org/cmake/help/latest/manual/cmake-toolchains.7.html
===================
Cross Compiling Bro
===================
.. contents::
===============
Cross Compiling
===============
Prerequisites
=============
@ -25,14 +23,14 @@ You first need to compile a few build tools native to the host system
for use during the later cross-compile build. In the root of your
Bro source tree:
.. console::
.. sourcecode:: console
./configure --builddir=../bro-buildtools
( cd ../bro-buildtools && make binpac bifcl )
Next configure Bro to use your cross-compilation toolchain:
.. console::
.. sourcecode:: console
./configure --toolchain=/home/jon/x-tools/RaspberryPi-toolchain.cmake --with-binpac=$(pwd)/../bro-buildtools/aux/binpac/src/binpac --with-bifcl=$(pwd)/../bro-buildtools/src/bifcl
@ -71,13 +69,13 @@ something the following (using a Raspberry Pi as target system)::
If that configuration succeeds you are ready to build:
.. console::
.. sourcecode:: console
make
And if that works, install on your host system:
.. console::
.. sourcecode:: console
make install

@ -8,11 +8,9 @@
.. _installing-bro:
==============
Installing Bro
==============
.. contents::
==========
Installing
==========
Prerequisites
=============
@ -50,13 +48,13 @@ To install the required dependencies, you can use:
* RPM/RedHat-based Linux:
.. console::
.. sourcecode:: console
sudo yum install cmake make gcc gcc-c++ flex bison libpcap-devel openssl-devel python-devel swig zlib-devel
* DEB/Debian-based Linux:
.. console::
.. sourcecode:: console
sudo apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev
@ -68,7 +66,7 @@ To install the required dependencies, you can use:
Most required dependencies should come with a minimal FreeBSD install
except for the following.
.. console::
.. sourcecode:: console
sudo pkg install bash cmake swig30 bison python py27-sqlite3 py27-ipaddress
@ -152,7 +150,7 @@ hosted at https://github.com/zeek. See our `git development documentation
information on Bro's use of git revision control, but the short story
for downloading the full source code experience for Bro via git is:
.. console::
.. sourcecode:: console
git clone --recursive https://github.com/zeek/zeek
@ -163,7 +161,7 @@ for downloading the full source code experience for Bro via git is:
The typical way to build and install from source is (for more options,
run ``./configure --help``):
.. console::
.. sourcecode:: console
./configure
make
@ -214,13 +212,13 @@ according to the platform/shell/package you're using. For example:
Bourne-Shell Syntax:
.. console::
.. sourcecode:: console
export PATH=/usr/local/bro/bin:$PATH
C-Shell Syntax:
.. console::
.. sourcecode:: console
setenv PATH /usr/local/bro/bin:$PATH

@ -5,8 +5,6 @@
Release Notes
=============
.. contents::
.. include:: NEWS.rst

@ -1,7 +1,7 @@
=============
Upgrading Bro
=============
=========
Upgrading
=========
.. toctree::

@ -3,8 +3,6 @@
Introduction
============
.. contents::
Overview
--------

@ -1,11 +1,9 @@
.. _bro-logging:
===========
Bro Logging
===========
.. contents::
=======
Logging
=======
Once Bro has been deployed in an environment and monitoring live
traffic, it will, in its default configuration, begin to produce
@ -39,13 +37,23 @@ to the appropriate log file.
As the fields of the log entries can be further customized by the
user, the Logging Framework makes use of a header block to ensure that
it remains self-describing. This header entry can be see by running
the Unix utility ``head`` and outputting the first lines of the file:
it remains self-describing. Here's the first few lines of a ``conn.log``.
.. btest:: using_bro
.. sourcecode:: console
@TEST-EXEC: btest-rst-cmd bro -r $TRACES/wikipedia.trace
@TEST-EXEC: btest-rst-include -n 15 conn.log
$ cat conn.log
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path conn
#open 2018-12-10-22-18-00
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
1300475167.096535 CHhAvVGS1DHFjwGM9 141.142.220.202 5353 224.0.0.251 5353 udp dns - - - S0 - - 0 D 1 73 0 0 -
1300475167.097012 ClEkJM2Vm5giqnMf4h fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp dns - - - S0 - - 0 D 1 199 0 0 -
1300475167.099816 C4J4Th3PJpwUYZZ6gc 141.142.220.50 5353 224.0.0.251 5353 udp dns - - - S0 - - 0 D 1 179 0 0 -
[...]
As you can see, the header consists of lines prefixed by ``#`` and
includes information such as what separators are being used for
@ -129,15 +137,37 @@ require the user to refer to fields referenced by their position).
For example, the following command extracts just the given columns
from a ``conn.log``:
.. btest:: using_bro
.. sourcecode:: console
@TEST-EXEC: btest-rst-cmd -n 10 "cat conn.log | bro-cut id.orig_h id.orig_p id.resp_h duration"
$ cat conn.log | bro-cut id.orig_h id.orig_p id.resp_h duration
141.142.220.202 5353 224.0.0.251 -
fe80::217:f2ff:fed7:cf65 5353 ff02::fb -
141.142.220.50 5353 224.0.0.251 -
141.142.220.118 43927 141.142.2.2 0.000435
141.142.220.118 37676 141.142.2.2 0.000420
141.142.220.118 40526 141.142.2.2 0.000392
141.142.220.118 32902 141.142.2.2 0.000317
141.142.220.118 59816 141.142.2.2 0.000343
141.142.220.118 59714 141.142.2.2 0.000375
141.142.220.118 58206 141.142.2.2 0.000339
[...]
The corresponding ``awk`` command will look like this:
.. btest:: using_bro
.. sourcecode:: console
@TEST-EXEC: btest-rst-cmd -n 10 awk \'/^[^#]/ {print \$3, \$4, \$5, \$6, \$9}\' conn.log
$ awk '/^[^#]/ {print $3, $4, $5, $6, $9}' conn.log
141.142.220.202 5353 224.0.0.251 5353 -
fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 -
141.142.220.50 5353 224.0.0.251 5353 -
141.142.220.118 43927 141.142.2.2 53 0.000435
141.142.220.118 37676 141.142.2.2 53 0.000420
141.142.220.118 40526 141.142.2.2 53 0.000392
141.142.220.118 32902 141.142.2.2 53 0.000317
141.142.220.118 59816 141.142.2.2 53 0.000343
141.142.220.118 59714 141.142.2.2 53 0.000375
141.142.220.118 58206 141.142.2.2 53 0.000339
[...]
While the output is similar, the advantages to using bro-cut over
``awk`` lay in that, while ``awk`` is flexible and powerful, ``bro-cut``
@ -191,17 +221,29 @@ includes the human readable time stamp, the unique identifier, the
HTTP ``Host``, and HTTP ``URI`` as extracted from the ``http.log``
file:
.. btest:: using_bro
.. sourcecode:: console
@TEST-EXEC: btest-rst-cmd -n 5 "bro-cut -d ts uid host uri < http.log"
$ bro-cut -d ts uid host uri < http.log
2011-03-18T19:06:08+0000 CUM0KZ3MLUfNB0cl11 bits.wikimedia.org /skins-1.5/monobook/main.css
2011-03-18T19:06:08+0000 CwjjYJ2WqgTbAqiHl6 upload.wikimedia.org /wikipedia/commons/6/63/Wikipedia-logo.png
2011-03-18T19:06:08+0000 C3eiCBGOLw3VtHfOj upload.wikimedia.org /wikipedia/commons/thumb/b/bb/Wikipedia_wordmark.svg/174px-Wikipedia_wordmark.svg.png
2011-03-18T19:06:08+0000 Ck51lg1bScffFj34Ri upload.wikimedia.org /wikipedia/commons/b/bd/Bookshelf-40x201_6.png
2011-03-18T19:06:08+0000 CtxTCR2Yer0FR1tIBg upload.wikimedia.org /wikipedia/commons/thumb/8/8a/Wikinews-logo.png/35px-Wikinews-logo.png
[...]
Often times log files from multiple sources are stored in UTC time to
allow easy correlation. Converting the timestamp from a log file to
UTC can be accomplished with the ``-u`` option:
.. btest:: using_bro
.. sourcecode:: console
@TEST-EXEC: btest-rst-cmd -n 5 "bro-cut -u ts uid host uri < http.log"
$ bro-cut -u ts uid host uri < http.log
2011-03-18T19:06:08+0000 CUM0KZ3MLUfNB0cl11 bits.wikimedia.org /skins-1.5/monobook/main.css
2011-03-18T19:06:08+0000 CwjjYJ2WqgTbAqiHl6 upload.wikimedia.org /wikipedia/commons/6/63/Wikipedia-logo.png
2011-03-18T19:06:08+0000 C3eiCBGOLw3VtHfOj upload.wikimedia.org /wikipedia/commons/thumb/b/bb/Wikipedia_wordmark.svg/174px-Wikipedia_wordmark.svg.png
2011-03-18T19:06:08+0000 Ck51lg1bScffFj34Ri upload.wikimedia.org /wikipedia/commons/b/bd/Bookshelf-40x201_6.png
2011-03-18T19:06:08+0000 CtxTCR2Yer0FR1tIBg upload.wikimedia.org /wikipedia/commons/thumb/8/8a/Wikinews-logo.png/35px-Wikinews-logo.png
[...]
The default time format when using the ``-d`` or ``-u`` is the
``strftime`` format string ``%Y-%m-%dT%H:%M:%S%z`` which results in a
@ -211,9 +253,15 @@ using the ``-D`` and ``-U`` flags, using the standard ``strftime``
syntax. For example, to format the timestamp in the US-typical "Middle
Endian" you could use a format string of: ``%d-%m-%YT%H:%M:%S%z``
.. btest:: using_bro
.. sourcecode:: console
@TEST-EXEC: btest-rst-cmd -n 5 "bro-cut -D %d-%m-%YT%H:%M:%S%z ts uid host uri < http.log"
$ bro-cut -D %d-%m-%YT%H:%M:%S%z ts uid host uri < http.log
18-03-2011T19:06:08+0000 CUM0KZ3MLUfNB0cl11 bits.wikimedia.org /skins-1.5/monobook/main.css
18-03-2011T19:06:08+0000 CwjjYJ2WqgTbAqiHl6 upload.wikimedia.org /wikipedia/commons/6/63/Wikipedia-logo.png
18-03-2011T19:06:08+0000 C3eiCBGOLw3VtHfOj upload.wikimedia.org /wikipedia/commons/thumb/b/bb/Wikipedia_wordmark.svg/174px-Wikipedia_wordmark.svg.png
18-03-2011T19:06:08+0000 Ck51lg1bScffFj34Ri upload.wikimedia.org /wikipedia/commons/b/bd/Bookshelf-40x201_6.png
18-03-2011T19:06:08+0000 CtxTCR2Yer0FR1tIBg upload.wikimedia.org /wikipedia/commons/thumb/8/8a/Wikinews-logo.png/35px-Wikinews-logo.png
[...]
See ``man strfime`` for more options for the format string.
@ -235,16 +283,22 @@ largest number of bytes from the responder by redirecting the output
for ``cat conn.log`` into bro-cut to extract the UID and the
resp_bytes, then sorting that output by the resp_bytes field.
.. btest:: using_bro
.. sourcecode:: console
@TEST-EXEC: btest-rst-cmd "cat conn.log | bro-cut uid resp_bytes | sort -nrk2 | head -5"
$ cat conn.log | bro-cut uid resp_bytes | sort -nrk2 | head -5
CwjjYJ2WqgTbAqiHl6 734
CtxTCR2Yer0FR1tIBg 734
Ck51lg1bScffFj34Ri 734
CLNN1k2QMum1aexUK7 734
CykQaM33ztNt0csB9a 733
Taking the UID of the first of the top responses, we can now
crossreference that with the UIDs in the ``http.log`` file.
.. btest:: using_bro
.. sourcecode:: console
@TEST-EXEC: btest-rst-cmd "cat http.log | bro-cut uid id.resp_h method status_code host uri | grep UM0KZ3MLUfNB0cl11"
$ cat http.log | bro-cut uid id.resp_h method status_code host uri | grep UM0KZ3MLUfNB0cl11
CUM0KZ3MLUfNB0cl11 208.80.152.118 GET 304 bits.wikimedia.org /skins-1.5/monobook/main.css
As you can see there are two HTTP ``GET`` requests within the
session that Bro identified and logged. Given that HTTP is a stream

@ -37,32 +37,69 @@ in the MIME type, size of the file ("response_body_len"), and the
originator host ("orig_h"). We use the MIME type as our key and create
observers for the other two values.
.. btest-include:: ${DOC_ROOT}/mimestats/mimestats.bro
:lines: 6-29, 54-64
.. literalinclude:: mimestats.bro
:caption:
:language: bro
:linenos:
:lines: 6-29
:lineno-start: 6
.. literalinclude:: mimestats.bro
:caption:
:language: bro
:linenos:
:lines: 54-64
:lineno-start: 54
Next, we create the reducers. The first will accumulate file sizes
and the second will make sure we only store a host ID once. Below is
the partial code from a :bro:see:`bro_init` handler.
.. btest-include:: ${DOC_ROOT}/mimestats/mimestats.bro
.. literalinclude:: mimestats.bro
:caption:
:language: bro
:linenos:
:lines: 34-37
:lineno-start: 34
In our final step, we create the SumStats where we check for the
observation interval. Once it expires, we populate the record
(defined above) with all the relevant data and write it to a log.
.. btest-include:: ${DOC_ROOT}/mimestats/mimestats.bro
.. literalinclude:: mimestats.bro
:caption:
:language: bro
:linenos:
:lines: 38-51
:lineno-start: 38
After putting the three pieces together we end up with the following final code for
our script.
After putting the three pieces together we end up with the following
final code for our script.
.. btest-include:: ${DOC_ROOT}/mimestats/mimestats.bro
.. literalinclude:: mimestats.bro
:caption:
:language: bro
:linenos:
.. btest:: mimestats
.. sourcecode:: console
@TEST-EXEC: btest-rst-cmd bro -r ${TRACES}/http/bro.org.pcap ${DOC_ROOT}/mimestats/mimestats.bro
@TEST-EXEC: btest-rst-include mime_metrics.log
$ bro -r http/bro.org.pcap mimestats.bro
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path mime_metrics
#open 2018-12-14-16-25-06
#fields ts ts_delta mtype uniq_hosts hits bytes
#types time interval string count count count
1389719059.311698 300.000000 image/png 1 9 82176
1389719059.311698 300.000000 image/gif 1 1 172
1389719059.311698 300.000000 image/x-icon 1 2 2300
1389719059.311698 300.000000 text/html 1 2 42231
1389719059.311698 300.000000 text/plain 1 15 128001
1389719059.311698 300.000000 image/jpeg 1 1 186859
1389719059.311698 300.000000 application/pgp-signature 1 1 836
#close 2018-12-14-16-25-06
.. note::

@ -7,8 +7,6 @@
Quick Start Guide
=================
.. contents::
Bro works on most modern, Unix-based systems and requires no custom
hardware. It can be downloaded in either pre-built binary package or
source code forms. See :ref:`installing-bro` for instructions on how to
@ -44,20 +42,20 @@ installation that will manage a single Bro instance on the ``localhost``:
Now start the BroControl shell like:
.. console::
.. sourcecode:: console
broctl
Since this is the first-time use of the shell, perform an initial installation
of the BroControl configuration:
.. console::
.. sourcecode:: console
[BroControl] > install
Then start up a Bro instance:
.. console::
.. sourcecode:: console
[BroControl] > start
@ -74,7 +72,7 @@ policy and output the results in ``$PREFIX/logs``.
You can leave it running for now, but to stop this Bro instance you would do:
.. console::
.. sourcecode:: console
[BroControl] > stop
@ -200,7 +198,7 @@ Let's continue on our path to modify the behavior for the two SSL
notices. Looking at :doc:`/scripts/base/frameworks/notice/main.bro`,
we see that it advertises:
.. code:: bro
.. sourcecode:: bro
module Notice;
@ -212,7 +210,7 @@ we see that it advertises:
That's exactly what we want to do for the first notice. Add to ``local.bro``:
.. code:: bro
.. sourcecode:: bro
redef Notice::ignored_types += { SSL::Invalid_Server_Cert };
@ -226,7 +224,7 @@ Then go into the BroControl shell to check whether the configuration change
is valid before installing it and then restarting the Bro instance. The
"deploy" command does all of this automatically:
.. console::
.. sourcecode:: console
[BroControl] > deploy
checking configurations ...
@ -255,12 +253,25 @@ action taken on notices can be user-defined.
In ``local.bro``, let's define a new ``policy`` hook handler body:
.. btest-include:: ${DOC_ROOT}/quickstart/conditional-notice.bro
.. literalinclude:: conditional-notice.bro
:caption:
:language: bro
:linenos:
.. btest:: conditional-notice
.. sourcecode:: console
@TEST-EXEC: btest-rst-cmd bro -r ${TRACES}/tls/tls-expired-cert.trace ${DOC_ROOT}/quickstart/conditional-notice.bro
@TEST-EXEC: btest-rst-cmd cat notice.log
$ bro -r tls/tls-expired-cert.trace conditional-notice.bro
$ cat notice.log
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path notice
#open 2018-12-14-17-36-05
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval bool string string string double double
1394745603.293028 CHhAvVGS1DHFjwGM9 192.168.4.149 60539 87.98.220.10 443 F1fX1R2cDOzbvg17ye - - tcp SSL::Certificate_Expired Certificate CN=www.spidh.org,OU=COMODO SSL,OU=Domain Control Validated expired at 2014-03-04-23:59:59.000000000 - 192.168.4.149 87.98.220.10 443 - - Notice::ACTION_EMAIL,Notice::ACTION_LOG 86400.000000 F - - - - -
#close 2018-12-14-17-36-05
You'll just have to trust the syntax for now, but what we've done is
first declare our own variable to hold a set of watched addresses,
@ -312,7 +323,7 @@ Monitoring Live Traffic
Analyzing live traffic from an interface is simple:
.. console::
.. sourcecode:: console
bro -i en0 <list of scripts to load>
@ -332,7 +343,7 @@ Reading Packet Capture (pcap) Files
Capturing packets from an interface and writing them to a file can be done
like this:
.. console::
.. sourcecode:: console
sudo tcpdump -i en0 -s 0 -w mypackets.trace
@ -343,7 +354,7 @@ whole packets; in cases where it's not supported use ``-s 65535`` instead).
After a while of capturing traffic, kill the ``tcpdump`` (with ctrl-c),
and tell Bro to perform all the default analysis on the capture which primarily includes :
.. console::
.. sourcecode:: console
bro -r mypackets.trace
@ -352,7 +363,7 @@ Bro will output log files into the working directory.
If you are interested in more detection, you can again load the ``local``
script that we include as a suggested configuration:
.. console::
.. sourcecode:: console
bro -r mypackets.trace local
@ -361,7 +372,7 @@ Telling Bro Which Scripts to Load
A command-line invocation of Bro typically looks like:
.. console::
.. sourcecode:: console
bro <options> <scripts...>
@ -378,7 +389,7 @@ directories are included in the default search path for Bro scripts::
These prefix paths can be used to load scripts like this:
.. console::
.. sourcecode:: console
bro -r mypackets.trace frameworks/files/extract-all
@ -407,7 +418,7 @@ customization" and is not overwritten when upgrades take place. To use
the site-specific ``local.bro`` script, just add it to the command-line (can
also be loaded through scripts with @load):
.. console::
.. sourcecode:: console
bro -i en0 local
@ -416,7 +427,7 @@ This causes Bro to load a script that prints a warning about lacking the
information at the command line like this (supply your "local" subnets
in place of the example subnets):
.. console::
.. sourcecode:: console
bro -r mypackets.trace local "Site::local_nets += { 1.2.3.0/24, 5.6.7.0/24 }"


@ -0,0 +1,946 @@
File Analyzers
==============
.. bro:type:: Files::Tag
:Type: :bro:type:`enum`
.. bro:enum:: Files::ANALYZER_DATA_EVENT Files::Tag
.. bro:enum:: Files::ANALYZER_ENTROPY Files::Tag
.. bro:enum:: Files::ANALYZER_EXTRACT Files::Tag
.. bro:enum:: Files::ANALYZER_MD5 Files::Tag
.. bro:enum:: Files::ANALYZER_SHA1 Files::Tag
.. bro:enum:: Files::ANALYZER_SHA256 Files::Tag
.. bro:enum:: Files::ANALYZER_PE Files::Tag
.. bro:enum:: Files::ANALYZER_UNIFIED2 Files::Tag
.. bro:enum:: Files::ANALYZER_OCSP_REPLY Files::Tag
.. bro:enum:: Files::ANALYZER_OCSP_REQUEST Files::Tag
.. bro:enum:: Files::ANALYZER_X509 Files::Tag
Bro::FileDataEvent
------------------
Delivers file content
Components
++++++++++
:bro:enum:`Files::ANALYZER_DATA_EVENT`
Bro::FileEntropy
----------------
Entropy test file content
Components
++++++++++
:bro:enum:`Files::ANALYZER_ENTROPY`
Events
++++++
.. bro:id:: file_entropy
:Type: :bro:type:`event` (f: :bro:type:`fa_file`, ent: :bro:type:`entropy_test_result`)
This event is generated each time file analysis performs
entropy testing on a file.
:f: The file.
:ent: The results of the entropy testing.
Bro::FileExtract
----------------
Extract file content
Components
++++++++++
:bro:enum:`Files::ANALYZER_EXTRACT`
Events
++++++
.. bro:id:: file_extraction_limit
:Type: :bro:type:`event` (f: :bro:type:`fa_file`, args: :bro:type:`Files::AnalyzerArgs`, limit: :bro:type:`count`, len: :bro:type:`count`)
This event is generated when a file extraction analyzer is about
to exceed the maximum permitted file size allowed by the
*extract_limit* field of :bro:see:`Files::AnalyzerArgs`.
The analyzer is automatically removed from file *f*.
:f: The file.
:args: Arguments that identify a particular file extraction analyzer.
This is only provided to be able to pass along to
:bro:see:`FileExtract::set_limit`.
:limit: The limit, in bytes, the extracted file is about to breach.
:len: The length of the file chunk about to be written.
.. bro:see:: Files::add_analyzer Files::ANALYZER_EXTRACT
Functions
+++++++++
.. bro:id:: FileExtract::__set_limit
:Type: :bro:type:`function` (file_id: :bro:type:`string`, args: :bro:type:`any`, n: :bro:type:`count`) : :bro:type:`bool`
:bro:see:`FileExtract::set_limit`.
Bro::FileHash
-------------
Hash file content
Components
++++++++++
:bro:enum:`Files::ANALYZER_MD5`
:bro:enum:`Files::ANALYZER_SHA1`
:bro:enum:`Files::ANALYZER_SHA256`
Events
++++++
.. bro:id:: file_hash
:Type: :bro:type:`event` (f: :bro:type:`fa_file`, kind: :bro:type:`string`, hash: :bro:type:`string`)
This event is generated each time file analysis generates a digest of the
file contents.
:f: The file.
:kind: The type of digest algorithm.
:hash: The result of the hashing.
.. bro:see:: Files::add_analyzer Files::ANALYZER_MD5
Files::ANALYZER_SHA1 Files::ANALYZER_SHA256
Bro::PE
-------
Portable Executable analyzer
Components
++++++++++
:bro:enum:`Files::ANALYZER_PE`
Events
++++++
.. bro:id:: pe_dos_header
:Type: :bro:type:`event` (f: :bro:type:`fa_file`, h: :bro:type:`PE::DOSHeader`)
A :abbr:`PE (Portable Executable)` file DOS header was parsed.
This is the top-level header and contains information like the
size of the file, initial value of registers, etc.
:f: The file.
:h: The parsed DOS header information.
.. bro:see:: pe_dos_code pe_file_header pe_optional_header pe_section_header
.. bro:id:: pe_dos_code
:Type: :bro:type:`event` (f: :bro:type:`fa_file`, code: :bro:type:`string`)
A :abbr:`PE (Portable Executable)` file DOS stub was parsed.
The stub is a valid application that runs under MS-DOS, by default
to inform the user that the program can't be run in DOS mode.
:f: The file.
:code: The DOS stub
.. bro:see:: pe_dos_header pe_file_header pe_optional_header pe_section_header
.. bro:id:: pe_file_header
:Type: :bro:type:`event` (f: :bro:type:`fa_file`, h: :bro:type:`PE::FileHeader`)
A :abbr:`PE (Portable Executable)` file file header was parsed.
This header contains information like the target machine,
the timestamp when the file was created, the number of sections, and
pointers to other parts of the file.
:f: The file.
:h: The parsed file header information.
.. bro:see:: pe_dos_header pe_dos_code pe_optional_header pe_section_header
.. bro:id:: pe_optional_header
:Type: :bro:type:`event` (f: :bro:type:`fa_file`, h: :bro:type:`PE::OptionalHeader`)
A :abbr:`PE (Portable Executable)` file optional header was parsed.
This header is required for executable files, but not for object files.
It contains information like OS requirements to execute the file, the
original entry point address, and information needed to load the file
into memory.
:f: The file.
:h: The parsed optional header information.
.. bro:see:: pe_dos_header pe_dos_code pe_file_header pe_section_header
.. bro:id:: pe_section_header
:Type: :bro:type:`event` (f: :bro:type:`fa_file`, h: :bro:type:`PE::SectionHeader`)
A :abbr:`PE (Portable Executable)` file section header was parsed.
This header contains information like the section name, size, address,
and characteristics.
:f: The file.
:h: The parsed section header information.
.. bro:see:: pe_dos_header pe_dos_code pe_file_header pe_optional_header
Bro::Unified2
-------------
Analyze Unified2 alert files.
Components
++++++++++
:bro:enum:`Files::ANALYZER_UNIFIED2`
Types
+++++
.. bro:type:: Unified2::IDSEvent
:Type: :bro:type:`record`
sensor_id: :bro:type:`count`
event_id: :bro:type:`count`
ts: :bro:type:`time`
signature_id: :bro:type:`count`
generator_id: :bro:type:`count`
signature_revision: :bro:type:`count`
classification_id: :bro:type:`count`
priority_id: :bro:type:`count`
src_ip: :bro:type:`addr`
dst_ip: :bro:type:`addr`
src_p: :bro:type:`port`
dst_p: :bro:type:`port`
impact_flag: :bro:type:`count`
impact: :bro:type:`count`
blocked: :bro:type:`count`
mpls_label: :bro:type:`count` :bro:attr:`&optional`
Not available in "legacy" IDS events.
vlan_id: :bro:type:`count` :bro:attr:`&optional`
Not available in "legacy" IDS events.
packet_action: :bro:type:`count` :bro:attr:`&optional`
Only available in "legacy" IDS events.
.. bro:type:: Unified2::Packet
:Type: :bro:type:`record`
sensor_id: :bro:type:`count`
event_id: :bro:type:`count`
event_second: :bro:type:`count`
packet_ts: :bro:type:`time`
link_type: :bro:type:`count`
data: :bro:type:`string`
Events
++++++
.. bro:id:: unified2_event
:Type: :bro:type:`event` (f: :bro:type:`fa_file`, ev: :bro:type:`Unified2::IDSEvent`)
Abstract all of the various Unified2 event formats into
a single event.
:f: The file.
:ev: TODO.
.. bro:id:: unified2_packet
:Type: :bro:type:`event` (f: :bro:type:`fa_file`, pkt: :bro:type:`Unified2::Packet`)
The Unified2 packet format event.
:f: The file.
:pkt: TODO.
Bro::X509
---------
X509 and OCSP analyzer
Components
++++++++++
:bro:enum:`Files::ANALYZER_OCSP_REPLY`
:bro:enum:`Files::ANALYZER_OCSP_REQUEST`
:bro:enum:`Files::ANALYZER_X509`
Types
+++++
.. bro:type:: X509::Certificate
:Type: :bro:type:`record`
version: :bro:type:`count` :bro:attr:`&log`
Version number.
serial: :bro:type:`string` :bro:attr:`&log`
Serial number.
subject: :bro:type:`string` :bro:attr:`&log`
Subject.
issuer: :bro:type:`string` :bro:attr:`&log`
Issuer.
cn: :bro:type:`string` :bro:attr:`&optional`
Last (most specific) common name.
not_valid_before: :bro:type:`time` :bro:attr:`&log`
Timestamp before when certificate is not valid.
not_valid_after: :bro:type:`time` :bro:attr:`&log`
Timestamp after when certificate is not valid.
key_alg: :bro:type:`string` :bro:attr:`&log`
Name of the key algorithm
sig_alg: :bro:type:`string` :bro:attr:`&log`
Name of the signature algorithm
key_type: :bro:type:`string` :bro:attr:`&optional` :bro:attr:`&log`
Key type, if key parseable by openssl (either rsa, dsa or ec)
key_length: :bro:type:`count` :bro:attr:`&optional` :bro:attr:`&log`
Key length in bits
exponent: :bro:type:`string` :bro:attr:`&optional` :bro:attr:`&log`
Exponent, if RSA-certificate
curve: :bro:type:`string` :bro:attr:`&optional` :bro:attr:`&log`
Curve, if EC-certificate
.. bro:type:: X509::Extension
:Type: :bro:type:`record`
name: :bro:type:`string`
Long name of extension. oid if name not known
short_name: :bro:type:`string` :bro:attr:`&optional`
Short name of extension if known
oid: :bro:type:`string`
Oid of extension
critical: :bro:type:`bool`
True if extension is critical
value: :bro:type:`string`
Extension content parsed to string for known extensions. Raw data otherwise.
.. bro:type:: X509::BasicConstraints
:Type: :bro:type:`record`
ca: :bro:type:`bool` :bro:attr:`&log`
CA flag set?
path_len: :bro:type:`count` :bro:attr:`&optional` :bro:attr:`&log`
Maximum path length
:Attributes: :bro:attr:`&log`
.. bro:type:: X509::SubjectAlternativeName
:Type: :bro:type:`record`
dns: :bro:type:`string_vec` :bro:attr:`&optional` :bro:attr:`&log`
List of DNS entries in SAN
uri: :bro:type:`string_vec` :bro:attr:`&optional` :bro:attr:`&log`
List of URI entries in SAN
email: :bro:type:`string_vec` :bro:attr:`&optional` :bro:attr:`&log`
List of email entries in SAN
ip: :bro:type:`addr_vec` :bro:attr:`&optional` :bro:attr:`&log`
List of IP entries in SAN
other_fields: :bro:type:`bool`
True if the certificate contained other, not recognized or parsed name fields
.. bro:type:: X509::Result
:Type: :bro:type:`record`
result: :bro:type:`int`
OpenSSL result code
result_string: :bro:type:`string`
Result as string
chain_certs: :bro:type:`vector` of :bro:type:`opaque` of x509 :bro:attr:`&optional`
References to the final certificate chain, if verification successful. End-host certificate is first.
Result of an X509 certificate chain verification
Events
++++++
.. bro:id:: x509_certificate
:Type: :bro:type:`event` (f: :bro:type:`fa_file`, cert_ref: :bro:type:`opaque` of x509, cert: :bro:type:`X509::Certificate`)
Generated for encountered X509 certificates, e.g., in the clear SSL/TLS
connection handshake.
See `Wikipedia <http://en.wikipedia.org/wiki/X.509>`__ for more information
about the X.509 format.
:f: The file.
:cert_ref: An opaque pointer to the underlying OpenSSL data structure of the
certificate.
:cert: The parsed certificate information.
.. bro:see:: x509_extension x509_ext_basic_constraints
x509_ext_subject_alternative_name x509_parse x509_verify
x509_get_certificate_string x509_ocsp_ext_signed_certificate_timestamp
.. bro:id:: x509_extension
:Type: :bro:type:`event` (f: :bro:type:`fa_file`, ext: :bro:type:`X509::Extension`)
Generated for X509 extensions seen in a certificate.
See `Wikipedia <http://en.wikipedia.org/wiki/X.509>`__ for more information
about the X.509 format.
:f: The file.
:ext: The parsed extension.
.. bro:see:: x509_certificate x509_ext_basic_constraints
x509_ext_subject_alternative_name x509_parse x509_verify
x509_get_certificate_string x509_ocsp_ext_signed_certificate_timestamp
.. bro:id:: x509_ext_basic_constraints
:Type: :bro:type:`event` (f: :bro:type:`fa_file`, ext: :bro:type:`X509::BasicConstraints`)
Generated for the X509 basic constraints extension seen in a certificate.
This extension can be used to identify the subject of a certificate as a CA.
:f: The file.
:ext: The parsed basic constraints extension.
.. bro:see:: x509_certificate x509_extension
x509_ext_subject_alternative_name x509_parse x509_verify
x509_get_certificate_string x509_ocsp_ext_signed_certificate_timestamp
.. bro:id:: x509_ext_subject_alternative_name
:Type: :bro:type:`event` (f: :bro:type:`fa_file`, ext: :bro:type:`X509::SubjectAlternativeName`)
Generated for the X509 subject alternative name extension seen in a certificate.
This extension can be used to allow additional entities to be bound to the
subject of the certificate. Usually it is used to specify one or multiple DNS
names for which a certificate is valid.
:f: The file.
:ext: The parsed subject alternative name extension.
.. bro:see:: x509_certificate x509_extension x509_ext_basic_constraints
x509_parse x509_verify x509_ocsp_ext_signed_certificate_timestamp
x509_get_certificate_string
.. bro:id:: x509_ocsp_ext_signed_certificate_timestamp
:Type: :bro:type:`event` (f: :bro:type:`fa_file`, version: :bro:type:`count`, logid: :bro:type:`string`, timestamp: :bro:type:`count`, hash_algorithm: :bro:type:`count`, signature_algorithm: :bro:type:`count`, signature: :bro:type:`string`)
Generated for the signed_certificate_timestamp X509 extension as defined in
:rfc:`6962`. The extension is used to transmit signed proofs that are
used for Certificate Transparency. Raised when the extension is encountered
in an X.509 certificate or in an OCSP reply.
:f: The file.
:version: the version of the protocol to which the SCT conforms. Always
should be 0 (representing version 1)
:logid: 32 bit key id
:timestamp: the NTP Time when the entry was logged measured since
the epoch, ignoring leap seconds, in milliseconds.
:signature_and_hashalgorithm: signature and hash algorithm used for the
digitally_signed struct
:signature: signature part of the digitally_signed struct
.. bro:see:: ssl_extension_signed_certificate_timestamp x509_extension x509_ext_basic_constraints
x509_parse x509_verify x509_ext_subject_alternative_name
x509_get_certificate_string ssl_extension_signed_certificate_timestamp
sct_verify ocsp_request ocsp_request_certificate ocsp_response_status
ocsp_response_bytes ocsp_response_certificate
x509_ocsp_ext_signed_certificate_timestamp
.. bro:id:: ocsp_request
:Type: :bro:type:`event` (f: :bro:type:`fa_file`, version: :bro:type:`count`)
Event that is raised when encountering an OCSP request, e.g. in an HTTP
connection. See :rfc:`6960` for more details.
This event is raised exactly once for each OCSP Request.
:f: The file.
:req: version: the version of the OCSP request. Typically 0 (Version 1).
.. bro:see:: ocsp_request_certificate ocsp_response_status
ocsp_response_bytes ocsp_response_certificate ocsp_extension
x509_ocsp_ext_signed_certificate_timestamp
.. bro:id:: ocsp_request_certificate
:Type: :bro:type:`event` (f: :bro:type:`fa_file`, hashAlgorithm: :bro:type:`string`, issuerNameHash: :bro:type:`string`, issuerKeyHash: :bro:type:`string`, serialNumber: :bro:type:`string`)
Event that is raised when encountering an OCSP request for a certificate,
e.g. in an HTTP connection. See :rfc:`6960` for more details.
Note that a single OCSP request can contain requests for several certificates.
Thus this event can fire several times for one OCSP request, each time
requesting information for a different (or in theory even the same) certificate.
:f: The file.
:hashAlgorithm: The hash algorithm used for the issuerKeyHash.
:issuerKeyHash: Hash of the issuers public key.
:serialNumber: Serial number of the certificate for which the status is requested.
.. bro:see:: ocsp_request ocsp_response_status
ocsp_response_bytes ocsp_response_certificate ocsp_extension
x509_ocsp_ext_signed_certificate_timestamp
.. bro:id:: ocsp_response_status
:Type: :bro:type:`event` (f: :bro:type:`fa_file`, status: :bro:type:`string`)
This event is raised when encountering an OCSP reply, e.g. in an HTTP
connection or a TLS extension. See :rfc:`6960` for more details.
This event is raised exactly once for each OCSP reply.
:f: The file.
:status: The status of the OCSP response (e.g. succesful, malformedRequest, tryLater).
.. bro:see:: ocsp_request ocsp_request_certificate
ocsp_response_bytes ocsp_response_certificate ocsp_extension
x509_ocsp_ext_signed_certificate_timestamp
.. bro:id:: ocsp_response_bytes
:Type: :bro:type:`event` (f: :bro:type:`fa_file`, resp_ref: :bro:type:`opaque` of ocsp_resp, status: :bro:type:`string`, version: :bro:type:`count`, responderId: :bro:type:`string`, producedAt: :bro:type:`time`, signatureAlgorithm: :bro:type:`string`, certs: :bro:type:`x509_opaque_vector`)
This event is raised when encountering an OCSP response that contains response information.
An OCSP reply can be encountered, for example, in an HTTP connection or
a TLS extension. See :rfc:`6960` for more details on OCSP.
:f: The file.
:req_ref: An opaque pointer to the underlying OpenSSL data structure of the
OCSP response.
:status: The status of the OCSP response (e.g. succesful, malformedRequest, tryLater).
:version: Version of the OCSP response (typically - for version 1).
:responderId: The id of the OCSP responder; either a public key hash or a distinguished name.
:producedAt: Time at which the reply was produced.
:signatureAlgorithm: Algorithm used for the OCSP signature.
:certs: Optional list of certificates that are sent with the OCSP response; these typically
are needed to perform validation of the reply.
.. bro:see:: ocsp_request ocsp_request_certificate ocsp_response_status
ocsp_response_certificate ocsp_extension
x509_ocsp_ext_signed_certificate_timestamp
.. bro:id:: ocsp_response_certificate
:Type: :bro:type:`event` (f: :bro:type:`fa_file`, hashAlgorithm: :bro:type:`string`, issuerNameHash: :bro:type:`string`, issuerKeyHash: :bro:type:`string`, serialNumber: :bro:type:`string`, certStatus: :bro:type:`string`, revokeTime: :bro:type:`time`, revokeReason: :bro:type:`string`, thisUpdate: :bro:type:`time`, nextUpdate: :bro:type:`time`)
This event is raised for each SingleResponse contained in an OCSP response.
See :rfc:`6960` for more details on OCSP.
:f: The file.
:hashAlgorithm: The hash algorithm used for issuerNameHash and issuerKeyHash.
:issuerNameHash: Hash of the issuer's distinguished name.
:issuerKeyHash: Hash of the issuer's public key.
:serialNumber: Serial number of the affected certificate.
:certStatus: Status of the certificate.
:revokeTime: Time the certificate was revoked, 0 if not revoked.
:revokeTeason: Reason certificate was revoked; empty string if not revoked or not specified.
:thisUpdate: Time this response was generated.
:nextUpdate: Time next response will be ready; 0 if not supploed.
.. bro:see:: ocsp_request ocsp_request_certificate ocsp_response_status
ocsp_response_bytes ocsp_extension
x509_ocsp_ext_signed_certificate_timestamp
.. bro:id:: ocsp_extension
:Type: :bro:type:`event` (f: :bro:type:`fa_file`, ext: :bro:type:`X509::Extension`, global_resp: :bro:type:`bool`)
This event is raised when an OCSP extension is encountered in an OCSP response.
See :rfc:`6960` for more details on OCSP.
:f: The file.
:ext: The parsed extension (same format as X.509 extensions).
:global_resp: T if extension encountered in the global response (in ResponseData),
F when encountered in a SingleResponse.
.. bro:see:: ocsp_request ocsp_request_certificate ocsp_response_status
ocsp_response_bytes ocsp_response_certificate
x509_ocsp_ext_signed_certificate_timestamp
Functions
+++++++++
.. bro:id:: x509_parse
:Type: :bro:type:`function` (cert: :bro:type:`opaque` of x509) : :bro:type:`X509::Certificate`
Parses a certificate into an X509::Certificate structure.
:cert: The X509 certificate opaque handle.
:returns: A X509::Certificate structure.
.. bro:see:: x509_certificate x509_extension x509_ext_basic_constraints
x509_ext_subject_alternative_name x509_verify
x509_get_certificate_string
.. bro:id:: x509_get_certificate_string
:Type: :bro:type:`function` (cert: :bro:type:`opaque` of x509, pem: :bro:type:`bool` :bro:attr:`&default` = ``F`` :bro:attr:`&optional`) : :bro:type:`string`
Returns the string form of a certificate.
:cert: The X509 certificate opaque handle.
:pem: A boolean that specifies if the certificate is returned
in pem-form (true), or as the raw ASN1 encoded binary
(false).
:returns: X509 certificate as a string.
.. bro:see:: x509_certificate x509_extension x509_ext_basic_constraints
x509_ext_subject_alternative_name x509_parse x509_verify
.. bro:id:: x509_ocsp_verify
:Type: :bro:type:`function` (certs: :bro:type:`x509_opaque_vector`, ocsp_reply: :bro:type:`string`, root_certs: :bro:type:`table_string_of_string`, verify_time: :bro:type:`time` :bro:attr:`&default` = ``0.0`` :bro:attr:`&optional`) : :bro:type:`X509::Result`
Verifies an OCSP reply.
:certs: Specifies the certificate chain to use. Server certificate first.
:ocsp_reply: the ocsp reply to validate.
:root_certs: A list of root certificates to validate the certificate chain.
:verify_time: Time for the validity check of the certificates.
:returns: A record of type X509::Result containing the result code of the
verify operation.
.. bro:see:: x509_certificate x509_extension x509_ext_basic_constraints
x509_ext_subject_alternative_name x509_parse
x509_get_certificate_string x509_verify
.. bro:id:: x509_verify
:Type: :bro:type:`function` (certs: :bro:type:`x509_opaque_vector`, root_certs: :bro:type:`table_string_of_string`, verify_time: :bro:type:`time` :bro:attr:`&default` = ``0.0`` :bro:attr:`&optional`) : :bro:type:`X509::Result`
Verifies a certificate.
:certs: Specifies a certificate chain that is being used to validate
the given certificate against the root store given in *root_certs*.
The host certificate has to be at index 0.
:root_certs: A list of root certificates to validate the certificate chain.
:verify_time: Time for the validity check of the certificates.
:returns: A record of type X509::Result containing the result code of the
verify operation. In case of success also returns the full
certificate chain.
.. bro:see:: x509_certificate x509_extension x509_ext_basic_constraints
x509_ext_subject_alternative_name x509_parse
x509_get_certificate_string x509_ocsp_verify sct_verify
.. bro:id:: sct_verify
:Type: :bro:type:`function` (cert: :bro:type:`opaque` of x509, logid: :bro:type:`string`, log_key: :bro:type:`string`, signature: :bro:type:`string`, timestamp: :bro:type:`count`, hash_algorithm: :bro:type:`count`, issuer_key_hash: :bro:type:`string` :bro:attr:`&default` = ``""`` :bro:attr:`&optional`) : :bro:type:`bool`
Verifies a Signed Certificate Timestamp as used for Certificate Transparency.
See RFC6962 for more details.
:cert: Certificate against which the SCT should be validated.
:logid: Log id of the SCT.
:log_key: Public key of the Log that issued the SCT proof.
:timestamp: Timestamp at which the proof was generated.
:hash_algorithm: Hash algorithm that was used for the SCT proof.
:issuer_key_hash: The SHA-256 hash of the certificate issuer's public key.
This only has to be provided if the SCT was encountered in an X.509
certificate extension; in that case, it is necessary for validation.
:returns: T if the validation could be performed succesfully, F otherwhise.
.. bro:see:: ssl_extension_signed_certificate_timestamp
x509_ocsp_ext_signed_certificate_timestamp
x509_verify
.. bro:id:: x509_subject_name_hash
:Type: :bro:type:`function` (cert: :bro:type:`opaque` of x509, hash_alg: :bro:type:`count`) : :bro:type:`string`
Get the hash of the subject's distinguished name.
:cert: The X509 certificate opaque handle.
:hash_alg: the hash algorithm to use, according to the IANA mapping at
:https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-18
:returns: The hash as a string.
.. bro:see:: x509_issuer_name_hash x509_spki_hash
x509_verify sct_verify
.. bro:id:: x509_issuer_name_hash
:Type: :bro:type:`function` (cert: :bro:type:`opaque` of x509, hash_alg: :bro:type:`count`) : :bro:type:`string`
Get the hash of the issuer's distinguished name.
:cert: The X509 certificate opaque handle.
:hash_alg: the hash algorithm to use, according to the IANA mapping at
:https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-18
:returns: The hash as a string.
.. bro:see:: x509_subject_name_hash x509_spki_hash
x509_verify sct_verify
.. bro:id:: x509_spki_hash
:Type: :bro:type:`function` (cert: :bro:type:`opaque` of x509, hash_alg: :bro:type:`count`) : :bro:type:`string`
Get the hash of the Subject Public Key Information of the certificate.
:cert: The X509 certificate opaque handle.
:hash_alg: the hash algorithm to use, according to the IANA mapping at
:https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-18
:returns: The hash as a string.
.. bro:see:: x509_subject_name_hash x509_issuer_name_hash
x509_verify sct_verify


@ -0,0 +1,309 @@
:doc:`base/frameworks/logging </scripts/base/frameworks/logging/index>`
The logging framework provides a flexible key-value based logging interface.
:doc:`base/frameworks/logging/postprocessors </scripts/base/frameworks/logging/postprocessors/index>`
Support for postprocessors in the logging framework.
:doc:`base/frameworks/broker </scripts/base/frameworks/broker/index>`
The Broker communication framework facilitates connecting to remote Bro
instances to share state and transfer events.
:doc:`base/frameworks/input </scripts/base/frameworks/input/index>`
The input framework provides a way to read previously stored data either as
an event stream or into a Bro table.
:doc:`base/frameworks/analyzer </scripts/base/frameworks/analyzer/index>`
The analyzer framework allows to dynamically enable or disable Bro's
protocol analyzers, as well as to manage the well-known ports which
automatically activate a particular analyzer for new connections.
:doc:`base/frameworks/files </scripts/base/frameworks/files/index>`
The file analysis framework provides an interface for driving the analysis
of files, possibly independent of any network protocol over which they're
transported.
:doc:`base/frameworks/files/magic </scripts/base/frameworks/files/magic/index>`
:doc:`base/bif </scripts/base/bif/index>`
:doc:`base/bif/plugins </scripts/base/bif/plugins/index>`
:doc:`base/frameworks/reporter </scripts/base/frameworks/reporter/index>`
This framework is intended to create an output and filtering path for
internally generated messages/warnings/errors.
:doc:`base/frameworks/notice </scripts/base/frameworks/notice/index>`
The notice framework enables Bro to "notice" things which are odd or
potentially bad, leaving it to the local configuration to define which
of them are actionable. This decoupling of detection and reporting allows
Bro to be customized to the different needs that sites have.
:doc:`base/frameworks/cluster </scripts/base/frameworks/cluster/index>`
The cluster framework provides for establishing and controlling a cluster
of Bro instances.
:doc:`base/frameworks/control </scripts/base/frameworks/control/index>`
The control framework provides the foundation for providing "commands"
that can be taken remotely at runtime to modify a running Bro instance
or collect information from the running instance.
:doc:`base/frameworks/netcontrol </scripts/base/frameworks/netcontrol/index>`
The NetControl framework provides a way for Bro to interact with networking
hard- and software, e.g. for dropping and shunting IP addresses/connections,
etc.
:doc:`base/frameworks/netcontrol/plugins </scripts/base/frameworks/netcontrol/plugins/index>`
Plugins for the NetControl framework.
:doc:`base/frameworks/openflow </scripts/base/frameworks/openflow/index>`
The OpenFlow framework exposes the data structures and functions
necessary to interface to OpenFlow capable hardware.
:doc:`base/frameworks/openflow/plugins </scripts/base/frameworks/openflow/plugins/index>`
Plugins for the OpenFlow framework.
:doc:`base/frameworks/dpd </scripts/base/frameworks/dpd/index>`
The DPD (dynamic protocol detection) activates port-independent protocol
detection and selectively disables analyzers if protocol violations occur.
:doc:`base/frameworks/signatures </scripts/base/frameworks/signatures/index>`
The signature framework provides for doing low-level pattern matching. While
signatures are not Bro's preferred detection tool, they sometimes come in
handy and are closer to what many people are familiar with from using
other NIDS.
:doc:`base/frameworks/packet-filter </scripts/base/frameworks/packet-filter/index>`
The packet filter framework supports how Bro sets its BPF capture filter.
:doc:`base/frameworks/software </scripts/base/frameworks/software/index>`
The software framework provides infrastructure for maintaining a table
of software versions seen on the network. The version parsing itself
is carried out by external protocol-specific scripts that feed into
this framework.
:doc:`base/frameworks/intel </scripts/base/frameworks/intel/index>`
The intelligence framework provides a way to store and query intelligence
data (such as IP addresses or strings). Metadata can also be associated
with the intelligence.
:doc:`base/frameworks/config </scripts/base/frameworks/config/index>`
The configuration framework provides a way to change the Bro configuration
in "option" values at run-time.
:doc:`base/frameworks/sumstats </scripts/base/frameworks/sumstats/index>`
The summary statistics framework provides a way to summarize large streams
of data into simple reduced measurements.
:doc:`base/frameworks/sumstats/plugins </scripts/base/frameworks/sumstats/plugins/index>`
Plugins for the summary statistics framework.
:doc:`base/frameworks/tunnels </scripts/base/frameworks/tunnels/index>`
The tunnels framework handles the tracking/logging of tunnels (e.g. Teredo,
AYIYA, or IP-in-IP such as 6to4 where "IP" is either IPv4 or IPv6).
:doc:`base/protocols/conn </scripts/base/protocols/conn/index>`
Support for connection (TCP, UDP, or ICMP) analysis.
:doc:`base/protocols/dce-rpc </scripts/base/protocols/dce-rpc/index>`
Support for DCE/RPC (Distributed Computing Environment/Remote Procedure
Calls) protocol analysis.
:doc:`base/protocols/dhcp </scripts/base/protocols/dhcp/index>`
Support for Dynamic Host Configuration Protocol (DHCP) analysis.
:doc:`base/protocols/dnp3 </scripts/base/protocols/dnp3/index>`
Support for Distributed Network Protocol (DNP3) analysis.
:doc:`base/protocols/dns </scripts/base/protocols/dns/index>`
Support for Domain Name System (DNS) protocol analysis.
:doc:`base/protocols/ftp </scripts/base/protocols/ftp/index>`
Support for File Transfer Protocol (FTP) analysis.
:doc:`base/protocols/ssl </scripts/base/protocols/ssl/index>`
Support for Secure Sockets Layer (SSL)/Transport Layer Security(TLS) protocol analysis.
:doc:`base/files/x509 </scripts/base/files/x509/index>`
Support for X509 certificates with the file analysis framework.
Also supports parsing OCSP requests and responses.
:doc:`base/files/hash </scripts/base/files/hash/index>`
Support for file hashes with the file analysis framework.
:doc:`base/protocols/http </scripts/base/protocols/http/index>`
Support for Hypertext Transfer Protocol (HTTP) analysis.
:doc:`base/protocols/imap </scripts/base/protocols/imap/index>`
Support for the Internet Message Access Protocol (IMAP).
Note that currently the IMAP analyzer only supports analyzing IMAP sessions
until they do or do not switch to TLS using StartTLS. Hence, we do not get
mails from IMAP sessions, only X509 certificates.
:doc:`base/protocols/irc </scripts/base/protocols/irc/index>`
Support for Internet Relay Chat (IRC) protocol analysis.
:doc:`base/protocols/krb </scripts/base/protocols/krb/index>`
Support for Kerberos protocol analysis.
:doc:`base/protocols/modbus </scripts/base/protocols/modbus/index>`
Support for Modbus protocol analysis.
:doc:`base/protocols/mysql </scripts/base/protocols/mysql/index>`
Support for MySQL protocol analysis.
:doc:`base/protocols/ntlm </scripts/base/protocols/ntlm/index>`
Support for NT LAN Manager (NTLM) protocol analysis.
:doc:`base/protocols/pop3 </scripts/base/protocols/pop3/index>`
Support for POP3 (Post Office Protocol) protocol analysis.
:doc:`base/protocols/radius </scripts/base/protocols/radius/index>`
Support for RADIUS protocol analysis.
:doc:`base/protocols/rdp </scripts/base/protocols/rdp/index>`
Support for Remote Desktop Protocol (RDP) analysis.
:doc:`base/protocols/rfb </scripts/base/protocols/rfb/index>`
Support for Remote FrameBuffer analysis. This includes all VNC servers.
:doc:`base/protocols/sip </scripts/base/protocols/sip/index>`
Support for Session Initiation Protocol (SIP) analysis.
:doc:`base/protocols/snmp </scripts/base/protocols/snmp/index>`
Support for Simple Network Management Protocol (SNMP) analysis.
:doc:`base/protocols/smb </scripts/base/protocols/smb/index>`
Support for SMB protocol analysis.
:doc:`base/protocols/smtp </scripts/base/protocols/smtp/index>`
Support for Simple Mail Transfer Protocol (SMTP) analysis.
:doc:`base/protocols/socks </scripts/base/protocols/socks/index>`
Support for Socket Secure (SOCKS) protocol analysis.
:doc:`base/protocols/ssh </scripts/base/protocols/ssh/index>`
Support for SSH protocol analysis.
:doc:`base/protocols/syslog </scripts/base/protocols/syslog/index>`
Support for Syslog protocol analysis.
:doc:`base/protocols/tunnels </scripts/base/protocols/tunnels/index>`
Provides DPD signatures for tunneling protocols that otherwise
wouldn't be detected at all.
:doc:`base/protocols/xmpp </scripts/base/protocols/xmpp/index>`
Support for the Extensible Messaging and Presence Protocol (XMPP).
Note that currently the XMPP analyzer only supports analyzing XMPP sessions
until they do or do not switch to TLS using StartTLS. Hence, we do not get
actual chat information from XMPP sessions, only X509 certificates.
:doc:`base/files/pe </scripts/base/files/pe/index>`
Support for Portable Executable (PE) file analysis.
:doc:`base/files/extract </scripts/base/files/extract/index>`
Support for extracting files with the file analysis framework.
:doc:`base/files/unified2 </scripts/base/files/unified2/index>`
Support for Unified2 files in the file analysis framework.
:doc:`broxygen </scripts/broxygen/index>`
This package is loaded during the process which automatically generates
reference documentation for all Bro scripts (i.e. "Broxygen"). Its only
purpose is to provide an easy way to load all known Bro scripts plus any
extra scripts needed or used by the documentation process.
:doc:`policy/frameworks/intel/seen </scripts/policy/frameworks/intel/seen/index>`
Scripts that send data to the intelligence framework.
:doc:`policy/frameworks/notice </scripts/policy/frameworks/notice/index>`
:doc:`policy/integration/barnyard2 </scripts/policy/integration/barnyard2/index>`
Integration with Barnyard2.
:doc:`policy/integration/collective-intel </scripts/policy/integration/collective-intel/index>`
The scripts in this module are for deeper integration with the
Collective Intelligence Framework (CIF) since Bro's Intel framework
doesn't natively behave the same as CIF nor does it store and maintain
the same data in all cases.
:doc:`policy/misc/detect-traceroute </scripts/policy/misc/detect-traceroute/index>`
Detect hosts that are running traceroute.
:doc:`policy/tuning </scripts/policy/tuning/index>`
Miscellaneous tuning parameters.
:doc:`policy/tuning/defaults </scripts/policy/tuning/defaults/index>`
Sets various defaults, and prints warning messages to stdout under
certain conditions.
:doc:`policy/protocols/smb </scripts/policy/protocols/smb/index>`



@ -0,0 +1,470 @@
.. toctree::
:maxdepth: 1
base/init-bare.bro </scripts/base/init-bare.bro>
base/bif/const.bif.bro </scripts/base/bif/const.bif.bro>
base/bif/types.bif.bro </scripts/base/bif/types.bif.bro>
base/bif/bro.bif.bro </scripts/base/bif/bro.bif.bro>
base/bif/stats.bif.bro </scripts/base/bif/stats.bif.bro>
base/bif/reporter.bif.bro </scripts/base/bif/reporter.bif.bro>
base/bif/strings.bif.bro </scripts/base/bif/strings.bif.bro>
base/bif/option.bif.bro </scripts/base/bif/option.bif.bro>
base/bif/plugins/Bro_SNMP.types.bif.bro </scripts/base/bif/plugins/Bro_SNMP.types.bif.bro>
base/bif/plugins/Bro_KRB.types.bif.bro </scripts/base/bif/plugins/Bro_KRB.types.bif.bro>
base/bif/event.bif.bro </scripts/base/bif/event.bif.bro>
base/init-frameworks-and-bifs.bro </scripts/base/init-frameworks-and-bifs.bro>
base/frameworks/logging/__load__.bro </scripts/base/frameworks/logging/__load__.bro>
base/frameworks/logging/main.bro </scripts/base/frameworks/logging/main.bro>
base/bif/logging.bif.bro </scripts/base/bif/logging.bif.bro>
base/frameworks/logging/postprocessors/__load__.bro </scripts/base/frameworks/logging/postprocessors/__load__.bro>
base/frameworks/logging/postprocessors/scp.bro </scripts/base/frameworks/logging/postprocessors/scp.bro>
base/frameworks/logging/postprocessors/sftp.bro </scripts/base/frameworks/logging/postprocessors/sftp.bro>
base/frameworks/logging/writers/ascii.bro </scripts/base/frameworks/logging/writers/ascii.bro>
base/frameworks/logging/writers/sqlite.bro </scripts/base/frameworks/logging/writers/sqlite.bro>
base/frameworks/logging/writers/none.bro </scripts/base/frameworks/logging/writers/none.bro>
base/frameworks/broker/__load__.bro </scripts/base/frameworks/broker/__load__.bro>
base/frameworks/broker/main.bro </scripts/base/frameworks/broker/main.bro>
base/bif/comm.bif.bro </scripts/base/bif/comm.bif.bro>
base/bif/messaging.bif.bro </scripts/base/bif/messaging.bif.bro>
base/frameworks/broker/store.bro </scripts/base/frameworks/broker/store.bro>
base/bif/data.bif.bro </scripts/base/bif/data.bif.bro>
base/bif/store.bif.bro </scripts/base/bif/store.bif.bro>
base/frameworks/broker/log.bro </scripts/base/frameworks/broker/log.bro>
base/frameworks/input/__load__.bro </scripts/base/frameworks/input/__load__.bro>
base/frameworks/input/main.bro </scripts/base/frameworks/input/main.bro>
base/bif/input.bif.bro </scripts/base/bif/input.bif.bro>
base/frameworks/input/readers/ascii.bro </scripts/base/frameworks/input/readers/ascii.bro>
base/frameworks/input/readers/raw.bro </scripts/base/frameworks/input/readers/raw.bro>
base/frameworks/input/readers/benchmark.bro </scripts/base/frameworks/input/readers/benchmark.bro>
base/frameworks/input/readers/binary.bro </scripts/base/frameworks/input/readers/binary.bro>
base/frameworks/input/readers/config.bro </scripts/base/frameworks/input/readers/config.bro>
base/frameworks/input/readers/sqlite.bro </scripts/base/frameworks/input/readers/sqlite.bro>
base/frameworks/analyzer/__load__.bro </scripts/base/frameworks/analyzer/__load__.bro>
base/frameworks/analyzer/main.bro </scripts/base/frameworks/analyzer/main.bro>
base/frameworks/packet-filter/utils.bro </scripts/base/frameworks/packet-filter/utils.bro>
base/bif/analyzer.bif.bro </scripts/base/bif/analyzer.bif.bro>
base/frameworks/files/__load__.bro </scripts/base/frameworks/files/__load__.bro>
base/frameworks/files/main.bro </scripts/base/frameworks/files/main.bro>
base/bif/file_analysis.bif.bro </scripts/base/bif/file_analysis.bif.bro>
base/utils/site.bro </scripts/base/utils/site.bro>
base/utils/patterns.bro </scripts/base/utils/patterns.bro>
base/frameworks/files/magic/__load__.bro </scripts/base/frameworks/files/magic/__load__.bro>
base/bif/__load__.bro </scripts/base/bif/__load__.bro>
base/bif/broxygen.bif.bro </scripts/base/bif/broxygen.bif.bro>
base/bif/pcap.bif.bro </scripts/base/bif/pcap.bif.bro>
base/bif/bloom-filter.bif.bro </scripts/base/bif/bloom-filter.bif.bro>
base/bif/cardinality-counter.bif.bro </scripts/base/bif/cardinality-counter.bif.bro>
base/bif/top-k.bif.bro </scripts/base/bif/top-k.bif.bro>
base/bif/plugins/__load__.bro </scripts/base/bif/plugins/__load__.bro>
base/bif/plugins/Bro_ARP.events.bif.bro </scripts/base/bif/plugins/Bro_ARP.events.bif.bro>
base/bif/plugins/Bro_BackDoor.events.bif.bro </scripts/base/bif/plugins/Bro_BackDoor.events.bif.bro>
base/bif/plugins/Bro_BitTorrent.events.bif.bro </scripts/base/bif/plugins/Bro_BitTorrent.events.bif.bro>
base/bif/plugins/Bro_ConnSize.events.bif.bro </scripts/base/bif/plugins/Bro_ConnSize.events.bif.bro>
base/bif/plugins/Bro_ConnSize.functions.bif.bro </scripts/base/bif/plugins/Bro_ConnSize.functions.bif.bro>
base/bif/plugins/Bro_DCE_RPC.consts.bif.bro </scripts/base/bif/plugins/Bro_DCE_RPC.consts.bif.bro>
base/bif/plugins/Bro_DCE_RPC.types.bif.bro </scripts/base/bif/plugins/Bro_DCE_RPC.types.bif.bro>
base/bif/plugins/Bro_DCE_RPC.events.bif.bro </scripts/base/bif/plugins/Bro_DCE_RPC.events.bif.bro>
base/bif/plugins/Bro_DHCP.events.bif.bro </scripts/base/bif/plugins/Bro_DHCP.events.bif.bro>
base/bif/plugins/Bro_DHCP.types.bif.bro </scripts/base/bif/plugins/Bro_DHCP.types.bif.bro>
base/bif/plugins/Bro_DNP3.events.bif.bro </scripts/base/bif/plugins/Bro_DNP3.events.bif.bro>
base/bif/plugins/Bro_DNS.events.bif.bro </scripts/base/bif/plugins/Bro_DNS.events.bif.bro>
base/bif/plugins/Bro_File.events.bif.bro </scripts/base/bif/plugins/Bro_File.events.bif.bro>
base/bif/plugins/Bro_Finger.events.bif.bro </scripts/base/bif/plugins/Bro_Finger.events.bif.bro>
base/bif/plugins/Bro_FTP.events.bif.bro </scripts/base/bif/plugins/Bro_FTP.events.bif.bro>
base/bif/plugins/Bro_FTP.functions.bif.bro </scripts/base/bif/plugins/Bro_FTP.functions.bif.bro>
base/bif/plugins/Bro_Gnutella.events.bif.bro </scripts/base/bif/plugins/Bro_Gnutella.events.bif.bro>
base/bif/plugins/Bro_GSSAPI.events.bif.bro </scripts/base/bif/plugins/Bro_GSSAPI.events.bif.bro>
base/bif/plugins/Bro_GTPv1.events.bif.bro </scripts/base/bif/plugins/Bro_GTPv1.events.bif.bro>
base/bif/plugins/Bro_HTTP.events.bif.bro </scripts/base/bif/plugins/Bro_HTTP.events.bif.bro>
base/bif/plugins/Bro_HTTP.functions.bif.bro </scripts/base/bif/plugins/Bro_HTTP.functions.bif.bro>
base/bif/plugins/Bro_ICMP.events.bif.bro </scripts/base/bif/plugins/Bro_ICMP.events.bif.bro>
base/bif/plugins/Bro_Ident.events.bif.bro </scripts/base/bif/plugins/Bro_Ident.events.bif.bro>
base/bif/plugins/Bro_IMAP.events.bif.bro </scripts/base/bif/plugins/Bro_IMAP.events.bif.bro>
base/bif/plugins/Bro_InterConn.events.bif.bro </scripts/base/bif/plugins/Bro_InterConn.events.bif.bro>
base/bif/plugins/Bro_IRC.events.bif.bro </scripts/base/bif/plugins/Bro_IRC.events.bif.bro>
base/bif/plugins/Bro_KRB.events.bif.bro </scripts/base/bif/plugins/Bro_KRB.events.bif.bro>
base/bif/plugins/Bro_Login.events.bif.bro </scripts/base/bif/plugins/Bro_Login.events.bif.bro>
base/bif/plugins/Bro_Login.functions.bif.bro </scripts/base/bif/plugins/Bro_Login.functions.bif.bro>
base/bif/plugins/Bro_MIME.events.bif.bro </scripts/base/bif/plugins/Bro_MIME.events.bif.bro>
base/bif/plugins/Bro_Modbus.events.bif.bro </scripts/base/bif/plugins/Bro_Modbus.events.bif.bro>
base/bif/plugins/Bro_MySQL.events.bif.bro </scripts/base/bif/plugins/Bro_MySQL.events.bif.bro>
base/bif/plugins/Bro_NCP.events.bif.bro </scripts/base/bif/plugins/Bro_NCP.events.bif.bro>
base/bif/plugins/Bro_NCP.consts.bif.bro </scripts/base/bif/plugins/Bro_NCP.consts.bif.bro>
base/bif/plugins/Bro_NetBIOS.events.bif.bro </scripts/base/bif/plugins/Bro_NetBIOS.events.bif.bro>
base/bif/plugins/Bro_NetBIOS.functions.bif.bro </scripts/base/bif/plugins/Bro_NetBIOS.functions.bif.bro>
base/bif/plugins/Bro_NTLM.types.bif.bro </scripts/base/bif/plugins/Bro_NTLM.types.bif.bro>
base/bif/plugins/Bro_NTLM.events.bif.bro </scripts/base/bif/plugins/Bro_NTLM.events.bif.bro>
base/bif/plugins/Bro_NTP.events.bif.bro </scripts/base/bif/plugins/Bro_NTP.events.bif.bro>
base/bif/plugins/Bro_POP3.events.bif.bro </scripts/base/bif/plugins/Bro_POP3.events.bif.bro>
base/bif/plugins/Bro_RADIUS.events.bif.bro </scripts/base/bif/plugins/Bro_RADIUS.events.bif.bro>
base/bif/plugins/Bro_RDP.events.bif.bro </scripts/base/bif/plugins/Bro_RDP.events.bif.bro>
base/bif/plugins/Bro_RDP.types.bif.bro </scripts/base/bif/plugins/Bro_RDP.types.bif.bro>
base/bif/plugins/Bro_RFB.events.bif.bro </scripts/base/bif/plugins/Bro_RFB.events.bif.bro>
base/bif/plugins/Bro_RPC.events.bif.bro </scripts/base/bif/plugins/Bro_RPC.events.bif.bro>
base/bif/plugins/Bro_SIP.events.bif.bro </scripts/base/bif/plugins/Bro_SIP.events.bif.bro>
base/bif/plugins/Bro_SNMP.events.bif.bro </scripts/base/bif/plugins/Bro_SNMP.events.bif.bro>
base/bif/plugins/Bro_SMB.smb1_com_check_directory.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb1_com_check_directory.bif.bro>
base/bif/plugins/Bro_SMB.smb1_com_close.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb1_com_close.bif.bro>
base/bif/plugins/Bro_SMB.smb1_com_create_directory.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb1_com_create_directory.bif.bro>
base/bif/plugins/Bro_SMB.smb1_com_echo.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb1_com_echo.bif.bro>
base/bif/plugins/Bro_SMB.smb1_com_logoff_andx.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb1_com_logoff_andx.bif.bro>
base/bif/plugins/Bro_SMB.smb1_com_negotiate.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb1_com_negotiate.bif.bro>
base/bif/plugins/Bro_SMB.smb1_com_nt_create_andx.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb1_com_nt_create_andx.bif.bro>
base/bif/plugins/Bro_SMB.smb1_com_nt_cancel.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb1_com_nt_cancel.bif.bro>
base/bif/plugins/Bro_SMB.smb1_com_query_information.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb1_com_query_information.bif.bro>
base/bif/plugins/Bro_SMB.smb1_com_read_andx.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb1_com_read_andx.bif.bro>
base/bif/plugins/Bro_SMB.smb1_com_session_setup_andx.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb1_com_session_setup_andx.bif.bro>
base/bif/plugins/Bro_SMB.smb1_com_transaction.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction.bif.bro>
base/bif/plugins/Bro_SMB.smb1_com_transaction_secondary.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction_secondary.bif.bro>
base/bif/plugins/Bro_SMB.smb1_com_transaction2.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction2.bif.bro>
base/bif/plugins/Bro_SMB.smb1_com_transaction2_secondary.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction2_secondary.bif.bro>
base/bif/plugins/Bro_SMB.smb1_com_tree_connect_andx.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb1_com_tree_connect_andx.bif.bro>
base/bif/plugins/Bro_SMB.smb1_com_tree_disconnect.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb1_com_tree_disconnect.bif.bro>
base/bif/plugins/Bro_SMB.smb1_com_write_andx.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb1_com_write_andx.bif.bro>
base/bif/plugins/Bro_SMB.smb1_events.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb1_events.bif.bro>
base/bif/plugins/Bro_SMB.smb2_com_close.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb2_com_close.bif.bro>
base/bif/plugins/Bro_SMB.smb2_com_create.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb2_com_create.bif.bro>
base/bif/plugins/Bro_SMB.smb2_com_negotiate.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb2_com_negotiate.bif.bro>
base/bif/plugins/Bro_SMB.smb2_com_read.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb2_com_read.bif.bro>
base/bif/plugins/Bro_SMB.smb2_com_session_setup.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb2_com_session_setup.bif.bro>
base/bif/plugins/Bro_SMB.smb2_com_set_info.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb2_com_set_info.bif.bro>
base/bif/plugins/Bro_SMB.smb2_com_tree_connect.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb2_com_tree_connect.bif.bro>
base/bif/plugins/Bro_SMB.smb2_com_tree_disconnect.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb2_com_tree_disconnect.bif.bro>
base/bif/plugins/Bro_SMB.smb2_com_write.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb2_com_write.bif.bro>
base/bif/plugins/Bro_SMB.smb2_events.bif.bro </scripts/base/bif/plugins/Bro_SMB.smb2_events.bif.bro>
base/bif/plugins/Bro_SMB.events.bif.bro </scripts/base/bif/plugins/Bro_SMB.events.bif.bro>
base/bif/plugins/Bro_SMB.consts.bif.bro </scripts/base/bif/plugins/Bro_SMB.consts.bif.bro>
base/bif/plugins/Bro_SMB.types.bif.bro </scripts/base/bif/plugins/Bro_SMB.types.bif.bro>
base/bif/plugins/Bro_SMTP.events.bif.bro </scripts/base/bif/plugins/Bro_SMTP.events.bif.bro>
base/bif/plugins/Bro_SMTP.functions.bif.bro </scripts/base/bif/plugins/Bro_SMTP.functions.bif.bro>
base/bif/plugins/Bro_SOCKS.events.bif.bro </scripts/base/bif/plugins/Bro_SOCKS.events.bif.bro>
base/bif/plugins/Bro_SSH.types.bif.bro </scripts/base/bif/plugins/Bro_SSH.types.bif.bro>
base/bif/plugins/Bro_SSH.events.bif.bro </scripts/base/bif/plugins/Bro_SSH.events.bif.bro>
base/bif/plugins/Bro_SSL.types.bif.bro </scripts/base/bif/plugins/Bro_SSL.types.bif.bro>
base/bif/plugins/Bro_SSL.events.bif.bro </scripts/base/bif/plugins/Bro_SSL.events.bif.bro>
base/bif/plugins/Bro_SSL.functions.bif.bro </scripts/base/bif/plugins/Bro_SSL.functions.bif.bro>
base/bif/plugins/Bro_SteppingStone.events.bif.bro </scripts/base/bif/plugins/Bro_SteppingStone.events.bif.bro>
base/bif/plugins/Bro_Syslog.events.bif.bro </scripts/base/bif/plugins/Bro_Syslog.events.bif.bro>
base/bif/plugins/Bro_TCP.events.bif.bro </scripts/base/bif/plugins/Bro_TCP.events.bif.bro>
base/bif/plugins/Bro_TCP.functions.bif.bro </scripts/base/bif/plugins/Bro_TCP.functions.bif.bro>
base/bif/plugins/Bro_Teredo.events.bif.bro </scripts/base/bif/plugins/Bro_Teredo.events.bif.bro>
base/bif/plugins/Bro_UDP.events.bif.bro </scripts/base/bif/plugins/Bro_UDP.events.bif.bro>
base/bif/plugins/Bro_XMPP.events.bif.bro </scripts/base/bif/plugins/Bro_XMPP.events.bif.bro>
base/bif/plugins/Bro_FileEntropy.events.bif.bro </scripts/base/bif/plugins/Bro_FileEntropy.events.bif.bro>
base/bif/plugins/Bro_FileExtract.events.bif.bro </scripts/base/bif/plugins/Bro_FileExtract.events.bif.bro>
base/bif/plugins/Bro_FileExtract.functions.bif.bro </scripts/base/bif/plugins/Bro_FileExtract.functions.bif.bro>
base/bif/plugins/Bro_FileHash.events.bif.bro </scripts/base/bif/plugins/Bro_FileHash.events.bif.bro>
base/bif/plugins/Bro_PE.events.bif.bro </scripts/base/bif/plugins/Bro_PE.events.bif.bro>
base/bif/plugins/Bro_Unified2.events.bif.bro </scripts/base/bif/plugins/Bro_Unified2.events.bif.bro>
base/bif/plugins/Bro_Unified2.types.bif.bro </scripts/base/bif/plugins/Bro_Unified2.types.bif.bro>
base/bif/plugins/Bro_X509.events.bif.bro </scripts/base/bif/plugins/Bro_X509.events.bif.bro>
base/bif/plugins/Bro_X509.types.bif.bro </scripts/base/bif/plugins/Bro_X509.types.bif.bro>
base/bif/plugins/Bro_X509.functions.bif.bro </scripts/base/bif/plugins/Bro_X509.functions.bif.bro>
base/bif/plugins/Bro_X509.ocsp_events.bif.bro </scripts/base/bif/plugins/Bro_X509.ocsp_events.bif.bro>
base/bif/plugins/Bro_AsciiReader.ascii.bif.bro </scripts/base/bif/plugins/Bro_AsciiReader.ascii.bif.bro>
base/bif/plugins/Bro_BenchmarkReader.benchmark.bif.bro </scripts/base/bif/plugins/Bro_BenchmarkReader.benchmark.bif.bro>
base/bif/plugins/Bro_BinaryReader.binary.bif.bro </scripts/base/bif/plugins/Bro_BinaryReader.binary.bif.bro>
base/bif/plugins/Bro_ConfigReader.config.bif.bro </scripts/base/bif/plugins/Bro_ConfigReader.config.bif.bro>
base/bif/plugins/Bro_RawReader.raw.bif.bro </scripts/base/bif/plugins/Bro_RawReader.raw.bif.bro>
base/bif/plugins/Bro_SQLiteReader.sqlite.bif.bro </scripts/base/bif/plugins/Bro_SQLiteReader.sqlite.bif.bro>
base/bif/plugins/Bro_AsciiWriter.ascii.bif.bro </scripts/base/bif/plugins/Bro_AsciiWriter.ascii.bif.bro>
base/bif/plugins/Bro_NoneWriter.none.bif.bro </scripts/base/bif/plugins/Bro_NoneWriter.none.bif.bro>
base/bif/plugins/Bro_SQLiteWriter.sqlite.bif.bro </scripts/base/bif/plugins/Bro_SQLiteWriter.sqlite.bif.bro>
base/init-default.bro </scripts/base/init-default.bro>
base/utils/active-http.bro </scripts/base/utils/active-http.bro>
base/utils/exec.bro </scripts/base/utils/exec.bro>
base/utils/addrs.bro </scripts/base/utils/addrs.bro>
base/utils/conn-ids.bro </scripts/base/utils/conn-ids.bro>
base/utils/dir.bro </scripts/base/utils/dir.bro>
base/frameworks/reporter/__load__.bro </scripts/base/frameworks/reporter/__load__.bro>
base/frameworks/reporter/main.bro </scripts/base/frameworks/reporter/main.bro>
base/utils/paths.bro </scripts/base/utils/paths.bro>
base/utils/directions-and-hosts.bro </scripts/base/utils/directions-and-hosts.bro>
base/utils/email.bro </scripts/base/utils/email.bro>
base/utils/files.bro </scripts/base/utils/files.bro>
base/utils/geoip-distance.bro </scripts/base/utils/geoip-distance.bro>
base/utils/hash_hrw.bro </scripts/base/utils/hash_hrw.bro>
base/utils/numbers.bro </scripts/base/utils/numbers.bro>
base/utils/queue.bro </scripts/base/utils/queue.bro>
base/utils/strings.bro </scripts/base/utils/strings.bro>
base/utils/thresholds.bro </scripts/base/utils/thresholds.bro>
base/utils/time.bro </scripts/base/utils/time.bro>
base/utils/urls.bro </scripts/base/utils/urls.bro>
base/frameworks/notice/__load__.bro </scripts/base/frameworks/notice/__load__.bro>
base/frameworks/notice/main.bro </scripts/base/frameworks/notice/main.bro>
base/frameworks/cluster/__load__.bro </scripts/base/frameworks/cluster/__load__.bro>
base/frameworks/cluster/main.bro </scripts/base/frameworks/cluster/main.bro>
base/frameworks/control/__load__.bro </scripts/base/frameworks/control/__load__.bro>
base/frameworks/control/main.bro </scripts/base/frameworks/control/main.bro>
base/frameworks/cluster/pools.bro </scripts/base/frameworks/cluster/pools.bro>
base/frameworks/notice/weird.bro </scripts/base/frameworks/notice/weird.bro>
base/frameworks/notice/actions/drop.bro </scripts/base/frameworks/notice/actions/drop.bro>
base/frameworks/netcontrol/__load__.bro </scripts/base/frameworks/netcontrol/__load__.bro>
base/frameworks/netcontrol/types.bro </scripts/base/frameworks/netcontrol/types.bro>
base/frameworks/netcontrol/main.bro </scripts/base/frameworks/netcontrol/main.bro>
base/frameworks/netcontrol/plugin.bro </scripts/base/frameworks/netcontrol/plugin.bro>
base/frameworks/netcontrol/plugins/__load__.bro </scripts/base/frameworks/netcontrol/plugins/__load__.bro>
base/frameworks/netcontrol/plugins/debug.bro </scripts/base/frameworks/netcontrol/plugins/debug.bro>
base/frameworks/netcontrol/plugins/openflow.bro </scripts/base/frameworks/netcontrol/plugins/openflow.bro>
base/frameworks/openflow/__load__.bro </scripts/base/frameworks/openflow/__load__.bro>
base/frameworks/openflow/consts.bro </scripts/base/frameworks/openflow/consts.bro>
base/frameworks/openflow/types.bro </scripts/base/frameworks/openflow/types.bro>
base/frameworks/openflow/main.bro </scripts/base/frameworks/openflow/main.bro>
base/frameworks/openflow/plugins/__load__.bro </scripts/base/frameworks/openflow/plugins/__load__.bro>
base/frameworks/openflow/plugins/ryu.bro </scripts/base/frameworks/openflow/plugins/ryu.bro>
base/utils/json.bro </scripts/base/utils/json.bro>
base/frameworks/openflow/plugins/log.bro </scripts/base/frameworks/openflow/plugins/log.bro>
base/frameworks/openflow/plugins/broker.bro </scripts/base/frameworks/openflow/plugins/broker.bro>
base/frameworks/openflow/non-cluster.bro </scripts/base/frameworks/openflow/non-cluster.bro>
base/frameworks/netcontrol/plugins/packetfilter.bro </scripts/base/frameworks/netcontrol/plugins/packetfilter.bro>
base/frameworks/netcontrol/plugins/broker.bro </scripts/base/frameworks/netcontrol/plugins/broker.bro>
base/frameworks/netcontrol/plugins/acld.bro </scripts/base/frameworks/netcontrol/plugins/acld.bro>
base/frameworks/netcontrol/drop.bro </scripts/base/frameworks/netcontrol/drop.bro>
base/frameworks/netcontrol/shunt.bro </scripts/base/frameworks/netcontrol/shunt.bro>
base/frameworks/netcontrol/catch-and-release.bro </scripts/base/frameworks/netcontrol/catch-and-release.bro>
base/frameworks/netcontrol/non-cluster.bro </scripts/base/frameworks/netcontrol/non-cluster.bro>
base/frameworks/notice/actions/email_admin.bro </scripts/base/frameworks/notice/actions/email_admin.bro>
base/frameworks/notice/actions/page.bro </scripts/base/frameworks/notice/actions/page.bro>
base/frameworks/notice/actions/add-geodata.bro </scripts/base/frameworks/notice/actions/add-geodata.bro>
base/frameworks/notice/actions/pp-alarms.bro </scripts/base/frameworks/notice/actions/pp-alarms.bro>
base/frameworks/dpd/__load__.bro </scripts/base/frameworks/dpd/__load__.bro>
base/frameworks/dpd/main.bro </scripts/base/frameworks/dpd/main.bro>
base/frameworks/signatures/__load__.bro </scripts/base/frameworks/signatures/__load__.bro>
base/frameworks/signatures/main.bro </scripts/base/frameworks/signatures/main.bro>
base/frameworks/packet-filter/__load__.bro </scripts/base/frameworks/packet-filter/__load__.bro>
base/frameworks/packet-filter/main.bro </scripts/base/frameworks/packet-filter/main.bro>
base/frameworks/packet-filter/netstats.bro </scripts/base/frameworks/packet-filter/netstats.bro>
base/frameworks/software/__load__.bro </scripts/base/frameworks/software/__load__.bro>
base/frameworks/software/main.bro </scripts/base/frameworks/software/main.bro>
base/frameworks/intel/__load__.bro </scripts/base/frameworks/intel/__load__.bro>
base/frameworks/intel/main.bro </scripts/base/frameworks/intel/main.bro>
base/frameworks/intel/files.bro </scripts/base/frameworks/intel/files.bro>
base/frameworks/intel/input.bro </scripts/base/frameworks/intel/input.bro>
base/frameworks/config/__load__.bro </scripts/base/frameworks/config/__load__.bro>
base/frameworks/config/main.bro </scripts/base/frameworks/config/main.bro>
base/frameworks/config/input.bro </scripts/base/frameworks/config/input.bro>
base/frameworks/config/weird.bro </scripts/base/frameworks/config/weird.bro>
base/frameworks/sumstats/__load__.bro </scripts/base/frameworks/sumstats/__load__.bro>
base/frameworks/sumstats/main.bro </scripts/base/frameworks/sumstats/main.bro>
base/frameworks/sumstats/plugins/__load__.bro </scripts/base/frameworks/sumstats/plugins/__load__.bro>
base/frameworks/sumstats/plugins/average.bro </scripts/base/frameworks/sumstats/plugins/average.bro>
base/frameworks/sumstats/plugins/hll_unique.bro </scripts/base/frameworks/sumstats/plugins/hll_unique.bro>
base/frameworks/sumstats/plugins/last.bro </scripts/base/frameworks/sumstats/plugins/last.bro>
base/frameworks/sumstats/plugins/max.bro </scripts/base/frameworks/sumstats/plugins/max.bro>
base/frameworks/sumstats/plugins/min.bro </scripts/base/frameworks/sumstats/plugins/min.bro>
base/frameworks/sumstats/plugins/sample.bro </scripts/base/frameworks/sumstats/plugins/sample.bro>
base/frameworks/sumstats/plugins/std-dev.bro </scripts/base/frameworks/sumstats/plugins/std-dev.bro>
base/frameworks/sumstats/plugins/variance.bro </scripts/base/frameworks/sumstats/plugins/variance.bro>
base/frameworks/sumstats/plugins/sum.bro </scripts/base/frameworks/sumstats/plugins/sum.bro>
base/frameworks/sumstats/plugins/topk.bro </scripts/base/frameworks/sumstats/plugins/topk.bro>
base/frameworks/sumstats/plugins/unique.bro </scripts/base/frameworks/sumstats/plugins/unique.bro>
base/frameworks/sumstats/non-cluster.bro </scripts/base/frameworks/sumstats/non-cluster.bro>
base/frameworks/tunnels/__load__.bro </scripts/base/frameworks/tunnels/__load__.bro>
base/frameworks/tunnels/main.bro </scripts/base/frameworks/tunnels/main.bro>
base/protocols/conn/__load__.bro </scripts/base/protocols/conn/__load__.bro>
base/protocols/conn/main.bro </scripts/base/protocols/conn/main.bro>
base/protocols/conn/contents.bro </scripts/base/protocols/conn/contents.bro>
base/protocols/conn/inactivity.bro </scripts/base/protocols/conn/inactivity.bro>
base/protocols/conn/polling.bro </scripts/base/protocols/conn/polling.bro>
base/protocols/conn/thresholds.bro </scripts/base/protocols/conn/thresholds.bro>
base/protocols/dce-rpc/__load__.bro </scripts/base/protocols/dce-rpc/__load__.bro>
base/protocols/dce-rpc/consts.bro </scripts/base/protocols/dce-rpc/consts.bro>
base/protocols/dce-rpc/main.bro </scripts/base/protocols/dce-rpc/main.bro>
base/protocols/dhcp/__load__.bro </scripts/base/protocols/dhcp/__load__.bro>
base/protocols/dhcp/consts.bro </scripts/base/protocols/dhcp/consts.bro>
base/protocols/dhcp/main.bro </scripts/base/protocols/dhcp/main.bro>
base/protocols/dnp3/__load__.bro </scripts/base/protocols/dnp3/__load__.bro>
base/protocols/dnp3/main.bro </scripts/base/protocols/dnp3/main.bro>
base/protocols/dnp3/consts.bro </scripts/base/protocols/dnp3/consts.bro>
base/protocols/dns/__load__.bro </scripts/base/protocols/dns/__load__.bro>
base/protocols/dns/consts.bro </scripts/base/protocols/dns/consts.bro>
base/protocols/dns/main.bro </scripts/base/protocols/dns/main.bro>
base/protocols/ftp/__load__.bro </scripts/base/protocols/ftp/__load__.bro>
base/protocols/ftp/utils-commands.bro </scripts/base/protocols/ftp/utils-commands.bro>
base/protocols/ftp/info.bro </scripts/base/protocols/ftp/info.bro>
base/protocols/ftp/main.bro </scripts/base/protocols/ftp/main.bro>
base/protocols/ftp/utils.bro </scripts/base/protocols/ftp/utils.bro>
base/protocols/ftp/files.bro </scripts/base/protocols/ftp/files.bro>
base/protocols/ftp/gridftp.bro </scripts/base/protocols/ftp/gridftp.bro>
base/protocols/ssl/__load__.bro </scripts/base/protocols/ssl/__load__.bro>
base/protocols/ssl/consts.bro </scripts/base/protocols/ssl/consts.bro>
base/protocols/ssl/main.bro </scripts/base/protocols/ssl/main.bro>
base/protocols/ssl/mozilla-ca-list.bro </scripts/base/protocols/ssl/mozilla-ca-list.bro>
base/protocols/ssl/ct-list.bro </scripts/base/protocols/ssl/ct-list.bro>
base/protocols/ssl/files.bro </scripts/base/protocols/ssl/files.bro>
base/files/x509/__load__.bro </scripts/base/files/x509/__load__.bro>
base/files/x509/main.bro </scripts/base/files/x509/main.bro>
base/files/hash/__load__.bro </scripts/base/files/hash/__load__.bro>
base/files/hash/main.bro </scripts/base/files/hash/main.bro>
base/protocols/http/__load__.bro </scripts/base/protocols/http/__load__.bro>
base/protocols/http/main.bro </scripts/base/protocols/http/main.bro>
base/protocols/http/entities.bro </scripts/base/protocols/http/entities.bro>
base/protocols/http/utils.bro </scripts/base/protocols/http/utils.bro>
base/protocols/http/files.bro </scripts/base/protocols/http/files.bro>
base/protocols/imap/__load__.bro </scripts/base/protocols/imap/__load__.bro>
base/protocols/imap/main.bro </scripts/base/protocols/imap/main.bro>
base/protocols/irc/__load__.bro </scripts/base/protocols/irc/__load__.bro>
base/protocols/irc/main.bro </scripts/base/protocols/irc/main.bro>
base/protocols/irc/dcc-send.bro </scripts/base/protocols/irc/dcc-send.bro>
base/protocols/irc/files.bro </scripts/base/protocols/irc/files.bro>
base/protocols/krb/__load__.bro </scripts/base/protocols/krb/__load__.bro>
base/protocols/krb/main.bro </scripts/base/protocols/krb/main.bro>
base/protocols/krb/consts.bro </scripts/base/protocols/krb/consts.bro>
base/protocols/krb/files.bro </scripts/base/protocols/krb/files.bro>
base/protocols/modbus/__load__.bro </scripts/base/protocols/modbus/__load__.bro>
base/protocols/modbus/consts.bro </scripts/base/protocols/modbus/consts.bro>
base/protocols/modbus/main.bro </scripts/base/protocols/modbus/main.bro>
base/protocols/mysql/__load__.bro </scripts/base/protocols/mysql/__load__.bro>
base/protocols/mysql/main.bro </scripts/base/protocols/mysql/main.bro>
base/protocols/mysql/consts.bro </scripts/base/protocols/mysql/consts.bro>
base/protocols/ntlm/__load__.bro </scripts/base/protocols/ntlm/__load__.bro>
base/protocols/ntlm/main.bro </scripts/base/protocols/ntlm/main.bro>
base/protocols/pop3/__load__.bro </scripts/base/protocols/pop3/__load__.bro>
base/protocols/radius/__load__.bro </scripts/base/protocols/radius/__load__.bro>
base/protocols/radius/main.bro </scripts/base/protocols/radius/main.bro>
base/protocols/radius/consts.bro </scripts/base/protocols/radius/consts.bro>
base/protocols/rdp/__load__.bro </scripts/base/protocols/rdp/__load__.bro>
base/protocols/rdp/consts.bro </scripts/base/protocols/rdp/consts.bro>
base/protocols/rdp/main.bro </scripts/base/protocols/rdp/main.bro>
base/protocols/rfb/__load__.bro </scripts/base/protocols/rfb/__load__.bro>
base/protocols/rfb/main.bro </scripts/base/protocols/rfb/main.bro>
base/protocols/sip/__load__.bro </scripts/base/protocols/sip/__load__.bro>
base/protocols/sip/main.bro </scripts/base/protocols/sip/main.bro>
base/protocols/snmp/__load__.bro </scripts/base/protocols/snmp/__load__.bro>
base/protocols/snmp/main.bro </scripts/base/protocols/snmp/main.bro>
base/protocols/smb/__load__.bro </scripts/base/protocols/smb/__load__.bro>
base/protocols/smb/consts.bro </scripts/base/protocols/smb/consts.bro>
base/protocols/smb/const-dos-error.bro </scripts/base/protocols/smb/const-dos-error.bro>
base/protocols/smb/const-nt-status.bro </scripts/base/protocols/smb/const-nt-status.bro>
base/protocols/smb/main.bro </scripts/base/protocols/smb/main.bro>
base/protocols/smb/smb1-main.bro </scripts/base/protocols/smb/smb1-main.bro>
base/protocols/smb/smb2-main.bro </scripts/base/protocols/smb/smb2-main.bro>
base/protocols/smb/files.bro </scripts/base/protocols/smb/files.bro>
base/protocols/smtp/__load__.bro </scripts/base/protocols/smtp/__load__.bro>
base/protocols/smtp/main.bro </scripts/base/protocols/smtp/main.bro>
base/protocols/smtp/entities.bro </scripts/base/protocols/smtp/entities.bro>
base/protocols/smtp/files.bro </scripts/base/protocols/smtp/files.bro>
base/protocols/socks/__load__.bro </scripts/base/protocols/socks/__load__.bro>
base/protocols/socks/consts.bro </scripts/base/protocols/socks/consts.bro>
base/protocols/socks/main.bro </scripts/base/protocols/socks/main.bro>
base/protocols/ssh/__load__.bro </scripts/base/protocols/ssh/__load__.bro>
base/protocols/ssh/main.bro </scripts/base/protocols/ssh/main.bro>
base/protocols/syslog/__load__.bro </scripts/base/protocols/syslog/__load__.bro>
base/protocols/syslog/consts.bro </scripts/base/protocols/syslog/consts.bro>
base/protocols/syslog/main.bro </scripts/base/protocols/syslog/main.bro>
base/protocols/tunnels/__load__.bro </scripts/base/protocols/tunnels/__load__.bro>
base/protocols/xmpp/__load__.bro </scripts/base/protocols/xmpp/__load__.bro>
base/protocols/xmpp/main.bro </scripts/base/protocols/xmpp/main.bro>
base/files/pe/__load__.bro </scripts/base/files/pe/__load__.bro>
base/files/pe/consts.bro </scripts/base/files/pe/consts.bro>
base/files/pe/main.bro </scripts/base/files/pe/main.bro>
base/files/extract/__load__.bro </scripts/base/files/extract/__load__.bro>
base/files/extract/main.bro </scripts/base/files/extract/main.bro>
base/files/unified2/__load__.bro </scripts/base/files/unified2/__load__.bro>
base/files/unified2/main.bro </scripts/base/files/unified2/main.bro>
base/misc/find-checksum-offloading.bro </scripts/base/misc/find-checksum-offloading.bro>
base/misc/find-filtered-trace.bro </scripts/base/misc/find-filtered-trace.bro>
base/misc/version.bro </scripts/base/misc/version.bro>
broxygen/__load__.bro </scripts/broxygen/__load__.bro>
test-all-policy.bro </scripts/test-all-policy.bro>
policy/frameworks/dpd/detect-protocols.bro </scripts/policy/frameworks/dpd/detect-protocols.bro>
policy/frameworks/dpd/packet-segment-logging.bro </scripts/policy/frameworks/dpd/packet-segment-logging.bro>
policy/frameworks/intel/do_notice.bro </scripts/policy/frameworks/intel/do_notice.bro>
policy/frameworks/intel/do_expire.bro </scripts/policy/frameworks/intel/do_expire.bro>
policy/frameworks/intel/whitelist.bro </scripts/policy/frameworks/intel/whitelist.bro>
policy/frameworks/intel/seen/__load__.bro </scripts/policy/frameworks/intel/seen/__load__.bro>
policy/frameworks/intel/seen/conn-established.bro </scripts/policy/frameworks/intel/seen/conn-established.bro>
policy/frameworks/intel/seen/where-locations.bro </scripts/policy/frameworks/intel/seen/where-locations.bro>
policy/frameworks/intel/seen/dns.bro </scripts/policy/frameworks/intel/seen/dns.bro>
policy/frameworks/intel/seen/file-hashes.bro </scripts/policy/frameworks/intel/seen/file-hashes.bro>
policy/frameworks/intel/seen/file-names.bro </scripts/policy/frameworks/intel/seen/file-names.bro>
policy/frameworks/intel/seen/http-headers.bro </scripts/policy/frameworks/intel/seen/http-headers.bro>
policy/frameworks/intel/seen/http-url.bro </scripts/policy/frameworks/intel/seen/http-url.bro>
policy/frameworks/intel/seen/pubkey-hashes.bro </scripts/policy/frameworks/intel/seen/pubkey-hashes.bro>
policy/frameworks/intel/seen/ssl.bro </scripts/policy/frameworks/intel/seen/ssl.bro>
policy/frameworks/intel/seen/smtp.bro </scripts/policy/frameworks/intel/seen/smtp.bro>
policy/frameworks/intel/seen/smtp-url-extraction.bro </scripts/policy/frameworks/intel/seen/smtp-url-extraction.bro>
policy/frameworks/intel/seen/x509.bro </scripts/policy/frameworks/intel/seen/x509.bro>
policy/frameworks/files/detect-MHR.bro </scripts/policy/frameworks/files/detect-MHR.bro>
policy/frameworks/files/hash-all-files.bro </scripts/policy/frameworks/files/hash-all-files.bro>
policy/frameworks/files/entropy-test-all-files.bro </scripts/policy/frameworks/files/entropy-test-all-files.bro>
policy/frameworks/notice/__load__.bro </scripts/policy/frameworks/notice/__load__.bro>
policy/frameworks/notice/extend-email/hostnames.bro </scripts/policy/frameworks/notice/extend-email/hostnames.bro>
policy/files/x509/log-ocsp.bro </scripts/policy/files/x509/log-ocsp.bro>
policy/frameworks/packet-filter/shunt.bro </scripts/policy/frameworks/packet-filter/shunt.bro>
policy/frameworks/software/version-changes.bro </scripts/policy/frameworks/software/version-changes.bro>
policy/frameworks/software/vulnerable.bro </scripts/policy/frameworks/software/vulnerable.bro>
policy/frameworks/software/windows-version-detection.bro </scripts/policy/frameworks/software/windows-version-detection.bro>
policy/integration/barnyard2/__load__.bro </scripts/policy/integration/barnyard2/__load__.bro>
policy/integration/barnyard2/types.bro </scripts/policy/integration/barnyard2/types.bro>
policy/integration/barnyard2/main.bro </scripts/policy/integration/barnyard2/main.bro>
policy/integration/collective-intel/__load__.bro </scripts/policy/integration/collective-intel/__load__.bro>
policy/integration/collective-intel/main.bro </scripts/policy/integration/collective-intel/main.bro>
policy/misc/capture-loss.bro </scripts/policy/misc/capture-loss.bro>
policy/misc/detect-traceroute/__load__.bro </scripts/policy/misc/detect-traceroute/__load__.bro>
policy/misc/detect-traceroute/main.bro </scripts/policy/misc/detect-traceroute/main.bro>
policy/misc/load-balancing.bro </scripts/policy/misc/load-balancing.bro>
policy/misc/loaded-scripts.bro </scripts/policy/misc/loaded-scripts.bro>
policy/misc/profiling.bro </scripts/policy/misc/profiling.bro>
policy/misc/scan.bro </scripts/policy/misc/scan.bro>
policy/misc/stats.bro </scripts/policy/misc/stats.bro>
policy/misc/weird-stats.bro </scripts/policy/misc/weird-stats.bro>
policy/misc/trim-trace-file.bro </scripts/policy/misc/trim-trace-file.bro>
policy/protocols/conn/known-hosts.bro </scripts/policy/protocols/conn/known-hosts.bro>
policy/protocols/conn/known-services.bro </scripts/policy/protocols/conn/known-services.bro>
policy/protocols/conn/mac-logging.bro </scripts/policy/protocols/conn/mac-logging.bro>
policy/protocols/conn/vlan-logging.bro </scripts/policy/protocols/conn/vlan-logging.bro>
policy/protocols/conn/weirds.bro </scripts/policy/protocols/conn/weirds.bro>
policy/protocols/dhcp/msg-orig.bro </scripts/policy/protocols/dhcp/msg-orig.bro>
policy/protocols/dhcp/software.bro </scripts/policy/protocols/dhcp/software.bro>
policy/protocols/dhcp/sub-opts.bro </scripts/policy/protocols/dhcp/sub-opts.bro>
policy/protocols/dns/auth-addl.bro </scripts/policy/protocols/dns/auth-addl.bro>
policy/protocols/dns/detect-external-names.bro </scripts/policy/protocols/dns/detect-external-names.bro>
policy/protocols/ftp/detect-bruteforcing.bro </scripts/policy/protocols/ftp/detect-bruteforcing.bro>
policy/protocols/ftp/detect.bro </scripts/policy/protocols/ftp/detect.bro>
policy/protocols/ftp/software.bro </scripts/policy/protocols/ftp/software.bro>
policy/protocols/http/detect-sqli.bro </scripts/policy/protocols/http/detect-sqli.bro>
policy/protocols/http/detect-webapps.bro </scripts/policy/protocols/http/detect-webapps.bro>
policy/protocols/http/header-names.bro </scripts/policy/protocols/http/header-names.bro>
policy/protocols/http/software-browser-plugins.bro </scripts/policy/protocols/http/software-browser-plugins.bro>
policy/protocols/http/software.bro </scripts/policy/protocols/http/software.bro>
policy/protocols/http/var-extraction-cookies.bro </scripts/policy/protocols/http/var-extraction-cookies.bro>
policy/protocols/http/var-extraction-uri.bro </scripts/policy/protocols/http/var-extraction-uri.bro>
policy/protocols/krb/ticket-logging.bro </scripts/policy/protocols/krb/ticket-logging.bro>
policy/protocols/modbus/known-masters-slaves.bro </scripts/policy/protocols/modbus/known-masters-slaves.bro>
policy/protocols/modbus/track-memmap.bro </scripts/policy/protocols/modbus/track-memmap.bro>
policy/protocols/mysql/software.bro </scripts/policy/protocols/mysql/software.bro>
policy/protocols/rdp/indicate_ssl.bro </scripts/policy/protocols/rdp/indicate_ssl.bro>
policy/protocols/smb/log-cmds.bro </scripts/policy/protocols/smb/log-cmds.bro>
policy/protocols/smtp/blocklists.bro </scripts/policy/protocols/smtp/blocklists.bro>
policy/protocols/smtp/detect-suspicious-orig.bro </scripts/policy/protocols/smtp/detect-suspicious-orig.bro>
policy/protocols/smtp/entities-excerpt.bro </scripts/policy/protocols/smtp/entities-excerpt.bro>
policy/protocols/smtp/software.bro </scripts/policy/protocols/smtp/software.bro>
policy/protocols/ssh/detect-bruteforcing.bro </scripts/policy/protocols/ssh/detect-bruteforcing.bro>
policy/protocols/ssh/geo-data.bro </scripts/policy/protocols/ssh/geo-data.bro>
policy/protocols/ssh/interesting-hostnames.bro </scripts/policy/protocols/ssh/interesting-hostnames.bro>
policy/protocols/ssh/software.bro </scripts/policy/protocols/ssh/software.bro>
policy/protocols/ssl/expiring-certs.bro </scripts/policy/protocols/ssl/expiring-certs.bro>
policy/protocols/ssl/extract-certs-pem.bro </scripts/policy/protocols/ssl/extract-certs-pem.bro>
policy/protocols/ssl/heartbleed.bro </scripts/policy/protocols/ssl/heartbleed.bro>
policy/protocols/ssl/known-certs.bro </scripts/policy/protocols/ssl/known-certs.bro>
policy/protocols/ssl/log-hostcerts-only.bro </scripts/policy/protocols/ssl/log-hostcerts-only.bro>
policy/protocols/ssl/validate-certs.bro </scripts/policy/protocols/ssl/validate-certs.bro>
policy/protocols/ssl/validate-ocsp.bro </scripts/policy/protocols/ssl/validate-ocsp.bro>
policy/protocols/ssl/validate-sct.bro </scripts/policy/protocols/ssl/validate-sct.bro>
policy/protocols/ssl/weak-keys.bro </scripts/policy/protocols/ssl/weak-keys.bro>
policy/tuning/__load__.bro </scripts/policy/tuning/__load__.bro>
policy/tuning/defaults/__load__.bro </scripts/policy/tuning/defaults/__load__.bro>
policy/tuning/defaults/packet-fragments.bro </scripts/policy/tuning/defaults/packet-fragments.bro>
policy/tuning/defaults/warnings.bro </scripts/policy/tuning/defaults/warnings.bro>
policy/tuning/defaults/extracted_file_limits.bro </scripts/policy/tuning/defaults/extracted_file_limits.bro>
policy/tuning/json-logs.bro </scripts/policy/tuning/json-logs.bro>
policy/tuning/track-all-assets.bro </scripts/policy/tuning/track-all-assets.bro>
policy/protocols/ssl/notary.bro </scripts/policy/protocols/ssl/notary.bro>
policy/frameworks/control/controllee.bro </scripts/policy/frameworks/control/controllee.bro>
policy/frameworks/control/controller.bro </scripts/policy/frameworks/control/controller.bro>
policy/frameworks/files/extract-all-files.bro </scripts/policy/frameworks/files/extract-all-files.bro>
policy/misc/dump-events.bro </scripts/policy/misc/dump-events.bro>
policy/protocols/dhcp/deprecated_events.bro </scripts/policy/protocols/dhcp/deprecated_events.bro>
policy/protocols/smb/__load__.bro </scripts/policy/protocols/smb/__load__.bro>
broxygen/example.bro </scripts/broxygen/example.bro>


@ -1 +1 @@
.. broxygen:file_analyzer:: *
.. include:: autogenerated-file-analyzer-index.rst


@ -11,4 +11,4 @@ Packages/scripts in the ``base/`` directory are all loaded by default, while
ones in ``policy/`` provide functionality and customization options that are
more appropriate for users to decide whether they'd like to load it or not.
.. broxygen:package_index:: *
.. include:: autogenerated-package-index.rst


@ -1 +1 @@
.. broxygen:proto_analyzer:: *
.. include:: autogenerated-protocol-analyzer-index.rst


@ -2,4 +2,4 @@
Bro Script Index
================
.. broxygen:script_index:: *
.. include:: autogenerated-script-index.rst


@ -305,7 +305,7 @@ Here is a more detailed description of each type:
of an address gives the size in bits (32 for IPv4, and 128 for IPv6).
Addresses can also be masked with ``/`` to produce a :bro:type:`subnet`:
.. code:: bro
.. sourcecode:: bro
local a: addr = 192.168.1.100;
local s: subnet = 192.168.0.0/16;
@ -315,7 +315,7 @@ Here is a more detailed description of each type:
And checked for inclusion within a :bro:type:`subnet` using ``in``
or ``!in``:
.. code:: bro
.. sourcecode:: bro
local a: addr = 192.168.1.100;
local s: subnet = 192.168.0.0/16;
@ -329,7 +329,7 @@ Here is a more detailed description of each type:
correspond to multiple IP addresses, the type of such a variable is
"set[addr]". For example:
.. code:: bro
.. sourcecode:: bro
local a = www.google.com;
@ -349,7 +349,7 @@ Here is a more detailed description of each type:
A type allowing the specification of a set of related values that
have no further structure. An example declaration:
.. code:: bro
.. sourcecode:: bro
type color: enum { Red, White, Blue, };
@ -379,13 +379,13 @@ Here is a more detailed description of each type:
Here is an example of declaring a table indexed by "count" values
and yielding "string" values:
.. code:: bro
.. sourcecode:: bro
global a: table[count] of string;
The yield type can also be more complex:
.. code:: bro
.. sourcecode:: bro
global a: table[count] of table[addr, port] of string;
@ -396,7 +396,7 @@ Here is a more detailed description of each type:
One way to initialize a table is by enclosing a set of initializers within
braces, for example:
.. code:: bro
.. sourcecode:: bro
global t: table[count] of string = {
[11] = "eleven",
@ -405,7 +405,7 @@ Here is a more detailed description of each type:
A table constructor can also be used to create a table:
.. code:: bro
.. sourcecode:: bro
global t2 = table(
[192.168.0.2, 22/tcp] = "ssh",
@ -416,7 +416,7 @@ Here is a more detailed description of each type:
useful when a more complex index type could otherwise be
ambiguous:
.. code:: bro
.. sourcecode:: bro
type MyRec: record {
a: count &optional;
@ -430,13 +430,13 @@ Here is a more detailed description of each type:
Accessing table elements is provided by enclosing index values within
square brackets (``[]``), for example:
.. code:: bro
.. sourcecode:: bro
print t[11];
And membership can be tested with ``in`` or ``!in``:
.. code:: bro
.. sourcecode:: bro
if ( 13 in t )
...
@ -445,13 +445,13 @@ Here is a more detailed description of each type:
Add or overwrite individual table elements by assignment:
.. code:: bro
.. sourcecode:: bro
t[13] = "thirteen";
Remove individual table elements with :bro:keyword:`delete`:
.. code:: bro
.. sourcecode:: bro
delete t[13];
@ -461,7 +461,7 @@ Here is a more detailed description of each type:
The number of elements in a table can be obtained by placing the table
identifier between vertical pipe characters:
.. code:: bro
.. sourcecode:: bro
|t|
@ -482,7 +482,7 @@ Here is a more detailed description of each type:
Sets can be initialized by listing elements enclosed by curly braces:
.. code:: bro
.. sourcecode:: bro
global s: set[port] = { 21/tcp, 23/tcp, 80/tcp, 443/tcp };
global s2: set[port, string] = { [21/tcp, "ftp"], [23/tcp, "telnet"] };
@ -490,7 +490,7 @@ Here is a more detailed description of each type:
A set constructor (equivalent to above example) can also be used to
create a set:
.. code:: bro
.. sourcecode:: bro
global s3 = set(21/tcp, 23/tcp, 80/tcp, 443/tcp);
@ -498,7 +498,7 @@ Here is a more detailed description of each type:
useful when a more complex index type could otherwise be
ambiguous:
.. code:: bro
.. sourcecode:: bro
type MyRec: record {
a: count &optional;
@ -511,7 +511,7 @@ Here is a more detailed description of each type:
Set membership is tested with ``in`` or ``!in``:
.. code:: bro
.. sourcecode:: bro
if ( 21/tcp in s )
...
@ -521,7 +521,7 @@ Here is a more detailed description of each type:
Elements are added with :bro:keyword:`add`:
.. code:: bro
.. sourcecode:: bro
add s[22/tcp];
@ -530,7 +530,7 @@ Here is a more detailed description of each type:
And removed with :bro:keyword:`delete`:
.. code:: bro
.. sourcecode:: bro
delete s[21/tcp];
@ -540,7 +540,7 @@ Here is a more detailed description of each type:
The number of elements in a set can be obtained by placing the set
identifier between vertical pipe characters:
.. code:: bro
.. sourcecode:: bro
|s|
@ -563,13 +563,13 @@ Here is a more detailed description of each type:
:bro:type:`count` (and vector indexing is always zero-based). A vector
is declared like:
.. code:: bro
.. sourcecode:: bro
global v: vector of string;
And can be initialized with the vector constructor:
.. code:: bro
.. sourcecode:: bro
local v = vector("one", "two", "three");
@ -577,7 +577,7 @@ Here is a more detailed description of each type:
is useful for when a more complex yield type could otherwise be
ambiguous.
.. code:: bro
.. sourcecode:: bro
type MyRec: record {
a: count &optional;
@ -591,14 +591,14 @@ Here is a more detailed description of each type:
Accessing vector elements is provided by enclosing index values within
square brackets (``[]``), for example:
.. code:: bro
.. sourcecode:: bro
print v[2];
An element can be added to a vector by assigning the value (a value
that already exists at that index will be overwritten):
.. code:: bro
.. sourcecode:: bro
v[3] = "four";
@ -606,21 +606,21 @@ Here is a more detailed description of each type:
is normally equal to the number of elements in the vector) can be obtained
by placing the vector identifier between vertical pipe characters:
.. code:: bro
.. sourcecode:: bro
|v|
A particularly common operation on a vector is to append an element
to its end. You can do so using:
.. code:: bro
.. sourcecode:: bro
v += e;
where if e's type is ``X``, v's type is ``vector of X``. Note that
this expression is equivalent to:
.. code:: bro
.. sourcecode:: bro
v[|v|] = e;
@ -660,7 +660,7 @@ Here is a more detailed description of each type:
same as local or global variables). An example record type
definition:
.. code:: bro
.. sourcecode:: bro
type MyRecordType: record {
c: count;
@ -672,27 +672,27 @@ Here is a more detailed description of each type:
:bro:attr:`&optional` or have a :bro:attr:`&default` attribute must
be specified. First, there's a constructor syntax:
.. code:: bro
.. sourcecode:: bro
local r: MyRecordType = record($c = 7);
And the constructor can be explicitly named by type, too, which
is arguably more readable:
.. code:: bro
.. sourcecode:: bro
local r = MyRecordType($c = 42);
And the third way is like this:
.. code:: bro
.. sourcecode:: bro
local r: MyRecordType = [$c = 13, $s = "thirteen"];
Access to a record field uses the dollar sign (``$``) operator, and
record fields can be assigned with this:
.. code:: bro
.. sourcecode:: bro
local r: MyRecordType;
r$c = 13;
@ -701,7 +701,7 @@ Here is a more detailed description of each type:
value, use the ``?$`` operator (it returns a :bro:type:`bool` value of
``T`` if the field has been assigned a value, or ``F`` if not):
.. code:: bro
.. sourcecode:: bro
if ( r ?$ s )
...
@ -715,7 +715,7 @@ Here is a more detailed description of each type:
where *argument* is a (possibly empty) comma-separated list of
arguments, and *type* is an optional return type. For example:
.. code:: bro
.. sourcecode:: bro
global greeting: function(name: string): string;
@ -724,7 +724,7 @@ Here is a more detailed description of each type:
have different function body values at different times. To define
a function including a body value, the syntax is like:
.. code:: bro
.. sourcecode:: bro
function greeting(name: string): string
{
@ -739,7 +739,7 @@ Here is a more detailed description of each type:
Here is an example function that takes no parameters and does not
return a value:
.. code:: bro
.. sourcecode:: bro
function my_func()
{
@ -748,20 +748,20 @@ Here is a more detailed description of each type:
Function types don't need to have a name and can be assigned anonymously:
.. code:: bro
.. sourcecode:: bro
greeting = function(name: string): string { return "Hi, " + name; };
And finally, the function can be called like:
.. code:: bro
.. sourcecode:: bro
print greeting("Dave");
Function parameters may specify default values as long as they appear
last in the parameter list:
.. code:: bro
.. sourcecode:: bro
global foo: function(s: string, t: string &default="abc", u: count &default=0);
@ -770,7 +770,7 @@ Here is a more detailed description of each type:
body and they will still be used for function calls that lack those
arguments.
.. code:: bro
.. sourcecode:: bro
function foo(s: string, t: string, u: count)
{
@ -779,7 +779,7 @@ Here is a more detailed description of each type:
And calls to the function may omit the defaults from the argument list:
.. code:: bro
.. sourcecode:: bro
foo("test");
@ -792,7 +792,7 @@ Here is a more detailed description of each type:
Example:
.. code:: bro
.. sourcecode:: bro
event my_event(r: bool, s: string)
{
@ -815,7 +815,7 @@ Here is a more detailed description of each type:
Immediately queuing invocation of an event handler occurs like:
.. code:: bro
.. sourcecode:: bro
event password_exposed(user, password);
@ -827,7 +827,7 @@ Here is a more detailed description of each type:
This delays the invocation of event handlers until some time in
the future. For example:
.. code:: bro
.. sourcecode:: bro
schedule 5 secs { password_exposed(user, password) };
@ -856,7 +856,7 @@ Here is a more detailed description of each type:
where *argument* is a (possibly empty) comma-separated list of
arguments. For example:
.. code:: bro
.. sourcecode:: bro
global myhook: hook(s: string)
@ -864,7 +864,7 @@ Here is a more detailed description of each type:
bodies have been defined for it yet. To define some hook handler
bodies the syntax looks like:
.. code:: bro
.. sourcecode:: bro
hook myhook(s: string) &priority=10
{
@ -891,13 +891,13 @@ Here is a more detailed description of each type:
are called similarly to a function, except preceded by the ``hook``
keyword:
.. code:: bro
.. sourcecode:: bro
hook myhook("hi");
or
.. code:: bro
.. sourcecode:: bro
if ( hook myhook("hi") )
print "all handlers ran";
@ -925,7 +925,7 @@ Here is a more detailed description of each type:
function. For example, declare, open, and write to a file and finally
close it like:
.. code:: bro
.. sourcecode:: bro
local f = open("myfile");
print f, "hello, world";
@ -945,7 +945,7 @@ Here is a more detailed description of each type:
An example use of this type is the set of built-in functions which
perform hashing:
.. code:: bro
.. sourcecode:: bro
local handle = md5_hash_init();
md5_hash_update(handle, "test");


@ -1,14 +1,12 @@
.. _writing-scripts:
===================
Writing Bro Scripts
===================
===============
Writing Scripts
===============
.. contents::
Understanding Bro Scripts
=========================
Understanding Scripts
=====================
Bro includes an event-driven scripting language that provides
the primary means for an organization to extend and customize Bro's
@ -37,10 +35,85 @@ Hash registry includes the ability to do a host lookup on a domain with the form
Team Cymru also populates the TXT record of their DNS responses with both a "first seen"
timestamp and a numerical "detection rate". The important aspect to understand is Bro already
generating hashes for files via the Files framework, but it is the
script ``detect-MHR.bro`` that is responsible for generating the
script :doc:`/scripts/policy/frameworks/files/detect-MHR.bro`
that is responsible for generating the
appropriate DNS lookup, parsing the response, and generating a notice if appropriate.
.. btest-include:: ${BRO_SRC_ROOT}/scripts/policy/frameworks/files/detect-MHR.bro
.. sourcecode:: bro
:caption: detect-MHR.bro
##! Detect file downloads that have hash values matching files in Team
##! Cymru's Malware Hash Registry (http://www.team-cymru.org/Services/MHR/).
@load base/frameworks/files
@load base/frameworks/notice
@load frameworks/files/hash-all-files
module TeamCymruMalwareHashRegistry;
export {
redef enum Notice::Type += {
## The hash value of a file transferred over HTTP matched in the
## malware hash registry.
Match
};
## File types to attempt matching against the Malware Hash Registry.
option match_file_types = /application\/x-dosexec/ |
/application\/vnd.ms-cab-compressed/ |
/application\/pdf/ |
/application\/x-shockwave-flash/ |
/application\/x-java-applet/ |
/application\/jar/ |
/video\/mp4/;
## The Match notice has a sub message with a URL where you can get more
## information about the file. The %s will be replaced with the SHA-1
## hash of the file.
option match_sub_url = "https://www.virustotal.com/en/search/?query=%s";
## The malware hash registry runs each malware sample through several
## A/V engines. Team Cymru returns a percentage to indicate how
## many A/V engines flagged the sample as malicious. This threshold
## allows you to require a minimum detection rate.
option notice_threshold = 10;
}
function do_mhr_lookup(hash: string, fi: Notice::FileInfo)
{
local hash_domain = fmt("%s.malware.hash.cymru.com", hash);
when ( local MHR_result = lookup_hostname_txt(hash_domain) )
{
# Data is returned as "<dateFirstDetected> <detectionRate>"
local MHR_answer = split_string1(MHR_result, / /);
if ( |MHR_answer| == 2 )
{
local mhr_detect_rate = to_count(MHR_answer[1]);
if ( mhr_detect_rate >= notice_threshold )
{
local mhr_first_detected = double_to_time(to_double(MHR_answer[0]));
local readable_first_detected = strftime("%Y-%m-%d %H:%M:%S", mhr_first_detected);
local message = fmt("Malware Hash Registry Detection rate: %d%% Last seen: %s", mhr_detect_rate, readable_first_detected);
local virustotal_url = fmt(match_sub_url, hash);
# We don't have the full fa_file record here in order to
# avoid the "when" statement cloning it (expensive!).
local n: Notice::Info = Notice::Info($note=Match, $msg=message, $sub=virustotal_url);
Notice::populate_file_info2(fi, n);
NOTICE(n);
}
}
}
}
event file_hash(f: fa_file, kind: string, hash: string)
{
if ( kind == "sha1" && f?$info && f$info?$mime_type &&
match_file_types in f$info$mime_type )
do_mhr_lookup(hash, Notice::create_file_info(f));
}
Visually, there are three distinct sections of the script. First, there is a base
level with no indentation where libraries are included in the script through ``@load``
@ -51,8 +124,12 @@ specific event (``event file_hash``). Don't get discouraged if you don't
understand every section of the script; we'll cover the basics of the
script and much more in following sections.
.. btest-include:: ${BRO_SRC_ROOT}/scripts/policy/frameworks/files/detect-MHR.bro
:lines: 4-6
.. sourcecode:: bro
:caption: detect-MHR.bro
@load base/frameworks/files
@load base/frameworks/notice
@load frameworks/files/hash-all-files
The first part of the script consists of ``@load`` directives which
process the ``__load__.bro`` script in the
@ -66,8 +143,36 @@ this level of granularity might not be entirely necessary. The ``@load`` direct
are ensuring the Files framework, the Notice framework and the script to hash all files has
been loaded by Bro.
.. btest-include:: ${BRO_SRC_ROOT}/scripts/policy/frameworks/files/detect-MHR.bro
:lines: 10-36
.. sourcecode:: bro
:caption: detect-MHR.bro
export {
redef enum Notice::Type += {
## The hash value of a file transferred over HTTP matched in the
## malware hash registry.
Match
};
## File types to attempt matching against the Malware Hash Registry.
option match_file_types = /application\/x-dosexec/ |
/application\/vnd.ms-cab-compressed/ |
/application\/pdf/ |
/application\/x-shockwave-flash/ |
/application\/x-java-applet/ |
/application\/jar/ |
/video\/mp4/;
## The Match notice has a sub message with a URL where you can get more
## information about the file. The %s will be replaced with the SHA-1
## hash of the file.
option match_sub_url = "https://www.virustotal.com/en/search/?query=%s";
## The malware hash registry runs each malware sample through several
## A/V engines. Team Cymru returns a percentage to indicate how
## many A/V engines flagged the sample as malicious. This threshold
## allows you to require a minimum detection rate.
option notice_threshold = 10;
}
The export section redefines an enumerable constant that describes the
type of notice we will generate with the Notice framework. Bro
@ -89,8 +194,43 @@ Up until this point, the script has merely done some basic setup. With
the next section, the script starts to define instructions to take in
a given event.
.. btest-include:: ${BRO_SRC_ROOT}/scripts/policy/frameworks/files/detect-MHR.bro
:lines: 38-71
.. sourcecode:: bro
:caption: detect-MHR.bro
function do_mhr_lookup(hash: string, fi: Notice::FileInfo)
{
local hash_domain = fmt("%s.malware.hash.cymru.com", hash);
when ( local MHR_result = lookup_hostname_txt(hash_domain) )
{
# Data is returned as "<dateFirstDetected> <detectionRate>"
local MHR_answer = split_string1(MHR_result, / /);
if ( |MHR_answer| == 2 )
{
local mhr_detect_rate = to_count(MHR_answer[1]);
if ( mhr_detect_rate >= notice_threshold )
{
local mhr_first_detected = double_to_time(to_double(MHR_answer[0]));
local readable_first_detected = strftime("%Y-%m-%d %H:%M:%S", mhr_first_detected);
local message = fmt("Malware Hash Registry Detection rate: %d%% Last seen: %s", mhr_detect_rate, readable_first_detected);
local virustotal_url = fmt(match_sub_url, hash);
# We don't have the full fa_file record here in order to
# avoid the "when" statement cloning it (expensive!).
local n: Notice::Info = Notice::Info($note=Match, $msg=message, $sub=virustotal_url);
Notice::populate_file_info2(fi, n);
NOTICE(n);
}
}
}
}
event file_hash(f: fa_file, kind: string, hash: string)
{
if ( kind == "sha1" && f?$info && f$info?$mime_type &&
match_file_types in f$info$mime_type )
do_mhr_lookup(hash, Notice::create_file_info(f));
The workhorse of the script is contained in the event handler for
``file_hash``. The :bro:see:`file_hash` event allows scripts to access
@ -182,8 +322,34 @@ This effort resulted in built-in-function files organized such that
each entry contains a descriptive event name, the arguments passed to
the event, and a concise explanation of the functions use.
.. btest-include:: ${BRO_SRC_ROOT}/build/scripts/base/bif/plugins/Bro_DNS.events.bif.bro
:lines: 29-54
.. sourcecode:: bro
## Generated for DNS requests. For requests with multiple queries, this event
## is raised once for each.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
## sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
## transport-layer session being analyzed.
##
## msg: The parsed DNS message header.
##
## query: The queried name.
##
## qtype: The queried resource record type.
##
## qclass: The queried resource record class.
##
## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
## dns_rejected non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
## dns_skip_all_addl dns_skip_all_auth dns_skip_auth
event dns_request%(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count%);
Above is a segment of the documentation for the event
:bro:id:`dns_request` (and the preceding link points to the
@ -226,7 +392,10 @@ remove this event from memory, effectively forgetting about it. Let's
take a look at a simple example script, that will output the connection record
for a single connection.
.. btest-include:: ${DOC_ROOT}/scripting/connection_record_01.bro
.. literalinclude:: connection_record_01.bro
:caption:
:language: bro
:linenos:
Again, we start with ``@load``, this time importing the
:doc:`/scripts/base/protocols/conn/index` scripts which supply the tracking
@ -242,9 +411,12 @@ more layers of information about a connection. This will give us a
chance to see the contents of the connection record without it being
overly populated.
.. btest:: connection-record-01
.. sourcecode:: console
@TEST-EXEC: btest-rst-cmd bro -b -r ${TRACES}/http/get.trace ${DOC_ROOT}/scripting/connection_record_01.bro
$ bro -b -r http/get.trace connection_record_01.bro
[id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.211484, service={
}, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, conn=[ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=<uninitialized>, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>], extract_orig=F, extract_resp=F, thresholds=<uninitialized>]
As you can see from the output, the connection record is something of
a jumble when printed on its own. Regularly taking a peek at a
@ -270,11 +442,21 @@ proper format of a dereferenced variable in scripts. In the output of
the script above, groups of information are collected between
brackets, which would correspond to the ``$``-delimiter in a Bro script.
.. btest-include:: ${DOC_ROOT}/scripting/connection_record_02.bro
.. literalinclude:: connection_record_02.bro
:caption:
:language: bro
:linenos:
.. btest:: connection-record-02
.. sourcecode:: console
@TEST-EXEC: btest-rst-cmd bro -b -r ${TRACES}/http/get.trace ${DOC_ROOT}/scripting/connection_record_02.bro
$bro -b -r http/get.trace connection_record_02.bro
[id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.211484, service={
}, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, conn=[ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=<uninitialized>, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>], extract_orig=F, extract_resp=F, thresholds=<uninitialized>, http=[ts=1362692526.939527, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={
}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={
}, current_request=1, current_response=1, trans_depth=1]]
The addition of the ``base/protocols/http`` scripts populates the
``http=[]`` member of the connection record. While Bro is doing a
@ -306,7 +488,10 @@ each of which produce the same result if ``EXPRESSION`` evaluates to the
same type as ``TYPE``. The decision as to which type of declaration to
use is likely to be dictated by personal preference and readability.
.. btest-include:: ${DOC_ROOT}/scripting/data_type_declaration.bro
.. literalinclude:: data_type_declaration.bro
:caption:
:language: bro
:linenos:
Global Variables
~~~~~~~~~~~~~~~~
@ -347,13 +532,19 @@ decrypted from HTTP streams is stored in
:bro:see:`HTTP::default_capture_password` as shown in the stripped down
excerpt from :doc:`/scripts/base/protocols/http/main.bro` below.
.. btest-include:: ${DOC_ROOT}/scripting/http_main.bro
.. literalinclude:: http_main.bro
:caption:
:language: bro
:linenos:
Because the constant was declared with the ``&redef`` attribute, if we
needed to turn this option on globally, we could do so by adding the
following line to our ``site/local.bro`` file before firing up Bro.
.. btest-include:: ${DOC_ROOT}/scripting/data_type_const_simple.bro
.. literalinclude:: data_type_const_simple.bro
:caption:
:language: bro
:linenos:
While the idea of a re-definable constant might be odd, the constraint
that constants can only be altered at parse-time remains even with the
@ -364,11 +555,18 @@ in a :bro:id:`bro_init` event. Were we to try to alter the table in
an event handler, Bro would notify the user of an error and the script
would fail.
.. btest-include:: ${DOC_ROOT}/scripting/data_type_const.bro
.. literalinclude:: data_type_const.bro
:caption:
:language: bro
:linenos:
.. btest:: data_type_const.bro
.. sourcecode:: console
@TEST-EXEC: btest-rst-cmd bro -b ${DOC_ROOT}/scripting/data_type_const.bro
$ bro -b data_type_const.bro
{
[80/tcp] = WWW,
[6666/tcp] = IRC
}
Local Variables
~~~~~~~~~~~~~~~
@ -382,7 +580,10 @@ of a script passes beyond that scope and no longer used, the variable
is deleted. Bro maintains names of locals separately from globally
visible ones, an example of which is illustrated below.
.. btest-include:: ${DOC_ROOT}/scripting/data_type_local.bro
.. literalinclude:: data_type_local.bro
:caption:
:language: bro
:linenos:
The script executes the event handler :bro:id:`bro_init` which in turn calls
the function ``add_two(i: count)`` with an argument of ``10``. Once Bro
@ -455,7 +656,10 @@ for information that is already naturally unique such as ports or IP
addresses. The code snippet below shows both an explicit and implicit
declaration of a locally scoped set.
.. btest-include:: ${DOC_ROOT}/scripting/data_struct_set_declaration.bro
.. literalinclude:: data_struct_set_declaration.bro
:caption:
:language: bro
:linenos:
:lines: 1-4,22
As you can see, sets are declared using the format ``SCOPE var_name:
@ -467,8 +671,12 @@ the ``in`` operator. In the case of iterating over a set, combining the
``for`` statement and the ``in`` operator will allow you to sequentially
process each element of the set as seen below.
.. btest-include:: ${DOC_ROOT}/scripting/data_struct_set_declaration.bro
.. literalinclude:: data_struct_set_declaration.bro
:caption:
:language: bro
:linenos:
:lines: 17-21
:lineno-start: 17
Here, the ``for`` statement loops over the contents of the set storing
each element in the temporary variable ``i``. With each iteration of
@ -487,16 +695,31 @@ negate the in operator itself. While the functionality is the same,
using the ``!in`` is more efficient as well as a more natural construct
which will aid in the readability of your script.
.. btest-include:: ${DOC_ROOT}/scripting/data_struct_set_declaration.bro
.. literalinclude:: data_struct_set_declaration.bro
:caption:
:language: bro
:linenos:
:lines: 13-15
:lineno-start: 13
You can see the full script and its output below.
.. btest-include:: ${DOC_ROOT}/scripting/data_struct_set_declaration.bro
.. literalinclude:: data_struct_set_declaration.bro
:caption:
:language: bro
:linenos:
.. btest:: data_struct_set_declaration
.. sourcecode:: console
@TEST-EXEC: btest-rst-cmd bro ${DOC_ROOT}/scripting/data_struct_set_declaration.bro
$ bro data_struct_set_declaration.bro
SSL Port: 22/tcp
SSL Port: 443/tcp
SSL Port: 587/tcp
SSL Port: 993/tcp
Non-SSL Port: 80/tcp
Non-SSL Port: 25/tcp
Non-SSL Port: 143/tcp
Non-SSL Port: 23/tcp
Tables
~~~~~~
@ -505,11 +728,18 @@ A table in Bro is a mapping of a key to a value or yield. While the
values don't have to be unique, each key in the table must be unique
to preserve a one-to-one mapping of keys to values.
.. btest-include:: ${DOC_ROOT}/scripting/data_struct_table_declaration.bro
.. literalinclude:: data_struct_table_declaration.bro
:caption:
:language: bro
:linenos:
.. btest:: data_struct_table_declaration
.. sourcecode:: console
@TEST-EXEC: btest-rst-cmd bro ${DOC_ROOT}/scripting/data_struct_table_declaration.bro
$ bro data_struct_table_declaration.bro
Service Name: SSH - Common Port: 22/tcp
Service Name: HTTPS - Common Port: 443/tcp
Service Name: SMTPS - Common Port: 587/tcp
Service Name: IMAPS - Common Port: 993/tcp
In this example,
we've compiled a table of SSL-enabled services and their common
@ -534,11 +764,18 @@ Bro implies a cost in complexity for the person writing the scripts
but pays off in effectiveness given the power of Bro as a network
security platform.
.. btest-include:: ${DOC_ROOT}/scripting/data_struct_table_complex.bro
.. literalinclude:: data_struct_table_complex.bro
:caption:
:language: bro
:linenos:
.. btest:: data_struct_table_complex
.. sourcecode:: console
@TEST-EXEC: btest-rst-cmd bro -b ${DOC_ROOT}/scripting/data_struct_table_complex.bro
$ bro -b data_struct_table_complex.bro
Harakiri was released in 1962 by Shochiku Eiga studios, directed by Masaki Kobayashi and starring Tatsuya Nakadai
Goyokin was released in 1969 by Fuji studios, directed by Hideo Gosha and starring Tatsuya Nakadai
Tasogare Seibei was released in 2002 by Eisei Gekijo studios, directed by Yoji Yamada and starring Hiroyuki Sanada
Kiru was released in 1968 by Toho studios, directed by Kihachi Okamoto and starring Tatsuya Nakadai
This script shows a sample table of strings indexed by two
strings, a count, and a final string. With a tuple acting as an
@ -580,11 +817,18 @@ the vector name between two vertical pipes to get the vector's current
length before printing the contents of both Vectors and their current
lengths.
.. btest-include:: ${DOC_ROOT}/scripting/data_struct_vector_declaration.bro
.. literalinclude:: data_struct_vector_declaration.bro
:caption:
:language: bro
:linenos:
.. btest:: data_struct_vector_declaration
.. sourcecode:: console
@TEST-EXEC: btest-rst-cmd bro ${DOC_ROOT}/scripting/data_struct_vector_declaration.bro
$ bro data_struct_vector_declaration.bro
contents of v1: [1, 2, 3, 4]
length of v1: 4
contents of v2: [1, 2, 3, 4]
length of v2: 4
In a lot of cases, storing elements in a vector is simply a precursor
to then iterating over them. Iterating over a vector is easy with the
@ -595,12 +839,17 @@ called ``i`` which will hold the index of the current element in the
vector. Using ``i`` as an index to addr_vector we can access the
current item in the vector with ``addr_vector[i]``.
.. btest-include:: ${DOC_ROOT}/scripting/data_struct_vector_iter.bro
.. literalinclude:: data_struct_vector_iter.bro
:caption:
:language: bro
:linenos:
.. btest:: data_struct_vector_iter
@TEST-EXEC: btest-rst-cmd bro -b ${DOC_ROOT}/scripting/data_struct_vector_iter.bro
.. sourcecode:: console
$ bro -b data_struct_vector_iter.bro
1.2.0.0/18
2.3.0.0/18
3.4.0.0/18
Data Types Revisited
--------------------
@ -653,7 +902,10 @@ your scripts. The following example below uses a Bro script to
determine if a series of IP addresses are within a set of subnets
using a 20 bit subnet mask.
.. btest-include:: ${DOC_ROOT}/scripting/data_type_subnets.bro
.. literalinclude:: data_type_subnets.bro
:caption:
:language: bro
:linenos:
Because this is a script that doesn't use any kind of network
analysis, we can handle the event :bro:id:`bro_init` which is always
@ -669,9 +921,13 @@ For example, ``10.0.0.1 in 10.0.0.0/8`` would return true while
script, we get the output listing the IP address and the subnet in
which it belongs.
.. btest:: data_type_subnets
.. sourcecode:: console
@TEST-EXEC: btest-rst-cmd bro ${DOC_ROOT}/scripting/data_type_subnets.bro
$ bro data_type_subnets.bro
172.16.4.56 belongs to subnet 172.16.0.0/20
172.16.47.254 belongs to subnet 172.16.32.0/20
172.16.22.45 belongs to subnet 172.16.16.0/20
172.16.1.1 belongs to subnet 172.16.0.0/20
time
~~~~
@ -693,14 +949,26 @@ timestamp and an indication of who the originator and responder were.
We use the ``strftime`` format string of ``%Y%M%d %H:%m:%S`` to
produce a common date time formatted time stamp.
.. btest-include:: ${DOC_ROOT}/scripting/data_type_time.bro
.. literalinclude:: data_type_time.bro
:caption:
:language: bro
:linenos:
When the script is executed we get an output showing the details of
established connections.
.. btest:: data_type_time
.. sourcecode:: console
@TEST-EXEC: btest-rst-cmd bro -r ${TRACES}/wikipedia.trace ${DOC_ROOT}/scripting/data_type_time.bro
$ bro -r wikipedia.trace data_type_time.bro
2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.118\x0a
2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.3\x0a
2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.3\x0a
2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.3\x0a
2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.3\x0a
2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.3\x0a
2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.3\x0a
2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.2\x0a
2011/06/18 19:03:09: New connection established from 141.142.220.235 to 173.192.163.128\x0a
interval
~~~~~~~~
@ -730,15 +998,35 @@ operator. The script below amends the script started in the section
above to include a time delta value printed along with the connection
establishment report.
.. btest-include:: ${DOC_ROOT}/scripting/data_type_interval.bro
.. literalinclude:: data_type_interval.bro
:caption:
:language: bro
:linenos:
This time, when we execute the script we see an additional line in the
output to display the time delta since the last fully established
connection.
.. btest:: data_type_interval
.. sourcecode:: console
@TEST-EXEC: btest-rst-cmd bro -r ${TRACES}/wikipedia.trace ${DOC_ROOT}/scripting/data_type_interval.bro
$ bro -r wikipedia.trace data_type_interval.bro
2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.118
2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.3
Time since last connection: 132.0 msecs 97.0 usecs
2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.3
Time since last connection: 177.0 usecs
2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.3
Time since last connection: 2.0 msecs 177.0 usecs
2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.3
Time since last connection: 33.0 msecs 898.0 usecs
2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.3
Time since last connection: 35.0 usecs
2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.3
Time since last connection: 2.0 msecs 532.0 usecs
2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.2
Time since last connection: 7.0 msecs 866.0 usecs
2011/06/18 19:03:09: New connection established from 141.142.220.235 to 173.192.163.128
Time since last connection: 817.0 msecs 703.0 usecs
Pattern
@ -755,7 +1043,10 @@ adheres to a strict format, requiring the regular expression or
pattern constant to be on the left side of the ``in`` operator and the
string against which it will be tested to be on the right.
.. btest-include:: ${DOC_ROOT}/scripting/data_type_pattern_01.bro
.. literalinclude:: data_type_pattern_01.bro
:caption:
:language: bro
:linenos:
In the sample above, two local variables are declared to hold our
sample sentence and regular expression. Our regular expression in
@ -771,9 +1062,12 @@ excluding the actual matches. In this case, our pattern matches
twice, and results in a table with three entries. The ``print`` statements
in the script will print the contents of the table in order.
.. btest:: data_type_pattern
.. sourcecode:: console
@TEST-EXEC: btest-rst-cmd bro ${DOC_ROOT}/scripting/data_type_pattern_01.bro
$ bro data_type_pattern_01.bro
The
brown fox jumps over the
dog.
Patterns can also be used to compare strings using equality and
inequality operators through the ``==`` and ``!=`` operators
@ -783,13 +1077,13 @@ ternary conditional statements to illustrate the use of the ``==``
operator with patterns. The output is altered based
on the result of the comparison between the pattern and the string.
.. btest-include:: ${DOC_ROOT}/scripting/data_type_pattern_02.bro
.. btest:: data_type_pattern_02
@TEST-EXEC: btest-rst-cmd bro ${DOC_ROOT}/scripting/data_type_pattern_02.bro
.. literalinclude:: data_type_pattern_02.bro
.. sourcecode:: console
$ bro data_type_pattern_02.bro
equality and /^?(equal)$?/ are not equal
equality and /^?(equality)$?/ are equal
Record Data Type
----------------
@ -809,7 +1103,10 @@ example of the ``record`` data type in the earlier sections, the
:bro:type:`Conn::Info`, which corresponds to the fields logged into
``conn.log``, is shown by the excerpt below.
.. btest-include:: ${DOC_ROOT}/scripting/data_type_record.bro
.. literalinclude:: data_type_record.bro
:caption:
:language: bro
:linenos:
Looking at the structure of the definition, a new collection of data
types is being defined as a type called ``Info``. Since this type
@ -822,11 +1119,20 @@ that make up the record. The individual fields that make up the new
record are not limited in type or number as long as the name for each
field is unique.
.. btest-include:: ${DOC_ROOT}/scripting/data_struct_record_01.bro
.. literalinclude:: data_struct_record_01.bro
:caption:
:language: bro
:linenos:
.. btest:: data_struct_record_01
.. sourcecode:: console
@TEST-EXEC: btest-rst-cmd bro ${DOC_ROOT}/scripting/data_struct_record_01.bro
$ bro data_struct_record_01.bro
Service: dns(RFC1035)
port: 53/udp
port: 53/tcp
Service: http(RFC2616)
port: 8080/tcp
port: 80/tcp
The sample above shows a simple type definition that includes a
string, a set of ports, and a count to define a service type. Also
@ -843,11 +1149,18 @@ records are even valid as fields within another record. We can extend
the example above to include another record that contains a Service
record.
.. btest-include:: ${DOC_ROOT}/scripting/data_struct_record_02.bro
.. literalinclude:: data_struct_record_02.bro
.. btest:: data_struct_record_02
.. sourcecode:: console
@TEST-EXEC: btest-rst-cmd bro ${DOC_ROOT}/scripting/data_struct_record_02.bro
$ bro data_struct_record_02.bro
System: morlock
Service: http(RFC2616)
port: 8080/tcp
port: 80/tcp
Service: dns(RFC1035)
port: 53/udp
port: 53/tcp
The example above includes a second record type in which a field is
used as the data type for a set. Records can be repeatedly nested
@ -858,8 +1171,12 @@ It's also common to see a ``type`` used to simply alias a data
structure to a more descriptive name. The example below shows an
example of this from Bro's own type definitions file.
.. btest-include:: ${BRO_SRC_ROOT}/scripts/base/init-bare.bro
:lines: 12,19,26
.. sourcecode:: bro
:caption: init-bare.bro
type string_array: table[count] of string;
type string_set: set[string];
type addr_set: set[addr];
The three lines above alias a type of data structure to a descriptive
name. Functionally, the operations are the same, however, each of the
@ -916,11 +1233,24 @@ It's always best to work through the problem once, simulating the
desired output with ``print`` and ``fmt`` before attempting to dive
into the Logging Framework.
.. btest-include:: ${DOC_ROOT}/scripting/framework_logging_factorial_01.bro
.. literalinclude:: framework_logging_factorial_01.bro
:caption:
:language: bro
:linenos:
.. btest:: framework_logging_factorial
.. sourcecode:: console
@TEST-EXEC: btest-rst-cmd bro ${DOC_ROOT}/scripting/framework_logging_factorial_01.bro
$ bro framework_logging_factorial_01.bro
1
2
6
24
120
720
5040
40320
362880
3628800
This script defines a factorial function to recursively calculate the
factorial of a unsigned integer passed as an argument to the function. Using
@ -930,7 +1260,10 @@ calculations correctly as well get an idea of the answers ourselves.
The output of the script aligns with what we expect so now it's time
to integrate the Logging Framework.
.. btest-include:: ${DOC_ROOT}/scripting/framework_logging_factorial_02.bro
.. literalinclude:: framework_logging_factorial_02.bro
:caption:
:language: bro
:linenos:
As mentioned above we have to perform a few steps before we can
issue the :bro:id:`Log::write` method and produce a logfile.
@ -962,10 +1295,29 @@ Now, if we run this script, instead of generating
logging information to stdout, no output is created. Instead the
output is all in ``factor.log``, properly formatted and organized.
.. btest:: framework_logging_factorial-2
.. sourcecode:: console
@TEST-EXEC: btest-rst-cmd bro ${DOC_ROOT}/scripting/framework_logging_factorial_02.bro
@TEST-EXEC: btest-rst-include factor.log
$ bro framework_logging_factorial_02.bro
$ cat factor.log
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path factor
#open 2018-12-14-21-47-18
#fields num factorial_num
#types count count
1 1
2 2
3 6
4 24
5 120
6 720
7 5040
8 40320
9 362880
10 3628800
#close 2018-12-14-21-47-18
While the previous example is a simplistic one, it serves to
demonstrate the small pieces of script code hat need to be in place in
@ -993,7 +1345,10 @@ example we've been using, let's extend it so as to write any factorial
which is a factor of 5 to an alternate file, while writing the
remaining logs to factor.log.
.. btest-include:: ${DOC_ROOT}/scripting/framework_logging_factorial_03.bro
.. literalinclude:: framework_logging_factorial_03.bro
:caption:
:language: bro
:linenos:
To dynamically alter the file in which a stream writes its logs, a
filter can specify a function that returns a string to be used as the
@ -1014,10 +1369,25 @@ factorials that are a factors of 5, ``factor-non5.log`` with the
factorials that are not factors of 5, and ``factor.log`` which would have
included all factorials.
.. btest:: framework_logging_factorial-3
.. sourcecode:: console
@TEST-EXEC: btest-rst-cmd bro ${DOC_ROOT}/scripting/framework_logging_factorial_03.bro
@TEST-EXEC: btest-rst-include factor-mod5.log
$ bro framework_logging_factorial_03.bro
$ cat factor-mod5.log
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path factor-mod5
#open 2018-12-14-21-47-18
#fields num factorial_num
#types count count
5 120
6 720
7 5040
8 40320
9 362880
10 3628800
#close 2018-12-14-21-47-1
The ability of Bro to generate easily customizable and extensible logs
which remain easily parsable is a big part of the reason Bro has
@ -1047,7 +1417,10 @@ block and define the value to be passed to it, in this case the
``Factor::Info`` record. We then list the ``log_factor`` function as
the ``$ev`` field in the call to ``Log::create_stream``
.. btest-include:: ${DOC_ROOT}/scripting/framework_logging_factorial_04.bro
.. literalinclude:: framework_logging_factorial_04.bro
:caption:
:language: bro
:linenos:
Raising Notices
@ -1098,8 +1471,60 @@ or not that notice is acted upon is decided by the local Notice
Policy, but the script attempts to supply as much information as
possible while staying concise.
.. btest-include:: ${BRO_SRC_ROOT}/scripts/policy/protocols/ssh/interesting-hostnames.bro
:lines: 1-52
.. sourcecode:: bro
:caption: scripts/policy/protocols/ssh/interesting-hostnames.bro
##! This script will generate a notice if an apparent SSH login originates
##! or heads to a host with a reverse hostname that looks suspicious. By
##! default, the regular expression to match "interesting" hostnames includes
##! names that are typically used for infrastructure hosts like nameservers,
##! mail servers, web servers and ftp servers.
@load base/frameworks/notice
module SSH;
export {
redef enum Notice::Type += {
## Generated if a login originates or responds with a host where
## the reverse hostname lookup resolves to a name matched by the
## :bro:id:`SSH::interesting_hostnames` regular expression.
Interesting_Hostname_Login,
};
## Strange/bad host names to see successful SSH logins from or to.
option interesting_hostnames =
/^d?ns[0-9]*\./ |
/^smtp[0-9]*\./ |
/^mail[0-9]*\./ |
/^pop[0-9]*\./ |
/^imap[0-9]*\./ |
/^www[0-9]*\./ |
/^ftp[0-9]*\./;
}
function check_ssh_hostname(id: conn_id, uid: string, host: addr)
{
when ( local hostname = lookup_addr(host) )
{
if ( interesting_hostnames in hostname )
{
NOTICE([$note=Interesting_Hostname_Login,
$msg=fmt("Possible SSH login involving a %s %s with an interesting hostname.",
Site::is_local_addr(host) ? "local" : "remote",
host == id$orig_h ? "client" : "server"),
$sub=hostname, $id=id, $uid=uid]);
}
}
}
event ssh_auth_successful(c: connection, auth_method_none: bool)
{
for ( host in set(c$id$orig_h, c$id$resp_h) )
{
check_ssh_hostname(c$id, c$uid, host);
}
}
While much of the script relates to the actual detection, the parts
specific to the Notice Framework are actually quite interesting in
@ -1137,7 +1562,10 @@ action based on the answer. The hook below adds the
``SSH::Interesting_Hostname_Login`` notice raised in the
:doc:`/scripts/policy/protocols/ssh/interesting-hostnames.bro` script.
.. btest-include:: ${DOC_ROOT}/scripting/framework_notice_hook_01.bro
.. literalinclude:: framework_notice_hook_01.bro
:caption:
:language: bro
:linenos:
In the example above we've added ``Notice::ACTION_EMAIL`` to the
``n$actions`` set. This set, defined in the Notice Framework scripts,
@ -1174,8 +1602,14 @@ identifier. An identifier is a unique string of information collected
from the connection relative to the behavior that has been observed by
Bro.
.. btest-include:: ${BRO_SRC_ROOT}/scripts/policy/protocols/ssl/expiring-certs.bro
:lines: 64-68
.. sourcecode:: bro
:caption: scripts/policy/protocols/ssl/expiring-certs.bro
NOTICE([$note=Certificate_Expires_Soon,
$msg=fmt("Certificate %s is going to expire at %T", cert$subject, cert$not_valid_after),
$conn=c, $suppress_for=1day,
$identifier=cat(c$id$resp_h, c$id$resp_p, hash),
$fuid=fuid]);
In the :doc:`/scripts/policy/protocols/ssl/expiring-certs.bro` script
which identifies when SSL certificates are set to expire and raises
@ -1206,7 +1640,10 @@ environment in which it is be run. Using the example of
``SSL::Certificate_Expires_Soon`` to configure the ``$suppress_for``
variable to a shorter time.
.. btest-include:: ${DOC_ROOT}/scripting/framework_notice_hook_suppression_01.bro
.. literalinclude:: framework_notice_hook_suppression_01.bro
:caption:
:language: bro
:linenos:
While ``Notice::policy`` hooks allow you to build custom
predicate-based policies for a deployment, there are bound to be times
@ -1253,11 +1690,17 @@ suppression from a notice while ``Notice::type_suppression_intervals``
can be used to alter the suppression interval defined by $suppress_for
in the call to ``NOTICE``.
.. btest-include:: ${DOC_ROOT}/scripting/framework_notice_shortcuts_01.bro
.. literalinclude:: framework_notice_shortcuts_01.bro
:caption:
:language: bro
:linenos:
The Notice Policy shortcut above adds the ``Notice::Type`` of
``SSH::Interesting_Hostname_Login`` to the
``Notice::emailed_types`` set while the shortcut below alters the length
of time for which those notices will be suppressed.
.. btest-include:: ${DOC_ROOT}/scripting/framework_notice_shortcuts_02.bro
.. literalinclude:: framework_notice_shortcuts_02.bro
:caption:
:language: bro
:linenos:


@ -0,0 +1,14 @@
:tocdepth: 3
base/bif/__load__.bro
=====================
:Imports: :doc:`base/bif/analyzer.bif.bro </scripts/base/bif/analyzer.bif.bro>`, :doc:`base/bif/bloom-filter.bif.bro </scripts/base/bif/bloom-filter.bif.bro>`, :doc:`base/bif/bro.bif.bro </scripts/base/bif/bro.bif.bro>`, :doc:`base/bif/broxygen.bif.bro </scripts/base/bif/broxygen.bif.bro>`, :doc:`base/bif/cardinality-counter.bif.bro </scripts/base/bif/cardinality-counter.bif.bro>`, :doc:`base/bif/comm.bif.bro </scripts/base/bif/comm.bif.bro>`, :doc:`base/bif/const.bif.bro </scripts/base/bif/const.bif.bro>`, :doc:`base/bif/data.bif.bro </scripts/base/bif/data.bif.bro>`, :doc:`base/bif/event.bif.bro </scripts/base/bif/event.bif.bro>`, :doc:`base/bif/file_analysis.bif.bro </scripts/base/bif/file_analysis.bif.bro>`, :doc:`base/bif/input.bif.bro </scripts/base/bif/input.bif.bro>`, :doc:`base/bif/logging.bif.bro </scripts/base/bif/logging.bif.bro>`, :doc:`base/bif/messaging.bif.bro </scripts/base/bif/messaging.bif.bro>`, :doc:`base/bif/option.bif.bro </scripts/base/bif/option.bif.bro>`, :doc:`base/bif/pcap.bif.bro </scripts/base/bif/pcap.bif.bro>`, :doc:`base/bif/reporter.bif.bro </scripts/base/bif/reporter.bif.bro>`, :doc:`base/bif/stats.bif.bro </scripts/base/bif/stats.bif.bro>`, :doc:`base/bif/store.bif.bro </scripts/base/bif/store.bif.bro>`, :doc:`base/bif/strings.bif.bro </scripts/base/bif/strings.bif.bro>`, :doc:`base/bif/top-k.bif.bro </scripts/base/bif/top-k.bif.bro>`, :doc:`base/bif/types.bif.bro </scripts/base/bif/types.bif.bro>`
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~


@ -0,0 +1,66 @@
:tocdepth: 3
base/bif/analyzer.bif.bro
=========================
.. bro:namespace:: Analyzer
.. bro:namespace:: GLOBAL
Internal functions and types used by the analyzer framework.
:Namespaces: Analyzer, GLOBAL
Summary
~~~~~~~
Functions
#########
================================================================= =
:bro:id:`Analyzer::__disable_all_analyzers`: :bro:type:`function`
:bro:id:`Analyzer::__disable_analyzer`: :bro:type:`function`
:bro:id:`Analyzer::__enable_analyzer`: :bro:type:`function`
:bro:id:`Analyzer::__name`: :bro:type:`function`
:bro:id:`Analyzer::__register_for_port`: :bro:type:`function`
:bro:id:`Analyzer::__schedule_analyzer`: :bro:type:`function`
:bro:id:`Analyzer::__tag`: :bro:type:`function`
================================================================= =
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. bro:id:: Analyzer::__disable_all_analyzers
:Type: :bro:type:`function` () : :bro:type:`any`
.. bro:id:: Analyzer::__disable_analyzer
:Type: :bro:type:`function` (id: :bro:type:`Analyzer::Tag`) : :bro:type:`bool`
.. bro:id:: Analyzer::__enable_analyzer
:Type: :bro:type:`function` (id: :bro:type:`Analyzer::Tag`) : :bro:type:`bool`
.. bro:id:: Analyzer::__name
:Type: :bro:type:`function` (atype: :bro:type:`Analyzer::Tag`) : :bro:type:`string`
.. bro:id:: Analyzer::__register_for_port
:Type: :bro:type:`function` (id: :bro:type:`Analyzer::Tag`, p: :bro:type:`port`) : :bro:type:`bool`
.. bro:id:: Analyzer::__schedule_analyzer
:Type: :bro:type:`function` (orig: :bro:type:`addr`, resp: :bro:type:`addr`, resp_p: :bro:type:`port`, analyzer: :bro:type:`Analyzer::Tag`, tout: :bro:type:`interval`) : :bro:type:`bool`
.. bro:id:: Analyzer::__tag
:Type: :bro:type:`function` (name: :bro:type:`string`) : :bro:type:`Analyzer::Tag`


@ -0,0 +1,205 @@
:tocdepth: 3
base/bif/bloom-filter.bif.bro
=============================
.. bro:namespace:: GLOBAL
Functions to create and manipulate Bloom filters.
:Namespace: GLOBAL
Summary
~~~~~~~
Functions
#########
========================================================== ===================================================================
:bro:id:`bloomfilter_add`: :bro:type:`function` Adds an element to a Bloom filter.
:bro:id:`bloomfilter_basic_init`: :bro:type:`function` Creates a basic Bloom filter.
:bro:id:`bloomfilter_basic_init2`: :bro:type:`function` Creates a basic Bloom filter.
:bro:id:`bloomfilter_clear`: :bro:type:`function` Removes all elements from a Bloom filter.
:bro:id:`bloomfilter_counting_init`: :bro:type:`function` Creates a counting Bloom filter.
:bro:id:`bloomfilter_internal_state`: :bro:type:`function` Returns a string with a representation of a Bloom filter's internal
state.
:bro:id:`bloomfilter_lookup`: :bro:type:`function` Retrieves the counter for a given element in a Bloom filter.
:bro:id:`bloomfilter_merge`: :bro:type:`function` Merges two Bloom filters.
========================================================== ===================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. bro:id:: bloomfilter_add
:Type: :bro:type:`function` (bf: :bro:type:`opaque` of bloomfilter, x: :bro:type:`any`) : :bro:type:`any`
Adds an element to a Bloom filter.
:bf: The Bloom filter handle.
:x: The element to add.
.. bro:see:: bloomfilter_basic_init bloomfilter_basic_init2
bloomfilter_counting_init bloomfilter_lookup bloomfilter_clear
bloomfilter_merge
.. bro:id:: bloomfilter_basic_init
:Type: :bro:type:`function` (fp: :bro:type:`double`, capacity: :bro:type:`count`, name: :bro:type:`string` :bro:attr:`&default` = ``""`` :bro:attr:`&optional`) : :bro:type:`opaque` of bloomfilter
Creates a basic Bloom filter.
:fp: The desired false-positive rate.
:capacity: the maximum number of elements that guarantees a false-positive
rate of *fp*.
:name: A name that uniquely identifies and seeds the Bloom filter. If empty,
the filter will use :bro:id:`global_hash_seed` if that's set, and
otherwise use a local seed tied to the current Bro process. Only
filters with the same seed can be merged with
:bro:id:`bloomfilter_merge`.
:returns: A Bloom filter handle.
.. bro:see:: bloomfilter_basic_init2 bloomfilter_counting_init bloomfilter_add
bloomfilter_lookup bloomfilter_clear bloomfilter_merge global_hash_seed
.. bro:id:: bloomfilter_basic_init2
:Type: :bro:type:`function` (k: :bro:type:`count`, cells: :bro:type:`count`, name: :bro:type:`string` :bro:attr:`&default` = ``""`` :bro:attr:`&optional`) : :bro:type:`opaque` of bloomfilter
Creates a basic Bloom filter. This function serves as a low-level
alternative to :bro:id:`bloomfilter_basic_init` where the user has full
control over the number of hash functions and cells in the underlying bit
vector.
:k: The number of hash functions to use.
:cells: The number of cells of the underlying bit vector.
:name: A name that uniquely identifies and seeds the Bloom filter. If empty,
the filter will use :bro:id:`global_hash_seed` if that's set, and
otherwise use a local seed tied to the current Bro process. Only
filters with the same seed can be merged with
:bro:id:`bloomfilter_merge`.
:returns: A Bloom filter handle.
.. bro:see:: bloomfilter_basic_init bloomfilter_counting_init bloomfilter_add
bloomfilter_lookup bloomfilter_clear bloomfilter_merge global_hash_seed
.. bro:id:: bloomfilter_clear
:Type: :bro:type:`function` (bf: :bro:type:`opaque` of bloomfilter) : :bro:type:`any`
Removes all elements from a Bloom filter. This function resets all bits in
the underlying bitvector back to 0 but does not change the parameterization
of the Bloom filter, such as the element type and the hasher seed.
:bf: The Bloom filter handle.
.. bro:see:: bloomfilter_basic_init bloomfilter_basic_init2
bloomfilter_counting_init bloomfilter_add bloomfilter_lookup
bloomfilter_merge
.. bro:id:: bloomfilter_counting_init
:Type: :bro:type:`function` (k: :bro:type:`count`, cells: :bro:type:`count`, max: :bro:type:`count`, name: :bro:type:`string` :bro:attr:`&default` = ``""`` :bro:attr:`&optional`) : :bro:type:`opaque` of bloomfilter
Creates a counting Bloom filter.
:k: The number of hash functions to use.
:cells: The number of cells of the underlying counter vector. As there's
no single answer to what's the best parameterization for a
counting Bloom filter, we refer to the Bloom filter literature
here for choosing an appropiate value.
:max: The maximum counter value associated with each element
described by *w = ceil(log_2(max))* bits. Each bit in the underlying
counter vector becomes a cell of size *w* bits.
:name: A name that uniquely identifies and seeds the Bloom filter. If empty,
the filter will use :bro:id:`global_hash_seed` if that's set, and
otherwise use a local seed tied to the current Bro process. Only
filters with the same seed can be merged with
:bro:id:`bloomfilter_merge`.
:returns: A Bloom filter handle.
.. bro:see:: bloomfilter_basic_init bloomfilter_basic_init2 bloomfilter_add
bloomfilter_lookup bloomfilter_clear bloomfilter_merge global_hash_seed
.. bro:id:: bloomfilter_internal_state
:Type: :bro:type:`function` (bf: :bro:type:`opaque` of bloomfilter) : :bro:type:`string`
Returns a string with a representation of a Bloom filter's internal
state. This is for debugging/testing purposes only.
:bf: The Bloom filter handle.
:returns: a string with a representation of a Bloom filter's internal state.
.. bro:id:: bloomfilter_lookup
:Type: :bro:type:`function` (bf: :bro:type:`opaque` of bloomfilter, x: :bro:type:`any`) : :bro:type:`count`
Retrieves the counter for a given element in a Bloom filter.
:bf: The Bloom filter handle.
:x: The element to count.
:returns: the counter associated with *x* in *bf*.
.. bro:see:: bloomfilter_basic_init bloomfilter_basic_init2
bloomfilter_counting_init bloomfilter_add bloomfilter_clear
bloomfilter_merge
.. bro:id:: bloomfilter_merge
:Type: :bro:type:`function` (bf1: :bro:type:`opaque` of bloomfilter, bf2: :bro:type:`opaque` of bloomfilter) : :bro:type:`opaque` of bloomfilter
Merges two Bloom filters.
.. note:: Currently Bloom filters created by different Bro instances cannot
be merged. In the future, this will be supported as long as both filters
are created with the same name.
:bf1: The first Bloom filter handle.
:bf2: The second Bloom filter handle.
:returns: The union of *bf1* and *bf2*.
.. bro:see:: bloomfilter_basic_init bloomfilter_basic_init2
bloomfilter_counting_init bloomfilter_add bloomfilter_lookup
bloomfilter_clear



@ -0,0 +1,88 @@
:tocdepth: 3
base/bif/broxygen.bif.bro
=========================
.. bro:namespace:: GLOBAL
Functions for querying script, package, or variable documentation.
:Namespace: GLOBAL
Summary
~~~~~~~
Functions
#########
========================================================= =============================================================================
:bro:id:`get_identifier_comments`: :bro:type:`function` Retrieve the Broxygen-style comments (``##``) associated with an identifier
(e.g.
:bro:id:`get_package_readme`: :bro:type:`function` Retrieve the contents of a Bro script package's README file.
:bro:id:`get_record_field_comments`: :bro:type:`function` Retrieve the Broxygen-style comments (``##``) associated with a record field.
:bro:id:`get_script_comments`: :bro:type:`function` Retrieve the Broxygen-style summary comments (``##!``) associated with
a Bro script.
========================================================= =============================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. bro:id:: get_identifier_comments
:Type: :bro:type:`function` (name: :bro:type:`string`) : :bro:type:`string`
Retrieve the Broxygen-style comments (``##``) associated with an identifier
(e.g. a variable or type).
:name: a script-level identifier for which to retrieve comments.
:returns: comments associated with *name*. If *name* is not a known
identifier, an empty string is returned.
.. bro:id:: get_package_readme
:Type: :bro:type:`function` (name: :bro:type:`string`) : :bro:type:`string`
Retrieve the contents of a Bro script package's README file.
:name: the name of a Bro script package. It must be a relative path
to where it is located within a particular component of BROPATH.
:returns: contents of the package's README file. If *name* is not a known
package, an empty string is returned.
.. bro:id:: get_record_field_comments
:Type: :bro:type:`function` (name: :bro:type:`string`) : :bro:type:`string`
Retrieve the Broxygen-style comments (``##``) associated with a record field.
:name: the name of a record type and a field within it formatted like
a typical record field access: "<record_type>$<field>".
:returns: comments associated with the record field. If *name* does
not point to a known record type or a known field within a record
type, an empty string is returned.
.. bro:id:: get_script_comments
:Type: :bro:type:`function` (name: :bro:type:`string`) : :bro:type:`string`
Retrieve the Broxygen-style summary comments (``##!``) associated with
a Bro script.
:name: the name of a Bro script. It must be a relative path to where
it is located within a particular component of BROPATH and use
the same file name extension/suffix as the actual file (e.g. ".bro").
:returns: summary comments associated with script with *name*. If
*name* is not a known script, an empty string is returned.


@ -0,0 +1,117 @@
:tocdepth: 3
base/bif/cardinality-counter.bif.bro
====================================
.. bro:namespace:: GLOBAL
Functions to create and manipulate probabilistic cardinality counters.
:Namespace: GLOBAL
Summary
~~~~~~~
Functions
#########
========================================================== =========================================================================
:bro:id:`hll_cardinality_add`: :bro:type:`function` Adds an element to a HyperLogLog cardinality counter.
:bro:id:`hll_cardinality_copy`: :bro:type:`function` Copy a HLL cardinality counter.
:bro:id:`hll_cardinality_estimate`: :bro:type:`function` Estimate the current cardinality of an HLL cardinality counter.
:bro:id:`hll_cardinality_init`: :bro:type:`function` Initializes a probabilistic cardinality counter that uses the HyperLogLog
algorithm.
:bro:id:`hll_cardinality_merge_into`: :bro:type:`function` Merges a HLL cardinality counter into another.
========================================================== =========================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. bro:id:: hll_cardinality_add
:Type: :bro:type:`function` (handle: :bro:type:`opaque` of cardinality, elem: :bro:type:`any`) : :bro:type:`bool`
Adds an element to a HyperLogLog cardinality counter.
:handle: the HLL handle.
:elem: the element to add.
:returns: true on success.
.. bro:see:: hll_cardinality_estimate hll_cardinality_merge_into
hll_cardinality_init hll_cardinality_copy
.. bro:id:: hll_cardinality_copy
:Type: :bro:type:`function` (handle: :bro:type:`opaque` of cardinality) : :bro:type:`opaque` of cardinality
Copy a HLL cardinality counter.
:handle: cardinality counter to copy.
:returns: copy of handle.
.. bro:see:: hll_cardinality_estimate hll_cardinality_merge_into hll_cardinality_add
hll_cardinality_init
.. bro:id:: hll_cardinality_estimate
:Type: :bro:type:`function` (handle: :bro:type:`opaque` of cardinality) : :bro:type:`double`
Estimate the current cardinality of an HLL cardinality counter.
:handle: the HLL handle.
:returns: the cardinality estimate. Returns -1.0 if the counter is empty.
.. bro:see:: hll_cardinality_merge_into hll_cardinality_add
hll_cardinality_init hll_cardinality_copy
.. bro:id:: hll_cardinality_init
:Type: :bro:type:`function` (err: :bro:type:`double`, confidence: :bro:type:`double`) : :bro:type:`opaque` of cardinality
Initializes a probabilistic cardinality counter that uses the HyperLogLog
algorithm.
:err: the desired error rate (e.g. 0.01).
:confidence: the desired confidence for the error rate (e.g., 0.95).
:returns: a HLL cardinality handle.
.. bro:see:: hll_cardinality_estimate hll_cardinality_merge_into hll_cardinality_add
hll_cardinality_copy
.. bro:id:: hll_cardinality_merge_into
:Type: :bro:type:`function` (handle1: :bro:type:`opaque` of cardinality, handle2: :bro:type:`opaque` of cardinality) : :bro:type:`bool`
Merges a HLL cardinality counter into another.
.. note:: The same restrictions as for Bloom filter merging apply,
see :bro:id:`bloomfilter_merge`.
:handle1: the first HLL handle, which will contain the merged result.
:handle2: the second HLL handle, which will be merged into the first.
:returns: true on success.
.. bro:see:: hll_cardinality_estimate hll_cardinality_add
hll_cardinality_init hll_cardinality_copy


@ -0,0 +1,96 @@
:tocdepth: 3
base/bif/comm.bif.bro
=====================
.. bro:namespace:: Broker
.. bro:namespace:: GLOBAL
Functions and events regarding Bro's broker communication mechanisms.
:Namespaces: Broker, GLOBAL
Summary
~~~~~~~
Events
######
================================================= ==========================================================
:bro:id:`Broker::error`: :bro:type:`event` Generated when an error occurs in the Broker sub-system.
:bro:id:`Broker::peer_added`: :bro:type:`event` Generated when a new peering has been established.
:bro:id:`Broker::peer_lost`: :bro:type:`event` Generated when an existing peering has been lost.
:bro:id:`Broker::peer_removed`: :bro:type:`event` Generated when an existing peer has been removed.
:bro:id:`Broker::status`: :bro:type:`event` Generated when something changes in the Broker sub-system.
================================================= ==========================================================
Functions
#########
================================================= =
:bro:id:`Broker::__listen`: :bro:type:`function`
:bro:id:`Broker::__node_id`: :bro:type:`function`
:bro:id:`Broker::__peer`: :bro:type:`function`
:bro:id:`Broker::__peers`: :bro:type:`function`
:bro:id:`Broker::__unpeer`: :bro:type:`function`
================================================= =
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. bro:id:: Broker::error
:Type: :bro:type:`event` (code: :bro:type:`Broker::ErrorCode`, msg: :bro:type:`string`)
Generated when an error occurs in the Broker sub-system.
.. bro:id:: Broker::peer_added
:Type: :bro:type:`event` (endpoint: :bro:type:`Broker::EndpointInfo`, msg: :bro:type:`string`)
Generated when a new peering has been established.
.. bro:id:: Broker::peer_lost
:Type: :bro:type:`event` (endpoint: :bro:type:`Broker::EndpointInfo`, msg: :bro:type:`string`)
Generated when an existing peering has been lost.
.. bro:id:: Broker::peer_removed
:Type: :bro:type:`event` (endpoint: :bro:type:`Broker::EndpointInfo`, msg: :bro:type:`string`)
Generated when an existing peer has been removed.
.. bro:id:: Broker::status
:Type: :bro:type:`event` (endpoint: :bro:type:`Broker::EndpointInfo`, msg: :bro:type:`string`)
Generated when something changes in the Broker sub-system.
Functions
#########
.. bro:id:: Broker::__listen
:Type: :bro:type:`function` (a: :bro:type:`string`, p: :bro:type:`port`) : :bro:type:`port`
.. bro:id:: Broker::__node_id
:Type: :bro:type:`function` () : :bro:type:`string`
.. bro:id:: Broker::__peer
:Type: :bro:type:`function` (a: :bro:type:`string`, p: :bro:type:`port`, retry: :bro:type:`interval`) : :bro:type:`bool`
.. bro:id:: Broker::__peers
:Type: :bro:type:`function` () : :bro:type:`Broker::PeerInfos`
.. bro:id:: Broker::__unpeer
:Type: :bro:type:`function` (a: :bro:type:`string`, p: :bro:type:`port`) : :bro:type:`bool`


@ -0,0 +1,18 @@
:tocdepth: 3
base/bif/const.bif.bro
======================
.. bro:namespace:: GLOBAL
Declaration of various scripting-layer constants that the Bro core uses
internally. Documentation and default values for the scripting-layer
variables themselves are found in :doc:`/scripts/base/init-bare.bro`.
:Namespace: GLOBAL
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~


@ -0,0 +1,322 @@
:tocdepth: 3
base/bif/data.bif.bro
=====================
.. bro:namespace:: Broker
.. bro:namespace:: GLOBAL
Functions for inspecting and manipulating broker data.
:Namespaces: Broker, GLOBAL
Summary
~~~~~~~
Types
#####
============================================== ====================================================================
:bro:type:`Broker::DataType`: :bro:type:`enum` Enumerates the possible types that :bro:see:`Broker::Data` may be in
terms of Bro data types.
============================================== ====================================================================
Functions
#########
=============================================================== =
:bro:id:`Broker::__data`: :bro:type:`function`
:bro:id:`Broker::__data_type`: :bro:type:`function`
:bro:id:`Broker::__record_assign`: :bro:type:`function`
:bro:id:`Broker::__record_create`: :bro:type:`function`
:bro:id:`Broker::__record_iterator`: :bro:type:`function`
:bro:id:`Broker::__record_iterator_last`: :bro:type:`function`
:bro:id:`Broker::__record_iterator_next`: :bro:type:`function`
:bro:id:`Broker::__record_iterator_value`: :bro:type:`function`
:bro:id:`Broker::__record_lookup`: :bro:type:`function`
:bro:id:`Broker::__record_size`: :bro:type:`function`
:bro:id:`Broker::__set_clear`: :bro:type:`function`
:bro:id:`Broker::__set_contains`: :bro:type:`function`
:bro:id:`Broker::__set_create`: :bro:type:`function`
:bro:id:`Broker::__set_insert`: :bro:type:`function`
:bro:id:`Broker::__set_iterator`: :bro:type:`function`
:bro:id:`Broker::__set_iterator_last`: :bro:type:`function`
:bro:id:`Broker::__set_iterator_next`: :bro:type:`function`
:bro:id:`Broker::__set_iterator_value`: :bro:type:`function`
:bro:id:`Broker::__set_remove`: :bro:type:`function`
:bro:id:`Broker::__set_size`: :bro:type:`function`
:bro:id:`Broker::__table_clear`: :bro:type:`function`
:bro:id:`Broker::__table_contains`: :bro:type:`function`
:bro:id:`Broker::__table_create`: :bro:type:`function`
:bro:id:`Broker::__table_insert`: :bro:type:`function`
:bro:id:`Broker::__table_iterator`: :bro:type:`function`
:bro:id:`Broker::__table_iterator_last`: :bro:type:`function`
:bro:id:`Broker::__table_iterator_next`: :bro:type:`function`
:bro:id:`Broker::__table_iterator_value`: :bro:type:`function`
:bro:id:`Broker::__table_lookup`: :bro:type:`function`
:bro:id:`Broker::__table_remove`: :bro:type:`function`
:bro:id:`Broker::__table_size`: :bro:type:`function`
:bro:id:`Broker::__vector_clear`: :bro:type:`function`
:bro:id:`Broker::__vector_create`: :bro:type:`function`
:bro:id:`Broker::__vector_insert`: :bro:type:`function`
:bro:id:`Broker::__vector_iterator`: :bro:type:`function`
:bro:id:`Broker::__vector_iterator_last`: :bro:type:`function`
:bro:id:`Broker::__vector_iterator_next`: :bro:type:`function`
:bro:id:`Broker::__vector_iterator_value`: :bro:type:`function`
:bro:id:`Broker::__vector_lookup`: :bro:type:`function`
:bro:id:`Broker::__vector_remove`: :bro:type:`function`
:bro:id:`Broker::__vector_replace`: :bro:type:`function`
:bro:id:`Broker::__vector_size`: :bro:type:`function`
=============================================================== =
Detailed Interface
~~~~~~~~~~~~~~~~~~
Types
#####
.. bro:type:: Broker::DataType
:Type: :bro:type:`enum`
.. bro:enum:: Broker::NONE Broker::DataType
.. bro:enum:: Broker::BOOL Broker::DataType
.. bro:enum:: Broker::INT Broker::DataType
.. bro:enum:: Broker::COUNT Broker::DataType
.. bro:enum:: Broker::DOUBLE Broker::DataType
.. bro:enum:: Broker::STRING Broker::DataType
.. bro:enum:: Broker::ADDR Broker::DataType
.. bro:enum:: Broker::SUBNET Broker::DataType
.. bro:enum:: Broker::PORT Broker::DataType
.. bro:enum:: Broker::TIME Broker::DataType
.. bro:enum:: Broker::INTERVAL Broker::DataType
.. bro:enum:: Broker::ENUM Broker::DataType
.. bro:enum:: Broker::SET Broker::DataType
.. bro:enum:: Broker::TABLE Broker::DataType
.. bro:enum:: Broker::VECTOR Broker::DataType
Enumerates the possible types that :bro:see:`Broker::Data` may be in
terms of Bro data types.
Functions
#########
.. bro:id:: Broker::__data
:Type: :bro:type:`function` (d: :bro:type:`any`) : :bro:type:`Broker::Data`
.. bro:id:: Broker::__data_type
:Type: :bro:type:`function` (d: :bro:type:`Broker::Data`) : :bro:type:`Broker::DataType`
.. bro:id:: Broker::__record_assign
:Type: :bro:type:`function` (r: :bro:type:`Broker::Data`, idx: :bro:type:`count`, d: :bro:type:`any`) : :bro:type:`bool`
.. bro:id:: Broker::__record_create
:Type: :bro:type:`function` (sz: :bro:type:`count`) : :bro:type:`Broker::Data`
.. bro:id:: Broker::__record_iterator
:Type: :bro:type:`function` (r: :bro:type:`Broker::Data`) : :bro:type:`opaque` of Broker::RecordIterator
.. bro:id:: Broker::__record_iterator_last
:Type: :bro:type:`function` (it: :bro:type:`opaque` of Broker::RecordIterator) : :bro:type:`bool`
.. bro:id:: Broker::__record_iterator_next
:Type: :bro:type:`function` (it: :bro:type:`opaque` of Broker::RecordIterator) : :bro:type:`bool`
.. bro:id:: Broker::__record_iterator_value
:Type: :bro:type:`function` (it: :bro:type:`opaque` of Broker::RecordIterator) : :bro:type:`Broker::Data`
.. bro:id:: Broker::__record_lookup
:Type: :bro:type:`function` (r: :bro:type:`Broker::Data`, idx: :bro:type:`count`) : :bro:type:`Broker::Data`
.. bro:id:: Broker::__record_size
:Type: :bro:type:`function` (r: :bro:type:`Broker::Data`) : :bro:type:`count`
.. bro:id:: Broker::__set_clear
:Type: :bro:type:`function` (s: :bro:type:`Broker::Data`) : :bro:type:`bool`
.. bro:id:: Broker::__set_contains
:Type: :bro:type:`function` (s: :bro:type:`Broker::Data`, key: :bro:type:`any`) : :bro:type:`bool`
.. bro:id:: Broker::__set_create
:Type: :bro:type:`function` () : :bro:type:`Broker::Data`
.. bro:id:: Broker::__set_insert
:Type: :bro:type:`function` (s: :bro:type:`Broker::Data`, key: :bro:type:`any`) : :bro:type:`bool`
.. bro:id:: Broker::__set_iterator
:Type: :bro:type:`function` (s: :bro:type:`Broker::Data`) : :bro:type:`opaque` of Broker::SetIterator
.. bro:id:: Broker::__set_iterator_last
:Type: :bro:type:`function` (it: :bro:type:`opaque` of Broker::SetIterator) : :bro:type:`bool`
.. bro:id:: Broker::__set_iterator_next
:Type: :bro:type:`function` (it: :bro:type:`opaque` of Broker::SetIterator) : :bro:type:`bool`
.. bro:id:: Broker::__set_iterator_value
:Type: :bro:type:`function` (it: :bro:type:`opaque` of Broker::SetIterator) : :bro:type:`Broker::Data`
.. bro:id:: Broker::__set_remove
:Type: :bro:type:`function` (s: :bro:type:`Broker::Data`, key: :bro:type:`any`) : :bro:type:`bool`
.. bro:id:: Broker::__set_size
:Type: :bro:type:`function` (s: :bro:type:`Broker::Data`) : :bro:type:`count`
.. bro:id:: Broker::__table_clear
:Type: :bro:type:`function` (t: :bro:type:`Broker::Data`) : :bro:type:`bool`
.. bro:id:: Broker::__table_contains
:Type: :bro:type:`function` (t: :bro:type:`Broker::Data`, key: :bro:type:`any`) : :bro:type:`bool`
.. bro:id:: Broker::__table_create
:Type: :bro:type:`function` () : :bro:type:`Broker::Data`
.. bro:id:: Broker::__table_insert
:Type: :bro:type:`function` (t: :bro:type:`Broker::Data`, key: :bro:type:`any`, val: :bro:type:`any`) : :bro:type:`Broker::Data`
.. bro:id:: Broker::__table_iterator
:Type: :bro:type:`function` (t: :bro:type:`Broker::Data`) : :bro:type:`opaque` of Broker::TableIterator
.. bro:id:: Broker::__table_iterator_last
:Type: :bro:type:`function` (it: :bro:type:`opaque` of Broker::TableIterator) : :bro:type:`bool`
.. bro:id:: Broker::__table_iterator_next
:Type: :bro:type:`function` (it: :bro:type:`opaque` of Broker::TableIterator) : :bro:type:`bool`
.. bro:id:: Broker::__table_iterator_value
:Type: :bro:type:`function` (it: :bro:type:`opaque` of Broker::TableIterator) : :bro:type:`Broker::TableItem`
.. bro:id:: Broker::__table_lookup
:Type: :bro:type:`function` (t: :bro:type:`Broker::Data`, key: :bro:type:`any`) : :bro:type:`Broker::Data`
.. bro:id:: Broker::__table_remove
:Type: :bro:type:`function` (t: :bro:type:`Broker::Data`, key: :bro:type:`any`) : :bro:type:`Broker::Data`
.. bro:id:: Broker::__table_size
:Type: :bro:type:`function` (t: :bro:type:`Broker::Data`) : :bro:type:`count`
.. bro:id:: Broker::__vector_clear
:Type: :bro:type:`function` (v: :bro:type:`Broker::Data`) : :bro:type:`bool`
.. bro:id:: Broker::__vector_create
:Type: :bro:type:`function` () : :bro:type:`Broker::Data`
.. bro:id:: Broker::__vector_insert
:Type: :bro:type:`function` (v: :bro:type:`Broker::Data`, idx: :bro:type:`count`, d: :bro:type:`any`) : :bro:type:`bool`
.. bro:id:: Broker::__vector_iterator
:Type: :bro:type:`function` (v: :bro:type:`Broker::Data`) : :bro:type:`opaque` of Broker::VectorIterator
.. bro:id:: Broker::__vector_iterator_last
:Type: :bro:type:`function` (it: :bro:type:`opaque` of Broker::VectorIterator) : :bro:type:`bool`
.. bro:id:: Broker::__vector_iterator_next
:Type: :bro:type:`function` (it: :bro:type:`opaque` of Broker::VectorIterator) : :bro:type:`bool`
.. bro:id:: Broker::__vector_iterator_value
:Type: :bro:type:`function` (it: :bro:type:`opaque` of Broker::VectorIterator) : :bro:type:`Broker::Data`
.. bro:id:: Broker::__vector_lookup
:Type: :bro:type:`function` (v: :bro:type:`Broker::Data`, idx: :bro:type:`count`) : :bro:type:`Broker::Data`
.. bro:id:: Broker::__vector_remove
:Type: :bro:type:`function` (v: :bro:type:`Broker::Data`, idx: :bro:type:`count`) : :bro:type:`Broker::Data`
.. bro:id:: Broker::__vector_replace
:Type: :bro:type:`function` (v: :bro:type:`Broker::Data`, idx: :bro:type:`count`, d: :bro:type:`any`) : :bro:type:`Broker::Data`
.. bro:id:: Broker::__vector_size
:Type: :bro:type:`function` (v: :bro:type:`Broker::Data`) : :bro:type:`count`



@ -0,0 +1,111 @@
:tocdepth: 3
base/bif/file_analysis.bif.bro
==============================
.. bro:namespace:: Files
.. bro:namespace:: GLOBAL
Internal functions and types used by the file analysis framework.
:Namespaces: Files, GLOBAL
Summary
~~~~~~~
Functions
#########
============================================================== ===================================================================
:bro:id:`Files::__add_analyzer`: :bro:type:`function` :bro:see:`Files::add_analyzer`.
:bro:id:`Files::__analyzer_name`: :bro:type:`function` :bro:see:`Files::analyzer_name`.
:bro:id:`Files::__disable_reassembly`: :bro:type:`function` :bro:see:`Files::disable_reassembly`.
:bro:id:`Files::__enable_reassembly`: :bro:type:`function` :bro:see:`Files::enable_reassembly`.
:bro:id:`Files::__file_exists`: :bro:type:`function` :bro:see:`Files::file_exists`.
:bro:id:`Files::__lookup_file`: :bro:type:`function` :bro:see:`Files::lookup_file`.
:bro:id:`Files::__remove_analyzer`: :bro:type:`function` :bro:see:`Files::remove_analyzer`.
:bro:id:`Files::__set_reassembly_buffer`: :bro:type:`function` :bro:see:`Files::set_reassembly_buffer_size`.
:bro:id:`Files::__set_timeout_interval`: :bro:type:`function` :bro:see:`Files::set_timeout_interval`.
:bro:id:`Files::__stop`: :bro:type:`function` :bro:see:`Files::stop`.
:bro:id:`set_file_handle`: :bro:type:`function` For use within a :bro:see:`get_file_handle` handler to set a unique
identifier to associate with the current input to the file analysis
framework.
============================================================== ===================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. bro:id:: Files::__add_analyzer
:Type: :bro:type:`function` (file_id: :bro:type:`string`, tag: :bro:type:`Files::Tag`, args: :bro:type:`any`) : :bro:type:`bool`
:bro:see:`Files::add_analyzer`.
.. bro:id:: Files::__analyzer_name
:Type: :bro:type:`function` (tag: :bro:type:`Files::Tag`) : :bro:type:`string`
:bro:see:`Files::analyzer_name`.
.. bro:id:: Files::__disable_reassembly
:Type: :bro:type:`function` (file_id: :bro:type:`string`) : :bro:type:`bool`
:bro:see:`Files::disable_reassembly`.
.. bro:id:: Files::__enable_reassembly
:Type: :bro:type:`function` (file_id: :bro:type:`string`) : :bro:type:`bool`
:bro:see:`Files::enable_reassembly`.
.. bro:id:: Files::__file_exists
:Type: :bro:type:`function` (fuid: :bro:type:`string`) : :bro:type:`bool`
:bro:see:`Files::file_exists`.
.. bro:id:: Files::__lookup_file
:Type: :bro:type:`function` (fuid: :bro:type:`string`) : :bro:type:`fa_file`
:bro:see:`Files::lookup_file`.
.. bro:id:: Files::__remove_analyzer
:Type: :bro:type:`function` (file_id: :bro:type:`string`, tag: :bro:type:`Files::Tag`, args: :bro:type:`any`) : :bro:type:`bool`
:bro:see:`Files::remove_analyzer`.
.. bro:id:: Files::__set_reassembly_buffer
:Type: :bro:type:`function` (file_id: :bro:type:`string`, max: :bro:type:`count`) : :bro:type:`bool`
:bro:see:`Files::set_reassembly_buffer_size`.
.. bro:id:: Files::__set_timeout_interval
:Type: :bro:type:`function` (file_id: :bro:type:`string`, t: :bro:type:`interval`) : :bro:type:`bool`
:bro:see:`Files::set_timeout_interval`.
.. bro:id:: Files::__stop
:Type: :bro:type:`function` (file_id: :bro:type:`string`) : :bro:type:`bool`
:bro:see:`Files::stop`.
.. bro:id:: set_file_handle
:Type: :bro:type:`function` (handle: :bro:type:`string`) : :bro:type:`any`
For use within a :bro:see:`get_file_handle` handler to set a unique
identifier to associate with the current input to the file analysis
framework. Using an empty string for the handle signifies that the
input will be ignored/discarded.
:handle: A string that uniquely identifies a file.
.. bro:see:: get_file_handle


@ -0,0 +1,466 @@
:orphan:
Package: base/bif
=================
:doc:`/scripts/base/bif/const.bif.bro`
Declaration of various scripting-layer constants that the Bro core uses
internally. Documentation and default values for the scripting-layer
variables themselves are found in :doc:`/scripts/base/init-bare.bro`.
:doc:`/scripts/base/bif/types.bif.bro`
Declaration of various types that the Bro core uses internally.
:doc:`/scripts/base/bif/bro.bif.bro`
A collection of built-in functions that implement a variety of things
such as general programming algorithms, string processing, math functions,
introspection, type conversion, file/directory manipulation, packet
filtering, interprocess communication and controlling protocol analyzer
behavior.
You'll find most of Bro's built-in functions that aren't protocol-specific
in this file.
:doc:`/scripts/base/bif/stats.bif.bro`
:doc:`/scripts/base/bif/reporter.bif.bro`
The reporter built-in functions allow for the scripting layer to
generate messages of varying severity. If no event handlers
exist for reporter messages, the messages are output to stderr.
If event handlers do exist, it's assumed they take care of determining
how/where to output the messages.
See :doc:`/scripts/base/frameworks/reporter/main.bro` for a convenient
reporter message logging framework.
:doc:`/scripts/base/bif/strings.bif.bro`
Definitions of built-in functions related to string processing and
manipulation.
:doc:`/scripts/base/bif/option.bif.bro`
Definitions of built-in functions that allow the scripting layer to
change the value of options and to be notified when option values change.
:doc:`/scripts/base/bif/plugins/Bro_SNMP.types.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_KRB.types.bif.bro`
:doc:`/scripts/base/bif/event.bif.bro`
The protocol-independent events that the C/C++ core of Bro can generate.
This is mostly events not related to a specific transport- or
application-layer protocol, but also includes a few that may be generated
by more than one protocols analyzer (like events generated by both UDP and
TCP analysis.)
:doc:`/scripts/base/bif/logging.bif.bro`
Internal functions and types used by the logging framework.
:doc:`/scripts/base/bif/comm.bif.bro`
Functions and events regarding Bro's broker communication mechanisms.
:doc:`/scripts/base/bif/messaging.bif.bro`
Functions for peering and various messaging patterns.
:doc:`/scripts/base/bif/data.bif.bro`
Functions for inspecting and manipulating broker data.
:doc:`/scripts/base/bif/store.bif.bro`
Functions to interface with broker's distributed data store.
:doc:`/scripts/base/bif/input.bif.bro`
Internal functions and types used by the input framework.
:doc:`/scripts/base/bif/analyzer.bif.bro`
Internal functions and types used by the analyzer framework.
:doc:`/scripts/base/bif/file_analysis.bif.bro`
Internal functions and types used by the file analysis framework.
:doc:`/scripts/base/bif/__load__.bro`
:doc:`/scripts/base/bif/broxygen.bif.bro`
Functions for querying script, package, or variable documentation.
:doc:`/scripts/base/bif/pcap.bif.bro`
:doc:`/scripts/base/bif/bloom-filter.bif.bro`
Functions to create and manipulate Bloom filters.
:doc:`/scripts/base/bif/cardinality-counter.bif.bro`
Functions to create and manipulate probabilistic cardinality counters.
:doc:`/scripts/base/bif/top-k.bif.bro`
Functions to probabilistically determine top-k elements.
:doc:`/scripts/base/bif/plugins/__load__.bro`
:doc:`/scripts/base/bif/plugins/Bro_ARP.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_BackDoor.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_BitTorrent.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_ConnSize.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_ConnSize.functions.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_DCE_RPC.consts.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_DCE_RPC.types.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_DCE_RPC.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_DHCP.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_DHCP.types.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_DNP3.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_DNS.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_File.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_Finger.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_FTP.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_FTP.functions.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_Gnutella.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_GSSAPI.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_GTPv1.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_HTTP.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_HTTP.functions.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_ICMP.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_Ident.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_IMAP.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_InterConn.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_IRC.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_KRB.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_Login.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_Login.functions.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_MIME.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_Modbus.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_MySQL.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_NCP.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_NCP.consts.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_NetBIOS.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_NetBIOS.functions.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_NTLM.types.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_NTLM.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_NTP.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_POP3.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_RADIUS.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_RDP.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_RDP.types.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_RFB.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_RPC.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SIP.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SNMP.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SMB.smb1_com_check_directory.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SMB.smb1_com_close.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SMB.smb1_com_create_directory.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SMB.smb1_com_echo.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SMB.smb1_com_logoff_andx.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SMB.smb1_com_negotiate.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SMB.smb1_com_nt_create_andx.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SMB.smb1_com_nt_cancel.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SMB.smb1_com_query_information.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SMB.smb1_com_read_andx.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SMB.smb1_com_session_setup_andx.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction_secondary.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction2.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction2_secondary.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SMB.smb1_com_tree_connect_andx.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SMB.smb1_com_tree_disconnect.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SMB.smb1_com_write_andx.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SMB.smb1_events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SMB.smb2_com_close.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SMB.smb2_com_create.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SMB.smb2_com_negotiate.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SMB.smb2_com_read.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SMB.smb2_com_session_setup.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SMB.smb2_com_set_info.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SMB.smb2_com_tree_connect.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SMB.smb2_com_tree_disconnect.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SMB.smb2_com_write.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SMB.smb2_events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SMB.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SMB.consts.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SMB.types.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SMTP.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SMTP.functions.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SOCKS.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SSH.types.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SSH.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SSL.types.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SSL.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SSL.functions.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SteppingStone.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_Syslog.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_TCP.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_TCP.functions.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_Teredo.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_UDP.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_XMPP.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_FileEntropy.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_FileExtract.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_FileExtract.functions.bif.bro`
Internal functions used by the extraction file analyzer.
:doc:`/scripts/base/bif/plugins/Bro_FileHash.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_PE.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_Unified2.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_Unified2.types.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_X509.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_X509.types.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_X509.functions.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_X509.ocsp_events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_AsciiReader.ascii.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_BenchmarkReader.benchmark.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_BinaryReader.binary.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_ConfigReader.config.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_RawReader.raw.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SQLiteReader.sqlite.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_AsciiWriter.ascii.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_NoneWriter.none.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SQLiteWriter.sqlite.bif.bro`


@ -0,0 +1,54 @@
:tocdepth: 3
base/bif/input.bif.bro
======================
.. bro:namespace:: GLOBAL
.. bro:namespace:: Input
Internal functions and types used by the input framework.
:Namespaces: GLOBAL, Input
Summary
~~~~~~~
Functions
#########
=============================================================== =
:bro:id:`Input::__create_analysis_stream`: :bro:type:`function`
:bro:id:`Input::__create_event_stream`: :bro:type:`function`
:bro:id:`Input::__create_table_stream`: :bro:type:`function`
:bro:id:`Input::__force_update`: :bro:type:`function`
:bro:id:`Input::__remove_stream`: :bro:type:`function`
=============================================================== =
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. bro:id:: Input::__create_analysis_stream
:Type: :bro:type:`function` (description: :bro:type:`Input::AnalysisDescription`) : :bro:type:`bool`
.. bro:id:: Input::__create_event_stream
:Type: :bro:type:`function` (description: :bro:type:`Input::EventDescription`) : :bro:type:`bool`
.. bro:id:: Input::__create_table_stream
:Type: :bro:type:`function` (description: :bro:type:`Input::TableDescription`) : :bro:type:`bool`
.. bro:id:: Input::__force_update
:Type: :bro:type:`function` (id: :bro:type:`string`) : :bro:type:`bool`
.. bro:id:: Input::__remove_stream
:Type: :bro:type:`function` (id: :bro:type:`string`) : :bro:type:`bool`


@ -0,0 +1,78 @@
:tocdepth: 3
base/bif/logging.bif.bro
========================
.. bro:namespace:: GLOBAL
.. bro:namespace:: Log
Internal functions and types used by the logging framework.
:Namespaces: GLOBAL, Log
Summary
~~~~~~~
Functions
#########
===================================================== =
:bro:id:`Log::__add_filter`: :bro:type:`function`
:bro:id:`Log::__create_stream`: :bro:type:`function`
:bro:id:`Log::__disable_stream`: :bro:type:`function`
:bro:id:`Log::__enable_stream`: :bro:type:`function`
:bro:id:`Log::__flush`: :bro:type:`function`
:bro:id:`Log::__remove_filter`: :bro:type:`function`
:bro:id:`Log::__remove_stream`: :bro:type:`function`
:bro:id:`Log::__set_buf`: :bro:type:`function`
:bro:id:`Log::__write`: :bro:type:`function`
===================================================== =
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. bro:id:: Log::__add_filter
:Type: :bro:type:`function` (id: :bro:type:`Log::ID`, filter: :bro:type:`Log::Filter`) : :bro:type:`bool`
.. bro:id:: Log::__create_stream
:Type: :bro:type:`function` (id: :bro:type:`Log::ID`, stream: :bro:type:`Log::Stream`) : :bro:type:`bool`
.. bro:id:: Log::__disable_stream
:Type: :bro:type:`function` (id: :bro:type:`Log::ID`) : :bro:type:`bool`
.. bro:id:: Log::__enable_stream
:Type: :bro:type:`function` (id: :bro:type:`Log::ID`) : :bro:type:`bool`
.. bro:id:: Log::__flush
:Type: :bro:type:`function` (id: :bro:type:`Log::ID`) : :bro:type:`bool`
.. bro:id:: Log::__remove_filter
:Type: :bro:type:`function` (id: :bro:type:`Log::ID`, name: :bro:type:`string`) : :bro:type:`bool`
.. bro:id:: Log::__remove_stream
:Type: :bro:type:`function` (id: :bro:type:`Log::ID`) : :bro:type:`bool`
.. bro:id:: Log::__set_buf
:Type: :bro:type:`function` (id: :bro:type:`Log::ID`, buffered: :bro:type:`bool`) : :bro:type:`bool`
.. bro:id:: Log::__write
:Type: :bro:type:`function` (id: :bro:type:`Log::ID`, columns: :bro:type:`any`) : :bro:type:`bool`


@ -0,0 +1,151 @@
:tocdepth: 3
base/bif/messaging.bif.bro
==========================
.. bro:namespace:: Broker
.. bro:namespace:: Cluster
.. bro:namespace:: GLOBAL
Functions for peering and various messaging patterns.
:Namespaces: Broker, Cluster, GLOBAL
Summary
~~~~~~~
Functions
#########
======================================================== ===================================================================
:bro:id:`Broker::__auto_publish`: :bro:type:`function`
:bro:id:`Broker::__auto_unpublish`: :bro:type:`function`
:bro:id:`Broker::__flush_logs`: :bro:type:`function`
:bro:id:`Broker::__forward`: :bro:type:`function`
:bro:id:`Broker::__publish_id`: :bro:type:`function`
:bro:id:`Broker::__subscribe`: :bro:type:`function`
:bro:id:`Broker::__unsubscribe`: :bro:type:`function`
:bro:id:`Broker::make_event`: :bro:type:`function` Create a data structure that may be used to send a remote event via
:bro:see:`Broker::publish`.
:bro:id:`Broker::publish`: :bro:type:`function` Publishes an event at a given topic.
:bro:id:`Cluster::publish_hrw`: :bro:type:`function` Publishes an event to a node within a pool according to Rendezvous
(Highest Random Weight) hashing strategy.
:bro:id:`Cluster::publish_rr`: :bro:type:`function` Publishes an event to a node within a pool according to Round-Robin
distribution strategy.
======================================================== ===================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. bro:id:: Broker::__auto_publish
:Type: :bro:type:`function` (topic: :bro:type:`string`, ev: :bro:type:`any`) : :bro:type:`bool`
.. bro:id:: Broker::__auto_unpublish
:Type: :bro:type:`function` (topic: :bro:type:`string`, ev: :bro:type:`any`) : :bro:type:`bool`
.. bro:id:: Broker::__flush_logs
:Type: :bro:type:`function` () : :bro:type:`count`
.. bro:id:: Broker::__forward
:Type: :bro:type:`function` (topic_prefix: :bro:type:`string`) : :bro:type:`bool`
.. bro:id:: Broker::__publish_id
:Type: :bro:type:`function` (topic: :bro:type:`string`, id: :bro:type:`string`) : :bro:type:`bool`
.. bro:id:: Broker::__subscribe
:Type: :bro:type:`function` (topic_prefix: :bro:type:`string`) : :bro:type:`bool`
.. bro:id:: Broker::__unsubscribe
:Type: :bro:type:`function` (topic_prefix: :bro:type:`string`) : :bro:type:`bool`
.. bro:id:: Broker::make_event
:Type: :bro:type:`function` (...) : :bro:type:`Broker::Event`
Create a data structure that may be used to send a remote event via
:bro:see:`Broker::publish`.
:args: an event, followed by a list of argument values that may be used
to call it.
:returns: opaque communication data that may be used to send a remote
event.
.. bro:id:: Broker::publish
:Type: :bro:type:`function` (...) : :bro:type:`bool`
Publishes an event at a given topic.
:topic: a topic associated with the event message.
:args: Either the event arguments as already made by
:bro:see:`Broker::make_event` or the argument list to pass along
to it.
:returns: true if the message is sent.
.. bro:id:: Cluster::publish_hrw
:Type: :bro:type:`function` (...) : :bro:type:`bool`
Publishes an event to a node within a pool according to Rendezvous
(Highest Random Weight) hashing strategy.
:pool: the pool of nodes that are eligible to receive the event.
:key: data used for input to the hashing function that will uniformly
distribute keys among available nodes.
:args: Either the event arguments as already made by
:bro:see:`Broker::make_event` or the argument list to pass along
to it.
:returns: true if the message is sent.
.. bro:id:: Cluster::publish_rr
:Type: :bro:type:`function` (...) : :bro:type:`bool`
Publishes an event to a node within a pool according to Round-Robin
distribution strategy.
:pool: the pool of nodes that are eligible to receive the event.
:key: an arbitrary string to identify the purpose for which you're
distributing the event. e.g. consider using namespacing of your
script like "Intel::cluster_rr_key".
:args: Either the event arguments as already made by
:bro:see:`Broker::make_event` or the argument list to pass along
to it.
:returns: true if the message is sent.


@ -0,0 +1,86 @@
:tocdepth: 3
base/bif/option.bif.bro
=======================
.. bro:namespace:: GLOBAL
.. bro:namespace:: Option
Definitions of built-in functions that allow the scripting layer to
change the value of options and to be notified when option values change.
:Namespaces: GLOBAL, Option
Summary
~~~~~~~
Functions
#########
========================================================== ===================================
:bro:id:`Option::set`: :bro:type:`function` Set an option to a new value.
:bro:id:`Option::set_change_handler`: :bro:type:`function` Set a change handler for an option.
========================================================== ===================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. bro:id:: Option::set
:Type: :bro:type:`function` (ID: :bro:type:`string`, val: :bro:type:`any`, location: :bro:type:`string` :bro:attr:`&default` = ``""`` :bro:attr:`&optional`) : :bro:type:`bool`
Set an option to a new value. This change will also cause the option change
handlers to be called.
:ID: The ID of the option to update.
:val: The new value of the option.
:location: Optional parameter detailing where this change originated from.
:returns: true on success, false when an error occurred.
.. bro:see:: Option::set_change_handler Config::set_value
.. note:: :bro:id:`Option::set` only works on one node and does not distribute
new values across a cluster. The higher-level :bro:id:`Config::set_value`
supports clusterization and should typically be used instead of this
lower-level function.
.. bro:id:: Option::set_change_handler
:Type: :bro:type:`function` (ID: :bro:type:`string`, on_change: :bro:type:`any`, priority: :bro:type:`int` :bro:attr:`&default` = ``0`` :bro:attr:`&optional`) : :bro:type:`bool`
Set a change handler for an option. The change handler will be
called anytime :bro:id:`Option::set` is called for the option.
:ID: The ID of the option for which change notifications are desired.
:on_change: The function that will be called when a change occurs. The
function can choose to receive two or three parameters: the first
parameter is a string containing *ID*, the second parameter is
the new option value. The third, optional, parameter is the
location string as passed to Option::set. Note that the global
value is not yet changed when the function is called. The passed
function has to return the new value that it wants the option to
be set to. This enables it to reject changes, or change values
that are being set. When several change handlers are set for an
option they are chained; the second change handler will see the
return value of the first change handler as the "new value".
:priority: The priority of the function that was added; functions with higher
priority are called first, functions with the same priority are
called in the order in which they were added.
:returns: true when the change handler was set, false when an error occurred.
.. bro:see:: Option::set


@ -0,0 +1,98 @@
:tocdepth: 3
base/bif/pcap.bif.bro
=====================
.. bro:namespace:: GLOBAL
.. bro:namespace:: Pcap
:Namespaces: GLOBAL, Pcap
Summary
~~~~~~~
Functions
#########
============================================================ =============================================================
:bro:id:`Pcap::error`: :bro:type:`function` Returns a string representation of the last PCAP error.
:bro:id:`Pcap::install_pcap_filter`: :bro:type:`function` Installs a PCAP filter that has been precompiled with
:bro:id:`Pcap::precompile_pcap_filter`.
:bro:id:`Pcap::precompile_pcap_filter`: :bro:type:`function` Precompiles a PCAP filter and binds it to a given identifier.
============================================================ =============================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. bro:id:: Pcap::error
:Type: :bro:type:`function` () : :bro:type:`string`
Returns a string representation of the last PCAP error.
:returns: A descriptive error message of the PCAP function that failed.
.. bro:see:: Pcap::precompile_pcap_filter
Pcap::install_pcap_filter
install_src_addr_filter
install_src_net_filter
uninstall_src_addr_filter
uninstall_src_net_filter
install_dst_addr_filter
install_dst_net_filter
uninstall_dst_addr_filter
uninstall_dst_net_filter
.. bro:id:: Pcap::install_pcap_filter
:Type: :bro:type:`function` (id: :bro:type:`PcapFilterID`) : :bro:type:`bool`
Installs a PCAP filter that has been precompiled with
:bro:id:`Pcap::precompile_pcap_filter`.
:id: The PCAP filter id of a precompiled filter.
:returns: True if the filter associated with *id* has been installed
successfully.
.. bro:see:: Pcap::precompile_pcap_filter
install_src_addr_filter
install_src_net_filter
uninstall_src_addr_filter
uninstall_src_net_filter
install_dst_addr_filter
install_dst_net_filter
uninstall_dst_addr_filter
uninstall_dst_net_filter
Pcap::error
.. bro:id:: Pcap::precompile_pcap_filter
:Type: :bro:type:`function` (id: :bro:type:`PcapFilterID`, s: :bro:type:`string`) : :bro:type:`bool`
Precompiles a PCAP filter and binds it to a given identifier.
:id: The PCAP identifier to reference the filter *s* later on.
:s: The PCAP filter. See ``man tcpdump`` for valid expressions.
:returns: True if *s* is valid and precompiles successfully.
.. bro:see:: Pcap::install_pcap_filter
install_src_addr_filter
install_src_net_filter
uninstall_src_addr_filter
uninstall_src_net_filter
install_dst_addr_filter
install_dst_net_filter
uninstall_dst_addr_filter
uninstall_dst_net_filter
Pcap::error


@ -0,0 +1,113 @@
:tocdepth: 3
base/bif/plugins/Bro_ARP.events.bif.bro
=======================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
======================================== ====================================================
:bro:id:`arp_reply`: :bro:type:`event` Generated for ARP replies.
:bro:id:`arp_request`: :bro:type:`event` Generated for ARP requests.
:bro:id:`bad_arp`: :bro:type:`event` Generated for ARP packets that Bro cannot interpret.
======================================== ====================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. bro:id:: arp_reply
:Type: :bro:type:`event` (mac_src: :bro:type:`string`, mac_dst: :bro:type:`string`, SPA: :bro:type:`addr`, SHA: :bro:type:`string`, TPA: :bro:type:`addr`, THA: :bro:type:`string`)
Generated for ARP replies.
See `Wikipedia <http://en.wikipedia.org/wiki/Address_Resolution_Protocol>`__
for more information about the ARP protocol.
:mac_src: The reply's source MAC address.
:mac_dst: The reply's destination MAC address.
:SPA: The sender protocol address.
:SHA: The sender hardware address.
:TPA: The target protocol address.
:THA: The target hardware address.
.. bro:see:: arp_request bad_arp
.. bro:id:: arp_request
:Type: :bro:type:`event` (mac_src: :bro:type:`string`, mac_dst: :bro:type:`string`, SPA: :bro:type:`addr`, SHA: :bro:type:`string`, TPA: :bro:type:`addr`, THA: :bro:type:`string`)
Generated for ARP requests.
See `Wikipedia <http://en.wikipedia.org/wiki/Address_Resolution_Protocol>`__
for more information about the ARP protocol.
:mac_src: The request's source MAC address.
:mac_dst: The request's destination MAC address.
:SPA: The sender protocol address.
:SHA: The sender hardware address.
:TPA: The target protocol address.
:THA: The target hardware address.
.. bro:see:: arp_reply bad_arp
.. bro:id:: bad_arp
:Type: :bro:type:`event` (SPA: :bro:type:`addr`, SHA: :bro:type:`string`, TPA: :bro:type:`addr`, THA: :bro:type:`string`, explanation: :bro:type:`string`)
Generated for ARP packets that Bro cannot interpret. Examples are packets
with non-standard hardware address formats or hardware addresses that do not
match the originator of the packet.
:SPA: The sender protocol address.
:SHA: The sender hardware address.
:TPA: The target protocol address.
:THA: The target hardware address.
:explanation: A short description of why the ARP packet is considered "bad".
.. bro:see:: arp_reply arp_request
.. todo:: Bro's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported to Bro 2.x. To still enable this event, one needs to
register a port for it or add a DPD payload signature.


@ -0,0 +1,16 @@
:tocdepth: 3
base/bif/plugins/Bro_AsciiReader.ascii.bif.bro
==============================================
.. bro:namespace:: GLOBAL
.. bro:namespace:: InputAscii
:Namespaces: GLOBAL, InputAscii
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~


@ -0,0 +1,16 @@
:tocdepth: 3
base/bif/plugins/Bro_AsciiWriter.ascii.bif.bro
==============================================
.. bro:namespace:: GLOBAL
.. bro:namespace:: LogAscii
:Namespaces: GLOBAL, LogAscii
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~


@ -0,0 +1,99 @@
:tocdepth: 3
base/bif/plugins/Bro_BackDoor.events.bif.bro
============================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
======================================================= ===========
:bro:id:`backdoor_remove_conn`: :bro:type:`event` Deprecated.
:bro:id:`backdoor_stats`: :bro:type:`event` Deprecated.
:bro:id:`ftp_signature_found`: :bro:type:`event` Deprecated.
:bro:id:`gnutella_signature_found`: :bro:type:`event` Deprecated.
:bro:id:`http_proxy_signature_found`: :bro:type:`event` Deprecated.
:bro:id:`http_signature_found`: :bro:type:`event` Deprecated.
:bro:id:`irc_signature_found`: :bro:type:`event` Deprecated.
:bro:id:`rlogin_signature_found`: :bro:type:`event` Deprecated.
:bro:id:`smtp_signature_found`: :bro:type:`event` Deprecated.
:bro:id:`ssh_signature_found`: :bro:type:`event` Deprecated.
:bro:id:`telnet_signature_found`: :bro:type:`event` Deprecated.
======================================================= ===========
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. bro:id:: backdoor_remove_conn
:Type: :bro:type:`event` (c: :bro:type:`connection`)
Deprecated. Will be removed.
.. bro:id:: backdoor_stats
:Type: :bro:type:`event` (c: :bro:type:`connection`, os: :bro:type:`backdoor_endp_stats`, rs: :bro:type:`backdoor_endp_stats`)
Deprecated. Will be removed.
.. bro:id:: ftp_signature_found
:Type: :bro:type:`event` (c: :bro:type:`connection`)
Deprecated. Will be removed.
.. bro:id:: gnutella_signature_found
:Type: :bro:type:`event` (c: :bro:type:`connection`)
Deprecated. Will be removed.
.. bro:id:: http_proxy_signature_found
:Type: :bro:type:`event` (c: :bro:type:`connection`)
Deprecated. Will be removed.
.. bro:id:: http_signature_found
:Type: :bro:type:`event` (c: :bro:type:`connection`)
Deprecated. Will be removed.
.. bro:id:: irc_signature_found
:Type: :bro:type:`event` (c: :bro:type:`connection`)
Deprecated. Will be removed.
.. bro:id:: rlogin_signature_found
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, num_null: :bro:type:`count`, len: :bro:type:`count`)
Deprecated. Will be removed.
.. bro:id:: smtp_signature_found
:Type: :bro:type:`event` (c: :bro:type:`connection`)
Deprecated. Will be removed.
.. bro:id:: ssh_signature_found
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`)
Deprecated. Will be removed.
.. bro:id:: telnet_signature_found
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, len: :bro:type:`count`)
Deprecated. Will be removed.


@ -0,0 +1,16 @@
:tocdepth: 3
base/bif/plugins/Bro_BenchmarkReader.benchmark.bif.bro
======================================================
.. bro:namespace:: GLOBAL
.. bro:namespace:: InputBenchmark
:Namespaces: GLOBAL, InputBenchmark
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~


@ -0,0 +1,16 @@
:tocdepth: 3
base/bif/plugins/Bro_BinaryReader.binary.bif.bro
================================================
.. bro:namespace:: GLOBAL
.. bro:namespace:: InputBinary
:Namespaces: GLOBAL, InputBinary
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~


@ -0,0 +1,310 @@
:tocdepth: 3
base/bif/plugins/Bro_BitTorrent.events.bif.bro
==============================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
=========================================================== =====
:bro:id:`bittorrent_peer_bitfield`: :bro:type:`event` TODO.
:bro:id:`bittorrent_peer_cancel`: :bro:type:`event` TODO.
:bro:id:`bittorrent_peer_choke`: :bro:type:`event` TODO.
:bro:id:`bittorrent_peer_handshake`: :bro:type:`event` TODO.
:bro:id:`bittorrent_peer_have`: :bro:type:`event` TODO.
:bro:id:`bittorrent_peer_interested`: :bro:type:`event` TODO.
:bro:id:`bittorrent_peer_keep_alive`: :bro:type:`event` TODO.
:bro:id:`bittorrent_peer_not_interested`: :bro:type:`event` TODO.
:bro:id:`bittorrent_peer_piece`: :bro:type:`event` TODO.
:bro:id:`bittorrent_peer_port`: :bro:type:`event` TODO.
:bro:id:`bittorrent_peer_request`: :bro:type:`event` TODO.
:bro:id:`bittorrent_peer_unchoke`: :bro:type:`event` TODO.
:bro:id:`bittorrent_peer_unknown`: :bro:type:`event` TODO.
:bro:id:`bittorrent_peer_weird`: :bro:type:`event` TODO.
:bro:id:`bt_tracker_request`: :bro:type:`event` TODO.
:bro:id:`bt_tracker_response`: :bro:type:`event` TODO.
:bro:id:`bt_tracker_response_not_ok`: :bro:type:`event` TODO.
:bro:id:`bt_tracker_weird`: :bro:type:`event` TODO.
=========================================================== =====
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. bro:id:: bittorrent_peer_bitfield
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, bitfield: :bro:type:`string`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
more information about the BitTorrent protocol.
.. bro:see:: bittorrent_peer_cancel bittorrent_peer_choke bittorrent_peer_handshake
bittorrent_peer_have bittorrent_peer_interested bittorrent_peer_keep_alive
bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port
bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
bittorrent_peer_weird
.. bro:id:: bittorrent_peer_cancel
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, index: :bro:type:`count`, begin: :bro:type:`count`, length: :bro:type:`count`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
more information about the BitTorrent protocol.
.. bro:see:: bittorrent_peer_bitfield bittorrent_peer_choke
bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
bittorrent_peer_unknown bittorrent_peer_weird
.. bro:id:: bittorrent_peer_choke
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
more information about the BitTorrent protocol.
.. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel
bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
bittorrent_peer_unknown bittorrent_peer_weird
.. bro:id:: bittorrent_peer_handshake
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, reserved: :bro:type:`string`, info_hash: :bro:type:`string`, peer_id: :bro:type:`string`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
more information about the BitTorrent protocol.
.. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
bittorrent_peer_have bittorrent_peer_interested bittorrent_peer_keep_alive
bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port
bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
bittorrent_peer_weird
.. bro:id:: bittorrent_peer_have
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, piece_index: :bro:type:`count`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
more information about the BitTorrent protocol.
.. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
bittorrent_peer_handshake bittorrent_peer_interested bittorrent_peer_keep_alive
bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port
bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
bittorrent_peer_weird
.. bro:id:: bittorrent_peer_interested
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
more information about the BitTorrent protocol.
.. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_keep_alive
bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port
bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
bittorrent_peer_weird
.. bro:id:: bittorrent_peer_keep_alive
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
more information about the BitTorrent protocol.
.. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port
bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
bittorrent_peer_weird
.. bro:id:: bittorrent_peer_not_interested
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
more information about the BitTorrent protocol.
.. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
bittorrent_peer_keep_alive bittorrent_peer_piece bittorrent_peer_port
bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
bittorrent_peer_weird
.. bro:id:: bittorrent_peer_piece
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, index: :bro:type:`count`, begin: :bro:type:`count`, piece_length: :bro:type:`count`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
more information about the BitTorrent protocol.
.. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_port
bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
bittorrent_peer_weird
.. bro:id:: bittorrent_peer_port
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, listen_port: :bro:type:`port`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
more information about the BitTorrent protocol.
.. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
bittorrent_peer_weird
.. bro:id:: bittorrent_peer_request
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, index: :bro:type:`count`, begin: :bro:type:`count`, length: :bro:type:`count`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
more information about the BitTorrent protocol.
.. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
bittorrent_peer_port bittorrent_peer_unchoke bittorrent_peer_unknown
bittorrent_peer_weird
.. bro:id:: bittorrent_peer_unchoke
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
more information about the BitTorrent protocol.
.. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
bittorrent_peer_port bittorrent_peer_request
bittorrent_peer_unknown bittorrent_peer_weird
.. bro:id:: bittorrent_peer_unknown
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, message_id: :bro:type:`count`, data: :bro:type:`string`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
more information about the BitTorrent protocol.
.. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
bittorrent_peer_weird
.. bro:id:: bittorrent_peer_weird
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, msg: :bro:type:`string`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
more information about the BitTorrent protocol.
.. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
bittorrent_peer_unknown
.. bro:id:: bt_tracker_request
:Type: :bro:type:`event` (c: :bro:type:`connection`, uri: :bro:type:`string`, headers: :bro:type:`bt_tracker_headers`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
more information about the BitTorrent protocol.
.. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
bittorrent_peer_unknown bittorrent_peer_weird
.. bro:id:: bt_tracker_response
:Type: :bro:type:`event` (c: :bro:type:`connection`, status: :bro:type:`count`, headers: :bro:type:`bt_tracker_headers`, peers: :bro:type:`bittorrent_peer_set`, benc: :bro:type:`bittorrent_benc_dir`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
more information about the BitTorrent protocol.
.. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
bittorrent_peer_unknown bittorrent_peer_weird
.. bro:id:: bt_tracker_response_not_ok
:Type: :bro:type:`event` (c: :bro:type:`connection`, status: :bro:type:`count`, headers: :bro:type:`bt_tracker_headers`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
more information about the BitTorrent protocol.
.. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
bittorrent_peer_unknown bittorrent_peer_weird
.. bro:id:: bt_tracker_weird
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, msg: :bro:type:`string`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
more information about the BitTorrent protocol.
.. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
bittorrent_peer_unknown bittorrent_peer_weird


@ -0,0 +1,16 @@
:tocdepth: 3
base/bif/plugins/Bro_ConfigReader.config.bif.bro
================================================
.. bro:namespace:: GLOBAL
.. bro:namespace:: InputConfig
:Namespaces: GLOBAL, InputConfig
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~


@ -0,0 +1,64 @@
:tocdepth: 3
base/bif/plugins/Bro_ConnSize.events.bif.bro
============================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
=========================================================== ===============================================================
:bro:id:`conn_bytes_threshold_crossed`: :bro:type:`event` Generated for a connection that crossed a set byte threshold.
:bro:id:`conn_packets_threshold_crossed`: :bro:type:`event` Generated for a connection that crossed a set packet threshold.
=========================================================== ===============================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. bro:id:: conn_bytes_threshold_crossed
:Type: :bro:type:`event` (c: :bro:type:`connection`, threshold: :bro:type:`count`, is_orig: :bro:type:`bool`)
Generated for a connection that crossed a set byte threshold. Note that this
is a low level event that should usually be avoided for user code. Use
ConnThreshold::bytes_threshold_crossed instead.
:c: the connection
:threshold: the threshold that was set
:is_orig: true if the threshold was crossed by the originator of the connection
.. bro:see:: set_current_conn_packets_threshold set_current_conn_bytes_threshold conn_packets_threshold_crossed
get_current_conn_bytes_threshold get_current_conn_packets_threshold
.. bro:id:: conn_packets_threshold_crossed
:Type: :bro:type:`event` (c: :bro:type:`connection`, threshold: :bro:type:`count`, is_orig: :bro:type:`bool`)
Generated for a connection that crossed a set packet threshold. Note that this
is a low level event that should usually be avoided for user code. Use
ConnThreshold::bytes_threshold_crossed instead.
:c: the connection
:threshold: the threshold that was set
:is_orig: true if the threshold was crossed by the originator of the connection
.. bro:see:: set_current_conn_packets_threshold set_current_conn_bytes_threshold conn_bytes_threshold_crossed
get_current_conn_bytes_threshold get_current_conn_packets_threshold


@ -0,0 +1,103 @@
:tocdepth: 3
base/bif/plugins/Bro_ConnSize.functions.bif.bro
===============================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Functions
#########
================================================================== ===================================================================================
:bro:id:`get_current_conn_bytes_threshold`: :bro:type:`function` Gets the current byte threshold size for a connection.
:bro:id:`get_current_conn_packets_threshold`: :bro:type:`function` Gets the current packet threshold size for a connection.
:bro:id:`set_current_conn_bytes_threshold`: :bro:type:`function` Sets the current byte threshold for connection sizes, overwriting any potential old
threshold.
:bro:id:`set_current_conn_packets_threshold`: :bro:type:`function` Sets a threshold for connection packets, overwtiting any potential old thresholds.
================================================================== ===================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. bro:id:: get_current_conn_bytes_threshold
:Type: :bro:type:`function` (cid: :bro:type:`conn_id`, is_orig: :bro:type:`bool`) : :bro:type:`count`
Gets the current byte threshold size for a connection.
:cid: The connection id.
:is_orig: If true, threshold of originator, otherwhise threshold of responder.
:returns: 0 if no threshold is set or the threshold in bytes
.. bro:see:: set_current_conn_packets_threshold conn_bytes_threshold_crossed conn_packets_threshold_crossed
get_current_conn_packets_threshold
.. bro:id:: get_current_conn_packets_threshold
:Type: :bro:type:`function` (cid: :bro:type:`conn_id`, is_orig: :bro:type:`bool`) : :bro:type:`count`
Gets the current packet threshold size for a connection.
:cid: The connection id.
:is_orig: If true, threshold of originator, otherwhise threshold of responder.
:returns: 0 if no threshold is set or the threshold in packets
.. bro:see:: set_current_conn_packets_threshold conn_bytes_threshold_crossed conn_packets_threshold_crossed
get_current_conn_bytes_threshold
.. bro:id:: set_current_conn_bytes_threshold
:Type: :bro:type:`function` (cid: :bro:type:`conn_id`, threshold: :bro:type:`count`, is_orig: :bro:type:`bool`) : :bro:type:`bool`
Sets the current byte threshold for connection sizes, overwriting any potential old
threshold. Be aware that in nearly any case you will want to use the high level API
instead (ConnThreshold::set_bytes_threshold).
:cid: The connection id.
:threshold: Threshold in bytes.
:is_orig: If true, threshold is set for bytes from originator, otherwhise for bytes from responder.
.. bro:see:: set_current_conn_packets_threshold conn_bytes_threshold_crossed conn_packets_threshold_crossed
get_current_conn_bytes_threshold get_current_conn_packets_threshold
.. bro:id:: set_current_conn_packets_threshold
:Type: :bro:type:`function` (cid: :bro:type:`conn_id`, threshold: :bro:type:`count`, is_orig: :bro:type:`bool`) : :bro:type:`bool`
Sets a threshold for connection packets, overwtiting any potential old thresholds.
Be aware that in nearly any case you will want to use the high level API
instead (ConnThreshold::set_packets_threshold).
:cid: The connection id.
:threshold: Threshold in packets.
:is_orig: If true, threshold is set for packets from originator, otherwhise for packets from responder.
.. bro:see:: set_current_conn_bytes_threshold conn_bytes_threshold_crossed conn_packets_threshold_crossed
get_current_conn_bytes_threshold get_current_conn_packets_threshold


@ -0,0 +1,15 @@
:tocdepth: 3
base/bif/plugins/Bro_DCE_RPC.consts.bif.bro
===========================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~


@ -0,0 +1,198 @@
:tocdepth: 3
base/bif/plugins/Bro_DCE_RPC.events.bif.bro
===========================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
======================================================= ==============================================================================================================================
:bro:id:`dce_rpc_alter_context`: :bro:type:`event` Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` alter context request message.
:bro:id:`dce_rpc_alter_context_resp`: :bro:type:`event` Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` alter context response message.
:bro:id:`dce_rpc_bind`: :bro:type:`event` Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` bind request message.
:bro:id:`dce_rpc_bind_ack`: :bro:type:`event` Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` bind request ack message.
:bro:id:`dce_rpc_message`: :bro:type:`event` Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` message.
:bro:id:`dce_rpc_request`: :bro:type:`event` Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` request message.
:bro:id:`dce_rpc_response`: :bro:type:`event` Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` response message.
======================================================= ==============================================================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. bro:id:: dce_rpc_alter_context
:Type: :bro:type:`event` (c: :bro:type:`connection`, fid: :bro:type:`count`, ctx_id: :bro:type:`count`, uuid: :bro:type:`string`, ver_major: :bro:type:`count`, ver_minor: :bro:type:`count`)
Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` alter context request message.
Since RPC offers the ability for a client to request connections to multiple endpoints, this event can occur
multiple times for a single RPC message.
:c: The connection.
:fid: File ID of the PIPE that carried the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
message. Zero will be used if the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` was
not transported over a pipe.
:ctx_id: The context identifier of the data representation.
:uuid: The string interpretted uuid of the endpoint being requested.
:ver_major: The major version of the endpoint being requested.
:ver_minor: The minor version of the endpoint being requested.
.. bro:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_request dce_rpc_response dce_rpc_alter_context_resp
.. bro:id:: dce_rpc_alter_context_resp
:Type: :bro:type:`event` (c: :bro:type:`connection`, fid: :bro:type:`count`)
Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` alter context response message.
:c: The connection.
:fid: File ID of the PIPE that carried the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
message. Zero will be used if the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` was
not transported over a pipe.
.. bro:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_request dce_rpc_response dce_rpc_alter_context
.. bro:id:: dce_rpc_bind
:Type: :bro:type:`event` (c: :bro:type:`connection`, fid: :bro:type:`count`, ctx_id: :bro:type:`count`, uuid: :bro:type:`string`, ver_major: :bro:type:`count`, ver_minor: :bro:type:`count`)
Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` bind request message.
Since RPC offers the ability for a client to request connections to multiple endpoints, this event can occur
multiple times for a single RPC message.
:c: The connection.
:fid: File ID of the PIPE that carried the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
message. Zero will be used if the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` was
not transported over a pipe.
:ctx_id: The context identifier of the data representation.
:uuid: The string interpretted uuid of the endpoint being requested.
:ver_major: The major version of the endpoint being requested.
:ver_minor: The minor version of the endpoint being requested.
.. bro:see:: dce_rpc_message dce_rpc_bind_ack dce_rpc_request dce_rpc_response
.. bro:id:: dce_rpc_bind_ack
:Type: :bro:type:`event` (c: :bro:type:`connection`, fid: :bro:type:`count`, sec_addr: :bro:type:`string`)
Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` bind request ack message.
:c: The connection.
:fid: File ID of the PIPE that carried the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
message. Zero will be used if the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` was
not transported over a pipe.
:sec_addr: Secondary address for the ack.
.. bro:see:: dce_rpc_message dce_rpc_bind dce_rpc_request dce_rpc_response
.. bro:id:: dce_rpc_message
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, fid: :bro:type:`count`, ptype_id: :bro:type:`count`, ptype: :bro:type:`DCE_RPC::PType`)
Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` message.
:c: The connection.
:is_orig: True if the message was sent by the originator of the TCP connection.
:fid: File ID of the PIPE that carried the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
message. Zero will be used if the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` was
not transported over a pipe.
:ptype_id: Numeric representation of the procedure type of the message.
:ptype: Enum representation of the prodecure type of the message.
.. bro:see:: dce_rpc_bind dce_rpc_bind_ack dce_rpc_request dce_rpc_response
.. bro:id:: dce_rpc_request
:Type: :bro:type:`event` (c: :bro:type:`connection`, fid: :bro:type:`count`, ctx_id: :bro:type:`count`, opnum: :bro:type:`count`, stub_len: :bro:type:`count`)
Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` request message.
:c: The connection.
:fid: File ID of the PIPE that carried the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
message. Zero will be used if the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` was
not transported over a pipe.
:ctx_id: The context identifier of the data representation.
:opnum: Number of the RPC operation.
:stub_len: Length of the data for the request.
.. bro:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_response
.. bro:id:: dce_rpc_response
:Type: :bro:type:`event` (c: :bro:type:`connection`, fid: :bro:type:`count`, ctx_id: :bro:type:`count`, opnum: :bro:type:`count`, stub_len: :bro:type:`count`)
Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` response message.
:c: The connection.
:fid: File ID of the PIPE that carried the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
message. Zero will be used if the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` was
not transported over a pipe.
:ctx_id: The context identifier of the data representation.
:opnum: Number of the RPC operation.
:stub_len: Length of the data for the response.
.. bro:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_request


@ -0,0 +1,105 @@
:tocdepth: 3
base/bif/plugins/Bro_DCE_RPC.types.bif.bro
==========================================
.. bro:namespace:: DCE_RPC
.. bro:namespace:: GLOBAL
:Namespaces: DCE_RPC, GLOBAL
Summary
~~~~~~~
Types
#####
============================================ =
:bro:type:`DCE_RPC::IfID`: :bro:type:`enum`
:bro:type:`DCE_RPC::PType`: :bro:type:`enum`
============================================ =
Detailed Interface
~~~~~~~~~~~~~~~~~~
Types
#####
.. bro:type:: DCE_RPC::IfID
:Type: :bro:type:`enum`
.. bro:enum:: DCE_RPC::unknown_if DCE_RPC::IfID
.. bro:enum:: DCE_RPC::epmapper DCE_RPC::IfID
.. bro:enum:: DCE_RPC::lsarpc DCE_RPC::IfID
.. bro:enum:: DCE_RPC::lsa_ds DCE_RPC::IfID
.. bro:enum:: DCE_RPC::mgmt DCE_RPC::IfID
.. bro:enum:: DCE_RPC::netlogon DCE_RPC::IfID
.. bro:enum:: DCE_RPC::samr DCE_RPC::IfID
.. bro:enum:: DCE_RPC::srvsvc DCE_RPC::IfID
.. bro:enum:: DCE_RPC::spoolss DCE_RPC::IfID
.. bro:enum:: DCE_RPC::drs DCE_RPC::IfID
.. bro:enum:: DCE_RPC::winspipe DCE_RPC::IfID
.. bro:enum:: DCE_RPC::wkssvc DCE_RPC::IfID
.. bro:enum:: DCE_RPC::oxid DCE_RPC::IfID
.. bro:enum:: DCE_RPC::ISCMActivator DCE_RPC::IfID
.. bro:type:: DCE_RPC::PType
:Type: :bro:type:`enum`
.. bro:enum:: DCE_RPC::REQUEST DCE_RPC::PType
.. bro:enum:: DCE_RPC::PING DCE_RPC::PType
.. bro:enum:: DCE_RPC::RESPONSE DCE_RPC::PType
.. bro:enum:: DCE_RPC::FAULT DCE_RPC::PType
.. bro:enum:: DCE_RPC::WORKING DCE_RPC::PType
.. bro:enum:: DCE_RPC::NOCALL DCE_RPC::PType
.. bro:enum:: DCE_RPC::REJECT DCE_RPC::PType
.. bro:enum:: DCE_RPC::ACK DCE_RPC::PType
.. bro:enum:: DCE_RPC::CL_CANCEL DCE_RPC::PType
.. bro:enum:: DCE_RPC::FACK DCE_RPC::PType
.. bro:enum:: DCE_RPC::CANCEL_ACK DCE_RPC::PType
.. bro:enum:: DCE_RPC::BIND DCE_RPC::PType
.. bro:enum:: DCE_RPC::BIND_ACK DCE_RPC::PType
.. bro:enum:: DCE_RPC::BIND_NAK DCE_RPC::PType
.. bro:enum:: DCE_RPC::ALTER_CONTEXT DCE_RPC::PType
.. bro:enum:: DCE_RPC::ALTER_CONTEXT_RESP DCE_RPC::PType
.. bro:enum:: DCE_RPC::AUTH3 DCE_RPC::PType
.. bro:enum:: DCE_RPC::SHUTDOWN DCE_RPC::PType
.. bro:enum:: DCE_RPC::CO_CANCEL DCE_RPC::PType
.. bro:enum:: DCE_RPC::ORPHANED DCE_RPC::PType
.. bro:enum:: DCE_RPC::RTS DCE_RPC::PType


@ -0,0 +1,43 @@
:tocdepth: 3
base/bif/plugins/Bro_DHCP.events.bif.bro
========================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
========================================= ================================
:bro:id:`dhcp_message`: :bro:type:`event` Generated for all DHCP messages.
========================================= ================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. bro:id:: dhcp_message
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, msg: :bro:type:`DHCP::Msg`, options: :bro:type:`DHCP::Options`)
Generated for all DHCP messages.
:c: The connection record describing the underlying UDP flow.
:is_orig: Indicate if the message came in a packet from the
originator/client of the udp flow or the responder/server.
:msg: The parsed type-independent part of the DHCP message. The message
type is indicated in this record.
:options: The full set of supported and parsed DHCP options.


@ -0,0 +1,16 @@
:tocdepth: 3
base/bif/plugins/Bro_DHCP.types.bif.bro
=======================================
.. bro:namespace:: DHCP
.. bro:namespace:: GLOBAL
:Namespaces: DHCP, GLOBAL
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~


@ -0,0 +1,567 @@
:tocdepth: 3
base/bif/plugins/Bro_DNP3.events.bif.bro
========================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
==================================================================== ===========================================================================
:bro:id:`dnp3_analog_input_16wFlag`: :bro:type:`event` Generated for DNP3 objects with the group number 30 and variation number 2
analog input 16 bit with flag
:bro:id:`dnp3_analog_input_16woFlag`: :bro:type:`event` Generated for DNP3 objects with the group number 30 and variation number 4
analog input 16 bit without flag
:bro:id:`dnp3_analog_input_32wFlag`: :bro:type:`event` Generated for DNP3 objects with the group number 30 and variation number 1
analog input 32 bit with flag
:bro:id:`dnp3_analog_input_32woFlag`: :bro:type:`event` Generated for DNP3 objects with the group number 30 and variation number 3
analog input 32 bit without flag
:bro:id:`dnp3_analog_input_DPwFlag`: :bro:type:`event` Generated for DNP3 objects with the group number 30 and variation number 6
analog input double precision, float point with flag
:bro:id:`dnp3_analog_input_SPwFlag`: :bro:type:`event` Generated for DNP3 objects with the group number 30 and variation number 5
analog input single precision, float point with flag
:bro:id:`dnp3_analog_input_event_16wTime`: :bro:type:`event` Generated for DNP3 objects with the group number 32 and variation number 4
analog input event 16 bit with time
:bro:id:`dnp3_analog_input_event_16woTime`: :bro:type:`event` Generated for DNP3 objects with the group number 32 and variation number 2
analog input event 16 bit without time
:bro:id:`dnp3_analog_input_event_32wTime`: :bro:type:`event` Generated for DNP3 objects with the group number 32 and variation number 3
analog input event 32 bit with time
:bro:id:`dnp3_analog_input_event_32woTime`: :bro:type:`event` Generated for DNP3 objects with the group number 32 and variation number 1
analog input event 32 bit without time
:bro:id:`dnp3_analog_input_event_DPwTime`: :bro:type:`event` Generated for DNP3 objects with the group number 32 and variation number 8
analog input event double-precisiion float point with time
:bro:id:`dnp3_analog_input_event_DPwoTime`: :bro:type:`event` Generated for DNP3 objects with the group number 32 and variation number 6
analog input event double-precision float point without time
:bro:id:`dnp3_analog_input_event_SPwTime`: :bro:type:`event` Generated for DNP3 objects with the group number 32 and variation number 7
analog input event single-precision float point with time
:bro:id:`dnp3_analog_input_event_SPwoTime`: :bro:type:`event` Generated for DNP3 objects with the group number 32 and variation number 5
analog input event single-precision float point without time
:bro:id:`dnp3_application_request_header`: :bro:type:`event` Generated for a DNP3 request header.
:bro:id:`dnp3_application_response_header`: :bro:type:`event` Generated for a DNP3 response header.
:bro:id:`dnp3_attribute_common`: :bro:type:`event` Generated for DNP3 attributes.
:bro:id:`dnp3_counter_16wFlag`: :bro:type:`event` Generated for DNP3 objects with the group number 20 and variation number 2
counter 16 bit with flag
:bro:id:`dnp3_counter_16woFlag`: :bro:type:`event` Generated for DNP3 objects with the group number 20 and variation number 6
counter 16 bit without flag
:bro:id:`dnp3_counter_32wFlag`: :bro:type:`event` Generated for DNP3 objects with the group number 20 and variation number 1
counter 32 bit with flag
:bro:id:`dnp3_counter_32woFlag`: :bro:type:`event` Generated for DNP3 objects with the group number 20 and variation number 5
counter 32 bit without flag
:bro:id:`dnp3_crob`: :bro:type:`event` Generated for DNP3 objects with the group number 12 and variation number 1
CROB: control relay output block
:bro:id:`dnp3_debug_byte`: :bro:type:`event` Debugging event generated by the DNP3 analyzer.
:bro:id:`dnp3_file_transport`: :bro:type:`event` g70
:bro:id:`dnp3_frozen_analog_input_16wFlag`: :bro:type:`event` Generated for DNP3 objects with the group number 31 and variation number 2
frozen analog input 16 bit with flag
:bro:id:`dnp3_frozen_analog_input_16wTime`: :bro:type:`event` Generated for DNP3 objects with the group number 31 and variation number 4
frozen analog input 16 bit with time-of-freeze
:bro:id:`dnp3_frozen_analog_input_16woFlag`: :bro:type:`event` Generated for DNP3 objects with the group number 31 and variation number 6
frozen analog input 16 bit without flag
:bro:id:`dnp3_frozen_analog_input_32wFlag`: :bro:type:`event` Generated for DNP3 objects with the group number 31 and variation number 1
frozen analog input 32 bit with flag
:bro:id:`dnp3_frozen_analog_input_32wTime`: :bro:type:`event` Generated for DNP3 objects with the group number 31 and variation number 3
frozen analog input 32 bit with time-of-freeze
:bro:id:`dnp3_frozen_analog_input_32woFlag`: :bro:type:`event` Generated for DNP3 objects with the group number 31 and variation number 5
frozen analog input 32 bit without flag
:bro:id:`dnp3_frozen_analog_input_DPwFlag`: :bro:type:`event` Generated for DNP3 objects with the group number 31 and variation number 8
frozen analog input double-precision, float point with flag
:bro:id:`dnp3_frozen_analog_input_SPwFlag`: :bro:type:`event` Generated for DNP3 objects with the group number 31 and variation number 7
frozen analog input single-precision, float point with flag
:bro:id:`dnp3_frozen_analog_input_event_16wTime`: :bro:type:`event` Generated for DNP3 objects with the group number 33 and variation number 4
frozen analog input event 16 bit with time
:bro:id:`dnp3_frozen_analog_input_event_16woTime`: :bro:type:`event` Generated for DNP3 objects with the group number 33 and variation number 2
frozen analog input event 16 bit without time
:bro:id:`dnp3_frozen_analog_input_event_32wTime`: :bro:type:`event` Generated for DNP3 objects with the group number 33 and variation number 3
frozen analog input event 32 bit with time
:bro:id:`dnp3_frozen_analog_input_event_32woTime`: :bro:type:`event` Generated for DNP3 objects with the group number 33 and variation number 1
frozen analog input event 32 bit without time
:bro:id:`dnp3_frozen_analog_input_event_DPwTime`: :bro:type:`event` Generated for DNP3 objects with the group number 34 and variation number 8
frozen analog input event double-precision float point with time
:bro:id:`dnp3_frozen_analog_input_event_DPwoTime`: :bro:type:`event` Generated for DNP3 objects with the group number 33 and variation number 6
frozen analog input event double-precision float point without time
:bro:id:`dnp3_frozen_analog_input_event_SPwTime`: :bro:type:`event` Generated for DNP3 objects with the group number 33 and variation number 7
frozen analog input event single-precision float point with time
:bro:id:`dnp3_frozen_analog_input_event_SPwoTime`: :bro:type:`event` Generated for DNP3 objects with the group number 33 and variation number 5
frozen analog input event single-precision float point without time
:bro:id:`dnp3_frozen_counter_16wFlag`: :bro:type:`event` Generated for DNP3 objects with the group number 21 and variation number 2
frozen counter 16 bit with flag
:bro:id:`dnp3_frozen_counter_16wFlagTime`: :bro:type:`event` Generated for DNP3 objects with the group number 21 and variation number 6
frozen counter 16 bit with flag and time
:bro:id:`dnp3_frozen_counter_16woFlag`: :bro:type:`event` Generated for DNP3 objects with the group number 21 and variation number 10
frozen counter 16 bit without flag
:bro:id:`dnp3_frozen_counter_32wFlag`: :bro:type:`event` Generated for DNP3 objects with the group number 21 and variation number 1
frozen counter 32 bit with flag
:bro:id:`dnp3_frozen_counter_32wFlagTime`: :bro:type:`event` Generated for DNP3 objects with the group number 21 and variation number 5
frozen counter 32 bit with flag and time
:bro:id:`dnp3_frozen_counter_32woFlag`: :bro:type:`event` Generated for DNP3 objects with the group number 21 and variation number 9
frozen counter 32 bit without flag
:bro:id:`dnp3_header_block`: :bro:type:`event` Generated for an additional header that the DNP3 analyzer passes to the
script-level.
:bro:id:`dnp3_object_header`: :bro:type:`event` Generated for the object header found in both DNP3 requests and responses.
:bro:id:`dnp3_object_prefix`: :bro:type:`event` Generated for the prefix before a DNP3 object.
:bro:id:`dnp3_pcb`: :bro:type:`event` Generated for DNP3 objects with the group number 12 and variation number 2
PCB: Pattern Control Block
:bro:id:`dnp3_response_data_object`: :bro:type:`event` Generated for a DNP3 "Response_Data_Object".
==================================================================== ===========================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. bro:id:: dnp3_analog_input_16wFlag
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, flag: :bro:type:`count`, value: :bro:type:`count`)
Generated for DNP3 objects with the group number 30 and variation number 2
analog input 16 bit with flag
.. bro:id:: dnp3_analog_input_16woFlag
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, value: :bro:type:`count`)
Generated for DNP3 objects with the group number 30 and variation number 4
analog input 16 bit without flag
.. bro:id:: dnp3_analog_input_32wFlag
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, flag: :bro:type:`count`, value: :bro:type:`count`)
Generated for DNP3 objects with the group number 30 and variation number 1
analog input 32 bit with flag
.. bro:id:: dnp3_analog_input_32woFlag
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, value: :bro:type:`count`)
Generated for DNP3 objects with the group number 30 and variation number 3
analog input 32 bit without flag
.. bro:id:: dnp3_analog_input_DPwFlag
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, flag: :bro:type:`count`, value_low: :bro:type:`count`, value_high: :bro:type:`count`)
Generated for DNP3 objects with the group number 30 and variation number 6
analog input double precision, float point with flag
.. bro:id:: dnp3_analog_input_SPwFlag
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, flag: :bro:type:`count`, value: :bro:type:`count`)
Generated for DNP3 objects with the group number 30 and variation number 5
analog input single precision, float point with flag
.. bro:id:: dnp3_analog_input_event_16wTime
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, flag: :bro:type:`count`, value: :bro:type:`count`, time48: :bro:type:`count`)
Generated for DNP3 objects with the group number 32 and variation number 4
analog input event 16 bit with time
.. bro:id:: dnp3_analog_input_event_16woTime
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, flag: :bro:type:`count`, value: :bro:type:`count`)
Generated for DNP3 objects with the group number 32 and variation number 2
analog input event 16 bit without time
.. bro:id:: dnp3_analog_input_event_32wTime
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, flag: :bro:type:`count`, value: :bro:type:`count`, time48: :bro:type:`count`)
Generated for DNP3 objects with the group number 32 and variation number 3
analog input event 32 bit with time
.. bro:id:: dnp3_analog_input_event_32woTime
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, flag: :bro:type:`count`, value: :bro:type:`count`)
Generated for DNP3 objects with the group number 32 and variation number 1
analog input event 32 bit without time
.. bro:id:: dnp3_analog_input_event_DPwTime
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, flag: :bro:type:`count`, value_low: :bro:type:`count`, value_high: :bro:type:`count`, time48: :bro:type:`count`)
Generated for DNP3 objects with the group number 32 and variation number 8
analog input event double-precisiion float point with time
.. bro:id:: dnp3_analog_input_event_DPwoTime
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, flag: :bro:type:`count`, value_low: :bro:type:`count`, value_high: :bro:type:`count`)
Generated for DNP3 objects with the group number 32 and variation number 6
analog input event double-precision float point without time
.. bro:id:: dnp3_analog_input_event_SPwTime
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, flag: :bro:type:`count`, value: :bro:type:`count`, time48: :bro:type:`count`)
Generated for DNP3 objects with the group number 32 and variation number 7
analog input event single-precision float point with time
.. bro:id:: dnp3_analog_input_event_SPwoTime
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, flag: :bro:type:`count`, value: :bro:type:`count`)
Generated for DNP3 objects with the group number 32 and variation number 5
analog input event single-precision float point without time
.. bro:id:: dnp3_application_request_header
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, application: :bro:type:`count`, fc: :bro:type:`count`)
Generated for a DNP3 request header.
:c: The connection the DNP3 communication is part of.
:is_orig: True if this reflects originator-side activity.
:fc: function code.
.. bro:id:: dnp3_application_response_header
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, application: :bro:type:`count`, fc: :bro:type:`count`, iin: :bro:type:`count`)
Generated for a DNP3 response header.
:c: The connection the DNP3 communication is part of.
:is_orig: True if this reflects originator-side activity.
:fc: function code.
:iin: internal indication number.
.. bro:id:: dnp3_attribute_common
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, data_type_code: :bro:type:`count`, leng: :bro:type:`count`, attribute_obj: :bro:type:`string`)
Generated for DNP3 attributes.
.. bro:id:: dnp3_counter_16wFlag
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, flag: :bro:type:`count`, count_value: :bro:type:`count`)
Generated for DNP3 objects with the group number 20 and variation number 2
counter 16 bit with flag
.. bro:id:: dnp3_counter_16woFlag
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, count_value: :bro:type:`count`)
Generated for DNP3 objects with the group number 20 and variation number 6
counter 16 bit without flag
.. bro:id:: dnp3_counter_32wFlag
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, flag: :bro:type:`count`, count_value: :bro:type:`count`)
Generated for DNP3 objects with the group number 20 and variation number 1
counter 32 bit with flag
.. bro:id:: dnp3_counter_32woFlag
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, count_value: :bro:type:`count`)
Generated for DNP3 objects with the group number 20 and variation number 5
counter 32 bit without flag
.. bro:id:: dnp3_crob
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, control_code: :bro:type:`count`, count8: :bro:type:`count`, on_time: :bro:type:`count`, off_time: :bro:type:`count`, status_code: :bro:type:`count`)
Generated for DNP3 objects with the group number 12 and variation number 1
:CROB: control relay output block
.. bro:id:: dnp3_debug_byte
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, debug: :bro:type:`string`)
Debugging event generated by the DNP3 analyzer. The "Debug_Byte" binpac unit
generates this for unknown "cases". The user can use it to debug the byte
string to check what caused the malformed network packets.
.. bro:id:: dnp3_file_transport
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, file_handle: :bro:type:`count`, block_num: :bro:type:`count`, file_data: :bro:type:`string`)
g70
.. bro:id:: dnp3_frozen_analog_input_16wFlag
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, flag: :bro:type:`count`, frozen_value: :bro:type:`count`)
Generated for DNP3 objects with the group number 31 and variation number 2
frozen analog input 16 bit with flag
.. bro:id:: dnp3_frozen_analog_input_16wTime
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, flag: :bro:type:`count`, frozen_value: :bro:type:`count`, time48: :bro:type:`count`)
Generated for DNP3 objects with the group number 31 and variation number 4
frozen analog input 16 bit with time-of-freeze
.. bro:id:: dnp3_frozen_analog_input_16woFlag
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, frozen_value: :bro:type:`count`)
Generated for DNP3 objects with the group number 31 and variation number 6
frozen analog input 16 bit without flag
.. bro:id:: dnp3_frozen_analog_input_32wFlag
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, flag: :bro:type:`count`, frozen_value: :bro:type:`count`)
Generated for DNP3 objects with the group number 31 and variation number 1
frozen analog input 32 bit with flag
.. bro:id:: dnp3_frozen_analog_input_32wTime
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, flag: :bro:type:`count`, frozen_value: :bro:type:`count`, time48: :bro:type:`count`)
Generated for DNP3 objects with the group number 31 and variation number 3
frozen analog input 32 bit with time-of-freeze
.. bro:id:: dnp3_frozen_analog_input_32woFlag
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, frozen_value: :bro:type:`count`)
Generated for DNP3 objects with the group number 31 and variation number 5
frozen analog input 32 bit without flag
.. bro:id:: dnp3_frozen_analog_input_DPwFlag
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, flag: :bro:type:`count`, frozen_value_low: :bro:type:`count`, frozen_value_high: :bro:type:`count`)
Generated for DNP3 objects with the group number 31 and variation number 8
frozen analog input double-precision, float point with flag
.. bro:id:: dnp3_frozen_analog_input_SPwFlag
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, flag: :bro:type:`count`, frozen_value: :bro:type:`count`)
Generated for DNP3 objects with the group number 31 and variation number 7
frozen analog input single-precision, float point with flag
.. bro:id:: dnp3_frozen_analog_input_event_16wTime
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, flag: :bro:type:`count`, frozen_value: :bro:type:`count`, time48: :bro:type:`count`)
Generated for DNP3 objects with the group number 33 and variation number 4
frozen analog input event 16 bit with time
.. bro:id:: dnp3_frozen_analog_input_event_16woTime
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, flag: :bro:type:`count`, frozen_value: :bro:type:`count`)
Generated for DNP3 objects with the group number 33 and variation number 2
frozen analog input event 16 bit without time
.. bro:id:: dnp3_frozen_analog_input_event_32wTime
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, flag: :bro:type:`count`, frozen_value: :bro:type:`count`, time48: :bro:type:`count`)
Generated for DNP3 objects with the group number 33 and variation number 3
frozen analog input event 32 bit with time
.. bro:id:: dnp3_frozen_analog_input_event_32woTime
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, flag: :bro:type:`count`, frozen_value: :bro:type:`count`)
Generated for DNP3 objects with the group number 33 and variation number 1
frozen analog input event 32 bit without time
.. bro:id:: dnp3_frozen_analog_input_event_DPwTime
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, flag: :bro:type:`count`, frozen_value_low: :bro:type:`count`, frozen_value_high: :bro:type:`count`, time48: :bro:type:`count`)
Generated for DNP3 objects with the group number 34 and variation number 8
frozen analog input event double-precision float point with time
.. bro:id:: dnp3_frozen_analog_input_event_DPwoTime
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, flag: :bro:type:`count`, frozen_value_low: :bro:type:`count`, frozen_value_high: :bro:type:`count`)
Generated for DNP3 objects with the group number 33 and variation number 6
frozen analog input event double-precision float point without time
.. bro:id:: dnp3_frozen_analog_input_event_SPwTime
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, flag: :bro:type:`count`, frozen_value: :bro:type:`count`, time48: :bro:type:`count`)
Generated for DNP3 objects with the group number 33 and variation number 7
frozen analog input event single-precision float point with time
.. bro:id:: dnp3_frozen_analog_input_event_SPwoTime
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, flag: :bro:type:`count`, frozen_value: :bro:type:`count`)
Generated for DNP3 objects with the group number 33 and variation number 5
frozen analog input event single-precision float point without time
.. bro:id:: dnp3_frozen_counter_16wFlag
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, flag: :bro:type:`count`, count_value: :bro:type:`count`)
Generated for DNP3 objects with the group number 21 and variation number 2
frozen counter 16 bit with flag
.. bro:id:: dnp3_frozen_counter_16wFlagTime
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, flag: :bro:type:`count`, count_value: :bro:type:`count`, time48: :bro:type:`count`)
Generated for DNP3 objects with the group number 21 and variation number 6
frozen counter 16 bit with flag and time
.. bro:id:: dnp3_frozen_counter_16woFlag
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, count_value: :bro:type:`count`)
Generated for DNP3 objects with the group number 21 and variation number 10
frozen counter 16 bit without flag
.. bro:id:: dnp3_frozen_counter_32wFlag
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, flag: :bro:type:`count`, count_value: :bro:type:`count`)
Generated for DNP3 objects with the group number 21 and variation number 1
frozen counter 32 bit with flag
.. bro:id:: dnp3_frozen_counter_32wFlagTime
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, flag: :bro:type:`count`, count_value: :bro:type:`count`, time48: :bro:type:`count`)
Generated for DNP3 objects with the group number 21 and variation number 5
frozen counter 32 bit with flag and time
.. bro:id:: dnp3_frozen_counter_32woFlag
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, count_value: :bro:type:`count`)
Generated for DNP3 objects with the group number 21 and variation number 9
frozen counter 32 bit without flag
.. bro:id:: dnp3_header_block
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, len: :bro:type:`count`, ctrl: :bro:type:`count`, dest_addr: :bro:type:`count`, src_addr: :bro:type:`count`)
Generated for an additional header that the DNP3 analyzer passes to the
script-level. This header mimics the DNP3 transport-layer yet is only passed
once for each sequence of DNP3 records (which are otherwise reassembled and
treated as a single entity).
:c: The connection the DNP3 communication is part of.
:is_orig: True if this reflects originator-side activity.
:len: the "length" field in the DNP3 Pseudo Link Layer.
:ctrl: the "control" field in the DNP3 Pseudo Link Layer.
:dest_addr: the "destination" field in the DNP3 Pseudo Link Layer.
:src_addr: the "source" field in the DNP3 Pseudo Link Layer.
.. bro:id:: dnp3_object_header
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, obj_type: :bro:type:`count`, qua_field: :bro:type:`count`, number: :bro:type:`count`, rf_low: :bro:type:`count`, rf_high: :bro:type:`count`)
Generated for the object header found in both DNP3 requests and responses.
:c: The connection the DNP3 communication is part of.
:is_orig: True if this reflects originator-side activity.
:obj_type: type of object, which is classified based on an 8-bit group number
and an 8-bit variation number.
:qua_field: qualifier field.
:number: TODO.
:rf_low: the structure of the range field depends on the qualified field.
In some cases, the range field contains only one logic part, e.g.,
number of objects, so only *rf_low* contains useful values.
:rf_high: in some cases, the range field contains two logic parts, e.g., start
index and stop index, so *rf_low* contains the start index
while *rf_high* contains the stop index.
.. bro:id:: dnp3_object_prefix
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, prefix_value: :bro:type:`count`)
Generated for the prefix before a DNP3 object. The structure and the meaning
of the prefix are defined by the qualifier field.
:c: The connection the DNP3 communication is part of.
:is_orig: True if this reflects originator-side activity.
:prefix_value: The prefix.
.. bro:id:: dnp3_pcb
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, control_code: :bro:type:`count`, count8: :bro:type:`count`, on_time: :bro:type:`count`, off_time: :bro:type:`count`, status_code: :bro:type:`count`)
Generated for DNP3 objects with the group number 12 and variation number 2
:PCB: Pattern Control Block
.. bro:id:: dnp3_response_data_object
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, data_value: :bro:type:`count`)
Generated for a DNP3 "Response_Data_Object".
The "Response_Data_Object" contains two parts: object prefix and object
data. In most cases, object data are defined by new record types. But
in a few cases, object data are directly basic types, such as int16, or
int8; thus we use an additional *data_value* to record the values of those
object data.
:c: The connection the DNP3 communication is part of.
:is_orig: True if this reflects originator-side activity.
:data_value: The value for those objects that carry their information here
directly.


@ -0,0 +1,838 @@
:tocdepth: 3
base/bif/plugins/Bro_DNS.events.bif.bro
=======================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
============================================== ================================================================================
:bro:id:`dns_A6_reply`: :bro:type:`event` Generated for DNS replies of type *A6*.
:bro:id:`dns_AAAA_reply`: :bro:type:`event` Generated for DNS replies of type *AAAA*.
:bro:id:`dns_A_reply`: :bro:type:`event` Generated for DNS replies of type *A*.
:bro:id:`dns_CAA_reply`: :bro:type:`event` Generated for DNS replies of type *CAA* (Certification Authority Authorization).
:bro:id:`dns_CNAME_reply`: :bro:type:`event` Generated for DNS replies of type *CNAME*.
:bro:id:`dns_DNSKEY`: :bro:type:`event` Generated for DNS replies of type *DNSKEY*.
:bro:id:`dns_DS`: :bro:type:`event` Generated for DNS replies of type *DS*.
:bro:id:`dns_EDNS_addl`: :bro:type:`event` Generated for DNS replies of type *EDNS*.
:bro:id:`dns_HINFO_reply`: :bro:type:`event` Generated for DNS replies of type *HINFO*.
:bro:id:`dns_MX_reply`: :bro:type:`event` Generated for DNS replies of type *MX*.
:bro:id:`dns_NSEC`: :bro:type:`event` Generated for DNS replies of type *NSEC*.
:bro:id:`dns_NSEC3`: :bro:type:`event` Generated for DNS replies of type *NSEC3*.
:bro:id:`dns_NS_reply`: :bro:type:`event` Generated for DNS replies of type *NS*.
:bro:id:`dns_PTR_reply`: :bro:type:`event` Generated for DNS replies of type *PTR*.
:bro:id:`dns_RRSIG`: :bro:type:`event` Generated for DNS replies of type *RRSIG*.
:bro:id:`dns_SOA_reply`: :bro:type:`event` Generated for DNS replies of type *CNAME*.
:bro:id:`dns_SRV_reply`: :bro:type:`event` Generated for DNS replies of type *SRV*.
:bro:id:`dns_TSIG_addl`: :bro:type:`event` Generated for DNS replies of type *TSIG*.
:bro:id:`dns_TXT_reply`: :bro:type:`event` Generated for DNS replies of type *TXT*.
:bro:id:`dns_WKS_reply`: :bro:type:`event` Generated for DNS replies of type *WKS*.
:bro:id:`dns_end`: :bro:type:`event` Generated at the end of processing a DNS packet.
:bro:id:`dns_full_request`: :bro:type:`event` Deprecated.
:bro:id:`dns_message`: :bro:type:`event` Generated for all DNS messages.
:bro:id:`dns_query_reply`: :bro:type:`event` Generated for each entry in the Question section of a DNS reply.
:bro:id:`dns_rejected`: :bro:type:`event` Generated for DNS replies that reject a query.
:bro:id:`dns_request`: :bro:type:`event` Generated for DNS requests.
:bro:id:`dns_unknown_reply`: :bro:type:`event` Generated on DNS reply resource records when the type of record is not one
that Bro knows how to parse and generate another more specific event.
:bro:id:`non_dns_request`: :bro:type:`event` msg: The raw DNS payload.
============================================== ================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. bro:id:: dns_A6_reply
:Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`dns_msg`, ans: :bro:type:`dns_answer`, a: :bro:type:`addr`)
Generated for DNS replies of type *A6*. For replies with multiple answers, an
individual event of the corresponding type is raised for each.
See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
information about the DNS protocol. Bro analyzes both UDP and TCP DNS
sessions.
:c: The connection, which may be UDP or TCP depending on the type of the
transport-layer session being analyzed.
:msg: The parsed DNS message header.
:ans: The type-independent part of the parsed answer record.
:a: The address returned by the reply.
.. bro:see:: dns_A_reply dns_AAAA_reply dns_CNAME_reply dns_EDNS_addl dns_HINFO_reply dns_MX_reply
dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
dns_skip_all_addl dns_skip_all_auth dns_skip_auth
.. bro:id:: dns_AAAA_reply
:Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`dns_msg`, ans: :bro:type:`dns_answer`, a: :bro:type:`addr`)
Generated for DNS replies of type *AAAA*. For replies with multiple answers,
an individual event of the corresponding type is raised for each.
See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
information about the DNS protocol. Bro analyzes both UDP and TCP DNS
sessions.
:c: The connection, which may be UDP or TCP depending on the type of the
transport-layer session being analyzed.
:msg: The parsed DNS message header.
:ans: The type-independent part of the parsed answer record.
:a: The address returned by the reply.
.. bro:see:: dns_A_reply dns_A6_reply dns_CNAME_reply dns_EDNS_addl dns_HINFO_reply dns_MX_reply
dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
dns_skip_all_addl dns_skip_all_auth dns_skip_auth
.. bro:id:: dns_A_reply
:Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`dns_msg`, ans: :bro:type:`dns_answer`, a: :bro:type:`addr`)
Generated for DNS replies of type *A*. For replies with multiple answers, an
individual event of the corresponding type is raised for each.
See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
information about the DNS protocol. Bro analyzes both UDP and TCP DNS
sessions.
:c: The connection, which may be UDP or TCP depending on the type of the
transport-layer session being analyzed.
:msg: The parsed DNS message header.
:ans: The type-independent part of the parsed answer record.
:a: The address returned by the reply.
.. bro:see:: dns_AAAA_reply dns_A6_reply dns_CNAME_reply dns_EDNS_addl dns_HINFO_reply
dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply
dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
.. bro:id:: dns_CAA_reply
:Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`dns_msg`, ans: :bro:type:`dns_answer`, flags: :bro:type:`count`, tag: :bro:type:`string`, value: :bro:type:`string`)
Generated for DNS replies of type *CAA* (Certification Authority Authorization).
For replies with multiple answers, an individual event of the corresponding type
is raised for each.
See `RFC 6844 <https://tools.ietf.org/html/rfc6844>`__ for more details.
:c: The connection, which may be UDP or TCP depending on the type of the
transport-layer session being analyzed.
:msg: The parsed DNS message header.
:ans: The type-independent part of the parsed answer record.
:flags: The flags byte of the CAA reply.
:tag: The property identifier of the CAA reply.
:value: The property value of the CAA reply.
.. bro:id:: dns_CNAME_reply
:Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`dns_msg`, ans: :bro:type:`dns_answer`, name: :bro:type:`string`)
Generated for DNS replies of type *CNAME*. For replies with multiple answers,
an individual event of the corresponding type is raised for each.
See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
information about the DNS protocol. Bro analyzes both UDP and TCP DNS
sessions.
:c: The connection, which may be UDP or TCP depending on the type of the
transport-layer session being analyzed.
:msg: The parsed DNS message header.
:ans: The type-independent part of the parsed answer record.
:name: The name returned by the reply.
.. bro:see:: dns_AAAA_reply dns_A_reply dns_EDNS_addl dns_HINFO_reply dns_MX_reply
dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
dns_skip_all_addl dns_skip_all_auth dns_skip_auth
.. bro:id:: dns_DNSKEY
:Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`dns_msg`, ans: :bro:type:`dns_answer`, dnskey: :bro:type:`dns_dnskey_rr`)
Generated for DNS replies of type *DNSKEY*. For replies with multiple answers,
an individual event of the corresponding type is raised for each.
:c: The connection, which may be UDP or TCP depending on the type of the
transport-layer session being analyzed.
:msg: The parsed DNS message header.
:ans: The type-independent part of the parsed answer record.
:dnskey: The parsed DNSKEY record.
.. bro:id:: dns_DS
:Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`dns_msg`, ans: :bro:type:`dns_answer`, ds: :bro:type:`dns_ds_rr`)
Generated for DNS replies of type *DS*. For replies with multiple answers,
an individual event of the corresponding type is raised for each.
:c: The connection, which may be UDP or TCP depending on the type of the
transport-layer session being analyzed.
:msg: The parsed DNS message header.
:ans: The type-independent part of the parsed answer record.
:ds: The parsed RDATA of DS record.
.. bro:id:: dns_EDNS_addl
:Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`dns_msg`, ans: :bro:type:`dns_edns_additional`)
Generated for DNS replies of type *EDNS*. For replies with multiple answers,
an individual event of the corresponding type is raised for each.
See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
information about the DNS protocol. Bro analyzes both UDP and TCP DNS
sessions.
:c: The connection, which may be UDP or TCP depending on the type of the
transport-layer session being analyzed.
:msg: The parsed DNS message header.
:ans: The parsed EDNS reply.
.. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_HINFO_reply dns_MX_reply
dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
dns_skip_all_addl dns_skip_all_auth dns_skip_auth
.. bro:id:: dns_HINFO_reply
:Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`dns_msg`, ans: :bro:type:`dns_answer`)
Generated for DNS replies of type *HINFO*. For replies with multiple answers,
an individual event of the corresponding type is raised for each.
See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
information about the DNS protocol. Bro analyzes both UDP and TCP DNS
sessions.
:c: The connection, which may be UDP or TCP depending on the type of the
transport-layer session being analyzed.
:msg: The parsed DNS message header.
:ans: The type-independent part of the parsed answer record.
.. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl dns_MX_reply
dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
dns_skip_all_addl dns_skip_all_auth dns_skip_auth
.. bro:id:: dns_MX_reply
:Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`dns_msg`, ans: :bro:type:`dns_answer`, name: :bro:type:`string`, preference: :bro:type:`count`)
Generated for DNS replies of type *MX*. For replies with multiple answers, an
individual event of the corresponding type is raised for each.
See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
information about the DNS protocol. Bro analyzes both UDP and TCP DNS
sessions.
:c: The connection, which may be UDP or TCP depending on the type of the
transport-layer session being analyzed.
:msg: The parsed DNS message header.
:ans: The type-independent part of the parsed answer record.
:name: The name returned by the reply.
:preference: The preference for *name* specified by the reply.
.. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
dns_HINFO_reply dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply
dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
.. bro:id:: dns_NSEC
:Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`dns_msg`, ans: :bro:type:`dns_answer`, next_name: :bro:type:`string`, bitmaps: :bro:type:`string_vec`)
Generated for DNS replies of type *NSEC*. For replies with multiple answers,
an individual event of the corresponding type is raised for each.
:c: The connection, which may be UDP or TCP depending on the type of the
transport-layer session being analyzed.
:msg: The parsed DNS message header.
:ans: The type-independent part of the parsed answer record.
:next_name: The parsed next secure domain name.
:bitmaps: vector of strings in hex for the bit maps present.
.. bro:id:: dns_NSEC3
:Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`dns_msg`, ans: :bro:type:`dns_answer`, nsec3: :bro:type:`dns_nsec3_rr`)
Generated for DNS replies of type *NSEC3*. For replies with multiple answers,
an individual event of the corresponding type is raised for each.
:c: The connection, which may be UDP or TCP depending on the type of the
transport-layer session being analyzed.
:msg: The parsed DNS message header.
:ans: The type-independent part of the parsed answer record.
:nsec3: The parsed RDATA of Nsec3 record.
.. bro:id:: dns_NS_reply
:Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`dns_msg`, ans: :bro:type:`dns_answer`, name: :bro:type:`string`)
Generated for DNS replies of type *NS*. For replies with multiple answers, an
individual event of the corresponding type is raised for each.
See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
information about the DNS protocol. Bro analyzes both UDP and TCP DNS
sessions.
:c: The connection, which may be UDP or TCP depending on the type of the
transport-layer session being analyzed.
:msg: The parsed DNS message header.
:ans: The type-independent part of the parsed answer record.
:name: The name returned by the reply.
.. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
dns_HINFO_reply dns_MX_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply
dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
.. bro:id:: dns_PTR_reply
:Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`dns_msg`, ans: :bro:type:`dns_answer`, name: :bro:type:`string`)
Generated for DNS replies of type *PTR*. For replies with multiple answers,
an individual event of the corresponding type is raised for each.
See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
information about the DNS protocol. Bro analyzes both UDP and TCP DNS
sessions.
:c: The connection, which may be UDP or TCP depending on the type of the
transport-layer session being analyzed.
:msg: The parsed DNS message header.
:ans: The type-independent part of the parsed answer record.
:name: The name returned by the reply.
.. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
dns_HINFO_reply dns_MX_reply dns_NS_reply dns_SOA_reply dns_SRV_reply
dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
.. bro:id:: dns_RRSIG
:Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`dns_msg`, ans: :bro:type:`dns_answer`, rrsig: :bro:type:`dns_rrsig_rr`)
Generated for DNS replies of type *RRSIG*. For replies with multiple answers,
an individual event of the corresponding type is raised for each.
:c: The connection, which may be UDP or TCP depending on the type of the
transport-layer session being analyzed.
:msg: The parsed DNS message header.
:ans: The type-independent part of the parsed answer record.
:rrsig: The parsed RRSIG record.
.. bro:id:: dns_SOA_reply
:Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`dns_msg`, ans: :bro:type:`dns_answer`, soa: :bro:type:`dns_soa`)
Generated for DNS replies of type *CNAME*. For replies with multiple answers,
an individual event of the corresponding type is raised for each.
See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
information about the DNS protocol. Bro analyzes both UDP and TCP DNS
sessions.
:c: The connection, which may be UDP or TCP depending on the type of the
transport-layer session being analyzed.
:msg: The parsed DNS message header.
:ans: The type-independent part of the parsed answer record.
:soa: The parsed SOA value.
.. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SRV_reply
dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
.. bro:id:: dns_SRV_reply
:Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`dns_msg`, ans: :bro:type:`dns_answer`, target: :bro:type:`string`, priority: :bro:type:`count`, weight: :bro:type:`count`, p: :bro:type:`count`)
Generated for DNS replies of type *SRV*. For replies with multiple answers,
an individual event of the corresponding type is raised for each.
See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
information about the DNS protocol. Bro analyzes both UDP and TCP DNS
sessions.
:c: The connection, which may be UDP or TCP depending on the type of the
transport-layer session being analyzed.
:msg: The parsed DNS message header.
:ans: The type-independent part of the parsed answer record.
:target: Target of the SRV response -- the canonical hostname of the
machine providing the service, ending in a dot.
:priority: Priority of the SRV response -- the priority of the target
host, lower value means more preferred.
:weight: Weight of the SRV response -- a relative weight for records
with the same priority, higher value means more preferred.
:p: Port of the SRV response -- the TCP or UDP port on which the
service is to be found.
.. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
.. bro:id:: dns_TSIG_addl
:Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`dns_msg`, ans: :bro:type:`dns_tsig_additional`)
Generated for DNS replies of type *TSIG*. For replies with multiple answers,
an individual event of the corresponding type is raised for each.
See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
information about the DNS protocol. Bro analyzes both UDP and TCP DNS
sessions.
:c: The connection, which may be UDP or TCP depending on the type of the
transport-layer session being analyzed.
:msg: The parsed DNS message header.
:ans: The parsed TSIG reply.
.. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
dns_SRV_reply dns_TXT_reply dns_WKS_reply dns_end dns_full_request
dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
.. bro:id:: dns_TXT_reply
:Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`dns_msg`, ans: :bro:type:`dns_answer`, strs: :bro:type:`string_vec`)
Generated for DNS replies of type *TXT*. For replies with multiple answers,
an individual event of the corresponding type is raised for each.
See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
information about the DNS protocol. Bro analyzes both UDP and TCP DNS
sessions.
:c: The connection, which may be UDP or TCP depending on the type of the
transport-layer session being analyzed.
:msg: The parsed DNS message header.
:ans: The type-independent part of the parsed answer record.
:strs: The textual information returned by the reply.
.. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
dns_SRV_reply dns_TSIG_addl dns_WKS_reply dns_end dns_full_request
dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
.. bro:id:: dns_WKS_reply
:Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`dns_msg`, ans: :bro:type:`dns_answer`)
Generated for DNS replies of type *WKS*. For replies with multiple answers,
an individual event of the corresponding type is raised for each.
See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
information about the DNS protocol. Bro analyzes both UDP and TCP DNS
sessions.
:c: The connection, which may be UDP or TCP depending on the type of the
transport-layer session being analyzed.
:msg: The parsed DNS message header.
:ans: The type-independent part of the parsed answer record.
.. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_end dns_full_request
dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
.. bro:id:: dns_end
:Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`dns_msg`)
Generated at the end of processing a DNS packet. This event is the last
``dns_*`` event that will be raised for a DNS query/reply and signals that
all resource records have been passed on.
See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
information about the DNS protocol. Bro analyzes both UDP and TCP DNS
sessions.
:c: The connection, which may be UDP or TCP depending on the type of the
transport-layer session being analyzed.
:msg: The parsed DNS message header.
.. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_full_request
dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
.. bro:id:: dns_full_request
:Type: :bro:type:`event` ()
Deprecated. Will be removed.
.. todo:: Unclear what this event is for; it's never raised. We should just
remove it.
.. bro:id:: dns_message
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, msg: :bro:type:`dns_msg`, len: :bro:type:`count`)
Generated for all DNS messages.
See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
information about the DNS protocol. Bro analyzes both UDP and TCP DNS
sessions.
:c: The connection, which may be UDP or TCP depending on the type of the
transport-layer session being analyzed.
:is_orig: True if the message was sent by the originator of the connection.
:msg: The parsed DNS message header.
:len: The length of the message's raw representation (i.e., the DNS payload).
.. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
dns_mapping_unverified dns_mapping_valid dns_query_reply dns_rejected
dns_request non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
dns_skip_all_addl dns_skip_all_auth dns_skip_auth
.. bro:id:: dns_query_reply
:Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`dns_msg`, query: :bro:type:`string`, qtype: :bro:type:`count`, qclass: :bro:type:`count`)
Generated for each entry in the Question section of a DNS reply.
See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
information about the DNS protocol. Bro analyzes both UDP and TCP DNS
sessions.
:c: The connection, which may be UDP or TCP depending on the type of the
transport-layer session being analyzed.
:msg: The parsed DNS message header.
:query: The queried name.
:qtype: The queried resource record type.
:qclass: The queried resource record class.
.. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
dns_mapping_unverified dns_mapping_valid dns_message dns_rejected
dns_request non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
dns_skip_all_addl dns_skip_all_auth dns_skip_auth
.. bro:id:: dns_rejected
:Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`dns_msg`, query: :bro:type:`string`, qtype: :bro:type:`count`, qclass: :bro:type:`count`)
Generated for DNS replies that reject a query. This event is raised if a DNS
reply indicates failure because it does not pass on any
answers to a query. Note that all of the event's parameters are parsed out of
the reply; there's no stateful correlation with the query.
See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
information about the DNS protocol. Bro analyzes both UDP and TCP DNS
sessions.
:c: The connection, which may be UDP or TCP depending on the type of the
transport-layer session being analyzed.
:msg: The parsed DNS message header.
:query: The queried name.
:qtype: The queried resource record type.
:qclass: The queried resource record class.
.. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
dns_request non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
dns_skip_all_addl dns_skip_all_auth dns_skip_auth
.. bro:id:: dns_request
:Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`dns_msg`, query: :bro:type:`string`, qtype: :bro:type:`count`, qclass: :bro:type:`count`)
Generated for DNS requests. For requests with multiple queries, this event
is raised once for each.
See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
information about the DNS protocol. Bro analyzes both UDP and TCP DNS
sessions.
:c: The connection, which may be UDP or TCP depending on the type of the
transport-layer session being analyzed.
:msg: The parsed DNS message header.
:query: The queried name.
:qtype: The queried resource record type.
:qclass: The queried resource record class.
.. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
dns_rejected non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
dns_skip_all_addl dns_skip_all_auth dns_skip_auth
.. bro:id:: dns_unknown_reply
:Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`dns_msg`, ans: :bro:type:`dns_answer`)
Generated on DNS reply resource records when the type of record is not one
that Bro knows how to parse and generate another more specific event.
:c: The connection, which may be UDP or TCP depending on the type of the
transport-layer session being analyzed.
:msg: The parsed DNS message header.
:ans: The type-independent part of the parsed answer record.
.. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_SRV_reply dns_end
.. bro:id:: non_dns_request
:Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`string`)
:msg: The raw DNS payload.
.. note:: This event is deprecated and superseded by Bro's dynamic protocol
detection framework.


@ -0,0 +1,72 @@
:tocdepth: 3
base/bif/plugins/Bro_FTP.events.bif.bro
=======================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
======================================== =======================================
:bro:id:`ftp_reply`: :bro:type:`event` Generated for server-side FTP replies.
:bro:id:`ftp_request`: :bro:type:`event` Generated for client-side FTP commands.
======================================== =======================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. bro:id:: ftp_reply
:Type: :bro:type:`event` (c: :bro:type:`connection`, code: :bro:type:`count`, msg: :bro:type:`string`, cont_resp: :bro:type:`bool`)
Generated for server-side FTP replies.
See `Wikipedia <http://en.wikipedia.org/wiki/File_Transfer_Protocol>`__ for
more information about the FTP protocol.
:c: The connection.
:code: The numerical response code the server responded with.
:msg: The textual message of the response.
:cont_resp: True if the reply line is tagged as being continued to the next
line. If so, further events will be raised and a handler may want
to reassemble the pieces before processing the response any
further.
.. bro:see:: ftp_request fmt_ftp_port parse_eftp_port
parse_ftp_epsv parse_ftp_pasv parse_ftp_port
.. bro:id:: ftp_request
:Type: :bro:type:`event` (c: :bro:type:`connection`, command: :bro:type:`string`, arg: :bro:type:`string`)
Generated for client-side FTP commands.
See `Wikipedia <http://en.wikipedia.org/wiki/File_Transfer_Protocol>`__ for
more information about the FTP protocol.
:c: The connection.
:command: The FTP command issued by the client (without any arguments).
:arg: The arguments going with the command.
.. bro:see:: ftp_reply fmt_ftp_port parse_eftp_port
parse_ftp_epsv parse_ftp_pasv parse_ftp_port


@ -0,0 +1,110 @@
:tocdepth: 3
base/bif/plugins/Bro_FTP.functions.bif.bro
==========================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Functions
#########
=============================================== ==========================================================================
:bro:id:`fmt_ftp_port`: :bro:type:`function` Formats an IP address and TCP port as an FTP PORT command.
:bro:id:`parse_eftp_port`: :bro:type:`function` Converts a string representation of the FTP EPRT command (see :rfc:`2428`)
to an :bro:type:`ftp_port`.
:bro:id:`parse_ftp_epsv`: :bro:type:`function` Converts the result of the FTP EPSV command (see :rfc:`2428`) to an
:bro:type:`ftp_port`.
:bro:id:`parse_ftp_pasv`: :bro:type:`function` Converts the result of the FTP PASV command to an :bro:type:`ftp_port`.
:bro:id:`parse_ftp_port`: :bro:type:`function` Converts a string representation of the FTP PORT command to an
:bro:type:`ftp_port`.
=============================================== ==========================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. bro:id:: fmt_ftp_port
:Type: :bro:type:`function` (a: :bro:type:`addr`, p: :bro:type:`port`) : :bro:type:`string`
Formats an IP address and TCP port as an FTP PORT command. For example,
``10.0.0.1`` and ``1055/tcp`` yields ``"10,0,0,1,4,31"``.
:a: The IP address.
:p: The TCP port.
:returns: The FTP PORT string.
.. bro:see:: parse_ftp_port parse_eftp_port parse_ftp_pasv parse_ftp_epsv
.. bro:id:: parse_eftp_port
:Type: :bro:type:`function` (s: :bro:type:`string`) : :bro:type:`ftp_port`
Converts a string representation of the FTP EPRT command (see :rfc:`2428`)
to an :bro:type:`ftp_port`. The format is
``"EPRT<space><d><net-prt><d><net-addr><d><tcp-port><d>"``,
where ``<d>`` is a delimiter in the ASCII range 33-126 (usually ``|``).
:s: The string of the FTP EPRT command, e.g., ``"|1|10.0.0.1|1055|"``.
:returns: The FTP PORT, e.g., ``[h=10.0.0.1, p=1055/tcp, valid=T]``.
.. bro:see:: parse_ftp_port parse_ftp_pasv parse_ftp_epsv fmt_ftp_port
.. bro:id:: parse_ftp_epsv
:Type: :bro:type:`function` (str: :bro:type:`string`) : :bro:type:`ftp_port`
Converts the result of the FTP EPSV command (see :rfc:`2428`) to an
:bro:type:`ftp_port`. The format is ``"<text> (<d><d><d><tcp-port><d>)"``,
where ``<d>`` is a delimiter in the ASCII range 33-126 (usually ``|``).
:str: The string containing the result of the FTP EPSV command.
:returns: The FTP PORT, e.g., ``[h=10.0.0.1, p=1055/tcp, valid=T]``.
.. bro:see:: parse_ftp_port parse_eftp_port parse_ftp_pasv fmt_ftp_port
.. bro:id:: parse_ftp_pasv
:Type: :bro:type:`function` (str: :bro:type:`string`) : :bro:type:`ftp_port`
Converts the result of the FTP PASV command to an :bro:type:`ftp_port`.
:str: The string containing the result of the FTP PASV command.
:returns: The FTP PORT, e.g., ``[h=10.0.0.1, p=1055/tcp, valid=T]``.
.. bro:see:: parse_ftp_port parse_eftp_port parse_ftp_epsv fmt_ftp_port
.. bro:id:: parse_ftp_port
:Type: :bro:type:`function` (s: :bro:type:`string`) : :bro:type:`ftp_port`
Converts a string representation of the FTP PORT command to an
:bro:type:`ftp_port`.
:s: The string of the FTP PORT command, e.g., ``"10,0,0,1,4,31"``.
:returns: The FTP PORT, e.g., ``[h=10.0.0.1, p=1055/tcp, valid=T]``.
.. bro:see:: parse_eftp_port parse_ftp_pasv parse_ftp_epsv fmt_ftp_port


@ -0,0 +1,44 @@
:tocdepth: 3
base/bif/plugins/Bro_File.events.bif.bro
========================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
============================================= ========================================================================
:bro:id:`file_transferred`: :bro:type:`event` Generated when a TCP connection associated w/ file data transfer is seen
(e.g.
============================================= ========================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. bro:id:: file_transferred
:Type: :bro:type:`event` (c: :bro:type:`connection`, prefix: :bro:type:`string`, descr: :bro:type:`string`, mime_type: :bro:type:`string`)
Generated when a TCP connection associated w/ file data transfer is seen
(e.g. as happens w/ FTP or IRC).
:c: The connection over which file data is transferred.
:prefix: Up to 1024 bytes of the file data.
:descr: Deprecated/unused argument.
:mime_type: MIME type of the file or "<unknown>" if no file magic signatures
matched.


@ -0,0 +1,38 @@
:tocdepth: 3
base/bif/plugins/Bro_FileEntropy.events.bif.bro
===============================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
========================================= ========================================================
:bro:id:`file_entropy`: :bro:type:`event` This event is generated each time file analysis performs
entropy testing on a file.
========================================= ========================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. bro:id:: file_entropy
:Type: :bro:type:`event` (f: :bro:type:`fa_file`, ent: :bro:type:`entropy_test_result`)
This event is generated each time file analysis performs
entropy testing on a file.
:f: The file.
:ent: The results of the entropy testing.


@ -0,0 +1,50 @@
:tocdepth: 3
base/bif/plugins/Bro_FileExtract.events.bif.bro
===============================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
================================================== ================================================================
:bro:id:`file_extraction_limit`: :bro:type:`event` This event is generated when a file extraction analyzer is about
to exceed the maximum permitted file size allowed by the
*extract_limit* field of :bro:see:`Files::AnalyzerArgs`.
================================================== ================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. bro:id:: file_extraction_limit
:Type: :bro:type:`event` (f: :bro:type:`fa_file`, args: :bro:type:`Files::AnalyzerArgs`, limit: :bro:type:`count`, len: :bro:type:`count`)
This event is generated when a file extraction analyzer is about
to exceed the maximum permitted file size allowed by the
*extract_limit* field of :bro:see:`Files::AnalyzerArgs`.
The analyzer is automatically removed from file *f*.
:f: The file.
:args: Arguments that identify a particular file extraction analyzer.
This is only provided to be able to pass along to
:bro:see:`FileExtract::set_limit`.
:limit: The limit, in bytes, the extracted file is about to breach.
:len: The length of the file chunk about to be written.
.. bro:see:: Files::add_analyzer Files::ANALYZER_EXTRACT


@ -0,0 +1,31 @@
:tocdepth: 3
base/bif/plugins/Bro_FileExtract.functions.bif.bro
==================================================
.. bro:namespace:: FileExtract
.. bro:namespace:: GLOBAL
Internal functions used by the extraction file analyzer.
:Namespaces: FileExtract, GLOBAL
Summary
~~~~~~~
Functions
#########
======================================================== ==================================
:bro:id:`FileExtract::__set_limit`: :bro:type:`function` :bro:see:`FileExtract::set_limit`.
======================================================== ==================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. bro:id:: FileExtract::__set_limit
:Type: :bro:type:`function` (file_id: :bro:type:`string`, args: :bro:type:`any`, n: :bro:type:`count`) : :bro:type:`bool`
:bro:see:`FileExtract::set_limit`.


@ -0,0 +1,43 @@
:tocdepth: 3
base/bif/plugins/Bro_FileHash.events.bif.bro
============================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
====================================== =========================================================================
:bro:id:`file_hash`: :bro:type:`event` This event is generated each time file analysis generates a digest of the
file contents.
====================================== =========================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. bro:id:: file_hash
:Type: :bro:type:`event` (f: :bro:type:`fa_file`, kind: :bro:type:`string`, hash: :bro:type:`string`)
This event is generated each time file analysis generates a digest of the
file contents.
:f: The file.
:kind: The type of digest algorithm.
:hash: The result of the hashing.
.. bro:see:: Files::add_analyzer Files::ANALYZER_MD5
Files::ANALYZER_SHA1 Files::ANALYZER_SHA256


@ -0,0 +1,74 @@
:tocdepth: 3
base/bif/plugins/Bro_Finger.events.bif.bro
==========================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
=========================================== ==============================
:bro:id:`finger_reply`: :bro:type:`event` Generated for Finger replies.
:bro:id:`finger_request`: :bro:type:`event` Generated for Finger requests.
=========================================== ==============================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. bro:id:: finger_reply
:Type: :bro:type:`event` (c: :bro:type:`connection`, reply_line: :bro:type:`string`)
Generated for Finger replies.
See `Wikipedia <http://en.wikipedia.org/wiki/Finger_protocol>`__ for more
information about the Finger protocol.
:c: The connection.
:reply_line: The reply as returned by the server
.. bro:see:: finger_request
.. todo:: Bro's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported to Bro 2.x. To still enable this event, one needs to
register a port for it or add a DPD payload signature.
.. bro:id:: finger_request
:Type: :bro:type:`event` (c: :bro:type:`connection`, full: :bro:type:`bool`, username: :bro:type:`string`, hostname: :bro:type:`string`)
Generated for Finger requests.
See `Wikipedia <http://en.wikipedia.org/wiki/Finger_protocol>`__ for more
information about the Finger protocol.
:c: The connection.
:full: True if verbose information is requested (``/W`` switch).
:username: The request's user name.
:hostname: The request's host name.
.. bro:see:: finger_reply
.. todo:: Bro's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported to Bro 2.x. To still enable this event, one needs to
register a port for it or add a DPD payload signature.
