Copy docs into Zeek repo directly

This is based on commit 2731def9159247e6da8a3191783c89683363689c from the
zeek-docs repo.
This commit is contained in:
Tim Wojtulewicz 2025-09-15 15:52:18 -07:00
parent 83f1e74643
commit ded98cd373
1074 changed files with 169319 additions and 0 deletions


@ -0,0 +1,39 @@
:tocdepth: 3
base/bif/CPP-load.bif.zeek
==========================
.. zeek:namespace:: GLOBAL
Definitions of built-in functions related to loading compiled-to-C++
scripts.
:Namespace: GLOBAL
Summary
~~~~~~~
Functions
#########
========================================== ====================================================================
:zeek:id:`load_CPP`: :zeek:type:`function` Activates the compile-to-C++ scripts associated with the given hash.
========================================== ====================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. zeek:id:: load_CPP
:source-code: base/bif/CPP-load.bif.zeek 16 16
:Type: :zeek:type:`function` (h: :zeek:type:`count`) : :zeek:type:`bool`
Activates the compile-to-C++ scripts associated with the given hash.
:param h: Hash of the set of C++ scripts.
:returns: True if it was present and loaded, false if not.
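Review bot: the `:returns:` line for `load_CPP` ("True if it was present and loaded, false if not.") leaves "it" ambiguous and says nothing about how a caller obtains `h` in the first place. Since `:source-code: base/bif/CPP-load.bif.zeek 16 16` shows this page is generated from the .bif docstring, the wording fix belongs in that docstring rather than in this copied .rst, otherwise the next regeneration reverts it. Suggested text: `:returns: True if a set of compiled-to-C++ scripts with hash *h* was present and was activated, false otherwise.`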


@ -0,0 +1,14 @@
:tocdepth: 3
base/bif/__load__.zeek
======================
:Imports: :doc:`base/bif/CPP-load.bif.zeek </scripts/base/bif/CPP-load.bif.zeek>`, :doc:`base/bif/analyzer.bif.zeek </scripts/base/bif/analyzer.bif.zeek>`, :doc:`base/bif/bloom-filter.bif.zeek </scripts/base/bif/bloom-filter.bif.zeek>`, :doc:`base/bif/cardinality-counter.bif.zeek </scripts/base/bif/cardinality-counter.bif.zeek>`, :doc:`base/bif/cluster.bif.zeek </scripts/base/bif/cluster.bif.zeek>`, :doc:`base/bif/comm.bif.zeek </scripts/base/bif/comm.bif.zeek>`, :doc:`base/bif/communityid.bif.zeek </scripts/base/bif/communityid.bif.zeek>`, :doc:`base/bif/const.bif.zeek </scripts/base/bif/const.bif.zeek>`, :doc:`base/bif/data.bif.zeek </scripts/base/bif/data.bif.zeek>`, :doc:`base/bif/event.bif.zeek </scripts/base/bif/event.bif.zeek>`, :doc:`base/bif/file_analysis.bif.zeek </scripts/base/bif/file_analysis.bif.zeek>`, :doc:`base/bif/input.bif.zeek </scripts/base/bif/input.bif.zeek>`, :doc:`base/bif/logging.bif.zeek </scripts/base/bif/logging.bif.zeek>`, :doc:`base/bif/messaging.bif.zeek </scripts/base/bif/messaging.bif.zeek>`, :doc:`base/bif/mmdb.bif.zeek </scripts/base/bif/mmdb.bif.zeek>`, :doc:`base/bif/option.bif.zeek </scripts/base/bif/option.bif.zeek>`, :doc:`base/bif/packet_analysis.bif.zeek </scripts/base/bif/packet_analysis.bif.zeek>`, :doc:`base/bif/pcap.bif.zeek </scripts/base/bif/pcap.bif.zeek>`, :doc:`base/bif/reporter.bif.zeek </scripts/base/bif/reporter.bif.zeek>`, :doc:`base/bif/spicy.bif.zeek </scripts/base/bif/spicy.bif.zeek>`, :doc:`base/bif/stats.bif.zeek </scripts/base/bif/stats.bif.zeek>`, :doc:`base/bif/storage-async.bif.zeek </scripts/base/bif/storage-async.bif.zeek>`, :doc:`base/bif/storage-events.bif.zeek </scripts/base/bif/storage-events.bif.zeek>`, :doc:`base/bif/storage-sync.bif.zeek </scripts/base/bif/storage-sync.bif.zeek>`, :doc:`base/bif/storage.bif.zeek </scripts/base/bif/storage.bif.zeek>`, :doc:`base/bif/store.bif.zeek </scripts/base/bif/store.bif.zeek>`, :doc:`base/bif/strings.bif.zeek </scripts/base/bif/strings.bif.zeek>`, 
:doc:`base/bif/supervisor.bif.zeek </scripts/base/bif/supervisor.bif.zeek>`, :doc:`base/bif/telemetry_consts.bif.zeek </scripts/base/bif/telemetry_consts.bif.zeek>`, :doc:`base/bif/telemetry_functions.bif.zeek </scripts/base/bif/telemetry_functions.bif.zeek>`, :doc:`base/bif/telemetry_types.bif.zeek </scripts/base/bif/telemetry_types.bif.zeek>`, :doc:`base/bif/top-k.bif.zeek </scripts/base/bif/top-k.bif.zeek>`, :doc:`base/bif/types.bif.zeek </scripts/base/bif/types.bif.zeek>`, :doc:`base/bif/zeek.bif.zeek </scripts/base/bif/zeek.bif.zeek>`, :doc:`base/bif/zeekygen.bif.zeek </scripts/base/bif/zeekygen.bif.zeek>`
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~
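Review bot: the `Summary` and `Detailed Interface` headings at the end of this file have nothing beneath them; `__load__.zeek` carries only the `:Imports:` roster. If the generator cannot suppress empty sections, it is at least worth confirming that an empty "Detailed Interface" is the expected rendering here and not a generation failure. The `:Imports:` list also appears split across two lines in this view (after `strings.bif.zeek`), which should be checked to render as a single field.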


@ -0,0 +1,80 @@
:tocdepth: 3
base/bif/analyzer.bif.zeek
==========================
.. zeek:namespace:: Analyzer
.. zeek:namespace:: GLOBAL
Internal functions and types used by the analyzer framework.
:Namespaces: Analyzer, GLOBAL
Summary
~~~~~~~
Functions
#########
=================================================================== =
:zeek:id:`Analyzer::__disable_all_analyzers`: :zeek:type:`function`
:zeek:id:`Analyzer::__disable_analyzer`: :zeek:type:`function`
:zeek:id:`Analyzer::__enable_analyzer`: :zeek:type:`function`
:zeek:id:`Analyzer::__has_tag`: :zeek:type:`function`
:zeek:id:`Analyzer::__name`: :zeek:type:`function`
:zeek:id:`Analyzer::__register_for_port`: :zeek:type:`function`
:zeek:id:`Analyzer::__schedule_analyzer`: :zeek:type:`function`
:zeek:id:`Analyzer::__tag`: :zeek:type:`function`
=================================================================== =
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. zeek:id:: Analyzer::__disable_all_analyzers
:source-code: base/bif/analyzer.bif.zeek 17 17
:Type: :zeek:type:`function` () : :zeek:type:`any`
.. zeek:id:: Analyzer::__disable_analyzer
:source-code: base/bif/analyzer.bif.zeek 14 14
:Type: :zeek:type:`function` (id: :zeek:type:`Analyzer::Tag`) : :zeek:type:`bool`
.. zeek:id:: Analyzer::__enable_analyzer
:source-code: base/bif/analyzer.bif.zeek 11 11
:Type: :zeek:type:`function` (id: :zeek:type:`Analyzer::Tag`) : :zeek:type:`bool`
.. zeek:id:: Analyzer::__has_tag
:source-code: base/bif/analyzer.bif.zeek 34 34
:Type: :zeek:type:`function` (name: :zeek:type:`string`) : :zeek:type:`bool`
.. zeek:id:: Analyzer::__name
:source-code: base/bif/analyzer.bif.zeek 26 26
:Type: :zeek:type:`function` (atype: :zeek:type:`AllAnalyzers::Tag`) : :zeek:type:`string`
.. zeek:id:: Analyzer::__register_for_port
:source-code: base/bif/analyzer.bif.zeek 20 20
:Type: :zeek:type:`function` (id: :zeek:type:`Analyzer::Tag`, p: :zeek:type:`port`) : :zeek:type:`bool`
.. zeek:id:: Analyzer::__schedule_analyzer
:source-code: base/bif/analyzer.bif.zeek 23 23
:Type: :zeek:type:`function` (orig: :zeek:type:`addr`, resp: :zeek:type:`addr`, resp_p: :zeek:type:`port`, analyzer: :zeek:type:`Analyzer::Tag`, tout: :zeek:type:`interval`) : :zeek:type:`bool`
.. zeek:id:: Analyzer::__tag
:source-code: base/bif/analyzer.bif.zeek 31 31
:Type: :zeek:type:`function` (name: :zeek:type:`string`) : :zeek:type:`AllAnalyzers::Tag`
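Review bot: none of the eight `Analyzer::__*` functions carries a description, so the right-hand column of the summary table is empty (the table header is `=================================================================== =`). Even for internal `__`-prefixed helpers, a one-line docstring in `base/bif/analyzer.bif.zeek` would help, in particular for `Analyzer::__disable_all_analyzers`, whose `:Type:` line returns `any` while `__disable_analyzer` and `__enable_analyzer` return `bool`, so a reader cannot tell whether it reports success or is fire-and-forget. `Analyzer::__schedule_analyzer` likewise gives a `tout: interval` with no stated meaning (for instance, whether the scheduled analyzer is dropped once `tout` elapses without a matching connection).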


@ -0,0 +1,270 @@
:tocdepth: 3
base/bif/bloom-filter.bif.zeek
==============================
.. zeek:namespace:: GLOBAL
Functions to create and manipulate Bloom filters.
:Namespace: GLOBAL
Summary
~~~~~~~
Functions
#########
============================================================ ============================================================================================
:zeek:id:`bloomfilter_add`: :zeek:type:`function` Adds an element to a Bloom filter.
:zeek:id:`bloomfilter_basic_init`: :zeek:type:`function` Creates a basic Bloom filter.
:zeek:id:`bloomfilter_basic_init2`: :zeek:type:`function` Creates a basic Bloom filter.
:zeek:id:`bloomfilter_clear`: :zeek:type:`function` Removes all elements from a Bloom filter.
:zeek:id:`bloomfilter_counting_init`: :zeek:type:`function` Creates a counting Bloom filter.
:zeek:id:`bloomfilter_decrement`: :zeek:type:`function` Decrements the counter for an element that was added to a counting bloom filter in the past.
:zeek:id:`bloomfilter_internal_state`: :zeek:type:`function` Returns a string with a representation of a Bloom filter's internal
state.
:zeek:id:`bloomfilter_intersect`: :zeek:type:`function` Intersects two Bloom filters.
:zeek:id:`bloomfilter_lookup`: :zeek:type:`function` Retrieves the counter for a given element in a Bloom filter.
:zeek:id:`bloomfilter_merge`: :zeek:type:`function` Merges two Bloom filters.
============================================================ ============================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. zeek:id:: bloomfilter_add
:source-code: base/bif/bloom-filter.bif.zeek 88 88
:Type: :zeek:type:`function` (bf: :zeek:type:`opaque` of bloomfilter, x: :zeek:type:`any`) : :zeek:type:`any`
Adds an element to a Bloom filter. For counting bloom filters, the counter is incremented.
:param bf: The Bloom filter handle.
:param x: The element to add.
.. zeek:see:: bloomfilter_basic_init bloomfilter_basic_init2
bloomfilter_counting_init bloomfilter_lookup bloomfilter_clear
bloomfilter_merge bloomfilter_decrement
.. zeek:id:: bloomfilter_basic_init
:source-code: base/bif/bloom-filter.bif.zeek 28 28
:Type: :zeek:type:`function` (fp: :zeek:type:`double`, capacity: :zeek:type:`count`, name: :zeek:type:`string` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`) : :zeek:type:`opaque` of bloomfilter
Creates a basic Bloom filter.
:param fp: The desired false-positive rate.
:param capacity: the maximum number of elements that guarantees a false-positive
rate of *fp*.
:param name: A name that uniquely identifies and seeds the Bloom filter. If empty,
the filter will use :zeek:id:`global_hash_seed` if that's set, and
otherwise use a local seed tied to the current Zeek process. Only
filters with the same seed can be merged with
:zeek:id:`bloomfilter_merge`.
:returns: A Bloom filter handle.
.. zeek:see:: bloomfilter_basic_init2 bloomfilter_counting_init bloomfilter_add
bloomfilter_lookup bloomfilter_clear bloomfilter_merge global_hash_seed
.. zeek:id:: bloomfilter_basic_init2
:source-code: base/bif/bloom-filter.bif.zeek 50 50
:Type: :zeek:type:`function` (k: :zeek:type:`count`, cells: :zeek:type:`count`, name: :zeek:type:`string` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`) : :zeek:type:`opaque` of bloomfilter
Creates a basic Bloom filter. This function serves as a low-level
alternative to :zeek:id:`bloomfilter_basic_init` where the user has full
control over the number of hash functions and cells in the underlying bit
vector.
:param k: The number of hash functions to use.
:param cells: The number of cells of the underlying bit vector.
:param name: A name that uniquely identifies and seeds the Bloom filter. If empty,
the filter will use :zeek:id:`global_hash_seed` if that's set, and
otherwise use a local seed tied to the current Zeek process. Only
filters with the same seed can be merged with
:zeek:id:`bloomfilter_merge`.
:returns: A Bloom filter handle.
.. zeek:see:: bloomfilter_basic_init bloomfilter_counting_init bloomfilter_add
bloomfilter_lookup bloomfilter_clear bloomfilter_merge global_hash_seed
.. zeek:id:: bloomfilter_clear
:source-code: base/bif/bloom-filter.bif.zeek 137 137
:Type: :zeek:type:`function` (bf: :zeek:type:`opaque` of bloomfilter) : :zeek:type:`any`
Removes all elements from a Bloom filter. This function resets all bits in
the underlying bitvector back to 0 but does not change the parameterization
of the Bloom filter, such as the element type and the hasher seed.
:param bf: The Bloom filter handle.
.. zeek:see:: bloomfilter_basic_init bloomfilter_basic_init2
bloomfilter_counting_init bloomfilter_add bloomfilter_lookup
bloomfilter_merge
.. zeek:id:: bloomfilter_counting_init
:source-code: base/bif/bloom-filter.bif.zeek 76 76
:Type: :zeek:type:`function` (k: :zeek:type:`count`, cells: :zeek:type:`count`, max: :zeek:type:`count`, name: :zeek:type:`string` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`) : :zeek:type:`opaque` of bloomfilter
Creates a counting Bloom filter.
:param k: The number of hash functions to use.
:param cells: The number of cells of the underlying counter vector. As there's
no single answer to what's the best parameterization for a
counting Bloom filter, we refer to the Bloom filter literature
here for choosing an appropriate value.
:param max: The maximum counter value associated with each element
described by *w = ceil(log_2(max))* bits. Each bit in the underlying
counter vector becomes a cell of size *w* bits.
:param name: A name that uniquely identifies and seeds the Bloom filter. If empty,
the filter will use :zeek:id:`global_hash_seed` if that's set, and
otherwise use a local seed tied to the current Zeek process. Only
filters with the same seed can be merged with
:zeek:id:`bloomfilter_merge`.
:returns: A Bloom filter handle.
.. zeek:see:: bloomfilter_basic_init bloomfilter_basic_init2 bloomfilter_add
bloomfilter_lookup bloomfilter_clear bloomfilter_merge global_hash_seed
.. zeek:id:: bloomfilter_decrement
:source-code: base/bif/bloom-filter.bif.zeek 105 105
:Type: :zeek:type:`function` (bf: :zeek:type:`opaque` of bloomfilter, x: :zeek:type:`any`) : :zeek:type:`bool`
Decrements the counter for an element that was added to a counting bloom filter in the past.
Note that decrement operations can lead to false negatives if used on a counting bloom-filter
that exceeded the width of its counter.
:param bf: The counting bloom filter handle.
:param x: The element to decrement
:returns: True on success
.. zeek:see:: bloomfilter_basic_init bloomfilter_basic_init2
bloomfilter_counting_init bloomfilter_lookup bloomfilter_clear
bloomfilter_merge
.. zeek:id:: bloomfilter_internal_state
:source-code: base/bif/bloom-filter.bif.zeek 185 185
:Type: :zeek:type:`function` (bf: :zeek:type:`opaque` of bloomfilter) : :zeek:type:`string`
Returns a string with a representation of a Bloom filter's internal
state. This is for debugging/testing purposes only.
:param bf: The Bloom filter handle.
:returns: a string with a representation of a Bloom filter's internal state.
.. zeek:id:: bloomfilter_intersect
:source-code: base/bif/bloom-filter.bif.zeek 176 176
:Type: :zeek:type:`function` (bf1: :zeek:type:`opaque` of bloomfilter, bf2: :zeek:type:`opaque` of bloomfilter) : :zeek:type:`opaque` of bloomfilter
Intersects two Bloom filters.
The resulting Bloom filter returns true when queried for elements
that were contained in both bloom filters. Note that intersected Bloom
filters have a slightly higher probability of false positives than
Bloom filters created from scratch.
Please note that, while this function works with basic and with counting
bloom filters, the result always is a basic bloom filter. So - intersecting
two counting bloom filters will result in a basic bloom filter. The reason
for this is that there is no reasonable definition of how to handle counters
during intersection.
:param bf1: The first Bloom filter handle.
:param bf2: The second Bloom filter handle.
:returns: The intersection of *bf1* and *bf2*.
.. zeek:see:: bloomfilter_basic_init bloomfilter_basic_init2
bloomfilter_counting_init bloomfilter_add bloomfilter_lookup
bloomfilter_clear bloomfilter_merge
.. zeek:id:: bloomfilter_lookup
:source-code: base/bif/bloom-filter.bif.zeek 125 125
:Type: :zeek:type:`function` (bf: :zeek:type:`opaque` of bloomfilter, x: :zeek:type:`any`) : :zeek:type:`count`
Retrieves the counter for a given element in a Bloom filter.
For a basic bloom filter, this is 0 when the element is not part of the bloom filter, or 1
if it is part of the bloom filter.
For a counting bloom filter, this is the estimate of how often an element was added.
:param bf: The Bloom filter handle.
:param x: The element to count.
:returns: the counter associated with *x* in *bf*.
.. zeek:see:: bloomfilter_basic_init bloomfilter_basic_init2
bloomfilter_counting_init bloomfilter_add bloomfilter_clear
bloomfilter_merge
.. zeek:id:: bloomfilter_merge
:source-code: base/bif/bloom-filter.bif.zeek 151 151
:Type: :zeek:type:`function` (bf1: :zeek:type:`opaque` of bloomfilter, bf2: :zeek:type:`opaque` of bloomfilter) : :zeek:type:`opaque` of bloomfilter
Merges two Bloom filters.
:param bf1: The first Bloom filter handle.
:param bf2: The second Bloom filter handle.
:returns: The union of *bf1* and *bf2*.
.. zeek:see:: bloomfilter_basic_init bloomfilter_basic_init2
bloomfilter_counting_init bloomfilter_add bloomfilter_lookup
bloomfilter_clear bloomfilter_merge
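Review bot: the `bloomfilter_merge` entry (`Merges two Bloom filters.`) states no preconditions, yet the `name` parameter text of all three init functions says `Only filters with the same seed can be merged with bloomfilter_merge`, and `hll_cardinality_merge_into` elsewhere in this commit points readers here for "the same restrictions". Restate the precondition on the merge entry itself (same seed/name, and presumably the same `k`/`cells` parameterization) and say what the call does when the two filters are incompatible. Two wording points in the same hunk: the `:param max:` text for `bloomfilter_counting_init` says `Each bit in the underlying counter vector becomes a cell of size *w* bits`, which reads as a slip for "each cell of the underlying counter vector is *w* bits wide"; and the `bloomfilter_decrement` caveat about false negatives once a counter has exceeded its width is an operational warning that also belongs on `bloomfilter_add`, since that is the call that saturates the counter.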


@ -0,0 +1,122 @@
:tocdepth: 3
base/bif/cardinality-counter.bif.zeek
=====================================
.. zeek:namespace:: GLOBAL
Functions to create and manipulate probabilistic cardinality counters.
:Namespace: GLOBAL
Summary
~~~~~~~
Functions
#########
============================================================ =========================================================================
:zeek:id:`hll_cardinality_add`: :zeek:type:`function` Adds an element to a HyperLogLog cardinality counter.
:zeek:id:`hll_cardinality_copy`: :zeek:type:`function` Copy a HLL cardinality counter.
:zeek:id:`hll_cardinality_estimate`: :zeek:type:`function` Estimate the current cardinality of an HLL cardinality counter.
:zeek:id:`hll_cardinality_init`: :zeek:type:`function` Initializes a probabilistic cardinality counter that uses the HyperLogLog
algorithm.
:zeek:id:`hll_cardinality_merge_into`: :zeek:type:`function` Merges a HLL cardinality counter into another.
============================================================ =========================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. zeek:id:: hll_cardinality_add
:source-code: base/bif/cardinality-counter.bif.zeek 35 35
:Type: :zeek:type:`function` (handle: :zeek:type:`opaque` of cardinality, elem: :zeek:type:`any`) : :zeek:type:`bool`
Adds an element to a HyperLogLog cardinality counter.
:param handle: the HLL handle.
:param elem: the element to add.
:returns: true on success.
.. zeek:see:: hll_cardinality_estimate hll_cardinality_merge_into
hll_cardinality_init hll_cardinality_copy
.. zeek:id:: hll_cardinality_copy
:source-code: base/bif/cardinality-counter.bif.zeek 73 73
:Type: :zeek:type:`function` (handle: :zeek:type:`opaque` of cardinality) : :zeek:type:`opaque` of cardinality
Copy a HLL cardinality counter.
:param handle: cardinality counter to copy.
:returns: copy of handle.
.. zeek:see:: hll_cardinality_estimate hll_cardinality_merge_into hll_cardinality_add
hll_cardinality_init
.. zeek:id:: hll_cardinality_estimate
:source-code: base/bif/cardinality-counter.bif.zeek 62 62
:Type: :zeek:type:`function` (handle: :zeek:type:`opaque` of cardinality) : :zeek:type:`double`
Estimate the current cardinality of an HLL cardinality counter.
:param handle: the HLL handle.
:returns: the cardinality estimate. Returns -1.0 if the counter is empty.
.. zeek:see:: hll_cardinality_merge_into hll_cardinality_add
hll_cardinality_init hll_cardinality_copy
.. zeek:id:: hll_cardinality_init
:source-code: base/bif/cardinality-counter.bif.zeek 22 22
:Type: :zeek:type:`function` (err: :zeek:type:`double`, confidence: :zeek:type:`double`) : :zeek:type:`opaque` of cardinality
Initializes a probabilistic cardinality counter that uses the HyperLogLog
algorithm.
:param err: the desired error rate (e.g. 0.01).
:param confidence: the desired confidence for the error rate (e.g., 0.95).
:returns: a HLL cardinality handle.
.. zeek:see:: hll_cardinality_estimate hll_cardinality_merge_into hll_cardinality_add
hll_cardinality_copy
.. zeek:id:: hll_cardinality_merge_into
:source-code: base/bif/cardinality-counter.bif.zeek 51 51
:Type: :zeek:type:`function` (handle1: :zeek:type:`opaque` of cardinality, handle2: :zeek:type:`opaque` of cardinality) : :zeek:type:`bool`
Merges a HLL cardinality counter into another.
.. note:: The same restrictions as for Bloom filter merging apply,
see :zeek:id:`bloomfilter_merge`.
:param handle1: the first HLL handle, which will contain the merged result.
:param handle2: the second HLL handle, which will be merged into the first.
:returns: true on success.
.. zeek:see:: hll_cardinality_estimate hll_cardinality_add
hll_cardinality_init hll_cardinality_copy
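Review bot: the `.. note::` under `hll_cardinality_merge_into` defers to `bloomfilter_merge` for merge restrictions, but the `bloomfilter_merge` entry in this same commit documents none, so the reference resolves to nothing useful. State the restriction here directly (both counters created with the same `err`/`confidence` parameters, if that is the actual rule) and what `:returns: true on success` means on failure, i.e. whether a mismatch yields `F` or a runtime error. Also, `hll_cardinality_estimate` says `Returns -1.0 if the counter is empty`; any script summing estimates across counters has to special-case that sentinel, so a sentence pointing that out would be worthwhile.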


@ -0,0 +1,169 @@
:tocdepth: 3
base/bif/cluster.bif.zeek
=========================
.. zeek:namespace:: Cluster
.. zeek:namespace:: Cluster::Backend
.. zeek:namespace:: GLOBAL
:Namespaces: Cluster, Cluster::Backend, GLOBAL
Summary
~~~~~~~
Events
######
====================================================== ===================================
:zeek:id:`Cluster::Backend::error`: :zeek:type:`event` Generated on cluster backend error.
====================================================== ===================================
Functions
#########
============================================================= ===================================================================
:zeek:id:`Cluster::Backend::__init`: :zeek:type:`function` Initialize the global cluster backend.
:zeek:id:`Cluster::__listen_websocket`: :zeek:type:`function`
:zeek:id:`Cluster::__subscribe`: :zeek:type:`function`
:zeek:id:`Cluster::__unsubscribe`: :zeek:type:`function`
:zeek:id:`Cluster::make_event`: :zeek:type:`function` Create a data structure that may be used to send a remote event via
:zeek:see:`Broker::publish`.
:zeek:id:`Cluster::publish`: :zeek:type:`function` Publishes an event to a given topic.
:zeek:id:`Cluster::publish_hrw`: :zeek:type:`function` Publishes an event to a node within a pool according to Rendezvous
(Highest Random Weight) hashing strategy.
:zeek:id:`Cluster::publish_rr`: :zeek:type:`function` Publishes an event to a node within a pool according to Round-Robin
distribution strategy.
============================================================= ===================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: Cluster::Backend::error
:source-code: base/frameworks/cluster/main.zeek 716 720
:Type: :zeek:type:`event` (tag: :zeek:type:`string`, message: :zeek:type:`string`)
Generated on cluster backend error.
:param tag: A structured tag, not further specified.
:param message: A free form message with more details about the error.
Functions
#########
.. zeek:id:: Cluster::Backend::__init
:source-code: base/bif/cluster.bif.zeek 48 48
:Type: :zeek:type:`function` (nid: :zeek:type:`string`) : :zeek:type:`bool`
Initialize the global cluster backend.
:returns: true on success.
.. zeek:id:: Cluster::__listen_websocket
:source-code: base/bif/cluster.bif.zeek 87 87
:Type: :zeek:type:`function` (options: :zeek:type:`Cluster::WebSocketServerOptions`) : :zeek:type:`bool`
.. zeek:id:: Cluster::__subscribe
:source-code: base/bif/cluster.bif.zeek 39 39
:Type: :zeek:type:`function` (topic_prefix: :zeek:type:`string`) : :zeek:type:`bool`
.. zeek:id:: Cluster::__unsubscribe
:source-code: base/bif/cluster.bif.zeek 42 42
:Type: :zeek:type:`function` (topic_prefix: :zeek:type:`string`) : :zeek:type:`bool`
.. zeek:id:: Cluster::make_event
:source-code: base/bif/cluster.bif.zeek 36 36
:Type: :zeek:type:`function` (...) : :zeek:type:`Cluster::Event`
Create a data structure that may be used to send a remote event via
:zeek:see:`Broker::publish`.
:param args: an event, followed by a list of argument values that may be used
to call it.
:returns: A :zeek:type:`Cluster::Event` instance that can be published via
:zeek:see:`Cluster::publish`, :zeek:see:`Cluster::publish_rr`
or :zeek:see:`Cluster::publish_hrw`.
.. zeek:id:: Cluster::publish
:source-code: base/bif/cluster.bif.zeek 24 24
:Type: :zeek:type:`function` (...) : :zeek:type:`bool`
Publishes an event to a given topic.
:param topic: a topic associated with the event message.
:param args: Either the event arguments as already made by
:zeek:see:`Cluster::make_event` or the argument list to pass along
to it.
:returns: T if the event was accepted for sending. Depending on
the selected cluster backend, an event may be dropped
when a Zeek cluster is overloadede. This can happen on
the sending or receiving node.
.. zeek:id:: Cluster::publish_hrw
:source-code: base/bif/cluster.bif.zeek 84 84
:Type: :zeek:type:`function` (...) : :zeek:type:`bool`
Publishes an event to a node within a pool according to Rendezvous
(Highest Random Weight) hashing strategy.
:param pool: the pool of nodes that are eligible to receive the event.
:param key: data used for input to the hashing function that will uniformly
distribute keys among available nodes.
:param args: Either the event arguments as already made by
:zeek:see:`Broker::make_event` or the argument list to pass along
to it.
:returns: true if the message is sent.
.. zeek:id:: Cluster::publish_rr
:source-code: base/bif/cluster.bif.zeek 67 67
:Type: :zeek:type:`function` (...) : :zeek:type:`bool`
Publishes an event to a node within a pool according to Round-Robin
distribution strategy.
:param pool: the pool of nodes that are eligible to receive the event.
:param key: an arbitrary string to identify the purpose for which you're
distributing the event. e.g. consider using namespacing of your
script like "Intel::cluster_rr_key".
:param args: Either the event arguments as already made by
:zeek:see:`Cluster::make_event` or the argument list to pass along
to it.
:returns: true if the message is sent.
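Review bot: typo in the `Cluster::publish` `:returns:` text, `overloadede` should be `overloaded`; as `:source-code: base/bif/cluster.bif.zeek 24 24` shows this file is generated, fix it in the .bif docstring. Two stale cross-references in the same hunk: `Cluster::make_event` says the structure is for sending a remote event via `Broker::publish`, while its own `:returns:` says it is published via `Cluster::publish`, `Cluster::publish_rr` or `Cluster::publish_hrw`; and the `:param args:` of `Cluster::publish_hrw` cites `Broker::make_event` where `Cluster::publish_rr` cites `Cluster::make_event`. `Cluster::Backend::__init` takes `nid: string` with no `:param nid:` entry. Finally, the dropped-event semantics (`an event may be dropped when a Zeek cluster is overloaded`, on `the sending or receiving node`) matter to anyone fanning out detections over publish, so the same caveat should appear on `publish_rr` and `publish_hrw`, whose `:returns:` currently just read `true if the message is sent`.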


@ -0,0 +1,252 @@
:tocdepth: 3
base/bif/comm.bif.zeek
======================
.. zeek:namespace:: Broker
.. zeek:namespace:: GLOBAL
Functions and events regarding broker communication mechanisms.
:Namespaces: Broker, GLOBAL
Summary
~~~~~~~
Types
#####
====================================================== =
:zeek:type:`Broker::BrokerProtocol`: :zeek:type:`enum`
====================================================== =
Events
######
=========================================================== ======================================================================
:zeek:id:`Broker::endpoint_discovered`: :zeek:type:`event` Generated when a new Broker endpoint appeared.
:zeek:id:`Broker::endpoint_unreachable`: :zeek:type:`event` Generated when the last path to a Broker endpoint has been lost.
:zeek:id:`Broker::error`: :zeek:type:`event` Generated when an error occurs in the Broker sub-system.
:zeek:id:`Broker::internal_log_event`: :zeek:type:`event` Generated when Broker emits an internal logging event.
:zeek:id:`Broker::peer_added`: :zeek:type:`event` Generated when a new peering has been established.
:zeek:id:`Broker::peer_lost`: :zeek:type:`event` Generated when the local endpoint has lost its peering with another
endpoint.
:zeek:id:`Broker::peer_removed`: :zeek:type:`event` Generated when the local endpoint has removed its peering with another
endpoint.
:zeek:id:`Broker::status`: :zeek:type:`event` Generated when an unspecified change occurs in Broker.
=========================================================== ======================================================================
Functions
#########
=============================================================== =
:zeek:id:`Broker::__is_outbound_peering`: :zeek:type:`function`
:zeek:id:`Broker::__listen`: :zeek:type:`function`
:zeek:id:`Broker::__node_id`: :zeek:type:`function`
:zeek:id:`Broker::__peer`: :zeek:type:`function`
:zeek:id:`Broker::__peer_no_retry`: :zeek:type:`function`
:zeek:id:`Broker::__peering_stats`: :zeek:type:`function`
:zeek:id:`Broker::__peers`: :zeek:type:`function`
:zeek:id:`Broker::__unpeer`: :zeek:type:`function`
=============================================================== =
Detailed Interface
~~~~~~~~~~~~~~~~~~
Types
#####
.. zeek:type:: Broker::BrokerProtocol
:source-code: base/bif/comm.bif.zeek 149 149
:Type: :zeek:type:`enum`
.. zeek:enum:: Broker::NATIVE Broker::BrokerProtocol
.. zeek:enum:: Broker::WEBSOCKET Broker::BrokerProtocol
Events
######
.. zeek:id:: Broker::endpoint_discovered
:source-code: base/bif/comm.bif.zeek 78 78
:Type: :zeek:type:`event` (endpoint: :zeek:type:`Broker::EndpointInfo`, msg: :zeek:type:`string`)
Generated when a new Broker endpoint appeared.
.. zeek:id:: Broker::endpoint_unreachable
:source-code: base/bif/comm.bif.zeek 82 82
:Type: :zeek:type:`event` (endpoint: :zeek:type:`Broker::EndpointInfo`, msg: :zeek:type:`string`)
Generated when the last path to a Broker endpoint has been lost.
.. zeek:id:: Broker::error
:source-code: base/frameworks/broker/log.zeek 83 96
:Type: :zeek:type:`event` (code: :zeek:type:`Broker::ErrorCode`, msg: :zeek:type:`string`)
Generated when an error occurs in the Broker sub-system. This event
reports local errors in Broker, as indicated by the provided
:zeek:type:`Broker::ErrorCode`.
:param code: the type of error that triggered this event.
:param msg: a message providing additional context.
.. zeek:see:: Broker::peer_added Broker::peer_removed Broker::peer_lost
Broker::endpoint_discovered Broker::endpoint_unreachable Broker::status
.. zeek:id:: Broker::internal_log_event
:source-code: base/frameworks/broker/log.zeek 98 122
:Type: :zeek:type:`event` (lvl: :zeek:type:`Broker::LogSeverityLevel`, id: :zeek:type:`string`, description: :zeek:type:`string`)
Generated when Broker emits an internal logging event.
:param lvl: the severity of the event as reported by Broker.
:param id: an identifier for the event type.
:param description: a message providing additional context.
.. zeek:id:: Broker::peer_added
:source-code: base/bif/comm.bif.zeek 36 36
:Type: :zeek:type:`event` (endpoint: :zeek:type:`Broker::EndpointInfo`, msg: :zeek:type:`string`)
Generated when a new peering has been established. Both sides of the peering
receive this event, created independently in each endpoint. For the endpoint
establishing the peering, the added endpoint's network information will match
the address and port provided to :zeek:see:`Broker::peer`; for the listening
endpoint it's the peer's TCP client's address and (likely ephemeral) TCP
port.
:param endpoint: the added endpoint's Broker ID and connection information.
:param msg: a message providing additional context.
.. zeek:see:: Broker::peer_removed Broker::peer_lost
Broker::endpoint_discovered Broker::endpoint_unreachable
Broker::status Broker::error
.. zeek:id:: Broker::peer_lost
:source-code: base/bif/comm.bif.zeek 74 74
:Type: :zeek:type:`event` (endpoint: :zeek:type:`Broker::EndpointInfo`, msg: :zeek:type:`string`)
Generated when the local endpoint has lost its peering with another
endpoint. This event fires when the other endpoint stops or removes the
peering for some other reason. This event is independent of the original
directionality of connection establishment.
:param endpoint: the lost endpoint's Broker ID and connection information.
:param msg: a message providing additional context.
.. zeek:see:: Broker::peer_added Broker::peer_removed
Broker::endpoint_discovered Broker::endpoint_unreachable
Broker::status Broker::error
.. zeek:id:: Broker::peer_removed
:source-code: base/bif/comm.bif.zeek 59 59
:Type: :zeek:type:`event` (endpoint: :zeek:type:`Broker::EndpointInfo`, msg: :zeek:type:`string`)
Generated when the local endpoint has removed its peering with another
endpoint. This event can fire for multiple reasons, such as a local call to
:zeek:see:`Broker::unpeer`, or because Broker autonomously decides to
unpeer. One reason it might do this is message I/O backpressure overflow,
meaning that the remote peer cannot keep up with the stream of messages the
local endpoint sends it. Regardless of the cause, the remote endpoint will
locally trigger a corresponding :zeek:see:`Broker::peer_lost` event once the
peering ends. These events are independent of the original directionality of
TCP connection establishment and only reflect which endpoint terminates the
peering.
:param endpoint: the removed endpoint's Broker ID and connection information.
:param msg: a message providing additional context. If backpressure overflow
caused this unpeering, the message contains the string
*caf::sec::backpressure_overflow*.
.. zeek:see:: Broker::peer_added Broker::peer_lost
Broker::endpoint_discovered Broker::endpoint_unreachable
Broker::status Broker::error
.. zeek:id:: Broker::status
:source-code: base/bif/comm.bif.zeek 96 96
:Type: :zeek:type:`event` (endpoint: :zeek:type:`Broker::EndpointInfo`, msg: :zeek:type:`string`)
Generated when an unspecified change occurs in Broker. This event only fires
when the status change isn't covered by more specific Broker events. The
provided message string may be empty.
:param endpoint: the Broker ID and connection information, if available,
of the endpoint the update relates to.
:param msg: a message providing additional context.
.. zeek:see:: Broker::peer_added Broker::peer_removed Broker::peer_lost
Broker::endpoint_discovered Broker::endpoint_unreachable Broker::error
Functions
#########
.. zeek:id:: Broker::__is_outbound_peering
:source-code: base/bif/comm.bif.zeek 167 167
:Type: :zeek:type:`function` (a: :zeek:type:`string`, p: :zeek:type:`port`) : :zeek:type:`bool`
.. zeek:id:: Broker::__listen
:source-code: base/bif/comm.bif.zeek 155 155
:Type: :zeek:type:`function` (a: :zeek:type:`string`, p: :zeek:type:`port`, proto: :zeek:type:`Broker::BrokerProtocol`) : :zeek:type:`port`
.. zeek:id:: Broker::__node_id
:source-code: base/bif/comm.bif.zeek 173 173
:Type: :zeek:type:`function` () : :zeek:type:`string`
.. zeek:id:: Broker::__peer
:source-code: base/bif/comm.bif.zeek 158 158
:Type: :zeek:type:`function` (a: :zeek:type:`string`, p: :zeek:type:`port`, retry: :zeek:type:`interval`) : :zeek:type:`bool`
.. zeek:id:: Broker::__peer_no_retry
:source-code: base/bif/comm.bif.zeek 161 161
:Type: :zeek:type:`function` (a: :zeek:type:`string`, p: :zeek:type:`port`) : :zeek:type:`bool`
.. zeek:id:: Broker::__peering_stats
:source-code: base/bif/comm.bif.zeek 176 176
:Type: :zeek:type:`function` () : :zeek:type:`BrokerPeeringStatsTable`
.. zeek:id:: Broker::__peers
:source-code: base/bif/comm.bif.zeek 170 170
:Type: :zeek:type:`function` () : :zeek:type:`Broker::PeerInfos`
.. zeek:id:: Broker::__unpeer
:source-code: base/bif/comm.bif.zeek 164 164
:Type: :zeek:type:`function` (a: :zeek:type:`string`, p: :zeek:type:`port`) : :zeek:type:`bool`
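Review bot: the eight `Broker::__*` entries at the end of this hunk, from `Broker::__is_outbound_peering` through `Broker::__unpeer`, carry nothing but a signature, so a reader gets no hint of what each does or which public function wraps it. The file_analysis.bif.zeek page added in this same commit shows the convention for internal wrappers: a one-line cross-reference such as ":zeek:see:`Files::stop`." under each `Files::__*` id. The same one-liner here (for instance ":zeek:see:`Broker::unpeer`." under `Broker::__unpeer`, the public name the `Broker::peer_removed` text above already references) would close the gap without touching any signature.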


@ -0,0 +1,37 @@
:tocdepth: 3
base/bif/communityid.bif.zeek
=============================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Functions
#########
================================================= ================================================================
:zeek:id:`community_id_v1`: :zeek:type:`function` Compute the Community ID hash (v1) from a connection identifier.
================================================= ================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. zeek:id:: community_id_v1
:source-code: base/bif/communityid.bif.zeek 12 12
:Type: :zeek:type:`function` (cid: :zeek:type:`conn_id`, seed: :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`, do_base64: :zeek:type:`bool` :zeek:attr:`&default` = ``T`` :zeek:attr:`&optional`) : :zeek:type:`string`
Compute the Community ID hash (v1) from a connection identifier.
:param cid: The identifier of the connection for which to compute the community-id.
:returns: The Community ID hash of the connection identifier as string.
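Review bot: the signature of `community_id_v1` declares three parameters (`cid`, `seed` with default ``0`` and `do_base64` with default ``T``), but the parameter list documents only `cid`. Add `:param seed:` and `:param do_base64:` entries that say what the seed is mixed into and what the returned string looks like when base64 encoding is switched off; otherwise the two optional arguments are invisible on the rendered page.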


@ -0,0 +1,18 @@
:tocdepth: 3
base/bif/const.bif.zeek
=======================
.. zeek:namespace:: GLOBAL
Declaration of various scripting-layer constants that the Zeek core uses
internally. Documentation and default values for the scripting-layer
variables themselves are found in :doc:`/scripts/base/init-bare.zeek`.
:Namespace: GLOBAL
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~


@ -0,0 +1,372 @@
:tocdepth: 3
base/bif/data.bif.zeek
======================
.. zeek:namespace:: Broker
.. zeek:namespace:: GLOBAL
Functions for inspecting and manipulating broker data.
:Namespaces: Broker, GLOBAL
Summary
~~~~~~~
Types
#####
================================================ =====================================================================
:zeek:type:`Broker::DataType`: :zeek:type:`enum` Enumerates the possible types that :zeek:see:`Broker::Data` may be in
terms of Zeek data types.
================================================ =====================================================================
Functions
#########
============================================================================== =
:zeek:id:`Broker::__data`: :zeek:type:`function`
:zeek:id:`Broker::__data_type`: :zeek:type:`function`
:zeek:id:`Broker::__opaque_clone_through_serialization`: :zeek:type:`function`
:zeek:id:`Broker::__record_assign`: :zeek:type:`function`
:zeek:id:`Broker::__record_create`: :zeek:type:`function`
:zeek:id:`Broker::__record_iterator`: :zeek:type:`function`
:zeek:id:`Broker::__record_iterator_last`: :zeek:type:`function`
:zeek:id:`Broker::__record_iterator_next`: :zeek:type:`function`
:zeek:id:`Broker::__record_iterator_value`: :zeek:type:`function`
:zeek:id:`Broker::__record_lookup`: :zeek:type:`function`
:zeek:id:`Broker::__record_size`: :zeek:type:`function`
:zeek:id:`Broker::__set_clear`: :zeek:type:`function`
:zeek:id:`Broker::__set_contains`: :zeek:type:`function`
:zeek:id:`Broker::__set_create`: :zeek:type:`function`
:zeek:id:`Broker::__set_insert`: :zeek:type:`function`
:zeek:id:`Broker::__set_iterator`: :zeek:type:`function`
:zeek:id:`Broker::__set_iterator_last`: :zeek:type:`function`
:zeek:id:`Broker::__set_iterator_next`: :zeek:type:`function`
:zeek:id:`Broker::__set_iterator_value`: :zeek:type:`function`
:zeek:id:`Broker::__set_remove`: :zeek:type:`function`
:zeek:id:`Broker::__set_size`: :zeek:type:`function`
:zeek:id:`Broker::__table_clear`: :zeek:type:`function`
:zeek:id:`Broker::__table_contains`: :zeek:type:`function`
:zeek:id:`Broker::__table_create`: :zeek:type:`function`
:zeek:id:`Broker::__table_insert`: :zeek:type:`function`
:zeek:id:`Broker::__table_iterator`: :zeek:type:`function`
:zeek:id:`Broker::__table_iterator_last`: :zeek:type:`function`
:zeek:id:`Broker::__table_iterator_next`: :zeek:type:`function`
:zeek:id:`Broker::__table_iterator_value`: :zeek:type:`function`
:zeek:id:`Broker::__table_lookup`: :zeek:type:`function`
:zeek:id:`Broker::__table_remove`: :zeek:type:`function`
:zeek:id:`Broker::__table_size`: :zeek:type:`function`
:zeek:id:`Broker::__vector_clear`: :zeek:type:`function`
:zeek:id:`Broker::__vector_create`: :zeek:type:`function`
:zeek:id:`Broker::__vector_insert`: :zeek:type:`function`
:zeek:id:`Broker::__vector_iterator`: :zeek:type:`function`
:zeek:id:`Broker::__vector_iterator_last`: :zeek:type:`function`
:zeek:id:`Broker::__vector_iterator_next`: :zeek:type:`function`
:zeek:id:`Broker::__vector_iterator_value`: :zeek:type:`function`
:zeek:id:`Broker::__vector_lookup`: :zeek:type:`function`
:zeek:id:`Broker::__vector_remove`: :zeek:type:`function`
:zeek:id:`Broker::__vector_replace`: :zeek:type:`function`
:zeek:id:`Broker::__vector_size`: :zeek:type:`function`
============================================================================== =
Detailed Interface
~~~~~~~~~~~~~~~~~~
Types
#####
.. zeek:type:: Broker::DataType
:source-code: base/bif/data.bif.zeek 14 14
:Type: :zeek:type:`enum`
.. zeek:enum:: Broker::NONE Broker::DataType
.. zeek:enum:: Broker::BOOL Broker::DataType
.. zeek:enum:: Broker::INT Broker::DataType
.. zeek:enum:: Broker::COUNT Broker::DataType
.. zeek:enum:: Broker::DOUBLE Broker::DataType
.. zeek:enum:: Broker::STRING Broker::DataType
.. zeek:enum:: Broker::ADDR Broker::DataType
.. zeek:enum:: Broker::SUBNET Broker::DataType
.. zeek:enum:: Broker::PORT Broker::DataType
.. zeek:enum:: Broker::TIME Broker::DataType
.. zeek:enum:: Broker::INTERVAL Broker::DataType
.. zeek:enum:: Broker::ENUM Broker::DataType
.. zeek:enum:: Broker::SET Broker::DataType
.. zeek:enum:: Broker::TABLE Broker::DataType
.. zeek:enum:: Broker::VECTOR Broker::DataType
Enumerates the possible types that :zeek:see:`Broker::Data` may be in
terms of Zeek data types.
Functions
#########
.. zeek:id:: Broker::__data
:source-code: base/bif/data.bif.zeek 37 37
:Type: :zeek:type:`function` (d: :zeek:type:`any`) : :zeek:type:`Broker::Data`
.. zeek:id:: Broker::__data_type
:source-code: base/bif/data.bif.zeek 40 40
:Type: :zeek:type:`function` (d: :zeek:type:`Broker::Data`) : :zeek:type:`Broker::DataType`
.. zeek:id:: Broker::__opaque_clone_through_serialization
:source-code: base/bif/data.bif.zeek 44 44
:Type: :zeek:type:`function` (d: :zeek:type:`any`) : :zeek:type:`any`
.. zeek:id:: Broker::__record_assign
:source-code: base/bif/data.bif.zeek 149 149
:Type: :zeek:type:`function` (r: :zeek:type:`Broker::Data`, idx: :zeek:type:`count`, d: :zeek:type:`any`) : :zeek:type:`bool`
.. zeek:id:: Broker::__record_create
:source-code: base/bif/data.bif.zeek 143 143
:Type: :zeek:type:`function` (sz: :zeek:type:`count`) : :zeek:type:`Broker::Data`
.. zeek:id:: Broker::__record_iterator
:source-code: base/bif/data.bif.zeek 155 155
:Type: :zeek:type:`function` (r: :zeek:type:`Broker::Data`) : :zeek:type:`opaque` of Broker::RecordIterator
.. zeek:id:: Broker::__record_iterator_last
:source-code: base/bif/data.bif.zeek 158 158
:Type: :zeek:type:`function` (it: :zeek:type:`opaque` of Broker::RecordIterator) : :zeek:type:`bool`
.. zeek:id:: Broker::__record_iterator_next
:source-code: base/bif/data.bif.zeek 161 161
:Type: :zeek:type:`function` (it: :zeek:type:`opaque` of Broker::RecordIterator) : :zeek:type:`bool`
.. zeek:id:: Broker::__record_iterator_value
:source-code: base/bif/data.bif.zeek 164 164
:Type: :zeek:type:`function` (it: :zeek:type:`opaque` of Broker::RecordIterator) : :zeek:type:`Broker::Data`
.. zeek:id:: Broker::__record_lookup
:source-code: base/bif/data.bif.zeek 152 152
:Type: :zeek:type:`function` (r: :zeek:type:`Broker::Data`, idx: :zeek:type:`count`) : :zeek:type:`Broker::Data`
.. zeek:id:: Broker::__record_size
:source-code: base/bif/data.bif.zeek 146 146
:Type: :zeek:type:`function` (r: :zeek:type:`Broker::Data`) : :zeek:type:`count`
.. zeek:id:: Broker::__set_clear
:source-code: base/bif/data.bif.zeek 50 50
:Type: :zeek:type:`function` (s: :zeek:type:`Broker::Data`) : :zeek:type:`bool`
.. zeek:id:: Broker::__set_contains
:source-code: base/bif/data.bif.zeek 56 56
:Type: :zeek:type:`function` (s: :zeek:type:`Broker::Data`, key: :zeek:type:`any`) : :zeek:type:`bool`
.. zeek:id:: Broker::__set_create
:source-code: base/bif/data.bif.zeek 47 47
:Type: :zeek:type:`function` () : :zeek:type:`Broker::Data`
.. zeek:id:: Broker::__set_insert
:source-code: base/bif/data.bif.zeek 59 59
:Type: :zeek:type:`function` (s: :zeek:type:`Broker::Data`, key: :zeek:type:`any`) : :zeek:type:`bool`
.. zeek:id:: Broker::__set_iterator
:source-code: base/bif/data.bif.zeek 65 65
:Type: :zeek:type:`function` (s: :zeek:type:`Broker::Data`) : :zeek:type:`opaque` of Broker::SetIterator
.. zeek:id:: Broker::__set_iterator_last
:source-code: base/bif/data.bif.zeek 68 68
:Type: :zeek:type:`function` (it: :zeek:type:`opaque` of Broker::SetIterator) : :zeek:type:`bool`
.. zeek:id:: Broker::__set_iterator_next
:source-code: base/bif/data.bif.zeek 71 71
:Type: :zeek:type:`function` (it: :zeek:type:`opaque` of Broker::SetIterator) : :zeek:type:`bool`
.. zeek:id:: Broker::__set_iterator_value
:source-code: base/bif/data.bif.zeek 74 74
:Type: :zeek:type:`function` (it: :zeek:type:`opaque` of Broker::SetIterator) : :zeek:type:`Broker::Data`
.. zeek:id:: Broker::__set_remove
:source-code: base/bif/data.bif.zeek 62 62
:Type: :zeek:type:`function` (s: :zeek:type:`Broker::Data`, key: :zeek:type:`any`) : :zeek:type:`bool`
.. zeek:id:: Broker::__set_size
:source-code: base/bif/data.bif.zeek 53 53
:Type: :zeek:type:`function` (s: :zeek:type:`Broker::Data`) : :zeek:type:`count`
.. zeek:id:: Broker::__table_clear
:source-code: base/bif/data.bif.zeek 80 80
:Type: :zeek:type:`function` (t: :zeek:type:`Broker::Data`) : :zeek:type:`bool`
.. zeek:id:: Broker::__table_contains
:source-code: base/bif/data.bif.zeek 86 86
:Type: :zeek:type:`function` (t: :zeek:type:`Broker::Data`, key: :zeek:type:`any`) : :zeek:type:`bool`
.. zeek:id:: Broker::__table_create
:source-code: base/bif/data.bif.zeek 77 77
:Type: :zeek:type:`function` () : :zeek:type:`Broker::Data`
.. zeek:id:: Broker::__table_insert
:source-code: base/bif/data.bif.zeek 89 89
:Type: :zeek:type:`function` (t: :zeek:type:`Broker::Data`, key: :zeek:type:`any`, val: :zeek:type:`any`) : :zeek:type:`Broker::Data`
.. zeek:id:: Broker::__table_iterator
:source-code: base/bif/data.bif.zeek 98 98
:Type: :zeek:type:`function` (t: :zeek:type:`Broker::Data`) : :zeek:type:`opaque` of Broker::TableIterator
.. zeek:id:: Broker::__table_iterator_last
:source-code: base/bif/data.bif.zeek 101 101
:Type: :zeek:type:`function` (it: :zeek:type:`opaque` of Broker::TableIterator) : :zeek:type:`bool`
.. zeek:id:: Broker::__table_iterator_next
:source-code: base/bif/data.bif.zeek 104 104
:Type: :zeek:type:`function` (it: :zeek:type:`opaque` of Broker::TableIterator) : :zeek:type:`bool`
.. zeek:id:: Broker::__table_iterator_value
:source-code: base/bif/data.bif.zeek 107 107
:Type: :zeek:type:`function` (it: :zeek:type:`opaque` of Broker::TableIterator) : :zeek:type:`Broker::TableItem`
.. zeek:id:: Broker::__table_lookup
:source-code: base/bif/data.bif.zeek 95 95
:Type: :zeek:type:`function` (t: :zeek:type:`Broker::Data`, key: :zeek:type:`any`) : :zeek:type:`Broker::Data`
.. zeek:id:: Broker::__table_remove
:source-code: base/bif/data.bif.zeek 92 92
:Type: :zeek:type:`function` (t: :zeek:type:`Broker::Data`, key: :zeek:type:`any`) : :zeek:type:`Broker::Data`
.. zeek:id:: Broker::__table_size
:source-code: base/bif/data.bif.zeek 83 83
:Type: :zeek:type:`function` (t: :zeek:type:`Broker::Data`) : :zeek:type:`count`
.. zeek:id:: Broker::__vector_clear
:source-code: base/bif/data.bif.zeek 113 113
:Type: :zeek:type:`function` (v: :zeek:type:`Broker::Data`) : :zeek:type:`bool`
.. zeek:id:: Broker::__vector_create
:source-code: base/bif/data.bif.zeek 110 110
:Type: :zeek:type:`function` () : :zeek:type:`Broker::Data`
.. zeek:id:: Broker::__vector_insert
:source-code: base/bif/data.bif.zeek 119 119
:Type: :zeek:type:`function` (v: :zeek:type:`Broker::Data`, idx: :zeek:type:`count`, d: :zeek:type:`any`) : :zeek:type:`bool`
.. zeek:id:: Broker::__vector_iterator
:source-code: base/bif/data.bif.zeek 131 131
:Type: :zeek:type:`function` (v: :zeek:type:`Broker::Data`) : :zeek:type:`opaque` of Broker::VectorIterator
.. zeek:id:: Broker::__vector_iterator_last
:source-code: base/bif/data.bif.zeek 134 134
:Type: :zeek:type:`function` (it: :zeek:type:`opaque` of Broker::VectorIterator) : :zeek:type:`bool`
.. zeek:id:: Broker::__vector_iterator_next
:source-code: base/bif/data.bif.zeek 137 137
:Type: :zeek:type:`function` (it: :zeek:type:`opaque` of Broker::VectorIterator) : :zeek:type:`bool`
.. zeek:id:: Broker::__vector_iterator_value
:source-code: base/bif/data.bif.zeek 140 140
:Type: :zeek:type:`function` (it: :zeek:type:`opaque` of Broker::VectorIterator) : :zeek:type:`Broker::Data`
.. zeek:id:: Broker::__vector_lookup
:source-code: base/bif/data.bif.zeek 128 128
:Type: :zeek:type:`function` (v: :zeek:type:`Broker::Data`, idx: :zeek:type:`count`) : :zeek:type:`Broker::Data`
.. zeek:id:: Broker::__vector_remove
:source-code: base/bif/data.bif.zeek 125 125
:Type: :zeek:type:`function` (v: :zeek:type:`Broker::Data`, idx: :zeek:type:`count`) : :zeek:type:`Broker::Data`
.. zeek:id:: Broker::__vector_replace
:source-code: base/bif/data.bif.zeek 122 122
:Type: :zeek:type:`function` (v: :zeek:type:`Broker::Data`, idx: :zeek:type:`count`, d: :zeek:type:`any`) : :zeek:type:`Broker::Data`
.. zeek:id:: Broker::__vector_size
:source-code: base/bif/data.bif.zeek 116 116
:Type: :zeek:type:`function` (v: :zeek:type:`Broker::Data`) : :zeek:type:`count`
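Review bot: the Functions summary table in this hunk (the block from `Broker::__data` to `Broker::__vector_size`) has a one-character description column, meaning none of the 44 `Broker::__*` functions has any descriptive text, and the Detailed Interface below repeats the bare signatures. `Broker::DataType` is the only documented item on the page. Since this file is generated, the fix belongs in the `##` comments of data.bif itself; at minimum each id should get a `:zeek:see:` pointer to its script-layer wrapper, the way file_analysis.bif.zeek does for its `Files::__*` functions in this same commit.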

File diff suppressed because it is too large Load diff


@ -0,0 +1,146 @@
:tocdepth: 3
base/bif/file_analysis.bif.zeek
===============================
.. zeek:namespace:: Files
.. zeek:namespace:: GLOBAL
Internal functions and types used by the file analysis framework.
:Namespaces: Files, GLOBAL
Summary
~~~~~~~
Functions
#########
================================================================ ====================================================================
:zeek:id:`Files::__add_analyzer`: :zeek:type:`function` :zeek:see:`Files::add_analyzer`.
:zeek:id:`Files::__analyzer_enabled`: :zeek:type:`function` :zeek:see:`Files::analyzer_enabled`.
:zeek:id:`Files::__analyzer_name`: :zeek:type:`function` :zeek:see:`Files::analyzer_name`.
:zeek:id:`Files::__disable_analyzer`: :zeek:type:`function` :zeek:see:`Files::disable_analyzer`.
:zeek:id:`Files::__disable_reassembly`: :zeek:type:`function` :zeek:see:`Files::disable_reassembly`.
:zeek:id:`Files::__enable_analyzer`: :zeek:type:`function` :zeek:see:`Files::enable_analyzer`.
:zeek:id:`Files::__enable_reassembly`: :zeek:type:`function` :zeek:see:`Files::enable_reassembly`.
:zeek:id:`Files::__file_exists`: :zeek:type:`function` :zeek:see:`Files::file_exists`.
:zeek:id:`Files::__lookup_file`: :zeek:type:`function` :zeek:see:`Files::lookup_file`.
:zeek:id:`Files::__remove_analyzer`: :zeek:type:`function` :zeek:see:`Files::remove_analyzer`.
:zeek:id:`Files::__set_reassembly_buffer`: :zeek:type:`function` :zeek:see:`Files::set_reassembly_buffer_size`.
:zeek:id:`Files::__set_timeout_interval`: :zeek:type:`function` :zeek:see:`Files::set_timeout_interval`.
:zeek:id:`Files::__stop`: :zeek:type:`function` :zeek:see:`Files::stop`.
:zeek:id:`set_file_handle`: :zeek:type:`function` For use within a :zeek:see:`get_file_handle` handler to set a unique
identifier to associate with the current input to the file analysis
framework.
================================================================ ====================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. zeek:id:: Files::__add_analyzer
:source-code: base/bif/file_analysis.bif.zeek 42 42
:Type: :zeek:type:`function` (file_id: :zeek:type:`string`, tag: :zeek:type:`Files::Tag`, args: :zeek:type:`any`) : :zeek:type:`bool`
:zeek:see:`Files::add_analyzer`.
.. zeek:id:: Files::__analyzer_enabled
:source-code: base/bif/file_analysis.bif.zeek 38 38
:Type: :zeek:type:`function` (tag: :zeek:type:`Files::Tag`) : :zeek:type:`bool`
:zeek:see:`Files::analyzer_enabled`.
.. zeek:id:: Files::__analyzer_name
:source-code: base/bif/file_analysis.bif.zeek 54 54
:Type: :zeek:type:`function` (tag: :zeek:type:`Files::Tag`) : :zeek:type:`string`
:zeek:see:`Files::analyzer_name`.
.. zeek:id:: Files::__disable_analyzer
:source-code: base/bif/file_analysis.bif.zeek 34 34
:Type: :zeek:type:`function` (tag: :zeek:type:`Files::Tag`) : :zeek:type:`bool`
:zeek:see:`Files::disable_analyzer`.
.. zeek:id:: Files::__disable_reassembly
:source-code: base/bif/file_analysis.bif.zeek 22 22
:Type: :zeek:type:`function` (file_id: :zeek:type:`string`) : :zeek:type:`bool`
:zeek:see:`Files::disable_reassembly`.
.. zeek:id:: Files::__enable_analyzer
:source-code: base/bif/file_analysis.bif.zeek 30 30
:Type: :zeek:type:`function` (tag: :zeek:type:`Files::Tag`) : :zeek:type:`bool`
:zeek:see:`Files::enable_analyzer`.
.. zeek:id:: Files::__enable_reassembly
:source-code: base/bif/file_analysis.bif.zeek 18 18
:Type: :zeek:type:`function` (file_id: :zeek:type:`string`) : :zeek:type:`bool`
:zeek:see:`Files::enable_reassembly`.
.. zeek:id:: Files::__file_exists
:source-code: base/bif/file_analysis.bif.zeek 58 58
:Type: :zeek:type:`function` (fuid: :zeek:type:`string`) : :zeek:type:`bool`
:zeek:see:`Files::file_exists`.
.. zeek:id:: Files::__lookup_file
:source-code: base/bif/file_analysis.bif.zeek 62 62
:Type: :zeek:type:`function` (fuid: :zeek:type:`string`) : :zeek:type:`fa_file`
:zeek:see:`Files::lookup_file`.
.. zeek:id:: Files::__remove_analyzer
:source-code: base/bif/file_analysis.bif.zeek 46 46
:Type: :zeek:type:`function` (file_id: :zeek:type:`string`, tag: :zeek:type:`Files::Tag`, args: :zeek:type:`any`) : :zeek:type:`bool`
:zeek:see:`Files::remove_analyzer`.
.. zeek:id:: Files::__set_reassembly_buffer
:source-code: base/bif/file_analysis.bif.zeek 26 26
:Type: :zeek:type:`function` (file_id: :zeek:type:`string`, max: :zeek:type:`count`) : :zeek:type:`bool`
:zeek:see:`Files::set_reassembly_buffer_size`.
.. zeek:id:: Files::__set_timeout_interval
:source-code: base/bif/file_analysis.bif.zeek 14 14
:Type: :zeek:type:`function` (file_id: :zeek:type:`string`, t: :zeek:type:`interval`) : :zeek:type:`bool`
:zeek:see:`Files::set_timeout_interval`.
.. zeek:id:: Files::__stop
:source-code: base/bif/file_analysis.bif.zeek 50 50
:Type: :zeek:type:`function` (file_id: :zeek:type:`string`) : :zeek:type:`bool`
:zeek:see:`Files::stop`.
.. zeek:id:: set_file_handle
:source-code: base/bif/file_analysis.bif.zeek 76 76
:Type: :zeek:type:`function` (handle: :zeek:type:`string`) : :zeek:type:`any`
For use within a :zeek:see:`get_file_handle` handler to set a unique
identifier to associate with the current input to the file analysis
framework. Using an empty string for the handle signifies that the
input will be ignored/discarded.
:param handle: A string that uniquely identifies a file.
.. zeek:see:: get_file_handle


@ -0,0 +1,567 @@
:orphan:
Package: base/bif
=================
:doc:`/scripts/base/bif/const.bif.zeek`
Declaration of various scripting-layer constants that the Zeek core uses
internally. Documentation and default values for the scripting-layer
variables themselves are found in :doc:`/scripts/base/init-bare.zeek`.
:doc:`/scripts/base/bif/types.bif.zeek`
Declaration of various types that the Zeek core uses internally.
:doc:`/scripts/base/bif/zeek.bif.zeek`
A collection of built-in functions that implement a variety of things
such as general programming algorithms, string processing, math functions,
introspection, type conversion, file/directory manipulation, packet
filtering, interprocess communication and controlling protocol analyzer
behavior.
You'll find most of Zeek's built-in functions that aren't protocol-specific
in this file.
:doc:`/scripts/base/bif/communityid.bif.zeek`
:doc:`/scripts/base/bif/stats.bif.zeek`
:doc:`/scripts/base/bif/reporter.bif.zeek`
The reporter built-in functions allow for the scripting layer to
generate messages of varying severity. If no event handlers
exist for reporter messages, the messages are output to stderr.
If event handlers do exist, it's assumed they take care of determining
how/where to output the messages.
See :doc:`/scripts/base/frameworks/reporter/main.zeek` for a convenient
reporter message logging framework.
:doc:`/scripts/base/bif/strings.bif.zeek`
Definitions of built-in functions related to string processing and
manipulation.
:doc:`/scripts/base/bif/option.bif.zeek`
Definitions of built-in functions that allow the scripting layer to
change the value of options and to be notified when option values change.
:doc:`/scripts/base/bif/supervisor.bif.zeek`
The BIFs that define the Zeek supervisor control interface.
:doc:`/scripts/base/bif/packet_analysis.bif.zeek`
:doc:`/scripts/base/bif/CPP-load.bif.zeek`
Definitions of built-in functions related to loading compiled-to-C++
scripts.
:doc:`/scripts/base/bif/mmdb.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_SNMP.types.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_KRB.types.bif.zeek`
:doc:`/scripts/base/bif/telemetry_functions.bif.zeek`
Functions for accessing counter metrics from script land.
:doc:`/scripts/base/bif/telemetry_types.bif.zeek`
:doc:`/scripts/base/bif/event.bif.zeek`
The protocol-independent events that the C/C++ core of Zeek can generate.
This is mostly events not related to a specific transport- or
application-layer protocol, but also includes a few that may be generated
by more than one protocols analyzer (like events generated by both UDP and
TCP analysis.)
:doc:`/scripts/base/bif/analyzer.bif.zeek`
Internal functions and types used by the analyzer framework.
:doc:`/scripts/base/bif/file_analysis.bif.zeek`
Internal functions and types used by the file analysis framework.
:doc:`/scripts/base/bif/plugins/Zeek_Teredo.events.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_Teredo.functions.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_GTPv1.events.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_GTPv1.functions.bif.zeek`
:doc:`/scripts/base/bif/logging.bif.zeek`
Internal functions and types used by the logging framework.
:doc:`/scripts/base/bif/comm.bif.zeek`
Functions and events regarding broker communication mechanisms.
:doc:`/scripts/base/bif/messaging.bif.zeek`
Functions for peering and various messaging patterns.
:doc:`/scripts/base/bif/data.bif.zeek`
Functions for inspecting and manipulating broker data.
:doc:`/scripts/base/bif/store.bif.zeek`
Functions to interface with broker's distributed data store.
:doc:`/scripts/base/bif/input.bif.zeek`
Internal functions and types used by the input framework.
:doc:`/scripts/base/bif/cluster.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_Cluster_WebSocket.events.bif.zeek`
:doc:`/scripts/base/bif/__load__.zeek`
:doc:`/scripts/base/bif/telemetry_consts.bif.zeek`
:doc:`/scripts/base/bif/zeekygen.bif.zeek`
Functions for querying script, package, or variable documentation.
:doc:`/scripts/base/bif/pcap.bif.zeek`
:doc:`/scripts/base/bif/bloom-filter.bif.zeek`
Functions to create and manipulate Bloom filters.
:doc:`/scripts/base/bif/cardinality-counter.bif.zeek`
Functions to create and manipulate probabilistic cardinality counters.
:doc:`/scripts/base/bif/top-k.bif.zeek`
Functions to probabilistically determine top-k elements.
:doc:`/scripts/base/bif/storage.bif.zeek`
Functions related to general storage operations. These are not specific to async or sync.
:doc:`/scripts/base/bif/storage-async.bif.zeek`
Functions related to asynchronous storage operations.
:doc:`/scripts/base/bif/storage-events.bif.zeek`
Events related to storage operations.
:doc:`/scripts/base/bif/storage-sync.bif.zeek`
Functions related to synchronous storage operations.
:doc:`/scripts/base/bif/spicy.bif.zeek`
:doc:`/scripts/base/bif/plugins/__load__.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_BitTorrent.events.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_ConnSize.events.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_ConnSize.functions.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_DCE_RPC.consts.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_DCE_RPC.types.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_DCE_RPC.events.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_DHCP.events.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_DHCP.types.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_DNP3.events.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_DNS.events.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_File.events.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_FTP.events.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_FTP.functions.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_Gnutella.events.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_GSSAPI.events.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_HTTP.events.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_HTTP.functions.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_Ident.events.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_IMAP.events.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_IRC.events.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_KRB.events.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_Login.events.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_Login.functions.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_MIME.consts.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_MIME.events.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_Modbus.events.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_MQTT.types.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_MQTT.events.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_MySQL.events.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_NCP.events.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_NCP.consts.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_NetBIOS.events.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_NetBIOS.functions.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_NTLM.types.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_NTLM.events.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_NTP.types.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_NTP.events.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_POP3.consts.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_POP3.events.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_RADIUS.events.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_RDP.events.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_RDP.types.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_RFB.events.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_RPC.events.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_SIP.events.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb1_com_check_directory.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb1_com_close.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb1_com_create_directory.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb1_com_echo.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb1_com_logoff_andx.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb1_com_negotiate.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb1_com_nt_create_andx.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb1_com_nt_cancel.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb1_com_query_information.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb1_com_read_andx.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb1_com_session_setup_andx.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb1_com_transaction.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb1_com_transaction_secondary.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb1_com_transaction2.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb1_com_transaction2_secondary.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb1_com_tree_connect_andx.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb1_com_tree_disconnect.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb1_com_write_andx.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb1_events.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb2_com_close.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb2_com_create.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb2_com_negotiate.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb2_com_read.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb2_com_session_setup.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb2_com_set_info.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb2_com_tree_connect.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb2_com_tree_disconnect.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb2_com_write.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb2_com_transform_header.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb2_events.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_SMB.events.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_SMB.consts.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_SMB.types.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_SMTP.consts.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_SMTP.events.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_SMTP.functions.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_SNMP.events.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_SOCKS.events.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_SSH.types.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_SSH.events.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_SSL.types.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_SSL.events.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_SSL.functions.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_SSL.consts.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_StreamEvent.events.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_TCP.events.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_TCP.types.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_TCP.functions.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_WebSocket.consts.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_WebSocket.events.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_WebSocket.functions.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_WebSocket.types.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_XMPP.events.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_Cluster_Backend_ZeroMQ.cluster_backend_zeromq.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_PPPoE.functions.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_ARP.events.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_UDP.events.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_ICMP.events.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_Geneve.events.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_Geneve.functions.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_VXLAN.events.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_FileEntropy.events.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_FileExtract.events.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_FileExtract.functions.bif.zeek`
Internal functions used by the extraction file analyzer.
:doc:`/scripts/base/bif/plugins/Zeek_FileHash.events.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_PE.events.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_X509.events.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_X509.types.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_X509.functions.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_X509.ocsp_events.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_AsciiReader.ascii.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_BenchmarkReader.benchmark.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_BinaryReader.binary.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_ConfigReader.config.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_RawReader.raw.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_SQLiteReader.sqlite.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_AF_Packet.af_packet.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_AsciiWriter.ascii.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_NoneWriter.none.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_SQLiteWriter.sqlite.bif.zeek`
:doc:`/scripts/base/bif/plugins/Zeek_JavaScript.zeekjs.bif.zeek`
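Review bot: the ordering of this index is inconsistent: entries run alphabetically through Zeek_XMPP and then continue with Zeek_Cluster_Backend_ZeroMQ, Zeek_PPPoE, Zeek_ARP, Zeek_UDP, Zeek_ICMP and the reader/writer plugins in what looks like plugin load order rather than name order. If the generator emits the list in load order, sorting the whole list before committing would make a given plugin page easier to find. Also, only the Zeek_FileExtract.functions.bif.zeek entry carries a description line ("Internal functions used by the extraction file analyzer."); unless the other .bif files simply lack a module-level doc comment, that single line reads as stray text in the listing.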

View file

@ -0,0 +1,59 @@
:tocdepth: 3
base/bif/input.bif.zeek
=======================
.. zeek:namespace:: GLOBAL
.. zeek:namespace:: Input
Internal functions and types used by the input framework.
:Namespaces: GLOBAL, Input
Summary
~~~~~~~
Functions
#########
================================================================= =
:zeek:id:`Input::__create_analysis_stream`: :zeek:type:`function`
:zeek:id:`Input::__create_event_stream`: :zeek:type:`function`
:zeek:id:`Input::__create_table_stream`: :zeek:type:`function`
:zeek:id:`Input::__force_update`: :zeek:type:`function`
:zeek:id:`Input::__remove_stream`: :zeek:type:`function`
================================================================= =
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. zeek:id:: Input::__create_analysis_stream
:source-code: base/bif/input.bif.zeek 28 28
:Type: :zeek:type:`function` (description: :zeek:type:`Input::AnalysisDescription`) : :zeek:type:`bool`
.. zeek:id:: Input::__create_event_stream
:source-code: base/bif/input.bif.zeek 25 25
:Type: :zeek:type:`function` (description: :zeek:type:`Input::EventDescription`) : :zeek:type:`bool`
.. zeek:id:: Input::__create_table_stream
:source-code: base/bif/input.bif.zeek 22 22
:Type: :zeek:type:`function` (description: :zeek:type:`Input::TableDescription`) : :zeek:type:`bool`
.. zeek:id:: Input::__force_update
:source-code: base/bif/input.bif.zeek 34 34
:Type: :zeek:type:`function` (id: :zeek:type:`string`) : :zeek:type:`bool`
.. zeek:id:: Input::__remove_stream
:source-code: base/bif/input.bif.zeek 31 31
:Type: :zeek:type:`function` (id: :zeek:type:`string`) : :zeek:type:`bool`

View file

@ -0,0 +1,122 @@
:tocdepth: 3
base/bif/logging.bif.zeek
=========================
.. zeek:namespace:: GLOBAL
.. zeek:namespace:: Log
Internal functions and types used by the logging framework.
:Namespaces: GLOBAL, Log
Summary
~~~~~~~
Functions
#########
================================================================= =
:zeek:id:`Log::__add_filter`: :zeek:type:`function`
:zeek:id:`Log::__create_stream`: :zeek:type:`function`
:zeek:id:`Log::__delay`: :zeek:type:`function`
:zeek:id:`Log::__delay_finish`: :zeek:type:`function`
:zeek:id:`Log::__disable_stream`: :zeek:type:`function`
:zeek:id:`Log::__enable_stream`: :zeek:type:`function`
:zeek:id:`Log::__flush`: :zeek:type:`function`
:zeek:id:`Log::__get_delay_queue_size`: :zeek:type:`function`
:zeek:id:`Log::__remove_filter`: :zeek:type:`function`
:zeek:id:`Log::__remove_stream`: :zeek:type:`function`
:zeek:id:`Log::__set_buf`: :zeek:type:`function`
:zeek:id:`Log::__set_max_delay_interval`: :zeek:type:`function`
:zeek:id:`Log::__set_max_delay_queue_size`: :zeek:type:`function`
:zeek:id:`Log::__write`: :zeek:type:`function`
================================================================= =
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. zeek:id:: Log::__add_filter
:source-code: base/bif/logging.bif.zeek 35 35
:Type: :zeek:type:`function` (id: :zeek:type:`Log::ID`, filter: :zeek:type:`Log::Filter`) : :zeek:type:`bool`
.. zeek:id:: Log::__create_stream
:source-code: base/bif/logging.bif.zeek 23 23
:Type: :zeek:type:`function` (id: :zeek:type:`Log::ID`, stream: :zeek:type:`Log::Stream`) : :zeek:type:`bool`
.. zeek:id:: Log::__delay
:source-code: base/bif/logging.bif.zeek 52 52
:Type: :zeek:type:`function` (id: :zeek:type:`Log::ID`, rec: :zeek:type:`any`, post_delay_cb: :zeek:type:`Log::PostDelayCallback`) : :zeek:type:`Log::DelayToken`
.. zeek:id:: Log::__delay_finish
:source-code: base/bif/logging.bif.zeek 55 55
:Type: :zeek:type:`function` (id: :zeek:type:`Log::ID`, rec: :zeek:type:`any`, token: :zeek:type:`Log::DelayToken`) : :zeek:type:`bool`
.. zeek:id:: Log::__disable_stream
:source-code: base/bif/logging.bif.zeek 32 32
:Type: :zeek:type:`function` (id: :zeek:type:`Log::ID`) : :zeek:type:`bool`
.. zeek:id:: Log::__enable_stream
:source-code: base/bif/logging.bif.zeek 29 29
:Type: :zeek:type:`function` (id: :zeek:type:`Log::ID`) : :zeek:type:`bool`
.. zeek:id:: Log::__flush
:source-code: base/bif/logging.bif.zeek 47 47
:Type: :zeek:type:`function` (id: :zeek:type:`Log::ID`) : :zeek:type:`bool`
.. zeek:id:: Log::__get_delay_queue_size
:source-code: base/bif/logging.bif.zeek 64 64
:Type: :zeek:type:`function` (id: :zeek:type:`Log::ID`) : :zeek:type:`int`
.. zeek:id:: Log::__remove_filter
:source-code: base/bif/logging.bif.zeek 38 38
:Type: :zeek:type:`function` (id: :zeek:type:`Log::ID`, name: :zeek:type:`string`) : :zeek:type:`bool`
.. zeek:id:: Log::__remove_stream
:source-code: base/bif/logging.bif.zeek 26 26
:Type: :zeek:type:`function` (id: :zeek:type:`Log::ID`) : :zeek:type:`bool`
.. zeek:id:: Log::__set_buf
:source-code: base/bif/logging.bif.zeek 44 44
:Type: :zeek:type:`function` (id: :zeek:type:`Log::ID`, buffered: :zeek:type:`bool`) : :zeek:type:`bool`
.. zeek:id:: Log::__set_max_delay_interval
:source-code: base/bif/logging.bif.zeek 58 58
:Type: :zeek:type:`function` (id: :zeek:type:`Log::ID`, max_delay: :zeek:type:`interval`) : :zeek:type:`bool`
.. zeek:id:: Log::__set_max_delay_queue_size
:source-code: base/bif/logging.bif.zeek 61 61
:Type: :zeek:type:`function` (id: :zeek:type:`Log::ID`, max_queue_size: :zeek:type:`count`) : :zeek:type:`bool`
.. zeek:id:: Log::__write
:source-code: base/bif/logging.bif.zeek 41 41
:Type: :zeek:type:`function` (id: :zeek:type:`Log::ID`, columns: :zeek:type:`any`) : :zeek:type:`bool`
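Review bot: Log::__get_delay_queue_size returns an int while Log::__set_max_delay_queue_size takes a count for the same quantity; if the signed return is meant to signal an error condition (for example an unknown stream id) that should be stated, because none of the functions in this file carry a description, so a caller cannot tell a negative return from a valid size from the docs alone. A one-line summary per function, as the other bif pages in this commit have, would resolve this.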

View file

@ -0,0 +1,96 @@
:tocdepth: 3
base/bif/messaging.bif.zeek
===========================
.. zeek:namespace:: Broker
.. zeek:namespace:: GLOBAL
Functions for peering and various messaging patterns.
:Namespaces: Broker, GLOBAL
Summary
~~~~~~~
Functions
#########
======================================================= ===================================================================
:zeek:id:`Broker::__flush_logs`: :zeek:type:`function`
:zeek:id:`Broker::__forward`: :zeek:type:`function`
:zeek:id:`Broker::__publish_id`: :zeek:type:`function`
:zeek:id:`Broker::__subscribe`: :zeek:type:`function`
:zeek:id:`Broker::__unsubscribe`: :zeek:type:`function`
:zeek:id:`Broker::make_event`: :zeek:type:`function` Create a data structure that may be used to send a remote event via
:zeek:see:`Broker::publish`.
:zeek:id:`Broker::publish`: :zeek:type:`function` Publishes an event at a given topic.
======================================================= ===================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. zeek:id:: Broker::__flush_logs
:source-code: base/bif/messaging.bif.zeek 37 37
:Type: :zeek:type:`function` () : :zeek:type:`count`
.. zeek:id:: Broker::__forward
:source-code: base/bif/messaging.bif.zeek 46 46
:Type: :zeek:type:`function` (topic_prefix: :zeek:type:`string`) : :zeek:type:`bool`
.. zeek:id:: Broker::__publish_id
:source-code: base/bif/messaging.bif.zeek 40 40
:Type: :zeek:type:`function` (topic: :zeek:type:`string`, id: :zeek:type:`string`) : :zeek:type:`bool`
.. zeek:id:: Broker::__subscribe
:source-code: base/bif/messaging.bif.zeek 43 43
:Type: :zeek:type:`function` (topic_prefix: :zeek:type:`string`) : :zeek:type:`bool`
.. zeek:id:: Broker::__unsubscribe
:source-code: base/bif/messaging.bif.zeek 49 49
:Type: :zeek:type:`function` (topic_prefix: :zeek:type:`string`) : :zeek:type:`bool`
.. zeek:id:: Broker::make_event
:source-code: base/bif/messaging.bif.zeek 22 22
:Type: :zeek:type:`function` (...) : :zeek:type:`Broker::Event`
Create a data structure that may be used to send a remote event via
:zeek:see:`Broker::publish`.
:param args: an event, followed by a list of argument values that may be used
to call it.
:returns: opaque communication data that may be used to send a remote
event.
.. zeek:id:: Broker::publish
:source-code: base/bif/messaging.bif.zeek 34 34
:Type: :zeek:type:`function` (...) : :zeek:type:`bool`
Publishes an event at a given topic.
:param topic: a topic associated with the event message.
:param args: Either the event arguments as already made by
:zeek:see:`Broker::make_event` or the argument list to pass along
to it.
:returns: true if the message is sent.
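Review bot: the ":returns: true if the message is sent." line for Broker::publish is ambiguous: it does not say whether true means the event was accepted for transmission on the topic or actually delivered to a peer, and a script that treats it as delivery confirmation will make wrong assumptions when no peer is subscribed. Suggest wording such as "true if the message was accepted for publishing; delivery to peers is not confirmed" (or whatever the implementation guarantees). The same hunk leaves Broker::__flush_logs, __forward, __publish_id, __subscribe and __unsubscribe without any description, which is consistent with the other internal functions in this commit but worth a one-liner each since __forward and __subscribe take a topic_prefix whose matching semantics are not obvious.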

View file

@ -0,0 +1,90 @@
:tocdepth: 3
base/bif/mmdb.bif.zeek
======================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Functions
#########
========================================================== ================================================================
:zeek:id:`lookup_autonomous_system`: :zeek:type:`function` Performs an lookup of AS number & organization of an IP address.
:zeek:id:`lookup_location`: :zeek:type:`function` Performs a geo-lookup of an IP address.
:zeek:id:`mmdb_open_asn_db`: :zeek:type:`function` Initializes MMDB for later use of lookup_autonomous_system.
:zeek:id:`mmdb_open_location_db`: :zeek:type:`function` Initializes MMDB for later use of lookup_location.
========================================================== ================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. zeek:id:: lookup_autonomous_system
:source-code: base/bif/mmdb.bif.zeek 47 47
:Type: :zeek:type:`function` (a: :zeek:type:`addr`) : :zeek:type:`geo_autonomous_system`
Performs an lookup of AS number & organization of an IP address.
Requires Zeek to be built with ``libmaxminddb``.
:param a: The IP address to lookup.
:returns: A record with autonomous system number and organization that contains *a*.
.. zeek:see:: lookup_location
.. zeek:id:: lookup_location
:source-code: base/bif/mmdb.bif.zeek 36 36
:Type: :zeek:type:`function` (a: :zeek:type:`addr`) : :zeek:type:`geo_location`
Performs a geo-lookup of an IP address.
Requires Zeek to be built with ``libmaxminddb``.
:param a: The IP address to lookup.
:returns: A record with country, region, city, latitude, and longitude.
.. zeek:see:: lookup_autonomous_system
.. zeek:id:: mmdb_open_asn_db
:source-code: base/bif/mmdb.bif.zeek 25 25
:Type: :zeek:type:`function` (f: :zeek:type:`string`) : :zeek:type:`bool`
Initializes MMDB for later use of lookup_autonomous_system.
Requires Zeek to be built with ``libmaxminddb``.
:param f: The filename of the MaxMind ASN DB.
:returns: A boolean indicating whether the db was successfully opened.
.. zeek:see:: lookup_autonomous_system
.. zeek:id:: mmdb_open_location_db
:source-code: base/bif/mmdb.bif.zeek 14 14
:Type: :zeek:type:`function` (f: :zeek:type:`string`) : :zeek:type:`bool`
Initializes MMDB for later use of lookup_location.
Requires Zeek to be built with ``libmaxminddb``.
:param f: The filename of the MaxMind City or Country DB.
:returns: A boolean indicating whether the db was successfully opened.
.. zeek:see:: lookup_autonomous_system
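Review bot: the see-also on the last line of this hunk, under mmdb_open_location_db, points at lookup_autonomous_system, but that function initializes the database for lookup_location, which is what it should cross-reference (mmdb_open_asn_db, just above, correctly points at lookup_autonomous_system). Separately, "Performs an lookup of AS number" appears in both the summary table and the detailed entry for lookup_autonomous_system and should read "Performs a lookup", and "The IP address to lookup" should be "to look up". Since this page is generated, all three fixes belong in the doc comments of the source .bif rather than in the copied output, or they will be lost on the next regeneration.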

View file

@ -0,0 +1,104 @@
:tocdepth: 3
base/bif/option.bif.zeek
========================
.. zeek:namespace:: GLOBAL
.. zeek:namespace:: Option
Definitions of built-in functions that allow the scripting layer to
change the value of options and to be notified when option values change.
:Namespaces: GLOBAL, Option
Summary
~~~~~~~
Functions
#########
============================================================ ================================================================
:zeek:id:`Option::any_set_to_any_vec`: :zeek:type:`function` Helper function that converts a set (of arbitrary index type) to
a "vector of any".
:zeek:id:`Option::set`: :zeek:type:`function` Set an option to a new value.
:zeek:id:`Option::set_change_handler`: :zeek:type:`function` Set a change handler for an option.
============================================================ ================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. zeek:id:: Option::any_set_to_any_vec
:source-code: base/bif/option.bif.zeek 65 65
:Type: :zeek:type:`function` (v: :zeek:type:`any`) : :zeek:type:`any_vec`
Helper function that converts a set (of arbitrary index type) to
a "vector of any".
:param v: an "any" type corresponding to a set.
:returns: a vector-of-any with one element for each member of v.
.. zeek:id:: Option::set
:source-code: base/bif/option.bif.zeek 29 29
:Type: :zeek:type:`function` (ID: :zeek:type:`string`, val: :zeek:type:`any`, location: :zeek:type:`string` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`) : :zeek:type:`bool`
Set an option to a new value. This change will also cause the option change
handlers to be called.
:param ID: The ID of the option to update.
:param val: The new value of the option.
:param location: Optional parameter detailing where this change originated from.
:returns: true on success, false when an error occurred.
.. zeek:see:: Option::set_change_handler Config::set_value
.. note:: :zeek:id:`Option::set` only works on one node and does not distribute
new values across a cluster. The higher-level :zeek:id:`Config::set_value`
supports clusterization and should typically be used instead of this
lower-level function.
.. zeek:id:: Option::set_change_handler
:source-code: base/bif/option.bif.zeek 56 56
:Type: :zeek:type:`function` (ID: :zeek:type:`string`, on_change: :zeek:type:`any`, priority: :zeek:type:`int` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`) : :zeek:type:`bool`
Set a change handler for an option. The change handler will be
called anytime :zeek:id:`Option::set` is called for the option.
:param ID: The ID of the option for which change notifications are desired.
:param on_change: The function that will be called when a change occurs. The
function can choose to receive two or three parameters: the first
parameter is a string containing *ID*, the second parameter is
the new option value. The third, optional, parameter is the
location string as passed to Option::set. Note that the global
value is not yet changed when the function is called. The passed
function has to return the new value that it wants the option to
be set to. This enables it to reject changes, or change values
that are being set. When several change handlers are set for an
option they are chained; the second change handler will see the
return value of the first change handler as the "new value".
:param priority: The priority of the function that was added; functions with higher
priority are called first, functions with the same priority are
called in the order in which they were added.
:returns: true when the change handler was set, false when an error occurred.
.. zeek:see:: Option::set

View file

@ -0,0 +1,96 @@
:tocdepth: 3
base/bif/packet_analysis.bif.zeek
=================================
.. zeek:namespace:: GLOBAL
.. zeek:namespace:: PacketAnalyzer
:Namespaces: GLOBAL, PacketAnalyzer
Summary
~~~~~~~
Functions
#########
====================================================================================== ================================================================================================================
:zeek:id:`PacketAnalyzer::__disable_analyzer`: :zeek:type:`function` Internal function to disable a packet analyzer.
:zeek:id:`PacketAnalyzer::__enable_analyzer`: :zeek:type:`function` Internal function to enable a packet analyzer.
:zeek:id:`PacketAnalyzer::__set_ignore_checksums_nets`: :zeek:type:`function` Internal function that is used to update the core-mirror of the script-level ``ignore_checksums_nets`` variable.
:zeek:id:`PacketAnalyzer::register_packet_analyzer`: :zeek:type:`function` Add an entry to parent's dispatcher that maps a protocol/index to a next-stage child analyzer.
:zeek:id:`PacketAnalyzer::register_protocol_detection`: :zeek:type:`function` Registers a child analyzer with a parent analyzer to perform packet detection when determining whether
to forward from parent to child.
:zeek:id:`PacketAnalyzer::try_register_packet_analyzer_by_name`: :zeek:type:`function` Attempts to add an entry to ``parent``'s dispatcher that maps a protocol/index to a next-stage ``child``
analyzer.
====================================================================================== ================================================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. zeek:id:: PacketAnalyzer::__disable_analyzer
:source-code: base/bif/packet_analysis.bif.zeek 41 41
:Type: :zeek:type:`function` (id: :zeek:type:`PacketAnalyzer::Tag`) : :zeek:type:`bool`
Internal function to disable a packet analyzer.
.. zeek:id:: PacketAnalyzer::__enable_analyzer
:source-code: base/bif/packet_analysis.bif.zeek 45 45
:Type: :zeek:type:`function` (id: :zeek:type:`PacketAnalyzer::Tag`) : :zeek:type:`bool`
Internal function to enable a packet analyzer.
.. zeek:id:: PacketAnalyzer::__set_ignore_checksums_nets
:source-code: base/bif/packet_analysis.bif.zeek 29 29
:Type: :zeek:type:`function` (v: :zeek:type:`subnet_set`) : :zeek:type:`bool`
Internal function that is used to update the core-mirror of the script-level ``ignore_checksums_nets`` variable.
.. zeek:id:: PacketAnalyzer::register_packet_analyzer
:source-code: base/bif/packet_analysis.bif.zeek 15 15
:Type: :zeek:type:`function` (parent: :zeek:type:`PacketAnalyzer::Tag`, identifier: :zeek:type:`count`, child: :zeek:type:`PacketAnalyzer::Tag`) : :zeek:type:`bool`
Add an entry to parent's dispatcher that maps a protocol/index to a next-stage child analyzer.
:param parent: The parent analyzer being modified
:param identifier: The identifier for the protocol being registered
:param child: The analyzer that will be called for the identifier
.. zeek:id:: PacketAnalyzer::register_protocol_detection
:source-code: base/bif/packet_analysis.bif.zeek 37 37
:Type: :zeek:type:`function` (parent: :zeek:type:`PacketAnalyzer::Tag`, child: :zeek:type:`PacketAnalyzer::Tag`) : :zeek:type:`bool`
Registers a child analyzer with a parent analyzer to perform packet detection when determining whether
to forward from parent to child.
:param parent: The parent analyzer being modified
:param child: The analyzer that will use protocol detection
.. zeek:id:: PacketAnalyzer::try_register_packet_analyzer_by_name
:source-code: base/bif/packet_analysis.bif.zeek 25 25
:Type: :zeek:type:`function` (parent: :zeek:type:`string`, identifier: :zeek:type:`count`, child: :zeek:type:`string`) : :zeek:type:`bool`
Attempts to add an entry to ``parent``'s dispatcher that maps a protocol/index to a next-stage ``child``
analyzer. This may fail if either of the two names does not respond to a known analyzer.
:param parent: The parent analyzer being modified
:param identifier: The identifier for the protocol being registered
:param child: The analyzer that will be called for the identifier
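Review bot: "This may fail if either of the two names does not respond to a known analyzer" in the try_register_packet_analyzer_by_name entry should read "does not correspond to a known analyzer". In the same hunk, register_packet_analyzer, register_protocol_detection and try_register_packet_analyzer_by_name are all typed as returning bool but none documents a :returns: line; given that the "try_" variant exists precisely because registration can fail, each entry should state what false means (unknown parent or child tag, identifier already mapped, etc.) so callers know which failures they must check for.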

View file

@ -0,0 +1,149 @@
:tocdepth: 3
base/bif/pcap.bif.zeek
======================
.. zeek:namespace:: GLOBAL
.. zeek:namespace:: Pcap
:Namespaces: GLOBAL, Pcap
Summary
~~~~~~~
Functions
#########
=============================================================== ======================================================================
:zeek:id:`Pcap::error`: :zeek:type:`function` Returns a string representation of the last PCAP error.
:zeek:id:`Pcap::findalldevs`: :zeek:type:`function`
:zeek:id:`Pcap::get_filter_state`: :zeek:type:`function` Returns the initialization state of a PCAP filter, or OK if the either
there's no active packet source or the pcap filter ID does not exist.
:zeek:id:`Pcap::get_filter_state_string`: :zeek:type:`function` Returns a string containing any error messages that were reported by
filter initialization.
:zeek:id:`Pcap::install_pcap_filter`: :zeek:type:`function` Installs a PCAP filter that has been precompiled with
:zeek:id:`Pcap::precompile_pcap_filter`.
:zeek:id:`Pcap::precompile_pcap_filter`: :zeek:type:`function` Precompiles a PCAP filter and binds it to a given identifier.
=============================================================== ======================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. zeek:id:: Pcap::error
:source-code: base/bif/pcap.bif.zeek 71 71
:Type: :zeek:type:`function` () : :zeek:type:`string`
Returns a string representation of the last PCAP error.
:returns: A descriptive error message of the PCAP function that failed.
.. zeek:see:: Pcap::precompile_pcap_filter
Pcap::install_pcap_filter
install_src_addr_filter
install_src_net_filter
uninstall_src_addr_filter
uninstall_src_net_filter
install_dst_addr_filter
install_dst_net_filter
uninstall_dst_addr_filter
uninstall_dst_net_filter
.. zeek:id:: Pcap::findalldevs
:source-code: base/bif/pcap.bif.zeek 101 101
:Type: :zeek:type:`function` () : :zeek:type:`Pcap::Interfaces`
.. zeek:id:: Pcap::get_filter_state
:source-code: base/bif/pcap.bif.zeek 84 84
:Type: :zeek:type:`function` (id: :zeek:type:`PcapFilterID`) : :zeek:type:`Pcap::filter_state`
Returns the initialization state of a PCAP filter, or OK if the either
there's no active packet source or the pcap filter ID does not exist.
:param id: The PCAP filter id of a precompiled filter.
:returns: A state value denoting whether any warnings or errors were
encountered while initializing the filter.
.. zeek:see:: Pcap::precompile_pcap_filter
Pcap::install_pcap_filter
.. zeek:id:: Pcap::get_filter_state_string
:source-code: base/bif/pcap.bif.zeek 98 98
:Type: :zeek:type:`function` (id: :zeek:type:`PcapFilterID`) : :zeek:type:`string`
Returns a string containing any error messages that were reported by
filter initialization.
:param id: The PCAP filter id of a precompiled filter.
:returns: Warning/error strings from the initialization process, a blank
string if none were encountered, or '<unknown>' if either there
is no active packet source or the filter ID doesn't exist.
.. zeek:see:: Pcap::precompile_pcap_filter
Pcap::install_pcap_filter
.. zeek:id:: Pcap::install_pcap_filter
:source-code: base/bif/pcap.bif.zeek 54 54
:Type: :zeek:type:`function` (id: :zeek:type:`PcapFilterID`) : :zeek:type:`bool`
Installs a PCAP filter that has been precompiled with
:zeek:id:`Pcap::precompile_pcap_filter`.
:param id: The PCAP filter id of a precompiled filter.
:returns: True if the filter associated with *id* has been installed
successfully.
.. zeek:see:: Pcap::precompile_pcap_filter
install_src_addr_filter
install_src_net_filter
uninstall_src_addr_filter
uninstall_src_net_filter
install_dst_addr_filter
install_dst_net_filter
uninstall_dst_addr_filter
uninstall_dst_net_filter
Pcap::error
.. zeek:id:: Pcap::precompile_pcap_filter
:source-code: base/bif/pcap.bif.zeek 33 33
:Type: :zeek:type:`function` (id: :zeek:type:`PcapFilterID`, s: :zeek:type:`string`) : :zeek:type:`bool`
Precompiles a PCAP filter and binds it to a given identifier.
:param id: The PCAP identifier to reference the filter *s* later on.
:param s: The PCAP filter. See ``man tcpdump`` for valid expressions.
:returns: True if *s* is valid and precompiles successfully.
.. zeek:see:: Pcap::install_pcap_filter
install_src_addr_filter
install_src_net_filter
uninstall_src_addr_filter
uninstall_src_net_filter
install_dst_addr_filter
install_dst_net_filter
uninstall_dst_addr_filter
uninstall_dst_net_filter
Pcap::error
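Review bot: Pcap::findalldevs has an empty description in the summary table and no text at all in its detailed entry; a single line saying what the returned Pcap::Interfaces value contains would be enough. Also, "or OK if the either there's no active packet source" in the Pcap::get_filter_state summary and detailed entry should read "or OK if either there is no active packet source"; note that this means a missing filter id is reported as OK rather than as an error, which is surprising enough that it may deserve a sentence pointing readers to Pcap::get_filter_state_string, whose '<unknown>' return is the only way to distinguish the two cases.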

View file

@ -0,0 +1,16 @@
:tocdepth: 3
base/bif/plugins/Zeek_AF_Packet.af_packet.bif.zeek
==================================================
.. zeek:namespace:: AF_Packet
.. zeek:namespace:: GLOBAL
:Namespaces: AF_Packet, GLOBAL
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~
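Review bot: this page declares the AF_Packet and GLOBAL namespaces but exports no identifiers, so its Summary and Detailed Interface headings are empty; the AsciiReader, AsciiWriter, BenchmarkReader and BinaryReader pages that follow in this commit have the same shape. If the generator cannot skip identifier-less .bif files, consider excluding these shells from the toctree so the rendered docs do not present empty sections.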

View file

@ -0,0 +1,116 @@
:tocdepth: 3
base/bif/plugins/Zeek_ARP.events.bif.zeek
=========================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
========================================== =====================================================
:zeek:id:`arp_reply`: :zeek:type:`event` Generated for ARP replies.
:zeek:id:`arp_request`: :zeek:type:`event` Generated for ARP requests.
:zeek:id:`bad_arp`: :zeek:type:`event` Generated for ARP packets that Zeek cannot interpret.
========================================== =====================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: arp_reply
:source-code: base/bif/plugins/Zeek_ARP.events.bif.zeek 43 43
:Type: :zeek:type:`event` (mac_src: :zeek:type:`string`, mac_dst: :zeek:type:`string`, SPA: :zeek:type:`addr`, SHA: :zeek:type:`string`, TPA: :zeek:type:`addr`, THA: :zeek:type:`string`)
Generated for ARP replies.
See `Wikipedia <http://en.wikipedia.org/wiki/Address_Resolution_Protocol>`__
for more information about the ARP protocol.
:param mac_src: The reply's source MAC address.
:param mac_dst: The reply's destination MAC address.
:param SPA: The sender protocol address.
:param SHA: The sender hardware address.
:param TPA: The target protocol address.
:param THA: The target hardware address.
.. zeek:see:: arp_request bad_arp
.. zeek:id:: arp_request
:source-code: base/bif/plugins/Zeek_ARP.events.bif.zeek 22 22
:Type: :zeek:type:`event` (mac_src: :zeek:type:`string`, mac_dst: :zeek:type:`string`, SPA: :zeek:type:`addr`, SHA: :zeek:type:`string`, TPA: :zeek:type:`addr`, THA: :zeek:type:`string`)
Generated for ARP requests.
See `Wikipedia <http://en.wikipedia.org/wiki/Address_Resolution_Protocol>`__
for more information about the ARP protocol.
:param mac_src: The request's source MAC address.
:param mac_dst: The request's destination MAC address.
:param SPA: The sender protocol address.
:param SHA: The sender hardware address.
:param TPA: The target protocol address.
:param THA: The target hardware address.
.. zeek:see:: arp_reply bad_arp
.. zeek:id:: bad_arp
:source-code: base/bif/plugins/Zeek_ARP.events.bif.zeek 66 66
:Type: :zeek:type:`event` (SPA: :zeek:type:`addr`, SHA: :zeek:type:`string`, TPA: :zeek:type:`addr`, THA: :zeek:type:`string`, explanation: :zeek:type:`string`)
Generated for ARP packets that Zeek cannot interpret. Examples are packets
with non-standard hardware address formats or hardware addresses that do not
match the originator of the packet.
:param SPA: The sender protocol address.
:param SHA: The sender hardware address.
:param TPA: The target protocol address.
:param THA: The target hardware address.
:param explanation: A short description of why the ARP packet is considered "bad".
.. zeek:see:: arp_reply arp_request
.. todo:: Zeek's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported. To still enable this event, one needs to
register a port for it or add a DPD payload signature.
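Review bot: the todo under bad_arp says the analyzer that generates this event is not activated by default and that enabling it requires registering a port or adding a DPD payload signature, but ARP carries no ports and none of the three events in this file take a connection, so that advice cannot be followed as written; it looks like boilerplate inherited from the transport-level analyzers and should be checked against how the ARP packet analyzer is actually enabled before the docs are frozen in this repo. Minor: the two Wikipedia links use http:// and could be switched to https://.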

View file

@ -0,0 +1,16 @@
:tocdepth: 3
base/bif/plugins/Zeek_AsciiReader.ascii.bif.zeek
================================================
.. zeek:namespace:: GLOBAL
.. zeek:namespace:: InputAscii
:Namespaces: GLOBAL, InputAscii
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

View file

@ -0,0 +1,16 @@
:tocdepth: 3
base/bif/plugins/Zeek_AsciiWriter.ascii.bif.zeek
================================================
.. zeek:namespace:: GLOBAL
.. zeek:namespace:: LogAscii
:Namespaces: GLOBAL, LogAscii
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

View file

@ -0,0 +1,16 @@
:tocdepth: 3
base/bif/plugins/Zeek_BenchmarkReader.benchmark.bif.zeek
========================================================
.. zeek:namespace:: GLOBAL
.. zeek:namespace:: InputBenchmark
:Namespaces: GLOBAL, InputBenchmark
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

View file

@ -0,0 +1,16 @@
:tocdepth: 3
base/bif/plugins/Zeek_BinaryReader.binary.bif.zeek
==================================================
.. zeek:namespace:: GLOBAL
.. zeek:namespace:: InputBinary
:Namespaces: GLOBAL, InputBinary
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

View file

@ -0,0 +1,328 @@
:tocdepth: 3
base/bif/plugins/Zeek_BitTorrent.events.bif.zeek
================================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
============================================================= =====
:zeek:id:`bittorrent_peer_bitfield`: :zeek:type:`event` TODO.
:zeek:id:`bittorrent_peer_cancel`: :zeek:type:`event` TODO.
:zeek:id:`bittorrent_peer_choke`: :zeek:type:`event` TODO.
:zeek:id:`bittorrent_peer_handshake`: :zeek:type:`event` TODO.
:zeek:id:`bittorrent_peer_have`: :zeek:type:`event` TODO.
:zeek:id:`bittorrent_peer_interested`: :zeek:type:`event` TODO.
:zeek:id:`bittorrent_peer_keep_alive`: :zeek:type:`event` TODO.
:zeek:id:`bittorrent_peer_not_interested`: :zeek:type:`event` TODO.
:zeek:id:`bittorrent_peer_piece`: :zeek:type:`event` TODO.
:zeek:id:`bittorrent_peer_port`: :zeek:type:`event` TODO.
:zeek:id:`bittorrent_peer_request`: :zeek:type:`event` TODO.
:zeek:id:`bittorrent_peer_unchoke`: :zeek:type:`event` TODO.
:zeek:id:`bittorrent_peer_unknown`: :zeek:type:`event` TODO.
:zeek:id:`bittorrent_peer_weird`: :zeek:type:`event` TODO.
:zeek:id:`bt_tracker_request`: :zeek:type:`event` TODO.
:zeek:id:`bt_tracker_response`: :zeek:type:`event` TODO.
:zeek:id:`bt_tracker_response_not_ok`: :zeek:type:`event` TODO.
:zeek:id:`bt_tracker_weird`: :zeek:type:`event` TODO.
============================================================= =====
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: bittorrent_peer_bitfield
:source-code: base/bif/plugins/Zeek_BitTorrent.events.bif.zeek 105 105
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, bitfield: :zeek:type:`string`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
more information about the BitTorrent protocol.
.. zeek:see:: bittorrent_peer_cancel bittorrent_peer_choke bittorrent_peer_handshake
bittorrent_peer_have bittorrent_peer_interested bittorrent_peer_keep_alive
bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port
bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
bittorrent_peer_weird
.. zeek:id:: bittorrent_peer_cancel
:source-code: base/bif/plugins/Zeek_BitTorrent.events.bif.zeek 144 144
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, index: :zeek:type:`count`, begin: :zeek:type:`count`, length: :zeek:type:`count`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
more information about the BitTorrent protocol.
.. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_choke
bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
bittorrent_peer_unknown bittorrent_peer_weird
.. zeek:id:: bittorrent_peer_choke
:source-code: base/bif/plugins/Zeek_BitTorrent.events.bif.zeek 40 40
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
more information about the BitTorrent protocol.
.. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel
bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
bittorrent_peer_unknown bittorrent_peer_weird
.. zeek:id:: bittorrent_peer_handshake
:source-code: base/bif/plugins/Zeek_BitTorrent.events.bif.zeek 14 14
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, reserved: :zeek:type:`string`, info_hash: :zeek:type:`string`, peer_id: :zeek:type:`string`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
more information about the BitTorrent protocol.
.. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
bittorrent_peer_have bittorrent_peer_interested bittorrent_peer_keep_alive
bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port
bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
bittorrent_peer_weird
.. zeek:id:: bittorrent_peer_have
:source-code: base/bif/plugins/Zeek_BitTorrent.events.bif.zeek 92 92
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, piece_index: :zeek:type:`count`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
more information about the BitTorrent protocol.
.. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
bittorrent_peer_handshake bittorrent_peer_interested bittorrent_peer_keep_alive
bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port
bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
bittorrent_peer_weird
.. zeek:id:: bittorrent_peer_interested
:source-code: base/bif/plugins/Zeek_BitTorrent.events.bif.zeek 66 66
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
more information about the BitTorrent protocol.
.. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_keep_alive
bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port
bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
bittorrent_peer_weird
.. zeek:id:: bittorrent_peer_keep_alive
:source-code: base/bif/plugins/Zeek_BitTorrent.events.bif.zeek 27 27
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
more information about the BitTorrent protocol.
.. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port
bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
bittorrent_peer_weird
.. zeek:id:: bittorrent_peer_not_interested
:source-code: base/bif/plugins/Zeek_BitTorrent.events.bif.zeek 79 79
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
more information about the BitTorrent protocol.
.. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
bittorrent_peer_keep_alive bittorrent_peer_piece bittorrent_peer_port
bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
bittorrent_peer_weird
.. zeek:id:: bittorrent_peer_piece
:source-code: base/bif/plugins/Zeek_BitTorrent.events.bif.zeek 131 131
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, index: :zeek:type:`count`, begin: :zeek:type:`count`, piece_length: :zeek:type:`count`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
more information about the BitTorrent protocol.
.. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_port
bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
bittorrent_peer_weird
.. zeek:id:: bittorrent_peer_port
:source-code: base/bif/plugins/Zeek_BitTorrent.events.bif.zeek 157 157
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, listen_port: :zeek:type:`port`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
more information about the BitTorrent protocol.
.. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
bittorrent_peer_weird
.. zeek:id:: bittorrent_peer_request
:source-code: base/bif/plugins/Zeek_BitTorrent.events.bif.zeek 118 118
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, index: :zeek:type:`count`, begin: :zeek:type:`count`, length: :zeek:type:`count`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
more information about the BitTorrent protocol.
.. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
bittorrent_peer_port bittorrent_peer_unchoke bittorrent_peer_unknown
bittorrent_peer_weird
.. zeek:id:: bittorrent_peer_unchoke
:source-code: base/bif/plugins/Zeek_BitTorrent.events.bif.zeek 53 53
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
more information about the BitTorrent protocol.
.. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
bittorrent_peer_port bittorrent_peer_request
bittorrent_peer_unknown bittorrent_peer_weird
.. zeek:id:: bittorrent_peer_unknown
:source-code: base/bif/plugins/Zeek_BitTorrent.events.bif.zeek 170 170
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, message_id: :zeek:type:`count`, data: :zeek:type:`string`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
more information about the BitTorrent protocol.
.. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
bittorrent_peer_weird
.. zeek:id:: bittorrent_peer_weird
:source-code: base/bif/plugins/Zeek_BitTorrent.events.bif.zeek 183 183
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, msg: :zeek:type:`string`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
more information about the BitTorrent protocol.
.. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
bittorrent_peer_unknown
.. zeek:id:: bt_tracker_request
:source-code: base/bif/plugins/Zeek_BitTorrent.events.bif.zeek 196 196
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, uri: :zeek:type:`string`, headers: :zeek:type:`bt_tracker_headers`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
more information about the BitTorrent protocol.
.. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
bittorrent_peer_unknown bittorrent_peer_weird
.. zeek:id:: bt_tracker_response
:source-code: base/bif/plugins/Zeek_BitTorrent.events.bif.zeek 209 209
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, status: :zeek:type:`count`, headers: :zeek:type:`bt_tracker_headers`, peers: :zeek:type:`bittorrent_peer_set`, benc: :zeek:type:`bittorrent_benc_dir`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
more information about the BitTorrent protocol.
.. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
bittorrent_peer_unknown bittorrent_peer_weird
.. zeek:id:: bt_tracker_response_not_ok
:source-code: base/bif/plugins/Zeek_BitTorrent.events.bif.zeek 222 222
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, status: :zeek:type:`count`, headers: :zeek:type:`bt_tracker_headers`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
more information about the BitTorrent protocol.
.. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
bittorrent_peer_unknown bittorrent_peer_weird
.. zeek:id:: bt_tracker_weird
:source-code: base/bif/plugins/Zeek_BitTorrent.events.bif.zeek 235 235
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, msg: :zeek:type:`string`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
more information about the BitTorrent protocol.
.. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
bittorrent_peer_unknown bittorrent_peer_weird


@ -0,0 +1,29 @@
:tocdepth: 3
base/bif/plugins/Zeek_Cluster_Backend_ZeroMQ.cluster_backend_zeromq.bif.zeek
============================================================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Functions
#########
================================================================================== =
:zeek:id:`Cluster::Backend::ZeroMQ::spawn_zmq_proxy_thread`: :zeek:type:`function`
================================================================================== =
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. zeek:id:: Cluster::Backend::ZeroMQ::spawn_zmq_proxy_thread
:source-code: base/bif/plugins/Zeek_Cluster_Backend_ZeroMQ.cluster_backend_zeromq.bif.zeek 6 6
:Type: :zeek:type:`function` () : :zeek:type:`bool`


@ -0,0 +1,54 @@
:tocdepth: 3
base/bif/plugins/Zeek_Cluster_WebSocket.events.bif.zeek
=======================================================
.. zeek:namespace:: Cluster
.. zeek:namespace:: GLOBAL
:Namespaces: Cluster, GLOBAL
Summary
~~~~~~~
Events
######
============================================================== ====================================================
:zeek:id:`Cluster::websocket_client_added`: :zeek:type:`event` Generated when a new WebSocket client has connected.
:zeek:id:`Cluster::websocket_client_lost`: :zeek:type:`event` Generated when a WebSocket client was lost.
============================================================== ====================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: Cluster::websocket_client_added
:source-code: base/frameworks/cluster/main.zeek 700 705
:Type: :zeek:type:`event` (endpoint: :zeek:type:`Cluster::EndpointInfo`, subscriptions: :zeek:type:`string_vec`)
Generated when a new WebSocket client has connected.
:param endpoint: Various information about the WebSocket client.
:param subscriptions: The WebSocket client's subscriptions as provided in the handshake.
.. zeek:id:: Cluster::websocket_client_lost
:source-code: base/frameworks/cluster/main.zeek 707 713
:Type: :zeek:type:`event` (endpoint: :zeek:type:`Cluster::EndpointInfo`, code: :zeek:type:`count`, reason: :zeek:type:`string`)
Generated when a WebSocket client was lost.
:param endpoint: Various information about the WebSocket client.
:param code: The code sent by the client in its CLOSE frame, or a code generated
internally if the server disconnected the client.
:param reason: The reason sent by the client in its CLOSE frame, or a reason generated
internally if the server disconnected the client.


@ -0,0 +1,16 @@
:tocdepth: 3
base/bif/plugins/Zeek_ConfigReader.config.bif.zeek
==================================================
.. zeek:namespace:: GLOBAL
.. zeek:namespace:: InputConfig
:Namespaces: GLOBAL, InputConfig
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~


@ -0,0 +1,112 @@
:tocdepth: 3
base/bif/plugins/Zeek_ConnSize.events.bif.zeek
==============================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
==================================================================== =============================================================================================================
:zeek:id:`conn_bytes_threshold_crossed`: :zeek:type:`event` Generated for a connection that crossed a set byte threshold.
:zeek:id:`conn_duration_threshold_crossed`: :zeek:type:`event` Generated for a connection that crossed a set duration threshold.
:zeek:id:`conn_generic_packet_threshold_crossed`: :zeek:type:`event` Generated for any IP-based session once :zeek:id:`ConnThreshold::generic_packet_thresholds` packets have been
observed.
:zeek:id:`conn_packets_threshold_crossed`: :zeek:type:`event` Generated for a connection that crossed a set packet threshold.
==================================================================== =============================================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: conn_bytes_threshold_crossed
:source-code: base/protocols/conn/thresholds.zeek 320 337
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, threshold: :zeek:type:`count`, is_orig: :zeek:type:`bool`)
Generated for a connection that crossed a set byte threshold. Note that this
is a low-level event that user code should usually avoid; use
:zeek:see:`ConnThreshold::bytes_threshold_crossed` instead.
:param c: the connection
:param threshold: the threshold that was set
:param is_orig: true if the threshold was crossed by the originator of the connection
.. zeek:see:: set_current_conn_packets_threshold set_current_conn_bytes_threshold conn_packets_threshold_crossed
get_current_conn_bytes_threshold get_current_conn_packets_threshold conn_duration_threshold_crossed
set_current_conn_duration_threshold get_current_conn_duration_threshold
.. zeek:id:: conn_duration_threshold_crossed
:source-code: base/protocols/conn/thresholds.zeek 358 370
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, threshold: :zeek:type:`interval`, is_orig: :zeek:type:`bool`)
Generated for a connection that crossed a set duration threshold. Note that this
is a low-level event that user code should usually avoid; use
:zeek:see:`ConnThreshold::duration_threshold_crossed` instead.
Note that this event is not raised at the exact moment that a duration threshold is crossed; instead
it is raised when the next packet is seen after the threshold has been crossed. On a connection that is
idle, this can be raised significantly later.
:param c: the connection
:param threshold: the threshold that was set
:param is_orig: true if the threshold was crossed by the originator of the connection
.. zeek:see:: set_current_conn_packets_threshold set_current_conn_bytes_threshold conn_bytes_threshold_crossed
get_current_conn_bytes_threshold get_current_conn_packets_threshold
set_current_conn_duration_threshold get_current_conn_duration_threshold
.. zeek:id:: conn_generic_packet_threshold_crossed
:source-code: base/bif/plugins/Zeek_ConnSize.events.bif.zeek 63 63
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, threshold: :zeek:type:`count`)
Generated for any IP-based session once :zeek:id:`ConnThreshold::generic_packet_thresholds` packets have been
observed. Traffic from a single endpoint is sufficient to trigger the event. This makes it possible to handle new
connections while ignoring short interactions, such as scans consisting of only a few packets.
:param c: the connection.
:param threshold: the threshold that was set
.. zeek:id:: conn_packets_threshold_crossed
:source-code: base/protocols/conn/thresholds.zeek 339 356
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, threshold: :zeek:type:`count`, is_orig: :zeek:type:`bool`)
Generated for a connection that crossed a set packet threshold. Note that this
is a low-level event that user code should usually avoid; use
:zeek:see:`ConnThreshold::packets_threshold_crossed` instead.
:param c: the connection
:param threshold: the threshold that was set
:param is_orig: true if the threshold was crossed by the originator of the connection
.. zeek:see:: set_current_conn_packets_threshold set_current_conn_bytes_threshold conn_bytes_threshold_crossed
get_current_conn_bytes_threshold get_current_conn_packets_threshold conn_duration_threshold_crossed
set_current_conn_duration_threshold get_current_conn_duration_threshold


@ -0,0 +1,147 @@
:tocdepth: 3
base/bif/plugins/Zeek_ConnSize.functions.bif.zeek
=================================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Functions
#########
===================================================================== ===================================================================================
:zeek:id:`get_current_conn_bytes_threshold`: :zeek:type:`function`
:zeek:id:`get_current_conn_duration_threshold`: :zeek:type:`function` Gets the current duration threshold size for a connection.
:zeek:id:`get_current_conn_packets_threshold`: :zeek:type:`function` Gets the current packet threshold size for a connection.
:zeek:id:`set_current_conn_bytes_threshold`: :zeek:type:`function` Sets the current byte threshold for connection sizes, overwriting any potential old
threshold.
:zeek:id:`set_current_conn_duration_threshold`: :zeek:type:`function` Sets the current duration threshold for connection, overwriting any potential old
threshold.
:zeek:id:`set_current_conn_packets_threshold`: :zeek:type:`function` Sets a threshold for connection packets, overwriting any potential old thresholds.
===================================================================== ===================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. zeek:id:: get_current_conn_bytes_threshold
:source-code: base/bif/plugins/Zeek_ConnSize.functions.bif.zeek 63 63
:Type: :zeek:type:`function` (cid: :zeek:type:`conn_id`, is_orig: :zeek:type:`bool`) : :zeek:type:`count`
:param cid: The connection id.
:param is_orig: If true, threshold of originator, otherwise threshold of responder.
:returns: The threshold in bytes, or 0 if no threshold is set.
.. zeek:see:: set_current_conn_packets_threshold conn_bytes_threshold_crossed conn_packets_threshold_crossed
get_current_conn_packets_threshold set_current_conn_duration_threshold
get_current_conn_duration_threshold
.. zeek:id:: get_current_conn_duration_threshold
:source-code: base/bif/plugins/Zeek_ConnSize.functions.bif.zeek 87 87
:Type: :zeek:type:`function` (cid: :zeek:type:`conn_id`) : :zeek:type:`interval`
Gets the current duration threshold for a connection.
:param cid: The connection id.
:returns: The threshold in seconds, or 0 if no threshold is set.
.. zeek:see:: set_current_conn_packets_threshold conn_bytes_threshold_crossed conn_packets_threshold_crossed
get_current_conn_packets_threshold set_current_conn_duration_threshold
.. zeek:id:: get_current_conn_packets_threshold
:source-code: base/bif/plugins/Zeek_ConnSize.functions.bif.zeek 76 76
:Type: :zeek:type:`function` (cid: :zeek:type:`conn_id`, is_orig: :zeek:type:`bool`) : :zeek:type:`count`
Gets the current packet threshold size for a connection.
:param cid: The connection id.
:param is_orig: If true, threshold of originator, otherwise threshold of responder.
:returns: The threshold in packets, or 0 if no threshold is set.
.. zeek:see:: set_current_conn_packets_threshold conn_bytes_threshold_crossed conn_packets_threshold_crossed
get_current_conn_bytes_threshold set_current_conn_duration_threshold get_current_conn_duration_threshold
.. zeek:id:: set_current_conn_bytes_threshold
:source-code: base/bif/plugins/Zeek_ConnSize.functions.bif.zeek 19 19
:Type: :zeek:type:`function` (cid: :zeek:type:`conn_id`, threshold: :zeek:type:`count`, is_orig: :zeek:type:`bool`) : :zeek:type:`bool`
Sets the current byte threshold for connection sizes, overwriting any existing
threshold. In nearly every case you will want to use the high-level API
instead (:zeek:see:`ConnThreshold::set_bytes_threshold`).
:param cid: The connection id.
:param threshold: Threshold in bytes.
:param is_orig: If true, threshold is set for bytes from originator, otherwise for bytes from responder.
.. zeek:see:: set_current_conn_packets_threshold conn_bytes_threshold_crossed conn_packets_threshold_crossed
get_current_conn_bytes_threshold get_current_conn_packets_threshold
set_current_conn_duration_threshold get_current_conn_duration_threshold
.. zeek:id:: set_current_conn_duration_threshold
:source-code: base/bif/plugins/Zeek_ConnSize.functions.bif.zeek 49 49
:Type: :zeek:type:`function` (cid: :zeek:type:`conn_id`, threshold: :zeek:type:`interval`) : :zeek:type:`bool`
Sets the current duration threshold for a connection, overwriting any existing
threshold. In nearly every case you will want to use the high-level API
instead (:zeek:see:`ConnThreshold::set_duration_threshold`).
:param cid: The connection id.
:param threshold: Threshold in seconds.
.. zeek:see:: set_current_conn_packets_threshold conn_bytes_threshold_crossed conn_packets_threshold_crossed
get_current_conn_bytes_threshold get_current_conn_packets_threshold
get_current_conn_duration_threshold
.. zeek:id:: set_current_conn_packets_threshold
:source-code: base/bif/plugins/Zeek_ConnSize.functions.bif.zeek 35 35
:Type: :zeek:type:`function` (cid: :zeek:type:`conn_id`, threshold: :zeek:type:`count`, is_orig: :zeek:type:`bool`) : :zeek:type:`bool`
Sets a threshold for connection packets, overwriting any existing threshold.
In nearly every case you will want to use the high-level API
instead (:zeek:see:`ConnThreshold::set_packets_threshold`).
:param cid: The connection id.
:param threshold: Threshold in packets.
:param is_orig: If true, threshold is set for packets from originator, otherwise for packets from responder.
.. zeek:see:: set_current_conn_bytes_threshold conn_bytes_threshold_crossed conn_packets_threshold_crossed
get_current_conn_bytes_threshold get_current_conn_packets_threshold
set_current_conn_duration_threshold get_current_conn_duration_threshold
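The ConnSize events and functions above both point at the ``ConnThreshold`` high-level API as the one to use; the following added example script (not part of the Zeek documentation or base scripts) arms byte and duration thresholds through that API and handles the resulting events. The argument types of ``ConnThreshold::set_bytes_threshold`` and ``ConnThreshold::set_duration_threshold`` are assumed to mirror the low-level BIFs documented here, and ``bytes_limit`` and ``duration_limit`` are constructed values.

```zeek
@load base/protocols/conn

# Added example; not part of the Zeek documentation or base scripts.
# The ConnThreshold::set_*_threshold functions and *_threshold_crossed events
# are the high-level API this page refers to; their argument types are
# assumed to mirror the low-level BIFs documented above.

module ThresholdExample;

export {
	## Report once an endpoint has sent this many bytes on one connection.
	## Constructed value for the example.
	const bytes_limit: count = 50 * 1024 * 1024 &redef;
	## Report once a connection has been alive this long. Constructed value.
	const duration_limit: interval = 1hr &redef;
}

event new_connection(c: connection)
	{
	# Byte and packet thresholds are per direction; watching the originator
	# is what matters for spotting unusually large outbound transfers.
	if ( ! ConnThreshold::set_bytes_threshold(c, bytes_limit, T) )
		Reporter::warning(fmt("could not arm byte threshold on %s", c$uid));

	# Duration thresholds are not directional.
	ConnThreshold::set_duration_threshold(c, duration_limit);
	}

event ConnThreshold::bytes_threshold_crossed(c: connection, threshold: count, is_orig: bool)
	{
	print fmt("%s %s:%s -> %s:%s %s crossed %d bytes", network_time(),
	          c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p,
	          is_orig ? "originator" : "responder", threshold);

	# Re-arm at double the size, so one large transfer produces a geometric
	# series of events rather than one event per chunk.
	ConnThreshold::set_bytes_threshold(c, threshold * 2, is_orig);
	}

event ConnThreshold::duration_threshold_crossed(c: connection, threshold: interval, is_orig: bool)
	{
	# As the docs note, this fires on the next packet after the threshold
	# elapsed, so c$duration can be well past `threshold` on an idle flow.
	print fmt("%s %s -> %s alive for %s (threshold %s)", network_time(),
	          c$id$orig_h, c$id$resp_h, c$duration, threshold);
	}
```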


@ -0,0 +1,15 @@
:tocdepth: 3
base/bif/plugins/Zeek_DCE_RPC.consts.bif.zeek
=============================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~


@ -0,0 +1,258 @@
:tocdepth: 3
base/bif/plugins/Zeek_DCE_RPC.events.bif.zeek
=============================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
========================================================= ==============================================================================================================================
:zeek:id:`dce_rpc_alter_context`: :zeek:type:`event` Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` alter context request message.
:zeek:id:`dce_rpc_alter_context_resp`: :zeek:type:`event` Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` alter context response message.
:zeek:id:`dce_rpc_bind`: :zeek:type:`event` Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` bind request message.
:zeek:id:`dce_rpc_bind_ack`: :zeek:type:`event` Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` bind request ack message.
:zeek:id:`dce_rpc_message`: :zeek:type:`event` Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` message.
:zeek:id:`dce_rpc_request`: :zeek:type:`event` Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` request message.
:zeek:id:`dce_rpc_request_stub`: :zeek:type:`event` Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` request message.
:zeek:id:`dce_rpc_response`: :zeek:type:`event` Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` response message.
:zeek:id:`dce_rpc_response_stub`: :zeek:type:`event` Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` response message.
========================================================= ==============================================================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: dce_rpc_alter_context
:source-code: base/protocols/dce-rpc/main.zeek 137 149
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, fid: :zeek:type:`count`, ctx_id: :zeek:type:`count`, uuid: :zeek:type:`string`, ver_major: :zeek:type:`count`, ver_minor: :zeek:type:`count`)
Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` alter context request message.
Since RPC offers the ability for a client to request connections to multiple endpoints, this event can occur
multiple times for a single RPC message.
:param c: The connection.
:param fid: File ID of the PIPE that carried the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
message. Zero will be used if the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` was
not transported over a pipe.
:param ctx_id: The context identifier of the data representation.
:param uuid: The UUID of the endpoint being requested, as a string.
:param ver_major: The major version of the endpoint being requested.
:param ver_minor: The minor version of the endpoint being requested.
.. zeek:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_request dce_rpc_response dce_rpc_alter_context_resp
.. zeek:id:: dce_rpc_alter_context_resp
:source-code: base/protocols/dce-rpc/main.zeek 162 165
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, fid: :zeek:type:`count`)
Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` alter context response message.
:param c: The connection.
:param fid: File ID of the PIPE that carried the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
message. Zero will be used if the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` was
not transported over a pipe.
.. zeek:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_request dce_rpc_response dce_rpc_alter_context
.. zeek:id:: dce_rpc_bind
:source-code: base/protocols/dce-rpc/main.zeek 123 135
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, fid: :zeek:type:`count`, ctx_id: :zeek:type:`count`, uuid: :zeek:type:`string`, ver_major: :zeek:type:`count`, ver_minor: :zeek:type:`count`)
Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` bind request message.
Since RPC offers the ability for a client to request connections to multiple endpoints, this event can occur
multiple times for a single RPC message.
:param c: The connection.
:param fid: File ID of the PIPE that carried the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
message. Zero will be used if the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` was
not transported over a pipe.
:param ctx_id: The context identifier of the data representation.
:param uuid: The UUID of the endpoint being requested, as a string.
:param ver_major: The major version of the endpoint being requested.
:param ver_minor: The minor version of the endpoint being requested.
.. zeek:see:: dce_rpc_message dce_rpc_bind_ack dce_rpc_request dce_rpc_response
.. zeek:id:: dce_rpc_bind_ack
:source-code: base/protocols/dce-rpc/main.zeek 151 160
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, fid: :zeek:type:`count`, sec_addr: :zeek:type:`string`)
Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` bind request ack message.
:param c: The connection.
:param fid: File ID of the PIPE that carried the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
message. Zero will be used if the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` was
not transported over a pipe.
:param sec_addr: Secondary address for the ack.
.. zeek:see:: dce_rpc_message dce_rpc_bind dce_rpc_request dce_rpc_response
.. zeek:id:: dce_rpc_message
:source-code: base/bif/plugins/Zeek_DCE_RPC.events.bif.zeek 19 19
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, fid: :zeek:type:`count`, ptype_id: :zeek:type:`count`, ptype: :zeek:type:`DCE_RPC::PType`)
Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` message.
:param c: The connection.
:param is_orig: True if the message was sent by the originator of the TCP connection.
:param fid: File ID of the PIPE that carried the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
message. Zero will be used if the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` was
not transported over a pipe.
:param ptype_id: Numeric representation of the procedure type of the message.
:param ptype: Enum representation of the procedure type of the message.
.. zeek:see:: dce_rpc_bind dce_rpc_bind_ack dce_rpc_request dce_rpc_response
.. zeek:id:: dce_rpc_request
:source-code: base/protocols/dce-rpc/main.zeek 167 175
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, fid: :zeek:type:`count`, ctx_id: :zeek:type:`count`, opnum: :zeek:type:`count`, stub_len: :zeek:type:`count`)
Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` request message.
:param c: The connection.
:param fid: File ID of the PIPE that carried the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
message. Zero will be used if the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` was
not transported over a pipe.
:param ctx_id: The context identifier of the data representation.
:param opnum: Number of the RPC operation.
:param stub_len: Length of the data for the request.
.. zeek:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_response dce_rpc_request_stub
.. zeek:id:: dce_rpc_request_stub
:source-code: base/bif/plugins/Zeek_DCE_RPC.events.bif.zeek 143 143
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, fid: :zeek:type:`count`, ctx_id: :zeek:type:`count`, opnum: :zeek:type:`count`, stub: :zeek:type:`string`)
Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` request message.
:param c: The connection.
:param fid: File ID of the PIPE that carried the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
message. Zero will be used if the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` was
not transported over a pipe.
:param ctx_id: The context identifier of the data representation.
:param opnum: Number of the RPC operation.
:param stub: The data for the request.
.. zeek:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_response_stub dce_rpc_request
.. zeek:id:: dce_rpc_response
:source-code: base/bif/plugins/Zeek_DCE_RPC.events.bif.zeek 125 125
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, fid: :zeek:type:`count`, ctx_id: :zeek:type:`count`, opnum: :zeek:type:`count`, stub_len: :zeek:type:`count`)
Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` response message.
:param c: The connection.
:param fid: File ID of the PIPE that carried the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
message. Zero will be used if the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` was
not transported over a pipe.
:param ctx_id: The context identifier of the data representation.
:param opnum: Number of the RPC operation.
:param stub_len: Length of the data for the response.
.. zeek:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_request dce_rpc_response_stub
.. zeek:id:: dce_rpc_response_stub
:source-code: base/bif/plugins/Zeek_DCE_RPC.events.bif.zeek 161 161
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, fid: :zeek:type:`count`, ctx_id: :zeek:type:`count`, opnum: :zeek:type:`count`, stub: :zeek:type:`string`)
Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` response message.
:param c: The connection.
:param fid: File ID of the PIPE that carried the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
message. Zero will be used if the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` was
not transported over a pipe.
:param ctx_id: The context identifier of the data representation.
:param opnum: Number of the RPC operation.
:param stub: The data for the response.
.. zeek:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_request_stub dce_rpc_response
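Review bot: the summaries of dce_rpc_request_stub and dce_rpc_response_stub are copied verbatim from dce_rpc_request and dce_rpc_response ("Generated for every DCE-RPC request message" / "Generated for every DCE-RPC response message"), so the rendered page never says how the two pairs differ; only the signatures reveal that the ``_stub`` variants deliver ``stub: string`` while the others carry ``stub_len: count``. Suggest a one-line differentiation, e.g. "Generated for every DCE-RPC request message, additionally carrying the stub data; see dce_rpc_request for the variant that only reports its length", and tightening ``:param stub:`` from "The data for the request" to "The stub payload of the request as an opaque byte string", so a script author knows this is the field to hand to a per-interface decoder rather than an already parsed structure. The same two fixes apply to dce_rpc_response_stub.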


@ -0,0 +1,107 @@
:tocdepth: 3
base/bif/plugins/Zeek_DCE_RPC.types.bif.zeek
============================================
.. zeek:namespace:: DCE_RPC
.. zeek:namespace:: GLOBAL
:Namespaces: DCE_RPC, GLOBAL
Summary
~~~~~~~
Types
#####
============================================== =
:zeek:type:`DCE_RPC::IfID`: :zeek:type:`enum`
:zeek:type:`DCE_RPC::PType`: :zeek:type:`enum`
============================================== =
Detailed Interface
~~~~~~~~~~~~~~~~~~
Types
#####
.. zeek:type:: DCE_RPC::IfID
:source-code: base/bif/plugins/Zeek_DCE_RPC.types.bif.zeek 33 33
:Type: :zeek:type:`enum`
.. zeek:enum:: DCE_RPC::unknown_if DCE_RPC::IfID
.. zeek:enum:: DCE_RPC::epmapper DCE_RPC::IfID
.. zeek:enum:: DCE_RPC::lsarpc DCE_RPC::IfID
.. zeek:enum:: DCE_RPC::lsa_ds DCE_RPC::IfID
.. zeek:enum:: DCE_RPC::mgmt DCE_RPC::IfID
.. zeek:enum:: DCE_RPC::netlogon DCE_RPC::IfID
.. zeek:enum:: DCE_RPC::samr DCE_RPC::IfID
.. zeek:enum:: DCE_RPC::srvsvc DCE_RPC::IfID
.. zeek:enum:: DCE_RPC::spoolss DCE_RPC::IfID
.. zeek:enum:: DCE_RPC::drs DCE_RPC::IfID
.. zeek:enum:: DCE_RPC::winspipe DCE_RPC::IfID
.. zeek:enum:: DCE_RPC::wkssvc DCE_RPC::IfID
.. zeek:enum:: DCE_RPC::oxid DCE_RPC::IfID
.. zeek:enum:: DCE_RPC::ISCMActivator DCE_RPC::IfID
.. zeek:type:: DCE_RPC::PType
:source-code: base/bif/plugins/Zeek_DCE_RPC.types.bif.zeek 8 8
:Type: :zeek:type:`enum`
.. zeek:enum:: DCE_RPC::REQUEST DCE_RPC::PType
.. zeek:enum:: DCE_RPC::PING DCE_RPC::PType
.. zeek:enum:: DCE_RPC::RESPONSE DCE_RPC::PType
.. zeek:enum:: DCE_RPC::FAULT DCE_RPC::PType
.. zeek:enum:: DCE_RPC::WORKING DCE_RPC::PType
.. zeek:enum:: DCE_RPC::NOCALL DCE_RPC::PType
.. zeek:enum:: DCE_RPC::REJECT DCE_RPC::PType
.. zeek:enum:: DCE_RPC::ACK DCE_RPC::PType
.. zeek:enum:: DCE_RPC::CL_CANCEL DCE_RPC::PType
.. zeek:enum:: DCE_RPC::FACK DCE_RPC::PType
.. zeek:enum:: DCE_RPC::CANCEL_ACK DCE_RPC::PType
.. zeek:enum:: DCE_RPC::BIND DCE_RPC::PType
.. zeek:enum:: DCE_RPC::BIND_ACK DCE_RPC::PType
.. zeek:enum:: DCE_RPC::BIND_NAK DCE_RPC::PType
.. zeek:enum:: DCE_RPC::ALTER_CONTEXT DCE_RPC::PType
.. zeek:enum:: DCE_RPC::ALTER_CONTEXT_RESP DCE_RPC::PType
.. zeek:enum:: DCE_RPC::AUTH3 DCE_RPC::PType
.. zeek:enum:: DCE_RPC::SHUTDOWN DCE_RPC::PType
.. zeek:enum:: DCE_RPC::CO_CANCEL DCE_RPC::PType
.. zeek:enum:: DCE_RPC::ORPHANED DCE_RPC::PType
.. zeek:enum:: DCE_RPC::RTS DCE_RPC::PType
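Review bot: both enums on this page are undocumented: the summary table has an empty description column for DCE_RPC::IfID and DCE_RPC::PType, and none of the 35 enum values carries a sentence. Suggest at least a type-level comment in the .bif source so zeekygen emits something, e.g. for IfID "Well-known DCE-RPC interfaces the analyzer recognizes; unknown_if is used for anything else" and for PType "DCE-RPC PDU types as delivered in the ptype argument of dce_rpc_message". The PType comment matters because the list mixes connectionless-only PDU types (PING, WORKING, NOCALL, REJECT, ACK, CL_CANCEL, FACK, CANCEL_ACK) with the connection-oriented ones a TCP or SMB-pipe deployment actually sees (BIND through RTS), and nothing tells a reader writing a detection on ``ptype`` which values can realistically occur.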


@ -0,0 +1,44 @@
:tocdepth: 3
base/bif/plugins/Zeek_DHCP.events.bif.zeek
==========================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
=========================================== ================================
:zeek:id:`dhcp_message`: :zeek:type:`event` Generated for all DHCP messages.
=========================================== ================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: dhcp_message
:source-code: base/protocols/dhcp/main.zeek 301 308
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, msg: :zeek:type:`DHCP::Msg`, options: :zeek:type:`DHCP::Options`)
Generated for all DHCP messages.
:param c: The connection record describing the underlying UDP flow.
:param is_orig: Indicate if the message came in a packet from the
originator/client of the udp flow or the responder/server.
:param msg: The parsed type-independent part of the DHCP message. The message
type is indicated in this record.
:param options: The full set of supported and parsed DHCP options.
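Review bot: the dhcp_message parameter text is inconsistent with itself and with the rest of the page: ``:param c:`` says "UDP flow" while ``:param is_orig:`` says "udp flow", and "Indicate if the message came in a packet from the originator/client of the udp flow or the responder/server" should read "True if the message was sent by the originator/client of the UDP flow, false if by the responder/server", matching the is_orig phrasing used for dce_rpc_message. Also consider making ``:param options:`` explicit that "The full set of supported and parsed DHCP options" means options the parser does not know are absent from the record, since the sentence can be read as "every option present on the wire".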


@ -0,0 +1,16 @@
:tocdepth: 3
base/bif/plugins/Zeek_DHCP.types.bif.zeek
=========================================
.. zeek:namespace:: DHCP
.. zeek:namespace:: GLOBAL
:Namespaces: DHCP, GLOBAL
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~
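Review bot: this page documents nothing: after the two namespace declarations the Summary and Detailed Interface sections are empty, so base/bif/plugins/Zeek_DHCP.types.bif.zeek renders as a title followed by two blank headings. If the .bif genuinely exports no script-visible identifiers, either leave the page out of the index or have the generator emit a one-line note ("This file declares no script-level identifiers") so readers do not mistake it for a broken build; compare Zeek_DCE_RPC.types.bif.zeek directly above, which lists its enums under the same headings.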


@ -0,0 +1,618 @@
:tocdepth: 3
base/bif/plugins/Zeek_DNP3.events.bif.zeek
==========================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
====================================================================== ===========================================================================
:zeek:id:`dnp3_analog_input_16wFlag`: :zeek:type:`event` Generated for DNP3 objects with the group number 30 and variation number 2
analog input 16 bit with flag
:zeek:id:`dnp3_analog_input_16woFlag`: :zeek:type:`event` Generated for DNP3 objects with the group number 30 and variation number 4
analog input 16 bit without flag
:zeek:id:`dnp3_analog_input_32wFlag`: :zeek:type:`event` Generated for DNP3 objects with the group number 30 and variation number 1
analog input 32 bit with flag
:zeek:id:`dnp3_analog_input_32woFlag`: :zeek:type:`event` Generated for DNP3 objects with the group number 30 and variation number 3
analog input 32 bit without flag
:zeek:id:`dnp3_analog_input_DPwFlag`: :zeek:type:`event` Generated for DNP3 objects with the group number 30 and variation number 6
analog input double precision, float point with flag
:zeek:id:`dnp3_analog_input_SPwFlag`: :zeek:type:`event` Generated for DNP3 objects with the group number 30 and variation number 5
analog input single precision, float point with flag
:zeek:id:`dnp3_analog_input_event_16wTime`: :zeek:type:`event` Generated for DNP3 objects with the group number 32 and variation number 4
analog input event 16 bit with time
:zeek:id:`dnp3_analog_input_event_16woTime`: :zeek:type:`event` Generated for DNP3 objects with the group number 32 and variation number 2
analog input event 16 bit without time
:zeek:id:`dnp3_analog_input_event_32wTime`: :zeek:type:`event` Generated for DNP3 objects with the group number 32 and variation number 3
analog input event 32 bit with time
:zeek:id:`dnp3_analog_input_event_32woTime`: :zeek:type:`event` Generated for DNP3 objects with the group number 32 and variation number 1
analog input event 32 bit without time
:zeek:id:`dnp3_analog_input_event_DPwTime`: :zeek:type:`event` Generated for DNP3 objects with the group number 32 and variation number 8
analog input event double-precision float point with time
:zeek:id:`dnp3_analog_input_event_DPwoTime`: :zeek:type:`event` Generated for DNP3 objects with the group number 32 and variation number 6
analog input event double-precision float point without time
:zeek:id:`dnp3_analog_input_event_SPwTime`: :zeek:type:`event` Generated for DNP3 objects with the group number 32 and variation number 7
analog input event single-precision float point with time
:zeek:id:`dnp3_analog_input_event_SPwoTime`: :zeek:type:`event` Generated for DNP3 objects with the group number 32 and variation number 5
analog input event single-precision float point without time
:zeek:id:`dnp3_application_request_header`: :zeek:type:`event` Generated for a DNP3 request header.
:zeek:id:`dnp3_application_response_header`: :zeek:type:`event` Generated for a DNP3 response header.
:zeek:id:`dnp3_attribute_common`: :zeek:type:`event` Generated for DNP3 attributes.
:zeek:id:`dnp3_counter_16wFlag`: :zeek:type:`event` Generated for DNP3 objects with the group number 20 and variation number 2
counter 16 bit with flag
:zeek:id:`dnp3_counter_16woFlag`: :zeek:type:`event` Generated for DNP3 objects with the group number 20 and variation number 6
counter 16 bit without flag
:zeek:id:`dnp3_counter_32wFlag`: :zeek:type:`event` Generated for DNP3 objects with the group number 20 and variation number 1
counter 32 bit with flag
:zeek:id:`dnp3_counter_32woFlag`: :zeek:type:`event` Generated for DNP3 objects with the group number 20 and variation number 5
counter 32 bit without flag
:zeek:id:`dnp3_crob`: :zeek:type:`event` Generated for DNP3 objects with the group number 12 and variation number 1
CROB: control relay output block
:zeek:id:`dnp3_debug_byte`: :zeek:type:`event` Debugging event generated by the DNP3 analyzer.
:zeek:id:`dnp3_file_transport`: :zeek:type:`event` g70
:zeek:id:`dnp3_frozen_analog_input_16wFlag`: :zeek:type:`event` Generated for DNP3 objects with the group number 31 and variation number 2
frozen analog input 16 bit with flag
:zeek:id:`dnp3_frozen_analog_input_16wTime`: :zeek:type:`event` Generated for DNP3 objects with the group number 31 and variation number 4
frozen analog input 16 bit with time-of-freeze
:zeek:id:`dnp3_frozen_analog_input_16woFlag`: :zeek:type:`event` Generated for DNP3 objects with the group number 31 and variation number 6
frozen analog input 16 bit without flag
:zeek:id:`dnp3_frozen_analog_input_32wFlag`: :zeek:type:`event` Generated for DNP3 objects with the group number 31 and variation number 1
frozen analog input 32 bit with flag
:zeek:id:`dnp3_frozen_analog_input_32wTime`: :zeek:type:`event` Generated for DNP3 objects with the group number 31 and variation number 3
frozen analog input 32 bit with time-of-freeze
:zeek:id:`dnp3_frozen_analog_input_32woFlag`: :zeek:type:`event` Generated for DNP3 objects with the group number 31 and variation number 5
frozen analog input 32 bit without flag
:zeek:id:`dnp3_frozen_analog_input_DPwFlag`: :zeek:type:`event` Generated for DNP3 objects with the group number 31 and variation number 8
frozen analog input double-precision, float point with flag
:zeek:id:`dnp3_frozen_analog_input_SPwFlag`: :zeek:type:`event` Generated for DNP3 objects with the group number 31 and variation number 7
frozen analog input single-precision, float point with flag
:zeek:id:`dnp3_frozen_analog_input_event_16wTime`: :zeek:type:`event` Generated for DNP3 objects with the group number 33 and variation number 4
frozen analog input event 16 bit with time
:zeek:id:`dnp3_frozen_analog_input_event_16woTime`: :zeek:type:`event` Generated for DNP3 objects with the group number 33 and variation number 2
frozen analog input event 16 bit without time
:zeek:id:`dnp3_frozen_analog_input_event_32wTime`: :zeek:type:`event` Generated for DNP3 objects with the group number 33 and variation number 3
frozen analog input event 32 bit with time
:zeek:id:`dnp3_frozen_analog_input_event_32woTime`: :zeek:type:`event` Generated for DNP3 objects with the group number 33 and variation number 1
frozen analog input event 32 bit without time
:zeek:id:`dnp3_frozen_analog_input_event_DPwTime`: :zeek:type:`event` Generated for DNP3 objects with the group number 34 and variation number 8
frozen analog input event double-precision float point with time
:zeek:id:`dnp3_frozen_analog_input_event_DPwoTime`: :zeek:type:`event` Generated for DNP3 objects with the group number 33 and variation number 6
frozen analog input event double-precision float point without time
:zeek:id:`dnp3_frozen_analog_input_event_SPwTime`: :zeek:type:`event` Generated for DNP3 objects with the group number 33 and variation number 7
frozen analog input event single-precision float point with time
:zeek:id:`dnp3_frozen_analog_input_event_SPwoTime`: :zeek:type:`event` Generated for DNP3 objects with the group number 33 and variation number 5
frozen analog input event single-precision float point without time
:zeek:id:`dnp3_frozen_counter_16wFlag`: :zeek:type:`event` Generated for DNP3 objects with the group number 21 and variation number 2
frozen counter 16 bit with flag
:zeek:id:`dnp3_frozen_counter_16wFlagTime`: :zeek:type:`event` Generated for DNP3 objects with the group number 21 and variation number 6
frozen counter 16 bit with flag and time
:zeek:id:`dnp3_frozen_counter_16woFlag`: :zeek:type:`event` Generated for DNP3 objects with the group number 21 and variation number 10
frozen counter 16 bit without flag
:zeek:id:`dnp3_frozen_counter_32wFlag`: :zeek:type:`event` Generated for DNP3 objects with the group number 21 and variation number 1
frozen counter 32 bit with flag
:zeek:id:`dnp3_frozen_counter_32wFlagTime`: :zeek:type:`event` Generated for DNP3 objects with the group number 21 and variation number 5
frozen counter 32 bit with flag and time
:zeek:id:`dnp3_frozen_counter_32woFlag`: :zeek:type:`event` Generated for DNP3 objects with the group number 21 and variation number 9
frozen counter 32 bit without flag
:zeek:id:`dnp3_header_block`: :zeek:type:`event` Generated for an additional header that the DNP3 analyzer passes to the
script-level.
:zeek:id:`dnp3_object_header`: :zeek:type:`event` Generated for the object header found in both DNP3 requests and responses.
:zeek:id:`dnp3_object_prefix`: :zeek:type:`event` Generated for the prefix before a DNP3 object.
:zeek:id:`dnp3_pcb`: :zeek:type:`event` Generated for DNP3 objects with the group number 12 and variation number 2
PCB: Pattern Control Block
:zeek:id:`dnp3_response_data_object`: :zeek:type:`event` Generated for a DNP3 "Response_Data_Object".
====================================================================== ===========================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: dnp3_analog_input_16wFlag
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 173 173
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, value: :zeek:type:`count`)
Generated for DNP3 objects with the group number 30 and variation number 2
analog input 16 bit with flag
.. zeek:id:: dnp3_analog_input_16woFlag
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 183 183
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, value: :zeek:type:`count`)
Generated for DNP3 objects with the group number 30 and variation number 4
analog input 16 bit without flag
.. zeek:id:: dnp3_analog_input_32wFlag
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 168 168
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, value: :zeek:type:`count`)
Generated for DNP3 objects with the group number 30 and variation number 1
analog input 32 bit with flag
.. zeek:id:: dnp3_analog_input_32woFlag
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 178 178
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, value: :zeek:type:`count`)
Generated for DNP3 objects with the group number 30 and variation number 3
analog input 32 bit without flag
.. zeek:id:: dnp3_analog_input_DPwFlag
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 193 193
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, value_low: :zeek:type:`count`, value_high: :zeek:type:`count`)
Generated for DNP3 objects with the group number 30 and variation number 6
analog input double precision, float point with flag
.. zeek:id:: dnp3_analog_input_SPwFlag
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 188 188
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, value: :zeek:type:`count`)
Generated for DNP3 objects with the group number 30 and variation number 5
analog input single precision, float point with flag
.. zeek:id:: dnp3_analog_input_event_16wTime
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 253 253
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, value: :zeek:type:`count`, time48: :zeek:type:`count`)
Generated for DNP3 objects with the group number 32 and variation number 4
analog input event 16 bit with time
.. zeek:id:: dnp3_analog_input_event_16woTime
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 243 243
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, value: :zeek:type:`count`)
Generated for DNP3 objects with the group number 32 and variation number 2
analog input event 16 bit without time
.. zeek:id:: dnp3_analog_input_event_32wTime
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 248 248
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, value: :zeek:type:`count`, time48: :zeek:type:`count`)
Generated for DNP3 objects with the group number 32 and variation number 3
analog input event 32 bit with time
.. zeek:id:: dnp3_analog_input_event_32woTime
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 238 238
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, value: :zeek:type:`count`)
Generated for DNP3 objects with the group number 32 and variation number 1
analog input event 32 bit without time
.. zeek:id:: dnp3_analog_input_event_DPwTime
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 273 273
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, value_low: :zeek:type:`count`, value_high: :zeek:type:`count`, time48: :zeek:type:`count`)
Generated for DNP3 objects with the group number 32 and variation number 8
analog input event double-precision float point with time
.. zeek:id:: dnp3_analog_input_event_DPwoTime
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 263 263
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, value_low: :zeek:type:`count`, value_high: :zeek:type:`count`)
Generated for DNP3 objects with the group number 32 and variation number 6
analog input event double-precision float point without time
.. zeek:id:: dnp3_analog_input_event_SPwTime
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 268 268
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, value: :zeek:type:`count`, time48: :zeek:type:`count`)
Generated for DNP3 objects with the group number 32 and variation number 7
analog input event single-precision float point with time
.. zeek:id:: dnp3_analog_input_event_SPwoTime
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 258 258
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, value: :zeek:type:`count`)
Generated for DNP3 objects with the group number 32 and variation number 5
analog input event single-precision float point without time
.. zeek:id:: dnp3_application_request_header
:source-code: base/protocols/dnp3/main.zeek 49 59
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, application: :zeek:type:`count`, fc: :zeek:type:`count`)
Generated for a DNP3 request header.
:param c: The connection the DNP3 communication is part of.
:param is_orig: True if this reflects originator-side activity.
:param fc: function code.
.. zeek:id:: dnp3_application_response_header
:source-code: base/protocols/dnp3/main.zeek 61 76
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, application: :zeek:type:`count`, fc: :zeek:type:`count`, iin: :zeek:type:`count`)
Generated for a DNP3 response header.
:param c: The connection the DNP3 communication is part of.
:param is_orig: True if this reflects originator-side activity.
:param fc: function code.
:param iin: internal indication number.
.. zeek:id:: dnp3_attribute_common
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 103 103
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, data_type_code: :zeek:type:`count`, leng: :zeek:type:`count`, attribute_obj: :zeek:type:`string`)
Generated for DNP3 attributes.
.. zeek:id:: dnp3_counter_16wFlag
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 123 123
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, count_value: :zeek:type:`count`)
Generated for DNP3 objects with the group number 20 and variation number 2
counter 16 bit with flag
.. zeek:id:: dnp3_counter_16woFlag
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 133 133
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, count_value: :zeek:type:`count`)
Generated for DNP3 objects with the group number 20 and variation number 6
counter 16 bit without flag
.. zeek:id:: dnp3_counter_32wFlag
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 118 118
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, count_value: :zeek:type:`count`)
Generated for DNP3 objects with the group number 20 and variation number 1
counter 32 bit with flag
.. zeek:id:: dnp3_counter_32woFlag
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 128 128
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, count_value: :zeek:type:`count`)
Generated for DNP3 objects with the group number 20 and variation number 5
counter 32 bit without flag
.. zeek:id:: dnp3_crob
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 108 108
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, control_code: :zeek:type:`count`, count8: :zeek:type:`count`, on_time: :zeek:type:`count`, off_time: :zeek:type:`count`, status_code: :zeek:type:`count`)
Generated for DNP3 objects with the group number 12 and variation number 1
:param CROB: control relay output block
.. zeek:id:: dnp3_debug_byte
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 323 323
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, debug: :zeek:type:`string`)
Debugging event generated by the DNP3 analyzer. The "Debug_Byte" binpac unit
generates this for unknown "cases". The user can use it to debug the byte
string to check what caused the malformed network packets.
.. zeek:id:: dnp3_file_transport
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 317 317
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, file_handle: :zeek:type:`count`, block_num: :zeek:type:`count`, file_data: :zeek:type:`string`)
g70
.. zeek:id:: dnp3_frozen_analog_input_16wFlag
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 203 203
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, frozen_value: :zeek:type:`count`)
Generated for DNP3 objects with the group number 31 and variation number 2
frozen analog input 16 bit with flag
.. zeek:id:: dnp3_frozen_analog_input_16wTime
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 213 213
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, frozen_value: :zeek:type:`count`, time48: :zeek:type:`count`)
Generated for DNP3 objects with the group number 31 and variation number 4
frozen analog input 16 bit with time-of-freeze
.. zeek:id:: dnp3_frozen_analog_input_16woFlag
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 223 223
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, frozen_value: :zeek:type:`count`)
Generated for DNP3 objects with the group number 31 and variation number 6
frozen analog input 16 bit without flag
.. zeek:id:: dnp3_frozen_analog_input_32wFlag
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 198 198
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, frozen_value: :zeek:type:`count`)
Generated for DNP3 objects with the group number 31 and variation number 1
frozen analog input 32 bit with flag
.. zeek:id:: dnp3_frozen_analog_input_32wTime
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 208 208
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, frozen_value: :zeek:type:`count`, time48: :zeek:type:`count`)
Generated for DNP3 objects with the group number 31 and variation number 3
frozen analog input 32 bit with time-of-freeze
.. zeek:id:: dnp3_frozen_analog_input_32woFlag
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 218 218
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, frozen_value: :zeek:type:`count`)
Generated for DNP3 objects with the group number 31 and variation number 5
frozen analog input 32 bit without flag
.. zeek:id:: dnp3_frozen_analog_input_DPwFlag
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 233 233
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, frozen_value_low: :zeek:type:`count`, frozen_value_high: :zeek:type:`count`)
Generated for DNP3 objects with the group number 31 and variation number 8
frozen analog input double-precision, float point with flag
.. zeek:id:: dnp3_frozen_analog_input_SPwFlag
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 228 228
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, frozen_value: :zeek:type:`count`)
Generated for DNP3 objects with the group number 31 and variation number 7
frozen analog input single-precision, float point with flag
.. zeek:id:: dnp3_frozen_analog_input_event_16wTime
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 293 293
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, frozen_value: :zeek:type:`count`, time48: :zeek:type:`count`)
Generated for DNP3 objects with the group number 33 and variation number 4
frozen analog input event 16 bit with time
.. zeek:id:: dnp3_frozen_analog_input_event_16woTime
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 283 283
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, frozen_value: :zeek:type:`count`)
Generated for DNP3 objects with the group number 33 and variation number 2
frozen analog input event 16 bit without time
.. zeek:id:: dnp3_frozen_analog_input_event_32wTime
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 288 288
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, frozen_value: :zeek:type:`count`, time48: :zeek:type:`count`)
Generated for DNP3 objects with the group number 33 and variation number 3
frozen analog input event 32 bit with time
.. zeek:id:: dnp3_frozen_analog_input_event_32woTime
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 278 278
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, frozen_value: :zeek:type:`count`)
Generated for DNP3 objects with the group number 33 and variation number 1
frozen analog input event 32 bit without time
.. zeek:id:: dnp3_frozen_analog_input_event_DPwTime
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 313 313
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, frozen_value_low: :zeek:type:`count`, frozen_value_high: :zeek:type:`count`, time48: :zeek:type:`count`)
Generated for DNP3 objects with the group number 34 and variation number 8
frozen analog input event double-precision float point with time
.. zeek:id:: dnp3_frozen_analog_input_event_DPwoTime
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 303 303
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, frozen_value_low: :zeek:type:`count`, frozen_value_high: :zeek:type:`count`)
Generated for DNP3 objects with the group number 33 and variation number 6
frozen analog input event double-precision float point without time
.. zeek:id:: dnp3_frozen_analog_input_event_SPwTime
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 308 308
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, frozen_value: :zeek:type:`count`, time48: :zeek:type:`count`)
Generated for DNP3 objects with the group number 33 and variation number 7
frozen analog input event single-precision float point with time
.. zeek:id:: dnp3_frozen_analog_input_event_SPwoTime
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 298 298
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, frozen_value: :zeek:type:`count`)
Generated for DNP3 objects with the group number 33 and variation number 5
frozen analog input event single-precision float point without time
.. zeek:id:: dnp3_frozen_counter_16wFlag
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 143 143
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, count_value: :zeek:type:`count`)
Generated for DNP3 objects with the group number 21 and variation number 2
frozen counter 16 bit with flag
.. zeek:id:: dnp3_frozen_counter_16wFlagTime
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 153 153
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, count_value: :zeek:type:`count`, time48: :zeek:type:`count`)
Generated for DNP3 objects with the group number 21 and variation number 6
frozen counter 16 bit with flag and time
.. zeek:id:: dnp3_frozen_counter_16woFlag
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 163 163
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, count_value: :zeek:type:`count`)
Generated for DNP3 objects with the group number 21 and variation number 10
frozen counter 16 bit without flag
.. zeek:id:: dnp3_frozen_counter_32wFlag
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 138 138
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, count_value: :zeek:type:`count`)
Generated for DNP3 objects with the group number 21 and variation number 1
frozen counter 32 bit with flag
.. zeek:id:: dnp3_frozen_counter_32wFlagTime
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 148 148
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, count_value: :zeek:type:`count`, time48: :zeek:type:`count`)
Generated for DNP3 objects with the group number 21 and variation number 5
frozen counter 32 bit with flag and time
.. zeek:id:: dnp3_frozen_counter_32woFlag
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 158 158
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, count_value: :zeek:type:`count`)
Generated for DNP3 objects with the group number 21 and variation number 9
frozen counter 32 bit without flag
.. zeek:id:: dnp3_header_block
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 82 82
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, len: :zeek:type:`count`, ctrl: :zeek:type:`count`, dest_addr: :zeek:type:`count`, src_addr: :zeek:type:`count`)
Generated for an additional header that the DNP3 analyzer passes to the
script-level. This header mimics the DNP3 transport-layer yet is only passed
once for each sequence of DNP3 records (which are otherwise reassembled and
treated as a single entity).
:param c: The connection the DNP3 communication is part of.
:param is_orig: True if this reflects originator-side activity.
:param len: the "length" field in the DNP3 Pseudo Link Layer.
:param ctrl: the "control" field in the DNP3 Pseudo Link Layer.
:param dest_addr: the "destination" field in the DNP3 Pseudo Link Layer.
:param src_addr: the "source" field in the DNP3 Pseudo Link Layer.
.. zeek:id:: dnp3_object_header
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 50 50
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, obj_type: :zeek:type:`count`, qua_field: :zeek:type:`count`, number: :zeek:type:`count`, rf_low: :zeek:type:`count`, rf_high: :zeek:type:`count`)
Generated for the object header found in both DNP3 requests and responses.
:param c: The connection the DNP3 communication is part of.
:param is_orig: True if this reflects originator-side activity.
:param obj_type: type of object, which is classified based on an 8-bit group number
and an 8-bit variation number.
:param qua_field: qualifier field.
:param number: TODO.
:param rf_low: the structure of the range field depends on the qualified field.
In some cases, the range field contains only one logic part, e.g.,
number of objects, so only *rf_low* contains useful values.
:param rf_high: in some cases, the range field contains two logic parts, e.g., start
index and stop index, so *rf_low* contains the start index
while *rf_high* contains the stop index.
.. zeek:id:: dnp3_object_prefix
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 62 62
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, prefix_value: :zeek:type:`count`)
Generated for the prefix before a DNP3 object. The structure and the meaning
of the prefix are defined by the qualifier field.
:param c: The connection the DNP3 communication is part of.
:param is_orig: True if this reflects originator-side activity.
:param prefix_value: The prefix.
.. zeek:id:: dnp3_pcb
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 113 113
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, control_code: :zeek:type:`count`, count8: :zeek:type:`count`, on_time: :zeek:type:`count`, off_time: :zeek:type:`count`, status_code: :zeek:type:`count`)
Generated for DNP3 objects with the group number 12 and variation number 2
:param PCB: Pattern Control Block
.. zeek:id:: dnp3_response_data_object
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 99 99
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, data_value: :zeek:type:`count`)
Generated for a DNP3 "Response_Data_Object".
The "Response_Data_Object" contains two parts: object prefix and object
data. In most cases, object data are defined by new record types. But
in a few cases, object data are directly basic types, such as int16_t, or
int8_t; thus we use an additional *data_value* to record the values of those
object data.
:param c: The connection the DNP3 communication is part of.
:param is_orig: True if this reflects originator-side activity.
:param data_value: The value for those objects that carry their information here
directly.


@ -0,0 +1,87 @@
:tocdepth: 3
base/bif/plugins/Zeek_FTP.events.bif.zeek
=========================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
=========================================== ==============================================================
:zeek:id:`ftp_reply`: :zeek:type:`event` Generated for server-side FTP replies.
:zeek:id:`ftp_request`: :zeek:type:`event` Generated for client-side FTP commands.
:zeek:id:`ftp_starttls`: :zeek:type:`event` Generated if an FTP connection switched to TLS using AUTH TLS.
=========================================== ==============================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: ftp_reply
:source-code: base/bif/plugins/Zeek_FTP.events.bif.zeek 38 38
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, code: :zeek:type:`count`, msg: :zeek:type:`string`, cont_resp: :zeek:type:`bool`)
Generated for server-side FTP replies.
See `Wikipedia <http://en.wikipedia.org/wiki/File_Transfer_Protocol>`__ for
more information about the FTP protocol.
:param c: The connection.
:param code: The numerical response code the server responded with.
:param msg: The textual message of the response.
:param cont_resp: True if the reply line is tagged as being continued to the next
line. If so, further events will be raised and a handler may want
to reassemble the pieces before processing the response any
further.
.. zeek:see:: ftp_request fmt_ftp_port parse_eftp_port
parse_ftp_epsv parse_ftp_pasv parse_ftp_port
.. zeek:id:: ftp_request
:source-code: base/bif/plugins/Zeek_FTP.events.bif.zeek 17 17
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, command: :zeek:type:`string`, arg: :zeek:type:`string`)
Generated for client-side FTP commands.
See `Wikipedia <http://en.wikipedia.org/wiki/File_Transfer_Protocol>`__ for
more information about the FTP protocol.
:param c: The connection.
:param command: The FTP command issued by the client (without any arguments).
:param arg: The arguments going with the command.
.. zeek:see:: ftp_reply fmt_ftp_port parse_eftp_port
parse_ftp_epsv parse_ftp_pasv parse_ftp_port
.. zeek:id:: ftp_starttls
:source-code: base/bif/plugins/Zeek_FTP.events.bif.zeek 46 46
:Type: :zeek:type:`event` (c: :zeek:type:`connection`)
Generated if an FTP connection switched to TLS using AUTH TLS. After this
event no more FTP events will be raised for the connection. See the SSL
analyzer for related SSL events, which will now be generated.
:param c: The connection.
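Review bot: `ftp_starttls` is the only event in this hunk without a `.. zeek:see::` block, and its description points readers at "the SSL analyzer" without naming any event; add a cross-reference to the relevant SSL events so the handoff from FTP to SSL analysis is discoverable from here. Minor: both Wikipedia links use `http://`; prefer `https://`.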


@ -0,0 +1,115 @@
:tocdepth: 3
base/bif/plugins/Zeek_FTP.functions.bif.zeek
============================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Functions
#########
================================================= ==========================================================================
:zeek:id:`fmt_ftp_port`: :zeek:type:`function` Formats an IP address and TCP port as an FTP PORT command.
:zeek:id:`parse_eftp_port`: :zeek:type:`function` Converts a string representation of the FTP EPRT command (see :rfc:`2428`)
to an :zeek:type:`ftp_port`.
:zeek:id:`parse_ftp_epsv`: :zeek:type:`function` Converts the result of the FTP EPSV command (see :rfc:`2428`) to an
:zeek:type:`ftp_port`.
:zeek:id:`parse_ftp_pasv`: :zeek:type:`function` Converts the result of the FTP PASV command to an :zeek:type:`ftp_port`.
:zeek:id:`parse_ftp_port`: :zeek:type:`function` Converts a string representation of the FTP PORT command to an
:zeek:type:`ftp_port`.
================================================= ==========================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. zeek:id:: fmt_ftp_port
:source-code: base/bif/plugins/Zeek_FTP.functions.bif.zeek 65 65
:Type: :zeek:type:`function` (a: :zeek:type:`addr`, p: :zeek:type:`port`) : :zeek:type:`string`
Formats an IP address and TCP port as an FTP PORT command. For example,
``10.0.0.1`` and ``1055/tcp`` yields ``"10,0,0,1,4,31"``.
:param a: The IP address.
:param p: The TCP port.
:returns: The FTP PORT string.
.. zeek:see:: parse_ftp_port parse_eftp_port parse_ftp_pasv parse_ftp_epsv
.. zeek:id:: parse_eftp_port
:source-code: base/bif/plugins/Zeek_FTP.functions.bif.zeek 30 30
:Type: :zeek:type:`function` (s: :zeek:type:`string`) : :zeek:type:`ftp_port`
Converts a string representation of the FTP EPRT command (see :rfc:`2428`)
to an :zeek:type:`ftp_port`. The format is
``"EPRT<space><d><net-prt><d><net-addr><d><tcp-port><d>"``,
where ``<d>`` is a delimiter in the ASCII range 33-126 (usually ``|``).
:param s: The string of the FTP EPRT command, e.g., ``"|1|10.0.0.1|1055|"``.
:returns: The FTP PORT, e.g., ``[h=10.0.0.1, p=1055/tcp, valid=T]``.
.. zeek:see:: parse_ftp_port parse_ftp_pasv parse_ftp_epsv fmt_ftp_port
.. zeek:id:: parse_ftp_epsv
:source-code: base/bif/plugins/Zeek_FTP.functions.bif.zeek 52 52
:Type: :zeek:type:`function` (str: :zeek:type:`string`) : :zeek:type:`ftp_port`
Converts the result of the FTP EPSV command (see :rfc:`2428`) to an
:zeek:type:`ftp_port`. The format is ``"<text> (<d><d><d><tcp-port><d>)"``,
where ``<d>`` is a delimiter in the ASCII range 33-126 (usually ``|``).
:param str: The string containing the result of the FTP EPSV command.
:returns: The FTP PORT, e.g., ``[h=10.0.0.1, p=1055/tcp, valid=T]``.
.. zeek:see:: parse_ftp_port parse_eftp_port parse_ftp_pasv fmt_ftp_port
.. zeek:id:: parse_ftp_pasv
:source-code: base/bif/plugins/Zeek_FTP.functions.bif.zeek 40 40
:Type: :zeek:type:`function` (str: :zeek:type:`string`) : :zeek:type:`ftp_port`
Converts the result of the FTP PASV command to an :zeek:type:`ftp_port`.
:param str: The string containing the result of the FTP PASV command.
:returns: The FTP PORT, e.g., ``[h=10.0.0.1, p=1055/tcp, valid=T]``.
.. zeek:see:: parse_ftp_port parse_eftp_port parse_ftp_epsv fmt_ftp_port
.. zeek:id:: parse_ftp_port
:source-code: base/bif/plugins/Zeek_FTP.functions.bif.zeek 17 17
:Type: :zeek:type:`function` (s: :zeek:type:`string`) : :zeek:type:`ftp_port`
Converts a string representation of the FTP PORT command to an
:zeek:type:`ftp_port`.
:param s: The string of the FTP PORT command, e.g., ``"10,0,0,1,4,31"``.
:returns: The FTP PORT, e.g., ``[h=10.0.0.1, p=1055/tcp, valid=T]``.
.. zeek:see:: parse_eftp_port parse_ftp_pasv parse_ftp_epsv fmt_ftp_port
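Review bot: all four `parse_*` functions show the success value `[h=10.0.0.1, p=1055/tcp, valid=T]` but none states what is returned when the input does not match the expected format, even though the `ftp_port` record carries a `valid` field for exactly that case; since the argument comes from the peer's PORT/EPRT/PASV/EPSV text, handlers need to be told to check `valid` before trusting `h` and `p`. Suggest adding to each `:returns:` what `valid` is set to on a parse failure. Also `parse_ftp_port` and `parse_ftp_pasv` lack the format description that `parse_eftp_port` and `parse_ftp_epsv` give; the `h1,h2,h3,h4,p1,p2` layout behind the `"10,0,0,1,4,31"` example (port = p1*256 + p2, here 4*256 + 31 = 1055) should be spelled out.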


@ -0,0 +1,45 @@
:tocdepth: 3
base/bif/plugins/Zeek_File.events.bif.zeek
==========================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
=============================================== ========================================================================
:zeek:id:`file_transferred`: :zeek:type:`event` Generated when a TCP connection associated w/ file data transfer is seen
(e.g.
=============================================== ========================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: file_transferred
:source-code: base/protocols/ftp/main.zeek 450 458
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, prefix: :zeek:type:`string`, descr: :zeek:type:`string`, mime_type: :zeek:type:`string`)
Generated when a TCP connection associated w/ file data transfer is seen
(e.g. as happens w/ FTP or IRC).
:param c: The connection over which file data is transferred.
:param prefix: Up to 1024 bytes of the file data.
:param descr: Deprecated/unused argument.
:param mime_type: MIME type of the file or "<unknown>" if no file magic signatures
matched.
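Review bot: the summary table entry for `file_transferred` is cut off at `(e.g.` because the generator ends the summary at the first period and the opening sentence contains an abbreviation; rewording that sentence (for instance "as happens with FTP or IRC") keeps the summary whole. Also `w/` appears twice where `with` reads better in reference documentation.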


@ -0,0 +1,39 @@
:tocdepth: 3
base/bif/plugins/Zeek_FileEntropy.events.bif.zeek
=================================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
=========================================== ========================================================
:zeek:id:`file_entropy`: :zeek:type:`event` This event is generated each time file analysis performs
entropy testing on a file.
=========================================== ========================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: file_entropy
:source-code: policy/frameworks/files/entropy-test-all-files.zeek 16 19
:Type: :zeek:type:`event` (f: :zeek:type:`fa_file`, ent: :zeek:type:`entropy_test_result`)
This event is generated each time file analysis performs
entropy testing on a file.
:param f: The file.
:param ent: The results of the entropy testing.


@ -0,0 +1,51 @@
:tocdepth: 3
base/bif/plugins/Zeek_FileExtract.events.bif.zeek
=================================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
==================================================== ================================================================
:zeek:id:`file_extraction_limit`: :zeek:type:`event` This event is generated when a file extraction analyzer is about
to exceed the maximum permitted file size allowed by the
*extract_limit* field of :zeek:see:`Files::AnalyzerArgs`.
==================================================== ================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: file_extraction_limit
:source-code: base/files/extract/main.zeek 89 93
:Type: :zeek:type:`event` (f: :zeek:type:`fa_file`, args: :zeek:type:`Files::AnalyzerArgs`, limit: :zeek:type:`count`, len: :zeek:type:`count`)
This event is generated when a file extraction analyzer is about
to exceed the maximum permitted file size allowed by the
*extract_limit* field of :zeek:see:`Files::AnalyzerArgs`.
The analyzer is automatically removed from file *f*.
:param f: The file.
:param args: Arguments that identify a particular file extraction analyzer.
This is only provided to be able to pass along to
:zeek:see:`FileExtract::set_limit`.
:param limit: The limit, in bytes, the extracted file is about to breach.
:param len: The length of the file chunk about to be written.
.. zeek:see:: Files::add_analyzer Files::ANALYZER_EXTRACT


@ -0,0 +1,32 @@
:tocdepth: 3
base/bif/plugins/Zeek_FileExtract.functions.bif.zeek
====================================================
.. zeek:namespace:: FileExtract
.. zeek:namespace:: GLOBAL
Internal functions used by the extraction file analyzer.
:Namespaces: FileExtract, GLOBAL
Summary
~~~~~~~
Functions
#########
========================================================== ===================================
:zeek:id:`FileExtract::__set_limit`: :zeek:type:`function` :zeek:see:`FileExtract::set_limit`.
========================================================== ===================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. zeek:id:: FileExtract::__set_limit
:source-code: base/bif/plugins/Zeek_FileExtract.functions.bif.zeek 12 12
:Type: :zeek:type:`function` (file_id: :zeek:type:`string`, args: :zeek:type:`any`, n: :zeek:type:`count`) : :zeek:type:`bool`
:zeek:see:`FileExtract::set_limit`.


@ -0,0 +1,44 @@
:tocdepth: 3
base/bif/plugins/Zeek_FileHash.events.bif.zeek
==============================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
======================================== =========================================================================
:zeek:id:`file_hash`: :zeek:type:`event` This event is generated each time file analysis generates a digest of the
file contents.
======================================== =========================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: file_hash
:source-code: base/bif/plugins/Zeek_FileHash.events.bif.zeek 15 15
:Type: :zeek:type:`event` (f: :zeek:type:`fa_file`, kind: :zeek:type:`string`, hash: :zeek:type:`string`)
This event is generated each time file analysis generates a digest of the
file contents.
:param f: The file.
:param kind: The type of digest algorithm.
:param hash: The result of the hashing.
.. zeek:see:: Files::add_analyzer Files::ANALYZER_MD5
Files::ANALYZER_SHA1 Files::ANALYZER_SHA256
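Review bot: `:param kind: The type of digest algorithm.` does not say which values a handler should compare against; since the see-also line lists `Files::ANALYZER_MD5`, `Files::ANALYZER_SHA1` and `Files::ANALYZER_SHA256`, list the string `kind` takes for each, and state how `hash` is encoded so handlers can match it against external hash lists without guessing.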


@ -0,0 +1,37 @@
:tocdepth: 3
base/bif/plugins/Zeek_GSSAPI.events.bif.zeek
============================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
================================================ =========================================
:zeek:id:`gssapi_neg_result`: :zeek:type:`event` Generated for GSSAPI negotiation results.
================================================ =========================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: gssapi_neg_result
:source-code: base/bif/plugins/Zeek_GSSAPI.events.bif.zeek 10 10
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, state: :zeek:type:`count`)
Generated for GSSAPI negotiation results.
:param c: The connection.
:param state: The resulting state of the negotiation.
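Review bot: `:param state: The resulting state of the negotiation.` leaves a bare `count` with no meaning; document the values it can take, at minimum which value denotes a completed negotiation and which a rejection, so handlers do not have to read the analyzer source to interpret it.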


@ -0,0 +1,173 @@
:tocdepth: 3
base/bif/plugins/Zeek_GTPv1.events.bif.zeek
===========================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
============================================================ ===================================================================
:zeek:id:`gtpv1_create_pdp_ctx_request`: :zeek:type:`event` Generated for GTPv1-C Create PDP Context Request messages.
:zeek:id:`gtpv1_create_pdp_ctx_response`: :zeek:type:`event` Generated for GTPv1-C Create PDP Context Response messages.
:zeek:id:`gtpv1_delete_pdp_ctx_request`: :zeek:type:`event` Generated for GTPv1-C Delete PDP Context Request messages.
:zeek:id:`gtpv1_delete_pdp_ctx_response`: :zeek:type:`event` Generated for GTPv1-C Delete PDP Context Response messages.
:zeek:id:`gtpv1_g_pdu_packet`: :zeek:type:`event` Generated for GTPv1 G-PDU packets.
:zeek:id:`gtpv1_message`: :zeek:type:`event` Generated for any GTP message with a GTPv1 header.
:zeek:id:`gtpv1_update_pdp_ctx_request`: :zeek:type:`event` Generated for GTPv1-C Update PDP Context Request messages.
:zeek:id:`gtpv1_update_pdp_ctx_response`: :zeek:type:`event` Generated for GTPv1-C Update PDP Context Response messages.
:zeek:id:`new_gtpv1_state`: :zeek:type:`event` Generated when a new GTP analyzer is instantiated for a connection.
============================================================ ===================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: gtpv1_create_pdp_ctx_request
:source-code: base/bif/plugins/Zeek_GTPv1.events.bif.zeek 45 45
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`gtpv1_hdr`, elements: :zeek:type:`gtp_create_pdp_ctx_request_elements`)
Generated for GTPv1-C Create PDP Context Request messages.
:param c: The connection over which the message is sent.
:param hdr: The GTPv1 header.
:param elements: The set of Information Elements comprising the message.
.. zeek:id:: gtpv1_create_pdp_ctx_response
:source-code: base/bif/plugins/Zeek_GTPv1.events.bif.zeek 55 55
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`gtpv1_hdr`, elements: :zeek:type:`gtp_create_pdp_ctx_response_elements`)
Generated for GTPv1-C Create PDP Context Response messages.
:param c: The connection over which the message is sent.
:param hdr: The GTPv1 header.
:param elements: The set of Information Elements comprising the message.
.. zeek:id:: gtpv1_delete_pdp_ctx_request
:source-code: base/bif/plugins/Zeek_GTPv1.events.bif.zeek 85 85
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`gtpv1_hdr`, elements: :zeek:type:`gtp_delete_pdp_ctx_request_elements`)
Generated for GTPv1-C Delete PDP Context Request messages.
:param c: The connection over which the message is sent.
:param hdr: The GTPv1 header.
:param elements: The set of Information Elements comprising the message.
.. zeek:id:: gtpv1_delete_pdp_ctx_response
:source-code: base/bif/plugins/Zeek_GTPv1.events.bif.zeek 95 95
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`gtpv1_hdr`, elements: :zeek:type:`gtp_delete_pdp_ctx_response_elements`)
Generated for GTPv1-C Delete PDP Context Response messages.
:param c: The connection over which the message is sent.
:param hdr: The GTPv1 header.
:param elements: The set of Information Elements comprising the message.
.. zeek:id:: gtpv1_g_pdu_packet
:source-code: base/bif/plugins/Zeek_GTPv1.events.bif.zeek 35 35
:Type: :zeek:type:`event` (outer: :zeek:type:`connection`, inner_gtp: :zeek:type:`gtpv1_hdr`, inner_ip: :zeek:type:`pkt_hdr`)
Generated for GTPv1 G-PDU packets. That is, packets with a UDP payload
that includes a GTP header followed by an IPv4 or IPv6 packet.
:param outer: The GTP outer tunnel connection.
:param inner_gtp: The GTP header.
:param inner_ip: The inner IP and transport layer packet headers.
.. note:: Since this event may be raised on a per-packet basis, handling
it may become particularly expensive for real-time analysis.
.. zeek:id:: gtpv1_message
:source-code: base/bif/plugins/Zeek_GTPv1.events.bif.zeek 21 21
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`gtpv1_hdr`)
Generated for any GTP message with a GTPv1 header.
:param c: The connection over which the message is sent.
:param hdr: The GTPv1 header.
.. zeek:id:: gtpv1_update_pdp_ctx_request
:source-code: base/bif/plugins/Zeek_GTPv1.events.bif.zeek 65 65
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`gtpv1_hdr`, elements: :zeek:type:`gtp_update_pdp_ctx_request_elements`)
Generated for GTPv1-C Update PDP Context Request messages.
:param c: The connection over which the message is sent.
:param hdr: The GTPv1 header.
:param elements: The set of Information Elements comprising the message.
.. zeek:id:: gtpv1_update_pdp_ctx_response
:source-code: base/bif/plugins/Zeek_GTPv1.events.bif.zeek 75 75
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`gtpv1_hdr`, elements: :zeek:type:`gtp_update_pdp_ctx_response_elements`)
Generated for GTPv1-C Update PDP Context Response messages.
:param c: The connection over which the message is sent.
:param hdr: The GTPv1 header.
:param elements: The set of Information Elements comprising the message.
.. zeek:id:: new_gtpv1_state
:source-code: base/packet-protocols/gtpv1/main.zeek 35 38
:Type: :zeek:type:`event` (c: :zeek:type:`connection`)
Generated when a new GTP analyzer is instantiated for a connection.
This event exists to install a connection removal hook to clear
internal per-connection GTPv1 state.
:param c: The connection for which the analyzer is instantiated.


@ -0,0 +1,30 @@
:tocdepth: 3
base/bif/plugins/Zeek_GTPv1.functions.bif.zeek
==============================================
.. zeek:namespace:: GLOBAL
.. zeek:namespace:: PacketAnalyzer::GTPV1
:Namespaces: GLOBAL, PacketAnalyzer::GTPV1
Summary
~~~~~~~
Functions
#########
================================================================================ =
:zeek:id:`PacketAnalyzer::GTPV1::remove_gtpv1_connection`: :zeek:type:`function`
================================================================================ =
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. zeek:id:: PacketAnalyzer::GTPV1::remove_gtpv1_connection
:source-code: base/bif/plugins/Zeek_GTPv1.functions.bif.zeek 9 9
:Type: :zeek:type:`function` (cid: :zeek:type:`conn_id`) : :zeek:type:`bool`
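Review bot: `PacketAnalyzer::GTPV1::remove_gtpv1_connection` has no docstring at all, which is why the description column of the summary table is empty; add what is removed for `cid`, what the `bool` return value means, and a cross-reference to `new_gtpv1_state`, whose docstring in the events file says it installs the connection removal hook that clears per-connection GTPv1 state.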


@ -0,0 +1,43 @@
:tocdepth: 3
base/bif/plugins/Zeek_Geneve.events.bif.zeek
============================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
============================================ =========================================================
:zeek:id:`geneve_packet`: :zeek:type:`event` Generated for any packet encapsulated in a Geneve tunnel.
============================================ =========================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: geneve_packet
:source-code: base/bif/plugins/Zeek_Geneve.events.bif.zeek 15 15
:Type: :zeek:type:`event` (outer: :zeek:type:`connection`, inner: :zeek:type:`pkt_hdr`, vni: :zeek:type:`count`)
Generated for any packet encapsulated in a Geneve tunnel.
See :rfc:`8926` for more information about the Geneve protocol.
:param outer: The Geneve tunnel connection.
:param inner: The Geneve-encapsulated Ethernet packet header and transport header.
:param vni: Geneve Network Identifier.
.. note:: Since this event may be raised on a per-packet basis, handling
it may become particularly expensive for real-time analysis.
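Review bot: `:param vni: Geneve Network Identifier.` misexpands the acronym; RFC 8926, cited two lines earlier, defines VNI as Virtual Network Identifier. Also `inner` is described as "the Geneve-encapsulated Ethernet packet header and transport header" but is typed `pkt_hdr`, the same type `gtpv1_g_pdu_packet` documents as "the inner IP and transport layer packet headers"; clarify which layers are actually populated.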


@ -0,0 +1,36 @@
:tocdepth: 3
base/bif/plugins/Zeek_Geneve.functions.bif.zeek
===============================================
.. zeek:namespace:: GLOBAL
.. zeek:namespace:: PacketAnalyzer::Geneve
:Namespaces: GLOBAL, PacketAnalyzer::Geneve
Summary
~~~~~~~
Functions
#########
===================================================================== =================================================================
:zeek:id:`PacketAnalyzer::Geneve::get_options`: :zeek:type:`function` Returns all Geneve options from all layers of the current packet.
===================================================================== =================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. zeek:id:: PacketAnalyzer::Geneve::get_options
:source-code: base/bif/plugins/Zeek_Geneve.functions.bif.zeek 15 15
:Type: :zeek:type:`function` () : :zeek:type:`geneve_options_vec_vec`
Returns all Geneve options from all layers of the current packet.
The last entry in the outer vector are the options of the most
inner Geneve header.
Returns a vector of vector of :zeek:see:`PacketAnalyzer::Geneve::Option` records.
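Review bot: the description of `PacketAnalyzer::Geneve::get_options` has two grammar slips: "The last entry in the outer vector are the options of the most inner Geneve header" should read "is the options of the innermost Geneve header", and "vector of vector" should be "vector of vectors". The final "Returns ..." sentence should also be a `:returns:` field, matching the other function docs in this commit.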


@ -0,0 +1,137 @@
:tocdepth: 3
base/bif/plugins/Zeek_Gnutella.events.bif.zeek
==============================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
========================================================== =====
:zeek:id:`gnutella_binary_msg`: :zeek:type:`event` TODO.
:zeek:id:`gnutella_establish`: :zeek:type:`event` TODO.
:zeek:id:`gnutella_http_notify`: :zeek:type:`event` TODO.
:zeek:id:`gnutella_not_establish`: :zeek:type:`event` TODO.
:zeek:id:`gnutella_partial_binary_msg`: :zeek:type:`event` TODO.
:zeek:id:`gnutella_text_msg`: :zeek:type:`event` TODO.
========================================================== =====
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: gnutella_binary_msg
:source-code: base/bif/plugins/Zeek_Gnutella.events.bif.zeek 32 32
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, orig: :zeek:type:`bool`, msg_type: :zeek:type:`count`, ttl: :zeek:type:`count`, hops: :zeek:type:`count`, msg_len: :zeek:type:`count`, payload: :zeek:type:`string`, payload_len: :zeek:type:`count`, trunc: :zeek:type:`bool`, complete: :zeek:type:`bool`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/Gnutella>`__ for more
information about the Gnutella protocol.
.. zeek:see:: gnutella_establish gnutella_http_notify gnutella_not_establish
gnutella_partial_binary_msg gnutella_text_msg
.. todo:: Zeek's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported. To still enable this event, one needs to
register a port for it or add a DPD payload signature.
.. zeek:id:: gnutella_establish
:source-code: base/bif/plugins/Zeek_Gnutella.events.bif.zeek 62 62
:Type: :zeek:type:`event` (c: :zeek:type:`connection`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/Gnutella>`__ for more
information about the Gnutella protocol.
.. zeek:see:: gnutella_binary_msg gnutella_http_notify gnutella_not_establish
gnutella_partial_binary_msg gnutella_text_msg
.. todo:: Zeek's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported. To still enable this event, one needs to
register a port for it or add a DPD payload signature.
.. zeek:id:: gnutella_http_notify
:source-code: base/bif/plugins/Zeek_Gnutella.events.bif.zeek 92 92
:Type: :zeek:type:`event` (c: :zeek:type:`connection`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/Gnutella>`__ for more
information about the Gnutella protocol.
.. zeek:see:: gnutella_binary_msg gnutella_establish gnutella_not_establish
gnutella_partial_binary_msg gnutella_text_msg
.. todo:: Zeek's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported. To still enable this event, one needs to
register a port for it or add a DPD payload signature.
.. zeek:id:: gnutella_not_establish
:source-code: base/bif/plugins/Zeek_Gnutella.events.bif.zeek 77 77
:Type: :zeek:type:`event` (c: :zeek:type:`connection`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/Gnutella>`__ for more
information about the Gnutella protocol.
.. zeek:see:: gnutella_binary_msg gnutella_establish gnutella_http_notify
gnutella_partial_binary_msg gnutella_text_msg
.. todo:: Zeek's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported. To still enable this event, one needs to
register a port for it or add a DPD payload signature.
.. zeek:id:: gnutella_partial_binary_msg
:source-code: base/bif/plugins/Zeek_Gnutella.events.bif.zeek 47 47
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, orig: :zeek:type:`bool`, msg: :zeek:type:`string`, len: :zeek:type:`count`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/Gnutella>`__ for more
information about the Gnutella protocol.
.. zeek:see:: gnutella_binary_msg gnutella_establish gnutella_http_notify
gnutella_not_establish gnutella_text_msg
.. todo:: Zeek's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported. To still enable this event, one needs to
register a port for it or add a DPD payload signature.
.. zeek:id:: gnutella_text_msg
:source-code: base/bif/plugins/Zeek_Gnutella.events.bif.zeek 17 17
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, orig: :zeek:type:`bool`, headers: :zeek:type:`string`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/Gnutella>`__ for more
information about the Gnutella protocol.
.. zeek:see:: gnutella_binary_msg gnutella_establish gnutella_http_notify
gnutella_not_establish gnutella_partial_binary_msg
.. todo:: Zeek's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported. To still enable this event, one needs to
register a port for it or add a DPD payload signature.
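Review bot: all six events in this hunk carry `TODO.` as their only description and document none of their parameters, so `gnutella_binary_msg` exposes ten undocumented values (`msg_type`, `ttl`, `hops`, `msg_len`, `payload`, `payload_len`, `trunc`, `complete` among them). If the analyzer is being kept, at least describe the parameters and how `trunc` and `complete` relate `payload_len` to `msg_len`; if not, the `.. todo::` blocks should say so. The same four-line `.. todo::` note is also copied verbatim six times; one note at the file level would be easier to keep accurate.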


@ -0,0 +1,374 @@
:tocdepth: 3
base/bif/plugins/Zeek_HTTP.events.bif.zeek
==========================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
====================================================== ========================================================================
:zeek:id:`http_all_headers`: :zeek:type:`event` Generated for HTTP headers, passing on all headers of an HTTP message at
once.
:zeek:id:`http_begin_entity`: :zeek:type:`event` Generated when starting to parse an HTTP body entity.
:zeek:id:`http_connection_upgrade`: :zeek:type:`event` Generated when a HTTP session is upgraded to a different protocol (e.g.
:zeek:id:`http_content_type`: :zeek:type:`event` Generated for reporting an HTTP body's content type.
:zeek:id:`http_end_entity`: :zeek:type:`event` Generated when finishing parsing an HTTP body entity.
:zeek:id:`http_entity_data`: :zeek:type:`event` Generated when parsing an HTTP body entity, passing on the data.
:zeek:id:`http_event`: :zeek:type:`event` Generated for errors found when decoding HTTP requests or replies.
:zeek:id:`http_header`: :zeek:type:`event` Generated for HTTP headers.
:zeek:id:`http_message_done`: :zeek:type:`event` Generated once at the end of parsing an HTTP message.
:zeek:id:`http_reply`: :zeek:type:`event` Generated for HTTP replies.
:zeek:id:`http_request`: :zeek:type:`event` Generated for HTTP requests.
:zeek:id:`http_stats`: :zeek:type:`event` Generated at the end of an HTTP session to report statistics about it.
====================================================== ========================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: http_all_headers
:source-code: base/bif/plugins/Zeek_HTTP.events.bif.zeek 100 100
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, hlist: :zeek:type:`mime_header_list`)
Generated for HTTP headers, passing on all headers of an HTTP message at
once. Zeek supports persistent and pipelined HTTP sessions and raises
corresponding events as it parses client/server dialogues.
See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__
for more information about the HTTP protocol.
:param c: The connection.
:param is_orig: True if the header was sent by the originator of the TCP connection.
:param hlist: A *table* containing all headers extracted from the current entity.
The table is indexed by the position of the header (1 for the first,
2 for the second, etc.).
.. zeek:see:: http_begin_entity http_content_type http_end_entity http_entity_data
http_event http_header http_message_done http_reply http_request http_stats
http_connection_upgrade
.. note:: This event is also raised for headers found in nested body
entities.
.. zeek:id:: http_begin_entity
:source-code: base/protocols/http/entities.zeek 73 83
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`)
Generated when starting to parse an HTTP body entity. This event is generated
at least once for each non-empty (client or server) HTTP body; and
potentially more than once if the body contains further nested MIME
entities. Zeek raises this event just before it starts parsing each entity's
content.
See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__
for more information about the HTTP protocol.
:param c: The connection.
:param is_orig: True if the entity was sent by the originator of the TCP
connection.
.. zeek:see:: http_all_headers http_content_type http_end_entity http_entity_data
http_event http_header http_message_done http_reply http_request http_stats
mime_begin_entity http_connection_upgrade
.. zeek:id:: http_connection_upgrade
:source-code: base/bif/plugins/Zeek_HTTP.events.bif.zeek 267 267
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, protocol: :zeek:type:`string`)
Generated when a HTTP session is upgraded to a different protocol (e.g. websocket).
This event is raised when a server replies with a HTTP 101 reply. No more HTTP events
will be raised after this event.
:param c: The connection.
:param protocol: The protocol to which the connection is switching.
.. zeek:see:: http_all_headers http_begin_entity http_content_type http_end_entity
http_entity_data http_event http_header http_message_done http_reply
http_request
.. zeek:id:: http_content_type
:source-code: base/bif/plugins/Zeek_HTTP.events.bif.zeek 196 196
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, ty: :zeek:type:`string`, subty: :zeek:type:`string`)
Generated for reporting an HTTP body's content type. This event is
generated at the end of parsing an HTTP header, passing on the MIME
type as specified by the ``Content-Type`` header. If that header is
missing, this event is still raised with a default value of ``text/plain``.
See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__
for more information about the HTTP protocol.
:param c: The connection.
:param is_orig: True if the entity was sent by the originator of the TCP
connection.
:param ty: The main type.
:param subty: The subtype.
.. zeek:see:: http_all_headers http_begin_entity http_end_entity http_entity_data
http_event http_header http_message_done http_reply http_request http_stats
http_connection_upgrade
.. note:: This event is also raised for headers found in nested body
entities.
.. zeek:id:: http_end_entity
:source-code: base/protocols/http/entities.zeek 214 218
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`)
Generated when finishing parsing an HTTP body entity. This event is generated
at least once for each non-empty (client or server) HTTP body; and
potentially more than once if the body contains further nested MIME
entities. Zeek raises this event at the point when it has finished parsing an
entity's content.
See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__
for more information about the HTTP protocol.
:param c: The connection.
:param is_orig: True if the entity was sent by the originator of the TCP
connection.
.. zeek:see:: http_all_headers http_begin_entity http_content_type http_entity_data
http_event http_header http_message_done http_reply http_request
http_stats mime_end_entity http_connection_upgrade
.. zeek:id:: http_entity_data
:source-code: base/bif/plugins/Zeek_HTTP.events.bif.zeek 170 170
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, length: :zeek:type:`count`, data: :zeek:type:`string`)
Generated when parsing an HTTP body entity, passing on the data. This event
can potentially be raised many times for each entity, each time passing a
chunk of the data of not further defined size.
A common idiom for using this event is to first *reassemble* the data
at the scripting layer by concatenating it to a successively growing
string; and only perform further content analysis once the corresponding
:zeek:id:`http_end_entity` event has been raised. Note, however, that doing so
can be quite expensive for HTTP tranders. At the very least, one should
impose an upper size limit on how much data is being buffered.
See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__
for more information about the HTTP protocol.
:param c: The connection.
:param is_orig: True if the entity was sent by the originator of the TCP
connection.
:param length: The length of *data*.
:param data: One chunk of raw entity data.
.. zeek:see:: http_all_headers http_begin_entity http_content_type http_end_entity
http_event http_header http_message_done http_reply http_request http_stats
mime_entity_data http_entity_data_delivery_size skip_http_data
http_connection_upgrade
.. zeek:id:: http_event
:source-code: base/bif/plugins/Zeek_HTTP.events.bif.zeek 238 238
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, event_type: :zeek:type:`string`, detail: :zeek:type:`string`)
Generated for errors found when decoding HTTP requests or replies.
See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__
for more information about the HTTP protocol.
:param c: The connection.
:param event_type: A string describing the general category of the problem found
(e.g., ``illegal format``).
:param detail: Further more detailed description of the error.
.. zeek:see:: http_all_headers http_begin_entity http_content_type http_end_entity
http_entity_data http_header http_message_done http_reply http_request
http_stats mime_event http_connection_upgrade
.. zeek:id:: http_header
:source-code: base/bif/plugins/Zeek_HTTP.events.bif.zeek 74 74
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, original_name: :zeek:type:`string`, name: :zeek:type:`string`, value: :zeek:type:`string`)
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, name: :zeek:type:`string`, value: :zeek:type:`string`)
Generated for HTTP headers. Zeek supports persistent and pipelined HTTP
sessions and raises corresponding events as it parses client/server
dialogues.
See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__
for more information about the HTTP protocol.
:param c: The connection.
:param is_orig: True if the header was sent by the originator of the TCP connection.
:param original_name: The name of the header (unaltered).
:param name: The name of the header (converted to all uppercase).
:param value: The value of the header.
.. zeek:see:: http_all_headers http_begin_entity http_content_type http_end_entity
http_entity_data http_event http_message_done http_reply http_request
http_stats http_connection_upgrade
.. note:: This event is also raised for headers found in nested body
entities.
.. zeek:id:: http_message_done
:source-code: base/bif/plugins/Zeek_HTTP.events.bif.zeek 220 220
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, stat: :zeek:type:`http_message_stat`)
Generated once at the end of parsing an HTTP message. Zeek supports persistent
and pipelined HTTP sessions and raises corresponding events as it parses
client/server dialogues. A "message" is one top-level HTTP entity, such as a
complete request or reply. Each message can have further nested sub-entities
inside. This event is raised once all sub-entities belonging to a top-level
message have been processed (and their corresponding ``http_entity_*`` events
generated).
See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__
for more information about the HTTP protocol.
:param c: The connection.
:param is_orig: True if the entity was sent by the originator of the TCP
connection.
:param stat: Further meta information about the message.
.. zeek:see:: http_all_headers http_begin_entity http_content_type http_end_entity
http_entity_data http_event http_header http_reply http_request http_stats
http_connection_upgrade
.. zeek:id:: http_reply
:source-code: base/protocols/http/main.zeek 274 313
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, version: :zeek:type:`string`, code: :zeek:type:`count`, reason: :zeek:type:`string`)
Generated for HTTP replies. Zeek supports persistent and pipelined HTTP
sessions and raises corresponding events as it parses client/server
dialogues. This event is generated as soon as a reply's initial line has
been parsed, and before any :zeek:id:`http_header` events are raised.
See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__
for more information about the HTTP protocol.
:param c: The connection.
:param version: The version number specified in the reply (e.g., ``1.1``).
:param code: The numerical response code returned by the server.
:param reason: The textual description returned by the server along with *code*.
.. zeek:see:: http_all_headers http_begin_entity http_content_type http_end_entity
http_entity_data http_event http_header http_message_done http_request
http_stats http_connection_upgrade
.. zeek:id:: http_request
:source-code: base/bif/plugins/Zeek_HTTP.events.bif.zeek 26 26
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, method: :zeek:type:`string`, original_URI: :zeek:type:`string`, unescaped_URI: :zeek:type:`string`, version: :zeek:type:`string`)
Generated for HTTP requests. Zeek supports persistent and pipelined HTTP
sessions and raises corresponding events as it parses client/server
dialogues. This event is generated as soon as a request's initial line has
been parsed, and before any :zeek:id:`http_header` events are raised.
See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__
for more information about the HTTP protocol.
:param c: The connection.
:param method: The HTTP method extracted from the request (e.g., ``GET``, ``POST``).
:param original_URI: The unprocessed URI as specified in the request.
:param unescaped_URI: The URI with all percent-encodings decoded.
:param version: The version number specified in the request (e.g., ``1.1``).
.. zeek:see:: http_all_headers http_begin_entity http_content_type http_end_entity
http_entity_data http_event http_header http_message_done http_reply http_stats
truncate_http_URI http_connection_upgrade
.. zeek:id:: http_stats
:source-code: base/bif/plugins/Zeek_HTTP.events.bif.zeek 253 253
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, stats: :zeek:type:`http_stats_rec`)
Generated at the end of an HTTP session to report statistics about it. This
event is raised after all of an HTTP session's requests and replies have been
fully processed.
:param c: The connection.
:param stats: Statistics summarizing HTTP-level properties of the finished
connection.
.. zeek:see:: http_all_headers http_begin_entity http_content_type http_end_entity
http_entity_data http_event http_header http_message_done http_reply
http_request http_connection_upgrade
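Review bot: `http_header` lists two `:Type:` signatures back to back, one with `original_name` and one without, but the text never says which is current or that the shorter form is a legacy alternative; since `:param original_name:` is documented, keep the five-argument signature and either drop the second `:Type:` line or label the other form explicitly. Two smaller points in the same hunk: in `http_entity_data` "quite expensive for HTTP tranders" should read "HTTP transfers", and the `.. zeek:see::` list of `http_connection_upgrade` omits `http_stats`, which every other event in this file cross-references ("a HTTP session" / "a HTTP 101 reply" there should also be "an HTTP").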

View file

@ -0,0 +1,60 @@
:tocdepth: 3
base/bif/plugins/Zeek_HTTP.functions.bif.zeek
=============================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Functions
#########
======================================================= ===============================================================
:zeek:id:`skip_http_entity_data`: :zeek:type:`function` Skips the data of the HTTP entity.
:zeek:id:`unescape_URI`: :zeek:type:`function` Unescapes all characters in a URI (decode every ``%xx`` group).
======================================================= ===============================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. zeek:id:: skip_http_entity_data
:source-code: base/bif/plugins/Zeek_HTTP.functions.bif.zeek 14 14
:Type: :zeek:type:`function` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`) : :zeek:type:`any`
Skips the data of the HTTP entity.
:param c: The HTTP connection.
:param is_orig: If true, the client data is skipped, and the server data otherwise.
.. zeek:see:: skip_smtp_data
.. zeek:id:: unescape_URI
:source-code: base/bif/plugins/Zeek_HTTP.functions.bif.zeek 30 30
:Type: :zeek:type:`function` (URI: :zeek:type:`string`) : :zeek:type:`string`
Unescapes all characters in a URI (decode every ``%xx`` group).
:param URI: The URI to unescape.
:returns: The unescaped URI with all ``%xx`` groups decoded.
.. note::
Unescaping reserved characters may cause loss of information.
:rfc:`2396`: A URI is always in an "escaped" form, since escaping or
unescaping a completed URI might change its semantics. Normally, the
only time escape encodings can safely be made is when the URI is
being created from its component parts.
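Review bot: `skip_http_entity_data` is declared with return type `any` but has no `:returns:` entry, so a script author cannot tell whether the return value carries meaning; either document it the way `unescape_URI` does with `:returns:` or state that the result is unused. The RFC 2396 caveat on `unescape_URI` is the right warning to keep, since decoding `%xx` groups in a reserved position changes the URI's meaning; it would help readers to mention that `http_request` already delivers both `original_URI` and `unescaped_URI`, so the function is mainly needed for strings that did not arrive through that event.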

View file

@ -0,0 +1,529 @@
:tocdepth: 3
base/bif/plugins/Zeek_ICMP.events.bif.zeek
==========================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
========================================================== =====================================================================
:zeek:id:`icmp_echo_reply`: :zeek:type:`event` Generated for ICMP *echo reply* messages.
:zeek:id:`icmp_echo_request`: :zeek:type:`event` Generated for ICMP *echo request* messages.
:zeek:id:`icmp_error_message`: :zeek:type:`event` Generated for all ICMPv6 error messages that are not handled
separately with dedicated events.
:zeek:id:`icmp_neighbor_advertisement`: :zeek:type:`event` Generated for ICMP *neighbor advertisement* messages.
:zeek:id:`icmp_neighbor_solicitation`: :zeek:type:`event` Generated for ICMP *neighbor solicitation* messages.
:zeek:id:`icmp_packet_too_big`: :zeek:type:`event` Generated for ICMPv6 *packet too big* messages.
:zeek:id:`icmp_parameter_problem`: :zeek:type:`event` Generated for ICMPv6 *parameter problem* messages.
:zeek:id:`icmp_redirect`: :zeek:type:`event` Generated for ICMP *redirect* messages.
:zeek:id:`icmp_router_advertisement`: :zeek:type:`event` Generated for ICMP *router advertisement* messages.
:zeek:id:`icmp_router_solicitation`: :zeek:type:`event` Generated for ICMP *router solicitation* messages.
:zeek:id:`icmp_sent`: :zeek:type:`event` Generated for all ICMP messages that are not handled separately with
dedicated ICMP events.
:zeek:id:`icmp_sent_payload`: :zeek:type:`event` The same as :zeek:see:`icmp_sent` except containing the ICMP payload.
:zeek:id:`icmp_time_exceeded`: :zeek:type:`event` Generated for ICMP *time exceeded* messages.
:zeek:id:`icmp_unreachable`: :zeek:type:`event` Generated for ICMP *destination unreachable* messages.
========================================================== =====================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: icmp_echo_reply
:source-code: base/bif/plugins/Zeek_ICMP.events.bif.zeek 88 88
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, info: :zeek:type:`icmp_info`, id: :zeek:type:`count`, seq: :zeek:type:`count`, payload: :zeek:type:`string`)
Generated for ICMP *echo reply* messages.
See `Wikipedia
<http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol>`__ for more
information about the ICMP protocol.
:param c: The connection record for the corresponding ICMP flow.
:param icmp: Additional ICMP-specific information augmenting the standard connection
record *c*.
:param info: Additional ICMP-specific information augmenting the standard
connection record *c*.
:param id: The *echo reply* identifier.
:param seq: The *echo reply* sequence number.
:param payload: The message-specific data of the packet payload, i.e., everything
after the first 8 bytes of the ICMP header.
.. zeek:see:: icmp_echo_request
.. zeek:id:: icmp_echo_request
:source-code: base/bif/plugins/Zeek_ICMP.events.bif.zeek 63 63
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, info: :zeek:type:`icmp_info`, id: :zeek:type:`count`, seq: :zeek:type:`count`, payload: :zeek:type:`string`)
Generated for ICMP *echo request* messages.
See `Wikipedia
<http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol>`__ for more
information about the ICMP protocol.
:param c: The connection record for the corresponding ICMP flow.
:param icmp: Additional ICMP-specific information augmenting the standard
connection record *c*.
:param info: Additional ICMP-specific information augmenting the standard
connection record *c*.
:param id: The *echo request* identifier.
:param seq: The *echo request* sequence number.
:param payload: The message-specific data of the packet payload, i.e., everything
after the first 8 bytes of the ICMP header.
.. zeek:see:: icmp_echo_reply
.. zeek:id:: icmp_error_message
:source-code: base/bif/plugins/Zeek_ICMP.events.bif.zeek 115 115
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, info: :zeek:type:`icmp_info`, code: :zeek:type:`count`, context: :zeek:type:`icmp_context`)
Generated for all ICMPv6 error messages that are not handled
separately with dedicated events. Zeek's ICMP analyzer handles a number
of ICMP error messages directly with dedicated events. This event acts
as a fallback for those it doesn't.
See `Wikipedia
<http://en.wikipedia.org/wiki/ICMPv6>`__ for more
information about the ICMPv6 protocol.
:param c: The connection record for the corresponding ICMP flow.
:param icmp: Additional ICMP-specific information augmenting the standard
connection record *c*.
:param info: Additional ICMP-specific information augmenting the standard
connection record *c*.
:param code: The ICMP code of the error message.
:param context: A record with specifics of the original packet that the message
refers to.
.. zeek:see:: icmp_unreachable icmp_packet_too_big
icmp_time_exceeded icmp_parameter_problem
.. zeek:id:: icmp_neighbor_advertisement
:source-code: base/bif/plugins/Zeek_ICMP.events.bif.zeek 343 343
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, info: :zeek:type:`icmp_info`, router: :zeek:type:`bool`, solicited: :zeek:type:`bool`, override: :zeek:type:`bool`, tgt: :zeek:type:`addr`, options: :zeek:type:`icmp6_nd_options`)
Generated for ICMP *neighbor advertisement* messages.
See `Wikipedia
<http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol>`__ for more
information about the ICMP protocol.
:param c: The connection record for the corresponding ICMP flow.
:param icmp: Additional ICMP-specific information augmenting the standard connection
record *c*.
:param info: Additional ICMP-specific information augmenting the standard connection
record *c*.
:param router: Flag indicating the sender is a router.
:param solicited: Flag indicating advertisement is in response to a solicitation.
:param override: Flag indicating advertisement should override existing caches.
:param tgt: the Target Address in the soliciting message or the address whose
link-layer address has changed for unsolicited adverts.
:param options: Any Neighbor Discovery options included with message (:rfc:`4861`).
.. zeek:see:: icmp_router_solicitation icmp_router_advertisement
icmp_neighbor_solicitation icmp_redirect
.. zeek:id:: icmp_neighbor_solicitation
:source-code: base/bif/plugins/Zeek_ICMP.events.bif.zeek 313 313
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, info: :zeek:type:`icmp_info`, tgt: :zeek:type:`addr`, options: :zeek:type:`icmp6_nd_options`)
Generated for ICMP *neighbor solicitation* messages.
See `Wikipedia
<http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol>`__ for more
information about the ICMP protocol.
:param c: The connection record for the corresponding ICMP flow.
:param icmp: Additional ICMP-specific information augmenting the standard connection
record *c*.
:param info: Additional ICMP-specific information augmenting the standard connection
record *c*.
:param tgt: The IP address of the target of the solicitation.
:param options: Any Neighbor Discovery options included with message (:rfc:`4861`).
.. zeek:see:: icmp_router_solicitation icmp_router_advertisement
icmp_neighbor_advertisement icmp_redirect
.. zeek:id:: icmp_packet_too_big
:source-code: base/bif/plugins/Zeek_ICMP.events.bif.zeek 171 171
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, info: :zeek:type:`icmp_info`, code: :zeek:type:`count`, context: :zeek:type:`icmp_context`)
Generated for ICMPv6 *packet too big* messages.
See `Wikipedia
<http://en.wikipedia.org/wiki/ICMPv6>`__ for more
information about the ICMPv6 protocol.
:param c: The connection record for the corresponding ICMP flow.
:param icmp: Additional ICMP-specific information augmenting the standard connection
record *c*.
:param info: Additional ICMP-specific information augmenting the standard connection
record *c*.
:param code: The ICMP code of the *too big* message.
:param context: A record with specifics of the original packet that the message
refers to. *Too big* messages should include the original IP header
from the packet that triggered them, and Zeek parses that into
the *context* structure. Note that if the *too big* includes only
a partial IP header for some reason, no fields of *context* will
be filled out.
.. zeek:see:: icmp_error_message icmp_unreachable
icmp_time_exceeded icmp_parameter_problem
.. zeek:id:: icmp_parameter_problem
:source-code: base/bif/plugins/Zeek_ICMP.events.bif.zeek 227 227
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, info: :zeek:type:`icmp_info`, code: :zeek:type:`count`, context: :zeek:type:`icmp_context`)
Generated for ICMPv6 *parameter problem* messages.
See `Wikipedia
<http://en.wikipedia.org/wiki/ICMPv6>`__ for more
information about the ICMPv6 protocol.
:param c: The connection record for the corresponding ICMP flow.
:param icmp: Additional ICMP-specific information augmenting the standard connection
record *c*.
:param info: Additional ICMP-specific information augmenting the standard connection
record *c*.
:param code: The ICMP code of the *parameter problem* message.
:param context: A record with specifics of the original packet that the message
refers to. *Parameter problem* messages should include the original
IP header from the packet that triggered them, and Zeek parses that
into the *context* structure. Note that if the *parameter problem*
includes only a partial IP header for some reason, no fields
of *context* will be filled out.
.. zeek:see:: icmp_error_message icmp_unreachable icmp_packet_too_big
icmp_time_exceeded
.. zeek:id:: icmp_redirect
:source-code: base/bif/plugins/Zeek_ICMP.events.bif.zeek 369 369
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, info: :zeek:type:`icmp_info`, tgt: :zeek:type:`addr`, dest: :zeek:type:`addr`, options: :zeek:type:`icmp6_nd_options`)
Generated for ICMP *redirect* messages.
See `Wikipedia
<http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol>`__ for more
information about the ICMP protocol.
:param c: The connection record for the corresponding ICMP flow.
:param icmp: Additional ICMP-specific information augmenting the standard connection
record *c*.
:param info: Additional ICMP-specific information augmenting the standard connection
record *c*.
:param tgt: The address that is supposed to be a better first hop to use for
ICMP Destination Address.
:param dest: The address of the destination which is redirected to the target.
:param options: Any Neighbor Discovery options included with message (:rfc:`4861`).
.. zeek:see:: icmp_router_solicitation icmp_router_advertisement
icmp_neighbor_solicitation icmp_neighbor_advertisement
.. zeek:id:: icmp_router_advertisement
:source-code: base/bif/plugins/Zeek_ICMP.events.bif.zeek 290 290
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, info: :zeek:type:`icmp_info`, cur_hop_limit: :zeek:type:`count`, managed: :zeek:type:`bool`, other: :zeek:type:`bool`, home_agent: :zeek:type:`bool`, pref: :zeek:type:`count`, proxy: :zeek:type:`bool`, rsv: :zeek:type:`count`, router_lifetime: :zeek:type:`interval`, reachable_time: :zeek:type:`interval`, retrans_timer: :zeek:type:`interval`, options: :zeek:type:`icmp6_nd_options`)
Generated for ICMP *router advertisement* messages.
See `Wikipedia
<http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol>`__ for more
information about the ICMP protocol.
:param c: The connection record for the corresponding ICMP flow.
:param icmp: Additional ICMP-specific information augmenting the standard connection
record *c*.
:param info: Additional ICMP-specific information augmenting the standard connection
record *c*.
:param cur_hop_limit: The default value that should be placed in Hop Count field
for outgoing IP packets.
:param managed: Managed address configuration flag, :rfc:`4861`.
:param other: Other stateful configuration flag, :rfc:`4861`.
:param home_agent: Mobile IPv6 home agent flag, :rfc:`3775`.
:param pref: Router selection preferences, :rfc:`4191`.
:param proxy: Neighbor discovery proxy flag, :rfc:`4389`.
:param rsv: Remaining two reserved bits of router advertisement flags.
:param router_lifetime: How long this router should be used as a default router.
:param reachable_time: How long a neighbor should be considered reachable.
:param retrans_timer: How long a host should wait before retransmitting.
:param options: Any Neighbor Discovery options included with message (:rfc:`4861`).
.. zeek:see:: icmp_router_solicitation
icmp_neighbor_solicitation icmp_neighbor_advertisement icmp_redirect
.. zeek:id:: icmp_router_solicitation
:source-code: base/bif/plugins/Zeek_ICMP.events.bif.zeek 248 248
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, info: :zeek:type:`icmp_info`, options: :zeek:type:`icmp6_nd_options`)
Generated for ICMP *router solicitation* messages.
See `Wikipedia
<http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol>`__ for more
information about the ICMP protocol.
:param c: The connection record for the corresponding ICMP flow.
:param icmp: Additional ICMP-specific information augmenting the standard connection
record *c*.
:param info: Additional ICMP-specific information augmenting the standard connection
record *c*.
:param options: Any Neighbor Discovery options included with message (:rfc:`4861`).
.. zeek:see:: icmp_router_advertisement
icmp_neighbor_solicitation icmp_neighbor_advertisement icmp_redirect
.. zeek:id:: icmp_sent
:source-code: base/bif/plugins/Zeek_ICMP.events.bif.zeek 22 22
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, info: :zeek:type:`icmp_info`)
Generated for all ICMP messages that are not handled separately with
dedicated ICMP events. Zeek's ICMP analyzer handles a number of ICMP messages
directly with dedicated events. This event acts as a fallback for those it
doesn't.
See `Wikipedia
<http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol>`__ for more
information about the ICMP protocol.
:param c: The connection record for the corresponding ICMP flow.
:param icmp: Additional ICMP-specific information augmenting the standard
connection record *c*.
:param info: Additional ICMP-specific information augmenting the standard
connection record *c*.
.. zeek:see:: icmp_error_message icmp_sent_payload
.. zeek:id:: icmp_sent_payload
:source-code: base/bif/plugins/Zeek_ICMP.events.bif.zeek 38 38
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, info: :zeek:type:`icmp_info`, payload: :zeek:type:`string`)
The same as :zeek:see:`icmp_sent` except containing the ICMP payload.
:param c: The connection record for the corresponding ICMP flow.
:param icmp: Additional ICMP-specific information augmenting the standard
connection record *c*.
:param info: Additional ICMP-specific information augmenting the standard
connection record *c*.
:param payload: The payload of the ICMP message.
.. zeek:see:: icmp_error_message icmp_sent_payload
.. zeek:id:: icmp_time_exceeded
:source-code: policy/misc/detect-traceroute/main.zeek 100 103
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, info: :zeek:type:`icmp_info`, code: :zeek:type:`count`, context: :zeek:type:`icmp_context`)
Generated for ICMP *time exceeded* messages.
See `Wikipedia
<http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol>`__ for more
information about the ICMP protocol.
:param c: The connection record for the corresponding ICMP flow.
:param icmp: Additional ICMP-specific information augmenting the standard connection
record *c*.
:param info: Additional ICMP-specific information augmenting the standard connection
record *c*.
:param code: The ICMP code of the *exceeded* message.
:param context: A record with specifics of the original packet that the message
refers to. *Unreachable* messages should include the original IP
header from the packet that triggered them, and Zeek parses that
into the *context* structure. Note that if the *exceeded* includes
only a partial IP header for some reason, no fields of *context*
will be filled out.
.. zeek:see:: icmp_error_message icmp_unreachable icmp_packet_too_big
icmp_parameter_problem
.. zeek:id:: icmp_unreachable
:source-code: base/bif/plugins/Zeek_ICMP.events.bif.zeek 143 143
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, info: :zeek:type:`icmp_info`, code: :zeek:type:`count`, context: :zeek:type:`icmp_context`)
Generated for ICMP *destination unreachable* messages.
See `Wikipedia
<http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol>`__ for more
information about the ICMP protocol.
:param c: The connection record for the corresponding ICMP flow.
:param info: Additional ICMP-specific information augmenting the standard connection
record *c*.
:param code: The ICMP code of the *unreachable* message.
:param context: A record with specifics of the original packet that the message
refers to. *Unreachable* messages should include the original IP
header from the packet that triggered them, and Zeek parses that
into the *context* structure. Note that if the *unreachable*
includes only a partial IP header for some reason, no
fields of *context* will be filled out.
.. zeek:see:: icmp_error_message icmp_packet_too_big
icmp_time_exceeded icmp_parameter_problem

:tocdepth: 3
base/bif/plugins/Zeek_IMAP.events.bif.zeek
==========================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
================================================ ==================================================================
:zeek:id:`imap_capabilities`: :zeek:type:`event` Generated when a server sends a capability list to the client,
after being queried using the CAPABILITY command.
:zeek:id:`imap_starttls`: :zeek:type:`event`     Generated when an IMAP connection goes encrypted after a successful
                                                 StartTLS exchange between the client and the server.
================================================ ==================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: imap_capabilities
:source-code: base/bif/plugins/Zeek_IMAP.events.bif.zeek 10 10
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, capabilities: :zeek:type:`string_vec`)
Generated when a server sends a capability list to the client,
after being queried using the CAPABILITY command.
:param c: The connection.
:param capabilities: The list of IMAP capabilities as sent by the server.
.. zeek:id:: imap_starttls
:source-code: base/bif/plugins/Zeek_IMAP.events.bif.zeek 17 17
:Type: :zeek:type:`event` (c: :zeek:type:`connection`)
Generated when an IMAP connection goes encrypted after a successful
StartTLS exchange between the client and the server.
:param c: The connection.

:tocdepth: 3
base/bif/plugins/Zeek_Ident.events.bif.zeek
===========================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
============================================ ==================================
:zeek:id:`ident_error`: :zeek:type:`event` Generated for Ident error replies.
:zeek:id:`ident_reply`: :zeek:type:`event` Generated for Ident replies.
:zeek:id:`ident_request`: :zeek:type:`event` Generated for Ident requests.
============================================ ==================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: ident_error
:source-code: base/bif/plugins/Zeek_Ident.events.bif.zeek 67 67
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, lport: :zeek:type:`port`, rport: :zeek:type:`port`, line: :zeek:type:`string`)
Generated for Ident error replies.
See `Wikipedia <http://en.wikipedia.org/wiki/ident_protocol>`__ for more
information about the Ident protocol.
:param c: The connection.
:param lport: The corresponding request's local port.
:param rport: The corresponding request's remote port.
:param line: The error description returned by the reply.
.. zeek:see:: ident_reply ident_request
.. todo:: Zeek's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported. To still enable this event, one needs to
register a port for it or add a DPD payload signature.
.. zeek:id:: ident_reply
:source-code: base/bif/plugins/Zeek_Ident.events.bif.zeek 45 45
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, lport: :zeek:type:`port`, rport: :zeek:type:`port`, user_id: :zeek:type:`string`, system: :zeek:type:`string`)
Generated for Ident replies.
See `Wikipedia <http://en.wikipedia.org/wiki/ident_protocol>`__ for more
information about the Ident protocol.
:param c: The connection.
:param lport: The corresponding request's local port.
:param rport: The corresponding request's remote port.
:param user_id: The user id returned by the reply.
:param system: The operating system returned by the reply.
.. zeek:see:: ident_error ident_request
.. todo:: Zeek's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported. To still enable this event, one needs to
register a port for it or add a DPD payload signature.
.. zeek:id:: ident_request
:source-code: base/bif/plugins/Zeek_Ident.events.bif.zeek 21 21
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, lport: :zeek:type:`port`, rport: :zeek:type:`port`)
Generated for Ident requests.
See `Wikipedia <http://en.wikipedia.org/wiki/ident_protocol>`__ for more
information about the Ident protocol.
:param c: The connection.
:param lport: The request's local port.
:param rport: The request's remote port.
.. zeek:see:: ident_error ident_reply
.. todo:: Zeek's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported. To still enable this event, one needs to
register a port for it or add a DPD payload signature.

:tocdepth: 3
base/bif/plugins/Zeek_JavaScript.zeekjs.bif.zeek
================================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

:tocdepth: 3
base/bif/plugins/Zeek_KRB.events.bif.zeek
=========================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
=============================================== ==================================================================
:zeek:id:`krb_ap_request`: :zeek:type:`event` A Kerberos 5 ``Authentication Header (AP) Request`` as defined
in :rfc:`4120`.
:zeek:id:`krb_ap_response`: :zeek:type:`event` A Kerberos 5 ``Authentication Header (AP) Response`` as defined
in :rfc:`4120`.
:zeek:id:`krb_as_request`: :zeek:type:`event` A Kerberos 5 ``Authentication Server (AS) Request`` as defined
in :rfc:`4120`.
:zeek:id:`krb_as_response`: :zeek:type:`event` A Kerberos 5 ``Authentication Server (AS) Response`` as defined
in :rfc:`4120`.
:zeek:id:`krb_cred`: :zeek:type:`event` A Kerberos 5 ``Credential Message`` as defined in :rfc:`4120`.
:zeek:id:`krb_error`: :zeek:type:`event` A Kerberos 5 ``Error Message`` as defined in :rfc:`4120`.
:zeek:id:`krb_priv`: :zeek:type:`event` A Kerberos 5 ``Private Message`` as defined in :rfc:`4120`.
:zeek:id:`krb_safe`: :zeek:type:`event` A Kerberos 5 ``Safe Message`` as defined in :rfc:`4120`.
:zeek:id:`krb_tgs_request`: :zeek:type:`event` A Kerberos 5 ``Ticket Granting Service (TGS) Request`` as defined
in :rfc:`4120`.
:zeek:id:`krb_tgs_response`: :zeek:type:`event` A Kerberos 5 ``Ticket Granting Service (TGS) Response`` as defined
in :rfc:`4120`.
=============================================== ==================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: krb_ap_request
:source-code: base/bif/plugins/Zeek_KRB.events.bif.zeek 90 90
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, ticket: :zeek:type:`KRB::Ticket`, opts: :zeek:type:`KRB::AP_Options`)
A Kerberos 5 ``Authentication Header (AP) Request`` as defined
in :rfc:`4120`. This message contains authentication information
that should be part of the first message in an authenticated
transaction.
See `Wikipedia <http://en.wikipedia.org/wiki/Kerberos_%28protocol%29>`__ for
more information about the Kerberos protocol.
:param c: The connection over which this Kerberos message was sent.
:param ticket: The Kerberos ticket being used for authentication.
:param opts: A Kerberos AP options data structure.
.. zeek:see:: krb_as_request krb_as_response krb_tgs_request krb_tgs_response
krb_ap_response krb_priv krb_safe krb_cred krb_error
.. zeek:id:: krb_ap_response
:source-code: base/bif/plugins/Zeek_KRB.events.bif.zeek 106 106
:Type: :zeek:type:`event` (c: :zeek:type:`connection`)
A Kerberos 5 ``Authentication Header (AP) Response`` as defined
in :rfc:`4120`. This is used if mutual authentication is desired.
All of the interesting information in here is encrypted, so the event
doesn't have much useful data, but it's provided in case it's important
to know that this message was sent.
See `Wikipedia <http://en.wikipedia.org/wiki/Kerberos_%28protocol%29>`__ for
more information about the Kerberos protocol.
:param c: The connection over which this Kerberos message was sent.
.. zeek:see:: krb_as_request krb_as_response krb_tgs_request krb_tgs_response
krb_ap_request krb_priv krb_safe krb_cred krb_error
.. zeek:id:: krb_as_request
:source-code: base/protocols/krb/main.zeek 145 168
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`KRB::KDC_Request`)
A Kerberos 5 ``Authentication Server (AS) Request`` as defined
in :rfc:`4120`. The AS request contains a username of the client
requesting authentication, and returns an AS reply with an
encrypted Ticket Granting Ticket (TGT) for that user. The TGT
can then be used to request further tickets for other services.
See `Wikipedia <http://en.wikipedia.org/wiki/Kerberos_%28protocol%29>`__ for
more information about the Kerberos protocol.
:param c: The connection over which this Kerberos message was sent.
:param msg: A Kerberos KDC request message data structure.
.. zeek:see:: krb_as_response krb_tgs_request krb_tgs_response krb_ap_request
krb_ap_response krb_priv krb_safe krb_cred krb_error
.. zeek:id:: krb_as_response
:source-code: base/bif/plugins/Zeek_KRB.events.bif.zeek 36 36
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`KRB::KDC_Response`)
A Kerberos 5 ``Authentication Server (AS) Response`` as defined
in :rfc:`4120`. Following the AS request for a user, an AS reply
contains an encrypted Ticket Granting Ticket (TGT) for that user.
The TGT can then be used to request further tickets for other services.
See `Wikipedia <http://en.wikipedia.org/wiki/Kerberos_%28protocol%29>`__ for
more information about the Kerberos protocol.
:param c: The connection over which this Kerberos message was sent.
:param msg: A Kerberos KDC reply message data structure.
.. zeek:see:: krb_as_request krb_tgs_request krb_tgs_response krb_ap_request
krb_ap_response krb_priv krb_safe krb_cred krb_error
.. zeek:id:: krb_cred
:source-code: base/bif/plugins/Zeek_KRB.events.bif.zeek 157 157
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, tickets: :zeek:type:`KRB::Ticket_Vector`)
A Kerberos 5 ``Credential Message`` as defined in :rfc:`4120`. This is
a private (encrypted) message to forward credentials.
See `Wikipedia <http://en.wikipedia.org/wiki/Kerberos_%28protocol%29>`__ for
more information about the Kerberos protocol.
:param c: The connection over which this Kerberos message was sent.
:param is_orig: Whether the originator of the connection sent this message.
:param tickets: Tickets obtained from the KDC that are being forwarded.
.. zeek:see:: krb_as_request krb_as_response krb_tgs_request krb_tgs_response
krb_ap_request krb_ap_response krb_priv krb_safe krb_error
.. zeek:id:: krb_error
:source-code: base/bif/plugins/Zeek_KRB.events.bif.zeek 171 171
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`KRB::Error_Msg`)
A Kerberos 5 ``Error Message`` as defined in :rfc:`4120`.
See `Wikipedia <http://en.wikipedia.org/wiki/Kerberos_%28protocol%29>`__ for
more information about the Kerberos protocol.
:param c: The connection over which this Kerberos message was sent.
:param msg: A Kerberos error message data structure.
.. zeek:see:: krb_as_request krb_as_response krb_tgs_request krb_tgs_response
krb_ap_request krb_ap_response krb_priv krb_safe krb_cred
.. zeek:id:: krb_priv
:source-code: base/bif/plugins/Zeek_KRB.events.bif.zeek 123 123
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`)
A Kerberos 5 ``Private Message`` as defined in :rfc:`4120`. This
is a private (encrypted) application message, so the event doesn't
have much useful data, but it's provided in case it's important to
know that this message was sent.
See `Wikipedia <http://en.wikipedia.org/wiki/Kerberos_%28protocol%29>`__ for
more information about the Kerberos protocol.
:param c: The connection over which this Kerberos message was sent.
:param is_orig: Whether the originator of the connection sent this message.
.. zeek:see:: krb_as_request krb_as_response krb_tgs_request krb_tgs_response
krb_ap_request krb_ap_response krb_safe krb_cred krb_error
.. zeek:id:: krb_safe
:source-code: base/bif/plugins/Zeek_KRB.events.bif.zeek 140 140
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, msg: :zeek:type:`KRB::SAFE_Msg`)
A Kerberos 5 ``Safe Message`` as defined in :rfc:`4120`. This is a
safe (checksummed) application message.
See `Wikipedia <http://en.wikipedia.org/wiki/Kerberos_%28protocol%29>`__ for
more information about the Kerberos protocol.
:param c: The connection over which this Kerberos message was sent.
:param is_orig: Whether the originator of the connection sent this message.
:param msg: A Kerberos SAFE message data structure.
.. zeek:see:: krb_as_request krb_as_response krb_tgs_request krb_tgs_response
krb_ap_request krb_ap_response krb_priv krb_cred krb_error
.. zeek:id:: krb_tgs_request
:source-code: base/protocols/krb/main.zeek 196 214
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`KRB::KDC_Request`)
A Kerberos 5 ``Ticket Granting Service (TGS) Request`` as defined
in :rfc:`4120`. Following the Authentication Server exchange, if
successful, the client now has a Ticket Granting Ticket (TGT). To
authenticate to a Kerberized service, the client requests a Service
Ticket, which will be returned in the TGS reply.
See `Wikipedia <http://en.wikipedia.org/wiki/Kerberos_%28protocol%29>`__ for
more information about the Kerberos protocol.
:param c: The connection over which this Kerberos message was sent.
:param msg: A Kerberos KDC request message data structure.
.. zeek:see:: krb_as_request krb_as_response krb_tgs_response krb_ap_request
krb_ap_response krb_priv krb_safe krb_cred krb_error
.. zeek:id:: krb_tgs_response
:source-code: base/bif/plugins/Zeek_KRB.events.bif.zeek 71 71
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`KRB::KDC_Response`)
A Kerberos 5 ``Ticket Granting Service (TGS) Response`` as defined
in :rfc:`4120`. This message returns a Service Ticket to the client,
which is encrypted with the service's long-term key, and which the
client can use to authenticate to that service.
See `Wikipedia <http://en.wikipedia.org/wiki/Kerberos_%28protocol%29>`__ for
more information about the Kerberos protocol.
:param c: The connection over which this Kerberos message was sent.
:param msg: A Kerberos KDC reply message data structure.
.. zeek:see:: krb_as_request krb_as_response krb_tgs_request krb_ap_request
krb_ap_response krb_priv krb_safe krb_cred krb_error
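The AS request, TGS request and error events documented in this file, used together in a small defender-side script: it remembers which principal each AS request named and raises a notice when one client collects many KDC error replies within a short window. This is an added example, not one of Zeek's own scripts; it assumes the ``client_name`` field of ``KRB::KDC_Request`` and the ``error_code``/``client_name`` fields of ``KRB::Error_Msg`` as defined in Zeek's ``init-bare.zeek``, and the module name, thresholds and notice type are made up for the example.

```zeek
# Added example (not part of Zeek): attribute KDC error replies to the
# principal named in the preceding AS request and flag error bursts.
@load base/frameworks/notice
@load base/protocols/krb

module KRB_Watch;

export {
    redef enum Notice::Type += {
        ## One client accumulated many KDC error replies in a short window.
        KDC_Error_Burst,
    };

    ## Error replies to a single client before a notice is raised (example value).
    const error_threshold = 20 &redef;

    ## Window over which error replies are counted (example value).
    const error_window = 5min &redef;
}

## RFC 4120 section 7.5.9: pre-authentication failed, the usual "bad password" reply.
const KDC_ERR_PREAUTH_FAILED = 24;

## Per-client counters; the table forgets idle clients once the window passes.
type ClientState: record {
    errors: count &default=0;
    preauth_failures: count &default=0;
    principals: set[string] &default=string_set();
    notified: bool &default=F;
};

global clients: table[addr] of ClientState &create_expire=error_window;

## Principal named in the most recent AS request on each connection, keyed by
## Zeek's connection UID, so a later error reply can be attributed to it.
global requested_principal: table[string] of string &create_expire=error_window;

event krb_as_request(c: connection, msg: KRB::KDC_Request)
    {
    # Assumption: KRB::KDC_Request carries an optional client_name field.
    if ( msg?$client_name )
        requested_principal[c$uid] = msg$client_name;
    }

event krb_error(c: connection, msg: KRB::Error_Msg)
    {
    local orig = c$id$orig_h;

    if ( orig !in clients )
        clients[orig] = ClientState($errors=0);

    local st = clients[orig];
    ++st$errors;

    # Assumption: KRB::Error_Msg carries error_code (count) and optional client_name.
    if ( msg$error_code == KDC_ERR_PREAUTH_FAILED )
        ++st$preauth_failures;

    # Prefer the principal from the AS request on this connection; fall back to
    # the name the KDC echoed in the error message, if it included one.
    if ( c$uid in requested_principal )
        add st$principals[requested_principal[c$uid]];
    else if ( msg?$client_name )
        add st$principals[msg$client_name];

    if ( st$errors >= error_threshold && ! st$notified )
        {
        st$notified = T;
        NOTICE([$note=KDC_Error_Burst,
                $msg=fmt("%s: %d KDC error replies (%d pre-auth failures) across %d principals within %s",
                         orig, st$errors, st$preauth_failures, |st$principals|, error_window),
                $conn=c,
                $identifier=cat(orig)]);
        }
    }
```

The notice is raised once per client per window; tune ``error_threshold`` and ``error_window`` to the KDC's normal failure rate before relying on it.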

:tocdepth: 3
base/bif/plugins/Zeek_KRB.types.bif.zeek
========================================
.. zeek:namespace:: GLOBAL
.. zeek:namespace:: KRB
:Namespaces: GLOBAL, KRB
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

:tocdepth: 3
base/bif/plugins/Zeek_Login.events.bif.zeek
===========================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
====================================================== =========================================================================
:zeek:id:`activating_encryption`: :zeek:type:`event` Generated for Telnet sessions when encryption is activated.
:zeek:id:`authentication_accepted`: :zeek:type:`event` Generated when a Telnet authentication has been successful.
:zeek:id:`authentication_rejected`: :zeek:type:`event` Generated when a Telnet authentication has been unsuccessful.
:zeek:id:`authentication_skipped`: :zeek:type:`event` Generated for Telnet/Rlogin sessions when a pattern match indicates
that no authentication is performed.
:zeek:id:`bad_option`: :zeek:type:`event` Generated for an ill-formed or unrecognized Telnet option.
:zeek:id:`bad_option_termination`: :zeek:type:`event` Generated for a Telnet option that's incorrectly terminated.
:zeek:id:`inconsistent_option`: :zeek:type:`event` Generated for an inconsistent Telnet option.
:zeek:id:`login_confused`: :zeek:type:`event` Generated when tracking of Telnet/Rlogin authentication failed.
:zeek:id:`login_confused_text`: :zeek:type:`event` Generated after getting confused while tracking a Telnet/Rlogin
authentication dialog.
:zeek:id:`login_display`: :zeek:type:`event` Generated for clients transmitting an X11 DISPLAY in a Telnet session.
:zeek:id:`login_failure`: :zeek:type:`event` Generated for Telnet/Rlogin login failures.
:zeek:id:`login_input_line`: :zeek:type:`event` Generated for lines of input on Telnet/Rlogin sessions.
:zeek:id:`login_output_line`: :zeek:type:`event` Generated for lines of output on Telnet/Rlogin sessions.
:zeek:id:`login_prompt`: :zeek:type:`event` Generated for clients transmitting a terminal prompt in a Telnet session.
:zeek:id:`login_success`: :zeek:type:`event` Generated for successful Telnet/Rlogin logins.
:zeek:id:`login_terminal`: :zeek:type:`event` Generated for clients transmitting a terminal type in a Telnet session.
:zeek:id:`rsh_reply`: :zeek:type:`event` Generated for client side commands on an RSH connection.
:zeek:id:`rsh_request`: :zeek:type:`event` Generated for client side commands on an RSH connection.
====================================================== =========================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: activating_encryption
:source-code: base/bif/plugins/Zeek_Login.events.bif.zeek 367 367
:Type: :zeek:type:`event` (c: :zeek:type:`connection`)
Generated for Telnet sessions when encryption is activated. The Telnet
protocol includes options for negotiating encryption. When such a series of
options is successfully negotiated, the event engine generates this event.
See `Wikipedia <http://en.wikipedia.org/wiki/Telnet>`__ for more information
about the Telnet protocol.
:param c: The connection.
.. zeek:see:: authentication_accepted authentication_rejected authentication_skipped
login_confused login_confused_text login_display login_failure login_input_line
login_output_line login_prompt login_success login_terminal
.. zeek:id:: authentication_accepted
:source-code: base/bif/plugins/Zeek_Login.events.bif.zeek 279 279
:Type: :zeek:type:`event` (name: :zeek:type:`string`, c: :zeek:type:`connection`)
Generated when a Telnet authentication has been successful. The Telnet
protocol includes options for negotiating authentication. When such an
option is sent from client to server and the server replies that it accepts
the authentication, then the event engine generates this event.
See `Wikipedia <http://en.wikipedia.org/wiki/Telnet>`__ for more information
about the Telnet protocol.
:param name: The authenticated name.
:param c: The connection.
.. zeek:see:: authentication_rejected authentication_skipped login_success
.. note:: This event inspects the corresponding Telnet option
while :zeek:id:`login_success` heuristically determines success by watching
session data.
.. todo:: Zeek's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported. To still enable this event, one needs to add a
call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
signature.
.. zeek:id:: authentication_rejected
:source-code: base/bif/plugins/Zeek_Login.events.bif.zeek 305 305
:Type: :zeek:type:`event` (name: :zeek:type:`string`, c: :zeek:type:`connection`)
Generated when a Telnet authentication has been unsuccessful. The Telnet
protocol includes options for negotiating authentication. When such an option
is sent from client to server and the server replies that it did not accept
the authentication, then the event engine generates this event.
See `Wikipedia <http://en.wikipedia.org/wiki/Telnet>`__ for more information
about the Telnet protocol.
:param name: The attempted authentication name.
:param c: The connection.
.. zeek:see:: authentication_accepted authentication_skipped login_failure
.. note:: This event inspects the corresponding Telnet option
while :zeek:id:`login_failure` heuristically determines failure by watching
session data.
.. todo:: Zeek's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported. To still enable this event, one needs to add a
call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
signature.
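The todo notes above say the analyzer behind these events is not active in Zeek's default configuration and point to ``Analyzer::register_for_ports``. Here is an added example (not one of Zeek's own scripts) that registers the analyzer for the standard Telnet port and records the outcome of the two option-based authentication events in a dedicated log. It assumes the analyzer tag ``Analyzer::ANALYZER_TELNET`` and the ``(Analyzer::Tag, set[port])`` signature of ``Analyzer::register_for_ports`` from ``base/frameworks/analyzer``; the module, log and stream names are invented.

```zeek
# Added example (not part of Zeek): enable the Telnet analyzer and log the
# results of option-based authentication so accepted and rejected names show
# up in their own log alongside conn.log.
@load base/frameworks/analyzer
@load base/frameworks/logging

module Telnet_Auth;

export {
    ## Log stream and path used by this example.
    redef enum Log::ID += { LOG };

    type Info: record {
        ts: time &log;
        uid: string &log;
        id: conn_id &log;
        ## Name carried in the Telnet AUTHENTICATION option.
        name: string &log;
        ## T when the server accepted the authentication, F when it rejected it.
        accepted: bool &log;
    };

    ## Ports on which the Telnet analyzer should be attached (example default).
    const ports = { 23/tcp } &redef;
}

event zeek_init()
    {
    Log::create_stream(LOG, [$columns=Info, $path="telnet_auth"]);
    # Assumption: Analyzer::ANALYZER_TELNET is the tag of the analyzer that
    # generates authentication_accepted / authentication_rejected.
    Analyzer::register_for_ports(Analyzer::ANALYZER_TELNET, ports);
    }

function record_outcome(name: string, c: connection, accepted: bool)
    {
    Log::write(LOG, [$ts=network_time(), $uid=c$uid, $id=c$id,
                     $name=name, $accepted=accepted]);
    }

event authentication_accepted(name: string, c: connection)
    {
    record_outcome(name, c, T);
    }

event authentication_rejected(name: string, c: connection)
    {
    record_outcome(name, c, F);
    }
```

A DPD payload signature is the alternative the notes mention for sessions on non-standard ports; port registration alone only covers the ports listed in ``ports``.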
.. zeek:id:: authentication_skipped
:source-code: base/bif/plugins/Zeek_Login.events.bif.zeek 330 330
:Type: :zeek:type:`event` (c: :zeek:type:`connection`)
Generated for Telnet/Rlogin sessions when a pattern match indicates
that no authentication is performed.
See `Wikipedia <http://en.wikipedia.org/wiki/Telnet>`__ for more information
about the Telnet protocol.
:param c: The connection.
.. zeek:see:: authentication_accepted authentication_rejected direct_login_prompts
get_login_state login_failure_msgs login_non_failure_msgs login_prompts
login_success_msgs login_timeouts set_login_state
.. note:: The login analyzer depends on a set of script-level variables that
need to be configured with patterns identifying activity. This
configuration has not yet been ported, and
the analyzer is therefore not directly usable at the moment.
.. todo:: Zeek's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported. To still enable this event, one needs to add a
call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
signature.
.. zeek:id:: bad_option
:source-code: base/bif/plugins/Zeek_Login.events.bif.zeek 407 407
:Type: :zeek:type:`event` (c: :zeek:type:`connection`)
Generated for an ill-formed or unrecognized Telnet option.
See `Wikipedia <http://en.wikipedia.org/wiki/Telnet>`__ for more information
about the Telnet protocol.
:param c: The connection.
.. zeek:see:: inconsistent_option bad_option_termination authentication_accepted
authentication_rejected authentication_skipped login_confused
login_confused_text login_display login_failure login_input_line
login_output_line login_prompt login_success login_terminal
.. todo:: Zeek's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported. To still enable this event, one needs to add a
call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
signature.
.. zeek:id:: bad_option_termination
:source-code: base/bif/plugins/Zeek_Login.events.bif.zeek 427 427
:Type: :zeek:type:`event` (c: :zeek:type:`connection`)
Generated for a Telnet option that's incorrectly terminated.
See `Wikipedia <http://en.wikipedia.org/wiki/Telnet>`__ for more information
about the Telnet protocol.
:param c: The connection.
.. zeek:see:: inconsistent_option bad_option authentication_accepted
authentication_rejected authentication_skipped login_confused
login_confused_text login_display login_failure login_input_line
login_output_line login_prompt login_success login_terminal
.. todo:: Zeek's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported. To still enable this event, one needs to add a
call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
signature.
.. zeek:id:: inconsistent_option
:source-code: base/bif/plugins/Zeek_Login.events.bif.zeek 387 387
:Type: :zeek:type:`event` (c: :zeek:type:`connection`)
Generated for an inconsistent Telnet option. Telnet options are specified
by the client and server stating which options they are willing to
support vs. which they are not, and then instructing one another which in
fact they should or should not use for the current connection. If the event
engine sees a peer violate either what the other peer has instructed it to
do, or what it itself offered in terms of options in the past, then the
engine generates this event.
See `Wikipedia <http://en.wikipedia.org/wiki/Telnet>`__ for more information
about the Telnet protocol.
:param c: The connection.
.. zeek:see:: bad_option bad_option_termination authentication_accepted
authentication_rejected authentication_skipped login_confused
login_confused_text login_display login_failure login_input_line
login_output_line login_prompt login_success login_terminal
.. zeek:id:: login_confused
:source-code: base/bif/plugins/Zeek_Login.events.bif.zeek 195 195
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`string`, line: :zeek:type:`string`)
Generated when tracking of Telnet/Rlogin authentication failed. As Zeek's
*login* analyzer uses a number of heuristics to extract authentication
information, it may become confused. If it can no longer correctly track
the authentication dialog, it raises this event.
:param c: The connection.
:param msg: Gives the particular problem the heuristics detected (for example,
``multiple_login_prompts`` means that the engine saw several login
prompts in a row, without the type-ahead from the client side presumed
necessary to cause them)
:param line: The line of text that caused the heuristics to conclude they were
confused.
.. zeek:see:: login_confused_text login_display login_failure login_input_line login_output_line
login_prompt login_success login_terminal direct_login_prompts get_login_state
login_failure_msgs login_non_failure_msgs login_prompts login_success_msgs
login_timeouts set_login_state
.. todo:: Zeek's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported. To still enable this event, one needs to add a
call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
signature.
.. zeek:id:: login_confused_text
:source-code: base/bif/plugins/Zeek_Login.events.bif.zeek 217 217
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, line: :zeek:type:`string`)
Generated after getting confused while tracking a Telnet/Rlogin
authentication dialog. The *login* analyzer generates this event for every
line of user input after it has reported :zeek:id:`login_confused` for a
connection.
:param c: The connection.
:param line: The line the user typed.
.. zeek:see:: login_confused login_display login_failure login_input_line
login_output_line login_prompt login_success login_terminal direct_login_prompts
get_login_state login_failure_msgs login_non_failure_msgs login_prompts
login_success_msgs login_timeouts set_login_state
.. todo:: Zeek's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported. To still enable this event, one needs to add a
call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
signature.
.. zeek:id:: login_display
:source-code: base/bif/plugins/Zeek_Login.events.bif.zeek 253 253
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, display: :zeek:type:`string`)
Generated for clients transmitting an X11 DISPLAY in a Telnet session. This
information is extracted out of environment variables sent as Telnet options.
:param c: The connection.
:param display: The DISPLAY transmitted.
.. zeek:see:: login_confused login_confused_text login_failure login_input_line
login_output_line login_prompt login_success login_terminal
.. todo:: Zeek's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported. To still enable this event, one needs to add a
call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
signature.
.. zeek:id:: login_failure
:source-code: base/bif/plugins/Zeek_Login.events.bif.zeek 95 95
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, user: :zeek:type:`string`, client_user: :zeek:type:`string`, password: :zeek:type:`string`, line: :zeek:type:`string`)
Generated for Telnet/Rlogin login failures. The *login* analyzer inspects
Telnet/Rlogin sessions to heuristically extract username and password
information as well as the text returned by the login server. This event is
raised if a login attempt appears to have been unsuccessful.
:param c: The connection.
:param user: The user name tried.
:param client_user: For Telnet connections, this is an empty string, but for Rlogin
connections, it is the client name passed in the initial authentication
information (to check against .rhosts).
:param password: The password tried.
:param line: The line of text that led the analyzer to conclude that the
authentication had failed.
.. zeek:see:: login_confused login_confused_text login_display login_input_line
login_output_line login_prompt login_success login_terminal direct_login_prompts
get_login_state login_failure_msgs login_non_failure_msgs login_prompts login_success_msgs
login_timeouts set_login_state
.. note:: The login analyzer depends on a set of script-level variables that
need to be configured with patterns identifying login attempts. This
configuration has not yet been ported, and
the analyzer is therefore not directly usable at the moment.
.. todo:: Zeek's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported. To still enable this event, one needs to add a
call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
signature.
.. zeek:id:: login_input_line
:source-code: base/bif/plugins/Zeek_Login.events.bif.zeek 149 149
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, line: :zeek:type:`string`)
Generated for lines of input on Telnet/Rlogin sessions. The line will have
control characters (such as in-band Telnet options) removed.
:param c: The connection.
:param line: The input line.
.. zeek:see:: login_confused login_confused_text login_display login_failure
login_output_line login_prompt login_success login_terminal rsh_request
.. todo:: Zeek's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported. To still enable this event, one needs to add a
call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
signature.
.. zeek:id:: login_output_line
:source-code: base/bif/plugins/Zeek_Login.events.bif.zeek 167 167
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, line: :zeek:type:`string`)
Generated for lines of output on Telnet/Rlogin sessions. The line will have
control characters (such as in-band Telnet options) removed.
:param c: The connection.
:param line: The output line.
.. zeek:see:: login_confused login_confused_text login_display login_failure
login_input_line login_prompt login_success login_terminal rsh_reply
.. todo:: Zeek's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported. To still enable this event, one needs to add a
call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
signature.
.. zeek:id:: login_prompt
:source-code: base/bif/plugins/Zeek_Login.events.bif.zeek 352 352
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, prompt: :zeek:type:`string`)
Generated for clients transmitting a terminal prompt in a Telnet session.
This information is extracted out of environment variables sent as Telnet
options.
See `Wikipedia <http://en.wikipedia.org/wiki/Telnet>`__ for more information
about the Telnet protocol.
:param c: The connection.
:param prompt: The TTYPROMPT transmitted.
.. zeek:see:: login_confused login_confused_text login_display login_failure
login_input_line login_output_line login_success login_terminal
.. todo:: Zeek's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported. To still enable this event, one needs to add a
call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
signature.
.. zeek:id:: login_success
:source-code: base/bif/plugins/Zeek_Login.events.bif.zeek 131 131
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, user: :zeek:type:`string`, client_user: :zeek:type:`string`, password: :zeek:type:`string`, line: :zeek:type:`string`)
Generated for successful Telnet/Rlogin logins. The *login* analyzer inspects
Telnet/Rlogin sessions to heuristically extract username and password
information as well as the text returned by the login server. This event is
raised if a login attempt appears to have been successful.
:param c: The connection.
:param user: The user name used.
:param client_user: For Telnet connections, this is an empty string, but for Rlogin
connections, it is the client name passed in the initial authentication
information (to check against .rhosts).
:param password: The password used.
:param line: The line of text that led the analyzer to conclude that the
authentication had succeeded.
.. zeek:see:: login_confused login_confused_text login_display login_failure
login_input_line login_output_line login_prompt login_terminal
direct_login_prompts get_login_state login_failure_msgs login_non_failure_msgs
login_prompts login_success_msgs login_timeouts set_login_state
.. note:: The login analyzer depends on a set of script-level variables that
need to be configured with patterns identifying login attempts. This
configuration has not yet been ported, and
the analyzer is therefore not directly usable at the moment.
.. todo:: Zeek's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported. To still enable this event, one needs to add a
call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
signature.
.. zeek:id:: login_terminal
:source-code: base/bif/plugins/Zeek_Login.events.bif.zeek 235 235
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, terminal: :zeek:type:`string`)
Generated for clients transmitting a terminal type in a Telnet session. This
information is extracted out of environment variables sent as Telnet options.
:param c: The connection.
:param terminal: The TERM value transmitted.
.. zeek:see:: login_confused login_confused_text login_display login_failure
login_input_line login_output_line login_prompt login_success
.. todo:: Zeek's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported. To still enable this event, one needs to add a
call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
signature.
.. zeek:id:: rsh_reply
:source-code: base/bif/plugins/Zeek_Login.events.bif.zeek 59 59
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, client_user: :zeek:type:`string`, server_user: :zeek:type:`string`, line: :zeek:type:`string`)
Generated for client side commands on an RSH connection.
See :rfc:`1258` for more information about the Rlogin/Rsh protocol.
:param c: The connection.
:param client_user: The client-side user name as sent in the initial protocol
handshake.
:param server_user: The server-side user name as sent in the initial protocol
handshake.
:param line: The command line sent in the request.
.. zeek:see:: rsh_request login_confused login_confused_text login_display
login_failure login_input_line login_output_line login_prompt login_success
login_terminal
.. note:: For historical reasons, these events are separate from the
``login_`` events. Ideally, they would all be handled uniquely.
.. todo:: Zeek's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported. To still enable this event, one needs to
register a port for it or add a DPD payload signature.
.. zeek:id:: rsh_request
:source-code: base/bif/plugins/Zeek_Login.events.bif.zeek 31 31
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, client_user: :zeek:type:`string`, server_user: :zeek:type:`string`, line: :zeek:type:`string`, new_session: :zeek:type:`bool`)
Generated for client side commands on an RSH connection.
See :rfc:`1258` for more information about the Rlogin/Rsh protocol.
:param c: The connection.
:param client_user: The client-side user name as sent in the initial protocol
handshake.
:param server_user: The server-side user name as sent in the initial protocol
handshake.
:param line: The command line sent in the request.
:param new_session: True if this is the first command of the Rsh session.
.. zeek:see:: rsh_reply login_confused login_confused_text login_display
login_failure login_input_line login_output_line login_prompt login_success
login_terminal
.. note:: For historical reasons, these events are separate from the
``login_`` events. Ideally, they would all be handled uniquely.
.. todo:: Zeek's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported. To still enable this event, one needs to
register a port for it or add a DPD payload signature.
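Review bot: the rsh_reply entry reuses the rsh_request text verbatim: its summary says "Generated for client side commands on an RSH connection" and its line parameter is "The command line sent in the request", yet this is the reply-side event (login_output_line cross-references rsh_reply, login_input_line cross-references rsh_request), so the summary and the line parameter should describe the server's reply rather than the client's command. Also, the todo blocks under rsh_reply and rsh_request say "register a port for it" while every login_* todo in this file links :zeek:see:`Analyzer::register_for_ports`; use the cross-reference form consistently.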


@ -0,0 +1,71 @@
:tocdepth: 3
base/bif/plugins/Zeek_Login.functions.bif.zeek
==============================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Functions
#########
================================================= ===================================================================
:zeek:id:`get_login_state`: :zeek:type:`function` Returns the state of the given login (Telnet or Rlogin) connection.
:zeek:id:`set_login_state`: :zeek:type:`function` Sets the login state of a connection with a login analyzer.
================================================= ===================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. zeek:id:: get_login_state
:source-code: base/bif/plugins/Zeek_Login.functions.bif.zeek 26 26
:Type: :zeek:type:`function` (cid: :zeek:type:`conn_id`) : :zeek:type:`count`
Returns the state of the given login (Telnet or Rlogin) connection.
:param cid: The connection ID.
:returns: False if the connection is not active or is not tagged as a
login analyzer. Otherwise the function returns the state, which can
be one of:
- ``LOGIN_STATE_AUTHENTICATE``: The connection is in its
initial authentication dialog.
- ``LOGIN_STATE_LOGGED_IN``: The analyzer believes the user has
successfully authenticated.
- ``LOGIN_STATE_SKIP``: The analyzer has skipped any further
processing of the connection.
- ``LOGIN_STATE_CONFUSED``: The analyzer has concluded that it
does not correctly know the state of the connection, and/or
the username associated with it.
.. zeek:see:: set_login_state
.. zeek:id:: set_login_state
:source-code: base/bif/plugins/Zeek_Login.functions.bif.zeek 40 40
:Type: :zeek:type:`function` (cid: :zeek:type:`conn_id`, new_state: :zeek:type:`count`) : :zeek:type:`bool`
Sets the login state of a connection with a login analyzer.
:param cid: The connection ID.
:param new_state: The new state of the login analyzer. See
:zeek:id:`get_login_state` for possible values.
:returns: Returns false if *cid* is not an active connection
or is not tagged as a login analyzer, and true otherwise.
.. zeek:see:: get_login_state
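Review bot: the :returns: text for get_login_state says it returns "False" when the connection is not active or is not tagged as a login analyzer, but the declared return type is count, not bool; state which count value signals that case and make clear it cannot collide with any of the LOGIN_STATE_* values listed. Minor wording: set_login_state has ":returns: Returns false ...", where the leading "Returns" is redundant with the field label.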


@ -0,0 +1,15 @@
:tocdepth: 3
base/bif/plugins/Zeek_MIME.consts.bif.zeek
==========================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~
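Review bot: this page renders only the "Summary" and "Detailed Interface" headings with no entries beneath them (the Zeek_MQTT.types.bif.zeek page below has the same shape); if these files declare nothing script-visible, either skip generating the page or add one sentence saying the file carries no script-level declarations, so readers do not mistake the empty sections for a broken build.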


@ -0,0 +1,289 @@
:tocdepth: 3
base/bif/plugins/Zeek_MIME.events.bif.zeek
==========================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
================================================ =============================================================================
:zeek:id:`mime_all_data`: :zeek:type:`event` Generated for passing on all data decoded from a single email MIME
message.
:zeek:id:`mime_all_headers`: :zeek:type:`event` Generated for MIME headers extracted from email MIME entities, passing all
headers at once.
:zeek:id:`mime_begin_entity`: :zeek:type:`event` Generated when starting to parse an email MIME entity.
:zeek:id:`mime_content_hash`: :zeek:type:`event` Generated for decoded MIME entities extracted from email messages, passing on
their MD5 checksums.
:zeek:id:`mime_end_entity`: :zeek:type:`event` Generated when finishing parsing an email MIME entity.
:zeek:id:`mime_entity_data`: :zeek:type:`event` Generated for data decoded from an email MIME entity.
:zeek:id:`mime_event`: :zeek:type:`event` Generated for errors found when decoding email MIME entities.
:zeek:id:`mime_one_header`: :zeek:type:`event` Generated for individual MIME headers extracted from email MIME
entities.
:zeek:id:`mime_segment_data`: :zeek:type:`event` Generated for chunks of decoded MIME data from email MIME entities.
================================================ =============================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: mime_all_data
:source-code: base/bif/plugins/Zeek_MIME.events.bif.zeek 164 164
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, length: :zeek:type:`count`, data: :zeek:type:`string`)
Generated for passing on all data decoded from a single email MIME
message. If an email message has more than one MIME entity, this event
combines all their data into a single value for analysis. Note that because
of the potentially significant buffering necessary, using this event can be
expensive.
Zeek's MIME analyzer for emails currently supports SMTP and POP3. See
`Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
about MIME.
:param c: The connection.
:param length: The length of *data*.
:param data: The raw data of all MIME entities concatenated.
.. zeek:see:: mime_all_headers mime_begin_entity mime_content_hash mime_end_entity
mime_entity_data mime_event mime_one_header mime_segment_data
.. note:: While Zeek also decodes MIME entities extracted from HTTP
sessions, there's no corresponding event for that currently.
.. zeek:id:: mime_all_headers
:source-code: base/bif/plugins/Zeek_MIME.events.bif.zeek 85 85
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hlist: :zeek:type:`mime_header_list`)
Generated for MIME headers extracted from email MIME entities, passing all
headers at once. MIME is a protocol-independent data format for encoding
text and files, along with corresponding metadata, for transmission.
Zeek's MIME analyzer for emails currently supports SMTP and POP3. See
`Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
about MIME.
:param c: The connection.
:param hlist: A *table* containing all headers extracted from the current entity.
The table is indexed by the position of the header (1 for the first,
2 for the second, etc.).
.. zeek:see:: mime_all_data mime_begin_entity mime_content_hash mime_end_entity
mime_entity_data mime_event mime_one_header mime_segment_data
http_header http_all_headers
.. note:: Zeek also extracts MIME headers from HTTP sessions. For those,
however, it raises :zeek:id:`http_header` instead.
.. zeek:id:: mime_begin_entity
:source-code: base/bif/plugins/Zeek_MIME.events.bif.zeek 21 21
:Type: :zeek:type:`event` (c: :zeek:type:`connection`)
Generated when starting to parse an email MIME entity. MIME is a
protocol-independent data format for encoding text and files, along with
corresponding metadata, for transmission. Zeek raises this event when it
begins parsing a MIME entity extracted from an email protocol.
Zeek's MIME analyzer for emails currently supports SMTP and POP3. See
`Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
about MIME.
:param c: The connection.
.. zeek:see:: mime_all_data mime_all_headers mime_content_hash mime_end_entity
mime_entity_data mime_event mime_one_header mime_segment_data smtp_data
http_begin_entity
.. note:: Zeek also extracts MIME entities from HTTP sessions. For those,
however, it raises :zeek:id:`http_begin_entity` instead.
.. zeek:id:: mime_content_hash
:source-code: base/bif/plugins/Zeek_MIME.events.bif.zeek 207 207
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, content_len: :zeek:type:`count`, hash_value: :zeek:type:`string`)
Generated for decoded MIME entities extracted from email messages, passing on
their MD5 checksums. Zeek computes the MD5 over the complete decoded data of
each MIME entity.
Zeek's MIME analyzer for emails currently supports SMTP and POP3. See
`Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
about MIME.
:param c: The connection.
:param content_len: The length of the entity being hashed.
:param hash_value: The MD5 hash.
.. zeek:see:: mime_all_data mime_all_headers mime_begin_entity mime_end_entity
mime_entity_data mime_event mime_one_header mime_segment_data
.. note:: While Zeek also decodes MIME entities extracted from HTTP
sessions, there's no corresponding event for that currently.
.. zeek:id:: mime_end_entity
:source-code: base/bif/plugins/Zeek_MIME.events.bif.zeek 41 41
:Type: :zeek:type:`event` (c: :zeek:type:`connection`)
Generated when finishing parsing an email MIME entity. MIME is a
protocol-independent data format for encoding text and files, along with
corresponding metadata, for transmission. Zeek raises this event when it
finished parsing a MIME entity extracted from an email protocol.
Zeek's MIME analyzer for emails currently supports SMTP and POP3. See
`Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
about MIME.
:param c: The connection.
.. zeek:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
mime_entity_data mime_event mime_one_header mime_segment_data smtp_data
http_end_entity
.. note:: Zeek also extracts MIME entities from HTTP sessions. For those,
however, it raises :zeek:id:`http_end_entity` instead.
.. zeek:id:: mime_entity_data
:source-code: base/bif/plugins/Zeek_MIME.events.bif.zeek 140 140
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, length: :zeek:type:`count`, data: :zeek:type:`string`)
Generated for data decoded from an email MIME entity. This event delivers
the complete content of a single MIME entity with the quoted-printable and
and base64 data decoded. In contrast, there is also :zeek:id:`mime_segment_data`,
which passes on a sequence of data chunks as they come in. While
``mime_entity_data`` is more convenient to handle, ``mime_segment_data`` is
more efficient as Zeek does not need to buffer the data. Thus, if possible,
the latter should be preferred.
Zeek's MIME analyzer for emails currently supports SMTP and POP3. See
`Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
about MIME.
:param c: The connection.
:param length: The length of *data*.
:param data: The raw data of the complete entity.
.. zeek:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
mime_end_entity mime_event mime_one_header mime_segment_data
.. note:: While Zeek also decodes MIME entities extracted from HTTP
sessions, there's no corresponding event for that currently.
.. zeek:id:: mime_event
:source-code: base/bif/plugins/Zeek_MIME.events.bif.zeek 185 185
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, event_type: :zeek:type:`string`, detail: :zeek:type:`string`)
Generated for errors found when decoding email MIME entities.
Zeek's MIME analyzer for emails currently supports SMTP and POP3. See
`Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
about MIME.
:param c: The connection.
:param event_type: A string describing the general category of the problem found
(e.g., ``illegal format``).
:param detail: Further more detailed description of the error.
.. zeek:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
mime_end_entity mime_entity_data mime_one_header mime_segment_data http_event
.. note:: Zeek also extracts MIME headers from HTTP sessions. For those,
however, it raises :zeek:id:`http_event` instead.
.. zeek:id:: mime_one_header
:source-code: base/bif/plugins/Zeek_MIME.events.bif.zeek 62 62
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, h: :zeek:type:`mime_header_rec`)
Generated for individual MIME headers extracted from email MIME
entities. MIME is a protocol-independent data format for encoding text and
files, along with corresponding metadata, for transmission.
Zeek's MIME analyzer for emails currently supports SMTP and POP3. See
`Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
about MIME.
:param c: The connection.
:param h: The parsed MIME header.
.. zeek:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
mime_end_entity mime_entity_data mime_event mime_segment_data
http_header http_all_headers
.. note:: Zeek also extracts MIME headers from HTTP sessions. For those,
however, it raises :zeek:id:`http_header` instead.
.. zeek:id:: mime_segment_data
:source-code: base/bif/plugins/Zeek_MIME.events.bif.zeek 114 114
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, length: :zeek:type:`count`, data: :zeek:type:`string`)
Generated for chunks of decoded MIME data from email MIME entities. MIME
is a protocol-independent data format for encoding text and files, along with
corresponding metadata, for transmission. As Zeek parses the data of an
entity, it raises a sequence of these events, each coming as soon as a new
chunk of data is available. In contrast, there is also
:zeek:id:`mime_entity_data`, which passes all of an entities data at once
in a single block. While the latter is more convenient to handle,
``mime_segment_data`` is more efficient as Zeek does not need to buffer
the data. Thus, if possible, this event should be preferred.
Zeek's MIME analyzer for emails currently supports SMTP and POP3. See
`Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
about MIME.
:param c: The connection.
:param length: The length of *data*.
:param data: The raw data of one segment of the current entity.
.. zeek:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
mime_end_entity mime_entity_data mime_event mime_one_header http_entity_data
mime_segment_length mime_segment_overlap_length
.. note:: Zeek also extracts MIME data from HTTP sessions. For those,
however, it raises :zeek:id:`http_entity_data` (sic!) instead.
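Review bot: several docstrings carry typos: mime_entity_data has "with the quoted-printable and and base64 data decoded" (duplicated "and"), mime_end_entity has "when it finished parsing" (should be "finishes", matching the "begins" in mime_begin_entity), and mime_segment_data has "all of an entities data" (should be "entity's"). The note under mime_event, "Zeek also extracts MIME headers from HTTP sessions. For those, however, it raises http_event instead", is copied from the header events; this event reports decoding errors, so the note should say that decoding errors in HTTP sessions raise http_event instead. The "(sic!)" in the mime_segment_data note reads as an aside to the maintainer rather than documentation; either explain the naming mismatch (http_entity_data being the segment-level counterpart) or drop it.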


@ -0,0 +1,239 @@
:tocdepth: 3
base/bif/plugins/Zeek_MQTT.events.bif.zeek
==========================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
=============================================== ===========================================================================================
:zeek:id:`mqtt_connack`: :zeek:type:`event` Generated for MQTT acknowledge connection messages
:zeek:id:`mqtt_connect`: :zeek:type:`event` Generated for MQTT "client requests a connection" messages
:zeek:id:`mqtt_disconnect`: :zeek:type:`event` Generated for MQTT disconnect messages sent by the client when it is disconnecting cleanly.
:zeek:id:`mqtt_pingreq`: :zeek:type:`event` Generated for MQTT ping requests sent by the client.
:zeek:id:`mqtt_pingresp`: :zeek:type:`event` Generated for MQTT ping responses sent by the server.
:zeek:id:`mqtt_puback`: :zeek:type:`event` Generated for MQTT publish acknowledgement messages
:zeek:id:`mqtt_pubcomp`: :zeek:type:`event` Generated for MQTT publish complete messages (QoS 2 publish received, part 3)
:zeek:id:`mqtt_publish`: :zeek:type:`event` Generated for MQTT publish messages
:zeek:id:`mqtt_pubrec`: :zeek:type:`event` Generated for MQTT publish received messages (QoS 2 publish received, part 1)
:zeek:id:`mqtt_pubrel`: :zeek:type:`event` Generated for MQTT publish release messages (QoS 2 publish received, part 2)
:zeek:id:`mqtt_suback`: :zeek:type:`event` Generated for MQTT subscribe messages
:zeek:id:`mqtt_subscribe`: :zeek:type:`event` Generated for MQTT subscribe messages
:zeek:id:`mqtt_unsuback`: :zeek:type:`event` Generated for MQTT unsubscribe acknowledgements sent by the server
:zeek:id:`mqtt_unsubscribe`: :zeek:type:`event` Generated for MQTT unsubscribe messages sent by the client
=============================================== ===========================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: mqtt_connack
:source-code: base/protocols/mqtt/main.zeek 190 197
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`MQTT::ConnectAckMsg`)
Generated for MQTT acknowledge connection messages
:param c: The connection
:param msg: MQTT connect ack message fields.
.. zeek:id:: mqtt_connect
:source-code: base/protocols/mqtt/main.zeek 177 188
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`MQTT::ConnectMsg`)
Generated for MQTT "client requests a connection" messages
:param c: The connection
:param msg: MQTT connect message fields.
.. zeek:id:: mqtt_disconnect
:source-code: base/bif/plugins/Zeek_MQTT.events.bif.zeek 127 127
:Type: :zeek:type:`event` (c: :zeek:type:`connection`)
Generated for MQTT disconnect messages sent by the client when it is disconnecting cleanly.
:param c: The connection
.. zeek:id:: mqtt_pingreq
:source-code: base/bif/plugins/Zeek_MQTT.events.bif.zeek 115 115
:Type: :zeek:type:`event` (c: :zeek:type:`connection`)
Generated for MQTT ping requests sent by the client.
:param c: The connection
.. zeek:id:: mqtt_pingresp
:source-code: base/bif/plugins/Zeek_MQTT.events.bif.zeek 121 121
:Type: :zeek:type:`event` (c: :zeek:type:`connection`)
Generated for MQTT ping responses sent by the server.
:param c: The connection
.. zeek:id:: mqtt_puback
:source-code: base/bif/plugins/Zeek_MQTT.events.bif.zeek 37 37
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, msg_id: :zeek:type:`count`)
Generated for MQTT publish acknowledgement messages
:param c: The connection
:param is_orig: Direction in which the message was sent
:param msg_id: The id value for the message.
.. zeek:id:: mqtt_pubcomp
:source-code: base/bif/plugins/Zeek_MQTT.events.bif.zeek 67 67
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, msg_id: :zeek:type:`count`)
Generated for MQTT publish complete messages (QoS 2 publish received, part 3)
:param c: The connection
:param is_orig: Direction in which the message was sent
:param msg_id: The id value for the message.
.. zeek:id:: mqtt_publish
:source-code: base/bif/plugins/Zeek_MQTT.events.bif.zeek 27 27
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, msg_id: :zeek:type:`count`, msg: :zeek:type:`MQTT::PublishMsg`)
Generated for MQTT publish messages
:param c: The connection
:param is_orig: Direction in which the message was sent
:param msg: The MQTT publish message record.
.. zeek:id:: mqtt_pubrec
:source-code: base/protocols/mqtt/main.zeek 257 266
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, msg_id: :zeek:type:`count`)
Generated for MQTT publish received messages (QoS 2 publish received, part 1)
:param c: The connection
:param is_orig: Direction in which the message was sent
:param msg_id: The id value for the message.
.. zeek:id:: mqtt_pubrel
:source-code: base/protocols/mqtt/main.zeek 268 277
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, msg_id: :zeek:type:`count`)
Generated for MQTT publish release messages (QoS 2 publish received, part 2)
:param c: The connection
:param is_orig: Direction in which the message was sent
:param msg_id: The id value for the message.
.. zeek:id:: mqtt_suback
:source-code: base/protocols/mqtt/main.zeek 320 333
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg_id: :zeek:type:`count`, granted_qos: :zeek:type:`count`)
Generated for MQTT subscribe messages
:param c: The connection
:param is_orig: Direction in which the message was sent
:param msg_id: The id value for the message.
.. zeek:id:: mqtt_subscribe
:source-code: base/protocols/mqtt/main.zeek 306 318
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg_id: :zeek:type:`count`, topics: :zeek:type:`string_vec`, requested_qos: :zeek:type:`index_vec`)
Generated for MQTT subscribe messages
:param c: The connection
:param is_orig: Direction in which the message was sent
:param msg_id: The id value for the message.
:param topics: The topics being subscribed to
:param requested_qos: The desired QoS option associated with each topic.
.. zeek:id:: mqtt_unsuback
:source-code: base/protocols/mqtt/main.zeek 348 360
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg_id: :zeek:type:`count`)
Generated for MQTT unsubscribe acknowledgements sent by the server
:param c: The connection
:param msg_id: The id value for the message.
.. zeek:id:: mqtt_unsubscribe
:source-code: base/protocols/mqtt/main.zeek 335 346
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg_id: :zeek:type:`count`, topics: :zeek:type:`string_vec`)
Generated for MQTT unsubscribe messages sent by the client
:param c: The connection
:param msg_id: The id value for the message.
:param topics: The topics being unsubscribed from
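Review bot: the parameter documentation for mqtt_suback and mqtt_subscribe does not match their signatures: both document an is_orig parameter that is not in the argument list (the signatures take c and msg_id, plus granted_qos for mqtt_suback and topics/requested_qos for mqtt_subscribe), and mqtt_suback's granted_qos has no :param: entry at all. mqtt_suback is also summarised as "Generated for MQTT subscribe messages", the same text as mqtt_subscribe; it should say subscribe acknowledgements sent by the server, mirroring the mqtt_unsuback wording. Minor: mqtt_pubrec, mqtt_pubrel and mqtt_pubcomp all say "(QoS 2 publish received, part N)", but "publish received" names only the first of the three messages; "QoS 2 publish handshake, part N" would read correctly for all three.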


@ -0,0 +1,15 @@
:tocdepth: 3
base/bif/plugins/Zeek_MQTT.types.bif.zeek
=========================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~


@ -0,0 +1,650 @@
:tocdepth: 3
base/bif/plugins/Zeek_Modbus.events.bif.zeek
============================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
============================================================================ ======================================================================
:zeek:id:`modbus_diagnostics_request`: :zeek:type:`event` Generated for a Modbus Diagnostics request.
:zeek:id:`modbus_diagnostics_response`: :zeek:type:`event` Generated for a Modbus Diagnostics response.
:zeek:id:`modbus_encap_interface_transport_request`: :zeek:type:`event` Generated for a Modbus Encapsulated Interface Transport request.
:zeek:id:`modbus_encap_interface_transport_response`: :zeek:type:`event` Generated for a Modbus Encapsulated Interface Transport response.
:zeek:id:`modbus_exception`: :zeek:type:`event` Generated for any Modbus exception message.
:zeek:id:`modbus_mask_write_register_request`: :zeek:type:`event` Generated for a Modbus mask write register request.
:zeek:id:`modbus_mask_write_register_response`: :zeek:type:`event` Generated for a Modbus mask write register request.
:zeek:id:`modbus_message`: :zeek:type:`event` Generated for any Modbus message regardless if the particular function
is further supported or not.
:zeek:id:`modbus_read_coils_request`: :zeek:type:`event` Generated for a Modbus read coils request.
:zeek:id:`modbus_read_coils_response`: :zeek:type:`event` Generated for a Modbus read coils response.
:zeek:id:`modbus_read_discrete_inputs_request`: :zeek:type:`event` Generated for a Modbus read discrete inputs request.
:zeek:id:`modbus_read_discrete_inputs_response`: :zeek:type:`event` Generated for a Modbus read discrete inputs response.
:zeek:id:`modbus_read_fifo_queue_request`: :zeek:type:`event` Generated for a Modbus read FIFO queue request.
:zeek:id:`modbus_read_fifo_queue_response`: :zeek:type:`event` Generated for a Modbus read FIFO queue response.
:zeek:id:`modbus_read_file_record_request`: :zeek:type:`event` Generated for a Modbus read file record request.
:zeek:id:`modbus_read_file_record_response`: :zeek:type:`event` Generated for a Modbus read file record response.
:zeek:id:`modbus_read_holding_registers_request`: :zeek:type:`event` Generated for a Modbus read holding registers request.
:zeek:id:`modbus_read_holding_registers_response`: :zeek:type:`event` Generated for a Modbus read holding registers response.
:zeek:id:`modbus_read_input_registers_request`: :zeek:type:`event` Generated for a Modbus read input registers request.
:zeek:id:`modbus_read_input_registers_response`: :zeek:type:`event` Generated for a Modbus read input registers response.
:zeek:id:`modbus_read_write_multiple_registers_request`: :zeek:type:`event` Generated for a Modbus read/write multiple registers request.
:zeek:id:`modbus_read_write_multiple_registers_response`: :zeek:type:`event` Generated for a Modbus read/write multiple registers response.
:zeek:id:`modbus_write_file_record_request`: :zeek:type:`event` Generated for a Modbus write file record request.
:zeek:id:`modbus_write_file_record_response`: :zeek:type:`event` Generated for a Modbus write file record response.
:zeek:id:`modbus_write_multiple_coils_request`: :zeek:type:`event` Generated for a Modbus write multiple coils request.
:zeek:id:`modbus_write_multiple_coils_response`: :zeek:type:`event` Generated for a Modbus write multiple coils response.
:zeek:id:`modbus_write_multiple_registers_request`: :zeek:type:`event` Generated for a Modbus write multiple registers request.
:zeek:id:`modbus_write_multiple_registers_response`: :zeek:type:`event` Generated for a Modbus write multiple registers response.
:zeek:id:`modbus_write_single_coil_request`: :zeek:type:`event` Generated for a Modbus write single coil request.
:zeek:id:`modbus_write_single_coil_response`: :zeek:type:`event` Generated for a Modbus write single coil response.
:zeek:id:`modbus_write_single_register_request`: :zeek:type:`event` Generated for a Modbus write single register request.
:zeek:id:`modbus_write_single_register_response`: :zeek:type:`event` Generated for a Modbus write single register response.
============================================================================ ======================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: modbus_diagnostics_request
:source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 341 341
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, subfunction: :zeek:type:`count`, data: :zeek:type:`string`)
Generated for a Modbus Diagnostics request.
:param c: The connection.
:param headers: The headers for the modbus function.
:param subfunction: The subfunction for the diagnostics request.
:param data: The data passed in the diagnostics request.
.. zeek:id:: modbus_diagnostics_response
:source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 353 353
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, subfunction: :zeek:type:`count`, data: :zeek:type:`string`)
Generated for a Modbus Diagnostics response.
:param c: The connection.
:param headers: The headers for the modbus function.
:param subfunction: The subfunction for the diagnostics response.
:param data: The data passed in the diagnostics response.
.. zeek:id:: modbus_encap_interface_transport_request
:source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 365 365
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, mei_type: :zeek:type:`count`, data: :zeek:type:`string`)
Generated for a Modbus Encapsulated Interface Transport request.
:param c: The connection.
:param headers: The headers for the modbus function.
:param mei_type: The MEI type for the request.
:param data: The MEI type specific data passed in the request.
.. zeek:id:: modbus_encap_interface_transport_response
:source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 377 377
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, mei_type: :zeek:type:`count`, data: :zeek:type:`string`)
Generated for a Modbus Encapsulated Interface Transport response.
:param c: The connection.
:param headers: The headers for the modbus function.
:param mei_type: The MEI type for the response.
:param data: The MEI type specific data passed in the response.
.. zeek:id:: modbus_exception
:source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 22 22
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, code: :zeek:type:`count`)
Generated for any Modbus exception message.
:param c: The connection.
:param headers: The headers for the modbus function.
:param code: The exception code.
.. zeek:id:: modbus_mask_write_register_request
:source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 268 268
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, address: :zeek:type:`count`, and_mask: :zeek:type:`count`, or_mask: :zeek:type:`count`)
Generated for a Modbus mask write register request.
:param c: The connection.
:param headers: The headers for the modbus function.
:param address: The memory address of the register where the masks should be applied.
:param and_mask: The value of the logical AND mask to apply to the register.
:param or_mask: The value of the logical OR mask to apply to the register.
.. zeek:id:: modbus_mask_write_register_response
:source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 282 282
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, address: :zeek:type:`count`, and_mask: :zeek:type:`count`, or_mask: :zeek:type:`count`)
Generated for a Modbus mask write register request.
:param c: The connection.
:param headers: The headers for the modbus function.
:param address: The memory address of the register where the masks were applied.
:param and_mask: The value of the logical AND mask applied register.
:param or_mask: The value of the logical OR mask applied to the register.
.. zeek:id:: modbus_message
:source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 12 12
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, is_orig: :zeek:type:`bool`)
Generated for any Modbus message regardless if the particular function
is further supported or not.
:param c: The connection.
:param headers: The headers for the modbus function.
:param is_orig: True if the event is raised for the originator side.
.. zeek:id:: modbus_read_coils_request
:source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 34 34
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, start_address: :zeek:type:`count`, quantity: :zeek:type:`count`)
Generated for a Modbus read coils request.
:param c: The connection.
:param headers: The headers for the modbus function.
:param start_address: The memory address of the first coil to be read.
:param quantity: The number of coils to be read.
.. zeek:id:: modbus_read_coils_response
:source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 44 44
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, coils: :zeek:type:`ModbusCoils`)
Generated for a Modbus read coils response.
:param c: The connection.
:param headers: The headers for the modbus function.
:param coils: The coil values returned from the device.
.. zeek:id:: modbus_read_discrete_inputs_request
:source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 56 56
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, start_address: :zeek:type:`count`, quantity: :zeek:type:`count`)
Generated for a Modbus read discrete inputs request.
:param c: The connection.
:param headers: The headers for the modbus function.
:param start_address: The memory address of the first coil to be read.
:param quantity: The number of coils to be read.
.. zeek:id:: modbus_read_discrete_inputs_response
:source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 66 66
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, coils: :zeek:type:`ModbusCoils`)
Generated for a Modbus read discrete inputs response.
:param c: The connection.
:param headers: The headers for the modbus function.
:param coils: The coil values returned from the device.
.. zeek:id:: modbus_read_fifo_queue_request
:source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 319 319
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, start_address: :zeek:type:`count`)
Generated for a Modbus read FIFO queue request.
:param c: The connection.
:param headers: The headers for the modbus function.
:param start_address: The address of the FIFO queue to read.
.. zeek:id:: modbus_read_fifo_queue_response
:source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 329 329
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, fifos: :zeek:type:`ModbusRegisters`)
Generated for a Modbus read FIFO queue response.
:param c: The connection.
:param headers: The headers for the modbus function.
:param fifos: The register values read from the FIFO queue on the device.
.. zeek:id:: modbus_read_file_record_request
:source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 218 218
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, byte_count: :zeek:type:`count`, refs: :zeek:type:`ModbusFileRecordRequests`)
Generated for a Modbus read file record request.
:param c: The connection.
:param headers: The headers for the modbus function.
:param byte_count: The full byte count for all of the reference records that follow.
:param refs: A vector of reference records.
.. zeek:id:: modbus_read_file_record_response
:source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 230 230
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, byte_count: :zeek:type:`count`, refs: :zeek:type:`ModbusFileRecordResponses`)
Generated for a Modbus read file record response.
:param c: The connection.
:param headers: The headers for the modbus function.
:param byte_count: The full byte count for all of the reference records that follow.
:param refs: A vector of reference records.
.. zeek:id:: modbus_read_holding_registers_request
:source-code: policy/protocols/modbus/track-memmap.zeek 62 65
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, start_address: :zeek:type:`count`, quantity: :zeek:type:`count`)
Generated for a Modbus read holding registers request.
:param c: The connection.
:param headers: The headers for the modbus function.
:param start_address: The memory address of the first register to be read.
:param quantity: The number of registers to be read.
.. zeek:id:: modbus_read_holding_registers_response
:source-code: policy/protocols/modbus/track-memmap.zeek 67 101
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, registers: :zeek:type:`ModbusRegisters`)
Generated for a Modbus read holding registers response.
:param c: The connection.
:param headers: The headers for the modbus function.
:param registers: The register values returned from the device.
.. zeek:id:: modbus_read_input_registers_request
:source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 100 100
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, start_address: :zeek:type:`count`, quantity: :zeek:type:`count`)
Generated for a Modbus read input registers request.
:param c: The connection.
:param headers: The headers for the modbus function.
:param start_address: The memory address of the first register to be read.
:param quantity: The number of registers to be read.
.. zeek:id:: modbus_read_input_registers_response
:source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 110 110
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, registers: :zeek:type:`ModbusRegisters`)
Generated for a Modbus read input registers response.
:param c: The connection.
:param headers: The headers for the modbus function.
:param registers: The register values returned from the device.
.. zeek:id:: modbus_read_write_multiple_registers_request
:source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 298 298
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, read_start_address: :zeek:type:`count`, read_quantity: :zeek:type:`count`, write_start_address: :zeek:type:`count`, write_registers: :zeek:type:`ModbusRegisters`)
Generated for a Modbus read/write multiple registers request.
:param c: The connection.
:param headers: The headers for the modbus function.
:param read_start_address: The memory address of the first register to be read.
:param read_quantity: The number of registers to read.
:param write_start_address: The memory address of the first register to be written.
:param write_registers: The values to be written to the registers.
.. zeek:id:: modbus_read_write_multiple_registers_response
:source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 309 309
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, written_registers: :zeek:type:`ModbusRegisters`)
Generated for a Modbus read/write multiple registers response.
:param c: The connection.
:param headers: The headers for the modbus function.
:param written_registers: The register values read from the registers specified in
the request.
.. zeek:id:: modbus_write_file_record_request
:source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 242 242
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, byte_count: :zeek:type:`count`, refs: :zeek:type:`ModbusFileReferences`)
Generated for a Modbus write file record request.
:param c: The connection.
:param headers: The headers for the modbus function.
:param byte_count: The full byte count for all of the reference records that follow.
:param refs: A vector of reference records.
.. zeek:id:: modbus_write_file_record_response
:source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 254 254
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, byte_count: :zeek:type:`count`, refs: :zeek:type:`ModbusFileReferences`)
Generated for a Modbus write file record response.
:param c: The connection.
:param headers: The headers for the modbus function.
:param byte_count: The full byte count for all of the reference records that follow.
:param refs: A vector of reference records.
.. zeek:id:: modbus_write_multiple_coils_request
:source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 170 170
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, start_address: :zeek:type:`count`, coils: :zeek:type:`ModbusCoils`)
Generated for a Modbus write multiple coils request.
:param c: The connection.
:param headers: The headers for the modbus function.
:param start_address: The memory address of the first coil to be written.
:param coils: The values to be written to the coils.
.. zeek:id:: modbus_write_multiple_coils_response
:source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 182 182
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, start_address: :zeek:type:`count`, quantity: :zeek:type:`count`)
Generated for a Modbus write multiple coils response.
:param c: The connection.
:param headers: The headers for the modbus function.
:param start_address: The memory address of the first coil that was written.
:param quantity: The quantity of coils that were written.
.. zeek:id:: modbus_write_multiple_registers_request
:source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 194 194
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, start_address: :zeek:type:`count`, registers: :zeek:type:`ModbusRegisters`)
Generated for a Modbus write multiple registers request.
:param c: The connection.
:param headers: The headers for the modbus function.
:param start_address: The memory address of the first register to be written.
:param registers: The values to be written to the registers.
.. zeek:id:: modbus_write_multiple_registers_response
:source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 206 206
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, start_address: :zeek:type:`count`, quantity: :zeek:type:`count`)
Generated for a Modbus write multiple registers response.
:param c: The connection.
:param headers: The headers for the modbus function.
:param start_address: The memory address of the first register that was written.
:param quantity: The quantity of registers that were written.
.. zeek:id:: modbus_write_single_coil_request
:source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 122 122
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, address: :zeek:type:`count`, value: :zeek:type:`bool`)
Generated for a Modbus write single coil request.
:param c: The connection.
:param headers: The headers for the modbus function.
:param address: The memory address of the coil to be written.
:param value: The value to be written to the coil.
.. zeek:id:: modbus_write_single_coil_response
:source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 134 134
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, address: :zeek:type:`count`, value: :zeek:type:`bool`)
Generated for a Modbus write single coil response.
:param c: The connection.
:param headers: The headers for the modbus function.
:param address: The memory address of the coil that was written.
:param value: The value that was written to the coil.
.. zeek:id:: modbus_write_single_register_request
:source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 146 146
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, address: :zeek:type:`count`, value: :zeek:type:`count`)
Generated for a Modbus write single register request.
:param c: The connection.
:param headers: The headers for the modbus function.
:param address: The memory address of the register to be written.
:param value: The value to be written to the register.
.. zeek:id:: modbus_write_single_register_response
:source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 158 158
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, address: :zeek:type:`count`, value: :zeek:type:`count`)
Generated for a Modbus write single register response.
:param c: The connection.
:param headers: The headers for the modbus function.
:param address: The memory address of the register that was written.
:param value: The value that was written to the register.
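Review bot: the docstring of ``modbus_mask_write_register_response`` is copied from the request and still reads "Generated for a Modbus mask write register request."; it should say "response". In the same event the ``and_mask`` text is missing words: "The value of the logical AND mask applied register." should read "The value of the logical AND mask applied to the register." Further down, ``modbus_read_discrete_inputs_request`` describes ``start_address`` and ``quantity`` as "the first coil to be read" and "the number of coils to be read", but function code 2 reads discrete inputs, not coils; "the first discrete input to be read" / "the number of discrete inputs to be read" would be accurate (the response can keep its wording since its parameter really is a ``ModbusCoils``). Finally, in ``modbus_read_write_multiple_registers_response`` the parameter is named ``written_registers`` but described as "The register values read from the registers specified in the request."; either the name or the description is misleading, and the text should state plainly which registers the vector holds.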

@ -0,0 +1,267 @@
:tocdepth: 3
base/bif/plugins/Zeek_MySQL.events.bif.zeek
===========================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
======================================================== ======================================================================================================
:zeek:id:`mysql_auth_more_data`: :zeek:type:`event` Generated for opaque authentication data exchanged between client and server
after the client's handshake packet, but before the server replied with
an OK_Packet
:zeek:id:`mysql_auth_plugin`: :zeek:type:`event` Generated for information about plugin authentication within handshake packets.
:zeek:id:`mysql_auth_switch_request`: :zeek:type:`event` Generated for a server packet with an auth switch request.
:zeek:id:`mysql_change_user`: :zeek:type:`event` Generated for a change user command from a MySQL client.
:zeek:id:`mysql_command_request`: :zeek:type:`event` Generated for a command request from a MySQL client.
:zeek:id:`mysql_eof`: :zeek:type:`event` Generated for a MySQL EOF packet.
:zeek:id:`mysql_error`: :zeek:type:`event` Generated for an unsuccessful MySQL response.
:zeek:id:`mysql_handshake`: :zeek:type:`event` Generated for a client handshake response packet, which includes the username the client is attempting
to connect as.
:zeek:id:`mysql_ok`: :zeek:type:`event` Generated for a successful MySQL response.
:zeek:id:`mysql_result_row`: :zeek:type:`event` Generated for each MySQL ResultsetRow response packet.
:zeek:id:`mysql_server_version`: :zeek:type:`event` Generated for the initial server handshake packet, which includes the MySQL server version.
:zeek:id:`mysql_ssl_request`: :zeek:type:`event` Generated for a short client handshake response packet with the CLIENT_SSL
flag set.
======================================================== ======================================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: mysql_auth_more_data
:source-code: base/bif/plugins/Zeek_MySQL.events.bif.zeek 166 166
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, data: :zeek:type:`string`)
Generated for opaque authentication data exchanged between client and server
after the client's handshake packet, but before the server replied with
an OK_Packet
Data is specific to the plugin auth mechanism used by client and server.
:param c: The connection.
:param is_orig: True if this is from the client, false if from the server.
:param data: More authentication data.
.. zeek:see:: mysql_handshake mysql_auth_switch_request
.. zeek:id:: mysql_auth_plugin
:source-code: base/bif/plugins/Zeek_MySQL.events.bif.zeek 138 138
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, name: :zeek:type:`string`, data: :zeek:type:`string`)
Generated for information about plugin authentication within handshake packets.
:param c: The connection.
:param is_orig: True if this is from the client, false if from the server.
:param name: Name of the authentication plugin.
:param data: The initial auth data. From the server, it is the concatenation of
auth_plugin_data_part_1 and auth_plugin_data_part_2 in the handshake.
For the client it is the auth_response in the handshake response.
.. zeek:see:: mysql_handshake mysql_auth_switch_request mysql_auth_more_data
.. zeek:id:: mysql_auth_switch_request
:source-code: base/bif/plugins/Zeek_MySQL.events.bif.zeek 150 150
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, name: :zeek:type:`string`, data: :zeek:type:`string`)
Generated for a server packet with an auth switch request.
:param c: The connection.
:param name: The plugin name.
:param data: Initial authentication data for the plugin.
.. zeek:see:: mysql_handshake mysql_auth_more_data
.. zeek:id:: mysql_change_user
:source-code: base/protocols/mysql/main.zeek 87 90
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, username: :zeek:type:`string`)
Generated for a change user command from a MySQL client.
See the MySQL `documentation <http://dev.mysql.com/doc/internals/en/client-server-protocol.html>`__
for more information about the MySQL protocol.
:param c: The connection.
:param username: The username supplied by the client
.. zeek:see:: mysql_error mysql_ok mysql_server_version mysql_handshake
.. zeek:id:: mysql_command_request
:source-code: base/bif/plugins/Zeek_MySQL.events.bif.zeek 16 16
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, command: :zeek:type:`count`, arg: :zeek:type:`string`)
Generated for a command request from a MySQL client.
See the MySQL `documentation <http://dev.mysql.com/doc/internals/en/client-server-protocol.html>`__
for more information about the MySQL protocol.
:param c: The connection.
:param command: The numerical code of the command issued.
:param arg: The argument for the command (empty string if not provided).
.. zeek:see:: mysql_error mysql_ok mysql_server_version mysql_handshake
.. zeek:id:: mysql_eof
:source-code: base/protocols/mysql/main.zeek 120 137
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_intermediate: :zeek:type:`bool`)
Generated for a MySQL EOF packet.
See the MySQL `documentation <http://dev.mysql.com/doc/internals/en/client-server-protocol.html>`__
for more information about the MySQL protocol.
:param c: The connection.
:param is_intermediate: True if this is an EOF packet between the column definition and the rows, false if a final EOF.
.. zeek:see:: mysql_command_request mysql_error mysql_server_version mysql_handshake
.. zeek:id:: mysql_error
:source-code: base/bif/plugins/Zeek_MySQL.events.bif.zeek 44 44
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, code: :zeek:type:`count`, msg: :zeek:type:`string`)
Generated for an unsuccessful MySQL response.
See the MySQL `documentation <http://dev.mysql.com/doc/internals/en/client-server-protocol.html>`__
for more information about the MySQL protocol.
:param c: The connection.
:param code: The error code.
:param msg: Any extra details about the error (empty string if not provided).
.. zeek:see:: mysql_command_request mysql_ok mysql_server_version mysql_handshake
.. zeek:id:: mysql_handshake
:source-code: base/protocols/mysql/main.zeek 52 65
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, username: :zeek:type:`string`)
Generated for a client handshake response packet, which includes the username the client is attempting
to connect as.
See the MySQL `documentation <http://dev.mysql.com/doc/internals/en/client-server-protocol.html>`__
for more information about the MySQL protocol.
:param c: The connection.
:param username: The username supplied by the client
.. zeek:see:: mysql_command_request mysql_error mysql_ok mysql_server_version mysql_ssl_request
.. zeek:id:: mysql_ok
:source-code: base/bif/plugins/Zeek_MySQL.events.bif.zeek 57 57
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, affected_rows: :zeek:type:`count`)
Generated for a successful MySQL response.
See the MySQL `documentation <http://dev.mysql.com/doc/internals/en/client-server-protocol.html>`__
for more information about the MySQL protocol.
:param c: The connection.
:param affected_rows: The number of rows that were affected.
.. zeek:see:: mysql_command_request mysql_error mysql_server_version mysql_handshake
.. zeek:id:: mysql_result_row
:source-code: base/bif/plugins/Zeek_MySQL.events.bif.zeek 83 83
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, row: :zeek:type:`string_vec`)
Generated for each MySQL ResultsetRow response packet.
See the MySQL `documentation <http://dev.mysql.com/doc/internals/en/client-server-protocol.html>`__
for more information about the MySQL protocol.
:param c: The connection.
:param row: The result row data.
.. zeek:see:: mysql_command_request mysql_error mysql_server_version mysql_handshake mysql_ok
.. zeek:id:: mysql_server_version
:source-code: policy/protocols/mysql/software.zeek 14 20
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, ver: :zeek:type:`string`)
Generated for the initial server handshake packet, which includes the MySQL server version.
See the MySQL `documentation <http://dev.mysql.com/doc/internals/en/client-server-protocol.html>`__
for more information about the MySQL protocol.
:param c: The connection.
:param ver: The server version string.
.. zeek:see:: mysql_command_request mysql_error mysql_ok mysql_handshake
.. zeek:id:: mysql_ssl_request
:source-code: base/bif/plugins/Zeek_MySQL.events.bif.zeek 122 122
:Type: :zeek:type:`event` (c: :zeek:type:`connection`)
Generated for a short client handshake response packet with the CLIENT_SSL
flag set. Usually the client will initiate a TLS handshake afterwards.
See the MySQL `documentation <http://dev.mysql.com/doc/internals/en/client-server-protocol.html>`__
for more information about the MySQL protocol.
:param c: The connection.
.. zeek:see:: mysql_handshake
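Review bot: three descriptions in this file end without a period: "an OK_Packet" in ``mysql_auth_more_data``, and "The username supplied by the client" in both ``mysql_change_user`` and ``mysql_handshake``. The same link, ``http://dev.mysql.com/doc/internals/en/client-server-protocol.html``, is repeated in eight events over plain http; it is worth checking that it still resolves, pointing at the current MySQL protocol documentation if it does not, and using https either way.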

@ -0,0 +1,15 @@
:tocdepth: 3
base/bif/plugins/Zeek_NCP.consts.bif.zeek
=========================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

@ -0,0 +1,88 @@
:tocdepth: 3
base/bif/plugins/Zeek_NCP.events.bif.zeek
=========================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
========================================== ===================================================
:zeek:id:`ncp_reply`: :zeek:type:`event` Generated for NCP replies (Netware Core Protocol).
:zeek:id:`ncp_request`: :zeek:type:`event` Generated for NCP requests (Netware Core Protocol).
========================================== ===================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: ncp_reply
:source-code: base/bif/plugins/Zeek_NCP.events.bif.zeek 49 49
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, frame_type: :zeek:type:`count`, length: :zeek:type:`count`, req_frame: :zeek:type:`count`, req_func: :zeek:type:`count`, completion_code: :zeek:type:`count`)
Generated for NCP replies (Netware Core Protocol).
See `Wikipedia <http://en.wikipedia.org/wiki/NetWare_Core_Protocol>`__ for
more information about the NCP protocol.
:param c: The connection.
:param frame_type: The frame type, as specified by the protocol.
:param length: The length of the request body, excluding the frame header.
:param req_frame: The frame type from the corresponding request.
:param req_func: The function code from the corresponding request.
:param completion_code: The reply's completion code, as specified by the protocol.
.. zeek:see:: ncp_request
.. todo:: Zeek's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported. To still enable this event, one needs to
register a port for it or add a DPD payload signature.
.. zeek:id:: ncp_request
:source-code: base/bif/plugins/Zeek_NCP.events.bif.zeek 23 23
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, frame_type: :zeek:type:`count`, length: :zeek:type:`count`, func: :zeek:type:`count`)
Generated for NCP requests (Netware Core Protocol).
See `Wikipedia <http://en.wikipedia.org/wiki/NetWare_Core_Protocol>`__ for
more information about the NCP protocol.
:param c: The connection.
:param frame_type: The frame type, as specified by the protocol.
:param length: The length of the request body, excluding the frame header.
:param func: The requested function, as specified by the protocol.
.. zeek:see:: ncp_reply
.. todo:: Zeek's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported. To still enable this event, one needs to
register a port for it or add a DPD payload signature.
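Review bot: in ``ncp_reply`` the ``length`` description, "The length of the request body, excluding the frame header.", is copied verbatim from ``ncp_request``; for the reply event it should read "The length of the reply body, excluding the frame header." The Wikipedia link in both events is plain http as well; https would avoid a redirect.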

@ -0,0 +1,70 @@
:tocdepth: 3
base/bif/plugins/Zeek_NTLM.events.bif.zeek
==========================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
================================================ ============================================================================
:zeek:id:`ntlm_authenticate`: :zeek:type:`event` Generated for :abbr:`NTLM (NT LAN Manager)` messages of type *authenticate*.
:zeek:id:`ntlm_challenge`: :zeek:type:`event` Generated for :abbr:`NTLM (NT LAN Manager)` messages of type *challenge*.
:zeek:id:`ntlm_negotiate`: :zeek:type:`event` Generated for :abbr:`NTLM (NT LAN Manager)` messages of type *negotiate*.
================================================ ============================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: ntlm_authenticate
:source-code: base/protocols/ntlm/main.zeek 85 95
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, request: :zeek:type:`NTLM::Authenticate`)
Generated for :abbr:`NTLM (NT LAN Manager)` messages of type *authenticate*.
:param c: The connection.
:param request: The parsed data of the :abbr:`NTLM (NT LAN Manager)` message. See init-bare for more details.
.. zeek:see:: ntlm_negotiate ntlm_challenge
.. zeek:id:: ntlm_challenge
:source-code: base/protocols/ntlm/main.zeek 69 83
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, challenge: :zeek:type:`NTLM::Challenge`)
Generated for :abbr:`NTLM (NT LAN Manager)` messages of type *challenge*.
:param c: The connection.
:param negotiate: The parsed data of the :abbr:`NTLM (NT LAN Manager)` message. See init-bare for more details.
.. zeek:see:: ntlm_negotiate ntlm_authenticate
.. zeek:id:: ntlm_negotiate
:source-code: base/protocols/ntlm/main.zeek 64 67
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, negotiate: :zeek:type:`NTLM::Negotiate`)
Generated for :abbr:`NTLM (NT LAN Manager)` messages of type *negotiate*.
:param c: The connection.
:param negotiate: The parsed data of the :abbr:`NTLM (NT LAN Manager)` message. See init-bare for more details.
.. zeek:see:: ntlm_challenge ntlm_authenticate
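Review bot: ``ntlm_challenge`` declares its second parameter as ``challenge: :zeek:type:`NTLM::Challenge``` but documents it as ``:param negotiate:``; the field should be ``:param challenge:`` so the description is tied to the actual signature. Also, "See init-bare for more details" in all three events is a bare filename reference with no link; pointing at the record types themselves (``:zeek:type:`NTLM::Negotiate```, ``:zeek:type:`NTLM::Challenge```, ``:zeek:type:`NTLM::Authenticate```) would give readers the field definitions directly.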

@ -0,0 +1,16 @@
:tocdepth: 3
base/bif/plugins/Zeek_NTLM.types.bif.zeek
=========================================
.. zeek:namespace:: GLOBAL
.. zeek:namespace:: NTLM
:Namespaces: GLOBAL, NTLM
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

@ -0,0 +1,43 @@
:tocdepth: 3
base/bif/plugins/Zeek_NTP.events.bif.zeek
=========================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
========================================== ===============================
:zeek:id:`ntp_message`: :zeek:type:`event` Generated for all NTP messages.
========================================== ===============================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: ntp_message
:source-code: base/bif/plugins/Zeek_NTP.events.bif.zeek 15 15
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, msg: :zeek:type:`NTP::Message`)
Generated for all NTP messages. Different from many other of Zeek's events,
this one is generated for both client-side and server-side messages.
See `Wikipedia <http://en.wikipedia.org/wiki/Network_Time_Protocol>`__ for
more information about the NTP protocol.
:param c: The connection record describing the corresponding UDP flow.
:param is_orig: True if the message was sent by the originator.
:param msg: The parsed NTP message.
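Review bot: "Different from many other of Zeek's events, this one is generated for both client-side and server-side messages." reads awkwardly; suggest "Unlike many other Zeek events, this one is generated for both client-side and server-side messages."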

@ -0,0 +1,16 @@
:tocdepth: 3
base/bif/plugins/Zeek_NTP.types.bif.zeek
========================================
.. zeek:namespace:: GLOBAL
.. zeek:namespace:: NTP
:Namespaces: GLOBAL, NTP
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

@ -0,0 +1,284 @@
:tocdepth: 3
base/bif/plugins/Zeek_NetBIOS.events.bif.zeek
=============================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
=========================================================== =====================================================================
:zeek:id:`netbios_session_accepted`: :zeek:type:`event` Generated for NetBIOS messages of type *positive session response*.
:zeek:id:`netbios_session_keepalive`: :zeek:type:`event` Generated for NetBIOS messages of type *keep-alive*.
:zeek:id:`netbios_session_message`: :zeek:type:`event` Generated for all NetBIOS SSN and DGM messages.
:zeek:id:`netbios_session_raw_message`: :zeek:type:`event` Generated for NetBIOS messages of type *session message* that are not
carrying an SMB payload.
:zeek:id:`netbios_session_rejected`: :zeek:type:`event` Generated for NetBIOS messages of type *negative session response*.
:zeek:id:`netbios_session_request`: :zeek:type:`event` Generated for NetBIOS messages of type *session request*.
:zeek:id:`netbios_session_ret_arg_resp`: :zeek:type:`event` Generated for NetBIOS messages of type *retarget response*.
=========================================================== =====================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: netbios_session_accepted
:source-code: base/bif/plugins/Zeek_NetBIOS.events.bif.zeek 92 92
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`string`)
Generated for NetBIOS messages of type *positive session response*. Zeek's
NetBIOS analyzer processes the NetBIOS session service running on TCP port
139, and (despite its name!) the NetBIOS datagram service on UDP port 138.
See `Wikipedia <http://en.wikipedia.org/wiki/NetBIOS>`__ for more information
about NetBIOS. :rfc:`1002` describes
the packet format for NetBIOS over TCP/IP, which Zeek parses.
:param c: The connection, which may be TCP or UDP, depending on the type of the
NetBIOS session.
:param msg: The raw payload of the message sent, excluding the common NetBIOS
header.
.. zeek:see:: netbios_session_keepalive netbios_session_message
netbios_session_raw_message netbios_session_rejected netbios_session_request
netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
.. note:: These days, NetBIOS is primarily used as a transport mechanism for
`SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Zeek's
SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
.. todo:: Zeek's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported. To still enable this event, one needs to
register a port for it or add a DPD payload signature.
.. zeek:id:: netbios_session_keepalive
:source-code: base/bif/plugins/Zeek_NetBIOS.events.bif.zeek 217 217
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`string`)
Generated for NetBIOS messages of type *keep-alive*. Zeek's NetBIOS analyzer
processes the NetBIOS session service running on TCP port 139, and (despite
its name!) the NetBIOS datagram service on UDP port 138.
See `Wikipedia <http://en.wikipedia.org/wiki/NetBIOS>`__ for more information
about NetBIOS. :rfc:`1002` describes
the packet format for NetBIOS over TCP/IP, which Zeek parses.
:param c: The connection, which may be TCP or UDP, depending on the type of the
NetBIOS session.
:param msg: The raw payload of the message sent, excluding the common NetBIOS
header.
.. zeek:see:: netbios_session_accepted netbios_session_message
netbios_session_raw_message netbios_session_rejected netbios_session_request
netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
.. note:: These days, NetBIOS is primarily used as a transport mechanism for
`SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Zeek's
SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
.. todo:: Zeek's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported. To still enable this event, one needs to
register a port for it or add a DPD payload signature.
.. zeek:id:: netbios_session_message
:source-code: base/bif/plugins/Zeek_NetBIOS.events.bif.zeek 34 34
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, msg_type: :zeek:type:`count`, data_len: :zeek:type:`count`)
Generated for all NetBIOS SSN and DGM messages. Zeek's NetBIOS analyzer
processes the NetBIOS session service running on TCP port 139, and (despite
its name!) the NetBIOS datagram service on UDP port 138.
See `Wikipedia <http://en.wikipedia.org/wiki/NetBIOS>`__ for more information
about NetBIOS. :rfc:`1002` describes
the packet format for NetBIOS over TCP/IP, which Zeek parses.
:param c: The connection, which may be TCP or UDP, depending on the type of the
NetBIOS session.
:param is_orig: True if the message was sent by the originator of the connection.
:param msg_type: The general type of message, as defined in Section 4.3.1 of
:rfc:`1002`.
:param data_len: The length of the message's payload.
.. zeek:see:: netbios_session_accepted netbios_session_keepalive
netbios_session_raw_message netbios_session_rejected netbios_session_request
netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
.. note:: These days, NetBIOS is primarily used as a transport mechanism for
`SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Zeek's
SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
.. todo:: Zeek's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported. To still enable this event, one needs to
register a port for it or add a DPD payload signature.
.. zeek:id:: netbios_session_raw_message
:source-code: base/bif/plugins/Zeek_NetBIOS.events.bif.zeek 157 157
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, msg: :zeek:type:`string`)
Generated for NetBIOS messages of type *session message* that are not
carrying an SMB payload.
NetBIOS analyzer processes the NetBIOS session service running on TCP port
139, and (despite its name!) the NetBIOS datagram service on UDP port 138.
See `Wikipedia <http://en.wikipedia.org/wiki/NetBIOS>`__ for more information
about NetBIOS. :rfc:`1002` describes
the packet format for NetBIOS over TCP/IP, which Zeek parses.
:param c: The connection, which may be TCP or UDP, depending on the type of the
NetBIOS session.
:param is_orig: True if the message was sent by the originator of the connection.
:param msg: The raw payload of the message sent, excluding the common NetBIOS
header (i.e., the ``user_data``).
.. zeek:see:: netbios_session_accepted netbios_session_keepalive
netbios_session_message netbios_session_rejected netbios_session_request
netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
.. note:: These days, NetBIOS is primarily used as a transport mechanism for
`SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Zeek's
SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
.. todo:: This is an oddly named event. In fact, it's probably an odd event
to have to begin with.
.. todo:: Zeek's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported. To still enable this event, one needs to
register a port for it or add a DPD payload signature.
.. zeek:id:: netbios_session_rejected
:source-code: base/bif/plugins/Zeek_NetBIOS.events.bif.zeek 121 121
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`string`)
Generated for NetBIOS messages of type *negative session response*. Zeek's
NetBIOS analyzer processes the NetBIOS session service running on TCP port
139, and (despite its name!) the NetBIOS datagram service on UDP port 138.
See `Wikipedia <http://en.wikipedia.org/wiki/NetBIOS>`__ for more information
about NetBIOS. :rfc:`1002` describes
the packet format for NetBIOS over TCP/IP, which Zeek parses.
:param c: The connection, which may be TCP or UDP, depending on the type of the
NetBIOS session.
:param msg: The raw payload of the message sent, excluding the common NetBIOS
header.
.. zeek:see:: netbios_session_accepted netbios_session_keepalive
netbios_session_message netbios_session_raw_message netbios_session_request
netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
.. note:: These days, NetBIOS is primarily used as a transport mechanism for
`SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Zeek's
SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
.. todo:: Zeek's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported. To still enable this event, one needs to
register a port for it or add a DPD payload signature.
.. zeek:id:: netbios_session_request
:source-code: base/bif/plugins/Zeek_NetBIOS.events.bif.zeek 63 63
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`string`)
Generated for NetBIOS messages of type *session request*. Zeek's NetBIOS
analyzer processes the NetBIOS session service running on TCP port 139, and
(despite its name!) the NetBIOS datagram service on UDP port 138.
See `Wikipedia <http://en.wikipedia.org/wiki/NetBIOS>`__ for more information
about NetBIOS. :rfc:`1002` describes
the packet format for NetBIOS over TCP/IP, which Zeek parses.
:param c: The connection, which may be TCP or UDP, depending on the type of the
NetBIOS session.
:param msg: The raw payload of the message sent, excluding the common NetBIOS
header.
.. zeek:see:: netbios_session_accepted netbios_session_keepalive
netbios_session_message netbios_session_raw_message netbios_session_rejected
netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
.. note:: These days, NetBIOS is primarily used as a transport mechanism for
`SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Zeek's
SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
.. todo:: Zeek's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported. To still enable this event, one needs to
register a port for it or add a DPD payload signature.
.. zeek:id:: netbios_session_ret_arg_resp
:source-code: base/bif/plugins/Zeek_NetBIOS.events.bif.zeek 188 188
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`string`)
Generated for NetBIOS messages of type *retarget response*. Zeek's NetBIOS
analyzer processes the NetBIOS session service running on TCP port 139, and
(despite its name!) the NetBIOS datagram service on UDP port 138.
See `Wikipedia <http://en.wikipedia.org/wiki/NetBIOS>`__ for more information
about NetBIOS. :rfc:`1002` describes
the packet format for NetBIOS over TCP/IP, which Zeek parses.
:param c: The connection, which may be TCP or UDP, depending on the type of the
NetBIOS session.
:param msg: The raw payload of the message sent, excluding the common NetBIOS
header.
.. zeek:see:: netbios_session_accepted netbios_session_keepalive
netbios_session_message netbios_session_raw_message netbios_session_rejected
netbios_session_request decode_netbios_name decode_netbios_name_type
.. note:: These days, NetBIOS is primarily used as a transport mechanism for
`SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Zeek's
SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
.. todo:: This is an oddly named event.
.. todo:: Zeek's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported. To still enable this event, one needs to
register a port for it or add a DPD payload signature.
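Review bot: the description of ``netbios_session_raw_message`` loses its subject at the sentence break ("carrying an SMB payload." followed by "NetBIOS analyzer processes the NetBIOS session service ..."), whereas every sibling event reads "Zeek's NetBIOS analyzer processes ..."; since this page is generated from the ``.bif`` source comment, the fix belongs there, not in this file. Two developer remarks are also published verbatim as ``.. todo::`` blocks in user-facing reference text ("This is an oddly named event. In fact, it's probably an odd event to have to begin with." under ``netbios_session_raw_message`` and "This is an oddly named event." under ``netbios_session_ret_arg_resp``); replace them with a sentence stating what the event actually delivers (the ``user_data`` of a session message with no SMB payload, per the ``:param msg:`` line), or drop them. Finally, the repeated ``.. todo::`` stating that the default configuration does not activate this analyzer is the single most useful operational fact on the page (the events never fire unless a port is registered or a DPD signature added), so it deserves to be a ``.. note::`` rather than a todo, which renderers may hide.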

View file

@ -0,0 +1,58 @@
:tocdepth: 3
base/bif/plugins/Zeek_NetBIOS.functions.bif.zeek
================================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Functions
#########
========================================================== ================================================================
:zeek:id:`decode_netbios_name`: :zeek:type:`function` Decode a NetBIOS name.
:zeek:id:`decode_netbios_name_type`: :zeek:type:`function` Converts a NetBIOS name type to its corresponding numeric value.
========================================================== ================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. zeek:id:: decode_netbios_name
:source-code: base/bif/plugins/Zeek_NetBIOS.functions.bif.zeek 16 16
:Type: :zeek:type:`function` (name: :zeek:type:`string`) : :zeek:type:`string`
Decode a NetBIOS name. See https://jeffpar.github.io/kbarchive/kb/194/Q194203/.
:param name: The encoded NetBIOS name, e.g., ``"FEEIEFCAEOEFFEECEJEPFDCAEOEBENEF"``.
:returns: The decoded NetBIOS name, e.g., ``"THE NETBIOS NAM"``. An empty
string is returned if the argument is not a valid NetBIOS encoding
(though an encoding that would decode to something that includes
only null-bytes or space-characters also yields an empty string).
.. zeek:see:: decode_netbios_name_type
.. zeek:id:: decode_netbios_name_type
:source-code: base/bif/plugins/Zeek_NetBIOS.functions.bif.zeek 27 27
:Type: :zeek:type:`function` (name: :zeek:type:`string`) : :zeek:type:`count`
Converts a NetBIOS name type to its corresponding numeric value.
See https://en.wikipedia.org/wiki/NetBIOS#NetBIOS_Suffixes.
:param name: An encoded NetBIOS name.
:returns: The numeric value of *name* or 256 if it's not a valid encoding.
.. zeek:see:: decode_netbios_name
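Review bot: the summary line for ``decode_netbios_name_type`` ("Converts a NetBIOS name type to its corresponding numeric value") does not match its own parameter and return documentation, which say the input is "An encoded NetBIOS name" and the output is "The numeric value of *name* or 256 if it's not a valid encoding"; the summary should say that the function extracts the name-type suffix from an encoded name, so readers know to pass the same encoded form shown for ``decode_netbios_name`` (e.g. ``"FEEIEFCAEOEFFEECEJEPFDCAEOEBENEF"``). Both functions also use an in-band sentinel for failure, and the docs should tell callers to test for it before using the result: ``256`` for the type (valid values fit in a byte, which is why 256 is safe), and the empty string for the name. For ``decode_netbios_name`` the parenthetical already admits that an empty string is returned both for an invalid encoding and for a valid encoding that decodes to only null bytes or spaces; say plainly that the caller cannot distinguish the two cases, since a script that treats "" as "malformed" will misclassify legitimate padding-only names.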

View file

@ -0,0 +1,16 @@
:tocdepth: 3
base/bif/plugins/Zeek_NoneWriter.none.bif.zeek
==============================================
.. zeek:namespace:: GLOBAL
.. zeek:namespace:: LogNone
:Namespaces: GLOBAL, LogNone
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

View file

@ -0,0 +1,115 @@
:tocdepth: 3
base/bif/plugins/Zeek_PE.events.bif.zeek
========================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
================================================= ===================================================================
:zeek:id:`pe_dos_code`: :zeek:type:`event` A :abbr:`PE (Portable Executable)` file DOS stub was parsed.
:zeek:id:`pe_dos_header`: :zeek:type:`event` A :abbr:`PE (Portable Executable)` file DOS header was parsed.
:zeek:id:`pe_file_header`: :zeek:type:`event` A :abbr:`PE (Portable Executable)` file file header was parsed.
:zeek:id:`pe_optional_header`: :zeek:type:`event` A :abbr:`PE (Portable Executable)` file optional header was parsed.
:zeek:id:`pe_section_header`: :zeek:type:`event` A :abbr:`PE (Portable Executable)` file section header was parsed.
================================================= ===================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: pe_dos_code
:source-code: base/bif/plugins/Zeek_PE.events.bif.zeek 25 25
:Type: :zeek:type:`event` (f: :zeek:type:`fa_file`, code: :zeek:type:`string`)
A :abbr:`PE (Portable Executable)` file DOS stub was parsed.
The stub is a valid application that runs under MS-DOS, by default
to inform the user that the program can't be run in DOS mode.
:param f: The file.
:param code: The DOS stub
.. zeek:see:: pe_dos_header pe_file_header pe_optional_header pe_section_header
.. zeek:id:: pe_dos_header
:source-code: base/files/pe/main.zeek 72 75
:Type: :zeek:type:`event` (f: :zeek:type:`fa_file`, h: :zeek:type:`PE::DOSHeader`)
A :abbr:`PE (Portable Executable)` file DOS header was parsed.
This is the top-level header and contains information like the
size of the file, initial value of registers, etc.
:param f: The file.
:param h: The parsed DOS header information.
.. zeek:see:: pe_dos_code pe_file_header pe_optional_header pe_section_header
.. zeek:id:: pe_file_header
:source-code: base/files/pe/main.zeek 77 90
:Type: :zeek:type:`event` (f: :zeek:type:`fa_file`, h: :zeek:type:`PE::FileHeader`)
A :abbr:`PE (Portable Executable)` file file header was parsed.
This header contains information like the target machine,
the timestamp when the file was created, the number of sections, and
pointers to other parts of the file.
:param f: The file.
:param h: The parsed file header information.
.. zeek:see:: pe_dos_header pe_dos_code pe_optional_header pe_section_header
.. zeek:id:: pe_optional_header
:source-code: base/files/pe/main.zeek 92 119
:Type: :zeek:type:`event` (f: :zeek:type:`fa_file`, h: :zeek:type:`PE::OptionalHeader`)
A :abbr:`PE (Portable Executable)` file optional header was parsed.
This header is required for executable files, but not for object files.
It contains information like OS requirements to execute the file, the
original entry point address, and information needed to load the file
into memory.
:param f: The file.
:param h: The parsed optional header information.
.. zeek:see:: pe_dos_header pe_dos_code pe_file_header pe_section_header
.. zeek:id:: pe_section_header
:source-code: base/files/pe/main.zeek 121 132
:Type: :zeek:type:`event` (f: :zeek:type:`fa_file`, h: :zeek:type:`PE::SectionHeader`)
A :abbr:`PE (Portable Executable)` file section header was parsed.
This header contains information like the section name, size, address,
and characteristics.
:param f: The file.
:param h: The parsed section header information.
.. zeek:see:: pe_dos_header pe_dos_code pe_file_header pe_optional_header
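Review bot: ``:param code: The DOS stub`` under ``pe_dos_code`` is the only parameter line in the hunk without a terminating period. The ``:source-code:`` locations are also inconsistent: ``pe_dos_code`` points into ``Zeek_PE.events.bif.zeek`` itself, while ``pe_dos_header``, ``pe_file_header``, ``pe_optional_header`` and ``pe_section_header`` point into ``base/files/pe/main.zeek``, i.e. the script-land handlers rather than the event declarations; if the generator deliberately links to the first handler when one exists, a short note to that effect would stop readers from taking the handler location as the event's definition. Lastly, "A PE file file header was parsed" (in both the summary table and the detailed entry) reads as a doubled word even though it is the correct name of the header; "The file header of a PE file was parsed" carries the same meaning without the stumble.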

View file

@ -0,0 +1,15 @@
:tocdepth: 3
base/bif/plugins/Zeek_POP3.consts.bif.zeek
==========================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

View file

@ -0,0 +1,241 @@
:tocdepth: 3
base/bif/plugins/Zeek_POP3.events.bif.zeek
==========================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
================================================= ===================================================================
:zeek:id:`pop3_data`: :zeek:type:`event` Generated for server-side multi-line responses on POP3 connections.
:zeek:id:`pop3_login_failure`: :zeek:type:`event` Generated for unsuccessful authentications on POP3 connections.
:zeek:id:`pop3_login_success`: :zeek:type:`event` Generated for successful authentications on POP3 connections.
:zeek:id:`pop3_reply`: :zeek:type:`event` Generated for server-side replies to commands on POP3 connections.
:zeek:id:`pop3_request`: :zeek:type:`event` Generated for client-side commands on POP3 connections.
:zeek:id:`pop3_starttls`: :zeek:type:`event` Generated when a POP3 connection goes encrypted.
:zeek:id:`pop3_unexpected`: :zeek:type:`event` Generated for errors encountered on POP3 sessions.
================================================= ===================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: pop3_data
:source-code: base/bif/plugins/Zeek_POP3.events.bif.zeek 76 76
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, data: :zeek:type:`string`)
Generated for server-side multi-line responses on POP3 connections. POP3
connections use multi-line responses to send bulk data, such as the actual
mails. This event is generated once for each line that's part of such a
response.
See `Wikipedia <http://en.wikipedia.org/wiki/POP3>`__ for more information
about the POP3 protocol.
:param c: The connection.
:param is_orig: True if the data was sent by the originator of the TCP connection.
:param data: The data sent.
.. zeek:see:: pop3_login_failure pop3_login_success pop3_reply pop3_request
pop3_unexpected
.. todo:: Zeek's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported. To still enable this event, one needs to
register a port for it or add a DPD payload signature.
.. zeek:id:: pop3_login_failure
:source-code: base/bif/plugins/Zeek_POP3.events.bif.zeek 168 168
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, user: :zeek:type:`string`, password: :zeek:type:`string`)
Generated for unsuccessful authentications on POP3 connections.
See `Wikipedia <http://en.wikipedia.org/wiki/POP3>`__ for more information
about the POP3 protocol.
:param c: The connection.
:param is_orig: Always false.
:param user: The user name attempted for authentication. The event is only
generated if a non-empty user name was used.
:param password: The password attempted for authentication.
.. zeek:see:: pop3_data pop3_login_success pop3_reply pop3_request
pop3_unexpected
.. todo:: Zeek's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported. To still enable this event, one needs to
register a port for it or add a DPD payload signature.
.. zeek:id:: pop3_login_success
:source-code: base/bif/plugins/Zeek_POP3.events.bif.zeek 144 144
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, user: :zeek:type:`string`, password: :zeek:type:`string`)
Generated for successful authentications on POP3 connections.
See `Wikipedia <http://en.wikipedia.org/wiki/POP3>`__ for more information
about the POP3 protocol.
:param c: The connection.
:param is_orig: Always false.
:param user: The user name used for authentication. The event is only generated if
a non-empty user name was used.
:param password: The password used for authentication.
.. zeek:see:: pop3_data pop3_login_failure pop3_reply pop3_request
pop3_unexpected
.. todo:: Zeek's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported. To still enable this event, one needs to
register a port for it or add a DPD payload signature.
.. zeek:id:: pop3_reply
:source-code: base/bif/plugins/Zeek_POP3.events.bif.zeek 52 52
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, cmd: :zeek:type:`string`, msg: :zeek:type:`string`)
Generated for server-side replies to commands on POP3 connections.
See `Wikipedia <http://en.wikipedia.org/wiki/POP3>`__ for more information
about the POP3 protocol.
:param c: The connection.
:param is_orig: True if the command was sent by the originator of the TCP
connection.
:param cmd: The success indicator sent by the server. This corresponds to the
first token on the line sent, and should be either ``OK`` or ``ERR``.
:param msg: The textual description the server sent along with *cmd*.
.. zeek:see:: pop3_data pop3_login_failure pop3_login_success pop3_request
pop3_unexpected
.. todo:: This event is receiving odd parameters, should unify.
.. todo:: Zeek's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported. To still enable this event, one needs to
register a port for it or add a DPD payload signature.
.. zeek:id:: pop3_request
:source-code: base/bif/plugins/Zeek_POP3.events.bif.zeek 25 25
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, command: :zeek:type:`string`, arg: :zeek:type:`string`)
Generated for client-side commands on POP3 connections.
See `Wikipedia <http://en.wikipedia.org/wiki/POP3>`__ for more information
about the POP3 protocol.
:param c: The connection.
:param is_orig: True if the command was sent by the originator of the TCP
connection.
:param command: The command sent.
:param arg: The argument to the command.
.. zeek:see:: pop3_data pop3_login_failure pop3_login_success pop3_reply
pop3_unexpected
.. todo:: Zeek's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported. To still enable this event, one needs to
register a port for it or add a DPD payload signature.
.. zeek:id:: pop3_starttls
:source-code: base/bif/plugins/Zeek_POP3.events.bif.zeek 120 120
:Type: :zeek:type:`event` (c: :zeek:type:`connection`)
Generated when a POP3 connection goes encrypted. While POP3 is by default a
clear-text protocol, extensions exist to switch to encryption. This event is
generated if that happens and the analyzer then stops processing the
connection.
See `Wikipedia <http://en.wikipedia.org/wiki/POP3>`__ for more information
about the POP3 protocol.
:param c: The connection.
.. zeek:see:: pop3_data pop3_login_failure pop3_login_success pop3_reply
pop3_request pop3_unexpected
.. todo:: Zeek's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported. To still enable this event, one needs to
register a port for it or add a DPD payload signature.
.. zeek:id:: pop3_unexpected
:source-code: base/bif/plugins/Zeek_POP3.events.bif.zeek 100 100
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, msg: :zeek:type:`string`, detail: :zeek:type:`string`)
Generated for errors encountered on POP3 sessions. If the POP3 analyzer
finds state transitions that do not conform to the protocol specification,
or other situations it can't handle, it raises this event.
See `Wikipedia <http://en.wikipedia.org/wiki/POP3>`__ for more information
about the POP3 protocol.
:param c: The connection.
:param is_orig: True if the data was sent by the originator of the TCP connection.
:param msg: A textual description of the situation.
:param detail: The input that triggered the event.
.. zeek:see:: pop3_data pop3_login_failure pop3_login_success pop3_reply pop3_request
.. todo:: Zeek's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported. To still enable this event, one needs to
register a port for it or add a DPD payload signature.
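Review bot: ``pop3_login_success`` and ``pop3_login_failure`` deliver the ``password`` used or attempted for authentication to script-land, and nothing on the page cautions handlers about it; a sentence advising that the field should not be logged or forwarded, and noting that credentials are only visible in the clear before ``pop3_starttls`` fires, would help policy authors avoid writing secrets into logs. Smaller items in the same hunk: ``:param is_orig: Always false.`` on both login events documents a parameter that carries no information, which should be stated as such (or flagged for removal) rather than left for readers to puzzle over; ``.. todo:: This event is receiving odd parameters, should unify.`` under ``pop3_reply`` is an internal remark that does not belong in user-facing reference docs; and the ``pop3_reply`` description says ``cmd`` "should be either ``OK`` or ``ERR``" without saying whether the ``+``/``-`` status prefix of the server's response line is stripped before it reaches the handler, which a script author needs to know to write a correct comparison.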

View file

@ -0,0 +1,37 @@
:tocdepth: 3
base/bif/plugins/Zeek_PPPoE.functions.bif.zeek
==============================================
.. zeek:namespace:: GLOBAL
.. zeek:namespace:: PacketAnalyzer::PPPoE
:Namespaces: GLOBAL, PacketAnalyzer::PPPoE
Summary
~~~~~~~
Functions
#########
=================================================================== ===============================================================
:zeek:id:`PacketAnalyzer::PPPoE::session_id`: :zeek:type:`function` Returns the PPPoE Session ID of the current packet, if present.
=================================================================== ===============================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. zeek:id:: PacketAnalyzer::PPPoE::session_id
:source-code: base/bif/plugins/Zeek_PPPoE.functions.bif.zeek 15 15
:Type: :zeek:type:`function` () : :zeek:type:`count`
Returns the PPPoE Session ID of the current packet, if present.
If no PPPoE Session ID is present, 0xFFFFFFFF is returned, which
is out of range of the session ID.
:returns: The PPPoE session ID if present, 0xFFFFFFFF otherwise.
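Review bot: the doc justifies ``0xFFFFFFFF`` as a sentinel by saying it "is out of range of the session ID" but never states the valid range, so a reader cannot verify the claim or know which other values are impossible; give the session-ID width here. Because the sentinel is returned in-band through a ``count``, callers will hard-code ``0xFFFFFFFF`` in comparisons; consider exposing it as a named constant so the value is documented in one place. The phrase "of the current packet" should also spell out when no session ID is "present", for instance that calling the function outside a packet-analysis event handler, or for a packet that was not carried over PPPoE, yields the sentinel rather than an error.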

View file

@ -0,0 +1,61 @@
:tocdepth: 3
base/bif/plugins/Zeek_RADIUS.events.bif.zeek
============================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
=============================================== ====================================
:zeek:id:`radius_attribute`: :zeek:type:`event` Generated for each RADIUS attribute.
:zeek:id:`radius_message`: :zeek:type:`event` Generated for RADIUS messages.
=============================================== ====================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: radius_attribute
:source-code: base/bif/plugins/Zeek_RADIUS.events.bif.zeek 27 27
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, attr_type: :zeek:type:`count`, value: :zeek:type:`string`)
Generated for each RADIUS attribute.
See `Wikipedia <http://en.wikipedia.org/wiki/RADIUS>`__ for more
information about RADIUS.
:param c: The connection.
:param attr_type: The value of the code field (1 == User-Name, 2 == User-Password, etc.).
:param value: The data/value bound to the attribute.
.. zeek:id:: radius_message
:source-code: base/bif/plugins/Zeek_RADIUS.events.bif.zeek 13 13
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, result: :zeek:type:`RADIUS::Message`)
Generated for RADIUS messages.
See `Wikipedia <http://en.wikipedia.org/wiki/RADIUS>`__ for more
information about RADIUS.
:param c: The connection.
:param result: A record containing fields parsed from a RADIUS packet.
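Review bot: the parameter of ``radius_attribute`` is named ``attr_type`` but is documented as "The value of the code field"; the examples given (``1 == User-Name``, ``2 == User-Password``) are attribute type values, so the description should say "type field" to match the parameter name and to avoid confusion with the message-level code that distinguishes request and response packets. In ``radius_message`` the parameter ``result`` holds the parsed ``RADIUS::Message`` record rather than an outcome, which the name suggests; the description should say so in the first words and link to where ``RADIUS::Message`` is defined, since this page gives no pointer to the record's fields.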

View file

@ -0,0 +1,269 @@
:tocdepth: 3
base/bif/plugins/Zeek_RDP.events.bif.zeek
=========================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
============================================================= =================================================================================
:zeek:id:`rdp_begin_encryption`: :zeek:type:`event` Generated when an RDP session becomes encrypted.
:zeek:id:`rdp_client_cluster_data`: :zeek:type:`event` Generated for client cluster data packets.
:zeek:id:`rdp_client_core_data`: :zeek:type:`event` Generated for MCS client requests.
:zeek:id:`rdp_client_network_data`: :zeek:type:`event` Generated for Client Network Data (TS_UD_CS_NET) packets
:zeek:id:`rdp_client_security_data`: :zeek:type:`event` Generated for client security data packets.
:zeek:id:`rdp_connect_request`: :zeek:type:`event` Generated for X.224 client requests.
:zeek:id:`rdp_gcc_server_create_response`: :zeek:type:`event` Generated for MCS server responses.
:zeek:id:`rdp_native_encrypted_data`: :zeek:type:`event` Generated for each packet after RDP native encryption begins
:zeek:id:`rdp_negotiation_failure`: :zeek:type:`event` Generated for RDP Negotiation Failure messages.
:zeek:id:`rdp_negotiation_response`: :zeek:type:`event` Generated for RDP Negotiation Response messages.
:zeek:id:`rdp_server_certificate`: :zeek:type:`event` Generated for a server certificate section.
:zeek:id:`rdp_server_security`: :zeek:type:`event` Generated for MCS server responses.
:zeek:id:`rdpeudp_data`: :zeek:type:`event` Generated when for data messages exchanged after a RDPEUDP connection establishes
:zeek:id:`rdpeudp_established`: :zeek:type:`event` Generated when RDPEUDP connections are established (both sides SYN)
:zeek:id:`rdpeudp_syn`: :zeek:type:`event` Generated for RDPEUDP SYN UDP Datagram
:zeek:id:`rdpeudp_synack`: :zeek:type:`event` Generated for RDPEUDP SYNACK UDP Datagram
============================================================= =================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: rdp_begin_encryption
:source-code: base/protocols/rdp/main.zeek 259 269
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, security_protocol: :zeek:type:`count`)
Generated when an RDP session becomes encrypted.
:param c: The connection record for the underlying transport-layer session/flow.
:param security_protocol: The security protocol being used for the session.
.. zeek:id:: rdp_client_cluster_data
:source-code: base/bif/plugins/Zeek_RDP.events.bif.zeek 111 111
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, data: :zeek:type:`RDP::ClientClusterData`)
Generated for client cluster data packets.
:param c: The connection record for the underlying transport-layer session/flow.
:param data: The data contained in the client security data structure.
.. zeek:id:: rdp_client_core_data
:source-code: base/protocols/rdp/main.zeek 187 213
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, data: :zeek:type:`RDP::ClientCoreData`)
Generated for MCS client requests.
:param c: The connection record for the underlying transport-layer session/flow.
:param data: The data contained in the client core data structure.
.. zeek:id:: rdp_client_network_data
:source-code: base/protocols/rdp/main.zeek 215 228
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, channels: :zeek:type:`RDP::ClientChannelList`)
Generated for Client Network Data (TS_UD_CS_NET) packets
:param c: The connection record for the underlying transport-layer session/flow.
:param channels: The channels that were requested
.. zeek:id:: rdp_client_security_data
:source-code: base/bif/plugins/Zeek_RDP.events.bif.zeek 95 95
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, data: :zeek:type:`RDP::ClientSecurityData`)
Generated for client security data packets.
:param c: The connection record for the underlying transport-layer session/flow.
:param data: The data contained in the client security data structure.
.. zeek:id:: rdp_connect_request
:source-code: base/protocols/rdp/main.zeek 166 171
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, cookie: :zeek:type:`string`, flags: :zeek:type:`count`)
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, cookie: :zeek:type:`string`)
Generated for X.224 client requests.
:param c: The connection record for the underlying transport-layer session/flow.
:param cookie: The cookie included in the request; empty if no cookie was provided.
:param flags: The flags set by the client.
.. zeek:id:: rdp_gcc_server_create_response
:source-code: base/protocols/rdp/main.zeek 230 235
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, result: :zeek:type:`count`)
Generated for MCS server responses.
:param c: The connection record for the underlying transport-layer session/flow.
:param result: The 8-bit integer representing the GCC Conference Create Response result.
.. zeek:id:: rdp_native_encrypted_data
:source-code: base/bif/plugins/Zeek_RDP.events.bif.zeek 43 43
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, orig: :zeek:type:`bool`, len: :zeek:type:`count`)
Generated for each packet after RDP native encryption begins
:param c: The connection record for the underlying transport-layer session/flow.
:param orig: True if the packet was sent by the originator of the connection.
:param len: The length of the encrypted data.
.. zeek:id:: rdp_negotiation_failure
:source-code: base/protocols/rdp/main.zeek 180 185
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, failure_code: :zeek:type:`count`, flags: :zeek:type:`count`)
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, failure_code: :zeek:type:`count`)
Generated for RDP Negotiation Failure messages.
:param c: The connection record for the underlying transport-layer session/flow.
:param failure_code: The failure code sent by the server.
:param flags: The flags set by the server.
.. zeek:id:: rdp_negotiation_response
:source-code: base/protocols/rdp/main.zeek 173 178
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, security_protocol: :zeek:type:`count`, flags: :zeek:type:`count`)
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, security_protocol: :zeek:type:`count`)
Generated for RDP Negotiation Response messages.
:param c: The connection record for the underlying transport-layer session/flow.
:param security_protocol: The security protocol selected by the server.
:param flags: The flags set by the server.
.. zeek:id:: rdp_server_certificate
:source-code: base/protocols/rdp/main.zeek 245 257
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, cert_type: :zeek:type:`count`, permanently_issued: :zeek:type:`bool`)
Generated for a server certificate section. If multiple X.509
certificates are included in chain, this event will still
only be generated a single time.
:param c: The connection record for the underlying transport-layer session/flow.
:param cert_type: Indicates the type of certificate.
:param permanently_issued: Value will be true is the certificate(s) is permanent on the server.
.. zeek:id:: rdp_server_security
:source-code: base/protocols/rdp/main.zeek 237 243
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, encryption_method: :zeek:type:`count`, encryption_level: :zeek:type:`count`)
Generated for MCS server responses.
:param c: The connection record for the underlying transport-layer session/flow.
:param encryption_method: The 32-bit integer representing the encryption method used in the connection.
:param encryption_level: The 32-bit integer representing the encryption level used in the connection.
.. zeek:id:: rdpeudp_data
:source-code: base/bif/plugins/Zeek_RDP.events.bif.zeek 33 33
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, version: :zeek:type:`count`, data: :zeek:type:`string`)
Generated when for data messages exchanged after a RDPEUDP connection establishes
:param c: The connection record for the underlying transport-layer session/flow.
:param is_orig: Whether the data was sent by the originator or responder of the connection.
:param version: Whether the connection is RDPEUDP1 or RDPEUDP2
:param data: The payload of the packet. This is probably very non-performant.
.. zeek:id:: rdpeudp_established
:source-code: base/bif/plugins/Zeek_RDP.events.bif.zeek 21 21
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, version: :zeek:type:`count`)
Generated when RDPEUDP connections are established (both sides SYN)
:param c: The connection record for the underlying transport-layer session/flow.
:param version: Whether the connection is RDPEUDP1 or RDPEUDP2
.. zeek:id:: rdpeudp_syn
:source-code: base/bif/plugins/Zeek_RDP.events.bif.zeek 7 7
:Type: :zeek:type:`event` (c: :zeek:type:`connection`)
Generated for RDPEUDP SYN UDP Datagram
:param c: The connection record for the underlying transport-layer session/flow.
.. zeek:id:: rdpeudp_synack
:source-code: base/bif/plugins/Zeek_RDP.events.bif.zeek 13 13
:Type: :zeek:type:`event` (c: :zeek:type:`connection`)
Generated for RDPEUDP SYNACK UDP Datagram
:param c: The connection record for the underlying transport-layer session/flow.


@ -0,0 +1,16 @@
:tocdepth: 3
base/bif/plugins/Zeek_RDP.types.bif.zeek
========================================
.. zeek:namespace:: GLOBAL
.. zeek:namespace:: RDP
:Namespaces: GLOBAL, RDP
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~


@ -0,0 +1,112 @@
:tocdepth: 3
base/bif/plugins/Zeek_RFB.events.bif.zeek
=========================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
====================================================== ==========================================================
:zeek:id:`rfb_auth_result`: :zeek:type:`event` Generated for RFB event authentication result message
:zeek:id:`rfb_authentication_type`: :zeek:type:`event` Generated for RFB event authentication mechanism selection
:zeek:id:`rfb_client_version`: :zeek:type:`event` Generated for RFB event client banner message
:zeek:id:`rfb_server_parameters`: :zeek:type:`event` Generated for RFB event server parameter message
:zeek:id:`rfb_server_version`: :zeek:type:`event` Generated for RFB event server banner message
:zeek:id:`rfb_share_flag`: :zeek:type:`event` Generated for RFB event share flag messages
====================================================== ==========================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: rfb_auth_result
:source-code: base/protocols/rfb/main.zeek 152 155
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, result: :zeek:type:`bool`)
Generated for RFB event authentication result message
:param c: The connection record for the underlying transport-layer session/flow.
:param result: whether or not authentication was successful
.. zeek:id:: rfb_authentication_type
:source-code: base/protocols/rfb/main.zeek 131 136
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, authtype: :zeek:type:`count`)
Generated for RFB event authentication mechanism selection
:param c: The connection record for the underlying transport-layer session/flow.
:param authtype: the value of the chosen authentication mechanism
.. zeek:id:: rfb_client_version
:source-code: base/protocols/rfb/main.zeek 117 122
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, major_version: :zeek:type:`string`, minor_version: :zeek:type:`string`)
Generated for RFB event client banner message
:param c: The connection record for the underlying transport-layer session/flow.
:param version: of the client's rfb library
.. zeek:id:: rfb_server_parameters
:source-code: base/bif/plugins/Zeek_RFB.events.bif.zeek 53 53
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, name: :zeek:type:`string`, width: :zeek:type:`count`, height: :zeek:type:`count`)
Generated for RFB event server parameter message
:param c: The connection record for the underlying transport-layer session/flow.
:param name: name of the shared screen
:param width: width of the shared screen
:param height: height of the shared screen
.. zeek:id:: rfb_server_version
:source-code: base/protocols/rfb/main.zeek 124 129
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, major_version: :zeek:type:`string`, minor_version: :zeek:type:`string`)
Generated for RFB event server banner message
:param c: The connection record for the underlying transport-layer session/flow.
:param version: of the server's rfb library
.. zeek:id:: rfb_share_flag
:source-code: base/protocols/rfb/main.zeek 157 160
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, flag: :zeek:type:`bool`)
Generated for RFB event share flag messages
:param c: The connection record for the underlying transport-layer session/flow.
:param flag: whether or not the share flag was set
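Review bot: `rfb_client_version` and `rfb_server_version` document a single `:param version:` ("of the client's rfb library") while their signatures take `major_version` and `minor_version`, so the rendered reference describes a parameter that does not exist and omits the two that do; split the entry into `:param major_version:` and `:param minor_version:` with descriptions that match the event's actual arguments. Minor: the summary lines in this file ("Generated for RFB event authentication result message", "whether or not authentication was successful") are not terminated with a period and use lowercase where the other plugin docs in this commit use a capital, so the table in the Summary section renders inconsistently next to its neighbours.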

File diff suppressed because it is too large Load diff


@ -0,0 +1,16 @@
:tocdepth: 3
base/bif/plugins/Zeek_RawReader.raw.bif.zeek
============================================
.. zeek:namespace:: GLOBAL
.. zeek:namespace:: InputRaw
:Namespaces: GLOBAL, InputRaw
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~


@ -0,0 +1,163 @@
:tocdepth: 3
base/bif/plugins/Zeek_SIP.events.bif.zeek
=========================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
=============================================== ==========================================================================================================
:zeek:id:`sip_all_headers`: :zeek:type:`event` Generated once for all :abbr:`SIP (Session Initiation Protocol)` headers from the originator or responder.
:zeek:id:`sip_begin_entity`: :zeek:type:`event` Generated at the beginning of a :abbr:`SIP (Session Initiation Protocol)` message.
:zeek:id:`sip_end_entity`: :zeek:type:`event` Generated at the end of a :abbr:`SIP (Session Initiation Protocol)` message.
:zeek:id:`sip_header`: :zeek:type:`event` Generated for each :abbr:`SIP (Session Initiation Protocol)` header.
:zeek:id:`sip_reply`: :zeek:type:`event` Generated for :abbr:`SIP (Session Initiation Protocol)` replies, used in Voice over IP (VoIP).
:zeek:id:`sip_request`: :zeek:type:`event` Generated for :abbr:`SIP (Session Initiation Protocol)` requests, used in Voice over IP (VoIP).
=============================================== ==========================================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: sip_all_headers
:source-code: base/bif/plugins/Zeek_SIP.events.bif.zeek 71 71
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, hlist: :zeek:type:`mime_header_list`)
Generated once for all :abbr:`SIP (Session Initiation Protocol)` headers from the originator or responder.
See `Wikipedia <http://en.wikipedia.org/wiki/Session_Initiation_Protocol>`__
for more information about the :abbr:`SIP (Session Initiation Protocol)` protocol.
:param c: The connection.
:param is_orig: Whether the headers came from the originator.
:param hlist: All the headers, and their values
.. zeek:see:: sip_request sip_reply sip_header sip_begin_entity sip_end_entity
.. zeek:id:: sip_begin_entity
:source-code: base/bif/plugins/Zeek_SIP.events.bif.zeek 86 86
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`)
Generated at the beginning of a :abbr:`SIP (Session Initiation Protocol)` message.
This event is generated as soon as a message's initial line has been parsed.
See `Wikipedia <http://en.wikipedia.org/wiki/Session_Initiation_Protocol>`__
for more information about the :abbr:`SIP (Session Initiation Protocol)` protocol.
:param c: The connection.
:param is_orig: Whether the message came from the originator.
.. zeek:see:: sip_request sip_reply sip_header sip_all_headers sip_end_entity
.. zeek:id:: sip_end_entity
:source-code: base/bif/plugins/Zeek_SIP.events.bif.zeek 99 99
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`)
Generated at the end of a :abbr:`SIP (Session Initiation Protocol)` message.
See `Wikipedia <http://en.wikipedia.org/wiki/Session_Initiation_Protocol>`__
for more information about the :abbr:`SIP (Session Initiation Protocol)` protocol.
:param c: The connection.
:param is_orig: Whether the message came from the originator.
.. zeek:see:: sip_request sip_reply sip_header sip_all_headers sip_begin_entity
.. zeek:id:: sip_header
:source-code: base/protocols/sip/main.zeek 193 273
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, name: :zeek:type:`string`, value: :zeek:type:`string`)
Generated for each :abbr:`SIP (Session Initiation Protocol)` header.
See `Wikipedia <http://en.wikipedia.org/wiki/Session_Initiation_Protocol>`__
for more information about the :abbr:`SIP (Session Initiation Protocol)` protocol.
:param c: The connection.
:param is_orig: Whether the header came from the originator.
:param name: Header name.
:param value: Header value.
.. zeek:see:: sip_request sip_reply sip_all_headers sip_begin_entity sip_end_entity
.. zeek:id:: sip_reply
:source-code: base/protocols/sip/main.zeek 181 191
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, version: :zeek:type:`string`, code: :zeek:type:`count`, reason: :zeek:type:`string`)
Generated for :abbr:`SIP (Session Initiation Protocol)` replies, used in Voice over IP (VoIP).
This event is generated as soon as a reply's initial line has been parsed.
See `Wikipedia <http://en.wikipedia.org/wiki/Session_Initiation_Protocol>`__
for more information about the :abbr:`SIP (Session Initiation Protocol)` protocol.
:param c: The connection.
:param version: The :abbr:`SIP (Session Initiation Protocol)` version in use.
:param code: The response code.
:param reason: Textual details for the response code.
.. zeek:see:: sip_request sip_header sip_all_headers sip_begin_entity sip_end_entity
.. zeek:id:: sip_request
:source-code: base/protocols/sip/main.zeek 170 179
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, method: :zeek:type:`string`, original_URI: :zeek:type:`string`, version: :zeek:type:`string`)
Generated for :abbr:`SIP (Session Initiation Protocol)` requests, used in Voice over IP (VoIP).
This event is generated as soon as a request's initial line has been parsed.
See `Wikipedia <http://en.wikipedia.org/wiki/Session_Initiation_Protocol>`__
for more information about the :abbr:`SIP (Session Initiation Protocol)` protocol.
:param c: The connection.
:param method: The :abbr:`SIP (Session Initiation Protocol)` method extracted from the request (e.g., ``REGISTER``, ``NOTIFY``).
:param original_URI: The unprocessed URI as specified in the request.
:param version: The version number specified in the request (e.g., ``2.0``).
.. zeek:see:: sip_reply sip_header sip_all_headers sip_begin_entity sip_end_entity


@ -0,0 +1,15 @@
:tocdepth: 3
base/bif/plugins/Zeek_SMB.consts.bif.zeek
=========================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~


@ -0,0 +1,58 @@
:tocdepth: 3
base/bif/plugins/Zeek_SMB.events.bif.zeek
=========================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
============================================================== ==========================================================================
:zeek:id:`smb_discarded_dce_rpc_analyzers`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)` when the number of
:abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
analyzers exceeds :zeek:see:`SMB::max_dce_rpc_analyzers`.
:zeek:id:`smb_pipe_connect_heuristic`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)` connections when a
named pipe has been detected heuristically.
============================================================== ==========================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: smb_discarded_dce_rpc_analyzers
:source-code: base/protocols/dce-rpc/main.zeek 231 238
:Type: :zeek:type:`event` (c: :zeek:type:`connection`)
Generated for :abbr:`SMB (Server Message Block)` when the number of
:abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
analyzers exceeds :zeek:see:`SMB::max_dce_rpc_analyzers`.
Occurrence of this event may indicate traffic loss, traffic load-balancing
issues or abnormal SMB protocol usage.
:param c: The connection.
.. zeek:id:: smb_pipe_connect_heuristic
:source-code: base/protocols/smb/main.zeek 243 247
:Type: :zeek:type:`event` (c: :zeek:type:`connection`)
Generated for :abbr:`SMB (Server Message Block)` connections when a
named pipe has been detected heuristically. The case when this comes
up is when the drive mapping isn't seen so the analyzer is not able
to determine whether to send the data to the files framework or to
the DCE_RPC analyzer. This heuristic can be tuned by adding or
removing "named pipe" names from the :zeek:see:`SMB::pipe_filenames`
const.
:param c: The connection.


@ -0,0 +1,67 @@
:tocdepth: 3
base/bif/plugins/Zeek_SMB.smb1_com_check_directory.bif.zeek
===========================================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
============================================================ ===========================================================================================
:zeek:id:`smb1_check_directory_request`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *check directory*.
:zeek:id:`smb1_check_directory_response`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 responses of type *check directory*.
============================================================ ===========================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: smb1_check_directory_request
:source-code: base/bif/plugins/Zeek_SMB.smb1_com_check_directory.bif.zeek 17 17
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, directory_name: :zeek:type:`string`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *check directory*. This is used by the client to verify that
a specified path resolves to a valid directory on the server.
For more information, see MS-CIFS:2.2.4.17
:param c: The connection.
:param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
:param directory_name: The directory name to check for existence.
.. zeek:see:: smb1_message smb1_check_directory_response
.. zeek:id:: smb1_check_directory_response
:source-code: base/bif/plugins/Zeek_SMB.smb1_com_check_directory.bif.zeek 31 31
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 responses of type *check directory*. This is the server response to the
*check directory* request.
For more information, see MS-CIFS:2.2.4.17
:param c: The connection.
:param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
.. zeek:see:: smb1_message smb1_check_directory_request


@ -0,0 +1,46 @@
:tocdepth: 3
base/bif/plugins/Zeek_SMB.smb1_com_close.bif.zeek
=================================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
================================================= ===========================================================================================
:zeek:id:`smb1_close_request`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *close*.
================================================= ===========================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: smb1_close_request
:source-code: base/bif/plugins/Zeek_SMB.smb1_com_close.bif.zeek 17 17
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, file_id: :zeek:type:`count`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *close*. This is used by the client to close an instance of an object
associated with a valid file ID.
For more information, see MS-CIFS:2.2.4.5
:param c: The connection.
:param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
:param file_id: The file identifier being closed.
.. zeek:see:: smb1_message


@ -0,0 +1,69 @@
:tocdepth: 3
base/bif/plugins/Zeek_SMB.smb1_com_create_directory.bif.zeek
============================================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
============================================================= ===========================================================================================
:zeek:id:`smb1_create_directory_request`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *create directory*.
:zeek:id:`smb1_create_directory_response`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 responses of type *create directory*.
============================================================= ===========================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: smb1_create_directory_request
:source-code: base/bif/plugins/Zeek_SMB.smb1_com_create_directory.bif.zeek 18 18
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, directory_name: :zeek:type:`string`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *create directory*. This is a deprecated command which
has been replaced by the *trans2_create_directory* subcommand. This is used by the client to
create a new directory on the server, relative to a connected share.
For more information, see MS-CIFS:2.2.4.1
:param c: The connection.
:param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
:param directory_name: The name of the directory to create.
.. zeek:see:: smb1_message smb1_create_directory_response smb1_transaction2_request
.. zeek:id:: smb1_create_directory_response
:source-code: base/bif/plugins/Zeek_SMB.smb1_com_create_directory.bif.zeek 33 33
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 responses of type *create directory*. This is a deprecated command which
has been replaced by the *trans2_create_directory* subcommand. This is the server response
to the *create directory* request.
For more information, see MS-CIFS:2.2.4.1
:param c: The connection.
:param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
.. zeek:see:: smb1_message smb1_create_directory_request smb1_transaction2_request


@ -0,0 +1,75 @@
:tocdepth: 3
base/bif/plugins/Zeek_SMB.smb1_com_echo.bif.zeek
================================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
================================================= ===========================================================================================
:zeek:id:`smb1_echo_request`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *echo*.
:zeek:id:`smb1_echo_response`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 responses of type *echo*.
================================================= ===========================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: smb1_echo_request
:source-code: base/bif/plugins/Zeek_SMB.smb1_com_echo.bif.zeek 19 19
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, echo_count: :zeek:type:`count`, data: :zeek:type:`string`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *echo*. This is sent by the client to test the transport layer
connection with the server.
For more information, see MS-CIFS:2.2.4.39
:param c: The connection.
:param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
:param echo_count: The number of times the server should echo the data back.
:param data: The data for the server to echo.
.. zeek:see:: smb1_message smb1_echo_response
.. zeek:id:: smb1_echo_response
:source-code: base/bif/plugins/Zeek_SMB.smb1_com_echo.bif.zeek 36 36
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, seq_num: :zeek:type:`count`, data: :zeek:type:`string`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 responses of type *echo*. This is the server response to the *echo* request.
For more information, see MS-CIFS:2.2.4.39
:param c: The connection.
:param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
:param seq_num: The sequence number of this echo reply.
:param data: The data echoed back from the client.
.. zeek:see:: smb1_message smb1_echo_request
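Review bot: both `smb1_echo_request` and `smb1_echo_response` carry a `:param hdr: The parsed header of the SMB version 1 message.` line, but neither signature has an `hdr` argument (`(c, echo_count, data)` and `(c, seq_num, data)`); either the events should take `hdr: SMB1::Header` like every other SMB1 event in this commit, or the stale `:param hdr:` lines should be removed so the reference matches what a handler can actually bind. In `smb1_echo_response`, `:param data: The data echoed back from the client.` reads as though the client is doing the echoing; this is the server's reply, so "The data echoed back to the client" is the accurate wording.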


@ -0,0 +1,45 @@
:tocdepth: 3
base/bif/plugins/Zeek_SMB.smb1_com_logoff_andx.bif.zeek
=======================================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
=============================================== ===========================================================================================
:zeek:id:`smb1_logoff_andx`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *logoff andx*.
=============================================== ===========================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: smb1_logoff_andx
:source-code: base/bif/plugins/Zeek_SMB.smb1_com_logoff_andx.bif.zeek 17 17
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *logoff andx*. This is used by the client to logoff the user
connection represented by UID in the SMB Header. The server releases all locks and closes
all files currently open by this user, disconnects all tree connects, cancels any outstanding
requests for this UID, and invalidates the UID.
For more information, see MS-CIFS:2.2.4.54
:param c: The connection.
:param is_orig: Indicates which host sent the logoff message.
.. zeek:see:: smb1_message
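Review bot: the description of `smb1_logoff_andx` talks about "the user connection represented by UID in the SMB Header" and everything the server invalidates for that UID, yet the event signature is `(c, is_orig)` with no `hdr`, so a handler cannot see which UID is being logged off; if that information matters to script writers, the event should pass `hdr: SMB1::Header` as the other SMB1 events in this commit do, otherwise the description should not promise it. Grammar: "used by the client to logoff the user connection" should be "to log off the user connection" (verb, two words), and "all files currently open by this user" reads better as "all files this user currently has open".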


@ -0,0 +1,71 @@
:tocdepth: 3
base/bif/plugins/Zeek_SMB.smb1_com_negotiate.bif.zeek
=====================================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
====================================================== ===========================================================================================
:zeek:id:`smb1_negotiate_request`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *negotiate*.
:zeek:id:`smb1_negotiate_response`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 responses of type *negotiate*.
====================================================== ===========================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: smb1_negotiate_request
:source-code: base/protocols/smb/smb1-main.zeek 77 80
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, dialects: :zeek:type:`string_vec`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *negotiate*. This is sent by the client to initiate an SMB
connection between the client and the server. A *negotiate* exchange MUST be completed
before any other SMB messages are sent to the server.
For more information, see MS-CIFS:2.2.4.52
:param c: The connection.
:param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
:param dialects: The SMB dialects supported by the client.
.. zeek:see:: smb1_message smb1_negotiate_response
.. zeek:id:: smb1_negotiate_response
:source-code: base/bif/plugins/Zeek_SMB.smb1_com_negotiate.bif.zeek 34 34
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, response: :zeek:type:`SMB1::NegotiateResponse`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 responses of type *negotiate*. This is the server response to the *negotiate*
request.
For more information, see MS-CIFS:2.2.4.52
:param c: The connection.
:param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
:param response: A record structure containing more information from the response.
.. zeek:see:: smb1_message smb1_negotiate_request


@ -0,0 +1,43 @@
:tocdepth: 3
base/bif/plugins/Zeek_SMB.smb1_com_nt_cancel.bif.zeek
=====================================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
===================================================== ===========================================================================================
:zeek:id:`smb1_nt_cancel_request`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *nt cancel*.
===================================================== ===========================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: smb1_nt_cancel_request
:source-code: base/bif/plugins/Zeek_SMB.smb1_com_nt_cancel.bif.zeek 15 15
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *nt cancel*. This is sent by the client to request that a currently
pending request be cancelled.
For more information, see MS-CIFS:2.2.4.65
:param c: The connection.
:param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
.. zeek:see:: smb1_message


@ -0,0 +1,77 @@
:tocdepth: 3
base/bif/plugins/Zeek_SMB.smb1_com_nt_create_andx.bif.zeek
==========================================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
=========================================================== ===========================================================================================
:zeek:id:`smb1_nt_create_andx_request`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *nt create andx*.
:zeek:id:`smb1_nt_create_andx_response`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 responses of type *nt create andx*.
=========================================================== ===========================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: smb1_nt_create_andx_request
:source-code: base/protocols/smb/smb1-main.zeek 137 146
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, file_name: :zeek:type:`string`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *nt create andx*. This is sent by the client to create and open
a new file, or to open an existing file, or to open and truncate an existing file to zero
length, or to create a directory, or to create a connection to a named pipe.
For more information, see MS-CIFS:2.2.4.64
:param c: The connection.
:param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
:param name: The ``name`` attribute specified in the message.
.. zeek:see:: smb1_message smb1_nt_create_andx_response
.. zeek:id:: smb1_nt_create_andx_response
:source-code: base/protocols/smb/smb1-main.zeek 148 165
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, file_id: :zeek:type:`count`, file_size: :zeek:type:`count`, times: :zeek:type:`SMB::MACTimes`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 responses of type *nt create andx*. This is the server response to the
*nt create andx* request.
For more information, see MS-CIFS:2.2.4.64
:param c: The connection.
:param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
:param file_id: The SMB2 GUID for the file.
:param file_size: Size of the file.
:param times: Timestamps associated with the file in question.
.. zeek:see:: smb1_message smb1_nt_create_andx_request

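Review bot: the ``:param name:`` entry under ``smb1_nt_create_andx_request`` does not match the event signature two lines above it, which names the third argument ``file_name``; rename the field to ``:param file_name: The ``name`` attribute specified in the message.`` so the parameter documentation lines up with the declared argument. In the same hunk, ``smb1_nt_create_andx_response`` describes ``file_id`` as "The SMB2 GUID for the file" even though this is an SMB1 event and the parameter is typed ``count``; describe it as the server-assigned SMB1 file identifier (FID) instead, and leave the GUID wording to the SMB2 events.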

@ -0,0 +1,47 @@
:tocdepth: 3
base/bif/plugins/Zeek_SMB.smb1_com_query_information.bif.zeek
=============================================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
============================================================= ===========================================================================================
:zeek:id:`smb1_query_information_request`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *query information*.
============================================================= ===========================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: smb1_query_information_request
:source-code: base/bif/plugins/Zeek_SMB.smb1_com_query_information.bif.zeek 18 18
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, filename: :zeek:type:`string`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *query information*. This is a deprecated command which
has been replaced by the *trans2_query_path_information* subcommand. This is used by the
client to obtain attribute information about a file.
For more information, see MS-CIFS:2.2.4.9
:param c: The connection.
:param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
:param filename: The filename that the client is querying.
.. zeek:see:: smb1_message smb1_transaction2_request
